Sony Website Hacked By the "Lulz Boat"

Yopaz

Sarcastic overlord
Jun 3, 2009
6,092
0
0
Keava said:
SQL Injection? Plaintext user data? Seriously? I'm disappointed. With all due respect, Sony, but a company that large, with so much "experience" and that dabbles into electronics and gaming, so also programming should at least have one sane web admin that could mitigate the damage if not entirely prevent it. If that's true... then, I'm speechless.

Agreed with this post. OK, so Sony messed up once, a lot of information was stolen, luckily credit card information was encrypted. They shut down the service to do some changes to it. Then they manage to prove they're doing the same mistake twice. I felt bad for them the first time. They were poorly prepared, sure, but they did take years to get hacked the first time so I guess it seemed sufficient. When they actually got hacked once they should know that they could get hacked again and improve their security in case they did get hacked rather than just rebuffing the security believing it could never happen again.
Also to the guy I quoted, that xkcd strip is one of my favourites, thanks for reminding me of it.
 

Danpascooch

Zombie Specialist
Apr 16, 2009
5,231
0
0
King_Serpent said:
danpascooch said:
King_Serpent said:
danpascooch said:
An SQL injection? Seriously? A fucking SQL injection!?

That's the simplest type of hack in the world, if hacking were burglary, that would be the equivalent of checking if the front door was unlocked. Basically Sony left its front door open after being robbed blind just weeks ago, WHAT. THE. FUCK.

Don't even tell me none of this is Sony's fault, that's bullshit, I've always known it was bullshit, but now there's proof.
"She dresses seductively so raping her seemed like the thing to do"

That's your argument.
Don't tell me what my argument is, especially when you're dead wrong. Did I say none of this was the hackers' fault? Fuck no, did I say this was all Sony's fault? Also no.

Imagine you got a safe deposit box at a bank, and stored valuables in it, then the bank got robbed and you discovered they left both the vault and your box completely unlocked at night. Is the bank totally innocent? Fuck no. You should be pissed at that bank, you trusted them with your valuables, of course the thieves are the problem, but you expect thieves to be thieves, they are scum, what you don't expect is the bank to not provide any protection whatsoever against them.

If that same woman in your example decided to walk naked at midnight alone through a bad part of town, I think it would be appropriate to ask her what the fuck she was thinking.
You're still going off incomplete info again. Wait until facts come out. Also going off your analogy I would ask what she is thinking but also help her instead of saying random people can do what they want with her. You need to realize these fucks need to be in prison they are getting away with identity theft and shifting the fault to the company to keep the anger away from themselves and you fell for it. When the hackers who did this are caught, then Sony will have to fix all that has happened and yes they will need to work on it even before the criminals are caught, but lay off the blame game until the facts are straight and these guys (hopefully) are in jail. For all we know they might have hacked the site and lied about the security they went through.

I am not insulting you but to lay everything at the feet of the company and part of the company that has little to do with the first hack is just absurd. I really hate these types of arguments if I actually could talk then I would sound a lot less angry than the typing implies. You have an opinion but I just cannot agree with it and sorry if I came off too strong. Still, I hold my view that the blame is more towards those responsible and only slightly at Sony's feet.
You still think I have an opinion I don't have. I don't think anyone should do this to Sony, it's wrong and sick and they deserve to be in jail. But you know what, they are out there, and they aren't going to change, and there will always be more of them.

The reason I don't dedicate a post to shouting at them is because that's implied, anyone who doesn't think these hackers are wrong and should be punished is probably a sociopath who thinks people are entitled to do whatever they want.

Hackers are always going to be there, and they're not going to change. But what can change is the security of the company that is trusted with valuable information. Like I said before, banks don't just leave their vault unlocked and then say "don't yell at us, it's all the thieves' fault", because that would be crazy, they have a responsibility to protect the items in the vault.

Let's say for the sake of argument that they did something much more advanced than an SQL injection (which I don't believe, but let's say I did). There is still one fact. Sony stores its user data in plaintext. Sony admitted to this itself after the initial hack, and there is absolutely no physically possible way that Lulzboat would have been able to break the encryption on tens of thousands of profiles the same day as the hack, the most powerful supercomputer in the world couldn't do that. Meaning that Sony is still not encrypting it after the big attack.

