Support NeoGAF

[Metalmurphy]

Lets say that if your account was robbed and the bank simply didn't inform you and haven't compensated you and told you its the thieves fault not ours.
What would you do?

But I have been informed. But to answer your question, even if they did inform me i'd still be mad at them, as I am with Sony. I can't blame/criticize/sue someone we don't even know who. That's not to say I think this is Sonys fault.

 

[Cruzader]

Wow, some people don't really grasp how hard it is to secure digital data this day and age. Much like achilles heel, no matter how strong your security is, a hacker just need a flaw in the system to exploit it. If a security company like SecureID(they make the RSA dongle) can get hacked, then don't any security system to be safe. Raging against Sony for their "weak" security system is just idiotic, especially when we don't know how the hack was done or how they secured it.

Obviously Sony are the only company to get hacked these days. Very incompetent compared to Visa or Amazon or some government agency.

 

[RuGalz]

What points to that? I haven't seen anything that would point to Sony not encrypting the passwords.

And hasn't encryption been pretty standard for at least ten years if not longer?.

They clearly stated that CC table was encrypted and didn't mention anything about personal information being encrypted. So draw your own conclusion from that.

Plenty of forums and smaller e-commerce sites don't encrypt password because it's not a requirement and adds burden to the system; or, it's just an old system that hasn't been updated. Most recent dslreports.com's breach, leaked people's info including password in plain text for example. While you may think it's illogical, I wouldn't assume it is a standard practice.

 

[Psychotext]

And you know this how?

We know they were running out of date versions of Apache and Linux, and we also know that their security logs were available for all the world to see (even after the intrusion)... the former is bad, the latter is inexcusable (logs make for an excellent attack vector).

 

[LowParry]

I agree with your last sentence, but Sony are working to make the security of PSN stronger and they're aiming to have done that within 2 weeks. Why not make it that strong to begin with? Why didn't they salt and hash passwords? Why did they have a bunch of user data completely unencrypted? Other companies may do the same things, but that doesn't get Sony off the hook - it only makes those other companies as bad as Sony.

For all we know, Sony's methods could be equivalent to other company's methods of security. One thing is for sure, what's happened to Sony, will no doubt give other company's the initiative of placing more security measures in their system. It sucks to see Sony being made an example to be honest. Though from a consumers side, I see every right for someone being mad at Sony. Though their anger seems very one sided.

 

[Metalmurphy]

We know they were running out of date versions of Apache and Linux, and we also know that their security logs were available for all the world to see (even after the intrusion)... the former is bad, the latter is inexcusable (logs make for an excellent attack vector).

No we don't. Did you miss the other guy saying that the header meant nothing?

There's also no telling those web servers had anything to do with where the db were stored.

Not really sure how logs (are they even security logs?) are really that bad. Then again, I'm not an hacker. But nothing relevant came from those logs as I'm sure you know.

 

[rpmurphy]

Wow, some people don't really grasp how hard it is to secure digital data this day and age. Much like achilles heel, no matter how strong your security is, a hacker just need a flaw in the system to exploit it. If a security company like SecureID(they make the RSA dongle) can get hacked, then don't any security system to be safe. Raging against Sony for their "weak" security system is just idiotic, especially when we don't know how the hack was done or how they secured it.

Preventing an attack is only one aspect of security though. If people are talking about PSN's information security policies as a whole, then there is likely to be more holes that they failed to address that could have mitigated and controlled the damage that this intrusion had caused.

 

[Mithos]

I really can't see why Sony need to store ANY information about me at all.

Login-name (my mailadress in this case), password and PSN-ID (displayname), that is ALL information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.

 

[test_account]

I really can't see why Sony need to store ANY information about me at all.

Login-name (my mailadress in this case), password and PSN-ID (displayname), that is ALL information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.

It seems to be some kind of standard policy for these types of services. But i do wonder what good it will do though because there is no control for if the name and adress etc. you write is real or fake. And even if you write a completely fake name, you still get to register.

 

[KJTB]

I really can't see why Sony need to store ANY information about me at all.

Login-name (my mailadress in this case), password and PSN-ID (displayname), that is ALL information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.

I agree. Didn't really think about this either though, why the fuck does Sony need my address?

 

[Combichristoffersen]

Come to think of it, a nice way to compensate for the PSN fuckup would be to finally give us Tomba/Tombi on the PSN store

 

[Diablos]

I really can't see why Sony need to store ANY information about me at all.

Login-name (my mailadress in this case), password and PSN-ID (displayname), that is ALL information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.

Seriously. Store the name/addy/CC/etc info on the console and then the network reads it when making purchases, but wouldn't actually store it remotely.

