Sony just released a bit of info regarding the PlayStation Network and Qriocity breach that I’ve been dreading to read since March. Simply put, everyone’s personal information such as usernames, passwords, addresses, and possibly credit card and purchase information has been compromised due to an unauthorized intrusion in their network. I’ve said time and time again that a breach like this is peanuts compared to what happened at Gawker back in late 2010 and nowhere near the magnitude of the Epsilon breach a short while back. With over 70 million accounts affected and the depth of the sensitive information accessed, this is easily one of the largest security disasters in Internet history. To put it into perspective, this is the equivalent of almost a quarter of the population of the United States becoming vulnerable to identity theft overnight. So who is to blame for this? Does the blame game make an all-out assault on Sony? Are Anonymous and the hacker splinter cell that piggybacked on their tactics the ones we tar and feather? Or are we the ones responsible for this attack via our growing hive-mindish and egotistical outlook on the world?
The old saying of “fool me once, shame on you, fool me twice shame on me” applies to a broader degree in today’s globalized economy. The importance of internet security has been beaten to death over the years, with issues ranging from the insecurities of IPv4 to viruses such as Conficker, and identity theft to brute-force database breaches. The 2000s transformed the Internet into the most dangerous playground of them all as hackers became smarter on a playing field that remained largely the same since the mid 1990s. As the war on the wired frontier has heated up, a war on the wireless frontier is just beginning to brew. So when all these previous warning signs regarding the protection of your consumer’s information arise, you expect every sensible company out there to take measures to ensure that a breach doesn’t happen to their home.
The Gawker hack was the tipping point that should have led every major corporation out there to completely re-analyze the consumer protection security systems they had in place. It’s not that recent security breaches were performed by some elite group of super-hackers. All it took was a small group of young people who simply understood how the Internet worked. Their knowledge, at best, is comparable to that of professionals working at major security firms such as Kaspersky or Norton. The Gawker breach made consumers rethink how they use passwords, and it should have made companies dealing with sensitive consumer information rethink how they protect their users.
Sony chose to ignore that, whether it be for reasons driven by financial concerns or reasons driven by hubris. It isn’t cheap to bring in a firm to completely overhaul a network that deals with 70 million people worldwide. Suddenly explaining to investors why millions of dollars were just cut from this quarter’s financials, potentially causing Sony to fall short of analyst forecasts and expectations, is possibly just as costly a move. So Sony chose to ignore the turmoil occurring in the online industry and opted to keep its fingers crossed in hopes that such a breach wouldn’t happen to them.
Then came the first major warning sign. In February, a hacker published a report giving detailed information on how insecure the PlayStation Network was and how certain sensitive user information was obtained with minimal effort. This information wasn’t isolated in any way; it was republished by a major PlayStation blog among other sites. It’s almost 100% guaranteed that this information was obtained by Sony at some level of the bureaucratic hierarchy. Yet Sony did nothing. It was at this moment that a ticking time bomb became active and it was only a matter of time until Sony’s own ineptitude caused it to blow.
Sony is definitely at fault here. The personal information of over 70 million people should never have been transferred across the network in pretty much unencrypted text format for anyone with a few simple tools to acquire. It is absurd that Sony would implement such lax security measures when dealing with the transference of sensitive information such as credit card numbers and security codes. The PlayStation Network launched in 2006, over a year after the major CardSystems breach that involved the exposure of over 40 million credit cards. A year is plenty of time to implement security measures to prevent that. Over four years is definitely more than enough time to set a few million aside to revamp those security measures. Simply put, this PSN breach is unacceptable on Sony’s part. Sony’s sloppiness was fueled by either frugality or hubris, but the hit it would’ve taken by revamping the PSN’s security would have been far less costly than the aftermath it will experience due to this breach.
Blame the Hackers
Speaking of hubris, hackers are so bent on personal pride for their accomplishments that they often make the mistake of linking their exploits back to themselves. The Melissa worm, the Blaster virus, and the ILOVEYOU worm easily come to mind as major internet security threats that were traced back to their creators, with arrests made. Over the last few years, the hacktivist group known as Anonymous has risen out of the ranks of 4chan to act as sort of a “moral compass” for anonymous Internet users worldwide. Originally the actions of Anonymous were strictly for the lulz, with campaigns against Habbo, child-predator Chris Forcand, and the Church of Scientology. Somewhere around 2009 or 2010 Anonymous began to take a more serious spin, with its attacks being more politically and “ethically” motivated. Culminating with the HBGary disaster, Anonymous had outgrown its original mission of lulz to become an all-out hacktivist group bent on punishing those who infringed upon certain Western ideologies.
The thing about Anonymous is that they work in numbers. They pack a very big punch and when the masses combine, the punch is devastating. For being such a disorganized group, they sure know how to mount an organized attack. The downside to this is that the more people that are involved, the more likely it is for information to be spread to other people outside the group. This is precisely what happened in the Sony breach. The initial information regarding the PSN’s lack of security measures was greeted with skepticism when it was posted on PS3Crunch.