Let's go back to the rape analogy, yes catching the rapists is the first priority, but someone needs to sit down with that fucking girl after she walks downtown naked at 3am for the second time and tell her to stop fucking doing that. And you can't wait until the rapists are caught to have that talk with her.
 

Jumplion

New member
Mar 10, 2008
7,873
0
0
danpascooch said:
Do you see Sony denying this was an SQL injection? Because if it wasn't, that would be the first thing they would do.
The world of PR is quite a volatile thing. If they don't deny it, people think it's true. If they did deny it, people would just say they're lying. What does it even matter at this point?
 

Blackpapa

New member
May 26, 2010
299
0
0
Jonny49 said:
Can these people display Sony's terrible security without stealing everyone's shit?
They can, but I wouldn't believe it.

Insanity: doing the same thing over and over again and expecting different results.

Frankly without hard proof I wouldn't believe this, as I'd laugh out and ask "Do you want me to believe that Sony is run by glue-sniffing drooling madmen running around half-naked in soiled, dirty pajamas?"

Well Sony aimed a loaded gun at their foot with the PSN. When it fired it showed regret for its actions and made sure that such a situation would never happen again. Sony, being Sony, didn't think that this would be a good reason not to wave a loaded gun at their OTHER foot, though.

I wonder, will they run out of limbs and bleed to death or will they learn?

I sincerely wish them the first. I only regret a lot of innocent people will lose their jobs, but I'm sure as the bloated corpse of Sony gets devoured by smaller, more agile companies, all will ultimately be for the better.

With a dedication to Sony:

http://www.youtube.com/watch?v=pzFekDIMtUQ
 

GeorgW

ALL GLORY TO ME!
Aug 27, 2010
4,806
0
0
Okay, so Sony is horrible at internet security, but get over yourselves hackers if you really want to claim that you only did it to help. Oh, and Sony, it's time to upgrade the rest of your stuff as well. The gaming is fine now, and that's what I really care about, but these people are going to keep picking at scraps, so get on with it! It doesn't have to cost a lot of money, do it badly and quickly, but at least do it!
Sony's E3 press conference is looking better and better! That's the only thing these hackers are doing right now, picking on Sony is old news, now they're just feeding them stuff to say at E3!
 

Danpascooch

Zombie Specialist
Apr 16, 2009
5,231
0
0
Jumplion said:
danpascooch said:
I'm fully able to believe it was an SQL injection, but for the sake of argument, let's say it's not, there is still one piece of information that is a fact.
No you can't, considering that both parties have something to gain from lying, particularly the hacker side as they so clearly want to make Sony look as bad as possible.

Sony keeps its user info in plaintext.

Sony admitted this themselves after the first hack, and there is no way Lulzboat would have been able to release the info on the same day as the hack if it was encrypted, so Sony kept it all in plaintext after the first disaster
No, this is false. Sony had specified that the user info was transferred in a hashtag sort of thing, though not specifically encrypted (the credit card info was encrypted). [http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/] How secure that is, I have no idea, but don't be saying that they stored info in plain/cleartext when they (allegedly) did not. Many things they say can be dubious, as who's to say they didn't take their time with the hack? Who says that they've released information the same day they hacked? Could be the most secure thing in the world, or a sign that says "do not steal, pwease!", doesn't matter in the end.

Now, feel free to not believe them, I can't really stop you there, but then what will anyone believe in this whole shit storm? Neither party, ideally, though I'm apprehensive towards believing the people who have a bone to pick against a major corporation.

It's just stupidly frustrating, how can Sony still have security abysmally below average? It's so bat fuck insane it's starting to become funny.
That's if you're taking what the black-hat hackers are saying at face value. Personally, I don't really trust people who break into services, steal 1,000,000+ people's information, and then turn around and demand money from the very people they've stolen from.
It's below average because they store the user info in plaintext, I should have been more clear before, look at your link, that link clearly stated that the passwords were hashed, I'm talking about the user info. As in, email addresses, home addresses, possibly phone numbers if they opted to put that on their profile, etc. etc.

