For those put off by the first 40 lines, here's the good part:
"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?
"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.
ONE MILLION email addresses and clear-text passwords. Ouch.
That far surpasses the Gawker hack since all of Gawker's passwords were encrypted with a somewhat easily reversible hash (for simple passwords) and only a subset of those passwords were recovered.
Imagine what governments could do with all those email/password combinations. Cross reference email addresses with a target internal database and an agency could (is) within minutes begin to systematically download an enormous amount of emails and other private data.
And the spammers...
And nobody ever uses the same password across different systems, right?
> Imagine what governments could do with all those email/password combinations. Cross reference email addresses with a target internal database and an agency could (is) within minutes begin to systematically download an enormous amount of emails and other private data.
Sadly, governments don't need a hack like this to get at email.
Hard to believe after the initial hack they didn't launch a group-wide memo from the CEO to encrypt all personal data. Could have brought some DLP vendor in to find it and roll out rapid database-level encryption without changing application code. SQL injection vulnerabilities in this day and age are unforgivable but unfortunately not uncommon. Sony will not be the only global company with hundreds of such vulnerabilities.
Yikes - I believe in the PSN hack there was some question as to whether the passwords were encrypted or not. I'm glad it's out in the open for this one. Think we'll see Sony changing their name any time soon?
> Think we'll see Sony changing their name any time soon?
Doubtful, 90% of people won't remember this in a year, just like barely anyone remembers about the BP oil spill or the Toyota brake incident.
Sony might drop their name from some of their tech enterprises. The next playstation will probably just be Playstation rather than Sony, but that's likely the biggest. Considering that Sony Bravia's are often sold as just 'Bravia', I don't see it as a huge change.
I'm not so sure. A lot of people still remember the fact that Sony smuggled a malware payload on to Audio CD's and that was in 2005 (http://en.wikipedia.org/wiki/Sony_rootkit).
I for one make it my business to remember people and to point what an evil company with a totally twisted mindset Sony actually is.
Add to that their mindboggling technical ineptitude, which is so bad that I'm sure this will be remembered in a year's time.
(I'm aware that technically Sony BMG was behind the rootkit scandal. But hey: there's the SONY brand name very clearly to see, here)
I know, I was calling bullshit on it the first time I heard it. What I liked was that the incidence of actual problems (IIRC dealerships installing the wrong size mat that would ride up) was almost identical to the rates found at other companies.
I honestly don't think any of this news makes it to the mainstream. Go ask your mom or non technical friend if they heard about the Sony hack. I'd bet they haven't a clue what you're talking about. This only hurts them in the tech circles and as a bunch of other people said, it will be forgotten by next year.
My mom has certainly heard about the Sony hack. My younger brother (still at home) has a PS3.
This is different though. It's not as newsworthy since Sony is getting hacked every other week at this point, and Sony probably won't shut down any services over it.
I hope they change the CEO at least. He has treated this situation with arrogance ("just a minor glitch") and it's not like he did an amazing job at Sony over the past few years in the business side either.
SonyPictures.com has been owned,
this is its SQLi hole:
## http://www.sonypictures.com/homevideo/ghostbusters/photoupload/view.php?id=12838 ##
TEAR THE LIVING SHIT OUT OF IT WHILE YOU CAN; TAKE FROM THEM EVERYTHING!
Seems Sony really has kicked up the swarm with that GeoHot clamp down.
I am fairly certain that there are some executive meetings that are seriously questioning whether or not that initial action was wise.
I never thought this type of extortion could work, but Hot Damn. This is an effective campaign.
Talk about relentless!
Edit: This is really a losing battle for Sony. They are too big, there are too many vulnerabilities. They are too exposed. I know this sounds extreme, but are we witnessing the end of Sony as we know it? It sounds ridiculous on the surface, but think about the distraction this has become. The billions of dollars of civil liabilities they are now open to, and this is not stopping any time soon. Talk about the perfect storm created by one anonymous group. Kinda insane, but also feels kinda cool... in a weird way. There is something liberating about a small group of 'anonymous' hackers taking on a Goliath of a corporation and winning. And I am a Capitalist to the core.
Although, the likely, annoying outcome of this is that this strengthens the hand of those that want a 'censored' Internet to prevent these types of things from happening. So this could very well lead to the end of the internet as we know it today. Also very hyperbolic, I know....but I believe it to be true.
I don't think we're witnessing the end of Sony, but we are certainly witnessing the end of their online ventures.
What is very interesting is that all of their Web properties seem so stove-piped. No common architectural direction, no standards, no common security defenses.
It's almost as if Sony's marketing departments are leading all Web development efforts for the company. No serious enterprise ever lets that happen.
My experience with working for companies of a similar size in the beverage, fast food and running shoe industries is that the cost in money and time of developing on the corporate mandated development platform makes it impossible for marketing departments to deliver their crazy websites. This results in the marketing department paying to host websites outside of the corporate infrastructure. So I expect that Sony is letting its marketing departments lead their web development effort since most of the sites will be marketing sites.
I'd be surprised if the majority of their web properties were built in-house. A large chunk of the Japanese software industry is composed of companies that fight over contracts from the MNCs to do those kinds of projects (websites, software for embedded systems, customized software for internal use).
Sony is not a Goliath. Sony is the old, senile neighbor shaking his fists as the kids throw stones at his windows.
They have a huge surface area to be targeted and very few people tasked with defending them, against god knows how many hackers that take joy in doing this. And it takes only one to wreak havoc, and they can only do something with the person after the damage is done.
This is true for most corporations with online presence, but Sony gave the hackers a reason to target them specifically.
As someone who doesn't own any Sony products and doesn't know or is in the groups making this madness, I can just sit back and enjoy some popcorn.
I didn't see anything being attributed to anonymous here.. just some hackers looking to hop on the bandwagon, stumbling across a very simple vulnerability in one of the many Sony properties.
I think you're right. I was lurking in the anonops irc earlier and there was quite a bit of chatter about lulzsec. There was some talk about paying lulzsec to attack new targets, but I'm pretty sure it was idle chatter. Either way, it seems probable that there's some significant overlap in membership.
Just in case you really don't know, the various branches of Sony have demonstrated technological contempt for [their] customers for years. I'll omit their insistence on promoting their own products over other standards and general push for increased DRM, such as Minidisc/ATRAC, Blu-ray, etc. and focus on their actual attacks.
It started with the CD rootkit fiasco, in which music CDs distributed by Sony infected Windows PCs with software designed to prevent the ripping of music CDs to the computer, which also contained exploitable holes used by malware to infect computers.
Sony then removed the Other OS (e.g. Linux) feature from the new version of its PS3 consoles. This wasn't too egregious, but next they retroactively removed Other OS from older consoles that originally supported it. That upset a lot of people.
Along came GeoHot, a reverse engineer determined to get Other OS back, and no doubt other less-outspoken hackers. So he and the others did, and along with it recovered Sony's private key used to sign PS3 software, allowing Linux to access all the hardware of the PS3, as well as running other homebrew software.
Less-scrupulous individuals, not including GeoHot himself, used the aforementioned work to run pirated software on the PS3. This upset Sony.
The straw that broke the camel's back, though, was Sony suing GeoHot into oblivion (I personally suspect they also astroturfed gaming sites to get GeoHot's hack associated with cheaters at Call of Duty, which it was not). This is the final event that triggered the misguided but potent onslaught of attacks against any and all Sony properties.
>I personally suspect they also astroturfed gaming sites to get GeoHot's hack associated with cheaters at Call of Duty, which it was not
I don't know about that. Remember, the vast majority of gamers only know hackers as one of two things: people who take over websites, and people who cheat in video games. GeoHot being a "PS3 hacker" would likely naturally have led these people to assume the latter, and the combination of general ignorance of the issue and an emotionally charged reaction to cheaters likely enabled that rumour to spread virally. I certainly don't think astroturfing was necessary to spread that rumour, and barring any evidence showing Sony's complicity in doing so I'm happy to apply Occam's Razor and assume it spread naturally.
Never presume malice where stupidity will suffice.
I say misguided because it's highly unlikely the attacks will have the desired outcome. I heard the most recent hack mentioned on the local NPR broadcast of BBC radio, and all they said was that Sony was attacked again. I'm not aware of any mainstream media saying why.
The only effect seems to be people portraying hackers negatively in general, and at best, questioning why Sony was so vulnerable. The root motivation I described above seems to get no mention.
A well known cracker named George Hotz (GeoHot), best known for iPhone jailbreaking, began to target the PS3's security to enable full access to the PS3's graphics capabilities via the Linux install option that the PS3 originally shipped with. Sony was concerned that that would enable piracy, so they removed the Linux install option in a firmware update.
If you refused to install that firmware update, you could continue using your PS3 with that Linux installation, but you wouldn't be able to play new games or potentially play online. Basically, compute clusters that relied on that install continued working, and continue to work today.
The removal of that option incensed many PS3 purchasers, tech writers, hackers, etc. George Hotz then went on to crack the PS3's security anyway, enabling arbitrary code to run on the device (including applications that would let you run pirated PS3 games). Sony sued Hotz, ostensibly because he enabled massive piracy. This further incensed varied and sundry "hacking" organizations which began to target Sony. Eventually, Sony dropped the case against Hotz, for reasons that are difficult to discern (bad publicity for the most part). At this point, various hacking groups were able to penetrate the Playstation Network as well as many other Sony properties, resulting in hundreds of millions of dollars of lost income at this point.
That's exactly what George Hotz does. He breaks security. iPhone security, PS3 security, etc. He's not a hacker according to the RMS definition, the pg definition, or probably most of the classical definitions. He may fit the current journalist's definition of "hacker" which is much closer to RMS' cracker. Since the web site we are on is named hacker news after the original definition, I think we should probably go with cracker for the people that primarily break security.
However, he primarily breaks security on devices he purchased, so that he and others can repurpose them for their own needs and desires. That is a very "hacker" thing to do. "I have this device. Can I make it do something useful?"
If he were primarily breaking security on other people's computer systems, then the distinction would likely be merited.
I disagree with this, let's not forget RMS did a lot of "cracking" himself, like the ITS password hack and some shady things like reverse engineering code from Symbolics and gave it to Lisp Machine.
GeoHotz did a hard and ingenious hack to get his PS3 to do things it's no longer supposed to do. That's not cracking per se. I think cracking mostly happens with things like these folks did. Using a simple SQL injection (probably automated) to hack Sony's site.
It's all in the ingenuity level. That's where the distinction should be.
Sony is a big member of the RIAA and MPAA who have been suing people for a decade for downloading mp3s because it's "lost revenues". They recently carried these practices over from alienating people who have little clue about technology but really like music, to people who actively work to hack consoles and phones.
It's rather safe to fire a gun into a crowd and expect no one will challenge you. It's rather different to fire a gun into an army division and not expect everyone to fire back with better guns than your shitty pistol.
Sony has secured its customer data like it's a fucking fire alarm. Sure it has the illusion of safety hidden behind that plate of glass, but when you provide people with a hammer to break the glass and pull the handle it's really rather pointless. They're going to bitch and moan in front of congress, parliament and every other government that asks them WTF about cyber security and blah. When they've installed a turnstile at their revenue source and got surprised when people started stealing.
> I know this sounds extreme, but are we witnessing the end of Sony as we know it ?
Well, Sony (and the rest of Japanese industry) has been on a downward spiral for the last 2 decades. This is just the final blow. Their end has been in sight for at least 5 years now.
I am fairly certain that there are some executive meetings that are seriously questioning whether or not that initial action was wise.
The only thing happening in those executive meetings at Sony is a discussion of which lobbyists to hire and which laws to buy in order to punish their legitimate paying customers even further.
I've said this before and I'll say it again: Sony is facing a highly skilled group of hackers that have made it their mission to ruin the company. If you have sensitive data with any of Sonys products, I'd advise you to delete it ASAP. This is not going away. Sony will be fighting attacks like this for years to come and they have only themselves to blame.
I don't know that deleting it will do much good. Most web apps for performance reasons don't actually do a delete against the database, rather mark a record as deleted and perhaps run a batch job later to clean deleted records from the database. If you've got access to the database via SQL injection, you'll have access to all those "deleted" records as well. Even if you go through the website and update each field with empty, anonymous, or incorrect data, I suspect there's a high chance of backups being available to anyone who's 0wned their servers...
My advice would be to assume any data Sony has about you is already in the hands of attackers, and do whatever you can to minimize the usefulness of that to the attackers (which largely means ensure the password you used at any Sony site isn't useable anywhere else online)
Heh - yeah maybe... I was imagining a shared hosting cpanel account with a bunch of dated backup.tgz files sitting in the home directory which only ever get removed when the webhost complains about disk space usage...
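The injection described earlier in the thread (a numeric `?id=` parameter on a photo page) and the point just above about soft-deleted records, as one added example that is not code from the thread or from the site itself. It assumes a photo table looked up by the `id` parameter and a users table with plaintext passwords, both loaded with constructed rows; the table and column names and the shape of the query are assumptions, not the real site's schema. The same string-concatenation bug that lets one request read another table also lets it read rows the application considers deleted, because the `deleted = 0` filter is just text that the payload comments out.

```python
import sqlite3

# Constructed sample data standing in for a photo-upload site's database.
# Table and column names are assumptions, not Sony's schema; the rows are made up.
SAMPLE_PHOTOS = [
    (12838, "ghostbusters_01.jpg", 0),
    (12839, "ghostbusters_02.jpg", 0),
    (12840, "old_upload.jpg", 1),  # deleted=1: hidden by the app, still in the table
]
SAMPLE_USERS = [
    (1, "alice@example.com", "hunter2"),  # plaintext, as in the leaked dump
    (2, "bob@example.com", "letmein"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE photos (id INTEGER, filename TEXT, deleted INTEGER);"
        "CREATE TABLE users (id INTEGER, email TEXT, password TEXT);"
    )
    conn.executemany("INSERT INTO photos VALUES (?, ?, ?)", SAMPLE_PHOTOS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def view_photo_vulnerable(conn, id_param):
    """The bug: the ?id= value is pasted straight into the SQL text."""
    sql = f"SELECT id, filename FROM photos WHERE id = {id_param} AND deleted = 0"
    return conn.execute(sql).fetchall()


def view_photo_fixed(conn, id_param):
    """The fix: validate the type, then bind the value as a parameter."""
    try:
        photo_id = int(id_param)
    except ValueError:
        return []  # junk in ?id= is rejected, never parsed as SQL
    sql = "SELECT id, filename FROM photos WHERE id = ? AND deleted = 0"
    return conn.execute(sql, (photo_id,)).fetchall()


# Payloads an attacker would put in ?id=. The trailing "--" comments out the
# rest of the query, so the soft-delete filter "AND deleted = 0" stops applying.
PAYLOAD_ALL_PHOTOS = "12838 OR 1=1 --"
PAYLOAD_DUMP_USERS = "0 UNION ALL SELECT email, password FROM users --"


def attacker_reads_every_photo(conn):
    """Soft-deleted rows come back too: deleting through the app did not remove them."""
    return view_photo_vulnerable(conn, PAYLOAD_ALL_PHOTOS)


def attacker_dumps_users(conn):
    """One injection point on a photo page is enough to read the users table."""
    return view_photo_vulnerable(conn, PAYLOAD_DUMP_USERS)


if __name__ == "__main__":
    db = make_db()
    print("honest request :", view_photo_vulnerable(db, "12838"))
    print("all photos     :", attacker_reads_every_photo(db))
    print("users dumped   :", attacker_dumps_users(db))
    print("fixed, payload :", view_photo_fixed(db, PAYLOAD_DUMP_USERS))
    print("fixed, honest  :", view_photo_fixed(db, "12838"))
```

The fixed version does two things, and both matter: `int()` rejects anything that is not a number before the database sees it, and the `?` placeholder means that even a value which survives validation can never become SQL syntax. Note that the parameterized query still honours `deleted = 0`, so the "deleted" row stays in the table and is only one backup copy or one other injection point away from being readable again.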
lolwut, SQLi is sophisticated and takes mad skills now? The methods employed are very low-brow to be charitable, brah. To be completely honest, I don't think Lulzsec is the first to discover this at all. They're just being loud about it all. For a sophisticated popular hack recently, look at the work by zerofor0wned or the Stuxnet worm (not classifying the two in the same category of course).
I know someone that briefly worked for a third party company that Sony had outsourced a fairly large project to (building some social networking features into the web based side of PSN). I found it really surprising at the time that Sony had outsourced that sort of thing, but I'm getting the feeling now that it must have been a fairly common practice.
Given the wildly different business sectors that Sony is involved in, it's really not so surprising that their security varies considerably amongst them. Somehow I doubt lulzsec would be anywhere nearly as successful if they were attempting to steal semiconductor manufacturing information from the Japanese offices. Although that might just make it all the more insulting to Sony's customers who just had all of their personal information stolen.
The question is whether Sony is really an outlier in terms of security, or if most big corps are getting by with security by obscurity (or no one cares about hacking them).
This level of professional negligence isn't reserved exclusively for megacorps. There's YC companies writing their own PHP frameworks that will enable these flaws to live on for another generation.
They're probably getting away with the appearance of security: if the crackers didn't publicize this, and Sony didn't, we would ever know.
So how many companies who store personal information are being compromised these days? I have a feeling that Sony is not unusual in their level of insecurity.
Disagree on absurdity. I'm certain that if you focused enough eyes on any company with as much surface area exposed to the internet you'd poke just as many holes.
What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.
I'm not sure that is true for any company with as much surface area. I would be extremely disappointed if it were true of any of Canada's five major banks, for example. Google has been under continuous hacking attack from China and so far they haven't had to 'fess up to storing passwords in plaintext.
"Any" is probably an exaggeration. I'd cede that and accept "most." We can hope that Google is an exception because of the caliber of employee they hire, since obviously they also have a lot of domain knowledge. But, I think that only means we're quibbling about the embarrassment level of these breaches.
Sorry for the delay... Parenting! Any ways, I agree we shouldn't quibble about any/most.
I also agree that a big surface area (such as units with independent web strategies all over the world) increases the likelihood of there being some breach of security. What I find embarrassing here is that we aren't talking about one of the Sony properties having a breach, it's lots and lots of them.
I suggest that this is symptomatic of a problem with Sony itself, not just the surface area they present. What I'd expect from a well-managed company with a big surface area is yes, some property might have a breach, but that would be the exception.
It's beginning to look like Sony's lax security with respect to customer information is the rule and not the exception.
Understand regarding parenting. I do that myself. :-)
I do see your point about Sony, and they may in fact be an outlier here. I think I've been accustomed to the story of customer information breaches from large corporations though, and so maybe I'm overly pessimistic?
Banks hopefully encrypt them, but even a cursory glance when logging in to most nowadays shows they don't hash them (asking for individual characters). Or at least, you hope they aren't storing hashes of individual characters of your password ... even with salt.
SonyPictures.com was owned by a very simple SQL injection... From a single injection, we accessed EVERYTHING ... every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext...
I have to disagree. Lots of big companies are not great at security, but this is just horrible!
Given how much bad publicity and legal exposure costs a corporation of Sony's size I'd say that getting their affairs in order across the board should have been a bigger priority. As it is wildly unreasonable not to have taken a good hard look at every piece of infrastructure after the first major breach I'd say absurd describes this situation pretty well.
Even if they had hired all of the top ranked security firms the first day PSN was hacked, they would still be open to attacks like this. The amount of public properties Sony hosts internationally is huge -- it would take a long time securing it all.
I had to stop a previous employer from doing just that in 2003. It was bad practice then, too. Big companies are just more susceptible to these kinds of short-cuts. Especially shortcuts with no clear benefit except to a lazy programmer.
Failing to encrypt user passwords isn't a short-cut; it's an inexcusable and egregious failure — especially when it's done by a company that has the resources to do it right in the first place.
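An added example, not code from the thread, contrasting the three ways of storing a password that come up in this discussion: plaintext (the Sony dump), a fast unsalted hash (the "somewhat easily reversible" Gawker case mentioned near the top), and a per-user salted slow hash. The sample credentials and the five-word wordlist are constructed; the PBKDF2 parameters are assumptions chosen for illustration. The last function carries the caveat a practitioner wants: a dictionary password is still found under a salted slow hash, it just costs one KDF run per guess per user instead of one table shared across the whole dump.

```python
import hashlib
import hmac
import os

# Constructed sample credentials and a tiny constructed wordlist; not real data.
SAMPLE_USERS = {"alice@example.com": "hunter2", "bob@example.com": "letmein"}
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]
ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise it as hardware gets faster


def store_plaintext(password):
    """What the leaked dump showed: the column is the password itself."""
    return password


def store_unsalted_fast_hash(password):
    """Better than plaintext, but one precomputed table reverses every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_slow_hash(password, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_slow_hash(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_unsalted(stored_hash, wordlist=WORDLIST):
    """A single table of len(wordlist) hashes is reused against the whole dump."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(stored_hash)


def crack_salted(stored, wordlist=WORDLIST):
    """No shared table: every guess costs a full KDF run, for every user separately."""
    for candidate in wordlist:
        if verify_salted_slow_hash(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    for email, pw in SAMPLE_USERS.items():
        fast = store_unsalted_fast_hash(pw)
        slow = store_salted_slow_hash(pw, iterations=10_000)  # smaller for the demo
        print(email)
        print("  plaintext :", store_plaintext(pw))
        print("  md5       :", fast, "-> cracked:", crack_unsalted(fast))
        print("  pbkdf2    :", slow[:40] + "...", "-> cracked:", crack_salted(slow))
```

Two things are worth noticing when running it. The two salted entries for the same password differ on every run, so an attacker cannot tell from the dump which users share a password, let alone build one table for all of them. And the slow variant still gives up `hunter2` to a five-word list; hashing buys time and raises the attacker's cost per account, it does not rescue a password that is in every wordlist.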
11 times in the last 2 months or so. 11, very high-profile cases with tons of customers' and employees' details. And always the same trivial things; SQLi, no encryption/plaintext databases, lack of first-line security like firewalls, etc.
It is just sad that all these hackers think they're doing everybody a favor by attacking "evil corporations" like Sony. But while they may be right in exposing Sony's lousy security, meanwhile they hurt one million people by releasing their information out into the public in a way that can never be taken back.
Unless you think hurting one company you deem bad outweighs hurting a million innocent private citizens, then your priorities are a bit messed up.
Every Sony customer is an inadvertent supporter of Sony's abuses, and most of them don't care about Sony's morality, they just love the products. If hackers make being a Sony customer unpleasant, then they may be able to hurt Sony's bottom line. It seems far more likely to work than an online petition or boycott...
Unpleasant is the word you're choosing to use? Having my credit card information that links to my bank account, and the only bank account I have, and then having that fucked with is more than unpleasant. I'm thankful when the PSN network was compromised I wasn't one of those people with the claims of large sums of money being circulated out of the bank. (Yes I know, could easily be coincidental evidence. Not the point.)
By all means the cause is more than plausible with Sony's abysmal track record. The methods are absurd and obnoxious, but by all means keep hiding behind this tired old excuse that the end result is to hurt Sony. The people you're trying to help will have no sympathy when you're caught and sentenced.
Irritating, painful, expensive? Choose your favorite word to describe your experience as a Sony customer, I guess.
but by all means keep hiding behind this tired old excuse that the end result is to hurt Sony
It's not an excuse, it's a hope. I sincerely hope that this will hurt Sony's bottom line in the near future. I hope that some time soon, the general public will associate Sony with being screwed over, and that they factor that in with the price of that shiny PS3 they want. I hope that Sony will be humbled and beg customers to come back, rather than treating them like shit. This is hardly the first time Sony's customers have been screwed by Sony's customer-hostile policies, so I don't expect it, but I certainly do hope for it.
The people you're trying to help will have no sympathy when you're caught and sentenced.
When I'm caught and sentenced? For schadenfreude, or do you think I'm behind this attack? My handle is easily associated with my meatspace ID; if anybody that mattered thought I was behind this, I'd most certainly be chatting with the FBI right now instead of with you.
>Irritating, painful, expensive? Choose your favorite word to describe your experience as a Sony customer, I guess.
Disruptive. I've been going paperless (in regards to money) since 2008; this was a flat-out disruption on my day-to-day life.
>This is hardly the first time Sony's customers have been screwed by Sony's customer-hostile policies, so I don't expect it, but I certainly do hope for it.
Sony's abysmal history is public knowledge; I still had little choice in the limited choice I had with buying a gaming system.
>When I'm caught and sentenced? For schadenfreude, or do you think I'm behind this attack?
Kudos for missing that hyperbole.
By all means keep downvoting me. How many of you disagreeing with my point about the extremity of these methods were affected by any of this? That's what I thought.
Actually a much more reasonable step to take would be to release the data, but to de-identify it in such a way that individual people couldn't have their identities compromised or lives ruined.
I agree that Sony should be taken to task here, but even the simple step of randomizing the password field would be a good idea.
The public is already predisposed to believing any hacking claims targeted at Sony at the moment. I wouldn't exactly frame their actions as reckless or lacking in logic either. How about malicious? I am particularly put off by this line:
"This is disgraceful and insecure: they were asking for it."
I get it, they have poor security, as a customer, this makes me really angry. But the general tone there is kind of similar to what you get when people accuse rape victims of being complicit in the rape. "She was askin' for it!"
That's sort of like saying that software piracy is theft.
Blaming victims for rape is dangerous because it discourages victims from coming forward, and adds to intense feelings of shame and guilt that come with sexual violation. It also tends to come with suggestions that women should restrict their behavior, not seeking to be attractive or acting in 'risky' stereotypically male ways.
Criticizing a corporation for failing to follow security best practice, and speculating about the effect of outsourcing or technology is completely different. I'd say that as a lot of people here run websites, it's probably a good idea too.
I probably should not have used rape as the example there. What I was really trying to convey is that a crime was committed, and the perpetrators have set things up to shift the public's blame to Sony.
This seems more comparable to a bunch of people finally ganging up to beat the shit out of a bully who had a history of treating weaker individuals badly.
> tone there is kind of similar to what you get when people accuse rape victims of being complicit
Not when there are hostile state actors who have presumably been enjoying that access for years without publishing it. These guys just told us about it.
I'm not saying there's no logic. I'm just saying it's some pretty messed up logic.
Sony has been targeted for several major intrusions lately and I'm certain they have lost a great deal of money because of it.
Now if hackers want to damage Sony, how about finding a way that doesn't also involve millions of regular people in the process.
I got my one and only Sony product (PS3) because I use it for something. Not because I support Sony in every decision they make, and I definitely think they should do something about that joke for security they have going on.
But why should the user be punished and shat on by some idiot hackers just because he/she decided they wanted a cheap system to play games on, for example?
They could do a million things to hurt Sony financially instead of fucking over millions of end users who aren't connected to the company at all. (I'm counting all the affected users of all the latest Sony attacks, in case someone has a problem with the figures.)
Also, I think they chose to release the stolen data out of ill-will towards Sony rather than it being an attempt to point out security flaws. Because if security flaws were the real issue they attacked Sony over, then they wouldn't release the info to everyone, since that seems quite counterintuitive.
I don't think you get it. I got root access of a box today, reported it to the company, and was told he couldn't notify the developers until next week because they're in meetings. The person was actually more concerned because I mentioned I was blown off the first time I reported a security issue (emailed password, non-https logins/signups, etc). Meanwhile, I can instantly copy/destroy/deface hundreds of sites, all of which have paid initial fees between $10,000-$50,000 for the service and pay annual fees for continued service.
These companies are fucking stupid and the only way to make them change their ways is to kick them in the balls and piss on them while they're down. Otherwise, nothing happens and others who were less kind don't tell them and harvest the data unbeknownst to anybody. How's that for "real issues"? The real issue is the companies fucking suck and it pisses us off when they don't do a goddamn thing when we report it to them.
Agreed. However, I think the scariest risk is governments becoming more justified in unconstitutional (USA) policies, which affect all of us on more substantial levels.
Considering Sony's lack of security, it would be careless not to assume that the information is already in the hands of the malicious hackers. A group of mischievous ones publicly releasing it doesn't add much harm, and publicizes the fact that your information is not secure in a way that makes people take notice.
Also they're ignoring the employees of Sony they're hurting too. If Sony loses money, it's not the management who get hurt, it's the low level employees. It's such a shame we now parade these people as heros, when a few years ago they would have been berated for not disclosing this information properly.
Companies like Sony make claims that their Intellectual Property is worth X amount in court and go after individuals for huge amounts of money. I think you could argue that people's Personal Information is worth at least X + Y more.
If someone takes them to court and a huge, ridiculous, judgement is handed out, then maybe these companies will think twice about securing their customers data. Seriously, unencrypted password fields? A SQL injection?
This series of hackings is everything that's wrong with the software industry in a microcosm. Sony is a multi-billion dollar international company, and yet they can't even hire competent enough software and security professionals to ensure that their public facing websites holding personal data for millions of people don't have noob level security vulnerabilities.
Software is still more alchemy than chemistry today. There are no objective measures or well-trusted authorities which can be used to ensure that any given developer or any given piece of software meets a certain degree of competence or quality. Only the subjective judgment of fellow alchemists can reliably gauge the quality of another alchemist, and then often only with a rather lot of effort. The most fundamental consequence of this is that no organization can easily produce high quality software merely by throwing enough money at it. This is a competitive advantage for small high-talent shops but it has some rather negative consequences for the rest of the world.
I have seen lots of web work for Sony-sized companies being awarded to design-heavy advertising agencies with incompetent backend developers when such work should be undertaken by people skilled in making the plumbing of public-facing, secure and scalable websites. This is the kind of mistake only a junior makes that should never pass the most complacent code-review process.
Like an old friend of mine used to say, "you pay peanuts, you buy monkeys."
I've actually been one of those developers working on a site for a major corporation who outsourced the development and design to an advertising agency. I wouldn't be surprised if there were a few holes in our site, despite the external security audit.
The main issue is that the advertising agency handled the development very poorly. Expectations and specifications were not well defined, budgets were not set appropriately, and project management was largely absent. This led to my fellow developer and me, who were brought in because the agency lacked developer talent, having to scramble to get all the features in before the deadline.
I would blame some of this on lack of technical project management as well, not just on the coders.
I have to agree with you: the result cannot be blamed on the programmers alone. What I saw was a cultural mismatch, all the way from the control of the requirements to the selection of personnel. Making an ad is not the same as making a web application; the attributes of a good writer or artist are not what define a good programmer. I have successfully introduced a measure of sanity in two agencies I worked for, with great results (I really love making people's lives better), but that's not the whole market.
Yet, I can understand a bit of this mindset. Far too many websites are to be discarded by the end of the campaign. When so many products are supposed to last a month or so, people often forget about how sausages should be made.
No, pretty much just don't make the internet mad.
Have I not been keeping up, and these attacks have all been linked back to Anonymous in some credible way? (I realise the problem with that question)
Bitcoin is just another imaginary currency. But now it's technofreaks imagining it, what a difference. A real adventure into economics and currencies would be to strive for a society with no currency, where people do things for the lulz. Not for the coins, man.
I don't get this anti-Bitcoin thing at all. I'm not for or against it, it's interesting tech for sure - fascinating even - and obviously polarizing to some. But I just don't get this attitude at all, at least amongst HN'ers.
The thing that struck me first about this was the fact that it is in impeccable English, yet written as a kid would write. Something smells funny about that.
What is to stop a competitor of Sony from trying to take them down under the guise of disenfranchised youth?
Or maybe we shouldn't stereotype, and assume these people - like you and me - can use proper grammar without even having to spend 10 minutes proofreading?
What is the benefit of publishing all the stolen data now? I guess it's proof for a successful attack, but it doesn't have any other benefit now, does it?
Hey, I'm curious whether my information was compromised in this attack, but I'm too lazy to figure out how to figure out whether it was. If someone has downloaded the released data and is looking for a weekend project (and the weekend's coming up), I'd love a site that lets me easily determine whether I'm affected.
Given the concurrent China stories, I wonder how many of these independent releases are just uncovering things that China farms like rice, and checks on them like they're rss feeds.
While this is incredibly embarrassing for Sony, as it exposes gross incompetence, can someone explain why the FBI/law enforcement is not able to shut down the hackers by filing criminal charges against the owners/operators of lulzsecurity.com, since they are openly admitting that they are behind all of the attacks?
First, selling unofficial/unreleased parts with an Apple logo on them and jailbreaking are completely different. You can sell all the cases and backplates you want, but you can't start putting someone else's trademarks on them.
Apple has gone after jailbreakers? That's news to me. Geohot has hacked (as far as I know) almost every iDevice Apple has put out, but Apple didn't take him to court because of it.
I didn't say that Apple took them to court. http://www.wired.com/threatlevel/2009/07/jailbreak/ I am just saying that Apple is using every means available to them to prevent other people using their software or hardware in a different way.
Do you really think that's true? My impression is more like they're doing just enough to convince groups like the RIAA and MPAA that they're "following industry best practice" until such a time that they are in a powerful enough position to admit "actually, we don't care much about your DRM and your failing business model, it's upsetting our users so it's gone," like they did with the DRM on iTunes music. Maybe Jobs's Pixar relationship will make Apple's movie industry support stronger than their music industry support turned out to be, but long term who knows?
I don't think a rational justification is really important to these people, but I believe a lot of the initial anger came from Sony removing features from the original PlayStation.
A major feature, removed by automatic patching as a non-legal reaction to a previous jailbreak attempt, was the ability to run a second OS such as Linux.
You might recall stories about people using networks of PlayStations running Linux, with their unusual Cell processor architecture, to crack WPA or model the weather.
This wasn't to Sony's benefit. The PlayStation was a cheap way of getting the Cell chip rather than buying blades full of them from IBM, absolutely because Sony sold the consoles below cost and hoped to make the money back from game royalties.
The ability to run pirated or unlicensed home-brew games threatened Sony's ability to recoup this money from normal users, so they pulled the second OS.
A lot of users chose the PlayStation over alternatives because it would run Linux. It was a nice dual-use 'TV media PC' and console. Sony removed the feature that they paid money for. The users were upset, probably more upset than they were by the Hotz thing, which was a bit abstract.
But I don't think these hackers cared, personally.
Apple actually treads carefully with the jailbreak thing. It's cat and mouse security and patching games, not suing people, and since the government ruling that allows jailbreaking (for now), they haven't even said they are fighting jailbreakers (which they used to, at least for PR purposes to please developers).
Countdown until someone adapts the bitcoin-blocker extension to also block the blatantly obvious Sony network security breaches that pop up every hour on the front page... 3. 2. 1