The PSN hack and open source

I’m one of the people who has recently (perhaps in an excess of caution) cancelled their credit card because of the security breach of the Sony Playstation Network. Now you might wonder what this has to do with open source, but bear with me. Back in 2004 I went to a conference in The Hague about open source in the secondary software sector (meaning industrial sectors where software was a part of their product but not the core offering). One of the companies there was Sony Computer Entertainment. The presenter explained that Sony was a very open source-friendly company, and that within the development division in Japan Linux desktops were the norm. The presenter also pointed to the Linux installation kit that Sony had released for their then-current games console, the Playstation 2 (PS2), and advised us to look out for more Linux-related tie-ins in future games consoles. True to their word, two years later the Playstation 3 launched with the facility to install Linux in the basic model. True, you could not access most of the console’s advanced hardware via this ‘Other OS’ option, but it was a nice gesture, and one generally appreciated by the open source community.

Unfortunately, three years later, when Sony released the revised ‘slim’ version of the console, they decided to remove the option to install Linux. Sony said that the change was necessary because they wished to focus on the gaming side of their console, and could no longer support the work needed to create and test Linux drivers for the new hardware revision. Cynical observers commented that the removal was more likely due to the progress hobbyist developers had made in unlocking access to the PS3’s more advanced hardware features via the ‘Other OS’ feature, thereby threatening the exclusive control Sony then had over which software could run on the console. Indeed, shortly after the release of the PS3 slim, hobbyists succeeded in circumventing the PS3’s security features and progressively gained full control of the machine.

This brings us to the first open source-related lesson of this story – withdrawing freedom is hard. As the technical team who finally overcame the PS3’s security pointed out, the removal of the ability to install Linux was what drew their attention to the console. Having sold the console as – in part at least – a venue for open development and hobbyist coding, Sony’s removal of this capability struck some as unjust, and motivated them to forcibly right what they saw as a wrong. Now I am not trying to equate the open source community with technologists who overcome third-party control mechanisms like the protection of the PS3; while there is some cross-over, the activities are essentially distinct. It can be said, though, that Sony used freedom to develop and open source-friendliness as marketing tools (particularly effective in a market where their chief gaming rival was the perceived open source opponent Microsoft), and that their decision to withdraw that freedom was (a) highly resented and (b) in the end ineffectual.

Moving to Sony’s more recent problems, their decision to take robust legal action against one of the technologists responsible for overcoming their console security angered many, and led to denial-of-service (DoS) attacks against the Playstation Network (PSN) – the service which enables online gaming and sales of downloadable content for Sony consoles. In the wake of these DoS attacks, Sony took the PSN down for a long period of maintenance. Many surmised that this was intended to allow changes to the system that mitigated the loss of control over the console platform itself that Sony had experienced. In fact, as the first link above shows, Sony’s PSN had been hacked and the personal details of approximately 100 million users, myself included, had been accessed by unknown third parties. At the time of writing Sony has not given details of how the hack was carried out, but rumours on the internet – many pre-dating the closure by several months – claimed that Sony may have been running outdated versions of popular open source software on their PSN servers. Professor Eugene Spafford of Purdue University gave some of the details of these rumours when testifying yesterday to the US House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade. Professor Spafford mentions outdated versions of the Apache httpd web server as a potential attack vector in the hack, basing his remarks seemingly on unspecified postings to security-related mailing lists. While I have not been able to locate the postings he is talking about, it is certainly true that purported logs of the EFnet IRC channel #ps3dev have been circulating that contain claims very similar to those Professor Spafford raises.

This brings us to our second open source-related lesson from this ugly situation – even the best-maintained open source is only as secure as the release you are actually running. Clearly we have no way of knowing what happened in the PSN hack, but no-one who does not also commit to keeping their installations up to date should rely on the security of open source – or indeed of any software. The fixes are published for everyone to see; an attacker reading the release notes knows exactly which versions are still exposed.
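The lesson is easy to state and easy to let slip, because nobody notices a server quietly falling behind. As an added example (not code from the original post), here is a small Python audit that takes an inventory of hosts and the software banners recorded for them, extracts product and version, and flags anything below a minimum acceptable version. The inventory lines and the baseline versions are constructed placeholders for illustration; they are not a statement about which Apache, OpenSSH or PHP releases were or were not vulnerable at the time of the PSN breach.

```python
"""Flag hosts whose advertised software version is behind a patch baseline.

Added example, not code from the original post. SAMPLE_INVENTORY and BASELINE
are constructed placeholders: substitute your own inventory and your own
patch policy.
"""
import re

# Hypothetical minimum acceptable versions, as a patch policy might define them.
# These numbers are placeholders, not advice about specific releases.
BASELINE = {
    "apache": (2, 2, 17),
    "openssh": (5, 8),
    "php": (5, 3, 6),
}

# Constructed sample: "host<TAB>banner", as a scanner or CMDB export might record it.
SAMPLE_INVENTORY = """\
web01\tApache/2.2.3 (CentOS)
web02\tApache/2.2.17 (Unix) PHP/5.3.2
web03\tApache
bastion\tSSH-2.0-OpenSSH_5.3
web04\tApache/2.2.20 (Ubuntu) PHP/5.3.6-13ubuntu3
"""

# Product name followed by '/' or '_' and a dotted numeric version (suffixes ignored).
VERSION_RE = re.compile(r"(?P<product>Apache|OpenSSH|PHP)[/_](?P<version>\d+(?:\.\d+)*)", re.I)


def parse_version(text):
    """Turn '2.2.17' (or '2.2.17-13ubuntu3') into the tuple (2, 2, 17)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_behind(version, baseline):
    """True if version < baseline, component-wise, so 2.2.3 < 2.2.17 and 2.2 == 2.2.0."""
    width = max(len(version), len(baseline))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) < pad(baseline)


def audit_banner(banner):
    """Return [(product, version_tuple, behind)] for every product/version in a banner."""
    findings = []
    for m in VERSION_RE.finditer(banner):
        product = m.group("product").lower()
        version = parse_version(m.group("version"))
        findings.append((product, version, is_behind(version, BASELINE[product])))
    return findings


def audit_inventory(inventory):
    """Map host -> findings. A host whose banner carries no version is reported as
    ('unknown', None, None) rather than silently treated as current."""
    report = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, banner = line.split("\t", 1)
        report[host] = audit_banner(banner) or [("unknown", None, None)]
    return report


def behind_hosts(report):
    """Hosts with at least one product below baseline."""
    return sorted(h for h, fs in report.items() if any(f[2] for f in fs))


def unknown_hosts(report):
    """Hosts where no version could be read from the banner; these need a manual check."""
    return sorted(h for h, fs in report.items() if any(f[1] is None for f in fs))


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for host, findings in report.items():
        for product, version, behind in findings:
            shown = ".".join(map(str, version)) if version else "?"
            if version is None:
                status = "no version advertised; check the package manager"
            else:
                status = "BEHIND baseline" if behind else "ok"
            print(f"{host:8} {product:8} {shown:10} {status}")
```

Two caveats a practitioner would add. First, a banner is a hint, not evidence: Apache can be told to hide its version (`ServerTokens Prod`), and a host that advertises nothing belongs in the "unknown" column, not the "fine" column, which is why the script reports it separately. Second, distribution vendors routinely backport security fixes without changing the upstream version number, so a package reporting `2.2.3` on an enterprise Linux may already carry the relevant fixes; the authoritative answer comes from the package manager and the vendor's advisories, and a check like this is only the triage step that tells you where to look.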

PS. Professor Spafford’s prepared remarks for the subcommittee (pdf) are also interesting in that they recommend a system of consumer data protection that closely mirrors the UK’s own Data Protection Act.