Dianne Feinstein Inadvertently Calls to Expose America’s Critical Infrastructure to Hackers

For days now, surveillance hawks have been complaining that terrorists probably used encryption in their attack on Paris last Friday. That, in spite of the news that authorities used a phone one of the attackers threw in a trash can to identify a hideout in St. Denis (this phone in fact might have been encrypted and brute-force decrypted, but given the absence of such a claim and the quick turnaround on it, most people have assumed both it and the pre-attack chats on it were not encrypted).

I suspect we’ll learn attackers did use encryption (and a great deal of operational security that has nothing to do with encryption) at some point in planning their attack — though the entire network appears to have been visible through metadata and other intelligence. Thus far, however, there’s only one way we know of that the terrorists used encryption leading up to the attack: when one of them paid for things like a hotel online, the processing of his credit card (which was in his own name) presumably took place over HTTPS (hat tip to William Ockham for first making that observation). So if we’re going to blindly demand we prohibit the encryption the attackers used, we’re going to commit ourselves to far, far more hacking of online financial transactions.

I’m more interested in the concerns about terrorists’ claimed use of PlayStation 4. Three days before the attack, Belgium’s Interior Minister said all countries were having problems with PlayStation 4s, which led to a frenzy mistakenly claiming the Paris terrorists had used it (there’s far more reason to believe they used Telegram).

One of those alternatives was highlighted on Nov. 11, when Belgium’s federal home affairs minister, Jan Jambon, said that a PlayStation 4 (PS4) console could be used by ISIS to communicate with their operatives abroad.

“PlayStation 4 is even more difficult to keep track of than WhatsApp,” said Jambon, referring to the secure messaging platform.

Earlier this year, Reuters reported that a 14-year-old boy from Austria was sentenced to a two-year jail term after he downloaded instructions on bomb-building onto his Playstation games console, and was in contact with ISIS.

It remains unclear, however, how ISIS would have used PS4s, though options range from the relatively direct methods of sending messages to players or voice-chatting, to more elaborate methods cooked up by those who play games regularly. Players, for instance, can use their weapons during a game to send a spray of bullets onto a wall, spelling out whole sentences to each other.

This has DiFi complaining that Playstation is encrypted.

Even Playstation is encrypted. It’s very hard to get the data you need because it’s encrypted.

Thus far, it’s not actually clear most communications on Playstation are encrypted (though players may be able to pass encrypted objects about); most people I’ve asked think the communications are not encrypted, though Sony isn’t telling. What is likely is that there’s not an easy way to collect metadata tracking the communications within games, which would make it hard even to determine whether some parts of the communications data are encrypted.

But at least one kind of data on Playstations — probably two — is encrypted: credit cards and (probably) user data. That’s because 4 years ago, the PlayStation Network got badly hacked.

“The entire credit card table was encrypted and we have no evidence that credit card data was taken,” said Sony.

This is the slimmest amount of good news for PlayStation Network users, but it alone raises very serious concerns, since Sony has yet to provide any details on what sort of encryption has been used to protect that credit card information.

As a result, PlayStation Network users have absolutely no idea how safe their credit card information may be.

But the bad news keeps rolling in:

“The personal data table, which is a separate data set, was not encrypted,” Sony notes, “but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”

A very sophisticated security system that ultimately failed, making it useless.

Why Sony failed to encrypt user account data is a question that security experts have already begun to ask, along with politicians both in the United States and abroad.

Chances are Sony’s not going to have an answer that’s going to please anyone.
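The distinction in the statement quoted above, between a credit card table that was encrypted and a personal data table that was merely “behind a very sophisticated security system”, is worth making concrete, because it is exactly the difference between what a database thief gets and what they do not. The following Go program is an added example written for this post; it is not Sony’s code and nothing in the original article describes their implementation. It assumes a data-encryption key held outside the database (a KMS or HSM, hypothetically), encrypts individual columns with AES-256-GCM using the row id as associated data, and then renders the table the way someone who copied the database file, but not the key, would see it. With only the card column sealed, the personal data is readable from the dump; with both columns sealed, neither is. The sample rows and the key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one row of a user table: in the quoted layout only Card was encrypted at rest.
type Record struct{ ID, Personal, Card string }

// Vault wraps the data-encryption key. Assumption of this example: the key is
// held outside the database (e.g. in a KMS or HSM), so a table dump lacks it.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce, binding it to the row id as AAD.
func (v *Vault) Seal(rowID, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(rowID))
	return hex.EncodeToString(ct), nil
}

// Open reverses Seal; it fails on a wrong key, a wrong row id or any tampering.
func (v *Vault) Open(rowID, encoded string) (string, error) {
	ns := v.aead.NonceSize()
	ct, err := hex.DecodeString(encoded)
	if err != nil || len(ct) < ns {
		return "", fmt.Errorf("malformed ciphertext")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRow produces the at-rest form of a record. encryptPersonal=false mirrors the
// quoted statement (card sealed, personal data in the clear); true seals both columns.
func StoreRow(v *Vault, r Record, encryptPersonal bool) (Record, error) {
	card, err := v.Seal(r.ID, r.Card)
	if err != nil {
		return Record{}, err
	}
	personal := r.Personal
	if encryptPersonal {
		if personal, err = v.Seal(r.ID, r.Personal); err != nil {
			return Record{}, err
		}
	}
	return Record{ID: r.ID, Personal: personal, Card: card}, nil
}

// Dump renders the table as someone who copied the database, but not the key, sees it.
func Dump(rows []Record) string {
	var b strings.Builder
	for _, r := range rows {
		fmt.Fprintf(&b, "%s|%s|%s\n", r.ID, r.Personal, r.Card)
	}
	return b.String()
}

// Exposed reports which original plaintext values are still readable in the dump.
func Exposed(dump string, originals []Record) (personalLeaked, cardLeaked bool) {
	for _, o := range originals {
		personalLeaked = personalLeaked || strings.Contains(dump, o.Personal)
		cardLeaked = cardLeaked || strings.Contains(dump, o.Card)
	}
	return personalLeaked, cardLeaked
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed stand-in for a key fetched from a KMS
	v, _ := NewVault(key)
	orig := []Record{{"u1", "Alice Example <alice@example.net>", "4111111111111111"}} // constructed row
	for _, hardened := range []bool{false, true} {
		row, _ := StoreRow(v, orig[0], hardened)
		p, c := Exposed(Dump([]Record{row}), orig)
		fmt.Printf("encryptPersonal=%v personalLeaked=%v cardLeaked=%v\n", hardened, p, c)
	}
}
```

Two things the example makes visible that the quoted statement does not: encryption at rest only helps when the key is not sitting next to the data (the Vault here is the assumed key boundary, and the dump deliberately excludes it), and an authenticated mode with the row id as associated data means a stolen ciphertext cannot be quietly swapped into another account’s row. Neither point can be judged from “the table was encrypted” alone, which is why the article’s complaint that Sony gave no details about the encryption used is the right one to press.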

After one in a series of really embarrassing hacks, I assume Sony has locked things down more since. Three years after that Playstation hack, of course, Sony’s movie studio would be declared critical infrastructure after it also got hacked.

Here’s the thing: Sony is the kind of serially negligent company that we need to embrace good security if the US is going to keep itself secure. We should be saying, “Encrypt away, Sony! Please keep yourself safe because hackers love to hack you and they’ve had spectacular success doing so! Jolly good!”

But we can’t, at the same time, be complaining that Sony offers some level of encryption as if that makes the company a material supporter of terrorism. Sony is a perfect example of how you can’t have it both ways, secure against hackers but not against wiretappers.

Amid the uproar about terrorists maybe using encryption, the ways they may have — to secure online financial transactions and game player data — should be a warning about condemning encryption broadly.

Because next week, when hackers attack us, we’ll be wishing our companies had better encryption to keep us safe.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

3 replies
  1. seedeevee says:

    My Sony privacy policy tells me (https://www.playstation.com/en-us/legal/privacy-policy/#california):

    “Governing Law
    SCEA operates in parts of North and South America but this site is intended for consumers in the United States. When we process personal data and information and personally identifying information in the United States, we follow United States data protection and privacy regulations, which may not offer the same level of protection as in other parts of the world, such as the European Union. If we are made aware that a consumer’s country of residence is outside the United States, that consumer will be directed to the appropriate Sony company.”

    “Passive Information Collection
    SCEA may collect information such as our website visitors’ IP address, IP address-related information, system Media Access Control (“MAC”) address, network configuration information, network device information, browser plug-in types and versions, operating system, and platform. We also may collect information about your download activity, browser activity, forum postings and session information.”

    Seems like different countries get different protections. I guess I am extra special being in California. But it seems that Europe is even more special.

    Other game systems and game makers all have their own messaging services/voice chat/video uploading.

    Xbox live has 49 million registered users with 39 million active users. (http://www.gamespot.com/articles/steam-reaches-new-concurrent-user-record/1100-6431895/)

    Steam has 125 Million registered users with a record 12.5 million logged in at the same time. (http://www.gamespot.com/articles/steam-reaches-new-concurrent-user-record/1100-6431895/)

    The Playstation Network has at least 150 million users. (http://www.gamesindustry.biz/articles/2013-11-13-playstation-plus-has-seen-significant-growth-says-sony)

    Anyone can join any of these networks. You just need a proper PC/xbox/Playstation. They are all entirely anonymous if you want. You can use prepaid cards to purchase whatever you need.

  2. orionATL says:

    these loud sobs about encryption have no locus in concern for france or the victims of the attack in paris; american natsec bureaucrats don’t give a damn about french natsec bureaucrats’ problems.

    no, all this crap, and it is crap*, is about using the french misfortune and surrounding factual uncertainty to attack and, having attacked, to destroy, the foundations of support for encryption in this country. diane feinstein has demonstrated numerous times that she does not know her ass from a hole in the ground when it comes to spy technology. but she is the minority and former chair of ssci and hence an excellent subject to get to go running around crying “are the children in bed. it’s half past nine o’clock.”

    *can we keep our heads long enough to remember that

    – there is no tool of war that cannot be defeated and defended against, that would include non-encrypted everything.

    – saving a few lives is almost never justification for taking precipitous government action in the u.s., c.f., car seat belt, car airbag, smoking, climate change, airplane crash deaths, but “turrurists”? lindsey graham and political notables shout “lemme at ’em”

    – all terrorist attacks, everywhere in the world, kill minute numbers of persons at a time (127 in paris).

    the one exception, the bombing of the wtc in the u.s. occurred primarily due to the gross negligence of the fbi and cia bureaucracies and because of incompetence, or purposeful neglect, of president gw bush and national security advisor candy rice. it HAD NOTHING WHATSOEVER TO DO WITH ANY ASPECT OF SURVEILLANCE TECHNOLOGY.

    – we face death everyday merely in the course of living our ordinary lives.

    – due primarily to a fatal combination of television technology and corporate motivated television commentators, we have become a nation of hysterical overreaction on any notable public emergencies. in each and every emergency, all fools rush to the same side of the ship. that could have dangerous consequences, couldn’t it?

    but there is one exceedingly strange exception to the current “we become massively hysterical” rule.
    we NEVER get hysterical about any mass gun murder in this country, of which there have been over 100 separate incidents since the sandy hook elementary school murders.

  3. Teddy says:

    Feinstein is a moron, especially around issues she is particularly entrusted with due to her position on the Intelligence Committee. As long as whatever policies she’s pushing are enriching Blum, her war-profiteer husband, she’s happy. Look for Richard Blum to be deep in the encryption/decryption space soon, if he’s not already.
