*ren* PSN Down, Customer Info Compromised
 

Its been down for atleast a day now. Something serious seem to have happend, because it sure as hell wasn't planned. (Sony said yesterday that they where having a maintenance, but its quite obvious they are not - as they where unable to give a ETA, and it was unplanned)

ModEdit:

http://blog.us.playstation.com/2011/...-and-qriocity/

1. Temporarily turned off PlayStation Network and Qriocity services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

See link for more.

Cheez edit:

I read something about it yesterday on engadget. The reasons behind the outage are still unknown (but I've really limited access to the web at my job :( ).

From PS Blog:

It coincides with Portal 2 and Steam integration. Could that be the issue?! Other fingers point at Anonymous, although they said they weren't going to target customers any more. Then again Anonymous isn't an organisation but a collection of individuals, and it's possible some people decided to pick on Sony's network.

Maybe PSN relies on AWS somewhere in the chain?

Cheers

We probably can't rule out hacking but it's more likely AWS as I recall that Sony was looking into solutions from Akamai and AWS to combat the DoS attacks in the last few weeks.

Whatever the cause I hope it's back up soon as my 5yr old wants to play Warhawk:)

It's has been down for ~42 hours now. Sony Europe speculates that it may be a DDOS attack.
http://psx-scene.com/forums/f6/psn-d...er-42-a-85343/

Some other sites are having intermittent problems as well (Reddit, Amazon).

Glad I activated my PC copy of Portal 2 before the outage.

Utter shameful and unprofessional on Sony's part. Unacceptable.

You get what you pay for. I hope they reimburse the people who, for whatever reason, pay for PSN.

I just got an email from Cakewalk saying their store had been down the last couple of days because Amazon was out. Seems like a major attack on eCommerce at this point.

Latest on the blogs says they got "hacked"

http://blog.eu.playstation.com/2011/...city-services/

And if its related to Amazon cloud, I guess,Amazon will lose customers now.

I hope that somebody with the inside info, will do a writeup about this attack on cloud based services. And if it was intentional to do it in sync with the Skynet dates. :)

This is the AMAZON EC2 affected customers, i see sony there but i think PSN is hosted somewhere else?

http://www.ec2disabled.com/

And most of those sites are back up, and afaik the Amazon failure had nothing todo with hacking but was related to a internal program that caused the servers to backup themselve up to such an extent they ran out of diskspace. One of the most annoying problems in any server is corrupt file systems, no amount of UPS or Raid can help with that.

http://twitter.com/#!/Mathieulh is full of harsh words on the PSN security, funny how getting access to the PS3 inner working really opened up a can of worms on Sony because they were slacking on security?

$50 / 12 months = $4.16
$4.16 / 30 days = $0.14
$0.14 x 5 days = $0.69

:lol::lol::lol:

EDIT

$0.69 x 100k customers = $69,444.

100k customers? I thought they had 69 million user accounts?

$0.69 x 69 million members = $47.61 million, wow. Whatever the number is it is costing them serious money. I'm sure Sony will reimburse their customers somehow. Would be suicidal not to.

Anybody really think it's an external intruder? Doesn't look like a DDoS attack to me. Though it might be a hacker(s) that breached the network & they had to shut it down so they could keep it from happening again. Just not real sold on that idea. Could understand a couple of hours, but not a couple of days. Sounds like more incompetence.

Tommy McClain

Gradthrawn was referring to those that have paid for PSN+, not the vast majority that pay nothing for the service as you are "working" with in your post.

Yeah, patching a security hole is always just a matter of minutes normally, I don't understand how they can take this long. :roll:

Sony can't understand how the hackers keep guessing their system passwords that they generated randomly once... ;)

Gotcha. But don't those who have the free accounts still not entitled to some kind reimbursement since some of the games they purchased can't work without PSN access?

Tommy McClain

From a comsumer perspective, PSN is a major draw of the PS3. It's a big selling point and 3 highly anticipated games released just this week have a strong emphasis on their MP portion. In that sense, you're crippling a major draw for these and other existing games.

