Did you miss Playstation Network?

Originally posted 05/16/2011 on lubbockonline.com

I've been remiss in not reporting the Sony Playstation Network breach and outage. The network started going back up this weekend. Ok, yesterday.

You might wonder why I would seemingly ignore one of the largest data breaches ever. Part of it was waiting to see what came out. Part of it was that if you were active on the PSN you were probably already more aware of the situation and following it closer than I had time to. But now there's more information, and I might actually be able to tell you a few things you don't know about a breach like this. Sadly, it won't be good news

Joshua Grech of the Daily Telegraph reports that the PSN started coming back up sometime Sunday, although it may take a few days for everything to be available again. He also reports that Sony is going to offer a "Welcome Back" package of software and content to encourage people to stay with Sony and Playstation (or come back if they've bought an Xbox during the outage). As part of the increased security in the system users will have to change passwords when they log back in, and will have to prove they are the account holder to do it. When announcing the return to service Sony Group CEO Kazuo Hirai had one of the best non-apologies I've seen:

"I wish I could tell you that technology is available to completely protect any company against cyber attack. "But unfortunately the threat of cyber crime and data theft will continue to plague networks, companies, government agencies and consumers around the world for some time to come."

Translation: "Sorry, people. It's not our fault. We can't prevent it and neither can anybody else, now and forever."

It's true that there is no perfect protection against bad guys, online or in the real world, the disturbing thing is how hard it is to track a truly skilled attacker online. Bianca Bosker at the Huffingtong post looks at just how hard it can be. A truly skilled attacker will use botnets, spoofed IP addresses and spoofed MAC addresses as well as multiple hops through computers - some under the control of the attacker, some not, but all used to obscure the origin of the attack.

When a breach is discovered there are steps taken to find out what happened. What those steps are varies from company to company, but one of the first is to check the system logs:

Once a company discovers its network has been breached, investigators will usually first comb the server’s log files, which record all traffic to and from the server including attempts to access the network or extract information from it. Reviewing these records -- the digital equivalent of watching security camera footage -- offers a look at any suspicious communication with a company’s network and where it may have originated.

Unfortunately, though logs are one of the best tools for seeing what happened on the server, skillful attackers can easily negate them by editing all evidence of their activities out. By doing that they could keep an attack from being noticed for weeks, months, or even years. Unlike theft in the real world, theft online leaves the original on the server. Removing the logs entirely would tip off the systems administrators that something happened. Editing the logs removes the evidence that something unusual has happened while leaving all records of normal activity in place.

Sony has gotten a lot of bad publicity for having the PSN down for so long, and are being sued for the breach. We don't know what kind security they had in place. I would be tempted to say that it obviously wasn't adequate, but the truth is, no one has adequte security. Sony's real failure was in the handling of the breach. Instead of being open and informative they were secretive and withheld important information in the hopes of controlling the damage. They did the same thing when they loaded rootkits on CD's, and I imagine they'll do the same thing the next time they have an event like this. Because breaches like this will happen it makes no sense to hide when they happen. The thing to do is have policies and procedures in place that cover breaches and provide for the rapid dissemination of information to the people affected, law enforcement and the media. That doesn't mean to tell everything, but each of those groups should receive the appropriate information.

Every company should have every possible protection in place, but must admit that they are not immune to breaches and prepare for that eventuality. It's the only responsible thing for them to do.

Twitter much more than a social network

Twitter is the surprise contender in the free speech arena. It is also becoming a surprise tool/weapon in the fight over the line intellectual property rights and fair use.

Twitter is becoming a lot more important than anyone would have expected in the case against WikiLeaks. CNET reports that a judge has set a hearing to determine whether the Justice Department has a right to the Twitter accounts and records of several Wikileaks members, including a member of Iceland's parliament. A decision in Twitters favor could hamper Justices case against Wikileaks, but it's unlikley it would scuttle it.

I've been blogging about Sony's war against George Hotz, but today there was an amusing development. David Kravets at Wired reports that a Twitter user sent the PS3 unlock code to Sony's "Kevin Butler" Twitter account. Whoever runs the account wasn't looking and retweeted it to all 75,000 of his followers. Gotta love the irony. Sony probably sent the unlock code to more people than George Hotz ever did.

When the internet was turned off by the government in Egypt people used their cell phones to text updates to Facebook and Twitter. In the past year there Twitter has been a major source of information in several areas of unrest and civil rights abuses in the past year.

A few years ago no one would have thought a "microblog" site would become a major source of information and a major tool for the oppressed to make public their plight.

