Activation e-mails?

Like I said before, it wasn't me who brought up the issue of failure rates or other company failures. And even if it is a slight tangent, it's at least slightly related to what I and Carl B were discussing. You guys really need to read up a little bit and realize that there's a discussion going on.

Exactly. Seemed pretty obvious to me. All the emails associated with each PSN are authentic and preserved in their original state, so activation email--a unique link to change your password via email--would be the answer.

Well, I would certainly be very impressed if they can make whole-sale architectural changes to an existing system with such large dependencies in a short time window (of a few weeks.)

Their PR seems to indicate datacenter moves, software architectural changes, etc..

Most changes of this magnitude, when done in an non-emergency basis, takes months to prepare -- or even more than a year for some, and usually weeks to implement.

Now, I have no idea what the scope of those changes are... it could simply be a move of a couple servers from one DC to another... or it could be dozens of servers. What's the software? The OS, database, some bespoke software, etc... I would assume some upgrades are required. Bespoke software updated/modified. Usually this requires some form of testing, first to validate that the vulnerability is eliminated, second to ensure you don't have a regression that causes more bad PR.

If they can do all this in a week or two... color me super impressed. Our organization (and many others) disaster recovery team could learn from them. I hope they'll publish an after-action report on this.

Not sufficient, in my opinion... someone above just posted an incident they noted with their own personal email account having been the source of a SPAM attack.

How do you ensure those email addresses Sony has are in fact under the correct ownership of the original user?

Sadly, one of the best identity vetting methods may be to go through financial institutions... If you are indeed "Mr Hobbit" of "Shire, Eridore" then, a credit authorization check on your credit card with those bits of information should authenticate you as who you are... assuming that information wasn't altered or compromised -- which seems to be a somewhat safer assumption that assuming your email account is secure.

Spam that uses your email is nothing special, it borders on "ohh again" an old email adress is bound to get picked up by spammers . SPF/DKIM is the way to go for anti spam.

The "no news" from sony and information shutdown is bad, very bad. But some of it must be related to them having piss poor security staff (or whatever it´s called) coupled with wild panic at CEO lvl (chickens without heads). Seems to me that they discover something is wrong.. find it it´s major screwed, flips the off switch. Searches some more and just can´t get a grip on the situation, calls in the "experts", that start from scratch, confirms that it´s fucked up. And the CEO´s have no choice but to give up "the truth" instead of a water down "only 1% was stolen".

And as been huffed and puffed by hackers for "weeks", PSN was in a poor state but no one from Sony seems to have reacted or passed that info on. Don´t they have a few people hired to just keep track of the underground, or just middleground? How do they have any idea of what is going on outside their buildings?

Yeah, you guys. Read up on it.

No, in this case:

Sounds to me like someone got into his email account (dkskribbles, I hope you didn't use the same password on PSN as your email)... why else would he have a trace of that spam message in the "sent mail" container?

This is different from someone modifying a SMTP mailer header to change the reply-to and from fields to use someone elses email address.

It was definitely you who brought up other company failures. Twice consequetively in fact before anyone else had mentioned it.

Still no email from sony...

I got mine last night. I know you're not going to like this answer but it takes time to send all these emails. Trying to mass send 77 Million emails will bring any email\exchance server to it's knees. Even if each branch of PSN is only sending a 10th of those it will take a while.

I think they put something on the blog Q&A that they are aiming to have them all sent by the 29th, but that they're hoping that the media has spread the message far and wide long before then,

I wonder if the way Sony has been handling the situation is going to come back to haunt them. I can't imagine consumer rights organisations being too pleased with it. You can't fault Sony for not being able to create a 100% secure system, but you can fault them for the way they've been treating their customers.

I just got the email, looks like it takes a few days.

I dont give a **** about their blog. They should contact their customers directly, not assuming that people follow their blog. They haven't exactly been keen on spreading this to the media either

Here's the full quote:

I think we do have to be fair that pretty much all news organisations have 'spread the message' and also that sending that amount of emails takes time.

I don't watch much TV but I know it was on 3 news programs as the kids called me (morning, afternoon and evening)

The scary thing is, it's not the same password. I don't 100% remember my PSN password, but I'm 100% positive it's not the same as my email. If it is what I think it was, it is pretty similar though.

I've changed my password and I'm gonna monitor my sent folder to make sure this shit stops.

