But you would expect a security team which by all accounts could have reacted faster. Of course, we don´t know to what extent there is anyone responsible for security within the PSN team.

There's different degrees of security though. You wouldn't expect every local law-enforcement agency to have a full SWAT team on hand - they'd have whatever level of security was appropriate for normal activities, and call in reinforcements as needed. We don't know the nature of the attack, despite those who are very quick to say it was nothing other than complacency and bare-minimum security on Sony's part. It's quite possible this was an attack no-one expected via a new vector, maybe even an employee traitor, and as such there was no realistic way anyone could defend against it. Yes, having a troop of the world's best security experts on hand 24/7 patrolling their servers would have given improved security, but at a potentially ridiculous cost. Life is a matter of compromises, always. There's no situation where you can forgo all compromise and buy the very best - there'll always be more you could do by spending more money. Whether Sony's compromise erred on the side of cheapness or reasonable standard or moderate effectiveness or insanely good, we don't know. Sony have said that their people looked into it, and some are just second-guessing what level of standard those people are.

But even a security team would have a mammoth task on their hands. You've noticed something fishy in a log, or a cron job has been interrupted, or maybe your database has reported an unusual amount of transactions. Whatever is was that alerted you in the first place you've got track the source. Is it just a script gone wild, unusual behaviour due to a race condition some code somewhere. Once you've looked at that on your server and you realise that it's actually an intrusion.

Next visit is to the log files, firewall, syslog, access and error logs. Now any of these can be hundreds of megs in size literally millions of entries. And they've all got to be gone through with a fine tooth comb to find the precise point of entry. You don't want to reset the server as the intrusion code might just be a virtual device which will self destruct if you do e.g. /dev/shm.

Going through the logs you start to realise that the intrusion has gone deeper than anything before and it's starting to look like the hacker(s) might have got close having low level access. That means they may actually have stolen the log in details of any staff member with access to server systems. Now you have to change every password on the system. Now you are looking at logs for systems that may very sensitive to the business itself. It's a complete nightmare.

This is the point you sever outside access and call in the big boys to do the rest. All of this can take days for a single server, if you're looking at dozens if not hundreds of servers that may have, potentially, been compromised then the task just grows exponentially.

No matter how fast you are, or how good your systems are at detecting unusual activity it all takes time to do the actual sleuthing.

It's an oversimplification. I'll grant you that. As you said, it's covered ground and I didn't particularly want to go over the whole thing again point by point. Especially when all I was trying to get at was..

..pretty much that.

I'm comfortable enough with what I do know to make some inferences. There would have to be some pretty amazing twists in this story for the pieces not to fit the way I expect they do. Add in the broader context of how Sony have performed as a company both financially and technically as they have built out these systems and the teams that run them and the schizophrenic nature of their management (which you both have been lamenting recently) and I find it hard to be persuaded by arguments advocating that I should give them the benefit of the doubt.

Yes, but once you decide it's so bad that you have to effectively pull the plug on the service(s), you should at least notify your customers and not delay for another week before doing so. That action there is what makes Sony look incompetent in the eyes of some consumers.

React faster compared to what ? Do we know how many attackers were there ? (I have no idea)
Shutting down the entire PSN isn't a small decision. One of the official blog posts mentioned that they had to pull the plug when more and more machines become suspect.

Not just that. The initial communication was also not so accurate. One of the posts mentioned "password" instead of "password hash".

Also interesting is the DoS attack shortly before the breach. I wonder if the attackers took the opportunity to compromise the service while everyone was distracted.

I would suspect, based on my own experience, it was whilst they were shoring up the firewall rules to cope with the DDoS attack from the EC2 cloud that someone noticed something awry in the firewall logs. Unusual traffic on a specific port perhaps.

Where does your knowledge come from? Unless you have sources other than the same media outlets spouting nonsense that well all have had to put up with, you have next to no information. It's your prerogative to blame first and decide Sony are guilty until they can prove themselves innocent in your eyes, but no-one who wants to make a fair judgement will act on anything less than pretty concrete info. BoardBonobo has explained in detail how these things can work out. There's even been suggestion of a disgruntled employee being 'let go' taking revenge. We don't know anything really about the ins and outs, and yet you'll make a judgement call because you are comfortable with what you think you know.

