*ren* PSN Down, Customer Info Compromised

I'm not willing to go that far. They should have had a contingency plan in place for what and how they would communicate with their customers in the event of a network intrusion. While it seems clear to me at this point that they had a technical plan in place that seems to have been up to par, the communication was FUBAR. I expect better, and going forward I'd expect all companies that handle this type of information will learn from Sony's spectacular failure in this incident - including Sony themselves.

Even with a contingency plan this may have still been the best they could do. The thing is people may complain and wish that everything was more ideal, but that could be unrealistic.
It's impossible to assess for sure if there was a better way to handle things unless someone shares his info from the inside. For now we are external observers making assumptions.
 
Even with a contingency plan this may have still been the best they could do. The thing is people may complain and wish that everything was more ideal, but that could be unrealistic.
It's impossible to assess for sure if there was a better way to handle things unless someone shares his info from the inside. For now we are external observers making assumptions.

It's still hard to imagine why they had to do what they did. They moved to a new data center... was that necessary? Was the attack done by insiders at their old facility?

They apparently are taking this downtime as an opportunity to rework authentication / authorization so that hacked PS3s can't authenticate into developer mode and have free access to store content. Did that have to be done right now as part of this? Was there no way they could get their network running on an interim basis with the holes that let attackers in to get data fixed?

Was there no way that they could have put something more informative than 'The PlayStation Network is undergoing maintenance' on people's PS3s when they tried to log in? They should have had some kind of way for people who don't read the blog to get more details about what was going on, right from their PS3s.

I've been trying to imagine a scenario that would entail, say, CNN going down for three weeks. I can't quite do it. Maybe if Atlanta, Los Angeles, and New York were all three hit by nuclear weapons?

I hope like hell Sony is using this time to dramatically improve the functionality and scope of their network, rather than spending all this time just to get things running again with their servers patched up and authentication / authorization moved from the client to the server where it should always have been.
 
The thing that bothers me the most is how long Sony waited to inform their customers. Even if they needed more time to figure out just how much and what information has been compromised, they should have informed their customers earlier. Now they have just given whoever stole it more time to make use of it. It's taking Sony weeks to find out just what has been stolen, whereas changing a few passwords and cancelling a credit card can be done in a matter of minutes. At most they should have told their customers after 1 or 2 days of finding out they've been hacked.
 
Even with a contingency plan this may have still been the best they could do. The thing is people may complain and wish that everything was more ideal, but that could be unrealistic.
It's impossible to assess for sure if there was a better way to handle things unless someone shares his info from the inside. For now we are external observers making assumptions.

I think this conflates their physical response with their PR response. What most of us are complaining or have complained about is their sheer lack of a cohesive/coherent message. I agree with xbd that Sony needs someone who is the face of the marketing message, though I'm not sure I agree that they need to be technical; at a minimum they need access to the technical people. I think the PlayStation blog(s) is/are a good step, but I think Sony definitely needs to find their "Major Nelson". This is nothing new for me, since I've thought that for years now.
 
Even with a contingency plan this may have still been the best they could do. The thing is people may complain and wish that everything was more ideal, but that could be unrealistic.
It's impossible to assess for sure if there was a better way to handle things unless someone shares his info from the inside. For now we are external observers making assumptions.

My statement isn't predicated on any assumptions. It is based on the level of service I expect from a company holding my personal information. If those expectations exceed what is possible for that company to provide then I will not be using their services.

You can feel free to have lower expectations and I'm quite sure a company will be happy to meet those.
 
It's still hard to imagine why they had to do what they did. They moved to a new data center... was that necessary?
Sony were planning on the move anyway, and it was going to happen. The costs of replacing servers where they are, and then moving everything to the new location, don't make sense if the downtime would be the same anyhow. It also did sound like Sony weren't happy with the physical security; hence the need for more secure premises. I got the impression that there was some inside security breach, but that could just be my imagination.

The thing that bothers me the most is how long Sony waited to inform their customers. Even if they needed more time to figure out just how much and what information has been compromised, they should have informed their customers earlier.
I can't decide if I agree with this or not. What if the intrusion was only getting as far as seeing what files were on the servers, but no accessing of them? Scaring the public wouldn't benefit them in any way. It was interesting hearing the Senate saying the public had a right to know the moment there was a security issue, when we all know governments quite merrily hush up problems if they feel the public would be better off being ignorant. It's a hard one to call, as either way the consequences are negative.

