Many readers will already know about the PlayStation Network (and Qriocity digital music service) security breach. Here is a summary of the latest breach, a rundown of Sony's poor record of handling customer data and privacy, and some suggestions about what to do if you are affected.
How Sony dropped the ball (again)
The PlayStation Network, commonly abbreviated PSN, is "an online multiplayer gaming and digital media delivery service provided/run by Sony Computer Entertainment for use with the PlayStation 3 and PlayStation Portable video game consoles," according to Wikipedia. As of this writing, there are around 77 million registered PSN users, which means that around 77 million people may have been subject to security compromise due to Sony's traditional laxity in its concern for the well-being of its customers.
The short version of the disaster area that is PSN security goes something like this:
- Sony admits utter PSN failure: your personal data has been stolen The PSN compromise has, at a bare minimum, exposed customers' names, addresses, email addresses, birthdays, and PSN passwords. Sony says there is no evidence that credit cards were compromised, but refuses to rule it out. Even this seems optimistic, however. The network has been shut down to protect it from further compromise.
- Press Release: Some PlayStation Network and Qriocity Services to be Available This Week It should be interesting to see how this will work out.
- PSN security cracker chatlogs If you pay close attention, you may note the presence of little details like credit card numbers stored in plain text.
- Sony claims SOE is safe Sony claimed that the Sony Online Entertainment network, which manages Sony's MMORPG lines, is separate from PSN and safe from this breach.
- The Sony Online Entertainment service has been shut down as well. It turns out Sony was wrong about the separation between PSN and the SOE network. As Sony put it, "In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately." A Slashdot user offers an alternative explanation: "Someone tried to play a Sony music CD in one of their Windows servers during a maintenance window, and the SBRK (Sony-blessed rootkit) decided it had found some pirate MP3..."
All of this has touched off a minor firestorm of controversy regarding the (lack of) security for users of the PlayStation Network. Many PSN customers are shocked to discovery the cavalier attitude Sony evidently takes toward the security of their financial and personal data.
They should not be shocked. Have we forgotten already the past transgressions of the Sony Corporation? Let us recall the sordid details of the 2005 Sony/BMG copy prevention rootkit scandal:
The same old song
- In August 2000, senior VP Steve Heckler of Sony Pictures Entertainment in the US said, "The industry will take whatever steps it needs to protect itself and protect its revenue streams. . . . We will develop technology that transcends the individual user." The full litany of his declarations included chilling predictions about the transgressions against Sony's customer base that would come in the decade to follow.
- In 2001, Natalie Imbruglia's second album, White Lilies Island, was sold in Europe under the BMG label with copy prevention measures and no warning labels, inspiring a minor media flap. That same year, copy prevention was used on the N'Sync album Celebrity in the United States, as well as on promotional copies of Michael Jackson's You Rock My World in Europe.
- In 2005, Mark Russinovich's Sony, Rootkits and Digital Rights Management Gone Too Far provided a detailed technical description of Sony/BMG's music CD copy prevention scheme. Testing the (at that time) latest version of RootkitRevealer, Russinovich discovered that his Van Zants CD Get Right with the Man had, unbeknownst to him, installed a rootkit developed by First 4 Internet on his MS Windows machine.
- Less than half a month later, still in 2005, J. Alex Halderman wrote in Sony Shipping Spyware from SunnComm, Too about additional copy prevention malware on Sony/BMG CDs developed by SunnComm. While SunnComm's MediaMax DRM software was not characterized as a rootkit, it was most certainly a case of spyware installed "without meaningful consent or notification".
- Sony/BMG eventually released a program whose purpose was ostensibly to remove the First 4 Internet XCP rootkit software from affected computers. Unfortunately, all it did was unhide the rootkit (not uninstall it) and install additional software of questionable character and technical merit that was designed to resist uninstallation.
