
Sony: The Company That Kicked the Hornet's Nest - daniel02216
http://www.businessweek.com/magazine/content/11_21/b4229035889849.htm
======
daimyoyo
When Sony started their assault on GeoHot I sold everything in my house that
had a Sony logo on it. Not only have they had the info of PSN players
compromised, they are now a company with a reputation of going after hackers.
The best way to deal with people modifying your hardware is to embrace it the
way Microsoft has, or at least understand it will happen and focus on your
product the way apple does. Instead, Sony's arrogance threatens to destroy it.
The times are changing and if Sony can't accept that, maybe they should go
back to rice cookers.

~~~
mishmash
We've got a 52" Bravia, Sony 5.1 system, PS3 with 15 games or so and will
absolutely _NEVER_ knowingly give Sony another penny.

As soon as the PSN is up and I'm able to delete the PSN account (which they're
saying will only be possible from your original PS3) we're going to pawn the
PS3 and games.

I don't want Microsoft to win the living room and so won't be supporting them
either. I guess unless Wii2 has beautiful graphics we'll be an exclusive PC
gaming house.

The whole situation is disgusting. I don't get to play much but it really
pisses me off that Sony has essentially killed one of the only great
activities that I've kept from child to adulthood.

~~~
briansmith
> I don't want Microsoft to win the living room and so won't be supporting
> them either. I guess unless Wii2 has beautiful graphics we'll be an
> exclusive PC gaming house.

On which PC operating system?

~~~
mishmash
Steam on a Mac Pro.

~~~
toast76
I hope you enjoy both the games :)

~~~
mishmash
Wait there's two!?

------
bane
The real question is, for all companies that try to control access to even
single user software via online authorization systems, how wise does this look
now?

I'm still playing Atari 2600 games, decades later, because they still work.
Tying down use to a single-point-of-failure-authorization-system guarantees
that your investment in creative works has a short shelf life. But most gamers
know at least what the original Super Mario Bros theme song sounds like as
coming from an NES.

~~~
patio11
_guarantees that your investment in creative works has a short shelf life_

Talk to Thomas if you want actual numbers, but the overwhelming majority of
AAA games have fairly predictable sales curves with a peak window measured in
weeks or, in some cases, days. See also books, movies, music, etc.

Evergreen content is highly anomalous in creative industries.

~~~
Lewisham
AMA video game researcher (Computer Science). I can confirm the truth of this,
but I don't have any hard sources right now.

If a AAA title doesn't move 1 million copies in opening week, the studio is
going to be in trouble either directly financially, or with the publisher
(see: Mirror's Edge).

Everyone is fully aware of the ridiculousness of where the market is right
now.

~~~
robryan
I bet game developers hate this effect, years of development time to
effectively try and market a game into people's hands in the first couple of
weeks whether they like it or not.

Thus I much prefer the path many MMOs have taken or a game like TF2, continue
to add over time to keep a solid value proposition for years to come rather
than the 2 weeks after it comes out.

~~~
bane
I think this is sort of what I'm getting at. The Game industry is moving
rapidly to copy the Movie industry. Years of work, tens of millions of
dollars, splashy and expensive ad campaign all culminating in a couple weeks'
worth of sales and the bargain bin/used game box/forgotten 3 months later. The
vast majority of which barely break even with production costs.

Old game mags used to have a metric called "replayability". Games with poor
replayability were dinged by the gaming press as offering low-value for the
dollar to the gamer. I'm just wondering if the Movie style approach offers
similar low-value for the dollar for the game makers in terms of the amount of
money required to advertise to gamers for every AAA title that comes out the
door, only to throw all that work away next month. It's almost like the
industry is pumping out Mandalas, then sweeping them away.

Heck Mega Man (Rock Man) has had 7 or 8 games with virtually the same artwork
(the most expensive part of game production). A modern developer might look at
this and say "we'll just release a MegaMan game and every year release more
enemies with more stages, weapons and bosses that just figure into the main
release."

(I'm thinking Mega Man of course because I'm in the process of replaying
through the series again and Capcom is losing millions from the PSN nonsense).

I guess what I'm rambling about is that there has to be a better way for the
studios and the gamers to find better value in terms of longevity on both the
development costs and the purchase price of the games -- and tying the games
to a transient online auth system isn't going to do it.

