Another Sony password leak

Yep

Sony must be pretty stupid to have all passwords and SS numbers of their employees high and low in a folder called "Password". Idiots.

Yeah, what idiots being victims of the equivalent of a breaking and entering crime.

Nomad said:

Yeah, what idiots being victims of the equivalent of a breaking and entering crime.

Why can't we teach boys not to steal?!

This is reality. Being stupid and letting your customers down by being irresponsible isn't entirely forgivable, even if you didn't commit a crime.

Sony is not at fault for having a security system which gets broken and destroyed by hackers. The (black hat)hackers stealing your bank account information are the criminals and not the company storing it... I will laugh my ass off if it are the united states divisions of sony being hacked all the time, instead of the divisions in sony its home country...

I wouldn't even keep that stuff on a computer with Internet access. It can collect all the queries on a net computer then at the end of the day or every hour, someone can humanly fulfill them via lets say floppy disk from the net server to the PC with all of the numbers on them.

50,000 ssn + ids is literally 1.2 MB. Then you'd only need to trust the one guy that transfers the info over and the software the connects IDs to SSNs. That shit can be encrypted too. Duh.

If it's confirmed to be North Korea because of The Interview, they're more retarded than I thought. Probably about as retarded as Sony right now, heh.

Sony North Korean or North Korea was the hacking country? Like how China is now hacking as a 'government tactic.'

FireFish said:

Sony is not at fault for having a security system which gets broken and destroyed by hackers.

Yes they are, their security methods have been and continue to be far weaker than they should be. They're not doing all that they can, they're skimping.

That's like saying a bank is not at fault if robbers come in and take all of your money because they only felt like investing in a wooden padlock door for the vault entrance.

Blame the victim. Like a woman that gets raped. Shoulda been karen pepper sprai.

They have people hired to protect that shit. Its a target like anything famous.

Sodaholic said:

Yes they are, their security methods have been and continue to be far weaker than they should be. They're not doing all that they can, they're skimping.

That's like saying a bank is not at fault if robbers come in and take all of your money because they only felt like investing in a wooden padlock door for the vault entrance.

Your analogy might work if you said that the bank is at fault for using LAST year's top of the line safe door mechanism and haven't upgraded to the recent year's. Security is ever changing and evolving and every company can't always anticipate what "hackers" know and what technologies they can crack.

geo said:

Blame the victim. Like a woman that gets raped. Shoulda been karen pepper sprai.

They have people hired to protect that shit. Its a target like anything famous.

This.

Glaice said:

Sony must be pretty stupid to have all passwords and SS numbers of their employees high and low in a folder called "Password".

Uh-huh. At least name the folder something else, like "Dear hacker, please do not look here". Not that it necessarily helps, but it's worth a try.

A directory labeled "password", eh? I see Sony is continuing to seriously value security. This is so dumb, the only way I could see it happening is if it was some sort of zany plot to misdirect hackers.

Now I'll admit I'm not up-to-date with computer security, but I'm going to guess 2013 standards didn't involve labelling your sensitive password data as "Password".

geo said:

Blame the victim. Like a woman that gets raped. Shoulda been karen pepper sprai.

They have people hired to protect that shit. Its a target like anything famous.

If you handle people's personal data, you are liable for the proper handling of that data under virtually every developed nation's legal systems.

Even if you contract it out, you are still liable. If data was inadequately protected / encrypted by the third party, you are still liable.

Sony have become a bloated mess of a company with divisions doing crazy things. For me, they lost it when they genuinely believed atrac3 and minidisc could compete with mp3. With godawful proprietary hardware, software, firmware and USB ports, they've pissed me off so royally in the last 10-15 years that I've gone from being a big consumer to an almost Sony-free existence.

geo said:

Blame the victim. Like a woman that gets raped. Shoulda been karen pepper sprai.

They have people hired to protect that shit. Its a target like anything famous.

It must be nice living in a world with little accountability for irresponsibility. Our generation has done wonders.

geo said:

They have people hired to protect that shit.

Obviously not doing their jobs particularly well.

