
George Hotz. Photo: Jeff Christensen/AP Photo

By Michael Riley and Ashlee Vance

There is an Internet phenomenon known as the Streisand Effect. It happens when a person or company tries to suppress a piece of information and, in doing so, unintentionally popularizes it. It carries the name of Barbra Streisand because of her failed 2003 lawsuit seeking to remove pictures of her Malibu house from the Web, which, of course, made people flock to the site that hosted the photos.

In the future, a backlash in the realm of cybersecurity could be referred to as the Sony Effect. The Japanese conglomerate is still dealing with the consequences of an April hacking incident that targeted its PlayStation and Sony Online Entertainment networks, which approximately 100 million people used to play video games, watch movies and listen to music online. The attack resulted in the second-biggest breach in American history, exposing records including credit-card numbers and forcing Sony (SNE) to pull the plug on the networks for an indefinite period of time. (Sony hopes to have them back online by the end of May.) A full accounting of the disaster, both in dollar terms and in damage to the PlayStation brand, will take months if not years.

Sony may have inadvertently brought the crisis on itself. While other technology companies have worked out an uneasy truce with hackers, Sony has fought them with lawsuits and prosecution. At the same time, security experts say, Sony essentially left the keys in the car, failing to adequately protect or even monitor crucial parts of its server infrastructure. "They seemed to work in an environment where no one really had assessed the risks," says Eugene H. Spafford, a computer science professor at Purdue University who testified at a congressional hearing on the Sony hack on May 4.

The impetus for the attack may have come at the beginning of this year, after a spat between Sony and a 21-year-old hacker named George "geohot" Hotz. He is legendary in hacker circles for "unlocking" the first-generation iPhone when he was 17, finding a way past Apple's (AAPL) security layers and opening the device for use with any mobile carrier. Last year, Hotz discovered how to "mod" the PlayStation console so that it could run "homebrew" games made by amateurs and other unsanctioned software. Hotz published his technique in an online diary; Sony called for him to take it down. A federal judge ordered the seizure of his computers and of his Twitter and PayPal account records on 28 January. "Trying to sue a member in good standing of the existence not do them any favors," says Dave Aitel, a so-called white-hat hacker who helps businesses identify security issues. Anonymous, the amorphous hacker collective that attacked the websites of MasterCard (MA) and other payments processors in December, vowed revenge.

The Hotz incident was followed in February by a German police raid on the apartment of Alexander Egorenkov, another hacker, who distributed software that allows PlayStation consoles to run homemade games. Other technology companies have found ways to channel hackers' energy without resorting to litigation. Microsoft (MSFT), for example, lets hackers unlock its Kinect gaming device and invites some of them to conferences. Google (GOOG) pays white-hat hackers who help identify bugs. Sony is much more uncompromising, says Robert Vamosi, a senior analyst at security firm Mocana. "Hardware manufacturers such as Sony are just not very good about listening when a security researcher presents them with an error," says Vamosi.

Sony settled its case against Hotz on 31 March, when he agreed to take down the PlayStation hacking information. By that point, someone was already testing Sony's network for weaknesses. Bret McDanel, a veteran security researcher, says a program known as penetration-testing software, which methodically checks a network for vulnerabilities, started scanning Sony's PlayStation Network at 7:09 pm on March 3. McDanel knows this because Sony left one of its server logs, which record all activity performed by a machine, completely unguarded on the open Web. "With these logs in the public domain, a potential attacker gains insight into the system," he says.

McDanel says that the probers used an off-the-shelf program that is easy to obtain and not very stealthy. Anyone checking the server logs would have been able to recognize the telltale signs and prevent the intrusion, and Sony was "negligent" for failing to do so, he says. On 15 April, after six weeks of scanning, the penetration software suddenly stopped, probably because "they found what they had been looking for, a vulnerability in the network," says McDanel. Four days later, Sony noticed the first signs of a break-in. A spokesman for the company says that Sony was the victim of "a very sophisticated attack" and that the company's network "had several security measures in place."

No one has taken credit for the attack, although Sony executives told Congress that they found a file left by the hackers that reads "We are legion," the motto of Anonymous. Whoever the perpetrator may be, Sony now has good reason to become familiar with the mechanics of the Streisand Effect. After all, it owns Streisand's label.

The bottom line: Security experts say that Sony should have recognized the signs of an imminent attack that put 100 million accounts in jeopardy.

Riley is a reporter for Bloomberg News. Vance is a technology writer for Bloomberg BusinessWeek.
