Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/20/2011
02:59 PM
Rob Enderle
Rob Enderle
Commentary
50%
50%

Sony A Poster Child For Self-Destructive Security

Sony has repeatedly made poor decisions in security and control -- costing the company billions of dollars and giving critical markets it once controlled to Apple, Microsoft, and Nintendo

It is hard to not feel sorry for Sony.

Here is a company that owned the personal technology market in the '90s before Steve Jobs took over Apple, and then gave that market to Apple on a platter because of some misguided security solutions. Over the years in its attempts to secure control of its platforms, Sony has reduced its profits and gone into a long, slow decline. Finally, and recently, its current security breaches seem to be the result of Sony's trying to once again overly secure its consumer products and, in this case, undersecure its environment.

I’ve been watching Sony for a number of decades, and have seen it make incredibly foolish security decisions that, while they often accomplished the goal, also did horrid things to profits and revenue.

In the game console market in the '90s, for instance, there was an aftermarket product that allowed kids to play PlayStation games on their PCs, and Sony moved aggressively to kill it. Now recognizing that game consoles are sold at a loss, in the case of the latest platform, that loss was initially estimated at more than $500 per console. The companies make this up by getting royalties on the games. So you would think that every customer who bought something that consumed these very profitable games and eliminated the very unprofitable game console sale would be welcomed with opened arms. Not so with Sony.

Sony could have bought or emulated this technology and put it into its own PCs, giving those products an advantage in market. That would have made the game division more profitable and also would have benefited the VAIO division. But the two historically don’t like each other enough to coordinate a solution that would benefit both. In short, in order to secure the control of the game player, Sony gave up revenues and profits.

A few years after Sony had acquired a massive stake in music and movie properties, the company had the opportunity to create an ecosystem where Sony buyers could get easier access to this content. But Sony was so worried about theft that it wrapped the content and the Sony players with massive Digital Rights Management solutions, and even put rootkits onto music CDs, which opened PCs up to attack and had a number of prominent technology advocates calling for a general Sony boycott.

Apple, which had no content, took the market easily from Sony by providing a vastly better user experience and showcasing that Sony was its own worst enemy.

Now fast-forward to Blu-Ray, where the market was getting ready to move to the vastly less expensive and easier-to-use HD-DVD format. Sony bought the market for hundreds of millions of dollars in order to control the spec, put the hardware into its PlayStation 3, which caused it to be priced out of the market, stalled the move to HD on disks -- and now the market is moving to steaming and bypassing HD disks. The cost of this in terms of hard cash and lost revenue (Sony gave up game console market leadership to Nintendo and Microsoft) has to be in the billions.

And because Sony wanted to keep a single programmer from restoring a little-used Linux option that was discontinued in the PlayStation 3, Sony pissed off a large number of hackers who then attacked Sony. But that wasn’t the whole story: Evidently, Sony had been running unpatched and unsecured Apache servers for months, and this was widely known. Given how rabid Sony was about controlling its own stuff, one of the only conclusions you could draw is that the reason it didn’t properly secure its customer’s data is because it wasn’t Sony's data. Makes you feel warm and fuzzy about Sony, doesn’t it?

In other words, it never stepped back from the decision and looked at the total cost benefit analysis.

Sony hasn't shifted its PlayStation billing system and repository to a secure hosting company likely because it thinks it's maintaining control and containing costs, when instead it's on a path to go out of the gaming business. These are all penny-wise, pound-foolish decisions, and we should learn from them so we can both warn others and avoid them ourselves.

Just remember Sony, the company that pretty much has security'ed itself to death.

--Rob Enderle is president and founder of The Enderle Group. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Inside North Korea's Rapid Evolution to Cyber Superpower
Kelly Sheridan, Staff Editor, Dark Reading,  12/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29565
PUBLISHED: 2020-12-04
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the...
CVE-2020-5675
PUBLISHED: 2020-12-04
Out-of-bounds read issue in GT21 model of GOT2000 series (GT2107-WTBD all versions, GT2107-WTSD all versions, GT2104-RTBD all versions, GT2104-PMBD all versions, and GT2103-PMBD all versions), GS21 model of GOT series (GS2110-WTBD all versions and GS2107-WTBD all versions), and Tension Controller LE...
CVE-2020-29562
PUBLISHED: 2020-12-04
The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2020-28916
PUBLISHED: 2020-12-04
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29561
PUBLISHED: 2020-12-04
An issue was discovered in SonicBOOM riscv-boom 3.0.0. For LR, it does not avoid acquiring a reservation in the case where a load translates successfully but still generates an exception.