Slashdot Mirror


Sony Officially Blames Anonymous For PSN Hack

H_Fisher writes "In a letter to Congress, Kazuo Hirai, chairman of Sony's board of directors, blames hacker group Anonymous for making possible the theft of gamers' personal information. 'What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes,' Hirai wrote. He also indicated that Sony waited two days before notifying the FBI of the theft."

  1. shame game by alphatel · · Score: 5, Insightful

    I officially blame Sony for being PSN hacked.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:shame game by ouija147 · · Score: 5, Insightful

      Anonymous my ASS

      Convenient scapegoat

    2. Re:shame game by _xeno_ · · Score: 4, Insightful

      They probably deserve the blame, too - they were apparently hacked via a "known vulnerability" although I don't think they've ever stated which one.

      --
      You are in a maze of twisty little relative jumps, all alike.
    3. Re:shame game by tripleevenfall · · Score: 5, Insightful

      Same here.

      I fail to see any kind of plausible explanation why "We were busy defending ourselves from Anonymous" affected the poor design of their security structure.

    4. Re:shame game by toastar · · Score: 4, Funny

      I think they meant anonymous as in they don't know who did it, not Anonymous the group.

      Kinda like the guy who broke into my car and stole my radio/mp3 player was anonymous.

    5. Re:shame game by Eggplant62 · · Score: 4, Insightful

      I blame Sony for not having security sufficient to prevent such an attack in the first place. What, did we have a Win '08 server facing the 'net without a firewall??

    6. Re:shame game by Anonymous Coward · · Score: 2, Funny

      Actually it was Anonymous Coward. My bad. I just wanted to play "global thermonuclear war" and suddenly I got all these credit card numbers.

    7. Re:shame game by Omnifarious · · Score: 4, Insightful

      The real mind bender is.. Is there a difference? I mean, Anonymous isn't exactly organized is it? It's just a convenient name people adopt sometimes.

    8. Re:shame game by shentino · · Score: 4, Interesting

      Who scapegoated them?

      A professional cyber cracker may well opt to take advantage of anonymous's wrath by leaving a frame job behind.

    9. Re:shame game by characterZer0 · · Score: 4, Insightful

      Sony is not the victim, the users are the victims.

      --
      Go green: turn off your refrigerator.
    10. Re:shame game by zmollusc · · Score: 2

      Yeah, but a home owner with huge amounts of other people's sensitive data should have better security, or contract it out to someone competent.

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    11. Re:shame game by HungryHobo · · Score: 2

      Anonymous?
      bah!
      Not a chance!

      To me this looks like the work of the famous lone wolf known as "Somebody"!

    12. Re:shame game by WrongSizeGlass · · Score: 4, Funny

      I blame Sony for not having security sufficient to prevent such an attack in the first place. What, did we have a Win '08 server facing the 'net without a firewall??

      No, it was a PS3 that used to serve as a Linux firewall. Unfortunately they 'patched' it and now it doesn't run Linux anymore.

    13. Re:shame game by margeman2k3 · · Score: 2

      Agreed.

      In Canada (not sure about the rest of the world), if you don't have enough security measures in place to prevent someone from stealing sensitive/confidential information in your possession (like say, credit card numbers), then you are held responsible as well.
      Comes up all the time now that doctors have copies of their patients' medical records on their laptops. Different, but the idea is the same.

    14. Re:shame game by poetmatt · · Score: 3, Insightful

      Wha? Why would it have to go that far?

      This is a single file that sony "magically" came up with after the fact. This is more than a week later, and there's nothing they're showing to substantiate their claim. If there was an actual anonymous attack plan stating "let's steal sony's credit card info" prior to this event, then we might have a finger to point at anonymous.

      Instead, I'd bet my life savings that Sony planed this "anonymous framing document" themselves.

      I really hope this puts sony out of business.

    15. Re:shame game by hedwards · · Score: 4, Insightful

      I'm guessing that Sony is scapegoating them because it's easier than figuring out who did do it. And even when/if they do figure out who it was, it's basically impossible to prove that that individual isn't in some convoluted way anonymous.

    16. Re:shame game by 0100010001010011 · · Score: 5, Insightful

      The reason it took so long is because they were planning on using 'terrorists', but after the recent news they decided against it.

      Add "Anonymous" to the list of things that frighten the lay person and get stupid laws passed.
      Right after 'terrorists' and 'for the children'.

    17. Re:shame game by bioster · · Score: 4, Informative

      Of course there's a difference.

      Just because party A and party B are both anonymous doesn't mean they're the same party. It just means you can't pick either of them out of a crowd.

