
Sony Pictures Hacked: Do You Really Want to Update your Camera Firmware with a Sony Updater that Runs as 'root'?

A month ago I wrote in Sony Firmware Updater: a Security Risk that the Sony firmware updater carried serious security risks, because it runs as a kernel extension (complete control over the system). It was a prescient blog post.

If you have not been following it: the IT infrastructure of Sony Pictures was hacked, taking down large chunks of Sony’s operations for at least a week, according to news reports. The breach also exposed all sorts of juicy material to public view, such as internal emails, as the Wall Street Journal reports in At Sony Pictures, Drama in Email. And apparently a lot more.

Ask yourself a simple question: do you want to run a Sony updater that runs as “root” (total control over the system), from a company that has been hacked in one of the most devastating IT attacks in memory? (Update: Sony private keys have been stolen.)

Why would the perp stop at Sony Pictures—what’s to stop malware from being inserted into the Sony updater, which, having complete control over your system as root, could do anything it wants, such as keylogging all your passwords and then emptying your financial accounts, or similar fun stuff? Without Sony having a clue. Or you. Until you find that all your bank accounts are empty.

Sony private keys stolen

This section was written after the paragraphs above, before your author knew that keypairs had been stolen.

A PFX file usually contains the private key corresponding to the public key.

Compromise of the private key of a public/private keypair is a massive security blunder with huge ramifications: all content signed by that key is reported as “verified”. Yet there are reports that Sony PFX files containing private keys have been stolen.

If the PFX files are not protected with unusually strong passwords, password cracking can be employed (using massively parallel services). Once a private key is compromised, malware can be inserted into any desired content and then signed with the now-compromised private key; the software/content would be valid by definition, since the signature checks out. Sony should immediately revoke all of its stolen public/private keypairs for that reason. Yet so far Sony seems to be mum on the stolen keypair issue, which, if correct, is grossly and perhaps criminally irresponsible, given the huge worldwide potential for damage from compromise of user systems.

It is inconceivable that a private key used by a major corporation to sign software should be on any web-accessible computer; that is gross negligence. Yet this is apparently what Sony has made its practice, for how else could PFX files have been stolen?

Put simply, the smart move is to assume that ALL Sony digitally-signed content/software might be compromised (soon or in coming months). As per

So far dozens of PFX files have been leaked online. PFX files contain the needed private key and certificate. Such files are password protected, but those passwords can be guessed or cracked. Not all of these PFX files will be of immediate value to attackers.

The importance of leaked code-signing keys cannot be overestimated. Software signed by a trusted publishing house will generally be trusted by the operating system, security software and first responders. It's an extremely powerful way for attackers to stay below the radar.
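The point of the two passages above, that a signature made with a stolen key verifies exactly like a legitimate one and that only revoking the key stops it, is easy to see in code. The following Go program is an added example and is not from this post, from Sony, or from the quoted report; it uses Ed25519 from Go's standard library in place of the RSA keys a PFX file would hold, and the revocation list is an in-memory stand-in (an assumption) for a real CRL or OCSP check. All sample data is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is what the verifier reports for a signed blob.
type Verdict int

const (
	Trusted      Verdict = iota // signature valid, key not revoked
	BadSignature                // signature does not match blob/key
	RevokedKey                  // signature valid, but the signing key is revoked
)

func (v Verdict) String() string {
	switch v {
	case Trusted:
		return "Trusted"
	case BadSignature:
		return "BadSignature"
	case RevokedKey:
		return "RevokedKey"
	}
	return "Unknown"
}

// RevocationList is an in-memory stand-in (assumption) for a CRL/OCSP lookup,
// keyed by the fingerprint of the signing public key.
type RevocationList map[string]bool

// KeyID fingerprints a public key as hex(SHA-256(raw key bytes)).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyFirmware is the defender-side check: a valid signature alone is
// not enough; the signing key must also not be on the revocation list.
func VerifyFirmware(pub ed25519.PublicKey, blob, sig []byte, revoked RevocationList) Verdict {
	if !ed25519.Verify(pub, blob, sig) {
		return BadSignature
	}
	if revoked[KeyID(pub)] {
		return RevokedKey
	}
	return Trusted
}

// DemoResult collects the four verdicts the walk-through produces.
type DemoResult struct {
	Legit                Verdict // vendor's own image, fresh key
	ModifiedAfterSigning Verdict // image altered without access to the key
	ForgedBeforeRevoke   Verdict // image signed with the leaked key, key not yet revoked
	ForgedAfterRevoke    Verdict // same image after the key is revoked
}

// Demo walks through the scenario with constructed sample data.
func Demo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	revoked := RevocationList{}

	// Constructed sample: the vendor's genuine image, signed with its key.
	firmware := []byte("constructed sample: vendor firmware image v1.0")
	sig := ed25519.Sign(priv, firmware)
	r.Legit = VerifyFirmware(pub, firmware, sig, revoked)

	// Altering the image without the key breaks the signature, as expected.
	altered := append([]byte{}, firmware...)
	altered[len(altered)-1] ^= 0x01
	r.ModifiedAfterSigning = VerifyFirmware(pub, altered, sig, revoked)

	// Once the private key has leaked (the PFX scenario), anything signed
	// with it verifies exactly like the vendor's own release.
	leaked := priv
	payload := []byte("constructed sample: image with unauthorised changes")
	forgedSig := ed25519.Sign(leaked, payload)
	r.ForgedBeforeRevoke = VerifyFirmware(pub, payload, forgedSig, revoked)

	// Revocation is the only control left: the signature is still
	// mathematically valid, but the verifier now refuses the key.
	revoked[KeyID(pub)] = true
	r.ForgedAfterRevoke = VerifyFirmware(pub, payload, forgedSig, revoked)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit=%v altered=%v forged(before revoke)=%v forged(after revoke)=%v\n",
		r.Legit, r.ModifiedAfterSigning, r.ForgedBeforeRevoke, r.ForgedAfterRevoke)
}
```

The third verdict is the one that matters for the argument: the verifier has no way to tell a forged release from a genuine one, because the mathematics is identical. Only the fourth step, publishing the revocation and having every client consult it, changes the outcome, which is why the post insists the stolen keypairs be revoked immediately.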

IEEE times hits the nail on the head with “cavalier” in How Not to Be Sony Pictures:

The scope of the recent hack of Sony Pictures — in which unidentified infiltrators breached the Hollywood studio’s firewall, absconded with many terabytes of sensitive information and now regularly leak batches of damaging documents to the media — is only beginning to be grasped. It will take years and perhaps some expensive lawsuits too before anyone knows for certain how vast a problem Sony’s digital Valdez may be.

But the take-away for the rest of the world beyond Sony and Hollywood is plain: Being cavalier about cybersecurity, as Sony’s attitude in recent years has been characterized, is like playing a game of corporate Russian roulette.

Sony counterattacks?

Stolen content has appeared on various sites, and apparently Sony is attacking the sites hosting it, a dubious practice at best and possibly illegal here in the USA. That article does not cite its sources, other than “two people with direct knowledge of the matter”, so it could be incorrect, but it would not be out of character with Sony’s past ethical lapses.

The Cloud

Now, forgetting Sony, consider whether the 'Cloud' is safe: Apple and Google and so on are tempting targets for all hackers. Do you want to store your stuff in the Cloud? Storing anything sensitive in the Cloud is a really bad idea, judging by the constant and ongoing security breaches one can read about every week. The advice here is “think about it”. But hey, cats don’t do it and celebrities do.

But all such stuff is trivial in the Big Picture, and Sony is just the canary in the coal mine. News reports indicate that USA power infrastructure has been hacked. Consider the taking down of critical infrastructure of all kinds by skilled hackers backed by a foreign government. The recent Turkish pipeline explosion was a non-event in terms of all the internet-connected gear that was supposed to monitor the pipeline and report failures. But stuff blew up and burned nonetheless.

Now consider the same 'Turkish' ideas applied simultaneously to every power plant, nuke plant, electrical and pumping station and substation, dams, ventilation systems, pipelines and railroads and hospitals and even home power meters (installed by mandate on every home here in California by jackasses with no concept of security risks). All at once, with a few keystrokes, everything everywhere stops working. Stuff shuts down, blows up. Maybe a nuke melts down for good measure. To put any critical infrastructure on the internet is criminally negligent by design. Cut off the water and power and nothing works—possibly for weeks and months if hackers persist. Millions die in urban areas from deprivation of food and water (consider even simple things, like cutting off the natural gas supply during a severe cold front in winter). Riots and anarchy reign. Or just shoot out a few key transformers across the country. Yet this national security threat hardly registers with any of our professional politicians. The next war may not have a shot fired.

See also

Copyright © 2008-2017 diglloyd Inc, all rights reserved.