To confirm I've received the EU email, so it is just a slow communication. For the record I'm on holiday ATM and spent money on internet access with a view to buying Under Siege, so this PSN outtage actually has a monetray cost for me. Had I known PSN would remain down, I'd have spent less on internet access.

Class action lawsuit, here I come! :p

edit: As for Sony's imcompetance versus defenders, IMO Sony have been almost complete chumps this generation. I regard almost all their choices and actions since PS3's anouncement as negative or benign, with their good stuff only coming after a cock-up. They are nothing like their PS and PS2 hey-day, for whatever reason. This is just the latest of any number of massive failures.

I got my (UK) email yesterday and my (JPN) email on Tuesday. I'm not particularly concerned with this as my email is a throw away account fed from a proxy account on a server I manage. I've renewed my card as a precaution. Not because I'm worried about money getting spent but more because my bank will freeze my account at the slightest hint of dodgy dealings.

I find Sony's response, or rather the delay, kind of annoying but if their security has been compromised so thoroughly that they didn't know what had been accessed, and what else did Sony have on those servers? PS4 details, infrastructure records, details of their new security for the PS3?, and at the same time they appear to have suffered hardware failure of some kind or even a direct breach via a data centre staff member. It makes it kind of understandable that they were somewhat reticent about making a statement without knowing the facts.

And though Sony have some very obvious issues with the way in which they handle and store end user data (plain text db's I mean really!?) it isn't their fault this happened. Without the malicious intent of external parties the system would have functioned perfectly well as it was and we would have happily gone on our way. I can only blame the hackers concerned with the attack for the loss of my PSN access. Not Sony. And if they catch whoever did this (not very likely) and if they turn out to be some retard script kiddie running metasploit or some RFP derived code then I hope their identities are made public to the same 77 million accounts that have been deprived of the PSN. Let the gamers work out the justice for them.

That is amazingly poor reasoning. Anyone sensible is understanding of the criminal intent and activity in all walks of life. It's YOUR job to protect yourself from these elements. In respect to a global corporation that holds critical information on millions of users, it's paramount that security come before convenience, budget and functionality. You can play the victim card all day but in the end, the damage is done.

The level of ignorance displayed by Sony in maintaining passwords in clear text is mind boggling. Sony basically ended coming across with "you best to not trust us with your information."

They weren't reticent in shutting down the PSN though, that is for sure, which implies to me they knew quite clearly they were in the midsts of something serious, and something that linked back to and involved their membership. I mean I can understand some people thinking that Sony is getting the heat too hard, but actually apologizing/explaining for them? I don't know.

It's a little ironic also that in this particular case, the defense for the lack of seriousness of this situation and its handling came from someone who quite obviously takes their own net anonymity and ID protection quite seriously. That is all well and good for you and your throw away account, but I use my *real* email addresses, name, etc when I sign up for accounts like these, and I don't think I'm in any sort of minority, know what I'm saying? ;) Maybe if you were down here in 'exposed' land you would view things a little differently wrt Sony's fabulous action times. :)

Pretty much this. People tend to use proper information for trusted sources and until last week, I'd assume most people considered PSN to be a trusted source. There was no reason to believe this was some hobby/enthusiast project or a shady company you would think twice about when creating a service account. This is Sony.

The full effects of this won't be immediate for compromised users. Depending on how long before this information is distributed and maliciously used, you could see ongoing reports of identity thefts and hijacks for some time. If a common source for such is prior PSN access, then it'll be an easy association for people, right or wrong.

The level of ignorance displayed by posters who believe such nonsense is equally mind-boggling... :roll:

Even in the case of the Gawker breech, the passwords were encrypted (just not salted).

Did you read Sony's FAQ?

"Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."





"

Even if the people wich did this, do take a chance on doing this, after the security upgrades, it's pretty slim chance that it should be your account they did try with..
Afterall there is 77 million accounts wich might have been stolen, if worst case scenario is true, there still is safety in numbers. :)

Noone is going to contact 77 million people face-to-face directly, that's not realistic to expect.
Toyota didn't do that when they had floormats wich interferred with the braking system on their cars, they contacted their retailers, and media - said the car-model were recalled.

The only contact-information Sony has for you wich they are sure might be correct, is your e-mail address. You may or may not have filled in the correct address, when registering.. You did not fill in your phone number, or credit card information, with your account. So that may be false.

What Sony is doing is sending out e-mails, telling you what might have been stolen from them, and you should be carefull of what you give out, so noone gets the last remaining information.