Many criticized the document as being full of vague information and supposition. Of course, the self-proclaimed experts of the Internet regarded the document as junk because no specific details were given on how the hacked information was obtained. The hacker behind the document did his best to conceal this information for obvious reasons. However, that didn’t mean that another hacker couldn’t reverse engineer a hack to arrive at the same conclusion based off of the initial release. Give someone an end result and some vague information and they’re bound to come up with the means sooner or later. Anonymous only attacked Sony’s websites, but a supposed splinter group took it a step further and attacked the PSN using the same methods the hacker of the original document used. The end results were the same. Personal information including usernames, passwords, credit cards, and more became accessible to that group, prompting Sony to perform an emergency shutdown of the PSN and Qriocity services.
The fault obviously lies with the splinter group that performed the breach. Anonymous backed off on Operation Sony after its initial attacks on Sony websites because it realized that the end-user of the Sony products was not their target and therefore should not suffer the burden of their attack. The hacker who initially revealed the security issues with the PSN is also at fault here. Instead of contacting Sony directly or contacting a security firm to present his or her findings, the hacker opted to go public with the information that eventually was used to cause the meltdown that has been happening for the last few days.
The personal quest for status and pride is what triggered this whole event. A more malicious group simply picked up where he left off. Both he and the group responsible for the breach should be prosecuted to the fullest extent of the law. They are the true culprits in this situation and the reason why you may soon be a victim of credit card fraud or identity theft. Sony is just as big of a victim in this situation as you are.
Or are we the culprit as much as we are the victim in this situation? Part of the reason why Anonymous is what it is today and why 4chan reigns supreme is because we, the denizens of the Internet, support them and laugh with them in their exploits. Every day people glorify Anonymous as a symbol of freedom and rebellion. We use their memes, we follow their “operations,” we start our own mini-revolutions against authority out of inspiration, all because we believe in values such as freedom and equality.
Yet through our support over the years for such behavior we have developed a hive-mind mentality that is as destructive as the issues we oppose. Take Reddit, for example. I enjoy Reddit as much as the next person. I’m not a frequent commenter but I like to browse the main page, the WTF section, and I sometimes skim the Technology section to make sure no news stories slipped past my Google Reader. It’s a great place to go to when I have a few minutes to kill and I know I’ll find something that will make me laugh. Yet the hive-mind mentality that originated with 4chan and Anonymous is most prevalent in Reddit and in other sites across the internet. Reddit often becomes a prime example of an organized elitist community of 4channers where sensationalist titles rule the upvote and often contradict the very same things they go against.
That hive mind mentality is what makes articles dealing with the infringement of personal freedoms in the Middle East reach the top of the front page alongside a topic of a proposed witch-hunt against an individual who said something questionable on the internet. The moral compass of the internet is skewed far beyond repair because we rely on the hive mind mentality to fuel our opinions and beliefs. Sensationalist titles are what are driving our beliefs, and this is exactly the behavior that fuels Anonymous in its actions.
We advocate freedom of religion by condemning oppressive regimes halfway around the world, yet we rally behind a group that launches an attack against a religious organization here at home. We are quick to rabidly point out “socialist” and “Orwellian” qualities of the current administration yet we are quick to go after websites to silence them for voicing opinions or beliefs that are contrary to the Western ideologies we grew up with. We support all of these radical movements and hackings yet when it backfires we cry foul. This is exactly what happened with the Sony breach.
Before the hive mind existed, hackers were individuals or obscure small groups that carried out the dirty work for their own personal gain. Now everyone wants to be involved on the bandwagon until it no longer benefits them. We gave Anonymous and the splinter group the OK to hack Sony because we support their actions most of the time. We played with fire and now we got burned. We are guilty for indirectly supporting such groups in the first place. We are guilty for being part of the hive mind that gave rise to these groups. The Sony breach is as much our fault as it is the hackers’, because without us they would not exist.
You can either choose one of those three groups to blame or you can choose to spread the blame evenly between the three. All three parties were either directly or indirectly related to executing the Sony breach. Sony could have revamped its PlayStation Network security instead of waiting until hell broke loose, the hackers could have kept their tactics private and actually informed Sony or a security firm directly to prevent this from happening in the first place, and we could have stopped supporting Anonymous and similar groups regardless of their reasons for their operations because we, as individuals, have the power to go against the hive mind and say “no” instead of joining with the chorus. All three parties blended well together to create this unfortunate concoction. In the end though, the losers will only be one of those three: us. Sony will lose some money, perhaps some consumer confidence, but within a year or two all will be forgiven and forgotten. The hackers aren’t affected, unless they are caught. And if they are, they too will be forgotten as someone else from the hive mind will step in to take their place. It is us who will end up suffering. We already have with the downtime and only the future can tell how many of us will have to deal with theft and fraud issues. I guess it’s time for us to go cry foul…until Anonymous steps up to take on some other “grave injustice” in the world.