Forgot your password?
typodupeerror
Sony

Sony Running Unpatched Servers With No Firewall 306

Posted by CmdrTaco
from the oh-yeah-that'll-be-fine dept.
ewhenn writes "Security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which 'was unpatched and had no firewall installed.' The issue was 'reported in an open forum monitored by Sony employees' two to three months prior to the recent security breaches."
This discussion has been archived. No new comments can be posted.

Sony Running Unpatched Servers With No Firewall

Comments Filter:
  • Welp (Score:5, Insightful)

    by dragonhunter21 (1815102) on Thursday May 05, 2011 @11:47AM (#36035970) Journal

    Well THERE'S your problem.

    IANAL, but shouldn't users have the reasonable expectation that their data would be secured? Is there a suit here?

    • Re:Welp (Score:4, Informative)

      by andrea.sartori (1603543) on Thursday May 05, 2011 @11:56AM (#36036080) Journal
      I'm afraid stupidity is not a "suitable" (sorry...) offense. Maybe based on criminal negligence...
      • Re:Welp (Score:5, Interesting)

        by alta (1263) on Thursday May 05, 2011 @12:02PM (#36036156) Homepage Journal

        They are in gross violation of PCI. Criminal Negligence is "suitable"

        They can be seriously damaged by this... I would love to see their ability to take credit cards revoked. That would put an end to their entire online business. Can you imagine Playstation Network if it was prepay, or paper billed only?

        • Re:Welp (Score:5, Interesting)

          by JWSmythe (446288) <jwsmythe@[ ]mythe.com ['jws' in gap]> on Thursday May 05, 2011 @12:10PM (#36036256) Homepage Journal

            How the hell did they maintain PCI compliance? At very least that requires the self-evaluation, and an external scan by a 3rd party. The self-evaluation, they could have easily lied on. The external scan? No way. Well, unless they had the scan pointed at a dummy server. That happens a lot more than it should. For the money I'm sure Sony was pushing through, it should have rated an on-site inspection. One company I worked for only pushed through about $50 million/yr. We were self-eval with external scan. They did threaten physical inspections every quarter, but never showed up. I guess they could have pointed at any rack and said "this is the rack". The insecurity is pure stupidity. There are so many ways to secure the network, from free (iptables on the machine) to inexpensive (dedicated firewall machine running Linux), to expensive hardware solutions. There's no excuse for this.

          • by sxpert (139117)

            definitely shows that PCI is bullshit ;)

            • by hawguy (1600213)

              definitely shows that PCI is bullshit ;)

              They weren't PCI compliant since part of compliance requires applying security patches to in-scope systems, and if credit card numbers were passing through Apache or the web app running on Apache had access to credit card numbers, it was definitely in scope. And of course, storing unencrypted credit card numbers also violates PCI, but even if they were encrypted, if the hackers had control of the application they could have had the decryption keys.

            • Re:Welp (Score:4, Insightful)

              by HiredMan (5546) on Thursday May 05, 2011 @12:42PM (#36036682) Journal

              definitely shows that PCI is bullshit ;)

              PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.- so only certain areas get tested. You can have your "certified" PCI system hooked up on a network to a botnet but insist that only your PCI computer get "certified". It's like going to doctor and telling him your arm hurts but he can only examine your arm. When it turns out to be a heart attack and you die the doctor only gets to say "His arm was fine when I checked it."

              They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

              • by hawguy (1600213) on Thursday May 05, 2011 @12:57PM (#36036882)

                PCI certification is joke. It's in the best interests of all involved to severely limit the scope of the "certification" - due to cost, time, intrusiveness etc.-

                You certainly can limit the scope to only those computers that have access to PCI protected data, but any computer that has access to that data or processes that data is in scope. I'm sure you can configure your network in such a way that allows a breach, but that's not really PCI DSS's fault - one standard can't be expected to provide complete security for all environments....they give you overall security recommendations, if your network allows access to the data by a botnet, then it's your job to fix it, don't think that just because you checked all of the checkboxes on the PCI-DSS checklist that your security job is done.

                so only certain areas get tested.

                If you're relying on testing to protect your data, you're doing it wrong -- PCI outlines best practices to protect your data, scanning is only one part of the larger picture.

