Sony Responds to Congress, Hires Security Firm, and More

Sony is having a busy news day today. First, a story has been circulating that the company has hired yet another security firm to help it with its investigation of the PlayStation Network security breach. According to, Sony has retained Data Forte, a company led by a former U.S. Naval Criminal Investigative Service officer. Security firms Guidance Software and Protiviti consultants are also involved in the investigation.

Another report from Edge claims that a group of hackers has restored Linux support to the PS3 via re-enabling "OtherOS" support. Homebrew developers released custom firmware today called "OtherOS++," describing it as "one small step for devs, one giant kick in the nuts for Sony." This custom firmware apparently allows a greater level of control over the system, with full access to the system’s inner workings. The only catch is that OtherOS++ can only be installed on consoles that are running an older version of the firmware.

Meanwhile the House Subcommittee on Commerce, Manufacturing and Trade held a hearing today on the threat of data theft to American consumers. The hearing was inspired by Sony’s current security nightmare. The committee called several expert witnesses on two panels. The first panel consisted of David Vladeck, Director, Bureau of Consumer Protection, Federal Trade Commission; and Pablo Martinez, Deputy Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service. The second panel featured Justin Brookman, Director, Consumer Privacy Project, Center for Democracy and Technology; and Dr. Gene Spafford, Executive Director, Purdue University. A representative for Chairperson Mary Bono Mack (R-CA) said Sony declined to testify today citing "an ongoing investigation" with outside security firms and law enforcement. C-Span has full coverage of the hearing here.

Finally, Sony’s Patrick Seybold issued a statement on the PlayStation Blog following the House Subcommittee on Commerce, Manufacturing and Trade hearing. The full statement can be found below:

"Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.”

Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you (click here).

In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:

Act with care and caution.
Provide relevant information to the public when it has been verified.
Take responsibility for our obligations to our customers.
Work with law enforcement authorities.

We also informed the subcommittee of the following:

Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack. We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.” By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.

As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack. Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.

We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.

We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the “Welcome Back” program that includes free downloads, 30 days of free membership in the PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.

We are working around the clock to have some PlayStation Network services restored and we’ll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve."



  1. 0
    Erik says:

    Or like your car insurance being invalidated if you don’t lock your car door.  Oops.

    -Ultimately what will do in mankind is a person’s fear of their own freedom-

  2. 0
    JoshuaOrrizonte says:

    Holy inappropriate and offensive comparison, Batman! This is nothing like a woman being gang raped at all, first of all, and second of all, those arguments get used in court all the damn time- if the woman who is raped even gets the cops to arrest her rapist!

    I know that you support Sony 100%, but could you try not to make hurtful and offensive comparisons like that one?

  3. 0
    Craig R. says:

    And only you are claiming that nobody is calling for the hackers to be punished.

    Maybe you should work on that self-filter before accusing others of being idiots?

  4. 0
    Neeneko says:

    Well, details have not come out so it is hard to say if it was the firmware hack that did it (though if it was the firmware hack, then that opens up the possibility that the ‘stolen personal information’ is a bit of a mistruth)…

    It was also reported that Sony was running outdated versions of Apache on their servers, so it might have been a run of the mill attack on servers.   There is also speculation that since the intrusion was detected a few days after they fired 200+ employees from their on-line division that it was an inside job revenge hack.

    Oh, as for your similar scenario.  Yeah.. try talking to some rape victims.. those arguments are still used in courts (even in child molestation cases).  Not defending their use, but pointing out that they ARE used in courts all the time.

    I would also not call it a similar scenario.  Depending on the actual details, some versions describe Sony as having a poorly designed system with weak security.   It is true that hackers will be able to break most systems via technology or social engineering.. but companies that fail to adequately secure a system deserve ridicule for it.  You don’t take on a responsibility like that and then not follow through with what is needed. If a bank failed to lock its vault, while people would be annoyed at the robbers the bank would still shoulder blame.

  5. 0
    jedidethfreak says:

    I don’t think they’re "in favor" of the hackers, but I do find it troubling that all anyone is concentrating on is Sony’s security, which was hacked through illegal custom firmware in the first place.  It’s not like the security measures put in place were shaky to begin with – they were beaten by people who were breaking the law merely by possessing the tech to beat it.  Then they used it, breaking the law again.

    A similar scenario.

    A beautiful woman goes home.  Three men run in and gang rape her.  Everyone’s response?  "WHY DIDN’T SHE LOCK THE DOOR!!!"

    There isn’t a court in the whole country that would allow that sentence to escape anyone’s mouth.  There isn’t a newspaper or journalist who’d allow that to be printed or spoken on-air.  There sure as hell wouldn’t be any US Senators demanding to know why she didn’t do enough to prevent her own rape.  However, we’re doing exactly that with Sony.

    With the first link, the chain is forged.

  6. 0
    Adamas Draconis says:

    Ahhh yes, I assume you mean the much touted (pre-release) feature of XP to let you access your desktop from any windows computer in the world. Then scrambling for a patch because, SURPRISE SURPRISE, people were using that same feature to crack everything in sight from day 1.



