PS3 Hacker: Sony Needed To Hire More Security Experts, Not Lawyers

By M.H. Williams

Instead of the long, protracted legal battle we expected, Sony and PS3 hacker George Hotz settled their case earlier this month, with Hotz being unable to hack a Sony product ever again for fear of steep fines. In a post on his personal blog, Hotz weighed in on the current PlayStation Network breach, denying any involvement with the affair.

“To anyone who thinks I was involved in any way with this, I’m not crazy, and would prefer to not have the FBI knocking on my door. Running homebrew and exploring security on your devices is cool, hacking into someone else’s server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony,” he wrote.

In his post, Hotz addressed the person behind the hack and theft, urging them not to release private user information.

“You are clearly talented and will have plenty of money (or a jail sentence and bankruptcy) coming to you in the future. Don’t be a dick and sell people’s information,” he advised.

Hotz points the finger for this debacle at Sony’s executives, not the engineers behind the company’s security or even the perpetrator of the hack.

“The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea,” he continued.

“Sony execs probably haughtily chuckled at the idea of threat modelling. Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client (can’t trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server?”

“This arrogance undermines a basic security principle, never trust the client. It’s the same reason MW2 was covered in cheaters, EA even admitted to the mistake of trusting Sony’s client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you. Notice it’s only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren’t crazy,” Hotz contends.
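The "never trust the client" principle Hotz describes is easiest to see in code. The following is an added illustration, not code from the article, from Hotz, or from any Sony system: a toy score-submission service with the trust boundary drawn in the two places he contrasts. The naive handler believes the identity and score the client asserts; the hardened handler takes identity only from a server-side session and validates every client-supplied field. All user records, sessions and requests are constructed sample data, and the function and variable names are this example's own.

```python
"""
Added example (not from the article or from George Hotz): a toy web-service
handler showing where the trust boundary belongs. The naive handler trusts an
identity and a score the client asserts; the hardened handler derives identity
from a server-side session and validates every client field before use.
All users, sessions and requests here are constructed sample data.
"""
import secrets

# Constructed server-side state: account records and a session store.
USERS = {
    "alice": {"email": "alice@example.invalid", "best_score": 0},
    "bob": {"email": "bob@example.invalid", "best_score": 0},
}
SESSIONS = {}  # session token -> username; written only by the server

MAX_PLAUSIBLE_SCORE = 1_000_000  # assumed game-specific upper bound


def login(username):
    """Server issues an unguessable token after authenticating the user
    (the authentication step itself is out of scope for this example)."""
    if username not in USERS:
        raise KeyError("unknown user")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def naive_submit_score(request):
    """Trust boundary drawn around the client: the server believes whatever
    identity and score the client sends, so any client can overwrite any
    account's record with any value."""
    user = request["user"]          # client-asserted identity
    score = int(request["score"])   # client-asserted value, unchecked
    USERS[user]["best_score"] = score
    return USERS[user]


def hardened_submit_score(request):
    """Trust boundary between server and client: identity comes only from
    the server-side session, and the submitted value is validated."""
    user = SESSIONS.get(request.get("session"))
    if user is None:
        return {"error": "unauthenticated"}
    try:
        score = int(request.get("score", ""))
    except ValueError:
        return {"error": "malformed score"}
    if not 0 <= score <= MAX_PLAUSIBLE_SCORE:
        return {"error": "implausible score"}
    record = USERS[user]
    # Any "user" field in the request is ignored; the session decides.
    record["best_score"] = max(record["best_score"], score)
    return record


if __name__ == "__main__":
    token = login("alice")
    # Alice's client claims to be bob and submits an impossible score.
    forged = {"user": "bob", "score": "99999999", "session": token}
    print("naive   :", naive_submit_score(forged))      # bob's record overwritten
    print("hardened:", hardened_submit_score(forged))   # rejected as implausible
    print("hardened:", hardened_submit_score({"session": token, "score": "500"}))
```

The detection angle follows from the same boundary: once identity is bound to the session rather than a request field, a request whose claimed user disagrees with its session, or whose score fails the plausibility bound, is a concrete event worth logging and alerting on rather than silently accepting.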

Was Sony playing a losing battle of chicken with hackers?