Sony Admits Private PSN Info Has Been Stolen - All Of It
- Thread starter Andy Chalk
- Start date
profit the 1st arc was all in k-chan's head lolpyramid head grape said:<--- she wouldn't hurt a fly ... really she wouldn't put a needle in your sandwich, hack off limbs or beat you to death with a steel pipe no she is nice and sweet ... most of the timeShadie777 said:
on topic it's Sony fault this happened. their security is or was joke to begin with and hell the dumb asses didn't even use http's or encryption software on their systems when you bough of the psn. All i have to say to the hackers that brought down the psn is this
http://youtu.be/ROPEICInVPY
Are you so stupid as not to see the connection here?Danzaivar said:
PS3's couldn't be modded to gain access that they obtained without that code.
The code was obtained.
People now could mod their consoles to trick the PSN into thinking that they had as much permission as the CEO of Sony itself.
Not hard bro.
I wouldn't say they're all evil except for maybe companies like Alcor (a facility that freezes bodies in an attempt to make them immortal), but I'm pretty sure there are companies that have stopped giving a shit about their consumers.Awexsome said:Of course. Lazy corporate bastards.Nurb said:I'm not giving up dick because some company can't do what every other damn company does and MAKE A PATCH when they discover someone found an exploit. You're a perfect example as how kids are manipulated by these lazy corporate bastards into thinking people need to give up more freedom as technology advances and finding an exploit in the company's hardware is something that needs to be punished.Awexsome said:You ever think things are better now? That they don't give people permission to do whatever they want?Nurb said:Yes. they do. It's a computer, people have a right to look into how their computers work at the code level and talk about it. If they want so much control over people's property, then they can charge less for it or lease it for 10 bucks a month.Awexsome said:
Just because people make viruses for PCs doesn't mean software engineers should be thrown in prison for figuring out and sharing how the window OS works, and you don't see car companies dragging car enthusiasts into court for cracking their car computer to tweak performance.
So yea, Sony isn't special and they're no different than any other hardware manufacturer. Deal with that. Damn kids are being brainwashed into defending some corporate bully who can't even encrypt their customer data. Not even banks let hackers get away with the entire database and they're hacked all the time.
It only pisses off a very small amount as most people get what they want from the functionality provided. You ever think that maybe the old ways were worse? Sure the people who love customization take a hit but its a small price to pay for the added security.
I'm not going to convince someone that has lived their entire life thinking that freedom is a given when given a new piece of technology but the times have changed.
Fuck that and fuck them. They can't punish people because they screw up and don't move fast enough to fix it like every other company out there. Apple doesn't prosecute jailbreakers, they just update the firmware.
Y'know they're not evil bad guys. As much as you lie to yourself they aren't actively trying to screw you over. They're trying to do what's best for everyone and the people who want stuff like you want are an extreme minority now.
I know you want to think that you're preaching one of the last hopes of a rapidly decaying videogame industry but you're not. You're just someone with another opinion.
If you were trying to run a business with unknown number of hackers always trying to be a step ahead of you and steal your products or ruin your services for their own personal gains what would you do? Keep fighting the same fight until the end of time? Because your solution isn't realistic or efficient.
If you're just going to be stubborn and only think of them as the "evil corporate bastards" then we're done here.
Neither are the fundamentals of computer data security bro.Awexsome said:
You limit the data available to any one person AS MUCH AS POSSIBLE. Hacking a PS3 should give you the access to the PSN data of the people who use that PS3 AT MOST. Nothing done on someones PS3 should allow access to PSN accounts you don't have the credentials for, to get at that you would need to do something at Sony's server farms, not the PS3's in someones house (and certainly not through one PS3). It's the absolute basic of file permissions and access in a distributed environment.
That means this attack wouldn't have been through the Geohot given PS3 hack. Even if there was somehow 'admin' access available through a PS3, security wise they would have closed it (server side) as soon as the master key was available.
What I'm trying to get at is that for you to be right, Sony (one of the biggest companies in the world, esp. in electronics) has absolutely no idea on how to manage the bare-basics of computer security.
That can't be right. That's too damn scary to be right. I really hope you aren't right.
I don't think Sony could've gotten away with taking down all of PSN as soon as the code was released. They probably tried to prepare for people having the all access code to fake being high authority, but it's not that Sony had no idea on how to manage security. Just hackers figured out how to exploit the new code faster than Sony could protect it.Danzaivar said:
Nono, to just disable the 'all access code' you would literally block any requests that tried to come in for it, and that alone would stop something like this. Could cause hell for them internally but it's not hard to do and keep PSN running. Hell they could only allow select IP addresses so sony's companies could manage it. No amount of hacking on a compromised PS3 could touch it then.Awexsome said:
This had to be done some other way. Like I keep saying, for this to come through a normal PS3 owned by some hacker is just too dumb for Sony to let happen. Computers don't work that way.
If it was as simple as just blocking any requests from the all access code they would've done it. It probably would've destroyed the PSN if they just did that.Danzaivar said:
A lot of people are wondering how Sony could be so stupid when the question probably is how was the hacker so smart with that code?
No. It IS that simple. There's all sorts of levels they could have implemented it (Do it in hardware with packet-sniffing routers that block any requests with the right code in, disable it at software level if they did a half decent job and had failsafes, etc).Awexsome said:
If you are right, Sony is unspeakably retarded. The only sane answer is this happened some other way.
