Sony Music Greece Falls To Hackers

xsee writes "Hackers: 6, Sony: 0. It appears an attacker has performed a SQL injection attack against SonyMusic.gr. The latest attack has exposed usernames, real names, email addresses and more. Is Sony's network being used as the world's largest public penetration test?"

SQL Injection...

[yarnosh]

The most preventable of all security holes. How sad.

Re:SQL Injection...

[hedwards]

I'm enjoying this for the lulz and the epic security fail. I just wish I could buy a drink for whomever it is that's doing this to Sony.

Re:SQL Injection...

[Bacon+Bits]

I thought the most preventable of all security holes was blank administrator passwords. Granted, the most notorious instance of this was the default install of SQL Server 2000's sa account....

Re:SQL Injection...

[yarnosh]

I guess I meant from a code perspective. I suppose there are plenty of other ways to leave your system wide open. /shrug

Re:SQL Injection...

[networkzombie]

Windows does not allow network access to any account with a blank password. Using a blank password with the SA account in SQL is incompetence.

Re:SQL Injection...

You'd buy a drink to people stealing personal info? They are driven by profit just like sony exec. JUST LIKE sony execs....
I wonder if all this fail is just some insider at sony doing a new version of the "stolen laptop full of personal info" trick.
Anyway Sony is currently the perfect target for crackers, just like a political demonstration is perfect for common criminals who want to smash a glass and steal some (corporations' branded) items from a shop.

Re:SQL Injection...

[mrman18766]

I thought the most preventable of all security holes was blank administrator passwords.

One small exception to this rule. On Windows >= Vista, if an account has a blank password, it is not allowed to connect remotely.

Re:SQL Injection...

[Phoghat]

From Wikipedia

SQLIA is one of the Top 10 Web Application vulnerabilities

My sympathy goes out to Sony because they were once considered the top innovator in almost everything electronic. Then they just F'd up over and over again. I want to root my PS3? Sorry sucker everything you buy still belongs to us.

Well Sony, Up yours!

Sell short SNE

[ub3r+n3u7r4l1st]

Time to sell short Sony stocks while we are at it.

Re:Sell short SNE

[Nrrqshrr]

If you waited till Sony got screwed 6 times before realizing it was time to sell, you'r way too late, buddy.
I guess I would have bought LT stocks on Sony around the first hack, when it became pretty cheap, and expected a rise. But honestly, right now, there is no way you can tell whether Sony will ever get up from this, or no.

Public penetration test

[mehrotra.akash]

Isnt every network exposed to the public (esp. mid size or larger commercial ones) continously under attempted attack?

Re:Public penetration test

[techno-vampire]

Isnt every network exposed to the public (esp. mid size or larger commercial ones) continously under attempted attack?

Yes, of course they are. However, there are examples of SQL injection attacks going back to November, 2005. There's no excuse for a company as big as Sony to be vulnerable to them almost five years later.

Re:Public penetration test

[smash]

Well given they were running apache 1.3 on various things, which was not really suggested as the basis for new installs even way back in 2003-2004, its no great surprise they're still vulnerable to shit that was popular / exposed back in 2005.

Re:Public penetration test

[MagusSlurpy]

Yes, but to be fair to Sony (which really pains me), they are currently the focus of every bored script kiddie in the world right now, as well as most of the legitimately pissed-off, skilled hackers. While there may not be such a thing as "security through obscurity," there is a lot to be said for not having a target the size of Montana painted on your servers.

Re:Public penetration test

Examples, sure. The attacks existed long before that.

My (at the time) boss's sons website got hit by an SQL injection somewhere around 2001. My boss told us about it, and mentioned that he had been told that it was a brand new kind of attack, so it wasn't a surprise that his site was insecure.

I sat there shaking my head, because our development tool at the time (Dreamweaver Ultradev) already had a simple built in protection against it: When it generated SQL code, it added a Replace() around every variable, replacing quotes with escaped quotes. Not the best way, but it shows that people were aware of the problem. Plus, a couple of years before that - in 1999, I was looking for shell command injection holes in Unix shell scripts. Though the language is different, the problem is the same. User input that become part of a command, which - if not escaped perfectly - allows someone to end the quote and turn the rest of the user input into a command.

And from where did I know about injection attacks? From a Unix book I got from the library around 1993. A book where some parts were outdated when I read it.

The concept of injection attacks has been known for a loooong time, and once you understand the concept, seeing that it applies to SQL as well as shell scripts shouldn't take more than 2 extra brain cells.

Re:Public penetration test

[AmiMoJo]

What surprises me is that it took this long to uncover the vulnerability. I would expect every script kiddie to be testing for SQL injections and ancient versions of software.

Re:Public penetration test

[krazytekn0]

almost 5? uh... ok

Re:Public penetration test

[techno-vampire]

Brain fart.

Karma's a bitch, Sony.

[jaskelling]

Years of half baked products, poor reliability, hostile customer service, lazy innovation, and a general disdain for security are what your customers have had to deal with. I really don't care who is doing it to you or why - but I applaud them teaching you the hard lessons of the evolving technological age. You can't keep repeatedly flipping people the finger anymore and tell them to deal with it. Evolve or die. And no, my loathing isn't related to just the recent PS3 debacle. It extends to experiences with consumer audio, professional theatrical projection equipment, and so on right down the line. The fact that you're being taken out by the simplest of attacks in most cases just makes my smile grow a little more.

Re:Karma's a bitch, Sony.

[rrohbeck]

+5.
Remember when Sony products were cool because they were innovative? Today you're outing yourself as a mindless consumer if you buy anything Sony.

Re:Karma's a bitch, Sony.

[seanvaandering]

Other than getting a free Sony Blu-Ray player recently, I really try to avoid Sony products as a rule. I used to LOVE them, their receiver line was one of the best ten years ago, but the only thing I would entertain buying these days is MAYBE a LCD TV. There is just so much better choices out there these days and i'm not into buying name brand for the name anymore.. having a family will do that to ya :)

Re:Karma's a bitch, Sony.

take it easy fanboi.

Re:Karma's a bitch, Sony.

[Opportunist]

Remember when Sony products were cool because they were innovative?

Yes, I'm actually that old.

I guess we should explain for the kids here since I guess they can't even imagine it: Sony was cool. Not just like Apple today, with fanboys liking it and everyone else hating it, it was THE cool brand. They had innovative products with never seen before features and a kickass support that didn't bother to ask for details, they just threw a new model at you if the old one croaked, which was actually unlikely because, hey, it was a SONY, they don't fall apart! People were proud to have Sony speakers and Sony radios in their cars, they were proud to have a Sony walkman (as if you could get any others, after all it was a brand name) and they had every right to be proud, they bought something of lasting value!

I admit, it's very hard to believe that today.

Re:Karma's a bitch, Sony.

[Swarley]

Don't even bother with the Sony TVs. They do make some nice TVs, but so do Samsung and Sharp (Aquos anyway, their budget sets don't hold the same value proposition) for quite a bit less money. I can't think of a single line of Sony products that doesn't butt up against better and cheaper competition. They are just coasting and selling the name to people old enough to have bought their first nice TV 20+ years ago when Sony actually gave a crap.

Re:Karma's a bitch, Sony.

[Bacon+Bits]

Remember when Sony products were cool because they were innovative?

Yes, I'm actually that old.

That's OK. I'm old enough to remember before Sony meant good. I remember when Sony meant cheap knock-off from Japan.

Re:Karma's a bitch, Sony.

[Luckyo]

No, somewhere more cold. Bacteria and virii that cause various diseases that go under "cold" umbrella enter state similar to hibernation at around -5C.

Re:Karma's a bitch, Sony.

[SuperQ]

Yup, I loved my walkman and and then discman. And decent earbuds. I tried to love minidisc, but it was just too painful to keep using sony's proprietary bullshit. Between the minidisc fail, the memory stick fail, and the general shit-tastic quality of stuff these days I've just given up.

Re:Karma's a bitch, Sony.

[johanatan]

He has a lower slashdot ID than you though. Fail!

Re:Karma's a bitch, Sony.

[_xeno_]

professional theatrical projection equipment

There was an interesting story in the Boston Globe this weekend about how Sony projectors are projecting 2D digital movies up to 85% darker than they should.

The reason? It turns out to be Sony DRM, although the article doesn't ever come out and say it directly. Basically, there's a special 3D lens required to display 3D movies, but this lens reduces the brightness of 2D movies.

So why aren't theater personnel simply removing the 3-D lenses? The answer is that it takes time, it costs money, and it requires technical know-how above the level of the average multiplex employee. James Bond, a Chicago-based projection guru who serves as technical expert for Roger Ebert's Ebertfest, said issues with the Sonys are more than mechanical. Opening the projector alone involves security clearances and Internet passwords, "and if you don't do it right, the machine will shut down on you."