My statement isn't predicated on any assumptions. It is based on the level of service I expect from a company holding my personal information. If those expectations exceed what is possible for that company to provide then I will not be using their services.
What if your expectations exceed what anyone can provide? I'm not saying that's the case, but I take that as Nesh's point - Sony couldn't really have done better. There's no company you can deal with knowing their security is 100%. You don't know, for example, if MS or Nintendo got hacked but the hackers managed to do it without getting noticed. You don't know if PayPal got hacked, found out, and have just kept quiet hoping no-one finds out as it'll land them in serious doodoo. So unless you have inside knowledge of the workings of every organisation, you can't say who is a worthy choice for your custom. And if none of them could or would do any better, then whoever you choose thinking they are trustworthy, you'll be mistaken.

As ever, the criminal plumber who was caught years ago will get turned down, but that doesn't mean the man you hire in his stead isn't a criminal just because he hasn't got a criminal record. And chances are the man who's found out will mend his ways, whereas the man who's got by this long without being caught short will carry on as he was.
 
What if your expectations exceed what anyone can provide? I'm not saying that's the case, but I take that as Nesh's point - Sony couldn't really have done better. There's no company you can deal with knowing their security is 100%. You don't know, for example, if MS or Nintendo got hacked but the hackers managed to do it without getting noticed. You don't know if PayPal got hacked, found out, and have just kept quiet hoping no-one finds out as it'll land them in serious doodoo. So unless you have inside knowledge of the workings of every organisation, you can't say who is a worthy choice for your custom. And if none of them could or would do any better, then whoever you choose thinking they are trustworthy, you'll be mistaken.

As ever, the criminal plumber who was caught years ago will get turned down, but that doesn't mean the man you hire in his stead isn't a criminal just because he hasn't got a criminal record. And chances are the man who's found out will mend his ways, whereas the man who's got by this long without being caught short will carry on as he was.

I don't really see the point in addressing hypotheticals when in this case we have a situation where we know two things for certain:

There was an intrusion into Sony's servers that was almost immediately deemed serious enough to take the network down. Kudos to them for taking this action, it was a correct response.

It took 6 days from the time of this intrusion for Sony to give any indication that personal data was compromised. This is not acceptable. Whether that delay was a result of the design of the system, incompetence on the part of their staff, the lack of in-house personnel capable of dealing with the attack or the corporate policies in place informing them how they needed to handle this situation is irrelevant. It is still a failure and they (and anyone else) need to do better than that.

I will judge any future incidents by the particulars of those incidents, but in this case, knowing those two facts, no additional information is going to change my perception of this incident as a failure on Sony's part to have acted in the best interests of its customers irrespective of whether that failure occurred before, during or after the intrusion itself.
 
I don't really see the point in addressing hypotheticals when in this case we have a situation where we know two things for certain:

There was an intrusion into Sony's servers that was almost immediately deemed serious enough to take the network down. Kudos to them for taking this action, it was a correct response.

It took 6 days from the time of this intrusion for Sony to give any indication that personal data was compromised. This is not acceptable. Whether that delay was a result of the design of the system, incompetence on the part of their staff, the lack of in-house personnel capable of dealing with the attack or the corporate policies in place informing them how they needed to handle this situation is irrelevant. It is still a failure and they (and anyone else) need to do better than that.

I will judge any future incidents by the particulars of those incidents, but in this case, knowing those two facts, no additional information is going to change my perception of this incident as a failure on Sony's part to have acted in the best interests of its customers irrespective of whether that failure occurred before, during or after the intrusion itself.

Depending on how you read this:

http://kotaku.com/5798510/the-playstation-network-hack-timeline


It took 6 days from the time of this intrusion for Sony to give any indication that personal data was compromised.

Your 6 days may be the best Sony could do...

From the link:

"April 20, 2011. Early Afternoon – SNEA engineers discover evidence of "unauthorized intrusion" and that data had been removed from PlayStation Network servers."