I know for a fact the pro-xbox flamewar soldiers will never let this one drop for one I am a 360 player and I am very worried for my ps3 gaming bro's
Actually, dude, the most they could do was install a custom firmware that tricked the PSN into thinking they were on a developer's console, which let them download games and other DLC for free, and they already fixed that issue. Everything else you're just blowing out your ass. Apparently you missed the whole portion about how people accessing the network still need to use a username and password, which isn't governed by the console.Awexsome said:
Wow. *puts on monocle* Good show old bean! what a cleverly written piece of literature this is! someone sure knows how to turn their thesis into words! but in all seriousness, this is a very well written comment, and i can only wish that there were more like it. good job.Elmithian said:
I've only read a few pages of this discussion, but it is mind boggling how much people (here and apparently at Sony) don't know about even the basics of network security and responsibility.
While it is easy to blame the thieves. You generally will be regarded as having had it coming if you always leave even one door to your house unlocked, and this appears to have been the case with Sony. Quite simply even in the event of someone gaining illicit access to the network personal information and especially things like CC info should have remained inaccessible. After all, only watching the border or gateway between the LAN and the Internet for illicit traffic is increasingly regarded as old fashioned since security breaches can now come from either side. If a machine is compromised, you want all traffic that it could eavesdrop on encrypted, and you don't want to allow it unlimited access simply because it is administered locally. In addition some information should never appear in Sony's database, the most obvious of which is your password which should not only be hashed, but the hash should be salted. Following this your data should be encrypted using your login password (which again isn't stored by Sony) as the key. Using a hardware based key would also be nice, but I can't immediately see a way to register new hardware, without having an ability to decrypt some of your info first for verification purposes at least.
The idea that this has something to do with GeoHotz flies in the face of reason simply because to do so suggests that Sony's security efforts were beyond incompetent. Computer security depends on controlling access to the machine and network security depends on controlling access to the network. Seeing as PS3s have been sold to the general public for years means that Sony clearly isn't interested in controlling access to PS3s. Thus PSN security should have assumed from day one that all PS3s were potential entry points of attack and treated every PS3 (or PS3 lookalike) with suspicion. When you lay this at the feet of GeoHotz, then what you are saying is that Sony is so incompetent that they can't tell the difference between their ass and their face.
It is also worth pointing out that due to Sony's efforts at suppressing any security related research on their products, they created an environment where almost all vulnerabilities would be "zero day" vulnerabilities. As Schneier's Law says "Any person can invent a security system so clever that he or she can't imagine a way of breaking it," (I know someone else said it first). This is why the best security programs are the ones that can be closely examined.
tl;dr
Quite simply, the moment Sony asked to be entrusted with personal information (let alone CC numbers) they were taking responsibility for protecting it from hackers. If they were negligent, which seems to be the case, then they should suffer.
While it is easy to blame the thieves. You generally will be regarded as having had it coming if you always leave even one door to your house unlocked, and this appears to have been the case with Sony. Quite simply even in the event of someone gaining illicit access to the network personal information and especially things like CC info should have remained inaccessible. After all, only watching the border or gateway between the LAN and the Internet for illicit traffic is increasingly regarded as old fashioned since security breaches can now come from either side. If a machine is compromised, you want all traffic that it could eavesdrop on encrypted, and you don't want to allow it unlimited access simply because it is administered locally. In addition some information should never appear in Sony's database, the most obvious of which is your password which should not only be hashed, but the hash should be salted. Following this your data should be encrypted using your login password (which again isn't stored by Sony) as the key. Using a hardware based key would also be nice, but I can't immediately see a way to register new hardware, without having an ability to decrypt some of your info first for verification purposes at least.
The idea that this has something to do with GeoHotz flies in the face of reason simply because to do so suggests that Sony's security efforts were beyond incompetent. Computer security depends on controlling access to the machine and network security depends on controlling access to the network. Seeing as PS3s have been sold to the general public for years means that Sony clearly isn't interested in controlling access to PS3s. Thus PSN security should have assumed from day one that all PS3s were potential entry points of attack and treated every PS3 (or PS3 lookalike) with suspicion. When you lay this at the feet of GeoHotz, then what you are saying is that Sony is so incompetent that they can't tell the difference between their ass and their face.
It is also worth pointing out that due to Sony's efforts at suppressing any security related research on their products, they created an environment where almost all vulnerabilities would be "zero day" vulnerabilities. As Schneier's Law says "Any person can invent a security system so clever that he or she can't imagine a way of breaking it," (I know someone else said it first). This is why the best security programs are the ones that can be closely examined.
tl;dr
Quite simply, the moment Sony asked to be entrusted with personal information (let alone CC numbers) they were taking responsibility for protecting it from hackers. If they were negligent, which seems to be the case, then they should suffer.
Luckily the card I used for my PSN transactions expired recently, so my money is theoretically safe. This is still an absolutely massive cock-up on Sony's part and it's done a lot of damage to my confidence in them. I don't see myself ever buying anything on PSN again.
Oh shit. That really is a complete disaster.
I feel sorry for Sony, everyone's banging them even though it's not their fault. However admittedly only because they're my favourite electronics company, and I don't even own a PS3.
I feel sorry for Sony, everyone's banging them even though it's not their fault. However admittedly only because they're my favourite electronics company, and I don't even own a PS3.