The fallout from the PlayStation Network hack has caused a flurry of debate about the reliability of digital distribution.

What’s not yet clear is the extent to which developers will be hurt because of consumer mistrust.


CasualGaming.biz contacted several developers, who rely on digital distribution, to hear their take on the situation.
“We’re rooting for Sony to resolve the issue as quickly as possible. PSN is one of our primary channels for reaching console game fans, and it does feel as though Sony should compensate customers, if not developers, for the outage,” said a PopCap official.
Sony have promised compensation for developers. Some will undoubtedly feel the brunt of the outage more, however.
For instance, Creat Studios have a number of titles available on PlayStation Network, including Cuboid, Mushroom Wars and Digger HD.
“The PSN downtime has certainly reduced our visibility as a company as most of our titles are sold through PSN,” said PR and marketing coordinator Bill Fryer.
“We have been long time partners with Sony and I feel that they understand how an outage like this affects developers like us. We have been in constant contact with Sony through this time and they have been accommodating with the dates of sales and marketing assets so far.
“Most of our titles are being sold through the PSN, so any PSN user base lost will affect our sales. But we are confident that this extended maintenance will provide a secure user interface that will work to restore this loss of confidence.”
Restoring confidence won’t be easy after a mass outage like this, though.
“It just goes to show how fragile the business is at this point in the evolution of digital distribution,” said Mel Kirk, VP of marketing at Zen Studios.
Zen develops and publishes pinball games across PSN and Xbox Live. Kirk said they were due to release Sorcerer’s Lair for Zen Pinball on April 26, but have been delayed as a result of the outage.
“Zen Studios has felt the impact just as hard as any other digital publisher on the platform,” she said.
“The PSN outage really is a bummer for all parties - developers, publishers and gamers alike - and it shows the need for heightened security and preventative measures to keep a system like PSN from being hacked.”
The immediate loss of business is regrettable, though Kirk thinks the situation will be worse for those that published games just before the outage.
“In all honesty, it will probably be a lot tougher on the guys who released games last week, or the week before. You really need the first few weeks’ sales momentum to carry you into the post-launch hype loss, and it might be tough for those guys to get that back unless Sony steps in and provides some support for them. We hope they do! The loss of a week’s worth of sales will be felt by every publisher regardless of how great or small the revenue is.”http://www.casualgaming.biz/news/309...-affected-devs ...

News via http://streetskaterfu.blogspot.com/2...formation.html

The PSN is down, all accounts got dumped by an anonymous hacker and the community is cryin' for answers. 77 million accounts with password and sometimes CC info are worth a lot in several hack chans. This is a very huge case.

Now SONY engaged an external security company to discover the holes in SONY's system and find answers. As I was wondering if there may be some information about the actual case we can find out publically, I researched a bit myself.

One interesting point I found is a not secured access log of a PSN environment.
You will quickly notice the IP 214.1.211.251, which sends requests like a vulnerability scanner.
The IP points to the DoD Network Information Center, based in Ohio USA.

The first log entry of this IP is [03/Mar/2011:07:10:38 -0800]. As the DoD is knows as beeing easy to hack, the anonymous hacker could have used this as proxy.

Maybe SONY might want to take a look at this IP, I hope soon we get some news and details about the case...

- SKFU ...

News via http://wololo.net/wagic/2011/04/28/p...n-the-hackers/

Unless you’ve been under a rock for the past days, you probably know that Sony announced they have been hacked, and our private information (potentially including credit card numbers) has been stolen from the PSN. This potentially impacts 77’000’000 customers.
I’ve received many emails/comments telling me “Wololo, you’re always in favor of CFW, and always on the side of the hackers, so what do you say now?”
Well, clearly I’m not happy that some people did that, I’m not happy that my information got stolen by these people. I want to point out that I never claimed that hacking into a corporation’s network was a good thing. Just like other people who are in favor of hacking and jailbreaking, I think customers should be able to enjoy their hardware the way they want, as long as they do not interfere with other people’s freedom. This makes things very clear: I’m not in favor of piracy, cheating online, identity theft, or anything like that.
This attack is unrelated to jailbreak

