Tuesday, May 03, 2011

Your Comments On Outageddon

These are all anonymous, for reasons that will become apparent.

Working as an IT professional, I can tell you there are some REALLY smart people out there. Incredibly smart people. The man who is head of IT security at my place of business (whom I will call Steve) is probably the smartest man I have ever met. Steve’s firewalls are rock solid and he sees EVERYTHING. In the 15+ years that I have worked here, there has NEVER been any sort of network intrusion into the company’s networks. While this company is not as big as Sony, it is still plenty big and presents a tasty target to random hacker X. Point is, if my company has a ‘Steve’, why doesn’t Sony? In fact, Sony should have a team of Steves monitoring this stuff constantly. The fact that they obviously don’t is incredible to me.

A different, professional source:
So you want to know what the most egregious thing about the breach is? Not that it happened. Frankly, almost any organization can be breached. Not that credit card data was taken, even though it probably wasn't adequately protected. No, the worst thing about it is that Sony was apparently so careless with personal data that they lost both passwords and secret question/secret answer pairs. They are so careless with customer data that they didn't even bother to hash those pieces of data (information security 101 stuff).

The problem is that most organizations use a limited number of secret questions/answers, such as "where were you born" or "mother's maiden name". Giving the bad guys that information, on top of all of the other stuff, means that even if you, say, change your banking password, they could change it to something else by saying they forgot it and answering the secret question (assuming that you use the same secret question pair, which most people do). Basically, anyplace where you use the same email address as you used on PSN is now at severe risk because of Sony's unmatched stupidity.
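The "information security 101" the second commenter refers to is storing passwords and secret answers as salted, iterated hashes rather than in the clear. The block below is an added example written for this page; it is not code from the post, the commenters, or Sony. It shows the per-field salted PBKDF2-HMAC-SHA256 storage the comment has in mind, and then goes one step beyond the comment to show the caveat a practitioner would add: because the answer space for "mother's maiden name" or "where were you born" is tiny, a hashed answer still falls to an offline dictionary run in seconds, so hashing is necessary but not sufficient for these fields. The function names, the iteration count and the candidate-answer list are this example's own assumptions.

```python
"""Salted, iterated hashing of a password and a secret-question answer.

Added example, not code from the blog post or its commenters. Demonstrates
(1) storing each secret as salt + PBKDF2-HMAC-SHA256 instead of plaintext and
(2) why a hashed secret answer is still weak: its answer space is small enough
to enumerate offline. Iteration count and candidate list are assumptions.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Iterable, Optional

ITERATIONS = 100_000   # assumption: tune upward for production hardware
SALT_BYTES = 16        # per-secret random salt so equal secrets hash differently


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so 'Smith ', 'smith' and 'SMITH' all match.

    This avoids locking users out over capitalisation, but note that it also
    shrinks the answer space further, which is exactly the attacker's advantage.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a storable record: hex salt, hex digest and the iteration count."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_secret(secret: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, int(record["iterations"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def create_account(password: str, question: str, answer: str) -> Dict[str, object]:
    """What the database row should look like: no plaintext password or answer."""
    return {
        "password": hash_secret(password),
        "question": question,                          # the question itself is not secret
        "answer": hash_secret(normalize_answer(answer)),
    }


def check_password(account: Dict[str, object], password: str) -> bool:
    return verify_secret(password, account["password"])


def check_answer(account: Dict[str, object], answer: str) -> bool:
    return verify_secret(normalize_answer(answer), account["answer"])


# Constructed list of answers an attacker would try first against a leaked row.
COMMON_ANSWERS = ["smith", "johnson", "williams", "brown", "jones", "new york",
                  "london", "chicago", "fluffy", "max", "buddy", "bella"]


def guess_answer(account: Dict[str, object],
                 candidates: Iterable[str] = COMMON_ANSWERS) -> Optional[str]:
    """Offline dictionary attack on the hashed answer.

    The salt defeats precomputed tables and the iteration count slows each
    guess, but neither helps when the whole plausible answer space is a few
    thousand strings. Returns the recovered answer, or None.
    """
    for candidate in candidates:
        if check_answer(account, candidate):
            return candidate
    return None


if __name__ == "__main__":
    acct = create_account("correct horse battery staple", "Mother's maiden name?", "Smith")
    print(acct)                                   # salts and digests only, no plaintext
    print(check_password(acct, "correct horse battery staple"))   # True
    print(check_answer(acct, "  SMITH "))                          # True after normalization
    print(guess_answer(acct))                                      # 'smith': hashing did not save it
    strong = create_account("pw", "Passphrase you made up?", "xk7-quartz-lantern-41")
    print(guess_answer(strong))                                    # None: answer space too large
```

The practical lesson the example adds to the comment: hash the answers (it is still far better than Sony's plaintext), but treat secret questions as a low-entropy factor and pair them with something stronger, such as an emailed one-time code, before letting them reset a password.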
