
PSN Hack Update: FAQs in OP, Read before posting

Status
Not open for further replies.

snap0212

Member
get2sammyb said:
I need to step away from this thread shortly because I genuinely don't want to come across as a so-called "apologist" (as has been mentioned in this thread multiple times), but this just strikes me as an entirely glass half-full kinda response.

At the end of the day: you can always do more, right? More, more, more, more, more. Put bars on the windows. Build a fortress around the building storing the servers. Hire the military to circle the perimeter. Move operations to a resolute island in the middle of the ocean. Y'know?

I'm sure there are LOTS of websites where you have data stored that have LESS security than Sony has. It's just you'll never know about it because those services are unlikely to get targeted.

If they're meeting regulations then they did enough. It's true, you can always do more. And they've been stung badly by this, they'd be idiots if they didn't invest more. But there's surely a point where you have to say "this is good enough". Surely?

Even then, a BBC article highlighted recently how services like PSN and XBOX Live have to sacrifice some security measures in favour of ease-of-use. Something worth considering.
You don't sound like an apologist, everything you said sounds reasonable to me. I still think there shouldn't be a point where you say “this is good enough”. Especially not when you've become the “enemy” of so many people. Better safe than sorry... I don't think that counts in the corporate world, though.
 
Zeliard said:
You and others are greatly underestimating the potential danger here. You think you made a few phone calls and now you're in the clear? These people have your name and address and a skillful enough hacker doesn't need much more than that to socially engineer his way to identity theft.
They can have my shitty life, I don't care.
 

darkwing

Member
The_Darkest_Red said:
One of the things that really bothers me about this whole debacle is the effect that it will have on developers. This must be absolutely devastating for Zipper, not to mention smaller devs who rely on PSN for various reasons.

devastating, look at Under Siege :(
 

params7

Banned
Anon's chatlog from before psn's hack :


[user12] I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
[user12] if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
[user2] its not old version, they just didnt update the banner
[user12] I consider apache 2.2.15 old
[user2] which server
[user12] it also has known vulnerabilities
[user12] auth.np.ac.playstation.net
[user2] ya the displayed version u see via banner is not the real version
[user12] unless they updated it in the last couple weeks
[user12] I doubt that since its not trivial to change that
[user12] its a bit more invasive than just setting it to Prod like they do on their other servers
[user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
[user2] its just backported security patches
[user11] i did remove all my info after downloading the games though
[user12] that is just psn not the store
[user12] they are running linux 2.6.9-2.6.24 on that box too
[user12] that too is old
[user2] lol @ buying on store
[user11] yes, but their general attitude towards security just seems…ugh
[user2] sony wont misuse the info i bet xD
[user2] but just prevent using cfw’s of unknown ppl
[user2] even better from ALL ppl
[user2] make ur own lol
[user12] so I doubt that they are spoofing the network stack on that box as well
[user12] my guess is that it really is undermaintained “it works why change anything”
[user2] could be
[user12] sony really should update that stuff to something more current
[user2] ya
[user2] but imagine
[user2] psn == 45 environments
[user2] and for example
[user2] every env has 50 subdomains
[user2] to external machines
[user2] its rly rly huge
[user2] who wants to do this xD
[user2] ppl r lazy
[user2] wont change


When hackers like that are able to pinpoint Sony's security holes and Sony has to hire an external company today to explain to them their gaping holes..really shows how well Sony knows their own PSN.
 
Steve Youngblood said:
Obviously, this will probably boil over in the long term. People will buy stuff online, even Sony stuff! That is, unless Sony continues to exhibit terrible PR, or something comes to light about their security undeniably being horrific and inadequate. In the meantime? Let people be angry that their product doesn't work.


I'll admit, I feel a degree of sympathy for Sony simply as a businessman. Being blamed for something out of your control is a common issue, and it's unbelievably frustrating. My first reaction is thinking "How would I feel if something similar happened to me?" and I can barely imagine how devastating this is probably for Sony. They may have fault? It's possible, but before I know, it's hard to be harsh with someone who's suffering.

I guess this maybe makes me a 360° apologist, but as both a consumer and a businessman, I compare the two experiences, and while as a consumer I'm pampered (even when I'm screwed over, I'm elegantly made unaware of it), as a businessman I have to fight day after day with little to no-one taking my side ever, being it the customer, or the government, or my competitors. It's a much harder life, and it probably makes my outlook on some of the most entitled, ridiculous and spoiled complaints we're capable of raising as customers more cynical than it should be. I'm not asserting this is the case, but it can happen.
 
VisanidethDM said:
If forming opinion on facts and not factoids is being an apologist, then I'll gladly be labeled one.
it is a fact that this is one of the biggest breaches of personal data ever. it is a fact that we were not warned that this may have happened until a week of the service being down. it is a fact that Sony were hacked. it is a fact that millions of people now have had their personal data stolen and that this is potentially damaging to them beyond losing a week of PSN time.

sony are in no way wholly responsible. they are most likely not mostly responsible, but they are quite likely to be at least partially to blame for this. it may well be true that without certain mistakes on Sony's part that this could have been prevented.

again that won't make them wholly responsible, but it will absolutely make them culpable. given the warnings that made the rounds earlier this year hinting that this was possible... well it makes it seem very plausible to me that Sony are culpable.

I really don't see this "incident" as something newsworthy. I lost around 15 minutes about it. I consider anyone spending hours screaming about this or claiming this is devastating for their lives either very young/immature or insane, but that's for another discussion.
what's fifteen minutes times seven million? it's news worthy for the previously mentioned 'one of the largest data breaches ever' thing. you may not find that interesting, and that's fine, but that doesn't stop it being newsworthy.

I find the issue of the situation Sony stands in now a lot more interesting. This is sort of a first in the industry and what the consequences will be is much hotter topic than reading a blog report from 2000 people complaining about how Sony/hackers wasted 20 minutes of their lives.

if you really think data thieves look to target specific people i can only presume you don't know much about data theft. i can definitely presume that you've never been the target of random online fraud (as i have).

these people don't need your credit card number to do serious damage with everything else they might have stolen about you.
 

Zoe

Member
snap0212 said:
You don't sound like an apologist, everything you said sounds reasonable to me. I still think there shouldn't be a point where you say “this is good enough”. Especially not when you've become the “enemy” of so many people. Better safe than sorry... I don't think that counts in the corporate world, though.

In business you have to draw a line somewhere or your product will never get out. You'll always find tweaks you can do here and there. You have to deploy and just schedule an appropriate date for the next patch.
 
The_Darkest_Red said:
I know... I feel so bad for those guys. Hopefully Sony will promote some games to make up for this, although I fear that a lot of the damage will be done regardless.

They've already informed at least one dev that they'll be giving their game additional marketing once PSN is up to make up for the down time.
 
Kinyou said:
I can't wait to see the CEO of Sony ramming a samurai sword into his stomach. (Of course all live during the Sony press conference.)
funny that you mentioned that; Stringer, their CEO, is Welsh. Yeah, a Welsh man running the company - guess how well that went over with the Japanese shareholders?
 

btkadams

Member
Zeliard said:
You and some others are greatly underestimating the potential danger here. You think you made a few phone calls and now you're in the clear? These people have your name and address and a skillful enough hacker doesn't need much more than that to socially engineer his way to identity theft.
your name and address is already pretty public.
 
I know I'm responding like 6 pages late to Metal but 2006 was hilarious. There were people that GENUINELY thought that Sony would go bankrupt and be doomed foreverzz. Even media outlets, lol.

Mass hysteria is hysterical.
 
Zeliard said:
You and some others are greatly underestimating the potential danger here. You think you made a few phone calls and now you're in the clear? These people have your name and address and a skillful enough hacker doesn't need much more than that to socially engineer his way to identity theft.

What can they do with my identity?

Who in the blazes is gonna scroll through 75 million names and pick mine if he didn't know me already, and do.... exactly what? Call me? Ring at my door to give me advertisement?

Really, it's not like serial killers are now rejoicing because they have essential info that will allow them to murder people.

People keep talking about identity theft. What is anyone actually gonna do with your identity? The most "dangerous" thing I can imagine is opening a line of debt I'm not ever gonna dish a penny for.


What am I supposed to be afraid for? And I said that as an extremely reserved person who loathes even the idea of opening Facebook or joining any sort of social network.
 

theDeeDubs

Member
The sad thing is we may never know how negligent Sony was. I don't consider myself paranoid or irrationally upset. I'm just annoyed by it all. My new card is on its way and all of my relevant passwords have been changed. I'm debating over jumping ship instead of just bitching about it. I've been a huge Sony fanboy this generation, but I firmly believe in putting my money where my mouth is. As soon as my card comes in I will probably be buying a 360 and it will be my new console of choice for multiplats.
 

Zoe

Member
VisanidethDM said:
People keep talking about identity theft. What is anyone actually gonna do with your identity? The most "dangerous" thing I can imagine is opening a line of debt I'm not ever gonna dish a penny for.

Which shouldn't be possible without an SSN/<insert appropriate national ID>.
 

Massa

Member
params7 said:
Anon's chatlog from before psn's hack :





When hackers like that are able to pinpoint Sony's security holes and Sony has to hire an external company today to explain to them their gaping holes..really shows how well Sony knows their own PSN.

"It's too old!" is not a security hole, in particular if they're running Red Hat stuff. RHEL 4 was released in 2005 (with linux 2.6.9) and is still being supported by Red Hat with security patches and updates. EOL for that is February 2012.
 
Zeliard said:
You and some others are greatly underestimating the potential danger here. You think you made a few phone calls and now you're in the clear? These people have your name and address and a skillful enough hacker doesn't need much more than that to socially engineer his way to identity theft.
They can find that shit on my Facebook, for Christ's sake.
 

x3sphere

Member
Lord Error said:
Being from there of course doesn't make it automatically legit, but even if it was, the CC encryption portion of that chat has nothing to do with the situation at hand. It was saying that the CC info you submit from your console is not being encrypted before it was sent over HTTPS (which still doesn't make it unsafe, as it just means it was single instead of double encrypted), so he was saying that if you install a CFW made by someone malicious, they could easily put some code in there that would transmit your CC info to them as plaintext, over regular HTTP. basically, a problem only if you install some shady CFW, and nothing to do with this.

I know this. Regardless, the vulnerabilities discussed in that log were real. Plenty of people in the PS3 scene knew about them. Sony was running an outdated version of Apache with known exploits. There's several other ways the hacker could've gotten in though so whether this was the cause who knows.

The OS they were running on the auth server was very outdated too, though it's possible they applied custom patches rather than updating the kernel.
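Added example, not part of the thread and not code from anyone in it: the disagreement in the chat log and the replies above (a version banner versus backported vendor patches) can be settled on a host you administer by reading the package changelog instead of the banner. The changelog text, release numbers, CVE ids and advisory table are constructed placeholders, and the function names are made up for this example.

```python
import re

# Constructed sample of what `rpm -q --changelog httpd` prints on a Red Hat
# style system (newest entry first). Names, dates, release numbers and CVE
# ids are placeholders, not real data.
SAMPLE_CHANGELOG = """\
* Tue Mar 01 2011 Example Maintainer <maint@example.com> - 2.2.15-9
- add security fix for CVE-0000-0003

* Mon Jan 10 2011 Example Maintainer <maint@example.com> - 2.2.15-5
- add security fixes for CVE-0000-0001, CVE-0000-0002

* Fri Mar 05 2010 Example Maintainer <maint@example.com> - 2.2.15-1
- update to 2.2.15
"""

# Constructed stand-in for an advisory feed: CVE ids published against an
# upstream version. A banner-only scan reports every one of these as open.
UPSTREAM_ADVISORIES = {
    "2.2.15": ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0004"],
}

ENTRY_RE = re.compile(r"^\*\s.*\s-\s(\S+)\s*$")   # changelog entry header
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def banner_version(server_header):
    """Upstream version from a Server header, or None when it is hidden
    (for example "Apache" alone, which is what ServerTokens Prod sends)."""
    m = re.search(r"Apache/(\d+(?:\.\d+)+)", server_header)
    return m.group(1) if m else None


def backported_fixes(changelog):
    """Map each CVE id named in the changelog to the package release that
    first mentioned it."""
    fixes, release = {}, None
    for line in changelog.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            release = entry.group(1)
        else:
            for cve in CVE_RE.findall(line):
                # Entries run newest to oldest, so the last write is the
                # oldest release that carried the fix.
                fixes[cve] = release
    return fixes


def assess(server_header, changelog, advisories=UPSTREAM_ADVISORIES):
    """Compare what the banner implies with what the package history shows."""
    version = banner_version(server_header)
    flagged = advisories.get(version, []) if version else []
    fixes = backported_fixes(changelog)
    return {
        "version": version,
        "banner_only": list(flagged),                        # scanner's view
        "patched": {c: fixes[c] for c in flagged if c in fixes},
        "still_open": [c for c in flagged if c not in fixes],
    }


if __name__ == "__main__":
    # Constructed banner in the form Apache sends when the version is exposed.
    report = assess("Apache/2.2.15 (Red Hat)", SAMPLE_CHANGELOG)
    print("banner version :", report["version"])
    print("banner-only    :", report["banner_only"])
    print("backported     :", report["patched"])
    print("still open     :", report["still_open"])
```

An old upstream version in the banner neither proves nor rules out exposure; the per-CVE package history is what does, and a hidden banner changes nothing about what is installed.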
 
snap0212 said:
You don't sound like an apologist, everything you said sounds reasonable to me. I still think there shouldn't be a point where you say “this is good enough”. Especially not when you've become the “enemy” of so many people. Better safe than sorry... I don't think that counts in the corporate world, though.

Realistically though, there's a scenario where Sony could fulfil every $$$ of their worth towards security. I'm sure they could spend every cent of their assets on ensuring the safety of users' information, but then they'd have no reason to store it in the first place because they'd have nothing to sell. Totally exaggerated, but you can ALWAYS do more so it has to be balanced against "this is good enough".

This is true of all businesses.
 

kinoki

Illness is the doctor to whom we pay most heed; to kindness, to knowledge, we make promise only; pain we obey.
Not to be paranoid but I just saw a 1,98kr (cirka 2 cents, Sweden representin') reservation on my debit card. It starts. Dum-dum.
 

Vagabundo

Member
VisanidethDM said:
What can they do with my identity?

Who in the blazes is gonna scroll through 75 million names and pick mine if he didn't know me already, and do.... exactly what? Call me? Ring at my door to give me advertisement?

Really, it's not like serial killers are now rejoicing because they have essential info that will allow them to murder people.

People keep talking about identity theft. What is anyone actually gonna do with your identity? The most "dangerous" thing I can imagine is opening a line of debt I'm not ever gonna dish a penny for.


What am I supposed to be afraid for? And I said that as an extremely reserved person who loathes even the idea of opening Facebook or joining any sort of social network.

ID theft is pretty bad. It is a major pain in the ass. Yeah they can ruin your credit rating and it is very very difficult to fix it.
 

Zoe

Member
Vagabundo said:
ID theft is pretty bad. It is a major pain in the ass. Yeah they can ruin your credit rating and it is very very difficult to fix it.

How can they ruin your credit rating without opening lines of credit?
 
params7 said:
Anon's chatlog from before psn's hack :





When hackers like that are able to pinpoint Sony's security holes and Sony has to hire an external company today to explain to them their gaping holes..really shows how well Sony knows their own PSN.

What security hole did they pinpoint exactly?...
 
plagiarize said:
it is a fact that this is one of the biggest breaches of personal data ever. it is a fact that we were not warned that this may have happened until a week of the service being down. it is a fact that Sony were hacked. it is a fact that millions of people now have had their personal data stolen and that this is potentially damaging to them beyond losing a week of PSN time.

sony are in no way wholly responsible. they are most likely not mostly responsible, but they are quite likely to be at least partially to blame for this. it may well be true that without certain mistakes on Sony's part that this could have been prevented.

again that won't make them wholly responsible, but it will absolutely make them culpable. given the warnings that made the rounds earlier this year hinting that this was possible... well it makes it seem very plausible to me that Sony are culpable.

That's reasonable, but don't you think Sony is already gonna pay a price probably disproportionate to whatever fault they may have?

what's fifteen minutes times seven million? it's news worthy for the previously mentioned 'one of the largest data breaches ever' thing. you may not find that interesting, and that's fine, but that doesn't stop it being newsworthy.

if you really think data thieves look to target specific people i can only presume you don't know much about data theft. i can definitely presume that you've never been the target of random online fraud (as i have).

these people don't need your credit card number to do serious damage with everything else they might have stolen about you.

Once again, define "serious damage". Between me and my family members, we've probably seen at least half a dozen CC scams, and we never lost a real penny.
 
VisanidethDM said:
What can they do with my identity?

Who in the blazes is gonna scroll through 75 million names and pick mine if he didn't know me already, and do.... exactly what? Call me? Ring at my door to give me advertisement?

Really, it's not like serial killers are now rejoicing because they have essential info that will allow them to murder people.

People keep talking about identity theft. What is anyone actually gonna do with your identity? The most "dangerous" thing I can imagine is opening a line of debt I'm not ever gonna dish a penny for.


What am I supposed to be afraid for? And I said that as an extremely reserved person who loathes even the idea of opening Facebook or joining any sort of social network.
loans and mortgages could be taken out in your name. your credit rating could be ruined as a result. they could take over your bank account. you wouldn't be singled out, you would be picked at random.

they have more than your name and address. they may have security questions and their answers. if they get into your e-mail, they've basically got everything. if you've answered the same security questions for your e-mail as you did psn, they can get your e-mail even if you used a different password.
 
kinoki said:
Not to be paranoid but I just saw a 1,98kr (cirka 2 cents, Sweden representin') reservation on my debit card. It starts. Dum-dum.
2 cents is nowhere near 1.98SEK. It's more like 33 US cents, or 22 Euro cents.
 

Divvy

Canadians burned my passport
They also have your purchasing history. If you are a big spender on PSN, that will make you a much more attractive target.
 

Zoe

Member
plagiarize said:
loans could be taken out in your name. they could take over your bank account. you wouldn't be singled out, you would be picked at random.

Loans aren't that easy to be taken out. They don't have your bank account number.


Divvy said:
They also have your purchasing history. If you are a big spender on PSN, that will make you a much more attractive target.

There has been no indication that your purchase history was grabbed.
 
Vagabundo said:
ID theft is pretty bad. It is a major pain in the ass. Yeah they can ruin your credit rating and it is very very difficult to fix it.


Care to elaborate further?
As a background note, when I was graduating in law the internet was much less secure than it is now and CC scams / credit theft were already labeled as white/victimless crimes.
 

TheKurgan

Member
I am very late to all this. Didn't even know about it until I read it on CNN. :p

Anyway, I doubt it's as serious as some are making out but I have cancelled my credit card and won't be using it again on PSN. Looks like I will have to buy those stupid prepaid cards going forward.

I could see this mistake cutting PSN revenue in half for the next 6+months.
 

Rapstah

Member
AndyMoogle said:
2 cents is nowhere near 1.98SEK. It's more like 33 US cents, or 22 Euro cents.
Sony's leak has caused so much spending that the Swedish Crown is now at one tenth the value it was yesterday. Get with the times.
 

coopolon

Member
It seems entirely conceivable to me that with passwords and email accounts they can gain access to plenty of people's emails. I'm sure lots of people have their social security #s stored in their emails somewhere (maybe they sent it to their spouse one time when they were at work, or to a college admissions official when following up on their transcripts, etc. etc.).

Obviously none of this would be impossible without lax internet security, but just because people are dumb about using different passwords doesn't mean they deserve to have their personal information given out by Sony either.

Edit: Even without social security #s, people can cause some real havoc if they gain access to your email. Send out phishing scams to everyone on your address list saying I got mugged in london, please wire money. Or just start sending spam to everyone on your contact list. All serious problems for the end consumers.

Edit 2: Even worse, with access to email accounts you can gain access to bank accounts. Do people really not understand how Sony losing millions of people's personal information including emails and passwords is not dangerous?
 

Clear

CliffyB's Cock Holster
Steve Youngblood said:
Probably because there's no way for us to know? I mean, what's the point? I'm sure Sony and the authorities care, but what am I going to do. "Well, they've denied it, but I bet it's Anonymous!" "I bet it's some random Russian dude!" "I bet it's a disgruntled Sony employee!" "I bet it's Iwata. *Laughs*"

Depending on who it is, they should be harder or easier to find I'd imagine?

I mean it's just that everybody is acting like this is the work of master criminals when recent events would more likely put it on the fringes of the Hacktivist movement. Making it in fact entirely possible that this is just a demonstration to Sony of their vulnerability, with no intention to actually use the data for nefarious purposes.

Call me slack, but considering my PSN ID and password have always been different from those used on my other accounts, and that it's not a certainty that the partial CC info on file at PSN was actually taken I see no reason to do a damn thing more than I'd normally do on any other month.

i.e. check my statements for spurious transactions because banks fuck up all the time.

Not to mention that the sheer volume of data compromised means that it's relatively unlikely that I'm specifically going to be targeted.

The way I see it, the degree of risk to which this hack exposes you to is directly proportional to how careful you are about your personal security online. And even then that presupposes that the data was ever co-opted for criminal gain, which given the circumstances surrounding Sony vs Hackers is arguably not the most likely scenario.

This is a big part of the reason why I'm so dubious about playing the blame game against Sony. While the possibility remains that the entire reason behind this attack was to crucify Sony at the expense of its userbase I'm not willing to hand the douchebags responsible an easy win.
 

Vagabundo

Member
VisanidethDM said:
Care to elaborate further?
As a background note, when I was graduating in law the internet was much less secure than it is now and CC scams / credit theft were already labeled as white/victimless crimes.
ID theft is usually a starting point for a whole load of crap, including:

- Go on a shopping spree with your credit or debit card account numbers. Thieves may also create counterfeit debit cards or checks. Merchandise can be sold and the criminals walk away with cash.
- Open credit or checking accounts in your name with your SSN and date of birth. As the bills pile up, your credit report reflects the delinquent account.
- Have your credit card statements sent to a phony address. Without the bills as a reference, it may take you a while to realize your account is being used.
- Take out loans in your name for big purchases, such as a new car.
- Set up telephone or internet service in your name.
- Avoid the responsibilities of debt or an impending eviction by filing bankruptcy using your SSN.
- Give your name to police when being arrested. If the criminal is released on bond but fails to appear for the court date, police may issue an arrest warrant for you.

Just from some googling. There are a lot of horror stories out there. I had a pal getting arrested and hassled for fines for a long time because someone was giving his name and address to the cops.
 

larvi

Member
Zoe said:
Loans aren't that easy to be taken out. They don't have your bank account number.




There has been no indication that your purchase history was grabbed.

The FAQ from Sony says it's possible that it was. Have you seen something else indicating it wasn't grabbed?

It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
 

diffusionx

Gold Member
params7 said:
When hackers like that are able to pinpoint Sony's security holes and Sony has to hire an external company today to explain to them their gaping holes..really shows how well Sony knows their own PSN.

Have you ever worked in the corporate world? Companies hire consultants because they want expertise and results fast fast fast.

Sony is probably paying company XYZ gazillions of dollars to completely redo their PSN network infrastructure in two weeks. You need to go external for that sort of thing, companies don't keep that on staff. Because it is enormously expensive.
 

Drek

Member
kinoki said:
Not to be paranoid but I just saw a 1,98kr (cirka 2 cents, Sweden representin') reservation on my debit card. It starts. Dum-dum.
I really wonder how much of these stories on here are people who now just realized that maybe they should be checking transaction histories.

Sony uses actual encryption on CC numbers and keeps them in a separate place which they claim has not been touched. If it had Sony would not be saying otherwise (since doing so opens them for a MASSIVE class action lawsuit). Chances are if you're seeing strange transactions on your credit card it's because someone got your number in some other way.

Or more likely, you bought something that didn't get charged for a few days, gave a tip to someone in an establishment that had to then run a second charge to your card, etc..
 

kinoki

Illness is the doctor to whom we pay most heed; to kindness, to knowledge, we make promise only; pain we obey.
AndyMoogle said:
2 cents is nowhere near 1.98SEK. It's more like 33 US cents, or 22 Euro cents.

I'm guessing I've seen Office Space enough times to make a decimal mistake. Anyways, called the bank and it was iTunes that made that transaction, but to the best of my knowledge I haven't bought anything off of iTunes. They recommended that I'd cancel my card anyway, so I did.
 

JudgeN

Member
Zeliard said:
You and some others are greatly underestimating the potential danger here. You think you made a few phone calls and now you're in the clear? These people have your name and address and a skillful enough hacker doesn't need much more than that to socially engineer his way to identity theft.

Names and address can be found in public phone books, I just don't think it's that easy considering that information is public knowledge. Credit Card numbers will cause some problems but some of those can be easily fixed. Sony still done fucked up no if and or buts about it.

darkwing said:
devastating, look at Under Siege :(

This game finally released? When?
 