That's below average, and it's still below average after the major hack, because if the user info was encrypted, LulzBoat wouldn't have been able to release it same-day, that would be physically impossible, the biggest supercomputer in the world couldn't break tens of thousands of user info files worth of encryption in less than a day. Now let's say they waited 3 weeks and broke the encryption, I actually assumed they released it same day to give Sony the benefit of the doubt, because if they waited a significant period of time that means one of two things:

1.) Sony didn't even notice the hack for days
or
2.) Sony knew it happened and didn't warn anyone

That would be even worse than not encrypting it.

No matter which way you look at it, Sony is not even close to fault-free here. People commonly misconstrue my argument to say I don't blame the hackers, believe me I do, they are the worst kind of scum, but that doesn't mean Sony is allowed to just leave its front door open at night, If I had a safe deposit box at a bank and it was broken into because the bank left their vault open at night, yes I would be pissed at the thieves, but I would also be pretty fucking pissed at the stupid bank
 

Danpascooch

Zombie Specialist
Apr 16, 2009
5,231
0
0
Jumplion said:
danpascooch said:
Do you see Sony denying this was an SQL injection? Because if it wasn't, that would be the first thing they would do.
The world of PR is quite a volatile thing. If they don't deny it, people think it's true. If they did deny it, people would just say they're lying. What does it even matter at this point?
It matters because if Sony doesn't get its shit together we're looking at a third, and then a fourth, and then a fifth hack.

The threat of a hack doesn't just go away
 

Raesvelg

New member
Oct 22, 2008
486
0
0
There are some details about this that... confuse me.

So LulzSec says they compromised over a million accounts... but only actually got the info on a tiny fraction of that?

Due to "financial constraints"?

To be honest, it sounds... fishy.

If I were looking to damage Sony's reputation further, I'd hack them, then make it sound like a massive data breach that was easily accomplished. At this point, people will believe just about anything, after all, and all you'd really have to do was get SOME info out.
 

Jumplion

New member
Mar 10, 2008
7,873
0
0
danpascooch said:
It's below average because they store the user info in plaintext, I should have been more clear before, look at your link, that link clearly stated that the passwords were hashed, I'm talking about the user info. As in, email addresses, home addresses, possibly phone numbers if they opted to put that on their profile, etc. etc.
While I will concede to this, I would like more evidence of them storing info in plaintext than just what you've heard/read before. Everyone is going around, pointing fingers, waving dicks, throwing shit across the room, it's hard to tell what is and isn't the truth at this point. Giving Sony the benefit of the doubt here, passwords would easily be included in "user information".

Now let's say they waited 3 weeks and broke the encryption, I actually assumed they released it same day to give Sony the benefit of the doubt, because if they waited a significant period of time that means one of two things:

1.) Sony didn't even notice the hack for days
or
2.) Sony knew it happened and didn't warn anyone

That would be even worse than not encrypting it.
Considering that this is Sony Pictures, something that has nothing to do with SCE, I doubt anyone really bothered to concentrate on that site. Now, that's not to say that Sony shouldn't have been prepared, but with everyone concentrating on the gaming side of things, this is just broadening the attack. Sony could/should have anticipated these kinds of attacks, but by this point I really don't give a shit one way or the other. I'm just blase about all this now.

No matter which way you look at it, Sony is not even close to fault-free here. People commonly misconstrue my argument to say I don't blame the hackers, believe me I do, they are the worst kind of scum, but that doesn't mean Sony is allowed to just leave its front door open at night, If I had a safe deposit box at a bank and it was broken into because the bank left their vault open at night, yes I would be pissed at the thieves, but I would also be pretty fucking pissed at the stupid bank
Of course Sony is at some fault here. The problem is that you are taking the hacker's argument at face value without any scrutiny or skepticism while completely downplaying the possibility of them skewing any facts. You are putting these hackers on a pedestal, whether that is your intention or not.

danpascooch said:
It matters because if Sony doesn't get its shit together we're looking at a third, and then a fourth, and then a fifth hack.

The threat of a hack doesn't just go away
And like I said, PR is a volatile thing. Considering that they've already been more open than many companies about this whole ordeal, I have to wonder if they have anything left to say at this point.

"Yeah, sure, it probably did or did not have no or some encryption, whatever, just let us find the assholes already."
 

