It goes without saying that Sony currently has a target the size of Iowa painted on its back. Between the breaches in the Playstation Network, Sony Online Entertainment, and now Sony Pictures, you would be hard pressed to find a company that has been more thoroughly embarrassed when it comes to user data security. Every day brings word of another incursion. I’m thinking that something is going to have to give sooner or later.
Sony started out this whole mess by going after George Hotz, a famous hacker who goes by the online name Geohot. Geohot has done all manner of things, including a simple jailbreak for the iPhone known as Limera1n. Geohot also had his eyes on rooting the Playstation 3, Sony’s premier gaming console. While Sony had given you the option to install a Linux-based OS onto the console from the start, Geohot wanted to take it a step further and unlock the ability to run other kinds of code, as well as gaining access to the memory contents and hypervisor level of the console. This would allow users to do things like emulate Playstation 2 games, which was an original feature of the console that was later dropped due to complexity and memory constraints. Geohot also started work on creating a custom firmware for the console that would allow users to do as they wished, while still keeping certain features of the OS intact. In April of 2010, Geohot announced that he was not pursuing the development any further, but in January 2011, he posted the root signing keys of the PS3 online. This was probably the last straw for Sony. The root key would give anyone the ability to sign code and execute it on the console without raising any suspicion. Sony sued Geohot, and after some legal maneuvering and lots of publicity, eventually settled the lawsuit in April 2011. This was the catalyst for the difficulties that Sony has faced over the past two months.
In late April, Sony shut down large portions of the Playstation Network (PSN) for an extended period of time due to what was later termed an “external intrusion”. After rushing to restore the network that handled the majority of Playstation online multiplayer play, Sony disclosed in early May that Sony Online Entertainment had been intruded upon as well as PSN. Rather than rushing things back online this time, more care was taken to excise any possible problems and no ETA was set to bring the services back to the public. In the interim, Sony profusely apologized for the problems and even testified before the US Congress about the breaches. Sony recently enabled PSN once more, only to fall victim to another hacking group exposing portions of the Sony Pictures online customer database. In all, close to 40 million Sony customers have had their personal information exposed in one form or another in the past two months. Email addresses, birthdates, and credit card numbers along with their Card Verification Value (CVV) codes have all been stolen.
What started out as a showdown in the desert between Sony and a group of hackers angered by the treatment of Geohot has now taken on the appearance of a rotting carcass slowly being picked over by anyone that wants to come along and poke it. The question now isn’t whether Sony will be hacked again, but what might get stolen this time, and where it will be stolen from. As a former customer of Sony Online Entertainment, I can be certain that some of my information is probably out in the wild. I’ve since changed passwords and credit card numbers to avert any possible wrongdoing, but other customers haven’t been so lucky. I’ve lost all confidence in Sony and their ability to keep my information secure. While many point to the infamous rootkit incident as the point where Sony started to sour in the eyes of their customer base, I think the PSN outage points to a bigger issue. If Sony wants to install software on my computer to monitor whether or not I’m ripping CDs, that’s their business. I can dislike them for doing something they shouldn’t and be done with it. The only harm done was their ham-handed attempt to sneak something onto my PC. But with this series of hacks, Sony has taken their corporate image and dragged it through the filthiest mud imaginable. I now no longer dislike Sony because they do things they shouldn’t; instead, I’ve lost confidence in their ability to keep me safe. Just like a bank failure, when a company can no longer assure me they can do business the way that it should be conducted, it’s time to move my business elsewhere.
Sony faces some pretty rough territory in the coming future. First, they really need to find out what raised the ire of their intruders and apologize for it. Profusely. It may be a little late now, but if they show a little remorse for whatever wrong they may have done it might call off the dogs for a bit. Sony needs time to recover and reassess their security posture. Secondly, Sony needs to can their security team and bring a set of fresh eyes into the picture. It’s quite apparent that the current team wouldn’t know security if it bit them in the ass. Passwords stored in clear text, arbitrary account recovery mechanisms, and general incompetence seem to abound. It’s time to get a new CISO and make some drastic and public changes. Announce what you are going to do and make sure your now-burned customers are aware of your new commitment to security. You aren’t going to win anyone back by implementing new security features and burying them on page 20 of a 21 page press release. Face it Sony, your reputation is shot either way. Why not make the most of it and try to win back some fans by admitting you screwed up and then fixing it?
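To make the “passwords stored in clear text” failure concrete, here is an added example, written for this post and not taken from Sony or from the original article. It puts the weak pattern next to a hardened one using only the Python standard library: a per-user random salt, PBKDF2-HMAC-SHA256 with a high iteration count (the count is an assumed work factor, not something the post specifies), and a constant-time comparison on verification. The in-memory `table` dictionary is a constructed stand-in for a user database; the `leaked_passwords` helper shows what a dump of that table hands over under each scheme.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_cleartext(table: dict, username: str, password: str) -> None:
    """The weak pattern the post describes: the password itself is stored,
    so anyone who reads the table reads every password verbatim."""
    table[username] = {"password": password}


def store_hashed(table: dict, username: str, password: str) -> None:
    """Hardened pattern: store only a random per-user salt and a slow hash.
    Two users with the same password get different records because the
    salt differs, which defeats precomputed lookup tables."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    table[username] = {"salt": salt.hex(), "hash": digest.hex()}


def verify_hashed(table: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    An unknown user is rejected without revealing whether the name exists."""
    record = table.get(username)
    if record is None or "hash" not in record:
        return False
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # hmac.compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_passwords(table: dict) -> dict:
    """What a dump of the table exposes: every cleartext entry is recovered
    directly; hashed entries contribute nothing usable without cracking."""
    return {user: rec["password"] for user, rec in table.items() if "password" in rec}


if __name__ == "__main__":
    # Constructed sample accounts; the credentials are made up for the demo.
    users = {}
    store_cleartext(users, "alice", "hunter2")
    store_hashed(users, "bob", "hunter2")
    store_hashed(users, "carol", "hunter2")
    print("exposed by a table dump:", leaked_passwords(users))
    print("bob logs in:", verify_hashed(users, "bob", "hunter2"))
    print("bob, wrong password:", verify_hashed(users, "bob", "hunter3"))
    print("bob and carol share a password but not a record:",
          users["bob"]["hash"] != users["carol"]["hash"])
```

Hashing is only half of what the post asks for: the “arbitrary account recovery mechanisms” it mentions would still let an attacker bypass this check entirely, so a reset flow needs the same care (short-lived, single-use, unguessable tokens) before the stored hashes matter.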
There’s no doubt Sony makes good technology. Even when it fails. However, a series of organizational policies that have left their customer base more violated than the speed limit is their worst failure to date. There isn’t going to be a cool new feature to save them from this disaster. No hope for a new version of software to work out these bugs. It’s time to rewrite the security posture from the ground up. Find an executive or two to fall on their swords for this whole mess and move on. Make sure to keep your former customers in the loop about how you’re going to ensure that this never happens again. I, for one, am done with Sony until I see some major changes in their handling of customer data. No more TVs, cameras, Walkmen, or games until they prove to me that filling out an online profile isn’t going to expose me to all manner of dastardly things on the Internet and beyond. Sony’s had their moment of silence in all this by refusing to come clean about the hack in the first place. Again and again, they’ve kept their mouths shut about timetables and countermeasures. And until I hear something from them about all this, they won’t hear anything from me at all.