 

[lunlunqq]

If I were Sony, I'd give everybody 3 months of PS+ for free. It's also a good chance to advertise PS+.

 

[H_Prestige]

Well, if the PS4 is locked down tighter than the Queen's clacker then we'll know who to blame won't we!

*cough*GeoHot*cough* (if it wasn't obvious enough)

If PS4 and NGP aren't region free, I don't think it will have anything to do with hacking. Probably due to publisher pressure and seeing MS and Nintendo still have great success selling region locked consoles.

 

[Snaku]

Come to think of it, a nice way to compensate for the PSN fuckup would be to finally give us Tomba/Tombi on the PSN store

I demand Suikoden II.

 

[SolidSnakex]

If PS4 and NGP aren't region free, I don't think it will have anything to do with hacking. Probably due to publisher pressure and seeing MS and Nintendo still have great success selling region locked consoles.

Any publisher could region lock their games if they wanted to.

 

[Combichristoffersen]

I demand Suikoden II.

Tomba and Suikoiden II then.

And a new Motor Toon GP.

That's like the least you can do, Sony.

 

[Professor Beef]

Tomba and Suikoiden II then.

And a new Motor Toon GP.

That's like the least you can do, Sony.

They'll put them on the store, but not for free.

*trollface*

 

[Combichristoffersen]

They'll put them on the store, but not for free.

*trollface*

I don't care, I only want Tomba and a new MTGP

 

[H_Prestige]

Any publisher could region lock their games if they wanted to.

Not on PS3 and PSP. That's what happens on the 360.

 

[Ultima_5]

Any word yet on the status of everyone's credit card information? I'm kind of concerned about it, and want to be sure before i tell my parents (i used their credit card). I don't want them to become more paranoid of buying things over the internet than they have to...

 

[test_account]

Any word yet on the status of everyone's credit card information? I'm kind of concerned about it, and want to be sure before i tell my parents (i used their credit card). I don't want them to become more paranoid of buying things over the internet than they have to...

Sony has said that the creditcard information was encrypted on their server and that the CVV (security code on back of the cards) were not stored. But arent you protected against CC fraud regardless?

 

[SolidSnakex]

Not on PS3 and PSP. That's what happens on the 360.

I'm almost 100% certain that at the start of this gen Sony said that region locking was up to publishers. I believe it was Phil Harrison that said it when he was asked about it. He mentioned that all of Sony's games would be region free but the publishers would have an option of locking or making it region free. Stranglehold was once region locked but Midway reversed their decision when a lot of backlash occurred from the announcement

See? Sometimes it pays to whine, and whine loudly. Midway's decision to region-lock Stranglehold was decidedly uncool, and gamers, understandably, were pissed. So pissed that Midway have seemingly reversed the decision, a moderator on the official Stranglehold boards saying that both the regular edition and the collector's edition (the one with Hard-Boiled) are now region-free.

http://kotaku.com/285961/midway-backs-down-stranglehold-now-region+free

 

[Ultima_5]

Sony has said that the creditcard information was encrypted on their server and that the CVV (security code on back of the cards) were not stored. But arent you protected against CC fraud regardless?

I would assume so, but i figure it's better safe than sorry. thank you

 

[H_Prestige]

I'm almost 100% certain that at the start of this gen Sony said that region locking was up to publishers. I believe it was Phil Harrison that said it when he was asked about it. He mentioned that all of Sony's games would be region free but the publishers would have an option of locking or making it region free. Stranglehold was once region locked but Midway reversed their decision when a lot of backlash occurred from the announcement



http://kotaku.com/285961/midway-backs-down-stranglehold-now-region+free

If that were the case, I think the ps3 would have just as many region locked games as 360. Instead it has a grand total of zero.

With Stranglehold wasn't the issue that it came bundled with a blu ray movie?

 

[test_account]

I would assume so, but i figure it's better safe than sorry. thank you

No problem =)

For sure, it doesnt hurt to be safe than sorry indeed. I wouldnt want my card to be abused even if i am protected. But i just wanted to mention/ask it since even if your card should be abused by someone else, at least (hopefully) your protected against losing money at least

 

[SolidSnakex]

If that were the case, I think the ps3 would have just as many region locked games as 360. Instead it has a grand total of zero.

I disagree. Doesn't MS region lock some of their games? If they do then why shouldn't third party publishers? On the other hand Sony doesn't region lock any of their games. If you set a standard then publishers will often follow it. The standard on the PS3 is that the games are region free and if you don't do it then you get the type of reaction that Midway received.

