Lawsuits And Laws On The Way In Response To Sony Data Breach
from the but-would-any-of-them-have-stopped-this? dept
With Sony admitting that its PlayStation Network was hacked and that lots of personal info was accessed, you knew the reaction would be swift. Within a day we have class action lawsuits being filed and new laws being proposed. I agree that it was monumentally stupid of Sony to store passwords as plaintext rather than as hashes, which certainly leaves room for negligence claims, but will laws really make a difference? About the only reasonable response from a government official has been White House cyber boss Howard Schmidt (who has a history of being more reasonable than many of his colleagues), who noted that getting hacked is a risk of doing business, and it’s not worth overreacting to Sony’s situation:
“It’s still a situation where specific incidents make it something it’s not,” he said. “Things make headlines that are just the risk of doing business in many cases.”
But, of course that won’t satisfy the class action lawyers or the politicians who are all over this. Beyond the plans to introduce laws, we’ve already seen that Senator Richard Blumenthal, who was a massive grandstander as Connecticut Attorney General, has continued his grandstanding ways with a public “demand for answers” from Sony.
Filed Under: class action lawsuits, data breach, grandstanding, playstation network
Companies: sony
Comments on “Lawsuits And Laws On The Way In Response To Sony Data Breach”
Karma is a bitch.
Wait a sec … news laws proposed that would require passwords not be stored in plain text, wouldn’t that contradict the previous proposal that all passwords be stored as plain text? Ohhhh yeah, that was France – never mind.
Re: Re:
The French have to keep them in plain text just in case the Germans want them.
Re: Re: Re:
I know I shouldn’t, but I lol’ed. French jokes never get old.
Re: Re:
It’s the Schr?dinger’s cat of Internet laws:
You can either operate within the law or not, but you won’t know it if you are (not?) until a lawsuit happens.
Re: Re:
You got it all wrong, the passwords are stored as plaintext then the hacker thinks: “who would be so stupid?, they must be encrypted” then he tries to decrypt them with no avail. hahaha
screw it im buying an X-BOX…
Re: Re:
i fail to see why one problem company stuffing up is reason to reward another problem company…
Re: Re: Re:
you fail to see it because you dont see it as a problem for yourself personally where a lot of people do.
no one has said that the xbox or XBL runs perfectly and without a single flaw. ive never had a ps3 so the issue does not affect me. but my relatives and friends that do have a ps3 are looking at this as more of a last straw for various reasons.
microsoft is far from perfect, but its hard to not give them a more serious look if this sony event is that major of an event for you.
Re: Re:
Here’s your Xbo-oh sorry it RROD.
Re: Re: Re:
the rrod issue is not the issue it used to be and would likely affect very few buyers now.
Re: Re: Re: Re:
Have they fixed the problem where they keep charging you a monthly fee for online access yet?
Re: Re: Re:2 Re:
That monthly fee pays for actual senior software engineers to develop the network. People who actually know what they’re doing. That tends to be expensive. It doesn’t make that network invincible, but it vastly reduces the risk of incompetence.
Re: Re: Re:
RROD don’t steal your credit cards, jus sayin
Re: Re: Re: Re:
your wrong on that because u still gotta pay 199 for a new console and you xbox fanboy will pay it like fools microsoft knowingly sent out a shoty product and the rrod aint dead its there just in a place your not aware of they just got rid of the lights
Re: Re: Re:2 Re:
Sorry dude, your sentence structure makes no sense.
Passwords should be stored as a one way hash
There should be no way to decrypt a password. It should be done as a one way hash. You don’t compare a user entered password to a decrypted stored password, you encrypt the user entered password and compare the result to the stored encrypted password. If they match, they are equal.
Any website that can send you your password should be avoided because they should not even be able to tell you what your password is.
Re: Passwords should be stored as a one way hash
It should also be salted to prevent things like dictionary attacks if the database gets compromised.
Re: Re: Passwords should be stored as a one way hash
I also prefer the taste of salted passwords.
Re: Passwords should be stored as a one way hash
There should be no way to decrypt a password. It should be done as a one way hash.
There is no possible way to store a password that cannot be compromised in one way or another.
Hashes are not strictly one-way. It is computationally expensive one way. If you know the hash method, its trivially easy to create a rainbow table (just takes a one-time investment of CPU time). Rainbow tables are available for all common hash methods for passwords at least up to 12 characters last I looked.
