In-Depth

Top 4 Mistakes Sony Made with Its Network Outage

After being offline for almost a month, Sony's network is starting to come back alive. While the hackers responsible should be the focus of our irascibility, Sony cannot be seen as completely guilt-free, given its actions both before the hack and after the fact. Here are the company's biggest mistakes in the whole matter:

4. Sony's Lack of Assurance to Developers Who Continue To Lose Money
If you are a developer, every day the network has been down is a day that you have lost money. And, although a limited amount of online functionality has returned, Sony's virtual marketplace is still nowhere to be found.

Here's what Christian Svensson, senior vice president of video game development company Capcom, wrote in a post on its forums: "…as an executive responsible for running a business, the resulting outage obviously costing us hundreds of thousands, if not millions of dollars in revenue that were planned for within our budget."

What's even worse is the situation of the small development houses whose products are only available through digital distribution. Companies like Capcom are still losing money on the lack of download support; however, their profits won't completely evaporate if consumers can still buy their products on store shelves. For those who rely only on online distribution, no network equals no income. And how is Sony reassuring developers to hang in there? With an impersonal memo that gives partners a small, vague amount of info that had already been circulating publicly for a few weeks.

Speaking on this issue, Dylan Cuthbert, founder of Q-Games, designer of downloadable games, said "I have no idea yet what Sony are going to do to help developers such as ourselves but I have a feeling they are thinking about doing something or they will lose developers which of course is pretty bad for them."

3. Sony Points Finger at Anonymous
With every (rare) statement made by the company since the outage, Sony is continuously crying victim. And it has been pointing its fingers at the party it feels is responsible. "We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named 'Anonymous' with the words 'We are Legion,'" wrote Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, in the response to the federal subcommittee mentioned earlier.

There had been whispers of the self-described anarchist hacker group's involvement since the beginning. The group has denied any involvement, specifically responding to allegations made in a Financial Times article, in a press release titled "SONY, I AM DISSAPOINT."

According to the press release, not only does the group give reasons why it wasn't involved, it counters with who it thinks was actually at fault: "Since Sony was warned of security holes months in advance, one of those 'best practices' would be to accept the advice of the experts. In Sony's passing the blame there is no justification for the collection and retention of personal information they didn't need."

With a group like Anonymous, it's a little hard to know whether to believe it had no involvement in the hack, since leadership is decentralized, the group is many and individual members are, well, anonymous. But that doesn't make it incorrect in putting some of the blame where it belongs: Sony's network practices.

2. Sony's Out-Of-Date Software and Missing Firewall
With a security crack that affects millions of individuals' personal information, it's impossible for the U.S. Government to keep out of the matter. A hearing was held on May 4 to try to get some answers on what actually caused the situation. Of course, answers would not be coming from Sony (check out our #1 mistake). Instead, Eugene Spafford, executive director for Purdue University's Center for Education and Research in Information Assurance and Security, played the part of troubleshooter for Congress.

In testimony, Spafford alleges that Sony was using a hosted Web service that was out-of-date and, even worse, knew about it.

"[I]ndividuals who work in security and participate in the Sony network had discovered several months ago while they were examining the protocols on the Sony network to examine how the games work, [that] the network game servers were hosted on Apache web servers -- that's a form of software.

But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable.

And they had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. That was two to three months prior to the incident where the break-ins occurred."

For a technology giant like Sony, operating a network that is both old and lacking any sort of security is both a novice and profit-killing mistake, especially when your job is to assure users that information will be safeguarded. Sony responded to these allegations by completely avoiding them, as is evident in its written response. This brings us nicely to our top misstep by Sony:

1. Lack of Communication From the Company
The problems listed above could all boil down to Sony having a real issue with communication. But, as with most things in life, it's usually not what you say, but what you fail to say that causes the biggest problems.

The PlayStation Network went down on April 20. The public was warned about the possibility of loss of user data on April 26. That seems like quite a long time to stay quiet, especially since it was noted that the breach was discovered a day before the outage.

Not only was there no news to users on whether their data was safe, there wasn't even any word on why the network was down, when it could possibly be back up and how Sony was looking into the issue. Prior to a vague blog post on the 26th, the only news of the status of the breach came from turning on your PlayStation 3 or PSP to see that a connection could not be made.

ZDNet's Peter Cohen, who follows the Apple and video game industries, expressed exactly how the 77 million users must have been feeling: "Stop spinning, Sony, and give us a straight answer on what happened to our data. Otherwise this failure will hang around Sony’s neck like an anchor, and make the Xbox 360 and Xbox Live that much more appealing to gamers looking for a secure and reliable playground."

This lack of communication is also doing no favors with those who have already purchased its PlayStation products.

According to the UK-based video game publication Edge, consumers quickly became sick of the silent treatment regarding their data and lack of online functionality: "'In the first week of downtime we did not really see any major change in sales or trades,' says one source, a store manager at a major UK retailer speaking on condition of anonymity. 'However from the second week onwards we have seen an increase of over 200 per cent on PS3 consoles being traded in, split almost 50/50 between those trading for cash and those taking a 360 instead.'"

While this is a great opportunity for Microsoft to pounce on the mistrust of millions of users with its Xbox 360, Sony needs to both reassure and prove to customers that the company still deserves their business. Too bad Sony's crisis team has done little for this cause. Since the outage started, Sony has continuously given vague timetables for when its services will resume -- and has been wrong most of the time.

Sony did recently announce that users will be receiving free games, extended services for subscription-based products and a free movie rental (whenever its online marketplace is back up and running). But where was this generosity and assurance to customers during the past four weeks? And is it too late for many of its customers? It is for those mentioned above who have already moved on to a different gaming system.

Not being open with those who actually support your product through purchase will only lead many to see Sony as a tarnished brand name. While it's not easily forgivable to be running out-of-date, easily hackable software, we all have come to the realization that problems do occur in the technology field that could cause an outage. However, if there is a lack of communication coming from the company, it only causes consumers to jump to their own conclusions about what the situation is and how it's being handled. And, speaking as one of the said consumers that owns Sony products, my conclusion is incompetence.

What do you think were Sony's biggest mistakes? And how can a company convince you that it deserves your business after such a long outage? Let us know by commenting below.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