That's a valid point, but BoardBonobo's reply was specifically aimed at those who feel Sony shouldn't have needed outside help and should have been able to sort things out faster than they did (or are doing, Store still being down). Hopefully these people now see how complex the situation can be, and how their ideas of how things should be run aren't realistic.

This to me is a rediculous assumption - the overheads would be astronimical for something that had never happened. I'm sure Sony had a level of 'expertise' but the breach was potentially very bad so brought in unbiased experts to give a full account of the damage so they know the worst case (ie staff won't be able to cover up or only tell half the story). Certainly I can't think of any company that doesn't use a form of 3rd party support...even Microsoft.

No company has 100% cover for every scenario - especially in the current climate where companies are cutting what's seen as 'fat' - even where I work bizzare descisions seem to be made and good knowledge seems to be made redundant - alternatively maybe they just didn't replace a person who had recently left, who knows - but the point is the same, no company has every angle covered no matter how important it is - every company/person improves aspects after bad things happen, unfortunately this was a very bad thing.

Look at airport security - it's fair to say that there's more than enough evidence to prove my comments are valid - and in those cases we are talking peoples lives not data!

Sony and yes.

To be clear, I am not saying that they shouldn't ever need to call for help. I am saying that they should have had the internal resources to accomplish more on their own. Especially when it came to keeping their customers informed.

And that's all I want. For Sony and all other companies in this situation to recognize that:

This was a disaster.
Sony's response to the disaster was unacceptable.
They all need to take the steps necessary to improve their own security and their ability to respond when the next attack occurs.

As long as this happens I'll be satisfied and at least some good will come of it. OTOH, if the collective thinking is that Sony did nothing wrong and this is the level of response we should expect than this is exactly the level of response we will get going forward from the industry as a whole.

[QUOTE=mrcorbo;1554659]To be clear, I am not saying that they shouldn't ever need to call for help. I am saying that they should have had the internal resources to accomplish more on their own.[/qupte]More than what? We don't know what they did and didn't do. We have no information at all on what was really going on inside their server buildings and boardrooms.

I agree with that, but that's nothing to do with needing to call in external security experts for independent evaluation and advice.

I think in this instance they would have informed people earlier if it was required or not at all if the breach was a minor one. Once they'd cut the system off from the outside world I would bet that they thought it would be a small job to plug the hole, check for damage, and look for any inserted code. Having done that the system would be connected again.

Unfortunately what they found wasn't a simple breach. It was very complicated and had penetrated a long way into the system. And they took too long trying to pin it down themselves before asking for help.

Basically I don't think the delay was intentional, they were just taken back by the scale of the hack and tried to resolve it themselves. And like I said before, investigating a hack on this scale is so complicated, and tedious, it's mind blowing!

All the subsequent hacks that they suffered may be down to sys admin usernames and passwords being taken. Imagine if hackers now had access to the financial arm of Sony etc. The PSN is small fry compared to the collateral systems that may also have been compromised. They must have been (still are?) sh1tting themselves.

Except airport security has become ludicrously complex, ludicrously expensive, and any terrorist can find ways around it...

I think they are going to setup a Chief Security Office to consolidate their security needs. That means a clear and sustainable budget. Would be interesting to see who's the first CSO. ^_^ ( I would be very surprised if Sony management give a pat on their back after losing $171 million over literally nothing, and ignore possible/similar losses in the future. ).

If you ask me, I think they also need a Chief Customer Officer too. The recent departure of marketing heads present a good opportunity to regroup in this aspect.

To how they performed during this PSN crisis. We don´t know if they have a security team, but evidence seems to suggest they did not. With a dedicated team they would at least have knowhow on the inside, i am not talking hardcore specialist, but people that would be able to see faul play. And it might even have satisfied customers that find their reaction time to be to slow since they would have been able to make the "turn it all off" call earlier and give a valid reason instead of waiting for the experts.

With the setup and knowledge they had i still think they did what they could.

Usually, experienced system and network administrators would have such skills. They are able to harden the OS alone or together with the vendors. They can also detect if the system has been compromised. At the same time, it's common to employ an external security consultant to audit the system -- especially for a publicly listed company.

If they have a top management in charge of the security, then they would have more resources, and their needs could be attend to more promptly. In general, one can never be done with security though (You can always do more but it may become too hard to use, and too expensive to implement).

exactly...the MS DRM limitations are a real PITA and cost me a year of playing my games...and I bet it doesn't stop people exploiting the system

indeed...nothing is perfect and will never be 'enough'

They have already appointed a CISO (at least a temporary one while they look for a someone to permanently fill the post). The fact that they didn't have one before this is one of the things that makes me doubt the overall adequacy of their security staff at the time of the incident.

