On the PSN Relaunch Announcement

StrixMaxima

New member
Sep 8, 2008
298
Sony screwed up. We know it, they know it. This is one part of the story. They should have better security layering than that.

However, I think Sony did handle the debacle quite well. And I share the feelings of the OP about each and every topic. I was sincerely hoping for a Playstation Blog message, some crappy indie games and a sad face emoticon.

To my surprise, they did exactly the opposite. They admitted to the screw-up without any garbled marketish, they gave the playerbase some great choices of games (which, of course, could be more varied, but hey), and they treated their customers as adults. I cannot stress how important the last item is for me, and for many others.

I go back with Sony to Betamax. And I'll continue to support them if they are willing to learn from their mistakes and continue to treat us as non-imbeciles.

Nice read, OP, thanks.
 

Shirokurou

New member
Mar 8, 2010
1,039
I agree with Shamus completely.
Maybe I'm too much of a good guy, but I was like "hacks happen, nothing is 100% safe", and at Sony's bow I thought "Wow, they are serious about this..."

captcha: basic saysmiti
 

Littaly

New member
Jun 26, 2008
1,810
They handled it OK. Not above expectations, not below them either. Though I'm not entirely sure of how I feel about the "free month of Playstation Plus" compensation. I know it's supposed to compensate for the downtime and not for the whole identity theft mess, but is it really appropriate to use a situation as grave as this one to push what is essentially a free trial of their paid service?
 

AzraelSteel

New member
Aug 11, 2009
40
Littaly said:
They handled it OK. Not above expectations, not below them either. Though I'm not entirely sure of how I feel about the "free month of Playstation Plus" compensation. I know it's supposed to compensate for the downtime and not for the whole identity theft mess, but is it really appropriate to use a situation as grave as this one to push what is essentially a free trial of their paid service?
Having worked at a few completely unrelated companies, I can say that it seems that companies' first response to any problem is something along the lines of, "Let's see what we can do about it, and in the meantime, here's 30 days of some extra service for free."
 

Zom-B

New member
Feb 8, 2011
379
sunami88 said:
In fact, I'm proud to say that I haven't bought anything with the name "SONY" on it since about 2006;
You're entitled to the feeling of course, but why would you feel "proud" about that? Because you're better than us poor people that have purchased Sony products? Because you've purchased products from companies with flawless track records? If you've got an Xbox 360, I'd daresay the RROD problem is not looked upon fondly by anyone.

Oh wait, you've got a Wii, right? With its robust and well-done online component, easily navigable store and endlessly retreaded franchises?

Come on, don't play off your personal opinion of Sony into some sort of superiority complex. No one, and no company, is perfect. You may not like Sony (personally I don't like Microsoft, but I was never proud of not owning any of its products), but there's nothing to be proud of there.

sunami88 said:
I don't see why they couldn't just get one team and work with them.
Exactly. You don't and can't see why they might hire three companies and not just one, so where do you get off questioning it?
 

Zom-B

New member
Feb 8, 2011
379
Pandabearparade said:
Scrustle said:
So far all I've heard is entitled brats moaning about how 2 weeks without PSN has ruined their lives.
Granted, I don't own a PS3 and don't think I ever will, but isn't PSN something they have to -pay- for? If so, it's a service that they -literally- are entitled to, so they have a right to behave accordingly. The same would apply if their cable went out for two weeks: that's a service they paid for and they have a right to demand quality.

Of course, this argument is nulled if the PSN is a free service, I'm too lazy to check.
You know, it would have been way quicker to google whether or not the PSN is free, than it was to type out that mindless comment.

For the record, basic PSN access is free. PSN+ is a paid service.
 

Lorechaser

New member
Aug 28, 2004
80
Sovereignty said:
unwesen said:
Thank you. Mainly your last part is something I'm glad others have taken note of.

No one seems to realize that this "breach" has seriously put people who used a universal password for their online accounts at serious risk.
Let's be clear here, though - people who use a universal password for their online accounts have been seriously at risk from the moment they started doing that. Sony exposed that password, but they were waiting for the doom to come down upon them. And I suspect that their password has already been compromised at least a few times - hell, the most sophisticated scams I've seen involve people putting up sites that advertise a legit product (or, cleverer still, a potential product that's desirable), asking people to create an account, and then just running the site while their friends use the user/pass combo everywhere they can think of.

*That's* nasty.

Doesn't excuse Sony in the slightest, to be sure.
 

Firehound

is a trap!
Nov 22, 2010
352
unwesen said:
Around the three minute mark he did point out the hackers are always hacking things, like they do, but he didn't repeat the meme I've been hearing lately that "no network can ever be secure".
Not so much a meme as a simple truth. It's also true that networks can usually be secured just enough for the requirements of the use case.

Good solution to the PSN password problem.
Debatable.

One group of people had (or might have) the password for everyone else.
This. This should never have happened. It's a n00b mistake to store plaintext passwords; any half-witted security engineer will tell you not to do it. That Sony has somehow done it is unforgivable, in terms of trusting their security solutions.

From their standpoint, how could you ever be sure of anyone's credentials ever again?
They can't. They never could. You can sign up to PSN without any meaningful proof of who you are, so that hasn't actually changed much.

I'm not a security expert, ...
indeed.

... but I think their solution to the password problem is a good one.
It isn't, though.

You have to change your password when you log in again. You can only do so from the machine you've been using.
You think. Sony wants. It's a password-based authentication system, and the authenticity of the person trying to change the password is "proven" based on their old password.

The "machine" part can be faked. It'll take a bit to find out how to fake it; you'd better change your password before someone does that.

This means a hacker with the full list of passwords can't log in and pretend to be any of those people, even though he's got their login.
And that is not the problem. The problem is that most people re-use the same password (or almost the same password) over and over again. I doubt the PSN hackers cared about hacking PSN; I'm fairly sure they cared about obtaining email addresses, user names and passwords. Now they can use that to pay with your paypal account, read your email, harvest more information from your facebook account, etc. That's where the value of having stolen passwords lies.

Having said all the above, I don't think Sony responded particularly badly. They did what you need to do: shut down (ignore the cost of that), and hire someone who knows what they're doing to perform an audit. Engineer a solution for people to regain control over their account. Apologize.

But the damage is already done, and because of a painfully silly oversight. That doesn't really make me feel warm and fuzzy inside about whatever they've replaced their system with.
This.

I'd rather Sony said something along the lines of 'well, at least it'll take them an average of a million years to figure out what they stole, guys. So change your passwords before then, eh? Ha!'

Seriously? Plaintext? Really, Sony? REALLY?
 

Pandabearparade

New member
Mar 23, 2011
962
Zom-B said:
You know, it would have been way quicker to google whether or not the PSN is free, than it was to type out that mindless comment.
*shrug* I added a caveat in case I was wrong (which I was), but I was reasonably sure that PSN was a charged feature, like xbox live. Regardless, no need for hostility.
 

unwesen

New member
May 16, 2009
91
Firehound said:
This.

I'd rather Sony said something along the lines of 'well, at least it'll take them an average of a million years to figure out what they stole, guys. So change your passwords before then, eh? Ha!'

Seriously? Plaintext? Really, Sony? REALLY?
As was pointed out to me, Sony *did* issue a statement that the passwords were not stored in plaintext, but as hashes. Unfortunately, the statement did not include whether or not the hashes were salted.

A bit of an aside for the non-crypto-geeks about hashes and salting:

Hashing means transforming plaintext (like your password) into some other bytes. Given the same plaintext and the same hashing algorithm, the result will always be the same. That means that websites (or PSN) don't have to store your plaintext password to know whether the password you entered is correct: they store the hash, compute the hash of what you've entered, and if the two are the same then you got the password right.

Cryptographic hashes have another important property: they look random, which means a tiny change in the plaintext will lead to massively different hashes. That makes them fairly secure for storing passwords, as it's next to impossible to guess what the plaintext password was by looking at the hash.

But attackers can work around that with something called a rainbow table. That's just a big table of plaintext and hashes computed from that plaintext. Just like the server doesn't need to know the plaintext if it knows the hash, neither does the attacker. If they see a hash, and look that hash up in a rainbow table, they can find the plaintext password.

So it's best to "salt" hashes: for that, you concatenate the password with some random gibberish called a salt, e.g. "s3kr1t" + "shfkusg", and compute the hash over that. Then you store the resulting value and the random salt.

When a legitimate user enters a password, you can still compute the hash, as you know the salt, and make the same check as before. But when someone tries to compare your hash against a rainbow table, they will fail, because it's infeasible for them to try all possible salts. Even if they *did* know the salt, computing a hash with all possible passwords for that salt would take ages.

My problem with Sony is now a bit different: given that they spoke about passwords being stolen, I must assume one of two things:
a) They did not, in fact, communicate well. If salted hashes of passwords were stolen, that's not too bad a problem.
b) The hashes were unsalted, and therefore the theft of those hashes is akin to stealing password, and they communicated well. But they still failed at basic cryptography.

Would love to know which it is.
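An added worked example (editor's code, not part of unwesen's post and not anything Sony published) of the difference the post describes: a database of unsalted hashes falls to a single precomputed lookup, while salted records force the attacker to re-hash every guess for every user. The user list and the "common passwords" dictionary are constructed sample data; the precomputed dict stands in for a rainbow table (a real one compresses the same mapping with hash chains). One caveat the post glosses over: a salt only defeats precomputation, and with a fast hash like SHA-256 a weak password is still guessed per user in microseconds, so the salted variant here uses PBKDF2-HMAC-SHA256 from Python's hashlib with an iteration count to make each remaining guess slow. That iteration count is standard practice, not something the post mentions.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not from the page or from Sony).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "s3kr1t", "letmein"]
USERS = {"alice": "s3kr1t", "bob": "password", "carol": "Tr0ub4dor&3-but-longer"}


def hash_unsalted(password: str) -> str:
    """The weak scheme: one fast hash of the bare password. Same password, same hash, for everyone."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Attacker side: precompute hash -> plaintext once and reuse it against every stolen
    database. A real rainbow table compresses this with hash chains; the effect is the same."""
    return {hash_unsalted(p): p for p in candidates}


def hash_salted(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The salt kills precomputation;
    the iteration count makes each remaining guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Server side: a fresh random salt per user, stored next to the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": hash_salted(password, salt, iterations)}


def verify(record: dict, attempt: str) -> bool:
    """Login check; constant-time compare so the comparison itself leaks nothing."""
    candidate = hash_salted(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(records: dict, candidates) -> tuple:
    """Attacker side against salted records: every candidate must be re-hashed per user with
    that user's salt. Returns what was recovered and how many hash computations it cost."""
    recovered, work = {}, 0
    for user, rec in records.items():
        for p in candidates:
            work += 1
            if hmac.compare_digest(hash_salted(p, rec["salt"], rec["iterations"]), rec["hash"]):
                recovered[user] = p
                break
    return recovered, work


def demo(iterations: int = 100_000) -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)

    # 1. Unsalted database leaks: one table lookup per user, no hashing at all.
    stolen_unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    unsalted_hits = {u: table[h] for u, h in stolen_unsalted.items() if h in table}

    # 2. Salted database leaks: the same precomputed table finds nothing ...
    stolen_salted = {u: make_record(p, iterations) for u, p in USERS.items()}
    table_hits_on_salted = {
        u: table[r["hash"].hex()] for u, r in stolen_salted.items() if r["hash"].hex() in table
    }

    # ... but a weak password is still guessable, at one expensive hash per (user, guess).
    salted_hits, work = crack_salted(stolen_salted, COMMON_PASSWORDS)

    return {
        "unsalted_hits": unsalted_hits,
        "table_hits_on_salted": table_hits_on_salted,
        "salted_hits": salted_hits,
        "work": work,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows alice and bob recovered from the unsalted dump by pure lookup, nothing recovered from the salted dump by lookup, and alice and bob recovered again from the salted dump only by paying one PBKDF2 computation per (user, guess) pair; carol's password is not in the dictionary and survives both. The lesson for the thread's question is that "hashed, not plaintext" tells you little on its own: what matters is whether the hashes were salted and how slow the hash was.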
 

Zom-B

New member
Feb 8, 2011
379
Pandabearparade said:
Zom-B said:
You know, it would have been way quicker to google whether or not the PSN is free, than it was to type out that mindless comment.
*shrug* I added a caveat in case I was wrong (which I was), but I was reasonably sure that PSN was a charged feature, like xbox live. Regardless, no need for hostility.
So... reasonably sure, yet dead wrong, but at the same time too lazy to use the very device you typed your comments out on to verify. And people are worried about the future of the world! With guys like you around, we've got no problems!
 

Pandabearparade

New member
Mar 23, 2011
962
Zom-B said:
So... reasonably sure, yet dead wrong, but at the same time too lazy to use the very device you typed your comments out on to verify. And people are worried about the future of the world! With guys like you around, we've got no problems!
I conceded that I was dead wrong. I'm not sure why you're so deeply hurt over it.
 

kaieth

New member
Mar 16, 2010
68
So they apologized in a decent way, big deal. The problem isn't their apology, it's that they were so negligent about the personal information they collected from people. They had a duty to protect it, did it half-assed, and now they should be punished for their disregard for their consumers.

Their apology doesn't mean shit.