"data had been removed" means what? User data that had been removed? Sounds weird, since the correct wording would be "stolen" or "copied". Data removed points at log files, which I think were mentioned somewhere else as evidence that something was wrong, or something completely different. Or just weak wording from Sony PR to get around knowing something for 6 days without telling?

In the timeline the 23rd is the day that they:
"Forensic teams confirm that intruders used "very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside the server"."
No comments about stolen data.

But on the 24th they at least know something has been stolen, but apparently they need to confirm.

Sony retains additional forensic team with "highly specialized skills" to "determine the scope of the data theft".

And it's the 25th they get a "certain" confirmation of the worst fears:
"Teams confirm account details compromised"

Which Sony then acknowledges on the 26th.

However, Sony closed down the network on the 20th, and if you read their blog it is pretty clear they had no idea about the scope of the problem. Unless they are lying like bitches and just trying to dig a bigger hole.

On the 22nd they confirm there was an attack but they still don't know the scope (goes along with the timeline posted). They still seem to believe they will be back up "shortly". I really don't think they understood the scope of the problem from the start; as they got deeper into the investigation they found out just how big it was.

And I would like to see the backlash if they had proclaimed they had been hacked and 12+ million credit cards were stolen... if it turned out not to be true.

In any case, I don't see how it can be "certain" that Sony knew something and didn't tell; there may have been 1 day or so between knowledge found and told to the world. But that is understandable. 6 days is just wrong. Unless Sony is lying of course.
 

You believe that the backlash resulting from a cautionary notice that, "We have detected an intrusion into PSN by an unknown agency. We are unsure at this time whether customer data has been compromised. We are continuing to investigate and will provide information as it becomes available." being followed up by a notice that "After extensive investigation, we have determined that customer data was not accessed." would have been severe? I don't agree.

What you are not really addressing, though, is that even if it *is* true that they really had absolutely no idea what happened for 5 days that that itself is a problem and a failure on their part either in the architecture of their system or their knowledge of it (something strongly indicated by their need to bring in outside firms). In my opinion, this is no less of a failure.
 
Oh well. Looks like Anonymous might be self-destructing under the strain. It also would appear that their own website was defaced by their own members recently.

I suppose the threat of the FBI and the fact that the names and IP addresses of 500 members, supposedly accountable for the PSN hack, have been posted up for the world to see. And they've had a go at FOX, Eidos, and the Deus Ex website.
 
Oh well. Looks like Anonymous might be self-destructing under the strain. It also would appear that their own website was defaced by their own members recently.

I suppose the threat of the FBI and the fact that the names and IP addresses of 500 members, supposedly accountable for the PSN hack, have been posted up for the world to see. And they've had a go at FOX, Eidos, and the Deus Ex website.

The scary part is that it is supposedly the more radical element that has taken control (a 17 year old dick). The AnonOps guys who'd been controlling things before were the moderates!
 
Is that why there have been a rash of attacks of late? Also there is an article that Amazon servers were rented and used in the attack. This is getting to be like some kind of crazy movie at this point.

The more Anonymous tears themselves apart, the easier it makes them to get caught though.
 
You believe that the backlash resulting from a cautionary notice that, "We have detected an intrusion into PSN by an unknown agency. We are unsure at this time whether customer data has been compromised. We are continuing to investigate and will provide information as it becomes available." being followed up by a notice that "After extensive investigation, we have determined that customer data was not accessed." would have been severe? I don't agree.

What you are not really addressing, though, is that even if it *is* true that they really had absolutely no idea what happened for 5 days that that itself is a problem and a failure on their part either in the architecture of their system or their knowledge of it (something strongly indicated by their need to bring in outside firms). In my opinion, this is no less of a failure.

Of course you don't agree, and I am pretty sure that if Sony experiences something like this again they will post something like that. But of course they, like us, would have the knowledge they have now. Something that makes it all too easy to suggest something like you do now. The LastPass breach and the Eidos/Deus Ex hacks are evidence that the attitude changed to rather safe than sorry when it comes to information.

And read the timeline again: they had an idea something was wrong, but what is clear is that the attacks were done with skill and dedication to not being easily detected. And since Sony didn't really have a dedicated security team/function they were screwed, which imho is a disaster. Maybe they relied too much on outside firms when it comes to PSN? I dunno, outsourcing for the fail. I see no reason to defend their poor security measures.

