Sony Admits Private PSN Info Has Been Stolen - All Of It

snake4769

New member
Feb 10, 2011
85
0
0
I recently used my card to buy undead redemption expansion off PSN, but didn't save the card number. Am I good, I hope? I do not wanna deal with changing my number.
 

Craig Stewart

New member
May 6, 2010
2
0
0
I am still 100% behind this attack, Sony used underhand tactics, as I'm sure all giant corporations do, to interfere with people's rights. This is an outrage. Just because private information was compromised, that doesn't mean that it was copied and sold to the highest bidder. The people behind this attack wanted to teach Sony a lesson, and I really do think that Sony will think twice before trying to fuck us over again. I'm not saying don't change your credit card info and stuff, I'm going to do that as well even though I still believe the attack wasn't aimed at us. Better safe than sorry though, right? Sony (PSN) has been brought to its knees because of this, bent over and had its bum smacked for being a naughty boy. I have faith in the people's army (Anon. or whoever the fuck did it) to do the right thing. Maybe I will eat my words, only time will tell I guess. Peace out!
 

Myoukochou

Black Butterfly
Apr 1, 2009
46
0
0
First of all, this has nothing to do with Geohotz or any other PlayStation3 custom firmware development (it does not appear that custom firmware would have been required to undertake or discover this attack).

Secondly, it does not appear to have anything to do with AnonOps (the particular Anonymous group undertaking a protest against Sony's litigation) either; this does not in any way resemble their chosen method of protest, and they have formally denied responsibility or involvement. I am familiar enough with their methods, basic as they are, to state that there is no way that they could have been responsible for this, or would have had any idea: LOIC is essentially just while true { visit website }, and that's not going to bring this kind of thing to light.

To simply state that this is the result of an external intrusion is, in my view, misleading. Sony have chosen to take the PSN system down; Sony designed it in-house in the first place. I'm not familiar with any external third-party security auditing they did of their systems, if indeed there was any until 19th April 2011 (I doubt it). Sony have chosen not to make a public statement of any particular substance until now, a decision for which they have been widely criticised. The security vulnerabilities that have come to light in the PSN system are entirely due to Sony's incompetence and negligence; whether any malicious crackers have in fact exploited them or not, they are now at least partially known.

I don't have any detailed knowledge about the specifics, but from the rumours floating around, it appears that someone discovered it was possible to download games and DLC on the PlayStation Network without paying for it, by simply changing a URL parameter of some kind (I don't know any details; in any case, it's moot now). The implication was that this was surprisingly easy; upon further investigation, the security on the PSN as a whole was found to be exceptionally poor, and the discoverer expressed surprise and disappointment about this. I do not know if, or when, the vulnerability was reported to Sony.

It appears that Sony have been logging via PSN everything you ever played on your PS3, and storing, and in some cases even transmitting, personal details - including names, addresses, passwords and even credit card numbers - in cleartext; sometimes with no encryption. Furthermore, apparently their backend servers run (or, rather, ran) a known-vulnerable version of Apache for an extended period of time. That's a level of security far below anything anyone (including international PCI DSS card-processing security standards) would expect from a retailer of any kind, let alone a major international retailer. It's irresponsible. It's negligent.

One of the basic rules in security research is this: try not to shoot the messenger. Do not blame a hacker merely for discovering that someone was incompetent; instead, fix the hole, figure out what the impact was, try to deal with the impact, and figure out why the hole occurred in the first place and deal with that.

Even now that it has come to light, we can never know if the most recent ones to discover it were the first to be aware of the issues, or if someone more malicious has been exploiting them for some time previously. The issues do appear to be so widespread and simple in nature that it is not impossible that they have been independently discovered before by parties unknown. Equally, there's every possibility that in fact, subscribers' personal information hasn't actually been stolen by any malicious crackers in particular; but Sony have had to react this way because it could have been, at any time, probably without Sony's knowledge.

I'm very disappointed in their incompetence in actually bringing live such a misdesigned system. I cannot believe that they have actually passed any industry audits, and their utter failure to communicate any details about such a massive breach with the public for so long in my opinion warrants a detailed public investigation. I doubt Sony would be comfortable with that, but only because I doubt their ability to be able to pass an audit with such scrutiny.

tl;dr: Epic fail, Sony.
 

FFMaster

New member
May 13, 2009
88
0
0
Mxrz said:
This happened because of custom firmware, and just who made custom firmware possible? Yeah, keep trying to pin it on someone else. Go on, it is working so well.

[SNIP]

Lastly, fuck the hacker idiots and their defense force.

Can you show me proof that this was done via a hacked PS3? No of course not, here's a little hint.

The two hacks are COMPLETELY independent of each other.

One is regarding the security on a console. One is regarding security of the PSN system and the Sony servers. The PS3 hackers have NOTHING to do with the PSN hack as of yet.

TBH if a hacked PS3 did get that level of access to servers hosted somewhere else then Sony have some SERIOUS issues to sort out as the security was awful to begin with, maybe they used a "random" password.
 