Sony looking for anyone posting PS3 hack

Sony is threatening to sue anyone who is posting or distributing the PS3 hack refined and distributed by George Hotz. According to David Kravets of the Threat Level blog it doesn't end there. Sony is requesting a judge order Google to turn over the the number, names, IP addresses and all comments by people who viewed the video of the jailbreak on youtube.

Sony is claiming that jailbreaking will eat into PS3 games sales, and has demanded (and the judge granted) that Mr. Hotz turn over all of his computer equipment to them. The whole situation is ludicrous. The exact same activity that Sony is up in arms about is entirely legal on a cell phone. Until recently the PS3 didn't have the protections that George Hotz is being sued for circumventing, and Sony didn't mind if other software was put on the PS3. Even Linux was ok, and that made the PS3 useless as a game console. Modders, the people who would be most likely to use this hack, are a small minority of PS3 gamers.

This problem isn't there because of George Hotz. This problem exists because Sony removed functionality - the ability to install homegrown software on your PS3. What gives them the right to do that? Should GM be able to disable your CD player after you've paid off your car? I would hope that the Judge would boot Sony out of court. But he won't. Hopefully common sense will rule the court and jailbreaking your PS3 or other game console will be legal.

Is Sony only loaning you the PS3?

Wired's Threatlevel blog reports that George Hotz has been ordered by the court (PDF) to turn over all of his computer equipment to Sony. He has also been ordered to recover any and all devices or instructions for getting around the security that keeps you from installing software you want on your Xbox but that hasn't been approved by Sony. Software such as a different operating system - something that was permitted until recently. That's bad enough, but the Sony has already released a firmware patch that renders Mr. Hotz's hack ineffective. Yet one of the reasons Sony wanted all of his equipment and data because his keeping it would do them irreparable harm. The irreparable harm of allowing people to make full use of the equipment they've paid good money for. The jailbreak is a massive 100k. The equipment Sony wants contains terrabytes of data. Yet less than a week after the judges ruling, a patch is out that prevents the jailbreak from working, meaning Sony will suffer no further harm. That there was any harm in the first place is arguable.

Worse, the judge ordered "the Defendant Hotz, with notice of this Order, shall retrieve any Circumvention Devices or any information relating thereto which Hotz has previously delivered or communicated to the Defendants or any third parties."

Folks, the instructions were posted on Youtube. They've been posted and reposted all over the web. Mr. Hotz and removed the Youtube video and any other copies of the information he can, but the genie is out of the bottle. Short of shutting down the internet, George Hotz can no more retrieve all copies of his PS3 jailbreak than he can put out the sun by spitting at it. That demand is impossible to comply with.

But all of this really hinges on one question: Who owns your PS3 after you've handed your $300? Software companies started the idea of licensing their products instead of selling them outright. I don't like the idea with software, and I can't stand it with hardware. The idea that when I buy a computer I can't decide to change it without permission of the company I bought it from is ridiculous. It also would have cost Sony money, had they forbidden modifications to PS3's a couple of years ago. The Department of Defense bought several thousand PS3's and installed Linux on them to create a bargain basement price supercomputer. That couldn't have happened under the current Sony rules.
How long will it take for the government to realize that the DMCA is too vague and is easily abused, and that abuse stifles innovation, opposite the intended effect of intellectual property laws?

Sony hammers researchers with DMCA

On the Deeplinks blog at eff.org Corynne McSherry and Marcia Hofmann report on the case of Sony vs Hotz. The implications of the case are broad reaching and frightening. Sony is suing researchers for the crime of exposing security holes. The researchers found security holes that allow users to run Linux on the Playstation 3 - something Sony allowed until recently.

This is the ultimate result of the Digital Millenim Copyright Act (DMCA). The DMCA makes it a crime to circumvent security measures on electronic media and devices - even if you have purchased the device and are exercising rights granted to you by other laws. Copyright fair use and modifying your own equipment on your own network for otherwise legal uses are two examples.

Sony is also suing under the Computer Fraud and Abuse Act (CFAA) because the the researchers violated the terms of use for the Playstation Network - even though it appears the researchers used their own network, not Sony's. As McSherry and Hofmann point out, Sony is suing the researchers for using computers (PS3's are computers) they bought in a way Sony doesn't like. If Sony wins this case we could find ourselves facing criminal charges for installing software that didn't come with the computer or connecting our television to the wrong provider.

You think that sounds farfetched? Sony is suing these researchers because they installed Linux on Playstation 3's. Something Sony allowed until recently, but now is willing to go to court to prevent. If Sony wins how long before Dell insists you can't install Linux on their computers, or HP decides that you can't install Open Office, AbiWord, or any other replacement for Microsoft software?