Ash's Ramblings

Blaming the Victim

There's a lot of talk at the minute, regarding the recent theft of millions of customers' personal details from Sony's online services, Playstation Network (PSN) and Qriocity. Obviously it's yet another plus point for us paranoid technophobes who don't use the same password for anything, have a separate email address for every service we use and never give out credit card numbers unless we're 100% sure we can trust the security being used, but me saying "told you so" is hardly helpful, and certainly doesn't change the fact that 77 million people are now living in the knowledge that their name, address, phone number and possibly credit card number and password are currently in the hands of a malicious hacker.

But there is a moral dilemma... who to blame? I immediately began badmouthing Sony for this obvious lapse in security, but this morning a colleague of mine pointed out to me that you should never blame the victim; the fault lies with the hacker. This is a very good point, and one echoed by many; some even go so far as to suggest that blaming Sony for this hack is like blaming a shopkeeper for a burglary, or telling a rape victim she was asking for it. I would never blame a rape victim for being raped, nor would I blame a shopkeeper for being burgled. But let's say the shopkeeper were to go home for the night, trusting the locking up to his absent-minded apprentice. Then, let's say the apprentice gets drunk, staggers home leaving the door of the shop wide open, and insults a local gang on the way home before drunkenly daring them to burgle the shop. Would it then be OK to blame the burglary on the apprentice?

For those who don't know, this hack has a history. The hackers almost certainly got in by discovering some weakness in the protocol used to access the Playstation Network from a Playstation 3. This time last year, such a task would have been impossible, but, at the 27th Chaos Communication Congress meeting in Berlin in December 2010, a group of hackers known as fail0verflow presented their work [YouTube] in hacking the PS3. During this presentation, they pointed out that the PS3's security model is fundamentally broken because although Sony uses a pretty damn bullet-proof elliptic curve cryptography method to sign its code, rather than use a different random number each time, they use the same number, which effectively means that anyone with a basic understanding of maths can reverse engineer Sony's private key, effectively rendering the PS3's entire code-signing functionality completely useless. So who do we blame for this... fail0verflow for pointing out Sony's mistake, or Sony for making such a stupid, rookie mistake in the first place?

Soon after fail0verflow gave their presentation, George "geohot" Hotz, the hacker previously known for his work in breaking the security of the iPhone, used fail0verflow's methods to reverse-engineer the master private key of the Playstation 3. Anyone who has this number can write any code they damn well like and run it on any PS3 console in the world. It was a godsend to homebrew coders, and I know people who have done some really cool things with it, including one person who wrote some code to use an Xbox Kinect to control a PS3. But in blowing the PS3's security wide open in this way, it's very likely that geohot inadvertently allowed malicious hackers to write code that interfered with the Playstation Network, leading to the theft of 77 million people's personal details. So should we be blaming geohot for this mess? Many do.

For my part, we need to go back to fail0verflow's presentation in Berlin. Early in the presentation, the group make a very good point about the PS3's security. The PS3 remained unhacked for 4 years after its release. Many owners of the console wrongly assume that this means the PS3 is very secure, unlike the Wii which was hacked in under a week. But, as fail0verflow point out, when it first came out the PS3 didn't need to be hacked, because it ran OtherOS. This was a piece of software built into the console that effectively allowed homebrew coders to do almost what they wanted with it. This was a happy co-existence for over three years until Sony, for one reason or another, decided to kill OtherOS on existing consoles via a firmware update. At the time I argued that this was a bait-and-switch and that Sony should really be in court for breach of the Trade Descriptions Act... people bought the PS3 knowing they could use it for homebrew and now they've parted with cash they're being told they can't any more. I'm not a lawyer, but regardless, Sony pissed off thousands of hackers with this rather odd decision. This led to the hacking and subsequent discovery of the master private key. The PS3 didn't take four years to hack, it took four years for a hack to become necessary, and then less than a month to hack.

I'm not defending the yet-unnamed person or people who broke into PSN and stole all the customer details, they're clearly bad people. And no, I'd never blame the victim for a crime. But in this case, there are 77 million victims and Sony aren't one of them. Sony, instead, is the incompetent apprentice and a victim only to karma. Perhaps one day they'll learn that people in glass houses shouldn't throw stones... and people who suck at security shouldn't piss off hackers.