Mumorpuger

This is a...!
Apr 8, 2009
606
0
0
Craig Stewart said:
I am still 100% behind this attack, Sony used underhand tactics, as I'm sure all giant corporations do, to interfere with people's rights. This is an outrage. Just because private information was compromised, that doesn't mean that it was copied and sold to the highest bidder. The people behind this attack wanted to teach Sony a lesson, and I really do think that Sony will think twice before trying to fuck us over again. I'm not saying don't change your credit card info and stuff, I'm going to do that as well even though I still believe the attack wasn't aimed at us. Better safe than sorry though, right? Sony (PSN) has been brought to its knees because of this, bent over and had its bum smacked for being a naughty boy. I have faith in the people's army (Anon. or whoever the fuck did it) to do the right thing. Maybe I will eat my words, only time will tell I guess. Peace out!

Although I could agree with some aspects of your view, it's unfair that Sony's consumers should be made to suffer for their own shortcomings. Furthermore, we're not certain of the motives behind the attack. It could be that they wanted to "teach Sony a lesson," but it's also likely that whoever did it is only looking to rob them and the PSN userbase. Shamus Young from the Experienced Points articles and Stolen Pixels mentioned in his blog [http://www.shamusyoung.com/twentysidedtale/?p=11467] that his brother has already had someone try and purchase electronics using credit info stolen from this attack, so it seems as if the latter is more likely.
 

rockoffanddie

New member
Apr 8, 2009
64
0
0
there does seem to be the assumption that the hacker who did this had an easy time of it, and that sony is entirely to blame for this situation
 

fundayz

New member
Feb 22, 2010
488
0
0
rockoffanddie said:
there does seem to be the assumption that the hacker who did this had an easy time of it, and that sony is entirely to blame for this situation

Of course Sony isn't ENTIRELY to blame, the blame ultimately falls on the hacker who did it.

What people are blaming Sony for is letting it happen as well as working with a system that allows this to be possible in the first place.

We don't see other companies getting hacked and losing ALL their information very often now do we? That tells us that there was incompetence on Sony's part.

Fledge said:
Thanks Geohot you massive prick.

/facepalm

The GeoHot case has to do with the HARDWARE not the NETWORK
 

Adam28

New member
Feb 28, 2011
324
0
0
xx19kilosoldier said:
Is this a credible site?

http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/

"PSN Users Reporting Hundreds of Dollars Stolen From Them"

Doubt it, there are a lot of people claiming they are starting to experience fraud though. This could be lies or a coincidence for all we know.

Anyway, if I experience any problems, I am going to lose all trust in Sony and probably any other online service after this. I know it isn't necessarily Sony's fault they were hacked but if it is true that their security wasn't that great then I can't help but feel that they are kind of responsible.
 

Battenbergcake

New member
Oct 4, 2009
355
0
0
I honestly can't be bothered summing up how I feel about this farcical situation.
We've got the pirates who are harming the industry they love so much and the execs who are so fucked this metaphor won't describe how fucked they are.

So forget it, here's an amusing picture about how we all feel.
 

NezumiiroKitsune

New member
Mar 29, 2008
979
0
0
I get so tired of the extreme polar-opposite mentality when anything negative happens under anyone's jurisdiction by a group that is loosely affiliated with a similar group. It happens all the time in politics, governments can't get anything done because people keep shifting who is in power and plans never get seen through to the conclusion and end up being a waste of money, whereupon the new government is blamed.

This is not Geohotz's fault, it is not homebrewers' fault, this does not prove all hackers are criminals who support identity theft. That view is an extreme reaction that labels a minority for simplicity because you'd rather not understand the problem, just have a very loud opinion.

Anyway, this is irritating, quite a large failure for Sony. Whether this is indicative of weak security protocols or talented internet criminals, I don't know. Luckily, like I said previously, there isn't much information on there I haven't freely provided multiple times. Saying this, I may want to just check some of my other accounts; I use some similar passwords for things, I only have a bank of about 12 with slight differentiation for each making a total of about 48 / 60 passwords.
 

Smokej

New member
Nov 22, 2010
277
0
0
I find it very troublesome that some posters here think that some 16 year old 4chan nerds got their hands on the data and are now trying to buy themselves a ton of new flatscreen TVs.

The trading of data and personal information is a huge business with a lot of professional companies and data vendors involved, who are analysing this kind of information for new insights concerning market data, yield management, geo marketing etc.

Data theft on this level isn't a kid with some DDoS attack, there are probably some insiders at Sony who made this possible as well.
 

mariofan1000

New member
Sep 25, 2009
242
0
0
Okay. Well. I'm a PSN user, so here are my thoughts on this.

OH SHIT SHIT SHIT SHIT SHIT SHIT SHIT FUCK CHRIST OH SHIT

I have a fair amount of family members on PSN.

FUCK.
 

fundayz

New member
Feb 22, 2010
488
0
0
Smokej said:
Data theft on this level isn't a kid with some DDoS attack, there are probably some insiders at Sony who made this possible as well.

And hence the "Sony f***** up" part.
 

