
PSN down thread

It's not just the fact that they were compromised--it's that, by being compromised, the attacker(s) had access to so much disparate data and infrastructure. Basic network design: you separate the various areas of your network, keeping more sensitive data in more secure locations. Anything potentially facing the outside world should be locked up tight.

I'm not saying it's possible for Sony to have ever been 100% immune to this kind of breach, but given the timeline and the amount of data that was taken, it's pretty clear that once the attacker(s) got in, they had access to damn near everything. This means whatever trust system was in place was fundamentally broken.

The fact that Sony is having to completely rebuild the PSN speaks to the fact that their infrastructure was flawed beyond repair. It's unfortunate that they had to suffer an attack of this magnitude in order to get their shit together, and even more unfortunate for their customers, who no doubt trusted Sony to be responsible in the first place.
Are you aware a hacker published the keys to his hacker buddies so they could do all of this to Sony's systems? It's not like Sony built a system with the doors left wide open so anybody could do this. What happened is cyber terrorism and they are now being tracked by the FBI. How can you blame Sony for what the FBI themselves are labeling a terrorist activity? Blaming Sony without the full picture is the exact mentality the hackers have. Why would you even assume one of the top electronic corporations in the world would have poor security and question the ability of the hackers?

The relationship between the master key George Hotz released and the PSN breach is tenuous and has not been confirmed in any official capacity. There is speculation that the master key was used to sign custom firmware designed for developer-level access to PSN, which is believed to be how the breach originally started. I have not, however, seen any confirmation of this and it still remains just that--speculation.

So, let's say that Sony, by default, trusts developer PS3s to have unfettered access to PSN. This is not a great idea but not unforgivable on its own. There is still no reason--no reason whatsoever--that a developer PS3 should have access to any personally-identifiable information regarding PSN users. A minimal amount of data might make sense, such as usernames and other data to permit testing of PSN features, but credit card information? Home addresses? Email addresses? Real names? Hell no. There is no reason developers would need access to live information of that nature and Sony was reckless in not having it secured. What if someone had simply stolen a developer PS3 and figured out how to do this, or a developer with a chip on his shoulder decided to go rogue? The consequences would be the same, key or no key.

At issue is not the legality of what happened--clearly, the attacker(s) have grossly violated the law and deserve to be prosecuted to the fullest extent. This does not, however, excuse Sony's evidently inadequate and scattershot security model.

Sony's moves to save face and rebuild the network are just closing the barn door after the horses have escaped. The damage is done and I'm not convinced Sony was diligent enough in protecting its users' information. Like it or not, businesses that obtain such personal information are legally obligated to take certain measures to protect it, precisely because of instances like this.
Let's speculate further, shall we?
 
I'm not so sure that the damage hasn't already been done in terms of people leaving the PSN for XBL. I guess time will tell.

I guess I'm having a hard time wrapping my brain around how the gaming division, which we're often told by trade magazines is struggling for profit, can survive something like this. I'm not a "Sony is done" person, but I do see this having a lasting impact on Sony's gaming strategy.
 
If the PSN is hacked again soon after going back up, no doubt the PS3's comeback into the next gen race since it came out with the slim will stall and crash...

Sony execs have to be worried about getting it right.
 
Just to add fuel to the fire there's this:
http://www.strategyinformer.com/news/12206/sony-we-knew-about-psn-security-flaws

Sony chief information officer, Shinji Hasejima made an astounding and disturbing admission in the Tokyo press conference: the company was fully aware of the "vulnerabilities" in the Playstation Network.

Now I have no idea how reliable this source is, you can go to the link and judge for yourself. So far, I really haven't been that down on Sony but if THIS turns out to be true, I might be ready to join those lawsuits myself.
 
I would not be surprised if Sony knew of weakness when they built the PSN but chose not to act because of money reasons or maybe they couldn't repair them without having to bring down PSN and start from the ground up.

It would not be the first nor the last time a major corporation cut corners.
 
