Sony May Have Been Using Outdated Security Software, Claims Expert

Matthew Lynch

New member
Jun 26, 2010
107
As I said in an earlier thread covering this debacle, it was Sony's fault... now proven.

My suspicions that it was their fault started when I read that they refused to attend a hearing over this.

This is why I own an Xbox instead.
 

Xanthious

New member
Dec 25, 2008
1,273
After erring on the side of the bottom line worked so well for BP no wonder Sony didn't want to update the security on their servers. Hell, it's not like they were storing the unencrypted personal information of millions and millions of people . . . oh wait.

If this is demonstrably true then Sony deserves this shit storm they are currently standing in the middle of. They deserve every lawsuit, subpoena, and fine they are going to be hit with three or four times over so maybe they won't have to be reminded a second time not to cut corners with the sensitive information their customers entrust to them.


Personally, I'd like to see Sony eat a grand total that's in the TENS OF BILLIONS when this is all said and done so the message really sinks in. Maybe costing them a quarter or two worth of profit will be just the thing to get the message across.
 

marioandsonic

New member
Nov 28, 2009
657
http://ingame.msnbc.msn.com/_news/2011/05/05/6593542-report-hackers-plan-third-attack-on-sony?gt1=43001

There are now rumors that a third attack will happen.

Damn.
 

Reyalsfeihc

New member
Jun 12, 2010
352
This is why every time I hear PSN users say "ooooh PSN is free and Xbox Live isn't" I used to chuckle. You know what that means when you don't pay for the service? Literally NO money is going toward improving the network, expanding it, and ensuring it's secure. Although I don't know the state of Microsoft's security, I'm almost positive it's better than this. And to all PS3 owners, you have my condolences.
 

Outcast107

New member
Mar 20, 2009
1,965
marioandsonic said:
http://ingame.msnbc.msn.com/_news/2011/05/05/6593542-report-hackers-plan-third-attack-on-sony?gt1=43001

There are now rumors that a third attack will happen.

Damn.
Once I saw this I thought of this for some reason.

[video] http://www.youtube.com/watch?v=tfslY_AvhLw

Edit: not saying they should get attacked again. Just thought of the guy doing this sitting back all evil.
 

Elamdri

New member
Nov 19, 2009
1,481
Reyalsfeihc said:
This is why every time I hear PSN users say "ooooh PSN is free and Xbox Live isn't" I used to chuckle. You know what that means when you don't pay for the service? Literally NO money is going toward improving the network, expanding it, and ensuring it's secure. Although I don't know the state of Microsoft's security, I'm almost positive it's better than this. And to all PS3 owners, you have my condolences.
Those types of arguments are for the poor plebs without the disposable income to have both systems.
 

ThisIsSnake

New member
Mar 3, 2011
551
fabiosooner said:
As I said in another website:

This guy lost me at 'Purdue University'.
Frankly, I'm surprised it took someone this long to try and cash in on the whole mess by accusing Sony of something along these lines - whether it's real or not.

That said, kudos to The Escapist for being pretty much the only news source who pointed out what should've been obvious to any serious journo: the guy has no insider knowledge, admitted it openly and even mentioned it's all based on random forum reading.

You shouldn't be surprised that a self-titled security expert would believe everything he read on a random forum: he's working at a university. There are some areas of expertise where only the incompetent would remain attached to a university when they could do way better at the real market out there, and TI definitely is one of those.
I just looked him up on Wikipedia; he apparently is something of an expert on security:

"Eugene Howard Spafford (born 1956), commonly known as Spaf,[1] is a professor of computer science at Purdue University and a leading computer security expert.

A historically significant Internet figure, he is renowned for first analyzing the Morris Worm, one of the earliest computer worms, and his prominent role in the Usenet backbone cabal. Spafford was a member of the President's Information Technology Advisory Committee 2003-2005,[2] has been an advisor to the National Science Foundation (NSF), and serves as an advisor to over a dozen other government agencies and major corporations."

