Sony Suffers Yet More Security Breaches
Oldcynic writes "As Sony struggles to restore the Playstation Network we receive news today of another breach, this time at Sony Ericsson in Canada. 'Sony Corp. spokesman Atsuo Omagari said Wednesday that names, email and encrypted passwords may have been stolen from the Sony Ericsson Canada website, but no credit card information was taken.'
Another group managed to penetrate Sony Entertainment Japan yesterday as well. I almost feel bad for them.
I've always said that Sony is the most control-freak tech company in the world (making even Nintendo and Apple look sedate by comparison), a company that would happily shoot itself in the foot rather than lose even an *inch* of control of its media, its IT, or its technology.
From the rootkit fiasco, their obsessive lockdown of Blu-ray (which of course was cracked), and (many) assorted other lawsuits, Sony has established itself as the kind of company that would happily put a spy camera in everyone's home to make sure that no one is watching a pirated copy of Spiderman 3 (though why anyone would want to watch even a free version of that or just about any other Sony movie is beyond me).
But now they've removed a little-used and fairly innocuous Linux feature from the PS3, and then busted a guy who jailbroke the machine in response. Not only did they send in thugs to kick his door down and take all his shit (then strongarm him into admitting guilt to something that, before the DMCA, wouldn't even be considered a crime), but they even went as far as to try to force ISPs to hand over the identities of everyone who even DISCUSSED the hack on his website or blog.
Well, was it worth it, Sony?
SJW: Someone who has run out of real oppression, and has to fake it.
Somewhere out there, there's a hacker with a world map and a bunch of pins. Also, an intense dislike of Sony.
It's not sad to see this happening considering their reputation for the past 10 years. You cannot continually screw your revenue sources and expect to remain on top of the pyramid. Eventually it will all fall out from underneath you, one way or another.
Period.
After it was discovered that Sony was installing rootkits on people's machines, Mr Thomas Hesse, president of Sony BMG's global digital business said, "Most people I think don't even know what a rootkit is, so why should they care about it?"
They are just taking the same approach to Security, since they don't know what it is, why care about it?
the fucking you get for the fucking you get.
Having to work for a living is the root of all evil.
From TFA:
"E-mail, password, and names of thousands of users were exposed via text file"
Why...why...WHY do people still insist on plain text passwords? Have these people ever heard of a hash? There is 0 reason ever to store a plaintext password, end of story. Anyone who designs a system that stores passwords in plain text should be fired on the spot.
Monstar L
This is what you get
when you mess with us.
-- Karma Police
Seriously, how long until Sony head office just tells every department to yank their network cables until a full security audit is done? This is just embarrassing at this point.
I wonder if this rise in internet vigilantism is going to birth a corporate-funded internet version of the Pinkertons, i.e. a group of black hat hackers paid by big corporations to hunt down and ruin groups like Anonymous through less than legal means.
Feel bad for them? The fuck? "They" are a corporation, whose only reason for existence is to make money. Sure, there might be individuals working there with morals, but the company itself has none at all--regardless of what US law says, it's not a person.
This corporation has spied on, sued, made vulnerable to other attacks, and bullied its customers, potential customers, competitors, and little bald children with cancer who were lying in a bed that Sony had to put its muddy boot up on to tie its laces. And, probably because it thought it could get away with overworking or undertraining its net admins, it cut corners when it came to security. The security of its customers' credit card info. Who, after all the bullshit Sony pulled, still paid for their shit, and put their credit at risk, unlike those who "stole" from Sony, who won't have what they bought taken away at the first whim, who aren't badgered every time they want to watch a movie on a different device, who don't have to sit through unskippable guilt-trips and FBI warnings, and don't have to pay again when the disc gets scratched.
Almost feel bad for them? Ha! I'm not even close to feeling bad for them. There is no possible amount of "suffering" that could make me feel bad for them. Call me when Sony wakes up one morning with a pain in its left arm and is forced to face its own mortality.
<xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
Sony is more or less the king of DRM. Why not apply some of it to their own servers?
DRM = Digital Rights management
They should keep the Right to screw with their servers to themselves
Every time there are attacks against those who impede freedom, it's always used as ammo for the corporation to do more or retro-justify their actions. I can't imagine Sony going back on to allowing the "Other OS" option, although not their first act of douchery, it seemed to have ignited this wildfire.
*Aibo
I get it, they've done a ton of unpopular things, but what has all of this hacking done? Do they really think it's made them think twice about potentially unpopular business decisions? Are a ton of other hackers just jumping on a bandwagon because they can? Do you think that losing all that money will inspire them to do good by their consumers? I can only speculate as to the true intentions of the hackers out there, but it kinda bothers me when I get the impression that people are doing this to "get back at them for something they did that I don't like or agree with." If that's really the case, I wish they would just get over it already and move on. I am personally getting sick of reading about Sony.
Pretty Shitty Network
Good to see their failure to correctly prioritize who is important (the actual Customer) is beginning to cause them problems.
Agree. Sony has screwed more kids than the catholic church.
If you mod me down the terrorists will have won
...some group(s) has been sitting on these security holes for a long ass time now and is only just now taking them out. One after the other, blow after blow, so the world sees them failing constantly.
There's something oddly recursive about that statement.
Please subscribe me to your newsletter.
calc.exe tells me: 173000000/77000000=2.2467532467532467532467532467532 So, how is it that this is costing Sony a little over 1% of Ponemon's estimate?
Let me give you the real quote here: "E-mail, password, and names of thousands of users were exposed via text file on Pastebin.".
Sony bashing time again ?
I DO feel bad for myself and all PSN users. SONY should have -- and most importantly, could have -- done better.
It's almost eerie...
They're either...
1- Very incompetent on the security side
2- Very unlucky
3- Pissed off the wrong people
I think 1 and 3 pretty much covers it...
IMO, I think someone is after blood, and it won't be pretty...
I've got better things to do tonight than die.
They're going to try and release another game system again, but they need a little less competition. ;-D
Let's face it. If it is connected to the internet it can be hacked by outsiders. If it isn't it can be hacked by insiders. It is no different than banks. We hand them our money. It doesn't matter in the least to me if my bank is robbed my money is protected. Obviously we need some similar protection with our data.
Is buying a Harley Davidson as your first motorcycle since you were 16 at age 49 a midlife crisis issue?
I think the apt expression in this case is -
You reap as you sow.
I guess I should have used the preview button.
The stop condition is "when a fucker that fucks someone that ain't fucked over anyone, in a particularly upsetting manner, in recent memory, gets fucked, the fucker fucking this fucker doesn't deserve to be fucked."
It's simple. A child could understand it.
Emotions! In your brain!
Sony: Where security is our last priority.
Saying your "phone ran out of batteries" is like saying your "car ran out of gas tanks".
If the passwords were properly hashed (with a good salt) and were strong enough such that a dictionary attack couldn't break them, you wouldn't have 'thousands' of leaks.
I don't feel bad for Sony. They have sued enough people to pay all of these damages and then some. This is the exact reason they are getting attacked. If they weren't jerks to start off then people might have a little respect for them. Since they don't care about people, people don't care about them! That is just the facts.
The stop condition is "when a fucker that fucks someone that ain't fucked over anyone, in a particularly upsetting manner, in recent memory, gets fucked, the fucker fucking this fucker doesn't deserve to be fucked." It's simple. A child could understand it.
Certainly shows the versatility of the word...
Is it ever a woman's fault that she gets raped?
No. Blame rests with the people who perform the illegal action.
What if she dressed provocatively?
Still not her fault.
What if she dressed provocatively and was in a bad part of town late at night?
Still no. There may have been some bad judgement calls on her part, but it's still not her fault.
What if other people warned her that it was the bad part of town and she might be at risk if she went there?
Okay, she was definitely showing bad judgement, but still not her fault.
What if after being told that she went to that part of town, late at night, dressed provocatively, and started slapping anyone she felt "looked like a thug" and dared them to rape her?
Well...
And last week she ran over your dog, and when it looked like he might have gotten off with just a broken leg she put the car in reverse and backed over him again?
Okay, it's never a woman's fault if she gets raped, and you really shouldn't wish it on anyone. But there comes a point where if you take a certain amount of glee in bad things happening to people who've been total asses to you and have been engaging in clearly reckless behavior then i think you can be forgiven for your technically inappropriate response.
no corporation anywhere takes security seriously*. This beat down is hopefully a big enough event to make other companies realize collecting personal information has a liability associated with the revenue stream. I'm not naive enough to hope that corporations will start caring about security. Maybe if the gov gets involved and passes 'lemon laws' for software we can get some quality/security.
*defense contractors are an exception because their revenue, right now, in front of their face, is dependent on security.
Okay, Sony has done some pretty crappy stuff. But what I can't stand is these people who are saying Sony is getting what's coming to them by being hacked. In case you haven't been reading, the Sony hacks are stealing PERSONAL INFORMATION. This isn't about Sony, this isn't about 'getting even', this is about some jerks with too much free time and too little morals trying to get a quick buck by screwing over Sony's customers. It's like Robin Hood decided to steal from ordinary citizens who paid taxes to the king because they support the king, then buys himself a HDTV.
tldr: Hackers are targeting Sony to steal customer information not to 'get back at Sony'
Not referencing attacks on Sony, but the actual act of hacking them has become mainstream. I'm sure it's funnier from our side than theirs.
As much as Sony seems to attract this kind of attention, maybe "secretly enjoy" would be more accurate.
What I'm seeing is a bizarre attention-seeking behavior, playing into a victimization mindset.
IANAP (I Am Not A Psychiatrist), though. Just reminds me of a lot of dramawhores I've known.
Welcome to the Panopticon. Used to be a prison, now it's your home.
The bad guys heard in the news, "Sony hacked -- Cause: Unpatched Apache web servers," and just realized, "Holy shit that's the dumbest thing ever! Sony is totally crackable; Let's go crack the other vulnerable Sony servers -- If they were dumb once, they were likely dumb all over the place!"
Granted, pissing off a bunch of hackers/crackers is not a smart move, but being known for having poor security practices is even worse.
The stop condition is "when a fucker that fucks someone that ain't fucked over anyone, in a particularly upsetting manner, in recent memory, gets fucked, the fucker fucking this fucker doesn't deserve to be fucked." It's simple. A child could understand it.
I'm glad you like the word "fuck"; however, it has clouded your logic. You just said: when someone who doesn't fuck any others has recently been brutally fucked, the person that fucked the innocent person does not deserve to be fucked.
In short: The Bad guys can hurt innocents, and the bad guys don't deserve any retaliation. I don't think that's anywhere close to a stop condition. I think that spawns a new train of fuckers fucking, or at least one new fucker, due to the revenge said innocent is likely to seek, and or promote others to seek on the Innocent's behalf.
I suggest using fewer expletives; it may help you express yourself more clearly.
As someone who's worked inside a high-tech multi-billion dollar company's security team, let me share the company psychology when breached. The first hole found in the infrastructure that was used to penetrate it causes mayhem. It is all hands on deck. Then someone finds another hole with similar severity. More mayhem. More hands on deck. As more holes are found, indifference sets in, because at that point IT knows the problem is systemic and would require senior execs to admit incompetence. So IT tells the business this is a long-term project (read: cannot be fixed) and they just have to suck it up. Some band-aids are applied, a multi-million dollar project is spun up, more employees are hired (under the same incompetent bosses) and everyone lives happily ever after.
This makes me want to return to the old days. You know... A time when some people setup or rented a game server out of their own pocket so everyone could have fun. The only thing you had to worry about back then was if an admin kicked you off for acting like a fool or you got caught cheating and you got banned. They didn't even know who you were.
Thanks to Sony and some of the other game companies, they saw profit in that free online play and killed off the game communities by removing the server code or crippling it so badly it wasn't fun anymore. They got rid of the game communities that cared about fun and not profit.
So now when you play online you have to worry about identity theft and your credit card number being stolen. Gee, that's great. But if you think for a moment that this is only a Sony issue, you are fooling yourself. Sony is just a public target at the moment to get people to rethink doing business with Sony. So what about the others? Who is out there not looking for publicity? Just someone looking to get into your wallet. But most people are sheep, and as soon as the press loses interest they will still give Sony whatever Sony wants, just like they will trust EA, AcT and all the others.
Those free servers we all used in the old days don't look so bad now. All they recorded was your GUID, an IP and your NIC. Makes whining about privacy invasion because someone could look at your stupid dynamic IP and your handle seem rather lame now. Those same idiots bought consoles. Gotta love those consoles. Good choice... Pffft
If it kept on, /. will have to create a "Sony hack of the week" section
Sony may not be a pristine white angel, used excessive measures for protecting their intellectual property, and retracted a few features that made their products more appealing to the geeky part of prospective customers. But this, this is going way way too far. What would we do without Sony if they were to wither and die under all these attacks? Whoever is behind this obviously is no longer trying to hurt Sony, but crush them while they are down licking their wounds.
here's my 1/2 assed attempt at the legendary template:
(BTW - the filter almost prohibited me from posting this!)
(Inevitably, in every thread about Sony, someone proposes a reason with one or more flaws. This is a handy form that passes the lameness filter and that can be reused for all such posts to save time! It does not specifically address all possible flaws and may be expanded in future versions.)
Your post advocates a
( ) technical ( ) legislative ( ) market-based ( ) vigilante
approach to arguing for/against Sony. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which vary from state to state.)
( ) Sony is a corporation that has no heart, and apparently no head/brains either.
( ) Sony is an entity that exists all over the world in every country.
( ) As noted above, also have far reaching arms of the law.
( ) Is known to haplessly sue any individual/website/company that may violate its opinion of use of their products.
( ) Organizations such as Anonymous will only enable further actions
( ) Organizations such as Anonymous will be used as a scapegoat for attacks
( ) Grey hats will test their network, upon finding quantity of holes will become blackhats and obtain more money from those interested in users data.
( ) Users of PS3s will not put up with it
( ) Users of PSPs will not put up with it
( ) Users of PCs will not put up with it
( ) Requires too much cooperation from law enforcement
( ) Requires cooperation from too many of your friends and is counterintuitive
( ) Requires immediate total cooperation from everybody at once
( ) Anyone could anonymously destroy anyone else's career or business
( ) Ideas similar to yours are easy to come up with, yet none have ever worked
( ) Other:
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Legal precedence in previous court actions
( ) Lack of centrally controlling authority for Sony
( ) Open relays in foreign countries
( ) Asshats.
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment
( ) Susceptibility of protocols other than * to attack
( ) Willingness of users to install OS patches received by Sony
( ) Armies of worm riddled broadband-connected PS3 Consoles
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of break-ins
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of crackers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook.
( ) Other:.
and the following philosophical objections may also apply:
( ) Any scheme based on opt-out is unacceptable
( ) Hardware should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) Plaintext Databases suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures cannot involve wire fraud or credit card fraud
( ) Countermeasures cannot involve sabotage of public networks
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my game stats
( ) Killing them that way is not slow and painful enough
( ) Other:
My past experience with Sony items marked below are partially/entirely the basis for my reasoning:
( ) betamax tapes
( ) walkman
( ) discman
( ) radios
( ) stereos
( )
My abilities are only limited by my imagination
You know, there is a class of software where YOU have control of what feature goes in or out of it.
(And that isn't a Soviet Russia joke, although "In Soviet Russia your software controls YOU!" is quite interesting.)
Rethinking email
They didn't have these problems before Howard Stringer took the helm. Sony might be doing okay in the area that's his specialty: recorded entertainment, but it's been gasping technology-wise. Dump him.
I am a PS3 fan, I love the games, I was wary of Microsoft and the 360 after them completely disowning the Xbox 1.
I own over 20 legitimate games for my PS3, I own several PSN games.
Fuck Sony, they pushed and they pushed and they took things away, they litigated the shit out of Geohot (who was a scapegoat, a group of hackers had a 90 minute video on how to hack the PS3 weeks before Geohot released the code)
They deserve all the shit they get, they continue to piss on the community. ALL I wanted was XBMC for my PS3, it's all I ever wanted but they took away the linux loophole (2 years ago) they took away linux (6 months ago) their attitude stinks and they deserve all the shit they get.
Don't antagonise the hackers; these idiots basically put a stick in the bees' nest and wondered why they got stung.
If you can pick or control the overall authentication protocol, it would be even better to only store the s and v parameters from the Secure Remote Password (SRP) protocol. Pick a good underlying hash function H(), such as in the parent post. SRP uses some fancy zero-knowledge proof / public key algorithms (fairly interesting if you study it) to significantly reduce attack cross-sections for a much wider range of attack scenarios than just a hashed password, even when the password is weak.
Unfortunately, the most common situation is a web browser using http or https, and I don't know any way to use SRP properly in that context. Perhaps implement a secure tunnel on top of http in javascript and send all data through that, but that is totally tedious and impractical, probably can't work with images, and doesn't prevent a MITM (man-in-the-middle) attacker from replacing the javascript in a way nearly impossible for either end to detect.
Someone ought to define a way to delegate a web app's password validation to the SSL layer of the https connection, which would then use SRP to do the validation. Find ways to make it hard for an attacker to force a downgrade to less secure authentication, for example by making the browser remember which web sites have used SRP in the past, and refusing to use weaker authentication protocols for them ever again. Done well, this would also reduce vulnerability to should-not-have-been-signed fraudulent certificates.
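The SRP exchange the comment above describes, written out as an added example (not code from the post or from any Sony system): enrolment stores only the salt s and verifier v, the client proves knowledge of the password without sending it, and both sides derive the same key K. The group N, g is the 1024-bit one from RFC 5054 Appendix A, H() is SHA-256, and the account and passwords are constructed demo values.

```python
"""SRP-6a password-authenticated key exchange (arithmetic per RFC 5054 / SRP-6a)
in pure Python. The server stores (s, v) only; the password never leaves the
client, and a correct password yields the same session key K on both sides."""
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A, with g = 2. It is the
# smallest group in that RFC; pick a larger one for real deployments.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Left-pad an integer to the byte length of N (the PAD() of RFC 5054)."""
    return n.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    """The underlying hash function H(): SHA-256 here; any strong hash works."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N, g)


def private_x(username: str, password: str, s: bytes) -> int:
    """x = H(s | H(I ":" P)). Never stored; the client recomputes it each login."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(s, inner)


def enroll(username: str, password: str, salt: bytes = b""):
    """Registration: the server keeps (s, v) = (salt, g^x mod N), not the password.
    A leaked (s, v) table still allows offline guessing of weak passwords, so the
    choice of H() and the password policy still matter."""
    s = salt or secrets.token_bytes(16)
    return s, pow(g, private_x(username, password, s), N)


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)  # A = g^a, sent to the server


def server_start(v: int):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N  # B = k*v + g^b, sent to the client


def client_key(username: str, password: str, s: bytes, a: int, A: int, B: int) -> int:
    if B % N == 0:
        raise ValueError("server public value B is invalid")
    u = H(pad(A), pad(B))  # scrambling parameter, binds both ephemeral values
    if u == 0:
        raise ValueError("scrambling parameter u must not be zero")
    x = private_x(username, password, s)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(pad(S))  # session key K, client side


def server_key(v: int, b: int, A: int, B: int) -> int:
    if A % N == 0:
        raise ValueError("client public value A is invalid")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return H(pad(S))  # session key K, server side


def handshake(username: str, password: str, s: bytes, v: int):
    """One SRP-6a exchange against a stored (s, v); returns (client K, server K)."""
    a, A = client_start()
    b, B = server_start(v)
    return client_key(username, password, s, a, A, B), server_key(v, b, A, B)


if __name__ == "__main__":
    # Constructed demo account; the server stores s and v only.
    s, v = enroll("alice", "correct horse battery staple")
    ck, sk = handshake("alice", "correct horse battery staple", s, v)
    print("keys match:", ck == sk)
    ck, sk = handshake("alice", "wrong password", s, v)
    print("wrong password rejected:", ck != sk)
```

In a real deployment each side would also send a key-confirmation message (H of A, B and K) so the server never accepts a session whose K does not match.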
The problem you're describing stems purely from your misuse of the concept "community" where it's inappropriate as well as the similar wrongful misidentification of and inclusion of Anonymous.
Many, including anyone who is a "blackhat", know that the group classification "blackhats" (plural) is nothing but separate "individual" points of interest sharing nothing but their (non-)ethical stance on use of (information technology) tools and methodology.
There is no community. There might be, at most, accidental collaboration, intentional trade, and business networking, but these things do not make a community except to lazy minds.
As to Anonymous it is nothing so simple as "blackhat" or "whitehat" or even "greyhat". Nor is Anonymous a community in the sense that a community is a stable group of likeminded codependent cosupportive individuals. Anyone who has been up and close with Anonymous and experienced the torrent of seemingly brownian motion of signal and noise that makes its "body politic" should understand that these things are antitheses to what Anonymous is.
Anonymous is a meta-attack and a meta-defense, a proto-hive, a hyper-consciousness, a mind-meld: Anonymous includes everything and the "strongest" most atomically approved of and supported "thoughts" direct it. Anonymous is will.
The "actions" of Anonymous are nothing but wave-tops in fluid refraction patterns of "thoughts" where every individual and resource makes the sea.
That's why you are Anonymous if you wish. That's why Anonymous must be legion. That's why Anonymous can't ever forget.
Anonymous is a nothing enabling anything, an anti-structure, and if one understands this one will also understand that Anonymous is both always and never misused. If it makes it easier feel free to think of Anonymous as an unlimited magic eightball that anyone and everyone can add notions to and continually shake as much as they want and obey as they wish when they wish. And sometimes that gives effects, i.e. it "works".
Anything Anonymous has ever done has been polarizing: one either supports it or opposes it, anything that ever has merit or a lack of merit is polarizing, any Anonymous channel is polarizing, both signal and noise is polarizing, everything in Anonymous is a splinter, is a fracture, and it is supposed to be that way. But if you seek out Anonymous, even if you are only lurking or taking notes for others then you have become a tiny part of it, adding to the mass of the sea.
If one wanted to try to destroy Anonymous one would have to structure it, order it, smooth out the creases, regiment it. And even then one would have to do it completely and without failure in a very short amount of time in order to "crystallize" it or one would fail. Noise can be signal, "signal" and "noise" only depends on what you are interested in hearing, it is not intrinsic but subjective.
Anonymous had to happen sooner or later, it is part of our "technologically evolutionary" pathway.
Expect us, after all you are already here :)
Not very likely except as mere tokens of evolutionary selection and pressure. There have so far been exactly 2 trials of suspected Anonymous participants despite the private and public availability of many thousands of IP addresses, and neither verdict was directly related to Anonymous participation but instead to botnets. Everything else is just soup and cold, increasingly irrelevant, silently degrading, and meaningless data of the "because we say so" kind that is at best circumstantial evidence to a good lawyer and a direct insult to any technologically savvy judge and jury.
By the way those two verdicts did not truly result in any significantly detrimental effects to the accused; a slap on the wrist and a legal ruling saying that in their jurisdiction DDoSing is not criminal...
You don't think there are countries supporting the attack on Sony, countries looking the other way, countries in effect ignoring any Sony request, and countries without any ability to meet any Sony requests?
It's not like we're talking about spam-king creeps where the mail server has to be backtraceable and more not to automatically be classified as spam.
There are about 200 countries in the world and millions of nodes. If you do things right over 9000 hops is no problem and you can have the payload change appropriately at each hop to even defeat a hypothetical internet-wide simultaneous packet inspection, protocol limitations are easily avoided, there is no reason not to establish private gateways, no reason not to use protocol translation or subvert others to automatically do it for you without human intervention, no reason not to use and loop through all kinds of networks and transient nodes, no reason not to use innocent public facilities as one-to-many or many-to-one triggers and sub-node redirection points.
Good luck unwinding that!
and we'll end up with as much on-line privacy as one taking a dump in a transparent toilet in Times Square. Anonymity will be a felony and all our traffic will be routed through Morality Police / Think of the Children Central.
The moment the innocent seeks revenge, he ceases to be innocent.