In other words, you have to deal with Sony DRM. Rather than jump through the Sony-imposed hoops, theaters just leave the 3D lens on all the time.

Why bother with Sony projectors at all if they have this problem and others don't?

The reason appears to be a basic business quid pro quo. Sony provides projectors to the chains for free in exchange for the theaters dedicating part of their preshow ads to Sony products.

So, yeah. Another wonderful example of Sony in general and Sony DRM in specific giving customers an inferior product.

Obviously the theaters deserve some blame for this too.

Re:Karma's a bitch, Sony.

[siddesu]

That's what American management does to you.

Re:Karma's a bitch, Sony.

[Pentium100]

I have two Sony Walkmans (Walkmen?) and they are very good and solidly built (quite a lot of metal parts, compared to today's mostly plastic devices). Whatever they make now will most likely break beyond repair before the cassette players do. Yes, the players needed a belt change, but that was relatively easy to do and the new belts should last a long time. I still listen to cassette, since I have a lot of tapes so it makes sense to record new stuff to tape instead of copying all tapes to a digital format, buy portable and car digital players, in a sense I am "locked in". Also, it is more convenient to record to a cassette compared to PC, and digital recorders are quite expensive.

Re:Karma's a bitch, Sony.

[mehrotra.akash]

"Opening the projector alone involves security clearances and Internet passwords"

Is it a projector or an ATM?

Re:Karma's a bitch, Sony.

[JohnRoss1968]

And they both have a lower Slashdot ID than you do, for that matter so do I. That doesn't mean a damn thing.
Sorry but the fail is on you.

Re:Karma's a bitch, Sony.

[JohnRoss1968]

LMFAO I love you fanboys, you always make me smile.
A better analogy would be If you leave your widescreen TV down at the end of your driveway and someone steals it. The Police would probably chick it out for you but don't expect them to bust their humps doing it. Then You leave your computer system down there the next day and someone steals that. At that point you can expect the police to tell you to go fuck yourself.
Or
If If you have a habit of hosing yourself down with water then running around outside in the snow and you get sick, the doctor might chide you a bit for it but would probably treat you. then the next day you start drinking drain cleaner. Im hoping for your sake that the doctor has you sent to a nice safe place.

Re:Karma's a bitch, Sony.

[JohnRoss1968]

Dont confuse him with the FACTS, he's just a FANBOY. Im not sure his brain could take it.

Re:Karma's a bitch, Sony.

[andydread]

There was a time when people had Trinitrons or just a regular old TV. Trinitrons rocked back then in the 80s and early 90s. They never failed. Nowadays I see Sony products and i say "oh looks nice....oh well...its Sony, they are hostile to their customers I'll pass."

Re:Karma's a bitch, Sony.

[andydread]

It is a Sony product. Do not open/disassemble Sony Products without the proper authorization. You are just a mere customer who purchased the product. You do not own it.

Re:Karma's a bitch, Sony.

[sinan]

I remember Sony and Sanyo transistor radios from 1960. Used to listen to one crossing Bosphorus every night on a ferry. All the onlookers were mesmerized by it.

Re:Karma's a bitch, Sony.

[Stone2065]

As a former ATM tech... sounds like it's EASIER to get into an ATM than one of those pieces of Sony shit.

Re:Karma's a bitch, Sony.

[_xeno_]

No, that is just the polarising lens/filter combo needed for passive 3D glasses. Like sunglasses polarisation makes the image darker.

Yes, that would be the technical reason why the image is darker, but that's not the DRM part. The DRM is the reason that the projectionist doesn't simply replace the lens: if they do, they risk tripping Sony's DRM and locking the projector out.

Rather than risk that, they just leave the lens on. Thereby making the movie look absolutely horrible.

So it may not be DRM making the movie dark directly, but DRM is the root cause: Sony doesn't trust the people who own the projector to change the lens, and it's DRM that enforces that policy.

Re:Karma's a bitch, Sony.

[Nrrqshrr]

I still have one of those old TVs with only 8 channels that you switch to and from with 8 different buttons. It also has a knob under each button to "fine-tune" the image. This TV never saw a repairman's face.


And I spent entire summers playing with the Xbox on it.

Re:Karma's a bitch, Sony.

[bhtooefr]

The point is that Sony DRM freaks out if you screw up when reconfiguring the projector for the 2D lens.

Re:Karma's a bitch, Sony.

[Hamsterdan]

And as they didn't have enough problems already...

http://www.engadget.com/2011/05/23/bbc-hd-quietly-begins-broadcasting-in-1080p-but-not-all-sony-hd/

Re:Karma's a bitch, Sony.

[Hamsterdan]

And as *if* ...

Re:Karma's a bitch, Sony.

[TheRaven64]

Is 16 years considered a long time for HiFi equipment to last? I'm still using the amplifier and speakers that my father bought in the early '80s. It was in my parents living room for a couple of decades, and I got it afterwards. It's getting on for 30 years old now, and still works fine. Looking on eBay, the same model amplifier seems to be pretty common. I'm pretty sure that HiFi stuff lasting 20 years or more is common, not exceptional.

Re:Karma's a bitch, Sony.

You miss the point. The polarizing lens are needed only for 3D movies, so for non-3D movies they darken the image without need. The point is that removing the 3D lenses is not possible due to Sony's DRM measures build in the projection itself, so they are left in place for all projections, even if the movie would require them removed because it's not 3D.

Re:Karma's a bitch, Sony.

[guybrush3pwood]

I'm not a fanboy, I just disagree with that schmuck who think he's living inside Hackers and someday will wear a dress and fuck Angelina Jolie if he keeps hacking the planet. But thanks for feeding my point with more analogies, anyway.

Re:Karma's a bitch, Sony.

[JohnRoss1968]

now thats a low slashdot ID number.

Re:Karma's a bitch, Sony.

[JohnRoss1968]

Feeding your point. lol If you think what I wrote strengthens your point then you need to learn to read.

Re:Karma's a bitch, Sony.

[javanree]

Even worse; if you manage to find the cause it almost always comes down to some Sony-only part, which is impossible to buy in any regular (web)shop. And if you then have the nerve to call Sony tech support, asking for a specific part... let's not even go there :( After 2 TV sets with such issues I've stopped buying Sony, at least some other brands still have decent consumer service (Technics and Philips to name a few)

Re:Karma's a bitch, Sony.

[Des+Herriott]

Nah.

Re:Karma's a bitch, Sony.

[Tetsujin]

Nah.

Aw, if you'd just signed up a little later, you'd have "6510", the model number of the Commodore 64's CPU!

Re:Karma's a bitch, Sony.

[Omestes]

We had a Sony receiver from the early-mid 80's that my girl friends parents gave us. I was a wondrous thing. Then it died, and we replaced it with a second-hand high-end Pioneer receiver from the early 80's, which is a slightly more wondrous thing, though it doesn't turn on with the nice "brang!" noise the Sony had.

Sony used to be a good brand, they were known for their quality, and long life. This started to go away in the mid-90s, though. I had a Sony stereo (over grown boombox) from 1992, hooked to a CD-player from 1993, they rocked. When I wanted something beefier in ~1996 I got another Sony (it was ugly as sin) and it died within a year, and had terrible sound. I got another, it died almost as quickly, and was uglier (fake chrome, bight colors, shaped like something from a B sci-fi movie!), and had worse sound, and the volume knob made everything crackle, it had no EQ outside of silly presets.

Finally I just moved on to using my computer as a music player, and using my iPod (gotten for free) with my old Sony stereo from 1992 via mic-in and radio.

I don't actually think that Sony devolved in quality much more than anyone else. Its damn hard to find good equipment, since everything is built as a disposable commodity these days. Without spending high premium rates (200-300% of the average), your getting crap that is going to die within a year or two, and has sub-bar build quality and bad audio/video/whatever its function is. There is no good brand at the consumer level.

I'm being general. Recently we ran into this with vacuum cleaners, our $400 vacuum died (we got it on a good deal, no box) 3 months after the warranty. We were going to buy a Dyson, and realized that it felt as cheap and crappy as the $100 store-brand specials, and was made with thinner, more bendy, plastics than most other, cheaper, vacuums. Why bother spending $500-600 for a piece of plastic shit? Even if it "works better", its going to die a couple months after warranty too. I miss my 150lb Kirby. It was built like a tank, and saved me going to the gym. Further, it was almost 30 years old and would have worked fine, but some damn sales-man convinced me that new=better.

90% of the time new != better. New = cheaper for the same price. New = greater profit margin for the manufacturer and no real consumer benefit.

