Hackers plan 3rd attack on Sony

Comments

  • AkaroniaAkaronia Member Posts: 138

    Originally posted by demiqus

    Whether you are/aren't a supporter of Sony is irrelevant. The people who have done this are in no way any different than Bin Laden and co.

    To use a similar mode of thought to the attack on Sony by the perpetrators: does this make the US government responsible for the death of thousands in the 911 attack on the 2 towers? Whatever reason or excuse the terrorists had for making the attack, it doesn't make it right to attack innocent bystanders. If they had attacked the CIA HQ or the White House, maybe they might have had a 'legitimate' target for their gripes, but in the end it's once again the average Joe that takes the brunt. Did they steal from the CEO and board of Sony/SOE? No. Like most chicken shits, they go for the obvious.

    The potential that up to 100 million users may have their lives disrupted by this attack on SOE does make these terrorists (which is exactly what Anonymous are) come into the same bracket as Bin Laden and co.

    All this political 'outrage' and lawsuits against Sony is simply self-serving. Senator Blah Blah gets his face in the papers and a nice little bonus in the post from his friend the Lawyer and all is hunky dory. It doesn't help in the slightest the average Joe who just pays to play some games to relax when they have some spare time.

    If these nubs who hacked Sony are so talented, why don't they go out and make their own console or system, fully hackable etc. and give the world what they strive to fight for? That's their utopia isn't it? They do realise that Sony/Microsoft/Nintendo make their systems at a production loss? They make their profit from the services and software post production.

    If Anonymous had any real gonads, they could put their collective knowledge into creating a niche market legitimately to supply and make hackable shit to serve fellow nubs and cease being 'anonymous'. But they never will, because they may have intelligence, but a total lack of wisdom, and definitely spineless.

        LOL we think alike.  I am sure they will be hunted the same as Osama was and I hope they realize this and that they are not going to get away with it.  They have hurt way too many people in this only difference is that no one died yet.

  • miagisanmiagisan Member Posts: 5,156

    Originally posted by Akaronia

    Originally posted by Pyrostasis


    Originally posted by miagisan

    you guys seriously need to look at the larger picture

    is it partly sony's fault? yes

    will sony be hurt by this? yes

    but who do you think is going to lose out more? that's easy - the customers. no one will suffer more than them, all because of a stupid gripe where sony didn't want you playing illegally copied software on their systems. you have millions of people's info out in the open during an illegal process to acquire them, to cause more harm to the customers of sony than to sony themselves. These hackers are nothing more than terrorists and should be treated as such. What they did is illegal no matter how you try to justify it (which in itself is sickening that people are sticking up for the hackers)

    Is anyone actually defending the hackers? I haven't seen that, if so point me in that direction.

    I'm just pointing fingers at sony.

         Trust me TONS of people have been defending the hackers in this as to how Sony deserved what they got and everything else.  I am sure these were not people whose information was actually stolen, however they are sticking up for the hackers lol.

        No one can deny that Sony may be partly at fault for this but at the same time the hackers should have not done this in the first place that is why hacking is illegal under any circumstances unless it has to do with national security.  But one thing that EVERYONE has to also admit in this is that Sony has stepped up to the plate and is making sure they do not come back online until everything is secure and is going to help people get into identity theft program and give free stuff.  Sony is doing more for people than I have seen a lot of companies do.  As far as I am concerned Sony is doing what is expected of them and this is with them being the victim as well as us and I saw that the only ones who are going to hurt out of this is us?  The customer?  Wow how blind some are considering Sony is securing $1,000,000 for each person whose card information got taken as well as giving their PS3 players all kinds of freebies and I am sure they will do ALL kinds of stuff on EQ2 as they ALWAYS make up for unexpected downtime one way or another.  On top of giving free month +1 day free for every day that things are down.  So how can you say that the customers are the only ones this is costing.  And that does not even count the 3 companies that Sony has hired to try to find the people who did this to us and make sure their system gets secured.

       Wow to say only the customers are going to suffer is pretty selfish I would say.  Sony is losing money every day that the games are down as well.  It behoves them to get these things back up ASAP and yet they are staying down until they are positive everything is ready and losing money while they are at it.

    you have me all wrong...i am not vilifying sony. I am trying to show those who are "sony haters" that not only will the company suffer, but millions of innocent customers who were not part of the "sony sucks" crowd and who wanted nothing more than to chill out to some video games.

