For my first post on the blog, I thought I'd post about something that's gotten a lot of coverage in the press over the last week or two. In this case, the perceived security issues affecting both Apple and Sony. What's interesting is that the two incidents started opposite ends of the spectrum, then wound up at opposite ends again (although reversed) as more information became available.
The first issue relates to Apple and what has become known in tech circles as “Locationgate”. Basically, researchers discovered that iPhones running iOS 4.x had a file that stored location information. When this information was backed up to a computer, it was left unprotected. Some other enthusiasts then created a program that allows you to decode the location information and display it over a Google Maps layout. (They did intentionally skew the accuracy a bit). Upon the initial report, a lot of people were up in arms, but as more information was put forth, the anger began to subside.
First of all, when you turn on your iOS device for the first time, you are explicitly asked if you want to share location data with Apple. If you click yes, then you had consented to this practice. There is also language in the EULA outlining this, but most people never read more than the first and last paragraphs. Also, the data in the location file was based off the Assisted GPS (utilizing cell towers and wifi hotspot info), not the regular GPS service. This means that at best, it would provide an approximation of your location. To give you an idea of the vague nature of this data as I’m writing this post, the location data could show me at my house, the hospital, the university, or even the police station depending on which direction the data skews due to using aGPS instead of regular GPS. Finally, a lot of people have signed up for the “Find My iPhone” service through Apple’s Mobile.me website. So there should at least be some vague understanding that this data is being traced.
To Apple’s credit, they addressed these concerns in a FAQ they posted on their website last week. They admitted that they should have provided more clear and concise information about the location caching, and that the file was actually caching more data than intended. They promised to address this in a future update of the iOS software, which was released last night. I strongly urge anyone using iOS devices to upgrade to iOS 4.3.3 as soon as possible. So at this point, the issue has largely been resolved, and the majority of users have returned to their normal day-to-day affairs.
On the other hand, Sony’s issues relating to the Playstation Network (PSN) started out as simple downtime, but have grown progressively worse and worse. At first, users were just miffed because they couldn’t play Modern Warfare 2 or some other multiplayer game on their Playstation 3s. As time went on, Sony then notified its user base that the service was being rebuilt from scratch, and that there had been some sort of intrusion into the system. Then it started getting worse. Sony sent out an email to all PSN users notifying them that their usernames, email addresses, password and (possibly) credit card information may have been obtained by these hackers. But it gets worse from there.
This past Sunday (May 1), Sony officials had a big press conference in Japan to address these issues, complete with the deep bowing that is a customary sign of apology in the Japanese culture. The officials stated that they were working to restore services as quickly as possible, and that they would work to compensate its users in some fashion. Fast forward to Monday, when it was revealed that not only had the Playstation Network and Qriocity been hacked, but Sony Online Entertainment (SOE) as well. This means that anyone playing its online games (including Everquest and Everquest 2) on the PC side of things were affected as well. At this point, stories began to circulate that some of these hackers tried to sell back a list of 2.5 million credit card numbers they lifted from Sony’s servers. Sony executives were called before the US House of Representatives on May 4 to answer some serious questions pertaining to this breach. Sony did not personally attend the hearing, instead submitting a written response to the questions. In the press release Sony put out about this issue, they summarized what they told the Congressional committee about the intrusion.
Just today (May 5), it was revealed that the servers that Sony was using to run PAN/Qriocity/SOE were not only running outdated server software, but lacked even a basic firewall to prevent intrusion on their systems. Dr. Gene Spafford of Purdue testified before the House Subcommittee on Commerce, Manufacturing, and Trade that independent security experts had been monitoring Sony’s systems and reporting security threats to Sony in an open forum available to all Sony employees. These expert reported these major security issues to Sony about three months BEFORE their systems were hacked. This means that Sony knew full and well that they had a security concern on their hands, but did nothing about it until it was too late. It’s literally as if Sony’s engineers decided that the system worked fine, so there was no need to make changes.
There’s a difference between making an oversight that leads to a security vulnerability (such as we’ve often seen with Windows and to a lesser extent OS X) over the years, and just choosing to ignore a known issue. The former could be considered careless, the latter outright ignorant, even dangerous. For a company that was under hot water once before for installing rootkits on customer’s computers with any notification if they inserted music CDs into their machines, this is just another example of Sony placing an emphasis on profit over security.
Links to more information are below:
Apple FAQ on the Location caching issue: http://bit.ly/fvsEiM
Sony response to US House: http://bit.ly/iYdrY7
Sony using insecure servers for PSN: http://bit.ly/mBaXJr