      The Anonymous group which has been anti-Sony recently is a huge, amorphous organization with goals that change from day to day depending on what they feel like doing that day. Think of Anonymous as an online flash mob.

      The anonymous group that hacked Sony? Who knows. They could be highly organized under a feudal system where failure is rewarded with the opportunity to commit seppuku. Although this group is anonymous, they may have none of the attributes that make Anonymous what it is.

      I guess the problem you're having is that you're equating anonymous with Anonymous. One is a description and the other is the name of an organization which happens to be descriptive.

      If (as we suspect) Anonymous had nothing to do with the hack, then all Sony is doing is trying to vilify an organization that opposes it. In other words they're putting the blame on someone they don't like in the hopes of lowering public opinion of them.

    18. Re:shame game by ceswiedler · · Score: 5, Insightful

      From what I've heard, the vulnerability was in a library which was used by a piece of middleware which Sony relied on.

      Sony should have tracked vulnerabilities in indirect dependencies more carefully, but I'll bet that dozens of other companies which invest millions of dollars in security have similar issues. It takes a ridiculous amount of money and sacrificed features to harden a non-trivial setup against truly determined attackers. Sony had both a lot of valuable credit-card data and a lot of wrath from the tech world, and that's a dangerous combination.

    19. Re:shame game by geekmux · · Score: 2

      I blame Sony for not having security sufficient to prevent such an attack in the first place.

      You are aware that Mr. Hindsight has perfect vision, right?

      My point here is one can ALWAYS make your statement after the fact. Reality shows us that we have such things as 0-day vulns. In my opinion, Sony's failure was not so much getting hacked in the first place (which they do have their faults here, don't get me wrong), but more for failing to properly plan for this scenario.

      If we've said it once, we've said it 1,000 times...it's not a matter of "if", it's only a matter of "when". Proper planning for the "when" can be just as important as the planning to avoid it.

    20. Re:shame game by DarkTempes · · Score: 2

      This from this twitter makes me think it wasn't an apache or php vulnerability, though 'application server' is a broad enough term that it could mean almost anything.
      Some random security researcher posited that because they had outdated apache server versions (with no known exploits) that it might have been an apache vulnerability. News sources elsewhere repeated that nonsense.

    21. Re:shame game by poetmatt · · Score: 2

      Why am I an internet tough guy? That is quite a non sequitur. They have had abhorrent policies and generally treat the public like shit for years. I don't do business with sony in any way. I do not buy sony products.

      In reality, companies who have total access cut off for more than 3 days are extremely likely to go out of business (>90%). This is a well studied economic issue, and in this case while it is not all business with the company, it is substantial. A week's worth of PSN revenue is not small by any stretch of imagination for a company that relies on it, and neither will the penalties from lawsuits and regulations that come out of this.

    22. Re:shame game by N0Man74 · · Score: 2

      Anonymous my ASS

      Convenient scapegoat

      Indeed. I think that the following quote shows they don't really understand the nature of Anonymous.

      'What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes,'

  2. oh Shit! by Anonymous Coward · · Score: 5, Funny

    They're on to us!

  3. Yeah right by festers · · Score: 4, Insightful

    "carefully planned, very professional, highly sophisticated"

    These are not words I think of when discussing Anonymous. Give me a break.

    --
    "Every artist is a cannibal, every poet is a thief."
    1. Re:Yeah right by Bobfrankly1 · · Score: 5, Funny

      "carefully planned, very professional, highly sophisticated"

      These are not words I think of when discussing Anonymous. Give me a break.

      "carefully planned, very professional, highly sophisticated"

      These are not words I think of when discussing Sony.

    2. Re:Yeah right by cpu6502 · · Score: 5, Insightful

      Sony is doing what all people in power do:
      - find a scapegoat.

      Reminds me of what my boss said, "I will not take the blame for the failure of this board. YOU will." Normally I would agree, but I told you that we should do additional testing to verify it works, but you said 'we don't have time'. LIKEWISE I suspect Sony's employees told them to add additional safety measures, but Sony's managers refused to spend the labor time/cost.

      So instead the managers are deflecting blame from themselves to the users.

      Bastards.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    3. Re:Yeah right by Idbar · · Score: 3, Insightful

      See, what baffles me is that they lock Blurays, Consoles, Google TVs, handsets to no point. They know they are not good at it because (except for the GoogleTVs) all of them have been hacked already.

      Yet they go around collecting information they know they are not good at protecting.

    4. Re:Yeah right by 10101001+10101001 · · Score: 2

      Off-topic, I know, but it reminds me of how US Senators are trying to scapegoat Pakistan over not finding and handing over bin Laden. Last I checked, bin Laden's organization attacked the US and it was the US who was actively pursuing bin Laden for over 9 years. That Pakistan might not have found him in 5 years seems a moot point. And that doesn't even begin to point out how quickly we blamed the Taliban when they couldn't (or wouldn't, since it might upset their delicate power balance with the war lords) find and hand over bin Laden in a few months.

      Of course, these are politicians I'm talking about. Expecting some sort of responsibility or accountability out of them is like expecting responsibility or accountability out of a company. But, oh no, we should never regulate companies. That would interfere with the free market and then those companies wouldn't be quite as efficient!

      --
      Eurohacker European paranoia, gun rights, and h
    5. Re:Yeah right by AK+Marc · · Score: 4, Informative

      If you read their statements, they blame Anonymous for DDOSing Mastercard and Visa for the breach on PSN. They spread Faux News style "information" by saying something that works out to "Anonymous was attacking people because of us (and a smaller attack on PSN that wasn't active at the time of the intrusion) and then the attack happened. We aren't saying that Anonymous did it, we are saying it looks like there's a link - We report - You decide." Of course, for making fun of our favorite un-news group, I'm sure I'll get modded/flamed, but it's something people are getting used to seeing in the news. When deliberate lies are spread as "fair and balanced news" from formerly reputable news organizations, why should we expect any less from corporations?

      It's possible the two were linked. Perhaps Sony deliberately reduced security to improve uptime with a DDOS. Perhaps the targeted attack was planned and ready for a while and they waited until Sony was busy with other security matters or wanted to deflect the blame. "Linked" doesn't mean "caused by" or even "influenced by" in that the attacks would likely have happened even if Anonymous didn't exist. But that the timing may have been adjusted, however slightly, by Anonymous's actions. But it's not like someone DDOSing Sony from Anonymous said "Wow, I just hacked the Gibson, let's see what's in this garbage file..."

    6. Re:Yeah right by Jonner · · Score: 5, Informative

      Anyone who has read TFA will not find this the least bit insightful, though the Slashdot headline is extremely misleading as usual. Sony said they had been the "victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes," but did not blame Anonymous for that. They said they were under a DDOS attack from Anonymous at the same time as the security breach and the two events may or may not have been related.

    7. Re:Yeah right by dkleinsc · · Score: 5, Insightful

      - find a scapegoat.

      A good scapegoat isn't just someone who can take the blame, it's somebody who you're trying to attack or remove for reasons you can't actually state publicly. For instance, if The Boss has to pick between scapegoating Alice or Bob, they might pick on whoever's standing in the way of a plum promotion for their good friend Fred, regardless of whether Alice or Bob had more to do with the problem in the first place. Or if someone from country A attacked country B, if the leaders of country B wanted to attack country C but couldn't come up with a legitimate reason they might try to blame the whole thing on country C rather than country A.

      So I'm guessing Sony has it in for Anonymous for reasons totally unrelated to this breach.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    8. Re:Yeah right by 0xG · · Score: 2

      "carefully planned, very professional, highly sophisticated"

      These are not words I think of when discussing Anonymous. Give me a break.

      "carefully planned, very professional, highly sophisticated"

      These are not words I think of when discussing Sony.

      This are not words I think of when reading slashdot...

      --
      A pox on web designers who feel that window.innerWidth == screen.availWidth
    9. Re:Yeah right by mr_lizard13 · · Score: 5, Informative

      The Slashdot headline isn't just misleading, it's a complete fabrication.

      --
      "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
    10. Re:Yeah right by 10101001+10101001 · · Score: 2

      Pakistan entered into a counter terrorism relationship with the United States after 9/11, in part to keep the United States from invading Pakistan on the way to Afghanistan, and they had captured hundreds of Al Qaeda members over the last 10 years. Before that, the US and Pakistan had closer relations during the 1960s and 1980s with a lot of US military and intelligence assistance going to Pakistan.

      So...Pakistan was bribed and coerced into helping the US find and capture bin Laden, which is precisely why the CIA failed for 9 years. Oh, right, none of that matters to the point that the CIA failed for 9 years.

      Al Qaeda had conducted operations against the Pakistani government after 9/11, however some factions of the Pakistani government, the intelligence service and some of the Army, favor the political and religious stance of Al Qaeda over the more liberal leanings of the majority of urban Pakistanis.

      Yes, while most of Afghanistan pre-9/11 was war lord wilderness, only a sliver of Pakistan was. To appease that group (and its followers in the government), very little work was done to directly attack Al Qaeda in that sliver. But, Pakistan kept being pushed by the US and eventually started taking actual action, which resulted in Al Qaeda finally responding with attacks in 2007 (Bhutto's assassination, possibly) and later. So, only after that point would I see Pakistan's government actually really caring about Al Qaeda as a threat. Of course, none of that again explains why the US failed in finding and capturing bin Laden.

      Pakistan had a legal responsibility to find bin Laden and other Al Qaeda members, the fact that his compound was a couple hundred meters from a major Pakistan military academy makes it hard to believe they didn't know where he was.

      And the US "knew" bin Laden was in Pakistan, yet it wasn't until after the raid on the compound that they were certain bin Laden was there. Leon Panetta even made it very clear in a recent interview that the belief that bin Laden was there was based entirely on circumstantial evidence. There was no direct proof. But, yea, I'm sure a few Pakistani military academy troops, from the virtue of being nearer, would intrinsically do a better job.

      In short, no matter how much of a case you can make that Pakistan could and should have done a better job, it's still deflecting from the real point that US Intelligence took over 9 years to find bin Laden. The failure of Pakistan, taken in that perspective, seems a rather moot point. After all, Pakistan isn't exactly a super power, didn't until more recently even have a personal interest in finding bin Laden, and if Pakistan was as untrustworthy in relaying information as you imply then actually relying upon them in the hunt was mildly foolish at best if not outright foolhardy. The point isn't that Pakistan is excused because it did a piss-poor job. It's that Pakistan's piss-poor job doesn't excuse the US's piss-poor job, especially if you're seeking to find someone to blame. Personally, I'm not.

      --
      Eurohacker European paranoia, gun rights, and h
    11. Re:Yeah right by demonbug · · Score: 2

      "carefully planned, very professional, highly sophisticated"

      These are not words I think of when discussing Anonymous. Give me a break.

      "carefully planned, very professional, highly sophisticated"

      These are not words I think of when discussing Sony.

      No kidding. PSN only got marginally worse once they shut it off.
      Maybe they are taking this opportunity to actually build a network that works and isn't embarrassingly slow.

    12. Re:Yeah right by AK+Marc · · Score: 2

      Faux news (without the quotes and caps) is what Sony is reporting. That Fox News has a similar moniker that it worked hard to obtain (suing for the right to lie in news stories, having more opinion content than news content and presenting the opinions as news, and other such practices). As such, it seemed quite appropriate. And I called it that those who don't like Fox News being made fun of would flame me.

      And the complaints against Fox are unrelated to any political ideology they are linked with. Their news isn't bad. It's just that there's almost no news on the Fox "News" channel. The FCC should make them rename it to the Fox Opinion channel.

  4. Anony == Scapegoats by Anonymous Coward · · Score: 5, Insightful

    Don't have the competency or skill to run your network correctly?
    Don't know who else to blame when you're on the hook for a class action and liability in the billions?

    Blame Anonymous.

  5. Anonymous? by Anonymous Coward · · Score: 5, Funny

    hey!
    I didn't do crap!

    1. Re:Anonymous? by Tsingi · · Score: 5, Funny

      hey! I didn't do crap!

      Coward

    2. Re:Anonymous? by Moryath · · Score: 5, Insightful

      Sony, go fuck yourselves.

      We are not "Anonymous."

      We are the customers whose data you exposed by being a bunch of idiot fucktards who wouldn't bother with the most basic of data encryption.

      And WE ARE STILL LEGION.

    3. Re:Anonymous? by houstonbofh · · Score: 5, Insightful

      I have to agree. If so, it is the first time Anonymous has been called "very carefully planned, very professional, highly sophisticated" about anything. That alone should raise flags.

  6. "...steal..." by betterunixthanunix · · Score: 4, Insightful

    The fact that the attack involved the theft of credit card data, as opposed to just shutting down the network, screams "not Anonymous" to me. You know, given how Anonymous tends to just shut things down with DDoS attacks, or occasionally overwrite a web page with one that spreads some message.

    --
    Palm trees and 8
    1. Re:"...steal..." by jank1887 · · Score: 2

      FTFA:

      "The attack that stole the personal data of millions of Sony customers was launched separately, while the company was distracted protecting itself against the denial of service campaign, Sony said.

      Sony said it was not sure whether the organizers of the two attacks were working together."

      I.e., it's anonymous's fault. We were busy dealing with their crap and didn't notice someone coming in and stealing stuff.

    2. Re:"...steal..." by eepok · · Score: 3, Interesting

      So very this. I'd mod you up if I could.