                They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

                I've never heard that "no PCI certified system has ever been breached" and I'm pretty skeptical since I know a few ways to get data out our PCI compliant systems. However, If they found that you violated PCI standards, then you weren't really PCI compliant, were you?

                • by HiredMan (5546)

                  If you're relying on testing to protect your data, you're doing it wrong -- PCI outlines best practices to protect your data, scanning is only one part of the larger picture.

                  But they don't encourage the larger picture is my point. Their testing methodology encourages checklist thinking so you pass a limited test at 100% and you get your certification. Because you don't get any real protection from the certification - because they will retroactively deny your compliance after the fact - it becomes a necessary evil to be complied with not an active process. You're encouraged to think completely inside the box to get PCI certs but not rewarded in any way for taking a comprehensive

              • by Rich0 (548339)

                They like to brag that "no PCI certified system has ever been breached" but that's because when you're breached they forensically figure where you violated PCI and retro-actively revoke your certification. It's worse than bullshit it's an expensive fig leaf of security theater.

                Sounds like post-claim underwriting. Collect premiums from a customer up until they file a big claim. Then carefully examine history to find some violation, and deny claim. Be sure to refund premiums without interest to be nice. Of course, what they don't do is carefully check the histories of customers who DON'T file claims to see if they're paying for invalid insurance and should get refunds as well. Since the whole nature of insurance is that most people don't file big claims, you can make money han

            • by Amouth (879122)

              PCI if followed is effective.. compliance in the marketplace is bull shit.. BUT there is one thing that i like about Sony failing.

              If you claim to be PCI compliant but are not and you suffer a breach related to your failure to be compliant then you are liable for any fraud charges and cost to investigate and clean up said mess. Not to mention if it was a smaller out fit their ability to charge cards would be removed.

            • Re:Welp (Score:5, Informative)

              by MattW (97290) <matt@ender.com> on Thursday May 05, 2011 @01:48PM (#36037612) Homepage

              A friend of mine used to sit on the PCI board. He linked me to this recently:

              http://blog.imperva.com/2011/04/pcis-impact-on-security-quantified.html [imperva.com]

              PCI is one of the most defined and effective standards I've ever seen. Compare that to other standards some companies tout like ISO27001 or SAS70, which are absolutely toothless. (Because they assess only what you SAY that access, as they are standards for evaluating your declared controls.)

              PCI varies a lot depending on what tier the merchant is. If they are Tier 2 - Tier 4, the assessment is really only as good as their self-assessment/scan. The scan can be gamed simply by giving out a host or two which is properly locked down, and using that certificate. Tier 1 merchants (6 million+ transactions/year) have to undergo an audit with a certified assessor. I guess PSN doesn't do that many transactions per year? If the assessor does a bad job they will lose their certification.

              Also, if Sony lied about the state of their compliance, then they are exposed to enormous amounts of liability.

              • The parent sums PCI up very nicely. My company is looking at the feasibility of implementing PCI vs outsourcing credit cards. Since we would be a Tier 4 vendor, we would be able to do a self assessment. Talking with other companies in Tier 4 uncovered a wide range of compliance from almost nothing to almost complete compliance. If the web site you're giving your credit card to is not a Tier 1 vendor, be very very afraid.

          • by jimicus (737525)

            When a small business such as you or I might run fails to keep systems in PCI compliance, the bank can revoke our ability to take cards and we are in trouble.

            When a huge business such as Sony fails to keep systems in PCI compliance, the bank cannot revoke ability to take cards otherwise the bank's in trouble.

          • Having been through a few PCI audits as the "Point man" on the technology, I can tell you that the external audits are a joke. The auditor is usually not a tech. Often, it's a peon with a clipboard. On this clip board are check boxes. He askes you "Do you do X"? You say "Yes", he ( or she ) checks the box. Meanwhile, your company continues to have horrible business practices.

            This was a tier 1 audit too.

        • by nschubach (922175)

          I know I wouldn't use it... my Credit Cards give me a layer of protection and a buffer. So does Prepay (layer of monetary protection), but those are often a PITA to get and there are usually fees involved in getting them. (Unless I'm totally wrong here. I remember Prepay cards that you had to get at the store and are charged a percentage more than the value of the card. This usually involves predetermining that you need the card while you are at the store or making a special trip.)