I’ve seen various comments on the net that this attack was performed “thanks” to some Custom firmware installed on some PS3s. This triggered new “anti jailbreak” comments from various people, including this guy who, despite making the efforts to do some research on the subject (and that’s good, because most people don’t do that), clearly should not be talking about stuff he doesn’t understand. I’m a computer engineer, I don’t talk about fashion. He’s a gamer and shouldn’t talk about security.
So, why do I claim that this has nothing to do with jailbreaks? Well, assuming the hack was performed “thanks” to a hacked PS3, it means Sony’s servers “trust” a PS3 accessing their system to not be hacked or modified. This is crazy, and this is security 101: the server should NEVER trust the client, end of story, NO exception. I trust Sony’s engineers to know this, so I believe this is not what happened. If I’m wrong, and if indeed there was some backdoor in the Sony system that allowed to trust a PS3 more than say, MediaGo running on a PC, then whoever designed such a backdoor in place is highly responsible for what happened. And Sony is guilty of believing that security through obscurity works. As I read somewhere, the good thing about open source software is that you can’t start to believe that your “opponent” won’t be able to read your code. So you design your security accordingly.
Now, my opinion is that a Jailbroken PS3 was not involved with this. Why would it be needed? You can connect to the PSN on a PC with MediaGo. It sounds fairly reasonable to me that somebody could investigate the code from that client and find some flaws in there, who knows? So for all we know, PS3 hardware wasn’t even involved in this attacks, making even a stronger point that this has nothing to do with jailbreaking a PS3. And if a PS3 was actually involved and you think it means jailbreak is related to this issue, then read the paragraph above.
As customers, Sony is the one responsible for our security, we can’t trust 6 billion people to play nice

Whatever you do, there will be people in the world trying to screw you, people not respecting the law. When these people attack you, you are free to hate them. As I said, I’m not happy some people stole my information, I don’t like these guys, but I know the world is made of people stealing your stuff, and it will always be the case.
Would you give your credit card number to me, or would you enter it on a form in my website? No. Because I’m a nobody, and there is no history of me not being a bad guy. I also have no way to be contacted easily in person. But you give your credit card information to Sony. Because it is a respected company, and you trust them to handle that kind of stuff correctly. By putting your trust in them, you implicitly ask them to be responsible, and by accepting your money and your credit card number, they accept to be responsible for your information’s security, even if their stupid PSN License says they can’t be responsible for a security breach.
Sony store the account information for 77’000’000 people. With such a big number of customers, I expect them to dedicate time and energy into securing their system. No system is perfect, but I expect them to apply the minimum security rules to their systems. First, the information retrieved by the hackers shouldn’t be usable in any way, because the information they stole should be encrypted, or hashed. Passwords should be hashed. It allows login systems to recognize that your password is correct without really knowing it. How comes Sony announced that our passwords were stolen then? How can they even be “unsure” if our credit card information was stolen? Our credit card information shouldn’t even be stored on their system, at worst it should be an encrypted version, and the rest should be 100% handled by Visa or Mastercard.
It is difficult to understand exactly what information ...

As the PlayStation Network / Qriocity outage stretches into its second week, over on the PlayStation Blog rep Patrick Seybold has just posted an updated Q&A based on the inquiries of concerned users. Beyond the security of our personal information, the most important question is when service might be restored and he reiterates Sony expects to have "some services" up and running within a week from yesterday. When it comes to the most important personal information like credit card numbers, there are assurances that the credit card database was encrypted and there is no evidence anything was taken, but that's a possibility that still cannot be ruled out completely. To keep things secure, Gamasutrareports game developers are getting new SDKs with updated security features as well. When the service comes back up, expect a mandatory system update that requires a new password before getting back to your Mortal Kombat or Portal 2-related plans.
http://www.engadget.com/2011/04/27/s...s-up-and-runn/
...