~~~
robryan
One issue is perception of value. It's a lot easier to monetise a brand new
game over one which is being updated or added to.

To everyone except hardcore gamers the current release method is probably very
tiring, as in I might pick up a new game and play it for a few months at the
rate I play games. In that time so many of these big titles would have come
out.

It also means once these releases drop off best seller lists they quickly
become unloved. I've seen big bugs and game mechanics issues that just never
get fixed I guess because most of the sales have already happened.

------
stcredzero
I keep on pointing this out. Compare the two groups:

    - Sony, a big company with big company HR bureaucracy
    - The worldwide interest group re: hacking

Sony might have one or several groups within the company involved with a given
project. The population interested in hacking a popular Sony project is not
only very large, but constitutes a _frictionless global meritocracy_
interacting via the Internet.

Conclusion? When it comes to big companies vs. the hacker communities, it's
asymmetrical warfare, and _the big companies are the underdogs_. Big companies
are outnumbered and outclassed.

However, instead of behaving like the outclassed guerrillas they are, they keep
acting like they're the empire, and keep getting bloodied in losing fights.
All it takes is a few minutes of thought to realize that DRM is the _worst
possible_ tactical position they could possibly take. Companies that do this
are deluded.

But here's the real kicker: It is possible for companies to use the principles
of asymmetrical warfare and win fights. You have to pick your battles based on
sound economic principles. You have to pick your battles, such that the huge
numerical and training advantages of the adversary are moot.

I know how to do this.

EDIT: Here's a hint. Take a look at your bug tracker. Imagine that it only has
reports where the bugs are hard or impossible to reproduce. Imagine that the
consequences of the bug are separated by several weeks time from the probable
causes. Imagine that there are tens of thousands of such reports. Imagine that
the reports only constitute a small fraction of actual occurrences.

It is quite possible to put parties trying to crack your system in exactly
this position. If you make it easy to "crack" your program, and instead put
all of your effort towards clandestine detection, then there is no incentive
for people to fully crack your system, such that they can find the detection
mechanisms. Separate the consequences of detection from the actual detection
by a time span of several weeks. Use detection to protect value-add and
up-sell revenue which is inherently dependent on server-side implementation.

Use honeypots. Your "easily cracked" version 1 becomes a kind of honeypot for
detection, which protects your real revenue stream. Present a hack-y feeling
loophole that lets people acquire your value-add content for a sizable
discount from full-price.

Remember, you're fighting an asymmetrical conflict. Be sneaky. Don't even let
your opponent know she's even in a contest if you can help it. Fool them into
thinking they've "won."

~~~
chopsueyar
HBGary?

~~~
stcredzero
Savvy fighters of asymmetrical conflict don't announce their location to their
enemies. Savvy fighters are prepared ahead of time and have security in place
before they open hostilities. Savvy fighters of asymmetrical conflict
compartmentalize their assets, so losing one doesn't entail the loss of
others. Savvy fighters of asymmetrical conflict have contingency plans.

None of the above applies to HBGary.

------
ianferrel
This seems like complete speculation.

Is there any evidence that Sony's data breach is in any way related to a
hacker backlash? The closest thing the article provided was a file left on
Sony's servers referencing Anonymous. That's pretty weak.

~~~
Lewisham
Well, it will be until anyone is apprehended.

I think it is fair to say that Sony did "kick the hornet's nest." Is that what
caused them to become a target for black hats? Unlikely. Whoever did this was
likely looking for a big score, likely to try and sell the data to organized
crime, and thus an ideological attack doesn't make a lot of sense.

However, it seems very plausible that some gray hats like Anonymous started
kicking the tires of their security systems, and shared information that
indicated things were looking lax, and that's what brought the black hats in.

If you're gonna be dumb, you gotta be tough. And Sony obviously wasn't.

------
hnsmurf
The media is largely conflating two very different definitions of "hacker"
here. There's a big difference between the people who jailbreak hardware and
the people who steal credit card data. The former is arguably legal and moral,
the latter is neither.

The type of hacker that brought down PSN and stole credit card data needs no
motive other than the millions of dollars of credit fraud that will follow.
They need only opportunity.

