By now, I am sure everyone has heard that Sony’s PlayStation Network (and assorted services) has been down for the better part of a week, with no definite restoration date in sight, due to an “external incursion”. Sony was so nice as to offer a FAQ (you might also be interested in this Wired article). However, there are a couple of points that I take issue with:

1) First of all, let’s stop the blame game. All I have seen so far from major media outlets is “Was it Anonymous? Was it the Rebug firmware modder guys?” (Both of these parties have denied involvement; you can read more about Rebug here.) Instead of that, can we get some full disclosure on WHAT happened, WHY it happened and WHAT steps have been taken to address it so that it never happens again? So far, from Sony’s FAQ:

Q.3 What is the main reason for this problem? Which parts of the system were vulnerable to the intrusion?
We are currently conducting a thorough investigation of the situation. Since this is an overall security related issue, we will not comment further on this case.

When I, like millions of other people, entrust my details to a network, I place some trust in it. When that network is PSN, I expect more: Sony is not a Mom-and-Pop shop unable to afford top-notch security equipment and advice, and the fact that the PS3 stayed “unhackable” for 4+ years, as far as the general public is concerned, proves that they can allocate enough security resources to what they deem critical. Given that the details in question include:

Q.6 Does that mean all users’ information was compromised? Tell us in more detail what personal information leaked.

In terms of possibility, yes. We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID. It is also possible that your profile data may have been obtained, including purchase history and billing address (city, state/province, zip or postal code). If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. If you have provided your credit card data through PlayStation Network or Qriocity, it is possible that your credit card number (excluding security code) and expiration date may also have been obtained.

I, for one, would like to know exactly what intrusion countermeasures are in place so that details such as these (can you spell “identity theft”?) are relatively safe. The “you did not have to provide them with all these details” defense simply does not apply, thanks to Sony’s “provide us your details or else you will not be able to deathmatch online” policy. As was the case with other major data breaches, could this signify that security measures were simply lacking? While this can be (and so far IS) a PR disaster for Sony, one way to regain some “face” is to admit any mistakes and share relevant information for the benefit of the community (both the user community and the “infosec” community). As for “but do you really expect them to give out a list of the countermeasures in place?”, well, security by obscurity has never, ever worked in the past, so why should it work now?

2) While this is not strictly Sony’s fault, and appears to be the standard mode of operation, why is the onus of protecting my data on me, the average user? Again, let’s quote the FAQ:

Q.9 I want to know if my account has been affected.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit reports. Additionally, if you use the same user name or password for your PlayStation Network or Qriocity service account for other unrelated services or accounts, we strongly recommend that you change them. When the PlayStation Network and Qriocity services are back on line, we also strongly recommend that you log on to change your password.
For your security, we encourage you to be especially aware of email, telephone, postal mail or other scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking.

Q.10 What should I do to prevent any unauthorized use of my (credit card) personal information?

For your security, we encourage you to be especially aware of email, telephone, postal mail or other scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. Additionally, if you use the same user name or password for your PlayStation Network or Qriocity service account for other unrelated services or accounts, we strongly recommend that you change them. When the PlayStation Network and Qriocity services are back on line, we also strongly recommend that you log on to change your password.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit reports.

So, a network which has Sony’s backing (read: “a practically infinite amount of money”), instead of owning up to its mistakes, assumes a stance which, once you get through all the legalese, effectively amounts to “oh, we lost your data, and we will not even let you know what measures we had in place to address such attacks, we will not give you a heads up about what caused all this, nor will we let you know what we have done to address the issue after the fact; sorry if you get any charges on your credit card or if your details are now in the hands of scammers”. And no, Sony, a 20 euro voucher so I get to see Ryu kicking some butt wearing his grandma’s underpants does not really cut it.

I am very, very disappointed. To sum it up, I would really like to see Sony come forward and help us regain some of the trust that was lost, but I am not holding my breath for it.