Sorry for the rant.

Re:Karma's a bitch, Sony.

[Mindcontrolled]

Walkman? Anti-Skipping? Young Padawan, if you put a shiny silver disc into it, it is NOT a Walkman... Now get off MY lawn, if you please. ;)

Re:Karma's a bitch, Sony.

[garyebickford]

Remember when Sony products were cool because they were innovative?

Yes, I'm actually that old.

That's OK. I'm old enough to remember before Sony meant good. I remember when Sony meant cheap knock-off from Japan.

So does this mean they've gone full circle?

Re:Karma's a bitch, Sony.

[garyebickford]

I think they still make the Kirby, pretty much like before. But maybe not.

But... why?!

[MrEricSir]

The Application String Interface was a poor idea from the start. It's the 21st century, we shouldn't be building strings to do DB queries.

Re:But... why?!

[betterunixthanunix]

I would classify this as part of the more general category of "in band signalling." The telephone network learned the hard way why such a design is bad when people began to use blue boxes, but it still took decades for them to fix the problem. I suspect that it will be a while before we see a real fix to the SQL injection problem as well.

Re:But... why?!

[MrEricSir]

I wouldn't go so far as to use the comparison to in band signalling for this particular problem. After all, that comparison might be more fitting for the notoriously sloppy way modern PCs fail to distinguish between program storage and data storage.

Re:But... why?!

[Chatterton]

Not distinguishing between program storage and data storage permit all kind of nice meta programming. LISP is beautiful in its kind for that. But not checking your inputs is the worst offender and the source of all sins. It is so easy to cut corners on input validation :-(

Re:But... why?!

[garyebickford]

I was going to mention that, but not in the nicely ironic way you did. :) Considering that merging the two is one of the half-dozen most important concepts in 'stored program' computers.

PPT?!

[microcuts]

i'm sorry, but was the phrase: "world's largest public penetration test?" really necessary?

Re:PPT?!

[plover]

i'm sorry, but was the phrase: "world's largest public penetration test?" really necessary?

Sony acts like the world's largest orifice so it's only fitting.

Re:PPT?!

[nospam007]

"Sony acts like the world's largest orifice so it's only fitting."

It's not a trick, it's a Sony!

Re:PPT?!

[JohnRoss1968]

No But It Sure Was Funny.....

Re:PPT?!

[oztiks]

http://pastebin.com/WqLysjiN

Re:PPT?!

[MagusSlurpy]

Sony acts like the world's largest orifice so it's only fitting.

Sarah Palin's mouth?

Sony = Consistent

[alphax45]

Well at least they are consistent - none of their systems seem to have more than basic security.

Re:Sony = Consistent

[Tamran]

Consistency - It's only a virtue if you're not a srew-up.

http://www.despair.com/consistency.html

Re:Sony = Consistent

[ub3r+n3u7r4l1st]

Simplicity is beauty -- at least it comes from the mouth of those who are against spaghetti and obfuscated code.

There are still places for spaghetti and obfuscated code, and this is why.

Re:Sony = Consistent

[Ecuador]

Yeah, because "basic security" does not involve sanitizing your sql queries...

people are stealing user info

[YesIAmAScript]

And you're egging them on?

They aren't just doing this to Sony, they're doing this to the people who use the services too.

Take it from a person had a gawker account. When they were hacked, it caused a great inconvenience for me.

Re:people are stealing user info

[fotbr]

In this case....I don't feel sorry for anyone doing business with sony. From my point of view, they made their bed, now they get to lay in it.

Re:people are stealing user info

[Killerchronic]

It maybe a problem for users but this is a serious wakeup call to said users, no your data is not as safe as you think it is when you are handing it over to all these companies, its about time the cracks were shown to customers and just how slack these companies can be in keeping their protocols and systems running correctly. I am still laughing, im not a sony fan in any way, shape or form, obviously its bad its happening but its hilarious that a company this big has such lax security and is being exposed on an almost daily basis.

Re:people are stealing user info

[Isaac+Remuant]

You're right. While we might enjoy this bullying because we dislike a company there is a larger context than, OMGZ 0WN3D!1!!!!11

I had a gawker account as well and, while it wasn't a problem for me to change my level lame password for that and other sites, it might turn out worse for other people.

Re:people are stealing user info

[LordLucless]

So your saying, by doing this they're going to drive customers away from Sony, reduce their income stream, and eventually remove them from the world of global commerce?

Wow, that sounds...terrible

Re:people are stealing user info

Quite frankly we need more of this type of action where it can actually dent Sony's reputation. Sony is a horrible company you shouldn't be doing business with in the first place. The same can be said for Microsoft and Apple.

Re:people are stealing user info

[naz404]

Did Sony fall for Little Bobby Tables again?

http://xkcd.com/327/

Re:people are stealing user info

[JohnRoss1968]

At this point I would have to say this is SONY's fault.
How inept can your IT dept be.
They should just shut the whole thing down and redo it right, like they should have done it the first time.
3....
2....
1.....
Let the Fanboys commence defending SONY for their lackluster performance.

Re:people are stealing user info

[hedwards]

Honestly is this really that much worse than when Sony decides to vandalize customer equipment?

Re:people are stealing user info

[maxwell+demon]

Indeed. I could enjoy it if they had extracted Sony's DRM keys. But extracting user names etc., no.

Re:people are stealing user info

[AmiMoJo]

Browsers could do a lot to mitigate the damage if they just enabled some basic password protection features. Firefox, for example, has a master password system but it isn't enabled by default, and even when it is on there is no secure password generator. It can all be done with add-ons but should really be the default so everyone starts using it.

In case you don't know what I am talking about the ideal way for a browser to manage passwords is for it to generate a random secure password for each site. It stores that password and fills it in for you when you try to log in, thus saving the user from having to remember hundreds of random passwords while preventing the hacking of one site affecting others. An optional master password can be requested before the random password is filled in.

Re:people are stealing user info

[Stone2065]

It's heading rapidly towards the level of incompetence that the rootkit fiasco was...

Re:people are stealing user info

[justforgetme]

ohh, wait I have to say something about this!!!!

I was in a bank once, while it was being robed! Ok, it wasn't the nicest experience I ever had and I might have been inconvenienced a bit.
Did I lose the money I had in the bank? No.
Did I loose the info I had stored in it? No.
Did I manage to do the jobs I had with the bank? Yes, I just went to another branch.

So if you are going to create a service infrastructure that hasn't enough failsaves and backup plans to deal with a simple digital break in then you damn well deserve to be reduced to the economic equivalent of decarbonized organic material... And all people who trusted your Services (including Yours truly) deserve a very big refund for your incompetence and a big slap in the face for being such fools!

Re:people are stealing user info

[erroneus]

There are no Sony fanboys. There are people who are addicted enough to their games that they can't see who is behind them or that they don't care who they work with or where the data flows. But to call them fanboys is a stretch of the imagination. Sony doesn't have "fans." Just consumers.

Re:people are stealing user info

Sony deserves it.

Re:people are stealing user info

[tiddlydum]

But what if you have multiple computers? Or don't just use firefox, like me? That's the problem with leaving it all up to your browser. Lose your hard disk? Bye bye passwords.

A different password for every account is overkill. You just need a few, like one for services you don't trust, one for services you do, and one for your computers.

Re:people are stealing user info

[PReDiToR]

My Gawker account was compromised too.
Oh dear, I had to wait until they got the system back up and change my password.

My PSN account has been compromised.
Oh dear. I had to wait a couple of weeks for them to bring their service up again.

In both cases the password change was done in seconds. I went to the web page, entered my old password, clicked the "Password Hasher" icon next to the "new Password" box, clicked "Bump" and entered my passphrase. Click OK. Completely new 26 character UPPER/lower/1234/!"£$ as easy as that. And I don't have to remember it, I just had to have it to hand when I typed it into my PS3.

If having to change a password is a "great inconvenience" then maybe you're doing something wrong? Are you using the password in multiple places? You're on Slashdot, you should know better.

Password hasher, a little paper address book, KeePass, SecureLogin/OperaWand all go to make life easy when it comes to long random secure passwords that you don't have to remember and that take a couple of clicks to recreate or update.

Re:people are stealing user info

[CastrTroy]

I do this using password safe. Just back up the file to your phone and an USB key every so often. You sync your phone everyday anyway. If you don't sync your phone, pick another device you sync all the time,like your mp3 player, or what have you. Or just sync the file to drop box if you like and it syncs to all your comupters. It's encrypted anyway. Choose a single strong password and you've gone a long way to opening yourself up to all kinds of attack vectors.