Sony will not send you any e-mail's asking for your creditcard information, social security or similar, if that happens you are most likely beeing targetted for identity theft.

So I think it's unlikely that there is any kind of e-mail activation.
The safest thing is just to wait and see what happens when you turn on your PS3/PSP with the updated firmwares.:) As well as looking at your bank-account.

GeoHot responds...

http://geohotgotsued.blogspot.com/20...cent-news.html

Tommy McClain

Just a reminder here:

1) You don't have to have a CC attached to your PSN account.

2) You don't even have to own a Playstation product to have a PSN account.

Tommy McClain

Yeah, a writeup on how it all went down, so everybody can learn how to do this, is just what we need.. :)
That way, if someone steal your money, you can just steal it back.. GeoHot is so smart.. :)

:lol: God I love irony.

Thanks for the link, I really liked this paragraph:

Yes, and reading a PR FAQ isn't necessary for me to know how the PSN works. I'm fairly confident of my knowledge of the workings of the PSN (marketing name) vs. the information of a generalized PR release.

I found it rather amateurish and full of poor assumption. I mean seriously, the PS3 isn't the only PSN client. In fact, considering the knowledge the hacker community has of the various platforms that access the PSN, PS3 one of the poorest ones to use as an attack vector... What happened to the critical thinking skills around here?

Why is using the PS3 one of the poorest ways to attack PSN? If what he says is true, about PSN trusting the PS3 as a client, more than it should, then his speculation sounds reasonable.

Why use a PS3? The PSP does the same shit and is a lot less secure and well known... Shit, why bother with clients at all?

Encryption is not as reliable as many here think when your service needs to decrypt the data often.

Regarding the passwords though, the question is whether the stupidity of Sony reached the levels of storing the passwords in plain text or hashed. Encryption is not important compared to one-way hash function, using which you don't keep the password in a retrievable manner.

While it may seem extremely unlikely that any decent company/web service stores plain texts, lack of any mention in the PR response is seriously thought-provoking.

What do you guys think of this, taken frim the latest Eurogamer.net article on the subject:

I think its a load of crap. It took them far too long to address the issue publicly and only did so after pressure. And they are actually required by law to notify people of the breach and threat to their data in many places, so none of this came from the goodness of their heart.

I did not suggest that they sould call me but contact me directly by email. I recieved it first today. Thats quite a bit to late in my book

This is probably stretching it a bit but the fact that the Sony customer care agents don't have access to user passwords i.e. They can't tell you your password over the phone maybe an indication that the passwords were hashed.

As some (me included) have already pointed out - sending 77 million emails is not easy. It's not just about getting those emails out - it's also about not getting on any RBL spam lists or having your IP range blocked if suddenly a huge amount of mails originate from the same destiny. Sending a such a large amount of emails must be done in smaller batches. It's inevitable that some may receive emails a few days later than others.

I'm no Sony fanboy, but I think Sony is doing a good job at this. Yes, there are security lapses, but that's will happen when you're rushing to play catchup. Giving their current situation, I don't think you can expect anyone (even MS or Google) to do better. It takes time for engineering to figure out what's going on. It takes time have all these information flow to the appropriate key individual. What they have done is pretty agile for a company of their size. Have you ever move a data center? Trust me, it's not something you can do easily. It takes a lot of key individuals to align themselves and guts to make it happen.

So +1 for Sony. I'm not happy that this security breach happens, but I'm happy have with the way they reacted/responded.

So everyone gotten their apology letter from SONY? I have not gotten one, and I am a bit worried that I registered my PSN account with now a defunt student e-mail account in the PS2 days. When did PSN go up?

PSN started with the PSP I think.

I'm fairly sure it started with the PS3?

You got an US account?
I think they only send out emails for US customers (so far) - atleast I only did get one for my US account (not sure I left credit information on that one) and not the EU one.

And PSN started with PS3, in fact with a PSP you could only access PSN through a PS3 for a long time.

I got mails from: Australia, Denmark and Japan

Not sure what account I have and what region. I believe I did create an account on playstation.com when I got my PSP in february 2005. So my playstation.com account is not my PSN account? I have also received 19th of April an ad from PSN about Ratcher 4 for one to my current e-mail. Hopefully this means that my current e-mail address is bound to my PSN account. I am fairly certain that I do have an PSN account as I could log into PSN from my PS3. I am so confused heh.