Your experience here is atypical. With all of the RROD replacements consumers would be screaming bloody murder if they all had to go through what you did. I have moved my content across 3 different 360s with no issues at all. It's (usually) much easier to recover content from a dead 360 than a dead PS3, actually.

According to Sony's own timeline they took all of a day before calling in the first of the three(!) separate security teams they eventually called in.

Well the point is to re-download content purchased from the store, this is much easier with the Sony system as it has a lot less restrictions. My point though was that even with the 'better' security involved it isn't perfect.

I don't know what you mean by restrictions. I took the hard drive from the old system, put it on the new system and recovered my Gamertag. Everything works as long as you are connected to Live (even if you only have Silver). Later, when I had some free time, I went to xbox.com, did the license transfer, and deleted and re-downloaded my content. I had a LOT of Rock Band songs to re-download, too. It still wasn't a big deal and took maybe an hour total.

Yes, if they are serious about network operations, they should have appointed a "powerful" security head early, and be pro-active. For most organizations, the lead security guy is usually a techie, and may not have the mandate to plan, invest, and enforce security policies widely.

But even with a CSO, I expect them to still use external security consultants. Different talents are great in different areas, 'specially cutting edge ones. Not all of them will be in-house.


How long did they take to decide to shutdown PSN ? After it's down, it's natural to get as much help as possible to minimize the downtime. The external teams may specialize in different areas. And they can work in parallel to sieve through the data.

I never needed to delete any content just "re-download" (quotes because it isn't a full download). When I purchased a Kinect bundle for my son and did his license transfer I noticed that xbox.com now even has something akin to "send all titles to download queue" (I think it maxes out at something like 20 or 25).

Sorry for going OT but I want to answer to clear this up.

I sold my old X360 and bought a slim, did the xfer but the slim was faulty - then I couldn't do any more xfers - I ended up spending ages on the phone going round in circles and eventually was told it was escallated to the US where they would 'reset' the DRM thing so I could do it.

Alas that never happened and I gave up (like I said, when they auto-charged me for XBL it took several phones calls to finally get a refund, so I figured as it was just a matter of waiting for a year I'd rather do that).

TBH to limit me to 1/2 xfers a year is a joke - what if had to sell up due to losing my job, downgrade to a cheap machine that died and I got another (or got a job and re-bought a slim) - I wouldn't be able to play games I purchased legitamately until the DRM limit had refreshed...it's a stupid system.

Why isn't your 360 connected to Live? You don't have to subscribe to Gold to have it validate your Gamertag and enable your content.

?? how else would I re-download my content?

You don't need to do a DRM transfer at all if you have your gamer tag. It just limits you to playing the titles while logged in to your account.

Well it didn't work for me, I recovered my gamertag then I re-downloaded my purchased content and it wouldn't work - I had to do the DRM xfer via the website to get the games to work...then they worked fine, until I had to take that X360 back and I had the same issue (games didn't work on new console - however this time I couldn't xfer them with the DRM thing as I had used up my allowance).

Ah, hold on...are we talking about so my kids could play the games...yes, I think that was the issue (fuzzy memory), you need to do the xfer so anyone (on your console) can play anything more than just a demo...also I didn't want to be "online" the whole time as my internet wasn't great at the time.

http://forum.beyond3d.com/showthread...light=drm+tool

...


???

sorry mate, a question was asked...I tried to answer - feel free to nuke...

any news when the store will be up? Also it appears that the Hong Kong PSN is sill "under maintenance"

http://www.eurogamer.net/articles/20...by-end-of-week ...

I look forward to it - have some Rockband DLC to consume, and I'm sure I won't mind trying out Infamous either ... ;) . And Modnation Racers is still waiting to be bought.

So much for the "by the end of May" timeline. At least it means that there is still a chance that DNF will be out before PSN is back.

My wife and I have $70 sitting around collecting dust in PSN because it went down right after we had redeemed some PSN cards. Perhaps we should be demanding interest payments from Sony?

=)

Cheers

I think before this release, they said end-of-May give or take a few days.


Thank you ! MNR is a great game, vastly underrated. Glad you plan on buying it.

http://blog.us.playstation.com/2011/...tenance-today/

So a week ago they still were saying before the end of the month.

