You said "no level". Ever talked to somebody that handles highly classified data in some TLAs? No, did not think so. Sure, it is expensive, but you can keep any and all types of attackers out if you invest enough and have the right people defining processes and implementing controls, except for those attackers that can come to you and break down your door or those that can plant people with you long-term. This "there is no way to protect yourself" meme is just BS for the uninformed and has nothing to do with professional risk-management.

What Schneier is talking about is the setting of a large, commercial enterprise that must be profitable. And even there you can keep all that would find your data commercially valuable out, you just need to understand the business aspects of security. True, against resourceful fanatics, that may not be enough. But Sony did clearly not even have the basic level of protection they needed in place. My take is this was some random group of big-ego-mediocre-skill hackers that got lucky and that are now grand-standing. Remember LulzSec? If they were still active, this would be right up their alley.

That is a big "if" there at the end.

Many people that have nothing important to do in their lives are always in a hurry. That servers to project the image of "success". It is a beginner's mistake, but one frequently made.

I really do not care how _you_ waste your time. While it may be true you are in a dead-end job that you do not enjoy and "working" on you phone is your escape from it, I do enjoy my work and I like being efficient at it. I do realize that professional quality-level tools are not the right fit for most people and please, by all means, stick with your toy. As long as BB survives and puts out an actually useful phone now and then, I am fine. You cannot dominate the market with something that is actually really good, people are just too stupid for that.

There is people that understand what is going on, and then there is people like you. Pathetic. But keep pushing your lies, you are just getting more and more obvious every time.

The funny thing is that you are way off. Statistics about gamers show that they have significant disposable income, often families and the "basement dweller" type basically does not exists. I think people with your broken "understanding" of things have become entirely obsolete.

While even that is not really true, who said these attackers where high-skill? That they copied terabytes of data points squarely into the low-skill area, as this is an activity with an extreme risk of being noticed.

There are no useful metrics for black-swan events. That is why messing this up must come with a huge personal risk for those in charge.

No. Really not. They messed up to an extreme degree. They do not deserve any "slack", they deserve to be crucified. Sure, they have large data-flows, but these need to go via controlled channels that look at what gets transferred. Transferring thousands of emails? If that does not raise several red flags, then they either have nothing in place or what they have is fundamentally broken.

Nonsense. You have no clue.

Remember RSA labs that kept the master keys to SecureID on their network? There is nothing simple or easy here and, of course, security costs money and in capitalism you only spend money if there is an expected gain. Unless people high up in management go to prison or the company is fined heavily on such events, nothing is going to change.

This is the right question to ask! IT security st Sony must have been exceptionally bad. Large flows of data from inside to outside is what is most interesting. Competent attackers will only export the minimal amount of data needed, because data export ("data leakage") is the activity with by fas the highest risk of being detected. That "terabytes" were exported shows that there basically was no working security in place and also that the attackers were not very good at this as they did some very risky things.

All you need is security good enough to keep the attackers out. The trick is to find what level that requires. Asking for "absolute security" just shows that you have no clue how security works.

Indeed, it can. You do not need to have absolute security at all (which is what amateurs routinely demand), just enough to demotivate attackers and make them go looking someplace else.

For all we know, Sony did invite this attack and opened its doors wide for anybody wanting in. At the very least you can make this hard for the attacker and add a high risk if early detection. Saying "you can't protect yourself" is sending entirely the wrong message.