My original post was only to demonstrate that with what we know you can't just say "they knew for 6 days user information was stolen". You can say "Sony is lying and they knew information was stolen for 6 days" but there is very little info to back that up with.
 
It's been alleged that one or more of the 200+ staff who were laid off may have helped, if not engaged, in the hacking. And it was done whilst they were physically moving the data centre.

Not only did they not know the full extent of the hack but it was possibly spread across both datacentres. Considering the magnitude of data spread across two fragmented networks I'm actually surprised they have got as far as they seem to have so quickly. I think there will be quite a few employees who were pulling 24hr shifts to get this done.

The Square Enix\Deus Ex hack has apparently exposed 25k+ customer records.
 
My statement isn't predicated on any assumptions. It is based on the level of service I expect from a company holding my personal information. If those expectations exceed what is possible for that company to provide then I will not be using their services.

You can feel free to have lower expectations and I'm quite sure a company will be happy to meet those.

That's my point. You may form expectations based on what you ideally want and expect the company to follow the procedures to meet those, but that may not actually be the wisest method of handling the issue (or even possible) when there are large complexities involved, uncertainty and risk.
 
Of course you don't agree, and I am pretty sure that if Sony experiences something like this again they will post something like that. But of course they, like us, would have the knowledge they have now. Something that makes it all too easy to suggest something like you do now. The LastPass breach and the Eidos/Deus Ex hacks are evidence that the attitude changed to rather safe than sorry when it comes to information.

All good things. And the consensus reaction to this incident being so negative is a big reason why that attitude has changed.

And read the timeline again: they had an idea something was wrong, but what is clear is that the attacks were done with skill and dedication to not being easily detected. And since Sony didn't really have a dedicated security team/function they were screwed, which imho is a disaster. Maybe they relied too much on outside firms when it comes to PSN? I dunno, outsourcing for the fail. I see no reason to defend their poor security measures.

My original post was only to demonstrate that with what we know you can't just say "they knew for 6 days user information was stolen". You can say "Sony is lying and they knew information was stolen for 6 days" but there is very little info to back that up with.

I haven't suggested either of those two things since their timeline came out. All I said was that it took them 6 days from the time of the incident to get a statement out. That is a fact, and no matter what combination of circumstances and decisions led to that result, I have a problem with it.

According to their timeline (which I believe is true, but incomplete) they confirmed that data was compromised on day 5 and then waited until the next day before they made their statement. That is a fact, and I have a problem with it.

I believe that at some point before they knew that customer data had been accessed that they suspected that customer data could have been accessed. It was at this time I would have expected Sony to inform their customers of this possibility.
 
That's my point. You may form expectations based on what you ideally want and expect the company to follow the procedures to meet those, but that may not actually be the wisest method of handling the issue (or even possible) when there are large complexities involved, uncertainty and risk.

I would prefer that they deal with the uncertainty and risk instead of passing it along to their customers.

I am quite used to companies putting their interests above the interests of their customers. I expect it, even. But there are some areas where this cannot be accepted and this is one of them.
 
The chat logs specifically mentioned that server as being out of date:



It wasn't as of March as shown by the Google cache.

They also claimed that the credit cards were being sent as "plaintext", which as has previously been discussed was bogus - the PS3 sends the data over an HTTPS connection like *every single e-commerce system on the planet*.

So two of the major claims in that IRC session have been repudiated. So personally I take the rest of what's in there as being equally questionable.

I have little faith in Sony mind you (I've always stuck to PSN cards for that reason), I just do not like reading total fabrications as news is all.

Cheers

First I have to say - good work!
But the out-of-date server claimed in the IRC could have been the truth. The Google cache is from the 23rd of March but the IRC log is from the 17th of February or earlier, as seen here:
http://www.ps3hax.net/showpost.php?p=172049&postcount=180

So Sony could have updated the servers between the log and the hack.
 
I would prefer that they deal with the uncertainty and risk instead of passing it along to their customers.

I am quite used to companies putting their interests above the interests of their customers. I expect it, even. But there are some areas where this cannot be accepted and this is one of them.
And that's what they tried to deal with before they informed the consumer about what was going on.
Hasty communication to the consumer simply because he wants it IS passing uncertainty and risk to the consumer.
 