  • PyrostasisPyrostasis Member UncommonPosts: 2,293

    Originally posted by Akaronia

    Originally posted by Pyrostasis


    Originally posted by miagisan

    you guys seriously need to look at the larger picture

    is it partly sony's fault? yes

    will sony be hurt by this? yes

    but who do you think is going to lose out more? that's easy - the customers. no one will suffer more than them, all because of a stupid gripe where sony didn't want you playing illegally copied software on their systems. you have millions of people's info out in the open during an illegal process to acquire them, to cause more harm to the customers of sony than to sony themselves. These hackers are nothing more than terrorists and should be treated as such. What they did is illegal no matter how you try to justify it (which in itself is sickening that people are sticking up for the hackers)

    Is anyone actually defending the hackers? I haven't seen that, if so point me in that direction.

    I'm just pointing fingers at sony.

         Trust me TONS of people have been defending the hackers in this as to how Sony deserved what they got and everything else.  I am sure these were not people whose information was actually stolen, however they are sticking up for the hackers lol.

        No one can deny that Sony may be partly at fault for this but at the same time the hackers should have not done this in the first place that is why hacking is illegal under any circumstances unless it has to do with national security.  But one thing that EVERYONE has to also admit in this is that Sony has stepped up to the plate and is making sure they do not come back online until everything is secure and is going to help people get into identity theft program and give free stuff.  Sony is doing more for people than I have seen a lot of companies do.  As far as I am concerned Sony is doing what is expected of them and this is with them being the victim as well as us and I saw that the only ones who are going to hurt out of this is us?  The customer?  Wow how blind some are considering Sony is securing $1,000,000 for each person whose card information got taken as well as giving their PS3 players all kinds of freebies and I am sure they will do ALL kinds of stuff on EQ2 as they ALWAYS make up for unexpected downtime one way or another.  On top of giving free month +1 day free for every day that things are down.  So how can you say that the customers are the only ones this is costing.  And that does not even count the 3 companies that Sony has hired to try to find the people who did this to us and make sure their system gets secured.

       Wow to say only the customers are going to suffer is pretty selfish I would say.  Sony is losing money every day that the games are down as well.  It behoves them to get these things back up ASAP and yet they are staying down until they are positive everything is ready and losing money while they are at it.

    Well... while I can definitely agree the customers are innocent and didn't deserve anything, I think an argument can be made that sony may have gotten what it deserved.

    If you leave your car unlocked then you are asking for trouble.

    Unethical hacking sucks, thieves, spammers, etc. are a bane and it's a pain in the ass not to mention expensive as hell to deal with them. (Although there is a part of me happy about it as I get a job due to them).

    Sony is definitely working hard now, I think the main thing I and others are upset about is they are now working hard due to their butts being on the line, why weren't they working this hard prior? This could have been easily avoided by testing a hotfix / patch and then rolling it out.

  • miagisanmiagisan Member Posts: 5,156

    Originally posted by Pyrostasis

    Originally posted by Akaronia


    Originally posted by Pyrostasis


    Originally posted by miagisan

    you guys seriously need to look at the larger picture

    is it partly sony's fault? yes

    will sony be hurt by this? yes

    but who do you think is going to lose out more? that's easy - the customers. no one will suffer more than them, all because of a stupid gripe where sony didn't want you playing illegally copied software on their systems. you have millions of people's info out in the open during an illegal process to acquire them, to cause more harm to the customers of sony than to sony themselves. These hackers are nothing more than terrorists and should be treated as such. What they did is illegal no matter how you try to justify it (which in itself is sickening that people are sticking up for the hackers)

    Is anyone actually defending the hackers? I haven't seen that, if so point me in that direction.

    I'm just pointing fingers at sony.

         Trust me TONS of people have been defending the hackers in this as to how Sony deserved what they got and everything else.  I am sure these were not people whose information was actually stolen, however they are sticking up for the hackers lol.

        No one can deny that Sony may be partly at fault for this but at the same time the hackers should have not done this in the first place that is why hacking is illegal under any circumstances unless it has to do with national security.  But one thing that EVERYONE has to also admit in this is that Sony has stepped up to the plate and is making sure they do not come back online until everything is secure and is going to help people get into identity theft program and give free stuff.  Sony is doing more for people than I have seen a lot of companies do.  As far as I am concerned Sony is doing what is expected of them and this is with them being the victim as well as us and I saw that the only ones who are going to hurt out of this is us?  The customer?  Wow how blind some are considering Sony is securing $1,000,000 for each person whose card information got taken as well as giving their PS3 players all kinds of freebies and I am sure they will do ALL kinds of stuff on EQ2 as they ALWAYS make up for unexpected downtime one way or another.  On top of giving free month +1 day free for every day that things are down.  So how can you say that the customers are the only ones this is costing.  And that does not even count the 3 companies that Sony has hired to try to find the people who did this to us and make sure their system gets secured.