He doesn't seem like those self-appointed experts who say things like this to get some attention. Still, what he said was hearsay that is still unproven; if he's heard something like that, he probably felt it necessary to report it. I'm skeptical whether that's the case considering Sony's reputation for electronics and dedication to the PSN in the past.
 

RvLeshrac

This is a Forum Title.
Oct 2, 2008
662
ThisIsSnake said:
fabiosooner said:
As I said in another website:

This guy lost me at 'Purdue University'.
Frankly, I'm surprised it took someone this long to try and cash in on the whole mess by accusing Sony of something along these lines - whether it's real or not.

That said, kudos to The Escapist for being pretty much the only news source who pointed out what should've been obvious to any serious journo: the guy has no insider knowledge, admitted it openly and even mentioned it's all based on random forum reading.

You shouldn't be surprised that a self-titled security expert would believe everything he read on a random forum: he's working at a university. There are some areas of expertise where only the incompetent would remain attached to a university when they could do way better at the real market out there, and TI definitely is one of those.
I just looked him up on Wikipedia; he apparently is something of an expert on security:

"Eugene Howard Spafford (born 1956), commonly known as Spaf,[1] is a professor of computer science at Purdue University and a leading computer security expert.

A historically significant Internet figure, he is renowned for first analyzing the Morris Worm, one of the earliest computer worms, and his prominent role in the Usenet backbone cabal. Spafford was a member of the President's Information Technology Advisory Committee 2003-2005,[2] has been an advisor to the National Science Foundation (NSF), and serves as an advisor to over a dozen other government agencies and major corporations."

He doesn't seem like those self-appointed experts who say things like this to get some attention. Still, what he said was hearsay that is still unproven; if he's heard something like that, he probably felt it necessary to report it. I'm skeptical whether that's the case considering Sony's reputation for electronics and dedication to the PSN in the past.
Security researchers confirmed the reports months ago. Not hard to do when you allow your web server to report versions to the world.
 

lazarus1209

New member
Mar 17, 2011
17
BabyRaptor said:
The_root_of_all_evil said:
*cough* BP Oil Spill again *cough*
Not that bad, yet... Nobody at Sony has come out and said that it's not fair that they pay to clean the mess up and that their customers should do it.

Although that may only be because their customers and side victims already ARE paying for it...
Not that bad yet? Not that bad ever. Let's keep this in perspective. Eleven people DIED in the Deepwater Horizon accident. Businesses that depended on the Gulf (fishermen, tourism, etc.) were severely impacted and some did not survive. Not to mention the extraordinary impact that millions of gallons of crude has had, and will continue to have, on the environment.

Now, I'm not saying this hasn't been a big deal, but there have been larger scams, including this one that saw 40 million credit cards stolen:

http://articles.sfgate.com/2008-08-06/news/17123391_1_credit-card-card-numbers-identity-theft-case

I know this is a big deal, but it's not nearly on the scale of comparison.
 

Siege_TF

New member
May 9, 2010
582
This is how security works IRL too, it's reactive rather than proactive. First you have glass on the store windows. They get broken. Then you add plexiglass. It gets broken too. Then you add a telescoping shutter. Then the shutter gets ripped out by a chain attached to a truck. Then you get a security guard. Then he gets mugged. Then you arm him. Then he gets shot.

The only thing stopping this cycle from turning to armed conflict is how motivated both parties are, and with the risk of personal injury being nonexistent in online crime and very large amounts of cash to be plundered... Well...
 

JDKJ

New member
Oct 23, 2010
2,065
ThisIsSnake said:
fabiosooner said:
As I said in another website:

This guy lost me at 'Purdue University'.
Frankly, I'm surprised it took someone this long to try and cash in on the whole mess by accusing Sony of something along these lines - whether it's real or not.

That said, kudos to The Escapist for being pretty much the only news source who pointed out what should've been obvious to any serious journo: the guy has no insider knowledge, admitted it openly and even mentioned it's all based on random forum reading.

