Sony Corp. has written to the U.S. Congress offering details of what it claims to know about a recent historic data breach. It claims to have found evidence implicating the hacker group Anonymous in the attack.  (Source: U.S. Congress)

Anonymous is loosely organized with no official leaders. Members in April organized distributed denial of service (DDoS) attacks against Sony websites, which they would later brag about in postings.  (Source: Flickr/Skepchick)

The FBI is investigating the breach and is expected to announce criminal charges against those involved once it finds out more.  (Source: FBI)
Company says it does not know whether its 12 million on-file credit cards were stolen

Today Sony Corp. (6758) dropped a bombshell.  In a letter to the U.S. Congress, Kazuo Hirai, Chairman of Sony's American Board of Directors, admits that his company now believes all 77 million accounts related to the PlayStation Network were accessed.

He says that it was unclear what pieces of information were taken from the database entries for each user.  Most notably, he says that Sony, at present, has no way of knowing whether hackers offloaded the 12.3 million customer credit cards the company had on file, including 5.6 million cards belonging to U.S. customers.

I. Sony Blames Anonymous

The letter also drops a bombshell claim.  Sony's investigators claim to have found a file named Anonymous on the company's servers that states:

We are Legion

That phrase is commonly used by the group Anonymous.  Its appearance indicates that either:
a) Anonymous was involved with the breach, or
b) someone is trying to frame members of Anonymous.

Anonymous is a loosely organized group of hackers affiliated with the site 4Chan.  The group has no real leaders or ethical guidelines.  Its members contact each other over IRC chats and organize hacking operations that particular groups of individuals feel passionate about.

Recently some members of Anonymous attacked Sony's online properties with distributed denial of service attacks, in response to Sony's decision to ban Linux homebrews on the PlayStation 3 and to sue famed hardware hacker George "GeoHot" Hotz for posting keys to jailbreak the console.

Mr. Hotz has since settled with Sony and vocally distanced himself from the recent attacks saying he did not support them and had no involvement, though he chastised Sony for its poor security.  Mr. Hotz is a past victim of identity theft, so it's an understandably sensitive subject for him.

At the time of the DDoS attacks (April 2011), members of Anonymous vocally bragged about those actions online.  The group wrote:

Dear Greedy Motherf*ckers (sic) SONY,

Congratulations! You are now receiving the attention of Anonymous. Your recent legal actions against fellow internet citizens, GeoHot and Graf_Chokolo have been deemed an unforgivable offense against free speech and internet freedom, primary sources of free lulz (and you know how we feel about lulz.)

You have abused the judicial system in an attempt to censor information about how your products work. You have victimized your own customers merely for possessing and sharing information, and continue to target those who seek this information. In doing so you have violated the privacy of thousands of innocent people who only sought the free distribution of information. Your suppression of this information is motivated by corporate greed and the desire for complete control over the actions of individuals who purchase and use your products, at least when those actions threaten to undermine the corrupt stranglehold you seek to maintain over copywrong, oops, "copyright".

Your corrupt business practices are indicative of a corporate philosophy that would deny consumers the right to use products they have paid for, and rightfully own, in the manner of their choosing. Perhaps you should alert your customers to the fact that they are apparently only renting your products? In light of this assault on both rights and free expression, Anonymous, the notoriously handsome rulers of the internet, would like to inform you that you have only been "renting" your web domains. Having trodden upon Anonymous' rights, you must now be trodden on.

If you disagree with the disciplinary actions against your private parts domains, then we trust you can also understand our motivations for these actions. You own your domains. You paid for them with your own money. Now Anonymous is attacking your private property because we disagree with your actions. And that seems, dare we say it, "wrong." Sound familiar?

Let Anonymous teach you a few important lessons that your mother forgot:
1. Don't do it to someone else if you don't want it to be done to you.
2. Information is free.
3. We own this. Forever.

As for the "judges" and complicit legal entities who have enabled these cowards: You are no better than SONY itself in our eyes and remain guilty of undermining the well-being of the populace and subverting your judicial mandate.

We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.
Expect us.

DDoS attacks fall under the gray area of U.S. computer laws as they represent sending the equivalent of thousands of legitimate webpage requests over a short timespan.  Some DDoS attackers resort to more blatantly illegal tactics -- such as infecting computers and using them as an attacking botnet.  It is unclear whether Anonymous used such tactics in their attacks on Sony.

Also unclear is whether Sony's claim of its file discovery implicating Anonymous in this new, separate attack is authentic, or whether the company (or some other party with a vendetta against Anonymous) is looking to seek revenge on the group for past attacks by framing its members as the perpetrators of the massive recent intrusion.

II. Intrusion is Historic

That question is very pressing, as the Sony breach is perhaps the largest online loss of customer information in history.  The Sony letter fails to address the recent loss of 24 million other records from Sony Online Entertainment (SOE).  Between those two losses, as many as 101 million customers may have been exposed (though likely a substantial number of SOE subscribers were also PSN subscribers).

The historic nature of the intrusion will likely lead to some serious criminal charges if the government can successfully identify who is to blame.

The freedom of U.S. members of Anonymous who participated in the initial attacks against Sony may very well hang on whether the company's claims are substantiated.

For customers, the prospect of lost credit cards is bad.  The prospect of lost passwords, email addresses, and real names is even worse, as it means that, without additional precautions, an individual could gain access to their private accounts.

Outraged, customers in Canada have filed a class action lawsuit against Sony.  Similar suits are expected in the U.S. and the European Union.

The government is also contemplating criminal and/or civil penalties against Sony.  The company knew about the breach for two days before notifying the government -- something some politicians say was negligent.  The question of whether that negligence was criminal will surely be debated.


Copyright 2018 DailyTech LLC.