I got the email with the warning today...what took them so long?

Don't make the mistake of believing that these big companies, be it either Sony, Microsoft, or Nintendo, have a soul or a heart. I've seen too much and know quite a few things to begin comprehending all the nasty things these companies do, not only to customers but also to their employees.

I might have made a broad generalization, but 99% of the employees are just a number for them, not a person, let alone their customers. We are all alone inside our heads. And for these companies like part of the article of Geohotz posted here says, we are pesky customers.

Sony/Microsoft/Nintendo is basically the modern day version of the pharisees, and although somewhat declining in influence over the years, because of laws, it's still there.

I have a hard time trusting these companies like the people on the net who have friends like stars in the sky, so to say. And this comes from an exemplary customer -I never pirated a console nor the thought crossed my mind, I buy games on a regular basis, etc- like many others there are here on B3D.

If there is one thread that makes me feel better about myself and my ways, it is this one.

Not to get off-topic.... Well... The greater the size of the company, the greater the reaction is, so this issue is a 'big deal.'

I think that the greatness of the implications has been blown way out of proportion in some ways, but that doesn't mean what happened do not influence a HUGE chunk of the PSN population, because it really does. The lack of security is placing your customers in a vulnerable position where others can either harm them or devastate them economically or whatever -some people have experienced odd operations made by someone else using their credit cards, for instance, these last days.

As for those defending Sony all the time, a fanboy-ish attitude frothing at the mouth like a rabid dog isn't helping anyone. This is when when you realize that you are in an extreme minority on a particular matter...or many.

Sony should return to their old, quite old ways, lick the wounds and start anew during the next generation of consoles, because this one hasn't been their best.

It's not those companies alone. It's perhaps also a reflection of today's society. Nowadays everything is darker, more dense. Maybe it is a reflection of the society we live in. We also have wars everywhere, crisis, etc.

Not many time ago, in the 90s -which I consider my favourite decade- everything seemed more lively and positive. Anyway, I don't want to get off-topic.

The damning fact for me is that they deemed this intrusion serious enough to shut down the network right away. At this point, issuing a notice to their customers that the network had been breached by an unknown party and that they were investigating the extent of the intrusion would have been appropriate. Instead they said nothing. I won't accept this as an appropriate reaction. You may disagree, but I expect better and hopefully most agree with me. Customer backlash is the only way that not only Sony, but all other companies will be forced to handle these situations in a more customer-focused way.

You should contact them and let them know that you are fairly confident the official Q&A that they are directing customers to on this issue is wrong. After all, it wouldn't be the first time that a 3rd party taught them something about their network they didn't know.

Good Job? AGAIN a bare minimum , if your security is breached and you have sensitive customer information, you should immediately alert your customers.

While it takes some engineering to figure out what has been taken, that is irrelevant. If you know there is a risk customer info is out, and this can later be used for fraud, that is a big deal!

While you loose some face on this, the other outcome is much worse. By the looks of it, they have not obtained cc info. What if they had? In a week, you could scam a significant amount of people, and people wouldn't have been able to do anythinng.

Heh i would be slamming them for not issuing the information immediately. Just like the senator.

You do not need a soul or heart. All you need is to understand that your customers is by far the most vital part of your success:

Assume that CC info actually was stolen from all of us.

And that Sony did not inform us until a week after the fact, and lots of people got scammed in the meanwhile.

What do you think would happend to their customer base, and global perception?

Even as such that doesnt mean they wouldnt/dont go against morals when they have interests and know they wont suffer any consequences.

Now regarding why they informed the customers late, there is a possible logical explanation. When you want to communicate to the customer an issue you want to communicate it clearly and once. And to do that you have to assess the real magnitude of the problem and its nature as much as possible. Its bad practice to inform the customer about an issue, then come back to him and tell him things were actually different or worse.

If I were in their shoes I would have faced a huge dilemma

http://ca.kotaku.com/5796902/there-a...ls-up-for-sale

That should read "2.2 Million" in the URL, not 22 million. :p

hm... :s

I would hope that going forward that all companies will have a contingency plan in place for this scenario that includes a pre-approved list of customer communications during the incident. Sony's response from a technical perspective seems to have been pre-planned and smoothly executed but I suspect there was a lot of back and forth between their legal and PR departments as to what information they were going to release publicly.

pf... well, maybe if it is true. :p

I wouldn't be surprised at all if their formal FAQ response contained errors; such would be the irony and reinforcement of their poor communications handling through this though.