~~~
redthrowaway
Motivation aside, there are pretty strong parallels between breaking into the
PSN, and breaking into the PS3 hypervisor. Obviously the hypervisor was a much
harder nut to crack and GeoHot is likely far more skilled than the PSN people,
but he's basically a grey hat systems cracker.

------
brisance
Actually Sony brought this upon themselves longer ago than that, starting with the
Sony-BMG rootkit. I've actively avoided buying Sony products since.

------
mrspandex
The attack on Sony was not against the company, it was against its customers.
I'm sure this will damage Sony in a huge way, but I have 0 respect for the
people who did this.

~~~
chrischen
I'm sure it was against the company too, but I agree the people who actually
did the break-in are not getting enough flak.

------
m0dE
I just finished watching Sony's PSN Relaunch Announcement. It kept on making
me think: Why not just hire Geohotz?

Let's just say Geohotz accepts the offer and works in PSN. I think the general
public will be convinced that PSN is now secured by the top elite hacker in
the world who pointed out Sony's security flaws. Furthermore, Sony will appeal
to consumers that they're humbly admitting their mistake and are dedicated to
improving their security.

Yes, I know the root key and identity theft are completely different. Also,
whether Geohotz actually does anything to Sony is irrelevant.

I'm strictly talking within PR scope.

~~~
blhack
Do you think he'd accept? Would you?

~~~
9999
Do you honestly think they would ask him? Why would they? Is he an expert on
server side security even? The security vulnerabilities that were exploited
for the PSN hack have almost nothing to do with his realm of knowledge. What
will actually happen is this: Sony, MS, Nintendo, EA, Activision, and
virtually every other IP holder will lobby very, very, very hard to change the
DMCA to be far stricter, and people that do anything even remotely close to
what Geohotz did will find themselves in a Federal prison, regardless of
whether or not what they did was truly unethical.

~~~
blhack
>Do you honestly think they would ask him? Why would they?

Yes. Because he is quite clearly a talented hacker. Do you think it would make
more sense to hire somebody who may not have experience with Sony's
technology?

------
9999
"The Hotz incident was followed in February by a German police raid on the
apartment of Alexander Egorenkov, another hacker who had distributed software
that let PlayStation consoles run homemade games. Other technology companies
have found ways to channel hackers' energy without resorting to lawsuits.
Microsoft (MSFT), for instance, permits hackers to unlock its Kinect gaming
device and invites some of them to its conferences. Google (GOOG) pays
white-hat hackers who help identify bugs. Sony is far more uncompromising, says
Robert Vamosi, a senior analyst at security firm Mocana. "Hardware
manufacturers like Sony just aren't very good about listening when a security
researcher presents them with a flaw," Vamosi says."

That paragraph I just quoted up there is some of the sloppiest journalism I've
ever seen. The analogy being drawn is completely without merit. Microsoft is
"hacker" friendly because they allow people to fool around with the Kinect?
And Sony is hacker unfriendly because they removed a feature (the Linux
install option) that they feared would lead to massive piracy? And Google is
just great because they offer bounties for security flaws? In what way are any
of those facts similar? None of them are even referring to the same sort of
"hacking." If Google made a game system that made its money based on licensing
fees from software sales, it would do everything within its power to prevent
piracy. Microsoft already does this. Running homebrew was not what Sony was
trying to stop.

What I'm about to say will probably be very unpopular here. Anyway, the
"hacker" (I hate their usage here... they should say cracker) excuse that they
are just trying to enable homebrew software is utterly laughable as well. As
soon as Geohotz was successful, numerous other companies capitalized on it and
went to that next (tiny, tiny, tiny) step to enable running pirated games.
Should Sony have sued Geohotz? Probably not. But what did Geohotz honestly
think people were going to do with his developments? Does he want people to
keep making games for the PS3? Did he honestly think that people wouldn't
immediately turn around and use his progress to pirate games? The ethics of
this supposed "hacker" community leave a lot to be desired, and I truly wish
we could return to the old usage of the term, and stop applying it to people
that are really just safe crackers and thieves.

