The CEO of Daybreak, formerly Sony Online Entertainment, is not happy. John Smedley’s plane was grounded after a bomb threat last August, an incident the infamous hacker group Lizard Squad took credit for. A Lizard Squad member was recently sentenced, but Smedley wants more.
Lizard Squad was, of course, also responsible for taking down Xbox Live and PlayStation Network last Christmas.
17-year-old Julius “zeekill” Kivimaki is the hacker in question, and he’ll serve a two-year sentence with zero prison time. His online activities will, however, be monitored by authorities.
In a series of tweets, Smedley articulated his dissatisfaction with how sentencing went.
When you see him talking at @what_security, know that’s Kivimaki’s Twitter account. He’s been tweeting recently, and his bio describes him as the “untouchable hacker god.” OK, then.
Take it away, John.
Interesting day for the good guys – http://t.co/J44lKLI0Tm
— John Smedley (@j_smedley) July 8, 2015
that was the piece of garbage that brought my plane down, leaked my information and did all kinds of other crap to me.
— John Smedley (@j_smedley) July 8, 2015
It’s important to note – he was convicted of crimes that had nothing to do YET with the PSN DDOS over Christmas (yes he was part of that)
— John Smedley (@j_smedley) July 8, 2015
and he still has 15 other criminal cases awaiting prosecution in Finland. I may go after his parents in Civil court too. Little dirtbag
— John Smedley (@j_smedley) July 8, 2015
so stay tuned because @what_security – Here’s his Twitter address. He’s a sociopath and will get what’s coming to him.
— John Smedley (@j_smedley) July 8, 2015
what they won’t tell you is he did time in jail already and got his ass kicked hard inside. @what_security – tell us that story Julius.
— John Smedley (@j_smedley) July 8, 2015
The FBI nailed this guy literally immediately. It took the Finnish government a long time to catch up.
— John Smedley (@j_smedley) July 8, 2015
I got to talk to this dirtbag once when he called and pretended to be someone else.
— John Smedley (@j_smedley) July 8, 2015
I also got to listen to the entire conversation between him and American Airlines the day he called in the bomb threat.
— John Smedley (@j_smedley) July 8, 2015
His parents need to be held accountable for his actions in addition to his going to jail. @what_security – So I’m coming for you Julius.
— John Smedley (@j_smedley) July 8, 2015
Tell us how you really feel! (Actually, it’s hard to blame him for being so angry.)
Comments
93 responses to “Daybreak CEO To Convicted Lizard Squad Hacker: ‘I’m Coming For You’”
Yeah get over there bro and lawyer him right in the face
I think he should try a shoryuken instead.
Best legally untouchable threat ever made!
Maybe you should have, you know, had decent security in place…
What makes you think they didn’t?
Pretty much every report I read on the incidents involved.
Any chance you can link to one? I haven’t seen any reports on Sony’s security that were evidence-based rather than speculative.
https://en.wikipedia.org/wiki/2011_PlayStation_Network_outage#Unencrypted_personal_details
http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html
http://mashable.com/2014/12/02/sony-hack-passwords/
http://mashable.com/2014/12/02/sony-pictures-security-leak/
http://www.scmagazine.com/sony-breach-extends-to-deloitte/article/386548/
Clear continuing case of poor data management and security measures.
In the first link, as the article says, the passwords were hashed. One-way hashes are stronger than encryption depending on the hash algorithm employed. Encryption is designed to be decrypted, one-way hashes are not. Salted password hashing is considered to be one of the most secure ways to store passwords. What do you propose they should do differently?
All of your remaining links are about Sony Pictures Entertainment (SPE). SPE is a separate company to Sony Computer Entertainment (SCE). The way Sony is structured at the corporate level, these companies are completely independent of each other. For one, SPE is an American company, SCE is a Japanese company. SCE’s security practices can’t be inferred from SPE’s security practices.
Well then, this will be enlightening for you:
http://attrition.org/security/rant/sony_aka_sownage.html
Sorry, are you really using one quote in a wiki article to dispense with every other pertinent fact?
Interesting how you and nofool downvoted in the exact same out-of-sequence pattern within three minutes of each other. If they’d just gone down the page it probably wouldn’t have drawn attention, but when you hopped from one post up to a higher one and then down to one in between, and then nofool made the same pattern of votes, you seem to have inadvertently shown your hand.
Are disagreements on the internet so important to you that you’d resort to sockpuppet accounts to manipulate the votes? Surely you’re not that petty. I rarely downvote anyone, but this kind of childish nonsense deserves it.