I hate to sound like I'm defending, but it's hard to imagine what exactly happened. We're probably dealing with a very complex network with a lot of servers involved. I could imagine that at some point, some technician probably noticed things being off, parts of data that is corrupt or changed in some way alluding to perhaps a malfunction. Then a cup of coffee later, at some point after a little bit of digging, something seems terribly wrong. Now how fast do you think this kind of information passes up the ranks? How fast do you think you know of the true extend of that your system has been intruded and how much is at stake? Then after you know, you start to evaluate. Maybe the person in charge at the time isn't present, so it takes another few hours to get the message through "housten we have a problem". This isn't the type of company where you have a couple of technicians and a boss who is readily available to react to everything immediately.

You just don't shut things down, not when you're network has millions of customers accessing data at all times. And sending out 77 million email again is no small feat. I don't believe for a second that the true extend of the breach was something that was known quickly.

Unfortunately, I don't think anyone will ever know the true extend of how the system was breached and how long it took Sony to figure that out. Of course it's somewhat disappointing for the network to go offline and for it to take them so long to make some notice about what happened. Then again, I'm not really sure I even trust the official statement that they turned off PSN or that when they did, they knew exactly what they were dealing with. That might explain their "back-foot" reaction since they've been offline and why we are hearing about what has happend so late.

Different clients may access PSN differently. If the PS3 was intended to be a closed system, with some level of trusted access, then it could be that hacking the PS3 opened a door into PSN that they never thought would be opened. I'm not saying he's right, but he does have some experience with the actual firmware and might understand a little bit more about how it interfaces with PSN, since he was looking at a way to have it operate on a completely different network.

I think the problem with this reasoning is that they shut down PSN well before the admission of the data leak came out. When they shut PSN down entirely, they must have known that the breach was serious. If they did not know someone had attempted to steal data, then why did they shut it down?

Like I said earlier, at some point between shutting it down, and the release, they got the suspicion the hacker was trying to steal customer data. If they had that suspicion early on, they should have said something to their customers immediately, to help protect them, and they could have followed up later if it turned out that the data was not taken. If they had the suspicion later, why did it take so long?! You'd think the first thing they'd look at would be the integrity of their customer data. In one case you have incompetence, and in the other case you have customers as an afterthought.

I've only seen one list so far so unsure if that's part of the *lists* that are being shopped around...but anyway its a fictional list. Would be unfortunate if CC info was ultimately comprised so I hope users are taking the proper precautionary measures to protect themselves.

It's not necessarily wrong, it's just being interpreted by many incorrectly leading to false assumptions. Unencrypted database/tables != plain text passwords. You can still write encrypted data into unencrypted tables, you're just not encrypted database objects at a higher level. It's like the difference between having an encrypted files on an unencrypted HDD and encrypted the whole HDD.


In any case the whole *late* aspect is somewhat unrealistic too. How long did the State of Texas take to notify of it's breach? A year. How long did Gawker go exploited before notifying users? More than a Month. The latest breach at DoE OakRidge National Laboratory? A week. Epsilon? About 5 days from breach to when I started getting emails from their clients. By the standards of recent well known security breaches I'd say the response was fairly quick and reasonably measured. Also considering the significant signal to noise ratio coming off a massive DDOS, and subsequent focussed DDOS and probes, along with CFW/MFW users trying spoof access and/or accessing and downloading content from staging envs, along with the normal routine of maintenance and platform updates; the total shutdown was understandable (albeit still surprising even to me) just to reduce the noise floor of activity to ascertain damages.

The only thing that cracks me up about this mess are the people that are only complaining about the service being down. I appreciate the level of conversation in this thread, but read around some of the blogs and forums around the 'net, and you'll see a bunch of people whining that they can't play Black Ops online or whatever. Never mind my credit card and passwords, I want my frikkin' Black Ops. Those jackasses will be the first in line to get their bank accounts emptied, I'm sure.

As for the stuff that was taken, I'm not particularly worried about most of it. My name, handle, email, etc.. that's all public record. Probably wouldn't take too long on Google to pull up most of it.

The big question I have, the one that's come up in this thread several times, is how the password file was stored. Everyone assumes that it must have been encrypted, because of how stupid Sony would have to be to leave it as plaintext. But then there's that pesky press release of theirs that simply stated that the personal data files were not encrypted. I think we're in a gray area here, and I'd really like Sony to come out and say in plain English how the passwords were stored.