Philip Petrunak

New member
Apr 3, 2010
63
0
0
Jesus, what's with all the hacker hate? They aren't hurting people. They're just pointing out a hole in a dam. Thanks to their actions, countless companies are realizing their own vulnerabilities and fixing them, protecting our data.

Let's face it, if we had the equivalent of grey-hat hackers for the banking industry 6 years ago, do you have any idea how many people would still have their homes? Sometimes the only way to convince someone of their gaping wound is to pour salt in it, and maybe they're pissed about it now, but they're better off than if they bled out and died.
 

Blackpapa

New member
May 26, 2010
299
0
0
Jumplion said:
Of course Sony is at some fault here. The problem is that you are taking the hacker's argument at face value without any scrutiny or skepticism while completely downplaying the possibility of them skewing any facts. You are putting these hackers on a pedestal, whether that is your intention or not.
What I know is that those hackers are not very skilled. Is it possible they're a bunch of whitepaper-writing CS majors who bet over who can write the prettiest rhyming shellcode using alphanumerics only? Sure.

Is it probable? No.

Of course you may believe that all this is some sort of grand conspiracy. That their twitter account is actually the work of a cabal of Sony's competitors' clandestine marketing department while the hack on sonymusic.co.jp itself was an elaborate scheme that involved drilling a tunnel under their server room, kidnapping the administrator's family, spraying mind-altering substances and replacing the goldfish at the office with a cybernetic replica equipped with surveillance equipment, instead of a stupid simple SQL injection. Yeah, I get it, it's possible and we can't know for sure. But it's not probable.
 

GonzoGamer

New member
Apr 9, 2008
7,063
0
0
TornadoFive said:
GonzoGamer said:
TornadoFive said:
Also, I must have missed the memo that said, "Everyone gang up on Sony for the next couple of months." Seriously, their online stuff has been attacked how many times now? More than I can be bothered keeping track of anyway.
Really. I thought everyone got it. It went to the tune of "Sony sues hacker - geohots."

Whatever excuse these guys are using, Sony has been in a long running war with hackers and both sides just keep making things worse.

I'm expecting they're probably going to try something else on PSN just in time for E3. That'll be a fun day for Jack Tretton.
They might even pull it off but I don't think they can take Sony down completely like they're threatening to.
I seriously doubt this is still about Geohot. As far as I knew, that matter was closed.

And let's be honest, what's the thinking there?

***

"Sony's suing a hacker! We need to persuade them that they're wrong. What's the best way of doing that?"

"I dunno. Hacking the PSN, causing chaos and disruption for millions of innocent people?"

"Brilliant! That'll get everyone on our side!"

"Oh, and as an added bonus, we should start hacking other things to do with Sony, just to prove to them why hackers should not be sued."

***

I know, I know, it probably wasn't the same group that's attacked everything, but you see my point. These kind of attacks are hardly going to cause Sony to reconsider anything that they did during Geohot's trial.
For sure.
I didn't mean to imply this was just because of the lawsuit. Sony was feuding with hackers long before that...long before the ps3 was even launched. It's been going on for a while but it first became apparent to me when I got a psp, and I'm sure it was going on before that too. But when the psp started getting hacked, Sony started coming up with a new update every week that was designed to keep hackers from opening up the device. The problem was that their measures were more of a pain to the legitimate consumers who bought new games and downloaded demos. I'm imagining hackers wouldn't give a crap about updated firmware and would probably at that point just download new games.
Now it seems the ps3 is doomed to the same fate.
The geohots thing was just the latest of Sony's open antagonism of hackers. I'm not saying Sony has to take it lying down, just that they shouldn't be dbags about it and they shouldn't take measures that will only end up screwing over their legitimate customers by taking away features like otherOS or over-updating with firmware that brings no added functionality to the device. Those measures didn't slow hackers down, they just annoy the legitimate users; some of whom will probably turn to hacking when they're fed up. It's all so very counter-intuitive, it's amazing that the brand has survived this long.
 

Harry Mason

New member
Mar 7, 2011
617
0
0
"We're releasing people's personal information to help them!"
Yeah... Shut up, Lulzboat.