...

Soon-to-be-celebrity hacker and thorn in Sony's side George 'Geohot' Hotz has denied any involvement in the ongoing breach at the PlayStation Network. The 21-year-old hacker — who is best known for creating the first software-based hack for the iPhone, and getting hypervisor access and exposing the root key to the PlayStation 3 — has made it clear that he had nothing to do with filleting Sony's online gaming servers, saying 'I'm not crazy.'http://games.slashdot.org/story/11/0...SN-Hack-Attack ...

A PlayStation 3 owner in Alabama has been the first to initiate a lawsuit against Sony, following the security breachand potential theft of data from the PlayStation Network.
The complaint was filed on behalf of Birmingham, Alabama resident Kristopher Johns, in the US District Court for the Northern District of California. Johns is asking for the lawsuit to be raised to a class action, which if granted would allow any US PlayStation Network user to become a plaintiff in the case.
The details of the lawsuit, as first reported by CNET, cover the basics of the case as already reported. Sony is accused of not taking, "reasonable care to protect, encrypt, and secure the private and sensitive data of its users".
Sony is also accused of taking too long to notify customers of the seriousness of the problem and that personal information was at risk. This, argues the lawsuit, made it impossible for customers to, "make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions".
Johns is seeking compensation and free credit reporting services - the latter something which US Senator Richard Blumenthal has already demanded from Sony for all US customers.
Although Sony has already been heavily criticised on both of the lawsuit's two main complaints so far there is still no evidence of fraud or misuse of any stolen data. If such evidence does emerge then Sony's position could weaken significantly.

http://www.gamesindustry.biz/article...ver-psn-breach
...

Security experts have attempted to estimate the cost of the ongoing PlayStation Network security scandal to Sony, with suggestions ranging from around $20 million to $24 billion.
Wedbush Morgan analyst Michael Pachter, speaking to websiteShacknews, suggests that PSN generates around $10 million in revenues and $3 million in profits per week. The service has already been down for over a week now.
However, Pachter's estimate does not take into account indirect losses from reduced customer confidence in the service and nor does he address the question of legal compensation. In his opinion though: "If they offer some free stuff and continue to follow up, this will all be forgotten in a few months."
According to data security research firm The Ponemon Institute, as quoted by Forbes, the average cost of a data breach involving a criminal act is currently $318 per record.
Forbes suggests that with 77 million registered accounts worldwide this creates a potential cost to Sony of over $24 billion.
US streaming video service Hulu has already offered subscribers one week's credit as a result of the service downtime, with website Kotaku reporting that Sony Online Entertainment will offer a range of special events and compensations this weekend for titles DC Universe Online and Free Realms.
In related news, reports suggest that Sony is asking developers to install new SDKs (software development kits) on their PlayStation 3 development kits during the PSN downtime.
According to Gamasutra the new SDKs include advanced security features, meant to avoid any repeat of the current problems.

http://www.gamesindustry.biz/article...-USD24-billion
...

Sony has claimed that credit card data stored on the PlayStation Network was encrypted and that there is still no evidence that credit card information has been stolen following last week's security breach of the online service.
Although on Tuesday Sony admitted that it could not rule out the possibility that credit card data had been taken, there is still no suggestion that the breach has been that serious.
The entire credit card table was encrypted and we have no evidence that credit card data was taken.

Sony

According to an update on the official PlayStation Blog, "All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken.
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
While Sony still cannot guarantee that credit card information, encrypted or otherwise, was not taken it continues to offer the same advice to customers: " If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
"Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."
The protection of credit card data could be the first positive news for Sony during the ongoing scandal, but the admission that personal data was not encrypted could still prove damaging.
This data has already been confirmed as compromised and would be of significant use to criminals in terms of identity theft and as an aid to phishing scams.
Yesterday it was revealed that the Information Commissioner's Office in the UK is to quiz Sony over its online security arrangements.

http://www.gamesindustry.biz/article...-was-encrypted
...