Slashdot Mirror
PSN Outage Continues, Console Hack Claimed To Be Responsible
Over the weekend, we discussed news that the PlayStation Network had been down for days, with Sony saying little other than that it was caused by an "external intrusion" and that they were "rebuilding their network." Many of you have written to point out that the outage continues, with Sony saying they "don't have an update or timeframe to share at this point." One theory about the cause behind the network's downtime was recently espoused on Reddit by 'chesh,' a moderator at PlayStation-modding enthusiast site PSX-Scene.com. According to him, recently released custom firmware called Rebug allowed people to essentially turn their PS3s into dev consoles, though some features were missing. A different group supposedly used this firmware to get on PSN through the developer networks, and also found that fake credit card numbers were not being validated for game purchases, leading to what chesh called "extreme piracy." He acknowledges that this theory is speculation. Sony's handling of this outage is starting to draw attention from the government. Update: 04/26 20:47 GMT by S : Sony just posted more details, saying that a massive data breach occurred: An "unauthorized person" has PSN users' "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID." Billing address, password questions, and credit card info may also have been taken.
I understand that the slashdot community might be anxious to see the PSN come back up, but do we seriously have to start publishing nothing more substantial than speculation?
Also, I've met Dick Blumenthal. He's a very nice man. However, he is, by no means, "the government", nor does a single letter from a freshman senator constitute "attention from the government".
My postings are informational and does not constitute legal advice. Act on it at your risk.
A one-week outage does not make Xbox live better.
Is there anything that isn't government business anymore?
why is the PSN outage any of the (US?) government's business?
Because Senators are suppose to represent their constituents and the issues they care about (lets leave the vote pandering cynicism discussion as off-topic for now) and his constituents are worried their personal/financial details were compromised in the attack so it makes sense that he would ask Sony whether or not this is the case as he has a better chance of being responded to because he wields more power.
It makes just about anything else better, for a week.
A one-week outage does not make Xbox live better.
Yeah, it's not the outage that makes Xbox live better, it's the external intrusion. Nothing quite like an external intrusion into a company that holds your credit/debit card data to make you wish you could pay for better service.
When one is free and one is paid? That certainly makes uptime LESS of a factor, though I suppose doesn't eliminate it.
Even if Sony offered a pay service, the same would have likely happened. I don't see the validity in your complaint.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
There's the whole fact that it is, you know, actually better. Xbox Live is just about fucking perfect. You can bitch all you want about paying less than a WoW subscription to play all of your console games online, but that doesn't make the PSN even close to XBox Live. PSN always makes me feel like I'm playing multiplayer in 1998. I mean that literally not as a slam. I enjoy games from 1998 still. This may have more to do with the fact that Halo has amazing multiplayer if you are in to the game, and there is a lot of consistency between titles with good matchmaking. As far as I can tell each game has to roll their own for PSN.
If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
Or we are seeing what happens when a company become so arrogant that they don't bother actually locking down this info despite the fact that it would be inevitable that someone would come along and find a backdoor.
Seriously, a 'hacked PS3' being able to do this is pretty much the definition of "Security Design Failure".
Spend hundreds of dollars at least to get a gaming PC, ignore the sunken cost of their PS3s, all to play portal 2 a few days sooner?
I've said it before and I'll say it again: PC fanboys really are the worst.
Disclaimer: I am a PC gamer, and do not have a PS3.
Lets look at two problems with a Japanese company. PSN down and TEPCO's reactor. Both had similar reactions.
Silence, followed by small admissions, followed by admissions its much worse that it appears, followed by more silence, followed by admissions that some members of the public may have been harmed, repeat. No timetables, no estimates.
Is this possibly a Japanese cultural thing?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
If Sony had never removed "other OS" feature, they would never have encountered the focused rage of the entire enthusiast community.
Now, it's possible that the Playstation Network, and possibly the entire PS3 platform, is finished.
You reap what you sow, Sony....
If telephones are outlawed, then only outlaws will have telephones.
This is the company that used a constant instead of a random value to feed a critical encryption algorithm in their flagship product. You really think they understand password security? Even if they hashed the passwords, what do you figure the odds are that they salted, much less peppered, them? Apply rainbow tables and go home happy, since i can't imagine many of the users would have bothered with a particularly secure password.
There's no place I could be, since I've found Serenity...
Yeah, can't you wait until your Blu-Ray player stops working too, every time you want to watch a movie? This is why you can't have "server" verification. Because there's no guarantee the server will be there.
Tell your friend to return the game. It's broken. Get his money back. It's designed to fail.
If telephones are outlawed, then only outlaws will have telephones.
They almost certainly had that info on separate systems. Why else the "Billing address, password questions, and credit card info may also have been taken." disclaimer. If the information had been on the same system they would have been sure. However rather than assume that the information is safe just because it was on a separate server, they're saying that "at the moment we don't know. Please be vigilant until we can give a definite answer".
Bottom line: This can CERTAINLY happen to XBOX Live (or any system hosted on a public network). The fact that it's taking so long to correct is a little disconcerting, but I'd rather they fully correct it then bring a vulnerable system back online.
I'd be surprised if (evil) Microsoft didn't have a much more elaborate and robust system for countering "external intrusions". I'd chalk up their unwillingness to tie into many outside networks (Steam for one) as proof of their caution. With as much money as Live makes for them, they'd be foolish not to protect their cash cow.
(eviler) Sony, on the otherhand, has shown the opposite. With the rootkit on audio CDs, and now this. As well, Sony LOSES money on the playstation network. Their focus is likely on how to make it profitable, not secure.
If you'd rather trust your personal data (including credit/debit card) to the company with a record of security failure, have at it.
Even if Sony offered a pay service, the same would have likely happened. I don't see the validity in your complaint.
Yet, if the same thing happened with XBOX live, Microsoft would have communicated the outage, and an expected uptime. If the downtime was significant, Microsoft would have comped paying subscribers with a free xbox live game. The risk of alienating paying subscribers is a motivating force for communication and haste.
Sony doesn't have this motivation, and what little they've communicated so far comes across as "It'll be done when it's done, and not before. Now leave us alone so we can get this done".
face-saving talk...
if they say "may have been", they mean "definitely has been".
if they say "working around the clock to fix it", they mean "shitting in our pants and yelling at our techies but not authorizing overtime for them".
the mere mention of CC details, and the advice to avoid scammers is basically confirmation.
they're using the same language that TEPCO has been using the last month (not just Japanese).