Sony Website Hacked By the "Lulz Boat"

Blackpapa

Jumplion said:
archont said:
Jumplion said:
Or, alternatively, target the higher-ups rather than the innocent bystanders (hopefully without malice). That is real damage that can easily paint Sony in a bad light while avoiding any backwards ass-logic these guys are doing now.
Please expand on that, I'll be taking notes.
Alrighty then.
This is going to take a while...

Jumplion said:
While I would never advocate for any sort of illegal hacking (I'm the kind of guy who just wishes everyone would just get along huggy-wuggy much), targeting the higher ups, and possibly the lower positions like engineers and such, would be a much more viable option than attacking the consumer.
The engineers, while directly responsible for poor security, probably alerted their superiors that security is sub-par and additional funds need to be deployed for this purpose. The bigwigs, seeing as investing in security wouldn't get them any additional underage Thai strippers on their next year's exclusive shareholder's vacation, denied this request and allocated money to a place where it would make more immediate returns.

Unless the people who are responsible for PSN genuinely didn't think about security, which makes me wonder when did Sony start hiring specialists off of craigslist.

OTOH trying to squarely lay the blame on specific individuals is hard as well, as a corporation is more than the sum of the people involved in it. In a perfect world we could pluck the corrupt CEO and all would be fine - here the hackers would have to run what would amount to no less than a full investigation to understand which people made which decisions under which circumstances, why, did they realize the implications of their consequences and were those decisions made with bad faith or not.

As long as Anonymous can't hack people's brains (insert joke about how Hoglund's password was hacked) that kind of precision targeting is beyond Anonymous and probably most government agencies.

Jumplion said:
First off, if you hack and get a bunch of CEOs info and stuff you can easily make them look incompetent. But for god's sake, don't be cruel to their families or terrorize their homes, that only makes you look like an even bigger ass. Instead, hijack their Twitter account or something and post some funny (read: Not offensive) pictures or somesuch, making it obvious someone got control of it. Make their jobs harder to do by causing a ruckus, this is much more fun and enjoyable for everyone else (except, of course, the higher ups).
I'm pretty sure most of them are too busy deciding which Mercedes to buy this season to find time to twitter. Even if, how do you know you got the right guy in a suit? How do you know if that particular guy is the most deserving? Sony isn't a skeleton operation like HBGary.

Jumplion said:
Warn them that if they do not change their ways, things like this will continue to happen. Slowly but surely you could potentially get up to the big stuff, like hacking for their information on PSN or something, and if push comes to shove eventually, maybe you can hack into something like PSN, but don't steal anything dumbass! Leave a note saying "Hey, don't fuck with us, this could have been a lot worse." Show them that you are not to be trifled with, but not because you're a lunatic who wants attention.
I can guarantee that posting funny messages on an executive's twitter would accomplish nothing. You seem to realize this and admit that scaling the intensity of attacks up to the point of being harmful to the company is a viable tactic. You sure are playing the devil's advocate on this one.

You do realize however that Sony wouldn't blink before fabricating lies about the extent of such a breach? It's exactly what they've been doing since t+0. Honesty isn't one of their strong traits and they're the kind of company that when caught with a hand in the cookie jar are likely to deny it's their hand.

Jumplion said:
Still, this would technically still make them criminals, but hey, at least one with some semblance of ethics and morals. Like I said, I do not advocate for this kind of shit, but it'd at least make a helluvah lot more sense than "Their security is shit! To prove that, we stole everyone's info! Now, can we have some money so we can continue to hack and publish private information? We are so helping you guys, we swear!"
I doubt Anonymous or LulzSec is actually responsible for the PSN hack in the first place.

Then again a company that time and time again proves that they can't or don't want to understand the concept of ethics would be unaffected by ethical behavior. It's a bad metaphor, but trying to convince a Somali warlord to stop whichever ethnic cleansing he's doing using the power of love and friendship may be the right approach, but ultimately fruitless.
 

Blackpapa

Davroth said:
Well I could do that, granted, but I'm sure I'll come up with something that sounds even fancier.
Better yet, code it and post a link to the dump once you're done.

Did I just disarm your silly argument from the previous post?
 

Jumplion

archont said:
As long as Anonymous can't hack people's brains (insert joke about how Hoglund's password was hacked) that kind of precision targeting is beyond Anonymous and probably most government agencies.
Anonymous? Going for precision targets? It's more likely than you think. In fact, just as Anon had started their operation against Sony, they had already acquired the information of said CEOs and other higher positions, and plenty of times they've gotten information from the people they trolled (lololol'd). While I would rather avoid the engineers, it would be more likely that the higher-ups didn't bother with security. That is what they'd be aiming for.