    Hunting the shadows of the troubled dreams.

  7. 0
    Lou says:

    No wonder people call you an idiot.

    Nobody is claiming that people who bash Sony are in favor of the hackers so get your facts straight before you make a fool out of yourself. But that’s just a little too complicated for you is it?

  8. 0
    Thad says:

    Indeed.  It’s utterly asinine for people to suggest that criticizing Sony automatically means you support the people who actually breached the network.  But of course by this point I’ve come to expect that level of discourse from the GP comments section.

    In real life, it is of course entirely possible for both the infiltrators to be guilty of a crime and Sony to be guilty of negligence.  But that’s just a little too complicated for some of the posters here I fear.  Hell, one of them even called me an idiot for saying so.

  9. 0
    Neeneko says:

    And this is my beef…

    I see people calling for the heads of the hackers all over the place.  I also see people like you who seem to think that if people are annoyed at Sony that they somehow are not annoyed at the hackers too.

    This is not a zero sum situation.  Railing against Sony for their behavior is not an endorsement of the hacker’s attack.

    It also remains to be seen exactly what was stolen or the nature of the attack.  I have seen in multiple hacking trials over the years prosecutors trying to twist ‘this person got into a system and didn’t really do anything’ into ‘since they accessed the system they read and stole everything on it!’

  10. 0
    Erik says:

    Yeah, this isn’t good will.  This isn’t even "it’s cheaper to keep a loyal customer than attract a new one".  That is what companies which haven’t screwed up this major do.  This is "It is cheaper to try and throw some free crap at our customers and pray to god that they don’t sue our balls off".

    This is very much the bouquet of roses given to a woman after being caught in bed with her sister.

    -Ultimately what will do in mankind is a person’s fear of their own freedom-

  11. 0
    hellfire7885 says:

    Honestly, any PR right now is bad PR as long as the network is down. Offering this package means nothing if people can’t use it.

  12. 0
    Craig R. says:

    "yet nobody is demanding the heads of the criminals"

    You mean that wasn’t a given?

    The problem with these types of situations is that, it seems more often than not, the criminal is caught in the end, but the companies who were broken into learn nothing.

    It’s as if an exec says, "Well, it happened to Company X, but it will never happen to us!" And then they just sit back and pray that they’re not the next ones in the news.

    So, with all the data losses and ‘break-ins’ in recent years, it’s time we start holding companies just as responsible for their complete failures to increase their own security.


    On top of that, it would be rather easy for Sony or the hackers themselves to try and put the focus on Anonymous as being responsible with such a ‘clue’. After all, Anonymous were making idiots of themselves publicly proclaiming that they would bring Sony down, so they make an easy scapegoat.

  13. 0
    DorthLous says:

    It’s not Good Will. It’s PR. They are trying to avoid a public image destruction. Mind you, it doesn’t mean they should have one or that they are not doing the right steps to avoid it, but still, let’s call a duck a duck.

  14. 0
    Dinasis says:

    Right. It’s good will on the company’s part. The Welcome Back program with Sony, Microsoft offering Undertow after Xbox Live went down from the traffic overload at the end of 2007, game and software developers releasing post-release patches to fix a title.

    Even from the Steam Subscriber Agreement: "You understand that neither this Agreement nor the terms associated with a particular Subscription entitles you to future updates, new versions or other enhancements of the Software associated with a particular Subscription although Valve may choose to provide such updates, etc. in its sole discretion."

    It’s all good will that they’re not obligated to offer. They do it because it’s easier and cheaper to keep a loyal customer than to attract new ones. Nowadays, it’s expected. Nowadays, it’s perceived as an entitlement.

  15. 0
    Dinasis says:

    At the same time, a letter from Kaz Hirai doesn’t prove anything one way or the other and, until they find who made this file, it doesn’t mean the group Anonymous, as opposed to an individual withholding a handle/alias, is responsible either.

    Yes, the real crime was perpetrated by an individual (as Sony has stated before), but that doesn’t mean Sony isn’t still culpable. The FBI, FTC, two dozen US Attorney Generals, the Canadian government, the EU, all of them have a legitimate legal reason to be taking a hard look at Sony, they’re just guilty of a different fault. The issue for Sony is whether their security philosophy is a fault or a crime.

  16. 0
    Lou says:

    This is my main beef with all this.

    Everyone is crying and whining about personal information being compromised and yet nobody is demanding the heads of the criminals. I want the bastards involved in this attack captured, convicted and with a nice fat jail sentence next to bubba so he can recreate scenes from Deliverance on the posterior of this arrogant jerk off. If people are so pissed at the privacy being invaded might as well close Facebook and every other social network cause no matter how much information you are concealing from them they STILL know who you are, what you like, where you REALLY live and everything else in between. And they’ll sell this information to the highest bidder in a freaking blink of an eye.

  17. 0
    Dinasis says:

    I was talking about the Welcome Back program, but sure.

    Also, I said "legal issues and personal financial issues aside" for a reason.

