*ren* PSN Down, Customer Info Compromised

This to me is a ridiculous assumption - the overheads would be astronomical for something that had never happened. I'm sure Sony had a level of 'expertise' but the breach was potentially very bad so they brought in unbiased experts to give a full account of the damage so they know the worst case (ie staff won't be able to cover up or only tell half the story). Certainly I can't think of any company that doesn't use a form of 3rd party support...even Microsoft.

No company has 100% cover for every scenario - especially in the current climate where companies are cutting what's seen as 'fat' - even where I work bizarre decisions seem to be made and good knowledge seems to be made redundant - alternatively maybe they just didn't replace a person who had recently left, who knows - but the point is the same, no company has every angle covered no matter how important it is - every company/person improves aspects after bad things happen, unfortunately this was a very bad thing.

Look at airport security - it's fair to say that there's more than enough evidence to prove my comments are valid - and in those cases we are talking peoples lives not data!

And that's all I want. For Sony and all other companies in this situation to recognize that:

This was a disaster.
Sony's response to the disaster was unacceptable.
They all need to take the steps necessary to improve their own security and their ability to respond when the next attack occurs.

As long as this happens I'll be satisfied and at least some good will come of it. OTOH, if the collective thinking is that Sony did nothing wrong and this is the level of response we should expect then this is exactly the level of response we will get going forward from the industry as a whole.
 
[quote]To be clear, I am not saying that they shouldn't ever need to call for help. I am saying that they should have had the internal resources to accomplish more on their own.[/quote]
More than what? We don't know what they did and didn't do. We have no information at all on what was really going on inside their server buildings and boardrooms.

[quote]Especially when it came to keeping their customers informed.[/quote]
I agree with that, but that's nothing to do with needing to call in external security experts for independent evaluation and advice.
 
Yes, but once you decide it's so bad that you have to effectively pull the plug on the service(s), you should at least notify your customers and not delay for another week before doing so. That action there is what makes Sony look incompetent in the eyes of some consumers.

I think in this instance they would have informed people earlier if it was required or not at all if the breach was a minor one. Once they'd cut the system off from the outside world I would bet that they thought it would be a small job to plug the hole, check for damage, and look for any inserted code. Having done that the system would be connected again.

Unfortunately what they found wasn't a simple breach. It was very complicated and had penetrated a long way into the system. And they took too long trying to pin it down themselves before asking for help.

Basically I don't think the delay was intentional, they were just taken aback by the scale of the hack and tried to resolve it themselves. And like I said before, investigating a hack on this scale is so complicated, and tedious, it's mind blowing!

All the subsequent hacks that they suffered may be down to sys admin usernames and passwords being taken. Imagine if hackers now had access to the financial arm of Sony etc. The PSN is small fry compared to the collateral systems that may also have been compromised. They must have been (still are?) sh1tting themselves.
 
[quote]And that's all I want. For Sony and all other companies in this situation to recognize that:

This was a disaster.
Sony's response to the disaster was unacceptable.
They all need to take the steps necessary to improve their own security and their ability to respond when the next attack occurs.

As long as this happens I'll be satisfied and at least some good will come of it. OTOH, if the collective thinking is that Sony did nothing wrong and this is the level of response we should expect then this is exactly the level of response we will get going forward from the industry as a whole.[/quote]

I think they are going to set up a Chief Security Office to consolidate their security needs. That means a clear and sustainable budget. Would be interesting to see who's the first CSO. ^_^ ( I would be very surprised if Sony management give a pat on their back after losing $171 million over literally nothing, and ignore possible/similar losses in the future. ).

If you ask me, I think they also need a Chief Customer Officer too. The recent departure of marketing heads presents a good opportunity to regroup in this aspect.
 
[quote]React faster compared to what ?[/quote]

To how they performed during this PSN crisis. We don't know if they have a security team, but evidence seems to suggest they did not. With a dedicated team they would at least have know-how on the inside, I am not talking hardcore specialists, but people that would be able to see foul play. And it might even have satisfied customers that find their reaction time to be too slow since they would have been able to make the "turn it all off" call earlier and give a valid reason instead of waiting for the experts.

With the setup and knowledge they had I still think they did what they could.
 
Usually, experienced system and network administrators would have such skills. They are able to harden the OS alone or together with the vendors. They can also detect if the system has been compromised. At the same time, it's common to employ an external security consultant to audit the system -- especially for a publicly listed company.

If they have a top management in charge of the security, then they would have more resources, and their needs could be attended to more promptly. In general, one can never be done with security though (You can always do more but it may become too hard to use, and too expensive to implement).
 
[quote]I think they are going to set up a Chief Security Office to consolidate their security needs. That means a clear and sustainable budget. Would be interesting to see who's the first CSO. ^_^ ( I would be very surprised if Sony management give a pat on their back after losing $171 million over literally nothing, and ignore possible/similar losses in the future. ).

If you ask me, I think they also need a Chief Customer Officer too. The recent departure of marketing heads presents a good opportunity to regroup in this aspect.[/quote]

They have already appointed a CISO (at least a temporary one while they look for someone to permanently fill the post). The fact that they didn't have one before this is one of the things that makes me doubt the overall adequacy of their security staff at the time of the incident.
 
[quote]exactly...the MS DRM limitations are a real PITA and cost me a year of playing my games...and I bet it doesn't stop people exploiting the system[/quote]

Your experience here is atypical. With all of the RROD replacements consumers would be screaming bloody murder if they all had to go through what you did. I have moved my content across 3 different 360s with no issues at all. It's (usually) much easier to recover content from a dead 360 than a dead PS3, actually.
 