I'm pretty sure most of them are too busy deciding which Mercedes to buy this season to find time to twitter. Even if, how do you know you got the right guy in a suit? How do you know if that particular guy is the most deserving? Sony isn't a skeleton operation like HBGary.
Pshaw, plenty have Twitter. And, in fact, if I am not mistaken (which is a likely possibility), some accounts of some sort of social media were hijacked if only briefly. I think many of the things I stated were basically along the lines of what happened before the outage, albeit at a smaller scale.

As for how we know which is more deserving, as cruel as it sounds, I don't think it would matter, at least not to hacktivist groups like Anon. It's the idea behind those hacks, and in their eyes the CEO who (allegedly) denied reinforcing security is the one who should be aimed at.

I can guarantee that posting funny messages on an executive's twitter would accomplish nothing. You seem to realize this and admit that scaling the intensity of attacks up to the point of being harmful to the company is a viable tactic. You sure are playing the devil's advocate on this one.
As I said before, if these people had not stolen a single iota of information, I would be more convinced to go to their side. But they stole info. That is where I, at least personally, draw the line. You can ramp up the intensity of attacks against the bigwigs. But you don't fuck the consumers. That, again, is where I personally draw the line. So long as they seclude their attack to those who (supposedly) "deserve" it, we can all lean back and enjoy the show.

And besides, it's the idea behind these attacks. I'm not talking about silly knock knock jokes here, I'm talking about trollulz-worthy hacks. You show their vulnerabilities while at the same time promoting your strengths. You make them look weak, look foolish because they can barely keep their own information intact. People aren't giving other people enough credit when thinking of this hypothetical scenario.

You do realize however that Sony wouldn't blink before fabricating lies about the extent of such a breach? It's exactly what they've been doing since t+0. Honesty isn't one of their strong traits and they're the kind of company that when caught with a hand in the cookie jar are likely to deny it's their hand.
Regardless of who is allegedly "lying", we can't be certain that either group is telling the "truth" either. I don't want to take any specific side here (though I am probably looking like it)

I doubt Anonymous or LulzSec is actually responsible for the PSN hack in the first place.

Then again a company that time and time again proves that they can't or don't want to understand the concept of ethics would be unaffected by ethical behavior. It's a bad metaphor, but trying to convince a Somali warlord to stop whichever ethnic cleansing he's doing using the power of love and friendship may be the right approach, but ultimately fruitless.
Doesn't really matter who did and didn't do it at this point. I'm simply stating how these hackers would have more easily proven their point if they wanted to make a point in the first place. And I'm afraid I don't quite understand your metaphor, could you elaborate on that?
 

Bad Cluster

The message is right. Even our guild site which was working from a free hosting had its information encrypted. We were hacked once, and only email addresses were exposed. This was on free hosting, a hobby site, amateur. Here, we are talking about Sony, a major corporation, if you think about it, it's outrageous.

Too bad they posted most of that information available to the internet public, this is a very bad move which overshadows their initial intent no matter what they say, this is far from harmless lulz.

Some of these emails are active I'm sure, and most of them could belong to people who aren't very savvy and could not be aware of this event. Same people could be using the same password for all their activities, something savvy people know not to do.
 

Davroth

archont said:
Better yet, code it and post a link to the dump once you're done.

Did I just disarm your silly argument from the previous post?
Let me answer that with a question. Do you know the difference between an argument and an opinion?

And please do tell, because yours is all that matters to me.
 

Woe Is You

On one hand, I find it puzzling that people don't believe that a multi-faceted multinational company that a) has knowingly installed security holes in their customers' hard drives, b) had all the PS3 keys generated with a "random" number that turned out to be constant and c) had outdated software on centralized servers that contained info on all their customers would continue to disregard such simple things as encryption to make sure their customers' data isn't instantly usable. There's no reason to side with Sony in this as they obviously don't give a shit about their customers. They aren't the good guys. Their way to respond to the ordeal that was in part due to their own incompetence by promoting their subscription service should be proof enough of this.

I know, I know, I haven't liked Sony since the whole rootkit crap they pulled.

On the other, it's not any wiser siding with vigilantes here. A very interesting question would be this: how would you hurt Sony if what you did had no effect on their customers? And, more importantly, how do you do it legally when big corps are basically the ones these days writing the laws (and lobbying them)? Not condoning anything LulzSec is doing but I find these interesting questions.
 

