
Sony servers ran an outdated version of Apache

Today, at a congressional hearing on the PSN hack, independent security expert Dr. Jan Spafford of Purdue University testified. He said that Sony's servers were running an unpatched version of the Apache web server with known vulnerabilities and “no firewall”.



Sony was aware of this two or three months before the incident, which led to the leak of personal data belonging to more than 100 million users. According to Spafford, the issue was "discussed in an open forum moderated by Sony employees."



So the clouds are gathering over Sony. If Spafford’s information is confirmed, the company faces serious lawsuits alleging criminal negligence, and that is already a criminal matter. Of course, one can argue about whether Sony's actions constitute a crime, but if you knowingly leave a server with millions of credit cards unprotected, what is that if not criminal negligence?



For example, according to Russian law, “a crime is considered committed by negligence if the person who committed it foresaw the possibility of dangerous consequences arising from his action or inaction, but thoughtlessly counted on their being prevented (criminal arrogance).” American criminal law has roughly the same interpretation.

Of course, Sony's rank-and-file administrators and technical staff may find it galling that an Apache update could lead to a criminal case, but here that is quite possible.



On the other hand, can a “discussion on the forum” be accepted as evidence in court and cited as an argument at a congressional hearing? Who will verify the accuracy of this information: will they make notarized copies of the forum web pages, or hear witnesses who saw the message on the forum? I find that hard to believe.



Dr. Spafford did not explain which version of Apache was running on the PSN servers or what he meant by the lack of a firewall. Apparently, he meant a module like ModSecurity. It is strange that Sony had nothing of the kind.

Source: https://habr.com/ru/post/118803/


