Slashdot Mirror


Amazon Servers Used In Sony Playstation Hack

the simurgh writes "Amazon servers may have been used to carry out the massive Playstation hack that compromised the personal information of more than 100 million Playstation Network users. According to a report from Bloomberg, sources close to the ongoing investigation say the attack was mounted from Amazon Web Service's cloud computing platform."

135 comments

  1. It's a conspiracy. by Anonymous Coward · · Score: 1

    Obviously. Who is better equipped to take down Sony than the elusive Amazon?

  2. A cloud attacks another by mehrotra.akash · · Score: 3, Funny

    Will there be a thunderstorm?

    1. Re:A cloud attacks another by Gaelinda · · Score: 1

      This gives a whole meaning to the slogan "To the cloud"!

    2. Re:A cloud attacks another by the_humeister · · Score: 1

      So Amazon brought down Sony, but their banning yaori. Are they good or evil???

    3. Re:A cloud attacks another by somersault · · Score: 3, Insightful

      You mean it actually had a meaning before?

      --
      which is totally what she said
    4. Re:A cloud attacks another by Anonymous Coward · · Score: 0

      No idea what yaori is, but Amazon also banned wikileaks

    5. Re:A cloud attacks another by Anonymous Coward · · Score: 1

      yaoi*

      Lern to spellz teh enrgish

    6. Re:A cloud attacks another by lostthoughts54 · · Score: 1

      > Lern to spellz teh enrgish

      Yaoi is a Japanese word. If u are going to be a douche, the least you could do is be right.

      Nihongo superu o manabu. there fixed.

    7. Re:A cloud attacks another by Anonymous Coward · · Score: 0

      It's "they're" you fucking moron...

    8. Re:A cloud attacks another by Killall+-9+Bash · · Score: 1

      Part of a meaning, apparently.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    9. Re:A cloud attacks another by cyber-vandal · · Score: 1

      Those adverts are so fucking patronizing - I want to kill everyone involved in making them.

    10. Re:A cloud attacks another by pandrijeczko · · Score: 1

      Sony and "Yaoi" - a pair of crappy Japanese comics.

      --
      Gentoo Linux - another day, another USE flag.
    11. Re:A cloud attacks another by Anonymous Coward · · Score: 0

      I fail to see the evil part. Both are good, hence Amazon is good.

    12. Re:A cloud attacks another by vegiVamp · · Score: 1

      > yaori

      Mmm, Maori yaoi.

      --
      What a depressingly stupid machine.
    13. Re:A cloud attacks another by Anonymous Coward · · Score: 0

      I wish I could unsee that sentence.

    14. Re:A cloud attacks another by d.the.duck · · Score: 1

      If you need any help, let me know.

      --
      Where does the signature go?
  3. So it came from an Anonymous Cloud? by toygeek · · Score: 4, Funny

    Is it an Anonymous Cloud or Anonymous' Cloud?

    So if the attack came from a cloud, then wouldn't it be a lightning attack instead of a "hacking" attack?

    We really need to get this internet meteorology right.

    1. Re:So it came from an Anonymous Cloud? by larry+bagina · · Score: 0, Offtopic
      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:So it came from an Anonymous Cloud? by Anonymous Coward · · Score: 1, Informative

      I simply do not like those rules in your link. The English that I learned says that toygeek did it right. Word's ending in "s" should not get the "'s" after them, the apostrophe is sufficient.

    3. Re:So it came from an Anonymous Cloud? by Anonymous Coward · · Score: 0

      I don't know; can you rephrase your question in a car analogy?

    4. Re:So it came from an Anonymous Cloud? by larry+bagina · · Score: 1

      Not liking something doesn't make it wrong. Learning something doesn't make it right.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    5. Re:So it came from an Anonymous Cloud? by Anonymous Coward · · Score: 0

      Then, do pray tell, what's an "anonymou"? If that's how you speak and write English, then you are a stupid, asshole, motherfucking piece of shit.

      P.S. http://www.britannica.com/EBchecked/topic/264162/Hesss-law-of-heat-summation

    6. Re:So it came from an Anonymous Cloud? by AvitarX · · Score: 2

      Too bad English is a living language.

      Though in general things lean the way you've said it, there is definitely space to do it either way with a "polysyllabic word ending in a sibilant" (generally based on intention of how it is to be said).

      And "some contemporary writers omit the extra s in all cases"

      http://en.wikipedia.org/wiki/Apostrophe#Standardisation

      I don't see the issue with the "new" way of adding an apostrophe only for words ending in "s" and an "'s" for words that don't, and in 15 years, I bet that's how it goes.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    7. Re:So it came from an Anonymous Cloud? by Vectronic · · Score: 1

      An anonymou is the singular of anonymii. "that anonymou really stands out from the rest of the anonymii", and anonymous is a pejorative, like emos. "being unidentifiable is a characteristic of anonymous's"

      now you know.

    8. Re:So it came from an Anonymous Cloud? by Anonymous Coward · · Score: 0

      > I don't see the issue with the "new" way of adding an apostrophe only for words ending in "s" and an "'s" for words that don't, and in 15 years, I bet that's how it goes.

      Which shows just how aware of linguistics you really are. You honestly expect a debate that's been going on for over a hundred years to be resolved in the next fifteen?

    9. Re:So it came from an Anonymous Cloud? by lostthoughts54 · · Score: 1

      > Too bad English is a living language.

      living language= a language so butchered it has no true rules, making it illogical and inefficient.
      Even at 7 i knew there was a issue with having to learn, "For every rule there is a rule breaker."
      English would be much better if people just followed rules. Exceptions only when absolutely necessary. But instead we make rules then break them at our leisure and as long as others like the rule breaker, it is now considered correct. It due to this stupid mentality that i still have difficulty with the English language(my native language, even if i grew up in the Southeast U.S.) , but i had absolutely no problems in Spanish or Japanese(Japanese, i just started learning).

      > and in 15 years, I bet that's how it goes.

      in 15 years u will need this. http://en.wikipedia.org/wiki/Mandarin_Chinese

    10. Re:So it came from an Anonymous Cloud? by Bing+Tsher+E · · Score: 1

      Please don't harp on other people about the way they butcher language, and then use 'u' as a word. This isn't your little chatspeak den here.

    11. Re:So it came from an Anonymous Cloud? by PCM2 · · Score: 1

      > The English that I learned says that toygeek did it right. Word's ending in "s" should not get the "'s" after them, the apostrophe is sufficient.

      I do not think you learned the rule completely. Look carefully at what Strunk & White says in the linked text: "Form the possessive singular of nouns with 's." Words that end with S that are not singular still just take the apostrophe, as you say. So it would be "the witch's cauldron," but in the case of Shakespeare's MacBeth, it would be "the witches' cauldron." For singular words, though, adding the apostrophe-S is generally preferred, because it helps avoid ambiguity. If you think about it, though, this almost never applies to anything but proper names. There really aren't many (any?) words in the English language that end in S but have the same form whether they are plural or singular. Most add -es to make them plural, in which case they just take the apostrophe.

      --
      Breakfast served all day!
    12. Re:So it came from an Anonymous Cloud? by lostthoughts54 · · Score: 0

      And who did i correct? i dont think i even mentioned any specific rules or violations of said rules. I said the language is completely fubared. Did my use of "u" in place of "You" throw your comprehension off? I commented on the english language and the adaptive include whats popular way of evolving. Then i made a small dry joke about English(essentially the USA) world dominance is slipping and will probably move towards Chinese.
      "It due to this stupid mentality that i still have difficulty with the English language". - that comment right there

      lol, my chatspeak den. I was never a chatroom guy, message boards(and those few and far between) are the furthest i get.Too many elitist retards running around on the internet. So until /. rules out shorthand, i will use it when i please. U are welcome to enjoy your proper English and skip any posts i make at your discretion. hell mod me down for bad English. Its a free internet.

    13. Re:So it came from an Anonymous Cloud? by mug+funky · · Score: 1

      i think it's terribly efficient actually. if a little hodge-podge.

      i love the fact that one can say something and completely fuck the grammar out of it, and yet still be understood.

      redundancy is actually quite important in a language, especially when the phonics we've inherited from the Romans can have such similar sounds.

      try distinguish between "n" and "m" over the phone. you can't.

    14. Re:So it came from an Anonymous Cloud? by SheeEttin · · Score: 1

      > We really need to get this internet meteorology right.

      Well, if I ever get into the The Cloud business, I know what to put on my business cards...

    15. Re:So it came from an Anonymous Cloud? by Kalriath · · Score: 1

      > And who did i correct? i dont think i even mentioned any specific rules or violations of said rules. I said the language is completely fubared. Did my use of "u" in place of "You" throw your comprehension off? I commented on the english language and the adaptive include whats popular way of evolving

      Parse Error.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    16. Re:So it came from an Anonymous Cloud? by AvitarX · · Score: 1

      Well, I had one teacher recommend it, but you're right.

      I expect it to be divided like the oxford comma.

      It's definitely moving towards the simple rule I think though.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  4. Amazon PR Disaster by longacre · · Score: 0

    Revenue from cloud services: 1.5%
    Retail revenue lost from consumers who will forever link one of the greatest breaches in history with the Amazon brand: Priceless

    1. Re:Amazon PR Disaster by Anonymous Coward · · Score: 0

      I'd spin it as "Amazon cloud: crackers give up botnets for it!"

    2. Re:Amazon PR Disaster by Charliemopps · · Score: 1

      I think you underestimate the revenue growth "The Cloud" generates for its vendors.
      I also think you overestimate how many people will ever even hear that Amazon was involved, much less care about it.

    3. Re:Amazon PR Disaster by fuzzyfuzzyfungus · · Score: 1

      Hey, not every VPS service has the advanced management APIs that make operating 7 proxies on demand hassle free...

    4. Re:Amazon PR Disaster by Anonymous Coward · · Score: 0

      > I'd spin it as "Amazon cloud: crackers give up botnets for it!"

      How do you know they're white? :D

    5. Re:Amazon PR Disaster by maxwell+demon · · Score: 1

      > Revenue from cloud services: 1.5%
      >
      > Retail revenue lost from consumers who will forever link one of the greatest breaches in history with the Amazon brand: Priceless

      You mean, just like the customers are fleeing the Windows platform in droves?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    6. Re:Amazon PR Disaster by Anonymous Coward · · Score: 0

      Or not, because really, let's be honest, the only people who aren't secretly chuckling to themselves that Sony got fucked over, rather than fucking consumers over like it usually does are Sony fanboys, who are, despite the loudness of their outcries, thankfully only small in number.

    7. Re:Amazon PR Disaster by Anonymous Coward · · Score: 0

      What are you talking about? I still trust Amazon, they didn't hack Sony. That's like saying it's Microsoft's fault that someone used a Windows computer to write a virus.

      Or that it is a gun maker's fault that someone shot another person.

      It's a tool, the people to blame are the ones using the tool to accomplish illegal goals.

    8. Re:Amazon PR Disaster by mug+funky · · Score: 1

      > That's like saying it's Microsoft's fault that someone used a Windows computer to write a virus.

      can we leave Apple fanboys out of this, just this once? this doesn't involve them.

  5. Liability by Sprouticus · · Score: 1

    It will be interesting to see what Sony does with this if it is true. I mean, it is not like they care about burning bridges. I could totally see them suing Amazon, if only to give them a PR black eye.

    1. Re:Liability by houstonbofh · · Score: 1

      > It will be interesting to see what Sony does with this if it is true. I mean, it is not like they care about burning bridges. I could totally see them suing Amazon, if only to give them a PR black eye.

      Your post was not totally clear. Is the intent to give Amazon a PR Black Eye, or to freshen up the Sony PR Black Eye? I think Amazon would actually end up with a PR win if they handled it right.

    2. Re:Liability by jhoegl · · Score: 1

      I don't know that this kind of lawsuit would go anywhere anyways. Amazon provides a service, much like ISPs provide service. If you sue one, you would have to sue all.
      However, if Sony were smart, they would put pressure on Congress to require companies to gain stronger knowledge about those they lease server space to.

    3. Re:Liability by MaxBooger · · Score: 1

      Amazon does a lively business selling Playstation 3 consoles and games. I doubt Sony will want to bite one of the hands that feeds it.

    4. Re:Liability by Anonymous Coward · · Score: 0

      Sony could take the Tyler Durden approach in legal battles: "You don't know where I've been, Lou! You don't know where I've been!"

  6. In other news.. by Anonymous Coward · · Score: 1

    Thieves were recently caught shoplifting. They were wearing clothes from Gap, calling into question the influence and security of such clothing.

    Yes, the story makes about as much sense as that...

    1. Re:In other news.. by mehrotra.akash · · Score: 1

      More like using a pepper spray (meant for self defence) to steal stuff from others

    2. Re:In other news.. by moonbender · · Score: 1

      Not a very good analogy. This is more like (car analogy time) hiring a tow car for a vehicle you don't own as a way of stealing it. The tow car driver facilitates the crime without being aware that they are doing anything illicit.

      --
      Switch back to Slashdot's D1 system.
    3. Re:In other news.. by hoytak · · Score: 1

      Rather, it's like they were using Amazon Fresh when they suddenly learned this: http://www.smbc-comics.com/index.php?db=comics&id=876#comic

      --
      Does having a witty signature really indicate normality?
    4. Re:In other news.. by zarzu · · Score: 1

      Not really. It would be more like a tow car rental company. Amazon only provides the basic hardware, they were used as anonymizer, just like a rental would if you provide fake information (which was done in this case).

    5. Re:In other news.. by Anonymous Coward · · Score: 0

      Not really. Amazon doesn't provide any of the components required to do the task - they just rent the computers, so it would be more like a tow car parts rental company, where you assemble the parts to make the tow car.

  7. I don't see it... by Junta · · Score: 2

    I suspect most all of the people that are Amazon customers only vaguely know what's going on and won't bother to learn the detail on the hosting provider for the attackers' systems.

    I suspect the minority that are that inclined almost all know that in this specific scenario, Amazon was just a hosting provider and understand that means they aren't particularly responsible for what happened any more than AT&T would be responsible for a house downloading a video illegally.

    Sure, there is probably a very small population that will stumble upon the facts and falsely presume Amazon is an evil company for cracking into Sony's stuff (as opposed to an evil company for other reasons). I have a feeling that change in revenue would be lost in the noise and small compared to any arbitrary boycott over seemingly small and/or inane things Amazon does on any given day.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:I don't see it... by TooMuchToDo · · Score: 0

      Competent hosting companies monitor for this abuse. Amazon doesn't, and turns a blind eye towards it (because it would greatly reduce the margin on their computing resources they sell if they had to monitor for abuse).

    2. Re:I don't see it... by the_humeister · · Score: 1

      Or maybe they'll like the fact that they were utilized in attacking Sony.

    3. Re:I don't see it... by Anonymous Coward · · Score: 0

      The entire reason fraud and abuse proliferate online is the need for "instant access"

      If every company stepped out of this mindset and had a "human" verify every signup, eg calling them on the phone and verifying the signup information, much less fraud would be possible as it eliminates the anonymity. The banks have no problems doing this, and make tonnes of money. It takes about a week to get a bank account via online versus going into the bank itself and having one in about an hour.

      Because the general populace is against national ID cards, there is simply nothing that can be verified to begin with that can't be faked. So let's put this the other way around, let's open "Verify Online" physical presence stores, and all they do is verify the ID of people in person and email them back a verified token to activate the account. The online service pays for it, and if they are too cheap to afford it, they shouldn't be in business. I believe we call these Notary Public. Just extend it to this.

      Any company or person who wishes to sign up for an account that has any form of "credit" (virtual or real, eg "points" "dollars" "credits" "gold") must be verified in person.

      Why would this reduce fraud you might ask?
      - Nearly all fraud online involves the theft of billing credentials (credit cards, bank account numbers, and the addresses), the very same information used to signup.
      - Paypal, banking and credit card sites all use some kind of physical token, actually mailing, sending a SMS message or phoning to verify, the fraud is often caused by the theft of the login information and then subsequently "sending money" to someone to cash out immediately.
      - Online games are often an used for money laundering, by putting all the ill gotten money into the "Credit" system of the game, either from virtual purchases, or the game gold or points itself, and then in turn those are sent to another player with a different id, to sell all those back for real world cash aka RMT (eg back via paypal) to gold buyers or other stupid players. Therefore eroding the gameplay. Simply "losing" in online gambling to other players can be laundering it, where the other player is in cahoots. Do you see why the government goes nuts about online gambling?

      All in all, the money is funneled into criminal enterprises, terrorism, drugs, etc if it's not siphoned off by idiots who don't know what they just did. So by having the verification at the time of account creation, you eliminate the fraudulent signups, since part of the convenience of signing up instantly is that you can signup outside your place of residence. Instead the fraudulent activity then has to occur at the stolen-account or from mules (jobs cashing checks.)

      So all that data taken from Sony means that there is potentially millions of billing data out there that could be used to create millions of legit-looking accounts with credit-bearing companies. Everything has been explained above.

      As for Amazon, the only thing they could have done to prevent this is firewall off all EC2 instances from connecting outside without implicit permission. That in itself isn't verifiable since many external sites allow API access.

    4. Re:I don't see it... by Pseudonym+Authority · · Score: 1

      That is so stupid. There is no way I would bother with a provider that I had to talk to. Also, my rebuttal is in your comment.

      > calling them on the phone and verifying the signup information, much less fraud would be possible as it eliminates the anonymity. The banks have no problems doing this

      And just how much bank fraud does that stop exactly? HINT: NONE.

      > Online games are often an used for money laundering, by putting all the ill gotten money into the

      OH YAH, I can just imagine some hard looking mafia types trading gold on Runescape, with the FBI monitoring them and hiding as a noob while waiting for the transaction to complete. How totally ridiculous.

      > The online service pays for it, and if they are too cheap to afford it, they shouldn't be in business.

      Fascism! Socialism! Unamerican! But really, that is just a way to further consolidate power and money for the large corporation, which it is quite clear that you are just shilling for, you asshat fucktard apologist.

    5. Re:I don't see it... by Anonymous Coward · · Score: 3, Insightful

      They cannot legally monitor for abuse... Or they can then get sued for "not finding abuse fast enough" and shit like that.

      It is the same reason why no shared or VPS hosting company says they actively monitor your usage / files. This is a form of liability control for them. The second they start taking responsibility for "catching pirates, hackers, crackers, and pedophiles" is the second they can then be named in a lawsuit and sued.

    6. Re:I don't see it... by turbidostato · · Score: 1

      "Competent hosting companies monitor for this abuse. Amazon doesn't, and turns a blind eye towards it"

      Just like competent gun makers will monitor for gun abuses? Is this the "Colt should pay for murderings produced using its weapons" argument?

    7. Re:I don't see it... by grcumb · · Score: 1

      > Just like competent gun makers will monitor for gun abuses? Is this the "Colt should pay for murderings produced using its weapons" argument?

      If Colt were renting out the firearms by the hour and selling ammunition by the crate, then yes, you could reasonably expect them to monitor who is using them and for what stated purpose.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    8. Re:I don't see it... by ipwndk · · Score: 1

      The banks in Denmark certainly don't require you to identify yourself over the phone, or physically. I created an account yesterday in five minutes flat.

      Of course they use a digital signature that is linked to my citizen ID that all the Danish banks made together in collaboration to remove that very check you are describing.

      This can however be exploited as well as you describe :S Problem here is that it's my citizen ID. It's not just money then. They can change my name, my taxes, healthcare services and anything else that is between me and the state. Ack, I began the comment to say that we're far more advanced, but the pitfall with a totally digitalized citizenship is that our identity is at stake :|

      --
      01 REDEFINE REALITY.
    9. Re:I don't see it... by Rakishi · · Score: 1

      So Hertz has to have a guy sitting in every car that people rent to prevent someone from using the rented car to commit a crime?

    10. Re:I don't see it... by dakameleon · · Score: 1

      > Online games are often an used for money laundering, by putting all the ill gotten money into the
      >
      > OH YAH, I can just imagine some hard looking mafia types trading gold on Runescape, with the FBI monitoring them and hiding as a noob while waiting for the transaction to complete. How totally ridiculous.

      Actually, that's not as utterly ridiculous as you make it out to be: http://www.policeone.com/police-technology/articles/3115040-Online-games-are-new-choice-for-money-laundering/

      --
      Man who leaps off cliff jumps to conclusion.
    11. Re:I don't see it... by datapharmer · · Score: 3, Insightful

      Seriously. I've grown tired of reporting abuse to Amazon, whose policy is to "send the complaint on to the customer". I now just block their IP ranges. Unfortunate for anyone who legitimately wants to crawl my sites using their service, but if enough people block them they will start seeing customers head elsewhere. Blocking about a half dozen abusive ISPs has cut my attack logs down exponentially, so failure to regulate your service = banned appears to be an acceptable policy in many cases.

      --
      Get a web developer
    12. Re:I don't see it... by TooMuchToDo · · Score: 1

      If you abuse a gun, there isn't much that can be done. You cause problems for others on the Internet? That's a fast way to get NANOG on your back and have your IP blocks and AS numbers blackholed at a variety of large networks (transit, peering fabrics, etc).

    13. Re:I don't see it... by Anonymous Coward · · Score: 0

      > I suspect the minority that are that inclined almost all know that in this specific scenario, Amazon was just a hosting provider and understand that means they aren't particularly responsible for what happened any more than AT&T would be responsible for a house downloading a video illegally.

      Certainly anyone that uses a hosting service like theirs understands the nature of the beast and knows Amazon isn't responsible for the Sony hack.

      > Sure, there is probably a very small population that will stumble upon the facts and falsely presume Amazon is an evil company for cracking into Sony's stuff (as opposed to an evil company for other reasons). I have a feeling that change in revenue would be lost in the noise and small compared to any arbitrary boycott over seemingly small and/or inane things Amazon does on any given day.

      Combine the total lack of conviction left in the world with the usual ineffectiveness of boycotts... I don't think AWS is worried about a misunderstanding really affecting their bottom line. The most that will happen is maybe a public statement denying responsibility.

    14. Re:I don't see it... by Anonymous Coward · · Score: 0

      No, it's the "a gun-range should monitor the weapons it gives out, and how all weapons on the grounds are used - or be liable for any killing/injuries incurred on its land or with its property" argument.

    15. Re:I don't see it... by dkf · · Score: 1

      > If every company stepped out of this mindset and had a "human" verify every signup, eg calling them on the phone and verifying the signup information, much less fraud would be possible as it eliminates the anonymity.

      You've got a lovely trust in the ability of people to spot liars over the phone there. And in the general Power of Bureaucracy to Do Good.

      How many people are you going to employ doing this? How are you going to pay for them? (Hint: the cost of getting signups verified would be passed on to you.) And it wouldn't stop fraud, just give a bigger opportunity for bribery and corruption. Automated systems, for all their faults, are at least honest and fair in a limited sense (because it is hugely easier to write them that way). All your suggestion would do is cripple large parts of the market to no great benefit of anyone. And yes, you can see evidence of this sort of thing with excessive regulation in large parts of the world.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    16. Re:I don't see it... by Anonymous Coward · · Score: 0

      > Just like competent gun makers will monitor for gun abuses? Is this the "Colt should pay for murderings produced using its weapons" argument?
      >
      > If Colt were renting out the firearms by the hour and selling ammunition by the crate, then yes, you could reasonably expect them to monitor who is using them and for what stated purpose.

      Not entirely accurate; Amazon didn't rent server space to the people who attacked Sony, so in your analogy, Colt would need to be aware if the firearm and ammunition they rented out was stolen by someone else that intended to commit a crime. Hardly a reasonable expectation.

    17. Re:I don't see it... by Anonymous Coward · · Score: 0

      Your analogy doesn't follow, Hertz doesn't sell gas!

    18. Re:I don't see it... by turbidostato · · Score: 1

      "No, it's the "a gun-range should monitor the weapons it gives out, and how all weapons on the grounds are used - or be liable for any killing/injuries incurred on its land or with its property" argument."

      So a cab driver is responsible if he happens to drive an assassin to his victim. Quite understandable.

  8. really? by cratermoon · · Score: 4, Interesting

    Considering how Amazon has become known for caving to the slightest pressure from law enforcement or even just a nosy senator, to host such an attack from EC2 seems extraordinarily stupid.

    It would make much more sense to launch it from somewhere hosted by a company that doesn't have a reputation for giving up their customer's data and shutting down even legitimate stuff that happens to run afoul of their vague guidelines.

    1. Re:really? by VortexCortex · · Score: 1

      > Considering how Amazon has become known for caving to the slightest pressure from law enforcement or even just a nosy senator, to host such an attack from EC2 seems extraordinarily stupid.
      >
      > It would make much more sense to launch it from somewhere hosted by a company that doesn't have a reputation for giving up their customer's data and shutting down even legitimate stuff that happens to run afoul of their vague guidelines.

      ?? Huh?

      If you're in the business of stealing credentials, why not use some of the Amazon services those credentials allow you to access in order to get even more credentials?

      As a benefit this also allows moronic assumpteers to take a distracting trip down "IP + Credentials == People" or "Shoot the Messenger" lane. If UPS delivers you a bomb or an envelope full of anthrax, it's not UPS's fault -- It's the malcontent that sent the package (Well, it's partially your fault too for accepting mail from a company whose name is "Oops!"). Of course the return address is a fake, unless, you assume the identity thieves are careless with their own identities...

    2. Re:really? by Hardhead_7 · · Score: 5, Insightful

      > Considering how Amazon has become known for caving to the slightest pressure from law enforcement or even just a nosy senator, to host such an attack from EC2 seems extraordinarily stupid.
      >
      > It would make much more sense to launch it from somewhere hosted by a company that doesn't have a reputation for giving up their customer's data and shutting down even legitimate stuff that happens to run afoul of their vague guidelines.

      Nah, once you do something on the scale of the PSN hack, it doesn't matter if the service provider caves too easily or not, because everyone gives up information when they get served a warrant. And there will be warrants. They just had to make sure Amazon has no way to trace it back to them, and it seems very unlikely the perpetrators accessed Amazon's servers from anything other than a laptop bought at a yard sale with a fake MAC address on a public wi-fi hotspot.

      And the cloud services were paid for with a Visa gift card that was bought with cash.

    3. Re:really? by DrXym · · Score: 2

      Nah, once you do something on the scale of the PSN hack, it doesn't matter if the service provider caves too easily or not, because everyone gives up information when they get served a warrant. And there will be warrants. They just had to make sure Amazon has no way to trace it back to them, and it seems very unlikely the perpetrators accessed Amazon's servers from anything other than a laptop bought at a yard sale with a fake MAC address on a public wi-fi hotspot.

      You'd like to think so but hackers can do stupid things, or fail to cover their tracks sufficiently, e.g. can't wipe logs. It's also possible that, if Anonymous were responsible, internal ructions over the attack could lead to the person being identified via an informant, which in turn leads to a raid, which in turn leads to information being found that way.

    4. Re:really? by drolli · · Score: 2

      Why? If you stole the credit card numbers before to buy the computation time, it's not a big deal if they later find the virtual machine afterwards. I would obviously only use the EC2 to collect and encrypt the data, but obviously not process it. If you need a lot of bandwidth to handle the incoming data, but you can afford a few days to transfer them out.

    5. Re:really? by colinrichardday · · Score: 1

      And the cloud services were paid for with a Visa gift card that was bought with cash.

      The last time I purchased a Visa gift card with cash, I had to show ID.

    6. Re:really? by Anonymous Coward · · Score: 1

      Which wasn't yours. So, there.

    7. Re:really? by Anonymous Coward · · Score: 0

      You can walk into a Safeway or a 7-Eleven and buy those things for cash... Hell, you could pay someone just as easily to walk in and buy it for ya if you were worried about the cameras...

    8. Re:really? by colinrichardday · · Score: 1

      This occurred at a Safeway.

    9. Re:really? by SomePgmr · · Score: 1

      Considering how Amazon has become known for caving to the slightest pressure from law enforcement or even just a nosy senator [talkingpointsmemo.com], to host such an attack from EC2 seems extraordinarily stupid.

      You're probably right, but I had to laugh that just a few posts up someone was complaining that they're not trigger-happy enough. Maybe they really have found a middle-ground.

      It would make much more sense to launch it from somewhere hosted by a company that doesn't have a reputation for giving up their customer's data and shutting down even legitimate stuff that happens to run afoul of their vague guidelines.

      I expect the doer[s] knew the hack would be done-and-over by the time anyone was issuing shut-downs. I'd guess the way to find them now has everything to do with the stolen data. Where it went, where it's being sold or used, etc.

    10. Re:really? by Syberz · · Score: 1

      If CSI taught me anything, it's that there's a traffic camera picture of the person having purchased the VISA gift card that the authorities will use to run a visual basic interface on it to cross-check with their "everyone on the planet" database.

      --
      ~Syberz
    11. Re:really? by cratermoon · · Score: 1

      Good analysis of how they would probably foil the backtrace. As far as caving when there are warrants, I was thinking of a hosting company off in a small island country that doesn't put a lot of effort into complying with international law enforcement efforts. I don't know of such places, but I'm sure they must exist.

  9. DANGER! Corny alert by xeroedouttwice · · Score: 1

    Looks like the "cloud" rained on PS3 network's parade, so to speak. Hyuk-Hyuk-Hyuk!!! (Imitates Goofy Disney character)

  10. Was the cloud hacked too? by Anonymous Coward · · Score: 4, Interesting

    Wait a minute... Amazon's cloud crashed 4/21, the day after Sony realized they'd been pwned and took down PSN.

    Is there something Amazon isn't saying, like maybe they were pwned too??

    1. Re:Was the cloud hacked too? by ColdWetDog · · Score: 5, Funny

      Wait a minute... Amazon's cloud crashed 4/21, the day after Sony realized they'd been pwned and took down PSN.

      Is there something Amazon isn't saying, like maybe they were pwned too??

      And it was the day after 4/20 - therefore it had something to do with stoners.

      George Bush didn't support legalization of marijuana.

      Goddamnit. It's GEORGE BUSH'S FAULT!

      --
      Faster! Faster! Faster would be better!
    2. Re:Was the cloud hacked too? by maxwell+demon · · Score: 1

      Or maybe Sony fought back? :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Was the cloud hacked too? by wmbetts · · Score: 1

      Finally someone with some sense and logic posting on this story. I wish more people realized it was all his fault.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    4. Re:Was the cloud hacked too? by ColdWetDog · · Score: 1

      Everything is George Bush's fault. Well, except for a few things that are Ronald Reagan's fault....

      --
      Faster! Faster! Faster would be better!
    5. Re:Was the cloud hacked too? by Anonymous Coward · · Score: 0

      Ronald Reagan is George Bush's fault!

    6. Re:Was the cloud hacked too? by ColdWetDog · · Score: 1

      Ronald Reagan is George Bush's fault!

      Temporally, I'd be a little happier if it were the other way around. If Ronald Reagan is George Bush's fault we have a problem in the Time Tunnel.

      --
      Faster! Faster! Faster would be better!
  11. It's not easy being amazon by Anonymous Coward · · Score: 0

    So they used Amazon. They could just as well have used any other of the 1000's of 'rent a vm' providers out there. But I guess it's news just because it's amazon.

    If amazon has any access logs they will probably find out that the attackers either bounced themselves through another vm host or through some form of anonymiser service and they will be just as surprised by that as they are with this news. "What? The hacker didn't attack Sony by directly using his own computer?!"

  12. used != may have been used by Anonymous Coward · · Score: 0

    Why does the headline differ from the summary? Is it that hard to write a headline that isn't sensationalist?

    1. Re:used != may have been used by easyTree · · Score: 1

      Is it that hard to write a headline that isn't sensationalist?

      The question is, why would you want to?

  13. sources close to the investigation by doperative · · Score: 1

    > sources close to the ongoing investigation say the attack was mounted from Amazon Web Service's cloud computing platform ..

    What evidence is there that Amazon Cloud was the source and why the need to keep the source of these allegations anonymous?

    Web Services cloud-computing unit was used by hackers in last month’s attack against Sony Corp. (6758)’s online entertainment systems, according to a person with knowledge of the matter

    I see, some 'person'

    1. Re:sources close to the investigation by Platinum+Dragon · · Score: 2

      In other words, about as much evidence as other claims that Anonymous, PS3 hackers, or Osama bin Laden were involved.

      Hey, gotta fill that news cycle. Gotta draw eyeballs for advertisers. Content is just a vehicle for making money. Truth is incidental, and at this point often accidental.

      --

      Someday, you're going to die. Get over it.
    2. Re:sources close to the investigation by eulernet · · Score: 2

      TFA is totally bullshit.

      I think that the hackers used a few open L1 proxies on Amazon AWS.

      In my list of open proxies, there are around 20 proxies on Amazon AWS, of the form
      ec2-??-??-??-???.us-west-1.compute.amazonaws.com:80
      ec2-??-??-??-??.ap-southeast-1.compute.amazonaws.com:80
      ec2-??-??-??-??.compute-1.amazonaws.com:80
      ec2-??-??-??-??.eu-west-1.compute.amazonaws.com:80
      where ??-??-??-?? is an IP address.

    3. Re:sources close to the investigation by Giant+Ape+Skeleton · · Score: 1

      TFA is totally bullshit.

      I think that the hackers used a few open L1 proxies on Amazon AWS.

      In my list of open proxies, there are around 20 proxies on Amazon AWS, of the form ec2-??-??-??-???.us-west-1.compute.amazonaws.com:80 ec2-??-??-??-??.ap-southeast-1.compute.amazonaws.com:80 ec2-??-??-??-??.compute-1.amazonaws.com:80 ec2-??-??-??-??.eu-west-1.compute.amazonaws.com:80 where ??-??-??-?? is an IP address.

      ...so in order to find the perpetrators, we simply need to determine which seven of those proxies were used in the attack!

      --
      The difference between stupidity and genius is that genius has its limits.
  14. Is This Supposed To Be News? by RoFLKOPTr · · Score: 2

    So the hackers chose to bounce their packets off a server rented from Amazon. They could have chosen a server rented from a thousand others. Hell, they could have done it with a server rented from me. Thankfully, they did not. But really who the hell cares?

    1. Re:Is This Supposed To Be News? by Captain+Spam · · Score: 1

      Just wait for this upcoming week's headlines...

      "Logitech Mice Used In Sony Playstation Hack"
      "64-Bit Processors Used In Sony Playstation Hack"
      "Store-Brand Clothing Used In Sony Playstation Hack"
      "Mountain Dew Used In Sony Playstation Hack"

      --
      Demanding constant attention will only lead to attention.
    2. Re:Is This Supposed To Be News? by RoFLKOPTr · · Score: 2

      Just wait for this upcoming week's headlines...

      "Logitech Mice Used In Sony Playstation Hack" "64-Bit Processors Used In Sony Playstation Hack" "Store-Brand Clothing Used In Sony Playstation Hack" "Mountain Dew Used In Sony Playstation Hack"

      "Sony VAIO Used In Sony Playstation Hack"

    3. Re:Is This Supposed To Be News? by nickb64 · · Score: 1

      maybe MY stolen VAIO was used in the attack.

      It was stolen randomly less than a week before PSN went down, coincidence, I think not.

      /puts on tin foil hat

    4. Re:Is This Supposed To Be News? by Anonymous Coward · · Score: 0

      I'm kind of hoping they did it from OtherOs.

    5. Re:Is This Supposed To Be News? by pandrijeczko · · Score: 1

      It's just so the PS3 fanbois can feel a bit more comfortable renting their rectums back to Sony & paying for the privilege when the PSN comes back online because it will all have been Amazon's fault, not Sony's.

      --
      Gentoo Linux - another day, another USE flag.
    6. Re:Is This Supposed To Be News? by lev400 · · Score: 1

      Agreed. What does it matter what servers they used to attack from? Normally attacks are done from zombie PCs or hacked web servers but guess they wanted a good connection to PSN etc. Also title is misleading. It should read "Servers Rented from Amazon Used In Sony Playstation Hack".

    7. Re:Is This Supposed To Be News? by Anonymous Coward · · Score: 0

      Yes, exactly. The implication here is that Amazon is somehow at fault. Amazon is providing a service, the service is there for people to use, Amazon cannot ( within reason ) control what is done with their servers. If they had not used Amazon, then they would have used some other provider. Why not imply that the ISP's were also at fault as they provided the network links into Sony. Once again it seems that Sony are diverting attention away from their own security problems.

  15. "Hosted by" Amazon? by identity0 · · Score: 4, Funny

    An attack from Anonymous? Pshaw, yeah right.

    We all know Amazon really did the hack themselves, because they were mad they couldn't get Sony on the One-Click patent, since PS3 users don't use mice.

    1. Re:"Hosted by" Amazon? by AmiMoJo · · Score: 1

      More like the loss of £80 per PS3 when they gave out refunds to people over the removal of OtherOS.

      Seriously though I doubt there is any love lost between Amazon and Sony.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Outpriced by Amazon? by malacandrian · · Score: 2

    Presumably, they chose Amazon's network as they were cheaper than renting time on a botnet. I'm intrigued as to the ramifications on the distributed computing black market as it were, whether it will force their prices down in this age of cheap computing (especially as none of the resources used are theirs per se) or they'll raise them as a charge for the anonymity Amazon and Google would never provide.

  17. Good by JockTroll · · Score: 1, Offtopic

    Would be cool to see Sony and Amazon sue the hell out of each other. A bit like two rapists/murderers buttfucking and then disemboweling each other. Unfortunately such huge corporations always reach some sort of agreement in these cases - smart thieves don't steal from each other. A shame, because watching them fighting it out, maybe sending their security teams to do battle in their rival's offices, while we laugh on the faces of grieving widows and throw dog feces at weeping orphans would be AWESOME.

    --
    Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
  18. It produces MUSHROOM CLOUDS! by Anonymous Coward · · Score: 0

    BOOM... so much for "cloud computing" (I first heard the term back in the early to mid 1990's, and figured it was bullshit then, just like it's turning up to be now).

  19. how dare by Anonymous Coward · · Score: 0

    internet was used ? no !?!?

  20. Amazon Prime Members? by tgeek · · Score: 4, Funny

    Shame the hackers weren't Amazon Prime members - then they could have had everything they wanted in 2 days at no extra charge.

    1. Re:Amazon Prime Members? by ajo_arctus · · Score: 1

      They probably are Amazon Prime members now. You'll see the $79 fee appear on your next CC bill*

      * assuming you own a PS3

  21. a third way by OrangeTide · · Score: 1

    stealing a few AWS accounts is cheaper than either of the options you mentioned.

    --
    “Common sense is not so common.” — Voltaire
  22. lightning attack by nurb432 · · Score: 1

    we called that blitzkrieg in wwii

    --
    ---- Booth was a patriot ----
  23. The Truth by Anonymous Coward · · Score: 0

    We are dealing with a new group. Amozynous!

  24. Big Business Security by lordkamon · · Score: 1

    If a large corporation's site like the Sony site could be so easily compromised, how are we supposed to gauge the level of security of any other site? Another question, if the security of Sony was compromised by using Amazon in some way, doesn't that mean that those who use Amazon are potentially at just as much risk as those who were compromised at Sony? So let's say nono it's a completely different thing, how can you 100% guarantee that? On a more constructive note, how do we eliminate this kind of access in future? My suggestion.... eliminate anonymous internet access permanently.

    1. Re:Big Business Security by V!NCENT · · Score: 1

      "If a large corporation's site like the Sony site could be so easily compromised, how are we supposed to gauge the level of security of any other site?"
      You can't.

      "Another question, if the security of Sony was compromised by using Amazon in some way, doesn't that mean that those who use Amazon are potentially at just as much risk as those who were compromised at Sony?"
      No? Amazon has nothing to do with this. They just let you rent a PC.

      " So let's say nono it's a completely different thing, how can you 100% guarantee that?"
      Because there is absolutely no relationship between Amazon security and Sony's security.

      "On a more constructive note, how do we eliminate this kind of access in future?"
      Stop being a moron and not hand over information you do not like to get stolen. Do you also not lock your door on your way out? Prevention is what it is called.

      "My suggestion.... eliminate anonymous internet access permanently."
      Let's see how that works below:

      Jack: "Hi, my name is John"
      Computer: "Are you?"
      Jack: "Yes I am. I am using John's WiFi to connect to you, computer"
      Computer: "Well OK then, John. Do what you like"
      [Two months later]
      *Knock-Knock*
      John: "Who's there?"
      "NYPD! Open the door!"
      [one month later]
      Investigator: "Confess now and you'll get your food. We know it's you who did it!"
      John: "OK OK I confess, just let me eat"
      Court: "John you admitted you're guilty, therefore you will not pass GO and go directly to jail"

      Jack is now enjoying his vacation on some exotic resort.

      --
      Here be signatures
    2. Re:Big Business Security by Anonymous Coward · · Score: 0

      Well, let's keep the name calling out of this. You could simply say "you are sorely misinformed, do more research".

      If we can't ask questions that are apparently as absurd as mine and have to consistently suffer with responses like yours, then I feel sorry for society as a whole and would redirect your comment back on yourself.

      I do appreciate your clarification of it all, as it makes a lot more sense now.

      I grew up never having to lock the door on our house for many many years. It's only lately that we've recently had to. tangent*

    3. Re:Big Business Security by V!NCENT · · Score: 1

      OK, I'm sorry. Strong emotions come out easier on the internet.

      By reading Slashdot you are expected to know what has been going around lately with respect to law enforcement and political engineering. By destroying things like Wikileaks due to destruction of anonymity and then piling upon that not being knowledgeable on the subject kind of makes me very mad. Especially because the politicians that have enforced many shit upon society were not knowledgeable at all.

      We can start this discussion again in a civilized manner if you are still open for it ;-)

      --
      Here be signatures
  25. see it weekly, at least... by Anonymous Coward · · Score: 0

    I work in infosec, and not a week goes by where we don't see an attack of some kind that originates from AWS, with us as the target. It's easy and cheap to set up a fairly powerful and distributed AWS system for this purpose. We're giving serious thought to blocking all incoming AWS traffic due to this.
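
Before blocking a whole provider, it helps to measure how much logged traffic really comes from EC2, using the `ec2-…amazonaws.com` hostname pattern listed in an earlier comment. The sketch below is an added example, not part of any poster's comment: the log layout (source IP, PTR name, request), the function names and the documentation-range addresses are constructed assumptions, and the `compute-1` label is treated as us-east-1.

```python
import ipaddress
import re
from collections import Counter

# EC2 public reverse-DNS names embed the IPv4 address with dashes.
# "compute-1" is the legacy us-east-1 label; other regions appear as
# "<region>.compute".
EC2_RDNS = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\."
    r"(?:(compute-1)|([a-z]{2}(?:-[a-z]+)+-\d+)\.compute)"
    r"\.amazonaws\.com\.?$",
    re.IGNORECASE,
)

# Constructed sample: "<source ip> <PTR name> <request>", addresses taken
# from the documentation ranges rather than real EC2 space.
SAMPLE_LOG = """\
203.0.113.10 ec2-203-0-113-10.us-west-1.compute.amazonaws.com GET /login
203.0.113.10 ec2-203-0-113-10.us-west-1.compute.amazonaws.com POST /login
198.51.100.7 ec2-198-51-100-7.compute-1.amazonaws.com GET /
192.0.2.44 ec2-198-51-100-9.eu-west-1.compute.amazonaws.com GET /admin
192.0.2.80 host80.example.net GET /index.html
"""


def parse_ec2_rdns(name):
    """Return (IPv4Address, region) for an EC2-style PTR name, else None."""
    m = EC2_RDNS.match(name.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(m.group(1, 2, 3, 4)))
    except ValueError:
        return None  # e.g. an octet above 255
    region = "us-east-1" if m.group(5) else m.group(6).lower()
    return ip, region


def classify(src_ip, ptr_name):
    """Label one log entry as 'ec2:<region>', 'mismatch' or 'other'.

    A PTR record is set by whoever controls the address block, so a name
    that merely looks like EC2 proves nothing. The embedded address must
    equal the connecting address before the entry is counted as EC2.
    """
    parsed = parse_ec2_rdns(ptr_name)
    if parsed is None:
        return "other"
    ip, region = parsed
    if ip != ipaddress.IPv4Address(src_ip):
        return "mismatch"
    return "ec2:" + region


def tally(log_text):
    """Count log entries per label."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            counts[classify(fields[0], fields[1])] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{label:16} {n}")
```

The embedded-address comparison is only a consistency check on the PTR name; an actual block list would be built from the provider's published address ranges rather than from reverse DNS.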

  26. IF by Anonymous Coward · · Score: 0

    If they are being rented, they are no longer "Amazon's servers." It's simply a dumb pipe, and the dumber, the better. If they can't find the perp from the (hopefully limited) info given by Amazon's records, tough shit.

  27. Hosted BackTrack OS by elephantsaroundhere · · Score: 1

    In the future the attackers may want to go straight to this new hosting provider : http://www.hostedbacktrack.com/ All the required tools are already installed as they are planning on offering hosted BackTrack Operating Systems.

  28. How legitimate companies sign up by nacturation · · Score: 1

    The hackers didn’t break into the Amazon servers, the person said. Rather, they signed up for the service just as a legitimate company would, using fake information.

    And to think that by providing accurate information, I've been doing things wrong all this time.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  29. They obviously didn't use S3 then! by mysqlbytes · · Score: 1

    Because the hack, and Amazon's S3 outage occurred at about the same time!

  30. Lieberman and PNAC, Version 2.0 by sgt_doom · · Score: 1
    Nosy senator? Did you mean Joey Lieberman, a member of that ultra-neocon Foundation in Defense of Democracies (whose, one wonders???), PNAC version 2.0?

    Recently, they have financed a pile of drivel, in support of the Cheney-Rumsfeld conspiracy theory on 9/11, and attacking all those critics who know stuff like math, science, engineering, aviation and are retired intelligence professionals and military professionals, as well as former heads of state (i.e., really "flaky" guys as opposed to goatherds like Cheney and Rumsfeld, no doubt?).

    Yup, sure wouldn't ever want anyone to investigate the backgrounds of those 64 passengers aboard the four commercial airliners involved that day.

    After all, in homicide cases, it is always routine to investigate the background of the victim or victims, as in the majority of cases the murderer knows their victims. And on 9/11/01, the certain group of victims were those passengers with ahead-of-time reservations that day!

  31. Being able to anonymously rent a server... by Anonymous Coward · · Score: 0

    not really surprising that it gets used in an attack.

  32. That's until you realize... by Anonymous Coward · · Score: 0

    ...that they went through Apple to get to Microsoft, to get to Google, to get to Yahoo, to get to Facebook, to get to McDonalds (showing off), to get to Amazon to get to Sony.

    It's like the whole internet was pissed off at em.

  33. So The Cloud(TM) is useful after all... by Anonymous Coward · · Score: 0

    Who'd have guessed

    1. Re:So The Cloud(TM) is useful after all... by d.the.duck · · Score: 1

      I think the hackers would disagree. I think they found it eminently useful.

      --
      Where does the signature go?
  34. Punctuation matters by Anonymous Coward · · Score: 0

    From TFA:
    "The hackers didn’t break into the Amazon servers, the person said. Rather, they signed up for the service just as a legitimate company would, using fake information."

    So legitimate companies routinely use fake information?