With Stranglehold wasn't the issue that it came bundled with a blu ray movie?

No, they were region locking both the standard and collector's versions.

 

[pix]

PS3 HACKED!!!! FERP'S THREE PSN SAFETY STEPS 4 U ;-)

Probably already posted but this is great lol

 

[Psychotext]

No we don't. Did you miss the other guy saying that the header meant nothing?

If you're going to spoof headers you don't spoof with some random version from a couple of months back. You put something else in completely (so that at first glance it isn't even Apache / Linux, reduces automated attacks) or remove the version number altogether (far more effort to identify actual version and which attack vectors you should be using).

...and yeah, having your logs visible to the world is that bad. When someone is attacking your servers it lets them know exactly what's having an effect and what's not simply by looking at the results the server is logging. More than that, certain things being reported vs not can let you know exactly what's running on a server which enables you to target your attack far more precisely.

 

[kamorra]

Obviously Sony are the only company to get hacked these days. Very incompetent compared to Visa or Amazon or some government agency.

There was a data leak at Visa and Amazon?

 

[test_account]

PS3 HACKED!!!! FERP'S THREE PSN SAFETY STEPS 4 U ;-)

Probably already posted but this is great lol

Hehe =) Maybe it has been posted before, but i didnt see it before not at least.

If you're going to spoof headers you don't spoof with some random version from a couple of months back. You put something else in completely (so that at first glance it isn't even Apache / Linux, reduces automated attacks) or remove the version number altogether (far more effort to identify actual version and which attack vectors you should be using).

...and yeah, having your logs visible to the world is that bad. When someone is attacking your servers it lets them know exactly what's having an effect and what's not simply by looking at the results the server is logging. More than that, certain things being reported vs not can let you know exactly what's running on a server which enables you to target your attack far more precisely.

Which logs are these?

 

[Metalmurphy]

Hehe =) Maybe it has been posted before, but i didnt see it before not at least.



Which logs are these?

GraceNote Proxy log that had nothing to do with the hack.

 

[obonicus]

We know they were running out of date versions of Apache and Linux, and we also know that their security logs were available for all the world to see (even after the intrusion)... the former is bad, the latter is inexcusable (logs make for an excellent attack vector).

Where did you see 'security logs'? They were HTTP request logs. And how are logs an excellent attack vector? Unless someone screwed up a log implementation, the worst I can see them doing is giving the perpetrator insight into how the server is responding when they attempt their shenanigans. You shouldn't have them be public, but they're not the smoking gun you claim they are.

Just as an aside, people should be clear about how they're speculating about what the attack is about. No one has any idea about what actually happened; when people state authoritatively 'xxx was out of date' you have less tech-savvy people actually believing this to be the cause.

 

[test_account]

GraceNote Proxy log that had nothing to do with the hack.

What is that? I saw some screenshot of something that someone claimed to be a PSN access log, but i dont really know what this was about.

 

[Psychotext]

You shouldn't have them be public, but they're not the smoking gun you claim they are.

Never said they were a smoking gun, but if you're making mistakes on basic level security aspects like that then you're making them elsewhere. That's just an example we have clear proof of.

That said, it's quite possible that security on those servers were handled by a completely separate team. Though any network is only as good as its weakest security, with any breach providing a potential jumping point to to intended target.

Hopefully we'll eventually find out (via the congress questions most likely) how their network was breached and then we'll know exactly what they did wrong. It's highly unlikely they were attacked with a previously unknown platform vulnerability (because it wouldn't have just been them taken out, there are far tastier morsels out there)... but who knows if we'll ever get to see that information.

 

[DireStr8s]

hm, just got prompted to d/l a LBP 2 update.


edit: ah, good to know those ol update servers are still up & running

 

[Metalmurphy]

What is that? I saw some screenshot of something that someone claimed to be a PSN access log, but i dont really know what this was about.

It's not a PSN access log, it's just the Gracenote server log

http://shockwavelounge.blogspot.com/2011/04/playstation-network-log-of-hacker.html
(just disregard the actual article text as it's completely incorrect)

hm, just got prompted to d/l a LBP 2 update.

Update servers are separate from PSN servers.

 

[Combichristoffersen]

hm, just got prompted to d/l a LBP 2 update.

Update servers have been up and running since PSN was taken down AFAIK

 

[Speevy]

You have a new version of LittleBigPlanet 2...that you can't play.

 

[obonicus]

Never said they were a smoking gun, but if you're making mistakes on basic level security aspects like that then you're making them elsewhere. That's just an example we have clear proof of.