       Wow to say only the customers are going to suffer is pretty selfish I would say.  Sony is losing money every day that the games are down as well.  It behoves them to get these things back up ASAP and yet they are staying down until they are positive everything is ready and losing money while they are at it.

    Well... while I can definitely agree the customers are innocent and didn't deserve anything, I think an argument can be made that sony may have gotten what it deserved.

    If you leave your car unlocked then you are asking for trouble.

    Unethical hacking sucks, thieves, spammers, etc. are a bane and it's a pain in the ass not to mention expensive as hell to deal with them. (Although there is a part of me happy about it as I get a job due to them).

    Sony is definitely working hard now, I think the main thing I and others are upset about is they are now working hard due to their butts being on the line, why weren't they working this hard prior? This could have been easily avoided by testing a hotfix / patch and then rolling it out.

    even if you left the doors wide open, it is considered theft and is still illegal. no matter how idiotic you are, the thieves are still committing a crime.

  • twodayslatetwodayslate Member Posts: 724

    Originally posted by demiqus

    Whether you are/aren't a supporter of Sony is irrelevant. The people who have done this are in no way any different than Bin Laden and co.

    To use a similar mode of thought to the attack on Sony by the perpetrators: does this make the US government responsible for the death of thousands in the 911 attack on the 2 towers? Whatever reason or excuse the terrorists had for making the attack, it doesn't make it right to attack innocent bystanders. If they had attacked the CIA HQ or the White House, maybe they might have had a 'legitimate' target for their gripes, but in the end it's once again the average Joe that takes the brunt. Did they steal from the CEO and board of Sony/SOE? No. Like most chicken shits, they go for the obvious.

    This is the wrong forum for that analogy, but in short, yes the government was partially responsible.  The two are similar in that in both cases, the one being attacked knew exactly how it would happen (and in your case, when).

    Partial responsibility, all around.

  • PyrostasisPyrostasis Member UncommonPosts: 2,293

    Originally posted by miagisan

    Originally posted by Pyrostasis


    Originally posted by Akaronia


    Originally posted by Pyrostasis


    Originally posted by miagisan

    you guys seriously need to look at the larger picture

    is it partly sony's fault? yes

    will sony be hurt by this? yes

    but who do you think is going to lose out more? that's easy - the customers. no one will suffer more than them, all because of a stupid gripe where sony didn't want you playing illegally copied software on their systems. you have millions of people's info out in the open during an illegal process to acquire them, to cause more harm to the customers of sony than to sony themselves. These hackers are nothing more than terrorists and should be treated as such. What they did is illegal no matter how you try to justify it (which in itself is sickening that people are sticking up for the hackers)

    Is anyone actually defending the hackers? I haven't seen that, if so point me in that direction.

    I'm just pointing fingers at sony.

         Trust me TONS of people have been defending the hackers in this as to how Sony deserved what they got and everything else.  I am sure these were not people whose information was actually stolen, however they are sticking up for the hackers lol.

        No one can deny that Sony may be partly at fault for this but at the same time the hackers should have not done this in the first place that is why hacking is illegal under any circumstances unless it has to do with national security.  But one thing that EVERYONE has to also admit in this is that Sony has stepped up to the plate and is making sure they do not come back online until everything is secure and is going to help people get into identity theft program and give free stuff.  Sony is doing more for people than I have seen a lot of companies do.  As far as I am concerned Sony is doing what is expected of them and this is with them being the victim as well as us and I saw that the only ones who are going to hurt out of this is us?  The customer?  Wow how blind some are considering Sony is securing $1,000,000 for each person whose card information got taken as well as giving their PS3 players all kinds of freebies and I am sure they will do ALL kinds of stuff on EQ2 as they ALWAYS make up for unexpected downtime one way or another.  On top of giving free month +1 day free for every day that things are down.  So how can you say that the customers are the only ones this is costing.  And that does not even count the 3 companies that Sony has hired to try to find the people who did this to us and make sure their system gets secured.

