Linked by Thom Holwerda on Thu 5th May 2011 21:07 UTC, submitted by sawboss
Games There's fail, there's epic fail, and then there's Sony. You may've thought it wasn't possible, but Sony has just outdone itself on the fail scale, forcing us to add yet another notch. During the congressional testimony this morning, Dr Gene Spafford of Purdue University revealed just how badly Sony managed its Playstation Network servers. It's... Bad.
Thread beginning with comment 471939
Wait a minute.
by Gullible Jones on Thu 5th May 2011 22:53 UTC

Just something to keep in mind: a lot of Linux distros ship "outdated" software with backported patches, so software being "obsolete" doesn't necessarily mean it lacks the latest security fixes.

Also, "firewall" could mean an actual firewall, or could mean a NIPS.

I do assume Spafford knows what he's talking about, but the details are not there; and while this is very much in line with the kind of poor security I've personally seen in corporate environments, I think I'll withhold judgment until I see something more... complete.

Reply Score: 2

RE: Wait a minute.
by orestes on Thu 5th May 2011 23:06 in reply to "Wait a minute."

The word "unpatched" was specifically used.

Reply Parent Score: 5

RE: Wait a minute. uh.. patches..
by jabbotts on Fri 6th May 2011 13:55 in reply to "Wait a minute."

One example of older version numbers is Iceweasel (firefox 3.6.?) in Debian. However, one example of up to date patches is Debian patching Iceweasel (firefox) or the relevant affected library.

When we're talking security, it's not the latest bleeding edge version release but the latest patch level which is important. Actually, having the latest bleeding edge version usually puts you at greater risk. There is a very good reason why Debian Stable freezes its list of package versions and just applies security and stability related patches.

And here's the kicker.. hard to keep up to date?

aptitude update && aptitude full-upgrade

tadaa.. now you're up to the latest patch version.. "not a big deal" (tm)

.. and lacking packet filtering rules.. really? If it's a linux kernel, it has packet filtering (a firewall) by default in the kernel.. just friggin use it.. iptables is your friend. And as always, every network attached device should be running filtering rules in addition to any mid level or perimeter filtering (firewalls) implemented.

In security terms, Sony wasn't even up to the stage of colouring with crayons. They got caught eating the crayon label paper and sticking broken bits of wax up their nose.

Reply Parent Score: 2
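The "latest patch level, not latest upstream version" point above is what a patch audit has to encode: an added example (not from this thread) that compares Debian package versions the way dpkg does and reports which installed packages sit below the version an advisory was fixed in. Both version tables are constructed samples, not real advisory data.

```python
import re

# Added example (not from the thread): compare Debian package versions the way
# dpkg does, so an audit asks "is the installed version at or above the version
# the advisory was fixed in?" rather than "is the upstream version number old?".
# Both tables below are constructed samples, not real advisory data.
INSTALLED = {"iceweasel": "3.5.16-20", "apache2": "2.2.16-6+squeeze12",
             "openssl": "0.9.8o-4squeeze14"}   # e.g. from dpkg-query -W
FIXED_IN = {"iceweasel": "3.5.16-20", "apache2": "2.2.16-6+squeeze13",
            "openssl": "0.9.8o-4squeeze14"}    # hypothetical "fixed in" versions

def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def _order(c):
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare alternating non-digit / digit runs as dpkg does; returns -1, 0 or 1."""
    while a or b:
        xa, xb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(xa), len(xb))):     # '' past the end weighs 0
            ox, oy = _order(xa[i:i + 1]), _order(xb[i:i + 1])
            if ox != oy:
                return -1 if ox < oy else 1
        a, b = a[len(xa):], b[len(xb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        na, nb = int(da or "0"), int(db or "0")    # numeric runs compare as ints
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1, like 'dpkg --compare-versions'."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def unpatched_packages(installed, fixed_in):
    """Names of installed packages still below the version that fixed the advisory."""
    return sorted(n for n, v in installed.items()
                  if n in fixed_in and compare_versions(v, fixed_in[n]) < 0)
```

Note that a newer upstream number is not a pass: `compare_versions("3.6.17", "3.5.16-20")` is greater, yet only the fixed-in comparison says whether the advisory is covered.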

by WereCatf

.. and lacking packet filtering rules.. really? If it's a linux kernel, it has packet filtering (a firewall) by default in the kernel.. just friggin use it.. iptables is your friend.

Having ipfiltering on the same machine that is running Apache is pointless. If the attacker successfully breaks in there, there is nothing stopping him from removing all the ipfilters, too. That's why you should always have a separate firewall that can only be managed from inside the internal network between Internet-side servers and the internal network.

Reply Parent Score: 2

by orestes

Haven't done much work with corporate machines I take it. Sane admins don't go off installing updates without understanding what they'll do to the running systems. Admins who wish to remain employed also don't run around rebooting mission critical systems whenever updates pop up.

That doesn't excuse piss poor security practices, but there's a hell of a lot more to the process than aptitude update && aptitude full-upgrade

Reply Parent Score: 2