Nice work on that 1 server, now how about checking all the other servers under the 45 different environment realms of "*.*.np.community.playstation.net" which was also mentioned in the chat logs?
*ren* PSN Down, Customer Info Compromised
- Thread starter Cheezdoodles
- Start date
Nice work on that 1 server, now how about checking all the other servers under the 45 different environment realms of "*.*.np.community.playstation.net" which was also mentioned in the chat logs?
Afaik, Microsoft was late to the scene. And the services i have used from them sucked. But that´s really not the point here. The question was what they do different than other Cloud solutions since they should be better of. Still unanswered
Prolexic Technologies, Inc. would seem to be the AS for auth.np.ac.playstation.net but all the DNS info has gone now.
As to what MS does differently than everyone else, the most obvious bit is they provide and are responsible for the complete software stack from top to bottom. The other cloud solutions rely on external software even if it's as base as the OS and web server (Linux kernel, Apache, MySQL, etc).
That's part of life when moving to a new data center. It's not as easy as just turning the servers back on. I've done a few moves like that (albeit on a smaller scale), and no matter how careful the planning, there's always something that goes wrong. The correct answer really is "as soon as possible", because it's quite impossible to give a definitive date, unless it's so far out (i.e. September) that all bugs will be worked out by that time.
Frankly, I don't give a shit about when PSN will be back online, except in regards to how long it will take me to get back out there and remove all of my personal data that I don't want them to have anymore. That, and to kick my buddy's ass at Mortal Kombat, but that can wait. Gives us more time to trash-talk over lunch.
Indeed. I just worked on a office move where they just flipped 11 offices in one building from one company to another. I was there for 11:30 hours helping our wiring guru trace ethernet cabling. Run new drops and flip connections on switches from the one company to the other and there was still at least one that is connected wrong and at least 4 more drops needed to be ran. I'd hate to see what moving a data center with all the wiring for data, environmental controls, power and backup power would take.
If these claims that have been all over the media are supposedly incorrect, then why hasn't Sony corrected them?
They've got a reputation to lose, and I don't think they count on Beyond3D to set the record straight for them.
How long did it take them to set the record straight regards the internet noise that passwords were kept in plain-text form?
deathindustrial
Regular
The chat logs specifically mentioned that server as being out of date:
It wasn't as of March as shown by the Google cache.
They also claimed that the credit cards where being sent as "plaintext" which as has previously been discussed was bogus - the PS3 sends the data over an HTTPS connection like *every single e-commerce system on the planet*.
So two of the major claims in that IRC session have been repudiated. So personally I take the rest of what's in there as being as equally questionable.
I have little faith in Sony mind you (I've always stuck to PSN cards for that reason), I just do not like reading total fabrications as news is all.
Cheers
Found this on N4G: http://www.quartertothree.com/game-talk/showpost.php?p=2673158&postcount=912
There's a statement from Patrick Seybold floating around that does just that. But no one picked it up and here we have some concrete proof to point to.
Here's my reply: http://www.quartertothree.com/game-talk/showpost.php?p=2673715&postcount=961
In short, irregardless of the veracity of that nmap log, the vast majority of the dozens of Playstation.net servers were current and a small subset, all with "rc" in the address are using an old version. Without knowing what those specific servers were for, you can't draw any conclusions.
Last edited by a moderator:
With the exception of end-user applications hosted by service providers like Google, Microsoft or Zoho (and perhaps others I'm not familiar with) - most Cloud services are rated on size and number of data centers, their location throughout the World, and the application development environment and services. Oh, and cost.
Technically the hackers are correct. There is a big difference between transport security and message or payload security. The transport layer was secured using SSL from HTTPS but the payload inside the encrypted transport was plain-text without any message encryption. If someone were to stage a man-in-the-middle attack, such as spoofing that server and SSL certificate, the packet content would display the credit card information straight up.
If someone can fake SSL(or TLS) certificate with a man in the middle attack, there is a much bigger problem.
Considering the PSN servers were compromised, and those same servers had SSL certificates *and* keys installed (for Apache, an OpenSSL keystore) on them, presumably, those SSL certs were compromised.
If they had bothered to capture the SSL traffic (using tcpdump for example), they would have all they need to capture the data (not quite a man-in-the-middle attack, more like a "man at the end" attack) and decrypt the traffic (with the SSL key).
Obviously, they would only have whatever was in that captured stream... there could be CC data, or not depending on what people were doing.
Of course, this scenario makes lots of assumptions, such as Sony didn't use a secure passphrase for the keystore, etc... but even if they did, that can be brute-force discovered. Many other assumptions exist.
In IT security, when you have an intruder, you have to assume they have everything.
Last edited by a moderator:
Release Candidate
I'm a bit confused by the complaints here. I thought CC data wasn't on the server unencrypted, which is what you'd expect, but this is the first I've heard about people stealing card number mid stream, which surely isn't a server fault?
If the data's not being encrypted when passed over HTTPS:, well, I didn't think anyone does because that's what HTTPS is all about! That's the encryption step. But that's irrelevant to the condition of data in the DB. I don't send my card details every transaction because they're on record, so the card number shouldn't be present in any PSN transactions once stored. So for my security, the vulnerabilities of HTTPS aren't a concern if the hackers are trying to get my Cc details after I've stored them. They are sitting encrypted on the server, and if the hackers have that data, they'll just have a load of rubbish they could always try to brute-force attack to get a few.
So where does HTTPS fit into this?
But the old, outdated servers are named .rc. Doesn't sound like a release candidate to me! Unless they decided not to update those release candidates to the latest release prior to updating the rest of the system.
Similar threads
