PSN down thread

[Robert Maxwell]

I would love to see a full accounting of just how their security was compromised. A well-designed network should have never permitted this level of intrusion. I'm glad Sony is working to address the problems but there should be hell to pay for their utter lack of due diligence.

 

[exodus]

I would love to see a full accounting of just how their security was compromised. A well-designed network should have never permitted this level of intrusion.

Then you underestimate a hacker.
These are the same guys that hacked into some of the top corporations, Amazon included. A good hacker can find a backdoor into any system no matter how well designed it is.

To quote Joe Sisko: "There isn't a test created a smart man can't figure out."

 

[137th Gebirg]

That, plus, hackers also tend to have some kind of politically motivated agenda and a desire to prove a point, and/or earn respect and prestige among their peers - one reason that Microsoft was such a high-value target for hackers and virus programmers for decades. They were the one true "Great Satan" that everyone wanted a piece of. The field has gotten a lot more target-rich in recent years and they're spreading out.

 

[Robert Maxwell]

I would love to see a full accounting of just how their security was compromised. A well-designed network should have never permitted this level of intrusion.

Then you underestimate a hacker.
These are the same guys that hacked into some of the top corporations, Amazon included. A good hacker can find a backdoor into any system no matter how well designed it is.

To quote Joe Sisko: "There isn't a test created a smart man can't figure out."

It's not just the fact that they were compromised--it's that, by being compromised, the attacker(s) had access to so much disparate data and infrastructure. Basic network design: you separate the various areas of your network, keeping more sensitive data in more secure locations. Anything potentially facing the outside world should be locked up tight.

I'm not saying it's possible for Sony to have ever been 100% immune to this kind of breach, but given the timeline and the amount of data that was taken, it's pretty clear that once the attacker(s) got in, they had access to damn near everything. This means whatever trust system was in place was fundamentally broken.

The fact that Sony is having to completely rebuild the PSN speaks to the fact that their infrastructure was flawed beyond repair. It's unfortunate that they had to suffer an attack of this magnitude in order to get their shit together, and even more unfortunate for their customers, who no doubt trusted Sony to be responsible in the first place.

 

[exodus]

I would love to see a full accounting of just how their security was compromised. A well-designed network should have never permitted this level of intrusion.

Then you underestimate a hacker.
These are the same guys that hacked into some of the top corporations, Amazon included. A good hacker can find a backdoor into any system no matter how well designed it is.

To quote Joe Sisko: "There isn't a test created a smart man can't figure out."

It's not just the fact that they were compromised--it's that, by being compromised, the attacker(s) had access to so much disparate data and infrastructure. Basic network design: you separate the various areas of your network, keeping more sensitive data in more secure locations. Anything potentially facing the outside world should be locked up tight.

I'm not saying it's possible for Sony to have ever been 100% immune to this kind of breach, but given the timeline and the amount of data that was taken, it's pretty clear that once the attacker(s) got in, they had access to damn near everything. This means whatever trust system was in place was fundamentally broken.

The fact that Sony is having to completely rebuild the PSN speaks to the fact that their infrastructure was flawed beyond repair. It's unfortunate that they had to suffer an attack of this magnitude in order to get their shit together, and even more unfortunate for their customers, who no doubt trusted Sony to be responsible in the first place.

Are you aware a hacker published the keys to his hacker buddies so they could do all of this to Sony's systems? It's not like Sony built a system with the doors left wide open so anybody could do this. What happened is cyber terrorism and are now being tracked by the FBI. How can you blame Sony for what the FBI themselves are labeling a terrorist activity? Blaming Sony without the full picture is the exact mentality the hackers have. Why would you even assume one of the top electronic corporations in the world would have poor security and not once question the ability of the hackers? Hackers have gotten into the systems of even the IRS. If they can hack a government system, do you think Sony is a challenge for that type of person?

 

[Robert Maxwell]

Then you underestimate a hacker.
These are the same guys that hacked into some of the top corporations, Amazon included. A good hacker can find a backdoor into any system no matter how well designed it is.

To quote Joe Sisko: "There isn't a test created a smart man can't figure out."

