Not necessarily
*ren* PSN Down, Customer Info Compromised
- Thread starter Cheezdoodles
- Start date
I don't know if they actually stored passwords in plaintext, but I have seen a lot of people in the industry of IT, assume that strings are "encrypted" when they can't read it as a natural language... Who knows what those passwords are stored as... all it takes is for someone to not understand a setting/configuration option in a complex piece of software to have it all not work the way it's intended, but still appear to function fine.
For example:
aGVsbG9iM2QhCg==
Looks encrypted right?
Running this command : echo 'aGVsbG9iM2QhCg==' | base64 -d
Returns: hellob3d!
Or use a webform: http://www.opinionatedgeek.com/dotnet/tools/base64decode/
You'd expect at least md5 encryption for stored passwords, phrases, and PCI compliant data like CC numbers etc.
Using Base64 to encrypt data is like bringing a water balloon to gun fight...
Interesting to see what different camp says about the CC, Norwegian banks says its worrisome, but no need to cancel your CC, just keep an eye on your account. And you will be compensated if your card is abused, the bank and the CC company will take care of that.
And then we got Sophos saying you should cancel your CC, http://www.next-gen.biz/news/sophos-advises-psn-users-to-cancel-credit-cards
I guess Sony is once again pioneering new ground
And then we got Sophos saying you should cancel your CC, http://www.next-gen.biz/news/sophos-advises-psn-users-to-cancel-credit-cards
I guess Sony is once again pioneering new ground
It depends. If after stealing my wallet they lock my pants in the closet where I can't get at them for a week it makes it hard to notice.
And any hacker who had any part in this deserves everything bad they get, this is the evil/bad kind of hacking that even I disapprove of.
Well earlier this year I was watching the old CasaBlanca movie, there is a scene where a smooth, quick/slick talking person is stealing from the other with a smile but my point is how do you react, obviously people are not going to tell you they are robbing you, even if they are asking for donations for a legal fight/battle only to settle and donate the money that was never used to begin with for its intended purpose to some sleezbag agency.
Again the problem here is how could Sony reply anybetter or how can any other party reply any better given the time.
It takes time to go through the servers, there is no magic button that tells you "it fixes it self" kind of like when people are being robbed, conned or swindled are not obviously going to be aware of it when the criminals are smiling in their face.
I'll tell you I was the victim of a CC hacker stealing my data and they tried to use my CC to charge alot of things in the space of three days, the Bank approved the first transaction, even though it was in another country, when they got trigger happy the Bank realized and put a stop to them, it took three to four business days.
more official info here
http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/
http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/
Are you trying to insinuate the EFF is a sleezbag agency?
It really is terrible that there's an organization that defends individuals against corporate oppression, people should accept their plight under the boot heel of large corporations and antagonistic entities like the RIAA and be thankful for the opportunity. /sarcasm
Does that imply that the physical location of the systems was a contributing factor in the intrusion?
Credit card table encrypted, personal table not encrypted. So, passwords and security questions were not encrypted?
I have a hard time believing they did not know this attack was directed at personal information any sooner than yesterday.
I hope Microsoft, Nintendo and basically any other only service with information like this is considering a serious review of security services after this, so they don't end up in the same situation.
I love this part...
With the PSN down you can't log into the website unless you've logged in before & saved your password. So there is only about 140 comments so far. They're not going to get a lot of comments until the service is back up. Duh! LOL
The last comment is the funniest. "Thank you... for letting us store your personal information so it can be stolen by hackers." They still haven't apologized for this incident. The closest to saying it was "We sincerely regret". Just apologize. What's so hard about that?
Anybody know how they are going to keep hackers from signing into the accounts they stole & reseting the passwords before legit users have a chance to log in themselves? That's what I wanted to ask in the blog comments, but can't since my PSN login isn't saved.
Biggest clusterf**k I've ever seen.
Tommy McClain
When PSN comes back, Sony will have alot of new security-measures in place aswell as monitoring the network pretty closely, so I doub't that the hacker/s will dare go in and try to change anything for regular users.
Just imagine the ramifications he's facing if he's caught.
He's stolen personal information from 75 millions accounts, and there is also is the fact that PSN has been down, and I don't think to many people would cry if Sony and/or some of their partners filed a lawsuit suing for financial damages the time the service were down.
It would be very interesting to see what happened if he were caught.
The hysterics around the PSN breach have become incredibly hyperbolic. At this point it seems clear that no one got any credit card info, Sony just has to warn people to be cautious since, in theory, someone could have downloaded the entire database, although they have no evidence of this, and by some miracle brute force decoded the whole thing. Likewise, identity theft isn't too big a problem since Sony didn't have anybody's social security number which is the most salient piece of data. No, the real biggest problems are compromised passwords which you may have used elsewhere, and downtime for the service itself. In both cases this isn't really any worse than any number of well publicized hacks in recent memory.
