Support NeoGAF

[Rebel Leader]

Yeah I'm going to bed too.

This thread was fun. :lol

One last account check to ensure peace of mind before rest :3

 

[dream]

Yeah, I mean, a Jr. Member's friend said otherwise after all.

This is a company built on a culture of bullshitting customers.

"Our CDs don't install root kits."
"Rumble is a last generation feature."
"The Killzone 2 demo was real-time."
"RSX does 1.8 teraflops."
"SIXAXIS won an Emmy."
"all I want for Xmas is a PSP"
"Your credit card information may be safe."

Sorry but I think the junior's friend has more credibility than Sony does at this point.

 

[Jinfash]

His point is...you'll consider a jr member to be trustworthy with what he said, and then go ahead and not believe Sony with their timeline of when they discovered the scope of the attack.

And my point was: We had no reason to trust that member at the time, but since he accurately described the situation (right down to their uncertainty about whether CC was compromised or not), he deserves some credit, and conversely we grow a bit suspicious Sony's timeline.

 

[RedNumberFive]

This thread has been a blast! Almost worth not being able to play a shit ton of games that are sitting in shrink wrap on my shelf, and frantically checking my bank account and changing passwords.

That being said, I absolutely can not wait until their E3 press conference. Will they humbly apologize, will they have Kevin Butler joke around about it, or will they get booed off stage?

 

[freddy]

Having your information "out there" if someone wants to look hard enough and having it in the hands of people who may very well be looking for information to use implicitly for identity theft and monetary gain.

One and the same? I don't think so.

 

[Commanche Raisin Toast]

for those that still haven't heard or haven't been reading the last several pages of the thread:

PSBLOG:

I wanted to take this opportunity to clarify a point and answer one of the most frequently asked questions today.
There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.

1. they got hacked, shut down PSN, and then told us.
2. they hired a security firm to investigate thoroughly.
3. the security firm found out yesterday (no time specified) that user data was compromised.
4. sony told us "this afternoon" (today) about the user data being compromised.

sony did not know the user data was compromised. they did not hide it from us "for days". i think it speaks a lot to how committed they are to seriously fixing this situation that they would focus all of their own team's energies on rebuilding the network and hire an outside security firm to handle all of the investigation duties. not to mention continually giving us updates to sit tight even though they had no news to report. they could have just been completely silent for the last 6 days while we freak out and fear the worst. i can't think of a better way they could be handling all of this right now without thinking of some smart ass comment like "give everyone a million dollars and a pony".

 

[Vestal]

This is a company built on a culture of bullshitting customers.

"Our CDs don't install root kits."
"Rumble is a last generation feature."
"The Killzone 2 demo was real-time."
"RSX does 1.8 teraflops."
"SIXAXIS won an Emmy."
"all I want for Xmas is a PSP"
"Your credit card information may be safe."

Sorry but I think the junior's friend has more credibility than Sony does at this point.

You forgot, render Toy Story in real time =p

 

[Rebel Leader]

And my point was: We had no reason to trust that member at the time, but since he accurately described the situation (right down to their uncertainty about whether CC was compromised or not), he deserves some credit, and conversely we grow a bit suspicious Sony's timeline.

Insert your avatar here*

That is true.

 

[Zoe]

If it was encrypted I assure you it would be PLASTED ALL OVER THE Press release. It would help them save face.

Do you think average users know what it means for it to be encrypted?

We had people on this forum in one of the earlier CFW fear-mongering threads who couldn't understand the concept.

 

[LiK]

This thread has been a blast! Almost worth not being able to play a shit ton of games that are sitting in shrink wrap on my shelf, and frantically checking my bank account and changing passwords.

That being said, I absolutely can not wait until their E3 press conference. Will they humbly apologize, will they have Kevin Butler joke around about it, or will they get booed off stage?

i'm definitely looking forward to the Sony E3 press conference the most. fuck the Wii2 and whatever else is there...lol

 

[FINALBOSS]

Tis a good thing gamers are a VERY forgiving bunch of people.


See: The Modern Warfare 2 "boycott" lollllllll

 

[Curufinwe]

Using a debit card is stupid (always), but you are still protected by federal law in the US if your debit card number is stolen. You have 60 days from the date you receive your statement to report any unauthorized charges. People should use those 60 days to ponder their decision not to use the superior payment method.

I have a Visa debit card that's covered by Visa's Zero Liability policy.

Still going to get a new one with a different number this week, though.

 

[Dead Man]

So can we just kill 'security through obscurity' now?

 

[Vamphuntr]

Pretty sure Sony knew but they had to check with their attorneys and PR people about the proper course of action to save themselve and not their customers.

 

[LiK]

Pretty sure Sony knew but they had to check with their attorneys and PR people about the proper course of action to save themselve and not their customers.

pretty much.

Sony: "How bad is it?"
Lawyers & PR: "Pretty bad."

 

[spindashing]

Yeah, I'll still use; I'll just switch over to pre-paid cards.

Going to remove my credit card off of every site that I use that needs such a thing, though.

 

[ULTROS!]

Tis a good thing gamers are a VERY forgiving bunch of people.


