What to do about the PlayStation Network breach

The PlayStation Network security compromise is big news, but many may not know what to do about it. A brief overview of Sony's history on such matters may prove helpful.

Many readers will already know about the PlayStation Network (and Qriocity digital music service) security breach. Here is a summary of the latest breach, a rundown of Sony's poor record of handling customer data and privacy, and some suggestions about what to do if you are affected.

How Sony dropped the ball (again)

The PlayStation Network, commonly abbreviated PSN, is "an online multiplayer gaming and digital media delivery service provided/run by Sony Computer Entertainment for use with the PlayStation 3 and PlayStation Portable video game consoles," according to Wikipedia. As of this writing, there are around 77 million registered PSN users, which means that around 77 million people may have been subject to security compromise due to Sony's traditional laxity in its concern for the well-being of its customers.

The short version of the disaster area that is PSN security goes something like this:

All of this has touched off a minor firestorm of controversy regarding the (lack of) security for users of the PlayStation Network. Many PSN customers are shocked to discover the cavalier attitude Sony evidently takes toward the security of their financial and personal data.

They should not be shocked. Have we forgotten already the past transgressions of the Sony Corporation? Let us recall the sordid details of the 2005 Sony/BMG copy prevention rootkit scandal:

The same old song

  • In August 2000, senior VP Steve Heckler of Sony Pictures Entertainment in the US said, "The industry will take whatever steps it needs to protect itself and protect its revenue streams. . . . We will develop technology that transcends the individual user." The full litany of his declarations included chilling predictions about the transgressions against Sony's customer base that would come in the decade to follow.
  • In 2001, Natalie Imbruglia's second album, White Lilies Island, was sold in Europe under the BMG label with copy prevention measures and no warning labels, inspiring a minor media flap. That same year, copy prevention was used on the N'Sync album Celebrity in the United States, as well as on promotional copies of Michael Jackson's You Rock My World in Europe.
  • In 2005, Mark Russinovich's Sony, Rootkits and Digital Rights Management Gone Too Far provided a detailed technical description of Sony/BMG's music CD copy prevention scheme. Testing the (at that time) latest version of RootkitRevealer, Russinovich discovered that his Van Zants CD Get Right with the Man had, unbeknownst to him, installed a rootkit developed by First 4 Internet on his MS Windows machine.
  • Less than half a month later, still in 2005, J. Alex Halderman wrote in Sony Shipping Spyware from SunnComm, Too about additional copy prevention malware on Sony/BMG CDs developed by SunnComm. While SunnComm's MediaMax DRM software was not characterized as a rootkit, it was most certainly a case of spyware installed "without meaningful consent or notification".
  • Sony/BMG eventually released a program whose purpose was ostensibly to remove the First 4 Internet XCP rootkit software from affected computers. Unfortunately, all it did was unhide the rootkit (not uninstall it) and install additional software of questionable character and technical merit that was designed to resist uninstallation.
  • When finally issuing a recall, Sony/BMG representatives publicly ridiculed market concerns over the security issues introduced by this rootkit. Sony BMG's Global Digital Business President Thomas Hesse asked NPR reporter Neda Ulaby, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

Here's why. Aside from the resource consumption of this software running in the background, DRM software installed without the user's knowledge behaved like a stalker and spied on the user's activities; Sony/BMG's copy prevention efforts were aimed at prohibiting even fair use of the content distributed on these CDs; and Sony/BMG failed to properly address the problem once the public discovered it, instead actually exacerbating it. Sony/BMG publicly deprecated consumers' and security experts' concerns over the danger represented by this rootkit, which created a vulnerability exploitable not only by Sony/BMG for its questionable motives, but also by legions of independent malicious security crackers, because the rootkit's cloaking capabilities could be simply and easily repurposed to mask additional arbitrary software. Viruses and other malicious security cracker activity began taking advantage of the XCP rootkit. Even better, the supposed rootkit removal tool involved installing ActiveX controls containing "backdoor methods" that were also susceptible to external exploits. J. Alex Halderman once again reported on the bad behavior of Sony/BMG DRM policy: the uninstaller for SunnComm's copy prevention software "Also Opens Huge Security Hole".

