I don’t have any stake in the PSN outage issue, not owning any Sony products more complicated than headphones (the last console I bought was a used original Xbox, to chip and run XBMC on), but it has made interesting reading on the interwebs. There are the official releases, which until today were basically “The system is down.” There is also all kinds of amusing speculation, because when you take video games away from geeks, they suddenly have all kinds of time for that sort of thing. A fairly credible and highly publicized bit of speculation comes from this thread at reddit, where someone from PSX-Scene traces the root of the problem to custom firmware that let consoles onto the developer network, which in turn let users purchase paid content with bogus credit card information. The specific details aren’t that interesting to me; the interesting thing is that almost all the speculation has something in common: that Sony was, at least in part, relying on a client-side security model*. If true, this is seriously fucking stupid, even by Sony standards. Even setting security aside, there is a standard adage when writing software: “Never trust the user.” Usually the user can’t be trusted because the user is a fucking idiot. Occasionally the user can’t be trusted because the user is malicious (where, in this case, “malicious” is defined as “wants to run their own code on hardware they own”).
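To make the “client-side security model” point concrete, here is an added illustration (my own example, not Sony’s code or anything derived from the speculation above) of a purchase handler written two ways. The message layout, the field names, the developer-console registry and the simulated card processor are all invented for the example; what matters is where the decision is taken. The first handler believes flags the console sends about itself (“I am a dev unit”, “my card has been verified”), which is exactly what custom firmware can forge. The second ignores those flags and consults records only the server holds.

```python
# Added example, not from the original post: client-trusting purchase flow
# beside a server-validated one. All identifiers and data are constructed.
from dataclasses import dataclass

# Constructed server-side data: console IDs the operator actually issued as
# developer units (hypothetical), and accounts the simulated card processor
# will authorize.
DEV_CONSOLE_REGISTRY = {"DEV-0001", "DEV-0002"}
PROCESSOR_OPEN_ACCOUNTS = {"4111111111111111"}


@dataclass
class PurchaseRequest:
    """What the console sends. Every field is attacker-controlled on a
    modified console, including the two boolean assertions."""
    console_id: str
    is_dev_console: bool   # asserted by the client
    card_number: str
    card_verified: bool    # asserted by the client
    amount_cents: int


def luhn_ok(number: str) -> bool:
    """Structural check a card number must pass (Luhn mod-10). This catches
    typos, not fraud; a fabricated number can still be Luhn-valid."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def processor_authorize(card_number: str, amount_cents: int) -> bool:
    """Simulated card processor: the server asks a party the client cannot
    impersonate. Here that is a set lookup; in reality it is a network call."""
    return (amount_cents > 0
            and luhn_ok(card_number)
            and card_number in PROCESSOR_OPEN_ACCOUNTS)


def purchase_trusting_client(req: PurchaseRequest) -> str:
    """Vulnerable: both authorization decisions come from client-supplied flags,
    so custom firmware that sets them to True gets content for free."""
    if req.is_dev_console:
        return "granted: dev network, no charge"
    if req.card_verified:
        return "granted: charged"
    return "denied"


def purchase_server_validated(req: PurchaseRequest) -> str:
    """Hardened: the client's assertions are never read. Dev status comes from
    the server's own registry and card approval from the processor."""
    if req.console_id in DEV_CONSOLE_REGISTRY:
        return "granted: dev network, no charge"
    if processor_authorize(req.card_number, req.amount_cents):
        return "granted: charged"
    return "denied"


# Constructed requests. FORGED_DEVKIT is a retail console whose firmware
# claims dev status; FORGED_CARD carries a Luhn-valid but nonexistent card
# and claims it was verified; the LEGIT_* requests are genuine.
FORGED_DEVKIT = PurchaseRequest("RETAIL-9999", True, "1234567812345678", True, 1999)
FORGED_CARD = PurchaseRequest("RETAIL-9999", False, "4242424242424242", True, 1999)
LEGIT_DEVKIT = PurchaseRequest("DEV-0001", False, "", False, 1999)
LEGIT_CARD = PurchaseRequest("RETAIL-0042", False, "4111111111111111", False, 1999)

if __name__ == "__main__":
    for name, req in [("forged devkit", FORGED_DEVKIT), ("forged card", FORGED_CARD),
                      ("legit devkit", LEGIT_DEVKIT), ("legit card", LEGIT_CARD)]:
        print(f"{name:13s} trusting={purchase_trusting_client(req):34s} "
              f"validated={purchase_server_validated(req)}")
```

The two forged requests are accepted by the first handler and refused by the second, while the genuine ones are accepted by both, which is the whole argument: nothing the console says about itself should change what the server is willing to do, because anyone who can run their own code on the console can make it say whatever they like.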
Back in December there was the excellent Fail0verflow talk at 27C3, where they eviscerated the security model on the PS3 and pretty much demonstrated that Sony screwed the pooch on that front (watch the talk if you haven’t; it is by far the best security presentation I’ve ever seen). Even before this, the PS3 had been fairly deeply compromised by a variety of other techniques, and the PSP has been compromised (and re-compromised) almost since it shipped, so Sony didn’t just have a reasonable assumption that clients couldn’t be trusted; they knew it for certain.
There was also the rootkit scandal over the copy protection on some Sony BMG audio CDs. Altogether, this sets a precedent for an almost unlimited degree of poor design in Sony security systems.
Now Sony is saying that a huge quantity of personal information on every user may have been compromised, and there is a spate of complaints about bogus charges on cards used with PSN services floating about on the ’net (complaints of unknown correlation and reliability). This leads to the really interesting questions. Was all this information stored in plaintext? It sure sounds like it was, if it was extracted on such a scale. If both the Sony release and the speculation about access being gained through compromised consoles are true, why was this information accessible from clients at all? And finally, how did a system with all of the above properties come to be designed? I’m seriously hoping this gets analyzed in public, because it will make an amazing instructional case study, and something of worth might as well be salvaged from this clusterfuck.
* There are a couple of non-client-side attack theories too: the boring “organized criminals did it” option, and the theory that Anonymous (big A) is doing their gleeful mayhem thing, like they threatened. These aren’t any more or less credible; they just aren’t as interesting.