Sony's Servers: outdated software, unpatched and no firewall

JockoJohnson

Even after it was publicly disclosed that their systems were vulnerable, they never fixed them. So Sony left the door wide open, and didn't even care. Talk about criminally negligent.
http://consumerist.com/2011/05/secu...re-was-obsolete-months-before-psn-breach.html

After reading the comments in the link, and if even half are true, I hope Sony gets sued for everything. That is truly pathetic if they were aware of it all for months. One of the comments even mentioned that the PSN was shut down NOT due to the breach but that people could download everything for free.
 

bfdd

Sony is done. After the DRM bullshit they pulled a few years ago, I told myself I'll be extremely cautious buying Sony products. After this... yeah, never again. So glad I skipped on buying a PS3 for myself last Christmas.
 

jackschmittusa

I have been boycotting Sony since their rootkit fiasco. They keep finding new ways to make me think it is the right choice.

They have never cared about their customers, and prove it over and over again.
 

Schadenfroh

My word, that is some pretty pitiful incompetence, they are going to get their asses handed to them in court.

After the DRM bullshit they pulled a few years ago, I told myself I'll be extremely cautious buying Sony products.
You mean the SonyBMG music rootkit? To be fair, that music company was a joint venture that Sony did not hold a majority stake in at the time.

If you are referring to SecuROM in video games, then yes, that is their crappy software.
 
Feb 24, 2001
14,513
4
81
must be crappy sys admins maintaining these systems

IT is a source of expense, not revenue. Usually low on the totem pole when IT asks for money to fix stuff.

Could be negligent or incompetent system admins, or it could be they were doing the best with what they had available.
 

bfdd

My word, that is some pretty pitiful incompetence, they are going to get their asses handed to them in court.


You mean the SonyBMG music rootkit? To be fair, that music company was a joint venture that Sony did not hold a majority stake in at the time.

If you are referring to SecuROM in video games, then yes, that is their crappy software.

I was talking about the rootkit fiasco, but SecuROM is terrible as well. So we'll just say I was talking about both. I don't really care if SonyBMG was a subsidiary of the larger Sony Corp, it held their name and their money behind it.
 

lord_emperor

IT is a source of expense, not revenue. Usually low on the totem pole when IT asks for money to fix stuff.

Could be negligent or incompetent system admins, or it could be they were doing the best with what they had available.

sudo update apache doesn't take a lot of resources.
 

Jaskalas

sudo update apache doesn't take a lot of resources.

If the server doesn't function or boot after that update? Wouldn't be the first time. Can't just throw that command around on a live production machine. You have to have verified and reproducible results.
 

dmcowen674

Sony's Servers: outdated software, unpatched and no firewall

Even after it was publicly disclosed that their systems were vulnerable, they never fixed them. So Sony left the door wide open, and didn't even care. Talk about criminally negligent.
http://consumerist.com/2011/05/secu...re-was-obsolete-months-before-psn-breach.html


must be crappy sys admins maintaining these systems

Someone there should be facing 120 years prison time and $800,000 in fines
 

shurato

If the server doesn't function or boot after that update? Wouldn't be the first time. Can't just throw that command around on a live production machine. You have to have verified and reproducible results.

That's why there are trained IT professionals that deal with things like that. There's always a chance any server may not function or boot after an update/reboot. Sony should have the resources to maintain a top-notch IT staff. If it is really true there wasn't even a firewall, that's pretty much criminal negligence. I can't believe this is really the case... When I used to be a consultant, we had one-man operations even running business-class firewalls on their servers.

On an unrelated note, I've had 2 PlayStation 3s die on me. I don't even use one for gaming but for Blu-ray movies and a media center.
Don't think I'll be buying any more Sony products for a while.
 

wuliheron

Even after it was publicly disclosed that their systems were vulnerable, they never fixed them. So Sony left the door wide open, and didn't even care. Talk about criminally negligent.
http://consumerist.com/2011/05/secu...re-was-obsolete-months-before-psn-breach.html


Sony didn't just leave the door wide open, they left it open after stirring the hornet's nest. First they took Geohot to court and pressured him into settling out of court when he did nothing illegal, then they went after every little kid and hacker that pirated one of their games without first making sure their asses were covered. Even after Anonymous hacked their servers they still didn't bother to cover their fat asses. That's not criminal neglect, but outright sadism and masochism.
 

freegeeks

IT is a source of expense, not revenue. Usually low on the totem pole when IT asks for money to fix stuff.

Could be negligent or incompetent system admins, or it could be they were doing the best with what they had available.

Yeah, but running unpatched Apache web servers with known vulnerabilities?
Keeping the basic stuff up to date is not a million-dollar investment; it's the day-to-day responsibility of the sys admin.
 

freegeeks

If the server doesn't function or boot after that update? Wouldn't be the first time. Can't just throw that command around on a live production machine. You have to have verified and reproducible results.

If they don't have some kind of test setup that is a mirror of the live, then they are the most incompetent morons. We are talking here about a system that serves millions of customers.

Seriously, not patching known security issues in stuff like Apache is just beyond stupid.
 

Ancalagon44

Yeah, it's hard to believe that they wouldn't have a staging or UAT system for stability testing.

I don't think Sony's giveaway will be enough to repair damage to its brand image either, especially if knowledge of why the attack happened (i.e. negligence) gets out. How many consumers will never trust Sony with their credit card information again? I know I wouldn't.
 

Dr. Zaus

Sony's got a principle they live by: Lead, don't follow.

Which is great... except in technology, where following means industry standards.

Fuck Sony.
 

PokerGuy

Sony has always shown disdain for their customers' interests. The rootkit and their use of DRM etc. is pretty damning, and this is all just icing on the cake. I hope it ends up with people around the world suing Sony into oblivion, they certainly deserve it. No impact to me though, I own no Sony products (including movies, music, games), and have no intention of doing so.
 

Cerb

Contact Jack, President and CEO Sony Computer Entertainment America, and tell him what ya think. ;)

http://consumerist.com/2010/02/reach-playstations-ceo.html
"Dear Jack,

I haven't been buying anything with the Sony label on it since around 2003, and don't plan to do so again. Anything you do now will be too little, too late. Even if you reinvented your company, like IBM did, and copied Nintendo's customer-loving ways in that process, I would hesitate for many years, before I would again be willing to buy a Sony product."

Um...yeah, maybe not.
 

Exterous

Super Moderator
Jun 20, 2006
20,568
3,760
126
Yeah, but running unpatched Apache web servers with known vulnerabilities?
Keeping the basic stuff up to date is not a million-dollar investment; it's the day-to-day responsibility of the sys admin.

Until more comes out I am not going to immediately jump on the sys admins. I have seen too much bureaucratic bullshit get in the way of good (hell - even basic) security practices. It wouldn't surprise me to find out that they wanted to patch them but some dumbass and/or stupid policy kept them from doing so.