So why doesn't Sony patch the vulnerability and deploy new servers? Perhaps it's because they don't have any good backups to restore from.
Perhaps they don't know how they were cracked? Also fairly likely is that as they bring the services back up they need to re-patch and re-check every service for vulnerabilities. Their last clean backup may still contain vulnerabilities.
Even if they were properly encrypted though, it's not beyond imagining that attackers could use rainbow tables or simply run brute force matching looking for relatively common passwords.
Even if they enforced "strong" passwords, some people will still have chosen relatively easy-to-guess passwords (e.g. MyDumbPass123), and once you figure out how they hashed the password database it wouldn't be hard to come up with a few million of these passwords. Then a brute force attack would pick up a few of the low-hanging fruit. Sure, it might take a few weeks of processing time, but it's conceivable. That alone is enough to make a company recommend everyone change all their passwords.
Of course, the security questions are probably a bigger hazard.
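As an added illustration of the point made in the comment above (this is example code, not something from the original thread or from Sony), the following Python builds a small constructed "leaked" password table two ways and runs the same guess list against both. The account names, passwords, base words and mangling rules are all made up for the demo; the iteration count for the salted scheme is deliberately low so the script finishes in seconds.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): three passwords of the
# "MyDumbPass123" kind plus one long random string no wordlist will contain.
SAMPLE_USERS = {
    "alice": "MyDumbPass123",
    "bob": "password1",
    "carol": "Sony2011!",
    "dave": "xK9#vQ2pL!mR7zWb",
}

# A cracker's guess list: a handful of base words run through the usual
# mangling rules (case, "My" prefix, digit/year/punctuation suffixes).
# Real attacks use millions of base words; the shape is the same.
BASE_WORDS = ["password", "DumbPass", "sony", "letmein", "qwerty"]
PREFIXES = ["", "My"]
SUFFIXES = ["", "1", "123", "2011", "!", "2011!"]


def _generate_candidates():
    for word in BASE_WORDS:
        for variant in (word, word.lower(), word.capitalize(), word.upper()):
            for prefix in PREFIXES:
                for suffix in SUFFIXES:
                    yield prefix + variant + suffix


CANDIDATES = tuple(dict.fromkeys(_generate_candidates()))  # de-duplicated, order kept


# --- Scheme 1: unsalted fast hash (what many sites still stored in 2011) ----

def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_db(users: dict) -> dict:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(db: dict):
    """Hash each candidate once, then look every stored hash up in that table.

    Returns (recovered, hash_operations). The table is built once and serves
    every account in the dump, and every other dump that used the same scheme;
    a rainbow table is just this table precomputed and compressed."""
    table = {unsalted_sha1(c): c for c in CANDIDATES}
    recovered = {user: table[h] for user, h in db.items() if h in table}
    return recovered, len(CANDIDATES)


# --- Scheme 2: per-user random salt + slow iterated hash --------------------

ITERATIONS = 10_000  # lowered so the demo runs in seconds; use far more in production


def salted_pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_salted_db(users: dict) -> dict:
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)          # fresh random salt per account
        db[user] = (salt, salted_pbkdf2(pw, salt))
    return db


def crack_salted(db: dict):
    """No shared table is possible: each (account, candidate) pair costs a full
    PBKDF2 run, so work scales with accounts x candidates x iterations.
    Weak passwords still fall; the attacker just pays far more per guess."""
    recovered, work = {}, 0
    for user, (salt, digest) in db.items():
        for candidate in CANDIDATES:
            work += 1
            if hmac.compare_digest(salted_pbkdf2(candidate, salt), digest):
                recovered[user] = candidate
                break
    return recovered, work


if __name__ == "__main__":
    found, ops = crack_unsalted(build_unsalted_db(SAMPLE_USERS))
    print(f"unsalted SHA-1: recovered {found} with {ops} hash operations")
    found, ops = crack_salted(build_salted_db(SAMPLE_USERS))
    print(f"salted PBKDF2:  recovered {found} with {ops} PBKDF2 runs")
```

Both runs recover the same three weak passwords and miss the random one, which is exactly why a "change your password" advisory goes out even when the hashes were done properly. The difference is cost: the unsalted table costs one hash per candidate no matter how many accounts leaked, while the salted scheme forces a separate, slow computation for every account and every guess.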
There is a difference between "hot" and "dangerously hot". If I go to a store and buy coffee, I expect it to be hot... not dangerously hot.
Let's put it another way. If I walk into a store and buy coffee, I expect to be able to drink it. I wouldn't be overly surprised if after spilling it on myself, I went "wow, that's hot!" but I don't expect to have to go to the hospital. It's coffee. Coffee is supposed to be safe. Yeah, if I spill hot coffee on myself I expect to hop around a little and my skin might be tender for a day or so, but that's very different from having to go to the hospital and get $20k worth of medical care.
If you don't want coffee that is too hot, don't buy it at McDonald's.
Really? That's your argument? That people should know when coffee is too hot and shouldn't accidentally spill it?
So, does McDonald's advertise its coffee as "dangerously hot!" or label it with "handle with care"? How am I supposed to know that when I pick up a coffee from McDonald's I had better treat it with extra-special care to make sure I never spill it? You know, as opposed to plenty of other coffee shops which sell their coffee at a temperature that will only scald you a bit?
Why should the government dictate how hot coffee can be?
You do know governments have a ton of rules about pretty much all aspects of food preparation?
Didn't she get all the penalty money?
You're still not quite getting that it wasn't about her. She sued for coverage of her medical bills. Here, from the Wikipedia entry on the subject:
Other documents obtained from McDonald's showed that from 1982 to 1992 the company had received more than 700 reports of people burned by McDonald's coffee to varying degrees of severity, and had settled claims arising from scalding injuries for more than $500,000.
Basically what happened was she was trying to recoup her medical bills and the court awarded her most of that. Then the court looked at McDonald's history and decided that they just weren't getting the hint and wouldn't change their (apparently dangerous) policy of serving extra hot coffee. So they slapped them with some punitive damages to make them take notice. Yeah, I think that money went to her, but the point wasn't to GIVE her money the point was to PENALIZE McDonald's to attempt to give them incentive to serve safe food.
And btw, I think the actual amount she got was more along the lines of $600k. Not millions.
Ok, think it through. How many coffees is that restaurant going to sell over the course of a year? Let's assume that they only sell 100 coffees a day over 360 days a year, for 36,000 coffees. Over a 5 year period that's 180k coffees served. What are the odds that someone is going to spill a coffee on themselves immediately after being handed the coffee, over those 5 years? Well, I'd say it's pretty much guaranteed. At some point the drive through person is going to hand it to someone and something is going to slip, and fresh from the pot coffee is going to spill all over someone. Or some similar accident will happen.
Now, we've established that people WILL spill the coffee on themselves. Ok, but bad things happen all the time, right? People WILL crash cars into trees. Well, the people who make the cars are under an obligation to take steps to make crashing into trees safer, even though you're not supposed to drive your car into a tree. Similarly since we know that sooner or later someone is going to spill coffee on themselves, then the restaurant making the coffee should take reasonable steps to limit the damage, right?
1. McDonald's served its coffee hotter than was meant to be drunk immediately, with the intention that the coffee would cool to drinkable temperatures by the time you got to the office.
2. McDonald's had been warned in the past that its coffee was too hot, and told to reduce the temperature that it was being served at.
3. It kept serving the too-hot coffee despite being explicitly warned not to, and despite the fact that sooner or later someone would spill the too-hot coffee on themselves.
4. She sued for medical bill coverage only. She got 80% of her medical bills covered because she was found 20% liable. The court then also decided* to apply penalties to McDonald's in excess of these bills in order to convince McDonald's that it should follow the law. Because otherwise, from McDonald's perspective, it should keep operating in an unsafe manner because it makes more money that way (i.e. paying out medical bills for burns is less money than the extra they make serving too-hot coffee).
So basically this case wasn't anywhere near as simple as the "lol, dumb bitch spilled coffee on herself and she sued for millions" that a lot of people seem to think it was. It actually makes a lot of sense, and I think it's a good example of justice arriving at the correct result even though the results are a bit counter intuitive if you don't look very closely.
Your basic approach does seem to be vulnerable to someone registering a large number of "sleeper" accounts that wait to be called in to be a juror about something they care about (perhaps an upcoming attack). To help counter this:
1. An account can't be selected as a juror unless it's been active for a minimum amount of time, with actual activity. (Say, a month.)
2. Jurors which consistently ignore their "duty" get dropped from the list.
You would also want to attempt to weed out vandals from your juror list:
3. Jurors which consistently vote counter to the majority get dropped from the list.
To handle borderline cases I would try:
4. For the crowd-sourcing system to function, a minimum of 2/3rds majority is required.
5. If a 2/3rds majority isn't achieved, then a paid moderator looks at the complaint.
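The five rules above can be written down as a small piece of policy code. What follows is an added example, not anything from the original thread or from the site being discussed: it assumes concrete thresholds (a month is 30 days, "actual activity" means at least 5 actions, "consistently" means 3 ignored calls or dissenting in more than half of at least 5 decided votes), and all juror records in it are constructed.

```python
import random
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions chosen to match the five rules; tune to taste.
MIN_ACCOUNT_AGE_DAYS = 30         # rule 1: a month of history
MIN_ACTIONS = 5                   # rule 1: "actual activity", not just an old account
MAX_IGNORED_CALLS = 3             # rule 2: consistently ignoring duty
MIN_VOTES_FOR_DISSENT_CHECK = 5   # rule 3: need a track record before judging dissent
MAX_DISSENT_RATIO = 0.5           # rule 3: more than half against the majority


@dataclass
class Juror:
    name: str
    created_day: int       # day number the account was registered
    actions: int           # posts, edits, etc. since registration
    ignored_calls: int = 0
    votes_cast: int = 0    # only votes in cases that reached a 2/3 decision
    dissenting_votes: int = 0
    dropped: bool = False


def fails_conduct_rules(j: Juror) -> bool:
    """Rules 2 and 3: no-shows and serial dissenters get dropped."""
    if j.ignored_calls >= MAX_IGNORED_CALLS:
        return True
    return (j.votes_cast >= MIN_VOTES_FOR_DISSENT_CHECK
            and j.dissenting_votes / j.votes_cast > MAX_DISSENT_RATIO)


def is_eligible(j: Juror, today: int) -> bool:
    """Rule 1 (sleeper defence) plus the conduct rules."""
    if j.dropped or fails_conduct_rules(j):
        return False
    account_age = today - j.created_day
    return account_age >= MIN_ACCOUNT_AGE_DAYS and j.actions >= MIN_ACTIONS


def select_panel(pool, today: int, size: int, rng=random):
    """Random panel drawn only from eligible jurors."""
    eligible = [j for j in pool if is_eligible(j, today)]
    return rng.sample(eligible, min(size, len(eligible)))


def decide(votes: dict) -> str:
    """Rules 4 and 5: an option needs at least 2/3 of the votes cast,
    otherwise the complaint is escalated to a paid moderator.
    Integer arithmetic avoids float trouble at exactly 2/3."""
    if not votes:
        return "escalate"
    option, n = Counter(votes.values()).most_common(1)[0]
    return option if 3 * n >= 2 * len(votes) else "escalate"


def record_outcome(panel, votes: dict, decision: str) -> None:
    """Update juror records after a case. Absent jurors are charged an ignored
    call; dissent is only counted when there was a real majority to dissent from."""
    for j in panel:
        if j.name not in votes:
            j.ignored_calls += 1
        elif decision != "escalate":
            j.votes_cast += 1
            if votes[j.name] != decision:
                j.dissenting_votes += 1
        if fails_conduct_rules(j):
            j.dropped = True


if __name__ == "__main__":
    today = 100
    pool = [Juror(f"regular{i}", created_day=10, actions=40) for i in range(6)]
    pool += [Juror(f"sleeper{i}", created_day=99, actions=0) for i in range(20)]
    rng = random.Random(1)
    panel = select_panel(pool, today, size=5, rng=rng)
    print("panel:", [j.name for j in panel])          # sleepers never appear
    votes = {j.name: "uphold" for j in panel[:4]}
    votes[panel[4].name] = "dismiss"
    verdict = decide(votes)
    print("verdict:", verdict)                         # 4 of 5 >= 2/3 -> uphold
    record_outcome(panel, votes, verdict)
```

Note that the sleeper defence (rule 1) is about account age and activity, not about what the account does once seated, so the conduct counters start empty for everyone; the vandal rule (3) only starts to bite after a juror has a track record of decided cases, which is why escalated cases are left out of the dissent count.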