Slashdot Mirror


PlayStation Network Hack Will Cost Sony $170M

alphadogg writes "Sony expects the PlayStation Network hack will cost it $170 million this financial year, it said Monday. Unknown hackers hit the network gaming service for PlayStation 3 consoles in April, penetrating the system and stealing personal information from the roughly 77 million accounts on the PlayStation Network and sister Qriocity service. A second attack was directed at the Sony Online Entertainment network used for PC gaming. Sony responded to the attacks by taking the systems offline." Does the $170 million figure include compensation for PSN subscribers who suffered from the outage?

35 of 189 comments

  1. Yeah, but they can make it up in volume by elrous0 · · Score: 4, Funny

    All they need to do is add a bunch more PSN subscribers, and they can make it up in monthly subscription fees.

    Problem solved. You're welcome, Sony.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Yeah, but they can make it up in volume by matt_gaia · · Score: 2

      If by adding subscribers, you mean PSN+ subscribers, then yes, they can recoup some money that way.

      If you mean regular, old PSN subscribers, then, well.... *facepalm*

    2. Re:Yeah, but they can make it up in volume by mlts · · Score: 5, Insightful

      I doubt it. Come September, things will be exactly business as usual with the PSN breach completely forgotten about by then.

      I also doubt Sony lost much money. They might have lost a little bit handing out subscription time to compensate, as well as hiring some consultants to maybe add an IDS/IPS system in some places. However, realistically, their losses from the PSN breach are negligible, probably less than it costs to do a promotion of a new game.

      Call me cynical, but a lot of firms know that they can skimp on security because it doesn't make them money. If they get breached, they make a token effort to "clean it up", and business goes on. It is going to take governments stepping in, and having nasty criminal/civil consequences happen to companies who go lax on internal security for this to ever change.

    3. Re:Yeah, but they can make it up in volume by ThatCanadianGuy · · Score: 2

      I just saw a report on the news, Financial experts predict a 3.2 billion dollar loss for Sony this financial year. They blame it on the earthquakes, tsunamis and the hack. I don't think we'll see the PSP2 this year....

  2. Define "suffered from the outage" by Whatanut · · Score: 4, Insightful

    Let's be honest. This is an outage of an entertainment network. I don't think anyone can really claim they suffered due to it not being available. If anything they may have gained by the fact that they did something else.

    Now, if you want to argue that people are suffering due to the information loss, I'll go with that one. But not from the outage itself.

    --

    yvan eht nioj
    1. Re:Define "suffered from the outage" by Blackwulf · · Score: 4, Insightful

      I imagine publishers that make their living selling downloadable games on PSN suffered from this outage in a highly economic way.

    2. Re:Define "suffered from the outage" by Yetihehe · · Score: 2

      Yeah. As soon as PSN got down, bin Laden was shot down too. Maybe those soldiers searching for him just played too much playstation?

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    3. Re:Define "suffered from the outage" by Svartalf · · Score: 3, Informative

      It's NOT the "Not Available" part that's the problem here... It's the leakage of info that's the real issue. 77 million. At least part of them with credit cards, some of those in the clear in violation of PCI security standards.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  3. Compensation is Peanuts by Sonny+Yatsen · · Score: 4, Insightful

    Look, the compensation that Sony is giving out in the aftermath of the PSN attack is peanuts. It doesn't cost them a hell of a whole lot to set up. The free two games? Sony already has deals set up with developers to provide "free" games to PSN plus subscribers, the additional cost of a few extra free games to all subscribers (who might not even take advantage of it, since most of these games are ancient and they probably already have it) is marginal, at best. The one month of free PSN+ for subscribers doesn't cost much, either, since it's only a small minority with PSN+ accounts. I'd doubt that the compensation would cost them much more than a few million dollars at best.

