Stolen Pixels #255: The Veep

By Shamus
on Apr 29, 2011
Filed under:
Column

My latest comic stars Kevin Butler. Yes, I know Penny Arcade kind of did a similar joke on Monday, but I think this is a big enough target for all of us to shoot at without worrying about crossfire.

This is a sad story. Sony made a lot of mistakes in the design and marketing of the PS3, but they’ve managed to correct everything they could fix. The price is down, the library is respectable, and the developer tools have finally matured enough to mitigate or obfuscate the device’s unorthodox hardware. It’s been closing the gap with the Xbox 360 and giving consumers a real choice.

And now this.


42 comments. (Insert played-out "meaning of life, the universe and everything" joke here.)

  1. HeadHunter says:

    For a short time, I had been considering the idea of a PS3 in place of a Blu-Ray player. Looks like this has made up my mind for me. I’d rather pay the same price for a standalone Blu-Ray player. It may be a “dumb” machine, but not nearly as “dumb” as the folks at Sony.

    • Lalaland says:

      To be honest I’d still get the PS3 as a blu-ray player, just don’t sign up for PSN. The CPU horsepower on offer for BD-Java makes a big difference in how fast discs load. You’re also guaranteed software updates for years to maintain compatibility with discs over time, something I’ve no confidence in dedicated players getting for more than their warranty period.

  2. DanMan says:

    It’s so unfortunate. I bought the PS3, because I believe it to be the superior machine. Blu-ray player, built-in wireless. (I bought mine on launch day, so I know X-BOX has gotten better, but it wasn’t better at the time).

    I was willing to pay more for the better technology. It just seemed like Sony wasn’t ready to release when they did. X-BOX was running away with the market and Sony bit off more than they could chew.

    This is more evidence of “we wanted the world, but all we got was this lousy island.” Grand promises that they were unable to deliver on in a timely fashion.

  3. ? says:

    That’s all very nice, but why does this news pretend to be Spoiler Warning, when clearly it is not? :P

  4. Irridium says:

    I don’t really blame Sony for being hacked. It could just as easily have been Xbox Live, Steam, GoG, or anything really.

    They’re just really, really bad at dealing with their problems. Their quality of PR is as bad as the general quality of Games For Windows Life.

    • Raygereio says:

      Well, one could blame them for placing sensitive information in a position where it could be retrieved by someone with malicious intent.

      When your house gets robbed it certainly isn’t your fault that the thief decided to steal your TV. But one could look at you and say: “Gee, wasn’t leaving that door right there open when you went out somewhat of a silly thing to do?”.

    • Brandon says:

      There’s really no evidence to support that it could have just as easily been any other platform.

      This seems more like a huge security blunder on Sony’s part (Or perhaps an elaborate inside job). Security is always an issue for any of the big platforms, but this is outrageously bad. When you’re dealing with people’s personal data, you need to do better than this.

      • Nathon says:

        There is plenty of evidence to support the idea that it could have been a different platform. Companies that have more to lose than Sony (I know, it’s hard to imagine, but RSA is on the list) have had major breaches this year. It looks like credit card numbers were encrypted, per PCI DSS requirements. Of course, it’s possible the attacker(s) got access to the keys.

        Security is hard. We’ll see where these class action suits go, but I doubt they’ll get any punitive damages out of a company like Sony.

        I’m not saying they did everything perfectly, and I’m certainly not a fan of many of their business (and anti-consumer) practices, but this sort of thing can happen to anyone, no matter how careful they are.

        • Ben says:

          It’s highly unlikely the hackers got the keys given how CC#s are typically processed. Generally the key is encrypted on entry and then just passed to the payment processor still encrypted without the merchant having the key. It is general security best practices to not keep keys near the data they encrypt. This provides security even if the encrypted CC# database is taken.

          Yes security is hard and it is imperfect but that doesn’t mean that you can afford to be lax about it and use its difficulty as an excuse.

        • Jeff says:

          Have you looked into how it was done? I heard that apparently developer credentials are processed at point of access or something – fake your credentials and you sign in as a developer. It’s not checked from within the network, it’s checked at the console you access the network from. That’s just dumb, if true.

    • Eric says:

      But we can blame them, and should. Let’s do it!