      The common and fashionable sentiment is "Anonymous is a scapegoat for the Sony Conspiracy" or "Sony just needs a scapegoat for their failure..." when the defense of Anonymous should be exactly as you stated: It's not their MO.

      Anonymous, to date, has shown itself to be mischievous (sometimes malicious) and extremely precise in their targeting. They have never represented themselves to be a for-profit hacking crew and they're smart enough to know that such actions are hurting the innocent users more than the company. Thus, the copying of millions of accounts' financial information cannot rationally be tied to them on history alone.

      I really don't think Anonymous did this and I think Sony just needs *a* target of blame ASAP. In my opinion, anonymous is a *scapegoat of convenience*, given their vocal opposition to the modding community.

      Tinfoil Hat Time: Maybe a for-profit hacking crew executed this attack knowing Anonymous would be target #1, thus giving them sufficient smoke screen.
      Hmmm...

    3. Re:"...steal..." by just_another_sean · · Score: 2

      Yes but the information they "stole" was used more to embarrass them than anything else. I never heard anything about them accessing HBG's bank accounts or using their corp. credit cards; judging by the amount and sensitivity of data they copied it seems likely they could have used it to drain a few accounts.

      As others have stated this just seems like a convenient scapegoat. If it was Anonymous then copying credit card data was most likely just part and parcel to further embarrassing Sony by pointing out how weakly they guarded this data.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  7. Carefully Planned and Professional? by Bo'Bob'O · · Score: 2

    Somehow none of that seems to point to Anonymous in any way.

  8. Wait, what... by Jugalator · · Score: 5, Interesting

    Sony said on Wednesday that Anonymous targeted it several weeks ago using a denial of service attack in protest of Sony defending itself against a hacker in federal court in San Francisco.

      The attack that stole the personal data of millions of Sony customers was launched separately, while the company was distracted protecting itself against the denial of service campaign, Sony said.

      Sony said it was not sure whether the organizers of the two attacks were working together.

    So they know Anonymous DDOS'ed them, and Anonymous have admitted this too.

    They also were attacked separately where the theft took place. They don't know if these groups were working together. They blame the latter on Anonymous too. How did they draw that final conclusion??

    --
    Beware: In C++, your friends can see your privates!
    1. Re:Wait, what... by betterunixthanunix · · Score: 5, Informative

      Sony said on Wednesday that Anonymous targeted it several weeks ago using a denial of service attack in protest of Sony defending itself against a hacker in federal court in San Francisco.

      This quote is more disturbing as far as I am concerned. Sony was not defending itself against Geohot, since Geohot never attacked Sony nor did Geohot sue Sony. Geohot was defending himself in a lawsuit filed by Sony.

      Talk about slanting things...

      --
      Palm trees and 8
    2. Re:Wait, what... by chemicaldave · · Score: 3, Insightful

      Sony defending itself against a hacker in federal court in San Francisco.

      Did they really claim to be defending themselves against a "hacker" in court? Don't they mean "suing"? And isn't it unfair to lump the hackers who stole the information with completely different hacker, Geohot? Who the fuck wrote this article?

    3. Re:Wait, what... by _xeno_ · · Score: 3, Informative

      If you read the letter (which is made needlessly annoying by the fact that it's scanned in and the raw text isn't made available, fuck you very much Sony), you'll see that on page 2 they explain:

      When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that the intruders had placed a file on one of those servers named "Anonymous" with the words "We are Legion."

      So that's how they come to that conclusion. Which I guess means we can blame Anonymous, in so much as anyone calling themselves Anonymous is Anonymous.

      Not that I really believe that the attacker really is "Anonymous," but they do make a good scapegoat. And who knows, maybe the attacker did decide that this attack might as well be carried out under the "anonymous" banner.

      --
      You are in a maze of twisty little relative jumps, all alike.
    4. Re:Wait, what... by Machtyn · · Score: 2, Insightful

      Legalese. They defended their IP against Geohot's hacking. Whether we see it like that is a different story. Most of us see it as Geohot had to defend his ownership of hardware from Sony. IANAL, but I think the law sees both as correct until a judgment is made.

  9. It's the girl's fault! by JackSpratts · · Score: 2

    Whilst I was admiring the gentle sway of her shapely derriere somebody stole my laptop!

  10. Re:I don't buy it by betterunixthanunix · · Score: 2

    More likely, Anonymous has become a convenient name to throw around whenever someone cracks a security system. Poorly designed security system? Just blame Anonymous when someone pulls off a successful attack. The media makes Anonymous sound like some sort of invincible, unstoppable hacker/wizard/demigod army (or should I just say, "Hackers on steroids"), so nobody will blame you when you blame Anonymous.

