Sony Compromised, Again

Konsalik writes "The hacker group LulzSec on Thursday posted information it took from Sony Entertainment and Sony BMG on its site, called the LulzBoat. Lulz Security said it broke into servers that run SonyPictures.com. The information includes about a million usernames and passwords of customers in the US, the Netherlands and Belgium and is available for download and posted on the group's site."

I wonder if the hackers would stop..

[Barrinmw]

...if sony came out and apologized for being asshats and promising to never do it again.

Re:I wonder if the hackers would stop..

[MarkvW]

I certainly wouldn't hold Sony to a promise that was extorted from them.

Re:I wonder if the hackers would stop..

[Labcoat+Samurai]

If the point of the hack is just to embarass Sony, they don't need to post customer information on their website. That is potentially hurting real people who are not responsible for Sony's activities. And no, paying for a Sony product does not make you responsible for their activities, particularly when it's you, the customer, who generally gets screwed by such activities.

That's like exposing a wife beater by publishing the names and addresses of all his past wives.

Re:I wonder if the hackers would stop..

[ATMAvatar]

Strictly speaking in a free market sense, paying for Sony products does make you partially responsible. Why, you ask? Because the invisible hand that supposedly corrects poor behavior in corporations is supposed to be the swath of customers who will willfully boycott products in response. Continuing to purchase the corporation's products serves only to reinforce any behavior the it may be involved in.

Re:I wonder if the hackers would stop..

[PopeRatzo]

I certainly wouldn't hold Sony to a promise that was extorted from them.

But it would still be a nice gesture on their part, dicks that they are.

It still would not change my unwillingness to ever purchase another Sony product, though. I cannot say that I am not experiencing some measure of schadenfreude at Sony's misfortune.

It is wrong of course, what Lulzboat is doing. Comedic, but wrong. Karmacly satisfying, but wrong. I would discourage them in the strongest terms from continuing to kick the shit out of one of the biggest transnational corporations in the world and making said transnational corporations look like a bunch of arrogant, incompetent nincompoops. So knock it off misters, or somebody's gonna cry. Don't make me get up.

Re:I wonder if the hackers would stop..

[arth1]

I think what the GP was suggesting would be if Sony, on their own, came out and apologized for being so negligent. Of course that will never happen.

It wouldn't be enough. At this point, I would want Howard Stringer fired (not allowed to resign, but actually fired) before I would consider buying Sony again.

And this from someone who at present has:
1 Sony HD TV
1 Sony high-end Receiver
1 Sony low-end Receiver/DVD combo
1 Sony BD player
1 Sony LocationFree
3 Sony Laptops
1 Sony PDA
1 Sony PSP
1 Sony CD Walkman
and lots of less expensive Sony stuff.
This revenue stream has now stopped, and yes, it will take Stringer's head on a platter before I would consider Sony again, or stop telling friends and family to avoid Sony like the plague. Else, they;re not taking this seriously, and then I will reciprocate that and not take Sony seriously.

Re:I wonder if the hackers would stop..

[MimeticLie]

Sony is a big company with a lot of activities, and not all of them are objectionable.

Given their poor hardware quality, rootkits, data breaches, exploding batteries, inventing fake movie critics, removing advertised features, obnoxious viral marketing, spying on environmental activists, being seen as one of the two worst companies in America, and whatever else I couldn't think of off the top of my head, I'd say "most" rather than "not all".

Re:I wonder if the hackers would stop..

[aeoo]

Forget about shoulds and look at reality. I'm talking about responsibility and how it works.

For example, I think that the water should be dry, and when I step into it, I am not responsible for getting wet on the account of my "should" thinking. Does it work like that in reality? No, it does not.

Ask yourself: can customer behavior patterns influence the direction of Sony as a corporation? For example, can a boycott influence Sony's attitude at the executive levels? I think the answer is that a real boycott does have such an ability. So to the extent customers have the ability to influence corporate behaviors, the customers become responsible for exercising that ability with due diligence.

At the same time, does Sony need to wait to get boycotted in order to improve their behavior? Of course not. What does this mean? It means Sony holds a primary proximate responsibility for their own behaviors. Sony executives have more influence over what Sony does than do all the Sony customers put together. At the same time, the amount of influence the Sony customers have is not zero.

So this is a correct and balanced way to understand responsibility. Responsibility is always commensurate with the power you have to influence something. The more power, the more responsibility you have. And our or your power can get as low as epsilon, but never absolute 0. So we always have some responsibility for everything, however tiny it may be.

