Sony PlayStation hack: welcome to the modern world

The cyber-intrusion highlights a worrying trend. Are the bad guys winning?

News that Sony has brought in external investigators after the personal information of more than 100 million Sony online gamers was compromised in hacker attacks highlights a sombre reality: not even one of the world's most sophisticated technology companies can outwit the hackers in 2011.

Online gamers' disappointment at being denied access to Sony's PlayStation Network and Qriocity service while the hacks were investigated – robbing them of the privilege of being able to blast each other to bits in cyberspace – quickly turned to anger as Sony announced just what sort of information the hackers are thought to have gained access to. As the company put it:

We believe that an unauthorised person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorised a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility.

At least one lawsuit has already been launched in the US by a PSN user who claims Sony did not do enough to protect the private data of its customers, and the attorneys general for four US states have begun looking into the attack.

Here in the UK, the Information Commissioner, Christopher Graham, appears to be taking a strong stance for a change. He told BBC Radio 4's You and Yours programme that the matter looked like "a very significant breach of data protection law", though he will only be able to hit Sony with his potential fines of up to £500,000 if at least some of the compromised PSN data was stored in the UK.

Even then, while fines are all well and good, locked stable doors and bolting horses come to mind. Fining Sony will do nothing to reduce the risk of identity theft or fraud now faced by users of the PSN or Qriocity services, who Sony has kindly suggested should "remain vigilant to review your account statements and to monitor your credit or similar types of reports".

Missing in action

Identity theft is a real and growing problem. According to CIFAS, the UK's fraud prevention service, identity fraud increased by almost 10 per cent in the first nine months of 2010 compared to the same period in 2009. The number of victims of impersonation rose by 18.4 per cent.

It's easy to blame corporations like Sony for not investing in adequate security measures. But the hacking of servers run by the security firm RSA in March shows just how capable the bad guys – the hackers – are today.

RSA is not just a security specialist. Its authentication technology is specifically geared towards keeping the bad guys out of corporate networks, yet it still had to own up to a severe breach of its defences which could have compromised the security of authentication systems used by 40 million employees to access sensitive networks, both corporate and government.

The UK government has by no means an unblemished security record. In November 2007 two disks holding the personal details of all families in the UK with a child under the age of 16 went missing. The Child Benefit data on them included name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people. The then chancellor, Alistair Darling, said there was no evidence that the data had gone to criminals, but urged people to monitor their bank accounts for unusual activity.

In September 2008, the Insolvency Service said the names, addresses and bank details of up to 400 directors of 122 firms were lost after four laptops were stolen. That same month, the Service Personnel and Veterans Agency lost three USB portable hard drives with details of 50,500 staff. A month later, the Ministry of Defence said that a hard drive being held by a contractor, containing 1.7 million records, was missing.

Hacked off

Insider threats and good old-fashioned carelessness are nothing new, and won't stop until people stop being human. Encryption and data loss prevention (DLP) technologies have come a long way, but there is no such thing as "100 per cent secure", and no technology in the world can prevent a malicious insider with the right level of access privileges from helping himself to a little sensitive data.

Yet the Sony and RSA hacks are more worrying, if anything, than a lost or stolen memory stick or laptop. These are the ominous signs that the bad guys - increasingly so, it seems - are outsmarting what should be some of the most secure defences.

As Andy Cordial, managing director of the secure storage systems firm Origin Storage, puts it: "There have been hacks of several corporates in recent weeks. Regardless of what caused these incursions, it is now clear that the database security systems in active use on both sides of the Atlantic are no longer sufficient."

Or, to put it another way: right now, the bad guys are winning.

Jason Stamper is technology correspondent of NS and editor of Computer Business Review.


Why Barack Obama was right to release Chelsea Manning

A Presidential act of mercy is good for Manning, but also for the US.

In early 2010, a young US military intelligence analyst on an army base near Baghdad slipped a Lady Gaga CD into a computer and sang along to the music. In fact, the soldier's apparently upbeat mood hid two facts. 

First, the soldier later known as Chelsea Manning was completely alienated from army culture, and the callous way she believed it treated civilians in Iraq. And second, she was quietly erasing the music on her CDs and replacing it with files holding explosive military data, which she would release to the world via Wikileaks. 

To some, Manning is a free speech hero. To others, she is a traitor. President Barack Obama’s decision to commute her 35-year sentence before leaving office has been blasted as “outrageous” by leading Republican Paul Ryan. Other Republican critics argue Obama is rewarding an act that endangered the lives of soldiers and intelligence operatives while giving ammunition to Russia. 

They have a point. Liberals banging the drum against Russia’s leak offensive during the US election cannot simultaneously argue leaks are inherently good. 

But even if you think Manning was deeply misguided in her use of Lady Gaga CDs, there are strong reasons why we should celebrate her release. 

1. She was not judged on the public interest

Manning was motivated by what she believed to be human rights abuses in Iraq, but her public interest defence has never been tested. 

The leaks were undoubtedly of public interest. As Manning said in the podcast she recorded with Amnesty International: “When we made mistakes, planning operations, innocent people died.” 

Thanks to Manning’s leak, we also know about the Vatican hiding sex abuse scandals in Ireland, plus the UK promising to protect US interests during the Chilcot Inquiry. 

In countries such as Germany, Canada and Denmark, whistle blowers in sensitive areas can use a public interest defence. In the US, however, such a defence does not exist – meaning it is impossible for Manning to legally argue her actions were in the public good. 

2. She was deemed worse than rapists and murderers

Her sentence was out of proportion to her crime. Compare her 35-year sentence to that received by William Millay, a young police officer, also in 2013. Caught in the act of trying to sell classified documents to someone he believed was a Russian intelligence officer, he was given 16 years.

According to Amnesty International: “Manning’s sentence was much longer than other members of the military convicted of charges such as murder, rape and war crimes, as well as any others who were convicted of leaking classified materials to the public.”

3. Her time in jail was particularly miserable 

Manning’s conditions in jail do nothing to dispel the idea she has been treated extraordinarily harshly. When initially placed in solitary confinement, she needed permission to do anything in her cell, even walking around to exercise. 

When she requested treatment for her gender dysphoria, the military prison’s initial response was a blanket refusal – despite the fact many civilian prisons accept the idea that trans inmates are entitled to hormones. Manning has attempted suicide several times. She finally received permission to receive gender transition surgery in 2016 after a hunger strike.

4. Julian Assange can stop acting like a martyr

Internationally, Manning’s continued incarceration was likely to do more harm than good. She has said she is sorry “for hurting the US”. Her worldwide following has turned her into an icon of US hypocrisy on free speech.

Then there's the fact Wikileaks said its founder Julian Assange would agree to be extradited to the US if Manning was released. Now that Manning is months away from freedom, his excuses for staying in the Ecuadorian London Embassy to avoid Swedish rape allegations are somewhat feebler.

As for the President - under whose watch Manning was prosecuted - he may be leaving his office with his legacy in peril, but with one stroke of his pen, he has changed a life. Manning, now 29, could have expected to leave prison in her late 50s. Instead, she'll be free before her 30th birthday. And perhaps the Ecuadorian ambassador will finally get his room back.

 

Julia Rampen is the editor of The Staggers, The New Statesman's online rolling politics blog. She was previously deputy editor at Mirror Money Online and has worked as a financial journalist for several trade magazines.