
Yesterday was a big day for Sony in a number of different ways.

First, Sony announced that it had restored access to its PlayStation Store. The store was taken down in the wake of the hack attack in mid-April.

What should have been good news was tempered a bit as well. According to a story at the LA Times, "The Welcome Back package Sony promised last month alongside ID-theft insurance isn't yet available in the online storefront." This continued delay will likely irritate a number of PlayStation Network (PSN) users who keep being thanked by Sony for their patience in light of the inconvenience of both the hack attack and its own delayed response in preventing any further harm that may stem from the attack.

In addition, Sony and Epsilon - which had a breach of its own earlier this year - testified yesterday about the details of their individual hack attacks before the US House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing, and Trade. Both companies defended their IT security and customer breach notification processes.

According to this article at Government Executive, Sony Network Entertainment President Tim Schaaff told the Subcommittee that,

"Despite taking what we believe were extremely appropriate and substantial steps to build a safe and protected network, hackers were able to get into our network."

And according to this story at the Boston Globe, Mr. Schaaff also told the Subcommittee that:

"We believe the security we had was very, very strong and we were in good shape."

Of course, Mr. Schaaff didn't say what benchmark Sony was measuring against when he claimed that Sony's network security was "very, very strong." Many IT security folks - and especially hackers - have not been impressed by Sony's security measures pre- or post-hack attack.

Sony and Epsilon both said that they supported some sort of federal legislation that would create a uniform national standard for data breach notification (see Sony's congressional testimony (PDF) here and Epsilon's testimony (PDF) here). Mr. Schaaff also gave some issues to consider as the law is being crafted:

"Laws - and common sense - provide for companies to investigate breaches, gather the facts, and then report data losses publicly. If you reverse that order - issuing vague or speculative statements before you have specific and reliable information - you either confuse and panic people, without giving them useful facts, or you bombard them with so many announcements that they become background noise."

Overlooking the fact that this statement was a backdoor way of again justifying Sony's extremely slow notification of its customers about the PSN hack, the ideas highlighted by Mr. Schaaff have merit and should be contemplated.

Finally, as I mentioned, Sony's new IT security measures have not impressed hackers much. To drive home the point, reports first surfaced last night and seem to be confirmed today that a hacking group by the name of Lulzsec has stolen detailed information from 1 million "users who entered Sony competitions run by its Pictures Entertainment web site," this article at the International Business Times reports.

The information includes "names, birth dates, addresses, emails, phone numbers and passwords" the IBT story says.

Lulzsec claims that it hacked into Sony's network to show how vulnerable the company still is to simple cyber attack vectors.

If this keeps up, I am going to have to start developing a "Sony got hacked" blog post template.