    If people only knew that Anonymous is just a bunch of teenage script kiddies...

    --
    Palm trees and 8
  11. Old, but gets funnier after every hack by zill · · Score: 2
  12. Re:!Anonymous by sqrt(2) · · Score: 5, Informative

    There is no official "anonymous" and there is no leadership or command structure. It's a concept, an idea to describe an emergent system of hacktivism. Saying anonymous is responsible for this (or anything) is like saying democracy is responsible for causing the wars in the middle east. You're mixing up an idea, an ethos, with an organization.

    --
    If you build it, nerds will come. Soylentnews.org
  13. Re:I told you, I didn't do it! by OECD · · Score: 4, Insightful

    There is no 'Anonymous.' It's just a term that's been widely co-opted. Sort of like 'Al Qaeda.'

    --
    One man's -1 Flamebait is another man's +5 Funny.
  14. Re:I don't buy it by Amouth · · Score: 2

    You know, if Anonymous is actually responsible I want Sony to provide proof of that - else it's just slander.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  15. Re:!Anonymous by locallyunscene · · Score: 2

    Except they didn't. They posted company emails to show the incompetence of the CEO and claimed credit for it. They didn't steal credit card, address, or other personally identifiable information and then denied it.

  16. Sony didn't explicitly blame Anonymous. by Renaissance+2K · · Score: 2

    Sony may have blamed Anonymous for the attack, but they're not accusing Anonymous of executing the attack itself. They said the following:

    • They found a file named "Anonymous" on their servers that contained the text "We are Legion."
    • They were too distracted by Anonymous' DDOS freakshow to notice the real intrusion that was taking place.

    Granted, Sony can say anything to cover their butts, but Hell... The hackers could have just as easily left an "Osama wuz here" file. Would that mean Al Qaida definitely did it? Could they abandon any further investigation and blog posting because the dude is shark food now?

  17. Re:!Anonymous by harl · · Score: 2, Informative

    Anonymous disagrees with you.

    "The attackers went one better than this, however: they dumped the user database for rootkit.com, listing the e-mail addresses and password hashes for everyone who'd ever registered on the site."

    There was also the little bit about posting personal info about spouses and children of HBGary employees.

    --
    I find being offended by me offensive.
  18. Got my letter...don't know why by hilldog · · Score: 5, Interesting

    I got a letter in the mail yesterday May 3rd advising me my info may have been hacked. Weird since I don't have a play station and have not played an online Sony game in over a decade (12 years maybe more) and then I canceled my subscription. Which brings me to a question why is information that old still being kept where it can be cracked?

  19. Re:!Anonymous by powerlord · · Score: 4, Insightful

    There is no official "anonymous" and there is no leadership or command structure. It's a concept, an idea to describe an emergent system of hacktivism. Saying anonymous is responsible for this (or anything) is like saying democracy is responsible for causing the wars in the middle east. You're mixing up an idea, an ethos, with an organization.

    Yes, but when an organization runs around saying they are attacking targets, and when that organization has no real leadership (collective/mob), they also can't cry foul if someone co-opts their name, claims to be part of them (since they have no real membership requirement or leadership, whose to say), and decides to either:

    1) Partake in the attack even though it has been officially "called off" (hey, just because most of Anonymous might be clueless, doesn't mean some of it can't hack/crack with the best of them.

    2) Use your name as a convenient scape goat to pin their crime on (okay, we take as much data as we can, and point the finger at THOSE guys over there).

    Either which way, saying "Anonymous Denied all Responsibility, It MUST BE SONY'S FAULT!" is the biggest LOL of them all.

    It's the fault of the malicious idiot who attacked and broke into the network. Yeah, Sony should have done a better job securing the data, but that does not absolve the THIEF of responsibility (in spite of what most slashdotters seem to think).

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  20. To turn a phrase... by Bobfrankly1 · · Score: 3, Informative

    FTFA:

    Sony said on Wednesday that Anonymous targeted it several weeks ago using a denial of service attack in protest of Sony defending itself against a hacker in federal court in San Francisco.

    Meanwhile in reality:

    Sony said on Wednesday that Anonymous targeted it several weeks ago using a denial of service attack in protest of Sony attacking a hacker in a hopeless attempt to control information that had already slipped far out of its control in federal court in San Francisco.

  21. Agreed - Scapegoat for organized crime by Anonymous Coward · · Score: 4, Insightful

    Looking for credit card info? Anonymous tends to do things for ideological reasons, AFAIK. There may be some overlap, but this sounds like organized crime. And yes, known vulnerabilities are things you should not be vulnerable to if you have credit card info for even two million people.

