Tuesday, April 26, 2011

PSN Breach, the Cloud and Caution

Taking a short breather in between my Reply series and circling back to the issue of "transparency," I'm reading the breaking news about Sony's PlayStation Network/Qriocity network breach and it doesn't look too good:

"... an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

- from Patrick Seybold, Sr. Director, Corporate Communications & Social Media

Newer reports from the forensic team indicate all personal data stored with your PSN account has been compromised: everything, including name, address, birth date, the answers to your account reset questions, email address, and passwords.

Coming on the heels of this great post from the Guardian, it simply reinforces the reasons we all originally wanted to get away from the monolithic IBM corp and their "dumb terminal" model of client-server processing. Companies ask me to "trust them" with all kinds of information that is a terrible security risk. It has been demonstrated many times now that most of these companies will either neglect to properly secure their network, fail to use even the simplest security procedures (storing passwords in plaintext, no encryption) or will even sell your data to the highest bidder.

And they want me to trust them with my data? Because it makes their targeted marketing easier and more profitable? And for that I get to pay them money?

At this point in time, no one really trusts Sony anymore to give them the whole truth, especially coming on the heels of their settlement with GeoHot for hacking the "other OS" functionality which was originally a major selling point for the PS3 and which Sony subsequently disabled in several "updates" to the console. Rumors abound of Sony rebuilding their network to destroy the regained functionality of the firmware-modded PS3.

I personally am wary of the rush to distributed computing which goes by the trendy and amazin' *insert sparklies here* name of "cloud computing." The infrastructure is being pushed together hastily; security auditing is often minimal in the "rush to market" and the time-honored wisdom of 'not putting all your eggs in one basket' seems to have gone the way of most sensible and tested business advice and ideas in this modern rush for "newersexierbetterMOAR! because... it's the internet!"

That, on top of the hundreds of stories of company malfeasance, collusion with marketeers and underhanded dealings with consumers (Sony rootkit, anyone?) makes me wary of trusting companies who want my trust and yet have not demonstrated a reason for me to believe their interests coincide with mine as a consumer. And it makes me wary of putting all my data "out there in the cloud" instead of on my desktop where I can control access.

And oh yeah... there's that little Apple iPhone tracking problem too...


By the way, in case you hadn't heard, I am now a military acronym for Psyops; just a little tidbit from the propaganda war. That is all.


sororNishi said...

Congrats on the military cred, you deserve it...:))

Our Government, and military, regularly lose memory sticks and laptops, some left on buses, some just nicked full of people's details.

Sony's 77,000,000 credit card details is a record, so far, I would think, but that record will probably fall. If the Government lost that much stuff it would be Top Secret and we'd never hear about it.

It's a funny relationship we have with data, tho. It reminds me of flushing the toilet, once people have flushed, very few are aware that the stuff goes somewhere, it's like a black hole/consciousness barrier..... same with My Personal Data... Sony has got it "oh that's OK then, Sony are a techy company, they'll handle it OK"....

Where does it go? All we are offered is The Company's Privacy Policy, we never get the nuts and bolts of how/where it is stored..... and there's really no opportunity to ask.

I'm not sure that will ever change, all we will get is statements like Amazon.... 'your data is 99.9999% safe in The Cloud'... yeh,.. right.

Brinda said...

And so many use the same password to everything!

Miso Susanowa said...

@soror: let me add to that banks... it is a verifiable fact (google tons of studies and charts) that more than 7/8 of the huge data loss/breaches that have occurred in the past 10 years have been either inside jobs or negligence on the part of people working for the banks/military/corporation; the "hacker threat" is far less likely than negligence.

The Govt does lose that much stuff lol. Again, a couple hours googling will turn up the relevant articles and charts. Scary, isn't it?