       Wow to say only the customers are going to suffer is pretty selfish I would say.  Sony is losing money every day that the games are down as well.  It behoves them to get these things back up ASAP and yet they are staying down until they are positive everything is ready and losing money while they are at it.

    Well... while I can definitely agree the customers are innocent and didn't deserve anything, I think an argument can be made that sony may have gotten what it deserved.

    If you leave your car unlocked then you are asking for trouble.

    Unethical hacking sucks, thieves, spammers, etc. are a bane and it's a pain in the ass not to mention expensive as hell to deal with them. (Although there is a part of me happy about it as I get a job due to them).

    Sony is definitely working hard now, I think the main thing I and others are upset about is they are now working hard due to their butts being on the line, why weren't they working this hard prior? This could have been easily avoided by testing a hotfix / patch and then rolling it out.

    even if you left the doors wide open, it is considered theft and is still illegal. no matter how idiotic you are, the thieves are still committing a crime.

    Completely agree, the thief is still a thief and deserves to do time.

    I'm just saying there is some blame to go on the car owner for leaving his doors open, and if he is out some money, then he has along with the hackers, himself to blame.

    We don't live in a Utopian society. There are evil people out there.

  • DataDayDataDay Member UncommonPosts: 1,538

    Make no mistake, Sony is NOT a bad corporation. In fact anyone of digital entertainment should be thankful to them and their contributions.

    However, Sony under CEO Howard Stringer has been horrible. Even the founder of the Playstation ruined his own project or rather attempted to in order to oppose a non-Japanese person running Sony. While I think a person shouldn't be judged by their cultural origin, I have to agree with the Japanese that Sony has been better run thus far by the Japanese and their ethical standards for quality technology. Stringer is doing the unusual cost cutting methods while retaining the same brand pricing for more profit. This results in worse products, services and security loop holes such as this. He would rather sue than fix.

    I do NOT hold the hackers accountable for reacting the way they did to the George Hotz case, and I hope Sony feels this long and hard. I look forward to better products from them under a new CEO.

    Sony is great, the current CEO and business model is NOT! Be neutral, be accurate, be factual. Brand Loyalty is only a sign of stupidity.

  • gekkothegreygekkothegrey Member Posts: 236

    This very well may be true considering sony just twittered that they will be down all weekend. I bet money this is someone sony support p-off. Honestly I am an EQ2 player, but I hate sony support they are very very rude! With that said hacking them is not the way to deal with the problem.

  • GdemamiGdemami Member EpicPosts: 12,342


    Originally posted by Pyrostasis

    http://www.tomsguide.com/us/PSN-Hack-Exploit-Data-Theft-Credit-Cards,news-11050.html
    "Also present at the press conference was Chief Information Officer Shinji Hasejima, who revealed that the attack actually exploited a “known vulnerability” in the web application server platform used in PSN. According to the Reg, Hasejima admitted that though it was generally known, Sony management were not aware of it. To that end, the company has created a new role of ‘chief information security officer’ in an effort to prevent history repeating itself. Hasejimi refused requests for more information on the server platform used, or the vulnerability exploited, for security reasons."
    It was a known vulnerability. Management claims to not have been aware, but anyone responsible for the system would have been. Management probably doesn't even know what an application server is, it's the network admin and security team's job to handle that.
    It is interesting though that they are now hiring a "security" guy. I seriously doubt that they didn't have one prior, so either he's been terminated for incompetence, or they are creating a new position out of thin air for PR.

    Yeah, that is what Sony in their letter to congress refers to as 'system software vulnerability', god knows what that is supposed to mean.

    It is important to point out that it does not necessarily mean that Sony has neglected anything. Underestimated? Probably.

    It can be just as well a vulnerability in a software and absence of the fix as some inherited weakness of the system.

    Note that he did not say that the vulnerability was fixed but the quote says: “to improve and enhance such aspects”. That isn't very clear either. If it was a vulnerability that could be fixed by patching the software, he could have just said that the vulnerability was fixed and never repeat again. Or his quote is relating to enhancing patching procedures as a whole.


    Hopefully more information will be released with time, until then it is vain speculations lacking ground only.

  • jado818jado818 Member, Newbie CommonPosts: 356

    geez you are as bad as a conspiracy theorist.. any evidence that contradicts your beliefs is disregarded almost as soon as its shown.

     

    Here is a link to an article about the congressional testimony yesterday.

    http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

     

    I'm sure the greying PhD teaching professor is willfully lying to congress and risking going to jail to bring down sony..

