Hacking Game Companies: Who is to Blame?
April 17th 2011, a day that will live in infamy in gaming history. Of course, this is the date that the Sony PlayStation Network (PSN) was first taken down due to unauthorized intrusion on the PSN servers by hackers. This event had two significant consequences: first, it prevented nearly 50 million PS3 and 70 million PSP owners from accessing any of the network features of their respective systems (i.e. online play, PlayStation e-store, trophy syncing, etc.), and second, it exposed over 100 million user accounts to hackers, including emails, passwords, usernames, download history, and credit card credentials. Naturally, panic ensued, more so because hardcore fans could not fathom life without being able to sync their trophies to watch their trophy level increase or get online with their buddies for nearly a full month. In all seriousness, it was one of the largest hacker events in the internet age and something that has cost Sony dearly in terms of customer confidence, money, time, and momentum.
As unfortunate as all this was for fans, developers, and Sony, what really struck me was that most people seemed to actually put the blame for all of this on Sony for not doing enough to protect the confidential information of the users and for taking too long to inform the users of the breach. While browsing numerous game sites and forums during the network outage, it wasn't uncommon to see talk like "I'm never buying a Sony product ever again!", "I'm not going to buy the new PSP when it comes out because it will still be on PSN", "I've sold my PS3 and moved to Xbox", "I will never trust Sony again", "Sony screwed up big time", etc. In my opinion, drawing conclusions like that sounds naive, immature, and ignorant of the real issue. The real issue, of course, is that the Internet is not secure in any sense and you should never blindly trust Sony or any other company with your confidential information on any network.
I've always contended that to blame Sony (or any other victim of a hacking attack) for allowing themselves to be hacked is analogous to blaming a robbery victim for letting the burglar get into the house. The key point is the same in both scenarios: there is no such thing as complete 100% protection against intrusion. Throughout history, people have been victims of robbery whether they had a wooden door with no locks or a 10 ton safe protecting their assets. The reason for this is simple: if the person(s) committing the robbery is dedicated enough to the task and given adequate resources, there is always a way of working around any security measure. Security mechanisms are intrinsically made to be broken because there is always at least one party who should have access to the protected content. Thus, for every lock out there, there is a key somewhere. For every encryption algorithm, there is an encryption key. The best thing the victim can do is not make it easy for them. Use a metal door with deadbolts instead of a wooden door without locks. Invest in an alarm to accelerate notification and potential recovery. But there is no guaranteed security for anything.
So did Sony make it easy for the hackers to access the personal information of over 100 million customers? Well, it couldn't have been too easy given that PSN debuted back in 2006 when the PS3 was released and was not hacked for over 4 years. In fact, among gaming companies and hardware, Sony's PS3 was the only system to not have been hacked as of the end of 2010. Then of course, the PS3 master key was finally broken, opening the floodgates for hackers in December 2010. By that time, both the Xbox 360 and Wii hardware had long been hacked and Xbox Live has been a victim of intrusion on more than one occasion. Let's not even put the words "security" and iPod, iPad, or PC in the same sentence. So I would argue that Sony has been relatively secure for quite some time and has arguably increased the target on themselves with some questionable decisions (i.e. removing OtherOS). But at the end of the day, let's not confuse what this is: this was not a high school student playing around who happened to stumble upon the database of the PSN and its users accidentally (that would be making it easy). This was a concentrated, sophisticated, and deliberate attack on Sony that could have honestly happened to any of the large gaming or tech companies out there. Think of this attack as more like the Ocean's series or The Italian Job instead of the apartment robbery seen on your local news.
If I was being rash with my thinking that this attack could have happened to anyone, the last few weeks have proven me correct. The list of just gaming companies that have been victims of cyber attacks in just the past few weeks since the PSN attack includes (but is not limited to):
Codemasters (DIRT series)
Bethesda (Brink, Fallout)
Eidos (Tomb Raider)
Epic (Unreal engine, Gears of War)
Square Enix (Final Fantasy)
Bioware (Mass Effect)
So again, nobody is safe from these coordinated and determined attacks. So tell me, are each of these companies to blame just as Sony was for the PSN hack?