

Ask HN: Why is it so easy for Anonymous to hack websites like that of Sony? - b2spirit

Are the Sony developers just incompetent or are the Anonymous guys just super smart?
======
samarudge
At the time they were hacked, at least according to multiple sources, Sony had
no firewalls and were using old versions of Apache and RedHat that hadn't been
updated to the latest security patches. So yes the Sony sysadmins are
incompetent, but I think the leaders at Anonymous are a bit smart too. You
also have to consider that if 100 people are looking for a security hole in
the same piece of software, they're probably, eventually, going to find it.

------
qF
Neither. Making 100% sure that every security hole is plugged takes time,
and as such money. Corporations simply do not want to pay extra for this (in
most cases).

The Anonymous guys on the other hand do it in their free time and as such have
a far greater amount of time available to find bugs than the developers had to
find and fix them.

On top of that most "hacks" by Anonymous are done using automated tools that
find and exploit SQL Injection vulnerabilities. Combine that with the fact that Anon
doesn't publicize the times they don't get in, and it's easy to make it look
like you know what you're doing. But if they find a SQLi vulnerability in 1 in
every 10,000 websites they 'test', it's suddenly not that impressive any more.

~~~
b2spirit
Thanks. That is a good answer.

------
madhouse
What may seem easy, may not be. When written down and explained, things often
sound trivial (so do the Anonymous hacks too), but it often takes a lot more
than trivialities to actually do it.

They're not super smart, nor are the Sony developers/admins super incompetent.
They're just average people making mistakes or taking advantage of others'
mistakes.

Could Sony have done better? Yes, of course! They made some very stupid
mistakes. Does that make the admins incompetent? Not necessarily. Nor do the
holes in their systems make Anonymous super-smart.

------
pcharles
I'd go with the latter. Remember, the highly paid web guys at the large
organizations find out about a lot of the 0-day attacks around the same time
the rest of us do.