          Paper bill I guess I c

          • So does Prepay (layer of monetary protection), but those are often a PITA to get and there are usually fees involved in getting them.

            Yeah such a pain in the ass that's why you would just buy prepaid game cards instead of a prepaid credit card, I mean they're only offered at every convenience store, grocery store and department store. From XBLA points to F2P MMO networks they're just about everywhere these days and I've never seen a fee on one. 20 bucks of credits is 20 bucks of credits is 20 bucks of credits.

            • by nschubach (922175)

              That was one of my points though. You get home, sit down, take off your shoes, maybe get comfortable and go look through the games available to buy online. You see one you really like and want to get it. Doh, I have to run to the store to get a card...

              There's just a huge inconvenience in prepaid cards.

              You could stock up on a bunch of cards anticipating that you will be buying a game, but what if you buy a card for $20 and the game is $18? Now there's $2 sitting on that card and you may just throw the ca

            • by HAKdragon (193605)
              On top of that, if you have an account with Amazon, you can buy Microsoft Points (for Xbox 360) or Playstation Network Cards and they will just send you the code that you can redeem on the console (or through the web interface for your account).
        • by JamesP (688957)

          Really

          I found impossible to run a server without even Fail2Ban without running into some serious issues

          Rule 1 - Nothing should show up on a port scan besides HTTP/HTTPS and SSH (only if absolutely needed)
          Rule 2 - Fail2Ban everything that looks funny
          Rule 3 - nothing listens on 0.0.0.0 except as needed (even with a firewall)

          And that's only the beginning

        • by Furry Ice (136126)

          They are only in violation of PCI requirements if the unpatched servers in question processed/handled credit card numbers. I could not glean from TFA if this is the case. It's bad practice to leave unpatched servers that don't process sensitive data, but it's not uncommon, unfortunately.

      • Re:Welp (Score:4, Interesting)

        by Ancantus (1926920) on Thursday May 05, 2011 @12:04PM (#36036192) Homepage Journal

        From USLegal [uslegal.com]:

        The civil standard of negligence is defined according to a failure to follow the standard of conduct of a reasonable person in the same situation as the defendant. To show criminal negligence, the state must prove beyond a reasonable doubt the mental state involved in criminal negligence. Proof of that mental state requires that the failure to perceive a substantial and unjustifiable risk that a result will occur must be a gross deviation from the standard of a reasonable person.

        Bolding by me.

        IANAL, but I think this is a clear case of criminal negligence. Any IT tech would know better than to leave a unpatched HTTP server without a firewall up to the internet. If you were told on open forums that this was happening, and then loose 2 million credit card numbers? Well if that isn't criminal negligence, I don't know what is!

        • by g0bshiTe (596213) on Thursday May 05, 2011 @12:10PM (#36036254)

          Any IT tech would know better than to leave a unpatched HTTP server without a firewall up to the internet.

          Yet it still happens everyday.

          • by sribe (304414)

            Yet it still happens everyday.

            But probably not on servers that are storing millions of credit card numbers. That's a key difference.

            • Hey, there's an optimist left on /.!

            • by Ancantus (1926920)

              But probably not on servers that are storing millions of credit card numbers. That's a key difference.

              Exactly! Although it is never good to leave something exposed to the Internet unprotected, if its small there is very little risk (I have always been taught to assume that your system is constantly being attacked, better to be secure than sorry). But its entirely unacceptable to be so lax on security for something having access to their credit card database. I hope other companies that store credit card data are double-checking their security. If Sony made this mistake, others have as well.

            • Re: (Score:3, Interesting)

              by Anonymous Coward

              Yet it still happens everyday.

              But probably not on servers that are storing millions of credit card numbers. That's a key difference.

              I do security audits for a living and I'll tell you that this is actually quite common. Most companies don't give two shits about your data if they don't have direct financial liability.

              The servers that have serious security are the ones that store THEIR proprietary data (blueprints, special sauce, etc). Customer data, healthcare data... don't give two shits.

              I have broken into customer or employee data in almost every company I've audited during the last 4 years.

