PSN Outage Continues, Console Hack Claimed To Be Responsible
Over the weekend, we discussed news that the PlayStation Network had been down for days, with Sony saying little other than that it was caused by an "external intrusion" and that they were "rebuilding their network." Many of you have written to point out that the outage continues, with Sony saying they "don't have an update or timeframe to share at this point." One theory about the cause behind the network's downtime was recently espoused on Reddit by 'chesh,' a moderator at PlayStation-modding enthusiast site PSX-Scene.com. According to him, recently released custom firmware called Rebug allowed people to essentially turn their PS3s into dev consoles, though some features were missing. A different group supposedly used this firmware to get on PSN through the developer networks, and also found that fake credit card numbers were not being validated for game purchases, leading to what chesh called "extreme piracy." He acknowledges that this theory is speculation. Sony's handling of this outage is starting to draw attention from the government. Update: 04/26 20:47 GMT by S : Sony just posted more details, saying that a massive data breach occurred: An "unauthorized person" has PSN users' "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID." Billing address, password questions, and credit card info may also have been taken.
I've got a friend who is a PS3 fanatic, and hates all things Nintendo and MS as a consequence (never understood the partisanship myself, and I've owned all three consoles at one time or another and they all have their respective merits). A couple of weeks ago when he found out I was buying Portal 2 for the Xbox (I sold my PS3 a while back), I was treated to a rant about how superior the PS3 version was because it allows cooperative play between PSN and Steam PC users (a nice feature, for sure). I thought I was going to have to give him a sedative to get him to shut up about how stupid I was to even consider the Xbox version, how great PSN is, how much Xbox Live sucks, etc., etc.
I'm tempted to rub this in his face, but it would probably only make him worse.
SJW: Someone who has run out of real oppression, and has to fake it.
I understand that the slashdot community might be anxious to see the PSN come back up, but do we seriously have to start publishing nothing more substantial than speculation?
Also, I've met Dick Blumenthal. He's a very nice man. However, he is, by no means, "the government", nor does a single letter from a freshman senator constitute "attention from the government".
My postings are informational and do not constitute legal advice. Act on it at your risk.
why is the PSN outage any of the (US?) government's business?
Senators and Representatives going after Apple, now Sony, aren't there other goddamned things they should be working on?
It would be nice to be able to activate the PC version included with my PS3 copy of Portal 2. You're in a somewhat unique position to improve matters, given that you were planning to make the PC version available to us anyway.
Insert self-referential sig here.
I hate to be the paranoid type, but when the first 5 of 10 comments are kiss-ass "thank you's", it starts to raise red flags. Thank you for what? A nebulous useless update that they are denying you service, and have no idea when their service will be back up? I know that there are Sony Fanboys, but I can't imagine any Fan boy being happy about being denied internet gaming for a week... Especially happy enough to thank the company that is preventing them from playing, and has basically been lying from the start.
Am I just paranoid? Is there a legitimate reason to thank that guy for a useless update?
One theory about the cause behind the network's downtime was recently espoused on Reddit by 'chesh,' a moderator at PlayStation-modding enthusiast site PSX-Scene.com. According to him, ... [snip]
He acknowledges that this theory is speculation.
Slashdot should change its moniker to "Jerry Springer for Nerds". All that's missing is a video feed of some grimy sweat pants wearing nerds furiously typing away virtual beatdowns over who got whose virtual girlfriend knocked up.
This whole "new media" thing is unconvincing.
You seriously believe that Sony would disable all access to its multiplayer games, movie sharing etc, because someone's temporarily able to use one of their devices as a dev console? I think that overblows Sony's interest in homebrew.
For some of us, the PlayStation Network has effectively been "down" since April 1, 2010.
Welcome to my world.
At least Amazon were up front about the failure and remedy for its service... Sony should be learning that lesson - fast! http://www.cmswire.com/cms/enterprise-20/the-aftermath-amazon-ec2-sony-playstation-network-recover-from-cloud-crashes-010954.php
If he's the Walrus then can I be a penguin please?
sony is obviously not going to do what is in your interest.
"We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
"
http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
Things are not looking good... http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
If the rumor is indeed true that a custom firmware has been used to get some people free stuff, take note how Sony has handled the situation -- A small, small portion of people (the few that run custom firmware, and the fewer that run this particular custom firmware) are getting a few free (virtual) goods, and they shut down the entire network, screwing 100% of their customers.
What if banks operated this way? They find a ring of fraudsters using bank accounts to commit fraud, and the bank responds by freezing everyone's accounts for weeks? It would be totally unacceptable.
When you find a small group of fraudsters, you take targeted action against them alone, even if it means you hemorrhage a little money compared to the more totalitarian approach. It's part of the cost of doing business. In the retail world they call it "spillage" -- the fact that some of your goods might get damaged beyond saleability or that a few things will go missing from the floor (or the stock room) is unavoidable -- you simply do your best to detect and take action against those responsible, but you don't go around treating every other customer as a criminal.
Of course, that assumes the rumored reason is the cause of this action -- I suspect it's either speculation or a (possibly intentionally-leaked) cover story for other measures taken in response to the Anonymous attack and whatever information they got out of GeoHot in the settlement. I anticipate a new official firmware will be required after the network comes back up and it will be necessary to access the "new" PSN, and possibly even already-owned downloadable content. This long of a downtime indicates pretty drastic changes behind the scenes, methinks.
Recent post on their blog (http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/) explains the following:
"... we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
Obligatory...
You must be really gullible to think the rebug-firmware and being able to 'buy' games from PSN with fake CC would be the reason.. Sony could have easily suspended sale through PSN, so it wouldn't be possible to buy new content, but you would still be able to use PSN with bought content...
I can see Sony's response already "These data breaches were caused by unauthorized tampering of proprietary hardware by criminal hackers in violation of federal DMCA laws and has caused considerable and irreparable damage and losses to our networks as well as preventing our users from fully enjoying their console experience in a lawful manner."
aren't there other goddamned things they should be working on?
As a member of the Subcommittee on Privacy, Technology and the Law, this is exactly what Richard Blumenthal should, and is doing.
"The main thing Sony will be doing now is taking the original server code and rebuilding it using new login keys for their admin side," he said. He also claimed that Sony "will probably take the chance to change the developers root key that was recently leaked, which tells PSN that a particular piece of software is licensed and allowed to use the PlayStation Network."
http://www.gamepro.com/article/news/219040/psn-may-be-back-by-wednesday-expert-claims/
Belief is the currency of delusion.
To tell the truth, I do not believe a thing Sony says. Sony's credibility has fallen to zero, or negative even. So if Sony says their system was brought to its knees by a "console hack" I naturally tend to assume that the real cause was an inside job. And then I go on to speculate about what kind of employee abuse goes on inside Sony that might trigger such a thing, not that I condone it.
Have you got your LWN subscription yet?
People up in arms bitching at sony saying they should be able to custom hack their consoles with their own firmwares and all that other geohot was doing that every nerd was behind him 100%.
Well, you see what happens when people do shit with their stuff that they're not supposed to do? All it took was one jerk to mess it up for everyone worldwide. Yeah hacking your console is a real great idea and you morons supported it without thinking because you wanted to believe you're hip suave tech people and want to be on the bandwagon against the big evil corporations like you were hippies with droid phones or something.
If only there had been some white-hat hacker to warn Sony that this might happen.
I'd written a blog post speculating about a worst-case scenario involving attackers using the leaked firmware signing keys to push a malicious firmware update from Sony's compromised backend servers. Personally, I've disconnected my PS3 from the network until the all-clear sounds from Sony.
Or we are seeing what happens when a company becomes so arrogant that they don't bother actually locking down this info despite the fact that it would be inevitable that someone would come along and find a backdoor.
Seriously, a 'hacked PS3' being able to do this is pretty much the definition of "Security Design Failure".
Bought the two big titles that came out a week ago. Can't play Mortal Kombat on my PS3 because PSN is down. Can't play Portal 2 on my Xbox360 because it red ringed on me. Isn't the latest technology grand?
Spend hundreds of dollars at least to get a gaming PC, ignore the sunken cost of their PS3s, all to play portal 2 a few days sooner?
I've said it before and I'll say it again: PC fanboys really are the worst.
Disclaimer: I am a PC gamer, and do not have a PS3.
Sony announced today basically all personal info has been compromised by the hacker(s): http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
So let me get this straight (if this is even true), Sony implemented a moronic system (hint: never trust the client) and you blame people messing with their PS3 to do what they want as the people at fault? The Dev console should have never been able to unlock retail titles like this, this is Sony's fault and their solution to fix it is their decision. They've already proven they are abysmal at security so if the user data was indeed stolen I'll bet you a nickel the important parts are not properly encrypted or hashed.
Let's look at two problems with a Japanese company. PSN down and TEPCO's reactor. Both had similar reactions.
Silence, followed by small admissions, followed by admissions it's much worse than it appears, followed by more silence, followed by admissions that some members of the public may have been harmed, repeat. No timetables, no estimates.
Is this possibly a Japanese cultural thing?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Story at Ars: http://arstechnica.com/gaming/news/2011/04/sony-admits-utter-psn-failure-your-personal-data-has-been-stolen.ars
Someone's user name was probably "users'); DROP TABLE allusers;"
http://nothing.golddave.com/?p=123
If Sony had never removed "other OS" feature, they would never have encountered the focused rage of the entire enthusiast community.
Now, it's possible that the Playstation Network, and possibly the entire PS3 platform, is finished.
You reap what you sow, Sony....
If telephones are outlawed, then only outlaws will have telephones.
This is another example of the evils of DRM. A friend of mine bought Bionic Commando Rearmed 2, an offline game that requires online verification every time you start it, from the PlayStation Network a while ago. Well guess what, that offline game hasn't worked for a week now.
Gotta love the online verification.
Portal 2 doesn't require hundreds of dollars to run.
Disclaimer. I am a PC and PS3 gamer.
Translation :
newbie outsourced tech typed "sudo rm -rf *.*" and we don't have a backup.
If Sony ran a supermarket: if one guy was caught shoplifting, they'd close down the supermarket and deny an entire neighborhood any food.
This is their rootkit fiasco all over again. Deny, deny, deny, blame it on "hackers", don't admit that THEY fucked up.
If telephones are outlawed, then only outlaws will have telephones.
I did it. It was me. I did it specifically to piss you off, and it worked. I am very happy; thank you.
Pay raise.. If I was a DEV (good job I'm not) I'd go right in and give it to 'em, give me X or I call in sick lol.
Money money money!
So the PSN is cracked... good and hard.
Will Sony face any penalties what-so-ever for this? No.
How many millions if not billions of dollars has their lax security cost their customers?
It seems we're going more and more toward this centrally connected system for gaming and software in general. Used to be if you wanted to use software you bought for a computer or game system, as long as you weren't in multiplayer or otherwise using network resources you were able to play without worrying about connection problems. Now when something like this happens a lot of things that have no apparent NEED for a connection stop working completely. It just shows that while being connected is nice, it certainly has drawbacks when some games or services are unusable. I can't watch Netflix now because it requires a PSN connection - even though the Netflix service is working perfectly fine. This reminds me a lot of Steam - another platform that is very convenient when it works, but extremely frustrating when it doesn't. These vendors need to come up with a better way to handle authentication in a way that doesn't leave you high and dry for something that would otherwise work if it wasn't for their failed network. Maybe some kind of token that only needs occasionally updated. Sometimes I miss those days when you just clicked the icon and it ran no questions asked!
I'm all for a little lighthearted security breaching from time to time, but steal my credit card info and I hope you go to jail.
The anime film "Summer Wars" predicted this EXACT scenario, except a little more extreme and with more dire consequences, but pretty darn close.
http://www.anime.com/Summer_Wars/
If telephones are outlawed, then only outlaws will have telephones.
I'm definitely not an expert in computer security. I do know a thing or two about programming and good practices though. The first amazement in this is that they had ALL of the account information available in a single place. I've never designed a system like PSN but right off the bat, I would ensure that the financial data and the account data are on completely separate systems. That way, if one gets hacked, the other has a chance of not getting compromised. The account details would be managed in much the same way as password data -- as hashes. And of course the two or more systems would be able to know who they are talking about by some user identity hash. It just makes simple and logical sense. Any information that is considered sensitive should be treated as such.
That's not to say that they didn't do this and that the compromise wasn't extremely sophisticated, but it certainly sounds like they did one thing wrong -- they stored credit card information in the clear and that user details were also stored that way.
Well, glad I'm not a Sony user.
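The separation proposed in the comment above (account data and payment data on separate systems, joined by a user identity hash), sketched as an added example that is not part of the original thread and not Sony's code. It goes one step further than the comment by comparing a plain hash of the login with a keyed one (HMAC) as the join identifier; the class names, the PBKDF2 parameters and the `tok_constructed_*` card tokens are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # example value (assumption); tune upward for production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash; a per-user salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def unkeyed_id(login: str) -> str:
    """Plain hash of the login: anyone holding the login list can recompute it."""
    return hashlib.sha256(login.encode()).hexdigest()


def keyed_id(login: str, link_key: bytes) -> str:
    """HMAC of the login: recomputing it needs the separately held link key."""
    return hmac.new(link_key, login.encode(), hashlib.sha256).hexdigest()


class AccountStore:
    """Identity system: login, e-mail and password hash. Holds no payment data."""

    def __init__(self):
        self.rows = {}

    def register(self, login, email, password):
        salt = os.urandom(16)
        self.rows[login] = {"email": email, "salt": salt,
                            "pw_hash": hash_password(password, salt)}

    def verify(self, login, password):
        row = self.rows.get(login)
        if row is None:
            return False
        candidate = hash_password(password, row["salt"])
        return hmac.compare_digest(candidate, row["pw_hash"])


class BillingStore:
    """Payment system: rows keyed by a pseudonymous id, never by login or e-mail."""

    def __init__(self):
        self.rows = {}

    def attach_card(self, pseudonym, card_token):
        # card_token stands for a processor-issued token, not the card number.
        self.rows[pseudonym] = {"card_token": card_token}


def linkable_rows(stolen_logins, stolen_billing_ids, id_fn):
    """Exposure check: how many billing rows can be tied back to a login by
    someone who holds both dumps and can evaluate id_fn?"""
    return sum(1 for login in stolen_logins if id_fn(login) in stolen_billing_ids)


def build_demo(use_keyed_ids: bool):
    """Constructed sample data: two users registered in both systems."""
    link_key = os.urandom(32)  # assumption: kept outside both stores
    accounts, billing = AccountStore(), BillingStore()
    if use_keyed_ids:
        make_id = lambda login_name: keyed_id(login_name, link_key)
    else:
        make_id = unkeyed_id
    for login, email, password, token in [
        ("alice", "alice@example.test", "correct horse", "tok_constructed_1"),
        ("bob", "bob@example.test", "correct horse", "tok_constructed_2"),
    ]:
        accounts.register(login, email, password)
        billing.attach_card(make_id(login), token)
    return accounts, billing


if __name__ == "__main__":
    for keyed in (False, True):
        accounts, billing = build_demo(keyed)
        # Someone holding both dumps can only evaluate the unkeyed function.
        exposed = linkable_rows(accounts.rows, billing.rows, unkeyed_id)
        print(f"keyed ids={keyed}: {exposed} of {len(billing.rows)} billing rows linkable")
```

With a plain hash as the join identifier, both billing rows can be tied back to logins from the two dumps alone; with the keyed identifier none can unless the link key is lost as well.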
I already have a gaming PC. And an xbox/ps3/wii...
To be fair, I hear Portal 2 is really good. ;)
Yeah, can't you wait until your Blu-Ray player stops working too, every time you want to watch a movie? This is why you can't have "server" verification. Because there's no guarantee the server will be there.
Tell your friend to return the game. It's broken. Get his money back. It's designed to fail.
If telephones are outlawed, then only outlaws will have telephones.
It's just as valid as the other suggestions that I have seen console fanbois make to PC gaming over the years when the media was pushing the idea that PC gaming was somehow dying when PC gaming is really all that is left. Consoles died in 1996; "consoles" of today are lowend PCs.
Two things.
a. I thought slashdot didn't edit articles. I'm obviously wrong.
b. This smells of anonymous....
I signed up recently to get the NHL GameCenter app. Basically it would let me stream games. My laptop didn't quite handle the high quality stream smoothly. I was hooking that to the TV previously. Since ps3/nhl had an exclusive agreement, this was the only way to go. Well, a week after buying the app, a new console firmware is released. That breaks the app. So it was a good month before that started working again. Now, ignoring the fact that the quality was actually worse than with my laptop, that really sucked. Now the network is down so, again, it doesn't work. And bonus, my information is compromised. I'm starting to get a little annoyed!
Portal 2 doesn't require hundreds of dollars to run.
That depends entirely on what hardware you have already. Plenty of people have laptops that are more than 5 years old, and that work fine for anything besides gaming. Out of my gamer friends, only one has a computer capable of running portal 2.
ahhha hhahhhahha woooo hahhhahah. heee heee haaw sniffle, hahahhahhha wahh hhe ahhh ahhhahhhahhah It could not have happened to a more deserving company. Karma is a bitch.
Could not happen to a nicer organization /sarc
So basically the shoe is now on the other foot and someone/people have now done to Sony what Sony has been doing to the public for years now. Namely, stealing their information, compromising their computer systems and causing general havoc within the household due to poorly or maliciously designed objects.
Boy, guess what I don't feel for Sony?
removing "other os" was *NOT* a good idea ? ;-)
You and I have different impressions of console fanboys then. I see console fanboys as generally being unconcerned with PC gamers. Consolers mainly seem to justify sony/ms/nintendo's every action and attack the "other" consoles. Furthermore, PC gamers are more vocal. I can't remember the last time I saw a PS3 or XBOX fan predicting the demise of PC gaming. PC fanboys conversely take every opportunity to preach their religion. Gaming article on slashdot? Two things are assured: 1. PC fanboy telling everyone they should throw away their consoles 2. Discussion of DRM.
Lastly, there's something much more arrogant about suggesting that -everyone- should do things exactly as they do (which is what PC fanboys like Dan667 are doing) than there is about making false predictions about the PC gaming industry (console fanboys).
Spend hundreds of dollars at least to get a gaming PC
Aww! How cute! You guys in the USA complain about spending hundreds of dollars.
Cheap PCs generally cost upwards of $1000 here (NZ). A little cheaper now that netbooks have come out, but last year I saw a full gaming rig going for around $7000. Yeah, I thought it was stupidly expensive too.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
It's the same in the States. You're not getting a gaming rig for "hundreds of dollars" here. A new videocard (unless you go commodity) is going to run you $300 to $750. A good estimate on a high-end (but not highest) gaming system without peripherals is around $1,500. If you're buying one that is pre-built, then it might be more. I have no idea.
"A new videocard (unless you go commodity) is going to run you $300 to $750. A good estimate on a high-end (but not highest) gaming system without peripherals is around $1,500"
You're doing it wrong.
Does this mean PSN stored passwords in cleartext?
If the password was hashed I'm not that concerned. You won't find my password in a rainbow-table.
But if it was unhashed, a looooot of people should change their passwords.
This XKCD comes to mind
Harald
My really old PS3 died with a hardware failure a couple days before PSN tanked. Instead of repair/replace I think my PS3 and PSP stuff is going to ebay and it is time for me to become a first time Xbox owner.
This is exactly the attitude I was afraid of. If sony was even mildly competent at security, nothing that could be done client-side from a console could be used to escalate privileges as radically as these people have.
Just because I can write software for my computer doesn't mean that I can exploit steam as thoroughly as PSN has been. The guys at sony don't have a lick of sense when it comes to network security. This is not geohot's fault.
I wanted to write something insightful but I used the same email and password on both PSN and slashdot so my account was compromised :-(
You can build a good gaming system for under $1000 easy. Enough to run the latest games at decent (not best) settings. I spent $650 on my recent quad core 8GB ram machine (a few weeks old) but that was sans video cards. A GTX 460 is $200 so that brings it to $850 (without monitor).
I am likely a victim of the PS3 debacle, like so many others. So this does suck for us.
But through it all, I am smiling. Why you may ask? This, to me, is Karma coming full circle for Sony and their fucking rootkits from half a decade ago.
Remember those kids?
Huh?
A compromised PS3 with a malicious firmware can go undetected much longer, and keep sniffing your new CC# even after you change your card following the initial data breach.
Stolen CC# = a short window of opportunity time, until the number gets reported. (Same as a stolen physical CC)
Compromised PS3 (a machine which is used to buy stuff online) = can be abused for much longer. (Same as an infected and root-kit-ed PC)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
No one is that arrogant. Clearly incompetence.
Support a great indie game: http://www.abaddon360.com
Because if so I should have gotten it from pirate bay.
But... the future refused to change.
PS3 exclusives: Uncharted 3, Resistance 3, LBP 2, Killzone 3, SOCOM 4
Xbox 360 exclusives: "not having your credit card info stolen"
and put up with lame copy protection schemes that install weird shit on your computer? No thanks.
Oh yes. FAIL
Those who would sacrifice OtherOS for PSN deserve neither.
And now, they truly have neither. Thank you Sony for continually showing the world what a crock DRM is.
You're ignorant. Portal 2 can run on absolute shit hardware (minimum GPU is a 7600. The PS3 has a modified 7800). Most computers built within the past 5 years can run it and you can get one of those off Craigslist for LESS than the cost of the PS3.
And you're only level five elitist. Come back when you only use operating systems written in raw ASM, n00b.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
"A new videocard (unless you go commodity) is going to run you $300 to $750."
What ripoff shit shop do you buy your shit from?
http://www.pricewatch.com/video_cards/
$160 460GTX.
The 450GTS is only $110 and is barely under the 460 in performance. Still runs everything pretty much smoothly at maximum detail.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I bank with Wells Fargo and after hearing of the data breach, I called to cancel my card. As soon as I mentioned Sony and Playstation, the rep told me that they have been receiving calls all day from Playstation users who are taking similar, proactive measures. In my case, I have a separate card that I use for online transactions, so my exposure was limited, but it is still a PITA to have to go through.
This episode just goes to show how far we are from having a truly secure, digital economy. If a company with the resources that Sony has cannot even store payment information safely, it really dampens the public's enthusiasm for a completely digital payment system.
My question is, why wasn't the information encrypted? Why weren't there access controls in place to prevent people from getting at that data? Why were the two systems linked in such a way that they could be compromised? All of these problems have been solved. Was the system even audited by an outside party?
My company works with Fortune 50 companies and the US government on a regular basis. Our clients expect that we have been subjected to audits by neutral third parties (and we have). We do not even store credit card information like Sony does. How were they not aware of the risks inherent in their architecture?
If people can sue Apple over the location tracking issue, what is Sony's liability like on an issue like this one?
They pissed off some people with a lot of free time. It is too close to the settlement to be a coincidence. It is nice to think that for all the intimidation that their lawyers and endless millions can produce, someone is willing to turn around and say "Oh, yeah?"
But I find that scenario much less likely than this being something they cooked up themselves, to blame on the "pirates" and save some face.
Neither they nor you count as gamers then; Portal 2's requirements are not that steep.
In fact you need to turn in your geek card asap.
Mod up, AC has a point. Pretty much every Sony/PS3/PSN-related article that's been posted, both here and elsewhere, since the start of the Geohot debacle has been rife with the same generic "Geohot is a total douchebag. I don't need to know any details, just look at him!" or "Hackers should all be thrown in jail for life" or "You agreed to the ToS! Nobody can do anything against Sony now!" comments. I know GamesRadar was particularly bad about it but I'm sure there were others too. It's pretty clear that Sony has at least some "reputation preservation agents" working on this matter to try to steer public opinion toward their favour.
There should be a Godwin's law for people who believe the opposing viewpoints are shills for corporations. This is a discussion board. You're going to find people who don't agree with you. If you didn't then that would be a good sign that something odd was going on. Anywhoo Geohot was a total douchebag when he released the key.
How convenient just days after the Geohotz lawsuit... Almost seems coincidental how much that's going to bolster Sony's defense against opening their system up...
Earlier this year, EQ2's records were compromised or something similar. My account was taken over, and a few fake credit cards were added to the account and charged for $50+ things (Mostly StationCash). The "billing" address was obviously fake as the name and address were just random letters. I tried to contact SOE about this, but I got a canned message back asking for information I didn't have. (The last credit card used, which was the fake one, and obfuscated on the account info. As well as a CD-Key for EQ2 which I didn't have because I don't keep my MMO boxes.) Since then my account has been locked and I am unable to log into it. So, somewhat similar to what is going on here, just earlier. Seems their cc verification system is either non-existent or easy to bypass.
Sure it is his fault. He didn't exactly work with Sony on the security problem. Or did he give them a couple of weeks to fix the problem and not tell anyone? I must have missed that part. It seems to me he went and published everything as fast as he could. That he blogged about it, made Youtube videos, and posted the security key on Twitter. Were you one of those twits who posted it on Slashdot? Thanks a lot for that. Your concern for my privacy and respect for property rights are really appreciated. I am sure the hacker who accessed my data did all his own work and did not need it.
There seems to be a big disconnect with all this.
"A different group supposedly used this firmware to get on PSN through the developer networks, and also found that fake credit card numbers were not being validated for game purchases, leading to what chesh called "extreme piracy"
"Sony just posted more details, saying that a massive data breach occurred"
What does the first have to do with the second? The developer networks shouldn't have any access to PSN player information. The developer networks should have their own separate authentication setup and if the PSN login access is required for development, a fake PSN login service should be used (rather than having access to the real service). Checking for valid credit card numbers is trivial. Checking if the details (CC name, CC number, security code) are valid is standard procedure when processing purchases.
Secondly, a massive data breach probably did not occur via consoles. It would be trivial to reverse engineer the login process of a ps3 on the network and then use a standard desktop to login to the PSN and poke around. It would not require any modification or hacking of the console to do so. Even then, chances are that people have been poking around at the PSN infrastructure due to the recent actions of Sony (suing Geohot for hacking the consoles).
What we really need is Sony to come out and say "this is what happened". Chances are that they will blame hacked consoles for it so that they can use it against Geohot (I think that case is still ongoing). "Your honour, hacked consoles have cost us *BILLIONS* of dollars due to their use in hacking our online gaming service which we had to take down for (weeks, months, etc). There is no other way anyone could have gained access to our network (which is served over the internet but noone would be able to fake being a PS3 console to access it). They are also responsible for the loss of thousands of player's personal information. We need to prevent people from doing this and suing this guy into slavery will stop others from even thinking about doing the same!"
Years ago the credit card companies came up with some very stringent rules for retaining credit card info. The fines are high for each card stolen. To be compliant requires regular testing from outside security firms. So either Sony skipped these rules, which wouldn't surprise me, or the security firm is on the hook for this. Although one other option, and more likely, these rules make the industry sound good without actually making anything better.
for fighting for our freedom to use Linux on our PS3s by taking down evil Sony. Now, can you please stop?
"Outdated business models" is code for "I don't like paying for things, but want them anyway"
I knew this was going to happen, as did everyone, when the Geohot settlement hit. I hope they bring it to its knees and force Sony to beg for mercy from anon.
Most computers built within the past 5 years can run it and you can get one of those off Craigslist for LESS than the cost of the PS3.
Again, most of my gamer friends have 5 year old -laptops- which somehow seem to not count as computers in the eyes of most PC gamers. And again, cheaper than the cost of a PS3 doesn't matter to the gamers OP was talking to, their PS3s are already paid for. If you could get a computer that could run Portal 2 for zero dollars, then yes, it would make sense for them.
And that's why it was a stupid suggestion.
... when 70 million cards get cancelled at once?
Watch this Heartland Institute video
Sony: As you sow, so shall you reap or, in the modern vernacular, what goes around, comes around.
I have to wonder if all the people here that have such a hate on for Sony have ever owned and run a business? Or have they been involved with the gaming industry at any point of its development?
When you boil it all down to one thing in gaming, to its essence in it as a business or entertainment, it's all about the game itself. If you don't have "game", you don't have a product and you are done. Stolen Information? We can forgive that, crafting bastards are out stealing from everyone and they need burned for it. But cheaters!? Those we will NEVER tolerate as customers. Face it, Sony knows this and will NOT let their PS3 go down in flames by being shredded by cheaters.
Their head guy also died about a week ago. That might have something to do with this as well, because civilized people will take the proper time to mourn the loss of someone that great in their lives. Personally as nerdraged as I am about this, I keep myself in check, being respectful of those who have lost someone great to them. Not to mention, isn't Sony out of Japan? Could we have a heart? Haven't those people had enough horror for a while? They don't need to worry about their jobs because pissy haxors and angry internet nerds are raging at them.
WTF? Where is our government in all this? I expected them to be dancing all over this like it's the hat in a Mexican hat dance. These fuckers never miss an opportunity to stick their noses into any Internet situation with their "Holy Cow, PROTECT THE WOMEN AND CHILDREN....for the children" shrill rhetoric. Are we seeing them look the other way while Sony, a foreign-based company who competes with our precious Micro$oft, gets hammered?
This is where it goes sideways, so hang the fuck on. This is what our government has had to say about all this shit. ... *crickets* NOTHING. Ok, what is it then with them and I don't want to hear the "we are conducting a thorough investigation". If they aren't all over this like a fat kid on a chocolate cake by now, either they are: a. Retarded and have no clue wtf is going on, which is NOT comforting all things considered. or b. They know, but aren't doing anything for whatever fucked up reasons.
Now I am sure they (Sony) have a PR department or something following internet forums. This issue has been going on a week and forums will catch it first, then a few blogs or sites will comment on it, starting with a trickle and building to a flood the longer this outage keeps up. I suggest they not hide this, for it makes the customers feel excluded and in fact, they should be more transparent. There might be a lot of old school people running Sony still, and for them business is war and an element of trust is always lacking in those who remember the nukes with bitterness.
People complain about "ownership rights" in here, but yet they ignore the ownership rights of Sony. Look, if you don't like their system so much, build your own! With so many people who are obviously so much smarter than them, it shouldn't be such a hard thing, right? You go build a gaming system and keep it secure from hacking cheaters and people who want to take it all apart and then complain that it's not working right. When you have done all of that, I really want to hear what you have to say about all of this.
I feel like I am going to the bank to make a withdrawal and the bank has been robbed and people are cheering the bank robbers on. Well, the bank has no money now and I need some to pay my bills. WTF? Let me say this, this isn't some happy bandit gets the bad guy thing. That isn't how the real world works, mark my words, nothing good will come out of this for anyone.
Take the Red Pill.
Your PS3 is a brick right now. It is obvious that Sony is never going to do what is in your interest. They own the network, they own your hardware, they own the games you try to run. As many crap stories as I hear about consoles you have to ask why continue to take the abuse and just chuck the console in the trash.
If this goes on much longer, we're going to have a plethora of pale-faced zombies roaming the *gasp* outdoors! All the poor souls who have been addicted to online gaming over the PSN are going to have to either sleep or actually go out and get some fresh air. ;)
Seriously though, this could be the biggest loss for Sony. How long does it take before those addicted (or at least a strong habit) to online gaming are broken of it and find other stuff to do and never buy games or play online again?
Sony has purposefully installed rootkits on home PCs. Your scenario of compromise via trusted channels is real, but you've chosen to trust the very people who have already done it in the past. Please do wait for the global mega-corporation to let you know that it is safe to connect to the internet again!
Hitler finds out PSN is down.
"We have an A-Bomb...what more do you want, mermaids?" --I.I. Rabi, speaking in defense of Robert Oppenheimer
I'm certain that the PSN had to be audited as part of PCI-DSS compliance to process credit cards in the volume they had to. I'm sort of shocked that they didn't implement some sort of tokenization to process credit card data, but if they were storing complete card data... weren't they encrypted? If they did encrypt the data, did the hacker steal the keys too? Just how badly was Sony owned, anyway? And if they were just storing this plain text, then they and their auditor are going to have some serious 'splaining to do to the payment card peeps.
They're going to have a long, difficult process ahead of them, with lawsuits, fines, loss of business, customer trust, penalties, processing fee hikes, etc. Might be while they're still down, that they literally CAN'T go back on line until they satisfy an outside QSA that they have their i's dotted and t's crossed. Don't get me wrong, they deserve what they're getting, but if CC info is involved, this becomes the new landmark PCI case. Should be interesting to watch for years.
Like my comments? Try my podcast: http://www.baldmove.com