Sony's Plan To Tighten Security and Fight Hacktivism

mask.of.sanity writes "Sony Entertainment Network is rebuilding its information security posture to defend against hacktivism. It includes a security operations center that serves as a nerve center collating information on everything from staff phone calls, to CCTV, to PlayStation gamers. If it is successful, the counter intelligence-based system will be deployed across the entire company. 'At Sony, we are modifying our programs to deal less with state-sponsored [attacks] and more with socially-motivated hackers. It will be different,' said Chief Security Officer Brett Wahlin."

Cheaper strategy

[mcbridematt]

Don't be dicks.

Re:Cheaper strategy

[DigiShaman]

Cuts both ways. While Sony has pissed me off lately, the hackers equally so. As a casual gamer, I'm so sick and tired of all these angsty hackers posing an "up your ass with a stance" attitude. Why the hell should I have to take flak from both sides just enjoy a little gaming? I tell ya, it's simply not worth my time or my security being compromised.

Screw this, I'm gaming elsewhere.

Re:Cheaper strategy

[sjames]

He who lies down with dogs gets up with fleas.

You might want to check the species of your bedfellow.

It's not like Sony's sins are minor. They include bait and switch and mass hacking on a scale Anon. can't even aspire to. Because they have money, they have gone un-punished.

So, yeah, gaming elsewhere is probably a good idea.

Re:Cheaper strategy

[artor3]

Evidence also suggests that the internet never, ever, ever forgives. Sony is evil in the minds of internet-people, and no amount of "being neutral" will change that any time soon. Are they just supposed to suffer all the beatdowns they get over the next ten years until people start to say, "Hey, that rootkit thing was a long time ago..."?

Wrong use of word?

Hacktivism is to protest political ends. I belive the term is misused here...

Wrong way of thinking

[gzipped_tar]

As part of the society, you should think about how not to become a target of hacking activism. Especially when it's impossible to crush every one of the "hackers".

Better yet, convert them into your loyal customers, and even better, direct their anger to your competitors.

Re:Wrong way of thinking

I'll grant you that just based on statistics and human nature, any company with a sufficiently-large customer base will invariably really piss off some minority sub-group of their customers. However, there's a difference between pissing off minor subgroups on some matter of debate (e.g. "Wal-mart sells eyeliner that was tested on rabbits! Let's protest these animal-haters!"), and taking flatly evil, anti-consumer actions that affect the entire customer-base in a negative way (e.g. several notable Sony debacles from the past).

It's like the difference between BofA hiking a subset of their customers' credit card interest rates to pad their profits (with due notice, according to the rules), and BofA deciding "Hey, traditional bank fees aren't really working out for us, so we've decided to just start stealing a flat 1.5% of everyone's checking balance every month". They're categorically different, and so is the response from the customer base.

Companies who avoid the really huge, categorically evil, moves tend not to get swamped in hacktivist attacks all the time. I work directly on internet-facing services (including in a security capacity) at a Fortune 1K company that's heavily involved in the tech/consumer world, and we've never had a hacktivist attack to date. We might someday, and we have some plans for that sort of event because it's irresponsible not to. But really our primary defense against this is that when *I* go into a meeting with a product development group, and I hear them suggest something really stupid that would likely cause a public Internet-based backlash, I flat-out tell them it's a stupid and irresponsible thing to do, and they back down.

Sony is getting exactly what they deserve, and it's deplorable that rather than try to turn their *actions* around, they've accepted that they're always going to act evil and modified their security policies to suit a constant condition of "We have a giant target painted on our backs".

Re:*clap* *clap*

[Ihmhi]

You have to read between the lines here man.

They're not saying "We were attacked for being a socially irresponsible company, so we're going to do less evil shit." They're saying "We were attacked for doing evil shit, so we're going to keep doing evil shit and make it harder to successfully attack us."

Re:wrong medication

Here's a start:

1. Bring back OtherOS
2. Stop supporting CSS, AACS, HDCP and other forms of DRM
3. Apologise for installing rookits on people's computers without their knowledge
4. Apologise for taking legal action against people who circumvented their digital restrictions

Re:wrong medication

[peppepz]

2. Stop supporting CSS, AACS, HDCP and other forms of DRM

That is, stop playing DVD, Blu-Rays, and drop the ability to connect to HDMI and DVI displays? If you don't like the above mentioned technologies, you can play unprotected media and connect the PS3 via SCART, VGA or component cables anyway.