Our laws are completely inadequate for addressing this kind of abuse now, and
I dread to see what sort of draconian measures will be put in place in
response to this sort of shortsighted, unethical, and lame "hacking." If you
don't want a closed system, then don't buy it. This is what will give us more
open systems in the future, not enabling pirates.

~~~
blhack
The reason what you're saying is unpopular here is because it is fundamentally
incorrect.

What difference do you see between hacking your PS3 and hacking your Kinect?
How is hacking your PS3 "cracking"? In my opinion, and I suspect that the vast
majority of technologically literate people would agree with me, what happened
with the PS3 fits the classic definition of hacking perfectly.

~~~
9999
The Kinect hacks consisted of using the Kinect device for reasons other than
originally intended. No laws were broken. The intent is basically pure. The
hackers (because they are real hackers) just asked themselves "what else can
we do with this hardware?" They broke no laws. They did no economic harm to
MS, and if anything, helped them.

On the other hand, the PS3 hack will _primarily_ be used to enable piracy.
That's it really. Did it initially enable homebrew games? Yes, but is that
what the vast majority of people will use it for? You're deluded if you think
otherwise.

The problem I have with non-ethical non-consequentialist crackers like Geohotz
is that they are not solving a legitimate problem in the first place. If you
want to make open systems, then stop providing monetary support to closed
systems in the first place.

~~~
aphexairlines
Console hacking in the past has contributed to new industry growth. When the
original Xbox was hacked, one of the outcomes was Xbox Media Center (XBMC).

XBMC led to incentives to accelerate the development of home media center
components like audio/video decoders. This obviously helps everyone in the
growing media center industry.

XBMC also is directly responsible for the birth of at least two startups in
the media center space, Boxee and Plex.

So while some companies in an established and profitable industry lost some
revenue from piracy, a new industry got a big boost from people being able to
experiment with and innovate on top of a console.

~~~
9999
And what positive outcomes have come of Geohotz' work? Geohotz worked
_exclusively_ to enable piracy! Sorry, but it's true! Sony removed the Other
OS install option _because_ of Geohotz' work towards enabling piracy! Read his
wikipedia entry (<http://en.wikipedia.org/wiki/George_Hotz>) if you don't
believe me.

The PS3 was a freer console for the masses before his work. His work enabled
piracy, theft, and constitutes extortion. What part of his initial explanation
of the PS3 root key divulgence don't you understand? Here it is:

" ~geohot

props to fail0verflow for the asymmetric half no donate link, just use this
info wisely i do not condone piracy

if you want your next console to be secure, get in touch with me. any of you
3. it'd be fun to be on the other side.

...and this is a real self, hello world although it's not NPDRM, so please
wait to run... shouts to the guys who did PSL1GHT without you, I couldn't
release this

first piece of homebrew you can run put in service mode, put on usb stick,
boot"

"i do not condone piracy" = I don't think you should use this for piracy

"if you want your next console to be secure, get in touch with me. any of you
3." = I know this shit I did will be used for piracy, that's why you 3
(Nintendo, MS, Sony) may want to consult me to avoid the massive piracy that
will surely result due to my hacks in the future

Is this not, in a sense, extortion? Is he not willfully and knowingly enabling
theft?

My point is that the PS3 was a more open platform before Geohotz arrived on
the scene. It would be more open today if it weren't for his efforts, which
are almost entirely in aid of piracy and theft. Please, name one thing that he
has enabled that wasn't previously possible with an Other OS install that is
not essentially just stealing. Please. Go for it. Tell me I'm wrong.

I'm just a guy that makes a living making software, Geohotz is a guy that is
making a living by robbing the companies that pay me. Why should we grant him
the glorified title of hacker? RMS is a hacker. Linus is a hacker. PG is a
hacker. Carmack is a hacker.

Geohotz is a cracker.

~~~
sluckxz
The one major thing I know of that has come of this is that I can put Linux on
my PS3 again. I'm happy about that. I'd like to think he willfully and
knowingly unlocked a piece of hardware for the masses knowing it would
primarily be used for piracy plus lots of other cool things too.