Re:people are stealing user info

[TheRaven64]

On OS X, the keychain is a system service that is separate from the end user applications. Any app can use it with a couple of function calls, and the service has fine-grained ACLs, so you have to explicitly grant an application access to each password (except ones that it created), so multiple browsers can share the passwords. It's encrypted on disk and is trivial to back up.

Re:people are stealing user info

[petermgreen]

The same can be said for Microsoft and Apple.

mmm, I find it sad, on the one hand I want to play the big hit games and I want to reward the developers for what they have created (I don't want to pirate stuff). OTOH I find the direction the gaming market is going with forced firmware updates on consoles and online activation (or worse) on the PC very unattractive.

If anything the XBOX seems to be the lesser of three evils at the moment, afaict they aren't requiring online activation (though they are taking steps towards it with in-box DLC) and afaict their firmware updates don't retroactively remove functionality.

I hope an actual customer friendly option comes out of this but I wouldn't hold my breath.

Re:people are stealing user info

[DarkOx]

That sounds great, that way nobody can logon to any site from a machine that is not theirs because they won't have the password safe on that machine and don't know any of the passwords. We might as well just forget this whole cloud thing and go back to fat clients for every service. Oh and before you say lastpass, we all know how well that worked out for people recently; also a service like that presents to valuable a target, even if its a hard one it will be attacked often.

Re:people are stealing user info

[airfoobar]

its about time the cracks were shown to customers

I think Geohot already did that, quite literally.

Re:people are stealing user info

[maxwell+demon]

It's heading rapidly towards the level of incompetence that the rootkit fiasco was...

It would be funny if the vulnerability that was exploited came from that very rootkit, installed by some unsuspecting employee putting a Sony CD into the computer ...

Re:people are stealing user info

[spliffington]

Except now people can sync their encrypted locally stored password files across devices. I use 1password on OS X and sync it to my phone.

Re:people are stealing user info

[Stone2065]

Touche', good sir/ma'am. Well said.

Re:people are stealing user info

[vegiVamp]

> it caused a great inconvenience for me.

Oh, you poor widdle thing.

You can't be 100% secure, but you can at least do your god damn best. Being open to SQL injections is not doing your god damn best, it's saying "fuck this security thing, money belongs in my pockets and fuck the customers up the arse".

As an aside, I also had a gawker account. The inconvenience for me was limited to being forced to change my password on their site. It's not as if the password I use on junk sites like gawker is the same I'm using for my email or banking.

Re:people are stealing user info

[ian_from_brisbane]

I was in a bank once, while it was being robed!

The robe must have been size XXXXXL to fit a bank.

Re:people are stealing user info

[memyselfandeye]

It is Sony's fault, but it's not the victims fault. I still remember when I moved from small town New Mexico to Cleveland. It wasn't very long before my car was broken into, and it was "my fault" for leaving valuables in it. How is what happened to the victims of Sony's inept security, and victims of criminals who violated said inept security, their fault. That's akin to saying it's the fault of a rape victim for happening to be attractive towards a rapist. I'm not necessarily saying this is what you meant, but there sure are an awful lot of comments eluding that the victim who was stupid enough to use Sony deserves it.

Why can't you live in a world where you can provide details to Sony without worrying about having your identity stolen? Why can't you live in a world where you don't need to lock your car? Why do we need SSH and public key encryption? Why can't you live in a world where you don't have to worry about any crime against property or person? I say it's because we've build a society that is great about protecting the rights of the accused, but does little to protect the rights of the victims. If these guys get caught, the will be afforded every conceivable protection against prejudiced trials... yet there will be no such guarantees for the victims.

Re:people are stealing user info

[malkavian]

And what about people that only use people, not just techs?
Most people I know wouldn't even know how to begin doing that.
Could be a market opportunity to set up a simple one click thing to do it.

Re:people are stealing user info

[JohnRoss1968]

They have these neat little things called THUMB-DRIVES.
You can store your passwords on those using several programs. I use Keepass myself but there are others out there if you just open up your eyes and look around.

Re:people are stealing user info

[justforgetme]

well, it was morning. So I forgive me (see? I could have written myself there but I didn't)

Re:people are stealing user info

[Dan541]

Users = People who fund Sony.

Re:people are stealing user info

[jimshatt]

Very small bank. Probably a sandbank.

Re:people are stealing user info

[N0Man74]

In this case....I don't feel sorry for anyone doing business with sony. From my point of view, they made their bed, now they get to lay in it.

This was modded Insightful? This statement is moronic!

Some of us did business with Sony years ago. Before they screwed over the 'Other OS" users of PS3s, before the rootkit fiasco, or even before the Playstation 2 disk read error epidemic was well known.

My last dealings with Sony Online Entertainment were 6 or 7 years ago, and yet they still had data on me on their servers, Luckily *most* of it (addresses, CC info, etc) is out of date, but things like my email address, date of birth, and perhaps answers to some secret questions may have been compromised.

So, it's *my* fault that I didn't predict the depths to which Sony would stoop in the future?

I am a critic of Sony, as I think any sane person should be. You, on the other hand, are being anti-fanboy idiot.

Re:people are stealing user info

[Clever7Devil]

I don't think there are many here who believe the hackers are doing the morally correct thing. Certainly far less evil than rape though. Furthermore, I find it hard to believe that Sony is being attacked due to its attractiveness as a target.

It's a little bit more like a man calling a bunch of prisoners' mothers whores and then walking around outside the penitentiary backwards with your pants down. Sure, there's a wall between you and them, how long and how many do you think it will hold?

Re:people are stealing user info

[Clever7Devil]

Don't ask me how he got your pants. That's another story and it's early. ;-)

Re:people are stealing user info

[Aldenissin]

I agree with you quite a bit. However, I have to say that hardly anyone, even you, take security completely serious. It's not as if you never dreamed any of these companies could be "bad". You just don't care and are apathetic in a sense as virtually everyone is, since it is more convenient.

In the end, you can't trust any company. Ok, that isn't correct. I trust everyone. That is what all relationships are based on, even enemies. I trust an enemy will try to screw me over. I trust these companies will sell me out for the sake of their "shareholders", even if I was one.

Oh how much better the world would be if we did business with those self employed and perhaps even small business, instead of corporations. You hear all of the time, it isn't personal, it's just business. Bullshit. All business is personal, and anyone who says otherwise is just trying to shirk their civic responsibilities to their fellow man. Man is man because we work together, not because we can conquer each other. We conquered this earth together, and if we ever stop screwing each other over we can conquer virtually anything.

But we won't. We instead want to listen and laugh at Doomsday predictors. Stay short-sighted and live to excess, living void and unfulfilling, meaningless lives.

Re:people are stealing user info

[Aldenissin]

Mod parent insightful, not troll. He's right, it's not as if we haven't been warned that this info. is has easy transferability, and not securely watched over.

Re:people are stealing user info

[Aldenissin]

It is Sony's fault, but it's not the victims fault. I still remember when I moved from small town New Mexico to Cleveland. It wasn't very long before my car was broken into, and it was "my fault" for leaving valuables in it. How is what happened to the victims of Sony's inept security, and victims of criminals who violated said inept security, their fault. That's akin to saying it's the fault of a rape victim for happening to be attractive towards a rapist. I'm not necessarily saying this is what you meant, but there sure are an awful lot of comments eluding that the victim who was stupid enough to use Sony deserves it.

It isn't "wholly" one's fault. However, with a but a few exceptions, we let most of what happens to us happen. If you stored a friend's expensive diamond jewellery (or left a kid and they were kidnapped, etc.) in your car, and it was stolen while you were living in Cleveland, I would bet she'd blame you. I don't live and Cleveland, and I know about Cleveland. No, you didn't and Sony customer's don't deserve it, but they did put themselves out there. Most here are being smug because they do it right now with the next bad boy corporation that will pop up on the radar.

Why can't you live in a world where you can provide details to Sony without worrying about having your identity stolen? Why can't you live in a world where you don't need to lock your car? Why do we need SSH and public key encryption? Why can't you live in a world where you don't have to worry about any crime against property or person? I say it's because we've build a society that is great about protecting the rights of the accused, but does little to protect the rights of the victims. If these guys get caught, the will be afforded every conceivable protection against prejudiced trials... yet there will be no such guarantees for the victims.

Why? Because people are evil in their hearts, that's why. Even under total surveillance people will still try to screw others over fi they think there is a chance to get away with it or they feel it is worth it.

Those rights are to protect the innocents. They are put on trial too, which is the purpose of a trial, or did you forget? I agree we don't protect the rights of the victims. Even the evil people luckily for the most part still see they are better off (for now) with protections of the accused. If we wanted to protect victims, we wouldn't send people to schools for criminals (jail and prison) and instead bring back indentured servitude, for example. But we let those that are evil twist and distort logic to where indentured servitude=slavery.

