Support NeoGAF

[HooYaH]

Wrong. Hipaa is willfully distributing info, which Sony didn't do. I'd someone breaks into your doctors office a steals your file, its not a hipaa violation.

Such crazy misinformation going around in this thread. It's fucking ridiculous.

It's GAF, every member knows everything!

 

[daffy]

Holycrap, this has been so entertaining that I haven't even noticed it's 4AM.

Time to get some sleep >.<

This happened to me in the previous thread, I lost track of time several nights because I was laughing so hard hahaa

Latenight Sonythread GAF was the best

 

[SapientWolf]

for those that still haven't heard or haven't been reading the last several pages of the thread:

PSBLOG:


1. they got hacked, shut down PSN, and then told us.
2. they hired a security firm to investigate thoroughly.
3. the security firm found out yesterday (no time specified) that user data was compromised.
4. sony told us "this afternoon" (today) about the user data being compromised.

sony did not know the user data was compromised. they did not hide it from us "for days". i think it speaks a lot to how committed they are to seriously fixing this situation that they would focus all of their own team's energies on rebuilding the network and hire an outside security firm to handle all of the investigation duties. not to mention continually giving us updates to sit tight even though they had no news to report. they could have just been completely silent for the last 6 days while we freak out and fear the worst. i can't think of a better way they could be handling all of this right now without thinking of some smart ass comment like "give everyone a million dollars and a pony".

They don't need to know. If they even suspected it they should have sent the word out so that people were aware of the risk and could take the proper precautions. Some people wouldn't do anything based on unverified suspicion but the people with their debit cards and their strong passwords in the system might not be willing to take any chances.

 

[Tron 2.0]

No one has answered my question: Should I place a fraud alert on me? Even though I have no card.

Sure.

Even if the crackers didn't get credit card numbers, they have enough information to try and open lines of credit in your name.

 

[graywolf323]

So... because it happens to other companies, it's fine? And I don't see it being handled a lot better than most, but even if I grant that, it is still far from acceptable.

just look up what happened to TJ Max

 

[NullPointer]

If anything good comes out of this, I wouldn't be surprised if online retailers such as Amazon are going to go over their account security with a fine tooth comb after this mess.

That's how I'm looking at it. I was just finishing up a new application design, but after calling my bank and getting a new card sent out I took yet another security pass over my app. Can't be too careful when billing is involved.

You can sometimes let things slide in software, but once billing is involved there is no margin for error.

 

[wwm0nkey]

So how bad do you think things are going to get for Sony after this?

 

[Zoe]

No one has answered my question: Should I place a fraud alert on me? Even though I have no card.

Pay for a credit monitoring service if you're super paranoid, but they can't really do anything to you without your social.

 

[sangreal]

No one has answered my question: Should I place a fraud alert on me? Even though I have no card.

The fraud alert is not for credit card theft, it is for identity theft since Sony gave out your name/address/email/dob/security questions. Hopefully you didn't give them your SSN

 

[Absoludacrous]

No one has answered my question: Should I place a fraud alert on me? Even though I have no card.

If you don't have a card why would you place a fraud alert?

Unless your security question is 'What's my Social Security Number?' you should be fine as long as you change your passwords.

 

[th3dude]

How does it compare to free services like LastPass?

I haven't used LastPass.

However, from what I understand, there are 2 main differences.

1. LastPass is Open Source
2. LastPass stores your account data for you in the cloud

1Password leaves it up to you, so they (and no one else) ever has access to your accounts file. They also have instructions for using DropBox (which encrypts your files) to sync your accounts database (which is encrypted by 1Password) across multiple machines.

 

[Dead Man]

just look up what happened to TJ Max

What is your point?

 

[Igor Antunov]

No one has answered my question: Should I place a fraud alert on me? Even though I have no card.

If you only used a debit card or prepaid credits then perhaps not.

