Go watch Chobits and tell me you don't want a synthetic human companion.....
611 posts • joined 20 Mar 2007
Ever heard that word all you panic merchants? Cumulative is not the same as concurrent. Even if the 13 counts against Swartz had a cumulative maximum penalty of 30 years, it's more than likely that due to mitigating factors (such as no financial loss, no violence and no personal gain) he'd have felt the light end of the sentencing spectrum. Then we come to the simple fact that the sentences would likely have been served concurrently as is common in cases with multiple counts.
The truth here is that someone broke the law repeatedly and faced a period of time in a minimum security setting. The fact that he killed himself does not make the justice system wrong for prosecuting someone that broke the law. Just like his offenses, his decision to kill himself was his alone. We have no idea what advice his lawyers were giving. Given the facts of the case I would hope that they would have been level headed and pointed out the likelihood of a light sentence if found guilty.
Regardless, it seems somewhat asinine to blast the justice system if a criminal decides to kill themselves rather than face the music. Just because we call the crime white collar and it obviously was not a particularly severe offense does not alter the fact that it was an offense.
How can anyone in Apple, Samsung or any other tech company claim to have originated any of this stuff? Touch screen tablet devices? Touch screen phones (in reality little more than shrunken touch screen tablets with phone capability)?
The concepts that these devices lean upon existed long before anyone had the technology necessary to put an actual device together. That's kind of the thing about science fiction, you know? PADDs, Tricorders, and so on and so forth. The concepts embodied in the fictional devices ultimately lead to real devices once the technology is there to support it.
As for obviousness, if you have a roughly pad sized touch screen device, and you're using a GUI related to a WIMP interface, then a grid of icons that you select by tapping is a completely obvious solution. So's that rectangular shape. I mean really none of this should be patentable at all, all this BS with software patents has gone too far, there are so many applications that the USPTO can't properly evaluate them, and then corporates choose to use these horribly weak, but granted, patents in legal action against their competition. Pretty bloody sad that they can't compete with products and choose instead to compete with dubious patents in an attempt to bully competitors.
Pathetic. USPTO should be ashamed, US legislature should be ashamed, US courts should be ashamed, Apple should be ashamed. It's time that this nonsense stopped, patents are becoming meaningless.
OK, so I know the judge apparently ruled that 2001 could not be cited as prior art against the 'patent' of a computing device in a 'pad' format with a touch interface. My question is why? The patents in this case are so fecking trivial it makes your eyes water. And since when could someone patent the look and feel of a device?
But, function over form please. Let's review. Patents are granted for truly new innovations that have no prior art (similar prior occurrence) and are non-obvious to a practitioner in the field.
So, let's say you watched 2001 or Star Trek and so you already have the idea of a touch pad device. Furthermore you've watched innumerable other science fiction movies/shows where similar touch enabled devices appeared. On top of that you've worked with some of the early touch devices and track pads and now the technology has advanced enough that you can actually integrate a touch screen into a rectangular device less than an inch thick. What do you think you're going to produce? Oh, I know, a clam-shell designed laptop with a keyboard? Probably not, how about a touch sensitive device aka a tablet? Since the controls are all touch based you don't have many buttons. The size of the device is pretty much decided by the size of screen. 100 different practitioners in the field would produce similar devices independently.
I just don't get how Apple is winning these cases, their logic and reasoning is just a big pile of self serving shite. When you sit down and look at making a portable touch screen device that can act as a notebook, an e reader, a video viewer and a web browser, there are very few ways you can go with the design. The same is true of the GUI since everything is based on windows/icons and the ability to select by touch. There really are only so many ways to slice a potato, and that's what this and other recent Apple cases come down to.
The standard I would always go back to would be the original Startac flip phones. They were the first real device that actually functioned as a communicator and even used the flip action to accept and end calls - just like the communicators on StarTrek. Can anyone honestly argue that Motorola came up with those concepts on their own? Sure, their hinge mechanism could be patented, but not the clam-shell design or open to answer feature. This is the same kind of thing to me, and this is what is killing the tech industry. Companies somehow being able to patent things that truly are obvious.
Thanks USPTO you guys do such a fantastic job of rubber stamping applications. You rock! The amount of money that will be spent invalidating unreasonable patents is incalculable, and the amount lost to the economy thanks to their restrictive effect of patents is similarly uncountable - and all of that waste comes thanks to the USPTO and legal system.
Let's see if we can wrap this up in 3 paragraphs shall we?
Rootkit - Sony BMG, not Sony corporation, makes a truly stupid move because they haven't got the first clue about the implications of the DRM software that they have been sold by a British company. When those implications become painfully clear they recall all the affected CDs and destroy all the 3 million unsold discs with the pernicious software on it. They issue a quick fix to help remove the offending DRM, which turns out to be insecure itself, and then finally they get it right and remove it. This all happened within 6 months of them acquiring the DRM software BTW, so it's not like they sold this stuff for years and did nothing to correct it. The decisions with respect to XCP and the whole DRM on CD fiasco were entirely local to Sony BMG and the 100,000 other employees of Sony didn't have a clue it was happening, and I suspect some of those 100,000 might even have been affected by the XCP software themselves. Of course this happened some 8 years ago and Sony corporation not only recalled the CDs and made some restitution, they also recognized it was wrong.
Sony did not demand the IP addresses of anyone to do with anything. Their lawyers did. It's not a technical distinction, it's a huge distinction. The IP addresses were requested by Sony's lawyers so that they could be used to determine how many people that had viewed GeoHot's published information actually were in the jurisdiction of the court. That was the only purpose that the information could serve. The list of addresses was never given to Sony, nor could it have been. The IP addresses themselves are hardly a private piece of information and do not contain any personally identifying information in any case. As usual the media and ill-informed fanbois who still have a rootkit stuck halfway up their nether regions jumped up and down and waved their hands in the air without bothering to look at the scope of request, the limitations imposed by the court or the purpose of the request in the first place.
I always love it when people say that launching the PS3 at $600 was somehow an offense worthy of putting people out of a job. First of all, the PS3 debuted at $500, not $600, get that through your thick skulls please. Secondly, the build cost of the least expensive PS3 at the time of launch was approximately $850. So at the launch prices Sony was losing anything up to $400 per unit (about $350 per 20GB system) sold. Sounds to me like that launch price was quite a gift to consumers that were getting a $1000 system for half the price. My, how totally offensive it was of them to do that.
What's that? You want to talk about their lack of security on PSN? OK, so let me ask a few questions before we break into that discussion... Was the PSN hack the largest data breach ever? No, it wasn't. Were passwords stored in plain text (as often alleged by ill-informed morons)? No, they were not. Were Credit Card numbers and verification codes stolen from PSN? No, there is no indication that the CC processing systems were penetrated. 1 old development database was plundered at SOE that had a small number of expired card numbers on it, but that's about it. Besides, the CC database was encrypted. Did Sony take an unconscionable amount of time to reveal the hack? No, they didn't; within 48 hours of confirming there was an attack they issued a public statement that they had been attacked, within about another 48 hours they issued a statement based on the preliminary third party analysis that they could not find any reason to believe that credit card information was stolen, but advised out of an "abundance of caution" that people check their accounts anyway. It did not take weeks or even months for Sony to come forward with this information. Nor did Sony stint on the counter measures used to protect customers since they shut down their entire network to ensure the security of their customers. Ah, but let's not let facts get in the way of accusing Sony of mistreating customers' data and having no security...
What? You think that there is still more? Because you don't like their phones they should fail and people should be out of a job? Really? Because I'm pretty sure that the folks working at Sony did not mean to offend you so mightily by not being the ones to deliver you an iPhone.
Oh, wait, I know, you were one of the 10 people world wide outside of the USAF and a couple of academic establishments using Linux on a PS3. Nasty Sony, imagine trying to protect their PS3 against pirates and hackers. Why they should have issued an optional firmware that maintained the security of the PS3 by optionally removing Linux. That way you would have had the choice of removing Linux and staying on the PSN, or keeping Linux and leaving PSN for the moment. Oh, hang on, they did do that and you *did* have the choice. And as it happens, Sony was absolutely damned well right considering that Linux was used as a vector of attack which ultimately broke through the hypervisor and beyond... almost as if Sony was trying to protect their system against security threats, wasn't it?
Yeah, Betamax! And don't forget Mini-disc. Those bastards at Sony obviously had it coming for producing those products. Oh, let's not forget BluRay. How exactly was developing a superior high definition video format for the home an offensive action? Good grief, they sold their main BluRay player at a huge loss for years, is that forcing it down your throats? You had a choice, buy or do not buy. Not to mention the fact that BluRay isn't Sony proprietary technology, there is a whole industry group behind it that includes everyone except Toshiba. Although since Toshiba failed to spoil the BluRay party with their HD-DVD proprietary format, Toshiba might have rejoined the BluRay group again.
See, this Sony hatred really is odd to me. I think it's interesting that the real Sony hate started in 2005, at about the same time as the BluRay/HD-DVD struggle started, and about the same time as the Xbox 360 fell into the market. It's almost as if on cue there was an increase in Sony hate in the year before PS3 arrived. Almost like it was orchestrated by a group that just didn't want the PS3, or Sony, to do well... With a PR gift like the BMG rootkit it was pretty easy going for that movement of hate. What amazes me is just how many people really buy into the Sony hate without really having any objective reasons for doing so.
Well, not that this adds much to the story, but way back in the mists of time I wrote an ARM emulator in C. It was binary compatible with the ARM processor that was in the original Archimedes series of computers. The idea was actually to test the impact of cache memory in a high performance architecture. To do that I needed complete traces of binaries running on a processor. Being a totally logical student I decided to build my own ARM emulator and virtual cache memory system.
I recorded the processor traces for memory access and then fired them at the cache memory simulation. I got what you might call the expected results too - cache memory turns out to be really effective (surprise, surprise). But the fun thing was building the emulation of a complete CPU in C. It ran at 3000-4000 instructions per second which wasn't bad considering all the debug code and trace code embedded within it. Of course it never saw the light of day outside my college days, but I still remember coding the thing. The design of the ARM was so clear that you could almost pseudo-code the instruction set.
The minds behind the original design are some of the best in the industry. Truly.
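The post above describes the trace-driven approach: record the memory accesses a program makes, then replay that address stream against a model of the cache and count hits and misses. The following is an added example of that second half, not the poster's own emulator or cache code: a small set-associative cache model with LRU replacement, fed two constructed address traces (a loop over a 64-byte array standing in for a recorded trace, and a deliberately conflicting pattern). The geometry (16-byte lines, 4 sets, 2 ways) and the trace addresses are assumptions chosen so the numbers are easy to check by hand.

```c
/* Trace-driven cache simulator (added example; hypothetical geometry and traces). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BYTES 16u   /* bytes per cache line (assumed) */
#define NUM_SETS   4u    /* number of sets (assumed) */
#define WAYS       2u    /* associativity (assumed) */

typedef struct {
    int valid;
    uint32_t tag;
    unsigned long last_used;   /* logical timestamp for LRU */
} cache_line;

typedef struct {
    cache_line sets[NUM_SETS][WAYS];
    unsigned long hits, misses, clock;
} cache_sim;

static void cache_reset(cache_sim *c) { memset(c, 0, sizeof *c); }

/* Look an address up; on a miss, fill an empty way or evict the LRU way. Returns 1 on hit. */
static int cache_access(cache_sim *c, uint32_t addr) {
    uint32_t block = addr / LINE_BYTES;
    uint32_t set   = block % NUM_SETS;
    uint32_t tag   = block / NUM_SETS;
    cache_line *ways = c->sets[set];
    c->clock++;

    for (unsigned w = 0; w < WAYS; w++) {
        if (ways[w].valid && ways[w].tag == tag) {
            ways[w].last_used = c->clock;
            c->hits++;
            return 1;
        }
    }
    unsigned victim = 0;
    for (unsigned w = 0; w < WAYS; w++) {
        if (!ways[w].valid) { victim = w; break; }          /* prefer an empty way */
        if (ways[w].last_used < ways[victim].last_used) victim = w;  /* else least recently used */
    }
    ways[victim].valid = 1;
    ways[victim].tag = tag;
    ways[victim].last_used = c->clock;
    c->misses++;
    return 0;
}

/* Replay a whole address trace through a fresh cache; returns hits, stores misses. */
unsigned long run_trace(const uint32_t *trace, size_t n, unsigned long *misses_out) {
    cache_sim c;
    cache_reset(&c);
    for (size_t i = 0; i < n; i++) cache_access(&c, trace[i]);
    if (misses_out) *misses_out = c.misses;
    return c.hits;
}

/* Constructed trace: a loop reading a 64-byte array one word at a time, three passes (48 accesses). */
size_t build_loop_trace(uint32_t *out, size_t cap) {
    size_t n = 0;
    for (int pass = 0; pass < 3; pass++)
        for (uint32_t off = 0; off < 64; off += 4)
            if (n < cap) out[n++] = 0x1000u + off;
    return n;
}

/* Constructed trace: three lines that all map to set 0, touched round-robin (12 accesses).
 * With a working set one larger than the associativity, LRU evicts exactly the line needed next. */
size_t build_thrash_trace(uint32_t *out, size_t cap) {
    static const uint32_t lines[3] = { 0x1000u, 0x2000u, 0x3000u };
    size_t n = 0;
    for (int round = 0; round < 4; round++)
        for (int k = 0; k < 3; k++)
            if (n < cap) out[n++] = lines[k];
    return n;
}

int main(void) {
    uint32_t trace[64];
    unsigned long misses;
    size_t n = build_loop_trace(trace, 64);
    unsigned long hits = run_trace(trace, n, &misses);
    printf("loop trace:   %zu accesses, %lu hits, %lu misses\n", n, hits, misses);
    n = build_thrash_trace(trace, 64);
    hits = run_trace(trace, n, &misses);
    printf("thrash trace: %zu accesses, %lu hits, %lu misses\n", n, hits, misses);
    return 0;
}
```

The loop trace shows the effect the post reports: only the first word of each 16-byte line misses, so 44 of 48 accesses hit. The thrash trace shows the failure mode a simulator like this exists to expose: three lines competing for a 2-way set under LRU miss on every access, which is the kind of pattern a real recorded trace would reveal and the reason to sweep geometry parameters before committing to a design.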
Remember Sony and the whole PS3 security debacle? There's this persistent train of thought among the people who are proponents of such hacking efforts that when you buy the machine, you automatically have ownership not just of the hardware, but of the software (which is wrong - legally speaking). Now, the reason I mention this is not to get that whole discussion going again, so let's just not go there, but rather to emphasize something that has always been stated in such examples. The purchaser owns the hardware.
Let me say that again, the purchaser owns the hardware. The firmware is software stored electronically, and is not part of the hardware and is therefore not owned. But, the purchaser of a piece of hardware owns that piece of hardware. Now, here's the important part of that;
If a company designs a custom crypto algorithm into hardware and sells that device to people, the purchasers *own* it. They can do whatever they want with it, they can peel it open, put it under an electron microscope, scan it, analyze it, do whatever they want - because they own it, it's perfectly legal. That custom crypto algorithm that is physically expressed in the hardware, well, the purchaser owns that too. There is nothing to stop them from analyzing and reverse engineering it, nothing. The law only says anything about what can be done with the knowledge gained through reverse engineering. However since most people engaged in cracking custom crypto systems to make products that facilitate piracy are in the business of breaking the law anyway, it really doesn't matter to them, does it?
Perhaps appropriately, if the crypto is expressed in software there is more recourse in the law against those attempting to crack it, than there is if the crypto is done in hardware, because software is protected by copyright, license terms and all sorts of other wonderful legal tools.
So, as this kind of thing becomes ever more possible, expect to see crypto moving to software again, and expect hardware to come with very small amounts of flash memory that can physically only be flashed once, and which cannot be read off chip, unless you happen to have a rig that allows you to tap the various data bus lines on the die itself, which is not something that is currently feasible outside of the blue sky research done in places like IBM. That will be used to store fragments of code and or key fragments that can be used in an isolated secure processing environment to provide runtime crypto services. Either that or I think we'll see other solutions such as requiring an always on connection and regularly updating crypto services through encrypted software updates. Of course that will require the constant refreshing of the encrypted content too, but in a world of apparently limitless bandwidth, that isn't impossible.
Either way, the industry will not stand by and watch hardware crypto fall without some level of response, and since it's practically impossible to prevent someone from looking at the physical architecture of a piece of silicon, I'm sure we will see hybrid solutions that also reflect the legality of cracking attempts.
The fuel rod casings reached high enough temperatures to become flexible and fail - they melted. The fuel pellets on the other hand did not melt (as far as anyone knows). The evidence that the fuel itself did not melt is actually pretty solid because there has been no measurable release of fuel from any of the reactors, only fission products.
...the metal cladding on the fuel rods was melted, or heated beyond tolerance and ceased to hold its shape. Either way, the fuel pellets were released from the fuel rods, but the actual fuel did *not* melt. That's why you have seen no release of fuel material to the environment.
Where is all the vitriolic scorn that is directed at Sony every time there is an SQL injection attack on some tiny system of theirs these days? We can be scornful of a consumer entertainment conglomerate having a few security issues, but when a firm that is dedicated to internet security gets hacked through an SQL injection attack we talk about it as if it's small news?
Eh? Seems like if anyone deserves scorn after an attack, it's a company that specializes in Internet security.
I can't help wondering why some want to hold Sony to a higher degree of scrutiny than a leading defense contractor. I note that even the article takes a conciliatory tone over the attack.
Good grief, this is a major defense contractor that works on highly classified projects, and yet their network was penetrated and will be down for a period of at least two weeks for remote access users all of whom now have to get new tokens. Should we not expect that if anyone can secure a network against attack it would be a leading defense contractor that is a clear target for foreign sponsored cyber attacks?
I can't help but wonder whether that Amazon cloud computing service was used to brute force some SecurID tokens in order to do an end run around all the usual PSN security and access things from the 'inside'.
That's pretty much what was being attempted at LM. Interesting. I'm thinking that anyone using SecurID wants to re-issue tokens, or try something else.
That kind of paranoid thinking has got fail written all over it. Whether Hotz's firmware allowed piracy or not, the keys were released by him along with what amounted to a How-To guide. You'll note, if you re-read my post, I did not mention the firmware he produced, although I would definitely challenge its legality on the basis that I don't for a nano-second believe that Hotz penned all 100% of the code he posts as firmware, and in fact he's either modifying Sony's code and/or incorporating their code in his 'custom' firmware.
Jack, if you have a PS3 and have ever played online, or started PSN, you have agreed to many terms, including the license for the firmware. The very nature of your own arguments strongly suggests that you are more than aware of the terms of the license. As to your line about your PROPERTY, you're a damned fool if you believe that. Software is licensed, hardware is sold. You do not own the software.
Zongo, Sony doesn't give a darn what you do to the hardware, as soon as you physically modify the hardware beyond the scope of permitted upgrades they consider the warranty nullified and don't care about your **hardware**. The system software running on that hardware is not part of the hardware, it is stored on the hardware but it is a separate element, and Sony does very much care what you do with that. That's why it's encumbered with license terms.
I honestly can't see what is so hard with the concept that you buy the hardware and license the software. If you break the software license, be aware of the terms it provides in the case of one or other side breaking the license.
I've been following PS3 and the attempts to hack it since before GeoHot drilled his first hole in a motherboard. I know what happened and when. Facts are facts, and they do not line up with your passionately held opinions. Remember though, no matter how dear you hold your opinion, a single fact can make your opinion irrelevant.
You know, if you actually go back through the history of Sony, the PS3 and all of this bullcrap that's been going on and look objectively at Sony, the various hackers and others, as well as the Media reactions, it's actually very hard to see where Sony has treated anyone particularly badly.
Sony sued GeoHot et al after the metldr key was published along with information on how to use it to circumvent all copy protection on the PS3. They obtained court orders against one German hacker who was engaged in similar works of publishing protected information about the PS3's security mechanisms. All of these actions were taken in the realm of the legal system in the relevant countries. Sony's attorneys asked for some information pertaining to the locations of people that viewed the information published by GeoHot for the very limited legal purpose of establishing the jurisdiction for the court case in California against GeoHot. That was horribly mis-reported by the world plus dog as if Sony Corporation was seeking personal information on millions of people. That was never the case, nor could it have been. The court did not order that, and the information that was ordered could only go to Sony's attorneys, not Sony. Had Sony obtained additional information and mis-used it as so many alleged they wanted to, Sony would have been near instantly indicted at a high level by government prosecutors. It's ludicrous to make the kinds of claims some do about things like those subpoenas to establish jurisdiction.
Regarding the whole OtherOS, Sony was in the end vindicated in their removal of OtherOS in response to GeoHot's original hacking of the hypervisor - yes children, Sony reacted to defend their platform against hacking. The hacking predated the removal of OtherOS, not that anyone bothers to mention that little factoid anywhere. It would not be necessary for anyone to 'restore' OtherOS had the little moron GeoHot not indulged in his little egofest of publicly proclaiming he had 'pwned' the PS3. Oh, but, I guess we should forget that it's HIS own fricking fault that OtherOS was removed, otherwise we can't cast the little guttersnipe as a freedom fighter trying to restore what the greedy corporation took.
Oh, I guess we should also point out that for those so married to their OtherOS that they'd rather break the law, cost companies millions of dollars and adversely affect millions of consumers than give it up, you didn't have to give up OtherOS. If you were so bloody keen on it, you simply didn't need to install the firmware upgrade that disabled it. Yeah, I know you would lose access to PSN then, well, so what? PSN is a free service and you have to meet its requirements to use it. But is that minor inconvenience really a justification for all that has happened? Really? I mean, really? You couldn't just have put up with a minor inconvenience rather than have all that has occurred since?
Oh, and while we're at it, since GeoHot was the reason for OtherOS getting the boot, why are you blaming Sony again since it was not them that attacked the system?
Actually, when you look at it all, Sony has not been the one mistreating anyone. But I know I'll get downvoted for saying so. The media, the hackers, the anonymous, the freetard gamer population who bear no consequences for their words, these people have been treating Sony like public enemy number one. Hell, I've seen more vitriol aimed at Sony than Osama Bin Laden. That's plain stupid, but it's truly the case.
As for dictatorial actions, did you read GeoHot's terms for settlement with Sony when their action first started in court? That was dictatorial. The ultimate settlement that had GeoHot all but grovel in apology is a far cry from his demands earlier. That should tell you something about the merits of his case. Perhaps that should tell you something about the merits of this entire thing.
Ah well, I know none of this will change your mind, but perhaps someone reading it might take a moment or two to stop and actually think...
They sued after some a$$hat called GeoHot decided to publish the metldr key that was not required to restore OtherOS, but which effectively allowed hackers to ignore any semblance of copy protection on games - resulting in the ability to load pirated copies of games on custom firmware systems. Get your facts straight at least.
Are you still blathering on about the BMG CD rootkit fiasco of more than 6 years ago as if it was current and universal? Holy crap, can we apply just a moderate amount of perspective and stop talking like there is a current issue - which there is not? Well, not unless you count the millions of malware attacks a day that attempt to rootkit your PC that have nothing to do with Sony.
Funnily enough, I thought that taking legal action to protect legally protected information and systems was...well...legal. Seems to me, that you have a chip on your shoulder about something and have elected to blame Sony for it regardless of cause.
...means that root access to OS and Database services was attained? Oh really? Where did you get that computer science degree, son, the box of cereal you opened this morning?
That's just a ridiculous thing to say. Website defacing has been going on since the web started and does not require or imply root level access, or much elevated access at all.
If I break a law, I am aware of that, and prepared to accept the consequence. That is the gist of what you are saying.
Well, OK then. That's nice. However the hacktivists here, and the hackers cracking the PS3 do not accept the consequence of their illegal acts. In fact they believe that they have done nothing wrong because they believe that the laws are wrong, and therefore do not apply.
Even if you decide to break a law, knowing what it is and what the consequences are, you are still paying attention to it, you are still respecting it because you are aware your actions carry consequences. If you were simply ignoring the law, you would not accept that there are consequences, and would do as many in this hacktivist scene have.
As for your example about marijuana, governments have been considering legalization for decades now, and not one has done it, nor are they likely to.
The law is that which separates civilization from anarchy.
Utter bollocks? Yes, keep telling yourself that, one day you'll grow up and realize you buy the hardware to run the software. The software is a separate product, and even if you're allowed to use it for free, that comes under certain terms and conditions that restrict what you can, and cannot, do with it. Firmware is software that you are allowed to use for free, it is, for your convenience, installed on the PS3 you buy, but it is still considered a separate thing and governed by its own license and terms.
Sony didn't place a rootkit on CDs, BMG did, yes they are owned by Sony. However, Sony, and SCE in particular had nothing to do with that at all. Not to mention the fact that they admitted the wrongdoing and had to make good. Never mind that the music CD fiasco affected a relatively small number of people in fact, let's all just trot it out as an excuse to hate years later shall we?
I don't even know how to begin to address the rest of your post since Sony as a Japanese company has little or nothing to do with politically motivated US Supreme court decisions relating to the insane topic of granting corporations rights as individuals. Personally, I think you are letting your own irrational hatred cloud your judgement with respect to Sony. Though I suspect that we agree on the utter folly of granting corporations individual rights in the US.
four separate security groups (that we know of) working with Sony's own in-house team.
What I find interesting is that URL exploit that was found on the password reset page last week. That looked to me like a day 1 kind of flaw, and yet it was not found until now. The odds are it was never even exploited in anger. But it has taken an unprecedented degree of scrutiny on their network security to find these things. I wonder how many other companies with big networks are aware of how insecure they really are?
Since Anonymous has virtually no control of its 'membership' it's impossible to know whether there is a large number of criminals who operate under the guise of Anonymous. I rather suspect that there are, after all, if some naive group of script kiddies is going to do as they do, why not take advantage of such a perfect smoke screen.
My problem with this kind of Hacktivism is two-fold.
First is the pompous crap emanating from the hacking community and Anonymous. I mean, seriously, do they honestly believe the stuff they say? Secondly, there is a really simple problem with all of this. The law. The law exists to protect society, and provide a structure by which wrong doing is punished. You can't simply decide which laws you will respect and which you will ignore. Either you have law or you do not. If we're supposed to accept that it's OK for hackers to ignore intellectual property laws or computer mis-use laws or privacy laws because they are inconvenient or because there is some higher purpose, then does that mean we accept that anyone can decide which laws they will pay attention to because in their mind it's convenient or has a higher purpose?
That's completely ridiculous as most people accept. As soon as you start allowing people to ignore laws they dislike you set a horrible precedent that can open up the possibility of people ignoring all kinds of laws. Does the world really need to give criminals that kind of a break?
The law is the law. Law varies from country to country, but in general most western nations have similar legal systems and laws governing intellectual property and computer mis-use. If you break the law, you pay the price, even if you claim you're some kind of virtual freedom fighter trying to restore OtherOS.
The subpoenas from Sony's attorneys were for sufficient information to establish jurisdiction in the Californian court. The data did not, nor would it ever, go to Sony. Sony is not trying to silence people who talk about the PS3, or people who modify their hardware. You can turn your PS3 into a Foreman grill if you like, they don't care. If you start discussing protected information such as encryption methods, or keys, or how to circumvent those things, they care. If you put that discussion on the Internet, they care. If you modify your PS3 with custom firmware that allows the breaking of game copy protection or PSN security - they care.
Sony sued GeoHot in the US civil court. GeoHot was never in any danger of jail time (try telling that to the usual hot heads that bleat about Sony trying to put him away for good). Sony did not in any way act illegally, they use the civil law in the US just like everyone else can.
Oh, and by the way, regarding the user license agreement that people are so fond of virtually shredding; when you buy hardware, you buy only the hardware, nothing else. The firmware that comes installed on the hardware is *not* yours, it is not part of the hardware and is not part of the purchase price. The firmware is software that you use subject to license terms. That is how software is sold and distributed. All that free open source software is governed by the GPL, if you break the GPL, you will end up in court, it happens every day. Just because Sony is a large corporation and has their own specific license terms for their software does not alter the fact that the software is licensed to you under the terms of the license. Just as access to PSN is granted under certain terms of service. Neither the software license nor the terms of service for PSN are invalidated because someone labels them an EULA and unenforceable. Software licenses have to be enforceable otherwise software will simply not continue to be a profitable business. Terms of service on networks have to be enforceable to prevent rogue devices on proprietary networks and to prevent unauthorized access. It's their network, if they don't want modded PS3s on it, that's their right. The fact that you have modded your PS3 does not put Sony in the wrong when they perma ban your console and PSN ID.
Last, all the glee at Sony's discomfort comes not at the expense of some disembodied evil corporate entity. It comes at the expense of ordinary working people employed by Sony in whatever capacity who no longer have a job thanks to the economic impacts of hacking or piracy. Yeah, that's right, people do lose their jobs when companies lose profits thanks to criminals. So all that 'dancing for joy' crap that people indulge in over the heroic hackers attacking the evil Sony comes at the expense of ordinary people who have in no way done anyone any harm.
I guess it's easier to think of Sony as a disembodied Sith Lord though since looking at it in a realistic way means you have to recognize that real people can get hurt.
Whatever Graf did, in Germany Sony has sufficient strength of case against him to gain two court orders that involved the police seizing items from Graf. Not Sony, the German police. Sorry, but whatever your personal opinions of the laws, if you break them, there are consequences. Graf seems to think that because 'hacking the PS3 is his life' he should be exempt from German computer misuse laws. It doesn't work that way. BTW, Graf also published a great deal of information about the PS3 firmware's innards, much of which is useful to those attempting to break the platform's security, pirate games and access PSN in unauthorized ways.
Excellent post. This is all targeted at Sony today, and for whatever reason Sony has garnered a great deal of hatred from a certain fraction of the tech community (hatred that is far in excess of any wrongdoing that Sony, or BMG, could ever have been accused of). However, next year, tomorrow, whenever, it could easily be someone else. There is a bigger picture that goes far beyond the petty hatred for Sony and the glee at their discomfort.
Sony and others are supposed to just give up and take no action to protect their products and services in case a bunch of cyber-terrorists decide to go after them? What's next? Protection money?
Suggesting that Sony shouldn't have tried to protect the PS3 after people (including Hotz) publicly posted various keys and information that led directly to piracy and platform insecurity, because the hackers threaten revenge, is like telling someone to give in to blackmail. You simply can't do that.
It's ridiculous to expect any company to give in to the implied threats of a bunch of malcontents, anarchists and script kiddies if said company tries to protect its products. There's no way in hell that's sustainable, and no one should expect it to be. I know lots of commenters here have a hatred for Sony that goes so deep as to be irrational, but I would hope that even they can see that if you take Sony out of this discussion and substitute any leading tech company instead, you cannot expect them to give in to that kind of blackmail or threat. It's just impossible. You cannot do business in a situation where your ability to do business is governed by the whim of a few entitlement-minded hackers and their egotistical friends in dark places.
Ha! Typical security for beginners by Microsoft. Ah well, they probably deserve it. But how could they be so lax and allow such an attack? It's unthinkable, and they still cannot tell us how many people were affected?
Come on Microsoft! How many users affected, how much personal information at risk, what is Microsoft doing to mitigate the harm of this attack? I want to know, and I want to know NOW!
Perhaps Congress should get involved and demand some answers... like they did with Sony?
Take a 4-year-old console that's been heavily played. Stir in a power-hungry CPU and GPU combination that puts out considerable watts of heat. Add some thermal paste that is aging, and one aging fan that contains four years of accumulated dust and grime. Mix well and add to a PSU that's aging and less efficient than it used to be, and you have a recipe for excess heat production in an environment that cannot remove the heat as effectively as it could when new.
Now, take that recipe and bake with new games that push the performance of the hardware further and further, and you end up with a situation where older consoles stand a decent chance of overheating, thanks to their age. It's inevitable really. Heck, I have an older PC at home that needed a new video card because the GeForce 7x00 series GPU in it fried itself after 5 years, and that's in a well-ventilated case with two extra fans.
This isn't the firmware, as much as the haters and conspiracy theorists would like it to be; it just isn't. It's consoles that were state of the art when built, and running at the edge of the envelope in terms of the thermal performance of the system. There's really no surprise here for anyone. A system's thermal performance will decrease as it ages; it simply will not remove as much heat as it did when new. Yet at the same time the PSU becomes less efficient and produces more heat, and software places ever greater demands on the hardware, resulting in more heat.
The system is designed to cope with that, but some will perform less well than the reference design, and they may suffer a failure as the heat outpaces the cooling. Anything else would be a great surprise.
What can be done? Well, if you own an older PS3, have it professionally cleaned, have new thermal paste applied to the heat sink, consider replacing the power supply with a newer, more efficient one and possibly replace the fan with a new one. These are all sensible precautions you would take with an older PC, assuming you wanted to keep it running. Why would we imagine a PS3 (or 360) would be any different?
It used to be the case that if you sold someone military grade encryption (DES) you had to do checks into who they were and verify them, and even have them obtain a license from the DoD. Considering that Amazon is selling what amounts to supercomputing for hire, one has to wonder why they are not required by law to more carefully check their clients. The same would be true of any cloud vendor offering cloud computing services. I mean, in this case they're saying that the people who did this used fake information and stolen card numbers. I don't know, but it sure seems like those are things that should have prevented the account from being opened in the first place.
Time to add to the internet security playbook. If you run any kind of customer-facing network, it's time that your firewalls and monitoring systems had rules for cloud computing sources. In fact I'd completely block their addresses on the firewalls and filters, set rules in the firewalls, filters and monitoring systems to check incoming packets for anything suggesting the packet came from a cloud source, and once again block, quarantine and/or isolate such packets.
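The rule the post proposes, as an added example that is not part of the original comment: classify each source address in a firewall or web access log against a provider's published address ranges, and emit the prefixes for an ipset/nft set or ACL. The ranges, the `examplecloud-*` labels and the log lines below are constructed for the example (RFC 5737 / RFC 3849 documentation prefixes, not any real provider's list); in practice you would load and periodically refresh the provider's own feed.

```python
import ipaddress
import re

# Constructed stand-in for a cloud provider's published address list.
# These are documentation prefixes, not real cloud ranges.
CLOUD_RANGES = {
    "examplecloud-us-east": ipaddress.ip_network("198.51.100.0/24"),
    "examplecloud-eu-west": ipaddress.ip_network("203.0.113.0/24"),
    "examplecloud-ipv6": ipaddress.ip_network("2001:db8:cafe::/48"),
}

# Constructed sample access-log lines (common log format); not a real capture.
SAMPLE_LOG = """\
198.51.100.42 - - [01/May/2011:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.7 - - [01/May/2011:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [01/May/2011:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
2001:db8:cafe::17 - - [01/May/2011:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [01/May/2011:10:00:05 +0000] "GET /status HTTP/1.1" 200 64
not-an-ip - - [01/May/2011:10:00:06 +0000] "GET / HTTP/1.1" 400 0
"""


def cloud_label(src):
    """Return the label of the cloud range containing `src`, or None.

    A malformed source field is treated as 'unknown', never as trusted,
    and is reported as None so the caller can decide how to handle it.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    for label, net in CLOUD_RANGES.items():
        if addr in net:
            return label
    return None


def triage(log_text):
    """Return (src_ip, range_label, request_line) for every log line whose
    source falls inside one of CLOUD_RANGES. Other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        src = line.split(" ", 1)[0]
        label = cloud_label(src)
        if label is None:
            continue
        m = re.search(r'"([^"]*)"', line)
        hits.append((src, label, m.group(1) if m else ""))
    return hits


def blocklist_prefixes(version):
    """Sorted prefix strings for one IP version, ready to feed to an ipset,
    an nft set or a router ACL."""
    return sorted(str(n) for n in CLOUD_RANGES.values() if n.version == version)


if __name__ == "__main__":
    for src, label, request in triage(SAMPLE_LOG):
        print(f"{src:<20} {label:<22} {request}")
    print("v4 block set:", blocklist_prefixes(4))
    print("v6 block set:", blocklist_prefixes(6))
```

Two things worth checking before turning the output into a drop rule: address lists change, so the set must be rebuilt from the provider feed on a schedule rather than copied once, and a whole-provider block also drops any legitimate partner or customer traffic that happens to be hosted there, which is why the `triage` view (alert and inspect) is shown alongside the block set rather than instead of it.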
health.net - 1.9 million customer details including names, addresses, **social security numbers**, and **credit/debit card details** (not disclosed for months after the attack)
Heartland Payments - 130 million Credit/Debit card records (not disclosed for months after the attack)
TJX - 45 million cardholder details including card numbers (was not disclosed for *years*)
The attackers here got names, email/postal address information, dates of birth and password hashes. They did not get the primary card databases, which were encrypted in any case, and in fact the only confirmed theft of CC data was 900 active card numbers in a 4-year-old backup/development database at SOE. Sony came forward within 2 days of the outage, and 4 days later, with only the preliminary analysis complete, they warned customers. In a very real sense Sony nearly jumped the gun by informing people so quickly. Typically such attacks and data breaches are not reported publicly for months afterwards because of the time taken to analyze the attack and restore/strengthen systems. Yet despite that, Sony got castigated for being *slow* to respond, when they were in fact abnormally *fast* to respond and advise customers. As much as non-technical gamers wish to decry their response, or people predisposed to hate on Sony wish to use this as a stick to beat Sony, the reality is that hacks happen and Sony has responded extremely quickly and strongly to the attack, and they have in reality done far more than any organization I can remember to compensate their customers. Attacks happen, and a determined attacker may be able to break into any network, given time. So, it's not just about the precautions you take, it's about how you respond. Were there flaws in Sony's security? Sure, of course there were. That said, you could challenge any network of similar size and scope to prove itself free from security flaws. So, blame where blame is due, but let's keep this in perspective. If you accept that attacks are going to happen and no security is perfect, then what matters as much or more is how the victim of the hack responds to protect their customers. If you compare Sony's reaction to those of others, there is a contrast, and Sony doesn't look bad at all.
There's a story at Computerworld that talks more about this if you want further reference.
You almost have to ask why the tech media jumped on Sony so strongly, when they soft-pedal the coverage of other breaches. LastPass, anyone?
Try this article for some perspective...
...have some degree of this kind of thing. It's rare to find a network or organization of any significant size that is so disciplined with its patching that there are no servers with unpatched vulnerabilities on them. And no, before some smart arse says it, Sony is not some kind of exception to that, and they really were not/are not out of the ordinary. Right now there are hundreds of CIOs and thousands of network managers and architects praying that no one looks in their general direction, because they know damned well that they would be hacked just as deeply as Sony has been if someone noticed them.
It's very much time, though, that not just companies like Sony gave this kind of thing the intense focus and attention it deserves. No, it's time that governments, law enforcement and society in general started looking at the fact that in an economy that is dependent on information systems and the Internet to continue doing business, there is a duty of care on companies to ensure their systems are fully patched, yes, but at the same time there is also a desperate need for laws and regulations designed to foster a greater focus on data security and on creating an environment where cyber crimes are more easily detected, prevented, traced and solved. At the moment, a well-executed attack may never yield a perpetrator to the authorities; if that situation continues, then the usefulness of this digital economy and our dependence on it presents a danger to our continued economic well-being.
Interesting story, I wonder where the hate is? Surely after Sony's example, every organization that gets hacked should be subject to several stories that offer increasingly speculative worst-case scenarios and bias against the organization that was hacked? Where are all the words of blame? Good lord, this is a password management company; they were a target the moment they commenced operation, and they know/knew it. Considering the service they offer, I can only hope that they quickly determine how someone got into their systems and do take the opportunity to improve their hashing.
SOE lost a 12,700 record database of CC details that was around 4 years old. Only 900 (approximately) of those card numbers remained active.
Sony and their investigators have to date found no evidence to suggest that the PSN card database was accessed or taken. They have been able to confirm that the personal information such as names, addresses and usernames were accessed and taken. Considering that they are able to determine that the personal information was transferred off their servers by the hackers, the same logging, audit capability and tracing would allow them to see whether the CC data had also been accessed and taken. Obviously, it's essentially impossible to be 100% certain it was not. However in the absence of evidence from the investigation and auditing being done and with card issuers indicating they have seen no indication of fraud as a result of the hack either, it seems that Sony's statement that the card data was not taken holds a decent amount of water. They took so long to find the SOE hack because they were concentrating on PSN and only switched attention to SOE once their primary work had been completed and they were sweeping the rest of Sony's network in preparation to turn portions of PSN back on.
Janedoe is right in that the information isn't really much more than we give to many other sites online with far less reliable security. It's also true to say that hundreds of millions of people offer up far more information about themselves for free in environments like Facebook that are about as secure as a wet paper bag.
On the other hand, PSN is a closed network, so you do expect that the information remains secure.
In the real world of course, every system is vulnerable to attack in some way or another, it's all about how attractive the target is and how determined the attacker is. In the case of Sony and PSN it appears that a fairly large sense of entitlement and faux righteousness fueled some of the attack, plus PSN represents a fairly juicy target with some 10 million PSN users having card information on their account.
It should also be noted by Mr Anonymous Coward that PSN passwords were not stored in plain text; they were hashed. Sony stated this clearly at their big press conference with Kaz Hirai. So, let's please put the stupidity to bed. CC data was encrypted and there's no indication it was stolen. PSN passwords were not stored on PSN, certainly not in plain text, and in fact only the hashes were kept. No word on how robust the hashing/salting was, but if a password hashing algorithm allows a password system to function properly, it's hackable, given enough resources. That is, sadly, one of the fundamental truths of password hashing: it has to be consistently repeatable to work, so it's attackable.
The least excusable element of the entire situation is that known vulnerabilities were allowed to remain on their systems for sufficient time to be exploited in an attack. Of course, that's not particularly unusual in the world today, but it's most definitely not excusable. Network service operators have to take care to patch known vulnerabilities or at least mitigate if there is no patch. It would seem that their internal security procedures need tightening up.
However, if there is something I have learned over the last two weeks, it is that there is a crap-load of baseless and irrational hatred for Sony present among a large segment of US/UK techies, gamers and other associated groups. So much so that for two weeks people have wildly claimed that the systems were wide open (they were not), that passwords were stored as plain text (they were not) and that CC data was unprotected (it was encrypted, secured and apparently not taken).
Could Sony have done better? Sure. But then I could point to about 99 out of 100 organizations with an online presence and say that they could do better, without any fear of contradiction.
Sorry, I'm just struggling to see why it is that we should all be so angry or outraged with Sony. Their systems were secure, they employed a variety of measures including firewalls, password hashing and data encryption and other precautions. It's not like they made no effort to protect the systems. None of the wild accusations about plaintext passwords or unencrypted card data are/were true. So, why are people still pushing the outrage and anger button?
PSN exists across many different legal jurisdictions. Just the UK, for example, with the Data Protection Act, has various laws which lay out the duty of care that a company has to protect data held by it. PSN has to accord with all the various laws and guidelines laid out across all the countries it operates in. That means that it is essentially a best-case blend of all of the various regulations.
Either way, password hashing is so standard and has been for such a long time that it's completely unthinkable that passwords would not be hashed - at least. It is also noteworthy that with PSN if you forget your password, there is no password recovery option. If the passwords were stored on PSN they would be available for recovery by the use of your security question, but they are not. Instead the standard procedure of answering the security question correctly nets you an email to your registered account with a one time random password that you can use to get back into PSN, but you have to change the password when you log in. That procedure is a strong hint, along with all the other evidence, that passwords are not held by PSN, and that in fact they are hashed.
Now, how strong and salty the hashing is is anyone's guess. Rainbow tables are easily obtained, and even if Sony really pushed the boat out, the very nature of hashing passwords in such a way that they are still useful means that with sufficient time and resources a hacker group could compromise shorter and obvious passwords within a reasonable amount of time.
But the point is that if the password hashes were obtained (clearly, they were), it's possible for any given user's password to be compromised. Hence the enforced password change when PSN restarts.
It's quite depressing how many tech journalists and sites have made total arses of themselves by making lots of wild assumptions and accusations about the security of PSN, the security of CC data, and the security of passwords. Due to the international and national laws that Sony has to obey, and the card processing industry's own guidelines and practices, it's always been the case that there is a near certainty that passwords are not stored on PSN, only the hash values, and that CC data was properly encrypted and held separately from other user information. I mean, good god, even the crappy $150 e-commerce solutions consumers can buy to run their own T-shirt shop online can handle both of those requirements.
I guess it's just so fashionable to attack Sony that many people who know better simply cannot help taking leave of their senses.
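The points made in the two comments above on password hashing (hashes must be repeatable, so they are attackable; salting decides whether a ready-made rainbow table applies; short and obvious passwords still fall to a dictionary; a reset flow that mails a one-time password never needs the old password) are shown below as an added example, not code from the original posts or from any Sony system. The wordlist, accounts and salts are constructed for the example, and the schemes compared (unsalted SHA-1, salted SHA-1, PBKDF2-HMAC-SHA256) are generic choices, not a claim about what PSN used.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a leaked password dictionary (not real breach data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "psn2011"]


def unsalted_sha1(password):
    """Weakest scheme: the same password gives the same digest for every user,
    so one precomputed table serves against every stolen hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Tiny digest -> password map, a stand-in for a rainbow table."""
    return {unsalted_sha1(w): w for w in words}


def crack_unsalted(stolen_hashes, table):
    """One table lookup per stolen hash; no hashing is done at attack time."""
    return {h: table[h] for h in stolen_hashes if h in table}


def salted_sha1(password, salt):
    """Per-user random salt: a precomputed table no longer applies, because
    the attacker cannot know the salt before the breach."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_salted(records, words):
    """records: list of (salt, hexdigest). Each record has to be attacked on
    its own, but an obvious password still falls to a short dictionary.
    Returns (cracked {hash: password}, number of hash computations spent)."""
    cracked, work = {}, 0
    for salt, h in records:
        for w in words:
            work += 1
            if hmac.compare_digest(salted_sha1(w, salt), h):
                cracked[h] = w
                break
    return cracked, work


def pbkdf2_hash(password, salt, iterations):
    """Salted and stretched: every guess costs `iterations` HMAC-SHA256 calls,
    which is the knob that buys time against the dictionary attack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password, salt, stored, iterations):
    """Constant-time comparison of a fresh derivation against the stored hash."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def crack_pbkdf2(records, words, iterations):
    """Same loop as crack_salted; work is counted in underlying HMAC calls
    so the cost multiplier of stretching is visible in the result."""
    cracked, work = {}, 0
    for salt, h in records:
        for w in words:
            work += iterations
            if verify_pbkdf2(w, salt, h, iterations):
                cracked[h.hex()] = w
                break
    return cracked, work


def issue_one_time_password(nbytes=16):
    """Reset flow needing no stored plaintext: mail `otp` to the user, store only
    its hash (an expiry would be stored alongside it; omitted here) and force a
    password change on the next login."""
    otp = secrets.token_urlsafe(nbytes)
    return otp, hashlib.sha256(otp.encode()).hexdigest()


if __name__ == "__main__":
    users = {"alice": "qwerty", "bob": "Tr0ub4dor&3x9"}  # constructed accounts
    leaked = [unsalted_sha1(p) for p in users.values()]
    print("unsalted:", crack_unsalted(leaked, build_lookup_table(WORDLIST)))
    salts = {u: os.urandom(16) for u in users}
    recs = [(salts[u], salted_sha1(p, salts[u])) for u, p in users.items()]
    print("salted:  ", crack_salted(recs, WORDLIST))
    recs2 = [(salts[u], pbkdf2_hash(p, salts[u], 20_000)) for u, p in users.items()]
    print("pbkdf2:  ", crack_pbkdf2(recs2, WORDLIST, 20_000))
```

Running it shows the three regimes side by side: alice's "qwerty" is recovered by a single lookup in the unsalted case, still recovered after a handful of guesses once salted, and still recovered under PBKDF2 but at `iterations` times the cost per guess; bob's password is not in the wordlist and survives all three. That is the practical reading of "hashes are attackable": salt and stretching set the price per guess, and the user's choice of password sets how many guesses are needed, which is why a forced password change after a hash leak is the right response regardless of scheme.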
Biting the hand that feeds IT © 1998–2021