Re:people are stealing user info

[Aldenissin]

copying is akin to sharing. Stealing is taking something not meant to be shared. It is still copying if I share a movie/song and meant to, i.e. with a friend. If you take it from the publisher's servers and had to crack to get to it, that is stealing.

Re:people are stealing user info

[chickenarise]

You always happen upon the gem after you used up all your mod points. *shakes fist*

Re:people are stealing user info

[SuperTechnoNerd]

Serves them right for buying an evil product from and evil company.
You reap what you sow.

Re:people are stealing user info

[heypete]

What, like LastPass?

Re:people are stealing user info

[memyselfandeye]

A perfect example is our grand jury system. It used to be that any citizen could convene a grand jury and present evidence to convince the jury to indict a person. I don't see that happening anymore, and good luck trying to do it. So, let's say I was a victim of this crime and I thought it was my neighbor. I can't go and convene a grand jury on my own, I have to file a report at the police department and hope they will arrest the bugger and that the prosecutor will convene the grand jury. Thus, as a victim, I have no guaranteed right to try and get my pound of flesh, so to speak. I have to hope and pray my case is deemed worthy enough. This is why in small town America, where I grew up, there is an inherit distrust of non elected law enforcement. You have absolutely no recourse if the police decide they do not want to investigate your claim. And let's be honest, identity theft is rarely investigated because hey, they should have known better.

I was really ranting about the claims that if you didn't know better it's your fault. Not locking your doors, or not using SSLcommunication against a sanitized SQL sever for Sony Service XYZ, doesn't magically make it OK to steal from you, or less severe if you get caught because hey "the guy was asking for it." As it stands now, we have no way of going after these guys on our own and the legal system has no incentive to do so. So the only solution is to keep updating your anti-virus, keep downloading patches, and keep on top of the latest security trends so that, hopefully, this doesn't happen to you. Don't you think that's unfortunate? I don't know about you, but I'd much prefer to spend my time elsewhere.

Sony will be secure?

[ohnocitizen]

From TFA, some curious speculation:

While it's cruel to kick someone while they're down, when this is over, Sony may end up being one of the most secure web assets on the net.

Is there any evidence to back this up? I keep thinking of counter examples, the best one being Sony. They've been attacked how many times now, and they are still leaving security holes of this nature up? One would think after the first attack a company wide IT effort to harden their servers would have been given something other than the lowest priority...

Re:Sony will be secure?

Yes, and you would think the airlines would strengthen the door after the first cockpit invasion back in the 30s or 40s, whenever it was, but we had to wait until the mother of all hijackings before this most basic move was undertaken.. What we will probably get is some kind of 'TSA' for the internet instead. History repeats itself in many ways.

Re:Sony will be secure?

[dakameleon]

Give Sony a bit of a break, it's only been a month, and SCE & Sony Music are far enough apart within the overall Sony group for it to not necessarily have filtered all the way to testing the vulnerabilities in Hungary.

Re:Sony will be secure?

[the_enigma_1983]

I don't see how it'd take even a month to get that far. By the second attack, memos or something should be going company-wide, saying "People are trying to break into our networks, make sure stuff is secure".
If it takes more than 4 weeks for an IT team to do a basic security audit (SQL injection means not using parameterized queries, so basic to spot and fairly simple to stop), then you simply haven't budgeted enough for IT. Which is a reason for the new problem but still a problem they had control over.

Re:Sony will be secure?

[Stone2065]

To add to your comment... a single person, working 8 hour days, works about 168 hours a month. Assuming even 5 people on this (a pathetically low number, I'll grant you), that's 840 man-hours. How much coding/investigating can YOU ALL do in 840 fucking hours?

Re:Sony will be secure?

[sgbett]

Probably about 840 hours worth. I can't tell if you think thats a lot or a bit. Seems like a lot to me. Reckon they could at least have looked over all the code they have in that time, and spotted anything basic like, you know, SQL injection ...

Re:Sony will be secure?

[ohnocitizen]

This ^. +1. These are very basic mistakes we are seeing exploited. Its almost as if this is a company that is unaware of basic security practices (they could check out owasp for some hints). What seems more likely is a company that has been hacked, and begun playing the blame game rather than taking even the most rudimentary steps to secure their system. A press release is not an effective server hardening tool, its more of a provocation. So "Its only been a month" doesn't seem like any kind of excuse for a company as large and wealthy as Sony. A company with an apparently cavalier attitude towards sensitive user data.

Re:Sony will be secure?

[plover]

If we didn't have it in place already, I'd be using those hours to bring in a static code analysis tool like Fortify or Coverity or Klocwork to begin scanning my source code repositories for security flaws. Could I fix them all in that time? Highly doubtful. It mostly depends on the size of the codebase, but once you get millions of lines of code that have never been scanned before, the tools will likely identify hundreds or even thousands of vulnerabilities, including many false positives that would have to be weeded out. I just saw a presentation where the vendor estimated each XSS bug identified by a code scan takes about 94 minutes to fix, after he factored in testing and everything else.

Re:Sony will be secure?

[garyebickford]

In a corporation that large, in an emergency it would probably take a month for management and legal to get the memo written, edited and approved for sending. If not an emergency, it could take much longer.

Then, each team would have to reschedule other activities to make room for the 'mission from the Suits On High', figure out what things need to be fixed, work up a fix plan, build the fixes on the dev server, test there, get through the release process, and rollout to the production servers. After all, accidentally creating a new hole while fixing the old one would not be a good thing. So that's another month, or two.

Since some of these teams work for various companies in various parts of the world, which are loosely held by the top level holding company, add another month just for the various companies to get the word from the holding company that something needs to be done.

To add to that, from what I've read, the approach to work scheduling in Greece (and many other countries) is rather casual, so it might take an extra month to get the whole thing done there. "After all, who's going to go after us? We're just a little music service in East Podunk. Nobody's heard of us, and if they have, nobody cares!" (A too-common attitude of many companies toward security.)

So, they're probably right on schedule, but the hackers can move much faster. Think PT boat vs. Battleship.

CL Jpb Ad

Established company seeking security professionals, all positions open

Like it matters.

[MrQuacker]

Anyone who's ever visited Greece knows nobody buys music there. For 2euro an hour you can visit an internet cafe, get the password from the guy at the front desk, and connect to the cafes local file server. Last time I was there they had something like 20TB+ worth of movies, music, tv shows, games, and porn.

They decided that since people download stuff anyways, might as well save on the bandwidth and store it locally. Any time you download a file its mirrored in the cafes file server, so others can copy it without having to re-download.

And if you dont go that route, you can buy bootleg copies from any number of African immigrants on the street for just a few euro. Many times for better quality than available in stores for retail price.

Re:Like it matters.

[Eravnrekaree]

Especially about the better quality, is the ironic truth. Remember those who were copying Star Wars Laserdiscs and making them into movie files, because the DVDs were often so slow in coming, and then the DVD releases were only of the new doctored versions and the original versions of star wars were impossible to purchase? The Laserdiscs of Star Wars were also reported to have better special features compared to the later DVD releases.Often times its impossible to get movies on DVDs from the companies, which basically is the companies tell fans, screw you, so fans just share the copies with themselves. For years companies have treated their customers like shit, and they then expect people to love them?

Re:Like it matters.

[Psychotria]

I don't think the music piracy is the point. I think that the point is that the public perception on Sony is being degraded; it has nothing to do with piracy as far as I can see. This is being reported in mainstream media now... would I trust Sony with any of my details? Not a chance. Additionally, these "attacks" must be costing Sony money... probably a lot of money due to not only customer's trusting them less, but the extra employees (or current employees overtime) and resources they need to spend to fix things.

Re:Like it matters.

[drinkypoo]

I can verify that if you have the fat boxed set there are some nifty features. It also came with a big picture book if you bought the extra-fat boxed set.

I only wish I had an LD player that would play more than 1 disc 2 sides. All the LD players which play 2 discs that I see any more are Karaoke units and they want real money for them... as if that were a selling point.

Re:Like it matters.

[erdraug]

Given that the average bootleg CD has an approximate lifespan of six months i doubt Greeks rely on them to build a music collection. I know mine is of the expensive variety. In hindsight, i could have listened to the radio more and done something else with that money instead. Like go to more concerts. Now what was the average price of a concert ticket in Greece again?

Re:Like it matters.