It's not just the fact that they were compromised--it's that, by being compromised, the attacker(s) had access to so much disparate data and infrastructure. Basic network design: you separate the various areas of your network, keeping more sensitive data in more secure locations. Anything potentially facing the outside world should be locked up tight.

I'm not saying it's possible for Sony to have ever been 100% immune to this kind of breach, but given the timeline and the amount of data that was taken, it's pretty clear that once the attacker(s) got in, they had access to damn near everything. This means whatever trust system was in place was fundamentally broken.

The fact that Sony is having to completely rebuild the PSN speaks to the fact that their infrastructure was flawed beyond repair. It's unfortunate that they had to suffer an attack of this magnitude in order to get their shit together, and even more unfortunate for their customers, who no doubt trusted Sony to be responsible in the first place.

Are you aware a hacker published the keys to his hacker buddies so they could do all of this to Sony's systems? It's not like Sony built a system with the doors left wide open so anybody could do this. What happened is cyber terrorism and are now being tracked by the FBI. How can you blame Sony for what the FBI themselves are labeling a terrorist activity? Blaming Sony without the full picture is the exact mentality the hackers have. Why would you even assume one of the top electronic corporations in the world would have poor security and question the ability of the hackers?

The relationship between the master key George Hotz released and the PSN breach is tenuous and has not been confirmed in any official capacity. There is speculation that the the master key was used to sign custom firmware designed for developer-level access to PSN, which is believed to be how the breach originally started. I have not, however, seen any confirmation of this and it still remains just that--speculation.

So, let's say that Sony, by default, trusts developer PS3s to have unfettered access to PSN. This is not a great idea but not unforgivable on its own. There is still no reason--no reason whatsoever--that a developer PS3 should have access to any personally-identifiable information regarding PSN users. A minimal amount of data might make sense, such as usernames and other data to permit testing of PSN features, but credit card information? Home addresses? Email addresses? Real names? Hell no. There is no reason developers would need access to live information of that nature and Sony was reckless in not having it secured. What if someone had simply stolen a developer PS3 and figured out how to do this, or a developer with a chip on his shoulder decided to go rogue? The consequences would be the same, key or no key.

At issue is not the legality of what happened--clearly, the attacker(s) have grossly violated the law and deserve to be prosecuted to the fullest extent. This does not, however, excuse Sony's evidently inadequate and scattershot security model.

Sony's moves to save face and rebuild the network are just closing the barn door after the horses have escaped. The damage is done and I'm not convinced Sony was diligent enough in protecting its users' information. Like it or not, businesses that obtain such personal information are legally obligated to take certain measures to protect it, precisely because of instances like this.

 

[Owain Taggart]

Man, looks like this year keeps getting worse and worse for Sony. If anything, this should serve as a huge wakeup call for them and anyone who thinks their security is good enough. You can bet that Sony isn't the only ones auditing their security at this moment, including MS and their X-Box Live.

Now, this makes me wonder if the same group that compromised PSN is responsible for SOE as well. If it isn't, then it's surely a group that has attempted to kick them when they're down, not to mention that they've likely been vulnerable already due to the earthquake. I'd be sweating profusely if I were Sony right now. Bucket loads... If I were them, I'd likely sell off the SOE division.

Btw, I think the SOE breach should have its own thread, as many who do have an SOE account and don't know about this wouldn't necessarily have a PS3 or PSN and wouldn't venture in here. Feels like seperate info to me.

 

[137th Gebirg]

Like I said before, Sony's arrogance and incompetence led them down this path. I honestly don't know why people are still surprised that this nonsense continues.

 

[Owain Taggart]

Like I said before, Sony's arrogance and incompetence led them down this path. I honestly don't know why people are still surprised that this nonsense continues.

Regardless of Sony's skill in this, this kind of thing could have easily happened to anyone else. If there'd been dedicated people angry at MS and X-Box Live for instance, XBL could have had the same thing happen to them. When you have dedicated people, they find ways to get past the systems you have in place. It's all about persistence on the part of the hackers and being caught unaware by methods used to gain entry.

 

[Geckothan]

I heard somewhere that they used HTTP GET for logins and credit cards and possibly even sent them as plaintext. Apparently they were running some embarrassingly out-of-date copies of some packages as well. That's pretty bad.