Blackpapa

Jumplion said:
Anonymous? Going for precision targets? It's more likely than you think. In fact, just as Anon had started their operation against Sony, they had already acquired the information of said CEOs and other higher positions, and plenty of times they've gotten information from the people they trolled (lololol'd). While I would rather avoid the engineers, it would be more likely that the higher-ups didn't bother with security. That is what they'd be aiming for.
Going for a single target is one thing, going for the right target is another thing entirely.

Jumplion said:
Pshaw, plenty have Twitter. And, in fact, if I am not mistaken (which is a likely possibility), some accounts of some sort of social media were hijacked if only briefly. I think many of the things I stated were basically along the lines of what happened before the outage, albeit at a smaller scale.
Those people can afford to buy a new laptop every time their twitter account gets hacked. Even if buying a laptop in such a scenario is completely missing the point. As you noted it didn't generate much attention, instead it was perceived as little more than a nuisance.

Jumplion said:
As I said before, if these people had not stolen a single iota of information, I would be more convinced to go to their side. But they stole info. That is where I, at least personally, draw the line. You can ramp up the intensity of attacks against the bigwigs. But you don't fuck the consumers. That, again, is where I personally draw the line. So long as they seclude their attack to those who (supposedly) "deserve" it, we can all lean back and enjoy the show.
Well, if I was to be engaged in activities of this sort, and I am not, I would try to convince the hackers to instead try to obtain crucial business data. Financial reports, trade secrets, technical specs, the fruits of R&D investment, internal documents. Then release it all free of charge and uncensored.

The problem with this is that unlike the personal data of its customers, Sony actually puts reasonable effort to protect this data - which is the reason millions of accounts and/or passwords were leaked, but no internal documents of value. It would be a win-win situation however. The clients aren't affected and Sony gets it where it hurts.

Also the lulz from this would be epic.



Jumplion said:
And besides, it's the idea behind these attacks. I'm not talking about silly knock knock jokes here, I'm talking about trollulz-worthy hacks. You show their vulnerabilities while at the same time promoting your strengths. You make them look weak, look foolish because they can barely keep their own information intact. People aren't giving other people enough credit when thinking of this hypothetical scenario.
The point isn't to show Sony doesn't give two shits about its customers, their privacy, wellbeing or obligations they have towards them. That's already clear. The point is to make Sony look back on its policies.



Jumplion said:
Regardless of who is allegedly "lying", we can't be certain that either group is telling the "truth" either. I don't want to take any specific side here (though I am probably looking like it)
We can't, but for me personally it's enough to know that Anonymous is not doing this for profit, but for an ideological purpose. That tips the scales for me, though I might be biased.

Jumplion said:
Doesn't really matter who did and didn't do it at this point. I'm simply stating how these hackers would have more easily proven their point if they wanted to make a point in the first place. And I'm afraid I don't quite understand your metaphor, could you elaborate on that?
Well, Sony is notorious for unethical behavior. There's just too much to list. As such merely pointing out a flaw in their security wouldn't prompt the intended reaction, or any at all. Sony doesn't care about its customers, only about its revenue. Which is why all attacks against Sony, if they are to be effective at achieving their goal, must strike at their revenue, not appeal to their good side - because as a corporation, they don't have one.

Or to expand on the metaphor - when dealing with a deprived entity that eschews the concepts of fairness and ethics, appealing to that entity using fairness and ethics is unlikely to be successful.
 

Blackpapa

Davroth said:
archont said:
Better yet, code it and post a link to the dump once you're done.

Did I just disarm your silly argument from the previous post?
Let me answer that with a question. Do you know the difference between an argument and an opinion?

And please do tell, because yours is all that matters to me.
I think I do, I always understood an argument as a kind of directed opinion supported by logic, fact and reason intended to influence the way the subject matter is perceived by the recipient.

If I'm wrong, and I could be, English not being my first language, point out where and let's not turn this into a metadiscussion.
 

Jumplion

archont said:
Those people can afford to buy a new laptop every time their twitter account gets hacked. Even if buying a laptop in such a scenario is completely missing the point. As you noted it didn't generate much attention, instead it was perceived as little more than a nuisance.
Only because it was relatively short and not very widespread.

Well, if I was to be engaged in activities of this sort, and I am not, I would try to convince the hackers to instead try to obtain crucial business data. Financial reports, trade secrets, technical specs, the fruits of R&D investment, internal documents. Then release it all free of charge and uncensored.

