How much fault should be placed on Sony for the infamous hacking that occurred just recently?

Asked by RandomMrAdam (1655 points) June 3rd, 2011

I was discussing the recent (and still ongoing) hack of Sony’s network with a friend. We disagreed on where the blame should be primarily placed.

I have a hard time finding who I should be more upset with; hackers or SONY.

Should SONY take the blame for not properly securing their networks to the point where hacker group after hacker group was just having a run at their systems? I mean, Sony did pursue the infamous hacker George Hotz, which leads me to wonder: why didn’t Sony better prepare themselves for the hacker backlash?

Should hackers be to blame for obvious reasons? I understand a large sum of people despise hackers, especially those who steal the credit card numbers and identity of people.

Who upsets you more? Sure, you might be upset with both, but who should take the most blame?

24 Answers

marinelife's avatar

Sony had a responsibility to secure the private data and credit card information of their customers.

tedd's avatar

I would say that compromising the security and privacy of millions of people to prove a point that Sony security is flawed is incredibly wrong.

That every single person whose identity is stolen thanks to the info they put out there, even if it’s only how to crack Sony’s system… can thank these hackers.

And that the ends do not even remotely come close to justifying the means.

RandomMrAdam's avatar

@tedd It is my understanding that Sony is giving free credit protection to anyone who has an account with them, so the hackers technically got their point across since it’s still coming out of Sony’s pocket.

rebbel's avatar

In my opinion, the hackers, although they say they did it to show the vulnerability of the system (or so I’ve heard).
To me that sounds like a thief who is breaking in to my house, takes my checks with him and tells me that my home is not criminal-safe.
He might do nothing with my checks, but I don’t have them anymore.

Joker94's avatar

Sony is partly responsible, I’d say. But I place more of the blame on the hackers. I’ve said it before, and I’ll say it again: FUCK hackers.

RandomMrAdam's avatar

Sorry – for those who don’t know the story behind Sony and their recent encounters with hackers. Here is an article of the original incident…much more followed.

RandomMrAdam's avatar

@rebbel I completely agree with you. But let’s say you are Sony and have a pretty large bank account. You go after hacker George Hotz. How do you not stop the hackers from breaking down your security and breaching your network when you are anticipating their coming?? I still feel that Sony should have better prepared itself for this… To use your example, let’s say before that thief broke into your apartment to steal your checks, you had ratted out all his buddies and are suing them for millions of dollars… you’d probably install a better security system just in case….

funkdaddy's avatar

Our homes are secure only because people don’t want to be caught, it’s simply not that hard to physically get into a house and back out with your things.

Now imagine if someone could break into your house anonymously and from anywhere in the world. Where failed attempts wouldn’t result in getting caught. Then imagine hundreds or thousands of people could make the attempt on their own schedule, with each attempt becoming more informed and better planned.

That’s what public network security comes down to essentially. Honest security experts will tell you there’s always a way in, and there’s probably a way to get at information you wouldn’t like others to have. The goal of security is to make it as difficult as possible and to try and control the damage someone can do so you’re not the easiest target out there. The hope is it’s easier for criminals to spend their time somewhere else or on more noble ends.

Does it suck that someone got a hold of all that information? Absolutely. Is it unexpected? I don’t think so.

Hackers are completely to blame unless Sony was willfully negligent with customer information. If their goal was to improve Sony’s security, they could simply send them the records they were able to get at as proof, instructions how they were able to do it, a recommendation how to fix it, and a bill.

It’s not that hard to go from criminal to consultant.

RandomMrAdam's avatar

@funkdaddy I can definitely see where you are coming from. But Sony could have approached that in a better way… instead of suing George Hotz, maybe they should have considered hiring him. This could have prevented this huge ordeal that has cost Sony hundreds of millions of dollars, not to mention save some face. I guess I am more upset with how Sony handled the situation from start to finish.

rebbel's avatar

Doesn’t it all just boil down to this: no matter if I keep all the doors and windows of my home wide open and have Welcome! door mats on the back and front…, keep your ff-ing hands off of my property.

RandomMrAdam's avatar

@rebbel It’s funny you phrase “doors and windows of my home wide open” because essentially that is what SONY is doing. If it was just their company that was at risk, fine, it’s on them, but they also have the responsibility of protecting user data. The hacker Lulzsec claims that the information he took from Sony had passwords in plaintext which is just adding to the information that is getting me more upset with Sony. It’s as if SONY isn’t even taking minimum security steps to protect their client information. Shame on Sony. A company as big as they are should have the money to hire the best network security and programmers out there, and they are getting just obliterated by hackers, some of which are very young (George Hotz for example is only 21). The lack of control Sony has for their network infrastructure is just a slap in the face to those trusting individuals who invested into Sony.

RandomMrAdam's avatar

@rebbel And I will go back to your analogy – if you had some of your friends’ credit cards and wallets at your place and you knew someone might be paying you a visit for something you did, you wouldn’t keep your doors unlocked with their stuff on the table just for the taking.

rebbel's avatar

Assuming that what you say about Sony’s security policy is right and I don’t doubt that they could maybe have shown more responsibility for their customers.
But, I still think in the end (or the beginning) people should keep their hands to themselves, no matter the tempting opportunities.

rebbel's avatar

@RandomMrAdam
I would, but I shouldn’t have to.

RandomMrAdam's avatar

@rebbel Maybe this doesn’t reach you on a professional level. And I take it from your lack of belief that the hackers found usernames and passwords in plain text (which they took screenshots and posted to prove) but for a company the size of Sony to be going after a hacker that rooted their system and to announce it publicly was a big mistake. Unless of course they were prepared for the backlash. It is one thing to kick someone when they are down, but it’s not smart to kick at a hornet’s nest either. Sony took on a battle that they are losing and now their customers are paying the ultimate sacrifice. That, to me, is blame on the part of Sony.

RandomMrAdam's avatar

Sony should know that the hacker community is one that is best not to be disturbed. But they took a chance and kicked the hornet’s nest and they are not only taking a beating, they are not doing their job to keep customer data safe. It’s just so very unprofessional of a company of that caliber.

Tropical_Willie's avatar

Sony is culpable and should be held totally accountable to their customers. The hackers got in, it seems, because Sony is not a “smart” technology company, just a marketing company (PR guys are running for excuses to give the public) looking for the max for the dollar.

RandomMrAdam's avatar

@Tropical_Willie A company doesn’t have to be a “Technology Company” to employ a network security team. I worked for a technology consulting firm for mid-sized companies and we always practiced safe security measures that Sony seems to be completely dismissing (i.e. encryption of personal data). As the story starts to further unfold, it continues to make Sony look worse and worse. First, they wait a week to tell people they got hacked (leaving a week vulnerability for those who had data potentially stolen) and then they continue to promise “it’ll be up next week” and now it’s going on 2 months and they’ve been hacked multiple times. They definitely need those PR guys working overtime when they eventually get their act together and secure their network.

Tropical_Willie's avatar

I consider any company above the level of hot dog stand, a technology company.
Sony would have a hard time running a hot dog stand – IMHO.

jrpowell's avatar

The last hack was a damn SQL injection. And the passwords were stored in plaintext. My motherfucking blog is safe from these things. my blog. This is security 101 shit here. This is absolutely inexcusable.

And geohot isn’t a break into websites hacker. He is a hardware hacker. He is the dude that was responsible for the original jailbreak of the iPhone.

tedd's avatar

Reading this morning the same group that hacked Sony has now also hacked PBS.org, an FBI affiliate, and Nintendo (which claimed no information was taken).

But I still blame Sony (sarcasm)

http://news.yahoo.com/s/digitaltrends/20110605/tc_digitaltrends/nintendohackedbylulzsecnoharmdone

RandomMrAdam's avatar

@tedd No information was stolen from Nintendo, so they must have their act together. And obviously I am upset with hackers because they were the ones who stole the data. But I am more upset with Sony for skipping out on even the most basic of security measures to protect their customers.

It’s like if you had your money in a bank, and the bank had all the customers’ money in the vault but there was no combination to the lock… Sure, there is security, but once you get past that it’s just a matter of taking what’s there.

The lack of knowledge about network security from the general population is probably the reason why more people aren’t upset with Sony. But as @johnpowell said, anything stored in plaintext, especially user password data, should be encrypted. There is no excuse for that. Hackers are nothing new, and Sony should know better.

funkdaddy's avatar

@RandomMrAdam – I completely disagree.

I understand password storage, encryption, and the options available. I understand SQL injection, how it works, how to execute it, and how to stop it.

It’s not lack of knowledge, it’s experience and an understanding that those problems probably came into play either through one person (of a team of hundreds) not understanding, or due to outside requirements on the project.

Even though I understand both, I’ve been guilty of making both mistakes, a quick run through of how they’ve happened to me, even though I know better.

First, unencrypted passwords. One project I worked on had gotten two early complaints from customers that the registration form wasn’t allowing them to register even though they had it filled out perfectly. I wasn’t able to recreate the problem, so wrote a quick piece of code that stored the entries from the registration form any time there was an error. That way we could go back and see what troubles people were having.

Only after going through the results did I realize we were storing passwords in plain text. Not because of a lack of understanding, but because we were trying to be proactive and fix a problem.

Second, SQL Injection. I’ve probably been guilty of this many times for quick internal tools that were never meant to see the public. Sony could have a tool internally, a developer’s tool, or even just a quick piece of code to run reports. You’re not thinking that Mary from accounting is going to try SQL injection on your code, so you put it together without cleaning the input on the one field she has access to. You’ve just introduced a security vulnerability if anyone ever gets access to that.

Network security is constantly evolving to combat new tricks, vulnerabilities, and hacks. You can’t always review all code each time one is found and unfortunately it leads to problems, especially when you have hundreds of online “properties” like Sony does. Once someone is “inside” any small lapse you’ve made ANYWHERE can expose the whole system.

@johnpowell mentions blog software specifically and I believe he’s using WordPress if I remember right. Even with a team of badasses and constant public review of the code by thousands of developers who make their money with the software, it still has security vulnerabilities from time to time.

They know people will try, they do their best to secure the system, they have constant review by thousands of knowledgeable users, and they STILL get hacked. In this case I’d argue they have better resources than Sony and it shows the scope of the problem.

WordPress actually has a very realistic look at security called Hardening WordPress, it goes through the number of concerns you look at when trying to secure your site.

The first line from that primer is

Security is an interesting topic, with a lot of shades of gray. WordPress developers take security very seriously, but as with any other system, there are potential security issues that may arise and there are always trade offs when balancing security and convenience.

Couldn’t say it any better.
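
The two mistakes funkdaddy describes above (a debug log that captures registration passwords, and an internal report tool that pastes its one input field into SQL), each shown next to its fix. This is an added example, not part of the original thread; Python with SQLite, the table and field names, and all sample rows are constructed assumptions.

```python
import sqlite3

# Assumed names of form fields that must never be stored in clear text.
SENSITIVE = {"password", "password_confirm", "card_number"}

def setup():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER, dept TEXT, amount REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "accounting", 120.0), (2, "legal", 900.0), (3, "hr", 45.5)])
    db.execute("CREATE TABLE form_errors (field TEXT, value TEXT)")
    return db

def redact(form):
    """Copy of a submitted form that is safe to keep for debugging."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE else v
            for k, v in form.items()}

def log_form_error(db, form):
    """Store a failed registration so it can be reproduced, minus secrets."""
    db.executemany("INSERT INTO form_errors VALUES (?, ?)",
                   list(redact(form).items()))

def report_concat(db, dept):
    # The "quick internal tool" pattern: the input becomes part of the SQL text,
    # so a quote character in it changes the meaning of the query.
    return db.execute(
        f"SELECT id FROM invoices WHERE dept = '{dept}'").fetchall()

def report_param(db, dept):
    # Same report with a bound parameter: the input is always a value.
    return db.execute(
        "SELECT id FROM invoices WHERE dept = ?", (dept,)).fetchall()

# Constructed input containing a quote, as a curious or hostile user might type.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = setup()
    print("concat, normal :", report_concat(db, "accounting"))
    print("concat, crafted:", report_concat(db, CRAFTED))   # every row leaks
    print("param,  crafted:", report_param(db, CRAFTED))    # no rows match
    log_form_error(db, {"email": "mary@example.test", "password": "hunter2"})
    print(db.execute("SELECT * FROM form_errors").fetchall())
```

The parameterized version costs nothing extra to write, which is why it is worth using even for tools that are never meant to leave the internal network.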

mowens's avatar

@RandomMrAdam Why did you send me this? haha
