Editorial: Who Is Responsible for the PSN Outage?

I am nothing if not magnanimous. For those of my readers that live under rocks, or deep inside Mom’s Basement surrounded by love pillows and the entirely abhorrent Atlus-driven marketing campaign for sex robot murder masturbation simulator Catherine, Sony is in a bit of a pickle.

A few weeks ago, Sony’s vaunted PlayStation Network experienced a serious and prolonged outage and some of its users’ personal data may have been stolen, and that data may be being sold on the black market, which is terrible news as all PSN nerds might have hundreds, possibly even thousands, of dollars in spare change in their dwindling bank accounts.

The general staff consensus as reached on the podcast was that this was not the work of hobbyist crackers and network security aficionados. Anonymous has refused to take credit, and their refusal lends some credence to their story. Pulling off an act of e-vandalism such as this and then disclaiming responsibility is not the style of Anon. Sony Public Enemy #1 GeoHot, on the other hand, seems to think that Sony’s anti-consumer, anti-hacker attitude is responsible for “alienating” the hacker community, leaving legions of disgruntled hackers no recourse but to… break into a secured system, steal personal data, and sell it for profit?

George Hotz
George Hotz's hair is a tribble; your lawsuit is invalid.

For those of you blessedly young enough to have grown up in a world before hacking became a commonplace term, allow Grampy Lane to spin you a yarn of yesteryear, when computer cowboys met in a bar called the Gentleman Loser, down on the south side of the Sprawl, and talked about that time Case punched the Villa Straylight in mirrorshades.

As that was no doubt gibberish to my uncultured buffoons of readers, allow me a digression.  In the late 80s and early 90s, a new form of “punk” sf arose from the dingy basements of the nascent computer geek subculture:  cyberpunk.  Spawned mostly from the cryptopen of one iconoclastic writer, William Gibson, the genre focused on the exploits of gray-area dwelling computer criminals in a dystopian future where the international megacorps won and we all got screwed (but it is not coming true, amirite?).  Because cyberpunk was hugely popular with the kids at the time, and this newfangled thing called the Internet was really starting to take off when Netscape 2.1 got support for frames and this upstart company called Macromedia created Shockwave, hacking also became immensely popular.

Whereas real hackers were programmers that often pulled apart proprietary hardware and software to learn how to make it tick, the new generation of hackers (called “script kiddies”) were little more than juvenile morons who used tools written by unethical programmers to make nuisances of themselves on emerging networks.  Having only little or no knowledge of computer programming or network architecture themselves, script kiddies nevertheless wanted to recreate the technodrama of cyberpunk in the here and now by making like their security-cracking heroes, who spent their time finding, exploiting, and then (hopefully) fixing holes in network security.

Which leads us back to hacker culture today.  A real “hacker” (as opposed to a vandal or cracker) is simply a programmer or network security specialist that likes dicking around with hardware and software.  GeoHot is, appropriately, a hacker, because all he did was investigate the PS3’s native security and then publish key components necessary to “hack” into the system itself, gaining control of hardware and software usually sealed-off from a user.  The “whys” and ethics of whether he should do this are irrelevant; he merely provided a way to get at a certain object, in this case, the PS3’s basic systems.  This could be used for any number of purposes, most benign, and only a few malign.

GeoHot is drastically different from someone that would break into a secured system, steal personal data, and then attempt to resell that data to unscrupulous criminals on the black market.  Anonymous, for all their claim to be legion and without conscience or pity, are not criminals and have not, to my knowledge, ever been involved with identity theft.

Mirrorshades Anthology Cover
This is how we rolled, back in the day.