It's not that Sony, like Google, is plotting to insert DRM into the open standard that governs the Web.

3. Apologise for installing rookits on people's computers without their knowledge

Done. Seven years ago. And by the way, did Apple and other phone manufacturers issue any apology for installing CarrierIQ, which had privacy implications several orders of magnitude greater, on millions of phones?

4. Apologise for taking legal action against people who circumvented their digital restrictions

Do Google apologise when they do just that?

Re:*clap* *clap*

[Sneeka2]

And guess who designed Blu-ray and shoveled tons of money into the project to push it into the market to destroy to rival HD DVD format: Sony. Learn your history.

Also, comparing two very specific systems which are by definition very closed (gaming consoles) and a music player (which I guess you're going for with that Apple jibe) is hardly an objective comparison in the big picture. If that's all you know about these respective companies, fine, but please stay in your mom's basement.

Re:*clap* *clap*

Of all technologies, you choose to use DRM infested blu-ray as an example of user-friendly products?

Where to all these sock-puppets come from? Can we block them at the door? I guess some simple questions around OS and consumer gadgets should be enough to deter the worst.

Re:wrong medication

[Sneeka2]

2. Stop supporting CSS, AACS, HDCP and other forms of DRM

That is, stop playing DVD, Blu-Rays, and drop the ability to connect to HDMI and DVI displays?

That's the point, come up with a frickin' format that does not use DRM and distribute movies in said format (Sony is a mayor distributor and user of DRM'd formats).

If you don't like the above mentioned technologies, you can play unprotected media and connect the PS3 via SCART, VGA or component cables anyway.

We know you love your PS3, but why do the rest of us have to put up with crippled discs we want to play elsewhere?

It's not that Sony, like Google, is plotting to insert DRM into the open standard that governs the Web.

No, because they've already inserted their DRM everywhere that matters to them.

3. Apologise for installing rookits on people's computers without their knowledge

Done. Seven years ago. And by the way, did Apple and other phone manufacturers issue any apology for installing CarrierIQ...

Interesting that you'd pick the one company by name that was the least weasel-worded about what it did and didn't use CarrieIQ for.

Who decides what methods are legitimate?

[Geof]

Political activists use legitimate methods to increase their influence.

And who, pray tell, decides what is legitimate?

Answering that question is what politics is all about. The point of engaging in politics is to determine legitimacy. Look at any political movement and you will see this struggle to define legitimacy. Legitimacy is not the starting point: it is the outcome. You are begging the question.

Which is, of course, because you are trying to propagate your definition of what is legitimate. You are not describing politics: you are engaged in it. You are not a disinterested obsever: you are a participant.

Uh

[AdamJS]

Why not orient your company and your policies so as not to actively piss off people who like tinkering with their own electronics and people who don't like DRM and spyware-riddled merchandise?

Re:*clap* *clap*

[Ihmhi]

I think once a business reaches a certain critical mass, evil is inevitable.

Are there any companies in the Fortune 500 (or even Fortune 1000) that aren't complete monsters?

Re:Hacktivists

[leromarinvit]

Political activists use legitimate methods to increase their influence.

So Rosa Parks wasn't an activist when she sat on the whites-only seat on the bus? Her entire point was that what should have been legitimate wasn't. Activism isn't about increasing your influence (that's more NGO territory - lobbying for a good cause), it's about bringing public attention to your cause. Very often the most effective way of doing that is publicly defying the rules to make a point.

Re:*clap* *clap*

[peppepz]

That sucks. I'll only buy game consoles that distribute games on non-proprietary storage. Which one can I buy?

Re:*clap* *clap*

[SuricouRaven]

I think you have it backwards: If the company management isn't willing to do evil, the company will never reach that mass. Sooner or later the time will come when the management must choose between their principles and their duty to maximise profits - they can't have both.

Re:*clap* *clap*

[Sneeka2]

Both HD-DVD and Blu-Ray were proprietary, patent- and DRM-laden standards. ... For once, the technically best format (Blu-Ray) won.