Salt it, you say? Ok, but in order for the password to actually remain useful, your authentication systems will need to have that salt value stored so it can compare the stored password with what you’re using to login, and that salt value can be compromised. That takes us right back to creating your own rainbow table for the hash method and salt value.
That’s not to say that Sony shouldn’t have stored them in plaintext. Just don’t be under the impression that just because your password is hashed means it is safe.
Re: Re: Passwords should be stored as a one way hash
There’s also “peppering”, where a salt is added inside the DB executable. Then you would need to compromise the DB, as well as the DB’s executable binary.
Also, although rainbow tables exist for a given hash, it is recommended to hash them multiple times, with a variety of different hashing algorithms, sometimes multiple times with the same hashing algorithm. This makes it more difficult, because the rainbow table must be generated for that combination of hashing.
Re: Passwords should be stored as a one way hash
Is that not the same? Checking hash to hash? No different than pass to pass? Only dif you dont know that pass but if you intercept the hash then it can be resent? I am not sure….is that how it works?
Just throw the PS out the window and never buy another Sony product EVER!
Rootkits on Audio CDs
Rootkits on PC games ( SECUROM )
Then they use bait and switch marketing.
Their network is toast anyway!
Goodbye and Good Riddance Sony!
Re: Re:
I try to avoid Sony whenever possible, mainly because they always try to create their own standard for things. For example, they developed the memory stick rather than going with compact flash, MMC, SD, etc. Now as I learn more about their other practices with rootkits and removing functionality after the purchase I have even more reason to avoid them.
This lawsuit is actually a good thing: The PS3 dies and maybe then we can move on away from outdated gaming hardware.
Re: cccc
cccc
I’m not particularly keen on legislating everything, either, but a judicious application of fines for any company that has a public-facing webserver that keeps passwords in either plaintext or a reversible encryption may not be a bad thing.
Further Negligence
I think it is negligent to make yourself a target by your legal and business strategy.
Remember the I hate you maxim!
Yeah, it’s a risk of doing business.. You are risking this happening. If no one cared and just forgave you right away when you got hacked and coughed up all their info, there would be no risk.
Good luck with the Class action lawsuits, since the Supreme Court has taken that right away from us. I am pretty sure Sony’s TOS requires arbitration to resolve any issues.
Stupid.
People are sooo stupid. Yeah my stuff could have gotten hacked but you take that risk everyday you get on the computer. Everytime you use your debit card. Everytime you post something on Facebook, you put your stuff out there. You know the risk!!! Stop trying to blame it on everyone. Yes they may have been slow, BUT common sense will tell you that with todays people, of course they probably got some info. DUH!!!!!!! So, take precautions and watch out. Jeez people can’t we just realize that people make mistakes even Sony. And, for godsakes we get on PSN for free.. What do you expect for a free service.. HELLO!!! Get a freakin life, and actually work. Don’t try and put a lawsuit against someone, because you can’t sit in your mom’s basement and play for hours on end. You have to actually do SOMETHING WITH YOUR LIFE!! And, yes im sure the 50 to 100 of money you just MIGHT have in the bank, was REALLY TAKEN. I have had my Credit card stolen on the net. And, it was simply fixed. NO harm NO foul. im over it. SO GET THE HELL OVER IT AND MOVE ON!.. 😉
Re: Stupid.
Let’s see..
“sit in your mom’s basement…” check
“actually do SOMETHING WITH YOUR LIFE” check
“im sure the 50 to 100 of money you just MIGHT have in the bank…” check
Obvious troll is obvious
Re: Re: Stupid.
Troll?
Re: Re: Re: Stupid.
Mirror?
Re: Stupid.
This doesn’t fall under “mistake”, this falls under negligence.
They willfully ignored 10+ year old industry security standards and this is what happens.
With your logic, if a bank stored all of its money in an unprotected area and the money got stolen, it would be an “accident”.
Re: Stupid.
I wish you were a troll and not a moron. But you aren’t.
Geohot weighs in:
See: http://www.pcmag.com/article2/0,2817,2384561,00.asp
which reads in part:
Hotz put the blame for the outage on Sony executives “who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.”
He’s right.