You shouldn't be surprised that a self-titled security expert would believe everything he read on a random forum: he's working at a university. There are some areas of expertise where only the incompetent would remain attached to a university when they could do way better at the real market out there, and TI definitely is one of those.
I just looked him up on Wikipedia; he apparently is something of an expert on security:

"Eugene Howard Spafford (born 1956), commonly known as Spaf,[1] is a professor of computer science at Purdue University and a leading computer security expert.

A historically significant Internet figure, he is renowned for first analyzing the Morris Worm, one of the earliest computer worms, and his prominent role in the Usenet backbone cabal. Spafford was a member of the President's Information Technology Advisory Committee 2003-2005,[2] has been an advisor to the National Science Foundation (NSF), and serves as an advisor to over a dozen other government agencies and major corporations."

He doesn't seem like those self-appointed experts who say things like this to get some attention. Still, what he said was hearsay that is still unproven; if he's heard something like that, he probably felt it necessary to report it. I'm skeptical whether that's the case considering Sony's reputation for electronics and dedication to the PSN in the past.
Bear in mind that congressional hearings are rarely held and conducted in an impartial and objective manner. They're usually nothing more than a dog and pony show intended to provide the justification for legislation. I have no doubt that the Subcommittee cherry picked their "expert" and knew beforehand that his testimony would be unfavorable to Sony. That's why they picked him.
 

JDKJ

New member
Oct 23, 2010
2,065
MajorDolphin said:
I find it interesting that they had to hire security experts after the fact. I know their network is massive but they certainly should have had some white hats on staff that knew their stuff.

"As soon as we discovered the potential scope of the intrusion, we shut down the PlayStation Network and Qriocity services and hired some of the best technical experts in the field to determine what happened,"
http://www.escapistmagazine.com/news/view/109812-Sony-CEO-Speaks-Out-on-PSN-Catastrophe
The in-house IT security staff of a company do not serve the same function as outside IT forensic experts. In-house security staff are more like security guards. Their expertise lies in crime prevention. Forensic experts are more like detectives. Their expertise isn't in prevention. Their expertise lies in figuring out what happened after the crime has been committed.
 

Smooth Operator

New member
Oct 5, 2010
8,162
Oh god, nothing better than an expert guessing what might have been wrong. How about we get a priest in on that action and have him guess if it was God's will?
 

pdgeorge

New member
Dec 25, 2008
244
What I'm willing to bet is that if nothing malicious ends up happening with that data (I can picture it being sold to market research groups who can then turn around and say 'these details were obtained in studies' and then sell the details right back to Sony... But that's not malicious, just massively douchey), then chances are the people who did the hackings might have even been one of the people internally (or externally) who told Sony "Guys! This is how vulnerable you are", saw nothing happened, so they decided to prove it.

The same thing has happened heaps. My mate's uncle (who I know, this isn't 'friend of a friend') worked at a place that did cash drops at precise times, so it was obvious to outside observers when the maximum amount of money would be available.
After they never listened to him, he just turned around and robbed them. Yes, it sounds like a dick move, but he gave all the money back. People don't know how at risk they are of getting kicked in the balls until it happens. After the day it happens they will forever watch people's feet more carefully and maybe wear a cup in situations where it's more likely to happen.
 

McMullen

New member
Mar 9, 2010
1,334
fabiosooner said:
As I said in another website:

This guy lost me at 'Purdue University'.
Frankly, I'm surprised it took someone this long to try and cash in on the whole mess by accusing Sony of something along these lines - whether it's real or not.

That said, kudos to The Escapist for being pretty much the only news source who pointed out what should've been obvious to any serious journo: the guy has no insider knowledge, admitted it openly and even mentioned it's all based on random forum reading.

You shouldn't be surprised that a self-titled security expert would believe everything he read on a random forum: he's working at a university. There are some areas of expertise where only the incompetent would remain attached to a university when they could do way better at the real market out there, and TI definitely is one of those.
Methinks I detect a certain amount of bias there. It seems you are as quick to groundlessly reject the claims of anyone associated with Purdue as you accuse them of groundlessly making them.

