

Sony Hacked Again: SQL injection attack against SonyMusic.gr exposes user data - kefs
http://nakedsecurity.sophos.com/2011/05/22/sony-bmg-greece-the-latest-hacked-sony-site/

======
jbk
> when this is over, Sony may end up being one of the most secure web assets
> on the net.

Sorry to be harsh, but this is wishful thinking.

When you've been very careless about security for years (PS3 random seed not
random, music rootkit that was hackable, OMA master key leaked, PSN servers
not up-to-date, PSN trusting the PS3s, etc...), you don't simply turn into a
"secure" company, unless you spend years of corporate policies and formation,
trying to change the habits of your employees...

Changing (or creating new) employees' reflexes and habits isn't something
easy at all, especially when you are an international company, with different
cultures on board. This can be a herculean task.

I wish they will succeed, though...

~~~
fleitz
Yeah, it's going to take 3-5 years, look how long it took Microsoft.

~~~
guywithabike
Or it may never happen. Security is a culture and a way-of-life. It's not a
couple of technologies, a new CTO, and a couple policy emails and training
sessions.

~~~
drivebyacct2
Yes, but culture isn't immutable. And a top-down, company wide focus on
security and proper training is a damn good place to start.

The problem is getting middle management on board. It's no good if mid-level
managers tell their direct reports to go to the training and then go back to
business as normal with the same old priorities and no extra time/focus on the
new security aspects.

------
riobard
Lesson learned: go fix your security issues _before_ pissing off tons of
hackers by lawsuits.

~~~
Derbasti
We'll see about 'lesson learned'. At the moment, Sony does not look like they
learned anything. But I sure hope they will.

~~~
JoachimSchipper
"It could be that the purpose of your life is only to serve as a warning to
others." -- <http://www.despair.com/mis24x30prin.html>

~~~
joshu
D.H. Banes: I believe, umm, that certain people in life are meant to fall by
the wayside; to serve as warnings to the rest of us; signposts along the
way.

Igby: To where?

D.H. Banes: Success.

------
tytso
Not having any inside knowledge, I don't _know_ this, but it's always seemed
to me that Sony has never been able to write software to save its life.
Whether it's PSN, or the pathetic web store for the Sony eReader, or the
equally pathetic Mac and PC software for the Sony eReader, Sony software has
consistently disappointed me.

Given how brilliant Sony's hardware designers have historically been, I wonder
if there is something fundamental going on. Could it be that Sony is simply
not good at hiring and retaining good software engineers, perhaps because the
hardware engineers get all of the kudos and awards and perks? If so, Sony
wouldn't be the only company that has had that problem. Before I gave up on
Nokia smartphones (my last Nokia phone was the E70) I had similar
suspicions about Nokia products. I loved their hardware design, but the
software didn't seem to live up to the promise of the hardware...

~~~
mosburger
I'm a consultant who is wrapping up a gig w/ a division of Sony, and I will
say that Sony as a company is very _very_ siloed. The various divisions of
Sony almost never communicate amongst each other, and there's a shit-ton of
duplicate effort within groups. I'm very surprised they were able to develop
a PSP Phone.

I guess I'm thinking that trying to diagnose the problems with their software
as a corporate culture thing might be a bit misguided as Sony literally
behaves like several completely separate companies running in parallel,
unaware of each other. Although _perhaps_ the quality of their software would
improve if they worked together and leveraged each other's work. Seems like a
stretch, though.

~~~
Splines
_I'm very surprised they were able to develop a PSP Phone._

I'm very surprised that they did it at all. In my opinion it creates a
confusing story for PSP owners looking to upgrade. NGP or PSP Phone?

Sometimes I wonder if the two teams were even aware of each other's existence.

------
charlesju
The problem here is that they have created a beacon for all hackers that want
to create a name for themselves. Of course they are going to have security
loopholes, most web assets do, but their standards now have to be magnified by
a magnitude to keep intruders out.

~~~
alnayyir
Sony's incoherence just as a matter of how much surface area they have exposed
to the public only multiplies this problem.

~~~
robin_reala
Yeah, this is it. It only takes one SQL injection for Sony to make the news
these days. Just think about the number of web properties Sony has. I wouldn't
like to have the job of securing those in the first place, let alone with a
bunch of crackers with a reason to target you and the associated press coverage.

Not to say that this is good; it's awful for your users' data to be exposed.

~~~
dspillett
If a company or group is so big that it cannot operate securely, then it is
either too big or in need of major rearrangement.

Right now Sony are in the unenviable position of needing to fire-fight their
many security issues while the high-power spotlight is on them, lighting other
stray bits of touch paper. Hopefully (yeah, this hope is naive in the extreme,
I know) Sony will take away from this the need to get security right on all
levels _before_ the first attack and subsequent media attention, and hopefully
other companies are taking the situation as a wake-up call and instigating a
meaningful review of their own security mindset (or at least double-checking
their policies and their adherence to them if a sufficient security mindset is
already in place).

~~~
alnayyir
> cannot operate securely

Nobody can, size just makes it worse. Welcome to the reality of security.

~~~
dspillett
Perfect security is not possible, this is true.

But it would seem that Sony's general culture in that arena is significantly
below what could be reasonably expected, and hopefully everyone else is now
actively checking to make sure theirs isn't...

------
swaits
Sony Music != Sony Pictures != Sony Computer (PlayStation) != Sony Electronics
(TVs, etc.)

------
kefs
More details: [http://www.thehackernews.com/2011/05/sony-bgm-greece-hack-complete-details.html](http://www.thehackernews.com/2011/05/sony-bgm-greece-hack-complete-details.html)

------
arapidhs
And PSN is still under maintenance in Greece.

