Sony Website Hacked By the "Lulz Boat"

Arisato-kun

New member
Apr 22, 2009
1,543
0
0
I don't even care if what they exposed is a major flaw. All that matters is that the people hacking Sony are dicks. Fuck them.
 

JET1971

New member
Apr 7, 2011
836
0
0
The Hackers may be dicks but they have proven time and time again that Sony has no clue on security as well as they do not take proper precautions to protect its users' personal information. I would think that the PSN hack that lost all the users' personal information should have been detected from hour 1 of the breach considering they were hit with a DDoS attack not much more than a week prior. And now this service gets hacked with 2 others between it and the PSN hack? And this one they said that users' information was in plain text to boot? That tells me the PSN hackers didn't need to deal with encrypted data.

Simple thing for a big company with millions of users to have servers dedicated to storing 1 part of it, such as CC information being on 1 server that deals with nothing but CC information and access to that server is through a program that requests CC info on customers 1 at a time. Any other requests from anything but that program gets red flagged and alarm bells start going off. All information transferred should be recorded from that server and statistics gathered, so if that server sends the web server 150-200 CC request replies per hour on Tuesdays at 6 AM and then this Tuesday there is 1000 per hour that should sound off alarm bells. And furthermore that server should only reply with the last 4 digits and the proper number of *. This way if a hacker gets in through the web servers accessing personal information requires them to hack a completely different server that only recognizes communication to the web server in 1 way only with only 1 part of the web server. Ever notice at some websites that when changing or even accessing CC info it takes a lot longer than anything else? That's because that information is stored on a different server with limited access from the web server.

My point is, Sony is not protecting personal information of its customers properly, they are taking almost no steps to ensure that another data breach will not happen and all of you Sony customers should refuse to allow Sony to store personal information. Especially CC info. Add a card and make the transaction then delete the card from your account once it cleared. If you can use a fake name and address do so. Create a free email account to use for registration/account purposes with Sony and not use your real one. If you as a Sony customer don't take those simple steps knowing Sony is shit for securing your info then you deserve it when Sony gets hacked again and it's your CC info that's out there and you just bought a brand new home entertainment setup that you didn't know you did.
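The card-server design described in the post above (one permitted caller, one lookup at a time, masked replies, an alarm when hourly volume departs from the usual figure), sketched as an added example that is not part of the original post. The caller name, the 3x alert factor and the sample data are assumptions.

```python
from collections import Counter
from datetime import datetime

ALLOWED_CALLER = "web-billing"   # hypothetical name for the one permitted client
ALERT_FACTOR = 3                 # assumed threshold: 3x the usual hourly volume


class CardVault:
    """Holds card numbers and answers one masked lookup at a time."""

    def __init__(self, cards, baseline):
        self._cards = dict(cards)     # customer_id -> full card number
        self._baseline = baseline     # (weekday, hour) -> usual replies per hour
        self._counts = Counter()      # (date, hour) -> replies sent so far
        self.alerts = []              # stand-in for a real alerting pipeline

    @staticmethod
    def mask(pan):
        # Reply with the last 4 digits and the proper number of '*'.
        return "*" * (len(pan) - 4) + pan[-4:]

    def lookup(self, caller, customer_id, when):
        if caller != ALLOWED_CALLER:
            # Anything but the one known program is refused and flagged.
            self.alerts.append(("unexpected-caller", caller, when))
            return None
        bucket = (when.date(), when.hour)
        self._counts[bucket] += 1
        usual = self._baseline.get((when.weekday(), when.hour), 0)
        # Fire once, at the moment this hour crosses the threshold.
        if self._counts[bucket] == ALERT_FACTOR * max(usual, 1) + 1:
            self.alerts.append(("volume-spike", bucket, when))
        pan = self._cards.get(customer_id)
        return self.mask(pan) if pan else None


def demo():
    # Constructed data: a standard test card number, Tuesday 06:00 baseline of 200/hour.
    vault = CardVault({"c1": "4111111111111111"}, {(1, 6): 200})
    tuesday_6am = datetime(2011, 6, 7, 6, 15)   # 7 June 2011 was a Tuesday
    first = vault.lookup(ALLOWED_CALLER, "c1", tuesday_6am)
    refused = vault.lookup("reporting-script", "c1", tuesday_6am)
    for _ in range(1000):                       # the "1000 per hour" case
        vault.lookup(ALLOWED_CALLER, "c1", tuesday_6am)
    kinds = [alert[0] for alert in vault.alerts]
    return first, refused, kinds.count("unexpected-caller"), kinds.count("volume-spike")
```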
 

Denariax

New member
Nov 3, 2010
304
0
0
Hi, I'm gonna walk in here and say "I called it", then go back into my hatecave before someone calls me a terrorist. Most likely from Fox News.
 

Sean Deli

New member
May 11, 2011
57
0
0
When "rape logic" is concerned, girl walking in the middle of the night stark naked and drunk is certainly not "asking for it". She's just as dumb as a bag of hammers. Being that dumb is not a crime punishable by rape, but it tells you something about the character.

Now, if a guy dates a girl, that considers walking in the middle of the night stark naked and drunk a "safe and non-dangerous entertainment", he IS asking for an STD. Because he dates a girl, who is as dumb as a bag of hammers.

I hope the analogy is clear, PSN-users.
 

Droppa Deuce

New member
Dec 23, 2010
154
0
0
I haven't been on the PSN since it went down.

All I care about is Deus Ex:HR, Skyrim and Batman Arkham City.

These can and will all be enjoyed offline.

The LulzBoat can sail all it wants.
 

ImprovizoR

New member
Dec 6, 2009
1,952
0
0
This didn't even happen. Congress is pushing for some laws that will censor internet and pretty much end all internet privacy in America. And what better way to do that than to make people believe it's their only choice if they want their privacy intact. So, this attack never happened, or it did happen, but hackers had nothing to do with it. I may just be a cynic. I'm not paranoid though, because I don't live in America and whatever happens there doesn't influence me at all. I'm just saying.
 

restoshammyman

New member
Jan 5, 2009
261
0
0
Jonny49 said:
Can these people display Sony's terrible security without stealing everyone's shit?
They need some sort of proof that they did hack Sony.

You can't just get up and say "I hacked you lolz"

who would believe them?
 

overfiend_87

New member
Sep 19, 2008
32
0
0
Greg Tito said:
Sony Website Hacked By the "Lulz Boat"



A new hacker collective pilfered more than a million of personal passwords, emails and dates of birth.

After threatening to hack into Sony's systems for weeks on the group's Twitter feed, a group who alternately calls themselves LulzSec and the Lulz Boat has finally made good on project "Sownage" - that's Sony + ownage in case you confused the term with planting crops. The Lulz Boat infiltrated SonyPictures.com today and allegedly stole over 1 million users' personal information with a SQL injection. The group claims that much more could have been nabbed if only they had the resources (read: money) to make it happen, prompting a request for donations. All of the personal information that LulzSec were able to steal despite meager means is now posted online, along with a press release stating their intention was merely to call out Sony's botched security measures.

"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts," LulzSec's statement read.

The attack was not made maliciously but in order to instruct the public about Sony's awful security practices. "Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed everything. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Sony apparently didn't have the wherewithal to encrypt the personal information collected on SonyPictures.com. "What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it."

I'm not sure that kind of rape-logic holds up, but LulzSec does have a point. Sony is a big company, with lots of interchangeable parts, but you think database security would be at the top of every division's to-do list right about now.

Source: LulzSecurity [http://lulzsecurity.com/releases/]

Thanks to ckeymel for the awesome-est tip in the world!

Kopikatsu said:
Ckeymel? Pfft! I posted this hours ago. [http://www.escapistmagazine.com/forums/read/18.288638-LulzSec-steals-SonyPictures-everything-Updated?page=1]

Anyway, I have absolutely zero idea of both how to hack systems, and also how to encrypt information, so I can't really side with one group or the other on this...but I default to siding with Sony, if only because in an ideal world, we should be able to leave our doors unlocked without fear of being raped and murdered in the middle of the night. Then have the corpse kicked. Over and over and over.

Anywho, I kind of doubt LulzSec's claim that they were only doing it to show vulnerability since they posted the information publicly. Sure it was needed as proof, but they compromised personal information and accounts in doing so. Wouldn't it have been better to just email Sony's CEO with the information? Not to mention LulzSec's claim of Sownage being 'The beginning of the end for Sony'
I have no idea who to side with either, but I'm more prone to agreeing with you that in a perfect world we shouldn't need locks on our doors, not to mention the amount of players that got fucked over by this and indie companies that were unable to sell their games online for that period.
 

Yuno Gasai

Queen of Yandere
Nov 6, 2010
2,587
0
0
Silva said:
So these idiots posted our personal information publicly against our will and we're supposed to be annoyed at Sony for "not making it secure enough"?

Screw that. BOTH sides are fools with their own self-interest in mind and no common good has come out of any of this.
I couldn't have said it better myself.

If the Lulz Boat wanted to make a point, they could have done it in a manner which was less malicious and that didn't pose a threat to innocent PS3 users.
 

Blackpapa

New member
May 26, 2010
299
0
0
overfiend_87 said:
I have no idea who to side with either, but I'm more prone to agreeing with you that in a perfect world we shouldn't need locks on our doors, not to mention the amount of players that got fucked over by this and indie companies that were unable to sell their games online for that period.
A world where you have nothing worth stealing is not, in my definition, perfect.

Even food is worth stealing.

Also, you gotta break a few eggs..
 

Kopikatsu

New member
May 27, 2010
4,924
0
0
Generic Gamer said:
I'm going with the 'I think LulzSec is lying' crowd. Especially considering that they've hacked Nintendo and broke through the IAA (http://www.linkedin.com/company/infragard-atlanta-members-alliance) in one afternoon with little difficulty.
 

RamirezDoEverything

New member
Jan 31, 2010
1,167
0
0
I think they're just proving a point at this point, they're putting fear into the masses.
If the common people (mom and pop, not just people like us) know about Anonymous, then they have much more power when they try to do something big.
 

AmayaOnnaOtaku

The Babe with the Power
Mar 11, 2010
990
0
0
Holy crud plus they had an affiliate of the FBI. May and the beginning of June has been a busy month for hackers and the cybersecurity people.
 

Th37thTrump3t

New member
Nov 12, 2009
882
0
0
The reason Sony keeps getting clusterboned is because these fucking hackers aren't even giving Sony a chance to recoup... Plus not only are they hurting Sony, but every one of those million accounts whose information is now publicly on display for all sorts of assholes to use.
 

Celinis

New member
Dec 22, 2010
25
0
0
2011 the year of unoriginal ideas, bad video games, and people with too much time on their hands. At this point I think Sony should just take time to go through everything and get everything secured and not bother coming online until they are inspected by several different companies around the world.
 

Blackpapa

New member
May 26, 2010
299
0
0
Kopikatsu said:
Generic Gamer said:
I'm going with the 'I think LulzSec is lying' crowd. Especially considering that they've hacked Nintendo and broke through the IAA (http://www.linkedin.com/company/infragard-atlanta-members-alliance) in one afternoon with little difficulty.
Great, I respect your opinion.

I'm curious as to at which point you believe LS is lying and what the correct version is.

If your idea is that this was more than an SQL injection I don't think it's a good argument either.

I'm not a security researcher myself but I do dabble in various things and have a strong opinion on where exactly good security lies.

First, all systems can be hacked and there's not a single system, encryption algorithm, no single way of securing data that is guaranteed to be unbreakable other than physical destruction.

Good security is when hacking a system using high-tech means is so unpractical (for example requires the attacker to have the computing power of the NSA at his disposal) that kidnapping the administrator and torturing him to unlock the system is a better, faster and safer choice.

Obviously LS did this hack using very little resources, little specialist knowledge and had little motivation. In other words the barrier for obtaining this data was set very, very low. Unreasonably low.

If you do believe that LS is lying however (meaning that they had to, for example, gain physical access to the internal company LAN to do this hack) then please explain more.
 

Raesvelg

New member
Oct 22, 2008
486
0
0
archont said:
Obviously LS did this hack using very little resources, little specialist knowledge and had little motivation. In other words the barrier for obtaining this data was set very, very low. Unreasonably low.
Why is it obvious?

Serious question by the way.

They claim to have compromised over a million accounts, but only have proof of a tiny fraction of that. They claim that the reason they don't have more is because of "financial constraints".

They also claim that the hack itself was incredibly easy, but then why have only a sample of accounts? Why say you need more money to continue the hack?

It doesn't really add up.
 

Blackpapa

New member
May 26, 2010
299
0
0
Raesvelg said:
archont said:
Obviously LS did this hack using very little resources, little specialist knowledge and had little motivation. In other words the barrier for obtaining this data was set very, very low. Unreasonably low.
Why is it obvious?

Serious question by the way.

They claim to have compromised over a million accounts, but only have proof of a tiny fraction of that. They claim that the reason they don't have more is because of "financial constraints".

They also claim that the hack itself was incredibly easy, but then why have only a sample of accounts? Why say you need more money to continue the hack?

It doesn't really add up.
Honestly I have no idea why immediate financial status was a constraint. I can't think of a reasonable explanation.

Long-term, sure, they could use the funds to grant themselves additional security from persecution. With 3k USD + monthly upkeep it's possible to design a setup that grants a very high degree of anonymity.