Adding a cherry to the top of this screw-the-customer sundae was the fact that, in the name of copyright protectionism, DRM software distributed with Sony/BMG CDs was reported to contain code infringing the copyrights of open source software projects including the MP3 library LAME and the VLC Media Player.

Since then, Sony/BMG has accumulated a strong reputation for suing customers for exorbitant sums of money, even as it violated the Children's Online Privacy Protection Act and Federal Trade Commission Act by displaying personal data for about 30,000 minors on its websites.

Perhaps due to its poor record for customer service, Sony/BMG has been replaced by Sony Music Entertainment. It seems unlikely that anyone is fooled by the name change.

From promising beginnings

The PlayStation 3, or PS3, originally looked like a pretty nice purchase. It offered some stellar gameplay capabilities for its time, of course, as part of the ongoing battle for market share amongst home game consoles. It also came with the ability to play Sony's patented Blu-Ray digital optical disk format, for a complete console price lower than that of many dedicated digital video disk players that could handle both Blu-Ray and DVD formats. More surprising to many who are familiar with Sony's sordid history of punishing its customers, perhaps, is the OtherOS feature that PlayStation 3 offered.

OtherOS offered the ability to install OSs other than the standard, basic system software that shipped with the PS3. PlayStation hackers installed various Linux configurations on the machines, tweaked them endlessly, and even built PS3 clusters, in one case to crack SSL encryption. Protein folding research has been supported by the ability to run Folding@Home on the PS3, and the Air Force has been using a PS3 supercomputer cluster called Condor to track and identify objects in space. FreeBSD was among the OSs ported to the PS3 via its OtherOS feature (in fact, it is believed the PS3's native CellOS is at least in part derived from FreeBSD), though Linux-based systems have easily been the most common.

Around the time of the release of the PlayStation 3 Slim, Sony decided that the OtherOS feature was a bad idea after all. The PS3 Slim did not come with that feature, and the version 3.21 firmware update for other PS3s disabled OtherOS. The PlayStation Network would be restricted so that anyone running a firmware version that still supported the OtherOS feature would not be able to access the network. Noted iPhone unlocker George Hotz promised users of the OtherOS feature that he would begin work on custom firmware for the PS3 that would both allow the OtherOS feature to work and allow PSN access.

Sony, returning to form, sued George Hotz and managed to get some disturbing judgments out of a judge that chisel away at the legal protections for hardware owners to use their hardware as they see fit. Hotz has since publicly ceased his iPhone and PlayStation hacking activities.

PS3 hacking has been largely strangled in its crib, between Sony's release of limited new variants of the console and firmware "upgrades". The closest people are getting to the kind of capabilities offered by OtherOS is network booting via the PSJailbreak exploit.

What to do

If you are a user of the PlayStation Network, there are a few things you should do to protect yourself now and in the future:

  • You may want to replace any credit cards whose numbers have been used with PSN.
  • You may want to check any other private information used with PSN to see what could be at risk.
  • You may want to watch your accounts and credit activity like a hawk for a while.
  • You may want to change any passwords related to PSN or SOE at your earliest opportunity, just in case your accounts survive cancellation in a way that can be later exploited, then cancel those accounts.
  • You may want to avoid ever giving Sony or any of its subsidiaries another dime. Buy hardware you are not forbidden to understand, and use easily verifiable software so this kind of "security through obscurity" nonsense will not affect you in the future.