              I'll tell you also, that the PCI mandated

        • Re: (Score:3, Funny)

          by Wildclaw (15718)

          loose 2 million credit card numbers

          It isn't like those numbers actually can be used for anything.

          A number that people tell random merchants is obviously not something that is usable for any economic purposes. I can't imagine anyone using it to validate purchases as that would clearly be criminal negligence.

    • Re:Welp (Score:5, Informative)

      by akpoff (683177) * on Thursday May 05, 2011 @12:11PM (#36036258) Homepage

      Quite possibly. Sony's responsibilities to their customers might not rise to the level of Fiduciary Responsbility [wikipedia.org] but customers do have a reasonable expectation of due care [thefreedictionary.com], at least with their credit card information and likely with their account information.

      Further, to receive full indemnification from the payment-card industry against claims of fraud, you must be PCI compliant [wikipedia.org]. Were Sony PCI compliant having un-patched software on public-facing servers? Doesn't seem like it. This could potentially open Sony up to all kinds of claims.

      Even if Sony somehow manage to escape civil and criminal justice ramifications, carelessness is no way to run a business. Sony's reputation is already tarnished in the tech world. They may finally get the public scrutiny and drop in reputation and market-share they've earned and so well deserve.

    • Is there a suit here?

      Given the attitude of most suits on website security, almost certainly.

    • In Massachusetts, there most definitely is. After the TJX breach, there was a big push to get businesses that hold personal information to take appropriate precautions. This culminated in M.G.L. Chapter 93H and corresponding regulations, which among other things makes data breaches actionable if the business did squat all to prevent it.

      Lately, our Attorney General has been doing everything she can to keep herself in the news, and I would not be surprised if she files suit against Sony post haste.

  • by hedwards (940851) on Thursday May 05, 2011 @11:47AM (#36035978)

    Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.

    • by sribe (304414)

      Isn't that the typical response in situations like this, clearly the crackers figured it out because you mentioned that we're unpatched without a firewall.

      Of course, and "the gun dropped out of my pants and went off by accident" is also a typical response to certain other situations. Typical doesn't mean it will actually work as a defense ;-)

      • by hedwards (940851)

        Indeed, I wasn't implying that it was a valid excuse, just that they'll use it and a lot of corporate apologists will buy into it because God forbid a corporation be forced to account for its own incompetence.

  • Normally I would find it unbelievable but Sony continues to surprise me in all of the worst ways.
  • by chemicaldave (1776600) on Thursday May 05, 2011 @11:50AM (#36036010)
    Aren't there privacy laws in the US that mandate fines for this kind of incompetence?
    • by xMrFishx (1956084)
      Yeah but generally it's best if they're just put down. It prevents further incompetence in the future.
      • As a user of SONY products, I'd prefer if my purchases weren't totally in vain. Besides, all of those fired sysadmins would have to find jobs somewhere.
        • by rubycodez (864176)
          "Put down" does not mean fired, guess again. Hint, it's a phrase for a specific action in farming and veterinary clinics for animals which are incurable or too expensive to cure.
          • by g0bshiTe (596213)
            I say put the two together, and stream it. "Sony IT Admins put down via fire. LIVE STREAM".
      • by Verdatum (1257828)
        "Curiously enough, an edition of the Encyclopedia Galactica that had the good fortune to fall through a time warp from a thousand years in the future defined the IT division of the Sony Corporation as 'a bunch of mindless jerks who were the first against the wall when the revolution came.' "
    • they can show there are some commonly accepted best practices
    • by Beryllium Sphere(tm) (193358) on Thursday May 05, 2011 @12:01PM (#36036154) Homepage Journal

      In general, no. However, if you publish a privacy policy that you don't really follow, that's considered deception and it's possible to get in trouble for it.

      The big issue here is that if they have credit card data, they're contractually bound by a private sector standard called PCI DSS, and Visa and Mastercard can impose penalties. They were blatantly out of compliance with rules in the standard requiring firewalls and a program of keeping up with patches.

    • Not really, but if you are going to get sued for damages in a multi-billion dollar class action law suit one of the key points is going to be negligence. If this story is true, establishing negligence is going to be easy.

