How Sony's Antipiracy Approach Made It a Hacker Target

On Friday, 10 June, Spanish police announced the arrest of three hackers for allegedly targeting banks, Middle Eastern governments, MasterCard and, most important perhaps, Sony.

Why Sony? Because over the past year, a high-profile international war has been waged by hackers against the consumer electronics giant. There have been denial-of-service attacks and data breaches. The arrest was meant to send a message that the war was being won by the authorities.

But in the short history of gaming, disruption regularly comes from the computer underground, leading to some of the greatest achievements in the medium’s relatively short history. The recent battles highlight a recurring question for the industry: Are hackers good or bad for gaming?

Sony’s problems stem from a single hacker: George Hotz, a young programmer from New Jersey. He managed to gain full access to the PlayStation 3 and shared his hack with the world. Sony was worried that such an intrusion would encourage piracy and aggressively moved to silence Hotz.

The game industry has had a long and unique love/hate relationship with hackers. Many of the earliest gaming pioneers and developers began their careers as hackers. They were the MIT students who created Spacewar! on a mainframe in the 1960s, the home-brew geeks working on Apple IIs and Commodore 64s in the ’80s, and the Doom generation working on PCs in the ’90s.

As these early engineers grew into positions of power within the industry, they began encouraging hackers actively on their own. John Carmack, technical director and cofounder of Id Software, creators of Doom and Quake, has built his business on the hacker ethic. "I think [hacking] is good for the evolution of like knowledge in general," he once told me. "You work on top of the results of other people, and you can’t do that when you’ve got these black boxes."

But while computer game pioneers see value in the hacker ethic, console makers—which rely on selling proprietary hardware—have often treated hackers as a threat. When players modify hardware to run home-brew software and open source operating systems, they also render antipiracy technology useless. Over the years, Sony, Microsoft, and Nintendo have successfully sued distributors of "modchips"—add-on hardware that allows for copyright protection circumvention.

In the annals of game hacking, the battle over the PS3 didn’t seem that different in the beginning. It started in January 2010, when Hotz revealed that he had gained access to PS3’s system memory and processor. "I can now do whatever I want with the system," he told the BBC. "It’s like I’ve got an awesome new power—I’m just not sure how to wield it."

His technique made use of OtherOS, a PS3 function that allowed players to run alternate operating systems, like Linux, on their consoles. Sony had advertised OtherOS as a feature when the company released the first PS3 console in 2006. "It was fully intended that you, a PS3 owner, could play games, watch movies, view photos, listen to music, and run a full-featured Linux operating system that transforms your PS3 into a home computer," the manual read. But after Hotz posted his technique online, Sony felt the security of the system had been compromised. They feared that Hotz’s hack might allow users to run illegal games. Citing "security concerns" not explicitly linked with the PS3 hack, Sony released a firmware update that disabled OtherOS.

In April 2010, Plaintiff Anthony Ventura filed a class action suit in the Northern District of California against Sony Computer Entertainment America (SCEA) complaining that "Sony’s decision to force users to disable the Other OS function was based on its own interest and was made at the expense of its customers."

The outrage soon spread around the world. By the end of 2010, hackers in Australia and Germany had released PS3 jailbreaks of their own. The German hacker team, failoverfl0w, presented their findings at the Chaos Communication Congress, a technical conference in Berlin devoted to security and policy issues. In January, Sony sued Hotz and failoverfl0w for circumventing the console’s copyright protection. The company alleged, among other things, that Hotz had violated the Digital Millennium Copyright Act as well as the federal Computer Fraud and Abuse Act and the company’s terms of service agreement.

The Electronic Frontier Foundation, a leading civil liberties group devoted to digital rights, said "Sony is sending [a] dangerous message: that it has rights in the computer it sells you even after you buy it, and therefore can decide whether your tinkering with that computer is legal or not. We disagree. Once you buy a computer, it’s yours. It shouldn’t be a crime for you to access your own computer, regardless of whether Sony or any other company likes what you’re doing."

As the class action over OtherOS and the online outcry proceeded, Sony looked to cast an even wider net. A California district court approved Sony’s subpoena request [PDF] requiring Twitter, Google, PayPal, YouTube, and Bluehost to supply information on Hotz's hacking efforts (including the IP addresses of anyone who visited his blog).

Colin Sebastian, an analyst with Lazard Capital Markets, a New York City–based technology research firm, says suing game hackers is often ill advised. "It’s been shown before that when companies go after piracy and hackers, the best strategy is to do it as quietly as possible or you attract more attention," he says.

In fact, Sony’s actions prompted the global hacktivist group Anonymous to take up the cause. Citing "severe violation of privacy rights," Anonymous unleashed a denial-of-service attack on Sony’s websites and also organized worldwide boycotts and protests against the company in March.

On 31 March, SCEA settled its lawsuit against Hotz. As part of the agreement, Hotz was banned from reverse engineering or circumventing the copyright protection of any Sony device. In addition, he agreed to a permanent injunction preventing him from distributing hacking tools or details—or face US $10 000 per violation. Riley Russell, general counsel for SCEA, said, "Our motivation for bringing this litigation was to protect our intellectual property and our consumers. We believe this settlement and the permanent injunction achieve this goal."

While piracy has gotten plenty of attention in the film and music industries, the video-game industry has lost an estimated $4 billion to pirates in the last five years. "It was never my intention to cause any users trouble or to make piracy easier," said Hotz, who denied any wrongdoing. "I’m happy to have the litigation behind me."

But the story was far from over. On 19 April, technicians on the Sony Network Entertainment America team discovered a problem on the PlayStation Network—the online gaming system containing personal data from 77 million consumer accounts. The team found that 4 of the network’s 30 servers were inexplicably rebooting themselves and were subject to what the company later characterized as "unplanned and unusual activity." After taking these servers down and discovering 6 more servers possibly compromised, Sony shut down the entire PlayStation Network.

After days of analysis by computer forensics experts, Sony confirmed that "intruders had used very sophisticated and aggressive techniques to obtain unauthorized access," including deleting log files to cover their tracks. Though Sony could not determine whether credit card information had been stolen, the massive breach—which was made public on 26 April—sent chills through consumers and politicians, who later called for a congressional investigation.

Things got worse. A Sony technical team examined the network infrastructure on the servers for Sony Online Entertainment (SOE), the San Diego–based division which runs the company’s massively multiplayer online games such as EverQuest, and on 1 May discovered that a breach had also occurred at SOE, on 16 and 17 April. This one had potentially exposed another 24.6 million customer accounts, including names, addresses and passwords, and 12 700 credit card numbers. In response to questions from Congress about the breach, Sony claimed the attacks were "in retaliation for enforcing intellectual property rights."

Sony has announced plans to beef up its security measures in response to the hacker attacks. These actions include automated software monitoring, enhanced data protection, and firewalls, as well as moving its system to a new data center and naming a new chief information security officer.

Despite the settlement in the Hotz case, the question of who controls video-game consoles is still open. Speaking on his own behalf, Yasha Heidari, Hotz’s attorney, says the implications of the battle go far beyond gaming: "The real question is, what should consumers do with products they purchase?" he says. "The PS3 always marketed itself as a computer…. That’s why the class action suit is taking place now. If this was a normal PC, an Apple or Dell said, ‘You can’t run a program unless they’re authorized,’ most consumers would be up in arms, but simply because this is a console that doesn’t change that fact."

A short version of this article appeared in print as "Sony vs. the Hackers" in the May 2011 issue.