So it's not "all like this" or "all like that." The reality is somewhere between what you're talking about and what your opponent is talking about. I would say Sony has about 70% responsibility to govern its own behaviors in a moral way and all the customers put together have about 30%, roughly. You can even see it as a 50/50 split, but you have to remember that the customer side of the 50 is shared out among all the customers, while the Sony side is concentrated in the hands of the very few powerful executives.

Re:I wonder if the hackers would stop..

[similar_name]

I just want to be sure I understand your point. Unless something personally affects you you don't care? Most people feel this way? That does explain a lot about the world.

Re:I wonder if the hackers would stop..

[man_the_king]

Ah so you guys (similar_name and TheCount22) take issue with him not caring about something that didn't affect him personally - yet you were okay and did not take issue with the hundreds of /. users who DID NOT CARE about the millions of PSN users and were jubilantly cheering the PSN hack - precisely because they were not affected. And wanted too much for Sony to fail, even if that was the expense of millions of people.

Hypocrisy - look it up.

Re:I wonder if the hackers would stop..

[causality]

Ah so you guys (similar_name and TheCount22) take issue with him not caring about something that didn't affect him personally - yet you were okay and did not take issue with the hundreds of /. users who DID NOT CARE about the millions of PSN users and were jubilantly cheering the PSN hack - precisely because they were not affected. And wanted too much for Sony to fail, even if that was the expense of millions of people.

Hypocrisy - look it up.

There's no hypocrisy there because it's not really injustice. More generally, not everything unfortunate is an instance of injustice. Not everything preventable is an instance of injustice.

Corporations are like the political status quo. It exists the way that it is until people are actually prepared to do things differently. Sony can conduct its business practices because customers continue to reward it with money. By making sure there are no financial repercussions attached to undesirable business practices, those customers are at least as responsible for the corporate culture at Sony as its management team. You could even argue that management is merely giving the customers what they want.

The only reason why Sony has millions of customers who worry about this hack is because they continued to patronize Sony so long as Sony's faults didn't personally make them suffer. Finally, Sony's faults make them suffer. Now some of them start to get the idea that it's not so easy to overlook when it happens to them personally. They may start to think that other complaints they have heard suddenly have merit. Cause, meet Effect.

It's too bad the mainstream level of awareness is so thick-headed; it is not sharp and agile and independent. It requires some kind of charismatic leader to honestly explain these things; the people who could pull that off make more money by doing the opposite. Masses of people take too long to figure out that what they're supporting is not acting in their interests. It's a shame they often insist on learning this the hard way after ignoring many warning signs.

Here's the part that even those with the very best of intentions may not understand: as crazy as it is, they are choosing this and it is not my place to tell them how they should choose or what lesson they should need to learn. They are getting what they are choosing and that's why there is no injustice. If that is to change, they would need less insulation between their decisions and the consequences they experience, including less misguided sympathy.

They are not victims because victims don't get to choose. What they're really missing is a sense of personal responsibility and with it, an understanding of cause and effect that doesn't come from pointing fingers or playing blame games.

Whether or not some Slashdotter's personal feelings include delight in the notion of Sony failing is a petty concern. It can distract you from a deeper appreciation of the issue.

Re:I wonder if the hackers would stop..

[Evtim]

No, it explains a lot about the present culture of the world, especially USA and the the rest of the western world. Someone posted it already in another discussion, but.. [http://www.youtube.com/watch?v=4Z9WVZddH9w] Zeitgeist: Moving Forward.

Re:I wonder if the hackers would stop..

[ianare]

This is a very similar argument to the one Bin Laden used to (partly) justify the 9/11 attacks, and other attacks on civilians. It goes something like this : because America is a democracy, its citizens have a direct responsibility for the actions their government takes, and attacks on civilians are justified as retaliation for years of American imperialism and belligerence.

It's true that the US government has acted aggressively towards Muslim countries, and that its policies in many parts of the Muslim world are viewed as neo-colonist. It's also true that US citizens elect their government officials. It does not, however, justify terrorist attacks, and the people that have been killed or injured in these attacks are certainly victims, for the simple reason that the mass murder of civilians can NEVER be justified, for any reason. I think we can all agree on this ?

So Sony has acted in ways which are anti-consumer, and this for years without most of their customers knowing or caring. Now Sony gets hacked and millions of their customer's details are stolen and exposed, and this is somehow the customers' fault for having chosen Sony ? Sony's customers are simply victims caught in the crossfire of two opposing, and equally immoral groups.

Re:I wonder if the hackers would stop..

[mogness]

I think you're stretching a little bit, comparing someone boycotting Sony products with someone ignoring the existence of concentration camps. I'd love to see you explain how those two things are even remotely alike.

Re:I wonder if the hackers would stop..

