Lawsuits And Laws On The Way In Response To Sony Data Breach

from the but-would-any-of-them-have-stopped-this? dept

Thu, Apr 28th 2011 6:02am — Mike Masnick

With Sony admitting that its PlayStation Network was hacked and that lots of personal info was accessed, you knew the reaction would be swift. Within a day we have class action lawsuits being filed and new laws being proposed. I agree that it was monumentally stupid of Sony to store passwords as plaintext rather than as hashes, which certainly leaves room for negligence claims, but will laws really make a difference? About the only reasonable response from a government official has been White House cyber boss Howard Schmidt (who has a history of being more reasonable than many of his colleagues), who noted that getting hacked is a risk of doing business, and it's not worth overreacting to Sony's situation:

"It's still a situation where specific incidents make it something it's not," he said. "Things make headlines that are just the risk of doing business in many cases."

But, of course that won't satisfy the class action lawyers or the politicians who are all over this. Beyond the plans to introduce laws, we've already seen that Senator Richard Blumenthal, who was a massive grandstander as Connecticut Attorney General, has continued his grandstanding ways with a public "demand for answers" from Sony.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: class action lawsuits, data breach, grandstanding, playstation network
Companies: sony

45 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 28 Apr 2011 @ 6:18am

Karma is a bitch.
[ link to this | view in chronology ]
abc gum, 28 Apr 2011 @ 6:18am

Wait a sec ... news laws proposed that would require passwords not be stored in plain text, wouldn't that contradict the previous proposal that all passwords be stored as plain text? Ohhhh yeah, that was France - never mind.
[ link to this | view in chronology ]
- Michael, 28 Apr 2011 @ 6:21am
  
  Re:
  The French have to keep them in plain text just in case the Germans want them.
  [ link to this | view in chronology ]
  - Anonymous Coward, 28 Apr 2011 @ 6:57am
    
    Re: Re:
    I know I shouldn't, but I lol'ed. French jokes never get old.
    [ link to this | view in chronology ]
- Anonymous Coward, 28 Apr 2011 @ 6:44am
  
  Re:
  It's the Schr�dinger's cat of Internet laws:
  
  You can either operate within the law or not, but you won't know it if you are (not?) until a lawsuit happens.
  [ link to this | view in chronology ]
- Anonymous Coward, 28 Apr 2011 @ 7:37am
  
  Re:
  You got it all wrong, the passwords are stored as plaintext then the hacker thinks: "who would be so stupid?, they must be encrypted" then he tries to decrypt them with no avail. hahaha
  [ link to this | view in chronology ]
stan, 28 Apr 2011 @ 6:25am

screw it im buying an X-BOX...
[ link to this | view in chronology ]
- Chargone (profile), 28 Apr 2011 @ 6:40am
  
  Re:
  i fail to see why one problem company stuffing up is reason to reward another problem company...
  [ link to this | view in chronology ]
  - harbingerofdoom (profile), 28 Apr 2011 @ 7:24am
    
    Re: Re:
    you fail to see it because you dont see it as a problem for yourself personally where a lot of people do.
    
    no one has said that the xbox or XBL runs perfectly and without a single flaw. ive never had a ps3 so the issue does not affect me. but my relatives and friends that do have a ps3 are looking at this as more of a last straw for various reasons.
    
    microsoft is far from perfect, but its hard to not give them a more serious look if this sony event is that major of an event for you.
    [ link to this | view in chronology ]
- Anonymous Coward, 28 Apr 2011 @ 7:21am
  
  Re:
  Here's your Xbo-oh sorry it RROD.
  [ link to this | view in chronology ]
  - harbingerofdoom (profile), 28 Apr 2011 @ 7:27am
    
    Re: Re:
    the rrod issue is not the issue it used to be and would likely affect very few buyers now.
    [ link to this | view in chronology ]
    - crade (profile), 28 Apr 2011 @ 7:32am
      
      Re: Re: Re:
      Have they fixed the problem where they keep charging you a monthly fee for online access yet?
      [ link to this | view in chronology ]
      - DCX2, 28 Apr 2011 @ 8:57am
        
        Re: Re: Re: Re:
        That monthly fee pays for actual senior software engineers to develop the network. People who actually know what they're doing. That tends to be expensive. It doesn't make that network invincible, but it vastly reduces the risk of incompetence.
        [ link to this | view in chronology ]
  - Anonymous Coward, 28 Apr 2011 @ 7:38am
    
