Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sony Blames 'External Intrusion' For Lengthy PSN Outage

Posted by Soulskill on from the satisfaction-is-not-guaranteed dept.

Several readers have noted that outages on Sony's PlayStation Network have prevented online play for the past few days. The company has now blamed an 'external intrusion' for the trouble, saying they took down the network to "conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward." Some suspect an attack by Anonymous, who declared war on Sony earlier this month, but Anonymous has disavowed knowledge of such an attack. Meanwhile, others are asking whether Sony should compensate users for the inability to play PS3 multiplayer modes, and even single-player modes on a few downloadable games.

12 of 321 comments (clear)

  1. Anonymous by Bovius · · Score: 4, Informative

    I love the implication that Anonymous has a representative that can "disavow knowledge of such an attack."

    Anonymous is not an organization! It's a bunch of jerks on the internet.

  2. Wow by headhot · · Score: 4, Interesting

    PSN has been down since Tuesday night, blowing the launches of Portal 2 (plus steam) and Mortal Kombat 30. The system is not still down for forensic or investigational issues, its down because they haven't figured out how to bring it back up. They are losing too much money and credibility having it down so long. My guess is they are poring though back up tapes right now. Some one owned them good.

    Also, this didn't feel like a DDOS, with intermittent problem. PSN seems to have gone down hard. When Sony says "infiltrated," I think totally raped their systems.

    1. Re:Wow by cgenman · · Score: 4, Insightful

      The system is not still down for forensic or investigational issues, its down because they haven't figured out how to bring it back up.

      Generally, the worst attacks are the ones when you can't figure out how much access people still have, what they did while they were there, and whether or not it is safe to bring the system back online. If someone got root on Sony's update servers, you'd better believe those are staying offline. A problem there could leave Sony on the hook for the cost of 50 million very expensive plastic bricks. Similarly, someone with deep PSN access might be able to leverage that into accessing Sony's other internal systems, which could include things like VAIO firmware, manufacturing robots, sony picture entertainment, and baseball fields full of money.

      Keep 'em down for a few days to do your security homework, or suffer a bigger break later.

      --
      The ______ Agenda
    2. Re:Wow by powerlord · · Score: 4, Interesting

      If someone got root on Sony's update servers, you'd better believe those are staying offline.

      Then feel secure that those aren't the problem.

      I was playing a Demo recently and it informed me there was an update available. System downloaded the update and loaded it, even though PSN is still down and I still can't log in.

      I heard a rumor that they found people circumventing the checkout/purchase system in some way. If that is true, then they may be keeping the system down while they fix that.

      Two more plausible explanations:

      1) someone used the fact that PS3s internal key has been exposed to try to craft code to go after the Login/Pay servers through the PS3 directly, on the idea that Sony programmed those interfaces on the assumption that they are secure, and only produced well formed code, leaving a chink in the armor. If that IS the case, then Sony may have shut down the whole system rather than letting it sit open and exposed once they detected the intrusion, in an effort to head off data theft (while they rewrite the interface?).

      2) someone could have been performing a Denial of Service attack, again through internal PS3 calls which were expected to be well formed.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  3. This is why I don't like online by Psychotria · · Score: 5, Insightful

    I guess it's great for the content providers and their DRM, but when I can't play a single player game because either their servers are down, or I don't happen to have a connection at the time is annoying and stupid. (I don't have a Playstation, but several single player games on Steam behave in the same, or similar, way; e.g. f1-2010 I can't save progress without the internet because apart from steam, which launches the game just fine, there is the crazy Live-Games for Windows (or whatever it's called). Why I can't save progress is beyond me as the save games appear to be local files, but that's just how it is.

  4. Best three days I've had with my son by Anonymous Coward · · Score: 5, Interesting

    This has been the best time that my 15 year old son and I have had since the PlayStation arrived in December. With the network dead, we went bicycling and bowling (his top score was 134); he showed me how to solve the last layer (well the OLL) of the Rubik's Cube.

