77 Million Accounts Stolen From Playstation Network
Runaway1956 was one of many users to continue to update us about the intrusion we've been following this week.
"Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony's stunning admission came six days after the PlayStation Network was taken down following what the company described as an 'external intrusion'. The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony's related Qriocity network."
steals everything.
Seriously? They were storing passwords in a way that could be unencrypted?
I have on occasion lamented that I did not get involved with online gaming. Well maybe it was for the best. As we know the gaming where you run around killing and maiming and destroying promotes good character.
How's that online requirement DRM working out for you guys?
skynet is trying to steal my identity!
They're calling it an "unexpected mass friendship opportunity."
Gee, Sony just catch a break lately. I'm wondering if they are going to be asked to appear before the US Senate to explain their actions, just like Apple and Google? I think this is a little more serious than just tracking my phone location.
It amazes me that a company as large and established as Sony would make such a boneheaded move as storing sensitive information in plaintext. Passwords and answers to secret questions should always be hashed. Credit card information and other sensitive information should be encrypted (preferably AES-256 or stronger).
I posted this in the last thread, but PSN users are already seeing their credit cards being fraudulently used!
So if you're affected, CANCEL YOUR CARD!
It's not a possibility anymore, it's a certainty.
Barack Obama finally released his birth certificate. The "born in kenya" theories seemed pretty far-fetched, yet plausible. I'm glad he finally cleared that up. He's still incompetent, but at least he was born in the US.
Sony tried to prevent the release of custom firmware due to concerns that it could be used for things other than running Linux or homebrew. Perhaps there is some validity to those concerns.
You did not lose your identity, you gained additional account holders!
If only this were enough to ban Sony and their 'products' from N.A....they more than deserve it.
I reckon Sony aren't the only ones who are dumb enough to not encrypt user details. I've worked for several companies who don't encrypt their employee data and I could read the lot (not that I cared).
I do wonder though if the hackers were interested in the user details or if they simply wanted to download Mass Effect 2 for nothing...
http://anonnews.org/?p=press&a=item&i=848
It isn't identity theft, it's identity loaning. You know, like what you do to our games. That'll teach you to pirate. /sony
Massively Unexpected Online Identity Theft.
I think the fact Sony has left the PSN in a completely disabled state for the past week could hint at some internal problems with disaster recovery. Their servers have been compromised and can no longer be trusted. In my world, that's a perfect time to re-build your systems from a pristine backup. So why doesn't Sony patch the vulnerability and deploy new servers? Perhaps it's because they don't have any good backups to restore from..
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
And now they are raped right in the ass by big anonymous buba.
Just what they deserve.
First owned private keys, now owned PSN, which, I remind you, is the sole reason for updating the firmware
which removes the OtherOS option.
Right in the ass, Sony! I really like that
That what you get when you take our OS out!
Huge kudos to hackers that did it (And I hope have strong enough balls not to brag about that)
More interesting to me than how the intrusion occurred or how lax Sony's security practices are will be what the public backlash level is like. IT security departments tend to whip up a frenzy with the potential for "end of the company" concerns for data breaches on a regular basis. However, reality is that data loss doesn't always seem to have a particularly negative effect for the company that loses the information. Point in example would be the TJX data loss - http://it.slashdot.org/story/07/03/29/1618239/TJX-Is-Biggest-Data-Breach-Ever. Somehow this hardly seems to have put a dent in corporate profits. TJX's stock is up 100% since 2006 when the breach occurred. http://www.google.com/finance?q=tjx Point being is, if nothing seriously negative happens to Sony then it's no wonder that firms continue to have poor security practices. After all, why bother spending the effort and money to secure data when there is no return on the investment?
We're at the point where consoles have achieved parity with personal computers in all ways except freedom. Which begs the question, why not go back to personal computers for gaming? It's ironic, but for most games that come out on consoles a keyboard and mouse are the superior input solution, and you can do a lot more with a computer besides.
The whole situation brings to mind a discussion I had about information security the other day at the bakery. Ten years ago, who even thought you could play music on a computer? And now look at things. We need to get to a point where instead of using credit card information for transactions we use tokens instead -- that way, if someone gets into a database, they end up with a whole bunch of tokens instead of credit cards. Good luck using tokens anywhere else, they don't take em. Or maybe we should go back to paper for billing.
Anyway, computers are conclusively better if only for the fact that you can play MP3s while you game. That rules.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
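The tokenization idea in the post above, as an added example that is not part of the original thread and not any payment processor's code: the real card number lives only in a vault, the merchant stores a random token bound to that merchant, and a dump of the merchant's table contains nothing usable elsewhere. The class and function names, and the card numbers, are constructed for the demo.

```python
import re
import secrets

# Added example, not Sony's or any payment processor's code. A minimal card
# tokenization vault: the real card number (PAN) is stored only in the vault,
# each merchant keeps an opaque token, and a token is bound to the merchant it
# was issued to. Card numbers below are constructed test values.

PAN_RE = re.compile(r"\b\d{13,19}\b")


class TokenVault:
    def __init__(self):
        self._entries = {}   # token -> (merchant_id, pan)
        self._issued = {}    # (merchant_id, pan) -> token, so repeat customers reuse a token

    def tokenize(self, merchant_id, pan):
        key = (merchant_id, pan)
        if key not in self._issued:
            # Random token: it carries no information about the PAN, so it
            # cannot be reversed and a leaked token table is just noise.
            token = "tok_" + secrets.token_hex(16)
            self._entries[token] = key
            self._issued[key] = token
        return self._issued[key]

    def charge(self, merchant_id, token, amount_cents):
        """Return True if the charge is accepted. A real vault would forward the
        PAN to the card network here; this one only checks the binding."""
        entry = self._entries.get(token)
        if entry is None or entry[0] != merchant_id or amount_cents <= 0:
            return False
        return True


def merchant_database_after_breach(vault, merchant_id, customers):
    """What an attacker dumps from a merchant that stores tokens:
    (customer, token) rows with no PAN in them."""
    return [(name, vault.tokenize(merchant_id, pan)) for name, pan in customers]


def contains_card_numbers(rows):
    return any(PAN_RE.search(str(field)) for row in rows for field in row)


def demo():
    vault = TokenVault()
    customers = [("alice", "4111111111111111"), ("bob", "5500000000000004")]
    dump = merchant_database_after_breach(vault, "psn-store", customers)

    stolen_token = dump[0][1]
    return {
        "pan_in_dump": contains_card_numbers(dump),
        "reuse_at_other_merchant": vault.charge("other-shop", stolen_token, 999),
        "replay_at_issuer": vault.charge("psn-store", stolen_token, 999),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would want: the dump is useless at any other merchant, but the token still works through the merchant it was issued to, so an attacker who also steals that merchant's API credentials can charge it there. Tokenization shrinks what a database leak is worth; it does not replace protecting the merchant's own channel to the vault.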
I wonder if Sony regrets waving the red flag. http://news.cnet.com/8301-13506_3-20050310-17.html. Anybody heard from geohotz in the last few days?
The most rational thing to do is to assume that all your online accounts are compromised. How many accounts are secretly compromised? How long until your passwords are dumped to some hackers hard drive?
After the LifeHacker attack, I've moved to a very complicated password system. Each online account gets its own password, usually 15 characters long, comprising a random series of special characters, uppercase, lowercase, and numbers. These passwords are stored in my wallet, and do not exist digitally anywhere except the particular website. The card in my wallet is basically a business card with random characters all over it. I memorize the location of the password, and how long it is, per website. To log in, I pull out my card, and read across while typing in the password.
The plan is to replace the card every four years and change all my passwords on all the websites.
No duplicate passwords are ever used. The "secret questions" are always answered with random gibberish.
The most annoying thing is websites that restrict the length of your password, or the number of a particular sort of character... it forces me to search through my card to find a series that fits the criteria.
CAPTCHA: intrude, lol
sony is never going to do what is in the users interest.
The only reason it probably hasn't happened yet is their system is hacker-resistant, being based on COBOL and 9-track tapes. IRS and SS both have legacy systems.
77 million users' personal data and potentially credit card data now in the hands of hackers, and they wait a week to come clean about it??!!!! There's really no reason Sony should store credit card info anyway. I'll gladly deal with the "minor" inconvenience of having to type it in every time rather than trust some company to take care of my data. Laws should be created that limit the types of personal data a company can store on its customers to the minimum required for the transaction, and how long they can keep the data they are allowed to store. Otherwise we'll keep seeing these types of breaches over and over.
Is 77 million all the accounts? If not, are they telling the people specifically if their accounts got hacked?
There really has to be an overhaul of the whole SSN identification system. Pretty soon everyone will have had their information stolen in one form or another. Just entering my SSN in Google up until a couple of years ago, I saw hundreds of public records of my information. This is old news and nothing is being done against corporations/institutions like this in return.
Going back to the thread....First Texas and now this? Insane!
I had already planned on not purchasing anything from them again, but I already had a PS3 and I do enjoy playing games online. But now my credit card info is at risk because of their poorly secured network. If I can help it, Sony is never getting another penny from me. Fuck Sony.
This is Sony we're talking about - they will of course have installed a rootkit in the data... ;)
THE HONOUR OF THE KNIGHTS - CC Licensed Sci-Fi Novel
There are two schools of thought here...
If the password is stored as a hash on the server, then it is more resistant to attacks against the storage of the server. However, this does require the password be transmitted over the wire in one way or another on every connection. A man-in-the-middle attack with IP spoofing or DNS cache poisoning has a non-trivial shot at compromising the password.
If the password is stored 'in the clear' on the server side and you treat the password as a shared secret, then *if* you design the authentication right, you render man in the middle infeasible, with the tradeoff that a storage attack is a large exposure. A common scheme is to have the client take a packet, concatenate it with the password, calculate a hash, then strip the password before transmitting. The server then repeats the calculation and only accepts the payload if the secret matches. Usually, server responses are protected the same way, meaning only the server you *meant* to talk to can meaningfully respond, because it needs your password to calculate correct hash responses.
All that said, it's also entirely likely that Sony has crypted hash passwords, but it's safer to say 'your password is compromised', because of how many users have passwords like 'yourmom65' rendering the hashing pointless.
XML is like violence. If it doesn't solve the problem, use more.
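The shared-secret scheme described in the post above, written out as an added example (not Sony's protocol and not code from the thread): the server keeps the password itself, every message in both directions carries an HMAC keyed with the password, a fresh server nonce makes each request single-use, and the password never crosses the wire. The class names, the user and the payloads are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Added example, not Sony's protocol: the shared-secret scheme from the post.
# The server stores the password in the clear (that is the trade-off the post
# names), both sides tag messages with HMAC(password, ...), and a server nonce
# stops replay. Usernames, passwords and payloads are constructed for the demo.


def tag(password, direction, username, nonce, payload):
    msg = b"\x00".join(p.encode() for p in (direction, username, nonce, payload))
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, users):
        self.users = users        # username -> password, in the clear
        self.pending = set()      # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.pending.add(nonce)
        return nonce

    def handle(self, username, nonce, payload, client_tag):
        """Return (response, server_tag), or None if the request is rejected."""
        password = self.users.get(username)
        if password is None or nonce not in self.pending:
            return None                      # unknown user, or replayed/forged nonce
        self.pending.discard(nonce)          # each nonce is good for one request
        if not hmac.compare_digest(client_tag, tag(password, "C", username, nonce, payload)):
            return None                      # payload or tag altered in transit
        response = "ok:" + payload
        return response, tag(password, "S", username, nonce, response)


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def request(self, nonce, payload):
        return payload, tag(self.password, "C", self.username, nonce, payload)

    def verify(self, nonce, response, server_tag):
        return hmac.compare_digest(server_tag, tag(self.password, "S", self.username, nonce, response))


SERVER = Server({"gamer": "yourmom65"})
CLIENT = Client("gamer", "yourmom65")


def honest_exchange():
    nonce = SERVER.challenge()
    payload, t = CLIENT.request(nonce, "buy:game-42")
    result = SERVER.handle("gamer", nonce, payload, t)
    return result is not None and CLIENT.verify(nonce, *result)


def tampered_in_transit():
    """A man in the middle rewrites the payload but cannot recompute the tag."""
    nonce = SERVER.challenge()
    _, t = CLIENT.request(nonce, "buy:game-42")
    return SERVER.handle("gamer", nonce, "buy:game-42;gift-to:attacker", t) is None


def replayed_request():
    nonce = SERVER.challenge()
    payload, t = CLIENT.request(nonce, "buy:game-42")
    first = SERVER.handle("gamer", nonce, payload, t)
    second = SERVER.handle("gamer", nonce, payload, t)   # same nonce presented again
    return first is not None and second is None


def impostor_server():
    """A host reached via DNS poisoning that lacks the password can answer,
    but cannot produce a response tag the client will accept."""
    nonce = os.urandom(16).hex()
    payload, _ = CLIENT.request(nonce, "buy:game-42")
    response = "ok:" + payload
    forged_tag = tag("wrong-guess", "S", "gamer", nonce, response)
    return not CLIENT.verify(nonce, response, forged_tag)
```

Note what the server holds: the password itself, for every user. That is precisely the storage exposure the post trades away, and in a breach like the one in this story it would hand the attacker the same thing plaintext storage does.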
This is the exact reason I do not use online services that involve real money or that require real ID (like Facebook). I know I am probably missing out on a lot of games and stuff, but I don't care. All I have is an online banking thing for which you need a physical key generator even if you know all the rest of the personal ID. To this day I have never used real information for email signups and other accounts. I keep all my important data stored safely locally (as in NOT a cloud/online storage service) on DVDs, and in some cases I burn double backups in case one fails. Hard disks that are thrown away are securely wiped, and then smashed into the ground 2-3 times for good measure. It's nice to know that in case for some reason I don't have internet, I won't really be affected. All my games and data are present. Even if you steal my wallet or cellphone and find my old disks, you won't get very far!
Sony is a hardware company, not a software one, so that's why the keys are in hardware and not software.
What else explains peoples' insistence on giving money to this company of greedy bozos?
Top eight lies of history:
8) "No, really, just the Sudetenland. C'mon, guys, you won't even miss it." -- Adolf Hitler
7) "Don't worry, honey, I'm on the Pill." -- Your girlfriend
6) "See this bitchin' chemical weapons factory on wheels?" -- Colin Powell
5) "There will be cake after the test." -- GlaDOS
4) "The check's in the mail. Seriously, man, you don't have to do that..." -- You, when the electric company finally sends someone around with a pair of wire cutters
3) "No, seriously, guys, I swear, he was in here. Ask Pete! I saw Nick and Joe bring him in on Friday, and now there's nobody here. It doesn't even smell all that bad. What?" -- St. John
2) "Duke Nukem Forever will ship by Christmas 2002." -- George Broussard
1) "We loooooove our customers. Customers! Customers! Customers! It's all about customer service! We would never do anything to harm our customers' interests, take away their rights, or otherwise throw knives at their backs." -- Sony
From Alan Calder's blog: Why was Sony storing credit card numbers? http://www.alancalderitgovernanceblog.com/2011/04/out-of-an-abundance-of-caution/
Where does this story get its data from. 77 Million accounts stolen is ambiguous and downright shoddy journalism. The better headline might be
"77 Million PSN Accounts information has been stolen", but this number is the total amount of registered users and does not reflect the number of affected users, as this information is currently unavailable. Please research before opening your mouth and spilling fear mongering false information.
Its bad for most gamers.
Seriously, how many times does Sony need to fuck over consumers before they stop buying their products? If you bought a Sony product and they fucked you over, why are you surprised? They do something like this every year!
Whilst I have read a lot of people pointing fingers at Sony and jeering them for this breach, some of the more savvy commentators are now asking how safe ANY online data really is.
Suppose you really did have a situation where the user's personal details and CC data were encrypted. Would you actually just put a press release along the lines of:
"Yeah, we got hacked. The hacker downloaded 77 million account details, all of which was AES secured. Nothing to see here, move along."
Or, would you tell people to delete their CC details and change their password anyway..?
I'm not saying that encryption is pointless, but it feels like the reasonable action would still be to err on the side of caution.
In a situation like this, there's no knowing how far the criminal underworld might be willing to go to attempt to crack the data wide open. Some might already employ massive server farms for this very purpose.
Was the sensitive information deleted from Sony's system, denying them access to it? If not, how is that stealing? I thought the People of Slashdot were against calling it "stealing" when information is merely duplicated without taking access away from the original holder?
Cool. I'm sure to be lost in the crowd.
So what are the ramifications for Sony if they violated PCI standards?
"- If you wanted to play any of the games online, you had to have a PSN account. Which meant you had to provide a credit card whether you were ever going to buy anything or not."
Completely wrong. I have a PSN account and never, ever gave them credit card info.
In a world with plenty of well understood crypto schemes like public-private key systems where you can prove yourself without a shared secret... why the hell do we trust so much of our wealth with a trivial to see/copy account number being tossed around like crazy?
The mp3 has been around since the mid 90s and plenty of other simpler formats were around before that. Macs were doing 8 bit PCM music back in the late 80s and if you want to be pedantic about it synthesized music on a personal computer has been around since the 8 bits days in the early 80s.
I went to log in to PSN today to see which security questions I had picked and answered so that I could blacklist them from other sites and ... I can't get in to check it. Not helpful at all. Fix the holes and at least put it back up in a read-only mode. It has been years since I signed up for OR used PSN ... so I have utterly no clue what information I had there.
Cancelled my card last night. I hope sony gets the q's sued of it for this.
Sufficient information to steal my identity so that I can BUY their services?
All Sony should have is my payment each month and some security questions I can choose the answer to.
Sony hasn't warned me of anything, and I know they have my correct email address attached to my PSN account. I am getting all of my information from 3rd parties. That irritates me more than their getting hacked in the first place. And yes, I canceled the credit card attached to my PSN account yesterday.
Time to Short Sony Stock!!!! :-)
You cannot do mutual authentication if the server doesn't know your password. And if it only has a hash, it doesn't know your password.
Additionally, Sony didn't say they were storing passwords in a way that could be unencrypted. It may be that losing the hashes is considered a severe enough incident to report that your password was compromised. Many security experts would agree with this, as even with hashes a breach exposes common passwords, which can be easily found through brute forcing a short list of common passwords or rainbow tables as applicable. See the Gawker incident for a case of this.
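An added example (not Sony's code, not code from the thread) for two points raised above: the earlier post's advice that passwords and secret-question answers should be stored as hashes, and this post's observation that a leaked hash table still gives up common passwords to a short word list or a precomputed table. It stores the same constructed users both ways, then runs a word-list attack against each table and counts the hash evaluations the attacker needs. Usernames, passwords and the word list are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example (not Sony's code): salted, slow password hashing beside fast
# unsalted hashing, and a word-list attack run against a leak of each.
# Users, passwords and WORDLIST are constructed for the demo.

WORDLIST = ["password", "123456", "yourmom65", "qwerty", "letmein"]


def unsalted_sha1(password):
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_scrypt(password, salt=None):
    """The stronger scheme: per-user random salt plus a memory-hard KDF.
    Stored form is 'salt_hex$hash_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_scrypt(password, stored):
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def crack_unsalted(table, wordlist):
    """Hash the word list once (a lookup/rainbow table) and match every user
    against it. Returns (cracked, hash_evaluations)."""
    lookup = {unsalted_sha1(word): word for word in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def crack_salted(table, wordlist):
    """With per-user salts nothing can be precomputed: every candidate must be
    hashed again for every user, and each hash is deliberately slow."""
    cracked, work = {}, 0
    for user, stored in table.items():
        for word in wordlist:
            work += 1
            if verify_scrypt(word, stored):
                cracked[user] = word
                break
    return cracked, work


USERS = {"alice": "yourmom65", "bob": "letmein", "carol": "Tr0ub4dor&3-not-in-list"}


def leaked_tables():
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: salted_scrypt(p) for u, p in USERS.items()}
    return weak, strong


def demo():
    weak, strong = leaked_tables()
    weak_cracked, weak_work = crack_unsalted(weak, WORDLIST)
    strong_cracked, strong_work = crack_salted(strong, WORDLIST)
    return {
        "weak": (weak_cracked, weak_work),
        "strong": (strong_cracked, strong_work),
        "verify_ok": verify_scrypt("letmein", strong["bob"]),
        "verify_bad": verify_scrypt("letmein1", strong["bob"]),
    }


if __name__ == "__main__":
    print(demo())
```

Both tables give up "yourmom65" and "letmein": salting and a slow KDF do not rescue a password that is on the list, which is exactly why telling every user to change their password is the right call even if Sony did hash. What they change is the economics: the unsalted table is cracked for all users with one pass over the word list, while the salted table costs a full word-list pass per user and each evaluation is deliberately expensive. The password that is not on the list survives either way.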
You have sued hotz, harassed those who modded/jailbroke your devices, suppressed hotz, and .....
'some' people basically handed your ass over to you in a different fashion ?
in the end, it seems you have annoyed far more dangerous circles in the internet hacker underground than the jailbreakers/mod hackers.
enjoy. and next time, remember that it is not good to treat people like cattle, and suppress/repress them.
You still put your real data into anything that doesn't actually need it (e.g. if you want something delivered, you obviously need to put in your real address) ?
Seriously?
Have they sent everyone to dumb school?
The first rule of privacy is to not give people your data. Unless you understand why they need it. Very, very few online services need your birthdate, for example. I always put in a fake one (always the same, so it's easy to remember). Same for address and practically anything where I don't understand what they need it for but they insist on having it.
The second rule, of course, should be that companies shouldn't request and store data that they don't actually need. Because all security, encryption and whatever else you have is always breakable. Not having the data is the only thing that's 100% safe.
Unencrypted passwords being accessed is not speculation. Sony was pretty clear about this point:
I think if they could say "encrypted password hashes", they would. Unless they're trying to make things seem worse than they are in some misguided attempt to come out looking better in the end.
I had read news articles warning me about this a week ago, good job keeping your users informed Sony.
I have been fairly patient with Sony thus-far, as it is hackers that caused this, but now that they have finally stepped up and admitted that our data was stolen, I fully expect Sony to have to bite the bullet and provide free credit monitoring to all PS3 customers effective immediately. If they do not, get ready for a massive class-action.
What are the odds that Anonymous was behind the breach? They did have an ongoing attack against Sony leading up to this.
Maybe this is the work of someone Sony pissed off. Lord knows there are enough people mad at these money grabbing bawds. I am laughing right now. I have a PS3 and it is just collecting dust.
NE1 want to buy a slightly used PS3? It's a little dusty but works like a charm. Even still has Linux on it.
And user interface: give me my trackball and keyboard for FPS.
True, a trackball is ideal for first-person shooters and for fixed-camera shmups like Centipede, Ikaruga, or Perfect Cherry Blossom. But games other than such shooters exist. What's the best controller for, say, a platformer or a fighting game?
Boy, I sure am glad Nintendo only knows me by Wii Number, and I have never given them my CC either; I always just bought Wii Points cards to add points to my account for purchases. So even if their database gets published, I and probably lots of other account holders WON'T CARE. Stupid Sony, stupid...
why not go back to personal computers for gaming?
Because most PC monitors are not big enough for two to four players holding gamepads, and the general public is unwilling to try to connect a PC to a TV.
for most games that come out on consoles a keyboard and mouse are the superior input solution
How would a keyboard and mouse/trackball work for, say, Street Fighter series or Smash Bros. series? And given that the input APIs on Windows combine all connected keyboards into one virtual device and all connected mice and trackballs into one virtual device, what do players 2 through 4 use?
Ten years ago, who even thought you could play music on a computer?
Any owner of an Atari ST, Amiga, or Apple IIGS computer was playing music twenty years ago: Amiga and IIGS through built-in sampler hardware, and ST through an external MIDI synthesizer. And as AC pointed out, Napster had already made its mark ten years ago.
Anyway, computers are conclusively better if only for the fact that you can play MP3s while you game.
Custom soundtracks have been possible on consoles since Xbox 1 back in 2001.
And about your sig: Yoda, Spock Sarekson, and Benjamin Spock aren't the same, but perhaps that was your point.
What's all this fuss, you have "nothing to hide"(tm) after all?
I could understand a single person having his data stolen by someone hacking that persons account, but why was it possible for someone to log in and grab every single PSN users' account data? All that data should never have been stored on a system accessible the Internet.
The only thing I can think of that would explain what happened is that Sony stored the entire customer database on the PSN network servers and used SQL to display/edit the account of the logged-in user. A simple SQL injection bug would allow accessing everyone's account info. That wouldn't be possible if Sony kept all the personal info on a separate system, with only the user name and a hashed password stored in the database on the PSN server. My guess is that's what Sony's busy doing now, moving the account data to a server not accessible from the Internet, but that's too little too late.
On a side note, I saw no evidence of fraud on my credit card account, but I cancelled it last night any way. When I called to cancel I was told I was the 2nd person the guy on the other end talked to about the Sony breach. The other person already had fraudulent charges on his account. So if you have credit card info stored on PSN, cancel that card now as it's only a matter of time before you get hit.
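The scenario the post above guesses at, as an added example (not Sony's code and not code from the thread): a query built by string formatting lets one injected quote return every account, a bound parameter closes the hole, and splitting the personal data into a store the web tier cannot reach limits what the same bug can dump. It uses SQLite in memory so it runs offline; the table layout, the rows and the placeholder hash strings are constructed for the demo.

```python
import sqlite3

# Added example, not Sony's code: the SQL injection pattern the post describes,
# the parameterised fix, and a split layout that keeps PII out of reach of the
# web tier. All rows are constructed test data; pw_hash values are placeholders.

ROWS = [
    ("alice", "hash-of-alice-pw", "alice@example.net", "4111111111111111"),
    ("bob",   "hash-of-bob-pw",   "bob@example.net",   "5500000000000004"),
    ("carol", "hash-of-carol-pw", "carol@example.net", "340000000000009"),
]


def build_monolithic_db():
    """Everything in one table reachable from the PSN front end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, pw_hash TEXT, email TEXT, card TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ROWS)
    return db


def build_split_dbs():
    """Front end keeps only login data; personal data lives in a separate store."""
    front = sqlite3.connect(":memory:")
    front.execute("CREATE TABLE logins (username TEXT, pw_hash TEXT)")
    front.executemany("INSERT INTO logins VALUES (?, ?)", [(u, h) for u, h, _, _ in ROWS])
    back = sqlite3.connect(":memory:")
    back.execute("CREATE TABLE pii (username TEXT, email TEXT, card TEXT)")
    back.executemany("INSERT INTO pii VALUES (?, ?, ?)", [(u, e, c) for u, _, e, c in ROWS])
    return front, back


def profile_vulnerable(db, username):
    # String formatting: the user-controlled value becomes part of the SQL text.
    sql = "SELECT username, email, card FROM accounts WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def profile_fixed(db, username):
    # Bound parameter: the value is data, never SQL, whatever it contains.
    return db.execute(
        "SELECT username, email, card FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def login_row_vulnerable(front, username):
    # The same injection bug on the split design: the most it can reach is the logins table.
    sql = "SELECT username, pw_hash FROM logins WHERE username = '%s'" % username
    return front.execute(sql).fetchall()


INJECTION = "nobody' OR '1'='1"


def demo():
    mono = build_monolithic_db()
    front, _back = build_split_dbs()
    return {
        "legit": profile_vulnerable(mono, "alice"),
        "dump_all": profile_vulnerable(mono, INJECTION),
        "fixed": profile_fixed(mono, INJECTION),
        "split_dump": login_row_vulnerable(front, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The split layout is damage limitation, not a fix: the same injected string still dumps every login row from the front end. It only ensures that what comes out is usernames and hashes rather than the card numbers and addresses this story is about.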
The problem with the whole credit card system for online payments is that you will need to give your secrets out to anyone who you want to pay, and trust that they handle those secrets properly. It just doesn't work.
The tech media and politicians had their panties in a wad over the iOS/Android "tracking". Guess what? Sony's lack of security actually did allow the personal information for 77 million users to be exposed. You know, opposed to theoretically being able to access your approximate location. I wonder if there are going to be Congressional hearings about this? Oh wait, the dried up turds in Washington don't use the Playstation network. So what do they care? The hypocrisy of what people find important and creates media buzz opposed to what really is important makes me wonder sometimes.
Ha, ha, ha......this just makes me laugh.
Oh my god! I just checked my past bank statements! These aren't just hackers they're deviant pervert hackers! They're using my CC to sign up for lesbian-midget-amputee-bondage porn websites (with the optional deluxe live streaming package!) And they have been for months! Even before I had a PS3! What's Sony gonna do about this?
I'm interested in getting in on this. I have to change my damn credit card now and my company is charging me $5. That's as much as a PSone game which I purchased and now is a liability.
I've been robbed, and I'm not even sure what they have stolen. I've had my PS3 for years, it collects dust most of the time lately - But I'm sure I setup a PSN account back in the day. So, I know they have some data. I have a pretty good idea what that data is - But I can't be sure. And since their site is down, I can't go in and check. Wonderful. And I'm getting this info from the media - Where's my letter saying "Hey, we got robbed, they took this and it was yours." Or some sort of note. Anything. Sony...Hello?
The FBI still has machines which use 8" floppies (they are the largest consumer of these disks in the world).
Not defending Sony, but if I must tell my customers that we detected unauthorized access and they got the password hashes, I will report that we believe someone got access to the passwords database. Hashed or not, those are password related, and the common user will not understand what a hash is or why, if they are encrypted, they must care to change it. This does not mean they are storing hashes or not; there is a higher probability than not, but it is not conclusive.
Note: password encryption is not a panacea either. If someone accessed the servers, they probably could access the encryption keys too, because some code needs to decrypt them to validate the user. That is why you hash with a powerful algorithm, and encrypt if you want more protection.
Are we suing them them for failure to provide basic security of personal information required to participate within its environment? Is there legal footing for that? I am furious!
A company that sues it's own customers is a company that does not care about protecting your information.
I find it laughable there are actually that many IDIOTS that would buy a Playstation or sign up for PSN. I find it extremely laughable that you all got your just desserts for your stupidity. So: HA frinkin' HA!
If you use a debit card, you are much more at risk than credit. Debit cards move money, credit cards issue credit.
I never use debit cards or checks. Both of those leave you wide open. Use credit for everything
So, you peek into PS3 internals, you get slapped with lawsuits, police raids your home and they send army of lawyers after everyone.
Someone steals 77m accounts from Sony, all they have to say is basically...
Sorry?
Fuck you Sony.
Weren't the encryption keys stored on the PS3 itself? If so, they are already accessible, which is probably part of the problem. If Sony was storing the server encryption keys on the PS3, then they were screwed the moment the PS3 was hacked. They should have shut down and updated the PSN network servers the moment the PS3 master key was leaked.
Before, hacking the PS3 and cracking its security was yelled all over the world in praise of geohot and how awesome he is at making a strike for the little guy against the giant evil corporations!
I'm not saying this is his fault, but I'm illustrating a point: when people hack shit, it's never in the best interest of anyone, because all it takes is one person, and in this case one person(s) screwed 77 million others. So yeah, where is the harm in hacking your PS3? Everyone should do it!
There are bad software architectures and bad security bugs, but I do not believe the key to sign code to be run on the PS3 is the same one they use to encrypt internal PSN data; that would be a BIG error. About the key found on the PS3: there is no other way to use symmetric key cryptography without one key on the side doing the signature validation, so one key must be hidden on the PS3, and a bug in how they implemented the algorithm allowed people to deduce it, not that they found it in plain text.
psp and ps3 are both compromised.
well, developer versions of them were compromised from day one and available to anyone with cash I suppose, so it was a bad plan from the start if it was like that.
Identity Theft
I own three (3) products made and/or licensed by sony:
(1) Dvd burner purchased many years ago,
(1) 42" Lcd Television purchased 2 years ago,
and (1) PS3 purchased about 6 months ago.
These products represent the last of the money they will have ever gotten from me,
Because i now see that even if they decided to dabble in medicine and came up with a cure for cancer,
no doubt it would be stored incorrectly, and come with the side effect of herpes.
Perhaps i'm over-reacting but to do something this stupid and wait as long to own up to it is just bullshit.
I don't even remember if I ever entered my CC info on PSN. Too bad I can't log in and check. =/
that the even more lucrative Xbox hacking project is still underway. Given the massively large pot of gold in them thar Xbox hills, the hacking may be slow, but the Chinese government / Russian Mafia is patient.
Really, who gives a shit if they have your PSN password. Their service is down right now. When it comes back up, they just need to do a forced password change. Easy.
Unless, you were stupid enough to use the same password for everything.
The worst part about what's going on with PSN was the fact I only heard about it through /. and other online news sources and nothing from Sony themselves. If I did not check these sites I would have had no knowledge about the hack. I wonder if there will be any class action lawsuits going on after this is cleared up, as I've seen it stated that CC info might have been leaked.
It's scary that Sony would allow this to happen.
On the one hand, it's a trust issue. I'm much less likely to trust Sony's network at this point. They would have to proactively earn my trust back in various, public, audited ways.
On the other hand, what do you do when this happens to one of your accounts? The network isn't even back up yet. If the criminals have all of my information that Sony has, how can Sony guarantee that I'm a legitimate person, signing in and changing my password? Send me snail-mail with a one-time password? That's so costly and time-consuming.
I don't want to have to think about, or worry about, any of this security crap when I just want to play a game.
And this is why I think "cloud computing" is a bad idea. Putting all of your stuff out there, where someone could gain access to it? Scary!
I am so ridiculously pleased that I haven't purchased a single Sony product in the last 6 years.
I remember many years ago Sony shut down a decent shop called Lik-Sang . Karma's a bitch i'm guessing.
I'm not concerned the Sony hackers might have my CC number. After all, Sony surely took that perfectly usable data and hobbled it in such a way that it only works with their own products and services.
That's just what they do.
There is one secure network. The one that is turned off.
Don't forget that many (not all) hackers get busted, and to be sure, Sony and their "partner" have as good a chance as any to catch the motherforker or motherforkers who did this. As for identity theft.... they didn't get SSN's, nor did they get the security code on the credit card. That doesn't make you safe, it just makes it harder for the perps. Even if they use it, you're not liable, so please, all, let's take a deep breath.
There is a huge difference between being at fault and being responsible. I don't think you can say that Sony is at fault, but clearly they are responsible (much like maybe a baseball coach isn't at fault for his team sucking but he is held responsible). I don't care that they waited, you're stupid if you do. They need to do whatever they need to do to catch the person responsible. Unless you're in a swivel chair at Sony, you don't know why they did what they did. I'm guessing that they didn't want to say anything until they were 100% certain that what they were saying is true.
As Sony is responsible to us, their customers, they will need to make amends. How, I do not know. I don't want any rushed features or anything (though I wouldn't mind my "other os" option back) but something.
I really enjoy those who gripe about "if you peek at the internals you're bad but Sony only has to say sorry". Yes, asshat, that is exactly true. Sony was trying to stop people from doing that to prevent EXACTLY what happened. While many, perhaps even the preponderance of people wouldn't use the information for evil, clearly it takes but one.
Sony was really keen on protecting their digital media rights... user information? Not so much. http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
...about this. They aren't particularly tech savvy people, but my brother didn't even know PSN was down as he hadn't turned his PS3 on for 2 weeks.
Anyway, got off the phone with another friend and 5 mins later he got this email:
Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at www.eu.playstation.com/psnoutage should you have any additional questions.
Sincerely,
Sony Network Entertainment and Sony Computer Entertainment Teams
Sony Network Entertainment Europe Limited (formerly known as PlayStation Network Europe Limited) is a subsidiary of Sony Computer Entertainment Europe Limited the data controller for PlayStation Network/Qriocity personal data
Actually the one person who screwed 77million others was the CEO of Sony. You can bet *his* credit card numbers aren't compromised, you can bet his bonus for this year isn't even at risk. And you can bet that Sony will spin this in such as a way as to screw you all, over and over again.
If telephones are outlawed, then only outlaws will have telephones.
"Hey, we gave away a bunch of your personal information. Watch out."
I've been wrestling with buying a PS3 for years, paralyzed by indecision. The latest of late-adopters avoids the security breach!
Even better, some guy in Nigeria is offering me a ridiculous amount of money just to help him withdraw some of his money stuck in escrow, so now I can afford a PS3 for free once they fix the security issues. Win-win, suckas!
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Sony was trying to stop people from doing that to prevent EXACTLY what happened.
Wait.
So, you say they knew EXACTLY that their security is so bad that some guy could hack them with just a bit of modding of the console.
And they tried to prevent EXACTLY that by going after that one guy instead of, you know, securing the data so it couldn't be stolen by just anyone with Google and a soldering iron?
No, I never said that.
I said they try to prevent people from hacking their equipment so that those people don't use that information to hack their servers. And their servers getting hacked is EXACTLY what happened. (you sure got excited by my capitalization)
Putting rootkits on CDs is evil. Storing passwords in plaintext is stupid. Being evil doesn't make you stupid.
/. has a sig that says something like 'Sufficiently advanced malice is indistinguishable from stupidity', which seems pretty prophetic in this case. In the end, is the net outcome any different?
Someone on
Anyway, a better point to look at is: with society being where it is, why is anything being stored in a DB in plain text anymore? You can't do partial string searches on hashed values, but how often do you need to do 'like' DB searches on SSNs, addresses, city, state, zip, names, and birth date fields? As a developer, I am saying to my fellow devs: paranoia is your friend, encrypt every damn thing you can. Given enough success, your product WILL be hacked.
HA! I just wasted some of your bandwidth with a frivolous sig!
No. Just no.
You see, it depends on the assumption that it was geohot's and rebug's work that led to the breach, which I have trouble believing is true, as it would imply colossal stupidity on Sony's part.
If it were true, it would be like a bank defending its security by beating people who tried to use the WC, because there is an unlocked safe vault door on the way there.
"Don't be surprised when you see the poor kicked around, and justice and right violated all over the place. Exploitation filters down from one petty official to another. There's no end to it..."
Ecclesiastes 5:8-9
You're absolutely right, X.25, justice is absolutely missing in this situation.
I'm speaking more conceptually, not directly about geohot or rebug per se. What I'm saying is, they don't know what others can do, so they try to prevent people from hacking into their shit. I'm more explaining why Sony did that and saying that you can't defend exploiting their code while decrying them for being hacked. So it's okay to hack the console, but wrong to hack the servers that house the data. I get the philosophical difference, but from a corporate point of view, they are both the same thing.
You know what's "funny"?
The credit card I registered on PSN was the Sony branded credit card I got when they had the special offer to get $100 off a new PS3. I used that deal to pick up my first PS3. Then a little over a year later (right after the warranty expired, of course) I ended up using most of the points I'd accumulated with that account to get a PS3 Slim after my first PS3 got the yellow light of death.
You know what? This entire generation of consoles has been kinda filled with fail. Even my Wii managed to get a disk reader error that I needed to take it in for, and recently it's started getting corrupted memory. Anyone else remember the days when you would just buy a console and expect it to, you know, work?
This Space Intentionally Left Blank
Well put. I'm also a conscientious objector to all things Sony, but my primary reason is that I just can't reward the jerk-off's evil practice of creating their own stupid, proprietary solutions for problems we've already solved. Memory stick anyone?
Ask me about my sig!
Kind of sad really
I was trying to figure out which card I used on my PSN account. The charge description for sony psn points would read like: "PLAYSTATION NETWORK 877-971-7669 CA" then a few numbers. Hope this helps.
Identity Theft is America's Fastest Growing Crime! Get Identity Theft Protection for only $9.95 a month includes credit monitoring, access to credit report and full restoration services.
Our Identity theft services are provided by Kroll Inc., the largest risk management firm in the world with over 30 years experience in security and risk mitigation. Kroll offers expertise from varied backgrounds and qualifications such as: Criminal justice, psychology, insurance, collections, law enforcement, credit bureaus and financial institutions.
Go to www.prepaidlegal.com/idt/ssquestel now!
I have the services and it's great. I get an email every month if any activity is done on my credit report.
Honestly, I'd rather have it and not need it than need it and not have it.
Why all this focus on whether the passwords are encrypted? If someone has my CC number, address and date of birth, I'm going to be way more concerned about my identity being hijacked than whether they can impersonate me on PSN!
Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
If I could do it with the very limited functions Java ME provides (just so I could write a WoW client for mobile phones :-) they could certainly do it for a PC or PS(P).
In practice most of the businesses that need some form of recurring payments will store CC details. Why? Because most CC processors will not do that on their behalf; they just process the payment one time. I had to implement a system allowing irregular recurring payments and it was a f*ing nightmare. When investigating "how others do it" it turned out that everybody and their dog were storing CCs.
Oh, you can bet they're already spending millions of dollars. They spent that from the day their service went offline and have continued to spend it each day it's unavailable to users.
The infrastructure costs of a firedrill like this are enormous. Consider that the State of Texas Comptroller's Office has already spent more than $1.8 million just to hire consultants to come in and figure out how their own staff screwed up and left 3.5 million people's SSN's, DOB's, names, and addresses on a publicly-available server for over a year. In the case of the Comptroller's Office, it appears that two of the consultants were campaign contributors, so it's not like the Comptroller's Office is wasting money on strangers.
I agree with you that millions should be spent to compensate the victims, though, if that's what you meant.
Seth
$5 / month hosted VPS on linux = awesome!
So do the credit card companies have grounds to take legal action against Sony? This breach is going to cost the credit card companies millions of dollars as they have to deal with increased customer call volumes, fraud investigations and the time and effort to issue new credit cards and numbers. I'm sure Sony can't just get away with saying 'Sorry' to them. I suppose Sony could 'settle' with the CC companies and just pay them out, but still ... stuff like this has a ripple effect and doesn't just cost Sony money. Who can say how many companies are taking a financial hit because of this. Harmonix is certainly taking a hit because they can't sell any Rock Band tracks while this is going on.
"When you gotta shoot, SHOOT! Don't talk." Tuco Benedicto Pacifico Juan Maria Ramirez
So I once had a credit card number taken by what I can only assume was a waiter at a restaurant, since I only ever used that card to pay for meals. There are other ways to have your card information stolen. With 77 million PSN users, the odds that a given identity theft victim also happens to be a PSN subscriber seem reasonable.
Look, Sony purposely set up the Dev network like they did.
They also knew, when someone reverse engineered the USB debug util, that all bets were off. That it wouldn't take someone long to figure out how to make it seem like they have a Dev machine.
They also knew that by making it so only certain firmwares can connect to the PSN, the hackers would try to figure a way around it.
Did they decide to change how they do the Dev Network, to keep it and PSN safe?
No, they decided to sue everyone and anyone that talked about hacking the PS3.
We call that denial.
Sony got what it deserved. Sorry that it affected its customers, but then, you had been warned what type of company Sony is, and their incompetence proved dangerous this time.
Sony never, ever cared about its customers. It only cares about money. Sorry it took something like this to wake you up, but hey, at least Sony told you right away. Err, I mean, a week later.
See what I mean? They don't give a fuck about you.
Be seeing you...
That is the message I got every time I tried to put my credit card into the PSN. I think now I should be glad for that. As long as I had the PS3 I had to buy the prepaid card and use that to buy games. Even if they did get the number, that card has $20 available balance. Selex
There are much more profitable avenues to hack for money than a fscking gaming network.
And these vulnerabilities were out and known for a long time. Why were they not hacked until now?
Read radical news here
I'm really tired of reading these kind of stories. Databases on commercial providers ARE going to be stolen. It is irresponsible to be storing dangerous information given that hacks and theft are inevitable. For instance, why does Sony need to know my exact DOB? They actually only NEED to know whether I'm allowed to buy all games/DLC on the system, or only content that's suitable for people less than 18yo. This problem is much bigger than "just" PSN. If anyone cares, I wrote up a proposal - really more a philosophy, with a technical proposal to counter the "it will never work" arguments - at http://larwe.com/blog/larwe.php/2011/04/27/sony-and-the-libertarianism-of-data Grrrr.
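Added example, written for this thread rather than taken from any commenter or from Sony: it puts the two points above into code, hashing passwords and security answers instead of storing them in plain text (the earlier "encrypt every damn thing" comment) and keeping only an age-gate flag rather than the full birthdate (the comment just above). The account record, field names and PBKDF2 work factor are all assumptions; standard library only.

```python
"""Account storage that is safe to lose: salted PBKDF2 for passwords and
security answers, and the birthdate reduced to an is-adult flag at
registration.  Added example; every record below is constructed."""
import hashlib
import hmac
import os
from datetime import date

ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise it for production

def _derive(secret: str, salt: bytes, normalise: bool) -> bytes:
    """Security answers are normalised so 'Fluffy ' and 'fluffy' match;
    passwords are hashed exactly as typed."""
    if normalise:
        secret = " ".join(secret.lower().split())
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def hash_secret(secret: str, normalise: bool = False):
    """Fresh random 16-byte salt for every stored secret."""
    salt = os.urandom(16)
    return salt, _derive(secret, salt, normalise)

def verify_secret(secret: str, salt: bytes, expected: bytes,
                  normalise: bool = False) -> bool:
    """Constant-time comparison so response timing leaks nothing."""
    return hmac.compare_digest(_derive(secret, salt, normalise), expected)

def is_adult(birthdate: date, today: date, min_age: int = 18) -> bool:
    """Computed once at registration; the birthdate itself is never stored."""
    try:
        cutoff = birthdate.replace(year=birthdate.year + min_age)
    except ValueError:  # born 29 Feb and the target year is not a leap year
        cutoff = birthdate.replace(year=birthdate.year + min_age, day=28)
    return today >= cutoff

def register(db: dict, login: str, password: str, answer: str,
             birthdate: date, today: date) -> None:
    pw_salt, pw_hash = hash_secret(password)
    ans_salt, ans_hash = hash_secret(answer, normalise=True)
    db[login] = {
        "pw_salt": pw_salt, "pw_hash": pw_hash,
        "ans_salt": ans_salt, "ans_hash": ans_hash,
        "adult": is_adult(birthdate, today),  # the only trace of the DOB
    }

def check_login(db: dict, login: str, password: str) -> bool:
    rec = db.get(login)
    if rec is None:
        # Burn a derivation anyway so unknown logins take as long as real ones.
        _derive(password, b"\0" * 16, False)
        return False
    return verify_secret(password, rec["pw_salt"], rec["pw_hash"])

def check_answer(db: dict, login: str, answer: str) -> bool:
    rec = db.get(login)
    return rec is not None and verify_secret(
        answer, rec["ans_salt"], rec["ans_hash"], normalise=True)

def demo_db(today: date = date(2011, 4, 27)) -> dict:
    """Constructed sample account (hypothetical login and secrets)."""
    db = {}
    register(db, "gamer42", "Correct Horse", "Fluffy", date(1990, 5, 1), today)
    return db
```

A dump of `demo_db()` yields salts, digests and a boolean, so an attacker holding the table still has to brute-force each password separately and learns no birthdate at all.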
Since I haven't updated my PS3 firmware after the OtherOS incident (avoiding agreeing to the removal, and waiting to see if Sony was forced to put it back), and according to the article the login and password have been stolen, how the heck am I supposed to access my PSN account to change the password if I don't want my OtherOS feature to be deleted when I'm forced to update the firmware?
Do the credit card companies step up their charges to Sony because of this? Or perhaps they should be suing Sony for the cost of the resulting credit card fraud. They've been negligent and should pay for that.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
HDMI out on computer to HDMI in on TV. Done.
I myself know it's possible, but the general public is unwilling to do that, as CronoCloud and others have explained in previous comments (1 2 3 4 5 6 7).
Sorry for being a few days late, but I noticed a schism between those who know PCI-DSS and those who don't. I won't insult you with the obvious things you can search online, but the basic idea is that if you are storing credit card info, you have to encrypt it strongly and keep the keys safe. As I implement PCI-DSS for a living, I would bet that somebody definitely had access to (but might not have found) encrypted credit card data, and since Sony can't be sure who it was they had to cautiously tell everyone about the worst case scenario. Since the only true protection in today's encryption is time, just change your password and credit card number today (I know it sucks), and you will be safe for now. - j
I myself know it's possible, but the general public is unwilling to do that
Yes they are; what % of households have TiVo, Dish, etc.?
Your hair look like poop, Bob! - Wanker.
HDMI out on computer to HDMI in on TV. Done.
the general public is unwilling to do that
Yes they are; what % of households have TiVo, Dish, etc.?
The public thinks of DVD players, DVRs, cable boxes, and video game consoles as "consumer electronics appliances" designed for the living room, as opposed to a general-purpose "computer" designed for a desk. How many of the seven comments linked in my grandparent post did you actually read? I'd like to see evidence that even 10 percent of living room TVs in the United States have a PC connected to them. And how often do you expect the owner of a tower PC to carry it back and forth between the living room and the room with the PC desk?
Reiki is a light-touch, energy-based therapy that reduces stress and increases relaxation for better health. See how Reiki is touching the lives of cancer patients at the Washington Cancer Institute at Washington Hospital Center.