Security analysts have narrowed down the probable causes of the infamous Sony PlayStation Network breach. Sony is slowly restoring its PlayStation Network and Online Entertainment service following a hack that exposed the personal details of 77 million PlayStation Network gamers and (separately) 25 million customers of its …
nice write up
Just a couple of things.
"As a side note, Google’s web cache shows that Sony’s servers were up to date, so this whole theory may be bunk."
Not true, the Google cache only shows one server (Auth). Which was updated soon after the IRC chat happened. What wasn't updated were the other ones (Shop,account,content,patches, etc) and these have never been cached by Google. An Nmap revealed they were running apache 2.2.11 on all the core servers except the Auth obviously.
Sony would appear to have been watching the right channels for information about weaknesses, but they didn't do more than a token gesture towards keeping patched and up-to-date servers.
With regards to Rebug and SP-INT (Developer network) Sony have said that they weren't that concerned as it was an intentional bug on the developer network and until Rebug appeared there were no problems with the system of trust alone.
If this hack hadn't happened I'm quite sure Sony would have kept on coasting with the servers never getting more than a token patch on Auth and SP-INT cleansed every few months.
Which ones were on 2.2.11?
All the main ones
according to that link. As nobody knows what those servers were, or what they contained.
Anyways, it's looking increasingly likely this was all down to a SOE disgruntled employeee, not a cyber attack.
Was probably still in the "in tray" of Change Management, patch the Auth server and then wait a few weeks to see if something broke before further rolling out. Not like you would want to cause an outage or something.......
In a case like this, it's very very unlikely that you'll get full disclosure from Sony as to how they f**ked up. To do so will be akin to accepting full liability in a legal sense and I think they'd be reluctant to do that as doing so would leave them (even more) open to lawsuits and the like.
Hypotheses and deductive reasoning is all we'll get.
Maybe the story is trolling to get the comentards to fill in the facts?