The Lawbringer: The system is down

For PlayStation Network users, this past week has been a harrowing one. The security breach and subsequent dismantling of the online network was a huge blow to Sony, which prided itself on being able to provide the service free of charge and expand into sales, downloads, and everything else synonymous with a next-gen online network. This past week's events, however, prove that these networks are fragile and have everyone asking the question, "What is next?"
What would happen if World of Warcraft were down for a week -- not due to some prescribed downtime or voluntary upgrades, mind you, but a comprehensive security breach that affected every single member of our online community? From the PlayStation Network incident, we can see the hostile environment that these security breaches foster, from political ramifications to financial consequences and even legal trouble. Shall we muse about the stability of online networks?
The times we are forced not to play
Downtime happens for any network, right? It's part of the maintenance of said network or the general chaos of things, manifested by a failure that pulls down the network. Amazon's EC2 web hosting service had a rough time last week, running popular internet destinations like Reddit and Foursquare off the web for a limited time. Even on Amazon's cloud computing system, 100% uptime network availability was still at risk.
World of Warcraft's server architecture has downtime every week when the game is taken down for maintenance, repair, and diagnostic work. In fact, this type of downtime has been a staple of the MMO genre for a good, long while. It comes with the territory; historically, MMOs have a vastly larger number of people connecting to their servers. As we move into an age when every game has some type of online component or matchmaking, the landscape begins to change.
Back when World of Warcraft first launched at retail, the servers were utterly destroyed. We picked Frostwolf as our first server based on some very random and obscure selection process that I don't even remember fully to this day. Alignment of the planets, letters in the alphabet -- you name it, it was part of the server selection process. I think we even had an augur in my house.
Our selection would prove unwise, as Frostwolf was one of those servers plagued with troubles. Blizzard's benefit is that everyone connecting to WoW is doing it for the same reason -- to play WoW. When Frostwolf and other servers hit the proverbial pavement and the game was fairly unplayable for many, Blizzard easily and swiftly credited players with extra game time to make up for the problems. If WoW went off for a week for any reason, Blizzard could "make us right," as it were, by giving us that week for free.
The problem with PSN is that not everyone is logging on to do the same thing, play the same games, or purchase the same digital goods. The number of remedies is endless. Of course, WoW's numbers are not PSN numbers, but the principle is the same; the nature of the remedy, however, is different. Blizzard can give people the one commodity that it provides -- game time. What will PSN do for its users, customers, MMO subscribers, and more?

The data breach on Sony's end is bad. Real bad. We don't really know to what extent, but it's up there. It was reported that the first class action lawsuit has been brought against Sony because of the data loss and breach, with the potential for more in the future. Filed in California, the class action suit alleges that all 77 million PSN customers were harmed after Sony failed to secure their data and financial information.
Lawsuits are the end of the line when you're looking to be compensated for your loss -- rather, I should say that winning a lawsuit is the end of the line in remedy-seeking. Filing the suit gets you on the radar and forces the other party to take notice and defend. Sony is on notice.
How catastrophic would the data breach have to be to bring Blizzard into the sights of a class action suit? Blizzard has already been the target of the community's ire over the Real ID fiasco in 2010, and back in 1998, Blizzard was the target of a class action aimed at pre-Warden snooping on StarCraft to keep cheaters off of Battle.net. Because of the limited number and nature of the services that Blizzard provides, a class action would never become as large in scope as the fight against the PlayStation Network will be in the coming months. Our data, however, must be protected.
Getting political
Politics and games are always strange bedfellows, mostly because the generational gaps and divides between gamers and politicians have been present for many years. That is changing, however. Younger politicians entering office have spent their childhoods playing video games, and it's starting to show.
Senator Richard Blumenthal of Connecticut issued a letter to Sony discussing the information breach and lambasting them for not being more open with communication relating to the attacks on the network. Just the fact that a U.S. senator even understands the gravity of a data breach this size from what would have years ago been dismissed as "one of those game things" is remarkable to me. These are customers and patrons of a service who deserve the same protection and respect as consumers of any other type of service.
There are WoW players in government -- a good number, in fact. It makes me a happy player to know that there are people in my government who understand the serious nature of data on the internet and the security that is an imperative part of the equation. Hopefully, Blizzard will never have to receive a similar letter from a senator, but to be honest, I'd rather have a letter from a senator who understands the nature of the problem than "get your internet tubes fixed, Warcrafts Worlds or whatever."

Our networks are fragile and will be fragile as long as people know how to disrupt them. We still don't know who is responsible for the Sony data breach. What we can learn from all of this, however, is that personal data and financial information, while usually just tossed around from site to site without a care, can still be a hot-button issue. You hand your credit card to a waiter at a restaurant all the time, right?
Surprisingly, I don't think World of Warcraft's biggest problem with hackers is data integrity. I don't have the data to back it up, of course, but I would suspect more people making money off of WoW are doing so because the service actually runs, as opposed to trying to bring it down or compromise users. However, the one big caveat to that is the credit card fraud that is perpetrated by gold and item sellers. The X-53 rocket, for instance, is usually sold to players using stolen credit cards to pay for game time.
In the wake of the PSN debacle, just be safe. Keep your financial information secure, and use only sites you trust. Hopefully, Sony can make good on its troubles, especially for those MMO players out there without access to their games and the financial information now compromised. As for Blizzard, I think the lesson it takes away from the events of last week is to be up front immediately with the information of a breach or information leak. Fast, open response is key.
Reader Comments (Page 1 of 1)
Dysthymia Apr 29th 2011 3:56PM
http://www.youtube.com/watch?v=LJvM3m2hVzo
Jed Apr 29th 2011 3:56PM
They've already said that credit card data was encrypted and was not stolen anyway.. Personal information was though.. sadly taken.. that being said.. I already get spam from other sources. I already get telemarketing phone calls. So I'm not too worried about what's going to happen because realistically nothing will come from this except people who were cut off from the psn being all pissy and filing lawsuits because they might get an easy pay off.
lancrkllr Apr 29th 2011 4:45PM
I know that a lot of people are concerned regarding their credit card information. I believe additional transparency on Sony's part, or at least getting all their information out at once (and correctly) would have helped in this situation.
Sony initially stated that the reason that there was no problem regarding the leak of credit card information was due to the fact that hackers would not be able to get all of the credit card information (specifically the security code on the back of the card as they stated they never asked for it). This statement was changed to "we asked for it, but never stored it" following users posting screen shots of the PSN signup page that indeed asked for your card security code.
I think the main problem is the fact that the information regarding the PSN network going down has been sporadic and the information we've been receiving from Sony has been changing almost daily.
I understand that even if all hell broke loose, from a PR perspective, many companies would rather attempt to downplay the severity of the situation, however, in a situation in which sensitive information may, or may not have been leaked, I feel that it is necessary to be clear and concise with your user base in order to reduce the amount of fear. I mean, a decent portion of people who play games on consoles are either too young to own a credit card (so it's their parents who are now freaking out), or may not know much about computer networking, and are currently assuming the worst.
Overall, I think that it's a 2 way street:
We are willing to give you our information (including potentially sensitive information), and in return we expect that any information you store from us will be secure (specifically sensitive information).
ps. Hey Sony... in the future do what every other company does when they are dealing with hackers... hire them for R and D.
DarkWalker Apr 29th 2011 5:23PM
Encrypted credit card data is not as safe as most might think. It's data so valuable for crackers, spending big sums on computational power to break the encryption might be worth it - if the crackers even need to do it, though; if they made off with many million people worth of personal information, what guarantee do we have that they didn't make off with the executables that decrypt said credit card data, and are as of now happily reverse engineering it?
And the personal information itself is quite valuable. It should be enough to allow whoever took the data to unwillingly register users to a whole lot of services, create legitimate-looking mail accounts to use for spam (spam that will be credited to the hapless PSN user whose data was used), etc; imagine you trying to sign up for a Battle.net account and having trouble because your data was sold to a gold farmer who used it to make a few WoW botting accounts. Worse yet, imagine if the information stolen, complemented by a couple Google searches, is enough to apply for a loan.
Eirik Apr 29th 2011 8:14PM
If you use a credit card to pay for Warcraft (or PlayStation), you likely also use it elsewhere. If one of those other sites has also been breached, and your credit card number and name are known (and repeat this step any number of times), that provides a good start at cracking the encryption key.
> What would happen if World of Warcraft were down [due to] a comprehensive security breach...?
I would inform my bank pronto, and take immediate steps to get my credit card changed. And that's regardless of how I use the card otherwise. It's attached to my account, it's compromised, it goes.
NinjaClarinet Apr 29th 2011 3:56PM
"Use sites you trust" doesn't really seem to apply anymore, not if big names like Sony and Amazon are having...issues. Granted, you shouldn't use a site you don't trust anyway.
Notsuoh Apr 29th 2011 4:06PM
Great article, sir! It will be an interesting topic to keep tabs on in the coming weeks for sure.
"There are WoW players in government -- a good number, in fact."
Wouldn't it be funny if a politician running for a major office used this in their campaign to gather votes from gamers? I'd like to see democrats and republicans squared off under horde and alliance flags.
DarkWalker Apr 29th 2011 5:23PM
I think this should be seen as a warning shot by players that think Blizzard's security can't ever be compromised. PS3 users certainly thought the same about the PSN.
No computational system is perfectly secure, simple as that, and if the stored data is valuable enough - such as the millions of personal player data from the PSN, or, for what matters, from Battle.net - crackers might be willing to spend a staggering amount of effort to get into the system and steal it.
lancrkllr Apr 29th 2011 5:45PM
I agree that any network that's not "closed" is hackable.
However, the network design for the PSN was/is atrocious. Client side security checks that could be bypassed, unencrypted personal data, etc.
Imo, Sony picked a fight with hackers its network could not withstand.
Once again... there's a reason why most software / network hardware companies hire hackers rather than go after them in court.
DarkWalker Apr 30th 2011 10:22AM
@lancrkllr
Well, last time I looked, WoW's passwords were not even case sensitive. As for the rest, including encryption of personal data, unless Blizzard offers some insights on their internal structure and procedures, we can't say if they are any better.
The one thing Blizzard actually has for them is the usage of Authenticators for player login (which makes a user login/password pair almost useless). Apart from that, there is no sign their security procedures are any better.
lancrkllr Apr 30th 2011 1:25PM
The thing that really pissed me off about the Sony network infrastructure is that the security checks are handled client side.
One of my professors demonstrated how client side security checks allow 3rd party programs to simply bypass the security check (he wrote the 3rd party software (simple console program) in front of us in about 20 mins on the overhead projector). This was in response to the initial jailbreaking of the PS3 by geohotz.
*This demonstration was on retrieving single user data w/o the username and password.
Essentially, all that is necessary is that the 3rd party bypass is placed to prevent the security routine from being run... all it does is report back a positive result on the check, and then you can essentially request whatever you want from the server.
The fact that Blizzard runs server side security, rather than simply relying on client side security makes it almost 100% better imo. As Jabouty said... never trust the client.
Even XBL runs server side checks for security. I understand that Sony's initial design plan was to assume no one would ever jailbreak the PS3 to display their design flaw, however... someone did.
Starsmore Apr 29th 2011 6:56PM
Class action lawsuits are BS, along with these politicians (in the US and abroad) going on about how they are gonna "investigate" Sony for this.
The class action has absolutely nothing to do with putting Sony "on notice" for this horrible breach (that'd be like suing your building management when a thief blows a hole in the wall of your offices and steals your shit). It's one dumbass customer with 40 "scented blood in the water" lawyers to back him up.
Even if they win, the lawyers will walk away with 50% - 75% of what Sony has to pay out, and the actual customers will get a coupon for $5 off their next PSN purchase of $100 or more.
And the politicians? Pfft. My best bet is that this Blumenthal fellow either a) was a PSN member whose info got out there, or 2) his kid is a PSN member whose info got out there. It's a convenient target for a lazy politician to stand up and shake his fist about, to look like he's doing something for his constituents. As opposed to, y'know, balancing a budget, getting the US out of 2 (3? 5?) useless wars, solving the health care problem, or a dozen real issues.
Yeah, Sony getting hacked is a big issue, but it's really a non-issue. Your info is out there already. No credit card info was lost, just personal information. And if you think your name wasn't already on a mailing list, I've got a bridge in New York City to sell you.
Tyrrax Apr 29th 2011 7:19PM
The system is down yo!
http://www.homestarrunner.com/systemisdown.html
Eirik Apr 29th 2011 8:22PM
Unsubstantiated rumor: Sony had Red Hat servers that were some 5 years behind on patches, and that the compromise was in the Apache server software they used.
I can't find corroboration on this, but a friend who is reasonably well informed on Linux issues told me this.
It does raise the question: If you sue some company on data exposure issues, would you be willing to settle in exchange for a) your reasonable costs to protect your data (change cards, etc), b) legal fees to date (presuming you attempted to negotiate before the suit), and c) some reasonable assurance that they would keep their servers patched henceforth? If you were a business, would you reject such terms?
Jabouty Apr 30th 2011 8:30AM
As a hardware modder myself I can honestly tell you a few things here:
1) Sony believes that they own the hardware, not the end consumer that purchased it. Therefore they incredibly "Trust" their clients in the client-to-server exchanges. Lesson one: never trust the client machine!!!
2) Sony transmits the user information from the client (since it's a "trusted source") in plain text, not encrypted. Including CC #s. Lesson two: Encrypt everything client side and send; encrypt again on server with a second algorithm after receipt and decrypt.
Anyone with half a brain when it comes to security of data will tell you the #1 thing here is "Never trust the client". Yet since Sony feels they own the hardware, they didn't follow that advice which is what most likely led to the compromise.
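The "never trust the client" point raised in the comments above, as an added example that is not part of any commenter's post and is not Sony's or Blizzard's code: a handler that accepts the client's report of its own check, next to one that only honours a token the server issued itself. All names (`handle_trusting`, `handle_verifying`, `issue_token`, the `client_check_passed` field) and the account record are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # never leaves the server
# Constructed sample record, not real data.
ACCOUNTS = {"alice": {"email": "alice@example.invalid"}}


def _tag(user: str, expires: int) -> str:
    """HMAC over the fields the server vouches for."""
    msg = f"{user}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, ttl: int = 900, now=None) -> str:
    """Issued by the server only after it has verified the password itself."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{user}|{expires}|{_tag(user, expires)}"


def handle_trusting(request: dict):
    """Weak design: the server accepts the client's report of its own check."""
    if request.get("client_check_passed"):
        return ACCOUNTS.get(request.get("user"))
    return None


def handle_verifying(request: dict, now=None):
    """Hardened design: client claims are ignored; only a valid token counts."""
    parts = str(request.get("token", "")).rsplit("|", 2)
    if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
        return None                      # malformed or missing token
    user, expires, tag = parts[0], int(parts[1]), parts[2]
    # Constant-time comparison, done on bytes so non-ASCII input is handled.
    if not hmac.compare_digest(tag.encode(), _tag(user, expires).encode()):
        return None                      # tag was not produced with SERVER_KEY
    if expires < int(now if now is not None else time.time()):
        return None                      # expired token
    if user != request.get("user"):
        return None                      # token for one account, request for another
    return ACCOUNTS.get(user)
```

A request that merely sets `client_check_passed` gets the record from the first handler and nothing from the second, because the second never reads that field.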
steluta986 May 25th 2011 3:25PM
It would be funny if politicians played World of Warcraft all day long and didn't do their main work, and to see them after 12-14 hours of continuous playing :) they would look like they were drugged :) But in Romania there is little chance of this happening, because they are old and have nothing in common with PCs.