*ren* PSN Down, Customer Info Compromised

> I think this 'hacking' of websites is being pulled out of proportion. Sony is not Google or Microsoft. Sony is a multi industry company....

I think this is a legitimate observation. There isn't one IT department for all of Sony, and if you know much about IT departments, you'll know plenty are populated by less-than-ideal engineers; that's true for every profession actually, you always get some who aren't any good at their job. Sony HQ can make a demand for security updates, but the individual IT departments may not be up to it. It's the Sony brand that's hurt, but it's no more Sony's responsibility than, say, a shopping centre's management being responsible if one of its tenants' employees dips into the till. Just as individuals can act in Anonymous's name and Anonymous as an organisation takes the blame. Except of course Anonymous is even less structured than the Sony group.
 
What makes me 'laugh' is all the "Sony security is rubbish" etc. comments. Also the comments regarding MS/add any other company here "obviously has much better security" implications.

This (to me) is not true. If Sony's security is so 'bad', why has it taken so long to be hacked? And then why are we now seeing so many attacks?

Personally I think (as mentioned earlier) the attacks have revealed a weakness which people may well be now attacking - or maybe they are attacking Sony because they are working hard on PSN (and therefore they are maybe taking their eye off the other sites?).

I also think no company has a 100% secure system. IIRC didn't MS have to patch a major security hole in Windows 'recently' (Vista IIRC)?

And here's something else... why is IE the browser that suffers the biggest security issues/viruses etc., and this being a reason why many use Opera/Firefox etc.? Is it because MS make bad software/security, or because it's the most used product and so an easy target?
 
> I think this is a legitimate observation. There isn't one IT department for all of Sony, and if you know much about IT departments, you'll know plenty are populated by less-than-ideal engineers; that's true for every profession actually, you always get some who aren't any good at their job. Sony HQ can make a demand for security updates, but the individual IT departments may not be up to it. It's the Sony brand that's hurt, but it's no more Sony's responsibility than, say, a shopping centre's management being responsible if one of its tenants' employees dips into the till. Just as individuals can act in Anonymous's name and Anonymous as an organisation takes the blame. Except of course Anonymous is even less structured than the Sony group.

That's true, but I would not put the burden only on people (even higher level executives, to some extent). I saw companies that went through various mergers and acquisitions; the very nature of their infrastructure is fucked. Even less-than-ideal engineers try their best to make something "heterogeneous" work, but it has its limits, I guess. I'm not sure that's the problem with Sony, but I just want to highlight that sometimes people are facing stuff that has not been set up "clean" to begin with, due to the company's (or a division within a company's, etc.) history.
 
> ... If MS did something to annoy the hacker community, would they be faring any better?

MS would be too easy pickings for most hackers to bother with. To say that you exploited a flaw, zero day or otherwise, in MS software would be as grand an achievement as breaking into your own house with your key.

There isn't a system out there that is 100% secure against exploitation. There are just degrees of vulnerability. The majority of the flaws exist in third party packages and patches are reliant on those parties finding such flaws and then patching them. Not every server is going to be running Apache2 with the Suhosin patch for example.

For an example of how many fundamental flaws exist in server technologies: it is possible to crash a server running PHP if you just feed 2.2250738585072011e-308 (or any other randomly long float) in a GET clause, simply because PHP has a flaw that causes an infinite loop when converting a float to a string (Intel only).

The general ire against Sony is like flogging a dead horse. They are running servers that obviously needed some attention but until they began to be attacked wholesale those servers would have been perfectly fit for service.

Ultimately the only people who really get hurt are the end users. People like you and me. Maybe it's time all the anger got redirected from the easy, and wrong, targets like Sony and was channelled into something better, like finding the losers who committed the hacks in the first place. They're the ones who are deserving of the anger and vitriol aimed at Sony. After all, since Sony are victims and we are victims too, every piece of mud flung at Sony lands on us too. Sony were stupid because they let data be stolen, and we were stupid to give it to them in the first place. And the hackers walk around saying "aren't we cool, we're the only ones who aren't getting covered in sh*t".
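The input the post above describes, worked through as an added Python example (this is not code from the thread and not PHP's own code). The number 2.2250738585072011e-308 is not just a long float: it sits a hair below the smallest normal double (DBL_MIN, 2^-1022), so a decimal-to-double parser has to round it to either the largest subnormal or DBL_MIN, and that boundary case is what zend_strtod's correction loop never terminated on in 32-bit x86 builds of PHP before 5.2.17 and 5.3.5. Python's float() is correctly rounded and handles the value fine, which the script shows; scan_query() is a constructed request filter of the stopgap kind that was put in front of unpatched servers at the time, flagging query parameters whose value lands within a few doubles of that boundary. The 4-ULP window, the parameter names and the sample query string are assumptions of this example.

```python
import re
import sys
from urllib.parse import parse_qsl

# Boundary between normal and subnormal doubles. DBL_MIN is the smallest
# positive normal double (2**-1022); the next double below it is the largest
# subnormal. In this binade neighbouring doubles are exactly 2**-1074 apart,
# so every subtraction/addition below is exact.
DBL_MIN = sys.float_info.min                         # 2.2250738585072014e-308
ULP = sys.float_info.min * sys.float_info.epsilon    # 2**-1074, exact product
LARGEST_SUBNORMAL = DBL_MIN - ULP                    # 2.225073858507201e-308

# Plain decimal float literals only (no inf/nan/hex/underscores), so float()
# only ever sees the kind of text a numeric query parameter carries.
FLOAT_RE = re.compile(r"^[+-]?(?:\d+\.\d*|\.\d+|\d+)(?:[eE][+-]?\d+)?$")


def parse_decimal(text):
    """Correctly rounded decimal-to-double conversion; None if not a float literal."""
    text = text.strip()
    if not FLOAT_RE.match(text):
        return None
    return float(text)


def classify(value):
    """Name the region of the double line a value falls in."""
    v = abs(value)
    if v == 0.0:
        return "zero"
    if v < DBL_MIN:
        return "subnormal"
    return "normal"


def near_normal_boundary(value, ulps=4):
    """True if |value| lies within `ulps` doubles of DBL_MIN on either side.

    The window size is an assumption of this example, not a figure taken
    from any bug report; widen or narrow it to taste.
    """
    v = abs(value)
    return (DBL_MIN - ulps * ULP) <= v <= (DBL_MIN + ulps * ULP)


def scan_query(query_string, ulps=4):
    """Return (name, raw_value) pairs whose float value rounds into the boundary window.

    A hypothetical request filter: it parses each value and checks where it
    lands, instead of matching the literal digits, so rewritten spellings of
    the same number are caught too.
    """
    hits = []
    for name, raw in parse_qsl(query_string, keep_blank_values=True):
        value = parse_decimal(raw)
        if value is not None and near_normal_boundary(value, ulps):
            hits.append((name, raw))
    return hits


# Constructed sample query string, not taken from any real request log.
SAMPLE_QUERY = (
    "page=2&price=19.99&ratio=1.0000000000000000000000001"
    "&x=2.2250738585072011e-308&y=2.2250738585072012E-308"
    "&z=%2D22250738585072011e-324"
)

if __name__ == "__main__":
    for literal in ("2.2250738585072011e-308", "2.2250738585072012e-308"):
        v = parse_decimal(literal)
        print(f"{literal} -> {v!r} ({classify(v)}, boundary={near_normal_boundary(v)})")
    print("flagged parameters:", scan_query(SAMPLE_QUERY))
```

The first literal rounds down to the largest subnormal and the second, one digit higher, rounds up to DBL_MIN; both are flagged, as is the negative, exponent-shifted spelling in `z`, while the ordinary numbers in `page`, `price` and the over-long `ratio` pass through untouched.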
 
As ever, the blame is apportioned across lots of people, none of whom can be held aloft singularly as the culprit, and none of whom can be wholesale changed to solve the issues. If Sony had better engineers, this wouldn't happen. If the engineers had better management, this wouldn't happen. If the server software companies had better testers, these flaws wouldn't get through, and if the testers had better management and tools, they could do a better job. And, of course, if the hackers had any principles, we wouldn't have to worry about security flaws in the first place! And if they had better parents. And if the parents had a better, more supportive society...

If it were possible to isolate one part of the chain and make it perfect, we could solve all the problems of hacking. But that is not possible, and there will always be crime and victims.

It's the same as console piracy. Each generation the console companies implement security measures to prevent piracy, and each generation some new exploit they never considered is found. The next iteration of hardware fixes those known faults, only for some new vulnerability to be found. Same with internet services: you can only protect against known issues and expected issues. Trying to defend against any and every unknown possible attack vector is impractical.

The question here is whether the hacks are because Sony at large was complacent/incompetent, or if they were just victims of the ordinary run of cat-and-mouse hacking. If, like the PS3 encryption fault, Sony were sitting on weak servers that they knew were weak, then they didn't do as much as they realistically could and need to shoulder a lot of the blame. But if their security was 'as good as everyone else's' and they were led to believe that they weren't open to hacks, then it's not particularly their fault if they couldn't preempt security measures that would have prevented this. At the moment there's lots of noise saying Sony were incompetent, but there's no hard evidence yet, and most people seem to prefer to judge long before the trial is ever held. ;)
 
One thing that concerns me, that I've mentioned before, was the need for Sony to bring in outside firms to investigate the intrusion. Ideally, wouldn't you want to have a sufficient level of expertise in-house to deal with something like this? The fact that they created the new position of CISO after the intrusion happened points to them realizing that they had a deficiency before. Not recognizing the need for this position beforehand points to a lack of competence in their management, at least in this specific case. It further leads me to suspect that their staffing below the management level was probably insufficient as well for the operation they were being asked to oversee.
 
Sony had fragmented operations, each focusing on different services and hardware products, and has faced huge risks for the past few years. Such large scale companies are comprised of multiple entities and management, face separate challenges, and it is harder to coordinate their operations and shift resources for a common direction or subject. They develop different strategies, for different competition, hence different priorities and focus and different risks and different margins. Is it a matter of incompetence due to irresponsibility/negligence, or a natural occurrence due to its structure and operations slowing down reaction and recovery? Too large for their own good?

If we are going to compare, let's compare apples with apples: companies that face similar competition with similar large scale operations and structure.

How many other multiple and simultaneous hacking attempts have we seen in these companies?

Have we seen a large scale hacking attempt on MS, which is a blue chip company with huge focus on software, lower risk operations, more centralized management, having some of the largest liquidity to spend on security?
 
> Sony had fragmented operations, each focusing on different services and hardware products, and has faced huge risks for the past few years. Such large scale companies are comprised of multiple entities and management, face separate challenges, and it is harder to coordinate their operations and shift resources for a common direction or subject. They develop different strategies, for different competition, hence different priorities and focus and different risks and different margins. Is it a matter of incompetence due to irresponsibility/negligence, or a natural occurrence due to its structure and operations slowing down reaction and recovery? Too large for their own good?
>
> If we are going to compare, let's compare apples with apples: companies that face similar competition with similar large scale operations and structure.
>
> How many other multiple and simultaneous hacking attempts have we seen in these companies?
>
> Have we seen a large scale hacking attempt on MS, which is a blue chip company with huge focus on software, lower risk operations, more centralized management, having some of the largest liquidity to spend on security?

Is it wrong to expect companies to rise to meet the challenges they face? Or are failures OK as long as they have a good excuse?

You keep bringing other companies into the discussion, so maybe this will help illustrate my point. Is MS's RROD fiasco OK because they have such little experience in manufacturing complex electronics and they were simultaneously dealing with the transition to lead-free solder? Or should they be held accountable for their failures and should customers demand that they perform better? Is it reasonable for consumers to be skeptical of the reliability of their future consoles because of these issues or should everyone assume that they will address this and forget about what happened so as to not unfairly penalize them for their mistake(s)?
 
> Is it wrong to expect companies to rise to meet the challenges they face? Or are failures OK as long as they have a good excuse?
>
> You keep bringing other companies into the discussion, so maybe this will help illustrate my point. Is MS's RROD fiasco OK because they have such little experience in manufacturing complex electronics and they were simultaneously dealing with the transition to lead-free solder? Or should they be held accountable for their failures and should customers demand that they perform better? Is it reasonable for consumers to be skeptical of the reliability of their future consoles because of these issues or should everyone assume that they will address this and forget about what happened so as to not unfairly penalize them for their mistake(s)?

Is it right to believe that a company of any size, power and structure faces the same challenges, has the same ease and identical speed of recovery as the next?
Isn't Sony trying to face the challenge but getting hit over and over every week, faster than it is possible to check and fix the problem for every division and every region?
If there is a company as large and with the same structure as Sony that can do it faster than they get hit, hell will freeze over.

I didn't say anything about being OK or not.

It's whether it is about negligence/irresponsibility or not.
That's why I put my views in question form, not as a fact to ponder.

If MS did everything they could to sell a well-rounded, quality, resilient product and then ran into an unexpected hardware flaw that wasn't in their knowledge, you can't accuse them of being irresponsible, but you can rightfully complain. If it was under their knowledge, they could fix it but went with it regardless, then you can accuse them of negligence and irresponsibility.
 

It's got some good points and some... not so good.
For example it says that Sony announced the PSN+ as a compensation and then threw some games in it, while they should have done it from the beginning. It's kind of irrelevant because:
1) Regardless of when they were announced, they will be obtained by the user simultaneously once the Store is back
2) Sony announced the PSN+ and that they would announce details of other planned compensation soon, once they finalized what they could give. It wasn't like they were planning to give us PSN+ only and then throw in some games as if it's because they discovered later people wanted more.

Then it's the free credit argument again, which is financially a bad idea
 
> It's got some good points and some... not so good.
> For example it says that Sony announced the PSN+ as a compensation and then threw some games in it, while they should have done it from the beginning. It's kind of irrelevant because:
> 1) Regardless of when they were announced, they will be obtained by the user simultaneously once the Store is back
> 2) Sony announced the PSN+ and that they would announce details of other planned compensation soon, once they finalized what they could give. It wasn't like they were planning to give us PSN+ only and then throw in some games as if it's because they discovered later people wanted more.
>
> Then it's the free credit argument again, which is financially a bad idea

I agree with the first point.

The second not so much. IMO it all depends on how much Sony will lose because they aren't doing enough, versus how much they won't lose if they did more. Which is obviously very hard to tell.
 
> I agree with the first point.
>
> The second not so much. IMO it all depends on how much Sony will lose because they aren't doing enough, versus how much they won't lose if they did more. Which is obviously very hard to tell.

Giving direct credit is a much more complicated process. How can you estimate how much credit is enough for the majority of the consumers? $5? $10? $20? What is the right value for each region, considering the currency and pricing differences? Then it depends on whether it will be spent on 1st or 3rd party content. 3rd parties will demand money for each of their content purchased with that credit. Multiply that by millions of users?
 
> Giving direct credit is a much more complicated process. How can you estimate how much credit is enough for the majority of the consumers? $5? $10? $20? What is the right value for each region, considering the currency and pricing differences? Then it depends on whether it will be spent on 1st or 3rd party content. 3rd parties will demand money for each of their content purchased with that credit. Multiply that by millions of users?

If they only give everyone some credits then yes, that's going to cost a lot. But obviously the current free games are a great deal for some, so keep that. And for those that don't like it, give them an alternative like a discount on future games, or actual credits, or anything Sony can think of that doesn't necessarily cost them much but is of value to the customer.

Of course we're still getting 30 days of PS+ and perhaps more, so there is still a chance Sony will offer something good for everyone.
 
> One thing that concerns me, that I've mentioned before, was the need for Sony to bring in outside firms to investigate the intrusion. Ideally, wouldn't you want to have a sufficient level of expertise in-house to deal with something like this? The fact that they created the new position of CISO after the intrusion happened points to them realizing that they had a deficiency before. Not recognizing the need for this position beforehand points to a lack of competence in their management, at least in this specific case. It further leads me to suspect that their staffing below the management level was probably insufficient as well for the operation they were being asked to oversee.

Probably... but my sense is even after they have a CISO office, it's not a bad idea to bring in the best from elsewhere to chip in, if the workload is too heavy and they can't react in time.
 
> Probably... but my sense is even after they have a CISO office, it's not a bad idea to bring in the best from elsewhere to chip in, if the workload is too heavy and they can't react in time.

Sure. Based on the situation it may be appropriate. But, according to their timeline, this is the first thing they did. To me, this indicates that at that time they had inadequate internal resources.
 
It should be set up by SOE, which has been running online games for several years now.

In my experiences, people try to hack in all the time. If they were able to survive for so long, it's probably adequate/average/par for the course. The people who got into PSN may be of a higher caliber.
 
> In my experiences, people try to hack in all the time. If they were able to survive for so long, it's probably adequate/average/par for the course. The people who got into PSN may be of a higher caliber.

How do we know that they didn't get in earlier and Sony was just quiet about it (or didn't notice)? Money motivated attackers are less likely to talk about it and Sony certainly would not have had motivation to disclose anything if they could avoid it. Privacy and disclosure laws are fairly new in most regions to my knowledge.

Cheers
 
There are laws in place for privacy and billing info leaks. I don't think anyone can argue whether the hackers got in earlier or not. There is no proof either way. The bottom line is, if your server security is weak, the ops guys will be very, very busy 24/7. It's not a life you want to live. They would naturally want to do a good job. A large scale data center should be reasonably secure given the scale of the problem (simple web hosting aside).

But if the attacker is talented and persistent, then they can always wait for a hole to appear some day.


The application security, however, may have holes if the developers are not careful/experienced enough.
 
> How do we know that they didn't get in earlier and Sony was just quiet about it (or didn't notice)? Money motivated attackers are less likely to talk about it and Sony certainly would not have had motivation to disclose anything if they could avoid it. Privacy and disclosure laws are fairly new in most regions to my knowledge.

How do you know MS's/Google's/Facebook's/Amazon's/Samsung's network security wasn't so utterly useless that thousands of hackers downloaded user data all the time and everything ripped from Sony is old news, but these companies just hushed it up or didn't notice?
 