Don't Blame Sony, You Can't Trust ANY Networks

The hack attack that forced Sony to take the Playstation Network and Sony Online Entertainment offline and resulted in the theft of personal information from tens of millions of people around the world wasn't really Sony's fault; it was an inevitability, a security expert tells Kotaku.

Bruce Schneier, internationally renowned security technologist and author of Applied Cryptography, Secrets and Lies and Schneier on Security, said that the only thing unusual about the break-in to Sony's two networks is that they are used for gaming, something titillating to the mainstream media.

"It's another network break-in, it happens all of the time," he said. "This stuff happens a lot."

For every incident like the infamous Heartland Payment data breach in 2008, which impacted millions, there are dozens of smaller breaches, some underreported or not reported at all. The issue is so prevalent that Congress is currently holding hearings on the threat of data theft.

When asked if Sony's network was secure, or if there was some misstep on the part of the company in keeping their customers' personal and credit card information protected, Schneier was dismissive.

"What does that even mean?" he asked. "Is there such a thing as a secure house?"

No networks, Schneier added, are really secure and people have to come to grips with that.

The fact that Sony, and not Microsoft or Nintendo, was the company breached by hackers has nothing to do with their level of security, he said.

Bruce Schneier isn't just a security expert; he's also an Internet meme. He's testified before Congress, written articles for publications around the world and appears to be the hacker's answer to Chuck Norris, with a page dedicated to "Schneier Facts" like: "Bruce Schneier cuts meat in prime number lengths." and "Bruce Schneier once killed a man using only linear cryptanalysis."

Nintendo and Microsoft, for their part, both say they have secure networks.

"The security and confidentiality of our customers' information is extremely important to us," Nintendo said in a statement to Kotaku. "That's why we have many technical, administrative and physical security measures in place to protect personal information from unauthorised access and improper use. We also review our security procedures periodically to consider appropriate technology and updated methods, and test our systems."

Microsoft's response was similar.

"The security around our Xbox LIVE service and member information is our highest priority," a spokesman said. "Other than that, we have no comment."

Schneier remains unconvinced:

"Everyone is probably equally sucky," he said of network security in general. "Some may be better than others.

"Unfortunately, the moral here is that you give your information to a third party, blindly trusting them, a bank, a credit card company, a phone company, Amazon, J. Crew, or Sony. You are blindly trusting that they will use the information wisely and secure it. And you have no say how they do that and you have no recourse if they fuck up."

But, the famously cynical Schneier adds, "Even with all of that, most people are really safe all of the time."

"You're doing OK, I'm doing OK. I buy stuff online all of the time. I bank online. And what other option is there?"


Comments

    Precisely, your house isn't secure. Smash a window or remove a roof tile...easy access. Houses are robbed all the time and there is no knee-jerk reaction to overhaul house security.

    Same at retail, your credit card numbers are easily stolen by retail staff, and often deceitful transactions are a case of retail staff re-running your transactions for their own profit.

    That wallet you carry around or phone shopping with your credit card...the insecurities simply never end.

    The banks in terms of customers ultimately have the recourse to refund the customers. It's the merchants that tend to get ripped at the end of the day.

    Why expect 100% security from technology then? Simple: do the best they can and the evolving technology will eventually weed things down to a more acceptable level of security/comfort.

      Yep, back in my computer science student days (when dinosaurs walked the earth), they told us that the only way to make any computer secure is to remove the network access (wired and wireless), take away the keyboard, mouse and monitor and all of the USB ports etc. Your computer is now secure. It's also useless.

      The fact is that everybody's personal information is stored in so many places these days means that anybody who thinks it hasn't already been "obtained" several times over is being hopelessly naive. In most cases the people storing the info who have it stolen aren't even aware there's been a breach.

      My problem with the Sony situation isn't that it got hacked, but the fact that their communication was so poor after they found out about it. That and the fact that PSN has been down for 2 weeks now and I wants my BC2 multiplayer.

      While it isn't possible to completely secure your house, you can certainly make it more difficult for intruders.

      Locking my front door will make things more difficult. Installing an alarm system further increases the difficulty, as would adding bars to the windows. Whether it is worth doing all this will depend on the value of what is stored in the house.

      Sony was storing 10,000,000 credit card numbers, which might be valued at US$50 million on the black market. The question isn't whether their network was completely secure, but whether their security measures were adequate given the value of what they were protecting.

        Here's the thing,

        Sony is a huge billion dollar international company. It is unrealistic and ignorant to think they haven't 'locked their front door'. They're smart enough to at least say, let's look at all these other companies like Amazon or Paypal or Live and the online security that they've employed and whether or not that is the standard expected level of security to have. They aren't stupid.

        What people seem to have a problem with is whether Sony, using your analogy, has armoured doors and bulletproof windows and land mines laid out on their front lawn, when they live in a neighbourhood where little to zero households have had any need for them.

        'reasonable expectation'.

        You live in a world where there are guns and bucket loads of bad guys out there who use them, and yet I don't expect to see you going to work every morning in your bulletproof vest; that's ultimately what it comes down to.

          I like your analogy, it's like a fortress versus an army of footmen and tanks.

          Though, the problem with this is that both sides have weapons and countermeasures to each other. For every mine that a server has up, the hacker likely has a mine-sweeper, or maybe even a dummy soldier to set them off prematurely.

          A common problem with security is that data does not only need to come in, but it also needs to come out. Sure you can place turrets at the ports, but what looks like a friendly vessel will probably make a safe landing. Though the key to any attack is consistency and luck. Sony must have been pretty slack not to notice any test that could have been placed on their network. And even so, any of those could have been false positives or even other hackers failing. Any failed attempt is seen as a success in the eyes of an admin, so they probably thought that they were safe.

    Of course Nintendo has a secure network. No one knows it exists :D
