Daily Sony Hacking Occurs On Schedule

jjp9999 writes "LulzSec was compromised and a member of the group, Robert Cavanaugh, was arrested by the FBI on June 6. Meanwhile, LulzSec hacked Sony again, this time leaking the Sony Developer Network source code through file sharing websites."

Sounds like they're got inside access

[GodfatherofSoul]

Not a network guy, but if they're repeating these hacks so quickly and with such regularity I imagine their backdoor is still up.

Re:Sounds like they're got inside access

[NoSleepDemon]

I think Sony's chief failure in this whole incident is that they believe their customers like to take it in the back-door as frequently and as messily as they do.

Re:Sounds like they're got inside access

[MozeeToby]

Maybe you didn't read the earlier articles about just how horrible Sony's security setup is. Here's a hint: It's every bit bad enough that a dedicated group could find a different way into the system every day for weeks on end.

Re:Sounds like they're got inside access

Maybe you didn't read the earlier articles about just how horrible Sony's security setup is. Here's a hint: It's every bit bad enough that a dedicated group could find a different way into the system every day for weeks on end.

Yes, but think how much money they saved on IT!

Re:Sounds like they're got inside access

[tripleevenfall]

Well, no, I think this is one of the few times that the "terrorists", so to speak, actually won.

LulzSec said they would do this as revenge for Sony taking legal action against someone for jailbreaking the PS3. LulzSec has successfully cost Sony far, far more than jailbreaking ever would have.

Re:Sounds like they're got inside access

[TubeSteak]

Maybe you didn't read the earlier articles about just how horrible Sony's security setup is. Here's a hint: It's every bit bad enough that a dedicated group could find a different way into the system every day for weeks on end.

I don't think you're doing anyone a favor when you present Sony as a monolithic corporation.
It's not as simple as Sony vetting one security setup and replicating it across all websites tagged as Sony.
Sony is made of of endless domestic and international subcorporations, each with its own (poor) security setup.

At least these hacks are a return to the previous trend of defacements, revenge, and lulz,
as opposed to the last few years of organized crime, ID theft, and renting out botnets.

Re:Sounds like they're got inside access

[History's+Coming+To]

Either that or they sold something useful to the biggest geeks in the world and then took it away, but that would be daft.

Re:Sounds like they're got inside access

[Darinbob]

This is an important point. People seem to defend these actions because they're demonstrating security holes. On the contrary this group did not set out to expose security holes but instead were intent on causing disruption. They're not doing this out of any higher sense of moral values. It's bad guys vs bad guys.

Re:Sounds like they're got inside access

[Yvanhoe]

That is the nasty look of revenge. Sony unfairly used its weight against an innocent person, knowing very well that an individual cannot stand in front of an army of lawyers, and these hackers unfairly attack Sony causing as much disruption as they can. Two wrongs do not make a good, but this was not totally uncalled for. I can't help to see a bit of Robin Hood spirit there : "Trying to bankrupt someone to win in tribunal ? Let's let that cause you some comparable financial damages as well".

Re:Sounds like they're got inside access

[rbollinger]

Not to crush your Robin Hood hero imagery, but it looks like these guys really are just thugs.

http://news.cnet.com/8301-27080_3-20068939-245/exclusive-ceo-says-hackers-tried-to-extort-data-money

Re:Sounds like they're got inside access

[Darinbob]

You don't become Robin Hood merely by stealing from rich people. The Robin Hood legend is about the robbers who were different.

Lulzsec isn't showing themselves to be different, they've got no political manifesto, they're not righting wrongs, they're not pointing out injustices that the world is blind to, they're not influencing the views of the masses, etc.

Re:Sounds like they're got inside access

[TubeSteak]

Well, no, I think this is one of the few times that the "terrorists", so to speak, actually won.

10 years ago no one would have used the word "terrorists" (in quotations or otherwise) to describe straight forward black hat hacking.

There are at least a hundred definitions of "terrorism" and they all include violence or the threat of violence.
There's no violence here.

Re:Sounds like they're got inside access

[commandermonkey]

One of the few times? Seriously??

Can you name one "terrorist" attack that hasn't been severly one sided in terms of cost?

