*ren* PSN Down, Customer Info Compromised

How can you say MS have been slow when it comes to Cloud services considering they've been using and providing them since 2008?

One of the modes of Azure services is the OS image is provided as a read-only image. You deploy your service on top of it, and any changes are saved off as a differencing disk. This allows them to do automatic updates of the OS layer underneath your service without affecting the service at all. They also do the OS updates on a different node and run a series of tests after the update(s) are applied to determine if your service works after the update. If it has no issues, they cut over to the new node and remove the old node.

Afaik, Microsoft was late to the scene. And the services I have used from them sucked. But that's really not the point here. The question was what they do different than other Cloud solutions since they should be better off. Still unanswered :)
 
Nice work on that 1 server, now how about checking all the other servers under the 45 different environment realms of "*.*.np.community.playstation.net" which was also mentioned in the chat logs?

Prolexic Technologies, Inc. would seem to be the AS for auth.np.ac.playstation.net but all the DNS info has gone now.
 
The question was what they do different than other Cloud solutions since they should be better off.

As to what MS does differently than everyone else, the most obvious bit is they provide and are responsible for the complete software stack from top to bottom. The other cloud solutions rely on external software even if it's as base as the OS and web server (Linux kernel, Apache, MySQL, etc).
 
How come Sony hasn't been more clear as to when PSN will be back up? It seems like they're deliberately obfuscating in order to give the impression it's going to be 'any day now' as if they are trying to limit the loss of their audience.
That's part of life when moving to a new data center. It's not as easy as just turning the servers back on. I've done a few moves like that (albeit on a smaller scale), and no matter how careful the planning, there's always something that goes wrong. The correct answer really is "as soon as possible", because it's quite impossible to give a definitive date, unless it's so far out (i.e. September) that all bugs will be worked out by that time.

Frankly, I don't give a shit about when PSN will be back online, except in regards to how long it will take me to get back out there and remove all of my personal data that I don't want them to have anymore. That, and to kick my buddy's ass at Mortal Kombat, but that can wait. Gives us more time to trash-talk over lunch.
 
Indeed. I just worked on an office move where they just flipped 11 offices in one building from one company to another. I was there for 11:30 hours helping our wiring guru trace ethernet cabling, run new drops and flip connections on switches from the one company to the other, and there was still at least one that is connected wrong and at least 4 more drops needed to be run. I'd hate to see what moving a data center with all the wiring for data, environmental controls, power and backup power would take.
 
Google's cache from March 23 shows the server in question displaying the banner for 2.2.17 of Apache which is current:
If these claims that have been all over the media are supposedly incorrect, then why hasn't Sony corrected them?
They've got a reputation to lose, and I don't think they count on Beyond3D to set the record straight for them.
 
How long did it take them to set the record straight regards the internet noise that passwords were kept in plain-text form?
 
Nice work on that 1 server, now how about checking all the other servers under the 45 different environment realms of "*.*.np.community.playstation.net" which was also mentioned in the chat logs?

The chat logs specifically mentioned that server as being out of date:

<user2> which server
<user12> it also has known vulnerabilities
<user12> auth.np.ac.playstation.net

It wasn't as of March as shown by the Google cache.

They also claimed that the credit cards were being sent as "plaintext" which as has previously been discussed was bogus - the PS3 sends the data over an HTTPS connection like *every single e-commerce system on the planet*.

So two of the major claims in that IRC session have been repudiated. So personally I take the rest of what's in there as being as equally questionable.

I have little faith in Sony mind you (I've always stuck to PSN cards for that reason), I just do not like reading total fabrications as news is all.

Cheers
 
If these claims that have been all over the media are supposedly incorrect, then why hasn't Sony corrected them?
They've got a reputation to lose, and I don't think they count on Beyond3D to set the record straight for them.

There's a statement from Patrick Seybold floating around that does just that. But no one picked it up and here we have some concrete proof to point to.
 

Here's my reply: http://www.quartertothree.com/game-talk/showpost.php?p=2673715&postcount=961

In short, regardless of the veracity of that nmap log, the vast majority of the dozens of Playstation.net servers were current and a small subset, all with "rc" in the address, are using an old version. Without knowing what those specific servers were for, you can't draw any conclusions.
 
I meant something useful, if Azure does something special compared to the competition it would be interesting to read about it. Considering how slow Microsoft have been when it comes to Cloud services I would be pleasantly surprised if they do anything better than those that are beating them on a daily basis.

With the exception of end-user applications hosted by service providers like Google, Microsoft or Zoho (and perhaps others I'm not familiar with) - most Cloud services are rated on size and number of data centers, their location throughout the World, and the application development environment and services. Oh, and cost.
 
They also claimed that the credit cards were being sent as "plaintext" which as has previously been discussed was bogus - the PS3 sends the data over an HTTPS connection like *every single e-commerce system on the planet*.

Technically the hackers are correct. There is a big difference between transport security and message or payload security. The transport layer was secured using SSL from HTTPS but the payload inside the encrypted transport was plain-text without any message encryption. If someone were to stage a man-in-the-middle attack, such as spoofing that server and SSL certificate, the packet content would display the credit card information straight up.
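
The distinction drawn in the post above between transport security and payload security, shown as an added Node.js example that is not part of the original thread: the same order is sent once with TLS as its only protection and once with the card field additionally encrypted to a separate key. The payment back end, its key pair, the field names and the sample order are all assumptions made for the illustration.

```javascript
// Added illustration: field-level (message) encryption carried inside a TLS
// connection. All names and values are constructed for this example.
const crypto = require('node:crypto');

// Key pair of a hypothetical payment back end. The private key is kept off
// the internet-facing web server that terminates TLS.
const backend = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client side: encrypt only the sensitive field before the request is built.
function buildRequest(order, publicKey) {
  const sealed = crypto.publicEncrypt(
    { key: publicKey, ...OAEP }, Buffer.from(order.card, 'utf8'));
  return JSON.stringify({
    user: order.user,
    amount: order.amount,
    card_enc: sealed.toString('base64'),
  });
}

// Payment back end: the only place where the card number is recovered.
function backendDecrypt(body, privateKey) {
  const { card_enc } = JSON.parse(body);
  return crypto.privateDecrypt(
    { key: privateKey, ...OAEP }, Buffer.from(card_enc, 'base64')).toString('utf8');
}

// Constructed sample order; 4111111111111111 is a widely used test number.
const order = { user: 'demo_user', amount: '9.99', card: '4111111111111111' };

// HTTP bodies as they exist once the TLS layer has been removed, which is
// what the TLS endpoint (or anyone holding its key and a capture) works with.
const transportOnlyBody = JSON.stringify(order);            // TLS only
const sealedBody = buildRequest(order, backend.publicKey);  // TLS + field encryption

// True when the card number can be read directly from the HTTP body.
function cardVisible(body) {
  return body.includes(order.card);
}

console.log('TLS only, card readable in body:       ', cardVisible(transportOnlyBody));
console.log('Field encrypted, card readable in body:', cardVisible(sealedBody));
console.log('Back end recovers the card:            ',
  backendDecrypt(sealedBody, backend.privateKey) === order.card);
```
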
 
Technically the hackers are correct. There is a big difference between transport security and message or payload security. The transport layer was secured using SSL from HTTPS but the payload inside the encrypted transport was plain-text without any message encryption. If someone were to stage a man-in-the-middle attack, such as spoofing that server and SSL certificate, the packet content would display the credit card information straight up.

If someone can fake SSL (or TLS) certificate with a man in the middle attack, there is a much bigger problem.
 
If someone can fake SSL (or TLS) certificate with a man in the middle attack, there is a much bigger problem.

Considering the PSN servers were compromised, and those same servers had SSL certificates *and* keys installed (for Apache, an OpenSSL keystore) on them, presumably, those SSL certs were compromised.

If they had bothered to capture the SSL traffic (using tcpdump for example), they would have all they need to capture the data (not quite a man-in-the-middle attack, more like a "man at the end" attack) and decrypt the traffic (with the SSL key).

Obviously, they would only have whatever was in that captured stream... there could be CC data, or not depending on what people were doing.

Of course, this scenario makes lots of assumptions, such as Sony didn't use a secure passphrase for the keystore, etc... but even if they did, that can be brute-force discovered. Many other assumptions exist.

In IT security, when you have an intruder, you have to assume they have everything.
 
Obviously, they would only have whatever was in that captured stream... there could be CC data, or not depending on what people were doing.
I'm a bit confused by the complaints here. I thought CC data wasn't on the server unencrypted, which is what you'd expect, but this is the first I've heard about people stealing card number mid stream, which surely isn't a server fault?

If the data's not being encrypted when passed over HTTPS, well, I didn't think anyone does because that's what HTTPS is all about! That's the encryption step. But that's irrelevant to the condition of data in the DB. I don't send my card details every transaction because they're on record, so the card number shouldn't be present in any PSN transactions once stored. So for my security, the vulnerabilities of HTTPS aren't a concern if the hackers are trying to get my CC details after I've stored them. They are sitting encrypted on the server, and if the hackers have that data, they'll just have a load of rubbish they could always try to brute-force attack to get a few.

So where does HTTPS fit into this?
 
Release Candidate
But the old, outdated servers are named .rc. Doesn't sound like a release candidate to me! Unless they decided not to update those release candidates to the latest release prior to updating the rest of the system.
 