     

    He is just making up things when he says sony was running outdated security software and they knew.

  • PyrostasisPyrostasis Member UncommonPosts: 2,293

    Originally posted by Gdemami

     




    Originally posted by Pyrostasis



    http://www.tomsguide.com/us/PSN-Hack-Exploit-Data-Theft-Credit-Cards,news-11050.html

    "Also present at the press conference was Chief Information Officer Shinji Hasejima, who revealed that the attack actually exploited a “known vulnerability” in the web application server platform used in PSN. According to the Reg, Hasejima admitted that though it was generally known, Sony management were not aware of it. To that end, the company has created a new role of ‘chief information security officer’ in an effort to prevent history repeating itself. Hasejimi refused requests for more information on the server platform used, or the vulnerability exploited, for security reasons."

    It was a known vulnerability. Management claims to not have been aware, but anyone responsible for the system would have been. Management probably doesn't even know what an application server is, it's the network admin and security team's job to handle that.

    It is interesting though that they are now hiring a "security" guy. I seriously doubt that they didn't have one prior, so either he's been terminated for incompetence, or they are creating a new position out of thin air for PR.



     

    Yeah, that is what Sony in their letter to congress refers to as 'system software vulnerability', god knows what that is supposed to mean.

    It is important to point out that it does not necessarily mean that Sony has neglected anything. Underestimated? Probably.

    It can be just as well a vulnerability in a software and absence of the fix as some inherited weakness of the system.

    Note that he did not say that the vulnerability was fixed but the quote says: “to improve and enhance such aspects”. That isn't very clear either. If it was a vulnerability that could be fixed by patching the software, he could have just said that the vulnerability was fixed and never repeat again. Or his quote is relating to enhancing patching procedures as a whole.

     



    Hopefully more information will be released with time, until then it is vain speculations lacking ground only.

    It is vague, but a few things are clear. The vulnerability was known, and apparently well known to everyone but management. I definitely oversimplified by saying it was something as simple as a patch, it may be a lot more complicated than that.

    However, if you are responsible for ensuring the security of your customers' private financial data you make sure you don't have any known vulnerabilities. Penetration testing and vulnerability assessments along with risk assessment is pretty standard.

    Either they had someone who didn't know his stuff handling this, which isn't gross negligence it's just ignorance / stupidity, or they didn't think it was worth fixing / not that big a threat.

    Odds are they were running outdated software that worked on a specific piece of internal software and they didn't want to bother updating both as it was extremely expensive. They probably wrongly assumed that it was vulnerable but they had other security measures in place to neutralize the threat.

    Either way it's like keeping a can of gasoline in a daycare center. Sure as long as no one brings a match we are fine, and no one is going to get burned, and besides we have a sprinkler system installed so there won't be a fire. Unfortunately there was a fire, someone got burned, and sony is left holding the bag.

    You and I will just have to agree to disagree on this point. You are firm in your belief that sony did its best, I believe with what I know about security that someone on that team dropped the ball to the tune of several hundred million in potential damages.

  • PyrostasisPyrostasis Member UncommonPosts: 2,293

    Originally posted by jado818

    geez you are as bad as a conspiracy theorist.. any evidence that contradicts your beliefs is disregarded almost as soon as its shown.

     

    Here is a link to an article about the congressional testimony yesterday.

    http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

     

    I'm sure the greying PhD teaching professor is willfully lying to congress and risking going to jail to bring down sony..

     

    He is just making up things when he says sony was running outdated security software and they knew.

     

    quite the radical idealist to risk his lucrative teaching salary if you ask me >_>

    Checkmate sir, good find.

    I'm sure the class action lawyer is currently cackling his ass off, I know I would be.

  • GdemamiGdemami Member EpicPosts: 12,342


    Originally posted by Pyrostasis

    You and I will just have to agree to disagree on this point. You are firm in your belief that sony did its best, I believe with what I know about security that someone on that team dropped the ball to the tune of several hundred million in potential damages.

    Your assumption about my stance towards Sony and the situation is incorrect.

    I am not defending Sony, I am just considering available information and when I have to start from there, I cannot draw any conclusion because the information is insufficient.

    I do not jump to conclusions and won't make one at all costs, there are times when you simply don't know.


    What you are forgetting to consider in your daycare center analogy is why the gasoline can is there and if it can be moved elsewhere. Sometimes there are situations when the can of the gasoline must be placed in daycare center and there is no way around.


