Perimeter
5/20/2011
02:59 PM
Rob Enderle
Rob Enderle
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Sony A Poster Child For Self-Destructive Security

Sony has repeatedly made poor decisions in security and control -- costing the company billions of dollars and giving critical markets it once controlled to Apple, Microsoft, and Nintendo

It is hard to not feel sorry for Sony.

Here is a company that owned the personal technology market in the '90s before Steve Jobs took over Apple, and then gave that market to Apple on a platter because of some misguided security solutions. Over the years in its attempts to secure control of its platforms, Sony has reduced its profits and gone into a long, slow decline. Finally, and recently, its current security breaches seem to be the result of Sony's trying to once again overly secure its consumer products and, in this case, undersecure its environment.

I’ve been watching Sony for a number of decades, and have seen it make incredibly foolish security decisions that, while they often accomplished the goal, also did horrid things to profits and revenue.

In the game console market in the '90s, for instance, there was an aftermarket product that allowed kids to play PlayStation games on their PCs, and Sony moved aggressively to kill it. Now recognizing that game consoles are sold at a loss, in the case of the latest platform, that loss was initially estimated at more than $500 per console. The companies make this up by getting royalties on the games. So you would think that every customer who bought something that consumed these very profitable games and eliminated the very unprofitable game console sale would be welcomed with opened arms. Not so with Sony.

Sony could have bought or emulated this technology and put it into its own PCs, giving those products an advantage in market. That would have made the game division more profitable and also would have benefited the VAIO division. But the two historically don’t like each other enough to coordinate a solution that would benefit both. In short, in order to secure the control of the game player, Sony gave up revenues and profits.

A few years after Sony had acquired a massive stake in music and movie properties, the company had the opportunity to create an ecosystem where Sony buyers could get easier access to this content. But Sony was so worried about theft that it wrapped the content and the Sony players with massive Digital Rights Management solutions, and even put rootkits onto music CDs, which opened PCs up to attack and had a number of prominent technology advocates calling for a general Sony boycott.

Apple, which had no content, took the market easily from Sony by providing a vastly better user experience and showcasing that Sony was its own worst enemy.

Now fast-forward to Blu-Ray, where the market was getting ready to move to the vastly less expensive and easier-to-use HD-DVD format. Sony bought the market for hundreds of millions of dollars in order to control the spec, put the hardware into its PlayStation 3, which caused it to be priced out of the market, stalled the move to HD on disks -- and now the market is moving to steaming and bypassing HD disks. The cost of this in terms of hard cash and lost revenue (Sony gave up game console market leadership to Nintendo and Microsoft) has to be in the billions.

And because Sony wanted to keep a single programmer from restoring a little-used Linux option that was discontinued in the PlayStation 3, Sony pissed off a large number of hackers who then attacked Sony. But that wasn’t the whole story: Evidently, Sony had been running unpatched and unsecured Apache servers for months, and this was widely known. Given how rabid Sony was about controlling its own stuff, one of the only conclusions you could draw is that the reason it didn’t properly secure its customer’s data is because it wasn’t Sony's data. Makes you feel warm and fuzzy about Sony, doesn’t it?

In other words, it never stepped back from the decision and looked at the total cost benefit analysis.

Sony hasn't shifted its PlayStation billing system and repository to a secure hosting company likely because it thinks it's maintaining control and containing costs, when instead it's on a path to go out of the gaming business. These are all penny-wise, pound-foolish decisions, and we should learn from them so we can both warn others and avoid them ourselves.

Just remember Sony, the company that pretty much has security'ed itself to death.

--Rob Enderle is president and founder of The Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio