Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/20/2011
02:59 PM
Rob Enderle
Rob Enderle
Commentary
50%
50%

Sony A Poster Child For Self-Destructive Security

Sony has repeatedly made poor decisions in security and control -- costing the company billions of dollars and giving critical markets it once controlled to Apple, Microsoft, and Nintendo

It is hard to not feel sorry for Sony.

Here is a company that owned the personal technology market in the '90s before Steve Jobs took over Apple, and then gave that market to Apple on a platter because of some misguided security solutions. Over the years in its attempts to secure control of its platforms, Sony has reduced its profits and gone into a long, slow decline. Finally, and recently, its current security breaches seem to be the result of Sony's trying to once again overly secure its consumer products and, in this case, undersecure its environment.

I’ve been watching Sony for a number of decades, and have seen it make incredibly foolish security decisions that, while they often accomplished the goal, also did horrid things to profits and revenue.

In the game console market in the '90s, for instance, there was an aftermarket product that allowed kids to play PlayStation games on their PCs, and Sony moved aggressively to kill it. Now recognizing that game consoles are sold at a loss, in the case of the latest platform, that loss was initially estimated at more than $500 per console. The companies make this up by getting royalties on the games. So you would think that every customer who bought something that consumed these very profitable games and eliminated the very unprofitable game console sale would be welcomed with opened arms. Not so with Sony.

Sony could have bought or emulated this technology and put it into its own PCs, giving those products an advantage in market. That would have made the game division more profitable and also would have benefited the VAIO division. But the two historically don’t like each other enough to coordinate a solution that would benefit both. In short, in order to secure the control of the game player, Sony gave up revenues and profits.

A few years after Sony had acquired a massive stake in music and movie properties, the company had the opportunity to create an ecosystem where Sony buyers could get easier access to this content. But Sony was so worried about theft that it wrapped the content and the Sony players with massive Digital Rights Management solutions, and even put rootkits onto music CDs, which opened PCs up to attack and had a number of prominent technology advocates calling for a general Sony boycott.

Apple, which had no content, took the market easily from Sony by providing a vastly better user experience and showcasing that Sony was its own worst enemy.

Now fast-forward to Blu-Ray, where the market was getting ready to move to the vastly less expensive and easier-to-use HD-DVD format. Sony bought the market for hundreds of millions of dollars in order to control the spec, put the hardware into its PlayStation 3, which caused it to be priced out of the market, stalled the move to HD on disks -- and now the market is moving to steaming and bypassing HD disks. The cost of this in terms of hard cash and lost revenue (Sony gave up game console market leadership to Nintendo and Microsoft) has to be in the billions.

And because Sony wanted to keep a single programmer from restoring a little-used Linux option that was discontinued in the PlayStation 3, Sony pissed off a large number of hackers who then attacked Sony. But that wasn’t the whole story: Evidently, Sony had been running unpatched and unsecured Apache servers for months, and this was widely known. Given how rabid Sony was about controlling its own stuff, one of the only conclusions you could draw is that the reason it didn’t properly secure its customer’s data is because it wasn’t Sony's data. Makes you feel warm and fuzzy about Sony, doesn’t it?

In other words, it never stepped back from the decision and looked at the total cost benefit analysis.

Sony hasn't shifted its PlayStation billing system and repository to a secure hosting company likely because it thinks it's maintaining control and containing costs, when instead it's on a path to go out of the gaming business. These are all penny-wise, pound-foolish decisions, and we should learn from them so we can both warn others and avoid them ourselves.

Just remember Sony, the company that pretty much has security'ed itself to death.

--Rob Enderle is president and founder of The Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10694
PUBLISHED: 2019-12-12
The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1....
CVE-2019-10695
PUBLISHED: 2019-12-12
When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user�s username and password were exposed in the job�s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the ...
CVE-2019-5085
PUBLISHED: 2019-12-12
An exploitable code execution vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption. An attacker can send a packet to trigger this vulnerability.
CVE-2019-5090
PUBLISHED: 2019-12-12
An exploitable information disclosure vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an out-of-bounds read, resulting in information disclosure. An attacker can send a packet to trigger this vulner...
CVE-2019-5091
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the Dicom-packet parsing functionality of LEADTOOLS libltdic.so version 20.0.2019.3.15. A specially crafted packet can cause an infinite loop, resulting in a denial of service. An attacker can send a packet to trigger this vulnerability.