    As an IT security professional you will learn that companies do not operate on theory basis but security like everything else is about compromise. You will work with tools and resources that are available, will try to do your best and that there are issues no budget can solve.

    A bit ironically, you will also learn how extremely careful you will need to be with your formulations and information you are giving out because the information is sensitive.

  • PyrostasisPyrostasis Member UncommonPosts: 2,293

    Originally posted by Gdemami

     




    Originally posted by Pyrostasis



    You and I will just have to agree to disagree on this point. You are firm in your belief that sony did its best, I believe with what I know about security that someone on that team dropped the ball to the tune of several hundred million in potential damages.




     

    Your assumption about my stance towards Sony and the situation is incorrect.

    I am not defending Sony, I am just considering available information and when I have to start from there, I cannot draw any conclusion because the information is insufficient.

    I do not jump to conclusions and won't make one at all costs, there are times when you simply don't know.



    What you are forgetting to consider in your daycare center analogy is why the gasoline can is there and if it can be moved elsewhere. Sometimes there are situations when the can of the gasoline must be in place



    As an IT security professional you will learn that companies do not operate on theory basis but security like everything else is about compromise. You will work with tools and resources that are available, will try to do your best and that there are issues that no budget can solve.

    A bit ironically, you will also learn how extremely careful you will need to be with your formulations and information you are giving out because the information is sensitive.

     

    You can compromise on some areas, security is not one of them. When you are a multibillion dollar company handling billions in transactions and tons of private financial information you do not have an option to compromise when it comes to security.

    You can compromise on desktop speed, the corporate jet, repainting the office, Bob's bonus, but you don't compromise the outdated webserver. I just don't see how you can't see that.

    We aren't talking about a mom and pop shop with 12 computers. We are talking sony, a multibillion dollar company who just completely screwed 100 million people due to outdated well known vulnerabilities.

  • GdemamiGdemami Member EpicPosts: 12,342


    Originally posted by Pyrostasis

    You can compromise on desktop speed, the corporate jet, repainting the office, Bob's bonus, but you don't compromise the outdated webserver. I just don't see how you can't see that.

    See what? Do you have any information what web server was supposedly outdated? Do you have any information what this server was used for? Where it was placed in the infrastructure? etc..

    Neither what he says implies this supposed server was playing a role in the breach.

    I cannot say if Spafford was misquoted only or he went overconfident at the congress. I did not find a transcript or full video to verify.

    However there is a full quote from his testimony:

    "I have no information about what protections they had in place, although some
    news reports indicate that Sony was running software that was badly out of date, and had
    been warned about that risk."

    He does not have any first hand experience nor any access to reliable source of information, nor he verified his information, he only states what he could read on some forums.

    What he says makes huge headlines but means very little.

  • Pyrostasis Member Uncommon Posts: 2,293

    Originally posted by Gdemami

    Originally posted by Pyrostasis

    You can compromise on desktop speed, the corporate jet, repainting the office, Bob's bonus, but you don't compromise the outdated webserver. I just don't see how you can't see that.

    See what? Do you have any information what web server was supposedly outdated? Do you have any information what this server was used for? Where it was placed in the infrastructure? etc.

    Nor does what he says imply this supposed server was playing a role in the breach.

    I cannot say if Spafford was only misquoted or if he went overconfident at Congress. I did not find a transcript or full video to verify.

    However, there is a full quote from his testimony:

    "I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk."

    He does not have any first-hand experience nor any access to a reliable source of information, nor has he verified his information; he only states what he could read on some forums.

    What he says makes huge headlines but means very little.

    They released a flow chart showing the attack and the webserver.

    The attack came from the outdated software on the webserver.

    Many folks in the security field had mentioned Apache and Samba being the issue.

    Dude in front of Congress states it was an outdated version of a webserver running Apache and that they were aware of it months beforehand.

    But that's not enough to prove it... okie doke.

  • Gdemami Member Epic Posts: 12,342

    Originally posted by Pyrostasis

    They released a flow chart showing the attack and the webserver.
    The attack came from the outdated software on the webserver.
    Many folks in the security field had mentioned Apache and Samba being the issue.
    Dude in front of Congress states it was an outdated version of a webserver running Apache and that they were aware of it months beforehand.
    But that's not enough to prove it... okie doke.

    Who is 'they'? Please provide links or just identify your source at least.

    Yeah, because 'dude' states something in front of the Congress hearing which is just a political charade, it must be true and implies whatever fits your boat, right?

