Home
I was just talking to a Sony contact of mine about all the misinformation swirling about out there, so Brad's story is great timing. Read on to see what the news outlets are not saying about the PSN outage.
We've all been hearing over and over again for the last week that Sony was running an outdated version of the Apache web-server software on its webservers. The implication, of course, was that this represents Sony's laissez-faire attitude toward the protection of customer information, making it easy for the hackers to gain entry to the PlayStation Network.
But the funny thing about this kind of "common knowledge" in the age of the Internet is the way rumors have an unfortunate tendency to be repeated as fact. Just a week ago it was "common knowledge" that Sony stored every PSN password in plain text. It was also "common knowledge" that Sony Online Entertainment hadn't been compromised. Neither of those things proved true.
One member of the Beyond3D forum, deathindustrial, was curious about the outdated server software claim and did a very brief amount of very interesting research into the issue....
(Beyond3D's community has a unique combination of technically knowledgeable users with a low rate of console fanboyism, allowing for an honest discussion of things like the PSN data breach without the conversation devolving into another proxy battle in the great fanboy wars.)
As it turns out, it is fairly simple to use Google's webcache to show what version of Apache the PSN servers were using back in March. According to a page request archived by Google on March 23, 2011, at that time Sony was running version 2.2.17 of the software. You can see from Apache's website that 2.2.17 is the latest stable version of the webserver available even today. This is a direct repudiation of the claims being made that Sony's webservers were out of date by as much as five years.
Poster deathindustrial also goes on to point out the folly in using "security expert" Dr. Eugene Spafford's testimony before Congress as a source for the claims that the servers were outdated and that Sony knew about it. In the written statement which accompanied his testimony, Spafford clearly states:
I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date and had been warned about that risk.
So he had no first-hand knowledge of the state of Sony's servers or Sony's knowledge about possible exploits, and he was literally repeating claims that he read in the media, which might have stemmed from IRC chat logs that were being passed around back in February. He didn't even do the very basic detective work it would've taken to completely repudiates the claims.
It's sad to say, but many are so eager to see Sony's eye blackened that they are willing to believe any rumor that puts the PlayStation in a negative light. We are in a backwards world where everything Sony says is assumed to be a lie or conspiracy, and anonymous IRC chat logs of dubious origins have miraculously become the most trusted news source in the industry. Here we have a concrete example of why it's important to actually verify your source before repeating something as fact.
