Slashdot Mirror


77 Million Accounts Stolen From Playstation Network

Runaway1956 was one of many users to continue to update us about the intrusion we've been following this week. "Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony's stunning admission came six days after the PlayStation Network was taken down following what the company described as an 'external intrusion'. The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony's related Qriocity network."

89 of 645 comments

  1. It only... by zppln · · Score: 2

    steals everything.

  2. passwords? by jaymz666 · · Score: 5, Insightful

    Seriously? They were storing passwords in a way that could be unencrypted?

    1. Re:passwords? by h4rr4r · · Score: 2

      I never did provide a CC, when did they ask for that. Mind you I have a PSN account used only for netflix.

    2. Re:passwords? by 0123456 · · Score: 5, Insightful

      This seems like an amateur mistake. Who are these companies hiring lately?

      The lowest bidder?

    3. Re:passwords? by fuzzyfuzzyfungus · · Score: 5, Funny

      My DARE officer told me that hash is illegal, and my health teacher says that salt causes high blood pressure...

    4. Re:passwords? by marcansoft · · Score: 4, Interesting

      This seems like an amateur mistake.

      About as amateur as using a static constant instead of a random number when signing firmware and games, which is exactly what they did (and which pretty much cost them their entire system security).

    5. Re:passwords? by Anonymous Coward · · Score: 2, Informative

      Get your fucking facts straight.
      1. You do not need a CC to get a PSN account. You only need one to buy something, and even then you could buy PSN credits at the store, and buy things on PSN without ever providing a valid credit card number.
      2. The game companies that allow you to tie your forum account to your PSN account are irrelevant. None of them require you to give them your PSN password.

      This situation sucks, and Sony fucked up big time, but this bullshit FUD everyone is spewing is not helping.

    6. Re:passwords? by Kuukai · · Score: 5, Informative

      - If you wanted to play any of the games online, you had to have a PSN account. Which meant you had to provide a credit card whether you were ever going to buy anything or not.

      Wrong. This is not true at all. You can play games without ever providing a credit card. On the other hand, they do require your name, birthdate, and mailing address.

      --
      Sendou Wave Kick!!
    7. Re:passwords? by adam.dorsey · · Score: 2

      No, if you keep hammering on Netflix it lets you in eventually. It just bitches at you.

      --
      You are still innocent until proven guilty. What's changed is what they do to innocent people. - notnAP, #26891325
    8. Re:passwords? by teeloo · · Score: 2

      Well actually if you're on Netflix US, you can still log on and watch as normal on the PS3. Netflix Canada does not work though. I have both accounts, so this is from personal experience.

    9. Re:passwords? by xavierpayne · · Score: 3, Informative

      This is not true. The Netflix app does ask you to log in to the PSN but after 3 failed attempts it lets you into the Netflix app anyway, and thus far I haven't encountered any problems streaming even with the PSN itself down.

    10. Re:passwords? by outsider007 · · Score: 2

      Is that because you don't understand what salt means in that context or because you realized that AC's can't mod posts?

      --
      If you mod me down the terrorists will have won
    11. Re:passwords? by schnell · · Score: 4, Insightful

      As a previously happy PS3 user, I'm infuriated at their shoddy handling of this whole thing. The delay in notifying customers was inexcusable, and I still don't understand how passwords could have been compromised... I refuse to believe that even Sony would have stored them in plaintext. The only thing that makes sense to me is that they were stored in hashes but Sony is concerned that the hashed passwords are subject to brute force attacks. I spent a good chunk of last night changing all my online passwords that were the same as the one used in my PS3 account, and that meant dozens of accounts. (Thank goodness none of them were bank-related.) I guess that I should have moved to a system of unique passwords for each site before, and this finally forced me to do it.

      I am struggling to find a bright spot anywhere in this, but if I were to find one it would be that Sony must understand how badly they have pooched this situation. I would expect some serious mea culpas and free crap out of them (like free PlayStation Plus for a year or something) out of this. I don't know whether I actually want that, but it should be interesting to watch them grovel for my online trust and/or business back.

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    12. Re:passwords? by somersault · · Score: 2

      He was talking out of his ass. You only need to provide card info to buy stuff from the store or get a PSN Plus account. Standard accounts are free.

      --
      which is totally what she said
    13. Re:passwords? by gstoddart · · Score: 5, Insightful

      Wrong. This is not true at all. You can play games without ever providing a credit card. On the other hand, they do require your name, birthdate, and mailing address.

      And people wonder why so many on-line accounts are set up with completely bogus information.

      Why should I be providing all of this information to play *(&^%*&^ video games? This is precisely why I don't give most companies this information -- because I don't trust them with it. Not to keep it safe, not to use it as they say, and not to provide it to someone else.

      --
      Lost at C:>. Found at C.
    14. Re:passwords? by linear+a · · Score: 2

      We're all DOOMED!

    15. Re:passwords? by Jibekn · · Score: 2

      I'm in Canada; my Netflix on my PS3 works fine, and has worked fine all through this outage.

    16. Re:passwords? by Spazmania · · Score: 4, Insightful

      Not only did I use a unique email address and password for my PSN account (not used for anything else), I gave intentionally dishonest answers to the secondary security question (and wrote them down), an intentionally dishonest DOB and the only purchases I made were made with a debit card I got as a gift.

      I feel like a genius.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    17. Re:passwords? by Narishma · · Score: 2

      You don't need to provide credit card info to create a PSN account or play online. You don't even need it to buy stuff on the PSN, you can instead use pre-paid cards.

      --
      Mada mada dane.
    18. Re:passwords? by Tetsujin · · Score: 4, Informative

      As a previously happy PS3 user, I'm infuriated at their shoddy handling of this whole thing. The delay in notifying customers was inexcusable, and I still don't understand how passwords could have been compromised... I refuse to believe that even Sony would have stored them in plaintext.

      Even if you one-way cipher the passwords, getting access to the password database gives the attacker the ability to attack the database offline via brute-force attacks. (Attempting to brute-force without access to the database system would mean you'd have to do it via the login system - which wouldn't work so well if the login system is built to guard against brute force attacks, for instance by limiting the frequency of login attempts to a single account.) So if somebody gets the password database it's safest to assume they've got the passwords in it.

      --
      Bow-ties are cool.
    19. Re:passwords? by nschubach · · Score: 4, Informative

      Cancel? Just call up Visa and they give you a new card and number. No need to kill the account.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    20. Re:passwords? by ginbot462 · · Score: 2

      >> My DARE officer told me that hash is illegal [by fuzzyfuzzyfungus (1223518)]

      I'm guessing he wasn't that influential on you.

      --
      Atlas Shrugged : Thematic Story :: Battlefield Earth : Organized Religion
    21. Re:passwords? by schnell · · Score: 2

      What do you mean "even Sony"? This is the same company that decided a rootkit on their audio CDs was a great way to stop piracy.

      Putting rootkits on CDs is evil. Storing passwords in plaintext is stupid. Being evil doesn't make you stupid.

      Exactly how much do you really think Sony cares about you or your information?

      They care exactly to the extent that they can be subject to an expensive class-action lawsuit or government fines over the exposure. So, again, Sony's consumer-unfriendly attitude does not indicate that they would take reckless chances with protecting information that they face potential liability claims over. I don't get why their history with rootkits has anything to do with the fact that I seriously doubt they stored passwords in plaintext.

      Go ahead, ask me why I never bought a Playstation, or any other Sony device

      Is it OK if I don't?

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    22. Re:passwords? by fuzzyfuzzyfungus · · Score: 4, Funny

      Are you implying that wasting time on slashdot is abnormal behavior for a fungus? The haploid glomeromycetes that fused to form my zygospore were always hassling me about it: "Are you going to sit there reproducing asexually in front of the computer like some pathetic diploid man-child all your life? Why don't you grow a fruiting body, and make something of yourself?"

    23. Re:passwords? by LavouraArcaica · · Score: 2

      Storing passwords in plaintext is only stupid? Do you really believe that?

    24. Re:passwords? by AJH16 · · Score: 2

      It really isn't though. If hashed, great, they have a hash of my password. There are many, many possible combinations that could map to my password. There are existing attacks to quickly find A value that will match to the hash, but not actually the original password. (At least not unless I missed some breakthrough in the last 2 years or your password is weak to dictionary attacks.) For example, my password 123 hashes to abc. The attacker obtains abc and determines that 098 also hashes to abc. However since site B uses a different seed in their hash, 123 hashes to def for them and 098 hashes to xde so no match is found and the login is safe. The hash issues I'm aware of are only an issue when the compromise is unknown and done by a man in the middle. (i.e., I intercept your traffic and your password was hashed at the client side and sent clear. In this case I could generate my own hash to match yours. It is also an issue in situations like a signature on a download where I can modify the file but still have it match the signature.)

      Someone can correct me if I'm wrong, but I'm not aware of any technique to get an actual true password out of a one way hash.

      --
      AJ Henderson
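The offline attack Tetsujin describes and the "different seed per site" point in AJH16's reply, as an added example that is not part of the thread: it runs a small dictionary attack against a constructed "leaked" password table stored two ways, once as unsalted SHA-1 and once as per-user salted PBKDF2, and counts the hash operations each attack costs. The users, passwords and wordlist are constructed for the demo; nothing here describes how PSN actually stored anything.

```python
# Added example, not from the thread: an offline dictionary attack against a
# "leaked" password table, run once against unsalted SHA-1 and once against
# per-user salted PBKDF2, to show what salting and a slow KDF do and do not buy.
# The users, passwords and wordlist below are constructed for the demo.
import hashlib
import os

# Constructed sample data: three leaked accounts and a tiny attacker wordlist.
USERS = {"alice": "yourmom65", "bob": "Tr0ub4dor&3", "carol": "letmein"}
WORDLIST = ["password", "letmein", "yourmom65", "qwerty", "123456"]
ITERATIONS = 100_000  # PBKDF2 work factor; real deployments tune this upward


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: the weak scheme an attacker hopes to find."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_leaks():
    """Simulate the stolen tables: the same accounts stored both ways."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        salted[u] = (salt, salted_pbkdf2(p, salt))
    return unsalted, salted


def crack_unsalted(leaked, wordlist):
    """Hash each candidate ONCE and look it up against every user at the same
    time; the precomputed table is reusable against any other unsalted dump.
    Returns (recovered passwords, number of hash operations spent)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_salted(leaked, wordlist, iterations=ITERATIONS):
    """Each guess must be recomputed per user with that user's salt, and every
    recomputation pays the full KDF cost, so no table can be shared or reused.
    Returns (recovered passwords, number of KDF operations spent)."""
    found, ops = {}, 0
    for user, (salt, h) in leaked.items():
        for w in wordlist:
            ops += 1
            if salted_pbkdf2(w, salt, iterations) == h:
                found[user] = w
                break
    return found, ops


def hashes_differ_across_sites(password: str) -> bool:
    """Two sites that each pick their own salt store unrelated hashes for the
    same password, so cracking one dump does not hand over the other."""
    site_a = salted_pbkdf2(password, os.urandom(16))
    site_b = salted_pbkdf2(password, os.urandom(16))
    return site_a != site_b


if __name__ == "__main__":
    unsalted, salted = build_leaks()
    for name, (found, ops) in (("unsalted SHA-1", crack_unsalted(unsalted, WORDLIST)),
                               ("salted PBKDF2", crack_salted(salted, WORDLIST))):
        print(f"{name}: recovered {found} after {ops} hash operations")
    print("same password, two sites, different hashes:",
          hashes_differ_across_sites("yourmom65"))
```

The weak passwords fall either way; salting only stops the attacker from sharing one precomputed table across all users and sites, and the iteration count makes each of the per-user guesses roughly a hundred thousand times more expensive than a bare SHA-1. That is exactly why the advice in the thread is to assume the passwords are gone and rotate anything that reused them.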
    25. Re:passwords? by smelch · · Score: 3, Funny

      Like my wife. That's a lie, she never lets me in :-(.

      --
      If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
    26. Re:passwords? by AK+Marc · · Score: 2

      If they got the entire system, they may know the hashing algorithm. As such, there may be some attack that allows them to two-way the one-way hash. Further, if the hashing were "perfect" (as in max entropy) then there would be limited, if any, collisions for passwords shorter than the hash length. So if the hash were larger than all the passwords, then they'd never be sure that they got the right password, but the chance of it increases greatly.

      Without more information, it's safest to say that your plaintext password (along with email address) has been compromised. Anything they could ever find related to your email address (not just email, but any social networking site linked to that email, any bank or broker account that uses the email for a login, etc.) will have your email and PSN password known.

    27. Re:passwords? by game+kid · · Score: 2

      You should've told them to make like yeast and bud out.

      --
      You can hold down the "B" button for continuous firing.
    28. Re:passwords? by gstoddart · · Score: 2

      Are those targeted to people who are so brainwashed by the propaganda of religious schizophrenia abuse organizations ("churches") that they censor themselves for no logical reason, and don't even know why, by any chance?

      As Miles Davis said ... It's not the notes you play, it's the notes you don't play.

      If I thought swearing would have helped me make my point any better, I fucking well would have.

      Profanity is like any other aspect of the English language -- it has its uses, but doesn't need to be overused.

      --
      Lost at C:>. Found at C.
    29. Re:passwords? by Rakarra · · Score: 2

      You're now guilty of wire fraud, unauthorised system access and several thousand ToS and EULA violations. Don't ever get noticed by Sony, they own you for life and aren't shy in the courtroom

      Wire fraud? No purchases were made, no cash exchanged hands. It's not illegal to give false answers to websites which ask for name or date of birth, nor is it illegal to violate the ToS.

      Sony could certainly shut down his PSN account and there's the off-chance they could sue for breach of contract, but the courts would also come down hard on the prosecutor and whatever you might think of Sony's upper brass, Sony's legal is not nearly stupid enough to find this case a worthy use of their time.

  3. DRM by UninformedCoward · · Score: 3, Funny

    Hows that online requirement DRM working out for you guys?

    ~UC

  4. Sony isn't using the term "massive identity theft" by elrous0 · · Score: 5, Funny

    They're calling it an "unexpected mass friendship opportunity."

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  5. SonyDownhill by thestudio_bob · · Score: 2, Interesting

    Gee, Sony just can't catch a break lately. I'm wondering if they are going to be asked to appear before the US Senate to explain their actions, just like Apple and Google? I think this is a little more serious than just tracking my phone location.

    --
    The real Sig captains the Northwestern. This one captains /.
    1. Re:SonyDownhill by vlm · · Score: 2

      I'm wondering if they are going to be asked to appear before the US Senate to explain their actions,

      http://www.opensecrets.org/pacs/lookup2.php?strID=C00282038

      $211,925 tries to say "No"

      Google sent four times that just to Barack Obama alone, and that didn't save them.

      So I'm guessing the answer will be "Yes"

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:SonyDownhill by greg1104 · · Score: 2

      One senator is already writing them nasty notes.

  6. Unencrypted = Stupid by Bloodwine77 · · Score: 4, Informative

    It amazes me that a company as large and established as Sony would make such a boneheaded move as storing sensitive information in plaintext. Passwords and answers to secret questions should always be hashed. Credit card information and other sensitive information should be encrypted (preferably AES-256 or stronger).

    1. Re:Unencrypted = Stupid by drinkypoo · · Score: 4, Interesting

      We need laws for this crap now. Someone doesn't even try to use adequate obfuscation, they are accessories. Specifically, for protection of SSNs (yes I know the fact that they are good for so much is stupid, but we live in reality) and credit card numbers, and anything else equivalent.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Unencrypted = Stupid by 0123456 · · Score: 4, Insightful

      Why are you surprised that big companies would do stupid things? Particularly one who thought that installing rootkits on peoples' computers when they played a CD was a pretty darn cool idea?

    3. Re:Unencrypted = Stupid by rsmith-mac · · Score: 3, Informative

      To give Sony all the credit they deserve (however little it is), the sensitive records like passwords probably weren't stored in plaintext.

      It's standard operating procedure at most companies to treat any data breaches as if the data was plaintext and will be immediately exploited. Once the hackers have taken the data, you have no way to tell if they have a way to decrypt/reverse it or not, so you simply assume they do.

      At the same time, almost no one feels like explaining to users what password hashes are and why their data is probably safe, so the public announcements always reflect the assumption above and present the worst case scenario to users, and maybe encryption is mentioned somewhere. Whether the data was decrypted or not, if you say it was then you've covered your ass. It's not as if most laypeople believe that the encryption will hold anyhow.

      In short, Sony's pretty damned stupid, but whether anything was encrypted or not they're going to treat it as if it wasn't, and their warnings are going to reflect that. Just because they aren't talking about it being encrypted doesn't mean it was stored in plaintext. The resolution is the same either way: assume the bad guys have it in plaintext form, and watch your credit reports.

    4. Re:Unencrypted = Stupid by vlm · · Score: 2

      It amazes me that a company as large and established as Sony would make such a boneheaded move as storing sensitive information in plaintext.

      If you remove the assumption that they were owned the same day they were shut down, the logical result is they got owned 77 million card entries ago... Sniff and store each new CC... Months / Years later they get noticed, oops.

      That would also fit with why they didn't restore from backups onto bare metal on day one and be back online within 24 hours. If the backups, going back months or years, are all perfect backups of the infection...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:Unencrypted = Stupid by _0xd0ad · · Score: 2

      Answers to secret questions can only really be stored as hashes if you insist on people reproducing spelling, capitalization, and punctuation accurately and you don't intend to use the secret questions for over-the-phone authentication.

      Spelling - yes; but capitalization and punctuation can just be ignored. Strip punctuation, convert to all-lowercase, then hash.
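The normalize-then-hash approach the two posts above describe, as an added example that is not part of the thread: answers are Unicode-normalized, casefolded and stripped of punctuation and whitespace before being run through a salted PBKDF2, so "Mr. Whiskers!" and "mr whiskers" verify as the same answer while the database never holds the plaintext. The sample answers are constructed.

```python
# Added example, not from the thread: store security-question answers as
# salted, slow hashes after normalizing case, punctuation and whitespace, so the
# stored value is not plaintext but "Mr. Whiskers!" and "mr whiskers" still match.
# The answers used below are constructed.
import hashlib
import hmac
import os
import re
import unicodedata

# Anything that is not a letter, digit or underscore is dropped before hashing.
_NON_WORD = re.compile(r"[^\w]+")
ITERATIONS = 200_000  # PBKDF2 work factor


def normalize_answer(answer: str) -> str:
    """Canonical form: Unicode NFKC, casefold, strip punctuation and whitespace."""
    return _NON_WORD.sub("", unicodedata.normalize("NFKC", answer).casefold())


def store_answer(answer: str, iterations: int = ITERATIONS) -> dict:
    """What the database keeps: a per-answer random salt and the KDF output."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(candidate).encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    rec = store_answer("Mr. Whiskers!")
    print("stored hash:", rec["hash"].hex())
    for guess in ("mr whiskers", "MR-WHISKERS", "Mr Whisker"):
        print(f"{guess!r}: {verify_answer(rec, guess)}")
```

Two caveats a practitioner should keep in mind: normalization throws away some of the (already small) entropy in a typical answer, so these hashes are at least as crackable offline as weak passwords, and a hash cannot support the "close enough" matching a phone agent does, which is the trade-off _0xd0ad points to.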

    6. Re:Unencrypted = Stupid by Sir_Sri · · Score: 2

      We don't know how any of their data was stored, or accessed. That's sort of the problem; Sony isn't talking, which is leading to wild speculation, including yours.

    7. Re:Unencrypted = Stupid by Anonymous Coward · · Score: 5, Informative

      Yes, I trust Congress to make laws that will cause secure implementations to be made.

      Remember, these are the guys who can't make a tax code that requires companies to actually pay _any_ tax on billions of dollars' of income.

    8. Re:Unencrypted = Stupid by AJH16 · · Score: 2

      Yes and no, I agree for the average user, assume the worst is good, but for someone like me who takes precautions to make sure my passwords will hash securely, I'm comfortable not changing non-financial passwords in the event of a disclosure as long as they were hashed. It's a very significant and important distinction for those who take carefully controlling our security seriously but don't obsess over having it take over the usability side. (i.e., change every password every time any possible breach may or may not have occurred on every account regardless of sensitivity.)

      --
      AJ Henderson
  7. Credit card numbers WERE taken too by Anonymous Coward · · Score: 5, Informative

    I posted this in the last thread, but PSN users are already seeing their credit cards being fraudulently used!

    So if you're affected, CANCEL YOUR CARD!

    It's not a possibility anymore, it's a certainty.

    1. Re:Credit card numbers WERE taken too by RobDude · · Score: 3, Informative

      That seems a little extreme.

      You aren't liable for fraudulent charges. And until Sony sends you a certified letter stating that your credit card was compromised you don't know that your card was. I'll just wait until I see a fraudulent charge, then make a 10 minute phone call and have a new card/number mailed out to me. The biggest pain is updating the recurring bills/payments.

      Even if they had access to your credit card number you don't know what they are going to do with it. Sell it? Maybe. Or maybe they are just using this to piss off Sony. And, according to Sony, they only have the credit card #s - not the CVV or CV2 code. So, it would be reasonably difficult to make a purchase.

      I'll alert Capital One as soon as I see a fraudulent charge.

    2. Re:Credit card numbers WERE taken too by TheCyberShadow · · Score: 2

      I posted this in the last thread, but PSN users are already seeing their credit cards being fraudulently used!

      Note that this information is currently based on a single e-mail.

    3. Re:Credit card numbers WERE taken too by _0xd0ad · · Score: 2

      Yeah. More worrisome is the fact that if it is a debit card, the money is gone before you can even contest the charge.

      For a credit card, I'd probably wait it out and hope for the best. A debit card, though, would best be cancelled immediately.

    4. Re:Credit card numbers WERE taken too by bendytendril · · Score: 3, Informative

      I received fraudulent charges the day after this occurred. My bank called me and I had to cancel my card.

      --
      sig: pv qid
    5. Re:Credit card numbers WERE taken too by L4t3r4lu5 · · Score: 2

      And, according to Sony, they only have the credit card #s - not the CVV or CV2 code. So, it would be reasonably difficult to make a purchase.

      Absolutely. It's well beyond the ability of any petty criminal to buy a magnetic strip writer from eBay and put the stolen card numbers onto blanks / gift cards / any magnetic strip card. This was never done before internet purchases requiring CVV / CV2 codes became commonplace, and hardly anybody used cloned cards to withdraw cash at ATMs. Plus, store clerks always check the receipt card number against the one printed on the card itself, because they're vigilant pillars of the community.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    6. Re:Credit card numbers WERE taken too by mkraft · · Score: 3, Insightful

      The CVV or CV2 codes aren't required to make purchases in all places. Yes, for most cards you aren't liable for fraudulent purchases, but the money has to come from somewhere so the credit card companies end up taking a hit and they raise their rates. Besides if you know your card number might have been stolen and don't report it, you might end up having to pay for fraudulent charges since at that point it's basically your fault for not telling the credit card company.

      More importantly, the hackers also have your name, address and birth date. That information is nearly enough info, combined with the credit card information, to have your card canceled and another one issued to them. They could initiate a USPS change of address (since they have your name and address) to wherever they want, call your credit card company to have a new card sent out and then simply activate that card when they get it.

      It's much easier to preemptively have your credit card company reissue a card now, than try and go clean up a much more complicated mess in the future. That's what I did and my credit card company said that was a smart move on my part.

    7. Re:Credit card numbers WERE taken too by __aamnbm3774 · · Score: 2

      You aren't liable for fraudulent charges.

      There are all sorts of exceptions to that rule. The first most common is that you have a certain period of time, generally only a few days, to find and report such fraudulent charges or you will not be refunded 100%. (do you check your transactions every day while on vacation?) Second, what if they used a Debit card and their checking account was emptied. Sure, they might eventually get their money back, but it could take a month or more.

      So yea, this might actually affect people in a significant way. Quit downplaying this ridiculous breach in security because you monitor your Capital One card every single morning.

    8. Re:Credit card numbers WERE taken too by DaveGod · · Score: 2

      Bearing in mind of course... Say 70m PSN users, let's assume that 50% of them had credit cards on there and that the average frequency of credit card fraud generally is once per person every 20 years (no, I couldn't be bothered looking for a real statistic, or using real math).

      In the week or so since the breach, the average person would have had an approx 1/(20*52)= 1 in 1040 chance of incurring fraud anyway.

      Therefore chances are during that week we could anyway have expected around 1/1040 * (70m * 50%) = 33,654 people who had cards on PSN to have been victims of fraud.

      In that context, that website's 2 seems a bit inconclusive, even before considering the reliability of the source material.

  8. Re:Sony isn't using the term "massive identity the by Bloodwine77 · · Score: 2

    You did not lose your identity, you gained additional account holders!

  9. Re:Sony isn't using the term "massive identity the by sakdoctor · · Score: 2

    Massively Unexpected Online Identity Theft.

    The only way to win...

  10. Leaving PSN Down by TheNinjaroach · · Score: 4, Interesting

    I think the fact Sony has left the PSN in a completely disabled state for the past week could hint at some internal problems with disaster recovery. Their servers have been compromised and can no longer be trusted. In my world, that's a perfect time to re-build your systems from a pristine backup. So why doesn't Sony patch the vulnerability and deploy new servers? Perhaps it's because they don't have any good backups to restore from..

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    1. Re:Leaving PSN Down by Bobfrankly1 · · Score: 4, Informative

      I think the fact Sony has left the PSN in a completely disabled state for the past week could hint at some internal problems with not knowing what the hell they're doing in the first place. Their servers have been compromised and can no longer be trusted. In my world, that's a perfect time to re-build your systems from a pristine backup. So why doesn't Sony patch the vulnerability and deploy new servers? Perhaps it's because they don't have a clue what the vulnerability is...

      FTFY.
      Sony said it has temporarily shut down the PlayStation Network and Qriocity services and hired an outside security firm “to conduct a full and complete investigation into what happened,” but refused to offer details on the hack.

  11. Fallout by Canth7 · · Score: 5, Insightful

    More interesting to me than how the intrusion occurred or how lax Sony's security practices are will be what the public backlash level is like. IT security departments tend to whip up a frenzy with the potential for "end of the company" concerns for data breaches on a regular basis. However, reality is that data loss doesn't always seem to have a particularly negative effect for the company that loses the information. Point in example would be the TJX data loss - http://it.slashdot.org/story/07/03/29/1618239/TJX-Is-Biggest-Data-Breach-Ever. Somehow this hardly seems to have put a dent in corporate profits. TJX's stock is up 100% since 2006 when the breach occurred. http://www.google.com/finance?q=tjx Point being is, if nothing seriously negative happens to Sony then it's no wonder that firms continue to have poor security practices. After all, why bother spending the effort and money to secure data when there is no return on the investment?

    1. Re:Fallout by X.25 · · Score: 5, Interesting

      TJX's stock is up 100% since 2006 when the breach occurred. http://www.google.com/finance?q=tjx Point being is, if nothing seriously negative happens to Sony then it's no wonder that firms continue to have poor security practices. After all, why bother spending the effort and money to secure data when there is no return on the investment?

      Many years ago, I was in a meeting with heads of a bank, discussing their need for penetration testing, auditing, etc.

      So, after all that talk, one guy simply asks:

      "Why would we spend dozens and hundreds of thousands of dollars on security services/products/staff, when it costs us 200 dollars to issue few press releases that claim how no valuable data was lost, and everything will be just fine?"

      I had no answer to this.

      That's why in 2011 we are witnessing things like this.

      That's why in 2011, Sony will still be determined to be PCI/DSS compliant, although they probably don't satisfy 50%-70% of requirements.

      It's because they don't give a fuck and don't care. There is nothing you/we can do to them, they are on the top of the food chain.

      Because humans are greedy, like flashy toys and are too blind to see what's happening in front of their eyes.

      Oh well, back to work :)

    2. Re:Fallout by AK+Marc · · Score: 2

      That's why the free market fails and the government must step in. It costs more than $200, but because banks have successfully convinced people that "bank fraud" should be blamed on the customers of the banks (calling it "identity theft"). But if the externalities are forced to be accounted for by the government (people suing for their inconvenience and fines from the government), then they'll have to re-think their policies. But it will take nothing less than government action for companies to take things like this seriously.

  12. undivided attention of Anonymous by fhage · · Score: 4, Insightful

    I wonder if Sony regrets waving the red flag. http://news.cnet.com/8301-13506_3-20050310-17.html. Anybody heard from geohotz in the last few days?

    1. Re:undivided attention of Anonymous by Ruke · · Score: 3, Insightful

      Definitely. If Anonymous had stolen 77 million PSN accounts, you'd see 77 million PSN accounts available for torrent at The Pirate Bay. Someone would be claiming the hack, and they'd be offering proof, and they'd be bragging about how easy it was. Anonymous is generally in it to ruin Sony's day; credit card fraud is a couple of steps beyond "doin' it for the lulz."

  13. Might not be bad... by Junta · · Score: 4, Interesting

    There are two schools of thought here...

    If the password is stored as a hash on the server, then it is more resistant to attacks against the storage of the server. However, this does require the password be transmitted over the wire in one way or another on every connection. A man-in-the-middle attack with IP spoofing or DNS cache poisoning has a non-trivial shot at compromising the password.

If the password is stored 'in the clear' on the server side and the password is treated as a shared secret, then *if* you design the authentication right, you render man in the middle infeasible with the tradeoff of storage attack being a large exposure. A common scheme is to have the client take a packet, concatenate it with the password, calculate a hash, then strip the password before transmitting. The server then repeats the calculation and only accepts the payload if the secret matches. Usually, server responses are protected the same way, meaning only the server you *meant* to talk to can meaningfully respond because it needs your password to calculate correct hash responses.

All that said, it's also entirely likely that Sony has stored passwords as crypted hashes, but it's safer to say 'your password is compromised', because of how many users have passwords like 'yourmom65', rendering the hashing pointless.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Might not be bad... by Anonymous Coward · · Score: 2, Informative

      actually, you can store the password as a hash _and_ not transmit it in clear for authentication...

1. server has hashed pw + salt1
2. server randomly generates salt2, sends salt1 and salt2
3. client calculates x = hash(hash(pw, salt1), salt2), sends it to server
4. server calculates hash(hashed pw, salt2) and compares to x

      result: server has hashed pw and pw is never transmitted in clear...

    2. Re:Might not be bad... by traindirector · · Score: 3, Insightful

      If the password is stored 'in the clear' on the server side and treat the password as a shared secret, then *if* you design the authentication right, you render man in the middle infeasible with the tradeoff of storage attack being a large exposure.

      And why couldn't a hash of the password be used as a shared secret? As long as the client can do the hashing, I see no reason the hash couldn't be used in place of the original password.

As a potential answer to my own question, maybe they wanted to make sure their login form would work on a web browser without scripting.

    3. Re:Might not be bad... by akh · · Score: 2

There's no need to transmit or store a password in the clear at any time. For example:

      When choosing a password:

      1) User chooses a password which is then hashed on the client side.
      2) The hashed password is then transmitted over a secure channel to the server.
      3) The server stores the hashed password in its user database.

      To authenticate a user one can do the following:

      1) The server chooses a random value (a nonce). A nonce is used to prevent replay attacks.
      2) The plaintext nonce is transmitted to the client.
      3) The client hashes the nonce using the user's hashed password. (This can be done e.g. by appending the nonce to the hashed password and taking the SHA-1 hash of the resulting string.)
      4) The hashed nonce is then transmitted back to the server.
      5) The server uses the user's hashed password (retrieved from its database) to hash the nonce that it sent to the client.
6) If both hashed nonces are the same then the user is authenticated.

      Additional layers of security can be added such as adding a salt to the initial password hash to defend against brute force and rainbow table attacks if the server's database is compromised.

      --
      Accept Eris as your Fnord and personally sate her
    4. Re:Might not be bad... by bigjocker · · Score: 2

      This is nonsense. You can double hash passwords. That's the correct way:

      plaintext: 1234
      salt: xyz
      salt+plaintext hash: opqr
      you store on DB: xyz-opqr

      when the user requests the login page, the server creates a new salt, stores it in the session (server side) and sends the two salts to the client (session one and DB one):

      server extracts salt from DB: xyz
      server creates a session salt: abc
      client receives session salt: abc
      client receives DB salt: xyz
      user enters password: 1234
      client hashes using DB salt: opqr
      1st hash is: opqr
      1st hash with salt is: xyz-opqr
      client hashes using session salt: hijk
      2nd hash is: hijk
      client sends the twice hashed password to the server: hijk

      Now the server hashes the DB password using the session salt (that was stored on the server side session, remember not to trust the info from the client), and the two should be the same, without the server needing to know the plaintext password.

This is basic auth and security stuff. Which means Sony must have hired some second-hand programmers to develop this whole system. Creepy indeed.

      --
      Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
    5. Re:Might not be bad... by Junta · · Score: 2

      Because then the 'hash' becomes the 'password' for all intents and purposes, bringing you right back to square one: your password is stored 'in the clear' on the server. Even if not keyboard friendly, an attacker gives not much of a rat's ass about that detail.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    6. Re:Might not be bad... by bigjocker · · Score: 3, Informative

No, they're not. That's the point of double hashing. If you know 'xyz' you still need to know 'opqr' to send a valid hash (remember that you need to hash 'xyz-opqr' with the session salt). Since the server never sends 'opqr' to the client, the only way to generate it is through HASH(xyz + plaintext_password).

      --
      Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
  14. Re:Firmware by fuzzyfuzzyfungus · · Score: 5, Insightful

    Never. Trust. The. Client.

If their online systems' security depends on all clients playing by a specific set of rules, it is Broken. (Even barring custom firmware, PS3s communicate over the internet via reasonably normal protocols, so it isn't as though the public-facing infrastructure was ever invisible to PCs running whatever people wanted them to run.)

Especially for something as large and potentially valuable as 77 million accounts, many with cards on file, there would just be no way that you could make the client secure enough to serve as a trusted part of your security system: your pirate will give up if you can't flash a firmware in software or do a relatively simple mod-chip install. A more serious hacker might be willing to dump some ROMs, if possible, maybe snoop bus traces if they can get to them, install mod chips that require SMT skills, etc. For 77 million accounts, though, you have to consider the possibility that somebody would commission a serious forensic teardown of your system, decapping, microscopes, and the lot.

  15. Karma's a bitch. by straponego · · Score: 2

    So what are the ramifications for Sony if they violated PCI standards?

  16. FUD by dreamchaser · · Score: 2

    "- If you wanted to play any of the games online, you had to have a PSN account. Which meant you had to provide a credit card whether you were ever going to buy anything or not."

    Completely wrong. I have a PSN account and never, ever gave them credit card info.

  17. Makes you wonder... by Junta · · Score: 4, Insightful

    In a world with plenty of well understood crypto schemes like public-private key systems where you can prove yourself without a shared secret... why the hell do we trust so much of our wealth with a trivial to see/copy account number being tossed around like crazy?

    --
    XML is like violence. If it doesn't solve the problem, use more.
  18. Music on a computer 10 years ago? Errr, yeah. by Viol8 · · Score: 2

The MP3 has been around since the mid 90s and plenty of other simpler formats were around before that. Macs were doing 8-bit PCM music back in the late 80s and if you want to be pedantic about it synthesized music on a personal computer has been around since the 8-bit days in the early 80s.

  19. Re:I guess I didnt miss much by Unkyjar · · Score: 2

Seriously, I mean why give me a game that allows me to steal cars and shoot people when it doesn't even emulate the experience properly?!! I go out and try these techniques on the street and they don't work at all the way they do in the game. It's morally negligent I say! I could be killed because of the bad info I'm getting from my video games!

  20. Sony is warning users? by dtmancom · · Score: 2

    Sony hasn't warned me of anything, and I know they have my correct email address attached to my PSN account. I am getting all of my information from 3rd parties. That irritates me more than their getting hacked in the first place. And yes, I canceled the credit card attached to my PSN account yesterday.

  21. Ok Sony, so basically, by unity100 · · Score: 2

    You have sued hotz, harassed those who modded/jailbroke your devices, suppressed hotz, and .....

'some' people basically handed your ass over to you in a different fashion?

    in the end, it seems you have annoyed far more dangerous circles in the internet hacker underground than the jailbreakers/mod hackers.

    enjoy. and next time, remember that it is not good to treat people like cattle, and suppress/repress them.

  22. Re:I guess I didnt miss much by somersault · · Score: 2, Insightful

    You don't really sound like you've played the game, the way you talk about it makes it sound very serious. You don't actually have to kill innocent bystanders unless you want to, just the same as real life. Many missions call for you killing people, but what do you expect in a game about gangsters? Actually, you don't even have to do the killing missions if you don't want to.. you could just be a taxi driver, paramedic, or firefighter if you really wanted to just be super-good all the time.

    --
    which is totally what she said
  23. Re:Stolen? by The+Moof · · Score: 2

    The last time I checked, my identity couldn't be stolen with a copied MP3.

  24. Credit Card = Stupid by indeterminator · · Score: 2

    The problem with the whole credit card system for online payments is that you will need to give your secrets out to anyone who you want to pay, and trust that they handle those secrets properly. It just doesn't work.

  25. Re:Stolen? by blueg3 · · Score: 2

    If someone steals your identity, do you no longer have it? Who are you then?

  26. I've been robbed... by Gorkamecha · · Score: 2

    I've been robbed, and I'm not even sure what they have stolen. I've had my PS3 for years, it collects dust most of the time lately - But I'm sure I setup a PSN account back in the day. So, I know they have some data. I have a pretty good idea what that data is - But I can't be sure. And since their site is down, I can't go in and check. Wonderful. And I'm getting this info from the media - Where's my letter saying "Hey, we got robbed, they took this and it was yours." Or some sort of note. Anything. Sony...Hello?

  27. They sue their own customers... by plastick · · Score: 2

A company that sues its own customers is a company that does not care about protecting your information.

  28. That's it? "Sorry"? by X.25 · · Score: 5, Insightful

So, you peek into PS3 internals, you get slapped with lawsuits, police raid your home and they send an army of lawyers after everyone.

    Someone steals 77m accounts from Sony, all they have to say is basically...

    Sorry?

    Fuck you Sony.

    1. Re:That's it? "Sorry"? by sycorob · · Score: 2

      They should get massively fined, in proportion to the monetary losses they are pushing onto customers, banks and vendors. $100 per account sounds like a good start. The money should go towards getting their users' credit histories back on track, as well as additional monitoring by the credit bureaus.

      They should fall out of PCI compliance, and be forced to bring their system fully up to compliance before they can charge even one more credit card. Or, they should only process pre-paid PSN cards, and leave merchant processing to the big boys who can secure the data properly.

Overall, if people who are publishing the internals of the PS3 are subject to lawsuits, fines and possible imprisonment, then it stands to reason that revealing the private information of 77 MILLION people should have similar ramifications. If Sony can just say "We're sorry, we're working on it," then Geohot should have had that option too.

  29. Re:An ill wind blows nobody well by tgd · · Score: 2

    I was playing MP2s on my computer almost ten years before that.

    And MOD files five years before that.

    And (okay, going to stop before I age myself here ...)

  30. Re:Stolen? by Kielistic · · Score: 3, Insightful

    Kind of. A personal identity is singular and is assumed to only exist for one person. If one person uses an identity it is assumed another is not.

    Also using another's identity most certainly can and does bring harm to the creator/originator of that identity.

  31. Re:Stolen? by The+Moof · · Score: 2

    Sort of, via my credit score. They use my identity to use my credit, not a copy of it. Anything they do to damage my credit becomes my burden to bear, not reflected on a copy of it. Credit isn't something that can be copied like a file.