Wednesday, April 27, 2011

PSN'ing Me Off - Sony's Failure to Secure The PlayStation Network

Let us establish first and foremost the basic position in which Sony now finds itself with the gaming public: they are fucked.

Some of you will doubtlessly protest my very strong language and crude imagery regarding the current situation with Sony's PlayStation Network.  Some of you probably expect nothing less.  Either way, I stand by my assertion.  The scenario that has played out couldn't possibly be conceived, even with assistance from LSD, salvia, shrooms, and mescaline all mixed together.  DDOSing the PSN, that sort of thing should be something that any network engineer, security oriented or not, ought to be factoring into their designs when they build something like this.  But this has gone way beyond a mere botnet or script kiddie attack.  Somebody, or a group of somebodies, didn't just shut down the PSN the way that Anonymous "accidentally" did a few weeks ago.  They broke in and made off with user data.  How much user data?

Try all of it.

There are, best estimate, some 70 million PSN accounts.  Those accounts contain names, addresses, and most importantly, credit card info.  And every last bit of that data was taken.  This is light-years above owning a box on Sony's network.  It's like the Great Train Robbery, only considerably worse.  What could you do with essentially unfettered access to 70 million credit and debit cards?  Depends on how smart you were about it.  The best part, from the perspective of the hackers, is that Sony has actually helped them get away with this.  How so?  By not owning up to the fact that they got hacked, and not owning up to the fact that personal data was lost.  Because Sony sat around with their thumbs up their asses, putting out milquetoast "updates" which informed without actually enlightening anybody, and ignored the rising degree of protests far longer than they should have, they essentially covered for the hackers.  Their prevarications have given those guys at least a week's head start to play around with other people's money.

One thing that should be kept in mind at moments like this is that it really is smart to avoid ascribing malicious motives to certain actions which can be better explained by basic stupidity.  Consider Patrick Seybold, the Senior Director of Corporate Communications and Social Media for Sony.  It's tempting to paint him as an outright villain, a corporate mouthpiece stooge who propagated a farrago of lies by repeating over and over, "we don't know how bad it really is" for six whole days.  But it's perhaps more accurate to look at him as being stupid.  The less flattering view would be the typical suit, a guy who is in the habit of talking a lot but not really saying much of anything, which might go over well in the boardroom but tends to make your customers start hauling out their pitchforks and torches.  The more forgiving perspective would be a man who was given the mushroom treatment by another segment of his company and used as a human shield for a week.  Continuing up the food chain, we have the engineers whose bailiwick the PSN falls under.  Again, real tempting to paint them as evil bastards.  Again, much better to look at them as exercising gross stupidity rather than genuine evil.  In a corporate environment the size and breadth of Sony, the size of a problem is proportionate to the speed with which one's CYA reflex kicks in.  A tiny little problem, nobody will give it a second thought, just fix it and forget it.  A bigger problem, say an authentication issue for the East Coast for example, and you can be sure there's some CYA going on before the problem actually gets fixed.  When you've got a problem like the current one, everybody will be on the verge of panic trying to figure out how their posteriors can be sufficiently shielded, even as the small vestiges of their brains still capable of coherent thought inform them that there isn't a snowflake's chance in Hell they can make anything relating to the disaster look good.
Fiascoes like this one tend to lead upper management to demand people's heads, and heads will be served up one way or the other.  If the engineers weren't feeding Seybold any genuinely useful information, then it's certainly understandable why Seybold's blog posts weren't assuaging the public's discontent.

I would like to take a moment to address another example of stupidity, and one that has far more potentially damaging consequences.  It is the stupidity of complacency.  The stupidity of "don't worry, it's not a big deal."  To some extent, Sony gave us this brand of stupidity over the course of the last week, and it's turned out that we shouldn't just be worried, we should be all sorts of pissed off and justifiably scared.  An article on Ars Technica had some choice words from Michael Pachter, an analyst at Wedbush Morgan who has seemingly made the current stage of his career focused on "analyzing" the video game industry.  And by "analyzing," I mean "spouting mindless bullshit and getting paid six figures for it."  In the past, I've done my best to avoid giving much thought to Pachter and his inanities, but his pronouncements in regard to Sony and the PSN breach just cannot go unchallenged.  The first mistake is playing the "shit happens" card, stating that security breaches do happen and it sucks for customers.  Sony wasn't even stupid enough to try and use that gambit, which doesn't start Pachter off on solid footing.  Yes, security breaches happen, but in regards to the PSN, security breaches DIDN'T happen.  Outages, yes.  Authentication problems, more than Sony would probably like to admit.  I know that no system is 100% secure and no system can avoid being breached forever.  The PSN was probably the closest thing to an impenetrable system that Man has devised in the last decade.  When it finally was breached, it was ripped wide open and the really valuable data, the personal user data, not the games, was sucked out like marrow from a cracked bone.  The "hassle of tracking down whether somebody is fraudulently using credit info" which Pachter breezily dismisses isn't the sort of annoyance that can be dispensed with by clicking a mouse and re-entering some data.  
Assuming for a moment that the spread of credit cards stored on the PSN is evenly split up between the 4 major credit card companies (Visa, MasterCard, American Express, Discover), then each of those companies is looking at dealing with seventeen and a half million cards that need to be cancelled and re-issued.  It's likely not such an even split, but the company who's only handling four or five million card cancellations probably won't be feeling suitably grateful for the distinction.  That's going to tie up massive amounts of resources which would otherwise be pointed towards day-to-day operations.  The ripple effect on the economy just from having to process all those cancellations beggars the imagination.  Even if it's handled at a lower level through local banks and credit unions, it's still eventually going to impact the operations of the credit card companies.

