Speaking as someone who had to wipe several computers and reinstall the operating system because the Sony/BMG rootkit disabled the DVD drive, I need to say I am deriving some satisfaction from this: Lulzsec has hit Sony. Again. For like the, what, 10th incident in the last couple months? I’m not an anarchist and I am not cool with the vast majority of espionage, credit card fraud, hacking, and defacement that goes on. I pretty consistently come down on the other side of the fence on all that stuff. In fact I spend most of my time trying to teach people how to protect themselves from those intrusions. But just this once – and I am not too proud to admit it – I have this total case of schadenfreude going. And not just because Sony intentionally wrote and distributed malware to their customers – it’s for all the bad business practices they have engaged in. Like trying to stop the secondary market from reselling video games. It’s for spending huge amounts of engineering effort to discourage customers from customizing PlayStations. It’s for watermarking that deteriorated video and audio quality. It’s for the CD: not the CD medium co-developed with Philips, but telling us it sounded better than anything else. It’s for telling us Trinitron was better – and charging more for it – when it offered inferior picture quality. It’s for deteriorating the quality of their products while pushing prices higher. It’s for trying to make ‘ripping’ illegal. Sony has been fabulously successful financially, not by striving to make customers happy, but by identifying lucrative markets and owning them in a monopoly or bust model – think Betamax, Blu-ray, PlayStation, Walkman, etc.
So while it may sound harsh, I find it incredibly ironic that a company which tries to control its customer experience to the nth degree has completely lost control of its own systems. It’s wrong, I know, but it’s making me chuckle every time I hear of another breach.
Before I forget: Rich and I will be in San Jose all next week for the Cloud Security Alliance Certification course. Things are pretty hectic but I am sure we could meet up at least one night while we are there. Ping us if you are interested!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Mike Rothman: Understanding and Selecting a File Activity Monitoring Solution. Interesting new technology that you need to understand. Read it.
- Rich: Cloud Security Training: June 8-9 in San Jose.
- Adrian Lane: A Different Take on the Defense Contractor/RSA Breach Miasma.
Other Securosis Posts
- Incite 6/1/2011: Cherries vs. M&Ms.
- Tokenization vs. Encryption: Options for Compliance.
- Friday Summary: May 27, 2011.
Favorite Outside Posts
- Adrian Lane: Botnet Suspect Sought Job at Google. I can only imagine the look on Dmitri’s face when he saw this – innocent or not.
- Mike Rothman: BoA data leak destroys trust. But at what scale? Are customers rushing for the door because their bank was breached? Since there are no numbers people just assume they do. As a contrarian, that’s a bad assumption.
- Rich Mogull: Clouds, WAFs, Messaging Buses and API Security…
Project Quant Posts
- DB Quant: Index.
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics–Device Health.
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
Research Reports and Presentations
- Understanding and Selecting a File Activity Monitoring Solution.
- Database Activity Monitoring: Software vs. Appliance.
- React Faster and Better: New Approaches for Advanced Incident Response.
- Measuring and Optimizing Database Security Operations (DBQuant).
- Network Security in the Age of Any Computing.
Top News and Posts
- ElcomSoft Breaks iOS 4 Encryption.
- An Anatomy of a Boy in the Browser Attack. I usually stay away from vendor blogs, but Imperva has had some good posts lately.
- Lulzsec has hit Sony. Again. For the, what, 10th breach in the last couple months?
- PBS Totally Hosed by Lulzsec. They got just about every single database. Ouch. Where do they find the time to post funny Tupac articles?
- Apple Malware Patch Defeated. And by the time you read this there will probably be a new patch for the old patch.
- Apple Malware Patch.
- Android Users Get Malware. It’s a feature.
- Gmail Users Compromised.
No favorite comment this week.
Reader interactions
2 Replies to “Friday Summary: June 3, 2011”
We all have our dark sides. I’m surprised there are people in security who don’t, to some degree or other; or at least hide it under layers of public superficiality.
There’s no justifying an argument like this (except maybe in veins of full disclosure and/or breaking things to make them better or maybe diving into the ‘hacker ethic’), but I completely understand the whole schadenfreude thing in cases like this. And before getting too far, schadenfreude is more about deriving some pleasure at the expense of someone else, as opposed to supporting the vehicle of that displeasure.
We should condemn the attackers as well as unacceptable security actions. But that doesn’t mean we can’t derive some measure of satisfaction from essentially sticking it to “the man,” or a smugness that “we’re right” yet again, or, at the very least, the satisfaction that the system will get better for the breaches. I would even go so far as to hypothesize that a majority of the best minds in security/hacking share this darker side to a healthy degree.
@Adrian
I am disappointed that you feel that what constitutes yet another breach of Sony systems is something that pleasure can be derived from due to past activities by Sony.
Despite Sony’s past antics (of which I admit there are many), the fact is that in all of this, it is Sony’s own customers who are being significantly affected and inconvenienced. Although (as far as I am aware) the Sony Pictures breach doesn’t directly affect me, I (like many others) am affected by the PSN breach and am unsure longer term whether there will be any lasting effects on myself.
The fact that you have made a public statement which effectively supports the actions of these malcontents from LulzSec (or whoever they are) because Sony ‘deserves it’ is disappointing from a security professional whose past writings and output I have enjoyed reading.
Surely we as security professionals should be condemning both the idiots that have done this AND Sony for not ensuring that what would appear to be basic security protections are in place, not indirectly supporting these criminals?