[PReDiToR]

Also take it as given that if you're on holiday in Greece the music you're listening to there has a lifespan of six weeks and the longevity of the CD doesn't figure.
Rip the thing to your hard drive if you want to have a copy of the latest Euro-pop to give your nephew/neice in a couple of months to keep them ahead of the curve and make them sound cool by having it before everyone else has it.
But FGS, once your holiday drinkfest is over you won't ever want to hear that squeaky trash again.

Re:Like it matters.

[Colonel+Korn]

Rip the thing to your hard drive if you want to have a copy of the latest Euro-pop to give your nephew/neice in a couple of months to keep them ahead of the curve and make them sound cool by having it before everyone else has it.

Good luck finding a radio station or public space in Greece that doesn't play >75% bad American music.

Plain text passwords??

[wvmarle]

The linked article also provides a screen shot with obscured personal information.

It appears the passwords are stored in plain text, not as hash: formatting makes it unclear but it seems the length varies, and the password fields are short (6-10 characters or so), while hashes are much longer than that.

Bad bad security! No wonder they also fall victim to the age-old SQL injection attack... which I thought most SQL interface libraries can automatically intercept by adding the appropriate escaping... many years ago I used Pythons MySQLdb and they were doing that for very very long already... so there should be no excuse for allowing this to happen still.

expect more

[smash]

Evidently, the playstation 3 firmware/network isn't the only instance where sony totally fails at securing their shit. SQL injection? Really? In this day and age? I'm simply shocked that it hasn't happened a lot earlier; they've been pissing people off for years now, its amazing its taken this long for a collective group to make a serious effort to try and break in.

"Is Sony's network being used as ..."

[QuasiSteve]

Is Sony's network being used as the world's largest public penetration test?

No, every other scriptkiddie is just joining in on teh lulz of flogging the dead horse. "ZOMG I sql injectioned a SONY site! Yeah, it's got nothing to do with PS3 or PSN, and yeah it's some site in Greece, but lulz amirite!?"

It's even in the bloody article, isn't it?

As I mentioned in the Sophos Security Chet Chat 59 podcast at the beginning of the month, it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony. As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them.

It appears someone used an automated SQL injection tool to find this flaw. It's not something that requires a particularly skillful attacker, but simply the diligence to comb through Sony website after website until a security flaw is found.

I mean.. honestly?

They could be running this against $random_site and try to hit the news with it, too.. but they wouldn't.. because nobody cares about a random hack at a random site right now.. but if it's got SONY attached to it.. well.. lulz rules the news.

None of which excuses the poor security.. but none of which excuses the submitter from his choice of words either.

Re:"Is Sony's network being used as ..."

[flimflammer]

Jesus Christ, man. How far did that stick get wedged up your ass?

Re:"Is Sony's network being used as ..."

[DurendalMac]

Kinda makes you wonder why Sony was vulnerable to exploits that could be found in skiddie tools. If someone had to actually dig for an exploit or found a new one to use against them, then that would be something, but when skiddies can breach your network then you seriously need to fire the guys in charge of security because they suck at their jobs.

Re:"Is Sony's network being used as ..."

[LordLucless]

As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them.

It almost seems as if deliberately screwing people over doesn't really pay off, doesn't it?

Re:"Is Sony's network being used as ..."

[Cyberllama]

There's a difference between "running a totally secure web presence" and "exploited by an automated SQL injection tool". If an auomated tool could find it, then you have to wonder why the hell Sony hadn't just run the damn tool themselves. There are levels of insecurity, and this level is well below what a company like Sony should be at.

Re:"Is Sony's network being used as ..."

[TheVelvetFlamebait]

Right, because nobody with good customer service ever had bad security.

Re:"Is Sony's network being used as ..."

[LordLucless]

But people with really, really bad customer "service" give people a reason to try and violate that security.

Re:"Is Sony's network being used as ..."

[TheVelvetFlamebait]

Be honest; which situation do you think is more likely:

a) After the PSN network went down and everyone's credit card details were stolen, other hackers just started to realise how evil Sony is, or
b) After the PSN network went down and everyone's credit card details were stolen, other hackers just started to realise how weak Sony's security is, how easy it would be to gain the ability to brag that they took down a large corporation's security, and how much money they could spend with pilfered credit card details.

Look me in the eyes and tell me that Google would be treated differently if their security was on par with Sony's.

Re:"Is Sony's network being used as ..."

[LordLucless]

Fine, I'll tell you. Looking in the eyes is a bit hard, given the medium. And I'll have to go sort-a.

It wasn't because everyone suddenly realised Sony had particularly porous security. I'm sure that their Greek web-portal's security had bugger-all to do with the security of the PSN. You speak like Sony's security is some monolithic entity; in reality, there's probably at least a dozen different teams responsible for security, from the ones who work on their DRM, the engineers who designed the PSN, the various CMSes used to run a multitude of public facing websites, and the internal network security of dozens of Sony offices around the world.

What happened is, Sony became a "cool" target. Part of it is due to their behaviour, part of it was to do with a successful high-profile attack against them, and a large part of it is to do with the herd behaviour of the groups that do this sort of thing. It makes them feel good, like they are fighting "the man", and it gives them a whole lot of attention, because defacing some other company's server wouldn't get merely as much press as another Sony victim.

Re:Being positive here... apk

[compro01]

SONY now knows 1 good thing from this: How to stop it from happening again on this and other sites/domains they own & host websites from.

How to stop this particular attack.

Available evidence suggests they have no shortage of dailyWTF-worthy screwups that people can continue to exploit.

Re:Being positive here... apk

[Opportunist]

SONY now knows 1 good thing from this: How to stop it from happening again on this and other sites/domains they own & host websites from.

Well, if the recent weeks told us one thing then that they do NOT learn anything from the penetrations. PSN was penetrated and they took it down, but it seems they didn't really learn much from it, since SOE followed. PSN went back up, only to be torn down again near instantly because it was AGAIN penetrated with an allegedly similar attack. And now that. An SQL injection, the one attack that can be prevented the easiest and with the least hassle (hell, there's even free frameworks for nearly every script language in the world that do it automatically for you).

I'd say if one thing's certain, then that Sony doesn't learn jack from the attacks.

SQL injection attacks fixed long ago

[SuperKendall]

I suspect that it will be a while before we see a real fix to the SQL injection problem as well.

It's called a paramterized query and pretty much every language on the planet supports this mechanism.

SQL injection is mostly a solved problem, except for programmers.

Re:SQL injection attacks fixed long ago

[plover]

Parameterized queries by themselves aren't the panacea that people make them out to be. They still allow attack code to be stored in the database. Bad handling of the data deeper in the application stack, where protections aren't expected, might still choke on the code. You need 100% of the SQL queries in the system to be parameterized. Even then, they do nothing to prevent other language injection attacks to pass through, such as XSS attacks.

As you say, it's a solved problem, if the programmers use it. And parameterized queries absolutely protect those particular queries from the malicious bastards, so I'm not knocking them in any way. I'm just saying that someone shouldn't naïvely claim "we're secure" based solely on that premise.

Re:SQL injection attacks fixed long ago

[Splab]

Indeed you can inject JS or whatever if data isn't parsed correctly, but using parametrized queries will at least never ever expose the users credit cards, username, passwords etc.

Re:SQL injection attacks fixed long ago

[yarnosh]

As you say, it's a solved problem, if the programmers use it. And parameterized queries absolutely protect those particular queries from the malicious bastards, so I'm not knocking them in any way. I'm just saying that someone shouldn't naïvely claim "we're secure" based solely on that premise.

I think that goes without saying. The GP just said that SQL injection is a solved problem.

Re:SQL injection attacks fixed long ago

[maxwell+demon]

You know, "we're secure against SQL injection" isn't the same as "we're secure". Of course storing non-SQL related things which might be used in other attack forms (like XSS) in the data base is completely unrelated to SQL injection attacks (unless the SQL injection is used to get that code in because otherwise the system is well secured against it). Just like it won't help your security if you protect against all sorts of attacks, but post your admin password on the main page.

Re:SQL injection attacks fixed long ago

[nstlgc]

You failed to refute his point that parameterized queries fix SQL injection attacks. Indeed it does not protect against XSS attacks, buffer overflows, aids, cancer and greed, but nobody claimed that it would.

Re:SQL injection attacks fixed long ago

[RyuuzakiTetsuya]

Parameterized queries still don't keep you off the hook from sanitizing your database inputs. Even if you're using something like the PDO object to generate and prep DB queries, in the end, MySQL's looking for a string for input.

The real solution is getting away from sending SQL queries to DBs in string format, as the root poster hinted at, but, sanitizing DB inputs really isn't the hardest job to do, nor is it the biggest problem we face.