• Oklahoma city - for less than $5k there was 82.5Million in investigative cost alone
• 9/11 -4 Planes, Several buildings, more expensive airport security, loss of jobs, etc have been estimated at over 2 trillion. +10 years of expensive war in Afghanistan
• Anthrax Attacks - for the cost of 7 letters we got a clean up that the FBI put over 1billion and the war in Iraq
• Liquid bombers - didn't even happen and we got more security theater and still have restrictions on liquids
• Times square bomber - unsuccessful attack that got politically elites talking about suspending Miranda
• Underwear bomb - Super expensive scanners and more security theater.

Seriously, what "terrorist" attack in the last 10 years were you thinking of that hasn't caused a serous disproportionate response? Why do you think there seem to be more attacks in the last few years? For every couple thousand spent blowing, or attempting to blow, something up we spend hundreds or millions/billions/trillions reacting to it and every few large attacks causes the US to give away more of the "freedom(s)" that the terrorists hate. Over the last decade

the "terrorists", so to speak, [have] won.

Re:Sounds like they're got inside access

[Pseudonym+Authority]

exclusive-ceo-says-hackers-tried-to-extort-data-money

ceo-says-hackers-tried-to-extort-data-money

ceo-says-hackers

ceo-says

ceo-says

Hmmm, I question the credibility of that.

Re:Sounds like they're got inside access

[Opportunist]

Well, first of all it would be the CSOs or more specifically the CISOs job, and I bet he's currently getting very little sleep. But allow me to explain just why this could happen, and why the CISO "didn't do his job". I'm fairly sure the poor guy is now getting to feel the fallout of something that he couldn't even have done any better. Since I have his job (in another rather large company), I can only assume what creek he's stuck in, without the budget for paddles.

First of all, he most likely has to beg, steal and borrow whatever budget he had in the first place. Security is notoriously underfunded in every company, and I seriously doubt that it's any different with Sony. The reason for this is very simple: Security produces no revenue. It is the first thing that gets axed when the revenue starts to shrink since it is the one aspect the shareholders and rating agencies will not notice. Unless there's an attack, of course. It can be compared to an insurance, which is also just an expense until disaster strikes and the insurance can be claimed. How many people first of all cash in their life insurance the moment they need money and cancel all their health and retirement insurances to cut costs? It's not different with companies. You trade expense for risk, and since your rating and shareholder value is not affected by risk but by expense... well, do the math.

Also, it highly depends on the reporting structure of the company. I do not know the structure Sony uses, but essentially there are three possible people the CISO could report to: CIO, CEO or directly to the board (all assuming the CISO an CSO position is rolled into one, which is likely in this setup). Of course, reporting to the board and hence having their ear would be very beneficial, I just doubt that he has that much luck. CEO works too, but the worst that could happen to a CSO is to be under the CIO and hence dependent on him for his budget. You may rest assured that he'll be stuck with the leftovers, whatever is left after every "productive" group is funded will be his budget. That's usually not too much.

So what the CISO most likely did is build the best security system he could with his limited funds. Of course there was no money for audits or security consultations, and even the best informed and knowledgeable CISO suffers from Schneier's law: Any person can invent a security system so clever that he or she can't imagine a way of breaking it. No matter how good you are, you need an outsider to test your defenses to make sure that everything is as it should be. Now, I'm fairly sure he didn't have the money to do just that. Well, LulzSec did it for him now.

So shit hits fan. What happens now? Well, the sensible thing, and something said CISO certainly recommended, is to shut down and find out what happened. Initially, that is what was done. And I am fairly convinced that he did what he could to beg, steal and borrow so he could get some consultants and auditors on board to find the leak and seal it. This takes time. And most of all, money. And even with this breach right there, I'm not too convinced that the money faucet was turned on for him. OTOH, he had a lot of time pressure in his back to get the services back online, preferably immediately. There is now very little you can actually DO in just one week, you certainly cannot fix the mistakes of years of neglect.

That guy had no chance to avoid or clean up this mess. But rest assured that he'll be fired for it.

Re:Sounds like they're got inside access

[Xest]

"At least these hacks are a return to the previous trend of defacements, revenge, and lulz, as opposed to the last few years of organized crime, ID theft, and renting out botnets."

