There's no evidence to support that the hackers even took the details. All that's been confirmed is that due to a flaw in their security system, the hackers could have taken the details.
Furthermore, none of this would have happened if Sony weren't such pricks about what people are and aren't allowed to do with their hardware, and constantly removing advertised features like OtherOS.
Not only that, but they have a corporate responsibility to keep information safe. It's their fault for having a poor security system.
Side note: I found it amusing how Sony emailed PSN members about the situation, and nowhere in that email did they include a single word of apology.
IMO Sony HAS to take the flak. It was their screw up. It was and still is the company's responsibility to keep everything in shape, especially important customer information. Thank goodness I ain't involved in any of this.
No catastrophe of this size has ever hit Sony, and they were caught off guard, panicked, or whatever. Either way, they handled it poorly, like a hostage rescue gone bad.
Sony deserves some of the blame, that's for sure. But I'd rather we catch the hackers first before we start flogging Sony. Unlike the hackers, Sony isn't going anywhere.
Right, this is seriously getting on my nerves: why are people directing all their hate about this PSN hack towards Sony and not the people who hacked PSN and took their details? Sony didn't choose to get hacked, so why are they being blamed for it? Yes, their security could have probably been better, but surely any security system is hackable anyway. Maybe I'm wrong about this whole thing, I don't know; I just think all the Sony hate is a bit unreasonable. What are your opinions on this?
I look at it this way. People don't hate Sony. Their disappointment is wearing a thin veil of hate on the outside, but really they just feel extremely let down. It is like when your child comes home with a poor report card. You don't hate them, but you are still going to shout, fuss, and rant at them for their failure to meet your high expectations. Remember the next time you see someone who says "Fuck you, Sony" or "Sony sucks" that they are expressing their disappointment and not their hate. People use the word "hate," but that's the frustration talking.
Sony has admitted that while card information was encrypted (still not giving us a definite answer on whether it was stolen), the rest of the info wasn't. Being such a large and prestigious company, they had a legal responsibility to keep all personal records safe, and they didn't.
Also, it comes with the idea that they lost all of it; Xbox Live and Steam haven't, and they likely have had hacking attempts.
Also, as many people said, we know who Sony are; we don't know who the hackers are.
Correct, but that then falls down to points 2 and 3 - if they left out third-party testing on their software, that also falls into the category of their fault. I work in IT - this is something that is done regularly against our systems.
I apologize. I didn't realize I was talking to a professional. I'm just too used to idiots who automatically place all the blame on the main user or company because they think the only way security could be breached is someone carelessly giving away their password, or something similar.
Sparcrypt said:
Also serious security holes are patched within days of their discovery, if not hours. Not keeping up with security patches would also be their fault.
I would agree that part of the blame then lies on them, as having all of the information stolen for every account definitely constitutes a serious hole, regardless of the determination of the hacker.
the next part is really long, soooo....
Sparcrypt said:
They should also be using multiple layers of security - that way if a vulnerability is discovered in one then they might get through that layer, but then they get stuck at the next one. As long as all layers are maintained correctly and you have enough of them then the odds of them all being compromised are basically zero. It is the responsibility of Sony to make sure there are enough layers of security.
OldGus said:
I will agree that there are ways to reduce the risk of a system being hacked, but there are almost no ways to completely eliminate that risk as long as it is able to download information from an outside source, especially if that information can be accessed or added remotely. A system like PSN by its nature (and arguably the same for XBLA) must do exactly that.
This is where multiple layers of security come in again. Let's look, for instance, at the sign-up process to an online service. They take info from the user and store it - thus creating a potential security risk. So what can they do?
1. Run checks on the data from the console for validity before sending it to the servers (formatted correctly, etc. - this will stop the risk of code injection).
2. Run the same check server side - this means they have to compromise the local checking of data and THEN get the server to accept it.
3. The data will be stored by a process - this process has the permissions of the user who executed the process. Create a specific user for this purpose and restrict their access to being able to do nothing other than take the data and put it into the database. This way, even if you get past 1 and 2 and make this process run some code, it will only run with the permissions available to the process it runs as.
4. Now for anything to happen, the code that was run needs to be an exploit of its own that grants privileged account access. This means you need knowledge of the server - what OS is it running? What services, and what versions of those services? Do they have any known exploits that could give you more access? If you don't know this stuff you've got no hope of getting any further, unless you can find it out by using your previous code execution on the database process. If it's set up right you can't... but even if it's not...
5. Log everything and check those logs. This way you will see the database process running commands it shouldn't, or at least trying. When it happens, you go find out why.
Now I did skip a bunch of other things you'd do in that situation; however, basically, no one is going to break in using that form. If, however, there was no data checking and a badly set up database that hadn't been patched running as the root user? That server would be compromised in about 10 minutes.
THAT is the kind of thinking that needs to go into every aspect of services like the PSN. Anything else is just idiotic.
I may be silly for thinking it, but I was thinking that was exactly what they were doing, and they had slipped up somewhere, or missed something, or met a particularly determined hacker. If this isn't the case, then they're like a bank owner who builds their bank right next to a baseball field. If a baseball comes flying through their window, it's their fault for not having stronger glass. However, I feel the current reaction of "It's all Sony's fault!" with the only information people saying this go off of being that all the data was compromised (breathe, then point) is more like a person in a car blowing through the front window, grabbing the 5-ton safe and running off, and the customer then saying it's all the bank owner's fault for not having strong enough windows. They didn't take all the money out of the safe and leave it in front of the bank overnight where a random mob could walk by and pick it up bit by bit (at least I think not); someone broke in and took it. Whoever did this or however they did this, it either took a lot of time, or a lot of force, so I think at least a small part of the blame rests with the hacker(s).
Now, actually addressing your list of security measures,
which I think would be at least a good minimum, then adding my own paranoia to the mix, what I in the same situation would do would be at least to separate information out over several networked servers, and have it so that they are accessible only through a centralized hub. Here is a more methodical explanation...
1. User creates account for information with a password and a confirmation number (which is automatically created by the server, then stored on their console. It would effectively mean that A: the customer would never know this number unless they actually went looking for it, and B: in order to access the personal info, like name, address, credit card, etc. they would have to either use the original console the name and password are registered to, or go through a long process to change consoles that would involve generating a new CN.)
2. When accessing private information, the UN, PW, and CN are all required. When properly given, this activates a process for the user in the central hub that will use different passwords to access the specific server this information is stored on, and a filing number and separate password embedded in the program to access said information.
I realize this is overly complicated, and probably prohibitively expensive to set up, but that way if there is an attempt to hack it, there's very little chance of actually getting all the information, and even less of a chance of being able to immediately access it. But, again, I'm paranoid.
Sparcrypt said:
I've heard how exactly the PSN was compromised, but haven't confirmed it so I won't comment there... however, I can say that if what I heard was true then it was COMPLETELY their fault and could have been easily prevented.
I will assume that so far what you've heard is a rumor, and so will thank you for keeping it under your hat. Also, as I am now aware that you are a professional, I will assume that your opinion based on that information that they've screwed up is also professional. I am not a professional, and I'm not privy to such information, so on account of both of those, I will respect your opinion as more informed, and thus better in this case. That being said, I think you would agree that they started out with a cock-up, but their response to it made a real bell-end of it. But that you could probably discern from my earlier post in this forum.
If you didn't read it though, a simple summing up is, yes, they were responsible for security of that information and they screwed up, but where they really screwed up was waiting until the last possible moment to admit it, then admitting it in such a way as if to say they are now no longer responsible for it in any way and don't have to do/aren't doing anything to fix it. I think people have a right to be angry at that part, and I think that honestly, Sony should definitely be spending resources trying to fix it, as they have a legal, professional, personal, and moral responsibility here.
Either way, I concede that that is just my opinion, and I'm not an expert in law, business, or IT. It may be incorrect, and to be perfectly honest, the only reason I'm being emotionally neutral about this issue is that I've not been personally affected.
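The layered sign-up handling Sparcrypt lays out above (validate the data, validate it again server-side, write it through an identity that can do nothing but insert, and log every decision) can be shown in a few dozen lines. The block below is an added illustration written for this thread, not code from Sony, PSN, or either poster. It uses SQLite's authorizer hook to stand in for a least-privilege database role, and the usernames, e-mail addresses and passwords in it are made up.

```python
"""Layered protection for a sign-up form (added example, not PSN code):
validate, re-validate server-side, write through a least-privilege
database identity, and audit everything. All sample data is constructed."""
import hashlib
import os
import re
import sqlite3

# Layers 1 and 2: the same shape rules run on the console and on the server.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_signup(username, email):
    """Return a list of problems; an empty list means the data is well formed.
    Running this both client- and server-side means a tampered client
    still never gets malformed data near the database."""
    problems = []
    if not USERNAME_RE.fullmatch(username):
        problems.append("username must be 3-20 letters, digits or underscores")
    if not EMAIL_RE.fullmatch(email):
        problems.append("email is not well formed")
    return problems


def hash_password(password, salt=None):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


class SignupService:
    """Layer 3: the sign-up process reaches the database only through a
    connection whose authorizer permits INSERT into `accounts` and nothing else."""

    def __init__(self, db_uri="file:signup_demo?mode=memory&cache=shared"):
        # Admin connection owns the schema; it stays open so the shared
        # in-memory database survives for the worker connection.
        self.admin = sqlite3.connect(db_uri, uri=True, isolation_level=None)
        self.admin.execute("DROP TABLE IF EXISTS accounts")
        self.admin.execute(
            "CREATE TABLE accounts ("
            "username TEXT PRIMARY KEY, email TEXT, password_hash TEXT)"
        )
        # Restricted worker connection (hypothetical stand-in for a DB role).
        self.worker = sqlite3.connect(db_uri, uri=True, isolation_level=None)
        self.worker.set_authorizer(self._authorize)
        self.audit = []  # Layer 5: every decision is recorded for review

    def _authorize(self, action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_INSERT and arg1 == "accounts":
            return sqlite3.SQLITE_OK
        self.audit.append(("denied_db_action", action, arg1))
        return sqlite3.SQLITE_DENY

    def signup(self, username, email, password):
        problems = validate_signup(username, email)
        if problems:
            self.audit.append(("rejected_input", username, problems))
            return False
        # Parameter binding keeps the values as data even after validation.
        self.worker.execute(
            "INSERT INTO accounts (username, email, password_hash) VALUES (?, ?, ?)",
            (username, email, hash_password(password)),
        )
        self.audit.append(("account_created", username))
        return True

    def worker_can_read_accounts(self):
        """Layer 4 check: even a hijacked worker cannot dump the table."""
        try:
            self.worker.execute("SELECT username, email FROM accounts").fetchall()
            return True
        except sqlite3.Error:
            return False

    def account_count(self):
        rows = self.admin.execute("SELECT COUNT(*) FROM accounts").fetchall()
        return rows[0][0]


def demo():
    """Walk one good sign-up and one malformed one through all the layers."""
    svc = SignupService()
    return {
        "good": svc.signup("player_one", "one@example.test", "correct horse"),
        "injected": svc.signup("x' OR 1=1 --", "one@example.test", "pw"),
        "worker_read": svc.worker_can_read_accounts(),
        "rows": svc.account_count(),
        "audit": [event[0] for event in svc.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The malformed username never reaches SQL at all; it is refused by the server-side check and the refusal lands in the audit trail, which is the "see the process trying to do what it shouldn't" part of the post. The read attempt on the worker connection fails and is logged the same way, which is what restricting the storing process to a single permission buys you.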