by akersten 4211 days ago
I kind of see two separate questions here, so I'll answer both.

> [The breach] raises the question though, what would it take for a company with a reputation as tarnished as Sony's to earn back your respect and patronage?

Certainly it's a hard problem for companies to assure users that their privacy is being respected, their data is safe, and their products are wholesome. The common response involving phrases like "we are working closely with law enforcement"[0] might assuage most laypeople, but this canned answer is not satisfying for the technical crowd who understand how challenging infosec is.

Unfortunately, operational security is a critical aspect of respecting customer privacy, and the bar is not very high at many companies where the standard response is anything less than rebuilding from the ground up. Obviously, most companies do not do that, even after a severe intrusion. That is not practical unless your infrastructure allows (cold backups, all workstations are thin clients or easily flashed, etc.), so there's really no way to go "above and beyond" other companies in that aspect.

So really, what we are left with is: since we can't trust any given company to have complete omnipotence and control over its network, especially where many networks may be covertly compromised[1], what is a company to do from a PR perspective in order to assure users that doing business with them is no more harmful than doing business with another company?

If I were faced with this question in a vacuum, I would have to concede that I couldn't fault Sony for having been hacked - it could happen to any company, respectable or not. But we're not in a vacuum.

> [Sony's past behavior] raises the question though, what would it take for a company with a reputation as tarnished as Sony's to earn back your respect and patronage?

Sony is actively hostile to the consumer[2][3] and operationally negligent[4]. Full stop. Quite frankly, these behaviors are inexcusable and it would take a massive organizational change for me to even consider patronizing Sony[5]. Their attitude towards their customers is completely orthogonal to how a company should behave - at this point, it's not constructive for me to rant, so I will spare the rest of my opinion. But when a company is inevitably compromised and realizes it needs to regain the trust of its customers and partners, its past will precede it, and in this case Sony's past precludes forgiveness.

[0] http://www.businessinsider.com/sony-execs-hack-response-empl...

[1] http://arstechnica.com/security/2014/12/critical-networks-in...

[2] http://en.wikipedia.org/wiki/OtherOS

[3] http://en.wikipedia.org/wiki/Sony_Computer_Entertainment_Ame...

[4] http://en.wikipedia.org/wiki/PlayStation_Network_outage#Unen...

[5] I feel that your question may be hitting on "what exactly would that organizational change have to be?" - if this is the case, I couldn't tell you. I have no idea who calls the shots at Sony, but a good first start would be to replace them. I'd also like to see more companies active in areas where they contribute to open-source ecosystems, have bug bounties, encourage tinkerers to hack on their hardware and developers to modulate their software, the list goes on. Really, the answer could be the same as the answer to "What makes Mozilla different from Sony?", but my answer is starting to read more like a stream-of-consciousness than a coherent response, so I'll stop here.