Friday, 29 April 2011

Sony PSN Hack: Leave GeoHot out of it

So I wandered by Geohot's latest place of residence today. I thought his posting was very well written and very nicely defined his stance. His work on opening up homebrew software on the PS3 was not aimed at enabling piracy, and he does not support or condone the PSN hack in any way. Despite this, he is flooded by comments blaming him either directly or indirectly for the hack. The level of ignorance in this matter is astounding. After two decades on the internet, you'd think I would not be surprised at this point, but I still am. I suppose I just can't shake this pesky hope in humanity.

I want to lay this out in terms that, hopefully, even the dumbest internet denizen can understand:

  1. George Hotz, Fail0verflow and any other homebrewers did not support this attack. Their work was aimed to restore functionality that was stripped away from devices that they had bought specifically for that functionality. I wonder how many people would have bought a 360 instead of a PS3 if Sony hadn't advertised the OtherOS functionality. It was certainly one of the reasons I bought my first PS3. George Hotz and these others did not perpetrate this attack.
  2. There is no evidence that this attack even had anything to do with the homebrew console debate. Consider the following.
  • If this was about revenge or embarrassing Sony, the attack would need to be public as quickly as possible to try and prevent Sony from sweeping it under the rug.
  • Nobody has come forward to take responsibility for the breach. Instead the information leaked out from Sony inevitably as they shut down their own service to get a handle on the incident.
  • The breach targeted customer data including PII (Personally Identifiable Information) and potentially credit card data. These are high-value targets monetarily.
  • The above-mentioned lack of disclosure/credit taking is more indicative of someone looking to steal this data and sell it for profit.
  • Some will try to argue that the attacker could have expected Sony to disclose the breach, but that has two huge gaping holes. First, if Sony's security was poor enough to let the breach happen in the first place, why should there be any expectation that they had proper safeguards in place to alert them to the breach? They obviously believed they had no reason to ever expect an attack like this. Secondly, why assume Sony would even admit to the breach? Plenty of companies suffer these kinds of breaches and do not report them. It happens a lot more than you might think.

The point is that there is no evidence to support the idea that this has anything to do with the homebrew console debate. In fact, the little bit of evidence we have so far points to a common data theft. To all of you people who are jumping on Anonymous or any other media buzz right now, do some reading. These sorts of breaches happen all the time. This breach was essentially inevitable as long as Sony failed to correct the security flaws in their system. If you want somebody to blame, you have two parties to go after: Sony, and the people who actually stole your data. Plenty of blame to go around; you can leave GeoHot out of it.

Friday, 4 February 2011

Ligatt Security Breach - Gone too far

The latest development in the Gregory D Evans/Ligatt Security internet drama has gotten me thinking. For anyone who might not be familiar with what this is all about, I suggest you check out a few resources on the subject:
http://attrition.org/errata/charlatan/gregory_evans/
http://www.theregister.co.uk/2010/06/22/worlds_no_1_hacker/
http://packetstormsecurity.org/news/view/18569/Gregory-D.-Evans-Tried-To-Subpoena-Security-Researchers-Passwords.html
and a must read at: https://365.rsaconference.com/blogs/securityreading/2010/06/10/how-to-become-the-worlds-no-1-hacker

In case you buy any of Gregory Evans' claims that he had permission to use those works, Chris Gates, also known as carnal0wnage, has publicly said that he never gave Evans permission and never received money from Evans. The saga is long and drawn out, and I won't rehash it here.

The latest development is that Evans and Ligatt Security were breached this week. Someone compromised his computer, and with it his email and Twitter accounts. It seems two of his websites may also have been brought down as part of this attack. The simple fact of the matter is that this action was unacceptable. Apparently among the released information was the personal information of a lot of innocent people, including social security numbers, bank accounts, and routing numbers. Now let me clarify this even more. Even if it was only Gregory Evans' personal information, this would be unacceptable. Mr. Evans has a lot to answer for, but even he does not deserve to have his important personal information exposed in such a manner. This can be seen as nothing more than a violation of people's right to privacy, no matter how much you might not like them. Those of us who are security professionals have made it our job to stop or prevent such violations from happening. The thought that such an attack may have come from within the InfoSec community is a worrisome one.

I will admit that in a moment of human weakness I allowed myself to be glad of this news. That is a terrible thing, and upon reflection I find it a little embarrassing. The Internet has a power to take any disagreement or argument and magnify it out of control until all pretense of civility is slowly eroded away and we are left with a monstrosity that no longer serves any purpose but to sustain itself. I see examples of this in the recent Penny Arcade 'scandal' as well as the Ligatt drama. If we are past the point of behaving like mature, rational beings, it is time for us to absent ourselves from the discussion. Toward that end I would like to point out the posts I have seen by two people, Matt Jezorek and Sam Bowne. Their articles are well thought out and examples of clear, rational thinking, despite Sam Bowne's own involvement in this saga. These are the people we should want speaking for us, and those of us who can add nothing better than what they already have (myself included) should probably just sit down and shut up now.

That is all.