Slashdot: News for Nerds

306 comments

Welp (4, Insightful)

dragonhunter21 (1815102) | more than 3 years ago | (#36035970)

Well THERE'S your problem.

IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?

Re:Welp (3, Informative)

andrea.sartori (1603543) | more than 3 years ago | (#36036080)

I'm afraid stupidity is not a "suitable" (sorry...) offense. Maybe based on criminal negligence...

Re:Welp (5, Interesting)

alta (1263) | more than 3 years ago | (#36036156)

They are in gross violation of PCI. Criminal Negligence is "suitable"

They can be seriously damaged by this... I would love to see their ability to take credit cards revoked. That would put an end to their entire online business. Can you imagine Playstation Network if it was prepay, or paper billed only?

Re:Welp (0)

Anonymous Coward | more than 3 years ago | (#36036250)

Can you imagine Playstation Network if it was prepay, or paper billed only?

So it would be more or less what MS wants XBL to be?

Re:Welp (1)

kelemvor4 (1980226) | more than 3 years ago | (#36036336)

That would not happen, they'd just contract with a third party to take payments.

Re:Welp (5, Interesting)

JWSmythe (446288) | more than 3 years ago | (#36036256)

How the hell did they maintain PCI compliance? At very least that requires the self-evaluation, and an external scan by a 3rd party. The self-evaluation, they could have easily lied on. The external scan? No way. Well, unless they had the scan pointed at a dummy server. That happens a lot more than it should. For the money I'm sure Sony was pushing through, it should have rated an on-site inspection. One company I worked for only pushed through about $50 million/yr. We were self-eval with external scan. They did threaten physical inspections every quarter, but never showed up. I guess they could have pointed at any rack and said "this is the rack". The insecurity is pure stupidity. There are so many ways to secure the network, from free (iptables on the machine) to inexpensive (dedicated firewall machine running Linux), to expensive hardware solutions. There's no excuse for this.

Re:Welp (1)

sxpert (139117) | more than 3 years ago | (#36036446)

definitely shows that PCI is bullshit ;)

Re:Welp (1)

Svpernova09 (978812) | more than 3 years ago | (#36036482)

heh. I'd like to know who the company was that certified them. If they even were certified.

Re:Welp (2)

hawguy (1600213) | more than 3 years ago | (#36036530)

definitely shows that PCI is bullshit ;)

They weren't PCI compliant since part of compliance requires applying security patches to in-scope systems, and if credit card numbers were passing through Apache or the web app running on Apache had access to credit card numbers, it was definitely in scope. And of course, storing unencrypted credit card numbers also violates PCI, but even if they were encrypted, if the hackers had control of the application they could have had the decryption keys.

Re:Welp (1)

jazzstep (677271) | more than 3 years ago | (#36036582)

definitely shows that PCI is bullshit ;)

It's only BS for companies that do not comply. I work for a company that takes PCI very seriously; our customer data is protected quite well.

Re:Welp (3, Insightful)

HiredMan (5546) | more than 3 years ago | (#36036682)

definitely shows that PCI is bullshit ;)

PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.- so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die the doctor only gets to say "His arm was fine when I checked it."

They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

Re:Welp (0)

Anonymous Coward | more than 3 years ago | (#36036652)

They probably never got audited in any meaningful way. My theory is large companies don't get real audits because the audits are paid for by the auditee and therefore the auditor has a vested interest in keeping business from the large company. Some of our clients have been audited, and all have passed... The audit was rigorous and probably would have caught these issues.

My theory really is that once you reach a certain size, no one bothers.

Re:Welp (1)

nschubach (922175) | more than 3 years ago | (#36036422)

I know I wouldn't use it... my Credit Cards give me a layer of protection and a buffer. So does Prepay (layer of monetary protection), but those are often a PITA to get and there are usually fees involved in getting them. (Unless I'm totally wrong here. I remember Prepay cards that you had to get at the store and are charged a percentage more than the value of the card. This usually involves predetermining that you need the card while you are at the store or making a special trip.)

Paper bill I guess I could handle, but that's also a huge pain and involves me checking my mail more than once every 2 months to clean out the garbage coupons. (Ah, the joys of online banking!)

Re:Welp (1)

negRo_slim (636783) | more than 3 years ago | (#36036538)

So does Prepay (layer of monetary protection), but those are often a PITA to get and there are usually fees involved in getting them.

Yeah such a pain in the ass that's why you would just buy prepaid game cards instead of a prepaid credit card, I mean they're only offered at every convenience store, grocery store and department store. From XBLA points to F2P MMO networks they're just about everywhere these days and I've never seen a fee on one. 20 bucks of credits is 20 bucks of credits is 20 bucks of credits.

Re:Welp (0)

Anonymous Coward | more than 3 years ago | (#36036436)

The lawsuit will be settled for $5 of PSN credit. Of course to use it you must agree to the new EULA that (thanks to AT&T) excludes future class action lawsuits.

Re:Welp (1)

defaria (741527) | more than 3 years ago | (#36036684)

Yeah sure. I have never, to my knowledge, purchased *anything* through Playstation Network! In fact I'm pretty sure they don't even have my credit card number at all and thus I'm not worried about these breaches personally. When I want to use my Playstation to play a game it's because I went to GameStop and purchased the medium there. I don't buy movies on PSN either - I stream them from my Linux systems that I get over the net and from Playon. And I don't purchase stupid avatars and other "virtual stuff". So when you say "can you imagine Playstation Network if it was prepay, or paper billed only?" my answer is that from my perspective, that's what they've always been.

Re:Welp (3, Interesting)

Ancantus (1926920) | more than 3 years ago | (#36036192)

From USLegal [uslegal.com]:

The civil standard of negligence is defined according to a failure to follow the standard of conduct of a reasonable person in the same situation as the defendant. To show criminal negligence, the state must prove beyond a reasonable doubt the mental state involved in criminal negligence. Proof of that mental state requires that the failure to perceive a substantial and unjustifiable risk that a result will occur must be a gross deviation from the standard of a reasonable person.

Bolding by me.

IANAL, but I think this is a clear case of criminal negligence. Any IT tech would know better than to leave an unpatched HTTP server without a firewall up to the internet. If you were told on open forums that this was happening, and then lose 2 million credit card numbers? Well if that isn't criminal negligence, I don't know what is!

Re:Welp (3)

g0bshiTe (596213) | more than 3 years ago | (#36036254)

Any IT tech would know better than to leave an unpatched HTTP server without a firewall up to the internet.

Yet it still happens everyday.

Re:Welp (1)

sribe (304414) | more than 3 years ago | (#36036304)

Yet it still happens everyday.

But probably not on servers that are storing millions of credit card numbers. That's a key difference.

Re:Welp (1)

Mongoose Disciple (722373) | more than 3 years ago | (#36036370)

Hey, there's an optimist left on /.!

Re:Welp (1)

Ancantus (1926920) | more than 3 years ago | (#36036432)

But probably not on servers that are storing millions of credit card numbers. That's a key difference.

Exactly! Although it is never good to leave something exposed to the Internet unprotected, if it's small there is very little risk (I have always been taught to assume that your system is constantly being attacked; better to be secure than sorry). But it's entirely unacceptable to be so lax on security for something having access to their credit card database. I hope other companies that store credit card data are double-checking their security. If Sony made this mistake, others have as well.

Re:Welp (3, Interesting)

Anonymous Coward | more than 3 years ago | (#36036702)

Yet it still happens everyday.

But probably not on servers that are storing millions of credit card numbers. That's a key difference.

I do security audits for a living and I'll tell you that this is actually quite common. Most companies don't give two shits about your data if they don't have direct financial liability.

The servers that have serious security are the ones that store THEIR proprietary data (blueprints, special sauce, etc). Customer data, healthcare data... don't give two shits.

I have broken into customer or employee data in almost every company I've audited during the last 4 years.

I'll tell you also, that the PCI mandated "scans" are just that. Automated scans. They send you the PDF, you do trivial remediation and it's done. Even the biggest players seldom do more than that, and they make a concerted effort to do exactly the minimum amount, because anything more affects the quarterly profit margin.

So... still... we break into every place we visit...

And I'm not particularly super "leet"... I'm sure there are plenty of guys who could lay waste to these places I go to with far more ease, speed and stealth.

Re:Welp (2, Funny)

Wildclaw (15718) | more than 3 years ago | (#36036624)

lose 2 million credit card numbers

It isn't like those numbers actually can be used for anything.

A number that people tell random merchants is obviously not something that is usable for any economic purposes. I can't imagine anyone using it to validate purchases as that would clearly be criminal negligence.

Re:Welp (1)

Anonymous Coward | more than 3 years ago | (#36036244)

The UK Data Protection Act includes clauses to the effect of requiring the data collector to ensure all the collectee's data is sufficiently secure. I'd say there's a pretty strong case to be made that the security Sony had was nowhere near sufficient. Seeing as how I'm one of SOE's UK customers and they've just informed me my credit card details "may" have been stolen, I'm p*ssed enough to get legal on their asses at the moment.

I'm just not rich enough.

Re:Welp (5, Informative)

akpoff (683177) | more than 3 years ago | (#36036258)

Quite possibly. Sony's responsibilities to their customers might not rise to the level of Fiduciary Responsibility [wikipedia.org], but customers do have a reasonable expectation of due care [thefreedictionary.com], at least with their credit card information and likely with their account information.

Further, to receive full indemnification from the payment-card industry against claims of fraud, you must be PCI compliant [wikipedia.org]. Were Sony PCI compliant having un-patched software on public-facing servers? Doesn't seem like it. This could potentially open Sony up to all kinds of claims.

Even if Sony somehow manage to escape civil and criminal justice ramifications, carelessness is no way to run a business. Sony's reputation is already tarnished in the tech world. They may finally get the public scrutiny and drop in reputation and market-share they've earned and so well deserve.

Re:Welp (0)

Anonymous Coward | more than 3 years ago | (#36036486)

Sony's too big to not be PCI compliant.

Re:Welp (-1)

Anonymous Coward | more than 3 years ago | (#36036372)

You realise the basis for this claim is an IRC chat log... Hardly a reliable source of information..... Slashdot epic fail....

I have to wonder, are ALL Americans as dumb as the poster of this "news"?

Re:Welp (2)

DeadCatX2 (950953) | more than 3 years ago | (#36036668)

The basis of this claim is Dr. Gene Spafford of Purdue University. He was giving testimony before Congress.

If you have proof that this man is lying, then let's see YOU go before Congress and testify.

Re:Welp (1)

Chris Mattern (191822) | more than 3 years ago | (#36036510)

Is there a suit here?

Given the attitude of most suits on website security, almost certainly.

Re:Welp (0)

Anonymous Coward | more than 3 years ago | (#36036542)

You realize the basis for this claim is an IRC chat log...

Hardly a reliable source of information..... Slashdot epic fail....

So now security researchers are to blame? (3, Informative)

hedwards (940851) | more than 3 years ago | (#36035978)

Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.

Re:So now security researchers are to blame? (0)

Anonymous Coward | more than 3 years ago | (#36036070)

Yea, but really Sony's guys should have seen that as well and taken action.
Then again, they should have been *taking action* all along. What century do they think this is?

Re:So now security researchers are to blame? (3, Insightful)

h4rr4r (612664) | more than 3 years ago | (#36036096)

The Sony IT folks probably wanted to, but their idiot managers prevented them. Because if the update broke something or needed downtime, they can't have that.

Re:So now security researchers are to blame? (2)

kimvette (919543) | more than 3 years ago | (#36036168)

They'd rather be hacked and incur weeks of downtime by doing the wrong thing, rather than a couple of minutes of downtime doing the right thing.

This is typical Sony as of late. Why should their infrastructure management be any better than the way they treat customers?

Re:So now security researchers are to blame? (2)

Anonymous Coward | more than 3 years ago | (#36036260)

Well yes. That's management for you. It'll be the techies that take the hit for it as well, not the management that called for it. Sony has major management problems, and this is just another example.

Re:So now security researchers are to blame? (1)

h4rr4r (612664) | more than 3 years ago | (#36036284)

Not just Sony. This is pretty common in corporate America, from what I have seen via consulting gigs.

Re:So now security researchers are to blame? (2)

Mongoose Disciple (722373) | more than 3 years ago | (#36036410)

Yeah.

For a few years, a friend of mine had the kind of security consulting job wherein companies would hire him to try to compromise their systems and provide them with recommendations of what they needed to do to tighten up their security. I thought that sounded like a lot of fun when he first described it, but he then added that it was actually a really boring and depressing job most days because the same small handful of unpatched exploits would give him root or the equivalent on 95%+ of companies' systems in under 5 minutes.

That was a couple years ago (he's since doing a different job) but I doubt things are much different.

Re:So now security researchers are to blame? (2)

h4rr4r (612664) | more than 3 years ago | (#36036658)

For really depressing, a typical cheap job (what these customers want) starts with an OpenVAS or similar scan, then you give them the printout and get to hear their sysadmins say that this is the same thing they already told their boss. Come back in 6 months, run the same scan and find the same vulnerabilities. Every time management acts shocked, sysadmins say "No Duh", rinse and repeat.

Security in typical companies is a last thought and overruled at every turn.

Re:So now security researchers are to blame? (3, Insightful)

Calydor (739835) | more than 3 years ago | (#36036188)

Sadly, 'taken action' in cases such as this usually involves post deletions and forum bans.

Updating and getting a firewall costs money, banning people from a forum doesn't.

Obviously it's better to treat the symptom than cure the disease.

Re:So now security researchers are to blame? (0)

Anonymous Coward | more than 3 years ago | (#36036306)

"What century do they think this is?"

The century of the fruitbat.

Re:So now security researchers are to blame? (1)

sribe (304414) | more than 3 years ago | (#36036332)

Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.

Of course, and "the gun dropped out of my pants and went off by accident" is also a typical response to certain other situations. Typical doesn't mean it will actually work as a defense ;-)

I don't find this shocking (1)

mec_cool (757885) | more than 3 years ago | (#36035980)

Am I the only one running Apache without a firewall?

Re:I don't find this shocking (4, Informative)

karnal (22275) | more than 3 years ago | (#36036074)

As someone who works in protecting a large environment, I would never allow a server to run "open" on the internet without restricting access to the machine via a firewall. Any exploit that works against the machine could give external users access to other ports - which with a firewall in place, wouldn't cause instant chaos. There are definitely other avenues that you could work against here - but by whitelisting only what's needed from outside to inside, you'll be an order of magnitude safer against attacks you may not be knowledgeable about.

Re:I don't find this shocking (1)

g0bshiTe (596213) | more than 3 years ago | (#36036286)

A whitelist that protects what's needed from outside to inside, does nothing against an exploit that spawns an internal shell listening from inside to out. Even then depending on the configuration and the level that the server was compromised a web page with a pass-through script will run most anything from within a web browser and the Apache server on port 80 again useless firewall.

Re:I don't find this shocking (1)

somersault (912633) | more than 3 years ago | (#36036108)

Are you also not keeping it up to date? It's the combination that makes it really bad.

Re:I don't find this shocking (1)

x*yy*x (2058140) | more than 3 years ago | (#36036142)

Yeah, I was thinking the same.. Why the hell would you need to run firewall for a HTTP server? Clearly something like Sony isn't running their web servers on their internal infrastructure, and the HTTP server needs access to DB server anyway. You can't just firewall it off. And also

reported in an open forum monitored by Sony employees

Why the hell did they only post it on a forum, assume that Sony employees monitor it, and not actually report it directly to Sony, if there was something actually wrong?

Re:I don't find this shocking (4, Funny)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36036242)

Am I the only one running Apache without a firewall?

No, we're all running your machine, too!

This seems like a case for... (1)

xMrFishx (1956084) | more than 3 years ago | (#36035986)

Doing It Wrong!

Re:This seems like a case for... (2)

Verdatum (1257828) | more than 3 years ago | (#36036046)

I mean dear God, this isn't a case for Slashdot, it's a case for Failblog!

:facepalm: (2)

kiloechonovember (1704288) | more than 3 years ago | (#36035988)

Normally I would find it unbelievable but Sony continues to surprise me in all of the worst ways.

EPIC Fail (0)

halfEvilTech (1171369) | more than 3 years ago | (#36036004)

I mean who puts Windows (any flavor) servers public facing to the internet without a firewall..

Well apparently the Jeopardy answer would be- Who is Sony?

Re:EPIC Fail (5, Funny)

Anonymous Coward | more than 3 years ago | (#36036036)

The problem was with unpatched Apache - maybe if they had been running IIS they would have been OK :)

Re:EPIC Fail (2)

Bobfrankly1 (1043848) | more than 3 years ago | (#36036280)

The problem was with unpatched Apache - maybe if they had been running IIS they would have been OK :)

I thought Apache was only meant for casino websites ran off the reservation.

Re:EPIC Fail (5, Funny)

Mongoose Disciple (722373) | more than 3 years ago | (#36036476)

You laugh, but when you think about it and weigh PSN against Xbox Live, Sony failed so hard they made Microsoft's security look good by comparison.

That's a special kind of failure. That's the full retard, if you will.

Re:EPIC Fail (0)

Anonymous Coward | more than 3 years ago | (#36036102)

No need for a firewall if the WAN interface only has the HTTP port open.

All management will be on the discrete LAN interface cards.

No big deal here.

Firewalls sound exciting to domestic users but have very limited use-cases.

Re:EPIC Fail (1)

Anonymous Coward | more than 3 years ago | (#36036152)

my firewall log would beg to disagree

Re:EPIC Fail (0)

Anonymous Coward | more than 3 years ago | (#36036248)

Fail Indeed. Jeopardy requires you give the question that yields the given answer. Plus it's just bad form to answer a question with a question. Don't you think? :)

Re:EPIC Fail (2)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36036350)

I mean who puts servers using any operating system public facing to the internet without a firewall..

FTFY.

Criminal Negligence? (2)

chemicaldave (1776600) | more than 3 years ago | (#36036010)

Aren't there privacy laws in the US that mandate fines for this kind of incompetence?

Re:Criminal Negligence? (2)

xMrFishx (1956084) | more than 3 years ago | (#36036020)

Yeah but generally it's best if they're just put down. It prevents further incompetence in the future.

Re:Criminal Negligence? (1)

chemicaldave (1776600) | more than 3 years ago | (#36036050)

As a user of SONY products, I'd prefer if my purchases weren't totally in vain. Besides, all of those fired sysadmins would have to find jobs somewhere.

Re:Criminal Negligence? (1)

rubycodez (864176) | more than 3 years ago | (#36036110)

"Put down" does not mean fired, guess again. Hint, it's a phrase for a specific action in farming and veterinary clinics for animals which are incurable or too expensive to cure.

Re:Criminal Negligence? (2)

g0bshiTe (596213) | more than 3 years ago | (#36036326)

I say put the two together, and stream it. "Sony IT Admins put down via fire. LIVE STREAM".

Re:Criminal Negligence? (0)

Anonymous Coward | more than 3 years ago | (#36036270)

As a user of SONY products, I'd prefer if my purchases weren't totally in vain.

Oh, I wouldn't worry about that. You've helped an organization destroy freedoms throughout the world. No one can ever take that away from you.

Re:Criminal Negligence? (2)

Verdatum (1257828) | more than 3 years ago | (#36036104)

"Curiously enough, an edition of the Encyclopedia Galactica that had the good fortune to fall through a time warp from a thousand years in the future defined the IT division of the Sony Corporation as 'a bunch of mindless jerks who were the first against the wall when the revolution came.' "

Lawyers will have field day! (1)

peter303 (12292) | more than 3 years ago | (#36036062)

they can show there are some commonly accepted best practices

Re:Criminal Negligence? (4, Informative)

Beryllium Sphere(tm) (193358) | more than 3 years ago | (#36036154)

In general, no. However, if you publish a privacy policy that you don't really follow, that's considered deception and it's possible to get in trouble for it.

The big issue here is that if they have credit card data, they're contractually bound by a private sector standard called PCI DSS, and Visa and Mastercard can impose penalties. They were blatantly out of compliance with rules in the standard requiring firewalls and a program of keeping up with patches.

Re:Criminal Negligence? (0)

Anonymous Coward | more than 3 years ago | (#36036508)

Yeah, and those penalties will be passed to the consumer in increased charges, subscriptions, etc. Great.

Re:Criminal Negligence? (0)

Anonymous Coward | more than 3 years ago | (#36036170)

Massachusetts has a state law that can fine companies who allow personal information to be leaked like this (it was a response to the TJX fiasco). I expect fines to be levied at some point since I'm sure there were MA residents among those whose info was stolen.

Re:Criminal Negligence? (1)

the eric conspiracy (20178) | more than 3 years ago | (#36036644)

Not really, but if you are going to get sued for damages in a multi-billion dollar class action lawsuit, one of the key points is going to be negligence. If this story is true, establishing negligence is going to be easy.

standard industry practice (2)

RichMan (8097) | more than 3 years ago | (#36036018)

*SARCASM*

Sony's defense will be that this state is "standard industry practice" and to expect Sony to have taken more elaborate steps at being secure like updating the software or running firewalls and other protection services as well as things like honeypots and other intrusion detections measures is just not done by major internet service providers.

But, but, but... (4, Funny)

Kamiza Ikioi (893310) | more than 3 years ago | (#36036044)

... I thought the super hackers at Anonymous are all to blame! I mean, sure, most members of Anonymous are the ones spending hours ENJOYING the PSN. But, you mean to tell me that Sony, a multinational corporation, covered up their own culpability and then lied and blamed it on an innocent (in this case) group of hacktivists? Like, Wooo, just like Cereal Killer from the movie Hackers [availableimages.com] told us!

Re:But, but, but... (1, Insightful)

LWATCDR (28044) | more than 3 years ago | (#36036136)

I don't know if Anonymous is to blame for this. They are still, after all, a bunch of vindictive thugs and the Internet version of a street gang, but that doesn't make them guilty of this.
But just because the door has a cheap lock on it doesn't mean the criminal isn't to blame.

Re:But, but, but... (0)

Anonymous Coward | more than 3 years ago | (#36036610)

Awww u mad?

Oblig (1)

ctrimm (1955430) | more than 3 years ago | (#36036180)

Hack the planet!

Re:Oblig (1)

Kamiza Ikioi (893310) | more than 3 years ago | (#36036362)

Better watch out for Agent Gill with comments like that.

Oh Yea... It was Anonymous' fault. (1, Informative)

fatbuckel (1714764) | more than 3 years ago | (#36036052)

What a pile of tools. Ya know, Sony made a pile of money in the early sixties ripping off German reel-to-reel tape machines. Yes, that's counterfeiting.

no security == no security breaches (0)

mrnick (108356) | more than 3 years ago | (#36036060)

Yeah, yeah... It's still illegal to break(?) into someone's house even if they leave the door open, but it does really make Sony look a bit foolish. Bring on the lawsuits!

OMG My lvl 75 Warrior Mage Presit was hacked, and I'm missing 3 bags of plenty and all my GOLD!!!!! (lol)

Re:no security == no security breaches (2)

somersault (912633) | more than 3 years ago | (#36036264)

If your house is holding many people's credit card details, and more, in a supposedly secure fashion, then it makes you look a bit more than foolish.

Re:no security == no security breaches (1)

nanospook (521118) | more than 3 years ago | (#36036288)

Did you say LOL just in case some tool took your statement seriously :P

Wow lots of speculation but no proof. (2)

LWATCDR (28044) | more than 3 years ago | (#36036064)

According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."

Which version? And what do they mean they were not running a firewall? And this was reported on a forum?

You know that I heard that CmdrTaco is running Slashdot on an unpatched Windows 95 box using Boa 1.0 and isn't using a firewall.

Can we not repeat unsubstantiated rumors? I really hope this is just really bad reporting and that Congress is not taking statements like "It was reported on a forum" as evidence. Now if they have proof that this is true and it was reported on a forum, it is interesting, but "just reported on a forum" is junk.

Re:Wow lots of speculation but no proof. (0)

Anonymous Coward | more than 3 years ago | (#36036670)

Dr. Spafford is a highly respected, old-school information security expert. He is not given to sensationalism, and would not make a claim like this at a congressional hearing based on some Internet rumor (even if he could ignore the threat of being sued by Sony).

1 million $ per citizen terror savings awards (0)

Anonymous Coward | more than 3 years ago | (#36036078)

after the disarmament is even further underway, so many resources will be freed up, that the real atmosphere might even return to quell the unending atmostfear of discomfort caused by the chosen ones life0cidal holycost activities. the citizen 'bailout' oddly enough, would cost 1/10th of the bank rescues, 1/100th of the unproven war efforts, & leave each citizen with more 'stability', than ever before, it's all gone, again

Risky to use the same lock on all doors (1)

Coisiche (2000870) | more than 3 years ago | (#36036082)

Ok, so it was specifically in regard to their internet forums but it does tend to suggest a fair amount of complacency regarding security which would extend beyond those forums.

Well that would seem to be proven.

Elite Hackers. (2)

dadelbunts (1727498) | more than 3 years ago | (#36036088)

They first had to get around the impenetrable wall set up by Sony. Then they had to find the data, which Sony hid in the most secure place they could. What better place to hide something than right in plain sight labeled "Credit Card Info". Sony you sly fox, using reverse psychology on hackers.

Re:Elite Hackers. (1)

berashith (222128) | more than 3 years ago | (#36036540)

I always hide information in a file called README. No one ever looks in there.

If they had cared enough... (3, Insightful)

samjam (256347) | more than 3 years ago | (#36036094)

Sony took more care to lock the customer out of equipment the customer owned on the customer's premises to "protect Sony's IP" than they took to protect the customer's data running only on Sony's servers at Sony's premises.

Looks like they need to move their security staff to the hosting side.

Sam

Boy (1)

jimmerz28 (1928616) | more than 3 years ago | (#36036126)

This just keeps getting better and better!

Lemme guess what the response was (1)

Opportunist (166417) | more than 3 years ago | (#36036184)

The thread was deleted for "security reasons" and nothing else happened.

No, I did not read TFA, but I know Sony.

Willful Negligence - Lawyers will be happy (0)

Anonymous Coward | more than 3 years ago | (#36036328)

If this is indeed true then I suspect a very strong case can be made for willful negligence:

Willful Negligence. Intentional performance of an unreasonable act in disregard of a known risk, making it highly probable that harm will be caused. Willful negligence usually involves a conscious indifference to the consequences. There is no clear distinction between willful negligence and gross negligence.

How do they know? (0)

Anonymous Coward | more than 3 years ago | (#36036352)

According to TFA, the security experts were merely monitoring the forums. Apparently a forum user stated that Apache was outdated and that the server was without a firewall. Sounds like a pretty dubious claim to me.

According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."

Hardly possible (0, Flamebait)

Artem Tashkinov (764309) | more than 3 years ago | (#36036354)

Just an unpatched Apache HTTP server and absence of a firewall could hardly be a reason/means for a successful intrusion/exploitation. I know a lot of popular web servers which have a not so fresh apache server and they don't run any sort of firewall, yet users' data is safe and no intrusions have occurred.

It's more likely their platform contained SQL injection vulnerabilities or other vulnerable/outdated software 'cause apache web server has a good record of being immune to attacks.

One should always remember that a properly configured web server should never expose any unnecessary services to the WAN in case your firewall rules are not correct or they are not properly enforced. E.g., if you run a usual web server, theoretically and in the best case scenario you should have the only listening port: 80 (or/and 443 for SSL connections) and maybe port 22 for incoming SSH connections (but I personally always reconfigure SSH daemon to listen on any other port other than 22).
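
A way to check the "only the necessary ports" rule the comment above describes, as an added example that is not part of the original post (and not Sony's or anyone else's tooling): it parses `ss -lntu`-style output, ignores loopback-only listeners, and reports anything reachable from outside that is not on the allow-list of 80, 443 and 22 the commenter names. The sample output is constructed.

```python
"""Audit listening sockets against an allow-list of ports a plain web host
should expose. Added example for this thread; the sample output is constructed."""
import re

# Ports the comment above treats as acceptable on a plain web server.
ALLOWED_PORTS = {80, 443, 22}

# Loopback-only listeners are not reachable from the WAN, so they are ignored.
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Matches the "Local Address:Port" column of `ss -lntu` output,
# e.g. "0.0.0.0:80", "[::]:443", "127.0.0.1:3306", "*:22".
_LOCAL_RE = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[0-9a-fA-F.:]+):(?P<port>\d+)$")

def parse_listeners(ss_output):
    """Return (proto, addr, port) tuples from `ss -lntu`-style text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        m = _LOCAL_RE.match(fields[4])
        if m:
            listeners.append((fields[0], m.group("addr"), int(m.group("port"))))
    return listeners

def exposed_services(ss_output, allowed=ALLOWED_PORTS):
    """Return externally reachable listeners that are not on the allow-list."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # bound to loopback only, not exposed
        if port not in allowed:
            findings.append((proto, addr, port))
    return findings

# Constructed sample in the layout of `ss -lntu` (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    [::]:443           [::]:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, addr, port in exposed_services(SAMPLE_SS):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On a real host, feed it the output of `ss -lntu` instead of the constructed sample; the database and SNMP listeners in the sample are the kind of thing this flags.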

Re:Hardly possible (1)

LearnToSpell (694184) | more than 3 years ago | (#36036470)

Lemme know when you graduate high school, and you're looking for a sysadmin job, so I don't hire you.

Surely Sony Server Software Shall Stay Secure (1)

glittermage (650813) | more than 3 years ago | (#36036384)

Right now I am glad that I don't use PS3, PSN, or SOE products or services as I am a computer gamer & wasn't interested in SOE games. I don't use Sony hardware in my PC since the Sony rootkit issue. I did have some respect for the Sony brand when it came to electronics and non-PC hardware but after this fiasco I will take my money elsewhere. As I register my products I don't want a company with lax security & little respect for my information to handle any of my data. The only way for Sony to save a little face is to terminate all employees (individual contributor & management) who had a part in securing systems with user data. That would mean all the way up the management chain if high level execs had a part, even a small part.

Don't forget (1)

drb226 (1938360) | more than 3 years ago | (#36036424)

it's Anonymous's fault! Hacking poor Sony's vulnerable servers...the gall! [/sarcasm]

Firewall (0)

Anonymous Coward | more than 3 years ago | (#36036462)

Doesn't putting your web server behind a firewall rather defeat the point of a web server?

Idiots everywhere.. (1)

Zoidbot (1194453) | more than 3 years ago | (#36036588)

You realise the basis for this claim is an IRC chat log...

Hardly a reliable source of information..... Slashdot epic fail....

It's amazing how many idiots are replying to this "news" and just assume it's totally true....

Is this like. (0)

Anonymous Coward | more than 3 years ago | (#36036596)

Is this like how it was a fact that 77 million unencrypted credit cards were stolen and all were damned to fraud ruination? I mean that's what all the news sites were declaring. But come to find out Sony had them encrypted and didn't have the CCV codes with them.

Come on you guys, this is just crap meant to get site hits and nothing else. Do you really, honestly think a multi billion dollar worldwide company that's been around as long as Sony would be running old software with no protection? Idiots.

When this first happened you all hated and bashed Sony, then you sided with Sony and now you're bashing them again. You're all just limp idiots who will ride on whatever bandwagon is popular at that second. You have no minds of your own and just want a reason to complain and give your pathetic armchair legal information out like you actually know what you're saying because you have no self esteem and giant egos.

You guys are pathetic.

I wonder... (0)

Anonymous Coward | more than 3 years ago | (#36036680)

... if they're sending a letter to my old address in the dorms, when I used to play EverQuest 1 on my old P3-450 running Windows 98 (First Edition).

Too bad mail forwarding for that address ended 9 years 6 months ago.

This could be a cover-up. (2)

flogger (524072) | more than 3 years ago | (#36036736)

About a year ago, my credit card was billed $150 for Playstation repairs by Sony. I don't own a Playstation. The only credit card info Sony had on me was for an EverQuest account that I had.

I contacted Sony and let them know that I did not pay for repairs as I do not own a Playstation. I was told that they would not remove the charge and that I would have to contest it through the credit card company. They also informed me that if the charge was contested, they (Sony) would cancel the Playstation Network account associated with the Playstation that was repaired.

I contested the charge through the credit card company and went through the whole hassle of changing ALL credit cards and notifying all businesses that I do transactions with.

Maybe Sony is charging people for 150 here and there to pay for their lawyers. Now that people are calling Sony on the fraudulent charges, they can say that they were hacked....

(Yea, I know, Who would steal credit card numbers from Sony and use the same info to buy Sony stuff.)

I had stopped buying everything Sony, cancelled my EQ, etc. when the rootkit fiasco hit and I was burned by that for putting a CD in my computer.

Bastards.