"SONY, I AM DISAPPOINT"
For Immediate Distribution
May 7th, 2011
A 'HiveMind Effort' from
Anonymous Holdings LLC (Bermuda)
Yesterday, an article appeared in Financial Times, alleging Anonymous' involvement in the data and
identity theft of some hundred million users of Sony's Playstation Network and Sony Online
Entertainment. This crime is now being investigated by the Homeland Security Agency (HSA), the
Department of Justice (DOJ), and other legal entities.
Once again Anonymous has been blamed for a security breach, this time by the journalist Joseph
Menn, in his article "Hackers point finger over Sony incursion". Here, Anonymous wishes to lay
out our case against these allegations and false assumptions:
First, let us consider a different article by Menn published on the Financial Times website and
entitled "Hackers Warned of Arrest". This poor piece of journalism has already been extensively
referenced in the Sony matter and is being used by many people who oppose Anonymous as proof of
guilt. The only quoted source used by Menn was the now infamous Aaron Barr, former CEO of the
humiliated HBGary. Barr made the claim that a chat room called #anonymous, founded by the identity
"Q", was irrefutable proof that this "Q" began the movement known as Anonymous. Confident in his
assertion, he attempted to sell this and other pieces of so-called "intelligence" about the nature of
Anonymous to the U.S. FBI.
His information, however, was incorrect. It would be considered common knowledge that
Anonymous began as a "meme", or shared belief, at the turn of the century and later developed to
become a "global collective conscience" in 2006. But it was not until 2008 that Anonymous became a
true display of "power in numbers". Organised protests against the "Church" of Scientology were
staged in over 140 cities around the world, forever associating the Guy Fawkes mask and the right to
protest with the movement.
Second, just like Anonymous, John Doe and Joe Bloggs are placeholders, rather than proper names,
and are available for free use without repercussions. However, because of this, there is no membership
to Anonymous and anyone can claim to be a "member". It could be said that "Anonymous is
anonymous to Anonymous".
Barr and Menn did not pause to protect the integrity of their professions, but instead made clearly
misinformed assumptions, and accordingly published a factually incorrect article. The article was
highly scrutinized as being blatantly biased against Anonymous and its participants, and many readers
pointed out obvious inconsistencies in the technicalities, and the physical time line.
Third, in the primary article, Menn claims that a "member" of Anonymous, Kayla, made comments
as an apparent admission of guilt from the "leaders". Kayla reportedly said, "If you say you are
Anonymous, and do something as Anonymous, then Anonymous did it". This statement is inherently
weak; an equivalent statement would be that "I confess to being human. Humans performed the attack".
Andy Greenberg at Forbes got it right.
Finally, Menn's reference to "technical details" regarding a vulnerability in Sony's network
without revealing actual content isn't useful. Until the forensics reports are released we don't know
which exploit was used. The forensic investigators need to conclude their work, and speculation in
articles, blogs and comments brings the factual results no closer.
Menn's anonymous source claims that "a few ops disappeared", but so has a solid chunk of software
infrastructure, including NickServ and channel bots, lost to attacks during the PSN outages. Menn's other
quotes are a vague mixture of assertions and denials. During the PSN downtime, Anonymous closed
#opsony and put "sony" on the automatic kick list as 'profanity' last week.
Is all of this attention on Anonymous acting as a distraction from other problems, and overhyping the
nature of the DDoS attacks? Sony's recurring issues are beyond providing free game credits:
In order to process credit cards, every company needs to be PCI compliant. "If you are a merchant
that accepts payment cards, you are required to be compliant with the PCI Data Security Standard".
Since Sony's network was "unpatched and had no firewall installed", that is a clear violation of the
PCI standards and ongoing reviews, and thus likely criminal negligence [see Further Reading].
More importantly, "I can't think of a major data breach where the company was PCI compliant," said
Ira Rothken, the lead attorney handling the class action lawsuit.
Sony has been accused of false billing, especially in the repairs department: customers who provided
credit card details for an MMORPG are charged $150 for repairs to PS3s that they don't own; repairs
are double billed and then referred to retailers; equipment is charged $150 multiple times (2-4) for
repairs that aren't performed. [7 and Further Reading]
A decent credit card transaction gateway includes recurring billing as an option. Data mining by
corporations has a profit motive, but as Sony has demonstrated it can be a massive liability. Why not
start a discussion about corporate responsibility to protect user information, especially since they didn't
need it to begin with?
Sony's response to the U.S. Senate is to request more laws and further the myth of "best
practices." Since Sony was warned of security holes months in advance, one of those "best
practices" would be to accept the advice of the experts. In Sony's passing the blame there is no
justification for the collection and retention of personal information they didn't need.
Outraged about the blatant cover-up and shameful misdeeds, other internet hacker groups will
apparently proceed with attacks over Sony's mishandling of the matter. These reactions prove that
requesting legislation to cover up corporate crimes and the abuse of law is frowned upon by all online
communities, not just the Legion of Anonymous. Apparently Sony will have to learn the hard way that
corporate malfeasance will not go unpunished. When the dust settles Sony may have more to fear from
a massive class action lawsuit by their user base than the brief actions of the Global Hacker Nerd
Brigade, Anonymous... Let THE GAMEs begin. :>
Knowledge is free.