      1) Shouldn’t have happened in the first place. I bought a product that has been rendered inoperable by preventable circumstances. I mean, duh. I’m paying for both my PlayStation 3 and access to the Network, I expect both to work. You can’t argue “well, downtime happens, you’re not losing anything because it’s free”, but Sony chose to give users free access to PSN in the first place. You can’t use Sony’s decision in providing the service for free to rationalise the downtime. And of course, this ignores Plus users, who do pay.

      2) Personal data should have been encrypted along with credit card information. There is no excuse. It’s debatable whether or not this is “public” or “private” information, but I don’t think Sony has the right to decide that for anyone. Ultimately buying a mass consumer product should not render you open to identity theft, stalkers, etc. if you have taken great pains to maintain your privacy in the past.

      3) Sony’s response to this has been bafflingly awful. If they had just come out straight, possibly with a contingency plan made in advance for just this sort of event, and told people “yes, there is a major problem, but here’s what you can do, and here’s what we’re doing right now” then it wouldn’t have been nearly as bad as it is now. As it stands, instead they chose to wait almost a week to let people know that their sensitive data was at risk. I’ve seen this happen a number of times recently, and I’m pretty sure it’s because companies/banks/etc. don’t want their stock to crumble in the wake of fears, and want to skirt around/downplay the problems as much as possible. Guess what, guys? People are going to lose confidence in you, and even more so if you hide things from people. That’s called being disingenuous. In the time you tried to avoid admitting to what had happened, you put everyone at risk for longer than necessary.

      Let me repeat this, since it’s important: in denying that there was a serious problem, Sony made it exponentially more likely that the hackers could use the millions of credit card details and personal profiles they had attained, all for the entirely selfish reasons of maintaining their bottom line, even though that bottom line ultimately depends on the people who had their data stolen in the first place. Congratulations!

      Can we keep blaming? I like blaming!

      • Irridium says:

        I’m not saying we shouldn’t blame them completely, I’m saying we shouldn’t blame them for being hacked in the first place. We most definitely should blame them for not encrypting the cards though, and for their awful way of handling things.

        Anything and everything hooked up to the internet can be hacked. No exceptions.

      • Mari says:

        And yet how many people lost confidence in, say, the U.S. government for the massive data breaches it’s had through the years and the fact that it has waited sometimes much longer than Sony before notifying people that their data was compromised? How many of them are still holding a grudge? The V.A. data loss wasn’t reported to the public until 19 days after it happened. It was even an entirely predictable incident (considering that the V.A. had FAILED four out of the last 5 annual security inspections). But I don’t see large groups of people still complaining, much less refusing to do “business” with the U.S. government or lobbying for more security. Basically the outcry from the public consisted of about a month of folks talking about it and then it was forgotten. Can’t we expect pretty much the same for Sony? Maybe even less since they fessed up sooner?

        • Jeff says:

          People expect incompetence in the public sector. We can’t choose not to purchase their services. (Well, you could try to not pay tax, and see where that gets you. (In court for tax evasion.))

          We expect better from people who actually want to convince us to give them our money.

        • Eric says:

          So… your argument is that mass apathy makes this sort of incompetence acceptable?

  5. ccesarano says:

    I’m actually stunned at the reaction this has been getting. I write a column over at GameKrib, where the common member is the “bro gamer” doing much harm to this industry. Left and right everyone’s saying “Yo dawg, this be why payin’ for Xbox is aight. This junk don’t happen on Sexbox lol”

    Only with a bit more lingo and a lot less punctuation.

    Then I head over to GamersWithJobs, and there’s a lot of intelligent people that write and speak like they have an education, and they too are claiming to be done with Sony and the PS3 based on how they handled this situation.

    Funny thing is, there was no good way to handle this situation, and according to Ars this was an internal hack. Granted, the fact that their personal data tables weren’t encrypted was weak. Sure, it’s not too bad that the Credit Card database was encrypted and more secure, but I imagine part of “personal data” includes things like passwords.

    However, if this had never happened then no one would care. I mean, do people believe Microsoft is somehow less vulnerable? Have we so quickly forgotten the half-assed engineering tasks that led to the Red Ring of Death?

    I started this gaming generation being one of them Wii60 kids, but I recently grabbed a PS3 because their first party offerings are, well, genuinely good offerings as opposed to Microsoft’s for the past few years. They’ve also shown signs of learning some valuable lessons.

