Slashdot Mirror


The Sony Pictures Hack Was Even Worse Than Everyone Thought

An anonymous reader writes with today's installment of Sony hack news. "It's time to take a moment of silence for Sony Pictures, because more startling revelations about leaked information just came out and employees are starting to panic. BuzzFeed raked through some 40 gigabytes of data and found everything from medical records to unreleased scripts. This is probably the worst corporate hack in history. Meanwhile, Fusion's Kevin Roose is reporting on what exactly happened at Sony Pictures when the hack went down. The hack was evidently so extensive that even the company gym had to shut down. And once the hackers started releasing the data, people started 'freaking out,' one employee said. That saddest part about all of this is that the very worst is probably still to come. Hackers say they stole 100 terabytes of data in total. If only 40 gigabytes contained all of this damning information, just imagine what 100 terabytes contains."

16 of 528 comments

  1. 100 terabytes of data - a few movies? by BitZtream · · Score: 5, Informative

    100 terabytes of data is easily consumed by the raw uncut footage of a few movies, easily. So it could be a whole bunch of stuff that really hurts them or it could just be a couple movies that were shot by M. Night Shyamalan that suck so hard no one cares.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  2. Sauce for the goose; sauce for the gander by cryptoengineer2 · · Score: 5, Informative

    http://en.m.wikipedia.org/wiki... TL, DNR: 9 years ago, Sony was root kitting the machines of people who bought their CDs, and lying about it.

    1. Re:Sauce for the goose; sauce for the gander by joe_frisch · · Score: 3, Informative

      I feel sorry for their employees whose information was compromised, but I can't say the same about the company. They are still on my "do not buy" list, and I buy a lot of the sort of things that they sell. Still waiting for an apology for the rootkit.

  3. Re:Over what time interval? by CohibaVancouver · · Score: 3, Informative

    What kind of Internet connection does Sony Pictures have? To ex-filtrate 100 TB of data is going to take a while, no matter how you cut it. My guess is that number is significantly inflated.

    Who says this was done over the internet?

    Send in a North Korean agent posing as a janitor to jack into the network from the inside. Plug in a device, let it download, then come get it the next night.

  4. Re:Over what time interval? by im_thatoneguy · · Score: 3, Informative

    My internet connection at home is 100mbps = 12MB/s.

    = 43GB/hr
    = 1TB / day
    = 100 TB in 100 days.

    Spread that out across 10 machines and you're looking at a little over a week.

    An uncompressed 4k film in DPX is 10bit * 4096 x 2214 * 3 = 32 MB / frame * 24 fps * 60 seconds/minute * 60 minutes/hour = 2.63 TB per *version*. Then there are Subtitled and Closed caption versions. A single film often has 10TB. They might have just stolen 10-20 films. And those servers presumably are on very fast connections capable of remote review over something like cinesync.

  5. Re: Over what time interval? by reanjr9417 · · Score: 5, Informative

    Sony Pictures is likely sending out huge amounts of data as it is. It's the movie industry. Their daily backups could be 100 TiB.

  6. Re:Lawsuits and Patents by mysidia · · Score: 5, Informative

    SONY would have to patent everything within a year in the US; I am not sure that you even have that grace period everywhere else.

    No..... 1 year following lawful disclosure.

    The unlawful disclosure of confidential information by criminals is subject to adjudication by the courts.

    The unlawfully disclosed material may very well be deemed to be a condition that allows Sony to continue to pursue the patents, and publications made from unlawfully disclosed materials may be excluded from valid prior art.

  7. Re:... Everything? by Antique+Geekmeister · · Score: 4, Informative

    Don't forget disputed insurance claims, and new employee paperwork with medical and life insurance applications with records of pre-existing conditions.

  8. Re:Over what time interval? by Kjella · · Score: 3, Informative

    I've heard before that in high end movies they push a lot of data around, each day they upload the raw footage to their studio back home which edits it and makes dailies that the filming crew review to make sure it comes out as they want before sets are torn down and actors leave for other jobs. They could do it on location but it's hard to get the people and equipment to follow you around and besides that way you can take advantage of time zone differences. I think I saw that in the LotR extras, Peter Jackson was filming in New Zealand, they edited in the US and it was ready for review next morning.

    Consider that 50GB of an actual BluRay has probably been many terabytes of footage because of lack of compression, cameras rolling before and after scenes and many takes. I'm quite seriously suggesting that 100TB might not be that insanely much for a company rigged to handle huge data flows on a regular basis.

    --
    Live today, because you never know what tomorrow brings
  9. $1tr question--Why is all this Internet-facing??? by BUL2294 · · Score: 4, Informative

    With all the state-sponsored corporate & military espionage caused by China & Russia, with the never-ending probes from government agencies like the NSA/DHS/GCHQ/etc., with malware & ransomware attacks that can encrypt data in (generally) unbreakable forms, with criminal hacking organizations making off with millions of credit card numbers from retailers, with apparently no network controls as to how much data leaves company firewalls & where it goes, and so on, why aren't there more internal air-gapped networks in companies???

    This has hit the point of absurdity. If you are working on military plane designs, working on your next corporate acquisition, or even making movies or music worth tens of millions of $$$, why would you put your prized, unreleased digital files on computers that have Internet access? What kind of batshit stupidity is that? What, so your employees can browse Facebook & check Outlook e-mail at the same time? Such an air-gapped network would easily become an island--one that doesn't need Windows Updates, can stay on an old service pack, gets no software updates that solve 2 problems but make a new one (e.g. we know the bugs), and the like. And if those employees really need their Outlook e-mail, IM, or the Inter-Webs where they work, they can have a 2nd very low-end PC, connected to the main network, with a KVM between the two. Might even increase efficiency, given the mind's inability to multitask well. Or give them freaking iPads on a wireless network that's not connected to their "sensitive" work computer.

    It boggles the mind that given all these problems, which are increasing in frequency & cost every day, we still have little more than software firewalls & hardware routers between a company's most highly-sensitive assets (files & computers) and the big-bad-Wild-West-no-holds-barred-Internet.

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  10. Re:PS4 keys? by Khyber · · Score: 1, Informative

    "How long before we see Sony's flagship console jailbroken like the PS3?"

    Not very long. A grep on the server hosted by a nice Anon shows that there are keys in there for various things - app signing, etc.

    Sony's going to get ripped a new one hard.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  11. Re:... Everything? by rudy_wayne · · Score: 4, Informative

    Certainly legal. There's nobody who can't hold your medical information.

    Wrong.

    HIPAA regulations are pretty strict about this. The company I work for does everything through a 3rd party because of this.

      When I told my boss I had to have time off for surgery I was given the phone number for the 3rd party company and they handled everything. They contacted my doctor and obtained all the necessary medical information to verify that I was off work for a legitimate medical reason. When I was ready to return to work, I went to a doctor who examined me and then reported to the 3rd party company that I was OK. The third party company then notified my employer that I was OK to return to work. At no time was my employer ever given any medical information about me.

  12. Re:... Everything? by apraetor · · Score: 4, Informative

    Your employer could have held the information, but every system involved with access & storage would have to meet physical and electronic security requirements. Outsourcing is cheaper, and a business structured around PHI-compliance would have an interest in minimizing their liability.

  13. Re:Over what time interval? by SeaFox · · Score: 3, Informative

    "Then there are Subtitled and Closed caption versions."

    Except those are separate TEXT FILES moron.

    Motion picture subtitles (as they are distributed on disc) are not text-based. They are a subpicture that is overlaid on the original video.
    Yes, they wouldn't take up a lot of room, given the majority of the picture is the designated mask (clear) "color" and the limits on the number of other colors used, but they are not text files.

  14. Re: ... Everything? by dgatwood · · Score: 4, Informative

    How much would security cost? To do it right?

    Not a lot, actually. The most important aspect of real security is compartmentalization—ensuring that you don't have any high-value individual targets:

    • Every desktop has individual credentials for the local user, and except when unavoidable, you don't grant any network users (LDAP, etc.) any access. Every desktop has a separate external hard drive used for backup.
    • For shared projects, you have project servers, one per major project. Just like desktop machines, access is granted only to people working on the project. It has its own credentials, and it is backed up separately—ideally to an off-site server, and stored encrypted on that server.
    • Every email not involving a mailing list is sent encrypted, so that it never exists in a decrypted form on a centralized server.

    None of those things should cost significant amounts of money. They're just simple policy decisions. And with a scheme like the above, you typically wouldn't see attacks like this being successful in the absence of a massive zero-day remote kernel exploit.

    If you want added security, you could write a piece of software in a few minutes that logs all traffic by IP address and port, then compares it with traffic requested by the user's web browser (by continuously reading the browser's history and uploading any new locations every couple of minutes), and flags anything that doesn't match. Automatically ignore any automatic updates by software that your IT department installed, plus any known addresses owned by your OS manufacturer. If you see any other traffic, shut off the port immediately, and contact the user to verify that the traffic is expected. If so, whitelist that IP and port after verifying that the software the user is running is legit.

    Finally, add mail server rules that sanity check any email attachments, and similar rules for your HTTP proxy. If someone receives a disk image, ZIP archive, or other archive, extract the contents and ensure that there are no executables within it. If there are, allow the attachment if the executable is signed by a trusted authority. Otherwise, store a copy of the attachment in a secure location, and either filter it from the mail archive or refuse to send the final packet of data to the web browser. Flag it for review.

    Like the two guys running away from the grizzly bear, security doesn't have to be flawless; it just has to be robust enough to convince the attacker to go after an easier target.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
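The attachment sanity check the comment above describes (extract an archive, look for executables inside, quarantine and flag rather than deliver) can be written as a small mail-filter helper. The following is an added example and is not dgatwood's code or Sony's: it walks a ZIP attachment in memory, descends into nested ZIPs up to a fixed depth, and flags members that carry a known executable header (PE, ELF, Mach-O) or an executable file extension. It also reports members it cannot inspect (encrypted or oversized), since an uninspectable attachment is exactly what a filter should not wave through. Checking whether a flagged executable is signed by a trusted authority is left out here. The sample archive built by `build_sample()` is constructed for the demonstration; the member names in it are invented.

```python
import io
import zipfile
from dataclasses import dataclass

# Well-known magic numbers for executable containers (real values).
EXECUTABLE_MAGICS = {
    b"MZ": "PE (Windows executable/DLL)",
    b"\x7fELF": "ELF (Linux executable)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary / Java class",
}
# Extensions treated as executable content regardless of header.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".jar", ".msi")
MAX_DEPTH = 3                 # how many nested archives to descend into
MAX_MEMBER_BYTES = 50_000_000  # coarse guard against decompression bombs


@dataclass
class Finding:
    path: str    # member path, nested archives joined with "/"
    reason: str  # why the member was flagged


def classify_member(name: str, data: bytes):
    """Return a reason string if the member looks executable, else None."""
    for magic, description in EXECUTABLE_MAGICS.items():
        if data.startswith(magic):
            return f"{description} header"
    lowered = name.lower()
    for suffix in EXECUTABLE_SUFFIXES:
        if lowered.endswith(suffix):
            return f"executable extension {suffix}"
    return None


def scan_zip(data: bytes, prefix: str = "", depth: int = 0):
    """Inspect a ZIP held in memory and return a list of Findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:
                # Password-protected members cannot be inspected at all.
                findings.append(Finding(path, "encrypted member, not inspectable"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                # Declared size only; still refuse to inflate huge members.
                findings.append(Finding(path, "member too large to inspect"))
                continue
            member = archive.read(info)
            reason = classify_member(info.filename, member)
            if reason:
                findings.append(Finding(path, reason))
            elif zipfile.is_zipfile(io.BytesIO(member)):
                if depth >= MAX_DEPTH:
                    findings.append(Finding(path, "nested archive beyond depth limit"))
                else:
                    findings.extend(scan_zip(member, path + "/", depth + 1))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy hook: hold the attachment for review if anything was flagged."""
    return bool(scan_zip(data))


def build_sample() -> bytes:
    """Constructed sample: an outer ZIP with a nested ZIP carrying a fake PE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # PE stub
        zf.writestr("notes.txt", b"nothing of interest")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.txt", b"quarterly numbers")
        zf.writestr("attachments.zip", inner.getvalue())
        zf.writestr("helper.js", b"console.log('hi')")
    return outer.getvalue()


def build_clean_sample() -> bytes:
    """Constructed sample that should pass: only plain documents inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("script_draft.txt", b"INT. OFFICE - DAY")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(f"FLAG {finding.path}: {finding.reason}")
    print("quarantine:", should_quarantine(build_sample()))
```

The flagged copy would go to the secure store the comment mentions and the message would be held; the check deliberately errs toward flagging, because an encrypted or over-size member is the common way an executable is smuggled past a filter that only looks at what it can open.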

  15. Re: Over what time interval? by topologicalanomaly47 · · Score: 4, Informative

    RAID doesn't really work like this.

    Imagine you have a 6-disk RAID6 - you need 4 to have the array working in a degraded state. Unless you steal 4 disks *at once* you won't be able to rebuild it offsite. Unless you get drives from RAID1 arrays you're better off smuggling in a 2 TB 2.5" USB drive. If their physical security is anywhere close to the IT security you can probably smuggle a f-ing NAS inside and nobody would care.