Sony: It Is Not Our Broken System, It’s The Internet’s Fault

Posted: May 18, 2011 at 6:39 am

Howard Stringer, the disgraced CEO of Sony (NYSE: SNE), made the remarkably disingenuous or perhaps naive comment that all Internet systems have the same weaknesses as the hacked PlayStation network.

“It’s the beginning, unfortunately, or the shape of things to come,” said Stringer to the WSJ, “It’s not a brave new world; it’s a bad new world.” And, it is. Google’s (NASDAQ: GOOG) Gmail system was hacked in China. Federal government servers have been the targets of hackers who probably wanted access to confidential information.

What Stringer is doing is a rhetorical sleight of hand. He is arguing that Sony cannot take care of its own problem because of a larger systematic one. That’s nonsense, of course.

Remember, Sony’s servers were compromised and not those of competitors like Microsoft (NASDAQ: MSFT) or Nintendo, which highlights the weakness of Stringer’s argument. These two companies may have more secure networks, or they may have been lucky. But, bad luck is not an excuse for business failure, or, if it is then good IT management does not mean much.

More: http://247wallst.com/2011/05/18/sony-it-is-not-our-broken-system-its-the-internets-fault/

Pretty obvious that they don't have a clue on how to properly secure a system!

Watch closely, this is how a company dies.

I think there is some truth in Stringer's argument - which is basically the internet can be itself used as a tool to attack companies.

Hackers can easily attack Microsoft, Nintendo and/or the WSJ. They just have not done it yet. No matter how much "protection" you have, they can and will break it, if they really want to do it.

Just like we can't stop a madman to strap a bomb onto his belt and blow himself up in Grand Central Station.... what, Grand Central Station didn't have enough security?

The internet is a pathway, and it is a two-way street. We can pass all the laws we want, but it won't prevent the criminals from driving on the street.

in comparing a building being blown up to someone breaking into a building, continuously for two days, loading the contents into trucks outside the main entrance... and not being noticed until 77 million desks and all their contents were taken.

It's easy to destroy something and render it useless.

It is much more difficult to steal something and not get caught. When someone steals a train from Grand Central Station and puts it up for sale on eBay... and no one knows who did it, or how they did it! I will agree that Grand Central Station did not have enough security.

This has nothing to do with laws and criminals... it has everything to do with leaving the keys on the front seat and the windows rolled down on a red Ferrari with a bumper sticker, "passwords and credit card data in trunk!" Then blaming those bad elements in society for your loss.

I'm not taking the hackers side. I simply am stating that if you leave your wallet in a crowded train station... you shouldn't expect to ever see it again. You were the one at fault for not protecting your wallet, not the rest of the world. Laws don't fix stupid.

I am not defending Sony... I am just agreeing with the point he made that the internet can be used against a company.

Sony DID have security on their servers... they didn't leave it "like a red Ferrari with a sign asking to steal" - that is a false analogy.
The people who broke into Sony's server KNEW they were committing a crime. Sony and their customers are the victims.

Criminals can hack into ANY company... even the US Defense Department! The internet makes it easy... they break into servers and at the same also make it very hard to trace your criminal activities.
Should Sony have invest MORE in security. SURE! Now go home add add two more deadbolts to your own front door, and don't tell me I didn't warn you.

Sony server security, at whatever level it was at, still was not enough. You can argue if they needed more, but my point is there is no safe you can't crack.

If you had millions of dollars to wreak havoc on a company, you could just go bribe the employees in charge of security, and get all the keys to the servers. So no matter how much "locks" you put on the front door, they are going to come in through the backdoor.

The people who make the argument "that Sony should go out of business if they can't protect their users personal information" are just asking for MORE hackers to try to "put companies out of business".

What type of authentication was being used to validate the users that gained entry?
Were the Apache servers and all modules up to date, shielding the system from well-know exploits?
Was all personal identifying data encrypted within the database?
Was the credit card information contain in the profile or stored in a separate or third-party database?

By not implementing hardened and proven techniques to shield from threats in all of these areas, you are inviting crime.

No, the Internet does not make it easy to hack into systems connected to it. That is like saying highways make it easy for thieves to get into your bank's vault. Flaws in security methodologies and implementation provide unauthorized entry.

You stated:

Sony has hundreds of millions invested in the PlayStation Network. If the security of the system was even done in a half-ass way, they would have been able to detect two days worth of traffic, sending the massive amounts of data contained in 77 million profiles out over the internet. Their IDS, Server and Network health monitors should have also picked up on these spikes. For them to realize this after two full days shows utter incompetence. Lying to the public about the theft is another issue of ethics that I will not even get into.

And yes it is true that no single safe is impenetrable... this is why security systems are designed in several layers using different technologies at every level. Think of it as a safe, in a safe, in a safe, in a locked room that has a guard and a third party system monitoring the camera feed. And the stuff in the inner most safe is useless to anyone unless they have a code that is stored in three other secured systems that utilize different technologies for security. The locked system would only provide a limited access token that is only good for a single user and single session... for their own data only.

Sure, a few accounts could be breached because no system is perfect. But it would take many lifetimes to crack 77 million accounts.


If I was responsible for your valuable information, as well as 77 million others... Hell, if I was only holding 1 dollar from each of the 77 million people, and everyone in the world knew it... Then I would certainly add additional securities to the place which housed it (and I doubt I would have to change my front door). But, thanks for the warning.

No, they are not using Apache Servers... you wrote a big long diatribe like you know something about server security... Sony has MILLIONS invested in their server departments... and they are not running Apache.

Most experts indicates that the hackers got into Sony with inside information. Go buy a clue... stop posting about subjects in which you have not purchased a clue before you post.

Here's what third parties have discovered, and what Sony has yet to comment on:

1. Sony was running outdated, unpatched versions of the Apache web server for all Playstation services, including authentication (login) service
2. Sony had these servers directly connected to the Internet, without firewalls or other security mechanisms
3. The configuration of the Apache servers was naive allowing, for instance, the Apache server to report its version number and other information useful to a hacker
4. All of these issues were discussed in open forums which Sony employees were known to monitor, at least two to three months before the hack occurred

More: http://www.dailykos.com/story/2011/05/06/973857/-Sony-Playstation-Network-HackWorse-Than-You-Think

Security expert: Sony used outdated software before Playstation Network breach



http://venturebeat.com/2011/05/05/sony-apache-software-outdated/

But I'm certain that you will argue that you know more that a security expert @ Purdue University that has enough credentials to testify in front of congress on this very subject.



Welcome to my ignore list. Have a nice life.

"stop posting about subjects in which you have not purchased a clue before you post."

Everyone's an expert. :eyes:

regarding child abuse & molestation?

Seems remarkably similar to me....

I don't think, in the long run, corporations like that can ever build the walls high enough, but complaining that they have to build walls at all just demonstrates their obliviousness to the conditions they have helped to create.

n/t