[cpu6502]

>>>what has Sony really done that warrants this kind of behavior? Are they dumping toxic chemicals? Causing global warming? Killing babies?

Nothing that extreme, but they are still violating individual rights:
- Selling PS3s with "other OS" capability, and then turning it off. AKA bait-and-switch aka false advertising. Also illegal in Europe (where customers can demand refunds)
- Installing software from Music CD that killed customer's computers (made them unbootable)
- Bricked PS3s that were modded to play emulators (like SNES or Atari-Stella)
- Sued people for Millions of dollars, because they downloaded 5 songs.
- Prosecuted a man who posted how to open-up your PS3 and mod it to play HD DVDs (and other stuff)
- Used extradition to remove a customer from Europe to US, so they could sentence the customer to 20 years for hacking his console.

NOW do you understand why /.'rs hate Sony?
And why we boycott them?
Educate yourself about these corporations, and the evils they commit, rather than just blindly buying everything.

People are just blind...

[Frosty+Piss]

Groan...

Certainly Sony has some major responsibility here...

But when will people stop trusting the Intertubes security implicitly and just blindly dumping all their personal info into various "secure" web sites and Internet connected systems?

People are just blind...

Re:People are just blind...

[Jarik_Tentsu]

With an attitude like that, I assume you don't buy much stuff online.

At this stage, we should be able to trust internet security for major corporations to protect our data. What happens if PayPal gets hacked? "When will people stop trusting the intertubes security implicitly"?

I think its a rather reasonable expectations to expect a company like Sony to protect its user information.

What are they trying to prove at this point?

[Derekloffin]

That the hacking community has 0 sense of morality at this point? That is more and more the impression I'm getting. This isn't going to help. If anything it is going to be more fuel to the camp that wants our governments to have insane legal powers to combat this stupidity.

Re:What are they trying to prove at this point?

[captaindomon]

But they aren't crimes against a faceless corporation in this instance. This is a crime against thousands of individual humans who just had their credentials stolen and published.

Re:What are they trying to prove at this point?

[kaffiene]

Case in point - I've been pro open source, anti IP laws, anti harsh pirating / copying fines for a very long time. I'm pretty liberal and I don't like big corporations. But this shit just pisses me off. They don't like Sony so they fuck over the services that millions of paying customers are using and expose all their personal details? What a pack of pricks. That ain't cool, that's fucked up and selfish.

Re:What are they trying to prove at this point?

[kaffiene]

When they expose the personal details of millions of innocent customers? Jesus, use your fucking brain

Re:What are they trying to prove at this point?

[node+3]

Sony continues to be a target because Sony refuses to learn its lesson. And make no mistake, that lesson is about the consequences of abusing your customers, not about network security.

And what lesson is that? There are legitimate, legal, recourses is Sony did anything wrong. Shit, they didn't even do something that even 1/10th of 1% of their users even knew about, let alone had any expectation of ever using.

Seriously, walk up to anyone on the street, ask if them they have a PS3, then if so, ask them if they either:

A. Knew was "Other OS" was.
B. Ever used it, or had plans to.

If it was something Sony needed to "learn a lesson" over, it would have resulted in loss of market share. All this really is is a bunch of juvenile criminals who think they have the right to do whatever they want. I can only imagine how sad their lives must truly be to think this as some kind of moral crusade.

Re:What are they trying to prove at this point?

[arth1]

So..... If your car manufacturer (this is /. after all) removed the tow point on your car when you had it in for service, without giving you a choice, it would be fine with you? After all, only a tiny fraction of drivers would know about it, and even fewer use it...

See http://en.wikipedia.org/wiki/Argumentum_ad_populum for why your argument is bullshit.

Re:What are they trying to prove at this point?

[Maudib]

This industry is actively trying to undermine democracy, destroy individual property rights and trampel everyday civil liberties.

The people who give money to Sony and other RIAA/MPAA groups are part of the problem. They shouldn't be targeted, but any harms they derive from being customers of Sony are their own damn fault.

Look, if the mafia sets up shop in your neighborhood but you choose to work with them, don't complain if you get hurt when the rest of the community fights back.

Re:What are they trying to prove at this point?

[geminidomino]

Not to either condemn nor endorse LulzSec's actions, but WRT:

There are legitimate, legal, recourses is Sony did anything wrong.

"Illegal" and "Wrong" are completely orthogonal concepts.

Re:What are they trying to prove at this point?

[Charliemopps]

Lets just say that the hacking community has exactly the same sense of morality that Sony does.

Re:What are they trying to prove at this point?