The problem is people are holding Sony to an impossible standard. They should have immediately notified everyone who was effected last week, but you can't assume they automagically knew what had happened and who was impacted back then, and Sony have come out and directly said they didn't really have a good idea until Monday. People also complain that Sony shouldn't have built such an insecure system, but no system is perfectly secure and for all we know this was the most difficult and magnificently executed hack in the history of hacks. We can't say we know their security was bad, only that the concerted effort of the attackers overcame it. People also blame Sony for "poking the bear" or "kicking the hornets nest" when they sued Geohot and others (in an attempt to protect their business interests), which is a lot like telling a rape victim they shouldn't have dressed so provocatively. One thing is clear, no matter who the hackers were, this was an illegal intrusion, a criminal act and no matter what Sony's stance on custom firmware is (the compromise of which, for all we know, directly led to the discovery of vulnerabilities in PSN), that in no way excuses an attempt to steal customer information and credit card numbers.
It does not help that so much schadenfreude is being expressed by fanboy partisans around the net who have a distaste for Sony anyway and are more than happy to fan the flames of panic and anguish. My Google Reader feed is filled with outlandish, unsubstantiated and, frankly, unconscionable link bait stories written by people who don't understand what they are saying, but are happy to repeat anything that makes Sony look bad. Ars Technica loves telling us correlation does not equal causation when it come to videogame violence, but as soon as three idiots email them to claim they saw fraud on their credit cards (and depressingly common occurence, PSN notwithstanding), so few that you can't even rightfully claim even correlation, they are more than happy to report these coincidences as though they are news. Many outlets have also made the mistake of using the statements from random customer service reps in the banking industry to supposedly discredit Sony's claim to have warned major financial institutions. Speaking as someone who has worked in a call center for a major bank I can guarantee you Sony doesn't call the same 800 number that's on the back of your debit card to make such notifications and that kind of information takes a while to trickle down the chain.
To date, I haven't seen any evidence of actual damages incurred by customers due to the breach. Associated services like Hulu Plus have already done the cool thing and offered subscription extensions to impacted users. The biggest losers are small developers dependent on PSN sales for their livelihood. Talk of congressional inquiries are premature, as are class action lawsuits. The breach of PSN has been a massive inconvenience, to be sure, but it is not the business catastrophe it is being made out to be.
The problem is people are holding Sony to an impossible standard. They should have immediately notified everyone who was effected last week, but you can't assume they automagically knew what had happened and who was impacted back then, and Sony have come out and directly said they didn't really have a good idea until Monday. People also complain that Sony shouldn't have built such an insecure system, but no system is perfectly secure and for all we know this was the most difficult and magnificently executed hack in the history of hacks. We can't say we know their security was bad, only that the concerted effort of the attackers overcame it. People also blame Sony for "poking the bear" or "kicking the hornets nest" when they sued Geohot and others (in an attempt to protect their business interests), which is a lot like telling a rape victim they shouldn't have dressed so provocatively. One thing is clear, no matter who the hackers were, this was an illegal intrusion, a criminal act and no matter what Sony's stance on custom firmware is (the compromise of which, for all we know, directly led to the discovery of vulnerabilities in PSN), that in no way excuses an attempt to steal customer information and credit card numbers.
It does not help that so much schadenfreude is being expressed by fanboy partisans around the net who have a distaste for Sony anyway and are more than happy to fan the flames of panic and anguish. My Google Reader feed is filled with outlandish, unsubstantiated and, frankly, unconscionable link bait stories written by people who don't understand what they are saying, but are happy to repeat anything that makes Sony look bad. Ars Technica loves telling us correlation does not equal causation when it come to videogame violence, but as soon as three idiots email them to claim they saw fraud on their credit cards (and depressingly common occurence, PSN notwithstanding), so few that you can't even rightfully claim even correlation, they are more than happy to report these coincidences as though they are news. Many outlets have also made the mistake of using the statements from random customer service reps in the banking industry to supposedly discredit Sony's claim to have warned major financial institutions. Speaking as someone who has worked in a call center for a major bank I can guarantee you Sony doesn't call the same 800 number that's on the back of your debit card to make such notifications and that kind of information takes a while to trickle down the chain.
To date, I haven't seen any evidence of actual damages incurred by customers due to the breach. Associated services like Hulu Plus have already done the cool thing and offered subscription extensions to impacted users. The biggest losers are small developers dependent on PSN sales for their livelihood. Talk of congressional inquiries are premature, as are class action lawsuits. The breach of PSN has been a massive inconvenience, to be sure, but it is not the business catastrophe it is being made out to be.
Similar threads