The problem with this is that unlike the personal data of its customers, Sony actually puts reasonable effort to protect this data - which is the reason millions of accounts and/or passwords were leaked, but no internal documents of value. It would be a win-win situation however. The clients aren't affected and Sony gets it where it hurts.
I freely admit that it is a murky area to delve into. What you suggest is pretty much criminal, but then again so is what I suggested. Criminals with a cause are still criminals, after all.

Though, honestly, after all this shit, I would not be surprised if Sony protected their more pertinent info only slightly better than they do now.

The point isn't to show Sony doesn't give two shits about its customers, their privacy, wellbeing or obligations they have towards them. That's already clear. The point is to make Sony look back on its policies.

Also the lulz from this would be epic.

At this point, I don't think even the hackers know what they're hacking for.

We can't, but for me personally it's enough to know that Anonymous is not doing this for profit, but for an ideological purpose. That tips the scales for me, though I might be biased.
Since this isn't Anon (allegedly), there is no ideological purpose behind this. LulzSec have no morals, at least compared to Anon. It's in their name, they're doing this purely for the lulz and to make a fool out of Sony. I'd say that they have more than enough reason to skew the facts.

Well, Sony is notorious for unethical behavior. There's just too much to list. As such merely pointing out a flaw in their security wouldn't prompt the intended reaction, or any at all. Sony doesn't care about its customers, only about its revenue. Which is why all attacks against Sony, if they are to be effective at achieving their goal, must strike at their revenue, not appeal to their good side - because as a corporation, they don't have one.

Or to expand on the metaphor - when dealing with a deprived entity that eschews the concepts of fairness and ethics, appealing to that entity using fairness and ethics is unlikely to be successful.
Plenty of companies are "notorious" for their "unethical" behavior, I don't really see why one should single Sony out of all of them. But, really, that's not exactly the point. And my examples would not merely be "pointing out the flaws" of their system, it would be actively making a mockery of said system. It is not the fault of the consumers (and I will say I am one of them) that a company is making some unethical decisions, and as such they should not be holding the burden of these attacks.

In the end, I think we both agree and disagree on certain aspects. This thread has gone long enough, though if you'd like we can continue this conversation through PM.
 

Danpascooch

Jumplion said:
danpascooch said:
It's below average because they store the user info in plaintext, I should have been more clear before, look at your link, that link clearly stated that the passwords were hashed, I'm talking about the user info. As in, email addresses, home addresses, possibly phone numbers if they opted to put that on their profile, etc. etc.
While I will concede to this, I would like more evidence of them storing info in plaintext than just what you've heard/read before. Everyone is going around, pointing fingers, waving dicks, throwing shit across the room, it's hard to tell what is and isn't the truth at this point. Giving Sony the benefit of the doubt here, passwords would easily be included in "user information".

Now let's say they waited 3 weeks and broke the encryption, I actually assumed they released it same day to give Sony the benefit of the doubt, because if they waited a significant period of time that means one of two things:

1.) Sony didn't even notice the hack for days
or
2.) Sony knew it happened and didn't warn anyone

That would be even worse than not encrypting it.
Considering that this is Sony Pictures, something that has nothing to do with SCE, I doubt anyone really bothered to concentrate on that site. Now, that's not to say that Sony shouldn't have been prepared, but with everyone concentrating on the gaming side of things, this is just broadening the attack. Sony could/should have anticipated these kinds of attacks, but by this point I really don't give a shit one way or the other. I'm just blase about all this now.

No matter which way you look at it, Sony is not even close to fault-free here. People commonly misconstrue my argument to say I don't blame the hackers, believe me I do, they are the worst kind of scum, but that doesn't mean Sony is allowed to just leave its front door open at night. If I had a safe deposit box at a bank and it was broken into because the bank left their vault open at night, yes I would be pissed at the thieves, but I would also be pretty fucking pissed at the stupid bank.
Of course Sony is at some fault here. The problem is that you are taking the hacker's argument at face value without any scrutiny or skepticism while completely downplaying the possibility of them skewing any facts. You are putting these hackers on a pedestal, whether that is your intention or not.

danpascooch said:
It matters because if Sony doesn't get its shit together we're looking at a third, and then a fourth, and then a fifth hack.

The threat of a hack doesn't just go away
And like I said, PR is a volatile thing. Considering that they've already been more open than many companies about this whole ordeal, I have to wonder if they have anything left to say at this point.