    I deeply thank whoever did this, and I wish you only the best!
      -CS in Berkeley

  5. Humans are the vulnerability by elucido · · Score: 4, Insightful

    It doesn't work like that. Assuming both sides are highly competent, securing something is a fundamentally harder problem than breaking in. To break in, you only need to figure out one vulnerability. To secure something, you need to make sure every component - as big as a data center and as small as every single instruction sent to the CPUs - in your system, is invulnerable. Hiring hackers would only help if the engineering team is highly incompetent to start with (like, they aren't even aware of basic things like why strcpy() to a fixed buffer can be a very bad idea).

    You are underestimating the power of social engineers. If you have someones dox, if you have their social security number for example, and this someone happens to be either an employee for a rival corporation, within your own corporation, or anywhere else, it's very easy to build an intelligence file to find all their human vulnerabilities. Now if you want to see how vulnerable an entire corporation is, who is in charge of protecting the secret information or passwords or whatever? How psychologically stable as those people? If you have an intelligence file on every important employee within an organization, and you know which ones happen to be psychologically unstable, vulnerable to certain kinds of social engineering, etc, then you can probe the network for human weaknesses.

    Which ones are most likely to write their passwords down and throw them in the trash? Which ones are most likely to go to an online dating service and meet a girl or guy? Knowing who is single, knowing who has what psychological disorder, knowing who cheats on their wife or husband, knowing anything which can be leveraged to compromise them. It's no different than in politics where politicians get targeted and corrupted over time, when enough eyes are on an employee then its only a matter of time before the employee does something which can put them in a compromised blackmailable position.

    Once in that position then they have to choose between losing their wife/husband or losing their job. Once again blackmail, extortion, or outright social engineering where they think the boss told them to give the password, is usually all that is required to hack human networks. If you are trying to always hack it by technical means then yeah you'll have to hope there is some bug in the system but if you want to guarantee success you have to hack through all means, technical and social.

  6. Re:Right... by Anonymous Coward · · Score: 4, Funny

    I am, in principle, not against Finland conquering the globe. They have a few nice things going, and the bit about Rome and the aqueducts from "Life of Brian" comes to mind.

  7. Personal Data? by thecombatwombat · · Score: 5, Insightful

    What blows my mind is that people are asking whether or not they should be compensated, when will the service will be back up, and who's responsible, but not so much "is my credit card that the PSN stores secure?" How is this not the first thing Sony gives an update on when they officially say this is due to an attack?

    I've been looking at the comments on every post I see about this. At first I was hoping for an answer, and now I'm mostly just curious. This seems to be the very least of everyone's concerns.

  8. Re:Anonymous represents something new by Dachannien · · Score: 4, Interesting

    A new kind of organization. I would say Anonymous is a cyber intelligence organization, not just a collection of jerks.

    There are a few people associating themselves with Anonymous who have the expertise to become a "cyber intelligence organization", and a few thousand who are jerks. The question is whether those few people have the resources to make it happen, and nobody can really be certain until they manage to pull off a coup of some sort (HBGary is chump change compared to what I'm talking about) without being busted by the FBI, Interpol, etc.

    But in the long term Anonymous is growing stronger at an exponential rate. Their only flaw at this moment in time is their relative inexperience and their silly tactics at times. They go from brilliant tactics at some points in time (such as hacking the email server at HBGaryFederal), to really dumb tactics like DDOSing Sony and taking down webpages.

    This actually proves my point. The masses didn't do the HBGary hack. That was one or a few people who actually know what they're doing. The only reason Anonymous gets the credit is because the people responsible allowed the credit to go that way. The Sony, Amazon, and MasterCard DDoS attacks were performed by the masses, and they've all created varying levels of embarrassment for Anonymous due to their lack of success or the pointlessness of their targets.

  9. Re:Right... by Anonymous Coward · · Score: 5, Insightful

    This is why liberals have mostly been in charge since the 1960s.

    Yeah, don't let a little thing like 30 years of Republican presidents vs 15 years of Democrats since 1960 get in the way of your "facts".

  10. Scapegoat by JavaBear · · Score: 4, Insightful

    Anonymous is fast becoming the preferred scapegoat when a large corporation have an outage.

    --
    Maybe I should have posted this as "Anonymous Coward"?