Lawsuit Claims Sony Canned Security Staff Just Before Data Breach
Stoobalou writes "A lawsuit filed this week suggests that Sony sacked a group of employees from its network security division just two weeks before the company's servers were hacked and its customers' credit card details were leaked. The suit, which seeks class action status, is being brought by victims of the massive data breach that took place in April."
Service Unavailable Guru Meditation: XID: 1643227444 Varnish cache server
to the internet
Fixes my ability to view Slashdot articles.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Or too late
Like 2 weeks was enough to cause the massive problems Sony had. Hah.
No, more like, Sony found out they were incompetent and was firing them for that. Too little too late, obviously.
And what should have Sony done, when they realized they weren't secure? Shut down their entire business for months until they could hopefully secure things?
I'm not pulling 'months' from nowhere, either. Sony's Japanese PSN is still down while they secure it because the government won't let them bring it back up.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
It's not like they were in the middle of implementing a new security schema when they were let go. I'm pretty sure the fail of Sony to protect customer information occurred months before this.
Since when does being a Socialist mean 'someone who has a different opinion than me'?
"They weren't doing their jobs so we fired them. Why do you think the intrusion happened in the first place?"
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Those responsible for the sacking have also been sacked.
Unless it's a class action suit*, the lawyers represent the victims. When you need a lawyer, you NEED a lawyer.
*RTFA? Ewe muss bee knew hear!
Free Martian Whores!
And none of them hacked in to change the PowerPoint for shareholders to porn?
They must have not learned from our article earlier this week...
Or, perhaps, they fired the people who tried to tell them the emperor has no clothes? Seems to me you are assuming an awful lot.
From a legal prospect it would seem as an amazing scapegoat. Also it could prove Sony had a role in letting the service continue running on cruise control while knowing it was likely to break down.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
... is to suspect that if you fire someone in IT Security and your organization is hacked 2 weeks later... hmmm, who would be your first suspect?
I8-D
Were they all canned as a corporate profit/cost saving measure or because they were complaining about problems/security flaws and their upper management didn't want to hear about it? Or maybe they were all incompetent?
That's what really makes the difference in this case.
Maybe they were fired because they complained too much that Sony didn't care about security. Or that they upped that complaint to the CEO, who preferred the CIO's version. Maybe they threatened to make the problem public and their boss didn't like it. Maybe they weren't seen as productive because they kept fixing things the entire day, instead of helping build new things, and were understaffed. Maybe the company didn't like the policies they tried to put in place, so not only didn't accept the policies, but also fired them (this option seems to be quite likely). Maybe they weren't competent enough to put some good security in place, but still dedicated enough to security so that they annoyed people. Or, finally, maybe they were justly fired for incompetence.
Rethinking email
Indeed, given the severity of the vulnerabilities, it's hard for me to believe that this wasn't something that Sony's executive board knew about. If they're like many other businesses, they didn't feel like paying the cost of securing the service and got bitten on the ass. Whether it was an inside job or not, the exploit wasn't particularly sophisticated and should have long since been patched.
Or quite possibly the security people informed the management about the problems and asked for budget to fix and were told no. I am guessing not many people saying they were at fault actually work for corporations...
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
But then again, he couldn't read anyway.
Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
I could honestly care less why they sacked them. I just want something out of SONY. For the PS3 storing open text negligence, for taking away a feature I paid for (Linux- Other OS) and not giving a rat's ass about me, for the Rootkit they put on my system with no real punishment, for the liars that lobbied the Bluray to win over the far superior technology that was HDDVD, for well, "EVERYTHING SONY". For the rootkit alone, their senior staff should have been criminally prosecuted. If I was to put a rootkit on a SONY Server by giving an employee a cd to listen to at work, I'd certainly be in jail. The best part- I went to GTPlanet (for the Gran Turismo Game, GT5) after this and the damn Fanboi mentality of today is every post I saw that complained or said anything remotely bad was shut down by 100 posts saying Sony is such a great company for trying to rebuild everything and that it is so great they are looking out by telling everyone about it..blah blah blah I've had enough- Boycott these thieving asshats. I want my $0.99 from the Class Action Suit. It's almost as good as a company changing the law like Verizon and ATT with their "Unlimited" Plans that are actually 5GB or less.... Truth in advertising? But I digress... I only mention them because they are also tops up there on the list with Sony of companies that do what they please and collude but yet give lots of $$ to lobby their cause to a corrupt (or rather incompetent) judicial system.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
I can't see a bunch of disgruntled ex-employees creating this entire security breach in two weeks.
