As Sony's PlayStation Network outage settles into its third week, the hacker group Anonymous has once again denied involvement while New York's attorney general has issued subpoenas to Sony. And a computer expert has testified to Congress that Sony knew it was using outdated software.
Anonymous on Thursday again denied responsibility for bringing down Sony's network. On its site, anonops.blogspot.com, the group initially posted on April 24 a statement titled For Once We Didn't Do It. On Thursday, a photo of three men wearing Guy Fawkes masks -- a symbol of revolution -- was posted on the site with the message, "Let's be clear, we are legion, but it wasn't us. You are incompetent, Sony." The phrase "We are legion" is one of the group's slogans.
Sony has said a file was found on its servers titled Anonymous and containing the phrase "We are legion." In a press release posted Wednesday on dailykos.com, a group called Anonymous Enterprises LLC (Bermuda) said this was a frame-up.
"Whoever broke into Sony's servers to steal credit-card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history," the release read in part. But, it added, "no one who is actually associated with our movement would do something that would prompt a massive law-enforcement response."
The Hackers News blog said Thursday that it had evidence another attack was being planned on Sony's networks, although it didn't say by whom.
Whoever broke in, New York Attorney General Eric Schneiderman wants some answers about how the company protects user information. He issued subpoenas Tuesday to Sony Computer Entertainment America, Sony Network Entertainment, and Sony Online Entertainment.
In a hearing on Tuesday before the House Commerce, Manufacturing and Trade subcommittee, Purdue University's Dr. Gene Spafford said Sony knew for months that it was using outdated software on its servers.
He said observers of Internet-based forums learned months before the security breach in April that Sony had old versions of the Apache web server, which, he said, "was unpatched and had no firewall installed."
Subcommittee Chairman Rep. Mary Bono Mack (R-Calif.) called Sony's actions "half-hearted, half baked," especially its decision to initially notify users of the security breach through its company blog rather than more direct communications. Sony has said it wanted to get all the necessary information before contacting consumers directly.
Meanwhile, Shinji Hasejima, Sony's head of information, told a press conference earlier this week that the company knew of security vulnerabilities, but "was not convinced of it."
Although Sony has been releasing information in dribs and drabs, it now appears that confidential data for as many as 100 million users or so may have been exposed, and possibly taken.
In addition to the PlayStation Network, which was shut down on April 20, Sony's Qriocity music service has been down, and, on Sunday, Sony took down the massively multiplayer online games on its Sony Online Entertainment network, because, the company said, it also had been compromised. PSN provides games for downloading, and SOE hosts games like EverQuest.
According to news reports, Sony has determined that at least some of the attacks could be traced to a server in Malaysia, although it's not yet clear if the attackers were based there.