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
----== REFERENCES ==----
1 Bradshaw, Tim; Menn, Joseph, "Hackers point finger over Sony incursion," Financial
Times Technology (6 May 2011): accessed 6 May 2011, http://www.ft.com/cms/s/2/d0a21040-7800-
1a Bradshaw, Tim; Menn, Joseph, "Hackers admit Anonymous likely behind Sony attacks," Financial
Times (6 May 2011): duplicate article, name changed 6 May 2011.
2 Menn, Joseph, "Cyberactivists Warned of Arrest," Financial Times Technology (4 February 2011):
accessed 6 May 2011, http://www.ft.com/cms/s/0/87dc140e-3099-11e0-9de3-00144feabdc0.html.
3 Greenberg, Andy, "Anonymous Faces Identity Dilemma Over Sony Hack," Forbes The Firewall (5
May 2011): accessed 6 May 2011, http://blogs.forbes.com/andygreenberg/2011/05/05/anonymous-
4 PCI Standards Council, "PCI SSC Data Security Standards Overview," PCI Standards
Council (2011): accessed 7 May
5 Aamoth, Doug, "Security Expert: Sony's Network Was 'Unpatched and Had No Firewall
Installed'," Techland Gaming (5 May 2011): accessed 6 May
6 Tech Firm Admin, "Rothken law firm announces filing of class-action lawsuit against Sony for
Playstation Network security breach," Tech Firma (27 April 2011): accessed 7 May
7 Complaints.com Google site search, accessed 7 May 2011. <http://search.complaints.com/search?
8 Blumenthal, Richard, "Blumenthal on Sony Response: 'A Strong First Step'," Senator Richard
Blumenthal - United States Senator for Connecticut Press (7 May 2011): accessed 6 May
9 Ogg, Brillig, "Exclusive: Third attack against Sony planned," cnet News (5 May 2011): accessed 7
May 2011, http://news.cnet.com/8301-31021_3-20060227-260.html?tag=mncol;posts.
----== FURTHER READING ==----
The civil standard of negligence is defined according to a failure to follow the standard of conduct of a
reasonable person in the same situation as the defendant. To show criminal negligence, the state must
prove beyond a reasonable doubt the mental state involved in criminal negligence. Proof of that mental
state requires that the failure to perceive a substantial and unjustifiable risk that a result will occur must
be a gross deviation from the standard of a reasonable person.
Sony sample complaint database:
Sony sample single complaints:
----== OUTLINE ==----
1. Menn, Joseph, "Cyberactivists Warned of Arrest"
a. Joseph Menn used HBGary CEO Aaron Barr as a source.
b. Aaron Barr claimed to have identified various "leaders" of Anonymous
c. "Q" had created an IRC channel named #Anonymous which has similar permissions as a forum
user creating a thread. Any user can do this on any IRC network, it is by no means proof of authority.
d. Aaron Barr claimed "Q" was a co-founder based on the creation of the IRC channel.
e. The use of "Anonymous" as a meme was active back in 2003, as a collective in 2005, with the
Scientology protests in early 2008.
f. Barr's claims were refuted based on technical and time line information
g. Joseph Menn published the outlandish claims as fact
2. John Doe, Joe Bloggs and Anonymous are all name placeholders not proper names.
a. Anyone can claim anonymity.
b. Many quotes are attributed to anonymous authors, but the hacktivist collective "Anonymous" didn't
write them. They existed hundreds of years before the internet.
c. The collective Anonymous existed years before Menn published that it was cofounded by "Q".
d. Anyone can be a "member" of Anonymous.
3. Menn publishes another article entitled, "Hackers Admit Anonymous Likely Behind Sony Attack."
a. Kayla tells Menn that "If you say you are Anonymous, and do something as Anonymous, then
Anonymous did it."
b. "I confess to being human. Humans did it." That is an equivalent confession.
c. Menn claims that Kayla's comments are some sort of admission of guilt by the "leaders" of
d. Andy Greenberg at Forbes got it right
4. Menn's quotes
a. forensics investigation
b. Anon Infrastructure outages
c. attempting control over chaos and infamy
5. Sony Crimes - PCI Compliance
a. Credit Card = PCI Compliance as law
b. No firewall
c. Criminal Negligence
d. violate 'standard of reasonable person'
6. Sony Crimes - Overbilling
a. details, link
b. further reading
7. Sony Data Mining
a. credit card gateway
b. profit vs liability
c. corporate responsibility
8. Sony Coverup
a. Requesting laws after violating laws
b. "best practices"
c. passing blame
d. data retention
----== FOR THE PRESS ==----
There is no membership to Anonymous, i.e., anyone can participate. "We are Legion" implies both
"the masses" and that anyone can be a "member". Anonymous laughs at the "search for a leader". Our
press releases are peer written, peer reviewed, and peer edited. Even that process is democratic with
anyone present able to contribute. This isn't restricted even to "members" since anyone present has edit
abilities. (Case in point, during the drafting process for this someone rewrote the entire draft with
IRC channels or 'chat rooms' are created with a topic. Anonymous allows anyone to join, and anyone
can create a chat room. Operations are aimed at a specific target, and an operation has a chat room.
Thus, anyone can create a chat room and an Op. If there are duplicate chat rooms, someone goes
around and suggests they merge. If there are discussions for illegal activities, the users are
kicked/banned. Influencing Anonymous is like herding lolcats. No Operation chat room directed
Anonymous to steal customer data from Sony. Hence, it wasn't "sanctioned" with a chat room and
stealing credit cards has never been collectively condoned. Exposing crimes by corporations and
governments is collectively condoned.
Join us on IRC at irc.anonops.ru - Port 6667