I wonder if Sony makes dev's sign something saying they can't sue them for losses due to store outages? This has gone on long enough that I would have expected to hear harsher reactions to 3rd party lost income. Or even to hear one or more small indies folding due to not being able to get their game out in their target window. Presumably the problem will last for a while afterwards too as Sony will have a backlog of content to deal with (approving and adding).

Cheers

I remember reading another article that says it'd be up May 31st, or if they missed it, only a few days later. But too busy to find it now. ^_^

As Patsu highlights, targeting. You can't force release of these service ahead of when they are ready! It's bad enough games getting released before they are finished because of a deadlined thought up in a board room years earlier, but there's no option for that here. Like many games (and projects) that miss the expected deadline because Life has a habit of throwing curveballs, we shouldn't consider estimates as binding. Within the same week as the end of the month is good enough IMO.

Sony Disputing Report Suggesting May 31 Deadline For PSN Restoration:
http://www.giantbomb.com/news/sony-d...toration/3149/

The May 31st date was a target revealed to Bloomberg by Sony Japan.

Someone in US denied the projection as early as May 9, probably because:
(1) Online gaming and sign on came up before May 31
(2) It is unclear whether they could get everything up by May 31

Personally, I'm more afraid of millions of users redeeming and downloading free games at the same time. Their CDN partners better be ready. I alone can download 4 free games (2 PSP, 2 PS3).

There should be another note by some Sony exec noting that if it's not up by May 31, it should be up just a few days later. But for the life of me, I can't find it anymore. 8^/

While i am sure they are doing everything they can i really think this is taking to long.

Playstation Store is online in the US at least. Commence the people being unable to do anything as everyone and their mother hammers it.

I'm getting an error message when I try to enter the PSN store here in Europe.

Yeah, it's not up here yet. I think they also started later with the maintenance. Probably you need to add the time difference, so that the store should be back up closer to 16:00 or so. It's been staggered that way also when PSN came back online.

I got in after trying a few times. It seems the EU store hasn't updated though, unlike the US store. And it won't let me download the Infamous 2 and Red Faction demo's from the US store.

Edit: Downloading both demo's from the EU store now. :)

I went to the US store but it doesnt say anything anywhere about the compensation plan. is it something we are going to get later?

PS blogs have been updated with a list of whats going to be on PSN+ for those that now have the free membership.

EU:
US:

They said on the blog that it will come a bit later, they are doing some testing. Wonder how the servers will hold up when it does go live, they ar big games and millions will be downloading.

Oh good. The PS+ discount applies to Under Siege, so I am going to get fiscal reimbursement for what I spent trying to get it a month ago. That makes my personal compensation complete.

Also, who here is feeling trusting towards PSN? Are you thinking it's safe and are ready to buy, or have recent rumours of more hacking on the way deterred you? I'm certainly looking at using vouchers rather than card for a good while at least.

What make me less trusting of Sony is their almost complete silence these past few weeks. You'd think they would try their best to show customers they can put their trust in Sony. Like more details on how Sony plans to keep customer data safe, and how they'll respond if they ever get hacked again. But Sony can't even be bothered to crush any rumours that might end making them look bad, like when which services will return.

It almost seems like Sony believes this whole situation will go away if they just ignore it.

Slowly! No two ways about it, the internet pipes are going to be gummed up. Actually that might pose a major problem for buying any content for quite a while. Add in E3 coverage and, unless they've increased everything 10x beyond what they had previously, PSN'll be buckling.

Indeed I'm in no hurry to try to redeem my stuff when it goes live. It will be hammered.

hmm, so how does this welcome back program work? dont see where I would get my free games.

If I didn't trust PSN now, then I might as well stop using credit cards anywhere online altogether. My trust is yet to go down, as I have yet to see any evidence that credit card information was actually stolen. And I've just been on holiday using my credit card in various places abroad without any issues either, all the while getting prompt sms messages from my 50 cent/month subscription to getting notifications of successful transactions.

Nice to see that the very well reviewed Magic game is free on PSN. I've had some issues with timeouts appearing here and there but downloads themselves work fine, so the bottleneck does not seem to be bandwidth (I've downloaded about 4GB from the store as fast as I ever have, with the Infamous 2 demo at 2.5gb, Outland, and that Magic game) , but only the Store content interface and database that seems to be getting hammered. I get occasional errors and timeouts in there, but fortunately they seem to be such that actually getting to the content and putting it into my download queue works fine. It is also important to note by the way that over here we are having a bank holiday, so lots of people are home and when the store went live this morning everyone started downloading asap. :D

I haven't been able to properly access the store for songs from within Rockband 3 this morning, but I'll try again later to see if matters have improved there.