[cyphercell]

Nope. A logical fallacy is a logical fallacy. Any user who purchased a PS3 with the expectation that "other os" would be available has cause for grievance. Now, I don't really think that's the only reason this is happening. I was pissed this time around until it occurred to me that, damn, there are suddenly repercussions for leveraging your development folks past sane tolerances. No longer is it just okay to abandon security because it isn't a bullet point on a brochure. Way more important than running yellow dog from my living room television. IMHO

Annoying..

[laxguy]

Personally I'm pretty tired of hearing this shit.. at this point is it really even worth the effort? SQL injections? Script-kiddies leeching off of unsecured websites.. this shit happens every day. Any else suspicious about the line "said that the group has more, but can’t copy all of the information it stole." Why can't they copy all the data? Probably because the "hack" wasn't as big as they want everyone to believe.

Do they have a choice?

[saikou]

In most cases people don't really have much choice.
You go to register to do something, and marketing department demands that registration form has a mandatory City, Address, Zip, blah blah, whatever their data appetite demands (and probably with data validation too, so doing New York, Blah Street, won't work).
Sure, some people will stop right there. But if "free" thing you gain access to by filling out registration form seems compelling enough, people will fill in the address.
And only a few of them will be clever enough to give some other (easily remembered, in case of site's trickery) address.
That data will live in archive forever, because marketing will never ever allow deleting anything.
Until it gets stolen (heck, probably afterwards too, but there will be a marketing blurb about being very secure, tested daily for hacker intrusions and stuff like that, wash, rinse, repeat)

Sony company culture of indifference won't change

[Lead+Butthead]

Sony company culture of indifference won't change over a few hacks. It may have made them look stupid (and that's got to hurt their ego) but ultimately the data being lost doesn't contain those of their officers, and frankly I don't think Sony gives a flying f_ck what happens to their customers (as demonstrated by rootkit) or their rights (demonstrated by repeatedly removing features from products and lied about it despite being caught lying.)

Re:The money quote

[nedlohs]

How is that a money quote?

Or do you mean showing the stupidity of the person asking the question?

Re:Sony company culture of indifference won't chan

[quickgold192]

Yeah, this'll hurt them like Kazaa hurts the MPAA - it won't. In fact, it'll more likely lead to the govt giving more public companies "emergency" legal powers to smack down anyone they suspect of being against them. Especially since today CNN had a "are your passwords safe online? Are YOU safe online?" special earlier today.

Re:Sony company culture of indifference won't chan

[hexagonc]

I don't know. . . repeatedly losing this much customer data or really any customer data is a serious public relations blunder. Sony Computer Entertainment already lost this console generation. I don't know if it can handle too much more egg on its face. At some point this is going to start making a serious dent in the bottom line.

Sounds like a Honey Pot for computer viruses

[XxtraLarGe]

I wanted to go to the site to see if my name was on the list, but then I realized they're the types that would probably have the latest version of MacDefender just waiting for me.

Re:Sony company culture of indifference won't chan

[brainzach]

The hackers don't give a flying fuck about the customers either by releasing all their personal information on the Internet.

If they really cared about the customers, they would have released the information to a trusted 3rd party to verify instead of to the public. They decided not to do that because they knew releasing it to the public would cause a much greater financial loss to Sony at the expense of its customers. The Hackers have no moral high ground here.

Line of criminal thought

[JimboFBX]

It has been said that criminals try to rationalize their crimes often times by thinking that they are just playing by the rules of life, even if its not the rules of society. An example would be a car thief who finds a car unlocked in downtown New York. They might steal the vehicle and rationalize it as a sort of "finders keepers", where if they didn't steal it, someone else would come along and steal it instead. "If I don't, someone else will, so I might as well benefit". You might say that is a ridiculous assertion to make, but if you found a $50 laying in the parking lot, you would probably pick it up and keep it thinking that someone else would take it if you didn't, and any hope of the original owner finding their missing $50 is a lost cause.

So when someone does virtual breaking and entering because the virtual back door was virtually unlocked, you have to ask what line of thought is crossing their minds. When my neighbor's door is unlocked, should I enter it and steal their TV because I think someone else is bound to do it instead?

Re:Line of criminal thought

[TheCount22]

It has been said that criminals try to rationalize their crimes often times by thinking that they are just playing by the rules of life, even if its not the rules of society. An example would be a car thief who finds a car unlocked in downtown New York. They might steal the vehicle and rationalize it as a sort of "finders keepers", where if they didn't steal it, someone else would come along and steal it instead. "If I don't, someone else will, so I might as well benefit". You might say that is a ridiculous assertion to make, but if you found a $50 laying in the parking lot, you would probably pick it up and keep it thinking that someone else would take it if you didn't, and any hope of the original owner finding their missing $50 is a lost cause.