Sorry keiranj, but Zombie Jesus is on point with this one.
Two different Sony hacks are being conflated here. There’s the PSN hack, and then there’s the North Korea gets pissy about “The Interview” hack. This guy was the CEO in charge of the PSN area, thus the only article that actually applies to *his* performance is the first article. He wouldn’t have control over the security for Sony Pictures – which is what the other articles refer to, and occurred after he left anyway. Blaming him for bad security at Sony Picture Entertainment would be like blaming someone at Bungie for Halo 4.
So in reference to customer data storage for the PSN attack:
Credit card information – encrypted. Assuming they’re using standard encryption techniques (which is almost certain to be the case), this information is secure.
Passwords – hashed. Again, assuming they’re using a decent hash function (again, almost certain to be the case), these are secure. Hash functions are one-way. If you’ve got the hash, you can’t recover the password. That’s how hashes work.
User data – Appears to be cleartext. This is potentially bad. That said, what this data is will probably vary. I’m guessing username/name/email account and maybe some other personal details? In all likelihood, it’s probably details that anyone dedicated enough could probably track down anyway. No, that doesn’t make it great, and if you’re really going to try to protect customers, you’d encrypt it. That said, the assumption would be that if an attacker is able to directly query the database that this information is stored in, other defenses have seriously been breached.
What ISN’T covered is the way the attacks breached the network security to get IN to the network in the first place. THAT is where I would consider the real weakness must have been, but obviously Sony aren’t going to publish how they protect their network – because that would be stupid.
In effect, the evidence that you’ve provided doesn’t really amount to much except “Sony could have done more to protect customer personal information.” Yes. It could have. Companies can pretty much *always* do more to protect their data, but they have to decide WHERE to draw the line and the amount of time and money spent on protecting it doesn’t warrant the protection provided.
In other words, I’d suggest learning about computer security before commenting on it.
Unfortunately, you’ve entirely missed my point. I’ll summarise and reiterate for your benefit. To start, I am referring to Sony as a whole, as the individual divisions, while having different management structures and employees, would not be using drastically different network elements or structure or security.
Since Sony’s DRM rootkits, they have seen, consistently, for over a decade, more than their fair share of attacks. These attacks were detailed here: http://attrition.org/security/rant/sony_aka_sownage.html
Through this time, Sony have failed to increase their security to reflect the increased attention from hackers. I base this on the number of successful attacks, across multiple Sony divisions.
So they are aware they are a target, yet they are consistently penetrated. For an extended period of time, across multiple divisions, with extensive highly publicised damage to their brand.
I believe this shows a “clear continuing case of poor data management and security measures.”. They are bringing a knife to a gun fight every single time they get hacked, and penetrated, regularly, consistently, over a decade. You can detail that they are secure to an industry standard, but they have an obligation to go above the industry standard due to the long history of targeted attacks they suffered and continue to suffer. Across different branches of the company.
As far as “where to draw the line”, restoring the PSN after the 2011 attack cost an est $171M. Then there was the compensation to the customers whose details were compromised. No figures on that, I’d maybe put it at the $50M mark. Can’t find any public data on what they spend on security, but I’d feel safe betting it’s under 1% of that total.
In other words, you can’t validate their security with a track record this appalling for this long.
Sony is a target because of their past actions with DRM. So while I don’t support the hackings, Sony should know, certainly by now, that they need to focus continually and extra hard on security. They brought this on themselves.
Again, what makes you think they haven’t focused continually and extra hard on security? You seem to be implying that there’s such thing as perfect security, and they could have attained it if only they had tried.
Did my best to up-vote you to normal, even registered to this site to do so, specifically in support for the pure genius way you outed the petty sock-puppetry behavior!
BTW @ Kotaku, as an illustrator, Up yours for mandating Gravatar!
*Pantomimes an angry, yet socially acceptable gesture towards Kotaku staffer in charge of the mandate.
I didn’t get notified of your reply, sorry. This has been happening a lot lately. In any case, welcome to Kotaku =)
Some good old fashioned ‘blame the victim’ mentality right there.
Not at all. Maybe if you had googled “Sony DRM”, you would have found the actions I specifically mentioned: https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
You don’t commit these actions and not expect repercussions.
What are you on? That’s all related to DRM on music CDs in 2005. So you’re saying because of that, it gives fuckwits like this guy the green light to attack and bring down their other services and make threats that affect the livelihood of Sony’s employees and family?
