
SonyPictures.com hacked, personal information and passwords compromised - ssclafani
http://pastebin.com/Y38gCS82
======
nborgo
For those put off by the first 40 lines, here's the good part:

"SonyPictures.com was owned by a very simple SQL injection, one of the most
primitive and common vulnerabilities, as we should all know by now. From a
single injection, we accessed EVERYTHING. Why do you put such faith in a
company that allows itself to become open to these simple attacks?

"What's worse is that every bit of data we took wasn't encrypted. Sony stored
over 1,000,000 passwords of its customers in plaintext, which means it's just
a matter of taking it. This is disgraceful and insecure: they were asking for
it.

~~~
dholowiski
Yikes - I believe in the PSN hack there was some question as to whether the
passwords were encrypted or not. I'm glad it's out in the open for this one.
Think we'll see Sony changing their name any time soon?

~~~
agotterer
I honestly don't think any of this news makes it to the mainstream. Go ask
your mom or non technical friend if they heard about the Sony hack. I'd bet
they haven't a clue what you're talking about. This only hurts them in the
tech circles and as a bunch of other people said, it will be forgotten by next
year.

~~~
panacea
It's the fourth story on The Guardian's website, and the fifth on the BBC
right now.

------
marcamillion
Seems Sony really has kicked up the swarm with that GeoHot clamp down.

I am fairly certain that there are some executive meetings that are seriously
questioning whether or not that initial action was wise.

I never thought this type of extortion could work, but Hot Damn. This is an
effective campaign.

Talk about relentless!

Edit: This is really a losing battle for Sony. They are too big, there are too
many vulnerabilities. They are too exposed. I know this sounds extreme, but
are we witnessing the end of Sony as we know it ? It sounds ridiculous on the
surface, but think about the distraction this has become. The billions of
dollars of civil liabilities they are now open to, and this is not stopping
any time soon. Talk about the perfect storm created by one anonymous group.
Kinda insane, but also feels kinda cool....in a weird way. There is something
liberating about a small group of 'anonymous' hackers taking on a Goliath of a
corporation and winning. And I am a Capitalist to the core.

Although, the likely, annoying outcome of this is that this strengthens the
hand of those that want a 'censored' Internet to prevent these types of things
from happening. So this could very well lead to the end of the internet as we
know it today. Also very hyperbolic, I know....but I believe it to be true.

~~~
pkulak
What the hell did they do that got people so pissed off?

~~~
nitrogen
Just in case you really don't know, the various branches of Sony have
demonstrated technological contempt for [their] customers for years. I'll omit
their insistence on promoting their own products over other standards and
general push for increased DRM, such as Minidisc/ATRAC, Blu-ray, etc. and
focus on their actual attacks.

It started with the CD root kit fiasco, in which music CDs distributed by Sony
infected Windows PCs with software designed to prevent the ripping of music
CDs to the computer, which also contained exploitable holes used by malware to
infect computers.

Sony then removed the Other OS (e.g. Linux) feature from the new version of
its PS3 consoles. This wasn't too egregious, but next they retroactively
removed Other OS from older consoles that originally supported it. That upset
a lot of people.

Along came GeoHot, a reverse engineer determined to get Other OS back, and no
doubt other less-outspoken hackers. So he and the others did, and along with
it recovered Sony's private key used to sign PS3 software, allowing Linux to
access all the hardware of the PS3, as well as running other homebrew
software.

Less-scrupulous individuals, not including GeoHot himself, used the
aforementioned work to run pirated software on the PS3. This upset Sony.

The straw that broke the camel's back, though, was Sony suing GeoHot into
oblivion (I personally suspect they also astroturfed gaming sites to get
GeoHot's hack associated with cheaters at Call of Duty, which it was not).
This is the final event that triggered the misguided but potent onslaught of
attacks against any and all Sony properties.

References:

[https://secure.wikimedia.org/wikipedia/en/wiki/Sony_BMG_copy...](https://secure.wikimedia.org/wikipedia/en/wiki/Sony_BMG_copy_protection_rootkit_scandal)

[https://secure.wikimedia.org/wikipedia/en/wiki/PlayStation_3...](https://secure.wikimedia.org/wikipedia/en/wiki/PlayStation_3#Private_key_compromised)

[Edit: fixed botched pronoun after partial sentence rewrite]

~~~
bluedanieru
Misguided?

~~~
nitrogen
I say misguided because it's highly unlikely the attacks will have the desired
outcome. I heard the most recent hack mentioned on the local NPR broadcast of
BBC radio, and all they said was that Sony was attacked again. I'm not aware
of any mainstream media saying why.

The only effect seems to be people portraying hackers negatively in general,
and at best, questioning why Sony was so vulnerable. The root motivation I
described above seems to get no mention.

------
daimyoyo
I've said this before and I'll say it again: Sony is facing a highly skilled
group of hackers that have made it their mission to ruin the company. If you
have sensitive data with any of Sony's products, I'd advise you to delete it
ASAP. This is not going away. Sony will be fighting attacks like this for
years to come and they have only themselves to blame.

~~~
bigiain
I don't know that deleting it will do much good. Most web apps for performance
reasons don't actually do a delete against the database, rather mark a record
as deleted and perhaps run a batch job later to clean deleted records from the
database. If you've got access to the database via SQL injection, you'll have
access to all those "deleted" records as well. Even if you go through the
website and update each field with empty, anonymous, or incorrect data; I
suspect there's a high chance of backups being available to anyone who's 0wned
their servers...

My advice would be to assume any data Sony has about you is already in the
hands of attackers, and do whatever you can to minimize the usefulness of that
to the attackers (which largely means ensure the password you used at any Sony
site isn't usable anywhere else online)
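
The two technical points in this thread, the quoted claim that a single SQL injection handed over a plaintext password table, and bigiain's point that soft-deleted rows are still there for an injected query to read, as an added example that is not from the thread, from the pastebin or from Sony. The table layout, the usernames and the passwords are all constructed for the demonstration; the payload is the generic tautology-plus-comment form. The vulnerable lookup builds its query by string formatting, the safe one binds a parameter, and the two copies of the table differ only in whether passwords are stored raw or as salted PBKDF2 hashes, so the dump from the hashed copy contains nothing directly usable:

```python
"""Added example (not from the thread or from Sony): a soft-deleted users table
behind a string-built SQL query, the same query parameterised, and password
storage with and without hashing. All names, passwords and the table layout
are constructed for this demonstration."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 200_000

# Constructed sample rows: (username, password, deleted). "carol" has been
# soft-deleted through the web app, but her row is still in the table.
SAMPLE_USERS = [
    ("alice", "correct horse battery", 0),
    ("bob", "hunter2", 0),
    ("carol", "letmein", 1),
]

# A classic tautology payload; the trailing "--" comments out the rest of the
# WHERE clause, including the "deleted = 0" filter the application relies on.
PAYLOAD = "' OR 1=1 --"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; constant-time compare."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db(plaintext_passwords: bool) -> sqlite3.Connection:
    """In-memory table; passwords stored raw (plaintext) or hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, deleted INTEGER)")
    for name, pw, deleted in SAMPLE_USERS:
        stored = pw if plaintext_passwords else hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, stored, deleted))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Builds SQL by string formatting: the caller's input becomes SQL syntax."""
    sql = ("SELECT username, password FROM users "
           "WHERE username = '%s' AND deleted = 0" % username)
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Same query with a bound parameter: the input is only ever a value."""
    sql = "SELECT username, password FROM users WHERE username = ? AND deleted = 0"
    return conn.execute(sql, (username,)).fetchall()


def leaked_cleartext(rows: List[Tuple[str, str]]) -> List[str]:
    """Which of the constructed sample passwords appear verbatim in a dump."""
    known = {pw for _, pw, _ in SAMPLE_USERS}
    return sorted(pw for _, pw in rows if pw in known)


def demo() -> dict:
    """Returns a summary (rather than printing it) so it can be checked."""
    plain = build_db(plaintext_passwords=True)
    hashed = build_db(plaintext_passwords=False)
    dump_plain = lookup_vulnerable(plain, PAYLOAD)
    dump_hashed = lookup_vulnerable(hashed, PAYLOAD)
    return {
        "rows_via_injection": len(dump_plain),                 # all 3 rows
        "soft_deleted_exposed": any(u == "carol" for u, _ in dump_plain),
        "cleartext_leaked_plain": leaked_cleartext(dump_plain),
        "cleartext_leaked_hashed": leaked_cleartext(dump_hashed),
        "rows_via_safe_lookup": len(lookup_safe(plain, PAYLOAD)),  # 0
        "hash_verifies": verify_password("hunter2", dict(dump_hashed)["bob"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the injected lookup against the plaintext table returns every row, carol's soft-deleted one included, with the passwords readable as stored; the same payload against the parameterised lookup returns nothing, because the quote and the `--` are just characters inside a bound string. Against the hashed table the injection still dumps the rows (parameterising is what stops that), but the dump holds salts and PBKDF2 digests rather than anything a user typed, which is why a password that is not reused elsewhere limits the damage of a dump like this one.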

~~~
natural219
Alternatively, you could SQL inject their databases yourself and personally
delete your information.

~~~
mcantor
Anything less would not qualify as due diligence!

------
9999
I know someone that briefly worked for a third party company that Sony had
outsourced a fairly large project to (building some social networking features
into the web based side of PSN). I found it really surprising at the time that
Sony had outsourced that sort of thing, but I'm getting the feeling now that
it must have been a fairly common practice.

Given the wildly different business sectors that Sony is involved in, it's
really not so surprising that their security varies considerably amongst them.
Somehow I doubt lulzsec would be anywhere nearly as successful if they were
attempting to steal semiconductor manufacturing information from the Japanese
offices. Although that might just make it all the more insulting to Sony's
customers who just had all of their personal information stolen.

------
ary
At first it was embarrassing, now it's just absurd.

~~~
kevindication
Disagree on absurdity. I'm certain that if you focused enough eyes on any
company with as much surface area exposed to the internet you'd poke just as
many holes.

~~~
raganwald
_What's worse is that every bit of data we took wasn't encrypted. Sony stored
over 1,000,000 passwords of its customers in plaintext, which means it's just
a matter of taking it. This is disgraceful and insecure: they were asking for
it._

I'm not sure that is true for any company with as much surface area. I would
be extremely disappointed if it were true of any of Canada's five major banks,
for example. Google has been under continuous hacking attack from China and so
far they haven't had to 'fess up to storing passwords in plaintext.

~~~
kevindication
"Any" is _probably_ an exaggeration. I'd cede that and accept "most." We can
hope that Google is an exception because of the caliber of employee they hire,
since obviously they also have a lot of domain knowledge. But, I think that
only means we're quibbling about the embarrassment level of these breaches.

~~~
raganwald
Sorry for the delay... Parenting! Anyway, I agree we shouldn't quibble about
any/most.

I also agree that a big surface area (such as units with independent web
strategies all over the world) increases the likelihood of there being some
breach of security. What I find embarrassing here is that we aren't talking
about one of the Sony properties having a breach, it's lots and lots of them.

I suggest that this is symptomatic of a problem with Sony itself, not just the
surface area they present. What I'd expect from a well-managed company with a
big surface area is yes, some property might have a breach, but that would be
the exception. It's beginning to look like Sony's lax security with respect to
customer information is the rule and not the exception.

JM2C, I am not claiming I know this for a fact.

~~~
kevindication
Understand regarding parenting. I do that myself. :-)

I do see your point about Sony, and they may in fact be an outlier here. I
think I've been accustomed to the story of customer information breaches from
large corporations though, and so maybe I'm overly pessimistic?

------
Joakim
It is just sad that all these hackers think they're doing everybody a favor by
attacking "evil corporations" like Sony. But while they may be right in
exposing Sony's lousy security, meanwhile they hurt one million people by
releasing their information out into the public in a way that can never be
taken back.

Unless you think hurting one company you deem bad outweighs hurting a million
innocent private citizens, then your priorities are a bit messed up.

~~~
pyre
If they didn't release the information:

1) Sony would just accuse them of lying and people (the general public) would
just believe Sony over a bunch of anonymous hackers.

2) Change doesn't happen unless people get off their butts. This is a way to
motivate that change.

I don't necessarily agree with it, but you're talking as if there is no logic
behind this other than recklessness.

~~~
9999
The public is already predisposed to believing any hacking claims targeted at
Sony at the moment. I wouldn't exactly frame their actions as reckless or
lacking in logic either. How about malicious? I am particularly put off by
this line:

"This is disgraceful and insecure: they were asking for it."

I get it, they have poor security, as a customer, this makes me really angry.
But the general tone there is kind of similar to what you get when people
accuse rape victims of being complicit in the rape. "She was askin' for it!"

~~~
shubble
That's sort of like saying that software piracy is theft.

Blaming victims for rape is dangerous because it discourages victims from
coming forward, and adds to intense feelings of shame and guilt that come with
sexual violation. It also tends to come with suggestions that women should
restrict their behavior, not seeking to be attractive or acting in 'risky'
stereotypically male ways.

Criticizing a corporation for failing to follow security best practice, and
speculating about the effect of outsourcing or technology is completely
different. I'd say that as a lot of people here run websites, it's probably a
good idea too.

~~~
9999
I probably should not have used rape as the example there. What I was really
trying to convey is that a crime was committed, and the perpetrators have set
things up to shift the public's blame to Sony.

------
cjboco
Companies like Sony make claims that their Intellectual Property is worth X
amount in court and go after individuals for huge amounts of money. I think
you could argue that people's Personal Information is worth at least X + Y
more.

If someone takes them to court and a huge, ridiculous, judgement is handed
out, then maybe these companies will think twice about securing their
customers data. Seriously, unencrypted password fields? A SQL injection?

Of course, I'm just dreaming.

------
InclinedPlane
This series of hackings is everything that's wrong with the software industry
in a microcosm. Sony is a multi-billion dollar international company, and yet
they can't even hire competent enough software and security professionals to
ensure that their public facing websites holding personal data for millions of
people don't have noob level security vulnerabilities.

Software is still more alchemy than chemistry today. There are no objective
measures or well-trusted authorities which can be used to ensure that any
given developer or any given piece of software meets a certain degree of
competence or quality. Only the subjective judgment of fellow alchemists can
reliably gauge the quality of another alchemist, and then often only with a
rather lot of effort. The most fundamental consequence of this is that no
organization can easily produce high quality software merely by throwing
enough money at it. This is a competitive advantage for small high-talent
shops but it has some rather negative consequences for the rest of the world.

------
rbanffy
I have seen lots of web work for Sony-sized companies being awarded to design-
heavy advertising agencies with incompetent backend developers when such work
should be undertaken by people skilled in making the plumbing of public-
facing, secure and scalable websites. This is the kind of mistake only a
junior makes that should never pass the most complacent code-review process.

Like an old friend of mine used to say, "you pay peanuts, you buy monkeys"

~~~
Periodic
I've actually been one of those developers working on a site for a major
corporation who outsourced the development and design to an advertising
agency. I wouldn't be surprised if there were a few holes in our site, despite
the external security audit.

The main issue is that the advertising agency handled the development very
poorly. Expectations and specifications were not well defined, budgets were
not set appropriately, and project management was largely absent. This led to
my fellow developer and me, who were brought in because the agency lacked
developer talent, having to scramble to get all the features in before the
deadline.

I would blame some of this on lack of technical project management as well,
not just on the coders.

~~~
rbanffy
I have to agree with you: the result cannot be blamed on the programmers
alone. What I saw was a cultural mismatch, all the way from the control of the
requirements to the selection of personnel. Making an ad is not the same as
making a web application; the attributes of a good writer or artist are not
what define a good programmer. I have successfully introduced a measure of
sanity in two agencies I worked for, with great results (I really love making
people's lives better), but that's not the whole market.

Yet, I can understand a bit of this mindset. Far too many websites are to be
discarded by the end of the campaign. When so many products are supposed to
last a month or so, people often forget about how sausages should be made.

------
jrockway
Dear megacorps: don't make the Internets mad.

~~~
dholowiski
More specifically, don't make Anonymous mad.

~~~
qu4z-2
No, pretty much just don't make the internet mad. Have I not been keeping up,
and these attacks have all been linked back to Anonymous in some credible way?
(I realise the problem with that question)

------
citricsquid
<http://twitter.com/#!/LulzSec/status/76388576832651265>

Stay classy

~~~
DrCatbox
Another imaginary currency. Very bad.

Bitcoin is just another imaginary currency. But now it's technofreaks imagining
it, what a difference. A real adventure into economics and currencies would be
to strive for a society with no currency, where people do things for the lulz.
Not for the coins, man.

~~~
evo_9
Man are you a spook?

I don't get this anti-Bitcoin thing at all. I'm not for or against it, it's
interesting tech for sure - fascinating even - and obviously polarizing to
some. But I just don't get this attitude at all, at least amongst HN'ers.

~~~
mrlinx
this was for me a good explanation:
[http://www.quora.com/Is-the-cryptocurrency-Bitcoin-a-good-idea](http://www.quora.com/Is-the-cryptocurrency-Bitcoin-a-good-idea)

~~~
evo_9
Thanks, that is a good read.

Edit: Typo.

------
wbhart
The thing that struck me first about this was the fact that it is in
impeccable English, yet written as a kid would write. Something smells funny
about that.

What is to stop a competitor of Sony from trying to take them down under the
guise of disenfranchised youth.

~~~
praeclarum
Funny, I didn't notice until you mentioned that. It is nicely written, and
apostrophe use seems all right. :-)

Not sure if I buy the "as a kid would write" bit, but it is surprising to see
this. Maybe the hacker just took 10 mins and proofread his own text?

~~~
JackWebbHeller
Or maybe we shouldn't stereotype, and assume these people - like you and me -
can use proper grammar without even having to spend 10 minutes proofreading?

~~~
praeclarum
Speak for yourself, I have to proofread and edit everything I write! :-)

------
scrrr
What is the benefit of publishing all the stolen data now? I guess it's proof
for a successful attack, but it doesn't have any other benefit now, does it?

~~~
oliciv
It makes the people who have data included in the leak care that bit more, and
makes it hit that bit closer to home?

------
jerryr
Hey, I'm curious whether my information was compromised in this attack, but
I'm too lazy to figure out how to figure out whether it was. If someone has
downloaded the released data and is looking for a weekend project (and the
weekend's coming up), I'd love a site that lets me easily determine whether
I'm affected.

------
kefs
It's worth noting that this is the same group that gained access to the
complete Fox.com X-Factor contestant database last month.

<http://news.ycombinator.com/item?id=2525865>

<http://thepiratebay.org/user/LulzSec>

------
sucuri2
All the info here: <http://lulzsecurity.com/releases/>

~~~
shii
Isn't it a little strange their irc is on 2600? I thought they owned them the
same night as PBS...

~~~
Spyplane
If you follow their twitter, they are trying to be ironic. They took down some
of the irc servers again to be funny the day before.

------
shii
This is the #sownage promised by Lulzsec a couple of days ago during the PBS
fiasco[1] by the same group.

Sony is getting owned on all fronts several times a week for the last month or
so.

[1]: <http://apps.ycombinator.com/item?id=2598798>

------
niels_olson
Given the concurrent China stories, I wonder how many of these independent
releases are just uncovering things that China farms like rice, and checks on
them like they're rss feeds.

------
hitechsites
While this is incredibly embarrassing for Sony, as it exposes gross
incompetence, can someone explain why the FBI/law enforcement is not able to
shutdown the hackers by filing criminal charges against the owners/operators
of lulzsecurity.com, since they are openly admitting that they are behind all
of the attacks.

------
clistctrl
Is there a particular reason people are focused on revenging Sony?

~~~
henrikschroder
[http://en.wikipedia.org/wiki/Sony_Computer_Entertainment_Ame...](http://en.wikipedia.org/wiki/Sony_Computer_Entertainment_America_v._George_Hotz)

~~~
mtw
so why isn't there anything done against Apple? Apple's lawyers are on the
back of anyone who makes white iPhone cases, jailbreakers, etc.

~~~
radicaldreamer
First, selling unofficial/unreleased parts with an Apple logo on them and
jailbreaking are completely different. You can sell all the cases and
backplates you want, but you can't start putting someone else's trademarks on
them.

Second, Apple hasn't sued any jailbreakers.

~~~
city41
I'd also be willing to bet Apple isn't very susceptible to SQL injection nor
do I suspect they store passwords in plaintext.

~~~
moe
And your bet is based on what?

Looking at the URLs that iTunes and friends use behind the scenes it doesn't
seem like the apple web-stuff was built by competent programmers either.

Try a few random clicks on <https://iforgot.apple.com> and look at the url-bar
and firebug to get an idea.

------
gcb
count down until someone adapts the bitcoin-blocker extension to also block
blatantly obvious Sony network security breaches that pop up every hour on the
front page... 3. 2. 1