Ultimately, it would be nice if Sony had an Amazon like attitude to this outage. Amazon has been very proactive with updates and status whereas Sony's seem to be "we'll let you know..." attitude.

We're not entirely sure it's a security hole anyway though it's probable. However, it could be the same thing that happened with Amazon. One would have thought they would be able to fix this in no more than 1 days time. I think you're giving PS3 hackers too much credit to pull something like this off. A lot of the hackers still haven't agreed on why it's down. Though I'm sure Sony would love to blame them for it.

Tommy McClain

Poll & article about whether Sony owe's their customers any kind of compensation for the outage...

http://kotaku.com/#!5795055

Looks like most people say yes.

Tommy McClain

Haha! It doesnt mean anything. We always say yes to money and free stuff ;)

Well they do owe us something, of course they have to be careful since they could end up being "to friendly" if this isn´t a "one of". Blizzard used to reimburse WOW players with "free time". But they never really were very fair about it.

Imho they should give everyone PSN Plus for a month and Plus owners a free month on top of their current subscription.

they should be much more consumer minded with this. The communication from sony has been terrible.

Day 1: "We have maintenance"
Day 2: We still have eh... maintenance. ETA tbd.
A little later that day: We are being hacked, ETA unknown.

Just come clean at once ;)

Its not always easy to tell the source of a problem in a large environment. Nor is it necessarily wise to make statements before having a finalized and tested plan of action. The simpliest answer, "it's under maintenance", is actually fairly accurate. It just falls under the "unplanned maintenance" category. :grin:

I just booted Socom 4/Special Forces for the first time and it told me that a new patch was out and let me download it. Without being signed in to PSN and when it tried to login in afterwards it said PSN down for maintaince.

So not all parts of the net is down at least.

Yeah, Rockband 3 still shows the new DLC, but of course no online highscores.

2007 Xbox Live precedent
 

When Xbox LIVE went down over christmas week (5 days) in 2007, Microsoft gave the highly rated Undertow (800 points) arcade game away for free to both silver and gold members if I remember correctly. I don't think anything came of the multiple lawsuits though. As for the usual hate in forums, blogs, news outlets, etc, that remained the same. And said factions continued to bitch and moan even when they were given that game for free.

I expect nothing less from those groups and Sony this time for PSN. So far though, I see no major uproar in the usual media outlets. Surprised (where's that sarcastic smiley when you need it).

But wasn't that 2007 outage actually Microsoft's fault and simply a under provisioning issue? I seem to remember the Halo 3 / Modern Warefare double team overwhelming their expected load capacities.This current Sony outage seems to be the result of some outside influence and not directly Sony's fault. There are protocols every large company has in place in the event of a network breach that must be followed, which usually consists of shutting down the compromised systems to prevent any further leaking of and safe guarding customer data, whilst allow for a investigation of known events and preventative measures to be put in place.

One thing I do find interesting though is how on one side of the fence developers always complain about MS's difficult certification processes and closed nature of their network, and on the other side of the fence as a consumer they have certainly delivered the most reliable and well integrated online experience of all the the consoles I have.

Lets just hope PSN is back up soon.

Well until the anonymous attack over the Geohotz thing I can't remember PSN ever being down other then the regularly scheduled maintenance so this is a new thing for PSN not a normal occurrence.

Yes, the 2007 XBL issue was a case of under-provisioning. They simply had not increased XBL's node-count in anticipation. A contact on the ETFS team mentioned he had heard they nearly doubled the number of nodes afterwards.

This PSN outage duration surprises me.

Well it´s the easter holidays. I would bet that plays a part in why its taking so long.

http://www.thesixthaxis.com/2011/04/...for-psn-outage

If there's any truth to the above, that would explain the duration of the outage.

If there is any truth to the above, expect lawsuits against sony for breaching their stated private policy?

Assuming there is any truth to the above, unless they have truly incompentent people, they should by now know if any information has been compromized. This should be communicated to their customers asap -> so people can take the necessary steps to secure themselves.

