Slashdot Mirror


Sony Suffers Yet More Security Breaches

Oldcynic writes "As Sony struggles to restore the PlayStation Network we receive news today of another breach, this time at Sony Ericsson in Canada. 'Sony Corp. spokesman Atsuo Omagari said Wednesday that names, email and encrypted passwords may have been stolen from the Sony Ericsson Canada website, but no credit card information was taken.' Another group managed to penetrate Sony Entertainment Japan yesterday as well. I almost feel bad for them."


  1. Was it really worth it, Sony? by elrous0 · · Score: 5, Insightful

    I've always said that Sony is the most control-freak tech company in the world (making even Nintendo and Apple look sedate by comparison), a company that would happily shoot itself in the foot rather than lose even an *inch* of control of its media, its IT, or its technology.

    From the rootkit fiasco, their obsessive lockdown of Blu-ray (which of course, was cracked), and (many) assorted other lawsuits--Sony has established itself as the kind of company who would happily put a spycamera in everyone's home to make sure that no one is watching a pirated copy of Spiderman 3 (though why anyone would want to watch even a free version of that or just about any other Sony movie is beyond me).

    But now they've removed a little-used and fairly innocuous Linux feature from the PS3, and then busted a guy who jailbroke the machine in response. Not only did they send in thugs to kick his door down and take all his shit (then strongarm him into admitting guilt to something that, before the DMCA, wouldn't even be considered a crime), but they even went as far as to try to force ISPs to hand over the identities of everyone who even DISCUSSED the hack on his website or blog.

    Well, was it worth it, Sony?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Was it really worth it, Sony? by somaTh · · Score: 4, Funny

      Sony has established itself as the kind of company who would happily put a spycamera in everyone's home

      So THAT's what the PlayStation Eye is for!

      --
      Nostalgia isn't what it used to be.
    2. Re:Was it really worth it, Sony? by rotide · · Score: 4, Insightful

      I wouldn't call it retaliation, per se. I'd more be inclined to describe it as a company that everyone who likes to "penetration test" sees as a fun target now. They pissed certain people off and made a certain amount of headlines and eventually they hit "critical mass" with the "hacker community". Sony keeps fixing things and the "testers" are having a good time showing the world that they are still vulnerable.

      Sony is being forced to play a game where the other side has the better toolset.

    3. Re:Was it really worth it, Sony? by malacandrian · · Score: 2

      ...admitting guilt to something that, before the DMCA, wouldn't even be considered a crime...

      There are indeed many things in life that were not illegal until they were.

    4. Re:Was it really worth it, Sony? by TheGratefulNet · · Score: 3, Interesting

      but you have to realize: in a war, 'precise bombing' is not always possible.

      if the hackers that are pissed off are just attacking sony any way they can, it's not hard to imagine that others who 'touch' sony will also get hurt. ie, their users and customers.

      I long ago stopped buying and supporting sony things. my way to fight back is to just stop buying. but kids today who think that sony is 'evil' in the most literal sense of the word might go to any lengths to seek revenge.

      there IS a lesson here. the teenager who gets pissed off at the world and wants to seek revenge is not something you can directly fix. the way to fix the problem is stop pissing off your customers in the first place.

      sony, culturally, probably won't understand a word of this. I expect the 'war' to continue for quite a while.

      gee, just like the 'grownups' kind of wars. just like it.

      --
      "It is now safe to switch off your computer."
    5. Re:Was it really worth it, Sony? by _Sprocket_ · · Score: 3, Informative

      ...admitting guilt to something that, before the DMCA, wouldn't even be considered a crime...

      There are indeed many things in life that were not illegal until they were.

      That is actually a fundamental concept in law - whether one has inherent rights and law adds restrictions or whether one's rights are expressly granted by law.

    6. Re:Was it really worth it, Sony? by DurendalMac · · Score: 5, Insightful

      Yeah, but it's just getting excessive now. When Moe pokes Curly in the eyes, it's funny. When Moe beats Curly to death with a lug wrench and then dismembers him with a chainsaw, then...well, actually, it's still funny.

      Carry on.

    7. Re:Was it really worth it, Sony? by cpu6502 · · Score: 5, Informative

      >>>>>If someone could resurrect the innovative Sony of the mid-to-late '70s
      >>
      >>Sony has always just been the 'reliable brandname' on equipment from a company big and powerful enough to roll in the innovations that other entities have pioneered in.

      I believe you're mistaken.
      Sony is the company that invented videocassettes (U-matic and Betamax). Sony is the company that invented Betacam. The 3.5 inch floppy. The Compact Disc. Rewritable magneto-optical discs. THAT'S the company the grandparent poster was talking about when he said "innovative".

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    8. Re:Was it really worth it, Sony? by h4rr4r · · Score: 3, Insightful

      So instead of fixing their security issue they decided to steal value from consumers. What a wonderful company.

    9. Re:Was it really worth it, Sony? by CharlyFoxtrot · · Score: 2

      Hate to say this, but Apple is the new Sony. Steve Jobs will as much as admit it. He loved Sony like we all did back in the day of Trinitrons and Walkmans. They made GORGEOUS hardware.

      Great article discussing just that here.

      "Alan Deutschman, Reynolds professor of business journalism at University of Nevada-Reno and author of "The Second Coming of Steve Jobs" -- the definitive unauthorized biography of the Apple CEO -- notes that from his early twenties on, Jobs had a fascination with Sony that bordered on obsession.
      [...]
      "At the time, Sony was committed to not releasing a crappy product just because the market was there; they waited until they had a truly revolutionary innovation, combined it with great design and then profited from it for a long, long time," says Deutschman."

      --
      If all else fails, immortality can always be assured by spectacular error.
    10. Re:Was it really worth it, Sony? by Tanktalus · · Score: 2

      Well, yes and no. You see, there are two lists going on here. The first list is "stuff that's important." On this list you'll find things like "peace in the Middle East" and "harmony among the planet's many ethnicities". Or things like "democracy in every country" (which may include the U.S. depending on your perspective).

      On the second list, there is "stuff that is important but that I can actually do something about right now." Unless you live in Libya or another country currently undergoing a rebellion to institute some form of democracy, we have to go waaaay down on that first list to find anything from the second.

    11. Re:Was it really worth it, Sony? by Teknikal69 · · Score: 2
      I've never bought a bad Samsung product to be honest and lately that is all I have been buying. To be fair I do tend to go for their top of the line stuff and I've yet to have anything let me down. I'd actually say they're my favourite brand at the minute. I think they're pushing technology faster than anyone else and let's face it most Apple devices are just recased Samsung chips.

      Just my opinion of course but I really believe they are heading in the right direction lately.

  2. Again? by Catnaps · · Score: 2

    Somewhere out there, there's a hacker with a world map and a bunch of pins. Also, an intense dislike of Sony.

    1. Re:Again? by somersault · · Score: 3, Insightful

      More likely a lot of separate individuals/groups who want to join in on the Sony bashing trend.

      --
      which is totally what she said
    2. Re:Again? by socsoc · · Score: 2
      Good thing you posted a disclaimer.

      Disclaimer: I in no way agree with parent and fully support Sony with my money and first born child.

    3. Re:Again? by Allicorn · · Score: 3, Insightful

      Why extract the database of users' information if your goal is only to give a slap in the face to the evil corporation?

      It's almost as if the goal of this criminal activity wasn't heroic anti-corporatist hacktivism at all...

      --
      OMG!!! Ponies!!!
  3. Karma by what2123 · · Score: 3, Insightful

    It's not sad to see this happening considering their reputation for the past 10 years. You cannot continually screw your revenue sources and expect to remain on top of the pyramid. Eventually it will all fall out from underneath you, one way or another.

  4. There will be no peace. by Anonymous Coward · · Score: 5, Insightful

    Period.

  5. Security? by muffen · · Score: 5, Interesting

    After it was discovered that Sony was installing rootkits on people's machines, Mr Thomas Hesse, president of Sony BMG's global digital business said, "Most people I think don't even know what a rootkit is, so why should they care about it?"

    They are just taking the same approach to Security, since they don't know what it is, why care about it?

  6. Plain text passwords.... by antifoidulus · · Score: 3, Insightful

    From TFA:

    "E-mail, password, and names of thousands of users were exposed via text file"

    Why...why...WHY do people still insist on plain text passwords? Have these people ever heard of a hash? There is 0 reason ever to store a plaintext password, end of story. Anyone who designs a system that stores passwords in plain text should be fired on the spot.

    1. Re:Plain text passwords.... by Relayman · · Score: 2

      No. Any good encryption scheme encrypts your password as a complete character string. The password systems I work with use a one-way encryption method; if you have the encrypted value, you can't decrypt it to get the password. Having just three characters of your password should not be able to determine its validity unless they are decrypting your password (vulnerability) or storing it as plain text (vulnerability). This is an unacceptable method.

      --
      If I used a sig over again, would anyone notice?
    2. Re:Plain text passwords.... by Anonymous Coward · · Score: 2, Informative

      Also from TFA, it says the passwords were "encrypted". What wasn't in TFA is the phrase "plain text" - that part YOU added. Way to get worked up over something that you formulated.

    3. Re:Plain text passwords.... by mcrbids · · Score: 2

      Why...why...WHY do people still insist on plain text passwords? Have these people ever heard of a hash? There is 0 reason ever to store a plaintext password, end of story. Anyone who designs a system that stores passwords in plain text should be fired on the spot.

      I agree that saving passwords as hashes presents a much better security model, but you are just wrong to think that there is no reason to keep them in plain text.

      The real world isn't quite so black and white!

      1) It's "unfriendly" to require users to change their password every time. If the user is able to authenticate themselves sufficiently by other means, it may be perfectly legit to give them their password. Sorry, but real users often have a tough time figuring out how to turn on the computer, let alone remember a 12-digit password made of random letters, numbers, symbols and mixed case.

      2) Done right, passwords can be invalidated at any time, forcing end users to re-specify a new password. Sufficient logging can also make it pretty clear if you have a security breach on your hands by noting other details of the login process. (EG: Source IP, etc)

      3) Many (most?) breaches nowadays don't consist of somebody knowing the passwords, but in the "lost password" process which presents its own security issues - for example, email is sent in plaintext. Against this type of attack, hashes provide no security benefit whatsoever.

      4) Debugging: It's nice when, as a developer, you are given access to real, honest-to-god data so that you can code to what's really happening rather than contrived, artificial data sets. Part of working in this type of environment is to be able to access dev copies of databases as users in question. Yes, you can set the passwords as part of the snapshot/replication process, but that does add overhead.

      I guess what I'm saying is that storing hashes is like requiring super-strong passwords so that users end up with their password on a sticky note next to the computer: yes you get theoretically better security but it doesn't always work out that way in practice.

      Like many decisions, you really have to evaluate this on a case-by-case basis, and you may offset some of the risk by doing things like enforcing the use of SQL prepared statements, or standardizing your data input validation!

      And, in all truth, passwords are a terrible, terrible security tool, they just happen to have a better mix of usability, security, and convenience than anything else that's been developed thus far.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
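The one-way password storage debated in the sub-thread above, as an added example that is not part of any poster's comment: a salted, slow hash record that can only confirm a complete password (so a three-character fragment never validates) and a marker record that invalidates an account until the password is reset. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record layout and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"   # assumed scheme label for this example
ITERATIONS = 200_000       # assumed work factor; tune for your hardware
INVALIDATED = "!"          # stored value that no candidate can ever match


def hash_password(password, salt=None):
    """Return 'scheme$iterations$salt$digest' for storage; no plaintext kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        SCHEME,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(record, candidate):
    """Re-derive the digest from the candidate and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed or invalidated record: fail closed
    return hmac.compare_digest(actual, expected)


def demo():
    password = "correct horse battery staple"  # constructed sample value
    alice = hash_password(password)
    bob = hash_password(password)              # same password, fresh salt
    return {
        "full_password_ok": verify_password(alice, password),
        "fragment_ok": verify_password(alice, password[:3]),
        "same_password_same_record": alice == bob,
        "plaintext_in_record": password in alice,
        "after_invalidation_ok": verify_password(INVALIDATED, password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```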
  7. Pull the damn cables already! by AAWood · · Score: 3, Insightful

    Seriously, how long until Sony head office just tells every department to yank their network cables until a full security audit is done? This is just embarrassing at this point.

    1. Re:Pull the damn cables already! by lennier1 · · Score: 3, Insightful

      I get the impression they're not even trying anymore.

    2. Re:Pull the damn cables already! by Captain Spam · · Score: 3, Insightful

      Seriously, how long until Sony head office just tells every department to yank their network cables until a full security audit is done? This is just embarrassing at this point.

      What costs more, cutting off all online sales and hiring an audit team for X amount of time, or closing your eyes and ears reeeeeeeeeeally tight until everyone forgets about this in a couple months?

      Er... hang on, let me clarify: What costs more in the short term, within the attention span of the CEO/CIO of a modern multi-bazillion dollar megaconglomerate? Remember to factor in that "admitting we made a mistake" is a near-infinite cost in this case! If you never admit it, it never happened!

      --
      Demanding constant attention will only lead to attention.
  8. Pinkertons by Gotung · · Score: 5, Interesting

    I wonder if this rise in internet vigilante-ism is going to birth a corporate funded internet version of the Pinkertons. I.E. a group of black hat hackers paid by big corporations to hunt down and ruin groups like Anonymous through less than legal means.

    1. Re:Pinkertons by rsborg · · Score: 3, Insightful

      I wonder if this rise in internet vigilante-ism is going to birth a corporate funded internet version of the Pinkertons. I.E. a group of black hat hackers paid by big corporations to hunt down and ruin groups like Anonymous through less than legal means.

      I wouldn't put it past the entrenched powers to use whatever means necessary to get this done (ie, either digital brown-shirts, or burning down the commons through excessive and unconstitutional legislation that's been "purchased"). I'm guessing it'll be a combination of both, but in the short term, expect more of the "internet death sentence" type of reaction.

      I do posit this is going to get much worse. Every day, it feels like the seemingly paranoid rants by RMS seem more like the prophetic prognostications of a Cassandra who's seen the future hoping to help us avoid it.

      --
      Make sure everyone's vote counts: Verified Voting
  9. Almost feel bad for them by 19thNervousBreakdown · · Score: 4, Insightful

    Feel bad for them? The fuck? "They" are a corporation, whose only reason for existence is to make money. Sure, there might be individuals working there with morals, but the company itself has none at all--regardless of what US law says, it's not a person.

    This corporation has spied on, sued, made vulnerable to other attacks, and bullied its customers, potential customers, competitors, and little bald children with cancer who were lying in a bed that Sony had to put its muddy boot up on to tie its laces. And, probably because it thought it could get away with overworking or undertraining its net admins, it cut corners when it came to security. The security of its customers' credit card info. Who, after all the bullshit Sony pulled, still paid for their shit, and put their credit at risk, unlike those who "stole" from Sony, who won't have what they bought taken away at the first whim, who aren't badgered every time they want to watch a movie on a different device, who don't have to sit through unskippable guilt-trips and FBI warnings, and don't have to pay again when the disc gets scratched.

    Almost feel bad for them? Ha! I'm not even close to feeling bad for them. There is no possible amount of "suffering" that could make me feel bad for them. Call me when Sony wakes up one morning with a pain in its left arm and is forced to face its own mortality.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    1. Re:Almost feel bad for them by ddd0004 · · Score: 2

      You know there are some IT staff with Sony who are getting the double beat down of getting their ass chewed and working an 80+ hour week. Most places I've worked couldn't be bothered to improve security because the people who make decisions are only concerned with ROI as a number and then they attempt to choose the bigger number. It's always foot jammed on the gas pedal on new developments and no concern with existing infrastructure.

  10. Has anything been accomplished? by meridiangod · · Score: 2

    I get it, they've done a ton of unpopular things, but what has all of this hacking done? Do they really think it's made them think twice about potentially unpopular business decisions? Are a ton of other hackers just jumping on a bandwagon because they can? Do you think that losing all that money will inspire them to do good by their consumers? I can only speculate as to the true intentions of the hackers out there, but it kinda bothers me when I get the impression that people are doing this to "get back at them for something they did that I don't like or agree with." If that's really the case, I wish they would just get over it already and move on. I am personally getting sick of reading about Sony.

  11. Re:does this expression require children be involv by outsider007 · · Score: 5, Funny

    Agree. Sony has screwed more kids than the Catholic Church.

    --
    If you mod me down the terrorists will have won
  12. Did they piss anyone off? Yes; Are they dumb? Yep. by VortexCortex · · Score: 2

    The bad guys heard in the news, "Sony hacked -- Cause: Unpatched Apache web servers," and just realized, "Holy shit that's the dumbest thing ever! Sony is totally crackable; Let's go crack the other vulnerable Sony servers -- If they were dumb once, they were likely dumb all over the place!"

    Granted, pissing off a bunch of hackers/crackers is not a smart move, but being known for having poor security practices is even worse.