*ren* PSN Down, Customer Info Compromised

Details of Class-Action lawsuit against Sony

Link

Some nuggets:

Sony laid off a large number of employees who had been responsible for security 2 weeks before the hack. Seems even more likely to me that an insider was involved in the hack.

Multiple witnesses will testify that Sony's security practices were lacking (in one example being described as falling "short of widely-adopted security standards") and that Sony knew of system vulnerabilities because of earlier, smaller hacks.
 
It kinda begs the question: if the smaller incidents happened before they were let go, why didn't the plaintiffs patch the hole(s)? It may not be a problem replacing existing staff with more experienced ones during reorg. I guess we will find out during the trial.

Some ex-Sony employee offered sceedev source code to lulzsec. The jig card was leaked from inside. I hope Sony tightens up their internal security. Some past data leaks happened from inside the organizations.

EDIT: The hackers are having a hard time now also it seems:
http://gizmodo.com/5815198/hacker-vs-hacker-new-rival-claims-to-out-lulzsec-leader

Someone going by the nom de guerre th3j35t3r ... claims to have taken out the LulzSec website in a denial of service attack and posted information about an alleged LulzSec leader. th3j35t3r has been baiting LulzSec for some time on Twitter, now. The alleged LulzSec'er "Sabu," is purported to be someone named either Xavier Kaotico or Xavier de Leon. The site was apparently down earlier today, but the identity of the LulzSec leader is impossible to verify.

Meanwhile LulzSec has responded by saying, essentially, shenanigans. They even posted what they claim is an improved version of the script th3j35t3r was using.
 
> It kinda begs the question: if the smaller incidents happened before they were let go, why didn't the plaintiffs patch the hole(s)?

The former employees aren't the plaintiffs. They are witnesses. The suit is being brought by and on behalf of consumers. As for why they didn't patch the holes, maybe higher-ups didn't authorize the actions that would have been required to implement the fixes.
 
Yes... some may require additional downtime or investments to implement, or need extra compatibility testing for existing applications, or they may have other higher priorities to meet. In which case, delays are inevitable. Otherwise, there is no reason not to authorize a patch for a known hole, especially if multiple incidents have happened before. Managers always like/want to cover their *sses.
 
Unsurprisingly, other hackers have been trying very hard to uncover their identities. They seem pretty close too. Would be amazed if the group can last until next year.
One thing I've noticed in LulzSec's posts is their arrogance. They think themselves untouchable because they're widely distributed, and the (mostly true) fact that law enforcement, especially disconnected like that, won't be able to find them. What they're not factoring in is what you just posted.. law enforcement aren't the only ones looking for them.

Like BoardBonobo said, this isn't going to pan out the way LulzSec thinks it will. If anything, it will probably accomplish the exact opposite. "Don't poke the bear".
 
> They think themselves untouchable because they're widely distributed, and the (mostly true) fact that law enforcement, especially disconnected like that, won't be able to find them. What they're not factoring in is what you just posted.. law enforcement aren't the only ones looking for them.

But this ignores the fact that law enforcement tends to go after the lowest hanging fruit, any old collar will do. This can be seen in the way the UK was parading around some script kiddie running an IRC server as if they had caught an evil mastermind.

One benefit LulzSec has is that the noise level is really high around them. Any low level script kiddie can DDOS or run canned attack scripts.

Cheers
 
I wouldn't take LOLSEC's word for it that he was just a low level guy running the IRC. They will never admit one of their own to being caught. Because depending on how much they've revealed to each other, one of their own being caught poses a potential huge risk to the others. Most hackers feel invincible and never expect to be caught. They are not like other criminals that face the reality and resolve themselves against interrogation. If they were loose with their real details with each other and one gets caught, the whole network could fall rather quickly.
 
> I wouldn't take LOLSEC's word for it that he was just a low level guy running the IRC. They will never admit one of their own to being caught. Because depending on how much they've revealed to each other, one of their own being caught poses a potential huge risk to the others. Most hackers feel invincible and never expect to be caught. They are not like other criminals that face the reality and resolve themselves against interrogation. If they were loose with their real details with each other and one gets caught, the whole network could fall rather quickly.

And, of course, if they take steps to ensure their anonymity from the police as well as each other, then they can potentially fall foul of anti-terrorism laws. If any court makes a case for their actions causing harm to the fabric of the country then they could be right royally screwed because even if they are under-age it makes no difference to the new laws defining the freedom of the state.
 
And now the lulz decide that their 50 day cruise is over and they can get back to their normal lives... In other words they're shitting themselves over what's to come, as though they could do anything to stop it now, and basically are running away with their tails between their legs. Which would appear to be the only thing between the dickless cretins' legs.
 
> And now the lulz decide that their 50 day cruise is over and they can get back to their normal lives... In other words they're shitting themselves over what's to come, as though they could do anything to stop it now, and basically are running away with their tails between their legs. Which would appear to be the only thing between the dickless cretins' legs.

Yep.
 
Tried to experience the PSN hack from the view of a very casual player..

He hadn't logged in for months, had no idea the hack even occurred. Just went straight into GT5 and was greeted with an error message. Tried to log in from the PS Store, was asked to change password and was told he got a mail.

Checked his mail, and tried to change password on the PC, was greeted with another error message that the site was down for service..

Tried it on the PS3, welcome to hexadecimal error messages with a "server not available".

Tried it the next day.. same problem..

Finally, on the 2nd day he got lucky on his PC.

Ohh and we had to do a firmware upgrade as well.

And of course, no free games or welcome back package for him since he didn't log in.

Conclusion, for the casual, maybe very casual gamer, it's just not a satisfying experience. A big thumbs down to SONY.

And the Ferrari I mailed him in GT5 was gone as well! :)
 
Had a friend who called up customer service and cussed them out because he was too late for the welcome back. And the tedious patches for some game. It may have been the first LittleBigPlanet. Anyway felt bad for the rep. :cry:
 
> Had a friend who called up customer service and cussed them out because he was too late for the welcome back. And the tedious patches for some game. It may have been the first LittleBigPlanet. Anyway felt bad for the rep. :cry:

Yeah, I hate the damn patches... but it's good that you can at least skip them if you don't play online.
Replayed Uncharted 2 last week and I had 5 patches for that game queued up - why can't they use cumulative patches?
And why do you get hopelessly outdated versions from the PSN store that you immediately have to update?

It's just more reasons for me not to buy games until a GotY version or similar is available. I always feel burned if I get games at launch, nothing is as neat and tidy as an un-bugged version with additional content on a shiny disc.
There are exceptions (pretty hyped for the next Uncharted), but I just got "GTA IV Complete Edition" and I'll jump on "Red Dead Redemption" as soon as a similar edition crops up.
 
Yeah, it was all over the news. Hell, they even extended it for a weekend 'cause of the confusion whether it was ending on July or when it hit July 3rd, which in turn caused some people to abuse the system and get 2 free months of PSN+. It's one of those: you can't complain about not getting free stuff if you can't even be bothered to check when the offer might expire.
 
> Yeah, it was all over the news. Hell, they even extended it for a weekend 'cause of the confusion whether it was ending on July or when it hit July 3rd, which in turn caused some people to abuse the system and get 2 free months of PSN+. It's one of those: you can't complain about not getting free stuff if you can't even be bothered to check when the offer might expire.

People will and do complain about anything. Whether it's rational or illogical doesn't matter. All that matters is how consumers' thoughts affect product sales.
 
> Yeah, it was all over the news. Hell, they even extended it for a weekend 'cause of the confusion whether it was ending on July or when it hit July 3rd, which in turn caused some people to abuse the system and get 2 free months of PSN+. It's one of those: you can't complain about not getting free stuff if you can't even be bothered to check when the offer might expire.

It's more a question of Sony not choosing the smooth option. First time you log in with your new password, everyone should have been greeted with an "IMPORTANT" text: Your 4 weeks of free stuff starts NOW. Instead of the option they chose, which was and is bound to create drama for some, while others like my friend really don't give a damn one way or another. He was just annoyed that he had to wait for 48 hours to actually get his password reset.
 
> It's more a question of Sony not choosing the smooth option. First time you log in with your new password, everyone should have been greeted with an "IMPORTANT" text: Your 4 weeks of free stuff starts NOW. Instead of the option they chose, which was and is bound to create drama for some, while others like my friend really don't give a damn one way or another. He was just annoyed that he had to wait for 48 hours to actually get his password reset.

You say that like it would have been easy to juggle free content on separate time frames for 100 million accounts. By the time this incident you are recounting happened, Sony had probably sent half a dozen emails directly to the user over 2 months. If a user doesn't check their email, or has signed up for a service with a disused email account, why is that Sony's responsibility? Word about the hack, the restoration and the welcome back program was distributed as widely as Sony could reasonably have effected.

Companies only have so many ways to communicate to their customers, and if customers willfully ignore those communications they have to take responsibility. I used to work for a bank and customers would frequently call to complain they had not been notified about changes, updates, overdrafts, etc. The natural question was always, "did you read your last statement or the five overdraft notices sent to your current address over the last couple months?" You can't complain about a lack of communication if you actively refuse to read your mail. At least, you can't expect to be taken seriously.

Of course, you end up with situations where a mailing address has changed, or an email account is no longer active, but updating that information is still the customer's responsibility. The bank has no way of knowing you moved. Sony doesn't know you've switched to Gmail.
 
> You say that like it would have been easy to juggle free content on separate time frames for 100 million accounts. By the time this incident you are recounting happened, Sony had probably sent half a dozen emails directly to the user over 2 months. If a user doesn't check their email, or has signed up for a service with a disused email account, why is that Sony's responsibility? Word about the hack, the restoration and the welcome back program was distributed as widely as Sony could reasonably have effected.
>
> Companies only have so many ways to communicate to their customers, and if customers willfully ignore those communications they have to take responsibility. I used to work for a bank and customers would frequently call to complain they had not been notified about changes, updates, overdrafts, etc. The natural question was always, "did you read your last statement or the five overdraft notices sent to your current address over the last couple months?" You can't complain about a lack of communication if you actively refuse to read your mail. At least, you can't expect to be taken seriously.
>
> Of course, you end up with situations where a mailing address has changed, or an email account is no longer active, but updating that information is still the customer's responsibility. The bank has no way of knowing you moved. Sony doesn't know you've switched to Gmail.

Who says it should be easy for Sony? Why should I care about the work they would have to go through?
I am not complaining about the information I got from Sony, I am just pointing out that the best way to say "we are sorry" is not to have a time limited free gift pack which is bound to leave some people out of the loop.

And the way most people read mails from companies like Sony does leave a chance that they won't even notice the welcome back package, but that is not Sony's fault, but it's a reason that people will miss stuff like this.

My main complaint was the embarrassing way that the "change password" procedure did not work. The free stuff was really not so important (as I think I mentioned) but Sony did choose a way that left some people out.
 