Stolen Pixels #260: The Dark Fortress

 Pages 1 2 NEXT
 

Stolen Pixels #260: The Dark Fortress

Watch out hackers, Sony is ready for you!

Read Full Article

not a angry face on the side! Whatever will they do about that :O

All that's missing is a speech bubble saying "Bo" next to the angry face and no more hacking on the PS3, for sure.

and if that wont work, we can always say that we're very disappointed in them, and make them say that they're sorry!

its fool-proof...

Better yet, just hire Dr. Breen
image

I imagine Sony's firewalls will be treated something like There's a Monster at the End of this Book. That'll keep those dastardly hackers out for sure.

Ok the (Important!) made me LOL. Good stuff there. If it hadn't already been done I would be filling out a patent application for network connection over barbed wire http://www.patchrj45cable.com/t1-over-barbed-wire-anything-but-ethernet-2007.html

I love the addition of umlauts over the "A" in "Dark Fortress" on that sketch, really sold it for me. Umlauts evidently add credibility to anything, not just Metal musicians!

Awesome comic - one of my favorites. Beyond the comedy it also captures the approach that Sony has apparently taken to network security in the past. It will be interesting to see if this ends up being prophetic...

If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different? Sony's situation just makes clear what everybody should have long ago figured out: once you've become an attractive target for hackers, there's not much you can do but respond retroactively to them. There's no proactive defense. If they want in, they'll get in and there ain't nothing anyone can do to stop them.

Sure no hacker would venture in those black boxes now!

You had such a golden Shamus, GOLDEN chance to make a Mordor and all that joke in a subtle way, yet you dribbled into another 'Hur Hur, physical hacker touch joke'.

Why Shamus, WHY? You were the chosen one!

I normally love your stuff, but I think you missed the mark here, turning "We increased security, and no we're not going to tell you our internal architecture" into a fairly silly joke.

HankMan:
Better yet, just hire Dr. Breen
image

That's Dr. HAX, not Dr. Breen. Everyone knows that.

Alas, it didn't work...[1]

[1] Yeah, I know that's not PSN.

Hack sony, be a cool guy.

Holy crap; the "make.believe" think is their real advertising slogan. I thought you were just making fun of them. All you need to do is add the word "security" underneath.

I appreciated that umlaut, Shamus. You don't see enough of 'em these days.

RJ-45 is a connector standard, not a cable standard. I think you meant cat-5 or cat-6 cable with barbed wire. I'd like to see the IEEE standard for that!

JDKJ:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different?.

Because unlike the federal government, Sony has to keep it's customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga cd. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.

Haha, I like the nice touch of them spelling "deterrent" wrong and having to fix it.

Postal47:

JDKJ:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different?.

Because unlike the federal government, Sony has to keep it's customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga cd. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.

I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.

JDKJ:
There's no proactive defense. If they want in, they'll get in and there ain't nothing anyone can do to stop them.

The same is true of your home, if an intruder wants in they will get in, doesn't mean you shouldn't bother locking your doors and using an alarm.

I don't think anyone expects Sony's servers to be unassailable, but they could have been more secure and better monitored. There are hackers who do things for the prestige, or an axe to grind, but the typical criminal hacker is doing things to make money - the easier the target the easier it is to make that money, if you make something suffieciently hard and the reward for success isn't that great they will be discouraged and look at juicier targets.

Anti-Robot Man:

JDKJ:
There's no proactive defense. If they want in, they'll get in and there ain't nothing anyone can do to stop them.

The same is true of your home, if an intruder wants in they will get in, doesn't mean you shouldn't bother locking your doors and using an alarm.

I don't think anyone expects Sony's servers to be unassailable, but they could have been more secure and better monitored. There are hackers who do things for the prestige, or an axe to grind, but the typical criminal hacker is doing things to make money - the easier the target the easier it is to make that money, if you make something suffieciently hard and the reward for success isn't that great they will be discouraged and look at juicier targets.

But it doesn't appear in Sony's case that financial gain is the objective. That it could be is undermined by the fact that the data stolen from the San Diego server hasn't been used in any reported fraudulent activity and the data stolen from the Greece server was posted to the internet. If it is the case that financial gain isn't what motivates the hacks, then the hackers are unlikely to move on to easier pickings no matter how unattractive a target Sony tries to make itself. They're likely to continue their hactivities unabated. And, if they do, it'll only be a matter of time before another one of Sony's servers is hacked.

And if the motivation wasn't financial gain, then there's little Sony could have done in the first instance to prevent the San Diego hack. The hackers, not being calculating criminals, would have kept on attempting to intrude until they found a way to intrude. Regardless of how "secure" Sony's server was at the time.

The double dot above the a makes it even more scary.

