After Hours

Sony's scapegoat for the PSN compromise fights back

Sony has cast some blame for its PlayStation Network security problems in the direction of Anonymous, but Anonymous has denied any involvement.

Back on 22 April, Anonymous was quick to comment on the PlayStation Network compromise in a statement titled, "For Once We Didn't Do It":

While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and takes no responsibility for it. A more likely explanation is that Sony is taking advantage of Anonymous' previous ill-will towards the company to distract users from the fact the outage is actually an internal problem with the company's servers.

An amusing sign-off summed up the Anonymous reaction:

TL;DR

Sony Is Incompetent

Following the US House of Representatives Subcommittee on Commerce, Manufacturing and Trade's 4 May hearing, "The Threat of Data Theft to American Consumers", Sony rushed to respond -- after it failed to send a representative as requested by the committee. Sony used Anonymous to scapegoat some of its recent Playstation Network security compromise problems in PlayStation.Blog's "Sony's Response to the U.S. House of Representatives":

We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named "Anonymous" with the words "We are Legion."

As pointed out by people associated with Anonymous "leadership", there is no way to independently verify the source of such a file if it exists. Is Anonymous the all-purposes bogeyman of corporate IT security now -- or is it just Sony's bogeyman when it wants to deflect attention from its own failings? Anonymous has some choice words on the subject in response to Sony's implication that the PSN compromise was an Anonymous operation.

Anonymous does have a recent history of harassing Sony, at least in part as a response to Sony's litigative attacks on PlayStation hacker George Hotz, whose goal was to provide a means for users to install Linux on their PlayStations. Sony took exception to Hotz' activities, and Anonymous took exception to Sony's strong-arm tactics, which ended in a gag order for Hotz. Anonymous' retaliations against Sony had apparently been confined to denial of service attacks against the corporation's websites and similar nuisance actions. Taking action that essentially targets customers is not consistent with common Anonymous tactics.

Since Sony's accusations, Anonymous has offered further denials of involvement, including a letterhead press release under the auspices of "Anonymous Enterprises LLC (Bermuda)". At some length, it spells out the rationale for Anonymous activities targeting Sony, and reasoning that suggests the PSN compromise is antithetical to Anonymous aims. A summary of the core message closes the letter:

If a legitimate and honest investigation into the credit card theft is conducted, Anonymous will not be found liable. While we are a distributed and decentralized group, our leadership does not condone credit card theft. We are concerned with erosion of privacy and fair use, the spread of corporate feudalism, the abuse of power and the justifications of executives and leaders who believe themselves immune personally and financially for the actions they undertake in the name of corporations and public office.

Anonymous will continue its work in support of transparency and individual liberty; our adversaries will continue their work in support of secrecy and control. The FBI will continue to investigate us for crimes of civil disobedience while continuing to ignore the crimes planned by major corporations which use their services.

It has been suggested that even if Anonymous did not launch the PSN compromise itself, Anonymous activities may have unwittingly provided some cover for the attackers who compromised the PlayStation Network. Whether you regard this as meaning that Anonymous is partly to blame for the PSN breach or not -- or whether you believe it at all -- likely depends on your level of sympathy for Anonymous' stated goals and methods.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

24 comments
HAL 9000
HAL 9000

Apparently their Security is so good that they had to shut down every part of the site that requires a Log In in an attempt to protect their users Personal Details. Seems to me that it was just a Train Wreck looking for a place to happen and completely reinforces my belief that most of the So Called Secure Sites are only secure as long as no one looks at them too closely. :^0 Col

Dr_Zinj
Dr_Zinj

Sony does have a valid gripe against Anonymous as the DDOS attack did distract from noticing other intrusions that did the data steal. But that's the only grounds they have to complain. Sony's security at the time of the attack was not robust enough to deter the hack, nor as robust as economically practical. (Neither is the security of most cloud companies, but that's a different discussion.) Dedicated Denial of Service attacks, when properly used, are a vaild method of civil disobedience. Proper use of DDOS requires the attackers to be publicly identifiable, prosecutable, and to not cause harm to bystanders. In the case of Sony, attacking the companies business servers is kosher. Maybe criminal, but really it's a civil infraction. Attacking the companies production servers (PS, On-line entertainment, etc.) deprives their customers of the product they paid for, but have no control over i.e. innocent bystanders. That's stealing from the customer base, and decidedly NOT kosher, and definately criminal. Anonymous, by definition, isn't engaged in valid civil disobedience. If you don't have the courage of your convictions to face up to the consequences of your protest, then your message is weak, and your cause is not justifiable. It takes guts to light up a joint on the Capital steps, or lie down in a Senator's office, or sit at a white's only bar, and then be arrested, jailed, and go to court. Intestinal fortitude that no member of Anonymous has.

OH Smeg
OH Smeg

After all if they can point their Finger at a organization impossible to confront in Court and blame them for their problems it's the perfect opportunity to deflect any criticism of Sony itself. But no matter even if Anonymous was directly involved isn't it' still Sony's Obligation to Secure their Systems to prevent things like this from happening? While Anonymous may have the means to perform an attack like this surely Sony has the means to Secure their own systems and if they don't what are the implications for all On Line Transactions? Col

seanferd
seanferd

Sony may be "grasping at straws". Also, Sony's security "may suck". Despite, you know, killing the Other OS option on PS3.

bboyd
bboyd

AnonOps doesn't fit the bill for either how it was done or why. Sounds like if Sony isn't lying that they got red herring files dropped during the attack.

Editor's Picks