*ren* PSN Down, Customer Info Compromised
- Thread starter Cheezdoodles
- Start date
Not to mention that some software breaks when Microsoft or others "fix" their software, making patches a science...
It can take weeks, months even, to roll out what would appear to be even the simplest patches or updates. It all depends on how large the network is and how much bespoke coding has been done to plug holes or provide extra levels of integration for the network users. Plus the fact that patches and updates are something of a black art as was pointed out above you have what amounts to a security nightmare.
I don't think there are many networks out there that could survive the sustained and prolonged attention of a skilled hacker. Especially ones as large and complex as Sony's are. In many ways other companies are probably giving a huge sigh of relief, 'There but for the grace go I...'.
It's also taken all the heat off Epsilon hack where they managed to lose almost the same subset of data as Sony have but for theses companies: Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy, and Robert Half Technologies.
Now that's a leak!!
I don't think there are many networks out there that could survive the sustained and prolonged attention of a skilled hacker. Especially ones as large and complex as Sony's are. In many ways other companies are probably giving a huge sigh of relief, 'There but for the grace go I...'.
It's also taken all the heat off Epsilon hack where they managed to lose almost the same subset of data as Sony have but for theses companies: Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, The College Board, Disney Destinations, Best Buy, and Robert Half Technologies.
Now that's a leak!!
Noooooooo my marriot rewards.....
I received, at a minimum, 10 e-mails post Epsilon breach. Some MUCH sooner than others...
Not certain if this was already shared or not, but here's a few excerpts from: http://consumerist.com/2011/05/secu...re-was-obsolete-months-before-psn-breach.html
At this point I just want the damn service back up. I bought an HRAP3 for MK and have been considering purchasing a second one, but if this outage is going to persist for weeks, then I might reconsider and just consolidate on the 360. 3D and exclusive characters were great selling points for the PS3 version, but no online play is a huge negative.
That's why you have a test environment and a proper patch management policy in place.
Patch management processes are quite simple to follow.
1. Identify severity of patch
2. Implement in a test environment
3. Schedule a rollout based on severity
A severe vulnerability should be addressed quickly. An enterprise service like PSN, will have multiple servers in a high availability scenario meaning patching can be done during production in a rolling manner once testing is completed
Outside of a breakdown in procedures and negligence, there is NO viable scenario in which the servers should be left unpatched for months. I'm sorry but no one actually managing Enterprise systems would agree with this being normal.
I understand taking a few days to a week to run through the QA process but months...? Maybe the much needed Chief Security Office position they are creating will address this clear flaw.
@ban25
if in a haste, in the meantime you can play online using XBSLink.
i have not tried on PS3, but it say it support PS3. (it first made for xbox, then also support ps3)
if in a haste, in the meantime you can play online using XBSLink.
i have not tried on PS3, but it say it support PS3. (it first made for xbox, then also support ps3)
As much as I am a big fan of Sony you are completely correct. I manage a system where I work and I know for a fact that the suppliers of said system have an identical test server for such updates and I have a test server on site for testing new software - it may take months to plan though...depending on the severity of the issue and complexity of the 'fix'.
I do believe Sony were slow to react but I also believe the dates provided above (I'm sure the FBI will catch them out if anything is untrue) - so Sony told us pretty much as soon as it was confirmed (within a day) not 7/9 days as many seem to suggest.
I wonder if Sony were working on a complete migration and this is why it was left unpatched for so long...it would also explain why they can 'all of a sudden' migrate to new 'more secure' servers when usually such excersises take months of planning.
They were working on a complete migration to a new physical location, according to these details. We have been told they have expedited the transition to a new location as part of their system upgrade.
Yes, sorry - I was aware of this comment (I had actually suggested this elsewhere before Sony even said it)...I meant to say that maybe this confirms what they said. (sorry my memory is playing tricks with me!)
Gradthrawn
Veteran
Boy that sounds real nice.... until you step into an environment that doesn't have any of that in place, is in full production, with a large environment and is a conglomeration of inherited and legacy systems from past administrations, with very few of the people from those days still remaining (thankfully, and for good reason). Now, with that try implementing proper test and prod environments when management doesn't see the cost justification (until its too late) and you're limited on soft resources as well. In my experience, that's the more likely scenario than an environment with actual duplicate testing and production systems. Frankly its rather scary some of the places that have these crappy setups considering their size, name/reputation and the type of data they handle for people.
By the way, my rant it not an excuse for Sony. I'm just standing up for the IT guys that don't have the luxury of test/dev/prod due to no fault of their own. "A breakdown in procedures and negligence" is just simply the reality for many environments and moving away from that is a monumental task. Not an excuse, just simply a reality for large corps that's far more common then your post would imply.
But this is Sony, a massive company holding secure data...regardless of the complexities there should be a test environment, how long has PSN been running now? I'm sorry but they've had plenty of time to build a new suitable and stable alternative and then flick a switch one evening.
This isn't a dig at anyone on the ground, upper management who are 'penny pinching' are to blame.
I thought SOE fell first and then PSN was hacked two days later, while the discovery of the hacks happened in the opposite order.
If so, why attack SOE first if the discovery of the vunerability came from the PS3 hack?
It seems likely to me that the hackers found a vunerabiltiy in SOE's security and then use something like bad password management (shared passwords across systems) on Sony's part to simply access PSN.
But Sony's servers are not easily accesible like the usual hacks that plague Windows Operating Systems, you have to have inside access to proprietary Sony software, and these hackers got access to such things as well as reverse engineering/hacking of the Sony firmware that unless they did not have the official documentation they would have never been able to simply crack it.
I personally am very disappointed at how the mainstream tech media keeps making it sound like these hackers are intelligent when they just had access to stuff the average consumer is not supposed to have access to so its no suprise otherwise they would have hacked the PS3 way back in 2006 or early 2007 even if OtherOS was never offered.
One year of identity theft insurance is a pretty common in these situations. I wonder what Sony actually pays when they sign a contract for so many customers? I bet it isn't very much per customer.
Sorry, I wasn't aware of the insider info - it was implied somewhere IIRC but I don't recall it being confirmed?
Similar threads