JDKJ:

But it doesn't appear in Sony's case that financial gain is the objective. That it could be is undermined by the fact that the data stolen from the San Diego server hasn't been used in any reported fraudulent activity and the data stolen from the Greece server was posted to the internet. If it is the case that financial gain isn't what motivates the hacks, then the hackers are unlikely to move on to easier pickings no matter how unattractive a target Sony tries to make itself. They're likely to continue their hactivities unabated. And, if they do, it'll only be a matter of time before another one of Sony's servers is hacked.

And if the motivation wasn't financial gain, then there's little Sony could have done in the first instance to prevent the San Diego hack. The hackers, not being calculating criminals, would have kept on attempting to intrude until they found a way to intrude. Regardless of how "secure" Sony's server was at the time.

I agree in this particular case that the most prominent attacks were specifically to hurt Sony (and it's userbase). But I find it highly improbable that the motive isn't finacial gain for many hackers. If it wasn't wouldn't they stick to DoS attacks, why go after userdata/accounts?
Even if the attacks were entirely ideological/vandalism, we could argue that Sony could have taken the preventative step of not antagonising the hacking community to the degree they did - particularly if they were aware that their system was as vulnerable as it proved to be. I'm not saying they could have anticipated the level of attacks they received, nor should they let piracy slide, but the combination of antagonising hackers with a network with a dubious level of security was a terrible miscalculation on their part. We're still seeing reports of relatively simple and easy attacks being viable.

I understand how fast any security tech becomes vulnerable, but the only viable option is to keep on the bleeding edge as much as possible, time & difficulty are the only deterrent - this incident has been and will continue to be extremely costly for Sony. I hope both they and other companies learn that network security and data protection have to be among their highest priorities.

JDKJ:

Postal47:

JDKJ:
If the White House server, with the resources of the entire federal government behind it, can be hacked multiple times, why should Sony be any different?.

Because unlike the federal government, Sony has to keep it's customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga cd. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.

I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.

I don't know for sure what level security clearance he had, but as he was not very high ranking or in a sensitive position, I wouldn't think it would be that high. Also, from everything I've read about the case, none of the info he leaked was classified top secret. The windows permissions problem I referenced was related to the fact that they can't prove that Manning took the files because they didn't have secure, individual logins for each user on their pcs, which is very basic security stuff.

Anti-Robot Man:

JDKJ:

But it doesn't appear in Sony's case that financial gain is the objective. That it could be is undermined by the fact that the data stolen from the San Diego server hasn't been used in any reported fraudulent activity and the data stolen from the Greece server was posted to the internet. If it is the case that financial gain isn't what motivates the hacks, then the hackers are unlikely to move on to easier pickings no matter how unattractive a target Sony tries to make itself. They're likely to continue their hactivities unabated. And, if they do, it'll only be a matter of time before another one of Sony's servers is hacked.

And if the motivation wasn't financial gain, then there's little Sony could have done in the first instance to prevent the San Diego hack. The hackers, not being calculating criminals, would have kept on attempting to intrude until they found a way to intrude. Regardless of how "secure" Sony's server was at the time.

I agree in this particular case that the most prominent attacks were specifically to hurt Sony (and it's userbase). But I find it highly improbable that the motive isn't finacial gain for many hackers. If it wasn't wouldn't they stick to DoS attacks, why go after userdata/accounts?
Even if the attacks were entirely ideological/vandalism, we could argue that Sony could have taken the preventative step of not antagonising the hacking community to the degree they did - particularly if they were aware that their system was as vulnerable as it proved to be. I'm not saying they could have anticipated the level of attacks they received, nor should they let piracy slide, but the combination of antagonising hackers with a network with a dubious level of security was a terrible miscalculation on their part. We're still seeing reports of relatively simple and easy attacks being viable.

I understand how fast any security tech becomes vulnerable, but the only viable option is to keep on the bleeding edge as much as possible, time & difficulty are the only deterrent - this incident has been and will continue to be extremely costly for Sony. I hope both they and other companies learn that network security and data protection have to be among their highest priorities.

That's quite the dilemma, isn't it? The choice between making the pirates happy or making the hackers happy. Fucked if you do, fucked if you don't.

I don't think specifically hurting the userbase was intended. That's just a collateral consequence about which the hackers don't give a rat's ass.

Postal47:

JDKJ:

Postal47:

Because unlike the federal government, Sony has to keep it's customers happy to make a profit and stay in business. Bradley Manning (who is not a hacker) was able to "steal" (allegedly steal) secrets from the DOD by simply going to a DOD computer and burning them onto a Lady Gaga cd. They (the DOD) didn't even have basic Windows permissions set up properly! My point is, don't use the government as your gold standard for information security.

