
Sony blames 'Anonymous' for data theft  - armored
http://www.reuters.com/article/2011/05/04/sony-idUSN0422224820110504
======
jrockway
I don't think Anonymous did this, but if they did, that's excellent. The
attorney general's office is "taking the matter seriously", which is fine...
one dude will go to jail for this. If one person is willing to "go down" and
take a big corporation with them, we're going to run out of big corporations
long before we run out of hackers.

(I personally wouldn't do this, but I do consider it respectable.)

You could argue that selling the credit card numbers makes it look more
criminal than "for spite", but I think you have to sell the credit card
numbers in order to damage Sony.

------
sdh
FTA:

"The attack that stole the personal data of millions of Sony customers was
launched separately, while the company was distracted protecting itself
against the denial-of-service campaign, Sony said."

Wow. I didn't think they could do better than "most people don't know what a
rootkit is, so why should they care about it?" but I was wrong.

Sony Command: Quick! All security personnel are immediately ordered to drop
what they're doing and guard against that DOS attack!

Sony Security: But Sir, won't that leave our user data "un-guarded"?

Sony Command: We don't have time for that now, Soldier, now move Move MOVE!!

------
famousactress
_"Sony has been the victim of a very carefully planned, very professional,
highly sophisticated criminal cyber attack"_

Uggh. First off, sorry Sony.. _Who_ has been the victim?

Second, wrapping big fancy words to make this seem like some sort of magical
act of God that no company could have withstood is patently obnoxious. Is
Sony not equally capable of careful planning, and stocked with highly
professional and sophisticated criminal cyber defense professionals?

~~~
rhizome
They're speaking to their shareholders with the same words.

------
naner
Scapegoat. Sony is trying to dodge responsibility.

Also I can see this being used as pretext for more legal controls over the
Internet.

~~~
lawnchair_larry
Glass half full: I can see it being used for more legal controls over what you
can do with customer data, and how bad your security can be.

------
epochwolf
What's the connection between a denial of service attack and intrusion? The
only connection I see is a DoS could make detecting intrusion more difficult.
I don't see how it would make actually getting in any easier.

~~~
famousactress
I was wondering the same thing. At this point, the fact that they don't offer
further explanation makes me think it's pretty much even money on whether
something was completely embarrassingly architected, or they still have no
idea how the intrusion occurred.

------
mrspandex
"They released a statement via YouTube last month saying that while the
group's organizers had not stolen the data, it was possible some members of
the group were involved in the matter."

Just about anyone could claim to be part of "Anonymous" and submit a video
saying just about anything. If you can't verify something, you probably
shouldn't be including it in the news.

------
maqr
Someone needs to explain to business people that these types of internet-based
intrusions can _only_ happen as a result of poor technical security.

Where is the incentive for real security? Businesses need to be directly
responsible when these kinds of break-ins happen. It can't be treated as if
they had a physical break-in where we go looking for the thieves. It must be
treated as a security failure and the company must take full responsibility.
Of course, this doesn't happen, so Sony is free to blame "the hackers" and
call it a day.

Meanwhile, everyone's data on PSN is compromised. Even if you think that
perfect internet security is impossible, there is absolutely no excuse for not
hashing passwords or encrypting credit card data.

The public needs to realize that break-ins to a physical location (which are
always possible with enough firepower) are distinctly different from internet-
based break-ins, which are almost always avoidable or can at least have their
scope greatly limited.

If technical holes exist, it's inevitable that they'll be exploited. I blame
Sony far more than the intruders.

~~~
epochwolf
According to other sources that have been linked on HN the passwords were
hashed, and the credit cards were encrypted in a separate database[0].

0: I have not found information on how secure the encryption was

------
noctrine
What does this have to do with the data lost in a hack from 2007? It seems to
me that Sony has, in general, bad security and this whole ordeal recently has
made them aware that they have been in a vulnerable position.