Re:SQL injection attacks fixed long ago

[vegiVamp]

If your "deeper" code chokes on your data, it hasn't been coded correctly, and neither has your data insert mechanism. You never, ever, ever trust input. Ever. You validate and clean input as it comes in, before it goes into the database. If you're going to do things to data you get out of the database that could be dangerous - say, eval() it, you check it again when you fetch it.

Yes, that makes proper programming look like a lot of error handling. That's because IT IS, because that's the only way to prevent that kind of shit from happening. Live with it.

Also, XSS attacks through database-stored content, while also preventable by validating data input, does not fall under the header of SQL injection, and thus aren't expected to be stopped by bind variables.

Re:SQL injection attacks fixed long ago

[tequila13]

paramterized query

Now with SQL injection solved, if only we could figure out a way to make computers check the spelling ..

Re:SQL injection attacks fixed long ago

[SuperKendall]

Now with SQL injection solved, if only we could figure out a way to make computers check the spelling ..

The need for consistent spelling is the mark of a little mind - or a QA person.

Almost

[kimvette]

I almost feel bad for Sony.

Almost.

Sony

[SigmaTao]

*facepalm*

Re: the world's largest public penetration test?

[CyberDong]

Actually, I think it's Lisa Sparxxx at 919 guys.

Sony LCD TV one of the better ones.

[syousef]

Don't even bother with the Sony TVs. They do make some nice TVs, but so do Samsung and Sharp (Aquos anyway, their budget sets don't hold the same value proposition) for quite a bit less money. I can't think of a single line of Sony products that doesn't butt up against better and cheaper competition. They are just coasting and selling the name to people old enough to have bought their first nice TV 20+ years ago when Sony actually gave a crap.

When I was shopping for TVs last year the Sony was one of the better ones for input lag. Not great mind you. The Aquos was great for input lag but had terrible sharpening artifacts. It was like watching a cheap and cheerful Chinese brand TV and I couldn't stand it in the store so I didn't buy it. Samsung has become awful for input lag - as in unplayable on a console.

I ended up with the Sony 55ex500. Not a bad tele but some annoyances. Definitely would do better with a second tuner as the guide sucks, and some annoying bugs on the menu (like most recently watched channels don't work). Apart from these 2 annoyances and first unit replaced due to dead pixels in the first week, the TV has been trouble free and served my young family well. Great sound and picture (with minor tweaking to set up). Great fun with the Wii. Fantastic Bluray. Lots of inputs. (Some slight picture stutter in full res panning for some titles, even with 100Mhz gimmick, but livable). And it was the cheapest of the bunch. The geek in me also hates that you can't downgrade firmware - new firmware always a risk with the tele. If I could find better I would have bought it. I have no love of Sony.

What was striking was how bad input lag had gotten on most models, and how quality had gone down even quicker than price for all manufacturers. Few now have decent dead pixel policies.

Re:Sony LCD TV one of the better ones.

[drinkypoo]

How much time did you spend playing with the controls on the Aquos? Mine was a bit that way when I got it but I was able to tone it down. I had a 32", traded it for a compressor and air tools, and now we have a larger one in the living room. (The 32" was in my room, then it migrated out, then it was too small for the living room... it worked out great.) This set (which we got at costco) seems to have just one problem, getting input7 and input8 (both hdmi) confused on occasion. It would be hilarious if it weren't the single most expensive thing we own that doesn't roll. It's still kind of amusing since it rarely happens, is cleared up by a power cycle, and is the only blemish on an otherwise fantastic set. And it has the absolute minimum lag...

Re:Sony LCD TV one of the better ones.

[syousef]

I only spent a minute or 2. I didn't need to tweak the other TVs in the shop, nor was I confident that I would find a set of settings that would work well for all movies etc. It really was awful. ANY of the other sets - even the cheap ones - looked stellar compared to that grainy pixelated picture. I was horrified and ran a mile in the opposite direction.

I really do wish they'd fix those 2 issues on a newer firmware...but I'm not holding my breath. Sony seems to only take things away with firmware upgrades.

public penetration test

[n1hilist]

Heh heh, Sony's gettin' shafted!

Sony should have learned from Little Bobby Tables

[Cyberllama]

This never gets old to me.
http://xkcd.com/327/

Re:Being positive here... apk

[DI4BL0S]

it was AGAIN penetrated with an allegedly similar attack.

This is not true, The secondary attack was just resetting passwords from users that did not reset their password yet, made possible by the data stolen (email & date of birth) from PSN hack earlier. I saw this comming the second I read sony would force every user to change their password on first logon.

I love the smell of napalm in the morning

[ras]

Is Sony's network being used as the world's largest public penetration test?"

No more than HB Gary was.

To wit: This is the prescription for being attacked mercilessly, for months on end:

1. 1. Produce an item that is clearly advertised as having feature X, where feature X is useful only to really, really good programmers. You know - the ones who spend their time cracking the hardest problems using array of specialised parallel processors.
2. 2. Sell the item to lots of people, who hand over their money on the basis of having feature X.
3. 3. Some years later, withdraw feature X, so the all the software these people have invested years in creating is blown away.
4. 4. When said programmers then fairly legitimately, extract your secret keys so they can restore feature X, unleash a phalanx of lawyers to peruse them within an inch of their financial lives, until they recant.

At that point you will discover what sort of damage a bunch of really pissed off top notch programmers can do.

With luck all the other psychopathic mega corporations around the world are watching and learning. The lesson is simple: don't poke a hornets nest.

Re:I love the smell of napalm in the morning

[thsths]

> This isn't about other OS, it is about blocking people like you who don't think that they should have to pay for games. Freeloading pirate.

There seems to be absolutely no evidence to support this statement. The position of Sony on illegal games has not changed, but the position on other OS has. And the whole thing started just weeks after other OS was disabled - is that a coincidence? I don't think so.

Re:I love the smell of napalm in the morning

[Bios_Hakr]

If you build software on top of locked hardware, then you should *never* update the systems until you test what the updated will break.

Now, there may be a group out there that is concerned about not being able to replace failed units. But I doubt any *really* good programmers were bothered by a PS3 firmware update.

LULZ

[elucido]

Poor Sony.

Maybe if they cared as much about their customers as they do about profits and making money, this could have been avoided or at least negotiated. But now it's out of control. It's game over.

The hackers aren't going to stop. Sony needs to hire cyber warriors.

How does this even happen?

[rebelwarlock]

One of the first things you learn about web programming is to clean any string a user touches. If there's even a remote possibility that a user submitted something, clean it before putting it in your query. How is it even possible that someone would be given money for web programming before learning this? That's not even a rhetorical question; I'm genuinely interested in the answer.

Re:How does this even happen?

[Tei]

Maybe that was the first program written in PHP for the people that created this. Literally, the first program (even before a hello world), created even before the programmer learned everything else. Is even possible that the original author/authors have now the experience to know that you don't have to do this, but have never be able to go back and fix things. The "if is not broken, don't fix" is broken.

Re:How does this even happen?

[WuphonsReach]

Because 80-90% of the people out there think testing and QA is answered by the question, "does it work?". And they believe that as long as it works then it is written correctly.

Proper QA requires knowledge of the system and understanding the weak points. Then you construct test cases to break the software on purpose and make sure that the tests cover those weak points. It is not testing for success, it is testing to make sure it doesn't fail.

They probably wanted to save money

[elucido]

It's cheaper not to hire or pay for information security.

And when they do they probably don't hire the best. Let's face it, Sony is not innocent and I could care less what happens to Sony. I don't own Sony stock, I don't work for Sony, and I don't own any Sony products except for an old PSX. So I just don't care what happens to Sony.

Maybe other companies will now give a shit about information security.

Re:HAHAHAHAH!!!!!

[andydread]

+1 indeed. I too got a bad taste in my mouth when they got into the content production business. Back then I think it was their purchase of Columbia Records that started their downhill slide. Before that they used to make cool hardware and the fought many moons ago for consumer rights and the right to build unencumbered consumer hardware. I Remember getting Sony Style catalogs etc and wanting everything in it. I recommended and Sold many a Sony product over the years and now will not touch a Sony product nor recommend/sell their products to anyone.

testing whether Slashdot...

[BlueScreenO'Life]

... is vulnerable... ' ;  SELECT * FROM master.dbo.tables; DROP DATABASE master;

Re:testing whether Slashdot...

[Posting=!Working]

I know you were trying to make a joke, but since about 2-3 weeks ago, if I click my username in the top right, I get "The user you requested does not exist, no matter how much you wish this might be the case. "

It's just a theory, but I think the != in the middle of my username has something to do with it.

Re:testing whether Slashdot...

[jonamous++]

happens to me, too (++). If you use the character codes in the URL it works; for me, I have to use http://slashdot.org/~jonamous%2B%2B

Re:testing whether Slashdot...

