PSN Hack: Why I blame Sony more than the hackers
Unless you’ve been under a rock for the past days, you probably know that Sony announced they have been hacked, and our private information (potentially including credit card numbers) has been stolen from the PSN. This potentially impacts 77’000’000 customers.
I’ve received many emails/comments telling me “Wololo, you’re always in favor of CFW, and always on the side of the hackers, so what do you say now?”
Well, clearly I’m not happy that some people did that, I’m not happy that my information got stolen by these people. I want to point out that I never claimed that hacking into a corporation’s network was a good thing. Just like other people who are in favor of hacking and jailbreaking, I think customers should be able to enjoy their hardware the way they want, as long as they do not interfere with other people’s freedom. This makes things very clear: I’m not in favor of piracy, cheating online, identity theft, or anything like that.
This attack is unrelated to jailbreak
I’ve seen various comments on the net that this attack was performed “thanks” to some Custom firmware installed on some PS3s. This triggered new “anti jailbreak” comments from various people, including this guy who, despite making the efforts to do some research on the subject (and that’s good, because most people don’t do that), clearly should not be talking about stuff he doesn’t understand. I’m a computer engineer, I don’t talk about fashion. He’s a gamer and shouldn’t talk about security.
So, why do I claim that this has nothing to do with jailbreaks? Well, assuming the hack was performed “thanks” to a hacked PS3, it means Sony’s servers “trust” a PS3 accessing their system to not be hacked or modified. This is crazy, and this is security 101: the server should NEVER trust the client, end of story, NO exception. I trust Sony’s engineers to know this, so I believe this is not what happened. If I’m wrong, and if indeed there was some backdoor in the Sony system that allowed to trust a PS3 more than say, MediaGo running on a PC, then whoever designed such a backdoor in place is highly responsible for what happened. And Sony is guilty of believing that security through obscurity works. As I read somewhere, the good thing about open source software is that you can’t start to believe that your “opponent” won’t be able to read your code. So you design your security accordingly.
Now, my opinion is that a Jailbroken PS3 was not involved with this. Why would it be needed? You can connect to the PSN on a PC with MediaGo. It sounds fairly reasonable to me that somebody could investigate the code from that client and find some flaws in there, who knows? So for all we know, PS3 hardware wasn’t even involved in this attacks, making even a stronger point that this has nothing to do with jailbreaking a PS3. And if a PS3 was actually involved and you think it means jailbreak is related to this issue, then read the paragraph above.
As customers, Sony is the one responsible for our security, we can’t trust 6 billion people to play nice
Whatever you do, there will be people in the world trying to screw you, people not respecting the law. When these people attack you, you are free to hate them. As I said, I’m not happy some people stole my information, I don’t like these guys, but I know the world is made of people stealing your stuff, and it will always be the case.
Would you give your credit card number to me, or would you enter it on a form in my website? No. Because I’m a nobody, and there is no history of me not being a bad guy. I also have no way to be contacted easily in person. But you give your credit card information to Sony. Because it is a respected company, and you trust them to handle that kind of stuff correctly. By putting your trust in them, you implicitly ask them to be responsible, and by accepting your money and your credit card number, they accept to be responsible for your information’s security, even if their stupid PSN License says they can’t be responsible for a security breach.
Sony store the account information for 77’000’000 people. With such a big number of customers, I expect them to dedicate time and energy into securing their system. No system is perfect, but I expect them to apply the minimum security rules to their systems. First, the information retrieved by the hackers shouldn’t be usable in any way, because the information they stole should be encrypted, or hashed. Passwords should be hashed. It allows login systems to recognize that your password is correct without really knowing it. How comes Sony announced that our passwords were stolen then? How can they even be “unsure” if our credit card information was stolen? Our credit card information shouldn’t even be stored on their system, at worst it should be an encrypted version, and the rest should be 100% handled by Visa or Mastercard.
It is difficult to understand exactly what information was stolen. I completely understand that my birthday, my address, my email, etc… are stored in clear, it’s the only way for the system to be able to re-display them on edit pages, or for Sony to contact me. But password and credit card info? Come on. So was this a wording mistake in the PR? Or a major encryption mistake in their system? Either way this is bad, and Sony will have to explain this to their customers.
So yeah, bad guys screwed up with Sony, but Sony screwed up by playing in League 1 against companies like Google, Amazon, or Apple, without having the necessary software skills (or without investing enough in these skills) to actually play this game. As I mentioned many times, Sony is a great hardware company, but they should definitely outsource their software and their security to companies that have more experience/resources.
This is why I blame them more than the hackers, who have been doing nothing more than what robbers have done for centuries: picking locks.