Battenbergcake

New member
Oct 4, 2009
355
0
0
Venereus said:
Awexsome said:
Nurb said:
Awexsome said:
Nurb said:
Awexsome said:
Nurb said:
Ha, way
Awexsome said:
Dorkmaster Flek said:
Awexsome said:
Good ol' hackers. Fighting for your consumer rights against the evil corporation that takes away your rights...

Oh wait they have been douchebags the whole time in this case. Nevermind. Fuck you Geohotz for probably causing all this by releasing that code. If not then you certainly encouraged it.
You mind explaining how a hack to run homebrew code on your PS3 enabled the entire security of the PSN to be compromised? Sony's horrendous security is at fault here, not hackers playing homebrew code.
The PSN was obviously prepared for stuff like this to happen before hence no massive issues like this yet.

It wasn't prepared to deal with hackers potentially having the end all be all code that jailbreaks the PS3.
PS3 owners deserve to treat their system like their PC without getting dragged into court
No, they don't get to. Deal with it.

Because a few bad apples spoils the bunch. A sad truth but look what happened here. Blame the people who would exploit it if Sony opened the doors to everyone, not Sony for trying to protect everyone's security.
Yes. they do. It's a computer, people have a right to look into how their computers work at the code level and talk about it. If they want so much control over people's property, then they can charge less for it or lease it for 10 bucks a month.

Just because people make viruses for PCs doesn't mean software engineers should be thrown in prison for figuring out and sharing how the Windows OS works, and you don't see car companies dragging car enthusiasts into court for cracking their car computer to tweak performance.

So yea, Sony isn't special and they're no different than any other hardware manufacturer. Deal with that. Damn kids are being brainwashed into defending some corporate bully who can't even encrypt their customer data. Not even banks let hackers get away with the entire database and they're hacked all the time.
You ever think things are better now? That they don't give people permission to do whatever they want?

It only pisses off a very small amount as most people get what they want from the functionality provided. You ever think that maybe the old ways were worse? Sure the people who love customization take a hit but it's a small price to pay for the added security.

I'm not going to convince someone that has lived their entire life thinking that freedom is a given when given a new piece of technology but the times have changed.
I'm not giving up dick because some company can't do what every other damn company does and MAKE A PATCH when they discover someone found an exploit. You're a perfect example as how kids are manipulated by these lazy corporate bastards into thinking people need to give up more freedom as technology advances and finding an exploit in the company's hardware is something that needs to be punished.

Fuck that and fuck them. They can't punish people because they screw up and don't move fast enough to fix it like every other company out there. Apple doesn't prosecute jailbreakers, they just update the firmware.
Of course. Lazy corporate bastards.

Y'know they're not evil bad guys. As much as you lie to yourself they aren't actively trying to screw you over. They're trying to do what's best for everyone and the people who want stuff like you want are an extreme minority now.

I know you want to think that you're preaching one of the last hopes of a rapidly decaying videogame industry but you're not. You're just someone with another opinion.

If you were trying to run a business with unknown number of hackers always trying to be a step ahead of you and steal your products or ruin your services for their own personal gains what would you do? Keep fighting the same fight until the end of time? Because your solution isn't realistic or efficient.

If you're just going to be stubborn and only think of them as the "evil corporate bastards" then we're done here.
Alright, spit it. How much are they paying you?

Hacker: Douchebag Thief
Company: Soulless Money Grabber

Personally I don't vouch for either side, Sony fucked up big time here and put people's financial assets on the line here. Conversely the pirates and hackers are treacherous douchebags who endanger gaming simply because things don't go their entitled way.

At the end of the day I think we can safely say there are no victories here, only varying degrees of failure.
 

kuolonen

New member
Nov 19, 2009
290
0
0
Whoah boy... Am I glad that I never did put cred info in PSN and all the personal info is FAKE.

HAHAHAHAHAHAHAHAHAHAHAAAAaaaaahhhh....

Oh sweet mother of tentacle porn. I cannot describe the satisfactory feeling of being an untrusting prick paying off. Like a blowjob from an anime character would probably be closest to truth.
 

spartandude

New member
Nov 24, 2009
2,721
0
0
Just because this also happens to other companies (on a much smaller scale btw) doesn't make Sony right, just a lot of people wrong
and also saying that they're not incompetent because no system is hack proof is like saying that PSN is just as competent as Xbox Live or Steam (which hasn't lost all of its client info)
 

K4ndY

New member
Jun 10, 2010
121
0
0
I'm suddenly happy that my credit card information has always been refused by the PSN network for obscure reasons, forcing me to buy prepaid PSN cards at WalMart to buy anything off the network. That little inconvenience just saved me a world of trouble. Sucks for everyone else though...

I hope they find the people responsible for this breach of security at Sony and give them hell to pay.
 

Pendragon9

New member
Apr 26, 2009
1,968
0
0
I hate how everyone in this thread supports the hackers.

Yes, Sony's lack of security was a cause, but WHAT THE HELL?

Come on people.

And no, don't give me a "HUR DUR IT'S WHAT THEY DO" speech. That doesn't cut it.

I hate Geohot for starting all of this.