So who, then, could perpetrate this?  I do not think GeoHot is correct in assuming that disgruntled hackers chose to take down Sony’s system in some sort of protest.  Again, the nature of their hacking would be to find the exploit, and then publish it to show Sony that their claim of security was but one more lie to their customers.  Even hackers so upset at Sony’s practices that they would actively take a break from doing whatever it is hackers do in their off time (swill Mountain Dew, tend to their families, and re-solder old Apple ][e boards, probably) are hardly the types to turn to hardened crime…

Which leaves actual criminals.  Organized crime is, sadly, not a thing of Scorsese movies or the history of Chicago.  The average PSN user’s identity is inherently more valuable than the contents of their bank account.  Organized crime syndicates and identity thieves can make far more use of a name and fake persona than they ever could with the $1,500 in savings someone has.  False passports, fake identification documents, fake visas are all big business for people involved in drug and human trafficking.  Criminal organizations that wish their members to move through society undetected require false IDs.  And the sorts of information stored on a PSN account (such as answers to secret questions, home addresses, names and birth dates) are the keys by which savvy criminals can socially engineer and steal even greater bits of one’s identity to fuel their black market trade in false personae.

And what better cover for such a heist than a break-in to a major computer entertainment company’s network, timed around the same time as Sony has alienated and angered many in the computer security field with their civil litigation against a hacker?  Of course it was those disgruntled hackers sitting in their basements eating cheetos, we all say (including GeoHot).  Because that is the simple and easy explanation, the one that tugs on our sense of familiar narratives. But it is logically inconsistent with the stated values and aims of that community, and much more in line with the standard operating procedure of a sophisticated criminal organization. Who, thoughtfully, will never claim any actual responsibility for it because the best way to remain in business as a criminal organization is to never let people know you are there.

Sony’s litigation to protect their interests and proprietary trade secrets is par for the course; do not think for a second that any major computer entertainment company would hesitate to do the same.  And well that they should; failure to protect legal interests in court often leads to the judiciary turning a blind eye and deaf ear to future complaints.  GeoHot may be a romanticized, Robin Hood-esque hero to many nascent populists that dislike the faceless, money-grubbing ways of megacorps, but in reality, he is just a fairly tech-savvy guy that broke a thing and revealed a secret, in and of itself a simple act that, divorced from its context, has no ethical implications.  But the proper reaction from GeoHot’s supporters would not be further acts of vandalism and electronic violence against Sony; ultimately, such actions would be rooted only in petulance and the spoiled whining of children who feel that they are somehow entitled to Sony’s secrets.  And indeed, there is no indication that the hacking community behaved in the way that everyone expects them to.  But that narrative, promoted from within and without the gaming community by people that understand the world in too simplistic of terms, has gained real traction, and I worry that it is being used as a smokescreen while actual thieves make away with the identities of innocents caught in the senseless crossfire between Sony and consumers.

10 comments

  1. Today, Sony claimed that Anon is behind this. I tend to believe this claim, because if they had forged the details they claim to have found, the security firms (almost certainly including Kaspersky and Symantec) would not stand for the deception.

    I think we are all looking very much into this; probably moreso than we need to be. The hackers “had access” to lots of data. How much did they actually take? Sony doesn’t know–nobody does. I am perfectly willing to believe that this is Anon doing their best to blow Sony’s network apart and to leave them with loads of egg on their face. If that is the case, I’m not willing to believe Anon were there to steal credit card numbers or identities. I don’t like Anon, I don’t like their methods, but at the same time I don’t think they are in this for identity theft and fraud.

    Alternatively, Sony may have no idea who did this and are using Anon as a scapegoat; which begs the question: how do they get three major security firms to go along with such a deception?

    We must also remember that Anon is not an organisation in the typical sense. It has no clear leadership chain. One speaker cannot speak for all of the group; some of them may be inclined to do things even when others within the group do not. The Facebook page for the ‘group’, when this event took place, seemed to support that conclusion.

  2. Update!
    http://www.bbc.co.uk/news/business-13288532

    Now, Sony claim that the DoS by Anonymous provided cover for a more sophisticated data-theft attack. They stop short of saying the two were correlated.

    “Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know.”

    Once again, I’m totally unwilling to believe, without solid evidence, that Anonymous was a wilful participant in an identity theft conspiracy. It just doesn’t match their modus operandi, and I’m willing to believe their avowed claims to a certain degree.

