Don't Blame Sony, You Can't Trust ANY Networks
The hack attack that forced Sony to take the Playstation Network and Sony Online Entertainment offline and resulted in the theft of personal information from tens of millions of people around the world wasn't really Sony's fault, it was an inevitability, a security expert tells Kotaku.
Bruce Schneier, internationally renowned security technologist and author of Applied Cryptography, Secrets and Lies and Schneier on Security, said that the only thing unusual about the break in to Sony's dual networks is that they are used for gaming, something titillating to the mainstream media.
"It's another network break-in, it happens all of the time," he said. "This stuff happens a lot."
For every incident like the infamous Heartland Payment data breach in 2008, which impact millions, there are dozens of smaller breaches, some under reported or not reported at all. The issue is so prevalent that Congress is currently holding hearings on the threat of data theft.
When asked if Sony's network was secure, or if there was some misstep on the part of the company in keeping their customer's personal and credit card information protected, Schneier was dismissive.
"What does that even mean?" he asked. "Is there such a thing as a secure house?"
No networks, Schneier added, are really secure and people have to come to grips with that.
The fact that Sony, and not Microsoft or Nintendo, was the company breached by hackers has nothing to do with their level of security, he said.
Both Nintendo and Microsoft, for their part, both say they have secure networks.
"The security of and confidentiality of our customers' information is extremely important to us," Nintendo said in a statement to Kotaku. "That's why we have many technical, administrative and physical security measures in place to protect personal information from unauthorized access and improper use. We also review our security procedures periodically to consider appropriate technology and updated methods, and test our systems."
Microsoft's response was similar.
"The security around our Xbox LIVE service and member information is our highest priority," a spokesman said. "Other than that, we have no comment."
Schneier remains unconvinced:
"Everyone is probably equally sucky," he said of network security in general. "Some may be better than others.
"Unfortunately, the moral here is that you give your information to a third-party, blindly trusting them, a bank, a credit card company, a phone company, Amazon, J. Crew, or Sony. You are blinding trusting that they will use the information wisely and secure it. And you have no say how they do that and you have no recourse if they fuck up."
But, the famously cynical Schneier adds, "Even with all of that, most people are really safe all of the time."
"You're doing OK, I'm doing OK. I buy stuff online all of the time. I bank online. And what other option is there?"