  • Pyrostasis Member Uncommon Posts: 2,293

    Originally posted by Gdemami

    Originally posted by Pyrostasis

    They released a flow chart showing the attack and the webserver.

    The attack came from the outdated software on the webserver.

    Many folks in the security field had mentioned Apache and Samba being the issue.

    Dude in front of Congress states it was an outdated version of a webserver running Apache and that they were aware of it months beforehand.

    But that's not enough to prove it... okie doke.

    Who is 'they'? Please provide links or just identify your source at least.

    Yeah, because 'dude' states something in front of the Congress hearing which is just a political charade, it must be true and implies whatever fits your boat, right?

    They as in the CEOs of said company (Sony) in their press release.

    And if you don't believe a Doc, with a PhD, testifying under oath, before Congress... then that's cool man. Rock on with your bad self.

    The proof has been presented, it's pretty undeniable. If you don't wish to look at the facts that I have linked and presented, that's your call.

  • Gdemami Member Epic Posts: 12,342

    Originally posted by Pyrostasis

    And if you don't believe a Doc, with a PhD, testifying under oath, before Congress... then that's cool man. Rock on with your bad self.

    Ever heard of the fallacy of defective induction named appeal to authority?

    You would not get far with IT security with such an attitude.

  • demiqus Member Posts: 14

    Originally posted by twodayslate

    Originally posted by demiqus

    Whether you are/aren't a supporter of Sony is irrelevant. The people who have done this are in no way any different than Bin Laden and co.

    To use a similar mode of thought to the attack on Sony by the perpetrators: does this make the US government responsible for the death of thousands in the 9/11 attack on the 2 towers? Whatever reason or excuse the terrorists had for making the attack, it doesn't make it right to attack innocent bystanders. If they had attacked the CIA HQ or the White House, maybe they might have had a 'legitimate' target for their gripes, but in the end it's once again the average joe that takes the brunt. Did they steal from the CEO and board of Sony/SOE? No. Like most chicken shits, they go for the obvious.

    This is the wrong forum for that analogy, but in short, yes the government was partially responsible. The two are similar in that in both cases, the one being attacked knew exactly how it would happen (and in your case, when).

    Partial responsibility, all around.

    I thought the analogy was in the right place. Details aside, all that is going to result is that a few politicians get extra media coverage, lawyers make even more money, a few 'plaintiffs' who happen to have used a PS3 once get a nice bonus from a lawsuit, and everyone else who doesn't fall into those 3 categories will end up paying for it all.

    Did Sony mess up? Yes! Are the hackers some sort of crusaders against the evil empire? No! If Sony goes belly up, I can bet all the directors will retire with a nice bonus and your average Sony employee is left to sweep the streets or take out the garbage. The same way the President of the USA / Prime Minister of UK and the rest of their cronies will be off and given a lifetime pension and honorary executive position in some corporate establishment, while the rest of the country has to pay off billions of debt in taxes for the rest of their lives.

  • Kevyne-Shandris Member Uncommon Posts: 2,077

    Originally posted by Pyrostasis

    Originally posted by Gdemami

    Originally posted by Pyrostasis

    They released a flow chart showing the attack and the webserver.

    The attack came from the outdated software on the webserver.

    Many folks in the security field had mentioned Apache and Samba being the issue.

    Dude in front of Congress states it was an outdated version of a webserver running Apache and that they were aware of it months beforehand.

    But that's not enough to prove it... okie doke.

    Who is 'they'? Please provide links or just identify your source at least.

    Yeah, because 'dude' states something in front of the Congress hearing which is just a political charade, it must be true and implies whatever fits your boat, right?

    They as in the CEOs of said company (Sony) in their press release.

    And if you don't believe a Doc, with a PhD, testifying under oath, before Congress... then that's cool man. Rock on with your bad self.

    The proof has been presented, it's pretty undeniable. If you don't wish to look at the facts that I have linked and presented, that's your call.

    And you're playing Rift and trying to give a lesson about webserver security?

    Saddest thing about all this is the players who suffer for some renegades. No, we don't talk about the renegades and their clear illegal activities, just the publisher.

    It's no wonder why the world can't distinguish right or wrong anymore, they can't even seem to understand the real enemy here.

  • Pyrostasis Member Uncommon Posts: 2,293

    Originally posted by Gdemami

    Originally posted by Pyrostasis

    And if you don't believe a Doc, with a PhD, testifying under oath, before Congress... then that's cool man. Rock on with your bad self.