Just to add fuel to the fire there's this:
http://www.strategyinformer.com/news/12206/sony-we-knew-about-psn-security-flaws

Sony chief information officer, Shinji Hasejima made an astounding and disturbing admission in the Tokyo press conference: the company was fully aware of the "vulnerabilities" in the Playstation Network.
Now I have no idea how reliable this source is, you can go to the link and judge for yourself. So far, I really haven't been that down on Sony but if THIS turns out to be true, I might be ready to join those lawsuits myself.

:wtf: :eek: Wow. If true, this would actually surprise even me. This would move the issue from a simple question of incompetence to a more complex question of abject criminal neglect and fraud. I'm amused to see that they used the same word that I did in an earlier one of my posts to describe Sony's self-denial: "Hubris". Most amusing, indeed.

Honestly, I don't think I need to say anything more on this topic, as Sony is doing a far better job performing a physically impossible act on themselves than I ever possibly could. I'm now starting to feel like I'm kicking a terminally wounded animal.

To the surprise of many here, I do feel a genuine compassion and sorrow for those who have used the PSN and other products that Sony has failed to protect or deliver on. I truly hope that your PI was never used against you and, if it has (or even if it hasn't), that you take the battle to those bastards and hold them accountable. Their crimes are many and I feel that much more will come out in the discovery process of the litigation once subpoenas get sent out. I wish you the best of luck and hope for a favorable outcome.

Make them an example for others that have done the same thing and nobody knows about...yet.
 
I keep hearing conflicting reports that parts of Japan are back up, can anyone here confirm that?
 
More info:

http://www.joystiq.com/2011/05/04/sony-responds-to-congress-with-open-letter-suggests-anonymous/

In addition, the letter and post provide a timeline of the attack, including this early clue: "We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named 'Anonymous' with the words 'We are Legion.'" Despite that evidence, Sony still says it has yet to identify the "individual(s) responsible for the breach." It's unclear if that means Sony does not think the hacking organization known as Anonymous was responsible or, rather, if it hasn't managed to uncover the actual identities of Anonymous' ... err, anonymous contributors.

http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/
 
Let's speculate further, shall we?

Let's!

Dr. Gene Spafford of Purdue testified that Sony's system was weak, and that those weaknesses had been revealed on security mailing lists months before the breach. According to Spafford, key parts of Sony's PlayStation Network ran on Apache servers that "were unpatched and had no firewall installed." This was reported in a forum known to be frequented by Sony employees, he said, though no changes were made in the months leading up to the attack.

Full article
 
Let's speculate further, shall we?

Let's!

Dr. Gene Spafford of Purdue testified that Sony's system was weak, and that those weaknesses had been revealed on security mailing lists months before the breach. According to Spafford, key parts of Sony's PlayStation Network ran on Apache servers that "were unpatched and had no firewall installed." This was reported in a forum known to be frequented by Sony employees, he said, though no changes were made in the months leading up to the attack.

Full article

Yep. Just like I said, Sony was fucking negligent and they knew it.
 
As of 3:20pm mountain, they're still down. Still, they only promised limited functionality by the end of the day anyway. They still have three hours.
 
yep, when i put a game in the other day, i didn't have any problem downloading updates for the game

also it's 6:30 pm central and the network's still down
 
Patches aren't delivered through PSN, so you'll still be able to get them. I've downloaded updates for Fallout: New Vegas and Motorstorm Apocalypse while PSN has been down.
 
Dear me Sony, May 4th comes and goes...

The lack of information Sony has given out has been nothing short of pathetic, their P.R is nearly as bad as their PSN security.
 
Patches aren't delivered through PSN, so you'll still be able to get them. I've downloaded updates for Fallout: New Vegas and Motorstorm Apocalypse while PSN has been down.

Good to hear. Maybe I should connect my PS3 and get the latest FO:NV patch. Or I can just wait until the next DLC comes out in a couple weeks... *shrugs*
 