Perimeter
5/20/2011
02:59 PM
Rob Enderle
Rob Enderle
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Sony A Poster Child For Self-Destructive Security

Sony has repeatedly made poor decisions in security and control -- costing the company billions of dollars and giving critical markets it once controlled to Apple, Microsoft, and Nintendo

It is hard to not feel sorry for Sony.

Here is a company that owned the personal technology market in the '90s before Steve Jobs took over Apple, and then gave that market to Apple on a platter because of some misguided security solutions. Over the years in its attempts to secure control of its platforms, Sony has reduced its profits and gone into a long, slow decline. Finally, and recently, its current security breaches seem to be the result of Sony's trying to once again overly secure its consumer products and, in this case, undersecure its environment.

I’ve been watching Sony for a number of decades, and have seen it make incredibly foolish security decisions that, while they often accomplished the goal, also did horrid things to profits and revenue.

In the game console market in the '90s, for instance, there was an aftermarket product that allowed kids to play PlayStation games on their PCs, and Sony moved aggressively to kill it. Now recognizing that game consoles are sold at a loss, in the case of the latest platform, that loss was initially estimated at more than $500 per console. The companies make this up by getting royalties on the games. So you would think that every customer who bought something that consumed these very profitable games and eliminated the very unprofitable game console sale would be welcomed with opened arms. Not so with Sony.

Sony could have bought or emulated this technology and put it into its own PCs, giving those products an advantage in market. That would have made the game division more profitable and also would have benefited the VAIO division. But the two historically don’t like each other enough to coordinate a solution that would benefit both. In short, in order to secure the control of the game player, Sony gave up revenues and profits.

A few years after Sony had acquired a massive stake in music and movie properties, the company had the opportunity to create an ecosystem where Sony buyers could get easier access to this content. But Sony was so worried about theft that it wrapped the content and the Sony players with massive Digital Rights Management solutions, and even put rootkits onto music CDs, which opened PCs up to attack and had a number of prominent technology advocates calling for a general Sony boycott.

Apple, which had no content, took the market easily from Sony by providing a vastly better user experience and showcasing that Sony was its own worst enemy.

Now fast-forward to Blu-Ray, where the market was getting ready to move to the vastly less expensive and easier-to-use HD-DVD format. Sony bought the market for hundreds of millions of dollars in order to control the spec, put the hardware into its PlayStation 3, which caused it to be priced out of the market, stalled the move to HD on disks -- and now the market is moving to steaming and bypassing HD disks. The cost of this in terms of hard cash and lost revenue (Sony gave up game console market leadership to Nintendo and Microsoft) has to be in the billions.

And because Sony wanted to keep a single programmer from restoring a little-used Linux option that was discontinued in the PlayStation 3, Sony pissed off a large number of hackers who then attacked Sony. But that wasn’t the whole story: Evidently, Sony had been running unpatched and unsecured Apache servers for months, and this was widely known. Given how rabid Sony was about controlling its own stuff, one of the only conclusions you could draw is that the reason it didn’t properly secure its customer’s data is because it wasn’t Sony's data. Makes you feel warm and fuzzy about Sony, doesn’t it?

In other words, it never stepped back from the decision and looked at the total cost benefit analysis.

Sony hasn't shifted its PlayStation billing system and repository to a secure hosting company likely because it thinks it's maintaining control and containing costs, when instead it's on a path to go out of the gaming business. These are all penny-wise, pound-foolish decisions, and we should learn from them so we can both warn others and avoid them ourselves.

Just remember Sony, the company that pretty much has security'ed itself to death.

--Rob Enderle is president and founder of The Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio