[Akumajou]

Quote:

Originally Posted by goonergaz

As much as I am a big fan of Sony you are completely correct. I manage a system where I work and I know for a fact that the suppliers of said system have an identical test server for such updates and I have a test server on site for testing new software - it may take months to plan though...depending on the severity of the issue and complexity of the 'fix'.

I do believe Sony were slow to react but I also believe the dates provided above (I'm sure the FBI will catch them out if anything is untrue) - so Sony told us pretty much as soon as it was confirmed (within a day) not 7/9 days as many seem to suggest.

I wonder if Sony were working on a complete migration and this is why it was left unpatched for so long...it would also explain why they can 'all of a sudden' migrate to new 'more secure' servers when usually such excersises take months of planning.

But Sony's servers are not easily accesible like the usual hacks that plague Windows Operating Systems, you have to have inside access to proprietary Sony software, and these hackers got access to such things as well as reverse engineering/hacking of the Sony firmware that unless they did not have the official documentation they would have never been able to simply crack it.

I personally am very disappointed at how the mainstream tech media keeps making it sound like these hackers are intelligent when they just had access to stuff the average consumer is not supposed to have access to so its no suprise otherwise they would have hacked the PS3 way back in 2006 or early 2007 even if OtherOS was never offered.

[macabre]

http://blog.us.playstation.com/2011/...e-restoration/

Quote:

Today our global network and security teams at Sony Network Entertainment and Sony Computer Entertainment began the final stages of internal testing of the new system, an important step towards restoring PlayStation Network and Qriocity services.

http://blog.us.playstation.com/2011/...ugh-debix-inc/

Quote:

A $1 million identity theft insurance policy per user

http://blog.us.playstation.com/2011/...ward-stringer/

[Brad Grenz]

One year of identity theft insurance is a pretty common in these situations. I wonder what Sony actually pays when they sign a contract for so many customers? I bet it isn't very much per customer.

[Xenus]

It's probably not even that they just signed such a contract. It's probably covered under some insurance they bought against this type of thing.

[goonergaz]

Quote:

Originally Posted by Akumajou

But Sony's servers are not easily accesible like the usual hacks that plague Windows Operating Systems, you have to have inside access to proprietary Sony software, and these hackers got access to such things as well as reverse engineering/hacking of the Sony firmware that unless they did not have the official documentation they would have never been able to simply crack it.

I personally am very disappointed at how the mainstream tech media keeps making it sound like these hackers are intelligent when they just had access to stuff the average consumer is not supposed to have access to so its no suprise otherwise they would have hacked the PS3 way back in 2006 or early 2007 even if OtherOS was never offered.

Sorry, I wasn't aware of the insider info - it was implied somewhere IIRC but I don't recall it being confirmed?

[JPT]

The letter from Howard Stringer on the EU blog is pushing it, comparing the breach with the Earthquak and Tsunami, they might not intend it like that. But reading it, definitely sounds like they are playing the poor us card there.
And the stronger defense statement, mmmmm would me much more assuring if they trotted out state of the art or best money can buy. Now their just upgrading with no real faith in the upgrade

http://blog.eu.playstation.com/2011/...ward-stringer/

But most importantly when will it be back? Last estimate we saw was one week from Tuesday last week.

[Arwin]

I don't know if it came across that way to everyone (probably not), but I'm sure the point is that Sony was hit hard by the Tsunami / Earthquake problems, but unlike that natural disaster the current problems were actually a man-made criminal attack that is seriously damaging the company (also stock-wise). So from his perspective, and the two things hitting the company so close after each other, it is not a strange comment. I guess to many Europeans the Tsunami / Earthquake in Japan isn't just as big of a deal - heck most of us even got Motorstorm: Apocalypse on the original release date.

[goonergaz]

I must confess that I thought the anti Sony brigade are going to lap that quote up.

[AlphaWolf]

I think they need a server vulnerability scale, that would allow them to better inform their customers of the issues at hand.

1.0 - kiddie script.. someone is testing the ports
|
V
8.0 cancel your credit cards

[BoardBonobo]

Quote:

Originally Posted by AlphaWolf

I think they need a server vulnerability scale, that would allow them to better inform their customers of the issues at hand.

1.0 - kiddie script.. someone is testing the ports
|
V
8.0 cancel your credit cards

9. "Whaddya mean you left it on the train?"

10. "I'm sure we had a server here somewhere... Check the back of the sofa Kaz mate"

[deathindustrial]

http://blog.us.playstation.com/2011/...ration-update/

Quote:

...When we held the press conference in Japan last week, based on what we knew, we expected to have the services online within a week. We were unaware of the extent of the attack on Sony Online Entertainment servers, and we are taking this opportunity to conduct further testing of the incredibly complex system....