Not DRM. Rootkit monitoring software. That’s not managing your digital media, that is actively tracking and monitoring all customers without their knowledge. Also, if you would actually read my initial comment, you would see that I expressly state that I don’t support the hacks. I just point out that Sony are a high profile target for their past actions. They need to be better at security, and provided information on a track record of them failing at it.
If you have any data supporting how conscientious Sony is about security that would be great, otherwise you aren’t presenting an argument, just flaming your opinions wildly.
There is also the PSN hack of 2011, the 2014 Sony pictures hack. Here’s a good list of all the attacks: http://attrition.org/security/rant/sony_aka_sownage.html
I was not trying to present an argument for Sony.
If you had read my comment (see I can be condescending too), it is directed at you and your backwards mentality and the DRM / Rootkit example you were bringing up is irrelevant to SOE / SCE as it had nothing to do with those divisions of Sony.
So you have no opinion or argument, you are just attacking my comment?
Read the link below. Every division of Sony has been vulnerable and attacked multiple times. The attacks stem from the DRM rootkit scandal. Since then, attacking Sony is popular among hackers. They are a target because of that specific action. You’ve been schooled, sourced and now just plain ignored. Beyond this, you can do your own research and I’ll accept your apology later.
Source on that?
Actually, don’t worry, I don’t care.
Actually, here you go, straight from Giz…
http://gizmodo.com/why-sony-keeps-getting-hacked-1667259233
Unfortunately, even the best security in the world won’t stop these assholes…
how did this get a downvote, it’s completely true.
One of the idiots has been downvoting me for years for no reason, not even sure why? It’s a reg on here’s fake account he/she uses to downvote. It’s really pretty sad. Told them once I’d never actually acknowledge them again so I’m sticking to it 🙂
im pretty sure we’ve offended each other once or twice before on differing views. so what. we supposed to be grudge holding sheep? some plebs, i tell ya.
Probably. Offences happen in a thread, you move on. It’s part of the forum life. lol
Well in that case…Up-vote..
Yes it will. In fact, it’s very easy to stop intrusions which is why it doesn’t happen more often. It’s lapses in judgement and security usually through human error that creates the security flaw in the first place. Like sending passwords externally via email, or using the same password for everything. These guys generally get in via dumbass brute force attacks and guessing common passwords like BigKnockers69. It’s not like the movie Hackers.
Keep in mind that protection against DDoS attacks is not really security related. It’s more a case of reliability and designing a good network topology to handle load either via scaling or using a piece of network infrastructure that can throttle and drop packets via some sort of circuit breaker. But the very nature of DDoS attacks means that these packets are coming from thousands of different IP addresses which makes it hard to determine which packets to drop. But there are some smarts built into load balancers to do this.
No one ever said it was like the movie Hackers, but no one ever said the security of any of these companies was impenetrable. No system is flawless and 100% secure, there will always be a way to exploit a weakness, it just takes time and someone with the right mindset to do so.
…Correction; The Whole-ASS…
Would that validate making a bomb threat against an aircraft like this muppet did?
Security only makes it harder. The only way to make a computer system completely secure is to never turn it on. And even then, there’s probably ways to get data off it.
This. There is no such thing as a fool proof system. And even if getting inside is beyond someone’s talent, they can always just ddos the shit out of it – just like the Lizard Squad script kiddies do. Everyone likes to say ‘they must’ve had shit security.’ Not necessarily. Anything can be broken into – or at the very least taken down – with the right skills, determination and resources. Anything.
So because you are not covered from toe to crown in kevlar, it’s basically an invitation for me to riddle you with bullets and get away with it?
Maybe she shouldn’t have dressed like a slut?
Also, I think saying “I’m coming for you” could be construed as a threat, which is probably somewhat illegal?
Not entirely smart to write that, but things like this are usually taken into context once they reach this level. Unless you don’t have money backing you 😉 . In terms of legal proceedings. I think we don’t really have to play ‘defender’ to the lizard squad fuckwits actions or condemn Sony…
It’s not a threat…. it’s a promise.
He’s threatening litigation, so it’s probably easy enough to argue that that’s what it refers to.
So is making bomb threats.
Well, I guess he could have said something a little less obvious, but “I’m going to exercise my legal rights to the fullest extent possible” doesn’t quite have the same ring as “I’m coming for you.” My other choice would have been “Be afraid, Julius. Be very afraid…”
blub Guest
July 9, 2015 11:35 am
Yeah get over there bro and lawyer him right in the face
————————————————————————————-
I’m gonna go with this…Best legally untouchable threat ever made!
He could be bringing pizza or about to give him a lift home.
This seems like a really dumb idea. He’s just begging for someone to mess with him.