    I wonder what further developments await!

  3. AFAIK, the “evidence” behind Anon’s involvement was a plain text file containing Anon’s well-known slogan. Anon has been fairly consistent in denying responsibility, which is also against their MO. They’ve never attempted to disclaim credit before, and while a distributed denial of service attack is within their capabilities and standard operating procedure, a DDoS is a nuisance, not a true cracking attempt.

    A cracking attempt to get at personal data smacks of actual criminals using a likely cover (“Anon did it!”). I wouldn’t be entirely surprised if Anon beat Kaspersky or Symantec to figuring out who actually did it, just to clear their name of being involved with cracking.

    While I (sadly) have not kept my education in programming and networks up, I generally support hackers and hacking as worthwhile forays into the wild of computer architecture. Although I do not support any criminality and think hackers should and ought to work within the law to explore the hardware and software domains (and generally, they do), Anon and their tactics do not make them criminals.

    And I hate to see innocents being blamed for a crime, especially now that federal regulators and law enforcement could be involved. Don’t scapegoat hackers; go after the unethical SOBs that hired themselves out to a crime syndicate.

  4. The night the event took place, some members of Anon posted on the group’s Facebook page saying that they were proceeding with an attack, and basically apologising to other members of Anon who were against it. This is what I meant when I said that they are not an ‘organisation’ or ‘united’ in the typical sense of the word.

    You raise a great point: criminals leaving behind an Anon-like text file to cover their own tracks. Totally believable. Especially since it now seems (given the latest update) that Anon was providing cover (almost certainly unwittingly) by perpetrating a simultaneous DDoS attack whilst the real hackers were data-mining in the bowels of PSN.

    Incidentally, a DDoS is *exactly* the sort of thing Anonymous does and is well capable of, and is much more plausible than a massive, articulated hacking attempt. Let’s be clear: a DDoS isn’t a ‘hack’ and isn’t ‘hacking’. It’s an attack, but is in no way even in the same league as what happened to PSN with regard to data security.

    My guess is that what the House heard today is probably the actual case:

    1) Some members of Anon started a DDoS, aimed at knocking PSN offline. They had done this before.
    2) Whilst this was going on, another group–much more sophisticated, probably funded by organised crime in Russia or China–broke into PSN and ‘gained access’ to personal data.
    3) Sony took the entire network down and set about trying to determine what the case was, to which end they hired several companies, including Guidance Software and Data Forte, amongst others.

    The developments that come out of this are enlightening, if only because they show the rather unusual way in which this information is making its way to Sony’s hand, and the ways in which they seem to be trying to fit their PR line to the ever-developing facts.

  5. This is an episode worth a Hollywood movie.

    -@Lane: Have you read Underground? It’s an eminently readable account of late 80’s hacking, co-authored by Julian Assange.

  6. I’ve read some of Assange’s stuff but tbh I am not entirely sure what it was called. Mostly it was his political philosophy.

  7. No, well this is a proper book co-written with a proper author, not really heavy on the political philosophy. It just charts the early days of hacking, and some of the more interesting episodes like infecting NASA’s systems with a debilitating worm program.

    It’s an absolute page-turner, which isn’t my typical experience of non-fiction.

  8. For all the vigilante justice Anonymous is known for, and I can appreciate an epic David vs. Goliath narrative as much as anybody, Anonymous has been known to do much less heroic stuff like try to get 11 year old girls to strip on webcams and then posting personal information and making death threats for failure to do so.

    Personally, I think Anonymous probably has been DDoSing Sony off-and-on, if not constantly, since they went after GeoHot. And mulling through billions of log entries from spoofed IP addresses to find the handful that gained access to their internal network is very much needle in a haystack type work.

    There are also plenty of botnets out there that are controlled by organized crime that could provide the same cover.

    Adding in that Sony found a bunch of servers unexpectedly rebooting with logfiles apparently deleted I think it’s possible that whoever got in used a secure delete program and those files aren’t recoverable. So whatever individual(s) got in may end up getting away with it.
