Slashdot Mirror


Lulzsec Member Raynaldo Rivera Pleads Guilty To Sony Pictures Breach

hypnosec writes "Raynaldo Rivera has pleaded guilty at the US District Court for the Central District of California to hacking the Sony Pictures Entertainment website in May 2011. The 20-year-old in his plea agreement revealed that he joined Lulzsec in May of last year in a bid to help the hacking collective carry out cyberattacks on governments and businesses. Rivera, who surrendered to the FBI on August 28 this year, admitted that he was the one who launched an SQL injection attack against sonypictures.com that enabled him to extract confidential information from the website's database."


  1. typo in summary by MichaelSmith · · Score: 2, Informative

    lof ast year

  2. Well, he should plead guilty of wasting my time by olsmeister · · Score: 2

    After I spent an hour of my life watching him open Al Capone's empty vault.

  3. xkcd by Anonymous Coward · · Score: 3, Funny
  4. SONY was breached a bunch of times by gelfling · · Score: 3, Informative

    They clearly learned nothing and refused to learn anything or do anything. Lemme guess, SONY is run by copyright attorneys and Hollywood 'content' types.

    1. Re:SONY was breached a bunch of times by gweihir · · Score: 5, Interesting

      Actually this problem is typically caused by MBA "beancounters" that do not have any skills or object knowledge with regard to the things they decide. They are also characterized by a hugely inflated ego and self-assessment. What then happens is best described as "save a penny, lose a million". Add to that that external and independent security reviews are not done or only companies with no ethics are selected ("the customer is always right" is the road to hell in security evaluations) or reports are blatantly ignored. That is how Fuckupshima happened, that is how RSA was compromised (and why are they still in business????), that is why Sony was conceptually unable to even understand what happened to it.

      Only solution: Massive corporate liability (They got your account hacked and cannot prove IT Sec due diligence? $1000 per count to the affected customer, unless the customer can prove even higher damage.) coupled with personal liability on the highest level (No external reviews? Glaring security holes not even looked for or ignored? CTO, CIO and CSO go to jail for a few years. If they can prove being blocked by the CEO and cooperate fully in the investigation, 30% sentence reduction, still at the very least 2 years they have to serve, and CEO goes to jail for a long time. All also have their salary and bonuses impounded for the time they did not perform.) Add to that surprise audits from time to time that have much the same impact if glaring security problems are found.

      Of course, this will not happen. It would require an honest and competent government to put something like that in place. They do not exist, except occasionally in small countries.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. These lulzsec guys are pathetic. by Anonymous Coward · · Score: 2, Informative

    If they hadn't gloated so much and had taken the proper precautions, they wouldn't have been found. Don't tell anyone, not even anyone on your team, who you are.

  6. Sony Should Go To Jail by andrew3 · · Score: 5, Insightful

    When does Sony go to jail, for developing rootkits? I bet that affected people on a much larger scale. What about the false advertising regarding the OtherOS feature, which was removed via an updater/backdoor?

    Sony screws its customers with DRM and anti-features and attacks software developers. I find it hard to feel sorry for them.

  7. Re:Rookie mistake by spiffmastercow · · Score: 2

    How do you set up a server to prevent SQL injection? That's a systematic failure in the web app, not a flaw in the DB configuration.

  8. sentencing by planckscale · · Score: 3

    Possibly 5 years in jail and $605k in fines is the guilty plea bargain. Sounds like a deal to me, go ahead and reciprocate by doing the same time and paying each user who was hacked by Sony and their DRM rootkit.

    --
    Namaste