Hey, he’s the rich one. People are ALREADY messing with him and if you ask me, THAT’S the dumb idea. Who’s really more powerful, who has more resources at his disposal, some dumbshit wannabe hacker kid, or the CEO of a massive multi-million dollar company?
But that’s what makes him such a juicy target. He’s well off, successful, traditionally powerful, and taking this all super personally enough that he’s willing to give them a response rather than ignoring them. It’s like trolling the monopoly guy. He may have the resources that messing with him will probably end badly, but there’s a ton of stupid kids who think they’ll get away with it and he’s not impervious to SWATing.
I can absolutely understand his anger. However, I think we really should be careful about parents being held accountable for the actions of their children when they start hitting mid-adolescence.
The guy needs to be sent to the chair for disrupting my Xbox time during Christmas.
Most likely get offered a job to work with the FBI
He made a bomb threat against an aircraft; that’s pretty much terrorism. I really doubt the FBI take those kind of people and give them high paying security jobs AND high level access to FBI security.
True, the U.S. usually trains people for that job before they become terrorists.
But seriously, you would be surprised. I doubt they would hire this kid, he has done nothing special in terms of skill and they pinned him fairly quickly themselves, but the U.S. security agencies are known for hiring skilled hackers.
Actually, that’s exactly what they do. The majority of cyber criminals go on to successful careers in security.
Source?
“Catch me if you can”
http://www.theguardian.com/technology/2011/jun/06/us-hackers-fbi-informer
Do I need to provide further? Or can you google it yourself?
The link doesn’t substantiate any of your statement. It says that one person believes as many as 25% of hackers are informants, but makes no indication they’re paid and specifically mentions the fact that many are likely helping the FBI out of intimidation and threat of jail sentences. It makes no mention of careers or the computer security industry.
Your claims appear to be that the FBI “take[s] those kind of people and give[s] them high paying security jobs AND high level access to FBI security”, and that the ‘majority’ of cyber criminals go on to lead successful careers in computer security. The link you provided doesn’t support either of these claims, are you able to substantiate them?
I never mentioned FBI. See below for more links since you won’t look it up for yourself. I honestly thought this was widely known and didn’t do more than a cursory google search and take the first result.
@keiranj You said “that’s exactly what they do” in reply to scruffy’s comment that the FBI wouldn’t give them high-paying jobs, the context seemed pretty clear that the FBI was the subject.
In any case, the articles you linked don’t really support your claim that this sort of thing happens in the majority, which is the main thing I took issue with in your earlier comment. I did look for sources to support that notion and didn’t find any, which is why I asked you where you got the impression that the majority of hackers end up in the security industry.
@zombiejesus It’s by nature a clandestine industry. You aren’t going to get solid statistics on hackers working for the FBI. I have my opinion based on sources I can’t link to. I linked to articles showing the trend, that hackers in the majority when caught end up getting high paid gigs working security.
Have I proven hackers work for the FBI? Yes. That’s the first part of my initial comment.
The second part of my initial comment states “careers in security”. That is not specifically the FBI. You may be mistaking my comment as an attack on scruffy’s mistaken comment. It was not. It was to further discussion and educate a few ppl, as it has done. No white knight needed here, you can move along.
I don’t think “FBI Informer” is a paying gig, dude. In fact, the “threat of prison” written right up there in the subheading would indicate these hackers may not exactly be willing participants in these situations. It seems to be an ongoing myth that if you can only hack someone’s security, they’ll see how talented you are and hire you. But in reality, it’s as likely as breaking into someone’s house to convince them you’re a great locksmith. They’re not going to give you a job; they’re just going to call the police.
Again, I never mentioned the FBI.
http://americanfreepress.net/?p=4863
http://www.pcmag.com/slideshow/story/266255/7-hackers-who-got-legit-jobs-from-their-exploits
@keiranj
Never mentioned FBI? You posted an article about the FBI. The link even has FBI in it! But you “never mentioned it”?
You’ve also mentioned previously that you have “opinions based on sources you can’t link to”. Opinions are not facts. Facts are facts. And if you can’t prove it, then it’s not a fact.
@scruffy
I did explain a lazy google produced that result. Are you ignoring the other links I posted? Great work!
I’ve supported and explained my opinion enough. You don’t agree? Your turn to prove that.
@keiranj
“I did explain a lazy Google produced that result”
So is that justification for an outright lie? You posted a story about FBI informants, then claimed (twice!) to have NEVER mentioned the FBI.
