Security expert claims Sony ignored reports of server vulnerability

Friday, 6th May 2011 03:29 GMT By Brenna Hillier

Cyber-security expert Dr. Gene Spafford has told the U.S. House of Representatives’ Subcommittee on Commerce, Manufacturing and Trade that Sony allegedly ignored reports of gaping vulnerabilities on its servers.

Spafford, a professor of Computer Science at Indiana’s Purdue University, was asked to elaborate on his testimony that Sony had not taken adequate security measures against hacking.

“On a few of the security mailing lists that I read, there were discussions that individuals who work in security and participate in the Sony network … had discovered that the network servers were hosted on … very old versions of Apache software that were unpatched and had no firewall installed,” he replied.

“These were potentially vulnerable, and that they had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software.”

Asked when this took place, Spafford answered “two to three months prior to the incident where the break-ins occurred”.

In written testimony, Spafford added that he has “no information about what protections [Sony] had in place”, but cited news reports suggesting these protections were inadequate.

Thanks, Destructoid.

  1. theevilaires

    Did the warning come in the form of….SONY we are legion we will make you pay by attacking your servers?

    Where’s the evidence of the logs? I wanna see proof this was explained in front of SONY employees. If it’s true, those incompetent fucks need to be fired asap.

    #1 4 years ago
  2. frostquake

    I agree, I want more Proof on this…this could be huge if true? But, show me the Money???

    #2 4 years ago

    If it’s true that they were using old versions of Apache with no firewall, then that’s bad enough.

    #3 4 years ago
  4. frostquake

    I know of Universities that are using Old versions of Apache software like this with no Firewalls, and have all their Students’ information, how they paid, and banking info… it’s crazy that they do this. There are people in positions like this that don’t deserve to have their positions; it borders on being incompetent.

    I would be VERY VERY surprised if Sony was like this, though!

    #4 4 years ago
  5. NightCrawler1970


    U mean this “time to retire fella?”, according to your quote “If it’s true those incompetent fucks need to be fired asap.”

    My answer is jaaaaa, he needs retirement or to get fired..

    #5 4 years ago
  6. Cygnar

    How Spafford could know of “gaping vulnerabilities” in the PSN while at the same time having “no information about what protections [Sony] had in place” is beyond me.

    #6 4 years ago
  7. theevilaires

    ^ Exactly, maybe this guy has connections with Anonymous and that’s where he’s getting his sources from.

    #7 4 years ago
  8. mojo

    What exactly is the point here?
    Everyone has known this since February;
    it was all in the chat log.

    #8 4 years ago
  9. Cygnar

    Sony was not attacked in February. It was attacked in April. Even assuming the chat log from February is true, messages from February do not tell us what security measures Sony used in April.

    Congress wants to know what security measures Sony used in April, not what it used in February. So, here is the point: while there were chat logs available for a couple of months before the attack, they do not tell Congress what it wants to know. While Dr. Spafford is an expert on security, he testified that he had no information regarding Sony’s security system at the time of the attack. His lack of knowledge means that he cannot assume that Sony changed nothing of importance between February and April, but this is his precise assumption. Therefore, in my opinion, Spafford does not have the information he needs to tell us whether Sony’s security was good enough at the time of the attack, because he doesn’t know what Sony actually had in place. If the best he could do was cite news articles, maybe Congress should have talked to the columnists instead of Spafford.

    #9 4 years ago
  10. mojo

    Yeah, no one knows if the chat log was legit..
    But seeing this chat log, appearing in February, states the exact same security issues as what this “expert” now claims, I guess it has some truth in it.
    And by all means, Sony should definitely know if the vulnerabilities in the log are true for their servers. So they had plenty of time to do something, which they didn’t.
    It’s Sony’s own fault. In every aspect Sony fucked up big time.
    The only right decision was to immediately shut down all services after they noticed the breach and only give out confirmed information. But on a technical side… oh boy..

    “Sony was not attacked in February.”
    I didn’t say that.

    #10 4 years ago
  11. strikkebil

    cancelling ps4…

    #11 4 years ago
  12. OlderGamer

    Regardless of what happens in terms of a Sony outcome, this should be a huge wake up call to anyone running an online service. Be it MS, Nintendo, Blizzard, Netflix, Gamefly, whomever. If you haven’t already secured your stuff, you need to get to it asap.

    Hacking like this can easily ruin most companies.

    I know Capt obvious, but still.

    #12 4 years ago
  13. Gekidami

    Update on this:

    Turns out Sony weren’t using an out of date version of Apache. I guess ‘Security experts’ should get off their hands and do some work, rather than believe any rubbish posted on the internet if they’re going to start sending letters to Congress.

    #13 4 years ago
  14. Robo_1

    Yes I read that. In the interest of balance, and the prevention of further FUD regarding the matter, I’d like to see this news given a story in itself.

    #14 4 years ago

Comments are now closed on this article.