I absolutely agree with this, for some years now I've been concerned that real hackers had disspeared, many grown up and moved on, others gone over to organised crime. That new kids entering the scene were either too scared by the police to try more harmless hacking and those that weren't just going for the money in the crime game.

It was a concern because it's fundamentally the spirit that the internet was built on and is vital in keeping the internet free. I believe the encroachment of companies on the internet in the last decade trying to push for tough government restrictions on freedom is a result of a lack of backlash from hackers which was seen leading into the 90s. People like DVD Jon and the breaking of various other DRM regimes and such were rare examples where people were willing to step over into the grey area of legality to put consumer interest back in the forefront of the corporate onslaught against digital rights and freedoms.

So yeah, I welcome this recent action, it's embarassing to a company that frankly deserves embarassment from it's rootkit stuff to it's RIAA activities, and it's government lobbying for reduced personal freedoms.

Frankly, in the coming years I hope to see more of it. Between Wikileaks, the various Anonymous actions, the Arab spring, and so forth I sincerely hope this is a decade that will be as much about discontent of private citizens lashing back at their governments as the last decade was about governments and corporations controlling and restricting private citizens actions and movements, and castrating their long held freedoms.

I almost feel sorry for Sony

[v1]

no wait, I don't. Get me some popcorn, this is a good show.

Re:I almost feel sorry for Sony

[elrous0]

I just imagine someone hacking their presentation at E3 while they're live onstage. That would be some serious lulz.

Re:I almost feel sorry for Sony

Shhh! You'll tip them off to our plan, fool!

Re:I almost feel sorry for Sony

[theshowmecanuck]

Wouldn't it be ironic if they used a root kit? Or would that be poetic justice?

TFA Is Sparse On Information

[WrongSizeGlass]

TFA doesn't tell us much except that Sony got hacked and some guy got arrested. The summary sums up the whole thing.

Re:TFA Is Sparse On Information

[Nrrqshrr]

For once the summary is good enough. We can't complain.

Re:TFA Is Sparse On Information

[TheGothicGuardian]

As someone who enjoys reading articles, I found the summary to be too good.

Arrested

[Hatta]

Guess the seven proxies weren't enough.

How did this arrest go down? This is clearly a more interesting development then yet another Sony hack. Hopefully there will be more information forthcoming.

Re:Arrested

[Delgul]

Might be they arrested one of the seven proxies? ;-)

Robert Cavanaugh (Not Apart of Lulzsec)

This kid isn't apart of LulzSec, he was in the process of being recruited. As you can see his arrest as no effect on LulzSec.

Re:Robert Cavanaugh (Not Apart of Lulzsec)

[mirix]

That would mean he is apart of lulzsec - not that that makes him a part of it, or anything like that.

Story innacurate according to the group

[Capeman]

The posted details here: http://pastebin.com/yut4P6qN

Re:Bad Porn

[creat3d]

I beg to disagree. Rape jokes concerning Sony ARE funny.

Re:I lost track

so how does any of this relate to removing OtherOS anymore?

You don't let people hack your consoles, they find something else to hack. Idle hands and all that. :)

Re:poor, silly sony

[Dachannien]

Don't they realize they would gain much more by apologizing for and desisting against GeoHot

What part of "settled out of court" don't you understand?

Re:poor, silly sony

[krelian]

Paragraphs, learn how to use them.

What is the point, really?

[mark-t]

I mean, these intrusions are happening with such frequency that I can't imagine there's still a point to be proven... plus, reading about it all the time on slashdot is starting to feel like seeing a headline for a traffic light changing color.

Go FBI!

[Haeleth]

Seriously, I expect this will be modded into oblivion because Slashdot hates Sony and loves anyone who sticks it to the man (see also: Wikileaks, Anonymous, etc).

But they are criminals, and therefore I for one am glad that the FBI has had some little success in tracking them down, and look forward eagerly to the day when the ringleaders are forced to defend their actions in court.

The fact that they are committing crimes against someone you hate cannot justify those crimes. Indeed it must not, because turning a blind eye to crime just because you don't like the victim leads to mob rule. It is the antithesis of the rule of law on which our society is founded, which protects our rights as well as Sony's. That's one slope that history has proven time and time again to be very slippery indeed.