 

[i3allistic]

sooo...where do i sign up for the class action law-suit

 

[Neuromancer]

So how bad do you think things are going to get for Sony after this?

Realistically once they get back up and running with new security features in place, I imagine they'll be fine.

 

[Rebel Leader]

If you don't have a card why would you place a fraud alert?

Unless your security question is 'What's my Social Security Number?' you should be fine as long as you change your passwords.

Paranoia before bed tends to do that to me.

I don't usually stay up this late.

 

[bangai-o]

Meanwhile at Sony HQ

more like http://www.youtube.com/watch?v=PmMSBn7gtiU

 

[obonicus]

And my point was: We had no reason to trust that member at the time, but since he accurately described the situation (right down to their uncertainty about whether CC was compromised or not), he deserves some credit, and conversely we grow a bit suspicious Sony's timeline.

The thing is, with this kind of rumor you have to be close to completely correct or it could be a guess. I mean, a few of us back when Sony admitted to an intrusion already were guessing correctly that this was probably related to organized crime and that there was probably going to be a serious information leak. Not because of inside information, but because that's how these things go.

As to the timeline, it's certain that Sony was suspicious about leaked user data way before they finished their investigation, and maybe they should have come clean then (I'm not sure if that would have been better or not, but then since my info was never on PSN to begin with I'm not really an affected party). But I don't think they knew with any degree of certainty until the outside party finished their investigation.

 

[borghe]

You use a different salt for every password.



Yes, that is the point of hashing passwords



Being able to email your password is a clear sign of poor security.

Typically, no you don't use a different salt. The problem with using a different salt is you then still need an associative table somewhere with the salts. It is inefficient. Thus most systems use a single salt value for the hash. if you are going to use a second associative table to begin with, you would just use a key system.

As for being able to decrypt passwords being dangerous. Umm... Yeah, I hate to point out that two way encryption is how trillions of dollars are transacted on the web everyday. It's really not that hard to keep a private key secure. Keep it off of the accessible filesystem, minimal user acces, etc. In many ways it's more secure than a one way hash based on a single salt (passwd for example) because something like passwd can still have a dictionary attack rum against it and at that point is only as safe as the weakest password on the system.

 

[Commanche Raisin Toast]

EDIT: But who the hell leaves passwords as plaintext I mean REALLY

this is speculation at this point and nothing more. it's no better or worse than me making some wild accusation like "hackers changed the file extension on their avatar image file and it granted them access to the entire network!".

for the time being the only place to really get any substantial info is the PSblog, unfortunately. the news channels are already spinning this like crazy and making shit up. same with those first couple of fake news posts about people having money taken out of their bank accounts.

 

[MalboroRed]

So he sold his $300-$400 Ps3 for like 40 bucks?

He sure showed them!

Not unless he shotgunned the box.

 

[tomei]

Has anyone been affected? I was charged with fraudulent charges with my bank check card yesterday for $69.00 x 7 to some company named labibco.com in Portugal. I am disputing it with my bank and closed my card yesterday.

Don't know if this is coincidence or not but is perfect timing with this breach of security. This check card was linked with my PSN account.

GAF should check their bank accounts closely to catch any suspicious activity.

 

[Jinfash]

They may both be correct.

The internal assessment may be preliminary (Need independent confirmation). Some of the employees may also have their own assessments and assumptions as info unfolds, but it doesn't become a company position until the info is finalized and vetted.

I imagine what a lot of people are mad about at the moment, is that they didn't give a precautionary "heads-up" earlier than today (day 6 or 7). They could then proceed to asses the situation and vet the information, after all they still don't know whether CC numbers were compromised or not, so their investigation is far from over, and the final assessment has not been officially released. So any claims that the wait was to avoid raising unnecessary concerns due to uncertainty are moot.

 

[sangreal]

If you don't have a card why would you place a fraud alert?

Unless your security question is 'What's my Social Security Number?' you should be fine as long as you change your passwords.