 

[137th Gebirg]

Like I said before, Sony's arrogance and incompetence led them down this path. I honestly don't know why people are still surprised that this nonsense continues.

Regardless of Sony's skill in this, this kind of thing could have easily happened to anyone else. If there'd been dedicated people angry at MS and X-Box Live for instance, XBL could have had the same thing happen to them. When you have dedicated people, they find ways to get past the systems you have in place. It's all about persistence on the part of the hackers and being caught unaware by methods used to gain entry.

And yet, again and again, they continue to prove all my points with aplomb.

I heard somewhere that they used HTTP GET for logins and credit cards and possibly even sent them as plaintext. Apparently they were running some embarrassingly out-of-date copies of some packages as well. That's pretty bad.

And again.

 

[Robert Maxwell]

I heard the HTTP GET thing, too, and I really, really hope it's not true. I'll accept that Sony is fairly incompetent, as large corporations often are, but to be that utterly brain-damaged just defies belief.

 

[Vance]

Like I said before, Sony's arrogance and incompetence led them down this path. I honestly don't know why people are still surprised that this nonsense continues.

You mean like Apple with the two similar breaches with the iPhone and now iPad? Or Microsoft with the original XBox Live? Or AOL, or any one of a few hundred entities over the past twenty years.

Sorry, Gebirg, you know I love you, but what you're doing here is blaming the owner of the car for it getting stolen and say "Serves you right for not having bullet-proof glass on your windows". The fact is that PSN was secure for several years before it was finally hit in a big way, and even then the hack happened after a round of layoffs which impacted the division. I don't think that's a coincidence.

So yes, today I did indeed cancel my cards and ordered replacements just in case. That's just being prudent on my part. It took me about six minutes on the phone to get that done, and two of them just explaining why I was doing it. Big deal.

Sony got victimized here. Just because they're a scary "big corporation" doesn't mean that they're at fault. Why not blame the fucktard hackers and identity thieves who performed this act of cyber-terrorism in the first place?

 

[Vance]

I heard somewhere that they used HTTP GET for logins and credit cards and possibly even sent them as plaintext. Apparently they were running some embarrassingly out-of-date copies of some packages as well. That's pretty bad.

I can say with %100 certainty that whoever fed you that line of shit had pulled it from his or her own ass.

 

[Jax]

PSN is due to go back up today BUT take anything from Sony though with a huge gulp of salt

 

[sikkbones]

id like to thank the hackers for effictively bricking my psp go... i can see sony no longer looking at a downlooad model for games and i wonder how much longer they may support the damn thing.

 

[gh4chiefs]

Good question. Me and co-worker have kind been debating that very thing, or more precisely online gaming in general. Does anybody know the statistics of how many gamers play online as a percentage of all gamers? I know it wasn't very long ago it was still overwhelmingly a "single player" world, but I'm guessing that's changed drastically by now.

The reason I'm asking, my friend and I have debated whether or not there would be any market share for Sony of they said "F the PSN" and just went to single player model? I honestly don't know, just thinking out loud.

 

[Jax]

Online brings in a ton of revenue due to PSN+, Arcade Games, PS1/2 titles for download and DLC's so no way Sony would want to go PSN-Lite. What I find stupid is all this talk of going pure digital, which the studio Remedy re opened by saying they can't wait to get rid of discs

There are millions who don't play online and are not even connecting online with their consoles so you would cut out all those customers. Also internet speeds are not as quick in Asia in other parts of the world so imagine having to download all your games and remember games are getting bigger and bigger...

Not too mention all the jobs that would be cut at stores.

 

[gh4chiefs]

Online brings in a ton of revenue due to PSN+, Arcade Games, PS1/2 titles for download and DLC's so no way Sony would want to go PSN-Lite.

A lot of that revenue is being wiped out though with the expense of rebuilding the PSN, plus they're going to spend untold millions defending and possibly losing the onslaught of lawsuits that are coming.

I'm just opining that somebody at Sony might be asking the question "Is it really worth it?"

 

[Jax]

Sony would lose a lot of gamers to the 360 if they got rid of online, there are millions of people who want to play online a lot. Sony has MMO's through SoE so that would face problems with no PSN.