I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.

I don't know for sure what level security clearance he had, but as he was not very high ranking or in a sensitive position, I wouldn't think it would be that high. Also, from everything I've read about the case, none of the info he leaked was classified top secret. The windows permissions problem I referenced was related to the fact that they can't prove that Manning took the files because they didn't have secure, individual logins for each user on their pcs, which is very basic security stuff.

Instead of guessing and since you're sitting right in front of the internet, why don't you just do a quick Google search of "Bradley Manning" AND "clearance?" Then you'll know for a fact that he was an intelligence analyst with "top secret" clearance, the highest level of security clearance the Army can grant.

The computer from which he downloaded the information was contained in a guarded room to which only those with "top secret" clearance were admitted.

JDKJ:

Postal47:

JDKJ:

I think Manning's ability to take the information had less to do with the way Windows was set up and more to do with the fact that he had top secret clearance.

I don't know for sure what level security clearance he had, but as he was not very high ranking or in a sensitive position, I wouldn't think it would be that high. Also, from everything I've read about the case, none of the info he leaked was classified top secret. The windows permissions problem I referenced was related to the fact that they can't prove that Manning took the files because they didn't have secure, individual logins for each user on their pcs, which is very basic security stuff.

Instead of guessing and since you're sitting right in front of the internet, why don't you just do a quick Google search of "Bradley Manning" AND "clearance?" Then you'll know for a fact that he was an intelligence analyst with "top secret" clearance, the highest level of security clearance the Army

The computer from which he downloaded the information was contained in a guarded room to which only those with "top secret" clearance were admitted.

Postal47:

JDKJ:

Postal47:

I don't know for sure what level security clearance he had, but as he was not very high ranking or in a sensitive position, I wouldn't think it would be that high. Also, from everything I've read about the case, none of the info he leaked was classified top secret. The windows permissions problem I referenced was related to the fact that they can't prove that Manning took the files because they didn't have secure, individual logins for each user on their pcs, which is very basic security stuff.

Instead of guessing and since you're sitting right in front of the internet, why don't you just do a quick Google search of "Bradley Manning" AND "clearance?" Then you'll know for a fact that he was an intelligence analyst with "top secret" clearance, the highest level of security clearance the Army can grant.

Which does not in any way discount the two points I made.

The computer from which he downloaded the information was contained in a guarded room to which only those with "top secret" clearance were admitted.

Well, yes, it kinda does. Your points, as I understand them, are that the Army's computer set-up was lacking in security owing to a lack of a user log-in requirement which somehow made it easy for Manning to take the information. But the fact that the computer from which he took the information was in a room guarded by Military Police who don't allow access by anyone who doesn't have "top secret" clearance and Manning had the clearance required to access and use the computer does discount your points. The Army's mistake doesn't lie in not having some freakin' log-in requirement on a computer. It lies in giving a clearly mentally disturbed person "top secret" clearance.

So the computer was in a locked and guarded room, but they let him enter and leave the room with removable media? Physical security is a major part of network security. P.S. You'd be mentally disturbed too if you were put in solitary confinement for almost a year.

Postal47:
So the computer was in a locked and guarded room, but they let him enter and leave the room with removable media? Physical security is a major part of network security. P.S. You'd be mentally disturbed too if you were put in solitary confinement for almost a year.

Can I ask why you chose the Manning case as an example of whatever when it seems to me that you don't know much about the facts of that case?

P.S.: Manning was manifesting odd behavior long before he was arrested by the military. In fact, he was about to be discharged from the Army for "adjustment disorder."

Well done Shamus. Perhaps SONY should also add some liquid cooling that is red, which is fueled by hacker blood!

I didn't know his security clearance, so I automatically don't know anything else about the case? I've read extensively about this case, but I've read mainly about his detainment, not his alleged crime, because frankly I don't care much about the allegations. I have never claimed to be an expert on the case, and I've politely taken you at your word about every aspect of the case, because contrary to your prior statement I am not sitting in front of a computer, I am writing this from my phone on my breaks from work, and I don't have much time for fact checking. Yes, I have heard the claims that Manning had issues prior to his alleged crimes, but this only a) makes the nature of his detainment that much more despicable and b) makes the Army's network security policies look that much worse. My initial point about the Manning case was that the Army neglected basic physical security measures on their network, and nothing I have heard so far contradicts that point.

They better make it a very scary face or else it won't work very well.

 Pages 1 2 NEXT

Reply to Thread

Log in or Register to Comment
Have an account? Login below:
With Facebook:Login With Facebook
or
Username:  
Password:  
  
Not registered? To sign up for an account with The Escapist:
Register With Facebook
Register With Facebook
or
Registered for a free account here