"Yeah, sure, it probably did or did not have no or some encryption, whatever, just let us find the assholes already."
We can't know if other companies would be more open because so few have gone through something on this scale, millions of accounts have had their info stolen and PSN was down well over a month, very few companies have experienced something that ridiculous.

Did you seriously say you want more evidence than "what I read before"? So no text based source will be enough for you? Jesus, talk about stacking the debate. Here's a quote from a Sony rep himself

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
(http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/)

It's bullshit, and like I said before, either this hack was unencrypted data, or Lulzboat sat on it for a significant amount of time, and Sony either didn't notice or didn't report it, no matter what way you look at it, Sony fucked up, they keep fucking up, and show no signs of getting their shit together. How many hacks will it take Sony? 50?
 

AdumbroDeus

Sikratua said:
AdumbroDeus said:
What's your point?

People who know the technique are telling you that it's ridiculously easy to execute, so what if other people are bandwagoning? Point is it's something that any admin with due diligence could've dealt with easily.
Simply put, my point is that these hackers have every possible reason to lie, because their only goal is to discredit Sony. Everything else you've said, you said on the assumption that these hackers are telling the undiluted truth. Excuse me for not taking criminals at their word, particularly about how they committed their crimes. Bluntly, you're making my point for me very nicely. Thank you.
The point is that you didn't actually make that point within your post, you just got uppity about bandwagoning and people saying an SQL injection is an easy attack.

Yes we have no reason to trust the hackers, but honestly we have less reason to trust Sony, and it's not like they've released any sort of statement to the opposite effect. Sony has always been a very disingenuous company, keep in mind that their music division DID install rootkits on our computers.

It's pretty sad when Black hat hackers surpass your company in terms of reputation for honesty.
 

danirax

Well, that's what you get for wanting to know personal info,
I bet if Sony didn't have it, they wouldn't have been hacked for the 1 billionth time.....
 

Jumplion

danpascooch said:
Did you seriously say you want more evidence than "what I read before"? So no text based source will be enough for you? Jesus, talk about stacking the debate. Here's a quote from a Sony rep himself;

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
(http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/)

No, I assumed you were basing this "Sony stored their info in plaintext" stuff on things that other people have claimed of Sony. And that still didn't prove your point. Nowhere does that state that it was in plain/cleartext, stating that it was all protected in some fashion, and my previous link showed that it was in some sort of hashtag. To what extent, I don't know, but in that case neither of our sources prove anything.

It's bullshit, and like I said before, either this hack was unencrypted data, or Lulzboat sat on it for a significant amount of time, and Sony either didn't notice or didn't report it, no matter what way you look at it, Sony fucked up, they keep fucking up, and show no signs of getting their shit together. How many hacks will it take Sony? 50?
Like I said, I am not really disputing whether Sony is at fault here or not. I am saying that you are giving the hackers too much credit and believing every word that they have stated. Both parties have a reason to lie. Why favor one group over the other just because one of them probably/sort of deserved whateverthehell is happening?
 

Davroth

archont said:
I think I do, I always understood an argument as a kind of directed opinion supported by logic, fact and reason intended to influence the way the subject matter is perceived by the recipient.

If I'm wrong, and I could be, English not being my first language, point out where and let's not turn this into a metadiscussion.
Oh very good. How come you call the rather colourful metaphor I provided with my opinion an argument? Did you not take the time and try to understand the context of what I wrote?
 

Ziadaine_v1legacy

What kind of bat-shit retards would donate to a bunch of criminals, ruining not only a large global company, but the millions of users of it?

This is now beyond the point of sheer patheticness for this "Lulzboat" group of asshats.
 

jakefongloo

danpascooch said:
An SQL injection? Seriously? A fucking SQL injection!?

That's the simplest type of hack in the world, if hacking were burglary, that would be the equivalent of checking if the front door was unlocked. Basically Sony left its front door open after being robbed blind just weeks ago, WHAT. THE. FUCK.

Don't even tell me none of this is Sony's fault, that's bullshit, I've always known it was bullshit, but now there's proof.
Lol of the week.

Not so much the last couple of lines (that's personal opinion though) but that front door analogy was pretty good.
 

Haukur Isleifsson

And what about the innocent customer who might object to his personal information being posted online? There simply must be a better way to do what they are claiming to do.
 

brumley53

I wouldn't be surprised if they're just saying it was an SQL injection and completely unencrypted. As much as Sony have kind of fucked shit up these past few months, I don't trust these attentionwhoring "Hacktivists" in the slightest.