At this rate Duke Nukem Forever is going to be released before PSN is back online.

If their account authentication system is that "incredibly complex" it sounds like they are doing something incredibly wrong.

Cheers

[-tkf-]

Quote:

Originally Posted by deathindustrial

http://blog.us.playstation.com/2011/...ration-update/



At this rate Duke Nukem Forever is going to be released before PSN is back online.

If their account authentication system is that "incredibly complex" it sounds like they are doing something incredibly wrong.

Cheers

I would like that, i have waited for Duke Nukem since 1997.

It´s obvious that getting PSN online is not a quick fix and the scale doesn´t help.

Being a big supporter of Cloud Services (and preacher) this really made me think. These things happens now and will continue to happen. And as more and more functions is bound to the services in the cloud, services becomes even more vulnerable. If PSN is down, you can´t play online, it doesn´t matter that the servers are hosted somewhere else. If Google has a problem, you can´t access your mail or you docs, pics etc that is in the cloud. The centralized nature is a big weakness when something goes wrong.

I hope that Microsoft, Nintendo and espcially Sony learns from this. I would propose a complete backup system that only works in "read only mode". Providing the basic services so that games work but only basic.

[BRiT]

I believe MS has nothing tech-related to learn from this Sony SNAFU as MS's Azure-based services have provided for a lot of the functionality Sony and others are missing. The likely features being automatic rolling updates and upgrades, automatic rollback of failed patches, failure detections of the nodes, load-based scaling, location independence of nodes, as well as consistent backup policies and procedures. Have a look at the various Azure-based presentations at PDCs (Professional Developer Conference) or TechEds. I first noticed this at the 2008 PDC in Los Angeles.

[-tkf-]

Quote:

Originally Posted by BRiT

I believe MS has nothing tech-related to learn from this Sony SNAFU as MS's Azure-based services have provided for a lot of the functionality Sony and others are missing. The likely features being automatic rolling updates and upgrades, automatic rollback of failed patches, failure detections of the nodes, load-based scaling, location independence of nodes, as well as consistent backup policies and procedures. Have a look at the various Azure-based presentations at PDCs (Professional Developer Conference) or TechEds. I first noticed this at the 2008 PDC in Los Angeles.

Could you provide some links? It would be interesting to see how Microsoft is better than Amazon or Google.

[AlphaWolf]

you mean like

http://www.microsoft.com/windowsazure/

?

[deathindustrial]

I was curious about the source of the outdated Apache server / no firewall claims. For the moment I am having to assume that it is related to the IRC log that was making the rounds back in February 2011:

http://www.ps3hax.net/showpost.php?p...&postcount=180

Google's cache from March 23 shows the server in question displaying the banner for 2.2.17 of Apache which is current:

http://webcache.googleusercontent.co...laystation.net

I then wanted to know what "forums" Dr.Spafford was using as his source for the congressional testimony (based on various news articles making the rounds) and so took a peek at his written submission and it contains this gem:

Quote:

I have no information about what protections they had in place, although some
news reports indicate that Sony was running software that was badly out of date, and had
been warned about that risk.

http://republicans.energycommerce.ho...1/Spafford.pdf

So anyone using Dr. Spafford as the source for the "they ran outdated software" claim did not actually read his submission - he doesn't know anything more than you or me. The situation is dire enough without media hacks making crap up.

Cheers

[-tkf-]

Quote:

Originally Posted by AlphaWolf

you mean like

http://www.microsoft.com/windowsazure/

?

I meant something useful, if Azure does something special compared to the competition it would be interesting to read about it. Considering how slow that Microsoft have been when it comes to Cloud services i would be pleasantly surprised if they do anything better than those that is beating them on a daily basis.

[Brad Grenz]

Quote:

Originally Posted by deathindustrial

I was curious about the source of the outdated Apache server / no firewall claims. For the moment I am having to assume that it is related to the IRC log that was making the rounds back in February 2011:

http://www.ps3hax.net/showpost.php?p...&postcount=180

Google's cache from March 23 shows the server in question displaying the banner for 2.2.17 of Apache which is current:

http://webcache.googleusercontent.co...laystation.net

I then wanted to know what "forums" Dr.Spafford was using as his source for the congressional testimony (based on various news articles making the rounds) and so took a peek at his written submission and it contains this gem:



http://republicans.energycommerce.ho...1/Spafford.pdf

So anyone using Dr. Spafford as the source for the "they ran outdated software" claim did not actually read his submission - he doesn't know anything more than you or me. The situation is dire enough without media hacks making crap up.

