The Sony Pictures Hack Was Even Worse Than Everyone Thought
An anonymous reader writes with today's installment of Sony hack news. "It's time to take a moment of silence for Sony Pictures, because more startling revelations about leaked information just came out and employees are starting to panic. BuzzFeed raked through some 40 gigabytes of data and found everything from medical records to unreleased scripts. This is probably the worst corporate hack in history. Meanwhile, Fusion's Kevin Roose is reporting on what exactly happened at Sony Pictures when the hack went down. The hack was evidently so extensive that even the company gym had to shut down. And once the hackers started releasing the data, people started 'freaking out,' one employee said. The saddest part about all of this is that the very worst is probably still to come. Hackers say they stole 100 terabytes of data in total. If only 40 gigabytes contained all of this damning information, just imagine what 100 terabytes contains."
... Everything? (Score:5, Funny)
Re:... Everything? (Score:5, Insightful)
If they got the accounts system, (which seems likely, given that Sony seems to have put every subsystem on the same network, employee medical records on the same network as raw film files) then any electronic receipt for purchase of items for office lunch rooms could include the model numbers for the sinks.
Re: (Score:3)
Doctor's notes for sick days, drug tests, smoking cessation programs and company provided vaccination records all seem likely.
Re:... Everything? (Score:5, Informative)
Don't forget disputed insurance claims, and new employee paperwork with medical and life insurance applications with records of pre-existing conditions.
Can't avoid medical records (Score:5, Insightful)
I employ people in the USA in small IT and EE/IC specialty design shops. Most expert-level employees seem to come with white or grey hair. One of my IT geeks is a "MT Dew Diabetic." Avoiding the maintenance of medical records is simply not an option in the USA, given our laws and court rulings. We have to comply with ADA (Americans with Disabilities Act), keep records of workman's comp medical restrictions, including very specific information on what an employee may and may not do, as well as provide emergency information to first responders. While often inconvenient, these are requirements I cannot avoid. Some of my employees have medical conditions (heart conditions, organ replacement, severe allergies, diabetes, unusual prescriptions of controlled substances, etc.) that they want known and available to first responders showing up at the office if they collapse clutching their heart or go into a sugar coma. Complicating this, if one of your customers is a Federal agency or Defense, you must, by law, have a "zero tolerance policy" for controlled substances. All this requires records to prove or excuse. For government accusations, corporations are "effectively guilty" until they prove themselves innocent with appropriate record keeping. Making this even more difficult, USA court rulings say we're also not allowed to store this information in their personal files, but must keep it in a separate, access-controlled file, otherwise we could get sued if that person missed a pay raise or promotion because it was available to anyone reviewing their service and discipline records. The separate files seem silly when the teams are small enough that everyone knows each other very well anyway. Also, what if the employee who first greets the medics from the ambulance doesn't have easy access to the secured medical files? Isn't that an even worse problem? Sued if you do. Sued if you don't.
Sued if you didn't do it the nuanced way a team of $300/hr attorneys thinks you should have half-way done it. Nuisance suits are common in the USA.
As a practical matter, a lot of valuable talent is not healthy. Many experts are experts because they have been at a speciality for 30-60 yrs. If you have an employee that has an epileptic seizure, you don't want the rest of the team to stand there confused and gawking. You want them to recognize it and intervene to protect that individual's head and spine from injury. I had an employee with mental health issues under the care of a psychiatrist. While she was physically 100% capable (she was young and athletic), she was restricted from certain emotionally triggering situations. You want their supervisor trained to know what those are and how to avoid it. You want a written record, periodically refreshed, that her supervisor knows and understands. You could say "I don't want to deal with that" but then you lose out on some great talent. Imagine a physics institute that didn't want to deal with maintaining medical records for Stephen Hawking.
Re:Can't avoid medical records (Score:5, Interesting)
As a practical matter, a lot of valuable talent is not healthy.
This is so true. It is difficult to deal with as a boss and even more so as an employer. One of my guys is seriously over weight, and has a number of health complications that come with it. He is also highly intelligent and very capable. It is challenge because I want to be able to depend on him, and for the most part I can. But I also have to mitigate risk and make sure that there are people shadowing his projects and documenting his recommendations so that they can carry on if the time comes that he is no longer able to come into work.
As his boss, I want to have a legitimate, sincere conversation with him about his health and his value to the company. I also want to have it with him as a friend and someone who cares about him. But due to the way employment law works, I have to avoid the subject.
Re:... Everything? (Score:5, Informative)
Certainly legal. There's nobody who can't hold your medical information.
Wrong.
HIPAA regulations are pretty strict about this. The company I work for does everything through a 3rd party because of this.
When I told my boss I had to have time off for surgery I was given the phone number for the 3rd party company and they handled everything. They contacted my doctor and obtained all the necessary medical information to verify that I was off work for a legitimate medical reason. When I was ready to return to work, I went to a doctor who examined me and then reported to the 3rd party company that I was OK. The third party company then notified my employer that I was OK to return to work. At no time was my employer ever given any medical information about me.
Re:... Everything? (Score:5, Informative)
Re:... Everything? (Score:5, Funny)
Re: (Score:3)
It's done that way because the HIPAA consultants lie. No more. No less.
When I worked in that space, I had COPA and HIPAA printed out and on me at all times. The part of HIPAA that was highlighted was the part noting "this should not be construed to mean encryption is required" Because I never met a HIPAA consultant who didn't insist that encryption is required.
They lie. All of them. The worse
Re: (Score:3)
People blame silly decisions on "PCI" all the time as well. I'm not a QSA but I do a lot of work in payments and took my last small company through PA-DSS level 1, so I've got some background there.
Having said that, anyone who touches a credit card should generally be in a PCI scope - even if you're a small mom-n-pop bookstore that takes Stripe. The worst abuse that I've seen though is trying to convince people that they should go all the way to "level one" compliance. The levels are based on your process
Re: (Score:3)
There is another huge loophole in HIPAA. It only applies if your company does electronic billing.
I am a volunteer with a fire department. The local ambulance agency was shocked when they were told that the fire department EMTs were not covered by the HIPAA law. Our fire department doesn't bill for our services, so HIPAA didn't apply to us. We protect people's privacy, because it is the right thing to do, but have no legal exposure if someone accidentally says something (at least exposure under HIPAA
Re:... Everything? (Score:4, Funny)
I know them too. It's "SYSTEMD".
Lawsuits and Patents (Score:5, Interesting)
I mean it seems likely they got everything. Even the model numbers of the kitchen sinks.
I would expect they also got some fairly damning privileged information--emails exchanged with lawyers on everything from sexual harassment to copyright infringement suits. It's a BIG firm.
Plus Patents. Sony files THOUSANDS of patents a year. If that patent information (or research that could be patented) is published to the wild before SONY patents it, you have a LOT of new prior art and a fortune in IP at risk... SONY would have to patent everything within a year in the US; I am not sure that you even have that grace period everywhere else.
(a) NOVELTY; PRIOR ART.—A person shall be entitled to a patent unless— (1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention ...
(b) EXCEPTIONS.— (1) DISCLOSURES MADE 1 YEAR OR LESS BEFORE THE EFFECTIVE FILING DATE OF THE CLAIMED INVENTION.—A disclosure made 1 year or less before the effective filing date of a claimed invention shall not be prior art to the claimed invention under subsection (a)(1) if—
(A) the disclosure was made by the inventor or joint inventor or by another who obtained the subject matter disclosed directly or indirectly from the inventor or a joint inventor; or
(B) the subject matter disclosed had, before such disclosure, been publicly disclosed by the inventor or a joint inventor or another who obtained the subject matter disclosed directly or indirectly from the inventor or a joint inventor.
Re:Lawsuits and Patents (Score:4, Insightful)
Plus Patents. Sony files THOUSANDS of patents a year. If that patent information (or research that could be patented) is published to the wild before SONY patents it, you have a LOT of new prior art and a fortune in IP at risk... SONY would have to patent everything within a year in the US; I am not sure that you even have that grace period everywhere else.
I think you confuse Sony Pictures with Sony Corporation.
The former is unlikely to have a lot of patents, except for things like camera gimbals or ways to strip and reattach continuity reports to digital footage.
Re:Lawsuits and Patents (Score:5, Insightful)
The real risk to Sony Pictures is having the real books behind the Hollywood accounting revealed.
Re:Lawsuits and Patents (Score:5, Informative)
SONY would have to patent everything within a year in the US; I am not sure that you even have that grace period everywhere else.
No..... 1 year following lawful disclosure.
The unlawful disclosure of confidential information by criminals is subject to adjudication by the courts.
The unlawfully disclosed material may very well be deemed to be a condition that allows Sony to continue to pursue the patents, and publications made from unlawfully disclosed materials may be excluded from valid prior art.
Re: (Score:3)
by another who obtained the subject matter disclosed directly or indirectly from the inventor or a joint inventor; or
Illegal theft of records doesn't count as disclosure.
Re: ... Everything? (Score:5, Interesting)
That's bad, but I remember when
they released a root kit disguised as a music Compact Disc.
Re: (Score:3)
Why are breaches being marketed so hard, what's the REAL agenda?
It should be serving as a wake-up call to companies that it is time to take data security seriously. Incredibly, it seems to be falling on deaf ears. I guess it's easier to ignore the issue.
They've had plenty of wakeup calls (Score:3)
Re: ... Everything? (Score:4, Funny)
Re: (Score:3)
If they'd had traffic shaping in place, there's no way anyone would have got 100 terabytes of anything out of the company ;-)
And no way to have automated offsite backups either.
If I were interested in a company's data, gaining access to backups and backup servers is where I'd initially focus anyhow. You get the data from a multitude of machines without having to access all of them.
Easiest are probably a fairly common corporate backup system where the policies are set on the server for convenience, so if you gain access to the server, you can tell it to drop encryption and automatically store a copy at $remote_host. Instant pot
Re: ... Everything? (Score:5, Informative)
Not a lot, actually. The most important aspect of real security is compartmentalization—ensuring that you don't have any high-value individual targets:
None of those things should cost significant amounts of money. They're just simple policy decisions. And with a scheme like the above, you typically wouldn't see attacks like this being successful in the absence of a massive zero-day remote kernel exploit.
If you want added security, you could write a piece of software in a few minutes that logs all traffic by IP address and port, then compares it with traffic requested by the user's web browser (by continuously reading the browser's history and uploading any new locations every couple of minutes), and flags anything that doesn't match. Automatically ignore any automatic updates by software that your IT department installed, plus any known addresses owned by your OS manufacturer. If you see any other traffic, shut off the port immediately, and contact the user to verify that the traffic is expected. If so, whitelist that IP and port after verifying that the software the user is running is legit.
Finally, add mail server rules that sanity check any email attachments, and similar rules for your HTTP proxy. If someone receives a disk image, ZIP archive, or other archive, extract the contents and ensure that there are no executables within it. If there are, allow the attachment if the executable is signed by a trusted authority. Otherwise, store a copy of the attachment in a secure location, and either filter it from the mail archive or refuse to send the final packet of data to the web browser. Flag it for review.
Like the two guys running away from the grizzly bear, security doesn't have to be flawless; it just has to be robust enough to convince the attacker to go after an easier target.
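The two cheap policy checks the comment above describes, as an added Python example written for this thread (not code from the commenter or from Sony): reconciling a workstation's outbound connections against its browser history plus an IT allowlist, and opening a ZIP attachment to look for executables by extension and by file header. Every connection, history entry, address and archive member below is constructed for the demonstration; the "signed by a trusted authority" exception the comment allows is not implemented, so any executable found sends the attachment to quarantine.

```python
"""Added example: two of the cheap policy checks from the comment above.

All sample data here is constructed for the demonstration (not real Sony data).
"""
import io
import os
import zipfile
from datetime import datetime, timedelta

# ---- 1. Egress reconciliation -------------------------------------------
# Constructed sample data: outbound connections observed on a workstation,
# the destinations its browser visited, and IT-managed update servers.
CONNECTION_LOG = [
    ("2014-11-24T09:00:10", "198.51.100.7", 443),   # browser visited this 2 s earlier
    ("2014-11-24T09:00:12", "192.0.2.50", 443),     # IT update server (allowlisted)
    ("2014-11-24T09:01:30", "203.0.113.99", 8443),  # nothing explains this one
    ("2014-11-24T09:30:00", "198.51.100.7", 443),   # last browser visit is 30 min old
]
BROWSER_HISTORY = [
    ("2014-11-24T09:00:08", "198.51.100.7", 443),
]
IT_ALLOWLIST = {("192.0.2.50", 443)}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def flag_unexpected_connections(connections, history, allowlist,
                                window=timedelta(minutes=2)):
    """Return the connections that neither the allowlist nor a browser visit
    to the same destination within `window` beforehand can account for."""
    flagged = []
    for when, ip, port in connections:
        if (ip, port) in allowlist:
            continue
        seen_at = _ts(when)
        explained = any(
            h_ip == ip and h_port == port
            and timedelta(0) <= seen_at - _ts(h_when) <= window
            for h_when, h_ip, h_port in history
        )
        if not explained:
            flagged.append((when, ip, port))
    return flagged


# ---- 2. Attachment inspection -------------------------------------------
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".msi",
                         ".bat", ".cmd", ".ps1", ".sh", ".jar"}
# Leading bytes of PE, ELF, script and Mach-O fat binaries.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xca\xfe\xba\xbe")


def find_executables_in_zip(zip_bytes):
    """List archive members that look executable by extension or by header,
    so a renamed binary ("setup.dat") is caught as well as "tool.exe"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            ext = os.path.splitext(member.filename)[1].lower()
            with archive.open(member) as fh:
                head = fh.read(4)
            if ext in EXECUTABLE_EXTENSIONS or head.startswith(EXECUTABLE_MAGIC):
                found.append(member.filename)
    return found


def attachment_decision(zip_bytes):
    """'allow' a clean archive, 'quarantine' one carrying executables.
    (The trusted-publisher signature check is deliberately not implemented.)"""
    executables = find_executables_in_zip(zip_bytes)
    return ("quarantine" if executables else "allow"), executables


def build_sample_zip():
    """Constructed attachment: two harmless files, one .exe, one renamed ELF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
        archive.writestr("notes.txt", b"meeting notes")
        archive.writestr("invoice_viewer.exe", b"MZ\x90\x00 constructed PE header")
        archive.writestr("setup.dat", b"\x7fELF constructed renamed binary")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in flag_unexpected_connections(CONNECTION_LOG, BROWSER_HISTORY, IT_ALLOWLIST):
        print("unexplained egress:", entry)
    print(attachment_decision(build_sample_zip()))
```

Two things worth noting in practice: the header check is what makes the extension list worth having, since an attacker simply renames the file otherwise, and nested archives (a ZIP inside a ZIP, or a disk image) need the same walk applied recursively, which this short version does not do.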
Re: (Score:3)
Some parts of this can be done even cheaper.
Don't hook up enough external bandwidth such that someone can copy 100 terabytes of data without anyone noticing. Even at gigabit Ethernet speed it takes an incredibly long time to copy that much data.
Sure, they have to move high-def movie clips, maybe even entire movies around between their various sites. But anyone stealing that much data would have to be INSIDE their network with a suitcase full of terabyte drives, or outside their network with a couple mon
Re: ... Everything? (Score:5, Insightful)
Chances are they do have high bandwidth links for copying high resolution video files around, and that pipe will not be fully utilised all the time, there would be plenty of downtime when there was a lot of bandwidth available for exfiltrating data, and because high bandwidth usage is not uncommon it could easily go unnoticed. It doesn't matter if it takes a long time, so long as it hasn't been noticed you can sit on there for weeks or months gradually copying stuff.
Also, in one of the other stories about this hack I read that they had access for over a year.
Over what time interval? (Score:5, Insightful)
How long was the attack taking place? What kind of Internet connection does Sony Pictures have? To ex-filtrate 100 TB of data is going to take a while, no matter how you cut it. My guess is that number is significantly inflated.
Re:Over what time interval? (Score:5, Insightful)
If you hit a server or many of them you'll get a fair bit better speed than if you hit a private person with American public tire shitternet. And as long as you're not detected it really doesn't matter if it takes 24 hours or 100 days.
Re:Over what time interval? (Score:4, Informative)
What kind of Internet connection does Sony Pictures have? To ex-filtrate 100 TB of data is going to take a while, no matter how you cut it. My guess is that number is significantly inflated.
Who says this was done over the internet?
Send in a North Korean agent posing as a janitor to jack into the network from the inside. Plug in a device, let it download, then come get it the next night.
Re: (Score:3)
Comment removed (Score:5, Funny)
Re:Over what time interval? (Score:4, Informative)
My internet connection at home is 100mbps = 12MB/s.
= 43GB/hr
= 1TB / day
= 100 TB in 100 days.
Spread that out across 10 machines and you're looking at a little over a week.
An uncompressed 4k film in DPX is 10bit * 4096 x 2214 * 3 = 32 MB / frame * 24 fps * 60 seconds/minute * 60minutes/hour = 2.63 TB per *version*. Then there are Subtitled and Closed caption versions. A single film often has 10TB. They might have just stolen 10-20 films. And those servers presumably are on very fast connections capable of remote review over something like cinesync.
Re: (Score:3)
The Digital Cinema Distribution Master (DCDM [digitalpreservation.gov]) contains uncompressed audio and video, but timed text elements like subtitles are stored in XML.
DCDMs are turned into the Digital Cinema Package (DCP [wikipedia.org]) for distribution to theaters, which is an encrypted file of JPEG 2000 video at a max 250 Mbps.
Re:Over what time interval? (Score:4, Informative)
"Then there are Subtitled and Closed caption versions."
Except those are separate TEXT FILES moron.
Motion picture subtitles (as they are distributed on disc) are not text-based. They are a subpicture that is overlayed on the original video.
Yes, they wouldn't take up a lot of room, given the majority of the picture is the designated mask (clear) "color" and the limits on the number of other colors used, but they are not text files.
Re: (Score:3)
"Motion picture subtitles (as they are distributed on disc) are not text-based"
Do you actually do any ripping with hardware/media made this decade?
They dropped the images crap from DVD and went to time-coded text files with a chosen system font to display. Smaller, more efficient.
Uh, no they didn't.
Doom9: How to deal with Blu-Ray subtitles. [doom9.org]
They still appear to be PGS (subpicture) based.
Re: (Score:3)
How long was the attack taking place? What kind of Internet connection does Sony Pictures have? To ex-filtrate 100 TB of data is going to take a while, no matter how you cut it. My guess is that number is significantly inflated.
Given the level of access these people had, they likely just issued a request to the DBAs to send a copy of the backups via UPS to Kim Jong Un's house directly.
Re: (Score:3)
One of the stories on this mentioned they had access for a year...
Sony pictures likely has extremely fast internet connections at multiple sites, as they deal with movies its highly likely they will be sending large high resolution video files around.
Re:Over what time interval? (Score:4, Interesting)
Hours and minutes. It's obvious to me, a former backup/DR guru in another life, this data was either walked out of Sony itself in 2-3 plastic bins, or fell off the back of an offsite storage truck.
Re:Over what time interval? (Score:5, Insightful)
The big question is, how did they not notice that much data going out regardless of time frame.
Re: (Score:3)
Exactly my thought. You may be completely freaking clueless, but seeing 100TB leaving will leave a mark. Hell, I noticed a very minor routing (inbound) issue between ISPs in netflow data a few years ago just by looking at graphs.
Wow. Just wow.
Re: Over what time interval? (Score:5, Informative)
Re: Over what time interval? (Score:5, Insightful)
This. And consider that it may well have been taken out on a bunch of physical drives rather than the Internet. Pretty much everyone is saying this has some component of physical access - likely from a disgruntled employee. If the person or persons downloaded a couple of hundred GB every day to some hard drives, likely no one would notice. So it likely didn't happen all at once.
IF this is true, it makes the timing suspicious for NK involvement. If this had been ongoing for, say, 6 months, it was well before Kim could get his panties in a bunch over The Interview. But what do I know?
Re: (Score:3)
Re: Over what time interval? (Score:4, Informative)
RAID doesn't really work like this.
Imagine you have a 6-disk RAID6 - you need 4 to have the array working in a degraded state. Unless you steal 4 disks *at once* you won't be able to rebuild it offsite. Unless you get drives from RAID1 arrays you're better off smuggling in a 2 TB 2.5" USB drive. If their physical security is anywhere close to the IT security you can probably smuggle a f-ing NAS inside and nobody would care.
Re:Over what time interval? (Score:4, Informative)
I've heard before that in high end movies they push a lot of data around, each day they upload the raw footage to their studio back home which edits it and makes dailies that the filming crew review to make sure it comes out as they want before sets are torn down and actors leave for other jobs. They could do it on location but it's hard to get the people and equipment to follow you around and besides that way you can take advantage of time zone differences. I think I saw that in the LotR extras, Peter Jackson was filming in New Zealand, they edited in the US and it was ready for review next morning.
Consider that 50GB of an actual BluRay has probably been many terabytes of footage because of lack of compression, cameras rolling before and after scenes and many takes. I'm quite seriously suggesting that 100TB might not be that insanely much for a company rigged to handle huge data flows on a regular basis.
Footage n Accounting same system? (Score:3)
Putting on my IT geek hat, I'd say the term "system" or "same system" is rapidly losing its meaning in the age of "server fabric" and virtualized computing resources. You have systems of systems. Accessing everything from video editing apps to timecard and budgeting submission apps or web-pages from the same workstation, possibly at your home, on the day you telecommuted, using your "federated security credential" on your key-logging terminal. The key-logging pretty much by-passes all security from full-
Re: (Score:3)
Re:Over what time interval? (Score:4, Interesting)
"The big question is, how did they not notice that much data going out regardless of time frame."
Sony's big as fuck. From the PSN to their streaming services to their daily/nightly/hourly backups, that data transfer is *HUGE*. My old H2OFarm job saw us pushing 20TB raw data DAILY, and half of that was high-def video from my remote feeds.
Please. Quit living and thinking in the 90s. we're two decades ahead. Catch up with Moore's Law.
Re: (Score:3)
And our ability to secure information & monitor data flow on networks remained stagnant in that time?
Re: (Score:3, Funny)
Catch up with Moore's Law.
I'm trying to, I think I can manage in 18 months or so ...
Re: (Score:3)
So wait...
Kim Jong is an underpants gnome?
???
Re: (Score:3)
Obviously a while, but it's not out of the question. Sony pissed off North Korea several months ago when they announced The Interview. If it takes a week to download ~100TB at ~1Gbps then a couple weeks/months is all they need for all that data.
Agreed, but, isn't someone monitoring internet usage? 100 TB being downloaded even in a week to 10 days is an increase of multiple terabytes a day over whatever they normally use. One would think that would cause a spike on a graph somewhere, that someone ought to have investigated.
I've been hosting websites for years, and the only time I was ever compromised (one server turned into a spam mail server -- how embarrassing) I caught it almost immediately by a sudden spike in the network traffic.
As someone e
Re: (Score:3)
100 TB being downloaded even in a week to 10 days is an increase of multiple terabytes a day over whatever they normally use.
You need to pay attention not to raw numbers, but to percentages. If it was a 10 TB per day transferred, whether that will show up as a "spike in data usage" depends on what their normal usage is. If it's 100 TB per day, then yes - a 10% spike would be noticeable. On the other hand, if they're commonly transferring in the petabyte range, we're talking a 1% or less increase - that's within normal daily variances just about anywhere, and would never be noticed.
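The arithmetic earlier in the thread (12 MB/s is about 1 TB a day, so 100 TB in 100 days) and the point made just above, that a spike only shows relative to the baseline, as an added Python example written for this thread rather than taken from any commenter: one function computes transfer time at a given link rate, the other runs a percentage-based check over constructed daily egress totals, once for a site moving about 100 TB a day and once for a site moving about 1 PB a day, with the same 12 TB a day of extra traffic added to both. The daily figures, the 7-day baseline window and the 10% threshold are assumptions chosen to match the comment's numbers.

```python
"""Added example: exfiltration time at a given link rate, plus a baseline-relative
egress check. The daily totals below are constructed, not measured anywhere."""
import statistics


def transfer_days(terabytes, mbps):
    """Days needed to move `terabytes` over a link sustaining `mbps`
    (decimal units: 1 TB = 10**12 bytes, 1 Mbps = 10**6 bit/s)."""
    bits = terabytes * 10**12 * 8
    seconds = bits / (mbps * 10**6)
    return seconds / 86400


def flag_egress_days(daily_tb, baseline_days=7, threshold_pct=10.0):
    """Take the median of the first `baseline_days` totals as 'normal', then
    flag later days that exceed it by more than `threshold_pct` percent.
    Returns (day index, percent above baseline) pairs."""
    baseline = statistics.median(daily_tb[:baseline_days])
    flagged = []
    for day, total in enumerate(daily_tb[baseline_days:], start=baseline_days):
        pct_above = (total / baseline - 1) * 100
        if pct_above > threshold_pct:
            flagged.append((day, round(pct_above, 1)))
    return flagged


# Constructed: seven ordinary days around 100 TB, then three days with
# roughly 12 TB/day of extra traffic leaving.
SMALL_STUDIO_DAILY_TB = [98, 102, 99, 101, 100, 97, 103, 112, 111, 114]
# Constructed: the same extra 12 TB/day on top of a ~1 PB/day baseline.
LARGE_STUDIO_DAILY_TB = [980, 1020, 990, 1010, 1000, 970, 1030, 1012, 1011, 1014]


if __name__ == "__main__":
    print(f"100 TB at 100 Mbps: {transfer_days(100, 100):.0f} days")
    print(f"100 TB at 1 Gbps:   {transfer_days(100, 1000):.1f} days")
    print("small site flagged:", flag_egress_days(SMALL_STUDIO_DAILY_TB))
    print("large site flagged:", flag_egress_days(LARGE_STUDIO_DAILY_TB))
```

The second run comes back empty, which is exactly the comment's argument: 12 TB a day is a 12% jump on a 100 TB baseline and a 1.2% jump on a 1 PB one, well inside the day-to-day noise. The usual answer is to keep the baselines narrower than "the whole company": per host, per destination or per VLAN, the same 12 TB is a large deviation for whichever link actually carried it.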
Re:Over what time interval? (Score:5, Funny)
Trouble is they're all marked up with Sharpie around the outside...
Re: (Score:3)
What do you mean? An African or European year?
100 terabytes of data - a few movies? (Score:5, Informative)
100 terabytes of data is easily consumed by the raw uncut footage of a few movies, easily. So it could be a whole bunch of stuff that really hurts them or it could just be a couple movies that were shot by M. Night Shyamalan that suck so hard no one cares.
Re: (Score:2, Funny)
Twist, M. Night Shyamalan was phone the whole time...
Re: (Score:3)
Yeah but... imagine the harm to Sony's reputation if an unreleased M. Night movie got out...
Re: (Score:3)
Some of the rumoured files were financial data - even stuff like "Diaz - Cameron - Passport.PDF" for goodness sakes.
More info is on one of the reddit threads but it's apparently VERY nasty.
Medical records? (Score:2)
What is Sony doing with medical records?
Re: (Score:2)
Re: (Score:3)
That's what I thought. I guess "insurance information" doesn't have enough scare factor for a story.
Re: (Score:3)
Sony is not a covered entity under HIPAA, unless there's a new Sony medical clinic, hospital, or Sony administered health plan I hadn't heard of?
Even if you are a covered entity under HIPAA, employee records are exempt from the privacy rule, as long as the reason the record is there is because they are an employee and the record is not used to provide medical treatment or health services.
Not just insurance info (Score:3)
I've just been reading some of the articles, and it seems that in fact Sony has unfortunately been storing a lot of communication that contains discussion of medical issues amongst other things.
This is an example of where a company could have done a better job of assessing the risk of retained data becoming a liability and applied suitable retention policies and other risk mitigation strategies like encrypted storage (some articles suggest most files were not meaningfully protected).
IT folks and legal depart
Re: (Score:3)
It could be related to FMLA claims. When someone claims FMLA there is certain medical documentation that may need to be shared with an employer (although as it is still covered by the HIPAA laws, great care has to be taken to ensure it is not exposed like it apparently was).
Sad? Saddest? (Score:5, Insightful)
So Sony with its rootkits and DRM get owned. Good. How does it feel, Sony? How does it feel?
Hope this causes massive losses for them and horrors for its employees.
Re:Sad? Saddest? (Score:5, Insightful)
Bearing a grudge against a company for the decisions of its higher-ups is one thing; wishing horrors upon the majority of employees who are probably everyday folk earning a living - many probably sharing your view on the matter of the rootkit saga - might be going a little too far...
Re: Sad? Saddest? (Score:2, Insightful)
No fuck that. Fuck the higher ups and every step of the ladder that supports them. They are all responsible.
Re: (Score:3, Insightful)
No. By that logic we are responsible for the government's actions in all things, because we support them. Fuck the NSA, fuck the Pentagon, fuck the White House. I don't care. Lay a hand on Snowden, lay a hand on the soldiers, lay a hand on the housekeepers; then we have a problem. You and I would come to blows if we met IRL, simply because you are a reprehensible prick who can't figure out that people do what they have to for their families, and that you cannot use the crimes of a few to condemn many.
Say that to t
Re: Sad? Saddest? (Score:4, Interesting)
No fuck that. Fuck the higher ups and every step of the ladder that supports them. They are all responsible.
That's the kind of thinking that causes people to turn into terrorists with all of the associated beheadings of completely innocent people and other moronic actions. It's fucking stupid. Stop it.
You don't have perfect knowledge and you never will, so quit acting like you do.
Re: (Score:3)
And you feel that this is equivalent, do you? What % of Sony employees do you believe actually had a hand in the decision to use the DRM, knew how it worked, and knew that it had a backdoor?
If I had to guess, it would probably be fewer than 50.
I would also guess that most people involved in shipping off the Jews knew they were doing something pretty bad.
Re:Sad? Saddest? (Score:5, Funny)
And, Godwin'd. That's a wrap everyone, have a great evening, see you in the next thread.
Re:Sad? Saddest? (Score:4, Insightful)
Really, a rootkit done once, a decade ago by some idiot in Sony music? Massive losses, more jobs lost, more people out of work, this economy even worse.
Hopefully they fix their security, behave better as a company and no one loses jobs, Hopefully idiot posts like yours don't come to fruition either.
Sauce for the goose; sauce for the gander (Score:5, Informative)
Re:Sauce for the goose; sauce for the gander (Score:4, Informative)
I feel sorry for their employees whose information was compromised, but I can't say the same about the company. They are still on my "do not buy" list, and I buy a lot of the sort of things that they sell. Still waiting for an apology for the rootkit.
Re:Sauce for the goose; sauce for the gander (Score:5, Funny)
Wouldn't it be interesting if the initial breach into their systems was an exploit on a server that involved the sony rootkit because an IT stooge wanted to listen to some tunes while reviewing log files years ago.
Re: (Score:3)
http://en.m.wikipedia.org/wiki... [wikipedia.org]
TL;DR: 9 years ago, Sony was rootkitting the machines of people who bought their CDs, and lying about it.
Mark Russinovich of Sysinternals (at the time) has a very good article on this. You can learn a lot through it, at least I did.
http://blogs.technet.com/b/mar... [technet.com]
His first post I can't find in the time I have, is intense as well as much longer.
PS4 keys? (Score:3, Interesting)
How long before we see Sony's flagship console jailbroken like the PS3?
For that matter... we'll probably see the PS3's keys brought up to the current version, as well.
Re: (Score:3, Interesting)
To clarify.... I know this is Sony Pictures, but if the hack was this invasive into Sony's IT infrastructure, it's very possible they penetrated the entire Sony network.
All we are seeing at the moment is from Sony Pictures, but we may see a lot more in the next few weeks.
Re: (Score:3)
I'd agree with you, if not for one thing: The torrent was seeded from a number of Amazon instances that form part of the playstation network infrastructure. That suggests that, while the hack focused on sony pictures, playstation didn't escape entirely. Which means there is hope that the right keys were released too.
Kevin Roose's article (Score:3)
In case anyone else was looking for the missing link in TFS, Kevin Roose's article at Fusion is here [fusion.net].
Scripts leaked (Score:5, Funny)
At first they thought the data was fake; all the scripts read like movies everyone has seen already.
What's the bigger picture? (Score:5, Interesting)
Was this hack the result of poor security, or will every single company in the world now see what has happened, over-react, and unleash draconian security measures that far exceed the point of diminishing returns?
No matter what you think of Sony, this will not be good for the productivity of the corporate working world.
Re: (Score:3)
No matter what you think of Sony, this will not be good for the productivity of the corporate working world.
You are absolutely correct. However, perhaps it's time to acknowledge that much of the productivity increases that the Internet brought to the workplace are only possible because systems could be built that didn't assume that the company was under constant assault - a condition that is very likely no longer true.
My guess, however, is that real security won't happen until there's significant loss of l
$1tr question--Why is all this Internet-facing??? (Score:5, Informative)
This has hit the point of absurdity. If you are working on military plane designs, working on your next corporate acquisition, or even making movies or music worth tens of millions of $$$, why would you put your prized, unreleased digital files on computers that have Internet access? What kind of batshit stupidity is that? What, so your employees can browse Facebook & check Outlook e-mail at the same time? Such an air-gapped network would easily become an island--one that doesn't need Windows Updates, can stay on an old service pack, gets no software updates that solve 2 problems but make a new one (e.g. we know the bugs), and the like. And if those employees really need their Outlook e-mail, IM, or the Inter-Webs where they work, they can have a 2nd very low-end PC, connected to the main network, with a KVM between the two. Might even increase efficiency, given the mind's inability to multitask well. Or give them freaking iPads on a wireless network that's not connected to their "sensitive" work computer.
It boggles the mind that given all these problems, which are increasing in frequency & cost every day, we still have little more than software firewalls & hardware routers between a company's most highly-sensitive assets (files & computers) and the big-bad-Wild-West-no-holds-barred-Internet.
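The post above argues for a full air gap; a less disruptive version of the same idea is to put the sensitive segment behind a gateway whose default policy is to drop everything leaving it, and to open only the one internal path (a patch mirror or proxy) that the segment genuinely needs. The ruleset below is an added example written for this thread, not anything from Sony or from the original post; the interface name "lan_sensitive", the 10.50.0.0/24 segment and the 10.60.0.5 patch mirror are assumed values. The commented-out "weak" line is the flat-network setting the thread complains about, shown next to the restrictive rule that replaces it.

```nftables
# Added illustration, not from the thread: gateway policy for a sensitive production segment.
# Assumed names: interface "lan_sensitive", segment 10.50.0.0/24, internal patch mirror 10.60.0.5.
table inet sensitive_gw {
    # Hosts on the sensitive segment (interval set so a whole prefix can be listed).
    set sensitive_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.50.0.0/24 }
    }

    chain forward {
        # Default: nothing is forwarded unless a rule below says otherwise.
        type filter hook forward priority 0; policy drop;

        # Replies to flows that an earlier rule permitted.
        ct state established,related accept
        ct state invalid drop

        # Weak setting (the flat network the thread describes): the segment can reach anything.
        # iifname "lan_sensitive" accept

        # Corrected setting: the segment may only reach the internal patch mirror over TLS.
        iifname "lan_sensitive" ip saddr @sensitive_hosts ip daddr 10.60.0.5 tcp dport 443 accept

        # Everything else leaving the segment is counted, logged and dropped,
        # which also gives the SOC a signal if something on the segment starts trying to phone out.
        iifname "lan_sensitive" log prefix "sensitive-egress-drop " counter drop
    }
}
```

Loaded with nft -f, this turns the gateway into the only way off the segment, so the "second PC with a KVM" the post suggests becomes unnecessary while the production hosts still have no route to the Internet. The counter on the final rule is the cheap detection hook: a rising drop count from a host that has no business leaving the segment is worth a look long before terabytes move.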
Re:$1tr question--Why is all this Internet-facing? (Score:4)
Well, it is probably linked to the fact most of these companies are international companies with employees all over the world needing some form of interaction with the data.
If you really want to get an internal network that is disconnected from the internet, it means that you will need an army of monkeys copying data using memory sticks to feed the data bank and bringing reports back to the employee that needs it. And that induces super high latency in the system.
The problem seems difficult to me. Completely isolated networks might have an unreasonable operational cost. (Though a massive data breach might just be as bad.)
Too lazy to protect themselves (Score:3)
"In the letter, Sony defended its decision to wait five days to admit its security had been compromised and called on the government to help make the internet safer." http://www.buzzfeed.com/tomgar... [buzzfeed.com]
They asked for outside help (expected the government to stop it) and apparently took security a bit lax in one area.
I did get two free simple games over that one; I expect money this time. They need to take their security a bit more seriously. I mean, even shutting down the gym (who knows why, terminals?).
Once burnt twice shy, not something Sony is familiar with.
Bad news, good news (Score:3)
My condolences.
On the other hand, it's very beneficial for our society that this sort of data now becomes a matter of public record simply because I'm pretty sure that the extent of data that is collected on employees hasn't been documented quite so clearly and unequivocally before.
Besides which, it's well-documented that law-makers and public opinion generally aren't pro-active on the basis of insight, intelligence, or common sense. No, it always requires one or two actual cases of things going totally wrong to get people's attention. And even then it takes a couple of repeats before the shoot-the-messenger reflex can be bypassed and the underlying issues addressed.
In addition, the release of business information gives a valuable historical reference on how the corporate world works in a way that transcends books and even court records (which are usually sealed anyway where commercial interests are concerned).
So, in this respect, society as a whole benefits from this example of computer-burglary. Now if we could only make the data available in its entirety, or at least in coherent chunks ...
Ah, Karma (Score:3)
Remember back a few years ago, when Sony decided the best way to combat piracy was to install a rootkit on the machines of anybody who played one of their CDs?
I hope I can be forgiven for reminding them of a couple of good old adages. Adages like, "What goes around comes around", "Karma's a bitch", and "Sauce for the goose is sauce for the gander".
And I hope they'll forgive me for my complete lack of sympathy.
Re:North Korea? (Score:5, Interesting)
I think what happened most likely was, NK officials went to China, hired "internet baddies", and paid them to fuck Sony Pictures in the ass with their biggest internet broomstick.
No technical expertise or infrastructure needed.
Re:North Korea? (Score:5, Funny)
think what happened most likely was, NK officials went to China, hired "internet baddies", and paid them to fuck Sony Pictures in the ass with their biggest internet broomstick.
No technical expertise or infrastructure needed.
My guess is that a manager with too much access recklessly inserted a 2005-era music CD from Sony...
No expertise at all required to be a manager.
Re:North Korea? (Score:5, Interesting)
There's a lot of talk going around right now, mainly from Sony itself, that North Korea is likely behind it. Seriously though - I would expect a bunch of people who don't know what the Internet is, who likely don't live and breathe IT, security - basically everything capitalism stands for, let alone having a pipe fast enough to rip 100TB of data... Now I understand they could be trained and based elsewhere, but might as well say the Martians did it...
You obviously don't understand North Korea. Despite their terrible economy, widespread hunger, and stunning lack of technology in the hands of citizens, they still have an active standing army of over one million people, and count many, many more as available reserves. "Defense" spending is big there, so if they decide to hack, they can hack, and they will put government resources behind it with little trouble because they have no fear of internal or national backlash. I doubt North Korea publishes accurate statistics, but it is a safe bet that they spend a much higher proportion of their GDP on defense (which includes hacking, propaganda, and internal oppression) than most countries. Militarily they are relatively weak on a per man basis due to most units being woefully equipped (and fed), but when they get the notion to do something (think nukes), they do it.
This may not have been North Korea, and I have no idea really, but one can't assume it wasn't them simply because they are poor and uber-wacky.
Re:Make peace with Kim Jung Eun (Score:4, Funny)
How did 100 TB get to North Korea over their dial up modem without anybody else noticing?
NSA asleep at the wheel?
Five-eyes? All navel gazing?
Nobody's looking at the data going to North Korea?
More and more this seems like a false flag.
Re: (Score:3)
And there we have it. All those bazillions of taxpayer dollars wasted listening in on Aunt Tilly's scintillating description of the quilting bee and they totally missed the biggest ever hacking of a corporate system by a hostile foreign power.
Their faces would be beet red if they weren't so shameless.
Re: (Score:3)
Hackers say they stole 100 terabytes of data in total
Indeed. At, say, 100 Mbps (~ 10MB/s) on the Internet - that's fast - that would take 10 million seconds, or 116 days full time...
Re: (Score:2)
It doesn't burn. It just warms the heart. ;)
Or just raw video for a single movie... (Score:5, Interesting)
Re: (Score:3)
This is either bullshit, or you're doing it very, very wrong.
Even assuming a dumbass flat file at 4 KB per row for 62 days, that's over a thousand rows per second.
Re:Good God! (Score:5, Interesting)
As you yourself said, "their connections, the power they have to move the industry" carry a lot of weight. A lot of people inside and outside Sony could have their reputations ruined by these leaks. The film industry is full of gossip and jealousy, and people often say things in private that can be incendiary if they get loose. If someone with big clout is offended, a lot of current and future deals could go out the window. Grudges are real, and can last a lifetime.
And even non-bigwigs can be wrecked. Suppose someone takes time off, or has other issues from stress and uses prescription medication as a result. This could easily end up in personal records. This gets out, and that person could find themselves unemployable anywhere. Not even able to get a minimum wage job in retail or fast food, much less the entertainment industry. Remember, there are a lot of show hires and workers are transient, so there are a lot of ex-employees with records at Sony.
Sony could be on the hook for a huge class action suit, particularly if you consider ex-employees. No matter how long ago it was, if your name shows up online as a result of this breach you have a valid reason to sue.
And Sony is not a well regarded company in Hollywood. They are known for squeezing the life out of people and then giving them the boot. They routinely have layoffs while they are advertising for new hires. (Everyone in Hollywood does this, but Sony is a prime example.)
They keep a few people around but nobody lasts because it's cheaper, and transient workers are no threat to bad upper (or middle) management. Bad practice can be hidden if there is no one around to complain or remind anyone of previous mistakes. (Just ask anyone who has been cycled through Disney about this.)
Given the combination of ill will and a lot of ex-workers, don't be surprised when the civil actions start. Sony doesn't have a leg to stand on, particularly on personal records. They had no partitioned networks/systems, no encryption, and didn't detect the breach until they were screwed. It's going to be just like drug lawsuits: there will be multiple late night commercials fishing for anyone who worked at Sony to join in.
Hollywood is a schadenfreude kind of town. There will be a lot of movie industry types who will derive a lot of satisfaction from watching Sony suffer mightily because of this.
Re: (Score:3)
Is there any information about how long it took hackers to steal this 100TB? Did no one notice the unusual amount of traffic? I have a 40Mbit connection at home and with overhead I can usually download at up to 4Mbytes/sec. At that rate 100TB is something like 300 days of 24/7 downloading. Even if I had a gigabit connection directly to Sony that would take 12 days!
Clearly this was not done by someone in his mom's basement with a 40Mbit Time Warner connection to his laptop. It was perpetrated by someone with considerable resources and a considerable ax to grind. Going after employees but stealing everything related to them is not cool, but screw Sony, they kind of had it coming.
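Both the "116 days at 10 MB/s" arithmetic a few posts up and the question just above ("did no one notice the unusual amount of traffic?") come down to the same thing: moving 100 TB takes long enough, at any realistic rate, that per-host egress volume should stand out against its own history. The script below is an added example for this thread, not code from Sony or from any poster. It works on constructed flow records in a made-up "timestamp src dst bytes" format (the addresses and byte counts are invented), totals egress per source host per day, and flags a day whose total is far above that host's median of earlier days and above an absolute floor. The transfer_days helper reproduces the thread's back-of-the-envelope calculation so the two can be compared.

```python
"""Added illustration: spotting bulk egress from per-host daily byte totals.

Constructed flow records, not data from the Sony breach. The record format is
hypothetical: "<ISO timestamp> <src ip> <dst ip> <bytes sent from src to dst>".
"""
from collections import defaultdict
from datetime import date
from statistics import median

TB = 10**12
MB = 10**6

# Three quiet days for two hosts, then 10.20.1.15 ships ~1.55 TB to a single
# destination on the fourth day. All values constructed for this example.
SAMPLE_FLOWS = """\
2014-11-17T01:05:00 10.20.1.15 203.0.113.9 400000000
2014-11-17T09:15:00 10.20.1.15 198.51.100.7 350000000
2014-11-17T11:00:00 10.20.1.40 203.0.113.9 120000000
2014-11-18T02:30:00 10.20.1.15 203.0.113.9 420000000
2014-11-18T14:00:00 10.20.1.15 198.51.100.7 300000000
2014-11-18T10:00:00 10.20.1.40 198.51.100.7 110000000
2014-11-19T03:00:00 10.20.1.15 203.0.113.9 380000000
2014-11-19T16:00:00 10.20.1.15 198.51.100.7 390000000
2014-11-19T09:30:00 10.20.1.40 203.0.113.9 130000000
2014-11-20T00:30:00 10.20.1.15 192.0.2.200 800000000000
2014-11-20T06:45:00 10.20.1.15 192.0.2.200 750000000000
2014-11-20T12:00:00 10.20.1.40 203.0.113.9 125000000
"""


def transfer_days(total_bytes, rate_bytes_per_s):
    """Days of continuous transfer needed to move total_bytes at a fixed rate."""
    return total_bytes / rate_bytes_per_s / 86400


def parse_flows(text):
    """Yield (day, src, bytes) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        timestamp, src, _dst, nbytes = parts
        yield date.fromisoformat(timestamp[:10]), src, int(nbytes)


def daily_egress(records):
    """Map src host -> {day -> total bytes sent that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, nbytes in records:
        totals[src][day] += nbytes
    return totals


def flag_bulk_egress(totals, factor=10.0, floor_bytes=100 * 10**9):
    """Flag (src, day, bytes, baseline) where a day's egress is both above an
    absolute floor and more than `factor` times the host's median of all
    earlier days. The first observed day has no history and is never flagged."""
    alerts = []
    for src, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if not history:
                continue
            baseline = median(history)
            today = per_day[day]
            if today >= floor_bytes and today > factor * baseline:
                alerts.append((src, day.isoformat(), today, baseline))
    return alerts


if __name__ == "__main__":
    print("100 TB at 10 MB/s: %.1f days" % transfer_days(100 * TB, 10 * MB))
    for src, day, sent, baseline in flag_bulk_egress(daily_egress(parse_flows(SAMPLE_FLOWS))):
        print("ALERT %s on %s sent %.2f TB (baseline %.0f MB/day)"
              % (src, day, sent / TB, baseline / MB))
```

The baseline is per host rather than global because a render farm and a receptionist's PC have nothing in common; the absolute floor keeps a host that goes from 1 MB to 50 MB from paging anyone. Thresholds are a starting point to tune against real flow logs, and the same aggregation works on NetFlow or proxy logs once the parser is swapped.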