Sony's size and momentum must be pretty crazy. Or maybe it's our society. I just can't imagine a small record store in the 1960s, after being caught spying through the bedroom windows of its customers, ever staying in business.
I feel terrible for anyone caught in this. But maybe, just maybe, Sony isn't the company to do business with anymore?
Of course, every act of incompetence under the Sony name tarnishes that name, and in the marketplace, that's ultimately all that matters.
As it should. When these companies merge, buy other companies out, or execute reverse takeovers, there's always talk of "brand synergies" and all of the business advantages of having one set of products associated with another. There's absolutely no reason why that particular sword shouldn't have two edges to it.
As a consumer, I'm not the least bit interested in a detailed breakdown of the corporate structure. Sony pays brand managers very well to encourage me to think of it as a single monolithic company, and I'm happy to oblige.
It's fair for you to say you're not interested. However, if you're going to try to boycott a company to punish them for their behavior, being aware of exactly who is responsible is a good place to start.
Bertelsmann was just as aggressive with music protection. They had to issue replacement CDs that had anti-rip software to annoyed customers in 2001 for instance. The executive in charge at the time of the fiasco came over to Sony BMG from Bertelsmann.
I worked closely with some of the people involved in it at Sony BMG. One lesson I took away from it all was that even though it was a 50-50 merger, Sony had way more name recognition and therefore more on the line. As you said, they benefit from the goodwill disproportionately and they also took the brunt of the PR damage.
What actually happened to him? I don't think I ever heard.
http://www.npr.org/templates/story/story.php?storyId=4989260 (even here when they were interviewing him, the headline is just "Sony" but throughout it is "Sony BMG")
http://en.wikipedia.org/wiki/Thomas_Hesse (last few paragraphs)
Kids don't give a shit. Privacy is crap, they got their penis pictures on facebook. They want their fucking video games.
People playing games all day don't give a shit. They want their fucking games, stfu privacy and get moar kof33 and fucking get this shit online.
People with money to lose care. They care that their information is stolen because that could lead to their money being stolen.
People who know the value of information care. That's few people though, since Facebook exists.
At the end of the day people are willing to talk shit, but when it comes to action that is a different story. How many people were so against EA's rootkits, but how many actually boycotted? Same with Apple? And now it's the same with Sony. Nobody will do anything. Nobody will boycott; the company will just shrug this off as an "oops".
Let's be all elitist and imply "kids" don't know the value of information, whatever that may be. More like they know the information PSN had on them didn't matter (some nickname and email). And yeah, they want their games online; that's why they paid for a PS3 and multiplayer videogames after all. And Sony promised online multiplay.
That's a badly made chain of arguments.
In this case, though, there are indications that financial data was disclosed. PSN (just like Steam and XBox Live) collects financial data to allow for online game purchases. Disclosure of that information is quite a serious matter. Yeah, the "kids" playing might not care about their PSN account, but the parents who enter credit card information to buy their kids games sure will.
A poorly made argument does not automatically render the conclusion false.
It sucks that I have to choose between playing such awesome games and keeping my privacy and financial information safe.
PS3 is the last Sony product I'll ever buy.
A number of PE firms have been looking at doing this deal, with Apple mentioned as a potential purchaser of the fabs, chips and personal computing divisions.
Sony isn't a small record store.
This is a big F'N deal and I wouldn't be surprised if it cost Sony more than Microsoft's infamous 1 billion dollar write-down with the Xbox 360's Red Ring of Death.
I don't think this will kill PSN or the PS3, but it's going to significantly dent things. I'm curious to see how much media attention this gets and if we'll see a macro shift towards the Xbox 360 and Wii.
If I was Nintendo and particularly evil I would leverage this opportunity to tout the new system and emphasize the cutting-edge online modes with rock solid security. And MS can also talk about their great track record in the online world.
Banks, colleges, hospitals, and credit card processors do this all the time, and it doesn't cost them anywhere near a billion dollars despite the fact that they have vastly more personal information. Sure they usually only have a few hundred thousand records and not a few million, but even still the idea that this is going to cost them a billion dollars is absurd.
The direct damage from this won't be $1B (still tens of millions at least). But what about the impact of the lost sales and customers from the loss in credibility and trust? That is what could be huge.
It was relatively "easy" for Microsoft to replace broken hardware. How easy and how much is it going to cost Sony to replace broken trust?
Agreed. Microsoft only wrote down the $1B as an expected total cost of fixing broken Xboxes. Who knows how much money they lost?
First, most of the time when we're talking about business and we talk about costs we're clearly talking about accounting costs. This applies to startups, too. When you're talking about accounting costs, you don't get to include economic costs (e.g., opportunity cost.)
Second, isn't trying to include these extra "costs" due to lost sales the same thing that the music industry is doing? That is, claiming that they lost trillions of dollars due to file sharing from, you got it, "lost sales." 
I don't think there's any real way to measure these costs, so let's stop trying.
People are asked to put value on intangibles all the time. You might want to write them all down to zero, but the rest of us value Wordsworth more than the dead trees his words are printed on.
Ex. If I make $2000 a week as a contractor on a steady contract, I know that the opportunity cost of taking a week of unpaid vacation time is $2000. That's a reasonable, measurable assumption.
However, I could also say that the opportunity cost of that week of vacation will be $12000, because there might be a one-week rush project that will come in that I can bill for $10000 in addition to my normal steady contract. Assuming there's not a pattern of that happening in the past, it's not a reasonable assumption and thus measurable in that way.
I'd say this second scenario is akin to the record companies assuming that every instance of piracy is also an instance of lost sales.
Goodwill can be measured in the sense that goodwill = purchase price - book value. No assumptions are involved in its calculations--goodwill is calculated based on two fixed values.
Opportunity costs are not as concrete. In your example above you state your opportunity cost is $2000...but what if that rush project comes through? What if your steady contract scales back for that week? There are assumptions involved; ideally your opportunity cost would be the expected value of all probable incomes during that week. Identifying those probabilities a priori is impossible.
My point is: opportunity costs are based on assumptions. They cannot be measured--only estimated.
My point was that Microsoft probably had some revenue trajectory with slope X before the write-down, and experienced a new revenue trajectory with slope Y < X after the write-down. I'm curious about the area between the two lines.
If T.J. Maxx can get away with it, Sony can too.
My PS3 has three PSN accounts on it, as do three or four of my friends'. Everybody I know who has a 360 shares one Live account across everybody who uses the console.
Nope, companies usually don't leave any chance to point to the competition's faults and laugh, even if they themselves are worse in that regard.
I have to wonder how much data that is, in terms of storage. How could you even take that without someone noticing?
Hats off to whoever it was. Now, I'm off to change my passwords. Thank Christ I had the sense not to use a credit card to buy from PSN.
On a related note, PayPal refuses to let me change my password to something longer than 20 characters, or have spaces in my password. Why is this the case? Surely the only thing that an upper limit on the length of a password does is help the attacker.
Fact is people put most of that other information on Facebook anyway, so for 500 million people, you can quite easily find someone's age, birthday, pets, and much more just from their FB account.
Not to lessen the extent of this, but it's not nearly the biggest data loss incident ever.
I don't have any stake in either company, but I was glad when Google rolled out 2-factor and I am especially glad to be able to finally use 2-factor for safeguarding my money.
"A well known hacker I don't want to reveal here had all the Sony PlayStation Network functions 100% decrypted, as well as providing some nice info about how Sony is dealing with PSN members' privacy on their online servers.
Apparently, the Sony servers gathered everything they can from the PSN-connected PS3 console. When I said everything, I meant it. Here I make a list of what they squeezed from the IRC chat log conversations between the hackers.
Sony monitors all messages over PSN.
All connected devices return values to the Sony server: TV, firmware version, firmware type, console model.
They also collect data on your USB-attached devices.
Credit card sent as plain text, example: creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
*The best part of all: the list is stored online and updated when you log in to PSN, and at random.
But that's not all: with the PSN functions fully decrypted, this hacker can use the functions to get all games, DLC, you name it, from the PSN store without paying anything."
This was debunked. It's encrypted on the wire.
The data is POSTed over SSL. C'mon, do you really think Sony sends credit card data across the wire in plaintext? If so, it would have been discovered the day the PS3 launched, like five years ago. And, its discovery wouldn't have required any system hacking, as described above. Is it amateur hour here?
If Sony was trusting all transactions on the dev network, that seems like they weren't protecting the assets of the movie/TV studios and record labels (not sure if they sell music through the PS Store).
Either way, this seems like a larger shit-storm than just user account details being stolen. It could very well impact future content deals for Sony, and possibly help the other, more trustworthy companies that have demonstrated discipline.
I'm curious if this means they store everyone's password in plain-text, or if by "password" they really mean a hash of some sort.
Unlike passwords, the encryption for the cc#s has to be reversible. That's part of the reason why they introduced CVCs, right?
Simplifying just a bit -- The one time you pass the # along to the bank, they give you back a transaction ID you can use to do future things with that card. The bank knows the number, looks it up by that ID.
While only marginally better depending on the type of attack and permissions gained by the attacker, if all they got was static data on disk, then it would be secure.
Something as big as PSN has multiple servers reading the same DB and must be able to tolerate failures without forcing everyone to re-enter their CC #. The keys must be stored persistently somewhere.
Whenever the server needs to be started, two of those people must enter their key shares. That enables the server to reconstruct the key, which is then stored in memory.
The numbers probably also cross the wire in plain text between the web server and the database too.
Why on earth would you ever do that?
And I have better password practices than most. Credit cards might be an immediate thought, but how many other physical and intangible assets does your password give a hacker access to?
Passwords should always be salted and hashed.
Credit card info should always be HSM-protected so that it is irretrievable except through a hardware API.
What was Sony thinking!?
How could you suggest such a thing?! That would have cost Sony thousands of dollars extra!
Does anyone see any reason why these companies should do anything other than store the data locally on your system, encrypted/obfuscated, and then only ever send once, via encrypted connection, and then immediately delete the info remotely?
I mean, if someone breaks in to my house and steals my PS3, they already have access to all of that information.
iTunes comes to mind:
Either that, or perhaps there could be statutory penalties for data breaches. For example, if there was mandatory compensation of, say, $100/person for a data breach, companies might be incentivized to better think about whether they really need to store this data, and whether they're storing it safely.
A big player like Sony should have been complying with PCI standards, but from what I've seen, that's not so difficult to pass and then forget about. People take shortcuts. And how many companies out there have ever had their processing revoked for NOT complying with PCI? That would be an interesting statistic.
And as an employee at a couple of PCI compliant shops, I can attest that even full PCI compliance still leaves a lot of holes (enough that some organizations have formed their own compliance exams above and beyond PCI).
And, ironically, something which I think Sony forgot here. :)
Really we're talking about the equivalent of automatic field filling, and the entire internet functions on that (at least in my browser).
But don't hold that against me. :-)
I clicked around a bit in the linked psx-scene forums and it looked like there was a decent basis for it.
Time to get a new identity! =)
There will already be a lawsuit of some sort. Imagine how bad it would be for them if they hadn't shut it down.
That's what I was thinking: in most cases of user accounts being compromised, the solution is "change your passwords on this and other sites". Here you need to change your birthday, cancel your credit card, move out, change your name… kind of a hassle.
Sounds like they added "example.com" into the list by mistake... It has no MX from what I can tell.
And, you know, your mom probably won't be too happy when you pop out of your time machine, a week before your birth, and tell her she needs to induce labor.
Interesting. Is it not fair to also say the negligent actions that made these malicious ones possible had an impact?
I'm completely sick of the way these press releases sound.
I guess I gave them too much credit.
(Also, DoS. Note that you can't stop people from changing passwords when the system is under load, as that sets you up for a combined compromise-password-hashes-then-DoS attack...)
Seriously? Even Sony is keeping passwords in plaintext? There wasn't a single competent person involved in the design of PSN who might have mentioned that was a terrible idea?
> "We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience."
Sony apologizes only to Chuck Norris.
I wouldn't be surprised if that blog post cost them well into 6 figures for legal fees. And that it took the full week to draft and approve--it is probably the reason this announcement took so long to emerge.
Which is a polite and flowery way of apologizing for the ongoing interruption of service.
Personally, I have a couple passwords in use for low-risk services (like PSN) and just went and changed all my other passwords :)
In this case, Sony is too cheap to do even that, pointing you towards where you could download your credit report online. Ridiculous.
It's like you're actively trying to make me never trust you again.
I am not making this up.
Of course those security questions are nearly useless anyway.
The problem you run into is that communicating both the nature of the breach and convincing people to respond accordingly is incredibly hard.
This will continue to happen across many sites. I think after enough of these breaches, though, people will start to think about the protection of their online identities a lot differently, which is good, albeit at a painful cost.
There's an app called Strip that looks pretty good. I'm listening to other suggestions.
>To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
>We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name.
I see neither disclosure happening any time soon.
I hate Sony, but I still feel bad for them.
How many times does this have to happen before people realize that passwords are never to be stored in plaintext? The only exception is a client-side program that needs to log you in and in an ideal world that would be handled by a Kerberos-like ticket system.
It could also mean that the attacker was in a position to observe the plaintext supplied by the user after it was decrypted (from SSL) but before it was authenticated (with a password hash algorithm).
Or it could be that they're just not being too particular about the details, on the side of being overly conservative.
"Hope it come back quickly"
And ultimately that's what people care about. Most of them already share that information via Facebook for FREE; the funny thing is that we already get spam delivered to our homes in the shape of advertising.
About the credit cards, these days most credit card issuers have pretty good security so they'll let you know and block your credit card if people used it in a weird way and believe me, I was a "victim" a couple of times already and it works very well.
I join the 1st commenter. I won't be changing my credit cards because of this, and I just care about playing my online games again... really, I already got bored of Gran Turismo and Final Fantasy offline ;-).
This spells for Sony, yes, but even worse for the uncountable people whose credit card numbers just got nabbed. One hacker on the loose...
The worst part is that this public breach is only a single event. All the companies that have our information could be hacked and Sony is only a visible example. It's similar to the BP oil spill: what other oil companies weren't running tight rigs? The disasters happened to BP and Sony, yes, but it is a reflection on their industries.
I know my street addresses, home and work, my e-mail addresses, significant URLs, credit cards, expired credit cards, buying habits, posts, messages, family relationships (mother, wife, ex-wife, kids, ex-girlfriends) etc. are stored in a lot of places (probably more than a hundred). I have no expectation all that data will be kept secret for any length of time. I seriously doubt much of that data could be kept from a dedicated googler with lots of free time, much less from a determined criminal who wanted that data.
It is interesting how this announcement differs from the Japanese announcement. Japanese people are so paranoid about their identity that this cannot go well for Sony in Japan.
It does not seem like Sony is preparing people for any sort of identity theft in Japan other than calling the card companies. They apologized and remarked on how they are gearing up to better protect their users when the service reopens.
I choose not to be part of Facebook because I'd rather they didn't know every detail of my life. Now I have to consider if I want to use products from Sony because of concerns that they can't even protect my private data, which they force me to give them in order to use their services.
A quick gmail search tells me that they had my mailing address and full name, but I have no idea if I ever gave them my CC or DOB or SSN or Gitmo prisoner bar code or whatever else.
I'm glad I use lastpass because I have a nice list of sites to update password info, but I imagine this process is going to take quite a while. Too bad I repeated that password so many times.
How many of you are willing to bet Sony will use the intrusion as an argument for material damages in court against GeoHot, somehow linking his exploit with the mode of intrusion?
This is pure speculation of course. But I'm willing to bet serious money that Sony's "outside, recognized security firm" has been "requested (hint-hint, wink-wink)" to be on special lookout for any sign the exploit was a vector for the intrusion.
Am I the only one reacting on this? It's like they make it sound like YOU need to take care when it's they are the one to blame.
Same with Skype on Android, when they sent you a message telling you that YOU should be careful installing software because they have made a security hole for that software.
I don't know what kind of forensic tools Sony's using, hopefully they have something like SenSage.
We kept the family PS3 patched-up in good faith. Is there now a reasonable way for me to install Linux?
Seriously, the kids are probably moving to Xbox and I have some supercomputing I'd like to do.
I am not a big fan of MSFT usually, but the next time I am buying a console I'm not buying a PS4.
Buy a Nintendo next time...
The parent is true; there are a lot more attacks than you hear about. Sony only loses here: if they lie and underplay it they look bad, if they overplay the concerns they look bad, if they tell the world too soon they look bad, and if they take their time they look bad. It's just all around shitty. What's the reasonable way for them to report this, or should they just lie like a lot of other companies?
Their business concerns are merely for their own good to try to protect their brand, not to actually benefit their customers. They will spend more on just PR, never mind making good any actual losses, than on just doing it right in the first place. At this point, they deserve to look shitty, because they were shitty. In the case of lying about it, that should be a serious corporate crime (and I think this sort of disclosure is required in most jurisdictions.)
More generally, why do businesses pay almost anything to protect their good names, but only after they themselves have let their reputation fall into the deep shit? Look at how much BP must have spent over the deepwater horizon spill, compared to how much it would have cost to maintain their equipment. Never mind the banking crisis. An ounce of rational prevention is worth a tonne of PR fire-fighting — why do companies struggle so much with mitigating downside risk?
It could be said that that's what they're doing.
They're saying more than they have to.
This whole thing seems like a great example of incompetence.
While this is a bad security breach, if you follow security news at all you'd know computer security is a joke. The Rustock botnet operated for FIVE years with impunity on as many as 2.4 million rooted machines. People didn't even know they were owned; their computers worked perfectly fine like nothing was wrong. Every system at pwn2own gets owned in seconds and you can bet the black hats were there first. Everyone gets compromised. The only thing stopping a crippling cyber attack is whether someone feels it is beneficial to do so.
I do not especially fault Sony for this. Google gets hacked. Microsoft gets hacked. The NSA gets hacked. The DoD gets hacked. JP Morgan Chase gets hacked. Just add another multi-national to the list. It's a systemic problem that nobody really cares enough about nor can we do much about it if we did care.
EDIT: Just to give you another idea of how screwed we are from a security perspective. To paraphrase George Carlin, some programmers are really stupid. Did you ever notice how much stupid software you see? Think of how stupid the average programmer is, and realize half the programmers are stupider than that. And that bottom half? They probably work in IT, managing the over-engineered address books and accounting ledgers of the world while smarter people worry about cooler problems.
It's one thing to be attacked by determined people and fail eventually -- given enough time, everyone does -- but it's a completely different matter to give the keys to the castle to anyone with a rooted PS3.
(I'm not taking any chances, either way)
Especially considering the sentences immediately after the "there is no evidence..." statement, I'd be wary. I might just be jaded and they're really just trying to be forthcoming and helpful, but all that CYA-type-speak after that line makes me at least a little bit dubious that they're revealing all the details just yet.
Sony did piss off a lot of hackers, though, so maybe they had it coming...
A moot point? Moot? Really? I like your choice of words. Heh.
In fact, I'd be peeing my pants if I saw that in the SQL-dump I just downloaded through a couple of proxies.
"We realize that targeting the PSN is not a good idea. We have therefore temporarily suspended our action, until a method is found that will not severely impact Sony customers." -- Anonymous
Then they went on to say something about how Anonymous is a diverse group and they can't control everyone, blah blah blah.
Where is Godzilla to stomp Sony's ass when we need him?
Assuming a 10-character random alphanumeric, that'd be 62¹⁰ possibilities (26 uppercase + 26 lowercase + 10 numbers = 62). Even given an insanely fast bcrypt of 1µs, that's over thirteen thousand years to get to a 50% chance.
Now, if your hash is a bad one, say MD5, then you're in trouble. GPUs could brute force that ten-character password within a year.
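As an added example (not code from the thread), here is the salt-and-hash practice from the earlier "Passwords should always be salted and hashed" comment together with the brute-force arithmetic from the comment above, in Python. PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in the standard library, and the two hash rates are assumptions marked in the code.

```python
import hashlib
import hmac
import os

# Deliberately slow key-derivation: PBKDF2-HMAC-SHA256 used here in place of bcrypt.
ITERATIONS = 200_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def unsalted_md5(password):
    """What a plain MD5 store looks like: equal passwords give equal digests, so one
    cracked digest (or one rainbow table) unlocks every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random 16-byte salt per user means identical
    passwords produce different digests and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def years_to_half_keyspace(alphabet_size, length, hashes_per_second):
    """Years until exhaustive search has a 50% chance of hitting a random password."""
    keyspace = alphabet_size ** length
    return (keyspace / 2) / hashes_per_second / SECONDS_PER_YEAR


def compare_hash_costs():
    """The comment's two scenarios for a 10-char [A-Za-z0-9] password (62^10 keyspace).
    Rates are assumptions: 1 us per bcrypt (1e6/s) vs. an assumed 2e10 MD5/s GPU rig."""
    slow = years_to_half_keyspace(62, 10, 1_000_000)
    fast = years_to_half_keyspace(62, 10, 20_000_000_000)
    return slow, fast


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    salt, digest = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    slow, fast = compare_hash_costs()
    print(f"bcrypt-speed search: {slow:,.0f} years; fast MD5 search: {fast:.2f} years")
```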
Howard Stringer is Sony emperor... I mean Chairman, President and CEO. And he comes from Sony Entertainment (US). He was the one pushing stuff like the Audio CD rootkit, DRM everything and Blu-ray in all PS3 consoles to force a format war. Some people consider this last trick as the move that got the previous admin gutted, I mean restructured, back in 2005. And he got the top job. Amazing guy.