We don't need that to say that Sony's security might have huge holes. The RNG thing on the PS3 is a much more blatant indication, honestly.

That said, it's quite possible that security on those servers were handled by a completely separate team. Though any network is only as good as its weakest security, with any breach providing a potential jumping point to to intended target.

True, but even the supposed unpatched exploits mentioned briefly in that pasties note don't mean the server necessarily was exploitable. They may depend on payloads that are difficult to take advantage of. Ideally they would be patched, and they may have been the point of entry, but it could just as easily been something else.

Hopefully we'll eventually find out (via the congress questions most likely) how their network was breached and then we'll know exactly what they did wrong. It's highly unlikely they were attacked with a previously unknown platform vulnerability (because it wouldn't have just been them taken out, there are far tastier morsels out there)... but who knows if we'll ever get to see that information.

Oh, definitely, there was some hole in their system and it probably was old. There always is. I'm just saying that we shouldn't point to any of the known issues so far as more than speculation, because there's no confirmation, and none of them so far is a gaping hole that had to be the point of failure. PSN is a juicy target, though, so I wouldn't rule out a 'new' exploit for that reason, but more because generally it's something already known that is exploited. Even with good turnover, patching a server on a production system requires a lot of planning.

 

[Metalmurphy]

We don't need that to say that Sony's security might have huge holes. The RNG thing on the PS3 is a much more blatant indication, honestly.

Because network security and console security are one and the same, and done by the same people.

 

[ClosingADoor]

They clearly stated that CC table was encrypted and didn't mention anything about personal information being encrypted. So draw your own conclusion from that.

Plenty of forums and smaller e-commerce sites don't encrypt password because it's not a requirement and adds burden to the system; or, it's just an old system that hasn't been updated. Most recent dslreports.com's breach, leaked people's info including password in plain text for example. While you may think it's illogical, I wouldn't assume it is a standard practice.

If you have ever coded a website or service in the last 5 years (PSN went online in 2006 I think) and you don't use encryption on your passwords, you are doing something very, very wrong.

Of course you can debate about the level of encryption that certain systems use (the forum you are on now probably uses the standard vbulletin one, so that is an md5 encryption of your password, then salt it and md5 encrypt again), but no encryption is just stupid.

I hope Sony clears this up tomorrow. And I too am amazed by dslreports btw.

 

[KaYotiX]

There was a data leak at Visa and Amazon?

If you use a CC at all you should assume your info is out in the wild. Pay attention to statements every month. Should be common practice by now, if you never check your statements then your asking to be taken advantage of.

 

[DailyVacation]

PS3 HACKED!!!! FERP'S THREE PSN SAFETY STEPS 4 U ;-)

Probably already posted but this is great lol

The interlude with John is the best part.

 

[test_account]

It's not a PSN access log, it's just the Gracenote server log

http://shockwavelounge.blogspot.com/2011/04/playstation-network-log-of-hacker.html
(just disregard the actual article text as it's completely incorrect)

What is a Gracenote server log?

That os the picture/article i was thinking about indeed.

 

[RuGalz]

There was a data leak at Visa and Amazon?

Not sure about Amazon security leak but it has this problem: http://lifehacker.com/#!5744577/amazon-security-flaw-may-make-your-old-password-easy-to-crack

And Heartland leak was, imo, worse than PSN issue since it included 1.1m SSNs: http://www.computerworld.com/s/article/9126379/Heartland_data_breach_could_be_bigger_than_TJX_s

edit: RBS WorldPay leak included SSN, not Heartland.

 

[obonicus]

Because network security and console security are one and the same, and done by the same people.

Of course not, but it suggests that code and systems may not be audited or inspected as closely as they should be.

 

[plainr_]

I think Sony needs to give us an option (like XBL) to change account names. I don't feel comfortable knowing that there is probably a database out there that one could use to find out where I live simply by entering my PSN ID. Hilarious as it sounds, I have had some people genuinely pissed off at me for accidentally team killing them. God knows what these people are capable of if they get hold of our personal info.

 

[Raistlin]

I really can't see why Sony need to store ANY information about me at all.

Login-name (my mailadress in this case), password and PSN-ID (displayname), that is ALL information Sony needs.
When you make a purchase, you enter name, address, CC-info etc, but it never gets stored, just check/confirm and voila.

Actually age is a legal requirement in many territories.

As for CC info, do they always record it or can u do per-purchase transactions? (serious question)

 

[RuGalz]

Actually age is a legal requirement in many territories.

As for CC info, do they always record it or can u do per-purchase transactions? (serious question)

I remember it's optional if you want to store CC info. (or maybe I always go and delete it after I make a purchase).