    1. Re:Agreed - Scapegoat for organized crime by negRo_slim · · Score: 4, Insightful

      It's highly unlikely that anyone that would self identify as Anon was involved with this. Perhaps Sony's recent troubles have caused people, who might not otherwise have bothered, to take a closer look at Sony and their related infrastructures and there they found opportunities they had previously overlooked.

      Then again there might just be one really bad ass anon who decided to get down with his bad self.

      --
      On the Oregon Coast born and raised, On the beach is where I spent most of my days
    2. Re:Agreed - Scapegoat for organized crime by SuricouRaven · · Score: 4, Interesting

      Or it could be that Sony, fearing Anonymous attacks, had their engineers start running systematic security audits - and then discovered that PSN had been hacked months ago, but so well that it hadn't been noticed.

  22. Not an ideal strategy by Oxford_Comma_Lover · · Score: 4, Funny

    Getting anonymous mad at them might not be the best strategy for beefing up the image of their security, though.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:Not an ideal strategy by Sinning · · Score: 2

      Well, it could be a good way to quickly discover any other security holes.

  23. Re:I don't buy it by powerlord · · Score: 2

    FTFA:

    We also informed the subcommittee of the following: ...

    - We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named "Anonymous" with the words "We are Legion." ...

    Well, it may be slander, but they claimed (Under Oath?), that they were informed that Anonymous was responsible for the break-ins on the SOE servers. I don't think they actually said "Anonymous is behind the attacks", they just listed the evidence they have found since then.

    Sony itself freely admits that Anonymous may have not been involved in the attack itself, but states that the initial intrusion seems to have happened at the same point that the initial Anonymous DoS attack did, and that the initial attack, knowingly or not, helped provide concealment for the breach.

    Specifically read the last 3-4 paragraphs on:
    http://www.flickr.com/photos/playstationblog/5687533298/in/set-72157626521862165/lightbox/ and the first one on http://www.flickr.com/photos/playstationblog/5687532796/in/set-72157626521862165/lightbox/
    (I'd copy and paste the relevant paragraphs, but it's tough to do that with pictures, so if you really care, go read what they wrote).

    If Anonymous ISN'T behind these attacks and just patsies/dupes (as Sony admits is possible), then they should probably use much of their world renowned internet ability to help track down who ACTUALLY broke into the servers, if for no other reason than to clear their name.

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  24. Canada will stand up to Sony by future+assassin · · Score: 2
    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  25. WSJ Article by xkalikox · · Score: 2

    Not sure if there's a paywall up, but WSJ has an article entitled 'Sony Says Hacker Left Taunting Message'. In it, it says Sony is claiming the hackers left a file on the server entitled Anonymous, with contents saying 'We are Legion'.

  26. Slightly deceptive headline by __aavqan3009 · · Score: 2

    Sony said on Wednesday that Anonymous targeted it several weeks ago using a denial of service attack in protest of Sony defending itself against a hacker in federal court in San Francisco. The attack that stole the personal data of millions of Sony customers was launched separately, while the company was distracted protecting itself against the denial of service campaign, Sony said. Sony said it was not sure whether the organizers of the two attacks were working together.

  27. BitTorrent by GFLPraxis · · Score: 2

    If Anonymous had stolen the data, it would be on TPB/Bittorrent right now. Remember HBGary?

  28. Apparently by microbee · · Score: 4, Funny

    Sony would have blamed Bin Laden had he not been killed by the US earlier this week. They had to find some other scapegoat so that's why it took so long for their official blaming.

  29. Re:!Anonymous by amicusNYCL · · Score: 4, Insightful

    Saying anonymous is responsible for this (or anything) is like saying democracy is responsible for causing the wars in the middle east. You're mixing up an idea, an ethos, with an organization.

    Are you equating the loosely-affiliated group Anonymous with a concept like democracy, or are you redefining the common definition of Anonymous as a loosely-affiliated group to now mean anyone involved in hacking or online attacks for an ideological reason other than financial gain? I've never heard proponents of democracy, or any other ethos, say something as cheesy as "We are [ethos]. We are Legion. Expect Us." The words "we" and "us" clearly identify people as a group. That is, even Anonymous thinks they're a group and not just an ethos. They are not an ethos, they are a group of people with some common world views, regardless of whether or not they have an official roster.