Especially since no ethical, responsible, professional hacker is EVER going to work for Sony. They’ll be left with the inferior, incompetent, clueless idiots they have now who are far too feeble-minded to fix the same mess that
they created.
Live by the Sword Die by the Sword.
Live by governmental regulations to protect you.
Die by governmental regulations strangling you.
Perfect.
The real thing is this: As much as I hate soney and I want to see it burn to the ground. It would not be a good thing for Xbox gamers. Because with playstation out of the way, there would be no arms race to over-innovate the other console and the games would start becoming crappier and crappier.
Knee jerk laws are bad, but we do need to establish the rules of the road.
I agree that knee jerk laws are generally a bad idea. Having said that I think there _should_be_ a base line level of operations established by law.
Getting hacked is the cost of doing business on the internet, that’s a given.
The occasional kitchen fire is the cost of doing business as a restaurant. We have laws that minimize the number of kitchen fires and the damage that can occur when they do happen. We regulate what can be stored where, the maximum number of people allowed and establish evacuation routes. Requirements for fire extinguishers, type and placement. There are rules about who must be notified and how soon. Sure it’s a cost of doing business, but we expect commercial kitchens to live up to a certain minimum standard. You follow the standard, bad things are less likely to happen and when they do they will probably be less severe. If it turns out worse then at least you weren’t negligent.
We need laws that state the minimums for operating a commercial business on the internet. You don’t store spare propane tanks over the stoves in a restaurant, you don’t store users passwords as plain text. You need to maintain at least this (some defined) level of security. You need to notify these (some defined) people within this (some defined) period of time in the event of a breach.
We are seeing some of it starting, such as the VISA PCI DSS requirements, but they are mostly voluntary. We needs laws that establish a baseline, backed up by penalties with REAL TEETH. So that it isn’t cheaper to ignore them and consider whatever token fine amount as ‘the cost of doing business’.
Real privacy and consumer protection laws. Real commercial baselines.
Until that happens we can expect to see more internet versions of the Triangle Shirtwaist Factory fire. (https://secure.wikimedia.org/wikipedia/en/wiki/Triangle_Shirtwaist_Factory_fire)
welll...............................
but but but …this IS the sony way…. sue em until they die!!! right or wrong got nothing to do with the suit…sue em until they give up… sony’s screwup SUE em….bad luck…SUE em. remember it’s the sony way!!!
As much as I hate Sony...
I’ve been Sony free since the Rootkit back in 2005. But as much as I hate Sony, I don’t want to see the company go down. Sony provides a lot of good jobs, and some of their people are even smart!
I just wish they’d wise up a bit. Stop using proprietary formats when off-the-shelf will do. Stop treating customers as their enemy.
you get what you pay for
As long as people will sacrifice a lot of security for a little convenience, that’s what the market will bring.
How about a two-key system? Instead of a human-memorizable password (like “NinjaDood4”) which I must type in with my fingers — and trust the server not to store or reveal — every time, I could have a key pair: the server sends me a session key encryped with my public key, and I’m good to go. Nobody can decrypt that without my private key, the server doesn’t know my private key, and nobody can break the encryption for another century or so. If the company wants to, say, sign me up for an expensive new service, they’d better be able to show my private-key-signed authorization, or they’ll have to give back every dime. This system can still be hacked, but it’s a whole lot more secure than what we have– however it would require a tiny bit of effort to implement, and the consumers aren’t demanding it.
Credit cards are ridiculously insecure, but the demand for a more secure (but slightly less convenient) solution just isn’t there.
And don’t get me started on SS numbers.
I’d be more worried about the use of answers for security questions and birth dates than passwords. In some cases we are talking about names, birth dates, addresses and credit card info. This has long-term potential for identify theft.
When litigation is a business model...
The corporatocracy that we have become here in the US insists that litigation is a business model. That fact is proven by the government employees that enjoy the fruits of their labor when they leave their office to work for the very corporations they were supported by to get into office in the first place. The laws are in place to favor the business of extreme litigation and ridiculous awards based on psychedelic accounting figures that could only make sense to those without a moral compass.
Well paytards, if you want to live by the sword (courts), I’ll be happy to watch you die by the sword (courts).
Looking forward to watching Sony get dragged naked over the coals, broken glass, and beds of nails before coming to rest in a pool of isopropyl alcohol.