The PSN Fiasco

It’s now the US government’s turn to question Sony about its online security, which follows the UK government’s scrutiny into the company’s affairs.

In a letter addressed to PlayStation executive deputy Kaz Hirai, the Subcommittee on Commerce, Manufacturing, and Trade has prepared a list of questions related to the intrusion; the list can be downloaded from the New York Times here. The letter asks several questions that Sony has not disclosed to the public, such as:

• How many PSN users had a credit card on file
• Why Sony cannot determine if credit card was stolen.
• What are Sony’s plans towards increasing its security in the future.

The Subcommittee’s press release states:

“Given the amount and nature of personal information known to have been taken, the potential harm that could be caused if credit card information was also taken would be quite significant. The Subcommittee on Manufacturing, and Trade has a longstanding interest in consumer privacy, identity theft, and industry efforts to address threats posed by unauthorized access to consumers’ personal information resulting from a data breach.”

The Subcommittee is requiring a reply by no later than May 6, as part of a privacy driven effort “to protect consumer information.”

Meanwhile, Kaz Hirai will be holding a press conference tomorrow from Sony Japan, to address the PlayStation Network hacking crisis.

The conference will be held at 2PM Japan time, which means a lovely 12 midnight time for those in New York and 5AM the next day for those in London.

It is expected that Hirai will announce a new PlayStation Network security system, and when PSN will be live for users to enjoy. He also may announce what sort of compensation Sony will offer.

As for PSN itself, the service is still down, but Sony has already stated that the service would return sometime around May 3. For the last two weeks, PlayStation Network has been down, and worse, personal data was exposed, including millions of debit card data. In fact, some underground sites have begun sellingwhat they claim are 2.2M credit card info, though the claims could be fraudulent or worse, propagating computer worms or viruses.

Regardless, Sony has let users know in a recent FAQ that they’ll compensate their users somehow for the trouble.

The PlayStation EU Blog promises:

“We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.”

It’ll be interesting to see what kind Sony comes up with. As a baseline, Microsoft and Electronic Arts have offered free games for outages.

iPhone and PlayStation 3 jailbreaker George “Geohot” Hotz has weighed in on the current PlayStation Network outage stemming from PSN identity theft from unknown hackers in his blog.

He immediately denied having anything to do with the scam, with the reasoning that he’s not stupid, though he doesn’t refrain from taking a potshot at Sony executives:

“To anyone who thinks I was involved in any way with this, I’m not crazy, and would prefer to not have the FBI knocking on my door. “Running homebrew and exploring security on your devices is cool, hacking into someone elses server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony.”

He continued:

“Also, let’s not fault the Sony engineers for this, the same way I do not fault the engineers who designed the BMG rootkit. The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.”

Hotz concluded with some words to those behind the scam, again slamming Sony in the process:

“To the perpetrator, two things. You are clearly talented and will have plenty of money(or a jail sentence and bankruptcy) coming to you in the future. Don’t be a dick and sell people’s information. And I’d love to see a write up on how it all went down…lord knows we’ll never get that from Sony, noobs probably had the password set to ’4? or something. I mean, at least it was randomly generated.”

His full blog entry can be found here.