And, hey, maybe they'll put up such a good defence that the jury will refuse to convict them and the balance of power between corporations and common people will be shifted, and that would probably be good too. But it should be done in courts or congress, not by vigilante mobs deciding to lynch a corporation that offended them.

Re:Go FBI!

[h4rr4r]

And, hey, maybe they'll put up such a good defence that the jury will refuse to convict them and the balance of power between corporations and common people will be shifted, and that would probably be good too. But it should be done in courts or congress, not by vigilante mobs deciding to lynch a corporation that offended them.

Does it hurt to be that naive?

Sure they are breaking the law, and they are probably bad people, but this is like watching Stalin fight Hitler. No matter who loses we win. In reality since they attacked Sony expect jail sentences, had they gone after a small company the FBI would not even care.

Re:Go FBI!

[houghi]

Where was the FBI when Sony hacked our systems?

We KNOW where the ringleaders are who did that and I am also looking forward eagerly to the day when the ringleaders are forced to defend their actions in court.

My guess is that yours comes first and mine won't come at all.

So yeah, I stick it to the man, because there is REASON to do so.

Re:Go FBI!

[Princeofcups]

But it should be done in courts or congress, not by vigilante mobs deciding to lynch a corporation that offended them.

Yes it should, but it won't be. Those same corporations own those politicians and courts lock stock and barrel. The only time we ever see any government action against a corporation is when it's one corporation verses another, biggest bastard take all. There is no realistic legal action that any individual can take against a corporation. The laws and legal processes make sure of that.

Laws were broken and heads were busted the last time that individual American's actions had any effect on the state of their country. We have been way too complacent for the past 30 years. I do not advocate any particular form of law breaking, but it's a legitimate form of social protest. Remember, today's villains are often tomorrow's heroes.

Re:Go FBI!

[Risen888]

I'm losing all the mods I made thus far (and resisting the temptation to downmod you just because you coughed up that stupid "I'll get modded down for this" crap, which is my usual policy for such whiny attention-seeking dickweedism), but I can't let this go by uncontested.

turning a blind eye to crime just because you don't like the victim leads to mob rule. It is the antithesis of the rule of law on which our society is founded, which protects our rights as well as Sony's.

That's just crazy. Our society in no way "protects our rights as well as Sony's." Our legal system is designed to protect Sony's "rights" (which are not rights, but privileges granted to an artificial construct called Sony) at the expense of our rights (which are in fact, as enumerated in our Constitution, actual and legal rights). The idea you propose here matches neither the theoretical nor the actual system under which we live. And you know it.

That's one slope that history has proven time and time again to be very slippery indeed.

I'd say the exact same thing, but I don't think we're talking about the same slope.

And, hey, maybe they'll put up such a good defence that the jury will refuse to convict them and the balance of power between corporations and common people will be shifted, and that would probably be good too. But it should be done in courts or congress, not by vigilante mobs deciding to lynch a corporation that offended them.

Because that happens in courtrooms across this great land of ours every day, doesn't it? Congresscritters are pushing each other out of the way to champion Joe Everyman against the nefarious interests of Big Media, aren't they? And our well-informed, socially aware, and technologically savvy courts deal defeat after defeat to these villains! Why, it's a wonder things like this ever happen given the enlightened society and legal code under which we live!

Are you fucking kidding me?

Are you for some reason under the impression that those people work for you or something? I can assure you they do not.

Given all that, I'd like to hear a realistic alternative to vigilante mobs.

Re:Go FBI!

[Xest]

Your unwavering view that the rule of law is moral and just is disturbing.

I live in the UK where we have a first past the post voting system such that most governments are elected to have a majority giving them 100% of power with the support of only 30% - 35% of the population. This has led to schemes such as the ID card database which well over half the population opposed. Many laws are similarly opposed by such large proportions, but due to the nature of our voting system may be passed anyway.

I do not respect laws which go against the will of the majority and I do not even respect laws which go against the will of even a large minority. A law which negatively effects less than 1% of the population may be moral and just, but a law that even 20% of the population believe is unfair must surely be classed as an unacceptably high level of persecution.

So you can call them criminals for breaking some arbitrary law, and that's fine, but it really doesn't matter if what they do is still moral, ethical, and has the support of a non-negligible portion of the population, which, they certainly appear to have.