And you posted links from stories on the Internet (such as the PC Mag article, which has almost no sources provided)? Do you honestly believe EVERYTHING you read online (such as opinion pieces, like the Gizmodo article)? Do you believe conspiracy theorist websites as well? Hell, did you believe the media when they said Saddam had weapons of mass destruction, or that refugees were throwing children overboard?
@scruffy How about you debate the point instead of attacking me personally? Do you always harass ppl who don’t share your opinion?
@keiranj
You’ve lied. You’ve used links to opinion pieces and articles that can’t even provide basic sources. If calling out your BS is an attack, then maybe stop spreading BS on the Internet, and you won’t be “attacked”. Honestly, your research methods put you in the same group as Anti-vaxxers.
@scruffy I can’t link to the sources that informed my opinions. Not everything is on the internet, or on the internet in a linkable format. And I really have no obligation to educate you. I provided articles, you provided flames. I support my opinion, you repeatedly resort to insults, rather than deal with the topic at hand. Unfortunately, I expect many of your comments will get modded out, removing my perfectly appropriate responses.
@keiranj
“Can’t link to articles” That just sounds like an excuse. How can you prove something without the evidence to back it up?
Now you’re throwing accusations that I’m “flaming” and that I’ve “repeatedly resorted to insults”…… Such as what, exactly? Go check my previous statements, and tell me which parts are these supposed “repeated insults”. As you probably know, these forums show when a comment has been edited, and none of my comments have been.
@scruffy http://gph.is/1maJhlG
dirtnasty – “Most likely get offered a job to work with the FBI”
keiranj – “Actually, thats exactly what they do. The majority of cyber criminals go on to successful careers in security.”
keiranj – “I never mentioned FBI.”
keiranj – “Have I proven hackers work for the FBI? Yes. That’s the first part of my initial comment.”
keiranj – “Again, I never mentioned the FBI.”
Your argument lacks internal consistency.
If we follow your line of thinking, police informants would now be called police officers. Your comments are ridiculous.
Thankfully, your white knighting is not needed here. I’ve proven all I feel obligated to prove. I’m quite happy with the schooling that’s been generously applied.
Yes, you have been quite emphatically schooled. I’m glad we agree on that point at least.
Poor silly little boy, why haven’t you replied to my post in the other article? Your several paragraphs were breezily dismissed, a consequence of you not reading the preceding posts and underestimating, as again in this case, your own levels of ignorance.
It would seem to fall within the terms of the US-Finland extradition treaty as making a false statement to a government agency or official. Interestingly, he could be extradited if he was ever involved in a prison mutiny.
Pretty sure industry/law enforcement agencies would want hackers with real security knowledge and expertise, not children that just botnet the shit out of everything they see. They’re not hackers, they’re just wannabe anarchists and trolls.
nope that’s too easy, he needs to be locked away in a padded cell and forced to listen to nothing but the wheels on the bus for 23hrs a day for 10 years
If the 17-year-old child has more charges to answer to, commenting on pending legal cases publicly isn’t a very bright thing to do I would think. ….and the comment on his parents is just stupid, don’t let this guy on twitter ever again.
Thanks for identifying the *real* victims in this fiasco keiranj. Yeah, we should all feel sorry for the poor little 16 TRILLION dollar company and their poor DRM that’s been revealed time & time again for what it is. Greed may be good, but revenge is an absolute zero beyatch! 🙂
So the correct course of action is for hackers to punish the customers? And what has Sony’s DRM got to do with ruining things for XBox Live users?
The two or so blokes measuring their google search ability e-peens for the first 50 odd posts is pretty funny. Whenever the internet is a conversation medium, people always have a win/lose right/wrong mentality.
There is no right answer. You both walked away rationalizing “I won, I’m right and he’s wrong”.
There’s no black and white. You can write up a list explaining why SCE ‘deserve’ what’s been dealt to them and you can write up a list explaining all the things any hackers have done wrong, along with why they should be punished. Neither list would discredit the facts of each other’s list (facts that would likely be hidden gems within the deserts of your biased points of view).
Stop attacking each other. Deposit your perspectives and realise you’re not going to change the other guy’s point of view. I bet you’d both be way more amicable if you were talking face to face.
My 2cents:
Daybreak CEO is only making himself look weak and vulnerable by venting to the public like this. He should have kept this kind of thing low key or at least professional and without all the anger in his posts. All he’s done in my eyes is show he’s losing control – not a great situation to be in as a CEO.
Wow, Fuck this guy. No middle aged CEO should be able to taunt a kid for being beaten up in prison and still think that he’s one of the “good guys”.