    Re: Re:
    RROD don't steal your credit cards, jus sayin
    [ link to this | view in chronology ]
    - chris tatman (profile), 28 Apr 2011 @ 9:15am
      
      Re: Re: Re:
      your wrong on that because u still gotta pay 199 for a new console and you xbox fanboy will pay it like fools microsoft knowingly sent out a shoty product and the rrod aint dead its there just in a place your not aware of they just got rid of the lights
      [ link to this | view in chronology ]
      - Anonymous Coward, 28 Apr 2011 @ 3:37pm
        
        Re: Re: Re: Re:
        Sorry dude, your sentence structure makes no sense.
        [ link to this | view in chronology ]
John Doe, 28 Apr 2011 @ 6:46am

Passwords should be stored as a one way hash
There should be no way to decrypt a password. It should be done as a one way hash. You don't compare a user entered password to a decrypted stored password, you encrypt the user entered password and compare the result to the stored encrypted password. If they match, they are equal.

Any website that can send you your password should be avoided because they should not even be able to tell you what your password is.
[ link to this | view in chronology ]
- Anonymous Coward, 28 Apr 2011 @ 7:22am
  
  Re: Passwords should be stored as a one way hash
  It should also be salted to prevent things like dictionary attacks if the database gets compromised.
  [ link to this | view in chronology ]
  - Anon, 28 Apr 2011 @ 9:40am
    
    Re: Re: Passwords should be stored as a one way hash
    I also prefer the taste of salted passwords.
    [ link to this | view in chronology ]
- Josh in CharlotteNC (profile), 28 Apr 2011 @ 7:56am
  
  Re: Passwords should be stored as a one way hash
  There should be no way to decrypt a password. It should be done as a one way hash.
  
  There is no possible way to store a password that cannot be compromised in one way or another.
  
  Hashes are not strictly one-way. It is computationally expensive one way. If you know the hash method, its trivially easy to create a rainbow table (just takes a one-time investment of CPU time). Rainbow tables are available for all common hash methods for passwords at least up to 12 characters last I looked.
  
  Salt it, you say? Ok, but in order for the password to actually remain useful, your authentication systems will need to have that salt value stored so it can compare the stored password with what you're using to login, and that salt value can be compromised. That takes us right back to creating your own rainbow table for the hash method and salt value.
  
  That's not to say that Sony shouldn't have stored them in plaintext. Just don't be under the impression that just because your password is hashed means it is safe.
  [ link to this | view in chronology ]
  - DCX2, 28 Apr 2011 @ 9:03am
    
    Re: Re: Passwords should be stored as a one way hash
    There's also "peppering", where a salt is added inside the DB executable. Then you would need to compromise the DB, as well as the DB's executable binary.
    
    Also, although rainbow tables exist for a given hash, it is recommended to hash them multiple times, with a variety of different hashing algorithms, sometimes multiple times with the same hashing algorithm. This makes it more difficult, because the rainbow table must be generated for that combination of hashing.
    [ link to this | view in chronology ]
- Steve, 28 Apr 2011 @ 10:33am
  
  Re: Passwords should be stored as a one way hash
  Is that not the same? Checking hash to hash? No different than pass to pass? Only dif you dont know that pass but if you intercept the hash then it can be resent? I am not sure....is that how it works?
  [ link to this | view in chronology ]
Anonymous Coward, 28 Apr 2011 @ 6:47am

Just throw the PS out the window and never buy another Sony product EVER!

Rootkits on Audio CDs
Rootkits on PC games ( SECUROM )
Then they use bait and switch marketing.

Their network is toast anyway!

Goodbye and Good Riddance Sony!
[ link to this | view in chronology ]
- John Doe, 28 Apr 2011 @ 6:50am
  
  Re:
  I try to avoid Sony whenever possible, mainly because they always try to create their own standard for things. For example, they developed the memory stick rather than going with compact flash, MMC, SD, etc. Now as I learn more about their other practices with rootkits and removing functionality after the purchase I have even more reason to avoid them.
  [ link to this | view in chronology ]
Anonymous Coward, 28 Apr 2011 @ 6:50am

This lawsuit is actually a good thing: The PS3 dies and maybe then we can move on away from outdated gaming hardware.
[ link to this | view in chronology ]
- Anonymous Coward, 29 Apr 2011 @ 11:44am
  
  Re: cccc
  cccc
  [ link to this | view in chronology ]
Anonymous Coward, 28 Apr 2011 @ 7:00am

I'm not particularly keen on legislating everything, either, but a judicious application of fines for any company that has a public-facing webserver that keeps passwords in either plaintext or a reversible encryption may not be a bad thing.
[ link to this | view in chronology ]
Richard (profile), 28 Apr 2011 @ 7:06am

Further Negligence
I think it is negligent to make yourself a target by your legal and business strategy.

