My take about the Sony EPIC FAIL

First of all let me be clear: it was an EPIC FAIL, and anybody saying otherwise is pretty much deluded. On the other hand, even though I’m one of those users who have every right to be upset with Sony (I just renewed my Plus subscription a couple of weeks ago), I don’t feel this is all that people make it out to be. A lot of the sentiment you see out there seems to come from people who aren’t in that database at all, and who are just trying to take a shot at Sony, either because they hate all corporations alike, or because they still feel Sony should have kept Linux as an option on the PS3, or even more likely because they would like Sony to invest more in developing consoles while expecting not to pay for games.

Am I being cynical? Probably. But I have also read enough posts over the last year or so that seem to assume that each and every PS3 owner should have felt robbed of the opportunity of running Linux on their system… and as a PS3 owner myself, I don’t really see what the point is. Sure, there were a couple of things that as a Linux enthusiast and hacker I would have liked to be able to do, but with the exception of the clustering efforts to crunch numbers (a field that nowadays seems to be in the hands of high-end graphics cards), the most useful thing I have seen done with Linux on a PlayStation 3 has been testing BluRay movies with Linux, as Steve “beandog” posted on Planet Gentoo a long time ago.

But my take is more interested in putting into perspective what the EPIC FAIL was about. I definitely don’t count a general intrusion as an EPIC FAIL by itself: most systems out there are going to fail one way or another… of course, we don’t expect them to fail as badly as putting this many users at risk. But then again, my main reason to think that Sony misdesigned their whole network is a simple one: the intruders got hold of the users’ passwords.

Given that I expect most people commenting on or reading about this are non-technical gamers (and people who don’t play but, as I said above, want to feel smug about it), I don’t expect most of them to put this into context: “Obviously Sony knows my password! I tell it to them every time I connect!” — which, for anybody who has ever worked on securing web applications, is a very naïve statement.

When you design a secure login system you do not store the password itself, but rather the output of a one-way function (a hash) of it; when the login request comes in, you take the received string, apply the same function to it, and compare the result with the one you stored. The function should be one designed for passwords (bcrypt, scrypt, PBKDF2), deliberately slow so that an attacker who dumps the table cannot cheaply try billions of guesses against it, and each user’s hash should be salted with a random value stored alongside it, so that the same password on two different users’ records is saved differently and cannot be attacked with a single precomputed table. Which is why good systems have a “Reset password” option, and not a “Recover password” one: there is nothing to recover (and why I loathe those systems which send me back my password in cleartext, since that proves they kept it).

The fact that Sony declared passwords and (interestingly) security questions as compromised makes it seem likely that they didn’t store hashes, but rather the cleartext passwords; security-question answers are credentials too, and deserve the same treatment. I’m not sure about this myself, to be honest: it sounds very stupid for them to make such a puny mistake, but Occam’s Razor calls for the most obvious explanation, and that is definitely it. A more complex (but still feasible) explanation is that the intrusion was a long-term one, and that the intruders were able to snoop the passwords between the user and the authentication chain, during the window in which they exist in cleartext from the application’s point of view: once the transport encryption is stripped and before the hash is computed, the password sits in memory as the string the user typed, and a compromised front-end can log it no matter how well the database is designed.
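To make the two scenarios above concrete, here is an added example (my own illustration, not Sony’s code and not anything known about how PSN was actually implemented) of the “store a salted hash, never the password” design from the previous paragraph, extended to security-question answers since those were listed as compromised too. It uses PBKDF2-HMAC-SHA256 from Python’s standard library purely because it needs no third-party package; bcrypt or scrypt would do the same job. The iteration count, the record layout, the `legacy_cleartext_record` stand-in for the suspected design and the sample users are all assumptions. Note the limit that the second scenario exposes: inside `verify_password` the submitted string is still cleartext in the application’s memory, so a compromised front-end can log it regardless of how the database is laid out.

```python
import hashlib
import hmac
import os

# Added example, not Sony's code: a minimal credential store that keeps only
# salted, deliberately slow hashes of passwords and security-question answers.
# Iteration count and record layout are assumptions for the illustration.

PBKDF2_ITERATIONS = 100_000   # assumption: raise as hardware allows
SALT_BYTES = 16


def hash_secret(secret: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, slow one-way digest of a password or answer.

    PBKDF2-HMAC-SHA256 is used only because it ships with Python;
    bcrypt or scrypt serve the same purpose.
    """
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def normalize_answer(answer: str) -> str:
    """Fold case and whitespace so 'New York' and ' new  york' hash identically."""
    return " ".join(answer.lower().split())


def create_record(password: str, answer: str) -> dict:
    """Build the stored record; the cleartext secrets are hashed and dropped."""
    pw_salt = os.urandom(SALT_BYTES)    # fresh random salt per user...
    ans_salt = os.urandom(SALT_BYTES)   # ...and a separate one per secret
    return {
        "iterations": PBKDF2_ITERATIONS,
        "pw_salt": pw_salt,
        "pw_hash": hash_secret(password, pw_salt),
        "ans_salt": ans_salt,
        "ans_hash": hash_secret(normalize_answer(answer), ans_salt),
    }


def legacy_cleartext_record(password: str, answer: str) -> dict:
    """The design the post suspects: secrets stored as typed. For contrast only."""
    return {"password": password.encode("utf-8"), "answer": answer.encode("utf-8")}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash from the submitted string and compare in constant time.

    `candidate` is cleartext here: a compromised front-end can read it at this
    point no matter how the database is designed.
    """
    got = hash_secret(candidate, record["pw_salt"], record["iterations"])
    return hmac.compare_digest(record["pw_hash"], got)


def verify_answer(record: dict, candidate: str) -> bool:
    """Same check for the security question, after the same normalisation."""
    got = hash_secret(normalize_answer(candidate), record["ans_salt"], record["iterations"])
    return hmac.compare_digest(record["ans_hash"], got)


def reset_password(record: dict, new_password: str) -> None:
    """'Reset', not 'recover': the old password cannot be read back, only replaced."""
    record["pw_salt"] = os.urandom(SALT_BYTES)
    record["pw_hash"] = hash_secret(new_password, record["pw_salt"])
    record["iterations"] = PBKDF2_ITERATIONS


def dump_contains_secret(db: dict, secret: str) -> bool:
    """The attacker's view of a table dump: is any stored value the secret itself?"""
    needle = secret.encode("utf-8")
    return any(
        isinstance(value, bytes) and value == needle
        for record in db.values()
        for value in record.values()
    )


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same weak password.
    hashed_db = {
        "alice": create_record("hunter2", "Rex"),
        "bob": create_record("hunter2", "New York"),
    }
    cleartext_db = {"alice": legacy_cleartext_record("hunter2", "Rex")}
    print("same password, different hashes:",
          hashed_db["alice"]["pw_hash"] != hashed_db["bob"]["pw_hash"])
    print("alice logs in:", verify_password(hashed_db["alice"], "hunter2"))
    print("bob's answer with odd spacing:", verify_answer(hashed_db["bob"], " new  york"))
    print("password visible in hashed dump:", dump_contains_secret(hashed_db, "hunter2"))
    print("password visible in cleartext dump:", dump_contains_secret(cleartext_db, "hunter2"))
```

Running it shows that the two users who chose the same password end up with different stored hashes, that verification still succeeds for each of them, and that a table dump built this way contains no value equal to the password, while the cleartext variant does. A “Recover password” feature is simply not implementable against the hashed record; only `reset_password` is.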

I’ll leave a point for discussion to those who have had to deal with credit card handling: I know that there are security standards that need to be followed to be allowed to process credit cards (PCI DSS); is “hash the passwords” missing from them? If so, it might be as much the fault of the credit card companies as it is Sony’s.

Speaking of long-term, I’m still not sure why everybody assumes that the (apparent) DoS on Sony’s infrastructure was related to the intrusion. Most complainers also seem to ignore Sony’s statement about only finding out later that the database was compromised to this extent. From experience, this sounds like oversimplifying the situation. Until further pointers, it cannot be entirely ruled out that the intrusion was an inside job, maybe ongoing for months or more by now, and that the DoS only served, unintentionally, to catch the auditors’ eyes. Personally I’d believe that on the grounds that Sony is not telling you that your currently listed credit card is compromised, but that any credit card you have ever used is. Which is scarier.

So to add at least a bit of a point to this whole mess: I think that commentators from the Free Software area should at least stop trying to find faults in corporations who don’t wholly share their ideals, and should rather try showing users another viable way. Asking them to stay in the past decade is not viable, and yet if we keep bickering among ourselves, that is definitely what’s going to happen. Did anybody say “fragmentation”?

Yes Sony, we love you — now try to make sense

I’ll stop writing about Ruby-NG porting or the tinderbox effort for a moment to write a little rant to our beloved Sony.

I’ve already ranted before about the prices of games in Italy, and about the fact that Sony’s own PlayStation Network has quite silly pricing policies (sometimes the prices for the UK – in pounds – and those for the rest of Europe – in euro – aren’t equivalent; the UK price is sometimes 20% cheaper), but I guess I’ll just write a bit more about their silliness now.

Remaining in the area of pricing, Sony has been following two very different roads. While both are tied to the expansion of the PlayStation Network game offering prompted by the introduction of the PSP Go (which does not have a UMD drive, and thus can only play games downloaded through the store), they don’t seem to work quite the same way.

The first road is making the “usual” games available on PSN as well as on UMD, re-issuing older releases and issuing some of the new releases on both media at the same time. This, though, creates a bit of a problem: while non-UMD releases are faster to load and play (and those with a cracked PSP and pirated games can confirm that quite surely), their price on the PSN is usually fixed: it’s the same recommended retail price as the UMD, even when the actual stores don’t sell the game at that price at all. For instance, when I bought the Monster Hunter Freedom Unite game for the PSP, I paid the equivalent of €25 for it (from Amazon UK), the in-store price in Italy was around €32, and the PSN price was a whopping €39.99! Holy crap! And as it’s a so-called “digital copy” of the game, you cannot lend it to a friend to try it out (which is how I originally came to know Monster Hunter), nor can you re-sell it if you don’t like it after having bought it (I don’t usually resell games, but I do buy them pre-owned).

On the other hand, they have found one thing for which the PSN is well suited, in the form of the “minis”: smaller, cheaper games, around 30MB of storage and €5 in price, from the classic Tetris to some newer games. The size and price are just right: for €5 I won’t mind not being able to re-sell or lend the game, and the size allows them to be stored on the PSP’s memory stick even if it’s not that big, which makes them perfect for me when I’m waiting in a queue at the doctor’s (or at the airport, as happened last November).

Now, though, Sony’s silliness comes again: earlier this month (around the 10th, if my memory serves me right), Sony released a firmware update that should have allowed PlayStation 3 owners to play minis as well. Since this calls for an emulator, it was the final and crucial blow to those hoping to see PlayStation 2 compatibility in the PS3 (the last hope that was given was related to a software emulation patent filed by Sony, which can now quite plausibly be linked to the minis emulator rather than to PS2 compatibility). It baffled quite a few people, me included, that at the time of release of the firmware the minis weren’t updated: if you simply downloaded them with the PS3, it asked you to copy them to the PSP; Sony did announce with the firmware that the new minis were to be released on the 17th — today. A hint of the next disappointment was already to be seen in their wording:

[…] we are working on getting the majority of the current minis ready for the PS3 from the 17th December.

Yes, they say the “majority” of the current minis, not all of them. Indeed, today when I finally went to re-download the two minis I bought last month (the evergreen Tetris, and a Mahjong solitaire game, both perfect games to play while waiting in a queue — I just miss a card solitaire game, which would be awesome to have now that I don’t have it on my Nokia any more), I got a surprise: the Mahjong game is available and works on the PS3, but Tetris is not (yet?) available! It still only works on the PSP. Sigh! Would it really have cost Sony so much to release the firmware and the minis at the same time? (Probably a schedule slip-up; I guess they wanted to have the whole system ready before Christmas.) Okay, never mind that.

Next in the series of proofs of Sony’s silliness is the Facebook integration that came with the previous firmware update (3.10); yes, you can now link your Facebook account with PSN – no, you still cannot add your PSN handle to your contact information as if it were an IM account, which is what I would have found most useful (to see which of my friends I’m missing) – and it will show on your feed the games and demos you buy or download from the PlayStation Store (it actually asks you every time for that as well), and the trophies you’re awarded in games. Not a bad idea after all, since it lets you know whether your friend has already bought or tried out the game you were looking forward to.

Unfortunately it seems like Sony forgot that quite a few games hide their trophy descriptions until you actually earn them! This is the case, for instance, with Worms (how could I have not bought that game? Sure, it’s nowhere near Worms 2 or Worms Armageddon for PC – mouse controls for the win! – but it’s still not bad at all!). Until awarded, those trophies look like “???” with description “???”. And lo and behold, the Facebook integration shows them just like that, even to me.

Add this to my anger already built up over the Fallout 3 UK disc not being compatible with the downloadable content from the Italian PlayStation Store (I’m still looking for two £20 PSN gift cards to buy the expansions… a friend of mine looked for them while he was in London for a weekend but couldn’t find them), and you can start to see why I’m quite annoyed with Sony.