With the details of 77 million customers involved, the PlayStation Network hack is one of the largest ever malicious attacks on a commercial organisation. Although Sony is assuring gamers that the infrastructure is being strengthened, this 'outside intrusion' has once again raised questions about the security of online transactions.
Amid the firestorm, industry reactions have been mixed with many developers expressing frustration at the attack and its possible consequences, rather than anger at Sony. Ste Curran, creative director at the Brighton-based studio Zoe Mode, told Develop Magazine: "From my perspective, the bigger issue is not about PSN, but confidence in digital distribution generally. For every story like this that breaks in the mainstream press, consumer confidence about their details being safe is eroded. Confidence [in online transactions] has been building up, and I think will continue to, but this is a blip. It could be a little step back."
Lol Scragg, founder of Cohort Studios in Dundee, told us that the situation may have devastating consequences for his company. "We have our first self-funded, self-published PSN game, Me Monster: Hear Me Roar, coming out next week, so from our point of view, the fact that the network isn't available is a big concern.
"They're saying it could be next week before it's fixed – well, that will be disastrous for us. The other issue is whether the consumers will have lost their trust in the network. If it comes back up, lots of people will be withdrawing all their credit card details, so the potential market we were looking at a week ago – well, this is going to affect it; it's going to cost us in terms of revenue. The PR department are really going to have to earn their salaries – the next three or four days are going to determine whether the PSN continues or falls apart."
Industry news sources have varied between rage, incrimination and sanguine reflection. On Eurogamer, Johnny Minkley refers to the situation as a PR disaster and berates Sony for providing gamers with too little information. "Some are already calling this Sony's 'Deepwater Horizon moment', in reference to the oil rig explosion and the subsequent handling of it by BP that caused the company's reputation so much damage."
However, Brenna Hillier on VG247 has a different slant, downplaying the controversy as a "melodrama" and highlighting the weaknesses inherent across the whole digital economy – with customers at the epicentre: "You're a weak link here. You're not aware of how much you give away about yourself. You trust, foolishly, that nobody can breach the walls society puts around you. You're wrong. You can't blame PSN for that; it doesn't store anything you wouldn't hand over anyway."
I also spoke to James Binns, publisher of Edge Magazine, and a veteran presence at Future, the company responsible for the Official PlayStation Magazine. He told me: "It's been exceptionally hard for Sony to manage this, since they were initially unaware of the scale of the problem. Communicating something this complex is a difficult job.
"They've now got to focus on getting the infrastructure right – that's more important than any PR messaging, and they need the time to fix it. The issues around cloud storage of personal information aren't going to go away. This has happened to Sony, but it could have happened to many other businesses that store consumers personal data, passwords and credit card details. It doesn't affect the quality of PSN's core offering which is strong.
"Among our forum communities there's as much a sense of rage directed at the hackers as there is at Sony. But Sony has work to do to rebuild public confidence."
As for the security industry, there's been speculation over how the intruders got in. Initial theories tended to focus on the hacker community, specificially the Anonymous collective who threatened Sony with reprisals after the company's legal action against fellow hacker George Hotz. However, many experts now believe the attack was the work of a sophisticated criminal operation. Rik Ferguson, a computer security consultant at Trend Micro, told us: "This has all the hallmarks of commercial criminal activity going for a saleable commodity. It doesn't look as though they would have broken in directly through the PlayStation Network. Far more likely is that they breached the corporate systems and then moved through them to access this valuable data."
"I think it's an attack on a central system," agreed Dave Whitelegg, a data security blogger. "There are so many different ways that could happen. At the data centre, for example; some of the big credit card hacks have happened via Wi-Fi attacks, getting into the corporate side of the network. It could be an internal attack, it could be someone plugging directly into the PlayStation Network with a PC pretending to be a PlayStation and bypassing security that way – there are just so many different attack vectors."
Meanwhile, Peter Wood of First Base Technologies is a "white hat hacker" who tests systems for large corporations. I asked him whether the discovery of the PS3 "root key" by hackers may have aided in this intrusion:
"I would say that without question, the more that you can explore a manufacturer's proprietary technology, the more weaponry you have for an attack. All gaming machines are, in the end, computers, but much of the software and a big chunk of the firmware is proprietary to the manufacturer – if you're able to gain privileged access to that, you will learn more about how the system works. And if the manufacturer has in any sense relied on 'security by obscurity' – ie, some hidden functionality, or the use or hidden ports, etc – those are exactly the sorts of vulnerability that will be exposed by reverse engineering hardware."
He does concur, however, that this looks to be the work of professional criminals, rather than hackers with a grudge against Sony. "If someone has got access to 70 million people's details, that implies to me that they have got control of a backend server somewhere within Sony – that's how it happened with everyone else, be it HBGary or Google or whoever.
"As we keep seeing over and over again, it only takes a stupid SQL injection flaw or something like that for somebody to be able to pull the data out of that backend database. Then it doesn't matter if the company is selling CDs, running a gaming network or a bank, the problem is those backend systems will all be the same sorts of things – they'll be running either Windows or a flavour of Unix, and they'll be running Microsoft SQL server, or Oracle or MY SQL – those are the only choices there are for storing this massive amount of data. And it only takes one configuration mistake to allow someone to suck all the data out."
Of course, there's always a third possibility, that this wasn't anarchists or major criminals, it was just kids looking for free stuff. It seems that Sony was first alerted to the problems when gamers started downloading masses of content from the PlayStation Store without paying, thanks to a custom firmware hack. Of course, CFWs have been around on the system for quite a while, and these are unlikely to give users access to the backend infrastructure. However, maybe a small vulnerability of the type Peter Wood hinted at became obvious during one of these smash-and-grab raids.
Whatever the case, everyone is agreed on one thing: whatever Sony does to deal with the hack, it had better be effective and it will have to be accompanied by a PR campaign of reasonably spectacular proportions. Although, of course, as the Red Ring of Death scandal showed, gamers do tend to have quite a forgiving nature.