Frankly, I don't feel like going around and changing the email, name, and passwords of every site that I visit. Yeah, I can make it much safer by using randomly generated passwords on everything, but there's a fair number of sites I visit on my phone, which doesn't store passwords the way Firefox does. And I can just imagine trying to remember "kD(s&IN3%1sViK" every time I want to check my latest Amazon order. And then trying to type it into the iPhone's wonderful keyboard.

My point is that Sony needs to be abundantly clear on exactly what was taken, and what form it was taken in (encrypted, hashed, plaintext, etc). Then I can make an informed decision on exactly what I need to go change around the rest of the internet.

Sony could definitely benefit by putting someone with a technical background in charge of the PR effort, even if only for a day, to at least spell out and clarify the nature of some of things you are alluding to, because I think it's understandable why people might reach the plain text conclusion. And in so doing, it doesn't help Sony's cause at the moment.

You're right about the length and severity of those other lapses you mentioned, but I'm not sure that does any assuaging in this particular case. It's different also in that Sony has actually shut down the related breached service in question indefinitely, with a not insignificant gap between the shutting down and the explanation commencing.

I'm not angry or anything with this turn of events; as others have mentioned, if the attackers were determined, the odds would be stacked against Sony regardless. But I can't give strong marks on the communications response on it even as such, and of course, I remain understandably aggravated that I'm at an unknown... or poorly communicated/understood... level of risk.

The best possible explanation is that Sony wanted to minimize the potential backlash. If the customers" best interest were the upmost priority the response would of been...

"PSN's security has been breached and we don't know how much of your info has been exposed. There is a possibility that all PSN user data including CC numbers has been compromised."

Sony weighed the risk of giving PSN user the worst case scenario up front over waiting and hoping an investigation would provide a scenario less scary. They chose to wait and they lost. They took the worst case scenario and made it worse by lumping a week of silence into the mix.

Sony understood the possible ramification of the breach because they shut down PSN as a response. The other immediate response should have been to inform the PSN userbase.

It´s not clear cut, you have 77 million accounts. Do you ask 77 million "people" to change passwords unless you are somewhat sure? "they switched it off so they knew something was wrong!" yes, but not to what extent and they made a "big decision" when they switched it off. That costs money, so the critism on the security is valid, but imho it at least can be discussed just how bad Sony performed in regards to information.

Fun fact, if Geohot hadn´t cracked the PS3 in the name of "freedom" those 77 million users wouldn´t have been exposed. And his way in was OtherOS. Without OtherOS this might not have happend.

I am gonna get flamed for this, but the amount of arrogance and shortsighted views he presents competes with Sony´s arrogance. But hey, the day Hackers actually take their responsibility serious is the day hacking stops?

Well folks like that are probably also the type that probably have simple, commonly known passwords that even strong encryption isn't going to protect...

I'm not terribly worried about credit cards. Credit card companies generally have decent fraud detection services (I know mine does as I've been annoyingly inconvenienced by my card getting locked due to my shopping activities tripping red flags), and are able to resolve false charges fairly well. Passwords are annoying but if you're reasonably sensible and use different passwords for all your online accounts, then it's a minor issue. The data that bothers me is the security question and more specifically, the answer. Even if your password and credit card is secure, the relative invariance of security questions generally used makes exploitation a lot easier. After all, that's how Paris Hilton's T-Mobile account was hacked (and that even need any security breach to occur).

The problem with the security questions/answers is that, with the network down, I have no idea which questions and answers were used. I haven't so much as looked at that stuff since I created the account years ago.

Some sites tell you the safety level of your password when you sign up, hope they include something like this in the new firmware/PSN version.

Actually, you don't know at all that it's true. Possibly, maybe even probably... but fact? No.

He can be arrogant if he wants, he's not running a consumer oriented business.

Fact? Really?

'Supposition dressed as fact' would be, pun intended, a factually accurate description.

Nobody got facts on any of this, those that have it wont say a word. But there is plenty of pointers that back it up.

Math that reverse engineered the Jig hack clearly stated that without Geohots original "glitch hack" the Jig wouldn't have come to be. Without the OtherOS option Geohot wouldn´t have had an easy way to snoop around with. So it´s not fact but it does seem plausible.