Passwords in spreadsheets are a recipe for disaster, why not just stick them to the undersides of keyboards on Post-it notes, like most idiots do. Funnily enough, that would actually be a little more secure than Sony's approach.

I handle a lot of personal data over the past 15 years. Mostly via online stores, but also with hospitals and clinics with SSNs. Next year we're going to tackle law enforcement also with SSNs. I'm not looking forward to that. I need to hire a team, but that's if the lawyer can get a contract to us before mid January. Its already been 2 months.

We've even had to setup a dummy company 12 years ago so if we failed in security, that company gets sued, the company will close. Never fucked up or lost anything. Personally I hate the task, but I love it to prove I'm the best and I've always been a defender. *steps off high horse* After every giant data breach we get emails from our biggest client worrying if it could happen to him. Then we tell him nah everything is custom.

The password folder being labeled password is unforgivable, unless its a dummy folder. Instead 1,000 folder and files labeled things like 'rueurewpuhoifdhjvsvdkj' and 'ckjxjlcxjhxciuxdviuo' mar the system. Each password is its own file. Each SSN is its own file on an offline computer. Good luck looking through them all. Not just that, but the files themselves don't have file extensions. In fact several servers have 'pass' as a folder full of fake info using a different encryption. So if anyone does break in, they go straight for the fake ignoring the 1,000 folders of crazy random letters. Its a bitch to open 1 of those folders to wait for it to load.

The custom software knows all. Plus it makes dummy files and folders with the same exact info. Like fake users and passwords of non existing users. So if anything is compromised and a hacker says yes I have Bob Smith's credit card info, user name and password completely unencrypted. Well there is no Bob Smith. For ever 1 real SSN there are 10 fakes. I've often had arguments with my manager about the need for 10, because its extra file space. Not just that but no one's SSN is directly hooked to their name, just an encrypted ID that only the software knows. That's all the software's job.

Then what you do is come up with your own encryption system. Not just that, but have the custom software come up with several different encryption systems automatically so not even you know how to encrypt it. If you crack the encryption with 1, that doesn't mean you can use the same crack to decrypt the next one.

Put an offer on a hacker board, $10 to anyone that can break the encryption. Setup a fake site with the encryption so no one traces it back to the main site. If anyone breaks the encryption time to start over again.

Again, SSNs should never be on a computer hooked to the Internet. It should be in a room with one man trusted to carry out moving info from the net computer to the offline PC that has no USB, just a floppy disk. Relying on the custom software to make sense of it all.

Awww shoot, which bandwagon should I jump on? Obviously I think it's important that Sony take its security seriously, so the "blame Sony" bandwagon seems pretty tempting. On the other hand, there's really no such thing as a perfect security system - unless you ensure those files are physically inaccessible from the outside world (stored on computers completely cut off from the Internet), there is always going to be a chance someone will gain unauthorized access to them.

Ultimately, I guess my thoughts lie somewhat more on the side of, "What the hackers did was wrong, I don't see why it's treated differently than if they broke in and stole stuff in real life." I mean, if someone breaks into a home or a business, no one's ever gonna defend the thieves by saying that if they had better security, it wouldn't have happened. Online, however, it's almost treated like if their security has a hole or whatever, even an unforeseen one, then breaking in and stealing shit is fair game. To me, that almost encourages the hackers, because a lot of people see it as, "Well it's not really a crime unless you get caught." Or to put it another way, the morality of it is somewhat removed because the blame gets put on the victim for not having security that's up to snuff - no one gets really angry at the hackers who broke in, so the moral connection is somewhat lost.

Jump on both band wagons. Its everyone's fault. Their fault for working for Sony. Sony's fault for not having good enough employees to defend it. The fault of the criminals for stealing it. The fault of the US government for giving SSNs without the ability to change compromised numbers like credit cards and bank accounts.

Blame. Its what people talk about.

The North Korea theory sound ridiculous. Aren't they like 50 years behind in technology? Where would pro hackers come from?