Cheers

Yeah, people are so eager to believe the worst about Sony that any rumor that blackens their eye is immediately repeated as fact. The fact is that "security expert" was literally repeating something he read on a message board once. His claim that Sony knew was based on an assumption that someone from Sony probably read the same post he did. He did not have first hand knowledge. He did not personally inform Sony. He didn't even do the very basic detective work you have that completely repudiates the claims. We are in a backwards world where everything Sony said is assumed to be a lie or conspiracy and "IRC chat logs" have miraculously become the most trusted news source in the industry.

It's an example of just how far the journalistic standards have fallen and the way the "console wars" have made it impossible to have an honest discussion about anything. Everything becomes a proxy battle between internet partisans, and blogs like Kotaku are more than happy to stoke the mob mentality since it gets them clicks (and their writers are paid by the post and will write up anything).

Anyway. You should send a tip to Joystiq or somebody with your findings.

[Shifty Geezer]

Quote:

Originally Posted by Brad Grenz

Anyway. You should send a tip to Joystiq or somebody with your findings.

I agree with everything you've written, including this. If this expert's testimony is useless, it needs to be known so those listening to him know to disregard his unjustified comments.

[Brad Grenz]

Quote:

Originally Posted by Shifty Geezer

I agree with everything you've written, including this. If this expert's testimony is useless, it needs to be known so those listening to him know to disregard his unjustified comments.

For my part I'm going to write it up and post it to Bitmob. That's a better place than my own blog, which is mostly satirical, and maybe a link on N4G can help get this information out. Here's my article: http://bitmob.com/articles/detective...ers-up-to-date

[tuna]

Quote:

Originally Posted by deathindustrial

I was curious about the source of the outdated Apache server / no firewall claims. For the moment I am having to assume that it is related to the IRC log that was making the rounds back in February 2011:

http://www.ps3hax.net/showpost.php?p...&postcount=180

Google's cache from March 23 shows the server in question displaying the banner for 2.2.17 of Apache which is current:

http://webcache.googleusercontent.co...laystation.net

I then wanted to know what "forums" Dr.Spafford was using as his source for the congressional testimony (based on various news articles making the rounds) and so took a peek at his written submission and it contains this gem:



http://republicans.energycommerce.ho...1/Spafford.pdf

So anyone using Dr. Spafford as the source for the "they ran outdated software" claim did not actually read his submission - he doesn't know anything more than you or me. The situation is dire enough without media hacks making crap up.

Cheers

Thank you for your very informative reporting. I wish more news outlet would do this kind of work, but instead we have to depend on people like you.

[Squilliam]

How come Sony hasn't been more clear as to when PSN will be back up? It seems like they're deliberately obfuscating in order to give the impression it's going to be 'any day now' as if they are trying to limit the loss of their audience.

[Shifty Geezer]

Quote:

Originally Posted by Squilliam

How come Sony hasn't been more clear as to when PSN will be back up? It seems like they're deliberately obfuscating in order to give the impression it's going to be 'any day now' as if they are trying to limit the loss of their audience.

Well they kinda have, but got their forecasts wrong. It was due up this week, but then they found something else to worry about. With something like this you can't give a firm date. It'll be ready when its ready. They can only update on how things are looknig at the moment.

[Squilliam]

Quote:

Originally Posted by Shifty Geezer

Well they kinda have, but got their forecasts wrong. It was due up this week, but then they found something else to worry about. With something like this you can't give a firm date. It'll be ready when its ready. They can only update on how things are looking at the moment.

It just sucks to be without, it would be easier to make alternative plans if they gave a better indication on when they optimistic/realistic/pessimistic ETA of the return of service.

[BRiT]

Quote:

Originally Posted by -tkf-

I meant something useful, if Azure does something special compared to the competition it would be interesting to read about it. Considering how slow that Microsoft have been when it comes to Cloud services i would be pleasantly surprised if they do anything better than those that is beating them on a daily basis.

How can you say MS have been slow when it comes to Cloud services considering they've been using and providing them since 2008?

One of the modes of Azure services is the OS image is provided as a read-only image. You deploy your service on top of it, and any changes are saved off as a differencing disk. This allows them to do automatic updates of the OS layer underneath your service without affecting the service at all. They also do the OS updates on a different node and run a series of tests after the update(s) are applied to determine if your service works after the update. If it has no issues, they cut over to the new node and remove the old node.