  18. 0
    jedidethfreak says:

    While you are correct, that Sony really was in dire need to shore up their security, that doesn’t change the fact that they were targeted, and were the victim of the crime.  However, people are so concerned with setting Sony ablaze that they forget the real criminals are the people who did this to Sony and – by extension – all PSN users.

    With the first link, the chain is forged.

  19. 0
    Zerodash says:

    Yes, Sony customers are ENTITLED to have their private data and credit card numbers protected.

    Sony customers sure as hell are ENTITLED to be informed the moment there is even the possibility that their private info and credit card numbers have been compromised.  

    What exactly is so unreasonable about expecting these things?

  20. 0
    hellfire7885 says:

    It’s also not helping that these thieves caused even more damage to even the idea of hacking.

    The thieves who do it for nothing other than personal gain, be it to play games without ever paying or to steal other people’s money doesn’t help at all.

  21. 0
    Grif says:

    And, again, the humor is lost. Sometimes I don’t even know why I try.

    For the love of pie, people need to grow a sense of humor and stop taking everything at face value.

    If I really thought it was Anonymous, I would have said so a long time ago.


    "Power means nothing without honor and pride." My video game review site.

    Atlanta Video Games Examiner for

  22. 0
    Alex says:

    Especially given the nature of Anonymous. And that’s assuming the message isn’t a red herring to begin with. It’s just as likely that the hacker knew of Anonymous’s recent hostility towards Sony and planted that message to shift attention towards them.

    I’m not under the affluence of incohol as some thinkle peep I am. I’m not half as thunk as you might drink. I fool so feelish I don’t know who is me, and the drunker I stand here, the longer I get.

  23. 0
    Lou says:

    The BBB is like a security blanket. It’s there when you need it but it doesn’t mean it’s any good. The company is utterly useless. They have no enforcement powers and a case is marked as solved when the company replies to them regardless of the actions even if they don’t do squat since they replied to the entity is marked as a closed case and a positive mark for the company. Type Better Business Bureau on the Rip-off report website and you’ll see over 400 complaints. Not to mention several articles portraying the utter incompetence. And it’s a shame though being a member used to mean something.

    Need proof?


  24. 0
    LegallyBlindGamer says:

    While I understand both sides of the issue, I think both sides are at fault here. The hackers should not have attacked PSN, and Sony should have been more proactive with security. The fact that they were not proactive proves that they do not care about their customers, at least to me. I know I am not going to buy another Sony product any time soon. Microsoft and Nintendo have been accredited by the Better Business Bureau since the late 80s, and Sony has received an F rating from the BBB for poor customer service. Here are the links if you don’t believe me.

  25. 0
    DorthLous says:

    "…and they definitively possess Weapons of Mass Destruction…"

    or, since it seems to be more to your liking

    "…I will close Guantanamo Bay…"

    or let’s go with a classic

    "…I did not have sex with this woman…"

    or, well, anything Nixon said past a certain point, really…

    In other words, there’s a huge step between saying something and proving something, ESPECIALLY when it conveniently aligns with the spokesman’s main goals. Again, not that whoever did it didn’t think himself part of Anonymous, but there is a lot to prove just to prove that, and even then, it doesn’t mean the act of the few reflects on the many.

  26. 0
    Grif says:

    Looks like it was Anonymous after all. All who didn’t see this coming, raise your hand.




    "Power means nothing without honor and pride." My video game review site.

    Atlanta Video Games Examiner for

  27. 0
    Dinasis says:

    And Sony’s customers are actually entitled to anything in the wake of this?

    Legal issues and personal financial issues aside, I think this is GREAT. Why? Because it serves as a huge wake-up call. Everyone loves Windows XP, or at least compared to Windows Vista and 7. I listened to a bit of perspective in a recent netcast about when XP first came out and remembered that I purposely chose Windows ME on a new computer in the pre-XP SP1 days because I’d heard Windows XP was so insecure. Microsoft even halted development of Windows for a while to rethink how they did security in the wake of XP.

    Sony clearly had work to do on the security front. The positive thing that absolutely must come out of this is for Sony and other companies in all ranges of industry to rethink their digital security systems and do what they have to to better prevent similar disasters in the future.



  28. 0
    hellfire7885 says:

    They misspelled malevolent, but I see that was your point.

     It won’t surprise me if some are trying to find these hackers and turn in some of the most selfish people on the planet.

    Sure, hacking CAN unlock features of a system someone might want to use, but incidents like this destroy any good reputation in short order.

    And looking at a few things, I heard Anonymous was behind the DDoS attacks that crippled the network, so, even if they didn’t steal the data themselves, they enabled it.

  29. 0
    Zerodash says:

    It may be far too early to determine if Anonymous really is behind this- I am amazed at how all of a sudden this PSN outage is somehow the result of benevolence on the part of hackers (judging by the comments on stories like this on the internets).  

    These people aren’t saving lives or bringing freedom to oppressed people-  being angry because a company is trying to stop your ability to steal software is not justification for stealing personal information and credit cards.  This sense of entitlement is staggering.