And yeah, the welcome back programme games are not up yet. I think that's probably a wise decision. Same for Modnation Racers, and a few other things. They're definitely planning to pace things out over the next weeks a little.

By the way if you have two Move controllers and don't have The Fight yet, there's a free demo up which allows you to pound a practice doll freely. That should certainly give you an indication of whether or not this is something for you. :)

To be honest im not worried at all, my credit card info will be encrypted regardless. Worse comes to worse i am covered against fraud by my bank anyhow. I dont really have it in me to be bothered much, the inconvenience of having to buy vouchers and redeem them outways my worries about someone getting my bank card details which is extremely unlikely. I am far more likely to have a keylogger or something hidden on my PC yet it doesnt stop me from buying online with it. We all know credit card fraud is rife yet we all own and use credit cards, even if the risk level of PSN has rised its still not near the risk of using my card in shops or online using my pc imo.

They have to answer to the Congress' inquiry and the Japanese government's challenge. We will hear more from them no doubt. Their PR folks are too afraid to make mistake because everything they say can be cast in negative light.

I got Under Siege, Wizardry and a KZ3 dynamic theme to celebrate. 8^P

No difference for me. Should be able to reject fraudulent transactions. I'm kinda curious how identity theft and protection works. Someone used my identity for a medical expense about 6 years ago.

Edit: I'm thinking they might as well upsell the identity theft protection after one year.

I'm not worried about that content being stolen. I'm more worried about ongoing hacks. There was a very recent article prior to release saying hackers had got private info from Sony. If Sony are still being targeted, I'm not too happy about entering a card and that data being siphoned off, especially after hearing HTTPS has been compromised!

On a Thursday?! You continental types are so odd. :p

Of course you are already plusified. It'd cost me £12 now or £7.20 if I wait to get the free + membership, so I'll hold on a little bit longer.

Yes sir ! I have been waiting for its release. Truth to be told, given the content and innovation, I would have bought it too without PS+. But you are right, makes sense to wait for PS+ activation since it's free !

I think you're right about the value in itself. I just want back the few quid I wasted getting internet access! Also if this game plays amazingly with Move, I may need a Move controller, but I'm hoping DS will suffice. The devs have said they like the standard controls.

well, reading the welcome back conditions it says that you need to have an PSN Account since 20th April... but it doesnt explicitly say that you had to be a PSN+ subscriber for that long for the 60 days extension.
Im thinking about buying + now and hope Ill get 60 days free :lol:

The welcome back deal is for PSN+ only?

no, but if you have PSN+ you get additional 60 days for free, else you get only 30.

http://blog.us.playstation.com/2011/...north-america/

This won't require us to put in our CC info for a 30day free PS+ membership, right?

I have no idea. You can buy PS+ month by month, and the payment system usually only checks the wallet funds. I don't think there is a technical reason for requiring CC info. You can buy 3-month or one year worth and pre-pay the funds too.

no you don't and for PS+ it's now 70 days, not 60

Huh ? Why 70 days ?

Gave them everything again plus a years worth of PS+ subscription. And got the DLC for LA.N.

Do i feel safe? well my first CC was never really compromised (unless sony lies) and being in a developed country my bank gave me a new CC without any tears. I have this idea that every data is encrypted now :)

And something political, Sony is to blame for the security disaster, but not for the hack itself. And it´s not totally unlikely that Sony will be the target of another attack and knowing how computers and software works nothing is ever 100% safe. I wont give in to hackers and thief's rather risk (nothing really) it and enjoy whatever there is.

I dint cancel my old CC, so since the data was already compromised, I have nothin to lose in case it gets compromised again :lol:

I thought it was 30days of PS+ for users with no PS+?

Good news about not needing the CC.

He meant 70 days for PS+ users instead of 60.

yes, if you had PS+ you get an extra 10 days on top of the 60 for the time it was down

LulzSec versus Sony Pictures
 

Take this for what it's worth... I do not know if this is new or old or to be trusted, but it's something to read about.

http://pastebin.com/Y38gCS82 - LulzSec versus Sony Pictures