Lawsuits And Laws On The Way In Response To Sony Data Breach

from the but-would-any-of-them-have-stopped-this? dept

With Sony admitting that its PlayStation Network was hacked and that lots of personal info was accessed, you knew the reaction would be swift. Within a day we have class action lawsuits being filed and new laws being proposed. I agree that it was monumentally stupid of Sony to store passwords as plaintext rather than as hashes, which certainly leaves room for negligence claims, but will laws really make a difference? About the only reasonable response from a government official has been White House cyber boss Howard Schmidt (who has a history of being more reasonable than many of his colleagues), who noted that getting hacked is a risk of doing business, and it's not worth overreacting to Sony's situation:
"It's still a situation where specific incidents make it something it's not," he said. "Things make headlines that are just the risk of doing business in many cases."
But, of course that won't satisfy the class action lawyers or the politicians who are all over this. Beyond the plans to introduce laws, we've already seen that Senator Richard Blumenthal, who was a massive grandstander as Connecticut Attorney General, has continued his grandstanding ways with a public "demand for answers" from Sony.


Reader Comments

  1. Anonymous Coward, Apr 28th, 2011 @ 6:18am

    Karma is a bitch.

  2. abc gum, Apr 28th, 2011 @ 6:18am

    Wait a sec ... new laws proposed that would require passwords not be stored in plain text? Wouldn't that contradict the previous proposal that all passwords be stored as plain text? Ohhhh yeah, that was France - never mind.

  3. Michael, Apr 28th, 2011 @ 6:21am

    Re:

    The French have to keep them in plain text just in case the Germans want them.

  4. stan, Apr 28th, 2011 @ 6:25am

    Screw it, I'm buying an X-BOX...

  5. Chargone (profile), Apr 28th, 2011 @ 6:40am

    Re:

    I fail to see why one problem company stuffing up is reason to reward another problem company...

  6. Anonymous Coward, Apr 28th, 2011 @ 6:44am

    Re:

    It's the Schrödinger's cat of Internet laws:

    You can either operate within the law or not, but you won't know if you are (not?) until a lawsuit happens.

  7. John Doe, Apr 28th, 2011 @ 6:46am

    Passwords should be stored as a one way hash

    There should be no way to decrypt a password. It should be done as a one-way hash. You don't compare a user-entered password to a decrypted stored password; you encrypt the user-entered password and compare the result to the stored encrypted password. If they match, they are equal.

    Any website that can send you your password should be avoided, because they should not even be able to tell you what your password is.

  8. Anonymous Coward, Apr 28th, 2011 @ 6:47am

    Just throw the PS out the window and never buy another Sony product EVER!

    Rootkits on Audio CDs
    Rootkits on PC games (SECUROM)
    Then they use bait and switch marketing.

    Their network is toast anyway!

    Goodbye and Good Riddance Sony!

  9. John Doe, Apr 28th, 2011 @ 6:50am

    Re:

    I try to avoid Sony whenever possible, mainly because they always try to create their own standard for things. For example, they developed the memory stick rather than going with compact flash, MMC, SD, etc. Now as I learn more about their other practices with rootkits and removing functionality after the purchase I have even more reason to avoid them.

  10. Anonymous Coward, Apr 28th, 2011 @ 6:50am

    This lawsuit is actually a good thing: The PS3 dies and maybe then we can move on away from outdated gaming hardware.

  11. Anonymous Coward, Apr 28th, 2011 @ 6:57am

    Re: Re:

    I know I shouldn't, but I lol'ed. French jokes never get old.

  12. Anonymous Coward, Apr 28th, 2011 @ 7:00am

    I'm not particularly keen on legislating everything, either, but a judicious application of fines for any company that has a public-facing webserver that keeps passwords in either plaintext or a reversible encryption may not be a bad thing.

  13. Richard (profile), Apr 28th, 2011 @ 7:06am

    Further Negligence

    I think it is negligent to make yourself a target by your legal and business strategy.

    Remember the "I hate you" maxim!

  14. crade (profile), Apr 28th, 2011 @ 7:12am

    Yeah, it's a risk of doing business.. You are risking this happening. If no one cared and just forgave you right away when you got hacked and coughed up all their info, there would be no risk.

  15. Anonymous Coward, Apr 28th, 2011 @ 7:16am

    Good luck with the class action lawsuits, since the Supreme Court has taken that right away from us. I am pretty sure Sony's TOS requires arbitration to resolve any issues.

  16. Natalie, Apr 28th, 2011 @ 7:21am

    Stupid.

    People are sooo stupid. Yeah my stuff could have gotten hacked but you take that risk every day you get on the computer. Every time you use your debit card. Every time you post something on Facebook, you put your stuff out there. You know the risk!!! Stop trying to blame it on everyone. Yes they may have been slow, BUT common sense will tell you that with today's people, of course they probably got some info. DUH!!!!!!! So, take precautions and watch out. Jeez people, can't we just realize that people make mistakes, even Sony. And, for God's sake we get on PSN for free.. What do you expect for a free service.. HELLO!!! Get a freakin life, and actually work. Don't try and put a lawsuit against someone, because you can't sit in your mom's basement and play for hours on end. You have to actually do SOMETHING WITH YOUR LIFE!! And, yes I'm sure the 50 to 100 of money you just MIGHT have in the bank was REALLY TAKEN. I have had my credit card stolen on the net. And, it was simply fixed. NO harm NO foul. I'm over it. SO GET THE HELL OVER IT AND MOVE ON!.. ;)

  17. Anonymous Coward, Apr 28th, 2011 @ 7:21am

    Re:

    Here's your Xbo-oh sorry it RROD.

  18. Anonymous Coward, Apr 28th, 2011 @ 7:22am

    Re: Passwords should be stored as a one way hash

    It should also be salted to prevent things like dictionary attacks if the database gets compromised.

  19. harbingerofdoom (profile), Apr 28th, 2011 @ 7:24am

    Re: Re:

    You fail to see it because you don't see it as a problem for yourself personally, where a lot of people do.

    No one has said that the Xbox or XBL runs perfectly and without a single flaw. I've never had a PS3, so the issue does not affect me. But my relatives and friends that do have a PS3 are looking at this as more of a last straw for various reasons.

    Microsoft is far from perfect, but it's hard not to give them a more serious look if this Sony event is that major of an event for you.

  20. Rick, Apr 28th, 2011 @ 7:26am

    Re: Stupid.

    Let's see..
    "sit in your mom's basement..." check
    "actually do SOMETHING WITH YOUR LIFE" check
    "im sure the 50 to 100 of money you just MIGHT have in the bank..." check

    Obvious troll is obvious

  21. harbingerofdoom (profile), Apr 28th, 2011 @ 7:27am

    Re: Re:

    The RROD issue is not the issue it used to be and would likely affect very few buyers now.

  22. crade (profile), Apr 28th, 2011 @ 7:32am

    Re: Re: Re:

    Have they fixed the problem where they keep charging you a monthly fee for online access yet?

  23. Bengie, Apr 28th, 2011 @ 7:36am

    Re: Stupid.

    This doesn't fall under "mistake", this falls under negligence.

    They willfully ignored 10+ year old industry security standards and this is what happens.

    With your logic, if a bank stored all of its money in an unprotected area and the money got stolen, it would be an "accident".

  24. Anonymous Coward, Apr 28th, 2011 @ 7:37am

    Re:

    You got it all wrong. The passwords are stored as plaintext, then the hacker thinks: "Who would be so stupid? They must be encrypted," and then he tries to decrypt them, to no avail. hahaha

  25. Anonymous Coward, Apr 28th, 2011 @ 7:38am

    Geohot weighs in:

    See: http://www.pcmag.com/article2/0,2817,2384561,00.asp

    which reads in part:

    Hotz put the blame for the outage on Sony executives "who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea."

    He's right.

    Especially since no ethical, responsible, professional hacker is EVER going to work for Sony. They'll be left with the inferior, incompetent, clueless idiots they have now who are far too feeble-minded to fix the same mess that they created.

  26. Anonymous Coward, Apr 28th, 2011 @ 7:38am

    Re: Re:

    RROD doesn't steal your credit cards, just sayin'.

  27. Stuart, Apr 28th, 2011 @ 7:39am

    Live by the Sword Die by the Sword.

    Live by governmental regulations to protect you.
    Die by governmental regulations strangling you.
    Perfect.

  28. Anonymous Coward, Apr 28th, 2011 @ 7:41am

    The real thing is this: As much as I hate Sony and want to see it burn to the ground, it would not be a good thing for Xbox gamers. Because with PlayStation out of the way, there would be no arms race to out-innovate the other console, and the games would start becoming crappier and crappier.

  29. jilocasin, Apr 28th, 2011 @ 7:43am

    Knee jerk laws are bad, but we do need to establish the rules of the road.

    I agree that knee jerk laws are generally a bad idea. Having said that, I think there _should_be_ a base line level of operations established by law.

    Getting hacked is the cost of doing business on the internet, that's a given.

    The occasional kitchen fire is the cost of doing business as a restaurant. We have laws that minimize the number of kitchen fires and the damage that can occur when they do happen. We regulate what can be stored where, the maximum number of people allowed, and establish evacuation routes. Requirements for fire extinguishers, type and placement. There are rules about who must be notified and how soon. Sure it's a cost of doing business, but we expect commercial kitchens to live up to a certain minimum standard. You follow the standard, bad things are less likely to happen, and when they do they will probably be less severe. If it turns out worse, then at least you weren't negligent.

    We need laws that state the minimums for operating a commercial business on the internet. You don't store spare propane tanks over the stoves in a restaurant; you don't store users' passwords as plain text. You need to maintain at least this (some defined) level of security. You need to notify these (some defined) people within this (some defined) period of time in the event of a breach.

    We are seeing some of it starting, such as the VISA PCI DSS requirements, but they are mostly voluntary. We need laws that establish a baseline, backed up by penalties with REAL TEETH. So that it isn't cheaper to ignore them and consider whatever token fine amount as 'the cost of doing business'.

    Real privacy and consumer protection laws. Real commercial baselines.

    Until that happens we can expect to see more internet versions of the Triangle Shirtwaist Factory fire. (https://secure.wikimedia.org/wikipedia/en/wiki/Triangle_Shirtwaist_Factory_fire)

  30. big al, Apr 28th, 2011 @ 7:52am

    welll...............................

    But but but... this IS the Sony way.... sue 'em until they die!!! Right or wrong has got nothing to do with the suit... sue 'em until they give up... Sony's screwup? SUE 'em.... bad luck? SUE 'em. Remember, it's the Sony way!!!

  31. Josh in CharlotteNC (profile), Apr 28th, 2011 @ 7:56am

    Re: Passwords should be stored as a one way hash

    "There should be no way to decrypt a password. It should be done as a one way hash."

    There is no possible way to store a password that cannot be compromised in one way or another.

    Hashes are not strictly one-way. It is computationally expensive one way. If you know the hash method, it's trivially easy to create a rainbow table (just takes a one-time investment of CPU time). Rainbow tables are available for all common hash methods for passwords at least up to 12 characters last I looked.

    Salt it, you say? Ok, but in order for the password to actually remain useful, your authentication systems will need to have that salt value stored so they can compare the stored password with what you're using to log in, and that salt value can be compromised. That takes us right back to creating your own rainbow table for the hash method and salt value.

    That's not to say that Sony should have stored them in plaintext. Just don't be under the impression that just because your password is hashed it is safe.

  32. natalie, Apr 28th, 2011 @ 7:59am

    Re: Re: Stupid.

    Troll?

  33. DCX2, Apr 28th, 2011 @ 8:57am

    Re: Re: Re: Re:

    That monthly fee pays for actual senior software engineers to develop the network. People who actually know what they're doing. That tends to be expensive. It doesn't make that network invincible, but it vastly reduces the risk of incompetence.

  34. DCX2, Apr 28th, 2011 @ 9:03am

    Re: Re: Passwords should be stored as a one way hash

    There's also "peppering", where a salt is added inside the DB executable. Then you would need to compromise the DB, as well as the DB's executable binary.

    Also, although rainbow tables exist for a given hash, it is recommended to hash them multiple times, with a variety of different hashing algorithms, sometimes multiple times with the same hashing algorithm. This makes it more difficult, because the rainbow table must be generated for that combination of hashing.
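The storage scheme that comments 7, 18, 31 and 34 argue over, shown in working code as an added example (this is editor-supplied code, not the article's, Sony's, or any commenter's): a per-user random salt, an iterated one-way hash (PBKDF2-HMAC-SHA256 here, the stretching that "hash it multiple times" is reaching for), and an optional pepper held outside the database, next to the plaintext and unsalted-SHA-256 schemes it replaces. The `PEPPER` value, the iteration count and the passwords are assumptions made up for the demonstration; the precomputed table is built inline so the block runs offline. It uses only the Python standard library.

```python
# Added example, not code from the article or from any commenter: the
# password-storage scheme the thread argues for (per-user salt, iterated
# one-way hash, optional server-side pepper) next to the schemes it replaces.
# Standard library only. The passwords and the pepper value are constructed.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms per check
SALT_BYTES = 16

# Hypothetical pepper: lives in application config or an HSM, never in the
# users table, so a database dump alone is not enough to start cracking.
PEPPER = b"example-pepper-from-config-not-from-the-database"


def plaintext_store(password: str) -> Dict[str, str]:
    """What the article criticises: the secret itself sits in the row."""
    return {"password": password}


def unsalted_hash(password: str) -> str:
    """The next-worst thing: a single SHA-256, no salt, no stretching.
    Identical passwords give identical rows and a precomputed table applies."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _material(password: str, pepper: Optional[bytes]) -> bytes:
    """Optionally bind the password to the pepper before hashing. HMAC keyed
    by the pepper, so the pepper cannot be recovered from the stored value."""
    raw = password.encode("utf-8")
    return raw if pepper is None else hmac.new(pepper, raw, hashlib.sha256).digest()


def hashed_store(password: str, pepper: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> Dict[str, object]:
    """One-way, salted, iterated. Nothing reversible is written to the row;
    the salt is not secret and is stored alongside the digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _material(password, pepper), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iter": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: Dict[str, object], candidate: str,
           pepper: Optional[bytes] = None) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so a timing difference does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", _material(candidate, pepper),
                                 bytes.fromhex(str(record["salt"])), int(record["iter"]))
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def build_unsalted_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """The attacker's one-time CPU investment: plain SHA-256 of every
    candidate, keyed by digest (a rainbow table minus the chain compression)."""
    return {unsalted_hash(w): w for w in wordlist}


def table_lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Instant hit against an unsalted SHA-256 row; a miss against a salted
    record, because the table was built without that user's salt."""
    return table.get(stored_hash)
```

The salt does not need to be secret (comment 31 is right that it is stored next to the hash); its job is to make every precomputed table worthless and force one fresh brute-force run per user. The pepper is what raises the bar further when only the database leaks, and the iteration count is what makes each guess in that brute-force run expensive.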

  35. DCX2, Apr 28th, 2011 @ 9:09am

    As much as I hate Sony...

    I've been Sony free since the Rootkit back in 2005. But as much as I hate Sony, I don't want to see the company go down. Sony provides a lot of good jobs, and some of their people are even smart!

    I just wish they'd wise up a bit. Stop using proprietary formats when off-the-shelf will do. Stop treating customers as their enemy.

  36. chris tatman (profile), Apr 28th, 2011 @ 9:15am

    Re: Re: Re:

    You're wrong on that, because you still gotta pay 199 for a new console, and you Xbox fanboys will pay it like fools. Microsoft knowingly sent out a shoddy product, and the RROD ain't dead; it's there, just in a place you're not aware of. They just got rid of the lights.

  37. Beta (profile), Apr 28th, 2011 @ 9:19am

    you get what you pay for

    As long as people will sacrifice a lot of security for a little convenience, that's what the market will bring.

    How about a two-key system? Instead of a human-memorizable password (like "NinjaDood4") which I must type in with my fingers -- and trust the server not to store or reveal -- every time, I could have a key pair: the server sends me a session key encrypted with my public key, and I'm good to go. Nobody can decrypt that without my private key, the server doesn't know my private key, and nobody can break the encryption for another century or so. If the company wants to, say, sign me up for an expensive new service, they'd better be able to show my private-key-signed authorization, or they'll have to give back every dime. This system can still be hacked, but it's a whole lot more secure than what we have; however, it would require a tiny bit of effort to implement, and the consumers aren't demanding it.

    Credit cards are ridiculously insecure, but the demand for a more secure (but slightly less convenient) solution just isn't there.

    And don't get me started on SS numbers.

  38. Anon, Apr 28th, 2011 @ 9:40am

    Re: Re: Passwords should be stored as a one way hash

    I also prefer the taste of salted passwords.

  39. Vincent Clement (profile), Apr 28th, 2011 @ 9:54am

    I'd be more worried about the use of answers for security questions and birth dates than passwords. In some cases we are talking about names, birth dates, addresses and credit card info. This has long-term potential for identity theft.

  40. Ron Rezendes (profile), Apr 28th, 2011 @ 10:07am

    When litigation is a business model...

    The corporatocracy that we have become here in the US insists that litigation is a business model. That fact is proven by the government employees that enjoy the fruits of their labor when they leave their office to work for the very corporations they were supported by to get into office in the first place. The laws are in place to favor the business of extreme litigation and ridiculous awards based on psychedelic accounting figures that could only make sense to those without a moral compass.

    Well paytards, if you want to live by the sword (courts), I'll be happy to watch you die by the sword (courts).

    Looking forward to watching Sony get dragged naked over the coals, broken glass, and beds of nails before coming to rest in a pool of isopropyl alcohol.

  41. Steve, Apr 28th, 2011 @ 10:33am

    Re: Passwords should be stored as a one way hash

    Is that not the same? Checking hash to hash, no different than pass to pass? The only difference is you don't know the pass, but if you intercept the hash then it can be resent? I am not sure... is that how it works?
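Comment 41 asks whether an intercepted hash can simply be resent, and comment 37 sketches a key-pair login that would avoid that. The following added example (editor-supplied, not code from the article or from either commenter) shows both halves: a "hash on the wire" login that an eavesdropper replays successfully, and a nonce challenge-response login that rejects the replay. It is the symmetric form of the idea, using HMAC; the public-key variant proposed in comment 37 is the same exchange with a signature over the nonce in place of the HMAC. The user, password and captured traffic are constructed, and the whole thing uses only the Python standard library.

```python
# Added example, not code from the article or from any commenter: why a hash
# sent over the wire is a replayable token, and how a server-issued nonce
# prevents the replay. Symmetric (HMAC) form of the challenge-response idea.
# Standard library only; the password and "captured" traffic are constructed.
import hashlib
import hmac
import secrets
from typing import Set, Tuple


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-equivalent key shared by client and server (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class HashOnTheWireServer:
    """Scheme A: the client hashes the password and sends the digest. The
    digest is a static token; whoever observes it once can log in forever.
    Hashing client-side changes nothing about replay."""

    def __init__(self, password: str) -> None:
        self.expected = hashlib.sha256(password.encode("utf-8")).hexdigest()

    def login(self, client_digest: str) -> bool:
        return hmac.compare_digest(client_digest, self.expected)


class ChallengeResponseServer:
    """Scheme B: the server sends a fresh random nonce and the client answers
    with HMAC(key, nonce). A response is only valid for the nonce it was made
    for, and each nonce is accepted once.
    Caveat: the server must hold the password-equivalent key, so this scheme
    protects the wire, not the database; at-rest hashing is still required."""

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.key = derive_key(password, self.salt)   # stored verifier
        self.outstanding: Set[bytes] = set()         # nonces issued, not yet used

    def challenge(self) -> Tuple[bytes, bytes]:
        """Returns (salt, nonce); the salt lets the client derive the same key."""
        nonce = secrets.token_bytes(32)
        self.outstanding.add(nonce)
        return self.salt, nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                     # never issued, or already consumed
        self.outstanding.discard(nonce)      # one use only
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def client_answer(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What a legitimate client computes from the password and the challenge."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def replay_against_hash_on_the_wire(password: str) -> bool:
    """Eavesdropper captures the one message a login consists of and resends it."""
    server = HashOnTheWireServer(password)
    captured = hashlib.sha256(password.encode("utf-8")).hexdigest()  # seen on the wire
    assert server.login(captured)            # the legitimate login
    return server.login(captured)            # the replay: still accepted


def replay_against_challenge_response(password: str) -> bool:
    """Eavesdropper captures one (nonce, response) pair, resends it, and also
    tries the captured response against a newly issued nonce."""
    server = ChallengeResponseServer(password)
    salt, nonce = server.challenge()
    response = client_answer(password, salt, nonce)  # seen on the wire
    assert server.login(nonce, response)     # the legitimate login
    replayed_same_nonce = server.login(nonce, response)
    _, fresh_nonce = server.challenge()
    replayed_fresh_nonce = server.login(fresh_nonce, response)
    return replayed_same_nonce or replayed_fresh_nonce   # False: both rejected


def legitimate_login(password: str) -> bool:
    """A fresh challenge answered by a client that actually knows the password."""
    server = ChallengeResponseServer(password)
    salt, nonce = server.challenge()
    return server.login(nonce, client_answer(password, salt, nonce))
```

The answer to the question in comment 41 is therefore "yes, unless the protocol binds each response to a one-time challenge". Note the trade-off the caveat in the class docstring spells out: the challenge-response server keeps a key that is as good as the password, which is exactly the kind of record the rest of this thread is saying must not be stored, so in practice this exchange is combined with transport encryption and with server-side salted hashing rather than used instead of them.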

  42. Anonymous Coward, Apr 28th, 2011 @ 3:37pm

    Re: Re: Re: Re:

    Sorry dude, your sentence structure makes no sense.

  43. Anonymous Coward, Apr 28th, 2011 @ 6:40pm

    Re: Re: Re: Stupid.

    Mirror?

  44. Anonymous Coward, Apr 29th, 2011 @ 11:44am

    Re: cccc

    cccc

  45. ohdear, Apr 29th, 2011 @ 8:38pm

    Re: Stupid.

    I wish you were a troll and not a moron. But you aren't.

