In case you don’t follow security or gaming news, the PlayStation Network (PSN) went down in late April and stayed down for about 3 weeks before it was fully restored on May 16. The reason for the outage, according to Sony, was an “external intrusion.” During that time, around 77 million accounts were compromised, meaning the attackers got access to usernames, passwords, birth dates and other information used to register new accounts. Sony feared identity-theft scams and warned its users about them. In addition to these pieces of information, payment-card data and billing addresses might also have been obtained, leading some users to cancel and reissue their credit cards. Sony estimated the cost of the attack to be 170 million US dollars. That, of course, is in addition to the hit to the company’s security reputation.
Before we can talk about what we can take from this, I’d like to express a few abstract ideas in an effort to understand the big picture.
Why should you care about this incident?
Video games certainly don’t interest some people, especially seniors who have little time to spend behind the controller or who prefer spending their money on something they see as more important. But these are not the only reasons. Gaming was not popular until recent years, because the number of games in the 1970s and 80s was limited both by development teams and by technology. I remember being the only kid in my high-school class who had access to a PC, which was running some version of DOS. I was playing games either with my brother or cousins; I wouldn’t talk about gaming in school simply because my classmates didn’t have a gaming platform and they were not aware of the existence of Doom, Dune, Prince of Persia and others.
With the advances of microprocessor-based devices (computers, smartphones, gaming consoles), it is now hard to find an adult who hasn’t played a video game at some point. Developers seem to utilize whatever platform they can get their hands on to build games. Even Facebook, which started as a social networking site, made a platform for app development, which developers subsequently used to build games along with the apps.
What I’m getting at here is gaming today is quite large indeed; and this, in my opinion, is one of the causes of the PSN outage, which we’ll look at shortly.
How the PSN evolved
The PlayStation 1 and 2 did not have online multi-player gaming capabilities, and there were no critical software updates that the owner had to install to play a certain game or patch an important bug in the console. The software was pretty stable and usable. This also meant that people could install modifications to their PlayStations in order to run pirated games. In an effort to control piracy, Sony now frequently requires users to update their systems or else they won’t be able to use the PSN for multi-player. Further, recently released video games will refuse to run if they detect that you’re running an old version of the PS3 software. And lastly, with the rise and popularity of downloadable content, Sony decided to make an online store for purchasing and downloading games (that’s how people’s credit cards were endangered). The PS3 comes with a hard drive that’s large enough to hold a handful of games.
While purchasing games off the internet is convenient, it also means that some information about the customers needs to be stored, and Sony must be entrusted to keep it safe. Generally, anyone should be careful every time a website asks for critical information. Some people refused to trust the PSN and discouraged others from using it, like the famous hacker George Hotz.
I believe this particular breach was not just a random occurrence of security breaches you find in many cases; it had good reasons behind it:
Other OS removal
Originally, the PS3 was advertised to have a feature called “Other OS,” which allowed the owner of the console to install an operating system other than the one that comes with the PS3. Admittedly, few people, namely hackers, found this feature interesting. Later on, Sony feared this feature would allow users to hack the PS3 and run pirated games or cheat in multi-player, and so they disabled it entirely. While most users did not care about this, it upset the hacker community, so much so that some of them returned their consoles and asked for a refund because the product did not offer what it advertised. In short, Sony alienated and upset the hacker community and users who found this act inexcusable. Hackers of the PS3 actually stated in a press conference that the reason the PS3 hack was late was that the console already had a way for hackers to play with the system.
Underestimating Diversity of Customers
As we mentioned earlier, the gaming community has grown dramatically over the last few years. It becomes difficult then to tailor games and consoles that please everyone. Similarly, new after-sale services can either please or upset users. Even Wikipedia, which is respected by almost everyone globally, managed to cause unrest. Seniors would seem to think gaming is for children or teenagers who wouldn’t fight back against a large corporation like Sony. Sony seemed to think similarly, as it did not care to explain its stance clearly on removing features and it underestimated the capabilities of its customers.
Ignoring the Ownership Conflict
There is quite a bit of conflict over who owns the PlayStation console and who has privileges to make changes to it. Many PS3 owners believe it’s their right to use the console as they wish, without interference or complaint from Sony. Their justification for this is that when someone buys a car, they are free to modify it any way they want; they can add a custom engine, custom rims, custom decorations, etc. The manufacturer does not sue them for doing these modifications because the dealer’s ownership of the car transferred “fully” to the buyer. Sony and a few other computer companies (like Apple) believe they can still claim control of the console (or device); that they can enforce rules and updates even after the users have purchased their consoles. Ignoring this conflict and acting without the users’ consent is sure to generate hate and lack of respect towards the consumers.
What we can learn from this story is:
- Never underestimate what customers are capable of
- It is a bad idea to alienate a good portion of your community (Don’t do evil)
- Don’t ignore conflicts
- Make customers’ privacy a top priority
- Always be careful which website you give your information to
- It is a good idea to check security and tech news websites to have an idea of potential targets for attackers