PSN: A Plea for Reason

The hysterics around the PSN breach have become incredibly hyperbolic. At this point it seems clear that no one got any credit card info, Sony just has to warn people to be cautious since, in theory, someone could have downloaded the entire database, although they have no evidence of this, and by some miracle brute force decode the whole thing. Likewise, identity theft isn't too big a problem since Sony didn't have anybody's social security number which is the most salient piece of data. No, the real biggest problems are compromised passwords which you may have used elsewhere, and downtime for the service itself. In both cases this isn't really any worse than any number of well publicized hacks in recent memory.

 

The problem is people are holding Sony to an impossible standard. People say they should have immediately notified everyone who was effected last week, but you can't assume they automagically knew what had happened and who was impacted when the intrusion was first detected, and Sony have come out and directly said they didn't really have a good idea of the nature and scope of the breach until Monday. People also complain that Sony shouldn't have built such an insecure system, but no system is perfectly secure and for all we know this was the most difficult and magnificently executed hack in the history of hacks. We can't say we know their security was bad, only that the concerted effort of the attackers overcame it. People also blame Sony for "poking the bear" or "kicking the hornets nest" when they sued Geohot and others (in an attempt to protect their business interests), which is a lot like telling a rape victim they shouldn't have dressed so provocatively. One thing is clear, no matter who the hackers were, this was an illegal intrusion, a criminal act and no matter what Sony's stance on custom firmware is (the compromise of which, for all we know, directly led to the discovery of vulnerabilities in PSN), that in no way excuses an attempt to steal customer information and credit card numbers.

 

It does not help that so much schadenfreude is being expressed by fanboy partisans around the net who have a distaste for Sony anyway and are more than happy to fan the flames of panic and anguish. My Google Reader feed is filled with outlandish, unsubstantiated and, frankly, unconscionable link bait stories written by people who don't understand what they are saying, but are happy to repeat anything that makes Sony look bad. Ars Technica loves telling us correlation does not equal causation when it come to videogame violence, but as soon as three idiots email them to claim they saw fraud on their credit cards (and depressingly common occurence, PSN notwithstanding), so few that you can't even rightfully claim even correlation, they are more than happy to report these coincidences as though they are news. Many outlets have also made the mistake of using the statements from random customer service reps in the banking industry to supposedly discredit Sony's claim to have warned major financial institutions. Speaking as someone who has worked in a call center for a major bank I can guarantee you Sony doesn't call the same 800 number that's on the back of your debit card to make such notifications and that kind of information takes a while to trickle down the chain.

 

To date, I haven't seen any evidence of actual damages incurred by customers due to the breach. Associated services like Hulu Plus have already done the smart thing and offered subscription extensions to impacted users. The biggest losers are small developers dependent on PSN sales for their livelihood. Talk of congressional inquiries are premature, as are class action lawsuits. The breach of PSN has been a massive inconvenience, to be sure, but it is not the business catastrophe it is being made out to be.

To date, I haven't seen any evidence of actual damages incurred by customers due to the breach. Associated services like Hulu Plus have already done the cool thing and offered subscription extensions to impacted users. The biggest losers are small developers dependent on PSN sales for their livelihood. Talk of congressional inquiries are premature, as are class action lawsuits. The breach of PSN has been a massive inconvenience, to be sure, but it is not the business catastrophe it is being made out to be.The hysterics around the PSN breach have become incredibly hyperbolic. At this point it seems clear that no one got any credit card info, Sony just has to warn people to be cautious since, in theory, someone could have downloaded the entire database, although they have no evidence of this, and by some miracle brute force decode the whole thing. Likewise, identity theft isn't too big a problem since Sony didn't have anybody's social security number which is the most salient piece of data. No, the real biggest problems are compromised passwords which you may have used elsewhere, and downtime for the service itself. In both cases this isn't really any worse than any number of well publicized hacks in recent memory.

 

The problem is people are holding Sony to an impossible standard. They should have immediately notified everyone who was effected last week, but you can't assume they automagically knew what had happened and who was impacted back then, and Sony have come out and directly said they didn't really have a good idea until Monday. People also complain that Sony shouldn't have built such an insecure system, but no system is perfectly secure and for all we know this was the most difficult and magnificently executed hack in the history of hacks. We can't say we know their security was bad, only that the concerted effort of the attackers overcame it. People also blame Sony for "poking the bear" or "kicking the hornets nest" when they sued Geohot and others (in an attempt to protect their business interests), which is a lot like telling a rape victim they shouldn't have dressed so provocatively. One thing is clear, no matter who the hackers were, this was an illegal intrusion, a criminal act and no matter what Sony's stance on custom firmware is (the compromise of which, for all we know, directly led to the discovery of vulnerabilities in PSN), that in no way excuses an attempt to steal customer information and credit card numbers.

 

It does not help that so much schadenfreude is being expressed by fanboy partisans around the net who have a distaste for Sony anyway and are more than happy to fan the flames of panic and anguish. My Google Reader feed is filled with outlandish, unsubstantiated and, frankly, unconscionable link bait stories written by people who don't understand what they are saying, but are happy to repeat anything that makes Sony look bad. Ars Technica loves telling us correlation does not equal causation when it come to videogame violence, but as soon as three idiots email them to claim they saw fraud on their credit cards (and depressingly common occurence, PSN notwithstanding), so few that you can't even rightfully claim even correlation, they are more than happy to report these coincidences as though they are news. Many outlets have also made the mistake of using the statements from random customer service reps in the banking industry to supposedly discredit Sony's claim to have warned major financial institutions. Speaking as someone who has worked in a call center for a major bank I can guarantee you Sony doesn't call the same 800 number that's on the back of your debit card to make such notifications and that kind of information takes a while to trickle down the chain.

 

To date, I haven't seen any evidence of actual damages incurred by customers due to the breach. Associated services like Hulu Plus have already done the cool thing and offered subscription extensions to impacted users. The biggest losers are small developers dependent on PSN sales for their livelihood. Talk of congressional inquiries are premature, as are class action lawsuits. The breach of PSN has been a massive inconvenience, to be sure, but it is not the business catastrophe it is being made out to be.