A fraud alert won't help you with a stolen credit card, it is to prevent the opening of new accounts in your name (identity theft). So it doesn't really matter if he had a card or not

 

[~Devil Trigger~]

Just for kicks, I'm bored. I was also inspired by Duckroll

....soooooo they kept us updated with what they knew for a fact as they got results from investigating? i dont see the outrage

SHOW ME OUTRAGE!!!!

 

[TheExecutive]

Don't for a second believe Sony didn't know within 12 hours that all of our information was likely compromised. There is no amount of incompetence that takes someone a week to figure out how deep the intrusion went. No fucking way.

 

[Data West]

I'm currently away from my home where my PS3 is and won't be back for months.

Is there anyway to remove credit card info through Sony's site(when it's up again) and turning off PSN+ renewal?

 

[Dr. Malik]

Whooooo!!!!!

I got my email

 

[FINALBOSS]

Even if the passwords were unencrypted, I guarantee that you'll be downplaying that just as fiercely as you've downplayed every other Sony-unfriendly notion in this thread.

I wish GAF still had a post search. No GAF-Gold here

God damn you have a raging hard-on for me.

 

[lupinko]

So can we just kill 'security through obscurity' now?

This.

 

[stupei]

Using a debit card is stupid (always), but you are still protected by federal law in the US if your debit card number is stolen. You have 60 days from the date you receive your statement to report any unauthorized charges. People should use those 60 days to ponder their decision not to use the superior payment method.

I've gotten money back off faulty charges to my debit card before but it took about a month. I'm sure if the account was completely emptied out that'd be a bigger deal and the process would be faster, but if it was a big purchase but not nearly the full amount it might still take a while. I hear it's less of a hassle with credit.

Oh my god, the credit card companies are the ones who hacked Sony.

 

[Zoe]

A fraud alert won't help you with a stolen credit card, it is to prevent the opening of new accounts in your name (identity theft). So it doesn't really matter if he had a card or not

They can't open accounts in his name without an SSN.

 

[Kagari]

So how bad do you think things are going to get for Sony after this?

A month or two from now most people probably won't even care.

 

[CadetMahoney]

Meanwhile at Sony HQ

hilarious.

 

[DietRob]

This is clearly CYA time for Sony. Today's message was essentially drawn up by their legal department.

Furthermore, people need to stop taking anything Sony says at face value. For the first 48 hours of this disruption they didn't even acknowledge that they'd taken the network down themselves.

The Sony story changes every day based on what they're legally obligated to share. It's the Japanese way of doing business.

On Friday, we might hear that all of our credit card information was definitely compromised instead of "some accounts" and "may have" and "we just learned 24 hours ago after our team of experts told us".

Next Monday, we might learn that all of the existing PSN accounts were wiped when PSN was rebuilt, online accounts will need to set up from scratch and existing trophy data not linked to offline profiles will not be able to be migrated over.

And next Friday, PSN might come up and we'll learn that none of our previously purchased content can be recovered. Whoops! Our bad. Our experts just found out. We were only legally obligated to tell you now.

This scenario is what worries me. It would be a catastrophic if psn accounts were wiped, purchases lost, and having to start over. That is what would be the death of Sony.

The current situation certainly isn't favorable, in fact, it's downright shameful the way it was handled but face it most people will forget about it and go right back to playing COD on the PSN.

The former WOULD be 'game over'

 

[Snipes424]

So how bad do you think things are going to get for Sony after this?

Well a similar problem happened to DSW a few years ago, they seem to be doing fine. I don't think this kind of thing hurts companies long term, but we will see I guess.

 

[Kadey]

This thing is all over the news now. LOL.

" In what could be one of the largest data breaches in history, hackers have gained access to email addresses, passwords and possibly credit card info belonging to 77 million users of Sony PlayStation’s online video game network, Reuters reported. "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," Sony wrote in a blog post Tuesday, six days after it abruptly shut down its PlayStation Network and Qriocity service without explanation. "You waited a WEEK to tell us our personal information was compromised? That should have been said last Thursday," one angry gamer responded in a blog post comment, MSNBC reported. "

 

[daffy]

sooo...where do i sign up for the class action law-suit

 

[ULTROS!]

