So this PSN/Sony Hacker Drama...
Re: So this PSN/Sony Hacker Drama...
Class action lawsuits to follow...
Re: So this PSN/Sony Hacker Drama...
Transient wrote:Class action lawsuits to follow...
First one has already been announced last week actually
Re: So this PSN/Sony Hacker Drama...
The results of that could be interesting for companies like EA that regularly close off online services.
Re: So this PSN/Sony Hacker Drama...
Depends on whether or not they're suing over the unavailability of the system or the loss of private information, including credit card details.
I don't think they're suing over the system being unavailable, as Sony pretty much covered that in their terms of service. As a consumer, you pretty much have no leg to stand on in this case because you accepted their ToS, which in this area, apparently don't state anything unreasonable. There was a short article about this on Kotaku or Slashdot (can't remember which) last week.
Re: So this PSN/Sony Hacker Drama...
It's not too bad when you think about it. When you accept Apple's ToS they'll sew your mouth to a Chinese person's ass and feed him burritos.
Re: So this PSN/Sony Hacker Drama...
Or give him a choice between cuddlefish and vanilla pudding.
Re: So this PSN/Sony Hacker Drama...
Jumping in:
Screw Sony. This is retarded. When the PS3 was coming out, they promised Linux, multiple video outs, two gigabit ports, full PS1/PS2 backwards compatibility, Blu-ray support and a ton of other garbage; the thing was slated to be a modern day C64... Today, we've finally arrived at... most Blu-ray movies work... and... it plays PS3 games, which need to be patched, getting one step closer to the shoddy design that goes into PC stuff. I remember the thing with rootkits on audio CDs too. I can't think of too many other companies that have expressed SO CLEARLY that they couldn't possibly give less of a crap about their customers, old and new, than Sony has. Ugh.
Re: So this PSN/Sony Hacker Drama...
Yea, wasn't removing the OtherOS feature supposed to prevent this? lol
Re: So this PSN/Sony Hacker Drama...
Removing the OtherOS feature accomplished two things:
* Pissing me off
* Pissing lots of other people off
They justified it by saying it'd reduced their support call volume. I don't give a crap about THEIR problems, I bought a product they advertised with certain features, and then took them away because...they don't feel like dealing with it? I'll most likely never buy a Sony product first hand ever again. They don't need any more of my money, or anyone else's.
Re: So this PSN/Sony Hacker Drama...
Here's your bow of apology from Sony execs, CEO Kazuo Hirai [center], senior vice presidents Shiro Kambe [left] and Shinji Hasejima [right]:

Oh, and btw there's a newly reported SOE breach: Sony admitted that some credit card numbers and bank account numbers from European customers held on an outdated database may have been obtained in this newly discovered SOE breach.

Re: So this PSN/Sony Hacker Drama...
Doesn't get more lolleriffic than this.
Re: So this PSN/Sony Hacker Drama...
Sony wrote:We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
Re: So this PSN/Sony Hacker Drama...
Anonymous responds.
Re: So this PSN/Sony Hacker Drama...
That is a good read.
Re: So this PSN/Sony Hacker Drama...
It certainly seems out of character for them considering the other stuff they've been engaged in.
Re: So this PSN/Sony Hacker Drama...
A third attack planned: http://news.cnet.com/friday-poll-hacker ... 444-1.html
The next blow, should it happen, could prove to be one of the worst public relations disasters to ever strike a consumer electronics company. Hackers say they have access to some of Sony's servers and plan to publicize all or some of the information they can copy from those servers. This may include consumers' credit card details. (A source tells CNET that this group of hackers claims to have access to Sony's servers, which are different from the servers already hacked to expose more than 77 million user accounts.)
Such private information would undoubtedly travel quickly around the world through torrents and download sites. Sadly, the vessel for this material would most likely be a simple text file, perhaps only 10MB-20MB in size. That may not sound like a large file, but in terms of pure text, it's a bible's worth of names and numbers. Countless credit/debit cards would have to be replaced, and identities would have to be protected (for free, courtesy of Sony). Trust would be lost, perhaps never to be gained again.
Re: So this PSN/Sony Hacker Drama...
That's just peachy. 

Re: So this PSN/Sony Hacker Drama...
Ouch. Being that I don't know shit about high level security and hacking, not sure how much of this was their own fault, and not sure that if someone with the right know-how targets you if there is really anything realistic you can do to prevent it.
Re: So this PSN/Sony Hacker Drama...
I'm honestly surprised that Sony didn't take their entire company's network off the internet when they discovered the first breach. Obviously this is a huge step to take but when your entire global reputation is on the line, huge steps have to be taken. I think it was pretty naive of them to think that if their PSN got fucked over that something else was not in the pipe or already in the process of happening. The timing of all these events together is problematic for Sony, what with Anonymous claiming to have their own on-going operation in the midst of all this other hacking and distribution of their data.
It's the same old story, and you hit it on the head Tsakali, if there is a will, there is a way. The problem with network security is that breaches of this scale are so uncommon that they are essentially a black swan. Network ops get complacent because they just see the same bullshit all day, every day in the logs. From their perspective, a well planned attack is virtually impossible to predict or prepare for and indeed, a well planned attack would get through anyway, as this one did. I think as this progresses people are going to start realizing that nothing is sacred and nothing is safe, because it isn't. I personally don't have much pity for any of the people who lost their shit nor do I have pity for Sony. Be more diligent with who you give your fucking personal information to, especially when it's a multi-billion dollar corporation who likes to do shit like store all data collected from every user, ever, in a large server farm.
This could get interesting in the next few days...
Re: So this PSN/Sony Hacker Drama...
mrd wrote:I'm honestly surprised that Sony didn't take their entire company's network off the internet when they discovered the first breach.
That just wouldn't happen. Corporations are big beasts and there's no way there's a single IT faction responsible for the entire infrastructure. They're separate business units and lots of isolated silos. If your website gets hacked you don't shut down your company's internal domain controllers, but that's essentially the kind of thinking you'd need to take a company with multiple online presences 'off the grid'. There'd be no logic in doing that.
mrd wrote:Obviously this is a huge step to take but when your entire global reputation is on the line, huge steps have to be taken.
I think they did take a huge step. Downing the entire PSN is a huge step.
mrd wrote:I think it was pretty naive of them to think that if their PSN got fucked over that something else was not in the pipe or already in the process of happening.
Absolutely. Though this is a classic IT problem - You run day-to-day with a particular number of operatives, and as soon as a big problem hits, you divert many of them into fixing that problem. If a second problem comes your way at that same time, most of your operatives are distracted with the first problem. Sony did the only logical thing which was engaging with an outside specialist to bulk up the number of operatives they had. The problem with this of course is that outside parties aren't intimate with your systems. You still have to take some people away from the front line and divert them to the issue. So you still weaken your overall IT operations ability whenever you're responding to a crisis.
mrd wrote:The problem with network security is that breaches of this scale are so uncommon that they are essentially a black swan.
I disagree. They're certainly a big scary unknown to your day-to-day sysadmin (myself included), but there are security specialists that deal with this kind of thing every day in other fields such as banking and stocks, and there's a big body of knowledge building up around the subject that has been accumulating for decades. Of course, this knowledge tends to be concentrated around a few specialist consulting outfits, but I don't think it's reasonable to say that this kind of attack is a 'black swan'.
mrd wrote:Network ops get complacent because they just see the same bullshit all day, every day in the logs. From their perspective, a well planned attack is virtually impossible to predict or prepare for and indeed, a well planned attack would get through anyway, as this one did.
True. Or more accurately, it's very rare that management dedicates sufficient man hours to what is perceived as a low-likelihood risk, especially if your business isn't one of the classic targets (banking, politics). The answer to this is adopting and applying appropriate strategies and principles, such as Defense in depth. Of course, if you're a network admin in a team of 5 that would need a team of 10 to have the time just to implement those things, stuff just isn't going to get done.
Ultimately I think the Sony breaches are a direct consequence of this - Sony had x number of IT staff and those staff implemented these systems, but didn't choose to spend or weren't permitted to spend sufficient time implementing security into those systems. Or they didn't have sufficient knowledge/training to know that they should even be doing it. Stuff like hashing and salting passwords stored in a database are fundamental web programming basics, but personally I've seen it demonstrated time and time again that many (perfectly intelligent and otherwise capable) developers simply never got taught this, and other very important concepts.
There are also still wide gulfs of misunderstanding between developers and operations, and there's a necessary symbiotic relationship between them that simply isn't present in most organizations. This results in devs releasing insecure systems and ops implementing them while each side will rely on being able to blame the other. This is the 'not my problem' culture that I reckon probably got Sony into this doo-doo.
Edit: LOL WALL OF TEXT
Re: So this PSN/Sony Hacker Drama...
Aye, good points. I guess it's easy for me to say "Sony should have done this and done that" after everything has happened and as a third-party observer. I suppose when you're in the thick of it and your multi-billion dollar company is getting fucked by random dude #742 on the internet, it's a bit unnerving. But... what you said about the not-my-problem culture is essentially what it boils down to. Maybe they should start teaching more network admins to get into network programming and developing their own applications, etc. instead of relying on third party software? Or is that generally what happens at the moment?
ps - I love walls of text
Re: So this PSN/Sony Hacker Drama...
mrd wrote:Maybe they should start teaching more network admins to get into network programming and developing their own applications, etc. instead of relying on third party software? Or is that generally what happens at the moment?
Tricky. Each is its own dedicated role nowadays, as each takes someone concentrating at it full-time for years to develop necessary skills and a body of knowledge.
2 things apparently went wrong on a fundamental level over at Sony:
1. Someone breached the network perimeter - Sysadmin issue
2. The data that was obtained during the breach was able to be read - Developer issue
I'm hoping more info becomes available over the next couple of months (I'd love it if there were an HBGary-style email leak as well) as this appears to be a great case study for how to do things wrong.
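The "hashing and salting" basics and the "data was able to be read" failure named in the two posts above, as an added example that is not part of the original thread: an unsalted fast hash beside a salted, slow one, and what each reveals in a copied table. PBKDF2-HMAC-SHA256 at 600,000 iterations, the record format, the function names and the sample accounts are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor, not a figure from the thread


def weak_store(password):
    """'Before': unsalted fast hash, so equal passwords give equal rows."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """'After': random per-user salt plus a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and cost; constant-time compare."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed or tampered record
    return hmac.compare_digest(dk, expected)


def shared_password_groups(table):
    """What a copied table shows at a glance: users with identical rows."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts, not real data.
SAMPLE = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def demo(iterations=ITERATIONS):
    weak = {u: weak_store(p) for u, p in SAMPLE.items()}
    strong = {u: hash_password(p, iterations) for u, p in SAMPLE.items()}
    return shared_password_groups(weak), shared_password_groups(strong)


if __name__ == "__main__":
    print(demo())
```

With the unsalted scheme the table alone shows that two accounts share a password; with per-user salts every row is distinct and each guess costs a full KDF run per account.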
Re: So this PSN/Sony Hacker Drama...
mrd wrote:Be more diligent with who you give your fucking personal information to, especially when it's a multi-billion dollar corporation who likes to do shit like store all data collected from every user, ever, in a large server farm.
That's a Utopian ideology. These days, you cannot do anything that involves computers without divulging personal information. One could say that you simply shouldn't give up personal info like your name or address, but then you're opting out of so many services the Internet provides that I don't think it's realistic to not give up some portion of your private info.
I'm not talking about putting your whole life on Facebook here, but something as simple as placing an online order with your credit card simply requires you to give up name and address info. And still, even the more diligent people would expect a large company like Sony to have their shit together, right? That may be naive, but compared to "www.bobs-second-hand-cars-and-assault-rifles.com" Sony should be a lot more worthy of that trust.
Re: So this PSN/Sony Hacker Drama...
mrd wrote:Maybe they should start teaching more network admins to get into network programming and developing their own applications, etc. instead of relying on third party software? Or is that generally what happens at the moment?
I don't think that's what's happening and I don't think it should either. You see, if everyone will start developing their software for themselves, each and every one will fall into the same traps. One piece of software that's constantly being reviewed by different people and used on thousands of online services has a lot bigger chance of becoming secure than if you have 100 different applications that power one or two websites. All 100 are most likely to share the same faults.
Of course, software being popular in use also means it's a meaty target for hackers. Hack it, and you've got yourself access to countless sites and services, which may not all be as strict in keeping up with the latest software updates as they should be.
Re: So this PSN/Sony Hacker Drama...
The Hacker managed to bring down all of Sony, websites, games everything is down. =(