  • by RichMan (8097) on Thursday May 05, 2011 @11:51AM (#36036018)

    *SARCASM*

    Sony's defense will be that this state is "standard industry practice" and to expect Sony to have taken more elaborate steps at being secure like updating the software or running firewalls and other protection services as well as things like honeypots and other intrusion detections measures is just not done by major internet service providers.

  • by Kamiza Ikioi (893310) on Thursday May 05, 2011 @11:54AM (#36036044) Homepage

    ... I thought the super hackers at Anonymous are all to blame! I mean, sure, most members of Anonymous are the ones spending hours ENJOYING the PSN. But, you mean to tell me that Sony, a multinational corporation, covered up their own culpability and then lied and blamed it on an innocent (in this case) group of hacktivists? Like, Wooo, just like Cereal Killer from the movie Hackers [availableimages.com] told us!

    • Re: (Score:2, Insightful)

      by LWATCDR (28044)

      I don't know if Anonymous is too blame for this. They are still after all a bunch if vindictive thugs and the Internet version of a street gang but that doesn't make them guilty of this.
      But just because the door has a cheap lock on it doesn't mean the criminal isn't to blame.

  • by LWATCDR (28044) on Thursday May 05, 2011 @11:55AM (#36036064) Homepage Journal

    According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed."

    Which version?
    And what do they mean where not running a firewall? And this was reported on a forum?

    You know that I heard that CmdrTaco is running Slashdot on an unpatched Windows 95 box using Boa 1.0 and isn't using a firewall.

    Can we not repeat unsubstantiated rumors? I really hope this is just really bad reporting and our that Congress is not taking statements like "It was reported on a forum" as evidence. Now if they have proof that this is true and it was reported on a forum it is interesting but just reported a forum is junk.

  • They first had to get around the impenetrable wall set up by sony. Then they had to find the data, which sony hid in the most secure place they could. What better place to hide something than right in plain sight labeled "Credit Card Info". Sony you sly fox, using reverse psychology on hackers.
  • by samjam (256347) on Thursday May 05, 2011 @11:57AM (#36036094) Homepage Journal

    Sony took more care to lock the customer out of equipment the customer owned on the customers premises to "protect Sony's IP" than they took to protect the customers data running only Sony's servers at Sony's premises.

    Looks like they need to move their security staff to the hosting side.

    Sam

    • by Plekto (1018050)

      This is absolutely typical for most large Japanese companies. The infrastructure is absolutely vertical and they admit to nothing. PR and the face that you present to the world is everything, and well, all of the rest is just stuff you should be a good worker and not ask about. Typical management is not too different than in the U.S. though, which is to tell the workers to "do it" and leave the rest of the thing to some guy five levels down the chain to make work. Just, that if there's a problem, the

  • The thread was deleted for "security reasons" and nothing else happened.

    No, I did not read TFA, but I know Sony.

  • it's Anonymous's fault! Hacking poor Sony's vulnerable servers...the gall! [/sarcasm]
  • by flogger (524072) <non@nonegiven> on Thursday May 05, 2011 @12:46PM (#36036736) Journal
    About a year ago, My credit card was billed 150$ for Playstation repairs by Sony. I don; town a playstation. The only credit card info Sony had on me was for an everquest account that I had.

    I contacted Sony and let them know that I did not pay for repairs as I do not own a playstation. I was told that they would not remove the charge and that I would have to contest it thought the credit card company. They also informed me that if the charge was contested, they (Sony) would cancel the playstation network account associated with the playstation that was repaired.

    I contested the charge through the credit card company and went through the whole hassle of changing ALL credit cards and notifying all business that I do transactions with.

    Maybe Sony is charging people for 150 here and there to pay for their lawyers. Now that people are calling Sony on the fraudulent charges, they can say that they were hacked....

    (Yea, I know, Who would steal credit card numbers from Sony and use the same info to buy Sony stuff.)

    I had stopped buying everything sony, cancelled my EQ, etc when the Rootkit fiasco hit and I was burned by that for putting a CD in my computer.

    Bastards.
    • I contacted Sony and let them know that I did not pay for repairs as I do not own a playstation. I was told that they would not remove the charge and that I would have to contest it thought the credit card company. They also informed me that if the charge was contested, they (Sony) would cancel the playstation network account associated with the playstation that was repaired.