I _can_ see a bunch of losers getting fired for not doing their jobs.
But I can also _totally_ see a bunch of disgruntled ex-employees, after being forced to work for ages with a broken security system which they did not themselves build, "accidentally" letting slip some inside info about that system's existing vulnerabilities in the weeks after being fired. "Yeah? You don't reckon you need security staff? Let's just see if that's right..."
As sm62704's sig used to say a long time ago, his original account was mcgrew and he lost the password. It has apparently been recovered.
So as he said, "Ewe muss bee knew hear"
Jesus was a liberal
The relevant question here isn't when they were sacked, or how many were sacked, but why they were sacked. The article doesn't really answer the question that matters. :^(
I've worked at SONY, though not in the security group. To do anything, there were at least 10 meetings to "decide to do something" followed by another 20 meetings to decide "WHAT" to do. Often, the WHAT wouldn't be possible, because the doers weren't invited.
SONY can spend lots and lots of money on things they believe will make them money and $0 on stuff that doesn't ... like security.
Where I worked was filled with IBM-Japan running AIX systems. Half of these people were really sharp and the other half, well, not so much. I never met or heard anything about the Data Security team, but that wasn't my role while I was there, so it isn't surprising.
SONY wasn't much different from any other large company that hadn't needed to worry about security previously. I bet going forward SONY will make a security review part of every project going forward. It will be a checklist item that leads to 15 other checklists.
Pick any other consumer company, perhaps Emerson or Westinghouse. Do you think they have much real data security either?
We know someone on that team was incompetent. That shit with key not being random has been there for years.
Can't live with them, and when you finally get rid of them, what follows is worse.
On a related note, why not trial-fire all these stupid managers and see what happens?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
But I feel it's appropriate to say hahahahahahaha.
If there was a lesson to be learned I feel it was probably lost amongst all the inevitable finger pointing and 'covering of ass' and other machinations. But don't worry, the appropriate tech staff not involved in the decision were reprimanded for not picking up the slack left by the involuntary departure of the security team.
Rest assured, no management was harmed in the production of this stupidity.
My ism, it's full of beliefs.
Do you also blame poorly paid policemen for crime?
I do believe Sony was negligent in its handling of sensitive customer information, though this is probably more common than we'd like to think. The vast majority of these exploits were found with an off-the-shelf point-and-click vulnerability finder. That one website should fall to this sort of thing is a shame; when 20+ do over the span of a few weeks, it's another matter entirely. Sony could have prevented many of these simply by running the exact same publicly named tool themselves after the first 2-3 incidents. That more Sony websites continue to be breached daily by the same method is simply inexcusable.
All of that said, these security holes didn't just magically appear after these people were fired, they were there for months if not years. If these people were not competent enough to find such trivial exploits, then they really didn't deserve to keep their jobs and having them on staff after the attacks began likely would not have improved the situation.
As I wrote to SOE support about the everquest2.com service and character profiles being outdated and bugged, they replied straight that it was due to the service having no staff to fix anything. I think this tells much about the state of layoffs and the ability to secure or update services. The everquest2.com website identifies users using Station SOE logins.
Here is the reply they gave:
Subject: Bugged character profiles [Incident: 110619-000022]
Response Via Email (TSR Steven G.) 06/23/2011 09:15 AM
Greetings leagris,
Thank you for contacting Sony Online Entertainment. Unfortunately, since the EQ2 players site was converted to a free service, there is not a team set to maintain/update the site. We have no ETA when or if a team will be added to maintain/update the site. We are sorry for the inconvenience that this may cause. If you have further questions, feel free to contact us.
Regards,
CSR Steven G.
Léa Gris