[LearnToSpell]

I know you were trying to make a joke, but since about 2-3 weeks ago, if I click my username in the top right, I get "The user you requested does not exist, no matter how much you wish this might be the case. "

It's just a theory, but I think the != in the middle of my username has something to do with it.

I think so too, since your username appears to be 'Posting =! Working'

Re:testing whether Slashdot...

[Posting=!Working]

For some reason that didn't work for mine. However, I just found out that you can replace the username with the UID and it will pull up my comments.

this only needs to be done when changing the movie

[YesIAmAScript]

And to get a digital movie to play also requires security clearances and internet passwords, it won't simply play on any projector, you need to get it authorized. So not changing the lens at the same time is a problem with incompetence or sloth.

No, it isn't the Sony DRM giving customers an inferior product, it is the theaters. Analog projection showed us they don't really see image quality as a big factor in their business success. You were lucky to get a projector with the film held steady in the gate, well lit and in focus, so is it a surprise theaters don't take their responsibilities any more seriously for digital?

As a person who is sensitive to flicker (a bit) and to jumpy film images, I have to say the rock-steady images of digital (and with quite even brightness usually too!) is not an inferior product. It's a greatly superior product. I don't know who is making the projectors I'm seeing though, could be Sony, could be anybody.

I really *really* wish...

[Zapotek]

...they used my scanner. It would be so fitting. Sony BMG Greece hacked by a vulnerability found by a scanner written by a Greek dude.
That would be completely worth the development effort.

Only six?

[RyuuzakiTetsuya]

I'm going to stop being a blatant sony fanboy and defend the ridiculous shit they've done, but, only six?

between PSP releases 1.50 and 6.20, there's way more than just six points for the hacker team.

But should not encourage laziness

[Kupfernigk]

Obviously a parameterised[sic] query prevents the most obvious forms of injection attack, but it alone does not protect against everything. Although it can be tedious, all data returned in forms should really be checked for syntactical legitimacy. Apart from anything else, this makes it easy to distinguish between accident and malice, and so know when to pop up a box saying "please check that the contents of each box make sense before clicking Submit" and when to put up a 404 and block the IP for a while. On a large commercial website, the development cost per submission is quite low, and failing to validate data is a stupid corner to cut.

Hit a Honeypot ?

[What+the+Frag]

http://pastebin.com/WqLysjiN

If these is actually an excerpt of the actual data, then it looks like test data for me. Look at the passwords. They repeat a lot but grouped with ascending order. For example in the middle of the file there are a lot of "123456" passwords, but nowhere else. As the data seems to be ordered by u_usr this seems to be very unlikely.

Re:this only needs to be done when changing the mo

[makomk]

And to get a digital movie to play also requires security clearances and internet passwords, it won't simply play on any projector, you need to get it authorized.

The normal theater staff have the authorizations for that, though. I'm not sure what Sony, theater chain or distributor policy is on giving access to projector innards, and I suspect this is a closely guarded secret.

Re:could NOT care less!!

[Lillebo]

endlessly

ftfy

Hell yes.

[Stone2065]

Yes... yes it was... as it was funny as shit. :)

less THAN you do

[starsky51]

Think about it.

Re:could NOT care less!!

[maxwell+demon]

For the love of God, the saying is COULD NOT CARE LESS!

But he could care less: He could care so little that he wouldn't even bother to post about how little he cares about it.

Warning: Spoiler

[Eevee]

In the Robin Hood stories, Little John was actually a rather large person.

Re:Warning: Spoiler

[smelch]

Just because a phrase becomes idiomatic and loses its full context when spoken or written does not mean you need to get on the internet and "correct" people for using the idiom simply because you do not understand where it came from.

In other news, when people say they "literally" did something when obviously they didn't, they don't misunderstand what the word "literally" means, they are just exaggerating. By correcting them you either come off as a jackass, or you come off as somebody that really struggles with the meaning of the word yourself.

Nothing is worse than a know-it-all who doesn't.

Sorry, but..

[mcgrew]

Anybody who trusts Sony after all the various customer-rapings Sony has committed in the last ten or fifteen years deserves to have their data stolen.

Fool me once, shame on you. Fool me twice, shame on me. If you buy Sony you're begging to be abused.

Dear Sony....

[Lumpy]

How is that new PR plan going?
was it really a good idea to make everyone hate you?

Irony

[Gi0]

One user, when he registered in Sony's site, entered this "8elo pl na ma8o pios diavazei ayta ta e-mail" which is greek for "i would really like to know who's reading these emails".

I'll get my coat

[queBurro]

sql injection? since it's a greek site maybe they were only worried about... trojan horses?

Re:could NOT care less!!

It comes from the full phrase "I know naught and could care less." So when people say they could care less, they mean they could care less than naught. People who are unfamiliar with the classics hear "I could care less," and get confused and angry because they aren't familiar with the actual quote. But their anger just displays their ignorance. "I could care less" is the original and correct, and "I couldn't care less" is the ignorant "correction."

Obligatory

[Willtor]

Little Bobby Tables' mom strikes again.

Re:Obligatory

[Tetsujin]

Little Bobby Tables' mom strikes again.

I guess those kids at school actually were right, when they said his mom was at the center of the biggest public penetration test ever performed.

Re:could NOT care less!!

[bipedalhominid]

Ok, I don't care very much at all. That still leaves plenty of room to care even less. Am I right? Besides saying "I could care less", sounds way cooler than I could care even less. It just rolls off the tongue so well that it has become the way to express this particular sentiment. This is about the Cool Hand Luke factor not being technically accurate.

Re:could NOT care less!!

The original phrase is "You know nothing and you care less, as people say." (Mansfield Park (1815), which precedes the usage of "couldn't care less" by about 130 years ("couldn't care less" became a popular phrase in the 1940s). It's the people who think they're being grammatically correct who are wrong on this one.

Re:could NOT care less!!

[bipedalhominid]

I could care more but I find myself caring less. Could not you just say I couldn't care less?

Sony and the Internet

[TheNinjaroach]

Sony just doesn't get it. They don't know how to do business online. The internet has been a pain in the side of their movie and record labels, so Sony neglects it as much as they can get away with and this is what happens.

Secure in all the wrong places....

[ThreeDeeNut]

What I find most intriguing in all of this is that "security of their product" is more important than the "security of their customers information". I mean seriously how many millions did SONY spend on securing their music, videos, and other "media". I forget what device it was but I remember my last SONY product was one where the data could only be read by a SONY reader... I think it was a voice recorder I bought for a client. None the less, their products are secured from the user, but the user is not secured at all. Maybe if they spent the money they wasted on DRM on securing their network and innovating like they did in the past they would be a viable company, but i guess that being greedy got in the way of their profits. Didn't they recently try and jail/sue some kid for modding his PS3? I mean seriously, shame on you SONY. Get your house in order and try to remember that your customers wants and needs dictate your ability to do business. Your profits will soar if you bring back your old ways of being innovative, delivering quality and most importantly delivering what the customers want. Your lawyers and money guys should be the ones jailed for your pathetically weak grip on reality. Forcing people to buy your crap will never equate to growth... instead it will be a slow downward spiral like a dookie in a toilet bowl. On the topic of DRM also, wasn't it sony who's profits soared through blank cassettes? That was thinking outside the box and winning on both sides of the coin. DRM, suing modders, proprietizing every piece of media (ie: mini-disk, memory stick, etc) is certainly the fastest way to the bottom of the bowl. JMHO As for HiFi audio, SONY never peaked my interest... I went Denon long ago and ill prolly never go back.

One phrase:

[MarkVVV]

What goes around, comes around.

The real score

[AdamHaun]

Hackers: 6, Sony customers: 0

Let's not lose sight of who's actually being hurt here.

Re:could NOT care less!!

[garyebickford]

Hmm. I think that the result is two phrases that are both OK.

"I couldn't care less" is a perfectly reasonable, grammatically and logically 'true' statement (if said truthfully.

"I could care less" is a shorthand phrase derived from a longer original phrase. It can also be considered as assuming a prepended "as if", which adequately describes its ironic character.

So, they're both right! :D

Of course, I could[n't] care less. :)

Re:could NOT care less!!

[doccus]

You might be interested to know, that i received a failing grade in a post-secondary essay, in large part because the *english* teacher was insistent that the correct term was 'could care less' .. over my protestations.. my insistence that *he* needed a refresher is what led to the less than stellar grade (!)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Sony should have learned from Little Bobby Tabl

[Cyberllama]

Whoever modded me down as redundant really should have noticed that my post was 40 minutes before the other one. The other just happened to be in response to one of the first threads posted. Bah, oh well!