Slashdot Mirror


PSN Outage Continues, Console Hack Claimed To Be Responsible

Over the weekend, we discussed news that the PlayStation Network had been down for days, with Sony saying little other than that it was caused by an "external intrusion" and that they were "rebuilding their network." Many of you have written to point out that the outage continues, with Sony saying they "don't have an update or timeframe to share at this point." One theory about the cause behind the network's downtime was recently espoused on Reddit by 'chesh,' a moderator at PlayStation-modding enthusiast site PSX-Scene.com. According to him, recently released custom firmware called Rebug allowed people to essentially turn their PS3s into dev consoles, though some features were missing. A different group supposedly used this firmware to get on PSN through the developer networks, and also found that fake credit card numbers were not being validated for game purchases, leading to what chesh called "extreme piracy." He acknowledges that this theory is speculation.

Sony's handling of this outage is starting to draw attention from the government.

Update: 04/26 20:47 GMT by S: Sony just posted more details, saying that a massive data breach occurred: An "unauthorized person" has PSN users' "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID." Billing address, password questions, and credit card info may also have been taken.


  1. Speculation by Sonny+Yatsen · · Score: 4, Insightful

    I understand that the slashdot community might be anxious to see the PSN come back up, but do we seriously have to start publishing nothing more substantial than speculation?

    Also, I've met Dick Blumenthal. He's a very nice man. However, he is, by no means, "the government", nor does a single letter from a freshman senator constitute "attention from the government".

    --
    My postings are informational and do not constitute legal advice. Act on it at your risk.
    1. Re:Speculation by ThePhish · · Score: 5, Informative

      You are correct, he is not the government...but he was CT's Attorney General for 20 years, and has long championed consumer rights and technology. So, him picking this battle as a freshman senator is technically accurate, but it does not reflect his multi-decade experience in the arena.

    2. Re:Speculation by Anonymous Coward · · Score: 4, Informative

      Well, here's some "speculation" from Patrick Seybold // Sr. Director, Corporate Communications & Social Media.

      http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

      "... an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

      Looks pretty bad to me. Anybody that reads and understands the above will never provide their real name or birthdate to a corporation online again. Ever.

  2. Re:There's some karma for you, Mikey by tripleevenfall · · Score: 4, Insightful

    A one-week outage does not make Xbox live better.

  3. Re:government? by tripleevenfall · · Score: 4, Insightful

    Is there anything that isn't government business anymore?

  4. Re:There's some karma for you, Mikey by xMrFishx · · Score: 5, Funny

    On the other hand, PSN can't actually get worse by being down.

  5. Re:government? by kevinNCSU · · Score: 5, Insightful

    why is the PSN outage any of the (US?) government's business?

    Because Senators are supposed to represent their constituents and the issues they care about (let's leave the vote pandering cynicism discussion as off-topic for now) and his constituents are worried their personal/financial details were compromised in the attack so it makes sense that he would ask Sony whether or not this is the case as he has a better chance of being responded to because he wields more power.

  6. Re:There's some karma for you, Mikey by Anonymous Coward · · Score: 4, Insightful

    It makes just about anything else better, for a week.

  7. Valve by bazald · · Score: 5, Interesting

    It would be nice to be able to activate the PC version included with my PS3 copy of Portal 2. You're in a somewhat unique position to improve matters, given that you were planning to make the PC version available to us anyway.

    --
    Insert self-referential sig here.
  8. Theory, speculation, bullshit. by ToasterMonkey · · Score: 4, Interesting

    One theory about the cause behind the network's downtime was recently espoused on Reddit by 'chesh,' a moderator at PlayStation-modding enthusiast site PSX-Scene.com. According to him, ... [snip]
    He acknowledges that this theory is speculation.

    Slashdot should change its moniker to "Jerry Springer for Nerds". All that's missing is a video feed of some grimy sweat pants wearing nerds furiously typing away virtual beatdowns over who got whose virtual girlfriend knocked up.

    This whole "new media" thing is unconvincing.

  9. Re:There's some karma for you, Mikey by Bobfrankly1 · · Score: 4, Insightful

    A one-week outage does not make Xbox live better.

    Yeah, it's not the outage that makes Xbox live better, it's the external intrusion. Nothing quite like an external intrusion into a company that holds your credit/debit card data to make you wish you could pay for better service.

  10. Re:There's some karma for you, Mikey by omnichad · · Score: 3, Insightful

    When one is free and one is paid? That certainly makes uptime LESS of a factor, though I suppose doesn't eliminate it.

  11. Re:There's some karma for you, Mikey by nschubach · · Score: 4, Insightful

    Even if Sony offered a pay service, the same would have likely happened. I don't see the validity in your complaint.

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  12. Official word from Sony finally by ShaggusMacHaggis · · Score: 5, Informative

    "We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.

    Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

    http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

  13. Re:Sony's Silence says it all by Goffee71 · · Score: 5, Informative

    Oh, Sony takes that very minute to make full confession:

    Press the NUKE button now!

    Thank you for your patience while we work to resolve the current outage of PlayStation Network & Qriocity services. We are currently working to send a similar message to the one below via email to all of our registered account holders regarding a compromise of personal information as a result of an illegal intrusion on our systems. These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity including online gaming and online access to music, movies, sports and TV shows. We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week.

    We’re working day and night to ensure it is done as quickly as possible. We appreciate your patience and feedback.



    Valued PlayStation Network/Qriocity Customer: We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

    Temporarily turned off PlayStation Network and Qriocity services; Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

    We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable. Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. 
    To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it: U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228. We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. res

    --
    If he's the Walrus then can I be a penguin please?
  14. Forget CC#s, there is a worse scenario by Mysteray · · Score: 4, Interesting

    I'd written a blog post speculating about a worst-case scenario involving attackers using the leaked firmware signing keys to push a malicious firmware update from Sony's compromised backend servers. Personally, I've disconnected my PS3 from the network until the all-clear sounds from Sony.

  15. Re:And everyone was saying hacking their ps3 was o by Chyeld · · Score: 4, Insightful

    Or we are seeing what happens when a company becomes so arrogant that they don't bother actually locking down this info despite the fact that it would be inevitable that someone would come along and find a backdoor.

    Seriously, a 'hacked PS3' being able to do this is pretty much the definition of "Security Design Failure".

  16. Cultural effect? by vlm · · Score: 3, Insightful

    Let's look at two problems with a Japanese company. PSN down and TEPCO's reactor. Both had similar reactions.

    Silence, followed by small admissions, followed by admissions it's much worse than it appears, followed by more silence, followed by admissions that some members of the public may have been harmed, repeat. No timetables, no estimates.

    Is this possibly a Japanese cultural thing?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Cultural effect? by manaway · · Score: 3, Insightful

      Let's look at every problem with any company. (E.g. BP Oil spill, Three Mile Island, TEPCO's reactor, Sony's rootkit, Exxon Valdez, Apple's antenna, Microsoft's uhhh everything, various companies' spinach, peanuts, milk, salmonella in meat, etc.) They all have similar reactions.

      Silence, followed by small admissions, followed by admissions it's much worse than it appears, followed by more silence, followed by admissions that some members of the public may have been harmed, repeat. No timetables, no estimates.

      Is this possibly a corporate thing?

      Answer: yes

    2. Re:Cultural effect? by foetusinc · · Score: 4, Informative

      Yes - the Japanese as a rule will not speculate on worst case scenarios the way westerners do. They will say what they know has happened or is wrong, not what could be wrong or might have happened. This is often perplexing to both sides, so that they'll think we're being hyperactive or paranoid, and we'll assume they're being obfuscatory or secretive.

    3. Re:Cultural effect? by doctor_no · · Score: 3, Insightful

      Sorry, but this is plain racist.

      We've had industrial accidents in the West as well, as systems that have been hacked into. BP is the most recent example, and Union Carbide's Bhopal disaster is another (which killed 3,700 people and injured close to half a million). Cover ups, slow-response, not very unique to one country or company.

      None of it is a "cultural thing". In fact, Sony isn't very Japanese these days, it's run by a British-born American, and Western executives pull a lot of sway, especially in the music division, movie studios and Playstation division where a lot of it is centered in the US. Their phone division is split with Ericsson, their music division with Germany's BMG.

  17. If Woody had gone straight to the police... by tekrat · · Score: 3, Insightful

    If Sony had never removed "other OS" feature, they would never have encountered the focused rage of the entire enthusiast community.

    Now, it's possible that the Playstation Network, and possibly the entire PS3 platform, is finished.

    You reap what you sow, Sony....

    --
    If telephones are outlawed, then only outlaws will have telephones.
  18. Re:Take note by afidel · · Score: 4, Interesting

    Nope, all personal data stored with your PSN account has been compromised. It's taken this long for the forensic team to verify what people suspected. Everything including name, address, birth date, the answers to your account reset questions (used by *many* sites), email address, and *passwords* (haven't they heard of a f'ing hash!). Obviously Sony has a worst case scenario here and they wanted to be absolutely sure it was as bad as they feared before coming forward. This probably means legal trouble for them in the EU, and it might actually get Congress off their arse to enact some privacy legislation.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  19. Re:There's some karma for you, Mikey by GNious · · Score: 3, Funny

    Even if Sony offered a pay service[...].

    They should make one ... call it Playstation Plus or something ....

  20. Re:Take note by cbhacking · · Score: 3, Insightful

    *passwords* (haven't they heard of a f'ing hash!)

    This is the company that used a constant instead of a random value to feed a critical encryption algorithm in their flagship product. You really think they understand password security? Even if they hashed the passwords, what do you figure the odds are that they salted, much less peppered, them? Apply rainbow tables and go home happy, since I can't imagine many of the users would have bothered with a particularly secure password.

    --
    There's no place I could be, since I've found Serenity...
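
The point about hashing, salting and peppering raised in the reply above and in the "Take note" comment it quotes, shown as an added example (not part of the thread and not Sony's code). The passwords, pepper and function names are constructed for illustration, and PBKDF2-HMAC-SHA256 with an HMAC pepper is one assumed way to implement the scheme:

```python
import hashlib
import hmac
import os

# Constructed sample data, not real credentials.
COMMON_PASSWORDS = ["123456", "password", "letmein", "playstation"]


def unsalted_hash(password):
    """Weak storage: a bare digest, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed digest -> password map, a small stand-in for a rainbow table."""
    return {unsalted_hash(p): p for p in candidates}


def table_hits(stored_hex_digests, table):
    """Return every password recovered by plain lookup in a precomputed table."""
    return [table[d] for d in stored_hex_digests if d in table]


def hash_password(password, pepper, salt=None, iterations=200_000):
    """Hardened storage: per-user random salt plus a server-side pepper.

    The salt is stored next to the digest and makes each record unique, so one
    precomputed table cannot cover the database. The pepper is a secret key
    kept outside the database (hypothetical: config or HSM), so a dump of the
    user table alone is not enough to start guessing offline.
    """
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record, pepper):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, pepper, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate["digest"], record["digest"])


if __name__ == "__main__":
    pepper = os.urandom(32)  # constructed; in practice loaded from outside the DB
    table = build_lookup_table(COMMON_PASSWORDS)

    # Two users who picked the same weak password.
    weak_rows = [unsalted_hash("letmein"), unsalted_hash("letmein")]
    print("unsalted rows identical:", weak_rows[0] == weak_rows[1])
    print("recovered by lookup:", table_hits(weak_rows, table))

    strong_rows = [hash_password("letmein", pepper) for _ in range(2)]
    print("salted rows identical:",
          strong_rows[0]["digest"] == strong_rows[1]["digest"])
    print("recovered by lookup:",
          table_hits([r["digest"].hex() for r in strong_rows], table))
    print("correct password verifies:",
          verify_password("letmein", strong_rows[0], pepper))
```
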
  21. Evils of DRM by tekrat · · Score: 5, Insightful

    Yeah, can't you wait until your Blu-Ray player stops working too, every time you want to watch a movie? This is why you can't have "server" verification. Because there's no guarantee the server will be there.

    Tell your friend to return the game. It's broken. Get his money back. It's designed to fail.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  22. Re:I am not a security expert by tao · · Score: 3, Insightful

    They almost certainly had that info on separate systems. Why else the "Billing address, password questions, and credit card info may also have been taken." disclaimer. If the information had been on the same system they would have been sure. However rather than assume that the information is safe just because it was on a separate server, they're saying that "at the moment we don't know. Please be vigilant until we can give a definite answer".

  23. Re:There's some karma for you, Mikey by Seumas · · Score: 3, Informative

    Sony does offer a paid service. It's called PSN Plus and it's $60/yr. It's the same service with discounts on a few download titles plus automatic patch downloading.

    Having a paid service wouldn't make it any better, anyway. They're not a little startup. It's Sony. I'm pretty sure they can bootstrap a service on their own dime without a significant impact to the bottom line. Especially when it's used to bolster the userbase for their mainline product.

    Also, don't forget when XBOX Live had an outage for . . . a week? Or was it even longer?

    Of course, that was an outage. Not a complete failure of all security measures.

  24. Re:There's some karma for you, Mikey by Seumas · · Score: 4, Interesting

    Sony does offer a paid service and it is identical to the free one, except it offers discounts on some downloadable games and automated patch downloads. It's called PSN Plus. PSN Plus users are also down right now and they are also part of the same data breach. So, the paid service is identical to the free service and the paid service is just as insecure as the free service.

  25. Re:There's some karma for you, Mikey by Bobfrankly1 · · Score: 3, Insightful

    Bottom line: This can CERTAINLY happen to XBOX Live (or any system hosted on a public network). The fact that it's taking so long to correct is a little disconcerting, but I'd rather they fully correct it than bring a vulnerable system back online.

    I'd be surprised if (evil) Microsoft didn't have a much more elaborate and robust system for countering "external intrusions". I'd chalk up their unwillingness to tie into many outside networks (Steam for one) as proof of their caution. With as much money as Live makes for them, they'd be foolish not to protect their cash cow.
    (eviler) Sony, on the other hand, has shown the opposite. With the rootkit on audio CDs, and now this. As well, Sony LOSES money on the playstation network. Their focus is likely on how to make it profitable, not secure.
    If you'd rather trust your personal data (including credit/debit card) to the company with a record of security failure, have at it.

  26. Re:There's some karma for you, Mikey by Tetsujin · · Score: 4, Funny

    you might as well. The cognitive dissonance could be hilarious to watch!

    I don't know, I wouldn't do it if you value him as a friend at all. A friend of mine is a big PS3 fan and I told him, look, there's no way PS3 can be the best when they have this sort of outage. It threw him into some kind of crazy logic-loop, and he started beeping and asking for someone named "Norman" to straighten things out for him...

    --
    Bow-ties are cool.
  27. Re:There's some karma for you, Mikey by dissy · · Score: 3, Informative

    Parent never once mentioned Xbox Live (Or any service) was better, so that wasn't an argument being made to need a response about which was better.

    His entire post was a complaint about Sony fanbois who can't stop talking about how great Sony is.

    They also charge a monthly fee, just sayin'.

    Just like that :P

  28. Re:There's some karma for you, Mikey by chaboud · · Score: 3

    The fact that my password and credit card number have been pwned sort of screws the PSN in my eyes.

  29. Re:There's some karma for you, Mikey by mug+funky · · Score: 4, Insightful

    face-saving talk...

    if they say "may have been", they mean "definitely has been".

    if they say "working around the clock to fix it", they mean "shitting in our pants and yelling at our techies but not authorizing overtime for them".

    the mere mention of CC details, and the advice to avoid scammers is basically confirmation.

    they're using the same language that TEPCO has been using the last month (not just Japanese).

  30. Re:There's some karma for you, Mikey by Daniel+Phillips · · Score: 3, Interesting

    The fact that my password and credit card number have been pwned sort of screws the PSN in my eyes.

    And of course you feel completely safe in Microsoft's hands, the company with a long and glorious history of high profile fiascos like the all-day trading outage on the London Stock Exchange or turning a modern Navy frigate into a floating barge

    --
    Have you got your LWN subscription yet?