The irony of your comment though is that Sony truly has broken laws in many countries but due to it's size and power to lobby, has got away scott free. Even if you do truly believe in the rule of law above what is simply ethically and morally right then your position is still highly hypocritical. If Sony was correctly punished for it's illegal actions then this may not have even happened in the first place.

Those vigilante mobs are merely the powerless majority being sick of their voice being ignored, just like in Tunisia, Egypt, Libya, Syria and so forth where coincidentally, their actions of protest and government overthrow were illegal too.

Some more info

The article is pretty bad:

One member of the group, Robert Cavanaugh, was apprehended and taken into custody by the FBI after an apparent counter hack, according to an internal chat log from their private IRC server, posted through SecList, a network mapper website.

SecList? I think they meant the full-disclosure mailing list, which happens to be archived by seclists.org, which happens to be a "sister site" of insecure.org (the home of the nmap network mapper).

Anyway, here is the relevant post

you attack its weak point for massive damage

[Thud457]

heaven forbid they hack the presentation and the CEO starts blindly reading blather about a giant enemy crab off the teleprompter. That would be mortifying.

Not always black and white

[manekineko2]

Indeed it must not, because turning a blind eye to crime just because you don't like the victim leads to mob rule. It is the antithesis of the rule of law on which our society is founded, which protects our rights as well as Sony's. That's one slope that history has proven time and time again to be very slippery indeed.

I don't think the history has conclusively proven at all whether the rule of law enforced blindly without regards to who is right or wrong is a good thing.

For example, the Underground Railroad illegally helping escaped slaves, or every revolution in the history of the world.

Obviously the importance of the cause is different here, but it helps make my point clearer by using high-profile examples.

Re:Bad Porn

[xMrFishx]

Although it also comes with the downside of being a holding group, umbrella naming. To Average Joe (via the sensationalist media), Sony X and Sony Y are the same thing. As it all masquerades under the name Sony, hacking Sony Music and Sony TV is essentially the same thing, even if, to the rest of us, it isn't. Ultimately though, I find the whole thing very funny and am rather enjoying watching.

Nope, Safety is a Myth

[IBitOBear]

Just like the TSA hasn't stopped a single act of terror, only passengers have done that; most security measures cannot stop a determined professional.

Safety and Security are largely mythological, the concepts are sold to a public that feels the need to exist with impunity.

In point of fact, it is largely manners that keeps people safe and secure. Most of us do not act on our darker natures because it would be rude.

Sony has demonstrated that they don't care about being well-mannered, and that they honestly believe that technology can keep them safe. They believe in DRM and they believe that they have the right to change a deal they have already made as if they were Darth Vader. They believe in their own Empire and they are willing to use any means necessary to maintain their grasp.

In point of fact, the technological community is simply having a very high immune response to this bad actor in their midst.

If Sony were to just come out, apologize for being douche-bags and promise never to do it again, they attacks would taper off quickly. They don't even have to mean it.

For all that the *IAA have been idiots and evil, they didn't mess with the technologists as a whole, so they have gotten a pass so far. They also don't actually do anything, so they have been impossible to strike.

Sony, as a member of *IAA(s) _and_ as a first person actor in technology via the PS3 etc, _and_ having stepped far across the line with the Hotz thing, has simply taken the first hit of lightning.

Thing is, the community at large has now learned that they _can_ make a company pay. The frontier has been opened. The Streisand Effect is real, and it will, sadly, take the business world a little longer to learn that "The Angry Villagers Rule" is real as well.

The torches are alight and the pitchforks are out and waving.

In the technological circles, the technologists are peasants, but they do feed the nation and they do strike back.

Companies need to rediscover their manners.

Re:Nope, Safety is a Myth

[memyselfandeye]

Wait what? You talk about 'bad manners' as agents of malcontent.

I don't know where you come from, but I would consider it 'bad manners' to crack a security system just because you don't like a person, organization, or company... just as I would consider it 'bad manners' to punch someone in the face because I think they have 'bad manners.' Isn't it 'bad manners' to force someone to do something they would rather not... such as change their password because you just stole it from them?