Remember the I hate you maxim!
[ link to this | view in chronology ]
crade (profile), 28 Apr 2011 @ 7:12am

Yeah, it's a risk of doing business.. You are risking this happening. If no one cared and just forgave you right away when you got hacked and coughed up all their info, there would be no risk.
[ link to this | view in chronology ]
Anonymous Coward, 28 Apr 2011 @ 7:16am

Good luck with the Class action lawsuits, since the Supreme Court has taken that right away from us. I am pretty sure Sony's TOS requires arbitration to resolve any issues.
[ link to this | view in chronology ]
Natalie, 28 Apr 2011 @ 7:21am

Stupid.
People are sooo stupid. Yeah my stuff could have gotten hacked but you take that risk everyday you get on the computer. Everytime you use your debit card. Everytime you post something on Facebook, you put your stuff out there. You know the risk!!! Stop trying to blame it on everyone. Yes they may have been slow, BUT common sense will tell you that with todays people, of course they probably got some info. DUH!!!!!!! So, take precautions and watch out. Jeez people can't we just realize that people make mistakes even Sony. And, for godsakes we get on PSN for free.. What do you expect for a free service.. HELLO!!! Get a freakin life, and actually work. Don't try and put a lawsuit against someone, because you can't sit in your mom's basement and play for hours on end. You have to actually do SOMETHING WITH YOUR LIFE!! And, yes im sure the 50 to 100 of money you just MIGHT have in the bank, was REALLY TAKEN. I have had my Credit card stolen on the net. And, it was simply fixed. NO harm NO foul. im over it. SO GET THE HELL OVER IT AND MOVE ON!.. ;)
[ link to this | view in chronology ]
- Rick, 28 Apr 2011 @ 7:26am
  
  Re: Stupid.
  Let's see..
  "sit in your mom's basement..." check
  "actually do SOMETHING WITH YOUR LIFE" check
  "im sure the 50 to 100 of money you just MIGHT have in the bank..." check
  
  Obvious troll is obvious
  [ link to this | view in chronology ]
  - natalie, 28 Apr 2011 @ 7:59am
    
    Re: Re: Stupid.
    Troll?
    [ link to this | view in chronology ]
    - Anonymous Coward, 28 Apr 2011 @ 6:40pm
      
      Re: Re: Re: Stupid.
      Mirror?
      [ link to this | view in chronology ]
- Bengie, 28 Apr 2011 @ 7:36am
  
  Re: Stupid.
  This doesn't fall under "mistake", this falls under negligence.
  
  They willfully ignored 10+ year old industry security standards and this is what happens.
  
  With your logic, if a bank stored all of its money in an unprotected area and the money got stolen, it would be an "accident".
  [ link to this | view in chronology ]
- ohdear, 29 Apr 2011 @ 8:38pm
  
  Re: Stupid.
  I wish you were a troll and not a moron. But you aren't.
  [ link to this | view in chronology ]
Anonymous Coward, 28 Apr 2011 @ 7:38am

Geohot weighs in:
See: http://www.pcmag.com/article2/0,2817,2384561,00.asp

which reads in part:

Hotz put the blame for the outage on Sony executives "who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea."

He's right.

Especially since no ethical, responsible, professional hacker is EVER going to work for Sony. They'll be left with the inferior, incompetent, clueless idiots they have now who are far too feeble-minded to fix the same mess that
they created.
[ link to this | view in chronology ]
Stuart, 28 Apr 2011 @ 7:39am

Live by the Sword Die by the Sword.
Live by governmental regulations to protect you.
Die by governmental regulations strangling you.
Perfect.
[ link to this | view in chronology ]
Anonymous Coward, 28 Apr 2011 @ 7:41am

The real thing is this: As much as I hate soney and I want to see it burn to the ground. It would not be a good thing for Xbox gamers. Because with playstation out of the way, there would be no arms race to over-innovate the other console and the games would start becoming crappier and crappier.
[ link to this | view in chronology ]
jilocasin (profile), 28 Apr 2011 @ 7:43am

Knee jerk laws are bad, but we do need to establish the rules of the road.
I agree that knee jerk laws are generally a bad idea. Having said that I think there _should_be_ a base line level of operations established by law.

