May 03, 2011

I don’t like multiplayer gaming for several reasons, ranging from my dislike for first-person shooters on consoles to the plethora of flat-out jackasses who hide behind the anonymity of the Internet; but I know a lot of people for whom multiplayer gaming is their favorite thing to do after a day at work. Thanks to the on-going shutdown of Sony’s PlayStation Network, they effectively ended up with nothing more than an expensive Blu-ray player. And considering that a large number of Portal 2 users couldn’t play the game that they purchased, to be denied the ability to play one of the most anticipated titles in recent gaming history is understandably very frustrating.

That said, Sony did the right thing by shutting down PSN for the duration of the investigation. What is the first thing that police do at a crime scene? They secure the scene. No one is allowed in or out except for those involved in the police work so that they can do their investigations with the crime scene intact and undisturbed. Sony did the same thing. Yes, it was inconvenient for millions of people, but it was the right thing to do.

However, in a major mea culpa on 1 May, Kazuo Hirai, Representative Corporate Executive Officer and Executive Deputy President of Sony, announced that the exploit that was used to breach PSN was a known exploit but that the exploit was never communicated to the California facility that currently houses PSN’s servers. As an IT specialist, I understand that system patches can’t be applied the second that they’re available. Time needs to be scheduled for a maintenance window to correct the situation. Unfortunately, the management at Sony Network Entertainment, Inc., the division that manages PSN, was never notified of the exploit, thus enabling the attackers to get into the network.

Considering the anger that was drawn from Sony’s removal of the Other OS functionality and the unprecedented attack on hacker Geohot, which led to their recent problems with organizations like Anonymous, to not immediately communicate a vulnerability to a network that contains information (including credit cards) for millions of people is mind-boggling. SNEI should have been made aware of the vulnerability immediately.

Instead, 77 million people are potentially impacted by the resulting shutdown. Many can’t play the multiplayer games that they love; a huge number of users of Portal 2, probably the most anticipated game of the year, are stuck with a game they can’t play because they can’t register it; and paid services like Hulu Plus and PlayStation Plus are inaccessible. The biggest black eye, however, is that the personal information for millions of users, including the password information for PSN and possibly users’ credit card information, is in the hands of the hackers. The resulting action was that a huge number of people immediately canceled the credit card that was linked to their PlayStation Network account and have to wait anywhere from one to three weeks for a replacement, which is a major inconvenience to those who have gained a dependency on that little piece of plastic.

With all of that taken into account, I find Sony’s gesture towards PSN subscribers to be ridiculously insulting. PSN users will be entitled to at least one free game of Sony’s choosing (the title(s) of which have yet to be determined), and a free month of PlayStation Plus for everyone and a free month for Qriocity and Music subscribers. Engadget referred to this as a “nice gesture”. No. No, it’s not, particularly when we’re talking about millions of people’s personal and credit card information.

I can only speculate about the free game; however, it’s safe to say that it’s not going to be a top title. More likely than not, it will be some really cheap game either everyone has or no one wants, similar to Microsoft offering Undertow because of their 2007-2008 Xbox Live outage. I’ll be glad if I turn out to be wrong on this, but I doubt it, especially when Sony is looking at giving this to 77 million users.

The incendiary part of the offer is the 30 days of PlayStation Plus, a premium service that is meant to compete with Xbox Live Gold. For $50 per year, subscribers get access to a selection of free games, discounted purchases, game saves that are stored on PSN instead of locally, access to some betas, and other benefits. While that might sound good, once the subscription ends the user loses access to all of those free games, cloud-stored game saves, and so forth.

All that Sony’s offer does is attempt to hook people into enjoying PlayStation Plus in the hopes that they will continue to subscribe after the 30 days are up by pushing their premium services under the guise of an apologetic gesture. You can’t tell me that no one within Sony’s management took a potential increase in subscribers into account when making this ridiculously shallow and transparent offer.

The Sony Defenders™ (that’s a joke, people) attacked those of us who are not pleased with Sony’s meaningless gesture with claims that Sony doesn’t need to provide any kind of restitution because it’s a free service. Some went so far as to imply that they don’t need to provide any security either, as though people should expect to have their personal and credit card information stolen from a free network.

The stupidity in this position, however, is that PSN is not free. We paid for PSN with the purchase of our PS3s. Remember that Sony stressed the free nature of PSN as marketing leverage against the not-free Xbox Live Gold as one of the reasons to buy a PS3. We pay for PSN every time we buy a game that uses Trophies or enables multiplayer gaming because we’re buying a game that requires PSN for that functionality. We pay for PSN every time we buy a game that requires PSN for activation. Do we have to pay a separate fee like we do with Xbox Live Gold? No, but to say that we don’t pay for PSN is fallacious; and to imply that we should not expect security from a service (especially one that stores credit card information) just because it’s free is absurd.

On the opposite end, some people were expecting restitution along the lines of a full year of PlayStation Plus and two full-priced games for free, which would be upwards of $170 for every PSN account. $170 of products and services for each of 77 million users? Greedy much? Personally, I would have been content with $10 or $15 deposited into my PlayStation Store wallet. But to be offered nothing more than a marketing scheme to entice us to subscribe to a premium service as an apology is insulting.

Looking forward, PSN will be more secure than it ever was in order to prevent this from happening again. I’m sure that Microsoft also decided to take a second look at their security implementation for Xbox Live because of this incident, so XBL will likely be more secure as well.

One thing that I hope will come out of this is the removal of game authentication. No one should have had to wait for PSN to return to be able to play a game, even in single player mode, because of it having to authenticate first.

Another thing that I hope will return from this is the private server. One of the best things about PC gaming is the ability for any PC to act as a game server without the need of a central authentication service, depending on the game. For over a decade, Friday night has been my game night with my nephew and a friend of mine with one of us (usually me) as the server. Games like the Rainbow Six, Ghost Recon, and Unreal Tournament series have received thousands of hours of gameplay this way. The best part is that all that we need are the correct ports in my firewall for game connectivity (or Hamachi as of late). That’s it!

If this PSN service outage has proven anything, it’s that the removal of authentication requirements and the return of private servers that don’t depend on PSN (or XBL) could make millions of people happy should an outage occur, no matter how unlikely that outage might be. Once again, the corporate war against piracy is proven to hurt only legitimate customers.

Regardless of what eventually happens, one thing is certain: this debacle will provide lots of case studies for system security, data encryption, and public relations. I trust that Sony will be far more proactive with fixing vulnerabilities from now on.

But for the moment a tweet from a friend of mine says it all: “Come on! I just want my damn PSN back…”