The dearth of details from Sony about a criminal intrusion into its PlayStation Network is fomenting plenty of speculation about the methods and motives behind the attackers, and some of it isn't pretty. The most dire scenario is that attackers gained, or tried to gain, control of the part of Sony's network that issues updates …
Sony loathes its customers
Boy am I glad I gave my Xbox 360 away to family and bought a PS3. Nine days without being able to play online (including being totally unable to play the online-only game MAG) is a small price to pay for Sony thinking of new ways to punish and monetize me for leasing their PS3 from them. What a fail. Guess it explains why Sony can't even push more hardware than the crap, me-too home of the Zune and Kin, M$. This is what happens when your CEO comes from the media content side, where making drivel for sheep is in the job description.
Too right. I only found out yesterday from Sony that my details had been stolen. Of course, I knew a week ago through third parties.
I only ever bought one or two "classics", non-Sony games. Glad I've put CFW on my PSP; no chance I'll ever buy another Sony product, let alone a game for their consoles.
Yeah you're a hero for pirating games. We salute your moral stand.
Custom firmware doesn't mean you pirate games, you knuckle-dragging imbecile.
No, not necessarily...
...but usually, or at the least, very often.
The name-calling didn't legitimise your argument much either.
9-day outage speaks for itself
It sounds to me as if Sony don't yet have a clue how far this hack goes. The fact they haven't published a timetable for getting their network back online also suggests they don't yet know what they need to do to fix the problem.
This doesn't make the very heavy handed approach they took to the geohot disclosure look very sensible from a business point of view. Instead of using contemptible and discredited corporate-purchased law (DMCA) which attempts to override basic US first amendment constitutional rights in trying to gag him, they should have offered him a contract offering fair recompense for the application of his undoubted knowledge and skills to help them to sort out the mess they were clearly in yet didn't seem to understand they were in.
Sony appear to have made some very knowledgeable and determined enemies with the approach they have taken and now it's payback time. Sony had this coming to them and they deserve all they are going to get.
Hopefully anyone else thinking of using the DMCA to try to shortcut proper security at the expense of users' fundamental rights will be made to think again concerning what this approach is likely to cost them.
I hear where you're coming from
Sony are certainly not lovable and, while I can sympathize with the temptation to see this as an act of nemesis, it seems likely that for all the bad press, lawsuits, and loss of revenue, the individual users who've had their CCNs and personal details compromised are probably going to be screwed by this much more than Sony. The downside to Sony will be loss of profit, reduction in share price, and some heads rolling. By contrast, the bystanders who just wanted to play games will likely go through hell with identity theft, having their credit cards and potentially bank accounts frozen, troubles paying rent, etc.
As much as Sony have acted like playground bullies, I don't think we should be celebrating their antagonists as heroes.
Chat LOGS on IRC are news now?
El-Reg sinks to a new low. What next? Man down the pub said?????
Whatever happened to reporting factual news? Even the BBC are struggling with that one, just copy and pasting what they read elsewhere.
Bad = Allowing untrusted devices on your production network
I control the devices on my core network. Appliances like PS2, PS3, WII, Cell Phones, all run in a 2nd separate network. This removes most of the pain, windows still remains though :(
That's pretty damn scary! The possibilities with that amount of access are endless. If the hacker purely had a problem with Sony then they could potentially load a corrupted firmware and just brick every PS3 out there - that'd probably be enough to bankrupt Sony what with lawsuits and replacing almost every single console etc.
If the hacker had grander plans and wanted maybe to take a country out, then with the processing power of that many PS3s that'd be pretty easy as well.
I for one welcome our PS3 botnet overlords etc.
Popcorn icon needed.
All your consoles are belong to us
I question the "official" explanation as a potential PS3 botnet, as this is obviously Skynet attempting to control the PS3 network as part of its plans for world domination.
AC because you just never know...
@AC because you just never know...
we know who you are
That's what it feels like to get shafted with a rootkit.
Re: Hi Sony
Re: Re: Hi Sony
Welp, stocks down at least 8% since this happened, I think Sony might just wake up, fire most of their upper-management and start again.
If I were Sony, I'd be a little ... startled...
They've stirred up a hornet's nest the likes of which probably hasn't been seen before...
(oh wait.. maybe not... HBGary)....
Just did a quick google and found this page:
What is this "The Month of May will bring Sony Dismay" they speak of? Did they hack PSN?
I suspect we will never know.
I only hope that whomever hacked Sony will respect Joe Q Public and not misuse any information they have gleaned to defraud them.
Just thinking aloud.
The most responsible thing these hackers could do (which I suspect would still *REALLY* hurt Sony) is to inform the credit card companies that they actually own the numbers, and let them know which numbers are compromised to confirm this. This possibly may protect those at risk.
reformat hard drive
and start again with a fresh copy of the OS.
If these people were just to use 6 Cell SPEs per PS3 (as is/was normal for clustered PS3s with OtherOS, and there's a lot of information and software for it available almost off the shelf), they would get around 6 * 25.6 GigaFLOPS per console. Assuming one is able to push the code to 10 million PS3s (out of 77 million), one gets 10000000 * 6 * 25.6 GigaFLOPS, which is 1.536 exaflops.
That is around 500 times more than the total processing power of all top 500 supercomputers in the world (see http://www.top500.org/stats/list/35/procclass ).
Even if IO reduced the overall effectiveness to just 1% of that, these guys would still be holding the strongest supercomputer on Earth.
If they manage to control it for some time, they can definitely break RSA-1024, very very likely RSA-2048, possibly RSA-3072 and maybe even longer. Hmmm... Could the guy that hacked Comodo be behind this? He made breaking PKI sort of a crusade for himself...
I'm too lazy to look it up, but
There was an article (either here or on /.) describing a US Military cluster of PS2/3 consoles. Maybe this was them trying to increase their performance by a factor of a googol.
Fucking scary, but the real question is: Will it play Crysis???
Ok I don't know...
Let us assume your superduper computer figures are correct; going forward the PS4 etc. will have at least 4x the power of the PS3 & the internet will be an IPv6-based gigabit-to-the-home wonderland.
Further, all encryption must decrypt, as that is the point (send it thru unknown pipes in a safe fashion), but given enough CPU all encryption must fail, even quantum, because at some point you need to decrypt the bloody thing.
At the moment I can only see a usage model as supplying the nes. security; just as with limiting emails from one mailbox by what one human could reasonably send, we now need "electronic money" that weighs too much for you to carry that much around and spend.
But if the market needs to be regulated like that then QED capitalism must fail, for it can only exist in a market with no regulations, e.g. cocaine.
If every transaction must ultimately backtrack to some central point to verify the plausibility that someone somewhere might want to d/l a game in Poland and buy a tank of petrol in Peru (at the same time, keep up), that would mean a level of surveillance which would exclude any and all newcomers, thus creating a closed market almost as it were "too big to start".
I ask you, is there any evidence, any at all, that the world would stand back whilst a few rich and powerful people would control all trade like this? Is there?
Back in the PS/2 days [AD2000] ....
It was rumored that Saddam was buying PS/2 in order to [insert preferred Mwahahaha action here]
There was as much truth to this as Iraqis throwing Kuwaiti babies out of incubators, Serbs ultrakilling Kosovars or the more recent Gaddafi handing out Viagra to enable Gang Rape Horror stories -- but at least it was funny.
That plan is called the NWO
We may not be standing back whilst this happens but they are doing it anyway. I expect it will fail, as with cloud computing. As soon as you centralize too much then your system becomes vulnerable. The level of control Microsoft has via Windows Updates is cause for concern, except there are plenty of people who can rebuild a Windows computer when it's screwed. The PS3 is deliberately made hard to hack.
The success of the Internet is that it is P2P with millions of possible centres. Millions of people able to do their own thing. Soon after you become the monopoly you stifle development, then you die and the people do their own thing.
If the botnet herders were to introduce a virus that instead of killing the PS3 introduced some bugfixes and performance improvements then who would realize it was there? If they only draw a small percentage of the CPU power then no one would be seeking to remove the intrusion.
What's to say they have not already succeeded in this?
"They could lose control of their whole PS3 network."
A figure of speech? Or do Sony really treat all the connected PS3s as parts of their own network? One hell of a target, if so.
They probably do, you know.
After all, they treated your home PC as their own and installed additional software into the deepest guts of your operating system without consent.
An old fashioned theft?
Sony have said:
"There was an external intrusion"
"We are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway."
Maybe someone physically walked in the data centre and just took it? If not why move centres, and say that it is one of "several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data"?
They've got problems finding appropriately skilled people after the geohot incident?
The Ideal Solution
Some flaws in Sony's methodology for securing the PS3 were disclosed at the same time the vulnerability was disclosed.
There may be other ones. Ideally, Sony would come up with a security patch for the PS3 that would not only close those vulnerabilities, but also re-open the ability to run Linux on a PS3. That would earn Sony renewed respect and applause, but it would take the wind out of any sympathy there might be in some quarters for these hackers - as well as helping to ensure that anyone seeking to overcome PS3 security in the future wouldn't get unintended help from legitimate quarters of the hacking community.
See, Linux ITSELF proved to be a vulnerability. Or rather, the ability to run unvetted user-level code proved to be a vulnerability. GeoHotz's earliest work on hacking the PS3 involved steering the Cell into a race condition that allowed him to elevate his access all the way up to ring -1 (the hypervisor level). That sounds like a hardware fault to me, and at such a basic level, it'll be hard to work around it apart from locking out all unvetted code (which is the path Sony has taken).
ring -1 ???
Where did you come up with that? The hypervisor still only runs in ring 0 (that's assuming that the hardware supports rings) and the guest's version of ring 0 (again assuming that the hardware supports it) won't be actually running in ring 0.
btw, does anyone have a PL/1 compiler for x86 hardware?
Yes, ring -1.
It's a feature of some recent x86 descendants.
There is more than one type of hypervisor. The kind that runs in the machine's real ring 0 as an OS kernel-mode device driver and offers a simulated ring 0 to the guest is known as a Type II hypervisor; one running on the machine's hardware virtualisation support (ring -1), under which all OSs run as guests, is known as a Type I (you could also implement a Type I solely at ring 0 if you wanted, but the hardware support is more efficient).
As to your other question, http://pl1gcc.sourceforge.net/ might be able to help.
dear o dear....
People running scared about a what-if "article" written based off chat logs based off speculation of data that may have been taken from an unknown number of people...
@Carol: bit more to it than that
'People running scared about a what-if "article" written based off chat logs based off speculation of data that may have been taken ...'
Having such a large network down for 9 days with no recovery plan published seems to be a bit more than speculation to those affected. You haven't really been following the increasing conflict between Sony and some of their games console users unrolling over the last several months, have you? If you had, you might understand some of the motivations of those behind this outage, and also the fact that the keys to this kingdom were out there waiting to be used.
Ah, yet more spin from TheRegister.
Got nothing better to do than speculate?
Sony won't say what's actually happening
"Got nothing better to do than speculate?"
This is the problem with not telling people what's going on: they have to speculate.
There is also a difference between "spin" and "speculation"
The former is enhancing the truth, the latter trying to discern the truth.
Power to the people!
The internet is ours. The consumers are right. Big corporations are evil. Etc, etc etc. I love seeing arrogance being punished that hard. I wish MS and Apple could get a beating like that too.
Sony 'incompetence' undermines arrogance...
It's the usual corporate idiot-think: decreased spending on IT must lead to increased profit.
Glad I missed out
Several years ago I purchased a PS2 for the children and tried to get the darned thing to go on line. It steadfastly refused to get the Sony network to respond and no one bothered about it.
I now think that perhaps I was one of the lucky ones?
I speculate! I speculate!
I reckon the reason it's still offline is that PSN was so poorly designed from the start they can't figure out a way of closing the gaping security holes without borking every PS3 out there.
Sony do appear to be putting their foot in it, repeatedly, disabling the install other OS feature after advertising it, taking action against geohot and even obtaining a list of anyone who had visited his site. Incredibly mean and despicable acts which will have many thinking, they got their comeuppance.
Fortunately for me, I barely used my PSN account, and never bought anything because for some odd reason it would reject my password when I tried to check my account on a PC, but worked fine on a PS3 with the same password. I asked Sony about this, they ignored it, so did I.. and that was years ago.
The only thing I can suggest is that you.........
....pick up an xbox on the way home!
Just like everyone else El Reg sigh!
Lol love articles made from chat logs or forum comments! what is this Kotaku???
Turns out the hackers are already using the data
Just got a third 'warning' email from Sony.. sent directly to an email I *only* used for the ps3.
1. It's not from Sony, or a domain registered to Sony. Indeed it appears to be from a spammer.
2. It states rather boldly at the top 'Add PlayStation_Network@playstation-email.com to your address book' - first part of a 2-stage phish? (Since in some mail servers, email addresses in the address book are more trusted, which suppresses the phishing warnings.)
3. It was sent from a *third* mailserver, of similar dubious origin.
As a phish it was so borderline (containing no dodgy links to russian websites etc.) that it took some discussion to work out what was going on.
If somehow it's not a phish then Sony just failed epically *again* by training their users to accept emails from random untrusted domains.
Not a phish, don't panic.
Try putting http://playstation-email.com/ into your browser. You'll see it's a domain and server belonging to a direct marketing contractor called Innovyx, Inc., who apparently Sony outsource their marketing emails to.
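The two posts above show the triage a recipient did by hand: check whether the sending domain actually belongs to the brand (or to a contractor the brand is known to use), check whether the bounce path comes from yet another server, and notice when the body pushes you to whitelist the sender. The script below is an added example that is not from the original thread or from Sony; the sample messages, the `relay.example.net` bounce domain and the allowlist contents are constructed for illustration, and `playstation-email.com` appears in the allowlist only because the reply above attributes it to Sony's marketing contractor.

```python
"""Triage one raw e-mail against a known-sender allowlist (added example).

Mirrors the manual checks in the thread: From-domain not on the brand's
list, Return-Path from a different mail server, and a body asking the
reader to add the sender to their address book.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains confirmed to send on the brand's behalf.
# 'playstation-email.com' is here only because the reply in the thread
# identified it as the marketing contractor's domain.
KNOWN_SENDER_DOMAINS = {"playstation.com", "playstation-email.com"}

# Phrasing that nudges the reader into trusting the sender (constructed list).
LURE_PATTERNS = [
    re.compile(r"add\s+\S+@\S+\s+to\s+your\s+address\s+book", re.IGNORECASE),
]


def sender_domain(header_value):
    """Lower-cased domain part of an address header, '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def message_text(msg):
    """Plain-text body of a parsed message (joins text/plain parts if multipart)."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw_message, allowlist=KNOWN_SENDER_DOMAINS):
    """Return findings for one RFC 822 message as a dict with a 'verdict' key."""
    msg = message_from_string(raw_message)
    from_dom = sender_domain(msg.get("From"))
    rp_dom = sender_domain(msg.get("Return-Path"))
    body = message_text(msg)

    reasons = []
    unknown_sender = from_dom not in allowlist
    if unknown_sender:
        reasons.append(f"From domain {from_dom!r} is not a known sender for this brand")
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom!r} differs from From domain")
    lure = any(p.search(body) for p in LURE_PATTERNS)
    if lure:
        reasons.append("body asks the reader to whitelist the sender")

    if unknown_sender or lure:
        verdict = "suspicious"      # treat as a phish until proven otherwise
    elif reasons:
        verdict = "review"          # bulk-mail relay: plausible, but confirm
    else:
        verdict = "ok"
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "reasons": reasons, "verdict": verdict}


# Constructed sample: the marketing mail described in the thread.
SAMPLE_MARKETING = """\
Return-Path: <bounce-12345@relay.example.net>
From: PlayStation Network <PlayStation_Network@playstation-email.com>
To: ps3-only@example.org
Subject: Important notice about your account
Content-Type: text/plain; charset="us-ascii"

Add PlayStation_Network@playstation-email.com to your address book
to make sure you keep receiving our messages.
"""

# Constructed sample: a transactional mail with nothing to flag.
SAMPLE_CLEAN = """\
Return-Path: <bounce@playstation.com>
From: PlayStation Network <noreply@playstation.com>
To: ps3-only@example.org
Subject: Your password was changed
Content-Type: text/plain; charset="us-ascii"

Your password was changed. If this was not you, contact support.
"""

if __name__ == "__main__":
    for name, raw in (("marketing", SAMPLE_MARKETING), ("clean", SAMPLE_CLEAN)):
        result = triage(raw)
        print(name, result["verdict"], result["reasons"])
```

With the contractor domain on the allowlist the marketing message still comes back `suspicious`, because the "add us to your address book" wording is a whitelisting lure whether or not the sender is legitimate; with the contractor domain removed it is flagged on the sending domain as well. That is the point the poster made: a brand that mails from arbitrary third-party domains forces every recipient to do this investigation themselves.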
this actually in many ways puts Sony in the right
All these hacking incidents actually vindicate Sony in wanting to sue the ass off GeoHotz. These sanctimonious anti-Sony hax0rs have much of the responsibility for this.
Please refrain from forgetting to enable the use of sarcasm tags.
It confuses the heck out of people.