North Korea and South Korea are two seperate cases, one should not generalize everything as Korea... The official live feed on youtube for the ''korean broadcasting system world'' devision can or will show you bits and pieces of life in South Korea inbetween the drama series. cities, cars, computers, modern hospitals reconstructing living people their broken skulls, happy children, and English subtitles.

Memfis said:

The North Korea theory sound ridiculous. Aren't they like 50 years behind in technology? Where would pro hackers come from?

They are in-dated enough to build their own OS. Which is more than what could be said for many first-world, democratic countries (especially in Yurope) that just swallow whatever comes from the USA, when it comes to software.

FireFish said:

North Korea and South Korea are two seperate cases, one should not generalize everything as Korea... The official live feed on youtube for the ''korean broadcasting system world'' devision can or will show you bits and pieces of life in South Korea inbetween the drama series. cities, cars, computers, modern hospitals reconstructing living people their broken skulls, happy children, and English subtitles.

What the hell are you even talking about?

Maes said:

They are in-dated enough to build their own OS. Which is more than what could be said for many first-world, democratic countries (especially in Yurope) that just swallow whatever comes from the USA, when it comes to software.

And what the hell are YOU talking about?

South Korea? Government-built OSes? Is everyone just freestyling on whatever irrelevant crap crosses their minds?

I was merely replying to Memphis' calling NK tech 50 years out of date, and I duly noticed that they aren't exactly using Altairs 8800 (though that'd be "only" 40 years outdated).

And certainly, if they can design their own "gov't sanctioned OS", they certainly can train pro hackers, especially if their mission is to wreak havoc on dirty capitalist pigs ;-)

BTW, in regimes such as NK, everything MUST be gov't sanctioned, or otherwise it simply doesn't exist, on several levels.

Maes responded to Memfis his note about being 50 years behind the loop, by providing an example of them being up to date. And i noted the generalization of Korea as a bad thing to do while adding to the topic and also adding to the remark about technology.

I do not get how a moderator can be so hyper-active in his quest to ridicule posters and create a sense of arrogance around his internet persona...

No, no, I agree with that part - NK is apparently investing heavily into cybernetic warfare, or whatever is the latest buzzword for government's hackers. I was a bit surprised that NK hackers would leave behind some of those snarky pieces of hacker wisdom about securing your system better instead of... more formal blackmail, heh.

FireFish: But no one is talking about "Korea" or "South Korea". We're only talking about "Best Korea" and you're interfering by lecturing us on something everyone with a brain knows.

Maes said:

They are in-dated enough to build their own OS.

A few years ago many Russian news agencies reported that a 15 years old school kid developed his own OS. Unsurprisingly, it was just some Linux distro with a customized desktop and silly stuff like that. I wonder if this Red Star OS is any different.

Memfis said:

A few years ago many Russian news agencies reported that a 15 years old school kid developed his own OS. Unsurprisingly, it was just some Linux distro with a customized desktop and silly stuff like that. I wonder if this Red Star OS is any different.

Well, I understand your scepticism. Ages ago (2000-something?) Greek TV news ran a story about the "most computer-savvy kid in Greece", "Greece's youngest computer wizard"...which turned out to be simply the youngest recipient of the ECDL in Greece at the time, at 14 yo or something :-)

However, NK use their own internal network, and I presume they'd need a lot of extra security, checks, censorship or other special features on top of vanilla Linux. In any case, way beyond a simple customized desktop, and much more customization than one could do with a Windows-based OS.

Maes said:

However, NK use their own internal network, and I presume they'd need a lot of extra security, checks, censorship or other special features on top of vanilla Linux.

Easy solution for that, but is Kim Jong Un a fan of Android or iOS?

Memfis said:

A few years ago many Russian news agencies reported that a 15 years old school kid developed his own OS. Unsurprisingly, it was just some Linux distro with a customized desktop and silly stuff like that. I wonder if this Red Star OS is any different.

Yeah, here in Chicago they had a segment on an 8 year old that came up with his own amazing game app all on a car ride back from Florida. Researched how to do it and made it, put it on the app store all on the ride home. Its a good simple game. What does the father do for a living? Designs apps.

A man that designs apps is nothing special, a kid that designs it is something news worthy.