    This isn’t them having a shitty marketing campaign or trying to make the PSP look “cool” by having a stereotypically black urban kid speak highly about it in ebonics (while later calling the Nintendo Wii a kid’s toy). This is Sony trying to minimize damage to an obviously bad situation, and if they came right out and said “Dude, okay, your stuff might be compromised, we have to physically move PSN, as in its servers and all that other stuff, and we’ll let you know when it’s all fixed”, people would still be pissed.

    I mean, the only thing here they really did WRONG was not encrypting personal information. But it happened to be hacked with Mortal Kombat and Portal 2 fresh on store shelves and E3 less than two months away. I mean, what are they going to say? What CAN they say, especially when Microsoft takes the inevitable cheap shot at them?

    This is almost a damn tragedy.

    (Note: I can’t see the comic while at work, so I’m just chipping in my own thoughts on the matter.)

    • Piflik says:

      Agreed…not encrypting the passwords is kinda weak, but apart from that I don’t think Sony did anything wrong…even when it comes to handling the situation. They closed the service as soon as they noticed the intrusion, started an investigation and when they were sure personal data was compromised, they informed the users…I think I wouldn’t have done differently…

      Personally I have no hard feelings for Sony…maybe because I have never used a credit card on PSN and have different passwords for most of my accounts…I guess I might get some more spam mails, but my filter does quite a good job so far…

    • Ben says:

      That Ars article does not say the hack was internal, it says that Sony is moving their servers. Remember that Sony’s first public statements talked about an “external intrusion” not an internal one so I’m inclined to believe that the server moving is more publicity defense than anything. Additionally if it was internal and they have proof of that they wouldn’t have taken everything down to fix problems, an inside job would have meant they fix up the internal policy, fire the guy and done. Taking the system offline doesn’t stop an insider from getting data.

      Even assuming it was an inside job the losses could have been well mitigated by using proper security best practices. Among them would be not storing passwords in plaintext and not storing CC#s at all or if you are storing them not having the key. A typical CC# system would be the user inputs the number, it is encrypted and then passed (still encrypted) to the payment-processor without ever being unencrypted in the Sony branches of the pipeline. This way even in a catastrophic security failure the CC#s would be unusable by the hacker.

      Also I don’t buy the “it could happen to anyone” argument. For all the problems with RROD the 360 has had there hasn’t been something like this for Xbox Live. It’s not like Xbox Live is a less appealing target, it has CC#s just the same, probably more of them because of Xbox Live Gold. Even in the case of companies this has happened to, rarely do you see CC#s being taken and used.

      Is Sony entirely to blame here? Of course not; the perpetrators should be found and prosecuted to the fullest extent of the law, but Sony does deserve blame here for poor adherence to security best practices as well as the delay in notification about the extent of the breach.

  6. Wtrmute says:

    You know, that theory of yours on why the PS3 is hard to develop for makes only too much sense. I had never thought of it that way, but now…

    I mean, Nintendo and MSFT aren’t angels, either, but that’s some pretty Machiavellian thinking right there. I guess the folks at Sony hadn’t heard about Ballmer’s “Developers developers developers” talk.

  7. Hal says:

    Yikes, that is an unflattering expression for the female gamer in the first panel.

  8. Some Jackass says:

    I wonder in the end how many PS people will jump ship, especially with Nintendo’s new hardware on the horizon.

    • Raygereio says:

      Not that much; after all, it’s not like you can take your Playstation games and start playing them on the xbox or .

    • Bobby Archer says:

      That’s a good point. If Nintendo says anything about network security when they’re presenting their new console at E3, they could get a huge amount of momentum out of this.

      • Sumanai says:

        And a laugh out of me. They used WEP on the DS after all.

        • Sumanai says:

          Thought I’d add an explanation:

          WEP is a security standard for Wifi, that doesn’t do anything useful. Nintendo argued that it’s “good enough for video games” ignoring the fact that you can’t have a Wifi router set to WPA (a security standard that’s actually useful) if you want to use the DS with it.

          Essentially forcing anyone who wants to use their Wifi with the DS to set it up with WEP, and thus ruin the security of all their wireless connections. Meaning that I can’t, for example, have a somewhat secure connection to the internet with my Wii and netbook at the same time as provide an internet access to the DS.

          From what I’ve understood the only reason to have WEP only, is to help cut costs in making the device.

  9. Irridium says:

    Also Shamus, nice picture of Catherine. Can’t believe I missed that the first time I read the comic.

  10. Vegedus says:

    I like the “subtlety” of what you did with the TV :P