Pachter continues to show his absolute lack of anything resembling intelligent thought when he made the following pronouncement: "In my view, a serious hacker with evil intent would be better off hacking into a financial institution rather than a gaming network."  He continues to diminish the scale of the disaster by concluding that the breach is "not a serious security threat."  If I were a serious hacker with evil intent, directly hacking into a financial institution would be the last thing in the universe I'd want to do.  It wouldn't matter to me if it was the Last National Bank of Zimbabwe.  Shooting for a direct breach of bank data would be unbelievably stupid and ultimately profitless.  Banks have been directly robbed so many times in physical form over the centuries that they tend to design their computer systems much like they would their branches.  Lots of security fences, lots of redundancies, lots of alarms.  Banks expect people to try and straight out rob them, so they harden themselves accordingly.  True, they can still be breached, and user data can be obtained, but banks will go berserk the minute a breach happens and they will be locking down everything related to the breach very quickly.  If you're lucky, you'll have about 24 hours worth of use out of that data, then it's pretty much wasted hard drive space.  Rather than hit the banks directly, hacking a game network would allow somebody to come at them sideways.  Remember how I asked what you would do if you had 70 million credit card accounts, all the personal data associated with those accounts, and a week's head start?  If I were the smarter version of Pachter's hypothetical "serious hacker," I'd be making relatively small money transfers.  A cash advance here, a direct withdrawal there.  Keep the limit down to a C-note at a time.
Even if I could only pull it off one time each for 10% of the accounts that I snagged, that's still 7 million accounts, and a Benjamin from each one of those accounts would add up to some serious money.  Banks look for big money transfers into and out of individual accounts.  Somebody shows up with a hundred million dollars and says, "I'd like to make a deposit," you can bet there's a manager on the phone to the Feds before the ink's even dry on the deposit slip.  Small money transfers, on the other hand, it's background noise to a bank.  A modicum of caution while pulling money out and putting in, nobody would have any reason to suspect anything, certainly nothing that would justify filling out a Suspicious Activity Report.  And if I were being extra smart about it, there would be a mix of ATM withdrawals and electronic fund transfers.  Shift a C-note to the bank of my choice, pull it out a few hours later, and the cash is mine.  I could go on about how ATM cameras would be recording me, but if I'm smart enough to have planned and executed a plunder on this scale, dealing with ATM cameras would have been factored into my thinking and a suitable countermeasure developed.  Bottom line: a gaming network is the perfect vehicle to rob a bank, because nobody will see it coming.

As my high school forensics coach told me oh so many years ago, it's considered good form to concede at least one of your opponent's points during a debate.  And while I firmly believe that describing Michael Pachter as a halfwit is overly generous praise, his little chat with Ars Technica did produce one point which I can agree with.  "Over the long run, we'll all forget about this, unless it happens again."  Perhaps not entirely accurate, but close enough.  The brouhaha will eventually die down, people will be fired, and life will return to something resembling normal.  How quickly things return to almost-normal, and how close they come to the established benchmark of normal prior to the breach, depends very heavily upon what Sony does next.  The smart thing to do would be complete disclosure.  Let the world see how thoroughly they fucked up and how badly they got taken.  Make sure that the conditions and the environment which allowed the breach to happen do not recur.  Sony needs to be crawling on their hands and knees over broken glass coated in lemon juice and salt to win their customers' confidence back.  Even then, it may never quite reach the level of confidence that they once enjoyed.  The question is how to prevent a new breach from happening.  If the hackers got in through a hacked PS3, what would Sony do?  Update the firmware to further cut off functionality?  Brick every PS3 currently out in the world and make their customers buy all new ones just to rebuild the integrity of the PSN?  Both of those options would almost certainly exacerbate an already infuriated customer base, as well as give hacker groups like Anonymous more grist for their mills.  Until Sony discloses how the hack was pulled off, it's exceedingly difficult to say how best to proceed.  Continuing to do what they've been doing for the last week is guaranteed to make the situation worse.  
"Proactive" measures which somehow result in a further diminished user experience for the PSN when it finally does come back up will have the same effect.  For the immediate future, Sony is fucked as far as their customers are concerned, because there is nothing they can do that won't piss people off even more.  Even SCEA's board committing seppuku on YouTube wouldn't make people happy.  Sony will just have to take their lumps and contemplate the scale of repairs needed not only to the PSN, but to their reputation and their customer base.
