*ren* PSN Down, Customer Info Compromised

Discussion in 'Console Industry' started by Cheezdoodles, Apr 22, 2011.

  1. BRiT

    BRiT (╯°□°)╯
    Moderator Legend Alpha Subscriber

    Joined:
    Feb 7, 2002
    Messages:
    11,231
    Likes Received:
    6,973
    Location:
    Cleveland
    Nice work on that 1 server, now how about checking all the other servers under the 45 different environment realms of "*.*.np.community.playstation.net" which was also mentioned in the chat logs?
     
  2. -tkf-

    Legend

    Joined:
    Sep 4, 2002
    Messages:
    5,632
    Likes Received:
    36
    Afaik, Microsoft was late to the scene. And the services i have used from them sucked. But that´s really not the point here. The question was what they do different than other Cloud solutions since they should be better of. Still unanswered :)
     
  3. BoardBonobo

    BoardBonobo My hat is white!
    Veteran

    Joined:
    May 30, 2002
    Messages:
    3,255
    Likes Received:
    153
    Location:
    SurfMonkey's Cluster...
    Prolexic Technologies, Inc. would seem to be the AS for auth.np.ac.playstation.net but all the DNS info has gone now.
     
  4. BRiT

    BRiT (╯°□°)╯
    Moderator Legend Alpha Subscriber

    Joined:
    Feb 7, 2002
    Messages:
    11,231
    Likes Received:
    6,973
    Location:
    Cleveland
    As to what MS does differently than everyone else, the most obvious bit is they provide and are responsible for the complete software stack from top to bottom. The other cloud solutions rely on external software even if it's as base as the OS and web server (Linux kernel, Apache, MySQL, etc).
     
  5. Jedi2016

    Veteran

    Joined:
    Aug 23, 2005
    Messages:
    1,021
    Likes Received:
    0
    That's part of life when moving to a new data center. It's not as easy as just turning the servers back on. I've done a few moves like that (albeit on a smaller scale), and no matter how careful the planning, there's always something that goes wrong. The correct answer really is "as soon as possible", because it's quite impossible to give a definitive date, unless it's so far out (i.e. September) that all bugs will be worked out by that time.

    Frankly, I don't give a shit about when PSN will be back online, except in regards to how long it will take me to get back out there and remove all of my personal data that I don't want them to have anymore. That, and to kick my buddy's ass at Mortal Kombat, but that can wait. Gives us more time to trash-talk over lunch.
     
  6. Xenus

    Veteran

    Joined:
    Nov 2, 2004
    Messages:
    1,316
    Likes Received:
    6
    Location:
    Ohio
    Indeed. I just worked on a office move where they just flipped 11 offices in one building from one company to another. I was there for 11:30 hours helping our wiring guru trace ethernet cabling. Run new drops and flip connections on switches from the one company to the other and there was still at least one that is connected wrong and at least 4 more drops needed to be ran. I'd hate to see what moving a data center with all the wiring for data, environmental controls, power and backup power would take.
     
  7. ct03

    Newcomer

    Joined:
    May 5, 2010
    Messages:
    191
    Likes Received:
    0
    If these claims that have been all over the media are supposedly incorrect, then why hasn't Sony corrected them?
    They've got a reputation to lose, and I don't think they count on Beyond3D to set the record straight for them.
     
  8. Shifty Geezer

    Shifty Geezer uber-Troll!
    Moderator Legend

    Joined:
    Dec 7, 2004
    Messages:
    39,578
    Likes Received:
    9,602
    Location:
    Under my bridge
    How long did it take them to set the record straight regards the internet noise that passwords were kept in plain-text form?
     
  9. deathindustrial

    Regular

    Joined:
    Jan 5, 2007
    Messages:
    800
    Likes Received:
    59
    Location:
    Soviet Kanuckistan
    The chat logs specifically mentioned that server as being out of date:

    It wasn't as of March as shown by the Google cache.

    They also claimed that the credit cards where being sent as "plaintext" which as has previously been discussed was bogus - the PS3 sends the data over an HTTPS connection like *every single e-commerce system on the planet*.

    So two of the major claims in that IRC session have been repudiated. So personally I take the rest of what's in there as being as equally questionable.

    I have little faith in Sony mind you (I've always stuck to PSN cards for that reason), I just do not like reading total fabrications as news is all.

    Cheers
     
  10. Trejser

    Regular

    Joined:
    Dec 4, 2009
    Messages:
    621
    Likes Received:
    0
  11. Brad Grenz

    Brad Grenz Philosopher & Poet
    Veteran

    Joined:
    Mar 3, 2005
    Messages:
    2,531
    Likes Received:
    2
    Location:
    Oregon
    There's a statement from Patrick Seybold floating around that does just that. But no one picked it up and here we have some concrete proof to point to.
     
