The PSN hack lessons

The hacking of the PlayStation Network is a very bad thing for our industry as a whole; not just Sony. There have been rumours that a major commercial provider of online resources was used by hackers to hack into the PSN.

Not only have the stories spread distrust and anger amongst games players, anxiously checking credit card statements and changing passwords for other online services, but it raises the spectre of potential future exposure of all online ‘cloud’ resource providers in terms of liability caused by actions of their customers using them to attack other services.

Doubtless they are busy checking those many customers now and verifying they are genuine commercial organisations, and I suspect they are also looking at what those customers are doing with the facilities they rent to them in a lot more detail.

This future, understandable paranoia may make doing such business ‘in the cloud’ much harder, especially for start-ups without a track record to carry the inevitably much more specific – and larger – insurance policies that will follow.

The main advantage of these ‘cloud’ services is that a hard-to-estimate business venture like a new online game can rent the relatively huge resources of an online provider at short notice based on actual demand, and tune the servers and bandwidth rented thereafter to match the eventual take-up.

The trouble is this profile to the service provider, at least in the first few days, is not unlike the sort of usage like that rumoured in the hack attack on PSN; for example a small-scale test followed by a relatively huge ramp-up of resources.

HOTZ PROPERTY

There is a further issue too; the publicity that these attacks generate. I imagine there are few in this industry that haven’t heard of George Hotz now or indeed of Anonymous.

I thought the identity – perhaps we should say ‘branding’ these days – of Anonymous, taking imagery from the excellent film V for Vendetta was a good one, and I’m sure there will be many in that loose organisation who are very angry that others, probably outsiders simply misdirecting blame, have now irrevocably tainted the image of the wider group.

I have hacked into systems in the past (I was asked to do so) and it was an interesting challenge, but I succeeded far more quickly than the owner of the system expected. This is often the way.

It amazes me there has been so much talk about the fact that the British cracked the Enigma code in World War II, but no one thought to consider if the Germans had cracked the simpler British codes.

They had, but not unsurprisingly chose not to tell the British – and, of course, the victors write the history books.

Practically speaking, people are always the weakest link. With enough dedication, most security systems can be overcome eventually.

All we can really do is make our house or network or whatever more secure than the one next door. Using memorable but easy-to-guess passwords, writing the passwords on post-it notes that are easily noticed by visitors, or simply someone working ‘on the inside’ are all problems.

Much like with houses we have to be able to get in and out. Extra security is something to be suffered by us all as a result of the danger of break-ins, so we tolerate imperfect security in return for practicality. Let’s face it, a house with no doors or windows would be more secure, but not very practical to live in.

THE DEVIL’S IN THE DATA

In the PSN case, as with other less publicised ones, the target has been the user data; Names, email addresses and so on.

The key should be to reduce the value of having such lists in large numbers. We all tolerate casual fraud every day; we have no practical choice.

By this I mean the numerous emails trying to sell us something, or to scam us by saying we have inherited millions. But those scams are a part of the problem. They rely on such lists of in-use email addresses to do these annoying scams in the first place, and companies – like ours – regularly get emails offering to sell bulk lists of addresses, perpetuating the annoyance.

If sale of such bulk email lists were outlawed, this might help. We will all continue to pay for it in the years to come, the online component of our industry especially, as trust in online activities with access to credit cards is damaged.

Hacking has been around a long time and is probably here to stay, but hopefully this mass loss of personal data will be a rare thing. We need it to be.