Care to explain why?
 

McMullen

New member
Mar 9, 2010
1,334
Phishfood said:
Doesn't surprise me in the least.

Any business decision will weigh the cost of doing something vs the cost of not doing something. This is not really news or unique to Sony. Let's face it - people could have written their own custom dedicated OS that JUST runs the PSN and does nothing else, hence is 100% secure. However, the cost of this would be MASSIVE.

Banks COULD encase their vaults in 200 feet of DU for maximum security, but the costs of doing so would far outweigh the gain to security.

Yes, but installing patches and firewalls and encasing your servers in DU are at opposite ends of the diligence spectrum. I've worked in multiple places where installing Windows Updates is considered a minimum security precaution, to the point where consistently failing to do so could get you fired. In a professional environment, especially one where you are handling sensitive information for customers, not patching your OS and not installing firewalls is absolutely and blatantly negligent, to the point where I had assumed it was illegal. Guess I was wrong.
 

Phishfood

New member
Jul 21, 2009
743
McMullen said:
Yes, but installing patches and firewalls and encasing your servers in DU are at opposite ends of the diligence spectrum. I've worked in multiple places where installing Windows Updates is considered a minimum security precaution, to the point where consistently failing to do so could get you fired. In a professional environment, especially one where you are handling sensitive information for customers, not patching your OS and not installing firewalls is absolutely and blatantly negligent, to the point where I had assumed it was illegal. Guess I was wrong.
Sure, DU is a physical precaution and logging software would be electronic, but the decision making is the same. *shrug* The unfortunate thing is that there is likely one IT guy recommending security, one business manager saying "that's so expensive" and in this case a PR guy saying "the downtime to upgrade is unacceptable". I work with personal data on a far too regular basis; it's a constant battle with the boss to keep the antivirus software installed. That's not even a cost issue, he just thinks it's a waste of time that slows down the PCs.

So I can fully understand how even Sony can fall into a similar trap. I'd also point out we have very little proof that XBL et al are any better.
 

McMullen

New member
Mar 9, 2010
1,334
Phishfood said:
McMullen said:
Yes, but installing patches and firewalls and encasing your servers in DU are at opposite ends of the diligence spectrum. I've worked in multiple places where installing Windows Updates is considered a minimum security precaution, to the point where consistently failing to do so could get you fired. In a professional environment, especially one where you are handling sensitive information for customers, not patching your OS and not installing firewalls is absolutely and blatantly negligent, to the point where I had assumed it was illegal. Guess I was wrong.
Sure, DU is a physical precaution and logging software would be electronic, but the decision making is the same. *shrug* The unfortunate thing is that there is likely one IT guy recommending security, one business manager saying "that's so expensive" and in this case a PR guy saying "the downtime to upgrade is unacceptable". I work with personal data on a far too regular basis; it's a constant battle with the boss to keep the antivirus software installed. That's not even a cost issue, he just thinks it's a waste of time that slows down the PCs.

So I can fully understand how even Sony can fall into a similar trap. I'd also point out we have very little proof that XBL et al are any better.
Yes, I had assumed that that was the reason that Sony hadn't (if the claims are true) patched their servers or installed firewalls. I'm saying that those people need to be fired and it needs to sink into the heads of managers everywhere that this shit is not acceptable. The things that happen in the technology industry often point to managers that don't know and don't care about the nature of their products and the effects and issues their products will have years after the shipping date. This needs to stop.

If the claims about Sony's lax security policies are true, then I take back what I said about Sony being a victim. Managers throughout the world need to have the shit scared out of them. They need to see everyone at Sony that had anything to do with this go bankrupt for life. They need to realize that they have obligations to more than just their release dates. They need to realize that there are consequences for not understanding your product and how it will fare in the wild, or not doing anything about it. Red rings of death, DRM that keeps paying customers from playing single-player games, and paper-thin security on customer data servers are all symptoms of a corporate mentality that has completely the wrong priorities, and the people who perpetuate it need to have examples made of them.