- When finally issuing a recall, Sony/BMG representatives publicly ridiculed market concerns over the security issues introduced by this rootkit. Sony BMG's Global Digital Business President Thomas Hesse asked NPR reporter Neda Ulaby, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Here's why: Aside from the resource consumption of this software running in the background, the creepy stalkerish behavior of DRM software installed without user knowledge and spied on the user's activities; Sony/BMG's copy prevention efforts were aimed at prohibiting even fair use of the content distributed on these CDs; Sony/BMG failed to properly address the problem once it was discovered by the public, instead actually exacerbating the problem. Sony/BMG publicly deprecated consumers' and security experts' concerns over the danger represented by this rootkit, which created a vulnerability not only for the questionable motives of Sony/BMG, but also for legions of independent malicious security crackers because of how simply and easily the rootkit's capabilities could be repurposed to mask additional arbitrary software. Viruses and other malicious security cracker activity began taking advantage of the XCP rootkit. Even better, the supposed rootkit removal tool involved installing ActiveX controls containing "backdoor methods" that were also susceptible to external exploits. J. Alex Halderman once again reported on the bad behavior of Sony/BMG DRM policy that the uninstaller for SunnComm's copy prevention software "Also Opens Huge Security Hole".
Adding a cherry to the top of this screw-the-customer sundae was the fact that, in the name of copyright protectionism, DRM software distributed with Sony/BMG CDs was reported to contain code infringing the copyrights of open source software projects including the MP3 library LAME and the VLC Media Player.
Since then, Sony/BMG has accumulated a strong reputation for suing customers for exorbitant sums of money, even as it violated the Children's Online Privacy Protection Act and Federal Trade Commission Act by displaying personal data for about 30,000 minors on its websites.
Perhaps due to its poor record for customer service, Sony/BMG has been replaced by Sony Music Entertainment. It seems unlikely that anyone is fooled by the name change.
From promising beginnings
The PlayStation 3, or PS3, originally looked like a pretty nice purchase. It offered some stellar gameplay capabilities for its time, of course, as part of the ongoing battle for market share amongst home game consoles. It also came with the ability to play Sony's patented Blu-Ray digital optical disk format, for a complete console price lower than that of many dedicated digital video disk players that could handle both Blu-Ray and DVD formats. More surprising to many who are familiar with Sony's sordid history of punishing its customers, perhaps, is the OtherOS feature that PlayStation 3 offered.
OtherOS offered the ability to install OSs other than the standard, basic system software that shipped with the PS3. PlayStation hackers installed various Linux configurations on the machines, tweaked them endlessly, and even built PS3 clusters, in one case to crack SSL encryption. Protein folding research has been supported by the ability to run Folding@Home on the PS3, and the Air Force has been using a PS3 supercomputer cluster called Condor to track and identify objects in space. FreeBSD was among the OSs ported to the PS3 via its OtherOS feature (in fact, it is believed the PS3's native CellOS is at least in part derived from FreeBSD), though Linux-based systems have easily been the most common.
Around the time of the release of the PlayStation 3 Slim, Sony decided that the OtherOS feature was a bad idea after all. The PS3 Slim did not come with that feature, and the version 3.21 firmware update for other PS3s disabled OtherOS. The PlayStation Network would be restricted so that anyone using a firmware version that supported the OtherOS feature should not be able to access the network. Noted iPhone unlocker George Hotz promised users of the OtherOS feature that he would begin work on custom firmware for the PS3 that would both allow the OtherOS feature to work and allow PSN access.
Sony, returning to form, sued George Hotz and managed to get some disturbing judgments out of a judge that chisel away at the legal protections for hardware owners to use their hardware as they see fit. Hotz has since publicly ceased his iPhone and PlayStation hacking activities.
PS3 hacking has been largely strangled in its crib, between Sony's release of limited new variants of the console and firmware "upgrades". The closest people are getting to the kind of capabilities offered by OtherOS is network booting via the PSJailbreak exploit.
What to do
If you are a user of the PlayStation Network, there are a few things you should do to protect yourself now and in the future:
- You may want to replace any credit cards whose numbers have been used with PSN.
- You may want to check any other private information used with PSN to see what could be at risk.
- You may want to watch your accounts and credit activity like a hawk for a while.
- You may want to change any passwords related to PSN or SOE at your earliest opportunity, just in case your accounts survive cancellation in a way that can be later exploited, then cancel those accounts.
- You may want to avoid ever giving Sony or any of its subsidiaries another dime. Buy hardware you are not forbidden to understand, and use easily verifiable software so this kind of "security through obscurity" nonsense will not affect you in the future.
I, however, will not be doing any of the above. I have avoided paying Sony for its products since some time before the rootkit scandal of 2005. To my recollection, I have not in fact bought anything from Sony or its subsidiaries since the 90s. If you are still buying Sony products, it is not too late to stop now.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.