A month or two from now most people probably won't even care.

Honestly, I think the FFXIII going to the 360 situation is more impacting.

 

[obonicus]

They could then proceed to asses the situation and vet the information, after all they still don't know whether CC numbers were compromised or not, so their investigation is far from over,

I think the investigation is over, actually. Though they don't have evidence of CCs being leaked, that doesn't mean they haven't been leaked.

and the final assessment has not been officially released,

I don't think they'd be released to us in the first place.

so any claims that wait was to avoid raising any unnecessary concerns are moot.

And I think while this isn't their final word on the subject, it's close to it, at least in terms of relating the damage done.

 

[LiK]

A month or two from now most people probably won't even care.

yep, no one remembered the Live blackout or the Gawker security breach already. this too will pass.

 

[KJTB]

I'm not sure if my CC information is saved on my PSN account... I bought Flower way back when, but otherwise I haven't bought anything. Should I be worried about some fucker using my card?

 

[Rebel Leader]

This scenario is what worries me. It would be a catastrophic if psn accounts were wiped, purchases lost, and having to start over. That is what would be the death of Sony.

The current situation certainly isn't favorable, in fact, it's downright shameful the way it was handled but face it most people will forget about it and go right back to playing COD on the PSN.

The former WOULD be 'game over'

To the bolded part: ahh HELL no

 

[Absoludacrous]

A fraud alert won't help you with a stolen credit card, it is to prevent the opening of new accounts in your name (identity theft). So it doesn't really matter if he had a card or not

Yea but the stuff they took isn't anything more than you can get through a google search, outside of emails and passwords. Unless your first pet's name is the key to identity theft, it's not worth going through that hassle over yet.

 

[cj_iwakura]

Things happen. Sony's doing the best they can. Any haters would be saying the same about their company of choice.

 

[shintoki]

yep, no one remembered the Live blackout or the Gawker security breach already. this too will pass.

You're good.

Certainly will depend on much info turns out to be leaked too.

 

[nbcjr]

reposting the timeline:

April 20th "We’re aware certain functions (um what?) of PlayStation Network are down. We will report back here as soon as we can with more information.

Thank you for your patience."
April 21st "While we are investigating the cause of the Network outage (the "off" switch had already been flipped on PSN), we wanted to alert you that it may be a full day or two (false) before we’re able to get the service completely back up and running. Thank you very much for your patience while we work to resolve this matter. Please stay tuned to this space for more details, and we’ll update you again as soon as we can."

April 22nd "An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th (but couldn't post about it on the 20th or the 21st). Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share. "

 

[DrForester]

Meanwhile at Sony HQ

 

[Cruzader]

So how bad do you think things are going to get for Sony after this?

If PS3 gets priced dropped to $200(this year), everyone will jizz.

 

[Commanche Raisin Toast]

They don't need to know. If they even suspected it they should have sent the word out so that people were aware of the risk and could take the proper precautions. Some people wouldn't do anything based on unverified suspicion but the people with their debit cards and their strong passwords in the system might not be willing to take any chances.

i disagree with this statement. i'm just personally on the side of they should keep their mouths shut until enough information has been acquired. it would only make them look worse and cause even more problems if they scared everyone about CC info and then turned out to be a false alarm.

but this isn't what a lot of people are blowing up over. they (not everyone) are blowing up specifically because they believe that sony knew about the compromised data and hid it for days before telling us. not that they suspected data compromise and didn't warn us.

that's what im talking about. and that's what i think is the most important discussion point at the moment. or at least it WAS, until sony came out and clarified as i quoted above. unless anyone has any evidence or proof that sony knew about the data compromise earlier then it's pointless to even argue.