If there is no truth to the above, atleast sony should release a statement confirming that the attack on PSN has not resulted in private information being leaked.

Depending on the nature of the breach it can be very difficult to determine what information may have been taken. Different companies have different policies on this. Some deem it better to take a more proactive approach and simply inform their customers that there is the possibility their data has been compromised and should take appropriate measures, while others are a bit more conservative and rather not alarm customers unless they are sure data has been taken. I think Sony falls into the more conservative category.

Hmm, I absolutely hate if services store your credit-card detail, PSN does this and so does Amazon.
No easy way to disable this "feature" either.

Successful attackers can do with the rest of my PSN Account whatever they want, they earned all the worthless accomplishments on it

There are new rumours that are about a new CFW that came out earlier this month that allowed users to log in as dev. and download stuff with fake CC info...ok could be possible but why shut down everything, and for so long ?

My guess is that a) Sony over-reacted and then b) something went wrong.

I agree, they should have been able to disable anything sensitive (the store, account updates) but still allow basic authentication to still happen so folks could play games. I wonder if when they disabled things they managed to mess up their internal communication channels and if that is what has slowed the whole process down.

What really makes zero sense is the lame PR they are pushing out. It is like they are totally out of touch with how folks feel about online services and oblivious to how insulting their updates come across.

IMHO of course.

Cheers

You're not alone on that, penny arcade did a piece on it today suggesting they should hire a human.

That`s what a lot of people say. Many accept the fact that they had to shut down , the anger comes from lack of clear information. But the gaming press should also be a little more agressive in researching such issues not just copy/paste from each other but I guess they don`t want to risk their relationship with the industry.

The anger comes far more from the length of the shutdown and people wanting to use it already then Sony's bumbling PR.

I don`t think so. Anyway, finally some more specific information : http://ps3.nowgamer.com/news/5657/ps...-expert-claims

You honestly think so? I'd have thought good customer communication, regular progress updates and a realistic timetable (that could easily be extended if necessary) for the resumption would alleviate much of the anger currently being seen.

Edit

How is that 'more specific information'? It's yet another guess by someone who is unrelated to Sony.

And of course that's part of the problem... with Sony not making any steps at all to feed information into the marketplace, we have newshounds either adding 1 and 1 and coming up with 7 (Anon) or going to 'experts in the field' to make guesses that are then sometimes taken as facts, or at the very least 'specific information'.

Not sure why this random guy's opinion on when PSN is coming back up is any more likely to be accurate than yours or mine. Also, anyone care to unravel this strange quote?

Hard to tell whether the guy is simply full of it or whether the author just misquoted him or something.

Cheers

I worked at Amazon, and having seen the system they use to protect credit card numbers (affectionately known as CC Motel), I would be extremely surprised if credit card numbers were ever compromised at Amazon. Not even employees can ever retrieve a credit card number from an account, and the system that does store them is physically isolated and has no internet connection. When you add a credit card, it submits the number to the CC Motel (using a serial protocol with only a couple of very well defined simple commands) and gets a token back, which is stored in the account. When you buy something, they present the token and the amount to CC Motel, and it returns if the charge was successful or not. That's it.

I want to live it up at the CC Hotel, it sounds such a lovely place

I got a little pissed-off earlier when someone posted the below comment as fact in response to a Kotaku story earlier:

So the first commenter posts it, saying it was from a trusted source and all of a sudden half-a-dozen thickos believe it. A little investigation and I discovered the 'source' of the post being the opinion of an anonymous poster on a tiny messageboard.

And yet, and yet some people were all to willing to believe it and, once can assume, further spread the rumour.

And it does so while being isolated from the net? Wow, Im extremely impressed :smile:

Yah, that's a typical solution for "removing a system from direct internet connection" but you have to know that the weakness to that method of having physical security for the system is those systems that *are* connected to it... and those systems are on a network of some sort, which ultimately ends up accessible from the internet.