See: The Modern Warfare 2 "boycott" lollllllll

They're also the most "jump to conclusions" kind of group too.

Also, I remember the L4D2 boycott, but that didn't work well coz L4D2 was pure awesome.

 

[FINALBOSS]

Do you think average users know what it means for it to be encrypted?

We had people on this forum in one of the earlier CFW fear-mongering threads who couldn't understand the concept.

Exactly. That's why I think they left it out. Who really knows though.

 

[GillianSeed79]

People already knew this but a lot of folks have been saying they wanted Sony to come out and say "There a chance of a possibility that your info might have been stolen...............maybe..................we dont know yet" from the beginning and then backtrack on those statements and then clear it up when they found out more info.

It's been repeated over and over within this thread that Sony had to investigate the problems 1st to see how bad it was and THEN report back once they knew more about it.

COMMON SENSE to me

When you pull the plug on your entire world-wide network you already are already going to suffer a financial/stock loss. It just seems like to me if it was serious enough that they had to shut down the entire network, they should have just gone ahead and said the first day that they were investigating, but didn't know yet if personal info was comprised. If it turned out to be nothing and a false alarm being open about what happened is infinitely better than the situation they are in now.

 

[ezekial45]

Yeesh, what a nightmare.

 

[Jonnyram]

Good job, Sony, with your awesome security.
Good job, hackers. Fight the power, while fucking over the consumer.

What a set of wankers, all of them.

 

[Vestal]

Do you think average users know what it means for it to be encrypted?

We had people on this forum in one of the earlier CFW fear-mongering threads who couldn't understand the concept.

Thats even better.. a BIG WORD Encryption.. Makes people feel safer..

 

[Rebel Leader]

They're also the most "jump to conclusions" kind of group too.

Also, I remember the L4D2 boycott, but that didn't work well coz L4D2 was pure awesome.

I never jump... I slightly put my foot in it.. slowly

 

[borghe]

That is why you salt the hash -- so two identical passwords would have different hashes. So now you not only need to go through a list of the most common passwords, but you have to do it for each salt value.

Salts are the same across a system. When your unix passwd salts md5, it's the same salt. Thus two exact passwords WILL have the same hash. What won't have the same hash are two same passwords on different systems using different salts.

Also with salts you are talking one way hashes. Two way encryption works solely on keying.

So basically the passwords are either clear text, hashed, or encrypted with a key. The first is unlikely, the second is common, and the third is necessary if they are expected to be able to email your password to you at any time.

 

[patsu]

And my point was: We had no reason to trust that member at the time, but since he accurately described the situation (right down to their uncertainty about whether CC was compromised or not), he deserves some credit, and conversely we grow a bit suspicious Sony's timeline.

They may both be correct.

The internal assessment may be preliminary (Need independent confirmation). Some of the employees may also have their own assessments and assumptions as info unfolds, but it doesn't become a company position until the info is finalized and vetted.

 

[Acrylic7]

just saw this on the news.
Sony has to be pissed.

 

[LowParry]

I'm not really sure who to be angry with. Guess I'm just a bit too passive about it all.

 

[sangreal]

Salts are the same across a system. When your unix passwd salts md5, it's the same salt. Thus two exact passwords WILL have the same hash. What won't have the same hash are two same passwords on different systems using different salts.

You use a different salt for every password.

edit: well not every password. You use a random salt for every password, so some passwords may share the same salt.

Also with salts you are talking one way hashes. Two way encryption works solely on keying.

Yes, that is the point of hashing passwords

So basically the passwords are either clear text, hashed, or encrypted with a key. The first is unlikely, the second is common, and the third is necessary if they are expected to be able to email your password to you at any time.

Being able to email your password is a clear sign of poor security.

 

[ULTROS!]

I never jump... I slightly put my foot in it.. slowly

Then take the plunge and all hell breaks loose. :lol

 

[epmode]

Exactly. That's why I think they left it out. Who really knows though.

Even if the passwords were unencrypted, I guarantee that you'll be downplaying that just as fiercely as you've downplayed every other Sony-unfriendly notion in this thread.

I wish GAF still had a post search. No GAF-Gold here

 

[th3dude]

I'm considering buying 1Password now for my Mac so I can have different passwords for everything and not lose track of any.

I highly recommend this. I started using it a few weeks ago. Makes me feel so much better about my accounts.

 

[SneakyStephan]

Hilarious.
Nice safety record there Sony.

 

[daegan]

You can get pissed at whoever you want, it doesn't change the fact that this is the first time this has happened with them yet I've gone through three Bank of America debit cards because they keep letting my info get compromised.

EDIT: But who the hell leaves passwords as plaintext I mean REALLY

 

[MrTroubleMaker]

damn

 

[Rebel Leader]

just saw this on the news.
Sony has to be pissed.

Meanwhile at Sony HQ

 

[ultron87]

So either Sony is lying about when they found out, or they are so incompetent that they don't even monitor their databases enough to know that a ton of information got out.

 

[XiaNaphryz]

Exactly. That's why I think they left it out. Who really knows though.

