Coin-OpEd: The great PSN PR debacle
Sony's security breach has been an unmitigated disaster for all involved. Why, then, is the publisher working so hard to deflect the blame?
We'll begin emailing you updates about %gameName%.
Here's a secret I've been harboring that may give some of you cause for concern: I read your comments on my stories. Now, I say that not to make any of you out there self-conscious or to give you cause to repress some urge to engage in the conversation, profanely or otherwise. Actually, I fully endorse the expression of first thought in that Ginsbergian way.
And over the course of the past couple of weeks, you all have certainly had a lot to say on this whole PlayStation Network quagmire. Should I provide a recap of what's been going on over at Sony? Will a link work? I think a link will work. Here. It occurs to me that we've written more than 30 stories on the issue in half as many days. Perhaps a single link won't work. Dammit, here's a few more.
Our quaint reporting on the matter notwithstanding, GameSpot user comments number in the tens of thousands. (Rest assured, the people here who bandy about "words" like "KPI" will be sending Christmas cards to Sony this year.) The vast majority of you have been so perfectly reasonable in your discussion of the topic that I would trust you with my hypothetical children.
Of course, having been dubbed GameSpot's resident troll (apologies to Tom Mc Shea), I'm drawn to those of you whose first thoughts skew toward the obtuse and asinine. These are the ones that proclaim Sony's impending demise or the fact that Microsoft is somehow culpable. Comparisons to Armenian genocide always get a chuckle out of me, as do those who shrug off the incident since the credit card they had registered was itself stolen.
My personal favorites, of course, go something like, "i dont understand? when i press the play button it doesnt play. i have three white cables and two blue ones. do i plug in the blue ones into the white ones. january is coming."
In the world of corporate PR, however, "first thought, best thought" is not an adage that rules the day. Come along with me, and we'll match up what Sony was saying with what was actually happening.
As detailed in a letter responding to an inquiry by the US House of Representatives' Subcommittee on Commerce, Manufacturing, and Trade, Sony Network Entertainment America uttered its first WTF at or around 4:15 PDT on April 19, when its systems inexplicably rebooted.
By April 20, the PSN operator had clear evidence that its database had been compromised and that data of some kind might be in the hands of…someone. With nary a peep to the public, what I presume to be a giant red button under shatter-proof glass was pressed, causing Dave Jefferies from Illinois to briefly fear he had broken something, having just landed an epic uppercut in an online match of Mortal Kombat.
At around 9:30 a.m. PDT on April 21, Sony said in a brief statement, "While we are investigating the cause of the Network outage, we wanted to alert you that it may be a full day or two before we're able to get the service completely back up and running." At the same time, Sony was engaging with a second computer security firm to look into the issue. One or two days, huh?
Fast-forward two days, and Sony had diagnosed the problem, later telling congressmen, "Intruders had used very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside servers." The technical wunderkinds also deleted log files to cover their tracks.
That evening, around 8 p.m. PDT, Sony issued this statement:
"We sincerely regret that PlayStation Network and Qriocity services have been suspended, and we are working around the clock to bring them both back online. Our efforts to resolve this matter involve rebuilding our system to further strengthen our network infrastructure. Though this task is time consuming, we decided it was worth the time necessary to provide the system with additional security. We thank you for your patience to date and ask for a little more while we move towards completion of this project. We will continue to give you updates as they become available."
One such update? Someone tantamount to Ving Rhames from Mission Impossible has had his way with the PSN. Relevant update two? HOLY CRAP, CHANGE YOUR PASSWORDS.
April 24 was Easter Sunday, and my mom was in town. The visit did not go well, but I wouldn't concern yourselves with that. What I would concern yourselves with is the fact that Sony knew it had a "sophisticated hacker" on its hands, and a third security firm had been brought on the case to "determine the scope of the data theft." Despite this escalation, Sony took the holiday as one of rest, providing no updates on the matter.
Cadbury Egg thus devoured, Sony indicated in its letter to Congress that by Monday, all three of the security firms it had hired could definitively say that the personal information for any given PSN or Qriocity service account (of which there are 77 million, though that figure does not reflect unique users) had been compromised. Name, address (city, state, zip), country, e-mail address, birth date, PlayStation Network/Qriocity password and login, and handle/PSN online ID.
The official word? "I know you are waiting for additional information on when PlayStation Network and Qriocity services will be online," Sony said that day around 8:20 a.m. PDT. "Unfortunately, I don't have an update or time frame to share at this point in time. As we previously noted, this is a time-intensive process, and we're working to get them back online quickly. We'll keep you updated with information as it becomes available. We once again thank you for your patience."
On April 26, as Sony and its hired guns worked to ascertain whether Ving Rhames was, in fact, buying mai tais in Jamaica with your credit card, the company at long last copped to what many had begun to suspect: Everyone panic. Oh my god, panic. Here's the part of Sony's comment that day that I found particularly interesting:
"We are currently working to send a similar message…regarding a compromise of personal information as a result of an illegal intrusion on our systems. These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity, including online gaming and online access to music, movies, sports, and TV shows."
Phrases that jump out at me: "illegal intrusion," "malicious actions," "enjoy the services."
I've taken the liberty of bringing the subtext as I see it to the fore: "We're sorry that whoever did this is a jerk and, through no fault of our own, decided to personally attack each and every one of you. These actions clearly have nothing to do with anything we did. Rather, it is you all that whoever did this has it out for. Man, I'm glad we're all in this together, right?"
In fact, the deflective tone of Sony's comments has been the one area of certainty and consistency throughout this incident. For instance, in a Q&A concerning the attack posted on April 27, Sony responded to the direct question of "Was my personal data encrypted?" with:
"All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted, and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
In other words, this data is basically entrusted to guards. Said guards may wield M16s. Limb-severing lasers may be involved. Did that matter? No, no it did not. Incidentally, Dr. Gene Spafford of Purdue University, who testified before Congress' inquiry as a cyber-security expert, lambasted Sony's security efforts, claiming that the company was using outdated server software without a firewall.
"Investing in security measures affects the bottom line," he said of companies in general. "They don't understand the risks involved by not investing in security…So when they are hit, they pass that cost along to their customers and to the rest of society."
Perhaps the most egregious comment came yesterday, when Sony Corp. CEO Howard Stringer issued an apology of sorts to all PSN and Qriocity users (and let's not forget SOE's strung-out EverCrack junkies). It began with "Dear Friends" and ended with this:
"In the last few months, Sony has faced a terrible earthquake and tsunami in Japan. But now we are facing a very man-made event--a criminal attack on us--and on you--and we are working with the FBI and other law enforcement agencies around the world to apprehend those responsible."
Japan's tragedy in April has definitely killed nearly 15,000 people (with more than 10,000 still missing). More, the country faces years--decades, even--of figurative fallout from the literal nuclear reactor fallout in Fukushima. How this incident and Sony's nothing-but-downplayed data breach are related, I can't even begin to speculate. How the two are uttered in the same paragraph, I prefer not to speculate.
In a world of "first thought," people speak from a genuine or heartfelt place. What we've gotten from Sony instead is a carefully crafted message designed for maximum manipulation. Can you feel those strings being pulled?