In mid-November, members of Sonys PlayStation Underground received the Holiday Demo Disc and discovered that after executing one of the game demos on the disc, their PS2 memory cards were completely erased. While that doesnt mean much to nongamers, for anyone who has spent 40-plus hours building a character in a role-playing game or playing through a season of football—well, its a huge boot in the trousers.
The sampler disc was sent via mail to members of the PlayStation Underground, an opt-in promotional group that Sony calls a “personal link to all the insider info from the PlayStation world.”
Ryan Bowling, public relations manager for Sony Computer Entertainment America, said Sony responded to the situation by sending out warning e-mails to PlayStation Underground subscribers telling them to remove their memory cards before playing the demo.
“It is unfortunate that it happened,” Bowling said, “and were going to make sure it doesnt happen again.”
But what does this mean for the rest of us?
Theres more to the story than a handful of gamers losing their saved game files. The implications of such a glitch can be huge, especially as consumers start to set up networked computing systems in their homes, complete with routers, networks and servers. Minus cubicles and a water cooler, its the equivalent of a small enterprise network.
Rick Fleming, chief technology officer at Digital Defense Inc., said that although most consumers dont realize it, game consoles are computers that run off their own proprietary operating systems. As a result, a bug in a demo CD, CD-ROM or DVD-ROM could affect the rest of a home network and spread to an enterprise network through a VPN connection or portable storage devices.
“PlayStation and Xbox are being networked with home computers … so I can easily see how something like that would spread across a network,” Fleming said. “Every time you connect to something else, theres another opportunity for something to go wrong.”
Trouble within the Firewall
The idea that a removable disk can affect an entire networked system seems almost quaint, reserved for corporate spoofs such as “Office Space,” in which the protagonists use a program on a 3.5-inch floppy disk to steal money from their company. Nowadays, companies and consumers focus on outside threats, assuming theyre sitting pretty behind Internet firewalls and anti-virus programs.
“Its like theyll leave the windows and sliding glass doors open,” Fleming said. “Not the front door, though. Its vaulted shut.”
While there are few recent instances of companies sending out software with embedded viruses, it still happens on occasion. In 2002, Microsoft sent out a .Net developer disk infected with the Nimda virus, although Microsoft says it didnt actually spread to any machines.
In the entertainment sector, AOL Time-Warner released a “Powerpuff Girls” DVD in 2001 that contained the peevish “FunLove” virus, which spread to users who played the disc on PC.
In an earlier echo of the PlayStation Underground incident, MacAddict magazine sent out a demo with a version of the Auto-Start virus. In most of these cases, the problems were easily fixed, but is still a signifier that seemingly innocent CDs sent out by reputable companies can contain malicious content.
Trojans and Viruses
With the CD drives in virtually every machine, its more common than ever for people to share information via optical media, Fleming said. Most people dont give a second thought to putting something like that in their machine.
So, are these little glitches as banal as reports make them out to be? Maybe—although more-conspiratorial analysts say these harmless bugs could turn into an entirely new threat that the security community is not ready to handle.
“Most of the time when we see threats show up, its a concept for how a Trojan or virus can be introduced,” Fleming said. “When its introduced, its mostly very benign—erasing the flash memory on a PlayStation is not going to affect me personally—but what does concern me is that we have a whole new threat vector. People are going to take the concept and think, Whats the next thing I can do?”
An Ounce of Prevention
Not every security expert interviewed by eWEEK.com voiced the same opinion, but they all agreed that any networked user needs to take the same precautions, whether theyre on a home or business network.
John Pescatore, vice president of Internet security at Gartner Inc., said home network security has a long way to go, since most major companies involved in home computing dont focus on that kind of security environment.
“Theres a funny thing going on,” he said. “For many years, Microsoft built Windows with home users in mind, but in 2001 to 2002, they got religion and started doing more for enterprise security. They forgot about the home user who doesnt have an IT staff to take care of their problems.
Pescatore also said theres been discussion in the industry about how to integrate security into consumer electronics. The problem is that companies still say anything harder to use slows down consumer adoption—so no one is willing to make security a priority in a consumer environment.
“Theres not a lot of incentive to say, My product is harder to use,” Pescatore said.
AOL has recently moved to help consumers with security by offering McAfee VirusScan Online services for free.
Businesses also can take a few notes from a home-network invasion. Much like home users, Fleming said, businesses keep a closer watch on outside threats and dont do enough to make sure that nothing is coming from within the company.
“Computer institutions and the FBI have surveys that show around 60 percent of all security instances occur internally,” Fleming said. “This is where a lot of companies dont get it. They do all of the testing on outside resources and dont monitor internally.”
Fleming strongly recommended that businesses create a strong security policy thats enforced through monitoring and training. People need to be aware of bringing in software and other devices from home. That includes things such as music CDs, which often store data other than the actual music tracks.
“There has to be mandated vigilance in the enterprises,” Fleming said. “Its got to be pounded into their heads to be careful.”