Getting hacked is the cost of doing business on the internet, that's a given.

The occasional kitchen fire is the cost of doing business as a restaurant. We have laws that minimize the number of kitchen fires and the damage that can occur when they do happen. We regulate what can be stored where, the maximum number of people allowed and establish evacuation routes. Requirements for fire extinguishers, type and placement. There are rules about who must be notified and how soon. Sure it's a cost of doing business, but we expect commercial kitchens to live up to a certain minimum standard. You follow the standard, bad things are less likely to happen and when they do they will probably be less severe. If it turns out worse then at least you weren't negligent.

We need laws that state the minimums for operating a commercial business on the internet. You don't store spare propane tanks over the stoves in a restaurant, you don't store users passwords as plain text. You need to maintain at least this (some defined) level of security. You need to notify these (some defined) people within this (some defined) period of time in the event of a breach.

We are seeing some of it starting, such as the VISA PCI DSS requirements, but they are mostly voluntary. We needs laws that establish a baseline, backed up by penalties with REAL TEETH. So that it isn't cheaper to ignore them and consider whatever token fine amount as 'the cost of doing business'.

Real privacy and consumer protection laws. Real commercial baselines.

Until that happens we can expect to see more internet versions of the Triangle Shirtwaist Factory fire. (https://secure.wikimedia.org/wikipedia/en/wiki/Triangle_Shirtwaist_Factory_fire)
[ link to this | view in chronology ]
big al, 28 Apr 2011 @ 7:52am

welll...............................
but but but ...this IS the sony way.... sue em until they die!!! right or wrong got nothing to do with the suit...sue em until they give up... sony's screwup SUE em....bad luck...SUE em. remember it's the sony way!!!
[ link to this | view in chronology ]
DCX2, 28 Apr 2011 @ 9:09am

As much as I hate Sony...
I've been Sony free since the Rootkit back in 2005. But as much as I hate Sony, I don't want to see the company go down. Sony provides a lot of good jobs, and some of their people are even smart!

I just wish they'd wise up a bit. Stop using proprietary formats when off-the-shelf will do. Stop treating customers as their enemy.
[ link to this | view in chronology ]
Beta (profile), 28 Apr 2011 @ 9:19am

you get what you pay for
As long as people will sacrifice a lot of security for a little convenience, that's what the market will bring.

How about a two-key system? Instead of a human-memorizable password (like "NinjaDood4") which I must type in with my fingers -- and trust the server not to store or reveal -- every time, I could have a key pair: the server sends me a session key encryped with my public key, and I'm good to go. Nobody can decrypt that without my private key, the server doesn't know my private key, and nobody can break the encryption for another century or so. If the company wants to, say, sign me up for an expensive new service, they'd better be able to show my private-key-signed authorization, or they'll have to give back every dime. This system can still be hacked, but it's a whole lot more secure than what we have-- however it would require a tiny bit of effort to implement, and the consumers aren't demanding it.

Credit cards are ridiculously insecure, but the demand for a more secure (but slightly less convenient) solution just isn't there.

And don't get me started on SS numbers.
[ link to this | view in chronology ]
Vincent Clement (profile), 28 Apr 2011 @ 9:54am

I'd be more worried about the use of answers for security questions and birth dates than passwords. In some cases we are talking about names, birth dates, addresses and credit card info. This has long-term potential for identify theft.
[ link to this | view in chronology ]
Ron Rezendes (profile), 28 Apr 2011 @ 10:07am

When litigation is a business model...
The corporatocracy that we have become here in the US insists that litigation is a business model. That fact is proven by the government employees that enjoy the fruits of their labor when they leave their office to work for the very corporations they were supported by to get into office in the first place. The laws are in place to favor the business of extreme litigation and ridiculous awards based on psychedelic accounting figures that could only make sense to those without a moral compass.

Well paytards, if you want to live by the sword (courts), I'll be happy to watch you die by the sword (courts).

Looking forward to watching Sony get dragged naked over the coals, broken glass, and beds of nails before coming to rest in a pool of isopropyl alcohol.
[ link to this | view in chronology ]