User data stolen in Sony PlayStation Network hack attack

Sony is warning its millions of PlayStation Network (PSN) users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. The stolen information may also include payment-card data, purchase history, …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward
    Flame

    When (&& if) they catch the a-holes responsible...

    ...I say castrate them. Not only have they exposed my personal information, but they are denying my right to use the hardware I bought.

    Which reminds me: that sounds a bit like the argument that OtherOS-loving hardware-hackers like to throw around. Well, if they are to blame (and it might very well *not* have been them), then I say they are hypocrites.

    1. sT0rNG b4R3 duRiD
      Megaphone

      The *REAL* Arseholes

      While I completely agree two wrongs do not a right make... I think the real arseholes here are those who do not hash passwords and encrypt credit card information.

      You still trust them?

      I say boycott Sony.

      Do a real DOS on them (Denial of Sales).

      I feel for the victims of the hack (Sony's customers). Not Sony.

      1. jake Silver badge

        Boycott Sony? Too late ...

        The only bits of Sony kit here on the Ranch are ancient. One is a 32" Trinitron, bought new by me in 1988. It's also the only TV in the house ... and likely the last one; we probably won't replace it if it ever dies ... no real need, it's almost never turned on. The remote is cob-webbed to the top of the TV, I couldn't tell you when one of us last watched television. TV is a vast wasteland, probably the only bigger waste of time is playing video games. The others are also from 1988 ... 20" DDM monitors that are attached to various pieces of old Sun kit. Yes, 2048x2048 in 1988 :-)

      2. DrXym

        Who says the passwords were not hashed?

        Until Sony summarize how the data was stolen, speculation regarding the manner it was done is just that - speculation. Perhaps they did comply with credit card regs, perhaps they do use strong password hashing and all the rest. All of which would not matter if the hack was someone in their datacentre walking out the door with a backup tape, or a disgruntled employee with a working login.

        Yeah they've been bitten hard but maybe people should wait to receive the explanation of events before leaping to conclusions.

    2. David Hicks
      Flame

      Sorry but WT-holy-F?

      Might very well not have been? Might very well not have been?

      Why the hell would you think that people hacking their hardware would be in any way involved in this in the first place?

      Seriously, are you that warped in the head that you equate people gaining control over their own hardware with stealing millions of user details and (potentially) credit card details for the purposes of fraud?

      Hell, even the most pirate-y of console hackers isn't interested in massive data theft and fraud.

      Sony failed to secure their systems. The fact that passwords were even stored on their systems (instead of secure, salted hash values) is a huge failure in itself.

      The ability to penetrate and compromise Sony's server infrastructure is entirely separate to breaking client-side security, it is also unambiguously criminal. This is absolutely nothing to do with custom firmware, homebrew or piracy.

      1. Anonymous Coward
        Anonymous Coward

        Data and Hardware

        The people who have stolen all this data are not the ones who originally hacked the hardware. Nor are they the "Anonymous" collective.

        Sony allowed this type of data to be transmitted to developer machines. The hacked PS3s put themselves into the same mode so that the data is being sent to them. That is how this whole thing has happened. If Sony wasn't leaking the data to developers in the first place none of this would happen.

        All the hardware hackers have done is given them a platform for which they could access the data on. Either way this data could have been leaked somewhere else.

    3. Jake Rialto 1
      FAIL

      PCI / DSS Standards Anyone???

      If the credit card numbers were stolen because they were not obfuscated / truncated (only display first six, and last four characters, the rest are hashed out), then Visa International and Mastercard may take them to the cleaners.

      Now they may have been obscured, but if the hashed data and the truncated data was accessible and could be linked, it can still be recovered.....and Visa and Mastercard will be after them again.

      The PCI DSS standard has this requirement.

      Primary Account Number (PAN)

      Storage Permitted = Yes

      Render Stored Account Data Unreadable per Requirement 3.4 = Yes

      Wouldn't like to be in their QSA / Information Security / IT auditors' shoes right now tbh.
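
The linkage risk raised in the comment above, shown as an added example (it is not part of the thread or any poster's code): when a first-six/last-four truncated PAN sits next to an unkeyed hash of the same PAN, the hidden digits are pinned down by a small search, while a keyed hash whose key lives outside the database is not. The test card number, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac

def luhn_sum(digits: str) -> int:
    """Luhn total of a digit string; every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def truncate(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def plain_hash(pan: str) -> str:
    """Unkeyed, unsalted digest: anyone holding the database can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC digest: cannot be recomputed without the separately stored key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def candidate_count(truncated: str) -> int:
    """Luhn-valid PANs consistent with a truncated value (one digit is forced)."""
    return 10 ** (truncated.count("*") - 1)

def candidates(truncated: str):
    """Yield every Luhn-valid PAN that matches the truncated form."""
    first6, last4 = truncated[:6], truncated[-4:]
    width = truncated.count("*") - 1
    for n in range(10 ** width):
        head = f"{first6}{n:0{width}d}"
        # The last masked digit is fifth from the right, so it is never
        # doubled and the Luhn check determines it directly.
        fix = (-luhn_sum(head + "0" + last4)) % 10
        yield f"{head}{fix}{last4}"

def link(truncated: str, stored_digest: str, digest_fn):
    """Return the PAN if truncation plus stored digest identify it, else None."""
    for pan in candidates(truncated):
        if hmac.compare_digest(digest_fn(pan), stored_digest):
            return pan
    return None

PAN = "4111111111111111"  # constructed: widely published test number, not a real card
KEY = b"constructed-demo-key-held-outside-the-database"

if __name__ == "__main__":
    shown = truncate(PAN)
    print("stored truncation:", shown, "| candidates:", candidate_count(shown))
    print("unkeyed hash linked:", link(shown, plain_hash(PAN), plain_hash))
    print("keyed hash linked without key:",
          link(shown, keyed_hash(PAN, KEY), plain_hash))
```

For an auditor, the check is whether any store, export or log holds both forms of the same card with a digest that can be recomputed from the data alone.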

    4. garotte80

      I agree to an extent

      I don't think the public will agree with castration. I do however think enough people are affected that the hackers responsible for this should receive the death sentence. They have gone too far and an example needs to be made.

      1. Anonymous Coward
        Anonymous Coward

        "an example needs to be made."

        Out of Sony.

        For having incredible wealth and resources, and yes technical expertise, but failing to provide their users with even the most basic protection possible. (Can you imagine that internal Sony accounts are lying around unencrypted on public facing servers?). If they can design the Cell processor (lol and what an over-engineered heap of crap that is) then they can damn well read an "Idiot's guide..." to basic security practices.

        1. Anonymous Coward
          Thumb Down

          @AC 13:53

          And how do you know they were public facing servers? For all we know, the account database servers were internal and not connected directly to the internet. Perhaps they hacked a server that was public, and then worked their way into the network from there. Not unheard of.

          But no encryption is unforgivable.

    5. we are all ignorant

      Actually...

      ... you are the hypocrite. You want to be able to use the system you paid for? How does it feel? Whimper more.

      1. Anonymous Coward
        FAIL

        @we are all ignorant

        I'm not too concerned about the delay. LittleBigPlanet 2 and Killzone 3 are plenty of fun offline. But, the idiots who threw a tantrum over OtherOS: THEY can "Whimper more". After all, I'll be back online in a week or two. They will be waiting *a whole lot longer*. Your name really says a lot about you.

  2. Nathan 13

    title

    Couldn't have happened to a nicer company HAHAHAHAHA serves you right assholes!!!!

    1. Anonymous Coward
      FAIL

      idiot

      It's not the company that's affected in the first instance - it's the users - who only want to play games... And, having worked (and played against) some of the bigger companies on the planet, I don't think Sony is the worst for stopping people hacking their hardware.. Grow up

      1. Gangsta
        Stop

        @ AC 01:13 ^

        Aha, but what about the potentially massive loss to Sony's reputation?

        That is one thing they DO deserve. If customers suffer then Sony (morally should) be liable.

        I have been a Sony PS fanboy for years before this, but now I'm drifting away.

        a) Because of the Removal of the OtherOS feature (I didn't use it that often, but it was the principle and the attitude of Sony)

        b) They sued Playstation hackers. These guys only unlocked it to support homebrew. Not piracy. You could say that they contributed to enabling piracy, but did THEY enable piracy?

        c) Because of this potential loss of crucial data. They haven't stored the details securely, that 77 Million or so users have entrusted them to do. They have shown a horrendous disregard to their users.

        You could add d) PSN has been down for 7 days, but I don't use the PSN: I was once a user, but homebrew was too tempting.

    2. Anonymous Coward
      FAIL

      OK

      Seems the American Shitebox360 owners have woken up. Who wants to bet money that when the feds bust down the doors of those responsible, it will be some spotty 16 year old American Xbox owner...

      I'd be willing to bet money on that right now.....

      Microsoft's brainwashed soldiers.

  3. Mystic Megabyte
    FAIL

    Oops!

    Shit -> Fan x 70 million!

  4. Combat Wombat
    Coat

    Bwa hahahah !

    I fell off my chair laughing when I saw this.

    Their crap-tastic security was mentioned last year at the CCC in Germany.

    Rather than fix it Sony chose to release the lawyers.

    Nice to see how that worked out.

    Mine's the one with the Xbox Live cards in the pocket

    1. asdf
      FAIL

      Only so much one can do

      What you expect Sony to secure their own systems? That takes resources. Resources better spent devising draconian drm (spore drm sony invention) and illegal rootkits to punish your paying customers. Sad even control freak apple understands drm unsustainable. Sony last big company not to get memo.

      1. Daniel 1

        They suspected their customers were stealing from them

        So they allowed their customers to get robbed.

        I feel this must ultimately be the fate of any company that sets their business up, on a premise of "Our customers are thieves." The only people who end up having to sit through endless messages about the evils of piracy, are the people who actually bought the product.

        (I like to imagine the Sony motor car: you put the key in the ignition, and this racy music starts up and a stern voice starts saying things like "You wouldn't steal a DVD... You wouldn't steal a handbag..." Of course, ideally, this system should be completely bypassed by someone hot-wiring the car.)

  5. Bill Neal
    FAIL

    ironic

    sony forces hackers to play offline

    hacker(s) force sony to play offline

  6. Ben Alderson
    FAIL

    Fail

    That's assuming that whoever stole my password doesn't log in first when PSN comes back up and change my password.

    I suppose Sony could change all passwords and email users with new ones that require a reset as soon as you log in, but if anyone used the same pass for PSN and their email then...

    Can't believe it's taken so long for Sony to notify users of what has happened. This is a major screw up, I'd like to see the ICO take action against them for this. Bastards.

    1. Adam T

      unless your surname is Aardvark

      Then again, I expect the servers will collapse under the weight of millions of people all trying to log in all at once when they do come back up again.

      Sigh of relief here as I've had a new c.card since I last paid for something on PSN. Still not happy to hear Sony are stupid enough to store other personal info unencrypted also.

      Oh well, we live and learn. Trust is such an easy thing to lose...

  7. nozafc
    Happy

    Karma

    Could not have happened to a nicer company

    1. DZ-Jay

      Actually...

      It did not *happen* to Sony, it happened to the thousands of users who set up an account in the PSN, and whose only transgression was the desire to play games.

      -dZ.

    2. DrXym

      Yeah serves them right

      Imagine them manufacturing a games console (competing against several others) and providing a free online service. What evil heartless bastards.

  8. Anonymous Coward
    FAIL

    Thanks Sony!

    For telling us this six days too late. :|

    1. Jake Rialto 1
      Pint

      Don't fret

      TJ Maxx kept the lid on their data breach for three months.

      In fairness, the US Secret Service told them to keep mum over it.....

  9. This post has been deleted by its author

  10. Bill Cumming
    FAIL

    Data might not be stolen...

    ...According to reports a custom firmware for the PS3 is in the wild, making slim consoles into "developers" consoles.

    This gives them access to the PSN Developers network as well as the main PSN,

    The upside was being able to bypass checks on games and a few other security hurdles.

    But they found a bug (or major FUBAR) where credit card details are not checked to see if the user owns it with simple name/account check (or even if the card number was a valid one e.g. 16x1's would work.)

    Letting people with this firmware buy anything they liked on the PSN.

    1. Gulfie
      FAIL

      And your evidence is?

      Having sniffed around for related information, all I can find is a bunch of speculation and no hard facts - i.e. independent verification by a white hatter of the claims that Rebug does indeed provide unfettered access.

      I'm not saying you're wrong, but you can't make these assertions without providing a source that independently confirms them.

    2. Gulfie
      FAIL

      ... and another thing ...

      If Sony were in the position you suggest they are, nobody in Legal or PR would have suggested spinning a 'firmware cracked, dev network hijacked' story as a 'massive data theft affecting every PSN user, possibly including credit card details'.

      At least chesh420 (the handle of the original poster at reddit) has the decency to say, at the start and the finish of his post, that he is SPECULATING.

    3. Andy Fletcher

      Sure..but

      All those accounts that did that got themselves suspended and rightly so. Just hover around the official Playstation forums to witness a deluge of twats who stole from the PSN store and are complaining they got caught out.

    4. The Alpha Klutz

      I AM SPECULATING

      Sony run a secret Ice cream parlor on Mars. They only let certain customers go there for free ice cream which is TOTALLY UNFAIR.

      Some of the customers hacked in to the Martian Mother Computer and discovered a new flavour of ice cream based on chocolate. Again this is only a rumor at this point but if the queen is a reptilian shapeshifter then god help us anything is possible.

      I spoke to Sony's PR company and they can confirm that I will be on the next shuttle up there for free ice cream and blow jobs. I asked about the possible existence of chocolate ice cream and the line went dead.

      Several minutes later a military contractor phoned me back and told me in no uncertain terms that I love Raspberry ice cream not chocolate ice cream. Then a high pitched tone pierced my ears and I realised that this is in fact true, I do love Raspberry ice cream exclusively.

      I AM SPECULATING

  11. Anonymous Coward
    FAIL

    hopeless

    Considering their continual failure to secure the ps3 console against cracker

    Attacks...a battle that really opened up when they

    Stupidly removed the otheros feature (the final fallout

    Of that move is still to be seen) I can't see how anyone can

    Trust their ability to secure PSN. Sony are on a big slippery

    Downward slope into every messy brown lake ...

    1. Anonymous Coward
      Stop

      (untitled)

      Was that your attempt at writing a Haiku, or at justifying the actions of those who oppose Sony's removal of Other OS? Either way you've failed.

      1. Aaron Em

        I'm guessing...

        ...it is the result of using a crummy phone browser with text fields that "helpfully" produce hard line breaks and auto-capitalization.

        1. Anonymous Coward
          Go

          I

          was more joking about the Haiku.

  12. Fisher39
    FAIL

    I do look forward to...

    Carole's opinion on this. Wonder how the young chappie is going to get the XBox angle in?

    1. Dante
      Thumb Up

      hehe

      Is this a Playstation exclusive?

  13. Anonymous Coward
    FAIL

    Here we go again...

    Yawn...

    Change your password(s) move on. I don't see what the big deal is.

    1. asdf
      FAIL

      Sony will

      Customers eventually learn. Sony got lucky with ps1&2. Now they are the sega of consoles. 1 maybe 2 generations until they pack it in.

      1. lurker

        @asdf

        I think you'll find that Sega were the Sega of consoles.

    2. Steven Raith
      Stop

      The big deal is...

      That 95% of the users on PSN have probably used the same password on there as they use for every other secure site they have access to.

      This is stupid, but they are users - it'll happen.

      If you can't see the massive significance of this, you're either blind, stupid, or both.

      Never, ever trust Sony - full stop.

      Steven R

      1. Charles 9

        You might as well say...

        ...never, EVER trust ANYBODY.

        Not even YOURSELF.

        Because humans are both fallible and capable of exploiting others' mistakes. You can't trust online transactions because your account can be hacked. You can't trust credit cards because the clearinghouses can be cracked. Hell, even cash can be vulnerable to supernote counterfeiters.

        1. Tony S

          Welcome to the world of security

          Many years ago as a (very) junior manager, I was told by an ex-Chief Super of the Met that there are only 3 types of people in the world. The SAD, the MAD and the BAD. Everyone falls into one of these 3 categories.

          I argued with him, but he insisted that one day I would understand. Some 30 plus years later, I absolutely hate to admit it, but he was 100% correct. To quote Lex Luthor "People are just no damn good"

      2. Aaron Em

        Passwords are stigma of our fathers' sins

        "Users are stupid for not using passwords properly" is satisfying, if you like that sort of thing, but also small-minded, smug, and rather pointless.

        "Passwords are stupid for not living up to requirements" is much more accurate -- 'requirements', of course, defined as how the thing's actually going to be used in the real world.

        Of course, I don't have any particularly clear idea for what could replace them, nor would I be able to meaningfully implement it if I did. So I do the best I can and just don't allow users to set their own passwords; they complain about it for thirty seconds, then remember their browser or mail client will store it for them and forget they thought it was a problem. The occasional crack about difficult passwords I can easily bear in exchange for systems which aren't infested by every petty criminal in the world who can get to an Internet cafe.

    3. David Hicks

      Credit Card details

      Sony are not sure at present if CC details have been compromised. Other info certainly has. When someone has your -

      username

      password

      real name

      email address

      street address

      credit card details

      Would you not agree there's a lot of scope for negative effects? If this were just your username and password then it wouldn't be as big of a problem.

      Also - good luck logging in to change those.

      1. Anonymous Coward
        FAIL

        Funny that

        My number 1 rule with this sort of thing is never use valid info unless you really have to.

        I registered my details as 123 fake street, London. With a fake postcode & name and haven't had any problems buying things. The only info they have on me is my CC details, I'll be cancelling those cards today.

        However, I'll never use PSN again, except for demo downloading, 98% of the stuff on there is complete shite anyway.

        1. johnnytruant

          Oh hai

          I also live at 123 Fake Street, London.

          Could you pick up some milk on your way home?