    It's perfectly reasonable that a not-for-profit attacker would in fact steal valuable information just to steal it, not necessarily to release or sell it. It makes Sony look much worse, and costs them more, to have their customers' financial and personal data stolen, even if that information never actually gets used or released. In addition, it's not Sony's customers that Anonymous wants to attack, it is Sony itself. It doesn't serve their goals to release customer information, all they need to do is steal it. In other words, it would fit in with the idea of revenge against Sony to simply do as much damage to them as possible even if you don't plan on benefiting directly from the attack.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  30. Re:!Anonymous by Guerilla+Antix · · Score: 2

    It is entirely Sony's fault. Once a company has decided to protect my personal property and fails to do so, it's that company's fault. Completely. If I put valuables in a bank vault and the bank gets broken into I blame the bank, not the thief. Thievery like this isn't random, it's a statistical inevitability that Sony didn't prepare for. They were happy taking the money of the people using their service and didn't uphold their end of the bargain: secure their $#!+.

  31. Hahahahaa - incompetence ? blame anonymous. by unity100 · · Score: 3, Funny

    i wonder if sony can sink lower. default, problem-free blaming - screwed up ? blame anonymous. nuclear accident ? blame anonymous. martian invasion ? blame anonymous. i can see unlimited use for this 'blame anonymous' thing.

  32. Re:Boogeyman by DrXym · · Score: 2

    Now, I'm not saying that this was sophisticated attack. I don't know. But the fact remains that any network/server can fall to this kind of stuff.

    Most security admins acknowledge it too, which is why logging is enabled, roles are separated out, teams perform penetration testing and so forth.

    I have no idea how sophisticated the attack against Sony was but the way they're talking of moving their data centers and that they had defence at the perimeter suggests to me that someone broke in through their intranet or wifi (e.g. sitting in their carpark) to gain access rather than through a public facing interface to the service.

  33. Re:Cuts Both Ways by 19thNervousBreakdown · · Score: 2

    It sure would be.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  34. Re:Blame the victim? by PRMan · · Score: 4, Interesting

    Because there are different ways to approach the problem and heavy-handed lawyer-inflicted abuse makes you look like a total jerk.

    Marcon hacks Wii and adds the "Homebrew Channel", which has never enabled piracy (although some others have built upon it to do so). Nintendo releases a firmware update. Marcon re-opens Homebrew Channel. Nintendo releases another firmware update, which bricks a few Wiis on accident. Marcon re-opens Homebrew Channel and finds a way to un-brick some of the bricked Wiis. Nintendo pretty much just leaves the issue alone, not wanting to harm their customer base even more.

    Note, at no time did Nintendo sue Marcon, remove features that were advertised with the product, etc. And when they realized their strategy was doing more harm than good, they backed off a little. Nintendo is still making a fortune off of Wii, BTW.

    Contrast Sony. They said you could install Linux on your Playstation, but not use about half the hardware. GeoHot figures out how to use ALL the hardware. Instead of realizing what's best for everyone involved, in a control-freak driven rage they remove OtherOS. GeoHot casually puts it back. Sony removes it again, makes it so future firmware updates are forward-only, and requires all their game and BluRay partners to do a firmware check on all new releases. And they drag GeoHot into court on what should be freedom of speech. Then, they subpoena all visitors to GeoHot's website, everyone who ever gave him money, etc., etc., really making enemies of millions of unrelated people. All this in addition to their track record of installing a rootkit on customers' PCs when listening to music (a 5-10-year felony if you or I did it) and taking back purchases from thousands of customers and refusing to lift a finger to give them back.

    Sony is NOT the victim here. And they are being punished for legitimate crimes (hacking, theft) by vigilante justice because the courts and governments haven't done their job.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  35. I hope I'm not the only one who sees the problem. by icannotthinkofaname · · Score: 2

    very carefully planned, very professional, highly sophisticated

    Is this supposed to be the same "Anonymous" that's supposed to have its home on 4chan's Random board? 'Cause none of these qualities bring those users to mind.

    I suggest Sony look elsewhere. I'm pretty sure "very carefully planned, very professional, highly sophisticated" and "Anonymous" are mutually exclusive possibilities.

    --
    Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
  36. Ohh, this is going to sting.... by TiggertheMad · · Score: 3, Insightful

    due entirely to Sony's fuckwitted lack of security concerning sensitive data, I have had to take measures to protect my identity

    Fuckwitted, indeed. By making this (dubious sounding) claim, they have just poked anon with a stick after it has just been demonstrated that they have a major security problem. There is a fair chance that anon has a sizable population of already irritated PSN users. In light of the whole HBGary fiasco, does this REALLY seem like a wise thing to do?

    GG Sony, you are proving to be more entertaining by the day...

    --
    HA! I just wasted some of your bandwidth with a frivolous sig!