I don't know of a single nation that forces people to buy Playstations, Sony Music, or Sony TVs. If you don't like it, don't associate with them. Anything else is 'bad manners.'

Re:Nope, Safety is a Myth

[Darinbob]

If sony admitted faults, the lulz would not go away. They are not being hacked out of any sense of moral indignation but because it seems like a funny idea. These are not even up to the very low moral level of vigilantes, they are merely causing disruption for it's own sake. These people are not "the community."

Re:Nope, Safety is a Myth

[IBitOBear]

Ah, but in objective view, we are into "the contractors working on the Death Star" debate. Blindly supporting one bad actor (Sony) and then complaining about suffering the fallout from another bad actor (hackers) is a tad disingenuous.

You may not have _known_ you were supporting a bad actor, but its not so much that you happened to be in a bar when a brawl broke out, more you got into his car and rode to the convenience store, sat there in the car while he attempted a robbery, and then complain about getting hit with broken glass when the store clerk shoots back.

This is, in my humble opinion, a case of _nobody_ being innocent and nobody being right. Everybody knows, or should have known, that Sony is a draconian evil empire as far as DRM and generally bing that least trustworthy entity "a corporation".

The problem is that there is no other battlefield available to the revolting parties. They see themselves as revolutionaries, and they are not necessarily wrong in that perception.

Revolution is always messy.

I, personally, avoid Sony. I _do_ play Xbox whit Xbox Live, knowing full well what exposure that brings. I don't use windows except as work requires, nor mac (I use Linux at home and as the supervisor in most of my Windows work stuff). I don't use debit cards, only credit cards to interact with the Internet entities at large.

The internet is "the bad part of town", I know not to bring my good car (the debit cards on real accounts) and I know to stay out of the seediest bits, but I have business there. I don't get to pick the street gangs, the corrupt cops, or the organized criminals that populate place. I pay my money and I take my chance. You to.

We don't know how this is going to shake out. The history will be written by the winners, as it always is.

Innocence is as much a myth as safety or security. Privacy is largely in that same boat.

Back when I was a kid my grandmother used to say "a secret, once told, is a secret no longer" and that becomes orders of magnitude more true on the Internet or in the realms of alleged mental property.

I said that Sony took the first lightning bolt. The storm is far from over. Some people are going to get wet, some people are going to get struck down, some things will burn and some things will grow. Fore every minute of playstation network downtime there is an improved chance of increased fairness in the credit reporting regulations. We don't know the unintended consequences yet.

This thing gripping us economically here in the "new world", the same chaos that is gripping the "third world" in the flesh. The hackers believe they are hacking in your best long-term interests. Sony is claiming that their interests and your interests are the same. The waves rush outward from there.

Re:Nope, Safety is a Myth

[Omnifarious]

I'm guessing that at least part of the fun is the support they're getting. If that support evaporated, I think they'd find other targets. They want bitcoin donations, they talk about how many people follow them on twitter. They care about the support they get. So I don't think your assessment is entirely accurate.

Re:Nope, Safety is a Myth

[sjames]

Throughout time, the penalty for having bad manners has often been others showing you none in return until you get the point.

For example, make a lewd comment to someone's wife and indeed he will punch your face because he thinks you have bad manners.

Re:Nope, Safety is a Myth

[artor3]

This is not a revolt any more than a mugging is a revolt. Your attempts to romanticize common thugs is pathetic.

Also, I don't even own a playstation. I just understand the difference between right and wrong.

Re:Disjoined from reality.

[shutdown+-p+now]

Actually, a website vulnerable to SQL injection really is completely inane in 2011. This is something that every DB framework knows how to handle, and also something that has been explained in detail again and again for over a decade. There is no excuse for having something like that on a production website, period.

It's not like not wearing a bulletproof vest, it's more like going out in the street naked with $100 bills glued all over you at 3am in Detroit. In these circumstances, it is entirely appropriate to blame the victim of a crime as well as the perpetrators.

lulzsec == pwnt?

[synthesizerpatel]

http://seclists.org/fulldisclosure/2011/Jun/75

Here are some pics of him.

[crow_t_robot]

http://89.248.164.63/dox/xyz/

(for the lulz)...spoiler alert: mIRC, smoke weed errrday, WinXP, Amazon shopping spree