Lawsuits And Laws On The Way In Response To Sony Data Breach

from the but-would-any-of-them-have-stopped-this? dept

With Sony admitting that its PlayStation Network was hacked and that lots of personal info was accessed, you knew the reaction would be swift. Within a day we have class action lawsuits being filed and new laws being proposed. I agree that it was monumentally stupid of Sony to store passwords as plaintext rather than as hashes, which certainly leaves room for negligence claims, but will laws really make a difference? About the only reasonable response from a government official has been White House cyber boss Howard Schmidt (who has a history of being more reasonable than many of his colleagues), who noted that getting hacked is a risk of doing business, and it’s not worth overreacting to Sony’s situation:

“It’s still a situation where specific incidents make it something it’s not,” he said. “Things make headlines that are just the risk of doing business in many cases.”

But, of course, that won’t satisfy the class action lawyers or the politicians who are all over this. Beyond the plans to introduce laws, we’ve already seen that Senator Richard Blumenthal, who was a massive grandstander as Connecticut Attorney General, has continued his grandstanding ways with a public “demand for answers” from Sony.

Companies: sony


Comments on “Lawsuits And Laws On The Way In Response To Sony Data Breach”

45 Comments
harbingerofdoom (profile) says:

Re: Re: Re:

You fail to see it because you don’t see it as a problem for yourself personally, where a lot of people do.

No one has said that the Xbox or XBL runs perfectly and without a single flaw. I’ve never had a PS3, so the issue does not affect me. But my relatives and friends that do have a PS3 are looking at this as more of a last straw for various reasons.

Microsoft is far from perfect, but it’s hard to not give them a more serious look if this Sony event is that major of an event for you.

John Doe says:

Passwords should be stored as a one way hash

There should be no way to decrypt a password. It should be done as a one-way hash. You don’t compare a user-entered password to a decrypted stored password; you encrypt the user-entered password and compare the result to the stored encrypted password. If they match, they are equal.

Any website that can send you your password should be avoided because they should not even be able to tell you what your password is.

Josh in CharlotteNC (profile) says:

Re: Passwords should be stored as a one way hash

There should be no way to decrypt a password. It should be done as a one way hash.

There is no possible way to store a password that cannot be compromised in one way or another.

Hashes are not strictly one-way. It is computationally expensive one way. If you know the hash method, it’s trivially easy to create a rainbow table (it just takes a one-time investment of CPU time). Rainbow tables are available for all common hash methods for passwords at least up to 12 characters, last I looked.

Salt it, you say? OK, but in order for the password to actually remain useful, your authentication systems will need to have that salt value stored so they can compare the stored password with what you’re using to log in, and that salt value can be compromised. That takes us right back to creating your own rainbow table for the hash method and salt value.

That’s not to say that Sony shouldn’t have stored them in plaintext. Just don’t be under the impression that just because your password is hashed means it is safe.

DCX2 says:

Re: Re: Passwords should be stored as a one way hash

There’s also “peppering”, where a salt is added inside the DB executable. Then you would need to compromise the DB, as well as the DB’s executable binary.

Also, although rainbow tables exist for a given hash, it is recommended to hash them multiple times, with a variety of different hashing algorithms, sometimes multiple times with the same hashing algorithm. This makes it more difficult, because the rainbow table must be generated for that combination of hashing.
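The three comments above walk through one-way hashing, per-user salts against precomputed tables, and a pepper kept outside the database. The following is an added example (not code from this thread, from Sony, or from any commenter) that puts those pieces together with Python’s standard library; the pepper value, iteration count and candidate password list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed values for this example: a real pepper is a secret kept outside
# the password database (in the application binary or its config, as the
# comment above describes), and the iteration count is tuned per deployment.
PEPPER = b"example-pepper-not-a-real-secret"
ITERATIONS = 100_000

def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256 of the password: one table of precomputed digests
    covers every user who chose the same password."""
    return hashlib.sha256(password.encode()).digest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random per user and stored beside
    the digest; the pepper is mixed in but never stored in the database;
    PBKDF2 iterates the hash so each guess costs the attacker real CPU time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER, salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the digest from the login attempt and compare in constant
    time; nothing is decrypted because the password was never stored."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def lookup_in_precomputed_table(digest: bytes, candidates) -> Optional[str]:
    """Stand-in for a rainbow-table lookup: map digests of candidate
    passwords back to the password. Succeeds against unsalted_hash output,
    fails against a per-user salted and peppered digest."""
    table = {unsalted_hash(p): p for p in candidates}
    return table.get(digest)

def demo() -> dict:
    common = ["123456", "password", "NinjaDood4"]  # constructed candidate list
    salt, stored = hash_password("NinjaDood4")
    return {
        "unsalted_recovered": lookup_in_precomputed_table(unsalted_hash("NinjaDood4"), common),
        "salted_recovered": lookup_in_precomputed_table(stored, common),
        "login_ok": verify_password("NinjaDood4", salt, stored),
        "login_wrong": verify_password("ninjadood4", salt, stored),
    }
```

Two users with the same password end up with unrelated digests because each gets a fresh salt, which is why a single precomputed table stops working once salting is in place.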

John Doe says:

Re: Re:

I try to avoid Sony whenever possible, mainly because they always try to create their own standard for things. For example, they developed the memory stick rather than going with compact flash, MMC, SD, etc. Now as I learn more about their other practices with rootkits and removing functionality after the purchase I have even more reason to avoid them.

Natalie says:

Stupid.

People are sooo stupid. Yeah, my stuff could have gotten hacked, but you take that risk every day you get on the computer. Every time you use your debit card. Every time you post something on Facebook, you put your stuff out there. You know the risk!!! Stop trying to blame it on everyone. Yes, they may have been slow, BUT common sense will tell you that with today’s people, of course they probably got some info. DUH!!!!!!! So, take precautions and watch out. Jeez, people, can’t we just realize that people make mistakes, even Sony. And, for God’s sake, we get on PSN for free.. What do you expect for a free service.. HELLO!!! Get a freakin life, and actually work. Don’t try and put a lawsuit against someone because you can’t sit in your mom’s basement and play for hours on end. You have to actually do SOMETHING WITH YOUR LIFE!! And, yes, I’m sure the 50 to 100 of money you just MIGHT have in the bank was REALLY TAKEN. I have had my credit card stolen on the net. And it was simply fixed. NO harm NO foul. I’m over it. SO GET THE HELL OVER IT AND MOVE ON!.. 😉

Anonymous Coward says:

Geohot weighs in:

See: http://www.pcmag.com/article2/0,2817,2384561,00.asp

which reads in part:

Hotz put the blame for the outage on Sony executives “who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.”

He’s right.

Especially since no ethical, responsible, professional hacker is EVER going to work for Sony. They’ll be left with the inferior, incompetent, clueless idiots they have now who are far too feeble-minded to fix the same mess that they created.

jilocasin (profile) says:

Knee jerk laws are bad, but we do need to establish the rules of the road.

I agree that knee jerk laws are generally a bad idea. Having said that, I think there _should_be_ a baseline level of operations established by law.

Getting hacked is the cost of doing business on the internet, that’s a given.

The occasional kitchen fire is the cost of doing business as a restaurant. We have laws that minimize the number of kitchen fires and the damage that can occur when they do happen. We regulate what can be stored where and the maximum number of people allowed, and establish evacuation routes. There are requirements for fire extinguishers, their type and placement. There are rules about who must be notified and how soon. Sure, it’s a cost of doing business, but we expect commercial kitchens to live up to a certain minimum standard. You follow the standard, bad things are less likely to happen, and when they do they will probably be less severe. If it turns out worse, then at least you weren’t negligent.

We need laws that state the minimums for operating a commercial business on the internet. You don’t store spare propane tanks over the stoves in a restaurant; you don’t store users’ passwords as plain text. You need to maintain at least this (some defined) level of security. You need to notify these (some defined) people within this (some defined) period of time in the event of a breach.

We are seeing some of it starting, such as the VISA PCI DSS requirements, but they are mostly voluntary. We need laws that establish a baseline, backed up by penalties with REAL TEETH, so that it isn’t cheaper to ignore them and consider whatever token fine amount as ‘the cost of doing business’.

Real privacy and consumer protection laws. Real commercial baselines.

Until that happens we can expect to see more internet versions of the Triangle Shirtwaist Factory fire. (https://secure.wikimedia.org/wikipedia/en/wiki/Triangle_Shirtwaist_Factory_fire)

DCX2 says:

As much as I hate Sony...

I’ve been Sony free since the Rootkit back in 2005. But as much as I hate Sony, I don’t want to see the company go down. Sony provides a lot of good jobs, and some of their people are even smart!

I just wish they’d wise up a bit. Stop using proprietary formats when off-the-shelf will do. Stop treating customers as their enemy.

Beta (profile) says:

you get what you pay for

As long as people will sacrifice a lot of security for a little convenience, that’s what the market will bring.

How about a two-key system? Instead of a human-memorizable password (like “NinjaDood4”) which I must type in with my fingers — and trust the server not to store or reveal — every time, I could have a key pair: the server sends me a session key encrypted with my public key, and I’m good to go. Nobody can decrypt that without my private key, the server doesn’t know my private key, and nobody can break the encryption for another century or so. If the company wants to, say, sign me up for an expensive new service, they’d better be able to show my private-key-signed authorization, or they’ll have to give back every dime. This system can still be hacked, but it’s a whole lot more secure than what we have; however, it would require a tiny bit of effort to implement, and the consumers aren’t demanding it.

Credit cards are ridiculously insecure, but the demand for a more secure (but slightly less convenient) solution just isn’t there.

And don’t get me started on SS numbers.

Ron Rezendes (profile) says:

When litigation is a business model...

The corporatocracy that we have become here in the US insists that litigation is a business model. That fact is proven by the government employees that enjoy the fruits of their labor when they leave their office to work for the very corporations they were supported by to get into office in the first place. The laws are in place to favor the business of extreme litigation and ridiculous awards based on psychedelic accounting figures that could only make sense to those without a moral compass.

Well paytards, if you want to live by the sword (courts), I’ll be happy to watch you die by the sword (courts).

Looking forward to watching Sony get dragged naked over the coals, broken glass, and beds of nails before coming to rest in a pool of isopropyl alcohol.