So when someone does virtual breaking and entering because the virtual back door was virtually unlocked, you have to ask what line of thought is crossing their minds. When my neighbor's door is unlocked, should I enter it and steal their TV because I think someone else is bound to do it instead?

While I don't condemn what these guys are doing. I have to admit it does make me smile every time Sony gets hacked. A bit like seeing a bully failing a math exam.

Re:Sony company culture of indifference won't chan

In many ways, the MPAA has lost. We have to keep in mind what they were really trying to hold on to, the same old way of doing things. They have lost that battle, have been forced to change and are slowly doing so. It isn't that Kazaa or Napster or any one thing caused it, nor that it was some kind of unified (or righteous) movement. It was a bunch of factors mixed together. Their rigidity and shortsightedness being the largest culprit.

Basically, the MPAA has been forced into a change they should have been making anyway.

I see the same thing going on here, actually. There are multiple things going on, on different levels, simultaneously. The main thing going on here is this: "lulz", Removing a promised functionality from a device. Telling Sony to stop doing business the way it has. People are fed up.
Remember the timeline of what has transpired here.
1.) Sony removes OtherOS option from PS3. A gaff. A small number of people bought the PS3 for this feature alone. They were forced into either a) upgrading firmware and losing said ability in order to keep using the console for games, etc. or b) buying ANOTHER ps3. Basically, they fucked over some people (not new for Sony).
2.) Communities of customers begin seeking a way to return this functionality (one that was a selling point for many and one that shouldn't have been removed in the first place.) No big deal, no one really cared.
3.) GeoHot gives people back the ability to do this. Again, not many people cared. Except Sony.
4.) Sony opts for the unpopular and morally wrong thing to do - sue (bully) GeoHot. A major gaff. This outrages people even further AND does nothing to fix the problem of this workaround. People who didn't previously care, now care a lot.
5.) Now that their customers have been pissed on multiple times, some of them decide to piss off Sony.
6.) They decide to perform a DDoS and to bit of a nuisance to Sony. ("lulz" ensue)
7.) Once they do this, someone decided to perform a SQL injection. (fuck it!)
8.) From this, according to them, they got access to EVERYTHING. Also, according to them, they are shocked and appalled. According to them, they decide to expose this negligence on the part of Sony in order to warn its customers. ("lolholyshitwtfbbq - guize, look!")
This also
A) embarrasses Sony ("lulz")
B) gains the attention of mass media ("lulz")
C) gets various figures up in arms about some (non-existent) "dangerous hacktivist group" ("lulz")

As for the customers whose data has been compromised or released, it is an unfortunate side-effect; collateral damage, if you will.

In the process, a couple of valuable and enlightening things have been learned by many parties:
1) Sony has shitty security. - This is news to many people who had assumed that Sony would be pretty safe to deal with, being such a large company. Surprising, a bit unsettling, but somewhat forgivable being that corporations often look to cut costs. For those with some knowledge it is disturbing in and of itself since they aren't PCI compliant. This may be illegal (criminal) in some states. (AFAIK there is no federal law regarding PCI compliance).
2) Sony keeps customer data in the clear. - (I am glad I'm not a customer. - They REALLY must not care about their customers). Not only is this not PCI compliant it is JUST STUPID. It also has me convinced (along with everything else, including their history of rootkits, etc..) to NEVER be a customer of Sony.
3) Sony is a bully who either hates its customers, or doesn't want them anymore.

As for the release of the customer I see it as a positive, not a negative. Those who have had their data compromised can now know this for certain, see it in black and white even, and take appropriate action to protect themselves from possible wrongdoing. Besides, who knows whether or not this data had already been compromised? Apparently, it was trivial to do so and thus it would not surprise me if it had already been compromised before all of this. No one would have known this had

Comedic?

[YesIAmAScript]

Posting people's emails and passwords?

It's not comedic. These people are stealing user info and posting it and you say Sony looks like arrogant nincompoops?

Uh-huh.

Re:The hackers will be punished. Severely.

[Tolkien]

Sony has been begging to be smacked around by mob justice for a LONG time. Now it's finally happening. I say good.

Thank you, exactly

[unassimilatible]

This criminal organization LulzSec hurt the end user. Isn't that what the Slashdot crowd claims to be for? LulzSec exhibited utter lawlessness that, if perpetrated by Sony or Apple or Google or the Department of Homeland Security, it would have all the supposed Slashdot "Libertarians" howling. Read my sig for more details.

I can't believe how many people here are defending the action of LulzSec (not the hack, the posting of info, utterly and completely indefensible).