    --
    My postings are informational and do not constitute legal advice. Act on it at your risk.
    1. Re:Compensation is Peanuts by countertrolling · · Score: 5, Funny

      Peanuts are expensive. There'll be probably three to the package, like what the airlines serve.. to save weight, of course

      --
      For justice, we must go to Don Corleone
    2. Re:Compensation is Peanuts by wjousts · · Score: 2

      I'd also say they might be hoping that a few people will decide to continue their PSN+ subscription after they get a free month, so actually Sony might come out ahead on that one. Same goes for the credit monitoring, they probably got a cut rate deal with the credit monitoring company in exchange for Sony basically giving that company your personal information (so they can spam you or else sell on your info) and with the expectation that some people will continue to want monitoring after the first year (at their own cost).

  4. So what? by Osgeld · · Score: 3

    How much is this going to cost the people whose credit information was stolen? Fuck Sony, I don't care how much it will cost them!

  5. Was it worth it? by ArcRiley · · Score: 4, Interesting

    The real question is whether it would have cost them $170 million to leave the OtherOS feature alone. Let's not forget Sony started the fight with the community by removing a feature originally provided on the hardware that was used heavily by researchers and programmers at home. Then the community found a way to root the PS3, then they patched it, then the root keys were found, then they started blocking rooted consoles from the network, then the network was taken down for everyone.

    The community is big, Sony is small, and there are enough fringe elements in the community to make us dangerous as a whole. Hopefully they've learned their lesson and begin behaving in a more cooperative manner with the community, but I have a feeling they're just going to raise the stakes even further.

    1. Re:Was it worth it? by tepples · · Score: 2, Insightful

      The community is big, Sony is small

      Then why doesn't the community organize to buy 51% of SNE, or at least enough stock to get someone on the board?

    2. Re:Was it worth it? by Duradin · · Score: 2, Informative

      "Let's not forget Sony started the fight with the community"

      Hmm, I thought the community started the fight by using OtherOS to hack the PS3's security.

    3. Re:Was it worth it? by Anonymous Coward · · Score: 3, Insightful

      I thought Sony started the fight when they tried to secure for themselves hardware that they did not own.

    4. Re:Was it worth it? by ALeavitt · · Score: 4, Insightful

      They obviously had someone on board, or OtherOS never would have been available in the first place. Because they had someone on board, they purchased PS3s. Then somebody else made the decision to retroactively remove functionality from the devices that they purchased, and they felt rightly outraged. It shouldn't be necessary to be a stockholder to expect that the consumer devices that you purchase won't be remotely disabled without any recourse in what essentially amounts to a bait-and-switch.

      --
      This sig has been stolen. Return it to its original user for a reward.
    5. Re:Was it worth it? by mlts · · Score: 3, Insightful

      I think their next step is going to be wringing their hands in front of Congress asking for tougher laws against "hackers". Laws demanding hardware DRM stacks, ACTA, Son-of-ACTA, and other stuff (which have little to do with hacking, but a lot to do with basic free speech.) I'm sure they will be labelling the people who "jailbroke" the PS3 as the same people who stole their credit card data.

    6. Re:Was it worth it? by gman003 · · Score: 2

      Because we're rebels, and we don't do things that way. That's the way the man would do it.

      Do you want to be the man? I didn't think so.

  6. Re:And for Developers/Publishers? by countertrolling · · Score: 2

    And how do you propose they recoup the lost confidence from their developers and publishers?

    Another Spiderman movie, and game. It's about the money, screw the 'hearts and minds' BS, and it's Sony, so if you're going to tell me that they are separate companies, put a cork in it :-)

    --
    For justice, we must go to Don Corleone
  7. Compensation right... by Drethon · · Score: 2

    I got an e-mail about a free month and a half or something like that on all games I previously held an account on... They going to bring the MxO server back up for a month and a half?

  8. Seems "light" by Archangel+Michael · · Score: 3, Insightful

    The estimate seems a tad "light". That might be direct costs (compensation, credit monitoring, lost revenue during outage etc), things that can be measured directly. However I'm sure that there is a huge hidden cost that is not being included. I can't imagine it being anything less than half a billion in related losses. People think security is expensive. Lack of security is even more expensive.

