

Sony’s problem is memes, not security - tsunamifury
http://www.leavesofcode.com/2011/06/sonys-problem-is-memes-not-security.html

======
derefr
To be specific, it is a meme now that Sony has bad security. Because of this,
hackers are more willing to attempt hacks against Sony, because A. they feel
greater confidence in their chances at success, and B. people spread stories
that confirm preconceptions, so succeeding in a way that confirms the "Sony
has bad security" preconception will increase their reach, and therefore their
feeling of reward.

Take, in juxtaposition, OSX's security. It is a meme that OSX is more secure
than Windows—even though the opposite is true, as each Defcon competition
proves. However, because of the prevalence of the meme, few amateurs are
willing to attempt to hack OSX; most virus, worm and exploit writers instead
tend to get their start hacking Windows. Then, because people tend to fall
into patterns of doing what has brought them success in the past, when these
people become security professionals (whether white-hat or black-hat) they
specialize themselves to the Windows malware/exploit ecosystem—and the meme
perpetuates itself.

~~~
InclinedPlane
There are also quite a lot more Windows machines than OSX machines. Hacking
Windows has a higher expected rate of return (whether it's information
extraction, phishing, botnet creation, etc.)

------
jrockway
_Fighting to keep their system closed, to keep users from something as
innocuous as installing Linux on their hardware is not worth the trouble at
this point. Learn when the winds have changed, and go with it._

Just to play Devil's advocate...

Perhaps Sony is taking the "maximize shareholder revenue" avenue. What is
their financial loss for months of PSN downtime? A few people switch to Xbox
Live? They have to provide a few free accounts?

For their other hacked services, they can simply shut them off as failed
experiments, fire all the developers, and save even more money.

Because there is not some huge fine for leaking all the credit card
information, this doesn't affect Sony at all, financially. But allowing people
to run Linux means they may take a loss on a lot more devices (and if they
don't take that loss, people will buy Wiis or Xboxes instead), and it makes
piracy a lot easier. If piracy becomes too rampant, developers will stop
targeting the Playstation, killing the entire line of business.

So while it makes them look dumb to keep getting hacked over and over again,
maybe it isn't hurting them at all.

~~~
sawyer
The problem is that now Sony's laughable security has become a meme that's
growing in strength with every breach.

In the last week I've mentioned Sony's situation to a number of lay people
who've never owned a Sony gaming machine but have all heard about these
security issues and insist they'll never trust Sony with personal information
ever again.

Every time a new headline is printed it strengthens this image.

~~~
jrockway
_they'll never trust Sony with personal information ever again_

Fair enough, but Sony isn't in the "personal information" business. They can
always create some new company to handle the PSN billing, which is the only
personal information that matters to their bottom line.

~~~
46Bit
Such divisions rarely will actually occur to someone considering whether to
use a Sony product. More generally though, I question that most people are
going to think about this too much before buying - they'll think more about
the downtime.

------
thirsteh
Agreed, but their problems are memes AND security. They could have had the
bastard image and still established a secure infrastructure (like, for
example, the TSA).

~~~
tsunamifury
Certainly true that they should have better security, but at a point when so
much is stirred up, no amount of security will protect you from the havoc of
thousands of determined hackers. It's better, at that point, to try to quell
the storm than build stronger walls.

~~~
thirsteh
I agree that by acting smarter they could have limited their exposure, and by
limiting their exposure, avoided being hacked so many times (i.e.
<http://throwingfire.com/security-through-obscurity/>), but a company as large
as Sony really should've gotten their security auditing act together a decade
ago. All of the vulnerabilities that were exploited in the past few days were
scriptkiddie-things -- SQL injections and archaic versions of Apache. I mean,
come on.

------
sixtofour
Sony's problem is having people around who think storing passwords in the
clear is OK.

~~~
ary
You would be _very_ surprised at the number of people in management positions
at any size company that think this is OK.

At the jobs (consulting and otherwise) I've held in the last few years, 75% of
the companies stored passwords in plaintext. I'm _not_ justifying it in any
way, shape or form, but Sony shouldn't be singled out. Until there is an
immediate and clear financial incentive to use proper security, companies are
going to continue to ignore it.

~~~
46Bit
I'd say that's neither surprising nor something to be annoyed about. It's the
developers who should know better, and their responsibility alone to inform
management about why.

~~~
sixtofour
Worker: Boss, this is bad, we shouldn't do this.

Boss: If we don't save passwords, how can we email passwords back when they
forget them?

Worker: . . .

Boss: Don't change anything.

------
rhdoenges
That opening paragraph is the most beautiful writing about memes that I have
ever read. Absolutely lucid.

~~~
GrantS
Hmmm, I would say that honor should go to Richard Dawkins who coined the term
itself 35 years ago:
<http://www.rubinghscience.org/memetics/dawkinsmemes.html>

