Lawsuits And Laws On The Way In Response To Sony Data Breach
from the but-would-any-of-them-have-stopped-this? dept
With Sony admitting that its PlayStation Network was hacked and that lots of personal info was accessed, you knew the reaction would be swift. Within a day we have class action lawsuits being filed and new laws being proposed. I agree that it was monumentally stupid of Sony to store passwords as plaintext rather than as hashes, which certainly leaves room for negligence claims, but will laws really make a difference? About the only reasonable response from a government official has been White House cyber boss Howard Schmidt (who has a history of being more reasonable than many of his colleagues), who noted that getting hacked is a risk of doing business, and it's not worth overreacting to Sony's situation:

"It's still a situation where specific incidents make it something it's not," he said. "Things make headlines that are just the risk of doing business in many cases."

But, of course, that won't satisfy the class action lawyers or the politicians who are all over this. Beyond the plans to introduce laws, we've already seen that Senator Richard Blumenthal, who was a massive grandstander as Connecticut Attorney General, has continued his grandstanding ways with a public "demand for answers" from Sony.
Filed Under: class action lawsuits, data breach, grandstanding, playstation network
Companies: sony
Reader Comments
Re:
You can either operate within the law or not, but you won't know it if you are (not?) until a lawsuit happens.
Re: Re:
No one has said that the Xbox or XBL runs perfectly and without a single flaw. I've never had a PS3 so the issue does not affect me. But my relatives and friends that do have a PS3 are looking at this as more of a last straw for various reasons.
Microsoft is far from perfect, but it's hard to not give them a more serious look if this Sony event is that major of an event for you.
Passwords should be stored as a one way hash
Any website that can send you your password should be avoided because they should not even be able to tell you what your password is.
Re: Passwords should be stored as a one way hash
There is no possible way to store a password that cannot be compromised in one way or another.
Hashes are not strictly one-way. It is computationally expensive one way. If you know the hash method, it's trivially easy to create a rainbow table (just takes a one-time investment of CPU time). Rainbow tables are available for all common hash methods for passwords at least up to 12 characters last I looked.
Salt it, you say? Ok, but in order for the password to actually remain useful, your authentication systems will need to have that salt value stored so it can compare the stored password with what you're using to login, and that salt value can be compromised. That takes us right back to creating your own rainbow table for the hash method and salt value.
That's not to say that Sony shouldn't have stored them in plaintext. Just don't be under the impression that just because your password is hashed means it is safe.
Re: Re: Passwords should be stored as a one way hash
Also, although rainbow tables exist for a given hash, it is recommended to hash them multiple times, with a variety of different hashing algorithms, sometimes multiple times with the same hashing algorithm. This makes it more difficult, because the rainbow table must be generated for that combination of hashing.
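The points made in the last few comments (a one-way hash means the site cannot mail you your password; a leaked salt lets an attacker work on that one record but not reuse a table across users; iterated hashing raises the cost of every guess) fit together in a short script. This is an added example by the editor, not code posted by anyone in this thread and not anything Sony ran; the record format, the function names and the parameter values (100,000 PBKDF2 iterations, a 16-byte salt) are my own choices.

```python
import hashlib
import hmac
import secrets

# Added example (not from the thread): how a site checks a password it never stores.
# Record layout and work-factor values below are this example's own choices.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000      # work factor: every single guess costs this many HMAC rounds
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh random salt is drawn per user, so two users with the same password
    get different records and no single precomputed table covers the database.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split a stored record into (iterations, salt, digest); reject unknown formats."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    The salt is read straight out of the record: it was never secret, and the
    scheme does not need it to be.
    """
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def guesses_needed(record: str, wordlist) -> int:
    """Model the attacker's position after a breach of one record.

    With the salt in hand they can test guesses against this user, but each
    guess costs a full PBKDF2 run and nothing computed here transfers to any
    other user's record. Returns how many guesses were tried before a match
    (len(wordlist) if the password is not in the list).
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        if verify_password(record, guess):
            break
    return tried


if __name__ == "__main__":
    record = hash_password("NinjaDood4")
    print("stored record:", record)                      # no password in here to "send you"
    print("correct login:", verify_password(record, "NinjaDood4"))
    print("wrong case   :", verify_password(record, "ninjadood4"))
    print("same password, different record:",
          hash_password("hunter2") != hash_password("hunter2"))
```

What the salt buys is that any precomputed table has to be rebuilt per record; what the iteration count buys is that each entry of that rebuild costs 100,000 HMAC rounds, so the "one-time investment of CPU time" stops being one-time. Running the same standard function many times (PBKDF2, and later bcrypt/scrypt/Argon2) is the vetted form of the "hash it multiple times" advice in the reply above; mixing ad hoc chains of different algorithms adds nothing that the iteration count does not already give.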
Rootkits on Audio CDs
Rootkits on PC games ( SECUROM )
Then they use bait and switch marketing.
Their network is toast anyway!
Goodbye and Good Riddance Sony!
Further Negligence
Remember the I hate you maxim!
Stupid.
Re: Stupid.
"sit in your mom's basement..." check
"actually do SOMETHING WITH YOUR LIFE" check
"im sure the 50 to 100 of money you just MIGHT have in the bank..." check
Obvious troll is obvious
Re: Stupid.
They willfully ignored 10+ year old industry security standards and this is what happens.
With your logic, if a bank stored all of its money in an unprotected area and the money got stolen, it would be an "accident".
Geohot weighs in:
which reads in part:
Hotz put the blame for the outage on Sony executives "who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea."
He's right.
Especially since no ethical, responsible, professional hacker is EVER going to work for Sony. They'll be left with the inferior, incompetent, clueless idiots they have now who are far too feeble-minded to fix the same mess that they created.
Live by the Sword Die by the Sword.
Die by governmental regulations strangling you.
Perfect.
Knee jerk laws are bad, but we do need to establish the rules of the road.
Getting hacked is the cost of doing business on the internet, that's a given.
The occasional kitchen fire is the cost of doing business as a restaurant. We have laws that minimize the number of kitchen fires and the damage that can occur when they do happen. We regulate what can be stored where, the maximum number of people allowed and establish evacuation routes. Requirements for fire extinguishers, type and placement. There are rules about who must be notified and how soon. Sure it's a cost of doing business, but we expect commercial kitchens to live up to a certain minimum standard. You follow the standard, bad things are less likely to happen and when they do they will probably be less severe. If it turns out worse then at least you weren't negligent.
We need laws that state the minimums for operating a commercial business on the internet. You don't store spare propane tanks over the stoves in a restaurant, you don't store users' passwords as plain text. You need to maintain at least this (some defined) level of security. You need to notify these (some defined) people within this (some defined) period of time in the event of a breach.
We are seeing some of it starting, such as the VISA PCI DSS requirements, but they are mostly voluntary. We need laws that establish a baseline, backed up by penalties with REAL TEETH, so that it isn't cheaper to ignore them and consider whatever token fine amount as 'the cost of doing business'.
Real privacy and consumer protection laws. Real commercial baselines.
Until that happens we can expect to see more internet versions of the Triangle Shirtwaist Factory fire. (https://secure.wikimedia.org/wikipedia/en/wiki/Triangle_Shirtwaist_Factory_fire)
welll...............................
As much as I hate Sony...
I just wish they'd wise up a bit. Stop using proprietary formats when off-the-shelf will do. Stop treating customers as their enemy.
you get what you pay for
How about a two-key system? Instead of a human-memorizable password (like "NinjaDood4") which I must type in with my fingers -- and trust the server not to store or reveal -- every time, I could have a key pair: the server sends me a session key encrypted with my public key, and I'm good to go. Nobody can decrypt that without my private key, the server doesn't know my private key, and nobody can break the encryption for another century or so. If the company wants to, say, sign me up for an expensive new service, they'd better be able to show my private-key-signed authorization, or they'll have to give back every dime. This system can still be hacked, but it's a whole lot more secure than what we have -- however it would require a tiny bit of effort to implement, and the consumers aren't demanding it.
Credit cards are ridiculously insecure, but the demand for a more secure (but slightly less convenient) solution just isn't there.
And don't get me started on SS numbers.
When litigation is a business model...
Well paytards, if you want to live by the sword (courts), I'll be happy to watch you die by the sword (courts).
Looking forward to watching Sony get dragged naked over the coals, broken glass, and beds of nails before coming to rest in a pool of isopropyl alcohol.