    Sony is no longer the paragon of technology they once were in the days of the Walkman.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  9. This begs the question... by chemicaldave · · Score: 2

    What would have been the cost to upgrade their system to prevent this in the first place?

    Yes, I know some things you cannot predict, but supposing they knew about each vulnerability. How much would it have cost? $170M is a lot of money, but I know that infrastructure changes in big entities can cost a lot of money.

  10. Not that much... by chemicaldave · · Score: 2

    ... considering their estimated FY2011 $3.1B loss due to natural disasters.

  11. Won't cost Sony a dime by Fujisawa+Sensei · · Score: 4, Insightful

    The hack won't actually cost them a dime.

    The compensation will be in the form of a PSN+ subscription. But you will still have to cough up a credit card or something. Then it will be the user's responsibility to unsubscribe when the free subscription is up. Most of the Sony lemmings won't notice until the CC bill arrives, then they will already be in the second month of service and have to pay for that too.

    So Sony is still going to make money from the deal.

    --
    If someone is passing you on the right, you are an asshole for driving in the wrong lane.
  12. When trying to talk to the GPU by tepples · · Score: 4, Insightful

    No, Sony started the fight by making half the system's RAM off-limits to homebrew. The Other OS hypervisor didn't provide any sort of 3D or 2D acceleration or even a well-defined method to use otherwise unused VRAM as a RAM disk. As I understand it, the only way Geohot and others tried to "hack the PS3's security" before this whole incident was just to try to do basic things with the GPU.

    1. Re:When trying to talk to the GPU by asdfghjklqwertyuiop · · Score: 3, Insightful

      I know. How generous and thoughtful of Sony to do something like accept that people should be able to use their own personal private property however they like. They should be nominated for a nobel prize. All those criminals who would do something so heinous as to write their own code should be thrown in jail immediately.

    2. Re:When trying to talk to the GPU by wierd_w · · Score: 4, Informative

      Wait-- What!?

      The PS3 has had a long standing, and almost glacially low, level of dedicated hacker interest compared to other contemporary systems which were targeted almost immediately after launch. Fail0verflow themselves even pointed out this timeline in their presentation.
      http://www.youtube.com/watch?v=4loZGYqaZ7Ii

      Throwing the bone to the homebrew community, however sparse on meat, was one of the biggest, if not *THE* biggest things (Given the very very sorry PKI implementation discovered years later...) Sony did to help ensure profitability of their system in the face of piracy, since it removed the MOTIVE to hack the console! Why fix what isn't broken? If the console lets you run your own code already, why dig deeper?

      The hackers like Geohot who were fuzzing the hypervisor were doing so to get a little more meat on that bone-- Not to raid the table, like you are implying. It wasn't until AFTER Sony took that bone away that the angry pitchfork carrying hackers teamed up to oust the baron from his lofty castle.

      By taking the bone away totally, they created HUGE incentive to hack the system, along with deeply seated enmity. That enmity was kindled once before by the Sony rootkit debacle, and once restoked, seems to have been one of the major motivational forces behind the seemingly systematic attacks against Sony's infrastructure.

      To do this right next time, to avoid further hacker enmity, and to prevent piracy on their next console (this one is irreversibly compromised), Sony needs to do the following:

      1) Re-enable OtherOS like functionality, with access to the GPU. Access does not == white papers, so a sufficiently advanced custom GPU would take a lot of effort to map out functionality by the community, and would be an activity many would consider *fun*. While they are mapping out what the hardware can do, they are NOT trying to make copied games run. Without a whitepaper to work from, it would be very hard to compete with licensed commercial games. Your average NES emulator or Tetris clone would be about what you would expect to come out. Hardly a competitor for the latest Gears of War, or Red Faction type games.

      2) Implement a correct and proper PKI. Give otherOS application code a unique public key to enable execution. Bonus if it uses a totally different private key too.