[quote]I think in this instance they would have informed people earlier if it was required or not at all if the breach was a minor one. Once they'd cut the system off from the outside world I would bet that they thought it would be a small job to plug the hole, check for damage, and look for any inserted code. Having done that the system would be connected again.

Unfortunately what they found wasn't a simple breach. It was very complicated and had penetrated a long way into the system. And they took too long trying to pin it down themselves before asking for help.

Basically I don't think the delay was intentional, they were just taken aback by the scale of the hack and tried to resolve it themselves. And like I said before, investigating a hack on this scale is so complicated, and tedious, it's mind blowing![/quote]

According to Sony's own timeline they took all of a day before calling in the first of the three(!) separate security teams they eventually called in.
 
[quote]Your experience here is atypical. With all of the RROD replacements consumers would be screaming bloody murder if they all had to go through what you did. I have moved my content across 3 different 360s with no issues at all. It's (usually) much easier to recover content from a dead 360 than a dead PS3, actually.[/quote]

Well the point is to re-download content purchased from the store, this is much easier with the Sony system as it has a lot less restrictions. My point though was that even with the 'better' security involved it isn't perfect.
 
[quote]Well the point is to re-download content purchased from the store, this is much easier with the Sony system as it has a lot less restrictions. My point though was that even with the 'better' security involved it isn't perfect.[/quote]

I don't know what you mean by restrictions. I took the hard drive from the old system, put it on the new system and recovered my Gamertag. Everything works as long as you are connected to Live (even if you only have Silver). Later, when I had some free time, I went to xbox.com, did the license transfer, and deleted and re-downloaded my content. I had a LOT of Rock Band songs to re-download, too. It still wasn't a big deal and took maybe an hour total.
 
[quote]They have already appointed a CISO (at least a temporary one while they look for someone to permanently fill the post). The fact that they didn't have one before this is one of the things that makes me doubt the overall adequacy of their security staff at the time of the incident.[/quote]

Yes, if they are serious about network operations, they should have appointed a "powerful" security head early, and be pro-active. For most organizations, the lead security guy is usually a techie, and may not have the mandate to plan, invest, and enforce security policies widely.

But even with a CSO, I expect them to still use external security consultants. Different talents are great in different areas, 'specially cutting edge ones. Not all of them will be in-house.


[quote]According to Sony's own timeline they took all of a day before calling in the first of the three(!) separate security teams they eventually called in.[/quote]

How long did they take to decide to shut down PSN ? After it's down, it's natural to get as much help as possible to minimize the downtime. The external teams may specialize in different areas. And they can work in parallel to sift through the data.
 
[quote]I don't know what you mean by restrictions. I took the hard drive from the old system, put it on the new system and recovered my Gamertag. Everything works as long as you are connected to Live (even if you only have Silver). Later, when I had some free time, I went to xbox.com, did the license transfer, and deleted and re-downloaded my content. I had a LOT of Rock Band songs to re-download, too. It still wasn't a big deal and took maybe an hour total.[/quote]

I never needed to delete any content just "re-download" (quotes because it isn't a full download). When I purchased a Kinect bundle for my son and did his license transfer I noticed that xbox.com now even has something akin to "send all titles to download queue" (I think it maxes out at something like 20 or 25).
 
[quote]I don't know what you mean by restrictions. I took the hard drive from the old system, put it on the new system and recovered my Gamertag. Everything works as long as you are connected to Live (even if you only have Silver). Later, when I had some free time, I went to xbox.com, did the license transfer, and deleted and re-downloaded my content. I had a LOT of Rock Band songs to re-download, too. It still wasn't a big deal and took maybe an hour total.[/quote]

Sorry for going OT but I want to answer to clear this up.

I sold my old X360 and bought a slim, did the xfer but the slim was faulty - then I couldn't do any more xfers - I ended up spending ages on the phone going round in circles and eventually was told it was escalated to the US where they would 'reset' the DRM thing so I could do it.

Alas that never happened and I gave up (like I said, when they auto-charged me for XBL it took several phone calls to finally get a refund, so I figured as it was just a matter of waiting for a year I'd rather do that).

TBH to limit me to 1/2 xfers a year is a joke - what if I had to sell up due to losing my job, downgrade to a cheap machine that died and I got another (or got a job and re-bought a slim) - I wouldn't be able to play games I purchased legitimately until the DRM limit had refreshed...it's a stupid system.
 
[quote]Sorry for going OT but I want to answer to clear this up.

I sold my old X360 and bought a slim, did the xfer but the slim was faulty - then I couldn't do any more xfers - I ended up spending ages on the phone going round in circles and eventually was told it was escalated to the US where they would 'reset' the DRM thing so I could do it.

Alas that never happened and I gave up (like I said, when they auto-charged me for XBL it took several phone calls to finally get a refund, so I figured as it was just a matter of waiting for a year I'd rather do that).

TBH to limit me to 1/2 xfers a year is a joke - what if I had to sell up due to losing my job, downgrade to a cheap machine that died and I got another (or got a job and re-bought a slim) - I wouldn't be able to play games I purchased legitimately until the DRM limit had refreshed...it's a stupid system.[/quote]

Why isn't your 360 connected to Live? You don't have to subscribe to Gold to have it validate your Gamertag and enable your content.
 
You don't need to do a DRM transfer at all if you have your gamer tag. It just limits you to playing the titles while logged in to your account.
 