Sony responded to the questions from the U.S. House of Representatives' Subcommittee on Commerce, Manufacturing and Trade with an open letter yesterday. But Dr. Gene Spafford, professor at the department of Computer Science at Purdue University, noted something interesting when speaking at the hearing.
Apparently, the Apache Web server software that Sony used was an outdated version and it also didn't have a firewall installed. Oooops.
Even better, that issue seems to have been "reported in an open forum monitored by Sony employees" about 2-3 months before the Anonymous attacks and subsequent other hacks happened. I think it's safe to say that if Anonymous knew about this, its attacks would've been more successful.
Actually, page 7 of this PDF that was inaccessible at the time of writing (maybe it hated foreigners) only said:
"Presumably, both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data; I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk."
Awesome. Thanks to the commenters for pointing out my failing though! It was deserved and I love you all. Community member KwikPwn also found the YouTube video of the hearing (the official webcast still gives a 404 error) that shows Dr. Spafford's comments on the outdated Apache software and the lack of a firewall. Take a look for yourself!
Sony Was Using Outdated Software Prior to PSN Breach [GamePro]
Anybody who comes in here and comments with a defense of Sony is officially a fucking asshole loser with a misguided sense of loyalty to a multinational corporation that makes black boxes filled with computer components. You need to get a life and get over it.
This can't be good for Sony. A billion dollar company that fails to protect customer data to the greatest possible standards is negligence of the highest degree. It might not have stopped them from getting hacked but at least they could have said they had tried.
Now I know how "open" they really are. Fucking morons.
No one?
Companies don't care about us. I get that. Microsoft and Nintendo don't care about consumers either. But every company should know that if you are this careless, lots of people will not buy your products.
I'm still going to get Uncharted 3, because it will probably be my GOTY. But other than that I'm done with Playstation.
The truth will come out!
Yeah, no way I'm getting a PS4.
I would hope that if people tried to hack the Nintendo wifi all the numbers they would get are friend codes that used credit cards.
But for all we know, no one never thought of hacking their wii and destroying Nintendo's 70millionz? Community from the inside out.
I want to know more, and I want it to be real information instead of this "I read it somewhere, maybe" thing.
My heart goes out to all of you who unknowingly fed your information to this monstrosity of a network setup.
My sympathies sony for the shitkicking you are going to continue receiving. You deserve it.
Sony knew about their lame security and did nothing, spent all this money on protecting its property through litigation, and gave everyone the runaround about everything.
tl;dr Fuck you if you defend Sony.
Their online suuuuuuure is more open. Hah, j/k, except seriously.
way to tell 'em.
"up yours sony! i mean... i'm still buying your stuff for a little while... but then! UP YOURS SONY"
So arguably my home computer has tighter security than their corporate systems... I find that somehow less than reassuring.
As far as I know, he cited no sources, and had zero first-hand information. It's likely he was talking about the same forum posts everyone else has mentioned, which is amazing that he would bring up in a real situation. If we're using forum posts as proof, then I can prove the existence of El Chupacabra really fast.
If it's true, then it certainly deserves attention, and there definitely needs to be an inquiry, but people taking what Spafford said as anything close to being fact are either jumping the gun or being willfully misled.
http://republicans.energycommerce.house.gov/Media/file/Hearings/CTCP/050411/Spafford.pdf
@EDS
You mad bro?
I'm not defending Sony, I just got a new credit card and moved on with my life, maybe it's because I sit upstairs in a Credit Union all day and know shit gets stolen all the time, who knows. If Sony was aware of old firmware and did nothing, then that is shitty of them, doesn't mean I won't turn my PS3 on and play online.
They need to make a Kevin Butler commercial or something around this.
Fucking epic fail.
At least we know now that Sony really doesn't give a shit about users' security. I guess it's pretty easy now to sue Sony. Having no firewall is pretty much the real life analogy of having no door.
Damnit Sony, I tried to defend you, I really did, but you fucked up. HARD. Inexcusable if true.
The GamePro article does not mesh with the transcripts at all, and comes close to being an outright lie.
DIDJA SEE WHUT I DID DERE
This guy may be an expert in the field, but if he has never seen the system in question his opinion's worth nothing.
Can everyone wait for actual facts to surface before you pull an eternaldeathslayer and say something that stupid?
There's a CSI team going over this, wait for them to come with the official report theeeeeen state an opinion.
Also, did you mean Kotaku, or am I missing a gaming blog? :)