      3) Stop retroactively removing features from consoles. It does not matter how unprofitable that functionality is-- DON'T TOUCH IT!

      4) Treat users with some dignity, stop warehousing their personal information, and store what information they DO collect on a server that isn't pitifully protected.

      But no. You have already made up your mind that Geohot is Teh Badz, that hackers hacked the PS3 exclusively to cheat on online ladder play, and that Sony is the victim of these dreadful offenses.

      No amount of factual reporting will change your mind either.

      Please, correct me if I am mistaken in this evaluation, but your tone kept consistently on target with that viewpoint.

  13. High cost a good thing in the end by softWare3ngineer · · Score: 2

    I think the high cost is a good thing. It creates a strong business case for security. Companies will only take information security seriously when 1. there is a very real cost associated 2. the cost of strong information security is less than the costs of losing information. Earned value to the rescue! [Probability of getting hacked] * [cost of hack (170 million)] [cost of infoSec department]

    1. Re:High cost a good thing in the end by Opportunist · · Score: 2

      You may rest assured that this calculation was already done, and the probability was deemed "near zero". Why? Because it's easier to put some idiot on the CSO hotseat than to hire someone who knows what he's doing, pay him accordingly and also hand him a budget high enough that he doesn't quit on the spot again when he notices that he's just hired as the idiot to keep the "guy to fire when shit hits fan" seat from walking away on its own.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Re:And for Developers/Publishers? by kimvette · · Score: 5, Insightful

    And how do you propose they recoup the lost confidence from their developers and publishers?

    Stop being so evil, for starters.

    Sony's motto as of late seems to be: "Do as much evil as possible."

    And now they are reaping what they have sown. I don't agree with the script kiddies' actions against Sony (I'm partial to destroying them economically through large-scale boycott) but Sony did have it coming to them. Taking away the OtherOS option (which is fraud; a bait-and-switch move by removing one of the key selling points) and then suing a customer who decided to take the functionality back was probably just the final straw. After installing rootkits (infringing on GPL'd code copyrights in the process) to customers' systems (a felonious act; accessing computer systems without authorization), falsely advertising product, building shoddy product and having some of the worst customer service in existence, are they actually surprised they are the target of script kiddies everywhere?

    They invited it through their actions.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  15. Re:And for Developers/Publishers? by CronoCloud · · Score: 2

    Taking away the OtherOS option (which is fraud; a bait-and-switch move by removing one of the key selling points)

    OtherOS was never a selling point to the vast majority of PS3 owners who probably never knew you could install Linux on the thing. I say that as someone who DID at one time have YDL on my PS3.

    And as we all know, you can still have OtherOS if you want, you just won't be able to access PSN. It's your choice either way.

    I'd also wager that most of the people who complain about the removal of OtherOS, never actually used that functionality, or perhaps never even owned a PS3 in the first place.

  16. Re:And for Developers/Publishers? by TheReaperD · · Score: 2, Insightful

    OtherOS was never a selling point to the vast majority of PS3 owners who probably never knew you could install Linux on the thing.

    With the exception of programmers and high-end hackers... Which just happens to be the people Sony pissed off. The script kiddies just joined in for the fun after the fire fight started. This is very much a Sony created problem.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
  17. Re:And for Developers/Publishers? by thsths · · Score: 2, Insightful

    > And as we all know, you can still have OtherOS if you want, you just won't be able to access PSN. It's your choice either way.

    I'll cut off one of your arms, and you tell me which one. It is your choice, and therefore your fault if you lose the right arm (or the left).

    Even the strongest Sony fanboy should see the flaw in the argument.

  18. Re:Cost of lost business by tophermeyer · · Score: 2

    It was a little inconvenient during the outage. Even though "it still worked" you had to let it fail on a couple of logins first. And for me on some nights it just didn't work at all. During the outage I wound up using an Xbox for Netflix streaming. I didn't want to have to futz with it every time I started it up.

    I'm back to using the PS3 now of course. But I too am concerned about the network's security and how much I can count on future service availability.