  12. Brad Grenz

    Brad Grenz Philosopher & Poet
    Veteran

    Joined:
    Mar 3, 2005
    Messages:
    2,531
    Likes Received:
    2
    Location:
    Oregon
    Here's my reply: http://www.quartertothree.com/game-talk/showpost.php?p=2673715&postcount=961

    In short, irregardless of the veracity of that nmap log, the vast majority of the dozens of Playstation.net servers were current and a small subset, all with "rc" in the address are using an old version. Without knowing what those specific servers were for, you can't draw any conclusions.
     
    #512 Brad Grenz, May 9, 2011
    Last edited by a moderator: May 9, 2011
  13. makattack

    Regular

    Joined:
    Feb 13, 2008
    Messages:
    352
    Likes Received:
    0
    Location:
    Boston, MA US
    With the exception of end-user applications hosted by service providers like Google, Microsoft or Zoho (and perhaps others I'm not familiar with) - most Cloud services are rated on size and number of data centers, their location throughout the World, and the application development environment and services. Oh, and cost.
     
  14. BRiT

    BRiT (╯°□°)╯
    Moderator Legend Alpha Subscriber

    Joined:
    Feb 7, 2002
    Messages:
    11,231
    Likes Received:
    6,973
    Location:
    Cleveland
    Technically the hackers are correct. There is a big difference between transport security and message or payload security. The transport layer was secured using SSL from HTTPS but the payload inside the encrypted transport was plain-text without any message encryption. If someone were to stage a man-in-the-middle attack, such as spoofing that server and SSL certificate, the packet content would display the credit card information straight up.
     
  15. betan

    Veteran

    Joined:
    Jan 26, 2007
    Messages:
    2,315
    Likes Received:
    0
    If someone can fake SSL(or TLS) certificate with a man in the middle attack, there is a much bigger problem.
     
  16. makattack

    Regular

    Joined:
    Feb 13, 2008
    Messages:
    352
    Likes Received:
    0
    Location:
    Boston, MA US
    Considering the PSN servers were compromised, and those same servers had SSL certificates *and* keys installed (for Apache, an OpenSSL keystore) on them, presumably, those SSL certs were compromised.

    If they had bothered to capture the SSL traffic (using tcpdump for example), they would have all they need to capture the data (not quite a man-in-the-middle attack, more like a "man at the end" attack) and decrypt the traffic (with the SSL key).

    Obviously, they would only have whatever was in that captured stream... there could be CC data, or not depending on what people were doing.

    Of course, this scenario makes lots of assumptions, such as Sony didn't use a secure passphrase for the keystore, etc... but even if they did, that can be brute-force discovered. Many other assumptions exist.

    In IT security, when you have an intruder, you have to assume they have everything.
     
    #516 makattack, May 9, 2011
    Last edited by a moderator: May 9, 2011
  17. betan

    Veteran

    Joined:
    Jan 26, 2007
    Messages:
    2,315
    Likes Received:
    0
    If either side is already compromised you don't need to do a man in the middle attack.
     
  18. ban25

    Veteran

    Joined:
    Apr 7, 2002
    Messages:
    1,380
    Likes Received:
    6
    Location:
    San Francisco, CA
    Release Candidate
     
  19. Shifty Geezer

    Shifty Geezer uber-Troll!
    Moderator Legend

    Joined:
    Dec 7, 2004
    Messages:
    39,578
    Likes Received:
    9,602
    Location:
    Under my bridge
    I'm a bit confused by the complaints here. I thought CC data wasn't on the server unencrypted, which is what you'd expect, but this is the first I've heard about people stealing card number mid stream, which surely isn't a server fault?

    If the data's not being encrypted when passed over HTTPS:, well, I didn't think anyone does because that's what HTTPS is all about! That's the encryption step. But that's irrelevant to the condition of data in the DB. I don't send my card details every transaction because they're on record, so the card number shouldn't be present in any PSN transactions once stored. So for my security, the vulnerabilities of HTTPS aren't a concern if the hackers are trying to get my Cc details after I've stored them. They are sitting encrypted on the server, and if the hackers have that data, they'll just have a load of rubbish they could always try to brute-force attack to get a few.

    So where does HTTPS fit into this?
     
  20. Shifty Geezer

    Shifty Geezer uber-Troll!
    Moderator Legend

    Joined:
    Dec 7, 2004
    Messages:
    39,578
    Likes Received:
    9,602
    Location:
    Under my bridge
    But the old, outdated servers are named .rc. Doesn't sound like a release candidate to me! Unless they decided not to update those release candidates to the latest release prior to updating the rest of the system.
     
Loading...

Share This Page

  • About Us

    Beyond3D has been around for over a decade and prides itself on being the best place on the web for in-depth, technically-driven discussion and analysis of 3D graphics hardware. If you love pixels and transistors, you've come to the right place!

    Beyond3D is proudly published by GPU Tools Ltd.
Loading...