Last week a “hacking group” called Lizard Squad took down the PlayStation and Xbox Live networks. On Christmas day. That was annoying, but even more annoying to me is the ignorant and misinformed technology reporting surrounding the story. I don’t blame reporters who can’t figure out who did what. All we have is the word of self-proclaimed “cyber terrorists” and ass-covering corporations to go by, and each side has motivation to exaggerate or downplay the significance and sophistication of the hack. But while it’s tough to know what really happened, at least we should be able to get the technical details right.
First of all, this was not a “hack”. Or at least, Sony and Microsoft were not the ones who got hacked. This was a distributed denial of service attack (DDOS). That’s when a whole bunch of computers overwhelm a server with requests, so the server can’t do anything but handle useless requests. It’s like if your phone number was distributed to hundreds of thousands of people who just dialed your number over and over again. Your phone becomes useless. Your friends can’t make it through because your phone is always busy. And you can’t block the offending numbers because there are so many of them. There’s no way to tell prank calls from legit ones, so there’s nothing to do but shut your phone off and either get a new number or wait for the crowd to get bored and move on.
This is where the “hacking” part comes in. Lizard Squad didn’t hack Microsoft and Sony. They hacked tens or hundreds of thousands of ordinary personal computers. How it works is this: They code some specific program, custom to their needs, and sneakily get it onto large numbers of common machines without their owners knowing. Sometimes hackers do this by disguising their virus as pirated software or pornography to trick people into downloading it. Sometimes they infect legitimate websites using various security vulnerabilities, and use that trusted site to get to people. (This happened on my site a little while ago.) Sometimes they hide it inside of programs pretending to be anti-virus. (I’m sure you’ve seen the “You computer is infected! Click here to clean it!” ads. Yeah. Don’t click those.)
So your computer gets hacked. But unlike typical malware, this program doesn’t do anything right away. No stolen credit card numbers. No porn popups. No hacked accounts. No spam messages to your friends over social media. Instead it sits there quietly, hiding in the deep parts of the operating system and not making any trouble. It connects to the hacker’s server every once in a while, checking in and asking for orders. If there are no orders, the program goes back to sleep.
This is called a “botnet”, and your hacked computer is one of the bots. When the hacker is ready, he adds the command to his server “Attack the PlayStation network!”. The next time your computer checks in, it gets the order and begins hammering away at the PlayStation servers. You probably won’t even know your computer is doing this. The only thing you might notice is that your internet might feel a little laggy, and likely as not you’ll blame that on your internet provider.
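The quiet, periodic check-in described above is the one trace a defender can look for before any attack order arrives. The following is an added example, not part of the original article: it scans a constructed connection log for host and remote-address pairs that are contacted at long, nearly constant intervals. The addresses, thresholds and function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (unix_seconds, internal_host, remote_address).
# All addresses are from the reserved documentation ranges.
def build_sample_log():
    log = []
    # Host .10 contacts one address every ~600 s with small jitter (check-in pattern).
    jitter = [0, 4, -3, 2, -5, 1, 3, -2, 0, 5, -4, 2]
    for i, j in enumerate(jitter):
        log.append((1000 + i * 600 + j, "192.0.2.10", "203.0.113.77"))
    # Host .20 browses a site: bursts and long pauses, no fixed rhythm.
    for t in [1010, 1025, 1031, 1900, 1905, 4200, 4230, 6900, 6902, 7400]:
        log.append((t, "192.0.2.20", "198.51.100.5"))
    # Host .20 also makes three evenly spaced connections: too few to judge.
    for t in [2000, 2600, 3200]:
        log.append((t, "192.0.2.20", "198.51.100.9"))
    return log

def find_beacons(log, min_events=8, max_cv=0.1, min_period=60):
    """Return [(host, remote, mean_gap_seconds, cv)] for pairs whose
    connection gaps are long and nearly constant."""
    times = defaultdict(list)
    for ts, host, remote in log:
        times[(host, remote)].append(ts)
    hits = []
    for (host, remote), stamps in times.items():
        if len(stamps) < min_events:
            continue                      # not enough evidence either way
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_period:
            continue                      # rapid traffic is not a sleepy check-in
        cv = pstdev(gaps) / avg           # coefficient of variation; 0 = perfectly regular
        if cv <= max_cv:
            hits.append((host, remote, round(avg), round(cv, 3)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

Regular timing alone is only a lead: update checkers and time sync also phone home on a schedule, and a bot that randomizes its sleep interval will slip under a tight `max_cv`.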
All by itself, your little computer is no threat. But once the botnet is big enough, it becomes a dangerous force, able to take down major websites at will. The authorities can’t very well track down each and every infected machine all over the world, so they have to attack the botnet command server. But the server is usually hosted someplace that’s hard to reach, and it moves around a lot, and it’s maintained through various blinds and proxies that make it extremely difficult to track down the owner of the botnet. It’s possible to take these networks out, but it takes time and the cops usually don’t know the botnet exists until the attackers use it. (By “cops” I mean “whatever government organizations are fighting cyber-crime”.) Even if they take down the command server that gives the orders, those infected machines are still out there. The virus may have opened up other holes in their security, making it easier to make them part of a new botnet. Or maybe there’s a fallback server that the cops won’t find out about until the next attack. It’s a constant game of cat-and-mouse.
The kids open up their new console on Christmas morning, set it up, and then it sits there, useless, trying to download updates and patches from a server that’s being crushed by a botnet. Maybe it’s possible to unplug from the network and use the machine in isolation. I don’t know. In any case, the user might not have the knowledge or know-how to realize they could do this. The instructions say to plug the machine into the internet, so they did. The instructions list lots of troubleshooting tips, but I’m willing to bet they don’t suggest unplugging from the network.
An example: My friend already had his PlayStation 4 set up, but on Christmas day he wanted to play Disney Infinity. The game got stuck at the title screen and couldn’t proceed. It didn’t give an error or say what was wrong. It just sat there, because the engineers hadn’t made any allowance for the possibility that the internet would be available, but not the PlayStation Network. This is a system designed by people who just assumed the servers would never be down. This is a shocking rookie mistake and I don’t believe this kind of lazy network code is part of a console in 2014. (The solution in his case was to unplug from the internet, but only people who understand technology and read the news would know to do that.)
People are wondering why the hackers would be so cruel as to attack on Christmas day. But it’s possible that they attacked on Christmas not because they cared about Christmas, but because that’s when PSN and Xbox Live would be most vulnerable. The servers would already be stressed with the rush of new machines, new account registrations, and huge crowds of people downloading patches. This is the most intense load the servers will experience all year, and that’s the best time to attack if you want your botnet to overwhelm them and make them useless. It’s entirely possible that if the botnet attacked on some Monday morning in February when the kids were in school, it would be nothing more than a minor nuisance. If you’re looking to make a name for yourself and make the nightly news, then you hit on Christmas morning. You’ll have the best chance to take down the servers, you’ll impact the most people, and the news sites won’t be able to resist the allure of a Christmas-day attack.
Imagine how much more devastating this would have been if Microsoft had stuck with their original plan and made the Xbox One completely dependent on the internet. By making a machine depend on the server, you make the server a huge target. If the Xbox One and PS4 could gracefully fall back to offline mode, then there would be little harm in attacking them, and therefore little incentive to do so.
The Lizard Squad made international news this year. A third party (the eccentric Kim Dotcom) offered them thousands of free accounts on his file sharing service to discontinue the attack. This was a big win for Lizard Squad, which means other groups are likely to imitate it in the future. If XBL and PSN can’t even withstand one botnet, how well are they going to hold up when multiple competing groups are all hammering away at them at the same time?
Remember this the next time some suit condescendingly explains to us that we need to be online to enjoy next-gen games. These companies do not have a firm grasp on the internet or the kinds of threats they face, and they did not plan ahead when designing their consoles. Their networks were designed by marketing more than engineers, and they’re going to have to learn the hard way (through repeated failure) how to make their systems robust enough to mitigate attacks.
Shamus Young has been writing programs for over 30 years, from the early days of BASIC programming in the 80’s to writing graphics and tech prototypes today.