Honestly, I'm about sick of this bullcrap. Sony is a very powerful company, and it's like a big dog all these little "hacktivists" have been poking with a stick. A big dog that is being pretty patient and humble about the whole thing, but will eventually lash out and bite some idiot's head off. The PSN hack was basically never traced back to ANYONE. This "Lulzboat" is bragging outright on the internet. They might as well slap their balls up on a stump and invite Sony to do some stomping.

That being said, who gives a flying Frankenstein about "Sony Pictures?" I mean, congratulations on getting all that phone book information, but what would someone do with my password? Find out what my favorite movie is? You could have just asked, Lulzboat, it's the Darjeeling Limited...
 

smithy1234

New member
Dec 12, 2008
1,218
0
0
Sikratua said:
Doxcology said:
I think you underestimate the amount of knowledge the public has about hacking into websites... If the group wanted to make sure everyone knew this was really simple then they sure as hell aren't doing a good job at it by saying it's SQL Injection, when you take into account the fact that your average joe probably thinks an SQL injection is like hacking into the fucking pentagon. This was not a PR strategy to discredit Sony, it was some hackers claiming responsibility for a hack and that's it.

You give them too much credit by saying they're lying about their methods to make it seem like the attack was easy when your normal pedestrian off the street probably doesn't even know what MySQL is...
I'll give you credit. When you shovel bullshit, you use both hands. The original article removes most of the need for a true understanding of what level hacking was required. Read the language used. "Primitive." "Simple." "Botched." These words, and others, were chosen to make the task seem basic and easy. In fact, the article directly says as much.

Seriously, who needs to know a lot about hacking, when the article itself directly tells people that the hack was simple and the security was "primitive?" Giving the name of an actual hacking technique seems, to me, like this group is using a trope called the "Genius Bonus." That way, a couple people who actually do know something about hacking will chime in with "My God! That was it? Sony, you fudge-donkeys!" Or, something to that effect. Then, people who don't know jack shit on the subject will see that post, and try to seem smart on the subject. "They're right! Sony sucks! Fuck you, Sony!" Have you actually read this thread? That's exactly what happened.

In fact, if you look one post below this one, you will see an example of precisely what I'm talking about.
This is getting stupid now okay I'm just going to say that there's no point in lying about their methods, I really can't see a reason why they would do that. Yes saying it's SQL Injection makes it look easy but honestly, if it were some other method they would have said so and then what would everyone be crying about? "OMG These hackers are terrible, they used BLIND Sql Injection, it was actually difficult to hack into Sony's database so that means their security was actually moderately good but their DB still got hacked! So.. Sony isn't so bad but their security was still pretty shit...Wahhhh".

It won't make a huge difference if it turned out it was something else so why lie about it? Bottom line is that Sony was hacked into again, PERIOD, whether it was sort of hard or really easy isn't the point. The point is that they were hacked into again because their security isn't amazing for the large company it is. This wasn't a complicated statement and the fact that people have found something to argue about and call deceptive is fucking beyond me.
 

Jumplion

New member
Mar 10, 2008
7,873
0
0
archont said:
Of course you may believe that all this is some sort of grand conspiracy. That their twitter account is actually the work of a cabal of Sony's competitors' clandestine marketing department while the hack on sonymusic.co.jp itself was an elaborate scheme that involved drilling a tunnel under their server room, kidnapping the administrator's family, spraying mind-altering substances and replacing the goldfish at the office with a cybernetic replica equipped with surveillance equipment, instead of a stupid simple SQL injection. Yeah, I get it, it's possible and we can't know for sure. But it's not probable.
Don't try to insultingly make me out as some conspiracy nut as I have not even remotely claimed anything as ludicrous as you are trying to paint me. I don't really appreciate the strawman here. I'm not thinking of a conspiracy, only that they can easily skew facts. They could lie about how much information they stole (as they only gave a few), they could lie how long it took, they could lie about the methods used, they could lie about the security measures, they could lie about how much resources they need to gouge money off of people, they could lie about a dozen things in this situation. Why the hell should I trust these hackers when I can't trust anybody in this situation?

It is not a good idea to take any group's info at face value. That is what some people are doing here. I'm being skeptical of every bit of info that they toss out. Considering that they've got some bones to pick with Sony, I doubt they'd be above skewing the facts.