
New Sony hack exposes more consumer passwords

Hackers who last week broke into the website of television network PBS have turned their attention to Sony's movie division, publishing what appeared to be the email addresses and passwords belonging to at least 50,000 consumers who registered for online promotions. A group called LulzSec claimed responsibility for the attack …

COMMENTS

This topic is closed for new posts.

Silver badge
Thumb Up

This is not a repeat from last week

Nor is it a prepeat from next week. This is an article about a single incident of Sony Pwnage. It differs little from the ones that went before, nor from the ones sure to come after except by the who and how, but it is a unique incident worthy of reportage.

That Sony's online security was weak and many people's information was compromised is not newsworthy at this point. But the specific ways that they were so compromised and their number is unique and so worthy of reporting.

Keep them coming!

4
2
Silver badge
Happy

Need to leave the house

and get more popcorn - this looks like it's gonna run longer than Star Wars

6
0
Facepalm

what playstation users are thinking now...

http://www.youtube.com/watch?v=0yhQcDgMon8

1
0
Flame

That'll teach 'em

I haven't willingly touched a Sony product since their rootkit fiasco (I had the fortune of cleaning up someone's PC after that one). And I've seen the stuff they've done since. The only reaction you get from me over people being hurt over this barrage against Sony is "That'll teach 'em the cost of doing business with the mafia".

//Svein

21
1
Happy

Looks like it's open season on Sony

… in more ways than one. Plain text again?!

After watching so much arrogance of Sony's rootkits, their attitude to Linux, and the ensuing legal battles with the PS3 etc... Sony have been building anger against them for a long time, but they won't see it. They have pissed off a lot of people and Sony's continuing arrogance looks like it's stirred up a hornet's nest of public anger against them.

It's like I said last week. Whilst protesters are often considered criminals, Sony would do well to recognize that how they treat the public has a direct causal link with how some more militant elements of the public will end up treating Sony in return. Usually that's against political power, but now we live in a world increasingly ruled by corporate power, so it's no surprise the public will only take so much unfair behaviour before retaliating, and now it's becoming open season on Sony.

What worries me is what the governments are going to try to do. If they try to use this as an excuse to enforce more draconian measures over the Internet the shit is really going to hit the fan in all directions, but you just know the governments would love to try something more Orwellian to speed up and increase their already Orwellian moves. But they would do well to remember the news this year shows ever more people around the world have had enough of the rich and powerful and that isn't just governments, that includes the corporations as well. In a world increasingly influenced (and manipulated) by corporate power the corporations are now finding themselves in the firing line of peoples protests and anger. Sony are the first to feel that anger, but then Sony really have brought this on themselves.

But I can't see Sony backing down and saying sorry. They are going to try to hit back with more legal action, which will incite even more anger against Sony. The hackers have the technical upper hand by a long way and they are rightfully angry, but the law has authoritarian power, and if they try to use more authoritarian methods that's going to greatly inflame even more anger against Sony and the governments.

This really is like watching a revolution against corporate power, so Sony badly needs to rethink how they treat the public, as they need to realise their current dictatorial attitude has caused this anger. But like all dictators, they will continue to refuse to see they are wrong.

22
0
Joke

Sony Security: living up to the company motto

"make.believe"

6
0
FAIL

A lot of people?

"They have pissed off a lot of people and Sony's continuing arrogance looks like it's stirred up a hornet's nest of public anger against them."

It's a minority of people; a lot of people are pissed off at the hackers for attacking Sony and subsequently pissed off at Sony for not having good security.

1
9
Happy

Re: "This really is like watching a revolution against corporate power...."

That quote was close to my first thought after reading the article, but it seems someone beat me to saying it.

Regardless of the legality or even morality of the break-ins, I'm sort of glad to see this. With corporate power effectively owning the government, public opposition to it has been nearly impossible; we can vote out a corrupt politician but we can't vote out the guy who bribed him and will bribe his replacement. Legal methods of opposing corporate power do not work; boycotts, for example, almost have to fail when the company is big enough, the competition small enough, and the population that must be made to work in concert is huge and has little in common. The number of legal methods tends to shrink as corporations buy the laws they need to protect themselves from the public.

I make no statements on whether the current anti-Sony hacking spree is justified or not. But it seems to me that Sony's problems demonstrate that yes, it *is* still possible to bring effective force to bear on a powerful company, if its behavior becomes too consistently onerous.

I find this heartening.

3
0
Linux

Re: Looks like it's open season on Sony (posted Friday 3rd June 2011 08:49 GMT)

Greetings Asgard,

I have been buying Sony TVs for some years; if they have become corporate scum like Americans, I will have to rethink my purchases.

0
0
FAIL

So, it was "that easy" to hack?

Ironically so is the PS3 and the Playstation Network.. and hacking either of those will land you in a world of shit...

1
3
FAIL

Oh...

...dear.

What's more worrying is.... how many more major corporations are storing our personal data on the digital equivalent of the back of an envelope?

6
0
Silver badge

And the sillyness continues :-)

Toy makers have no concept of security ... NEVER expect your toys to be secure beyond "here & now, not connected to anything else".

The annonytwats, on the other hand, should be rounded up & gunned down. They are not doing anything useful in the great scheme of things, and probably never will. Killing them all would be no loss to society.

3
23
Anonymous Coward

And the sillyness continues :-)

Not if you STFU, it doesn't.

13
2
Silver badge

Not shutting the fuck up.

And still the sillyness continues :-)

Or were you trying to vaguely threaten me? Sorry, not gonna get results there, kiddo ... And please note that a double negative ... oh, hell, why do I bother ... Windmills & all that ... Looking forward to many more "thumbs down" from the illiterate. Ta in advance :-)

2
11
Bronze badge
Thumb Up

Right on!

Death to "hacktivists" is a tad draconian but I too am getting a little tired of the antics by a bunch of snotty dirtbags who think they are some sort of modern revolutionary force. I agree we need to be careful to keep an eye on those that would seek to take our liberty, but this lot go too far.

Some website writes an article that simply has a pop at a website this lot support and next thing, the internet equivalent of the Viking hordes descends, burns the place to the ground and steals the valuables! These so-called activists bang on about freedom of speech and liberty, but at the first sign anyone has a pop at them or their mates, they are down on the offending party like a ton of bricks! Yeah, we support freedom of speech, except those that use it against us!

Catching the buggers and getting them out digging ditches or cleaning up old folks' gardens for a bit would at least give them something more useful to do than making trouble.

2
9
Anonymous Coward

Re: Not shutting the fuck up.

Threaten you???

That's rich coming from someone advocating mass murder.

You really are pathetic.

6
1
Silver badge

Not mass murder.

Chlorinating the gene pool.

When I were a lad, two wrongs didn't make a right, but euthanizing dogs with Parvo was considered "best practice", because it was better for the humans and the dogs over the long haul.

Don't get me wrong ... I like the idea of an open internet. I was sad when I had to kill the guest accounts on my internet facing servers in 1988. These annonytwats are a symptom of the problem, not the answer ... Don't glorify them. They are just as bad as the corporations they are trying to vilify. Maybe worse, in that they are intentionally causing the casual/ignorant user's data to become accessible to any and all criminals who care to access it.

Again, I'm anticipating plenty of "thumbs down" from people who aren't thinking this thing thru'. Enjoy, if that makes your weekend. Me, I'm trying to educate :-)

1
3
Pint

The cost of privacy

"All told, the attacks have exposed personally identifiable information for more than 100 million Sony customers and cost Sony at least $171 million."

So that's a cost of approx. $171 per person whose account details were stolen. It's no wonder businesses don't give a toss about their customers details, I spent that drinking last weekend.

Beer, because I spend more on it in a weekend than someones personal information costs Sony.

2
1
FAIL

Not quite...

$171,000,000/100,000,000 customers = $1.71 per customer

So not even enough for a cup of coffee. That's how much of a shit Sony give

2
0
Silver badge

@Michael 47

I think all that beer DavidB claims to drink each weekend must have impaired his ability to do basic maths.

6
0
Silver badge
FAIL

lulz

Epic math fail for all to see all weekend. Time for the withdraw button but not sure it allows it after people reply.

0
0
Holmes

When will it end

Stick your face in the hornets' nest and look what happens.

Although why Sony haven't learned their lesson and encrypted their databases I will never know.

2
0
Thumb Down

Publishing Details

The site was unavailable when I tried to access it, so I'm just going off the article. If they have actually published the user details (email, password etc.) then they have no credibility whatsoever. You don't start complaining about a lack of security and then just show the contents to the world. Karma - 1 for them.

1
0
Pint

Sony is the new whipping boy

for any prankster or media outlet with more than two followers and a spare 5 minutes to rub together.

Personally I approve of this situation.

Not because I dislike Sony per se, I just like the idea that a big media company can be given such a persistent and ultraviolent beating by transient juvenile flashmobs that any notion of them being in control of public opinion will surely become laughable.

I could argue that it is your moral duty to laugh.

16
0
Mushroom

Dear Sony...

We want Linux back on our PS3s, ready to comply yet?

8
2
FAIL

Is that what it's about?

Some half-arsed gimped OS?

Some people need to get a life. Sony took it away because hackers tried to break it open. THEY are the ones that opened Pandora's box.

0
11
Silver badge
FAIL

Cell BE is garbage

>Some half-arsed gimped OS?

The OS is fine, the problem is Sony's hardware. The Cell BE was such a general purpose fail architecture it's what finally got Apple to move to Intel. It's such a superior architecture that IBM killed off development and sales of any future revision.

0
0
Paris Hilton

Muppets.

With all the money Sony have invested in DRM systems to protect their data, why the f**k couldn't they invest in protecting (now-ex) customers' data?

3
0
Bronze badge
FAIL

Cleartext passwords?

WTF is Sony up to? Did they hire cheap 16-year-olds to make all their websites?

(No pun intended to those 16-year-olds who *do* know how to build a secure webapp.)

4
0

Worryingly...

Working as a web dev and seeing some of the code I've seen... I strongly suspect the average 16-year-old hobbyist would do a better job than some of the professionals.

Hobbyists tend to actually give a shit about their code... and aren't governed by clueless managers demanding a project be complete within an impossible timeframe, of course.

3
0
Devil

You've got to laugh

I'm actually finding this whole situation pretty funny - given how disproportionate big firms can be against 'the little people', it's really tickling me to see them fight back and give the big boys a kicking!

Sony sure must regret some of its decisions these past months...

NB - hackings bad, don't do it, mkay?

8
0
Holmes

let's just review...

Let's just recall briefly what Sony did to piss people off so much. They sold the Playstation 3 with nice compute hardware and encouraged owners to install alternate OSes (Linux) on the device. Lots used this functionality, including for scientific research which Sony was happy to brag about in their publicity. Then they took the feature away in a system upgrade ('optional', the alternative being no more use as a gaming system). Some of their customers tried legal recourse by suing them, but were rebuffed when the judge said Sony never promised to keep the OtherOS functionality ('WTF' indeed...). Amazingly enough, some owners remained dissatisfied and worked out how to circumvent the DRM and restore the ability to run Linux. So Sony brought suit against these customers, but that failed because of jurisdictional issues (and nothing about people being able to use hardware they own as they please).

So every day now bright, motivated coders wake up and look at this hardware, and remember this story. They also remember spousal unit using it as yet another example of money wasted on technology that didn't work out. Probably they don't get that same feeling of enjoyment any more using it for games or Linux (unless maybe it is contributing to another successful attack against Sony). For some this will have been 4-figure ($ or £) investments in hardware plus even more in time spent coding the system.

None of this condones vigilante (cyber) attacks or the theft of private data from individuals with no input to the situation anyway, but my guess is there's still a lot of people out there who feel Sony's punishment hasn't yet balanced the personal pain they inflicted. Clearly most of the news industry can't seem to include any of this in their reports, but I continue to wonder if this is understood at all in Sony's boardroom.

8
0
Silver badge
Happy

RE: let's just review...

I think you're giving the hackers waaaaaay too much credit. I think a more likely timeline for the typical hack would be as follows:

NOON: Wake up when Mom comes in and starts screaming about not having got job yet.

1PM: Surf pr0n.

2PM: Surf alt news channels and hacker forums.

3PM: Bored, look at jobsites to keep Mom quiet.

3:05PM: Chat with fellow losers on 4Chan, bitch about Sony even though don't even own a Sony product.

5PM: Hatch plan to use 1337 skillz to scan all Sony websites with fellow losers, objective being to "show them".

5:05PM: Having exhausted very limited skillz, download hacking tool (and compromise own PC with built-in and hidden rootkit), start automated scan of Sony websites.

5:10PM: Get a hit, follow online instructions from the hacking tool, get inside minor Sony website run by a third party.

6:00PM: Having satisfied childish desire for vandalism, download some of the user database (can't download all because hard drive is full of pr0n and also now full of scammer/spammer sh*t from the rootkit that came with the hacking tool).

6:05PM and for rest of the night: Brag on IRC, 4chan and wherever I can about how 1337 we are, pretend it was a major Sony site, but not mentioning the hacking tool, enjoy praise from fellow losers.

8
12
Trollface

"Brag on IRC, 4chan and wherever I can"

Forgot to change that one to the third person.

Looks like you just posted a page from your diary Matt.

10
1
Mushroom

Hmm

Looks more like a page from the diary of the Sony server admin.

2
0
WTF?

Personal!! pain!! shocker!!

Personal pain???? have you lost your marbles??? What personal pain do you have from choosing to keep Linux or remove it??? You either want a) online gaming or b) linux, how could you want both anyway.

1. Linux was being phased out of the new slim model anyway

2. What's the point in having it

3. What purpose does it serve for gaming

4. Sony wouldn't earn any money on a Linux-only sale

5. What's the point in having it?

6. You can choose between keeping it or removing it.

0
6
Silver badge
Boffin

RE: Personal!! pain!! shocker!!

As I understand it, Sony did use advertising with the PS2 as Linux-ready and supplied additional bits (OtherOS, Ethernet adapter, hard drive) so you could use it as a "PC" but retain the ability to boot it up as an ordinary PS2 for gaming. They added a feature to the PS3 after launch to allow the same for the PS3, but then decided it introduced a "security risk" and dropped it from development for the PS3 Slim model. They then released a firmware update (3.21) that killed the dual-boot option and made the PS3s that could already dual-boot into game-only PS3s. Many users that wanted to keep the dual-boot capability simply didn't install the firmware update. Probably a bit simplified, but that's the sequence of events as I can find it. You could argue that Sony removed a paid-for feature from a product, but you could also argue that the security of the service they offered was paramount. Just imagine the screaming if someone had introduced a virus that attacked PS3s via the Sony network. I'm betting the vast majority of PS3 buyers had zero interest in using Linux on the PS3 and therefore the security of the service given to them outweighed the loss to a few hobbyists.

So, for all those pretending they have some moral right to go trashing Sony's websites, the answer would seem obvious - keep your PS3 at the old firmware prior to 3.21, or buy a PS2 (or just a cheap PC off eBay, it would probably be a better Linux PC than a PS3 anyway), and just STFU. It is ironic that the haxors are moaning about Sony's security when Sony removed the dual-boot because it introduced security issues!

0
9
Holmes

2 Sides to every argument

Let's just recall briefly what Sony did to be victimised by a bunch of criminals who have illegally accessed their customer data. They sold the Playstation 3 with nice computer hardware and gave owners the option to install alternate OSes (Linux) on the device. A tiny minority used this functionality (as evidence - of the 70+ PS3 owners I have contact with, I know of 1 (me) who used this option), including for scientific research (not me if I'm honest) which Sony was happy to brag about in their publicity, as none of their rivals had been so nice. As a result of people using OtherOS to bypass the security within the PS3, and then publishing how to do it, they took the feature away in a system upgrade ('optional', the alternative being no more use as a gaming system which was extremely unlikely to impact anyone using the PS3 for scientific research) in an effort to ensure games continued to be developed. Some of their customers tried legal recourse by suing them, but were rebuffed when the judge said Sony never promised to keep the OtherOS functionality, as stated in their published T&Cs which these same customers had agreed to. So, now on a legal roll, Sony brought suit against the customers who had broken their agreements and tried their best to encourage software piracy (OK - gave people the option :)), but that failed because of jurisdictional issues (which means that the T&Cs are still legally binding).

So every day now bright, motivated coders drag themselves out of their pits and look at this hardware, and remember this story. They also remember their beloved using it as yet another example of money wasted on technology that didn't work out due to PSN being taken down as a result of hacktivists' activities. Probably they don't get that same feeling of enjoyment any more using it for games (because of previously stated hacktivist activity) or Linux (assuming they ever used it). For some this will have been 4-figure ($ or £) investments in hardware and software and yet they still can't shoot their friends in the face online due to previously stated hacktivist activities (although this facility is now, finally, restored).

None of this condones vigilante (cyber) attacks or the theft of private data from individuals with no input to the situation anyway, but my guess is there's still a lot of people out there who feel the hacktivists' punishment hasn't yet even started to balance the personal inconvenience they have had inflicted on them (not to mention costs to Sony, 3rd party devs etc…). Clearly most of the news industry can't seem to include any of this in their reports, they just dumb the whole thing down to the Sony are bad message, but I think after announcing this has so far cost Sony at least $170 million it is understood all too clearly in Sony's boardroom - don't trust Linux users .. err … I mean do no evil.

I only take issue with one of your points. Your timeline is out of kilter. IIRC (and that’s a fairly big if) OtherOS was removed as a result of the decoding and then publication of the security keys.

I am being devil's advocate above btw, no need to flame me. IMHO Sony are complete arseholes. But so is every other big tech corporation, particularly in the console market. Microsoft (no explanation needed – the name is enough). Nintendo have achieved levels of control freakery over the years that Sony and MS can only dream of. (Surely Apple have a console coming out - they seem perfect for this sector :)) The whole thing stinks, but there is a legal way of letting any company know if you feel strongly about their practices. Don't give them your money. It's really, really that simple.

Hacktivism is great at making a point. This has generated publicity that marketing execs would kill for. People know the story (Sony are bad). Stop now. If people agree with the hacktivists they will stop buying Sony. But carrying on the vendetta suggests the people behind it don't want the public to make a free and informed choice, it suggests they want to force them to believe what they believe or make it impossible for the public to choose an option they don't like. That isn't hacktivism, that's fundamentalism.

0
1
Bronze badge
Happy

Matt Bryant, @10:14

"Never a truer word spoken in jest."

Genius, sir!

0
2
Silver badge
Happy

RE: "Brag on IRC, 4chan and wherever I can"

If I was into net crime, I wouldn't be as stupid as to advertise my "victories" on websites and channels known to be frequented by law enforcement agents.

Also, I never download pr0n. Never. <Cough, looks away>

0
1
Silver badge
WTF?

@ Matt Bryant

"You could argue that Sony removed a paid-for feature from a product, but you could also argue that the security of the service they offered was paramount. "

And I'll bet you even kept a straight face when you typed that!

(It looks a bit like Sony threw a party, and was keeping a jealous eye on the cookie jar after padlocking it, but left their jewel box and liquor cabinet unlocked and unguarded on the patio, considering how things have worked out!)

1
0
Devil

Getting boring

Sigh, store passwords/usernames plaintext, simple flaws, sql injection, have we a 'bot that writes these stories please?

It's always the same old story, idiot complacent megacorp ignores basic good practice, loses buckets of data about customers, wrings hands, squeezes onion bag and promises to be good and fix the problem, blames nasty hackers for all their stupidity.

Sony should know better by now given their recent woes.

0
0
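
The "Getting boring" comment above lists cleartext password storage and SQL injection as the recurring failures. As an added illustration that is not part of the thread (nothing here is Sony's code; the table and the two accounts are constructed for the demonstration), the Python below builds an in-memory SQLite table that stores passwords in the clear, shows how a login query assembled by string formatting is bypassed and then used to dump the password column, and the parameterised query that closes the hole:

```python
import sqlite3

# Constructed sample accounts for the demonstration; nothing here is real data.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory table that stores passwords in cleartext,
    which is exactly the storage model the thread is complaining about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string formatting. Quotes in the input are
    not escaped, so attacker-supplied text becomes part of the SQL."""
    query = (
        "SELECT username FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def leak_passwords_vulnerable(conn):
    """Abuse the same query to read the password column: the injected
    UNION appends every stored password to the result set and the
    '--' comments out the rest of the original statement. Because the
    column holds cleartext, what comes back is directly usable."""
    payload = "' UNION SELECT password FROM users --"
    query = (
        "SELECT username FROM users "
        "WHERE username = '%s' AND password = '%s'" % (payload, "")
    )
    return {row[0] for row in conn.execute(query).fetchall()}


def login_parameterised(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately from the statement, so input can never change its shape."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    bypass = "x' OR '1'='1"
    print("vulnerable, bogus user + bypass:", login_vulnerable(conn, "nobody", bypass))
    print("parameterised, same input:      ", login_parameterised(conn, "nobody", bypass))
    print("dumped via UNION:               ", leak_passwords_vulnerable(conn))
```

The bypass works because `password = 'x' OR '1'='1'` makes the WHERE clause true for every row, so the first account in the table is "logged in" regardless of the username supplied. Parameterising fixes the injection; hashing the password column (rather than storing it in the clear) is what limits the damage when a dump does happen.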
Mushroom

Sony should be fined !

This is simply outrageous!

Sony should be fined a hefty fine for not protecting user's private data adequately. Storing any private data in unencrypted form surely constitutes a breach of private data protection laws?

At least the European Commission should fine them - say EUR 1000 per customer times a million customers? That would maybe finally teach Sony a lesson!

5
0
FAIL

Idiot alert

Errm, except it is a US company, US customers, so really nothing to do with us.

Or are you too stupid to comprehend that?

Obviously, this all depends if you believe the words of common thieves that claim to have taken this stuff... I don't

0
3

Fines don't really work

Corporation (n): An ingenious device for obtaining individual profit without individual responsibility.

Until you can *personally* fine the board of directors (and ensure that they don't just claim it back as expenses or a bonus), or you can *personally* jail the board of directors, they're basically immune to the law.

Sure you can fine the company, but that comes from the shareholders. The shareholders can *demand* a change of the board, but that means golden parachutes for all! The directors walk with a fat wallet, and head into another post just as soon as possible. After all, do you think people would be so pissed off if Fred Goodwin was actually jailed, rather than sent scuttling on his merry way with a warm handshake and enough cash to choke a donkey?

5
0
Silver badge
Meh

Uhm...

Sony Corporation is headquartered in Tokyo. Sony Corporation of America, based in New York City, is the U.S. subsidiary. Sony's website goes to great pains to point out that they are a global company, so yes, it does have to do with you too.

Why do they have a US subsidiary? To fool Americans that they are an American Company.

(See also; Sony Corporate motto - "Make Believe".)

2
0
FAIL

Yeah

" This is disgraceful and insecure: they were asking for it."

Except of course, it's the customers who have really been harmed. It's their data that's been posted, not Sony's.

Yeah, Sony should have encrypted, and seems to have a security model representative of Swiss cheese, but it's not really them this hurt.

I know the old theory;

1. post customer details

2. Customers complain to Company/Stop using company

3. Company improves policies

But the reality is that's not what'll happen. Affected customers will just blame it on the hackers and so the above theory fails.

Bunch of bored kids on a crusade for lulz, whats new?

0
5
FAIL

@AC "Except of course, it's the customers who have really been harmed"

You completely forget, if the appalling Sony security hadn't been shown up as still bad, other groups of people with real criminal intent could have got to the data first. At least this way people know the data is leaked and so change their passwords quickly and are very careful about dealing with Sony until Sony finally act professionally and protect people's data, which they should have been doing from day one.

Too many corporations have a lax attitude to peoples data. Information is leaking all over the place. I've lost count of the number of times corporations have treated peoples data with appallingly bad security.

Plus you also overlook what Sony has done to incite so much anger against it.

1
0
Anonymous Coward

True but....

Whilst it has brought the shoddy security into the limelight (multiple times over!), there's still no need for them to have actually published the username/passwords they recovered.

Of course, it is the easiest way of verifying that you _have_ breached their system, but given the number of breaches Sony have had recently I'm not sure people would require such a high standard of proof at this point.

As for overlooking what Sony has done, not at all. _SONY_ have done a lot to incite anger, but that's Sony and not their customers. It's not Sony's board of directors who have had their data leaked (unless they were customers) it's their customers.

Sony could literally rape and pillage, it wouldn't make it right to disclose their customers details. Target Sony not their customers (he says despite not being affected)

And yeah, too many corporations are far too lax. Some go so far as being indifferent, but in certain areas I'm beginning to wonder regarding storage of passwords etc;

Company A sells Bricks (first thing came to mind)

They decide to sell bricks through their website, but users must register first

Company A contracts SuperWebDev to build said site (or at least the functionality)

Although ultimately Company A _is_ responsible for the data and any breaches, they've probably not got a clue about password storage (and yes, they should read and learn). Ultimately it's the cowboy firm SuperWebDev (apologies if it's a real company!) that decided to cut corners and store in plaintext.

Yes, companies need to learn just how stupid it is, but perhaps it's time to name and shame those developers who _still_ seem to be churning out systems that store creds in plaintext. Let's face it, generating a salted hash isn't hard whatsoever (anyone ever tried it in BrainFuck? bet that's hard!)

I hate what Sony do and have done, I make a personal point of trying to avoid their products but it's their customers who are really taking the bullets, not Sony. A large proportion of those customers aren't going to understand the reasoning for their account being compromised and so will stay with Sony. Different tactics are needed!

1
0