I'll just let these two sentences stand next to each other. They're too good. :)

It's not that Sony beat HD DVD which undermines your argument, it's that Blu-ray is a horrible technology, mostly exactly because it's DRM-laden. The blue laser is nice, the DRM and all the crap that goes onto a typical Blu-ray disc is not. What won is simply one of the two evils. Therefore, choosing Blu-ray as an "open" technology to show how good Sony is in using open technologies is just... let's call it a bad example.

Both are very closed, but one is a lot more open than the other (the PS3)

So one sucks less than the other, that doesn't make it a great example for "open".

whereas the post I was responding to was claiming that Sony uses proprietary formats.

Because the PS3 is the only device Sony is selling?

Anti-Social

[Doc+Ruby]

Evidently Sony learned nothing from the cause/effect relationship of their brutal approach to both security and their users. Sony set the stage by deploying rootkits and other security attacks on their own customers. Then they retroactively deleted the Linux (OtherOS) option from PS3s, many of which they'd sold to hackers for the very purpose of "hacking Sony". Though OtherOS had been crippled from the beginning, there was little effort by PS3 hackers to crack the lockout from the hardware, until Sony tried shutting all OtherOS users down. Then hacking the PS3 became necessary for every PS3 Linux user.

It was a case of "when guns (OtherOSes) are outlawed, only outlaws will have guns (OtherOSes)". Why stop at just keeping what you paid for, when you had actually paid for more than you'd originally gotten? Sony had destroyed any ethical relationship, and the community was organized.

Now, I'm not pinning all or even most of the attacks on Sony beyond keeping Linux on the small PS3 Linux community - maybe not even any of them. But that episode showed the world Sony was a legitimate target. Then after some success in keeping what they paid for resulted in arresting the hacker, Sony was now a legit target for both legitimate hacking and just plain "bash the bad guy". Combine that with Sony's copyright overreaches, its region-encoding scams, its DVD backup denials (also broken and showing Sony both greedy and vulnerable) - Sony fanned the flames of backlash.

Now Sony is just escalating the conflict. It would be a lot cheaper to give hackers back Linux, this time with some support, to give them more of a common interest with Sony. Instead Sony is further defining itself as an enemy instead of a partner. Sony's awareness of social networks seems to be purely as either enemy or marketing victim. This will not end well. In fact it will not end, and many will suffer.

Re:*clap* *clap*

[macs4all]

Isn't that kinda how these big businesses work in general these days? Microsoft, Apple, Sony, Samsung, Motorola, Oracle, Intel, Dell, etc? I guess I'm just saying if someone has an issue with Sony they probably have an issue with the whole industry & it's practices, not /just/ Sony...

Apple removed DRM from iTunes music. Sony installed Rootkits.

Apple has no DRM on its OS. Sony has aggressively fought against Playstation hacking.

Apple has a Cloud service which mirrors your music to all your devices, regardless of where it came from. Sony?

Apple had a marketing slogan "Rip. Mix. Burn.". Sony created Blu-Ray as an unsuccessful defense against DeCSS.

Apple builds AirPlay into OS X and iOS. Sony creates SACD's DSD format as an (unsuccessful) attempt to stop CD copying (betcha didn't know that one!).

Apple actively and significantly contributes to the F/OSS Community. Sony, OTOH has been caught USING F/OSS code without attribution and in violation of those project's licensing (libarc) in its game, ICO, and parts of LAME (id3lib and more) in an OCX control.

Yep. no way whatsoever to tell those two companies apart by their respective actions.

Re:*clap* *clap*

[betterunixthanunix]

No, iOS has DRM that is designed to prevent its user from running software that Apple does not approve of. You can read more than the first sentence, you know...

Re:*clap* *clap*

[AngryDeuce]

A PC?

Re:Sony rootkit

[gtall]

Why is this insightful? It is the same mentality that makes the MidEast a battleground for 6000 years.

Re:*clap* *clap*

[mcgrew]

NO OTHER COMPANY would have done ANYTHING different.

What other company has knowingly and purposely installed malware on paying customers' computers? What other company has shipped a product and then removed some of its functionality after it's already been bought and paid for?

I was a victim of XCP. Don't expect ME to buy anything else from Sony, ever again. If I did to Sony's computers what Sony did to mine when my daughter innocently installed their damned trojan, I'd be in prison.

Sony doesn't deserve to live. I wish averyone who owned Sony stock would sell it, and I wish people would stop buying Sony products. Sony is evil and doesn't deserve your business.