    Ever heard of the fallacy of defective induction named appeal to authority?

    You would not get far with IT security with such an attitude.

    Yes but I am now speaking to someone who apparently has no knowledge of IT or security.

    Sony screwed up with their webserver, they have stated this, it's a fact. This webserver and its vulnerability were used to gain access and escalate privilege and gain further access and eventually obtain the critical data. This is also a fact.

    The only question that remains, was the vulnerability known, was it preventable, and is Sony negligent?

    It was a known vulnerability in the security world, assuming whoever was responsible for maintaining security in SOE and PSN's network was remotely competent he knew the problem. Why wasn't it fixed?

    Was it preventable? Yes. Why wasn't it?

    Is Sony negligent? That depends.

    My logic is fine my friend, the facts are in. The only question to be asked here is, why wasn't it fixed and should Sony be nailed for gross negligence.

  • Pyrostasis Member Uncommon Posts: 2,293

    Originally posted by UNATCOII

    Originally posted by Pyrostasis

    Originally posted by Gdemami

    Originally posted by Pyrostasis

    They released a flow chart showing the attack and the webserver.

    The attack came from the outdated software on the webserver.

    Many folks in the security field had mentioned Apache and Samba being the issue.

    Dude in front of Congress states it was an outdated version of a webserver running Apache and that they were aware of it months beforehand.

    But that's not enough to prove it... okie doke.

    Who is 'they'? Please provide links or just identify your source at least.

    Yeah, because 'dude' states something in front of the Congress hearing which is just a political charade, it must be true and implies whatever fits your boat, right?

    They as in the CEOs of said company (Sony) in their press release.

    And if you don't believe a Doc, with a PhD, testifying under oath, before Congress... then that's cool man. Rock on with your bad self.

    The proof has been presented, it's pretty undeniable. If you don't wish to look at the facts that I have linked and presented, that's your call.

    And you're playing Rift and trying to give a lesson about webserver security?

    Saddest thing about all this is the players who suffer for some renegades. No, we don't talk about the renegades and their clear illegal activities, just the publisher.

    It's no wonder why the world can't distinguish right or wrong anymore, they can't even seem to understand the real enemy here.

    How does Rift's vulnerability in their security last month have anything to do with me and security?

    I wasn't aware that I was responsible for that.... does that happen to come with a paycheck?

  • jpnz Member Posts: 3,529

    If we go purely based on what Sony has told us, they knew of the vulnerability but they left it open.

    They might have a good reason why (i.e., they were planning on patching it 2 seconds before the hacking happened) but the fact remains, they knew about it but they did nothing about it (on their production systems) when the hacking occurred.

    One can spin this to the end of time but the facts* do not seem to be in Sony's favor.

    *I am assuming what Sony has told us are facts

    Gdemami -
    Informing people about your thoughts and impressions is not a review, it's a blog.

  • Kevyne-Shandris Member Uncommon Posts: 2,077

    Originally posted by Pyrostasis

    Originally posted by UNATCOII

    Originally posted by Pyrostasis

    Originally posted by Gdemami

    Originally posted by Pyrostasis

    They released a flow chart showing the attack and the webserver.

    The attack came from the outdated software on the webserver.

    Many folks in the security field had mentioned Apache and Samba being the issue.

    Dude in front of Congress states it was an outdated version of a webserver running Apache and that they were aware of it months beforehand.

    But that's not enough to prove it... okie doke.

    Who is 'they'? Please provide links or just identify your source at least.

    Yeah, because 'dude' states something in front of the Congress hearing which is just a political charade, it must be true and implies whatever fits your boat, right?

    They as in the CEOs of said company (Sony) in their press release.

    And if you don't believe a Doc, with a PhD, testifying under oath, before Congress... then that's cool man. Rock on with your bad self.

    The proof has been presented, it's pretty undeniable. If you don't wish to look at the facts that I have linked and presented, that's your call.

    And you're playing Rift and trying to give a lesson about webserver security?

    Saddest thing about all this is the players who suffer for some renegades. No, we don't talk about the renegades and their clear illegal activities, just the publisher.

    It's no wonder why the world can't distinguish right or wrong anymore, they can't even seem to understand the real enemy here.

    How does Rift's vulnerability in their security last month have anything to do with me and security?

    I wasn't aware that I was responsible for that.... does that happen to come with a paycheck?

    It's called: an observation.

    Consumers are indeed responsible for their own security, too. It's called...responsibility.

    Security 101.
