One potential suspect behind Sony’s massive PlayStation Network security breach was 21-year-old George Hotz, AKA Geohot, who recently settled a lawsuit with the company over hacking the PlayStation 3’s hardware. But in a blog post today, Hotz denies that he had anything to do with the PSN attack.
Assuming he’s telling the truth (“I’m not crazy, and would prefer to not have the FBI knocking on my door,” he said), that leaves plenty of other suspects for Sony to consider, like the patchwork group of hackers calling themselves “Anonymous,” who have been known to carry out distributed denial of service (DDoS) attacks.
Hotz clearly doesn’t have much sympathy for Sony. He says in the blog post that Sony invited the attack by making enemies of hackers: “The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.”
He also makes sure to separate the sort of hacking that he does from the PSN attacks: “Running homebrew and exploring security on your devices is cool, hacking into someone else’s server and stealing databases of user info is not cool,” he said. “You make the hacking community look bad, even if it is aimed at douches like Sony.”
One project Hotz says he was working on was a PlayStation Network alternative that jailbroken (or hacked) PS3s could use to play multiplayer games and download homebrew software. That project never materialized once Sony set its legal hounds on him.
Hotz went on to say that he bets “Sony’s arrogance and misunderstanding of ownership put them in this position” — a common sentiment among the hacking community.
“Sony execs probably haughtily chuckled at the idea of threat modeling. Traditionally the trust boundary for a web service exists between the server and the client,” he said. “But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client (can’t trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server? This arrogance undermines a basic security principle, never trust the client.”
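The trust-boundary point Hotz makes is easy to see in code. The following is an added example, not code from the article, from Hotz’s post or from Sony: a tiny in-memory model of a web service with two handlers, one that believes whatever identity the client sends and one that derives identity only from a session token the server itself signed. The user records, the HMAC session scheme, the secret and the request shapes are all constructed for illustration.

```python
"""Added example (not from the article or from Hotz's post): the
"never trust the client" principle, shown as a minimal web-service model.
All names, the session-token scheme and the sample data are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret. It never leaves the server, so a client
# (a jailbroken console, a patched binary, or curl) cannot mint tokens.
SERVER_SECRET = b"constructed-server-side-secret"

# Constructed user records: user_id -> profile the service would return.
USERS = {
    "u100": {"email": "alice@example.invalid", "card_last4": "1234"},
    "u200": {"email": "bob@example.invalid", "card_last4": "9876"},
}


def issue_session(user_id: str) -> str:
    """Server issues an HMAC-signed session token once the user has
    authenticated (login itself is out of scope here)."""
    nonce = secrets.token_hex(8)
    payload = f"{user_id}:{nonce}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_session(token: str) -> Optional[str]:
    """Return the user_id bound to a valid token, or None if the token is
    malformed, forged or tampered with."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, nonce, tag = parts
    expected = hmac.new(
        SERVER_SECRET, f"{user_id}:{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return user_id


def get_profile_trusting_client(request: dict) -> Optional[dict]:
    """Vulnerable pattern: the trust boundary is drawn on the client side,
    so the server simply believes the user_id field the client sends.
    Anyone who controls the client can read any account."""
    return USERS.get(request.get("user_id", ""))


def get_profile_server_side(request: dict) -> Optional[dict]:
    """Hardened pattern: the trust boundary sits between client and server.
    Identity comes only from a token the server minted; a client-supplied
    user_id is ignored for authorization purposes."""
    user_id = verify_session(request.get("session", ""))
    if user_id is None:
        return None
    return USERS.get(user_id)


if __name__ == "__main__":
    alice = issue_session("u100")
    # Legitimate client: gets its own record from the hardened handler.
    print(get_profile_server_side({"session": alice}))
    # Modified client asking for someone else's record: the trusting
    # handler hands it over, the hardened one keeps returning Alice's.
    print(get_profile_trusting_client({"user_id": "u200"}))
    print(get_profile_server_side({"session": alice, "user_id": "u200"}))
    # Forged token with a made-up tag is rejected outright.
    print(get_profile_server_side({"session": "u200:deadbeef:" + "0" * 64}))
```

The difference between the two handlers is exactly the boundary Hotz describes: the first assumes the client binary is honest, so the moment the console is modified every account on the service is exposed; the second assumes nothing about the client and costs only an HMAC per request.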
He suggests that the hacker shouldn’t sell the stolen private data (which includes credit card numbers and would likely fetch a high price in some circles), and that he’d love to see a breakdown of just how the hack was carried out. But with Sony and law enforcement on red alert to find the culprit, I don’t expect we’ll see a breakdown of the attack anytime soon.