So, if someone were to compromise the systems with the direct serial connection to the CC Motel, they could conceivable get CC Motel to make a lot of random charges on various accounts... if they know how to craft the request properly... sure, big ifs... but there are always vulnerabilities.

Yep, it has a hardline direct to a payment processor. No net at all.

Right, if someone compromises the sytem, ,they can possibly make charges to accounts, although they would not get the money. What they couldn't do, though, is steal the credit card number and then sell it/use it for their own financial gain.

Apparently the fears of users' personal information being compromised were well-founded. There is no evidence yet that Credit Card data has been compromised, but it hasn't been ruled out either.

Shite. Time to start changin' my passwords again.

:| Yikes.

They've known about this for a week (if not the extent of it) and this is the first communication to users that their personal information may have been compromised. :evil:

Thread title change to reflect this info? People need to know about this.

I've updated the first post as well.

:( Bloody awful situation. Wonder what the lashback will be against Sony from a legal standpoint.

Yeah, if they had suspicion that it might have been this serious, they should have said something right away, to err on the side of caution. Dicks.

I also appreciate that they didn't even bother to send this information to their PSN subscribers in an email. I mean, putting this information on their blog is obviously the best way impart this information to their casual subscribers. I'm sure all of the subscribers read that blog every day.

I'm also trying to remember if I had my credit card number stored on my profile. I don't think so ... What a huge pain in the ass, since I can't even log in to see. Request a new credit card? Yes or no?

Damn, did Sony do anything right in this situation? :shock:

Seen on arstechnica:

"PlayStation: It only gives away all your information."

This is living.

erm... Just a side-thought... would there be any impact regarding the Facebook integration :?:

No, but was today really the day to launch their tablets boasting their online services?

Like I said, did they do ANYTHING right? :???:

If you used the same email address and password, I'd be changing that ASAP. I've been scouring the millions of online accounts I have, looking for places where I used the same password.

I would really, really, really love to see a post-mortem on this, but I expect Sony to clam up to try to defend against legal action. ;-/

Yeah, so far I've changed e-mail and password, but I luckily don't keep the same password for facebook as the e-mail. Even then I haven't got much for personal details in Facebook.

Good grief, reading this... just simply boggles my mind how badly Sony needs some engineers/architects with just a wee bit of knowledge about sound security practices. Just even a minimal bit of knowledge.

Explains how their PKI implementation was borked from the beginning.

Most companies these days, consider it an automatic terminate offense if a release of customer information was made due to negligence. I don't even know the legal implications.

In other high profile cases, companies have had to offer their customers credit ratings watch services. Dang. This really cheeses me off.

Guys just cause their security was comprimised doesn't mean Sony was negligent in their Security policy. Even the best systems can be broken.

The main issue for now is that they took so long to start sending out emails that the data has been comprimised and that may include CC numbers that is the issue.

I agree. But this alone is enough to have me royally pissed. I don't even know what e-mail/password/security question I used to sign up for PSN and, of course, can't log in to find out.

Edit: Well, at least I know what e-mail I used now.

**** YOU SONY.

You should have given this information on day 1. Not a week after the fact. WORST CUSTOMER SERVICE EVER.


Oh well, gonna call the tech guys at the bank tomorrow and see if i need to change the credit card that was used or not. They say that the security code was not comprimised, however if they aren't sure wether or not they obtained our credit card information how the hell do they know if they got the security code or not? (they probably are 100% sure, they just dont want to make things even worse)

+1

Maybe get DigitalFoundry on the case?

Lets do a CLASS ACTION LAWSUIT!!!
Millions of PSN users vs Sony

I wonder if its the "anonymous". If its them, I dont know what to say? Attacking the customer information because geohot and Sony have disputes is completely unfair.

Since the severity of the situation and such. Hoever it was they will likely find out through the FBI and such the issue is can they do anything to them. If they trace it back to China it doesn't matter a damn bit that they know who is at fault.

Here is a letter sent by Sen. Blumenthal of Connecticut to the CEO of SCEA.