Clearing up the Sony FUD

OK listen, it sucks that some thieves stole your name, address and hashed passwords. I get that. Sony should be held accountable on some level, though I’d say the thieves more so.

But I’m so SICK and TIRED of the professional game bloggers making everything look so much worse than it is, spinning things to make it seem like Sony all but rolled out the red carpet for the thieves. I’ve seen it on Destructoid (though to their credit, they went back and updated the post later), Kotaku, Joystiq, Gamespot, Massively… all saying some variety of “Experts say that Sony had unpatched servers and no firewall, and knew about it.”

This is all coming from Dr. Gene Spafford, from Purdue University. Or so the spun stories will tell you. Most of these stories even link to the written testimonial, which actually says:

In the Sony case, the majority of the victims are likely young people whose sense of risk, privacy and consequence are not yet fully developed, and thus they may also not understand the full ramifications of what has happened. Presumably, both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data; I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk.

(emphasis mine)

Most of the testimony is really basic stuff about how bad having data stolen is and what “phishing” means and other stuff that 99.99% of the people reading this blog already understand. As for the spoken testimonial, here that is:

There’s your expert, and you can hear it for yourself. Basically he read a mailing list where someone claims to know that Sony had an out-of-date version of Apache (no details on how out of date) and no firewall, and claims that Sony reads the same mailing list and knew all about it. The “no firewall” part is clearly bullshit: there’s no way they didn’t have a load balancer in place to distribute 77 million users across their servers, and pretty much every load balancer is also a firewall. Between the Apache servers and the application servers there needs to be some kind of firewall to handle NAT or something, unless all of Sony’s servers were on public-facing machines, which is very very VERY hard to imagine.

That’s not exactly compelling testimony to me… people say all kinds of random shit on mailing lists and forums. Also note that in his written testimony he refers to news reports, leading me to wonder if he even reads the mailing lists in question.

Now whatever security measures Sony had in place, they were clearly not up to the task at hand, and shame on them for not having beefier security. We’re all paying the price for that mistake. But there’s a big difference between “not enough security” and what this expert is saying, which is essentially “there was no security at all.”

Add to that the fact that Sony says the breach occurred via an application server, not a web server, and with all the security people looking over their shoulders, the FBI involved and the intense scrutiny they’re under, I find it a stretch to think they’re going to try to pull off a lie right now.

And yet… every one of these posts has commenters nodding their heads and dragging out the pitchforks and torches and assuming that yup, everything this old gentleman has to say must be 100% true.

I’ve never been more ashamed of the community of professional bloggers out there.