*ren* PSN Down, Customer Info Compromised

Even as such, that doesn't mean they wouldn't/don't go against morals when they have interests and know they won't suffer any consequences.

Now regarding why they informed the customers late, there is a possible logical explanation. When you want to communicate an issue to the customer, you want to communicate it clearly and once. And to do that you have to assess the real magnitude of the problem and its nature as much as possible. It's bad practice to inform the customer about an issue, then come back to him and tell him things were actually different or worse.

If I were in their shoes I would have faced a huge dilemma.

I would hope that going forward all companies will have a contingency plan in place for this scenario that includes a pre-approved list of customer communications during the incident. Sony's response from a technical perspective seems to have been pre-planned and smoothly executed, but I suspect there was a lot of back and forth between their legal and PR departments as to what information they were going to release publicly.
 
 
Yes, and reading a PR FAQ isn't necessary for me to know how the PSN works. I'm fairly confident of my knowledge of the workings of the PSN (marketing name) vs. the information of a generalized PR release.

I wouldn't be surprised at all if their formal FAQ response contained errors; such would be the irony and reinforcement of their poor communications handling through this though.
 
Good job? AGAIN, a bare minimum. If your security is breached and you have sensitive customer information, you should immediately alert your customers.

I hate to sound like I'm defending, but it's hard to imagine what exactly happened. We're probably dealing with a very complex network with a lot of servers involved. I could imagine that at some point, some technician probably noticed things being off, parts of data that are corrupt or changed in some way alluding to perhaps a malfunction. Then a cup of coffee later, at some point after a little bit of digging, something seems terribly wrong. Now how fast do you think this kind of information passes up the ranks? How fast do you think you know the true extent to which your system has been intruded and how much is at stake? Then after you know, you start to evaluate. Maybe the person in charge at the time isn't present, so it takes another few hours to get the message through: "Houston, we have a problem". This isn't the type of company where you have a couple of technicians and a boss who is readily available to react to everything immediately.

You just don't shut things down, not when your network has millions of customers accessing data at all times. And sending out 77 million emails again is no small feat. I don't believe for a second that the true extent of the breach was something that was known quickly.

Unfortunately, I don't think anyone will ever know the true extent of how the system was breached and how long it took Sony to figure that out. Of course it's somewhat disappointing for the network to go offline and for it to take them so long to make some notice about what happened. Then again, I'm not really sure I even trust the official statement that they turned off PSN or that when they did, they knew exactly what they were dealing with. That might explain their "back-foot" reaction since they've been offline and why we are hearing about what has happened so late.
 
Why use a PS3? The PSP does the same shit and is a lot less secure and well known... Shit, why bother with clients at all?

Different clients may access PSN differently. If the PS3 was intended to be a closed system, with some level of trusted access, then it could be that hacking the PS3 opened a door into PSN that they never thought would be opened. I'm not saying he's right, but he does have some experience with the actual firmware and might understand a little bit more about how it interfaces with PSN, since he was looking at a way to have it operate on a completely different network.
 

I think the problem with this reasoning is that they shut down PSN well before the admission of the data leak came out. When they shut PSN down entirely, they must have known that the breach was serious. If they did not know someone had attempted to steal data, then why did they shut it down?

Like I said earlier, at some point between shutting it down, and the release, they got the suspicion the hacker was trying to steal customer data. If they had that suspicion early on, they should have said something to their customers immediately, to help protect them, and they could have followed up later if it turned out that the data was not taken. If they had the suspicion later, why did it take so long?! You'd think the first thing they'd look at would be the integrity of their customer data. In one case you have incompetence, and in the other case you have customers as an afterthought.
 
Carl B said:
I wouldn't be surprised at all if their formal FAQ response contained errors; such would be the irony and reinforcement of their poor communications handling through this though.

It's not necessarily wrong, it's just being interpreted by many incorrectly, leading to false assumptions. Unencrypted database/tables != plain text passwords. You can still write encrypted data into unencrypted tables; you're just not encrypting database objects at a higher level. It's like the difference between having encrypted files on an unencrypted HDD and encrypting the whole HDD.

In any case the whole *late* aspect is somewhat unrealistic too. How long did the State of Texas take to notify of its breach? A year. How long did Gawker go exploited before notifying users? More than a month. The latest breach at DoE Oak Ridge National Laboratory? A week. Epsilon? About 5 days from breach to when I started getting emails from their clients. By the standards of recent well-known security breaches I'd say the response was fairly quick and reasonably measured. Also considering the significant signal to noise ratio coming off a massive DDOS, and subsequent focussed DDOS and probes, along with CFW/MFW users trying spoof access and/or accessing and downloading content from staging envs, along with the normal routine of maintenance and platform updates; the total shutdown was understandable (albeit still surprising even to me) just to reduce the noise floor of activity to ascertain damages.
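To make the "unencrypted tables != plain text passwords" distinction concrete, here is an added example (not code from this thread or from Sony's systems): a plain SQLite table with no storage-level encryption whose rows hold only a random salt and a PBKDF2-HMAC-SHA256 digest, the standard way to store password verifiers. Copying the whole table therefore yields no usable passwords; the table layout, column names and the sample account are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2; raise it as hardware gets faster.
ITERATIONS = 200_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way digest of the password (not reversible)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_store() -> sqlite3.Connection:
    """An ordinary table: SQLite here applies no encryption to the file or rows."""
    conn = sqlite3.connect(":memory:")  # constructed in-memory DB for the example
    conn.execute("CREATE TABLE users (handle TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def register(conn: sqlite3.Connection, handle: str, password: str) -> None:
    """Store a per-user random salt and the digest; the password itself is never written."""
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (handle, salt, derive(password, salt)))


def verify(conn: sqlite3.Connection, handle: str, password: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, digest FROM users WHERE handle = ?", (handle,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(digest, derive(password, salt))


def dump_table(conn: sqlite3.Connection) -> list:
    """What someone who copies the unencrypted table actually obtains: hex salts and digests."""
    return [(h, s.hex(), d.hex()) for h, s, d in conn.execute("SELECT handle, salt, digest FROM users")]


def plaintext_leaks(conn: sqlite3.Connection, password: str) -> bool:
    """True if the literal password bytes appear in any stored column."""
    needle = password.encode("utf-8")
    return any(needle in s or needle in d for _, s, d in conn.execute("SELECT handle, salt, digest FROM users"))


if __name__ == "__main__":
    db = create_store()
    register(db, "example_user", "pa55word-constructed")  # constructed sample account
    print(dump_table(db))            # salts and digests only
    print(verify(db, "example_user", "pa55word-constructed"))  # True
    print(plaintext_leaks(db, "pa55word-constructed"))         # False
```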
 
The only thing that cracks me up about this mess are the people that are only complaining about the service being down. I appreciate the level of conversation in this thread, but read around some of the blogs and forums around the 'net, and you'll see a bunch of people whining that they can't play Black Ops online or whatever. Never mind my credit card and passwords, I want my frikkin' Black Ops. Those jackasses will be the first in line to get their bank accounts emptied, I'm sure.

As for the stuff that was taken, I'm not particularly worried about most of it. My name, handle, email, etc., that's all public record. Probably wouldn't take too long on Google to pull up most of it.

The big question I have, the one that's come up in this thread several times, is how the password file was stored. Everyone assumes that it must have been encrypted, because of how stupid Sony would have to be to leave it as plaintext. But then there's that pesky press release of theirs that simply stated that the personal data files were not encrypted. I think we're in a gray area here, and I'd really like Sony to come out and say in plain English how the passwords were stored.

Frankly, I don't feel like going around and changing the email, name, and passwords of every site that I visit. Yeah, I can make it much safer by using randomly generated passwords on everything, but there's a fair number of sites I visit on my phone, which doesn't store passwords the way Firefox does. And I can just imagine trying to remember "kD(s&IN3%1sViK" every time I want to check my latest Amazon order. And then trying to type it into the iPhone's wonderful keyboard.

My point is that Sony needs to be abundantly clear on exactly what was taken, and what form it was taken in (encrypted, hashed, plaintext, etc). Then I can make an informed decision on exactly what I need to go change around the rest of the internet.
 

Sony could definitely benefit by putting someone with a technical background in charge of the PR effort, even if only for a day, to at least spell out and clarify the nature of some of the things you are alluding to, because I think it's understandable why people might reach the plain text conclusion. And in so doing, it doesn't help Sony's cause at the moment.

You're right about the length and severity of those other lapses you mentioned, but I'm not sure that does any assuaging in this particular case. It's different also in that Sony has actually shut down the related breached service in question indefinitely, with a not insignificant gap between the shutting down and the explanation commencing.

I'm not angry or anything with this turn of events; as others have mentioned, if the attackers were determined, the odds would be stacked against Sony regardless. But I can't give strong marks on the communications response on it even as such, and of course, I remain understandably aggravated that I'm at an unknown... or poorly communicated/understood... level of risk.
 

The best possible explanation is that Sony wanted to minimize the potential backlash. If the customers' best interest were the utmost priority, the response would have been...

"PSN's security has been breached and we don't know how much of your info has been exposed. There is a possibility that all PSN user data including CC numbers has been compromised."

Sony weighed the risk of giving PSN users the worst case scenario up front over waiting and hoping an investigation would provide a scenario less scary. They chose to wait and they lost. They took the worst case scenario and made it worse by lumping a week of silence into the mix.

Sony understood the possible ramifications of the breach because they shut down PSN as a response. The other immediate response should have been to inform the PSN userbase.
 

It's not clear cut, you have 77 million accounts. Do you ask 77 million "people" to change passwords unless you are somewhat sure? "They switched it off so they knew something was wrong!" Yes, but not to what extent, and they made a "big decision" when they switched it off. That costs money, so the criticism on the security is valid, but imho it at least can be discussed just how badly Sony performed in regards to information.

Fun fact, if Geohot hadn't cracked the PS3 in the name of "freedom" those 77 million users wouldn't have been exposed. And his way in was OtherOS. Without OtherOS this might not have happened.

I am gonna get flamed for this, but the amount of arrogance and shortsighted views he presents competes with Sony's arrogance. But hey, the day hackers actually take their responsibility seriously is the day hacking stops?
 
Jedi2016 said:
The only thing that cracks me up about this mess are the people that are only complaining about the service being down. I appreciate the level of conversation in this thread, but read around some of the blogs and forums around the 'net, and you'll see a bunch of people whining that they can't play Black Ops online or whatever. Never mind my credit card and passwords, I want my frikkin' Black Ops. Those jackasses will be the first in line to get their bank accounts emptied, I'm sure.

As for the stuff that was taken, I'm not particularly worried about most of it. My name, handle, email, etc.. that's all public record. Probably wouldn't take too long on Google to pull up most of it.

The big question I have, the one that's come up in this thread several times, is how the password file was stored.


Well folks like that are probably also the type that probably have simple, commonly known passwords that even strong encryption isn't going to protect...

I'm not terribly worried about credit cards. Credit card companies generally have decent fraud detection services (I know mine does, as I've been annoyingly inconvenienced by my card getting locked due to my shopping activities tripping red flags), and are able to resolve false charges fairly well. Passwords are annoying, but if you're reasonably sensible and use different passwords for all your online accounts, then it's a minor issue. The data that bothers me is the security question and more specifically, the answer. Even if your password and credit card are secure, the relative invariance of the security questions generally used makes exploitation a lot easier. After all, that's how Paris Hilton's T-Mobile account was hacked (and that didn't even need any security breach to occur).
 
The problem with the security questions/answers is that, with the network down, I have no idea which questions and answers were used. I haven't so much as looked at that stuff since I created the account years ago.
 
Some sites tell you the safety level of your password when you sign up, hope they include something like this in the new firmware/PSN version.
 
Fun fact, if Geohot hadn't cracked the PS3 in the name of "freedom" those 77 million users wouldn't have been exposed. And his way in was OtherOS. Without OtherOS this might not have happened.

Actually, you don't know at all that it's true. Possibly, maybe even probably... but fact? No.

I am gonna get flamed for this, but the amount of arrogance and shortsighted views he presents competes with Sony's arrogance. But hey, the day hackers actually take their responsibility seriously is the day hacking stops?

He can be arrogant if he wants, he's not running a consumer oriented business.
 

Nobody has facts on any of this; those that have them won't say a word. But there are plenty of pointers that back it up.

Math, who reverse engineered the Jig hack, clearly stated that without Geohot's original "glitch hack" the Jig wouldn't have come to be. Without the OtherOS option Geohot wouldn't have had an easy way to snoop around. So it's not fact, but it does seem plausible.
 