      Actually, this sounds perfectly reasonable.

      Sony has no way of knowing whether you are the person who put the charge on the card or no

  • So... (Score:5, Insightful)

    by Capeman (589717) on Thursday May 05, 2011 @12:58PM (#36036904)
    Everytime a new PS3 firmware comes out, with "security updates" you are almost forced to install it or you lose PSN, plus other features, but they don't care about updating and securing their servers?
  • by Animats (122034) on Thursday May 05, 2011 @01:00PM (#36036928) Homepage

    It's likely that Sony went off-line not because they wanted to, but because VISA International [visa.com] and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised" [slashdot.org]. The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.

    The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.

    Then comes the "Account Data Compromise Recovery [visa.com] phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.

    A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.

    • If Sony could really be responsible for all the losses created by all the breached credit card information, it might be a good idea to short Sony stock. Think about it, 77M credit cards, $100 average hit, is $7.7B (with a "B") dollars...
      • by xero314 (722674)
        It's actually 12 million credit cards, and many of those have probably been canceled before any fraud was able to appear. Never mind the fact that not a single cause of fraud has been associated with the intrusion, and with 12 million cards you would think a pattern of fraud would start to appear pretty quickly. That's not to say it won't happen, or that people should not take the necessary precautions, just that so far there have been no incidents, so shorting a valuable stock is probably not the wisest
      • by woolpert (1442969) on Thursday May 05, 2011 @02:56PM (#36038766)

        The time to short the stock is well past.
        One shorts when public information is low and you have special knowledge of the situation, be that insider information, a unique knowledge of the industry, or particular experience.

        Shorting Sony at this point in time, when all the smart money (which knows more than you) has already set a rational price based on reasonable odds is nothing more than tying your hands.

        Unlike a traditional (long) position you would have locked yourself into a time window, preventing you from a full range of actions based on later information.

  • They were depending on Anonymous to keep the servers patched, hence the blame. "Expect Us" was logicaly taken to mean "Expect us between 2 to 5 on Friday to apply the service packs".
  • As a long-time subscriber to SOE games, I can say that I am just flat-out disappointed.

    It's not just anger, it's not just disbelief... it's disappointment. As if I just found out that my kid is the bully at school, steals lunch money, and spouts hate speech.

    I know that the people I know, personally, in SOE (devs, community relations) didn't have control over this, but some people at most levels had to know.

    Ouch, guys. Ouch.

    (http://t0.gstatic.com/images?q=tbn:ANd9GcQngiRrhTv_0WdVtJjX3aUV8a4o7zuyAY_CTUwHPpFdm

  • The ad for a free copy of "Vulnerability Management for Dummies" that appeared beside this article when I first clicked on it was a nice touch.

  • GUTEN TAG, Wii Gehts, Wednesday (NTN) — Sony has revealed that the Playstation Network security breach, which compromised 24.6 million credit cards, was entirely the work of evil hackers from Anonymous [newstechnica.com], and nothing to do with their own incompetence, honest.

    [newstechnica.com]"We discovered a file making a clear reference to 'Username unknown,'" the company said in a letter to the US Congress on Wednesday, "and a blank user icon which therefore was anonymous. D'you see what that means? It means George Hotz and his hacker friends are loathsome criminal masterminds! So obviously we can't be held liable for negligence in the face of forces like these. In conclusion, give us money."

    The letter details the company’s actions over the past two weeks. It says Sony acted with "care and caution" in deciding how to act and how long it thought it could get away without telling anyone. "We did not want to cause confusion and cause customers to take unnecessary actions, such as stopping their credit card payments to us."

    "We have suffered a very carefully planned, very professional, highly sophisticated criminal cyberattack, which has led to people committing the heinous hate crime of jailbreaking their PS3s. In accordance with our campaign contributions, we ask that you impose the death penalty for such offenses."

    The letter concluded that the breakin was quite definitely the work of Anonymous. "We were going to blame Al-Qaeda, but we figured after Monday that you probably wouldn't buy that."

If I had only known, I would have been a locksmith. -- Albert Einstein

Working...