找回密码
 注册
搜索
查看: 1936|回复: 1

[业界] 美国国会对PSN被黑听证会初步结论:处理无诚意,技术不过关,玩忽职守,要承担责任

[复制链接]
发表于 2011-5-6 11:17 | 显示全部楼层 |阅读模式
原帖地址(国会听证会谴责索尼):

http://www.vg247.com/2011/05/04/ ... he-psn-breach-live/

另一贴地址(国会听证会怀疑索尼在关键位置没装防火墙):

http://www.industrygamers.com/ne ... firewall-installed/

以上两条新闻现在满世界都是了,自己google一下就好了。

Sony’s efforts on PSN breach called “half-hearted, half-baked,” at US Congressional hearing
Today, the US House Subcommittee on Commerce, Manufacturing and Trade held a hearing regarding the PSN breach, which was broadcasted live via C-SPAN., like most meet-ups between government officials. During the hearing, Representative and Chairman of the committee, Mary Bono-Mack, called Sony’s response to the matter “half-hearted,” and “half-baked.”




“In Sony’s case, company officials first revealed information about the data breach on their blog,” said Bono-Mack during the hearing (via Industry Gamers). “That’s right. A blog. I hate to pile on, but—in essence—Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.

“For me, the single most important question is simply this: Why weren’t Sony’s customers notified sooner of the cyberattack? I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony – as well as all other companies—have an overriding responsibility to alert them… immediately.”

The hearing was set to discuss the risk to consumers over the PSN data breaches, how the current investigation was going, what the current industry data security practices are comprised of along with how they can be changed, and what, if anything, can be used technologically to stop beaches like this in the future.

Not only was Sony being discussed, but also recent data breaches from Epsilon and ChoicePoint were pondered during the hearing as well.

Sony was not involved with the hearing, as it stated yesterday it was currently still involved in the investigation, but planned to comply with the deadline set by the hearing committee in answering all questions posed to it. This response, was posted earlier by Sony via its official PS Blog, and in it the firm blamed hacker group Anonymous for the recent security breach.

According to Sony, it found a file called Anonymous in its system files with the phrase “We Are Legion” attached to it.

“[Sony and Epsilon] must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits ‘enter’,” said Bono-Mack. “As Chairman of this Subcommittee, I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable.


“According to Epsilon, the company did not have time to prepare for our hearing—even though its data breach occurred more than a month ago. Sony, meanwhile, says it’s too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them.”

The need to protect consumers via federal notification laws was also discussed, and if drafted and passed, it would make it a federal law for companies to notify consumers immediately should such a security breach occur again. Currently, laws such as this vary from state to state, with some not having a law on the matter present on the books at all.

Witnesses participating the hearing included: David Vladeck, director of the Federal Trade Commission’s Bureau of Consumer Protection along with Pablo Martinez, deputy special agent in charge of criminal investigations at the United States Secret Service.

Consumer advocate Justin Broookman and Technology and information security expert Eugene Spafford of Purdue University also participated.

PlayStation Network breach details are continuing to come out thanks to the congressional hearing today, in which Rep. Mary Bono Mack and others on the subcommittee ripped into both Sony and data firm Epsilon for their poor handling of the situation. One of the most startling revelations to come from the hearing is that several key parts of Sony's network didn't even have firewall protection.

Dr. Gene Spafford, a professor of computer science at Perdue University since 1987 and an expert in information security (he's the editor of the oldest journal in the field of information security), was part of a panel that provided testimony on just how terribly weak Sony's system was. Spafford pointed out that numerous weaknesses in Sony's system actually became evident via security mailing lists a considerable time (read: months) before the breach occurred.

Worse yet, Spafford noted that key parts of PSN actually ran on Apache servers that "were unpatched and had no firewall installed." He said that this was known because of comments in a forum frequently visited by Sony employees.

Bottom line: if the severe network weaknesses were known months in advance and Sony made no attempts to enhance the security of their systems, even as major threats were being made publicly by Anonymous, then Sony looks highly culpable for negligence in this fiasco.
 楼主| 发表于 2011-5-6 11:18 | 显示全部楼层
因为索尼说自己最近太忙,不能参加听证会,但是美国国会要求他们必须在5月3号前回答他们的问题,所以索尼就回答了国会的问题,但没有出场。

然后以代表宇宙正义为己任的美国爸爸就索尼的做出的文字回答,自己开跟自己玩弄听证会,也不管索尼在不在场,听证会照开,而且自顾自的就开始做初步结论了:

结论一:索尼无诚意.

原因是被黑了后,第一时间是在博客上发布被破信息,居然不是第一时间通知到每个用户,还得让用户自己知道自己信息被盗,后来虽然通知太晚了,连这点责任都不想承担,太无诚意。

因此国会目前正在讨论制定第一条法律,今后如果被黑必须立刻主动通知用户。


大家要知道,国会不能直接惩罚索尼,但是可以立法,虽然法律不能直接针对索尼但是执行起来可以紧盯着你来做,对索尼的影响更大方面是在之后国会批斗完索尼造成的舆论影响,随之可能而来诉讼潮和对品牌口碑的影响,国会倒是不可能对索尼直接做什么,因为法律不允许。

结论二:索尼技术不给力,需要对自己的玩忽职守负责。

因为听证会上索尼不来,所以国会的专家就索尼原来回答他们的问题,自行给索尼下定义了,目前经“砖家”分析说索尼系统关键位置上根本没装防火墙,服务器也不打补丁,而判断的"依据"为“砖家”上某论坛,看到号称索尼员工说咱们的PSN服务器不打补丁关键位置没防火墙,因此美国爸爸经过“砖家”严谨科学,一丝不苟的研究得出初步结论,索尼防护技术不给力,玩忽职守,需要承担责任。我不是在黑国会砖家,他的结论就是这么的出来的,不信看我英文红字的部分,老实说我看过索尼内部泄露出来的关于PSN被黑的原理资料,也在这里发过,在那泄露资料来看,系统是有防火墙的,但不知道“砖家”这个关键位置没防火墙是啥意思。

结论三:索尼不当面来解释,不可接受,说早晚你要给我们直接答案。

索尼给的国会解释这次作案很可能是匿名团体黑客做的,因为索尼经过周密调查,最后终于在PSN系统里发现有文件写着“我们是匿名团体”的字样的决定性证据!ORZ!(匿名黑客团体做事向来高调,要黑哪里向来承认,且往往先发通知,这次匿名团体一开始就承认攻击了索尼服务器但是没黑PSN)。

这里要说明下,虽然这个解释显得很那啥很让人ORZ,但这真的是索尼给国会的解释,自己去看英文红字部分好了。

国会上做了句发言“你说你索尼忙,你就让我们美国消费者就在这里因为你的破解在这干瞪眼?我们必须要从索尼那里得到直接的答案。"
您需要登录后才可以回帖 登录 | 注册

本版积分规则

Archiver|手机版|虎纹猫家园

GMT+8, 2024-11-28 07:27 , Processed in 0.021402 second(s), 14 queries .

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表