I, however, will not be doing any of the above. I have avoided paying Sony for its products since some time before the rootkit scandal of 2005. To my recollection, I have not in fact bought anything from Sony or its subsidiaries since the 90s. If you are still buying Sony products, it is not too late to stop now.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

25 comments
RayFoxxe

:3 This calls for this song! "Do what you want, 'cause a pirate is free, YOU ARE A PIRATE! Yar har, fiddle di dee, Being a pirate is alright to be, Do what you want 'cause a pirate is free, You are a pirate!" xD PS Network is getting pirated!

bshaw1957

If one reads the article with any degree of sense and looks at the area where the article has been posted (Home/Blogs/...), then it is quite clearly an individual's opinions and therefore should be read as such with, as we say, the proverbial "grain of salt".

realvarezm

It is incredible that this once huge entertainment corporation now emulates the evil, monstrous and powerful emporium from a movie like I, Robot, Soylent Green or G-Force :) Their PR is shredded to pieces and soon their market value will go down (at least in the geek community). Gone are the days when I bought my first Walkman and PSX without having to worry about someone or something watching my back. And like the publisher of this article suggests, I will never buy a Sony-made product (except a case or death). Let's not forget that out there are many other companies like Sony, so be watchful and vigilant; don't let the dark force of their greed get ahold of you! Like a wise man once said, what kills a skunk is the publicity it gives itself.

cmiller5400

The rootkit brouhaha was enough for me to stop using/purchasing their products. Now, the next topic should be why in the h-e-double hockey sticks does Microsoft Xbox Live need your Social Security Number!!?? A friend of mine said it was required when he signed up... Just one of many reasons I don't do online gaming.

AnsuGisalas

Soh-neechan, all your suck is belong to |< R 4 X 0 R! How do they actually manage to run a business? Or do they have separate hiring systems, one for actual make-stuff employees and one for customer-handling monkeys?

DaemonSlayer

If a news story, you sure show that unbiased journalism has more than just died; it shows biased journalism in its plainest form, and that we all should never expect an unbiased news story ever again. MSNBC has already joined my list of untrustworthy news sources... Shall CBS's TR and maybe parent company CBS itself join the list? If an editorial, fine and dandy. Make sure the fact is clear so we all know that the Sony hate is yours and not just a CBS ploy to take the high road to look saintly.

apotheon

Do you think Sony sucks? Sony Sucks Reasons Why Sony Sucks Sony Customer Support Sucks Some people sure seem to think it does. Have some more Google scrapings.

realvarezm

It is incredible how much we take from these giant corporations. I tell you, if we all stick together (at least this community) and demand fairness and transparency in their actions, we can change the way they do their business and actually make them create a social conscience.

seanferd

I'd love to hear the rationalization for that one.

seanferd

Perhaps one for engineers and researchers, and one for the biz-suits.

apotheon

Your linguist roots are exposed. You're actually making Nihongo puns.

AstroCreep

There are two spots above the article that state this is a "Blog". Blogs are usually "Editorial" in nature, given the fact that the author is writing his/her own commentary on a topic.

ap90033

AMEN this site is run by idiots if you hadn't noticed. They think they are "all that" and ignore anything posted or sent that doesn't line up with their BIASED views. Typical liberal media...

apotheon

> Is this a news story or an editorial? It's an editorial. The biases are not hidden behind a thin veneer of "objectivity" as they are in yellow journalism; they are obvious, direct, and unignorably in your face. Next question . . . ?

seanferd

But I'll be damned for not knowing that there is a FreeBSD port for the PS3.

Sterling chip Camden

Ever since 2005, if the choice is between Sony and doing without, I do without.

apotheon

Many of us boycott various unethical corporations. Many, many more of us don't care enough to bother, and the corporations end up still making money hand-over-fist.

seanferd

And apparently this site is read by a significant number of seriously deluded heavy crack users. Typical "liberal"-labeler having little contact with reality. And Chad, being such a huge Liberal, is part of the librul media conspirimacy.

apotheon

Who ignored what DaemonSlayer said? I take it you didn't bother to read my response to DaemonSlayer's question. It seems like it's you who is ignoring what does not line up with biases.

apotheon

I've always known you were one of the good'uns.

seanferd

The sarcasm is never obvious enough for some people, and others may have experienced so much internet craziness that they find it plausible that my remark is serious. Will Poe's Law be illustrated here? Find out at eleven.

apotheon

. . . ap90033 might take that literally and actually believe I'm a "liberal". Oh, wait. Sorry. I don't mean to out your plan if you're just planning to toy with him.

apotheon

I'm not sure what you mean, saying that your favorite link leads to DaemonSlayer's comment.