The term encrypted gets used all the time in mainstream news articles regarding other tech-related stuff involving Google, Apple, Amazon, etc. Why would they purposely not use the term simply because of the potential demographic reading the release?

 

[Igor Antunov]

PlayStation hacking scandal: police chief says contact your bank now

* 77 million customers affected
* Notification delay: breach happened April 17-19
* No law requiring companies to tell customers of breach
* Passwords, logons, email addresses exposed
* Nothing to stop hackers acquiring new credit cards

The head of the NSW Police fraud squad has warned Australian PlayStation users that they may have to cancel their credit cards after hackers stole enough information to even take out loans on the victims' behalf.

The Australian Privacy Commissioner, Timothy Pilgrim, said he was "very concerned" and would contact Sony for more information on the breach, which security researchers have said may be the largest theft of identity data on record. His office has begun an "own motion investigation" into the matter.

Read more: http://www.smh.com.au/digital-life/...ur-bank-now-20110427-1dvts.html#ixzz1Kgqdw6z2

Sony is in for a world of hurt.

 

[graywolf323]

for those that still haven't heard or haven't been reading the last several pages of the thread:

PSBLOG:


1. they got hacked, shut down PSN, and then told us.
2. they hired a security firm to investigate thoroughly.
3. the security firm found out yesterday (no time specified) that user data was compromised.
4. sony told us "this afternoon" (today) about the user data being compromised.

sony did not know the user data was compromised. they did not hide it from us "for days". i think it speaks a lot to how committed they are to seriously fixing this situation that they would focus all of their own team's energies on rebuilding the network and hire an outside security firm to handle all of the investigation duties. not to mention continually giving us updates to sit tight even though they had no news to report. they could have just been completely silent for the last 6 days while we freak out and fear the worst. i can't think of a better way they could be handling all of this right now without thinking of some smart ass comment like "give everyone a million dollars and a pony".

They may both be correct.

The internal assessment may be preliminary (Need independent confirmation). Some of the employees may also have their own assessments and assumptions as info unfolds, but it doesn't become a company position until the info is finalized and vetted.

exactly but apparently it's so much more fun to jump to conclusions and hate on Sony here ignoring the fact it's not like they are the only company this has ever happened to and on top of that have handled it a LOT better than most

You can get pissed at whoever you want, it doesn't change the fact that this is the first time this has happened with them yet I've gone through three Bank of America debit cards because they keep letting my info get compromised.

hell I've gone through at least two from Navy Federal Credit Union for the same reason

 

[Vestal]

So either Sony is lying about when they found out, or they are so incompetent that they don't even monitor their databases enough to know that a ton of information got out.

Pick your poison.

 

[RiccochetJ]

If anything good comes out of this, I wouldn't be surprised if online retailers such as Amazon are going to go over their account security with a fine tooth comb after this mess.

 

[cjtiger300]

Patrick's latest post on the blog is such bullshit. You can't claim ignorance when dealing with PII. If they were in health care, this would be a HIPAA violation and they would be screwed. They fucked up and should've been more forthright from day 1.

Wrong. Hipaa is willfully distributing info, which Sony didn't do. I'd someone breaks into your doctors office a steals your file, its not a hipaa violation.

Such crazy misinformation going around in this thread. It's fucking ridiculous.

 

[Galactic Fork]

I now regret not removing my CC information back when that supposed Anonymous announcement came out. Luckily I only use that password for PSN, but I need to get my card blocked in the morning. So inconvenient. Oh well.

In the future I shall pay more heed to random internet threats.

 

[Four_Chamber]

Just for kicks, I'm bored. I was also inspired by Duckroll

April 20th "We’re aware certain functions (um what?) of PlayStation Network are down. We will report back here as soon as we can with more information.

Thank you for your patience."
April 21st "While we are investigating the cause of the Network outage (the "off" switch had already been flipped on PSN), we wanted to alert you that it may be a full day or two (false) before we’re able to get the service completely back up and running. Thank you very much for your patience while we work to resolve this matter. Please stay tuned to this space for more details, and we’ll update you again as soon as we can."

April 22nd "An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th (but couldn't post about it on the 20th or the 21st). Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share. "

 

[XiaNaphryz]

I highly recommend this. I started using it a few weeks ago. Makes me feel so much better about my accounts.

How does it compare to free services like LastPass?

 

[Dead Man]

exactly but apparently it's so much more fun to jump to conclusions and hate on Sony here ignoring the fact it's not like they are the only company this has ever happened to and on top of that have handled it a LOT better than most

So... because it happens to other companies, it's fine? And I don't see it being handled a lot better than most, but even if I grant that, it is still far from acceptable.

 

[UberTag]

That being said, I absolutely can not wait until their E3 press conference. Will they humbly apologize, will they have Kevin Butler joke around about it, or will they get booed off stage?

Given the audience (aka a crowd full of gaming nerds), they'll kick things off with footage of Uncharted 3 and it won't even be acknowledged.

 

[Neuromancer]

Pick your poison.

I'm going with incompetent.

 

[Rebel Leader]

No one has answered my question: Should I place a fraud alert on me? Even though I have no card.

 

[Rewrite]

Saw this on the spanish news here. This is huge.