PSN: The Security Scandal

"One of the biggest security breaches of the internet age."

"If Sony is watching this channel they should know that running an older version of Apache on a Red Hat server with known vulnerabilities is not wise, especially when that server freely reports its version and it's the auth server."

Today's re-emergence of an IRC chat log featuring PlayStation 3 hackers discussing PSN's security failings puts a new, unwelcome perspective on Sony's security crisis. The log, dated 16th February and posted the same day on PS3 hacking sites, should of course be treated with caution: easily forged and easily edited, the provenance of these sources is dodgy at best.

However, the content has been described to me by one informed source intimate with the PlayStation 3 as "looking about right", and it ties in with previously established information on how PS3 talks to the PSN servers. This opens up a whole new can of worms about what is swiftly transforming into one of the biggest security breaches of the internet age.

The inference is simple: PSN vulnerabilities were well-known and being discussed in public months ago, and Sony didn't act soon enough. Bearing in mind the colossal wealth of evidence the platform holder has lifted from PS3 hacking sites and presented during the Geohot legal case, it's clear that ignorance of these claims doesn't hold water. Sony is clearly paying close attention to the hacking "scene" and has been since the original PSJailbreak appeared last summer.

The information Sony has released about the nature of the hack is alarming enough, but there are hints that the story is far from over. Many believed that PSN was down in order to patch a security hole that allowed custom firmware users to abuse developer testing servers into authenticating pirated game and DLC downloads. Unfortunately the truth was far more shocking.

PSN security has been breached server-side and all the information the user entrusts to Sony when signing up to the service has been compromised. Names, addresses, login details, security questions and passwords have been purloined – and while the platform holder isn't 100 per cent sure that credit card details have been stolen, it won't rule out the possibility.

The whole notion that password details have been taken defies belief. There's a reason that most internet sites can't tell you what your own password is and can only reset it – it's because the server itself doesn't actually store it at all. Your chosen password is hashed when it's first transmitted, and only this checksum is stored. When you enter your login, the password is hashed again and compared to what is on the system – if we have a match, you are granted access.

In short, there is no need whatsoever for your password to be stored server-side. Sony's statement suggests that it was actually storing this sensitive information in plain text, which is hard to credit. The only other explanation is that the hackers got hold of the hashes alone and may have compromised a small minority of passwords by running that data through something like a dictionary look-up. From the tone of Sony's apology, however, this does not appear to be the case.
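As an added example, not code from the article or from Sony, here is the hash-and-compare login scheme the paragraphs above describe, next to the unsalted "checksum" layout and the dictionary check the text mentions; the user records, word list and iteration count are constructed for illustration.

```python
# Added example (not from the article or from Sony/PSN): hash at sign-up,
# store only the digest, re-hash at login and compare. Sample records and the
# word list are constructed; the PBKDF2 iteration count is an assumed value.
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune for your hardware)


def unsalted_digest(password: str) -> str:
    """The bare 'hashed checksum' layout the article describes: one SHA-1 of
    the password, no salt, no work factor. Shown only to contrast with below."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(username: str, password: str, salt: bytes | None = None) -> dict:
    """Sign-up: derive a salted, slow hash and store only that. The plaintext
    password never enters the record, so nothing in the database can return it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex(),
            "iterations": ITERATIONS}


def verify(record: dict, password: str) -> bool:
    """Login: hash the supplied password the same way and compare. The
    constant-time compare avoids leaking how many bytes matched."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def record_reveals_password(record: dict, password: str) -> bool:
    """True if the stored row would let the operator (or a thief) read the
    password back, which is the situation the article worries Sony was in."""
    return any(password == v for v in record.values())


def audit_unsalted(digests: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Defender-side password audit of a leaked unsalted table: one precomputed
    digest per word answers every account that chose that word. Returns the
    accounts whose password sits in the word list."""
    table = {unsalted_digest(w): w for w in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


def audit_salted(records: list[dict], wordlist: list[str]) -> dict[str, str]:
    """Same audit against the salted scheme: no shared table is possible, each
    account needs the whole list re-derived under its own salt at full
    iteration cost, so the work scales with accounts times words. Weak
    passwords still fall, which is why the password policy matters too."""
    found = {}
    for rec in records:
        for w in wordlist:
            if verify(rec, w):
                found[rec["user"]] = w
                break
    return found


# Constructed sample: three accounts, two of which picked the same weak password.
SAMPLE_USERS = {"alice": "letmein", "bob": "letmein", "carol": "Xq7#ventricle!92"}
COMMON_WORDS = ["password", "123456", "letmein", "qwerty"]


def demo() -> dict:
    """Run both layouts over the sample and report the properties of interest."""
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    salted = [make_record(u, p) for u, p in SAMPLE_USERS.items()]
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted[0]["hash"] == salted[1]["hash"],
        "unsalted_found": audit_unsalted(unsalted, COMMON_WORDS),
        "salted_found": audit_salted(salted, COMMON_WORDS),
        "login_ok": verify(salted[2], "Xq7#ventricle!92"),
        "login_wrong": verify(salted[2], "xq7#ventricle!92"),
        "plaintext_in_record": any(
            record_reveals_password(r, SAMPLE_USERS[r["user"]]) for r in salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```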

Updated: In a new message released on May 2, 2011, Sony has confirmed that it did use a cryptographic hash function.

If hackers have access to your name, address and date of birth, that information on its own is more than enough to cause trouble, and the notion that the security questions may have been compromised too only adds to the severity of the damage that can be done. Information of this kind is of immense value to ID fraudsters, but just your name and address can be enough for a skilled fraudster – as I know to my cost.

Comments (128)

  • Scopeh #1 1 year ago

    "It's beyond belief"

    Yes, yes it is.
  • Psychotext #2 1 year ago

    The fact that security logs from one of their servers were visible as of the day they announced the intrusion is a pretty damning indication that Sony's security team really don't have a clue what they're doing.

    They need to get an external team in to beef things up, and pronto (if they haven't already).
  • bell_801 #3 1 year ago

    You get what you pay for.
  • Razz #4 1 year ago

    Watchdog is probably already planning an episode based solely on this issue, cue video segment: little 12yo chav Timmy who has borrowed mummy's credit card to buy CoD DLC, only now, because of the security scare, the whole family can't afford to pay for groceries through fear of using their credit card and ITS ALL BIG EVIL SONY'S FAULT.

    God help us, the tabloids, a field day they shall have
  • GamesProgrammer Verified Games Team Programmer, Eutechnyx Ltd. #5 1 year ago

    @Psychotext

    They have, they said so yesterday.
  • CaptainQuint #6 1 year ago

    Won't somebody please think of the (whiny, spoilt, horrible little...) children?
  • AdamAsunder #7 1 year ago

    This and the super injunction scandals are really going to affect privacy laws in the future I feel.

    I signed up for PSN when I had a PSP and when I borrowed a pal's PS3 so I'm a little bit concerned myself even though I don't actually own any Sony products now.

    Well done Sony you absolute fucktards.
  • psychokitten #8 1 year ago

    What's to flame?

    It's an epic failure on Sony's part, shocking lack of security for any company, let alone one of this size.
  • Manic_Miner #9 1 year ago

    Hi, Howard Stringer here. Nothing to worry about, move along.

    My secretary, who looks after PSN security in her spare time, has assured me that she'll get this whole kerfuffle sorted out. As soon as she's bought me my lunch.
  • Mister-Wario #10 1 year ago

    Fortunately, my email address isn't used for anything more important than forum logins.
  • spekkeh #11 1 year ago

    Parallels should be drawn to computer operating systems, where there would be consumer outrage and legal suits pending were Microsoft or Apple continually phoning home with information on how we are interacting with their products.

    Aren't they though?

    I wouldn't mind a law-enforced option where the software has to prompt you before sending personal info, and exactly stating which information it is.
  • spekkeh #12 1 year ago

    That's a relief Mister-Wario.

    ...or are you?!
  • Psychotext #13 1 year ago

    "They have, they said so yesterday."

    Not exactly. They said that they brought an external team in to gauge the extent of the intrusion, not to audit / secure their systems going forward.
  • captain_Carl #14 1 year ago

    Good thing I have a unique email and password for my PSN, and don't use my real name or DoB.
  • Lunastra78 #16 1 year ago

    You may have the right to gloat, but beware of the sun, young XTroll.
  • Roarster #17 1 year ago

    If you're going to be using pre-paid cards on your PSN and XBL accounts you're as well using them for every purchase online you make - no system is ever going to be 100% secure and every time you enter your credit card details you're risking them being stolen.

    We'll likely never know if Sony's security was lacking, but even following industry best practices wouldn't have made a hack impossible - there's always going to be security holes in any complex system.
  • ozzzy189 #18 1 year ago

    This is not surprising, the arrogance of sony regarding their situation and the way they've handled it actually makes me feel pretty good about my willingness to pay and enjoy xbox live. Thirty five pounds a year? There's no comparison in relation to which one is best. One is free because it's shit.
  • CaptainQuint #19 1 year ago

    A part of me thinks that somehow, somewhere... Kotick is to blame.

    Fuck you.
  • SteelPriest #20 1 year ago

    Meh, it's not like I'd be in danger of actually losing any money. And not JUST cos I don't have any to steal.
  • marshaal5 #21 1 year ago

    I find it kinda sad that people are glorying in the fact it's Sony and are putting the boot in because of it.
    Blame the hackers and homebrew custom firmware users/defenders who have no clue as to what the people who make this firmware have put in it, possibly caching information as to how the PS3 logs in and communicates with servers, then sending it to who knows where.
  • the_sas_man #22 1 year ago

    Sony = Make. Believe.
  • Mister-Wario #23 1 year ago

    Curses! Spekkeh is on to me. I'm REALLY Mister-Waluigi now.
  • joelstinton #24 1 year ago

    It's outrageous that it has taken so long to tell us this information, regardless of whether they only knew of the details on Monday. When they closed down the network and first thought that it could have been from an outside source, they should have told us that details may have been at risk, and it's worth keeping an eye on things - but when do companies stop holding our hand in the matter? They shouldn't have to tell us all the time to check our own security when problems arise, we should know this for ourselves. But yet, there should have been a lot more transparency in those early days. I know the PR has been a disaster, but I think people forget that at least Sony closed down PSN. They knew early on that it may have been bigger than the outage. They could have left it on, and then things could have been a lot, lot worse. And they have done this at the cost of millions of pounds of revenue (unfortunately for indie developers), and in the face of a complete mess, and a massive balls up, that is quite commendable.
  • richarddavies #25 1 year ago

    I'm pissed that Sony didn't put more care in their protection but I'm still placing most of the blame on the thieving arseholes that stole the data. Just because they could doesn't mean they should have. Or something like that anyway... I don't know, I'm getting a Stella.
  • GamesConnoisseur #26 1 year ago

    Reputation for security and Sony'll get all the jokes and giggles from now on to the end of the internet age.

    Plus cries of rages and frustrations for the poor victims of either credits or ID frauds.

    Nothing good at all and quite preventable..... Password as plain text?? Nothing can excuse this other than rank carelessness and utter stupidity.
  • Freek #27 1 year ago

    The whole "everything can be hacked" line doesn't hold a lot of water when the evidence points to PSN not being properly secured, and thus Sony does not deserve our trust.
  • mAc062 #28 1 year ago

    Ahhh Sony you goons, that's my info and you should have kept it safe, thanks for leaving the door open assholes
  • Lalaland #29 1 year ago

    Passwords stored as plain text is just so made of fail they should go on TV and do that deep 'public apology bow' that signifies you've done wrong in Japan. Really, really amateurville.
  • StooMonster #30 1 year ago

    I can't remember if PSN holds my CC details or which one of my passwords I used with it. :(
  • GreyBeard #31 1 year ago

    From what I can tell the whole "passwords in plain text" thing is yet to be confirmed as fact.

    There was a piece on Ars Technica published around February that first made this allegation, but it was hotly disputed at the time.

    As to this current situation, Wesley's piece hinges on a single word ("obtained") in the press release/public announcement which seems flimsy to me at best.

    It's also worth pointing out that a database containing all of Sony's 77 million subscribers in an uncompressed, unencrypted format is an extremely large structure (~380gb), making it very difficult to move surreptitiously. Not to mention difficult and time consuming to mine/act upon without leaving an obvious paper trail.

    Doubtless more will be revealed in time, but quite honestly fostering panic and concern at this juncture is deeply irresponsible. Realistically, the odds that your particular details will be used for nefarious activity are millions to one.
  • Shikasama #32 1 year ago

    I don't get some people's argument about this.

    Just because 'no system is ever 100% safe', how does that excuse a complete lack of adequate security? Suddenly it's OK that they treat your personal details like crap because hell, chances are it could have happened anyway?
  • scoop #33 1 year ago

    Well, I was going to criticise the author for scaremongering, but when you look at a lot of the posts it seems people need a good wake-up call.

    Personal details are FAR more important than credit card details. You can cancel your card, it will expire, it has a limit. You CAN'T cancel your name, date of birth, mother's maiden name, address (second time I've said this now).

    A phone call is all it takes to put your mind at rest if your card is lost or stolen. If someone gets your most intimate personal details though, then you're going to be looking over your shoulder for a long time to come, because it can be used from anywhere and at any time, and the fraud can be attempted over and over again.

    So sure, you can combat it - lock down the hatches and be on your guard at all times, but it will make your life miserable, as the author will know there's no greater way to ruin a day than be told someone else is posing as you.

    The quantity of information talked about (up to 70 million accounts) makes it even worse, because that kind of volume is worth a SHITLOAD of money, and it will be the big criminal institutions who'll offer the best bids, and those are the fuckers you *really* have to worry about, because they're damned good at what they do and getting away with it.

    And for the apologists: Hacker is not to blame. Sony ARE to blame. It's their system, they had a duty to protect, anonymize and hide your data.

    If your bank can keep your PIN code secret, then why the hell can't one of the biggest tech companies in the world do the same?
  • JayScott #34 1 year ago

    Frunk you are an idiot.
  • speedjack #35 1 year ago

    I can't tell if Frunk is being serious or not.

    Did you actually read the article ?

    Yes the direct cost of your previous data fraud may have come to zero but rest assured the credit companies/vendors get their money back by passing the cost to the end consumer - normally by charging more.
  • RobTheBuilder #36 1 year ago

    Remember Pspgo.
    Remember the extortionate cost of launch PS3's
    Remember "you won't be able to find one, whoops you have".
    Remember "I want a PSP" for xmas
    Remember "We can't make rumble work with motion sensing".

    This is potentially worse for Sony and Playstation than all of those combined.
  • Beano #37 1 year ago

    This story is shocking on so many levels - that a huge corporation like Sony is storing sensitive information like passwords without any encryption. Most developers know that storing passwords as plain text (in a database) is a big "NO NO".

    Sony's credibility is blown to pieces and it's hard to see how they will be able to recover. Most customers will not trust Sony with their credit card info again, causing sales on the PSN Store to die or at least be very low - which will cause many publishers to abandon PSN.

    On the positive side - I'm sure many companies are now going thru their own security and improving what needs to be improved.
  • WeakOrbit #38 1 year ago

    My debit card just got used in an unknown transaction there without my approval. Thanks a bunch Sony.
  • Lalaland #39 1 year ago

    @Greybeard: That's true but if you just poll the db server with enough queries you could extract a significant percentage/all of that info if someone wasn't watching closely enough. Unfortunately if the chat logs and web posts from a while back about old versions of Apache are true then Sony clearly wasn't. The 'obtained' thing was clarified by the author saying that it might be a dump attacked via hash tables. If Sony had hashed them though you'd expect the usual 'it's encrypted but better safe than sorry' line rather than the vague 'obtained'.
    Edited by Lalaland at 27/04/11 @ 14:51
  • bad09 #40 1 year ago

    Wait wait wait. Not that I have anything to hide whatsoever but, as the article implies, is it really possible Sony use the PS3 to spy on our hard drives, connected USB/HDMI devices, CDs, Blu-rays and DVDs big brother style?

    Surely that's not legal in any kind of way.
  • scoop #42 1 year ago

    @GreyBeard: "Doubtless more will be revealed in time, but quite honestly fostering panic and concern at this juncture is deeply irresponsible. Realistically, the odds that your particular details will be used for nefarious activity are millions to one."

    You get worse odds when you buy a lottery ticket, yet people still buy them, and people still win.

    Telling someone to worry is a lot more responsible than saying "don't fret, luv, it might not be you".

    I'm all for calm in the storm m8, but it's famous wisdom that lack of action can be more irresponsible than sitting idly by.
  • orangpelupa #43 1 year ago

    "Sony's statement suggests that it was actually storing sensitive information in plain text format, which defies belief."

    From what happened in the PS3 hacking scene, Sony even used a non-random number for the random number (hence all the jailbreaking and so on).

    Even on the PS3 itself, if you install a file manager, you can see many things are stored in plain text.

    So I'm kind of not shocked if the Sony server also stores that sensitive info in plain text...
    Their security engineering has been kind of weird throughout this whole PS3 era (and PSN).

    or

    maybe all the data is hashed but the key is already known by the hackers. (maybe similar to PS3 jailbreaking case)
    Edited by orangpelupa at 27/04/11 @ 15:11
  • Walkerj #44 1 year ago

    I never put personal info on my PS3, and my password is unique. I also never use my credit card for anything online. I'll make a temp card, or use PSN cards, like everyone should. I'm not upset with Sony, I just want PSN up again.
  • RexRunti #45 1 year ago

    Can anyone remember what happens if you forget your PSN password? Do Sony send you a new one or do they resend your current one? If they send you your old one they probably have been storing the password as plain text.
  • Walkerj #46 1 year ago

    Plain-text passwords is SPECULATION by the author of this article.
  • joelstinton #47 1 year ago

    @Beano

    We don't know anything about the problem. At all. It's worthless making statements (and I know you're not the only one) like "that a huge corporation like Sony is storing sensitive information like passwords without any encryption". You just end up believing your own assumptions. The latest talk is that the passwords were actually indeed hash protected. What you are saying is equal to them leaving a dossier of records of PSN users on a table in public on purpose for people to take. Which is surely not the case. It's unfathomable that Sony could be so stupid. If that was the case, this info would have been taken years ago. Gary McKinnon was in the American Gov/NASA system for 13 months before he was caught. And they would most likely, probably, have the best security system in the world.

    If I'm wrong, then I've been a fool, and would happily eat a thousand hats, and have pie thrown in my face on a regular basis until I become some weird amalgamation of the two... a big leathery pie-like shoe... but all this sensationalism is helping no one.
  • Murton #48 1 year ago

    "We'll likely never know if Sony's security was lacking, but even following industry best practices wouldn't have made a hack impossible - there's always going to be security holes in any complex system."

    The ICO is contacting Sony UK to arrange an investigation, the results of which will likely be made public. I doubt we'll get a full report, probably just a summary but it'll be enough to either put some fears to rest or trigger the apocalypse, either/or. I'm reasonably confident that Sony were protecting our data in accordance with the law and this is the work of a determined hacker exploiting a key weakness that hadn't been resolved for whatever reason, unlike the author I'm doubtful of any actual negligence on Sony's part or this would have happened much, much sooner.

    As for your second point, spot on. Hackers simply move faster than security experts. They're forever locked in this game of cat and mouse, whereby the hackers find an exploit and start poking around, alert security and the hole gets plugged, but while they're doing that the hackers are finding another weakness to exploit, and every now and again a really bad exploit gets found or security are simply too slow to stop it and we see major damage and disruption like we've seen here or the Stuxnet attack on Iran's power plants.
  • Roarster #49 1 year ago

    I don't get some people's argument about this.

    Just because 'no system is ever 100% safe', how does that excuse a complete lack of adequate security? Suddenly it's OK that they treat your personal details like crap because hell, chances are it could have happened anyway?

    Except we've no idea that that's the case. All we have is articles like this guessing at the worst case. If Sony really are storing passwords in plain text (though I'd be truly amazed if they are) and have been running outdated and unpatched software then they are idiots and deserve the huge fines and massive amounts of bad feeling that will come their way. However, just because they've been hacked doesn't mean they have been lax with their security or are completely clueless. Security holes exist in any system and a determined and skilled hacker will eventually find their way in.
  • Britesparc Verified Creative, ITV #50 1 year ago

    I think it was a very fair article - this is a MASSIVE, serious issue. People are genuinely pissed.

    I don't have a PS3, but on my Xbox I've always bought things with prepaid cards - Gold subs, points, etc. I don't think anything other than my real name is stored now. Apart from last year, when I renewed my Gold sub online to get some deal or the other. Now I'm regretting that a bit...

    If I was a PSN subscriber, I'd be very concerned; as it is, I'm worried that Xbox Live might have similar security protocols, and might be next in the hackers' firing line.

    And of course the issue of how much information all these companies - MS, Sony, Apple, etc - are taking, and what they're doing with it, is always troubling.
  • beastmaster #51 1 year ago

    I honestly think this article is on a par with the Duke Nukem outrage at arse slapping.
  • chibber23 #52 1 year ago

    Sony need to tell us if the details (especially passwords and CC details) were encrypted like they frankly should have been. Also only the first 6 and/or last 4 numbers from our cards should be visible (that's the law if I'm not mistaken) so surely they don't have the full 16 numbers?

    Sony needs to clarify the details - if they got away with encrypted data and even partial card details (expiry, start dates and partial numbers) then I'm confident my card is safe. If they got away with unencrypted stuff or any more card details they need to come clean, sod the legal issues they will find themselves in and tell us so we can mop up the mess with our banks ASAP.
    Edited by chibber23 at 27/04/11 @ 15:10
  • RobTheBuilder #53 1 year ago

    Claims that this is over-reacting are ludicrous. This was front page news today, and is one of the biggest customer data security breaches of all time.
  • Architect_z #54 1 year ago

    zzzzzzzzzzzzzzzzzzzzzzzzzzz this is boring now.

    The world isn't going to end because some fool(s) has your details. Just stay calm.
    The banks/police blah blah blah will know what's happened and procedures will be put in place to prevent any serious damage.

    Now everyone just relax.
  • speedjack #55 1 year ago

    It staggers me that some people are leaping to defend Sony despite one of the single biggest internet security breaches in history.

    Rest assured your corporate overlords are grateful for your unquestioning loyalty/stupidity.
    Edited by speedjack at 27/04/11 @ 15:09
  • GreyBeard #56 1 year ago

    @Scoop

    I hear you man, and obviously if you feel seriously concerned about your personal security you should act upon it.
    I'm just a believer that in today's world the whole "precautionary principle" concept (where you act based on worst case projections) is causing more harm than good.

    There's already so much hyperbole and exaggeration going on it's hard to tell the true extent (and consequences) of the damage.

    The funny thing is that theft on this scale is not unprecedented. For example, a quick Google search turned this up:

    http://www.time.com/time/business/article/0,8599,1917345,00.html

    That's 130 million credit cards! And how well known is this case?
  • stevethemeat #57 1 year ago

    The big issue here is, how many people are going to be too scared to buy anything over PSN, or subscribe to PSN+.

    Sony has shot itself in the foot big time.
  • Roarster #58 1 year ago

    @speedjack There's a difference between defending Sony and pointing out the pretty much groundless speculation in this article. No one here knows how this has happened and whether it was avoidable but making assumptions about plain text passwords doesn't really help either.

    I'd certainly rather I didn't have a PSN account just now (especially since I haven't even turned my PS3 on for about a month) but I'm not kidding myself that the same couldn't happen to any of the dozens of other websites/councils/government bodies/etc. that hold my details.
  • scoop #59 1 year ago

    @GreyBeard

    You're right in the sense of too much speculation and not enough facts are being thrown about. The hard part is parsing the important information from the tabloid fluff. The plaintext password claims are way out there, for instance, but the underlying message is going to be important to some (if not everyone).

    That Albert Gonzalez article is pretty crazy; you can see where Hollywood gets its movie scripts.

    As for the fallout and post-mortems to come, well, it should be fairly interesting - they don't call this the entertainment industry for nothing :)
    Edited by scoop at 27/04/11 @ 15:22
  • BOFH_UK #60 1 year ago

    First, thank you DF for starting to put this in some sort of context. Personally I'd love to see a couple more of these articles as further details emerge.

    Secondly, this line is key for me: "PSN security has been breached server-side and all the information the user entrusts to Sony when signing up to the service has been compromised." I really want to know how that happened if, as seems likely at the moment, this is related to custom firmware as a jumping off point for the attack. I've done a tiny bit of client / server development in the past and even for an unimportant little project like those I was working on we were always looking to ensure that compromised clients simply couldn't access anything on the server-side. Granted the level of complexity here is vastly more but then again so are the resources available to build the system properly.

    As far as trust goes... no, sorry Sony but you blew this big time. You're asking us to accept you as a gatekeeper for our digital data but have clearly proven you don't take that responsibility seriously. I've owned every console you've put out (PSP Go excluded) but no more. And yes, fully agree with DF here, the very first thing they need to do in order to start rebuilding that relationship with its customers is full disclosure on what info they're capturing followed very shortly afterwards by a breakdown of what the hell happened and how the hackers got this much data over a 2 day period without being spotted.
  • GamesConnoisseur #61 1 year ago

    ID fraud is just as serious, if not more so, than credit fraud.

    So calm down?? When my personal details are all correct and waiting for criminally inclined people to get creative and work their way down to my details.

    There are lots of bad uses they can be put to, so don't try to tell me that it's all harmless!!
  • marshaal5 #62 1 year ago

    Does anyone know for CERTAIN that they stored passwords in plain text?
    If you want to be 100% safe, buy with cash in a shop.
  • menschenfracht #63 1 year ago

    Hmm. Somehow a tech blog managed to convince its subscribers that Sony used 'plain text storing', giving no technical detail or explanation.
    'I can sense it from their report', oh well.
    Mind you, if I was asked by Sony what to do if the whole password base was compromised, I would strongly recommend changing all the passwords immediately.
    Problems with the passwords are obvious:
    1) The majority of console users are not tech-savvy. They may not know that the best password uses as many alphabets as possible, meaning most passwords would be like dictionary word + date of birth (which is already known). Now, even an iPhone could guess such a password from the hash using nothing more than the locale characteristics of the PS3 and corresponding dictionaries.
    2) Many people would create a PSN account in the first days of PS3 usage. They would not know how to switch to the capital letter alphabet or punctuation, which is even more interesting for somebody who would try and recreate passwords from such a hash. You see, PSN has no recommendations or guidelines on password strength, so any lower-case Latin alphabet 6+ letter dictionary word would do.

    Even if the usual password recovery rate from hashes is 20% or so, under these circumstances it would be much higher (users in a hurry to play the game, not taking password-making seriously, not accustomed to the gamepad input, etc.). I would rather recommend all the users change their passwords immediately.

    edit: formatting error
    Edited by menschenfracht at 27/04/11 @ 15:26
  • scoop #64 1 year ago

    @SteveTheMeat "The big issue here is, how many people are going to be too scared to buy anything over PSN, or subscribe to PSN+."

    I expect sales will be affected in the short term, but generally people have pretty poor long-term memories. More likely, sales of store credit will go up as subs decline, and it'll all balance out again come Christmas.

    Unless Sony's PR department keeps tripping over itself, but now that external agencies are involved they're not going to find it so easy to camouflage information.
  • JahB #65 1 year ago

    I hate people that use bold text to make up for the lack of arguments.

    edit: thx for fixing that one menschenfracht
    Edited by JahB at 27/04/11 @ 15:29
  • Inmediasress #66 1 year ago

    @Architect_z

    I see that you talk shit on other posts about this like everything is fine and whatnot, but have you ever thought about that someone uses your identity for other than just stupid pranks? A credit card can be changed but your identity not so much, at least not with due procedure. You sir strike me as really ignorant.
  • RexRunti #67 1 year ago

    With regards to the comment about Epic knowing if you're using a standard definition TV or not, it makes sense that an online game may need to know what resolution you're running at, so that doesn't concern me. The rumours of Sony harvesting what HDMI devices are connected to your PS3 does (and will get them into even more trouble with the ICO if true).

    Sony need to come clean immediately over how our passwords were stored though; if they weren't stored in plain text Sony should let us know so they don't look like idiots, otherwise they should come clean now so we know how worried we should be.
  • cjs #68 1 year ago

    Greybeard, where do you get "~380gb" for the size of login and credit card information on 77 million customers?

    The relevant data for fraud and identity theft for any one individual customer can easily be stored in a few hundred bytes, giving an uncompressed size of more like 20-30 GB, and on this kind of data you should easily be able to compress it down to a quarter that size.

    As for those complaining about speculation: Sony's the one fueling it by not being open about exactly what's happened. Collecting various sorts of interesting data without telling you (and letting you opt out) is not the kind of thing that trustworthy companies do.
  • menschenfracht #69 1 year ago

    @JahB

    It's just that I'm accustomed to buttons instead of typing HTML tags by hand ))) forgot to close the second one.
  • GamesConnoisseur #70 1 year ago

    One example of possible ID fraud is a loan application being taken out against your name.

    Bailiff turns up 2 years from now and you go ...What?! Me?!

    Not scare mongering but need to realise the magnitude and take steps to minimise this.
  • Walkerj #71 1 year ago

    As soon as PSN is up I am loading in my PSN card I got for Easter and buying stuff. Sure, I'll change my password, but I do that every six months anyway.

    I just want the connection back so my brother and I can play Portal 2 cross platform. This time it was Sony, it could just as easily have been Microsoft. Life goes on.
  • mss99 #72 1 year ago

    Stunned at how many stories Eurogamer has run today on this. Whilst it is a big story I have looked on other news sites and on Playstation sites (not official ones) about this and whilst all the media is reporting it they only run a new story when there is an update.

    Eurogamer just seem to run one speculative piece after another with nothing new in the way of information to offer. As a PS3 owner I am trying to keep myself informed of any developments and can only presume that Eurogamer are sensationalising this for the benefit of click-throughs for advertisers. I find it sad that they don't take a more professional approach, as seen with other sites, to just report the facts as and when they are known.

    Yes, this is a big deal but I find most of the stories are just noise and speculation with little if anything new that is concrete to add. Please refrain from including any more stories until you actually have something new to report.

    In other news, there are actually gaming stories out there that other sites have covered that you seem to have neglected today.
  • dancingrob #73 1 year ago

    One thing I'm intrigued about is how prevalent the common fanboy attitude in the assorted threads that 'Sony isn't at fault here' is in the wider world.

    If there are indeed a great many users prepared to forgive Sony for such a massive data breach, does that mean the PR damage might not be quite as bad as all that?
  • sega #74 1 year ago

    Attention! If one good thing has come from all this it's UK Resistance have updated again!
  • fatchris Verified Senior Developer2, Eurogamer Network #75 1 year ago

    Re: plain text passwords...

    Whilst we can't know for sure until Sony come out and tell us, their blog post last night clearly says that they "believe that an unauthorized person has obtained" PSN passwords (amongst other things). This could be a mistake by the person who wrote the statement, but the reason most people are assuming passwords have been stored as plain text is because, quite simply, that's exactly what Sony have told us.

    If the passwords are hashed then why would Sony tell us that the passwords (and not the password hashes) have been 'obtained'? I would assume they'd jump at the chance to reassure us that it's encrypted.
  • Otis_Inf #76 1 year ago

    I don't know who wrote the blog post but clearly it's not someone who knows what modern OSes do with passwords. Let's look at what Windows does.

    Windows stores passwords encrypted. This is different from hashing. It's encrypting the password so it can be decrypted. The reason for that is that Windows supports policy features which allow rules to be set so 'similar' new passwords are rejected when you have to renew your password. This is impossible when hashing is used, it is possible with encryption/decryption.

    PSN also refused new passwords if they were too similar. This suggests that hashing wasn't used, otherwise this isn't possible to detect: e.g. MD5 hashes w/o salts of similar words are very different, and with salt values even more different.

    So either they stored the passwords encrypted or in plain text. Does it make a difference? No. The reason is that the encryption and decryption is done somewhere, e.g. by the OS / service software. If your system is compromised, the hacker could potentially simply copy all the software on the server and the data. This can lead to the hacker being able to decrypt the encrypted passwords offline on another box. I.o.w.: when you're hacked you don't know if this happened, but in case it did happen, you can only assume the worst: every password is compromised.

    Why did PSN ask for a more different password? Well, it's actually seen as more secure to have a new password which doesn't look like the old one. I.o.w.: it's seen as more secure, yet you have to give up hashing.

    As Sony hasn't given any facts about what it took to break the security, what they had done to prevent hacks etc., it's speculation what might have been the case: how Sony stored data, how the data was separated by firewalls, DMZs, how databases were protected, if auditing etc. was implemented....

    This blog just reads as if someone behind a keyboard cooked up what did happen. While that might give the author a sense of relief, it's not really adding any valuable info to the people whose information might have been compromised by this hack.

    @fatchris: encrypted passwords don't matter: the decryption software is somewhere on the system, the hacker could have copied that, and used it to decrypt passwords offline. They can only assume it happened.
    Edited by Otis_Inf at 27/04/11 @ 15:48
  • Bigglesworth #77 1 year ago

    "...one of the biggest security breaches of the internet age."

    Yup, this is right up there with the hacking of the US DoD and other national security breaches of recent years: the thefts of current military procedures and technology, active troop deployments, undercover operative identities, movements of heads of state, etc. Right up there, this is.
  • Freek #78 1 year ago

    The theft of 75 million users' personal information is indeed up there with the hacking of military networks. There is no exaggeration there, it's very big.
  • menage #79 1 year ago

    While I agree this is all a huge clusterfuck, especially regarding addresses, CC info and such, this bit

    "The bottom line is this: whatever information Sony has tied to our personal accounts – no matter how insignificant – should be divulged if there is even the most remote suspicion that it has been compromised. Any kind of link between different datasets that may have been hacked should also be revealed: if usage patterns are linked to a specific console ID, and PSN accounts are linked to that same console ID, we deserve to be told."

    is just fucking bullshit imo. What the hell do I care about stuff like that. I'm sure MS, Apple, etc. all do it. And it really doesn't affect me in ANY way if a company knows I play 2 hours online a day or watched Batman Begins. The dude in the video store knows as well, should I have him sign a waiver that he should shut up about it to his gf as well? There's such a thing as taking it too far.

    I can see the email now: Dear Customer, we regret to inform you that information about your last rented BR has been compromised. Like anyone would fucking care.

    And do websites divulge this information to their users? Like EG itself? I bet they track everything we do. Would you really go tell us if information about which article I clicked on was compromised? Not a chance in hell.

    I'm sure the writer of this article really would rather be annoyed about having to fill in this 2-page survey saying he approves or disapproves. And have any of us actually read the EULA?
    Edited by menage at 27/04/11 @ 15:56
  • KDR_11k #80 1 year ago

    If the claim is right then this was a case of not keeping up with the security updates available for the server's software. That kind of stuff doesn't require monitoring hackers, the Apache group and Red Hat warn users when important patches appear (plus those systems are capable of auto-updating). Yes, it risks outages to update servers without testing that first but having known vulnerabilities in your servers is very dangerous as many worms and other malware are designed to scan for vulnerable systems and infect them completely without human intervention.
  • BOFH_UK #81 1 year ago

    Huh... could someone check my thinking on this and see if it tracks? Looking at the statement Sony put out about why they didn't notify customers earlier they said:

    "We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach."

    Now that "our" in "our experts" isn't entirely honest, it's an external team not a Sony team. Which leads me to wonder... Does that imply Sony DOESN'T have an in-house security team? Or at the very least a permanent contract with an external group? If that's the case it might explain why we've been hearing so many tales of poor practice on the PSN and Playstation hardware over the last few months...
  • CaLeDee #82 1 year ago

    They have all my information in a text file along with 70 million others. I couldn't care less.
  • GreyBeard #83 1 year ago

    @cjs

    It was an estimate I ran across somewhere, no idea how accurate it is because I have no idea exactly what was databased or how it was compressed. There's obviously a big question of how much access the hackers had - did they have the opportunity to dump the database files or just access it at will?

    Thing is, right now no one seems to know (or at least to be telling) how the hack was achieved. I've read a variety of possible scenarios, from a straight external hack, through using Rebug to get a toehold in SP-INT and tunnelling from there, to an individual admin being targeted with a custom trojan...

    If we knew how the hack was achieved we could fairly place the blame, and have a better idea what sort of crew/individual perpetrated it. But as we don't... I think it's too early to say for sure exactly what's going on.

    Besides, it's the net... who the hell really knows what's real and what's BS half the time...
  • CloisterBlack #84 1 year ago

    @Spekkeh even if they do, you do not actually bind your operating system with anything that represents your real ID, so even so the info collected is pretty much anonymous.
    On the other hand on the PS3 things weren't quite like this.

    On a side note, I bet you that the second episode of Southpark next week will have something to do with this ;)
  • Bulbatron #85 1 year ago

    Does this security breach just relate to details used on the PlayStation 3 itself, or is information used on the PlayStation website also at risk? I only ask because I created a PlayStation account on the website - intending to get a PlayStation 3 at some point in the future. My PlayStation 2 is already registered there.

    So, is this info also at risk?
  • Redsonny #86 1 year ago

    Years ago cars used to get stolen on a regular basis. A small percentage were taken by 'joyriders' who wanted to show off and get a 'buzz'. But the majority of cars were stolen by criminal enterprises where the car ended up in a 'chop shop'. The cars would never be used again and would be broken up and the parts sold for a huge profit. Thankfully car manufacturers have improved their security to where this practice is practically impossible, on a large scale, due to identification microchips and other security improvements.

    Some people on here are asking is it the fault of Sony or the hackers? We know some hackers are probably little spotty teenagers (the joyriders) in their basements showing off, but don't be fooled into thinking this is the rule, it's the exception. Accurate personal information is now a commodity and is passed on to criminals who are experts at utilizing this information for profit, so the majority of hackers are not spotty teenagers but people who are actively part of criminal organisations.

    So yes you can blame the hackers but that would be a bit naive considering criminals have existed since year one. Would you go out of your house and leave the door open? Of course you wouldn't, you would take the precaution of locking your door. I would like to know why Sony has left the keys to my car in the ignition with the window down? Because what has happened here is exactly the same thing, and it's a warning to all to be more aware of who and what organisations hold our valuable data and if we should give it out at all.
  • marshaal5 #87 1 year ago

    Just typed my name and the city where I live into Google and in less than 10 seconds it helpfully gave me my address and, also very helpfully, the name of the other person who lives there.
    Try it yourselves.
  • fatchris Verified Senior Developer2, Eurogamer Network #88 1 year ago

    @Otis_Inf: I'm just concentrating on exactly what Sony has said. I feel people are right to assume that passwords (and not hashed or encrypted passwords) have been obtained if that's what Sony has said. Sony hasn't made it clear though.

    If the passwords were encrypted, like you say, along with the decryption software, then they might as well have been plain text. Right? :)
  • GreyBeard #89 1 year ago

    @BOFH_UK

    Isn't it possible that bringing in an external security auditor is likely a legal step? I mean in a situation where you have a critical breach of security your own staff members are bound to be highly suspect given their knowledge and level of permitted access.

    Objectively this is a major crime, so Sony personnel are going to be interviewed by the authorities anyway just to rule them out of involvement.
  • carlosdfn #90 1 year ago

    EPIC FAIL SONY.
    What a fiasco.
  • bad09 #91 1 year ago

    @Captain_IronFist

    2 questions

    1. Are you really trying to compare RROD (a technical fault with a machine, which MS suffered a class action suit for, set aside over a billion dollars to deal with, fixed any machine that got it for FREE and revised the hardware) with one of the biggest security breaches in the history of the net, with 70+ million people's personal details and possibly credit/debit card details hijacked, which could lead to fraud and identity theft?

    2. Can I have some of what you are smoking?
  • mss99 #92 1 year ago

    So in my last post I got negged for saying Eurogamer is posting too many stories without any merit and that I would like them to stop until they have news to report. Since then they have added the story "(Opinion PS3) PSN: The PR Disaster"

    If you look at the stories that have been run since the original breach was reported last night in "PSN users' personal details compromised", there have been no less than 7 new stories posted today of which less than half contained new information. Just look at the main page and count them you have:

    (Opinion PS3) PSN: The PR Disaster
    (Opinion PS3) PSN: The Security Scandal
    Sony Data Protection breach "probable"
    ICO confirms it will quiz Sony over PSN
    Sony: Gamers' Voice demands answers
    Sony defends PSN theft reveal timing
    What PSN identity theft means for you
    PSN users' personal details compromised

    Neg me if you want but it doesn't stop the fact that this site is milking the hype whilst many other sites are just updating when new facts are released.
  • Vortex3D #93 1 year ago

    There are credit cards that can generate unique numbers for either single merchant or one time use only. I use it all the time on online stores. Never trust giving my real credit card to any online store.

    Pre-paid credit cards usually have a fee unless your bank provides a free one.

    Or, buy PSN points card which is the safest.
  • Roarster #94 1 year ago

    @fatchris - For me the difference would be:

    plain text: hacker has immediate access to 77 million passwords.
    hashed: hacker can brute force the weak passwords that are susceptible to a dictionary attack. It'll take a while but I'd guess they'll still get a lot of passwords.
    salted: assuming they also have the salts the hacker may be able to slowly brute force a small number of weak passwords but it's going to be slow and it'll be a lot less than 77 million passwords.

    Either way, I expect Sony have to announce that your password may have been obtained because encrypted or not there's still the possibility a hacker can get your password. However, I'd say there's a massive difference between the consequences of encrypted passwords and plain text which is why I don't think it's wise to just assume they're in plain text.
  • Ryze #95 1 year ago

    @GreyBeard

    If the passwords have been compromised, then they were stored as plain text.

    Sony told us yesterday that the passwords have been compromised.

    All 12 Sony fanboys in this thread can now click on the '-' button. Stay blind and stupid, sheep.

    Sony can't 'do' networked software and services.
  • Dismiss #96 1 year ago

    Bloody heck. On the 19th, just before leaving for a short vacation, I decided to get a PSN Plus subscription for the game discounts (really wanted Clash of Heroes, Stacking and the upcoming Journey). I'm sorry, people.
  • Haunted_Tree #97 1 year ago

    Sony should have been on red alert following the Geohot case - that they only acted after the attack, had to call in external specialists to help and could barely communicate to their customers shows the arrogance of major corporations to web security.

    The damage has been done - admittedly more perceived than real - and hopefully they (and the consumer) will learn from it.

    Edited by Haunted_Tree at 27/04/11 @ 16:39
  • IronGiant #98 1 year ago

    Anyone got an iPhone? A few I hear, why not ask Apple why they store a history of your whereabouts on your phone. Bet there's a few million husbands out there that wouldn't like that info accessible ;) My point being plenty of other information about us is being captured by other huge companies; if Sony do know what Blu-rays I've watched I really don't care.
  • fatchris Verified Senior Developer2, Eurogamer Network #99 1 year ago

    @Roarster: I agree with what you've said, except that you'd hope Sony would have said if the passwords were hashed/encrypted. If I told you I have your password, you'd assume I meant your actual password and not in encrypted form, right? As you've said, there's a big difference and as such, you'd expect Sony to be clear about which it is.
  • bad09 #100 1 year ago

    @IronGiant

    Funnily enough I was told that just a few days ago. I was shocked, thankfully I don't own an iPhone and now I never will.
  • scoop #101 1 year ago

    @IronGiant: "Anyone got an iPhone? ..."

    Without doubt we're more and more trusting (or blind) to what we subscribe to with technology, but at the end of the day the important thing is where the information resides.

    It's one thing to hack someone's phone, or plant a trojan to get historic phone data. It's something else entirely to have a massive, largely verifiable, database of munchkins just waiting to be marked today, or tomorrow, or next week, or next year...

    You'll probably have another phone in 12 months time, and maybe a new computer. But you'll still be the same person, with the same date of birth, same mother or first pet or first school, and even if you've moved it's fairly trivial to get your new address with a previous address in hand.

    In that respect, be more worried about iTunes than your GPS record...

    If I was the boss of a crime syndicate, and someone told me I could have the details of 70 million potential 'marks', I'd probably kill for it (no semantics necessary).
  • scoop #102 1 year ago

    @sven_vath: "this article makes it sound like it's the balkan mafia doing the hacking, it is most likely anonymous-type dweebs fucking around because they can."

    I heard they're based out of Stains
    Edited by scoop at 27/04/11 @ 17:06
  • Machetazo #103 1 year ago

    I want Sony to act responsibly, to divulge the full extent of the effect, as soon as it becomes clear. Really, I expect that to happen, and I don't think it's unreasonable. The timeframe is on Sony, for that, but their communication seriously needs improving.
  • man.the.king #104 1 year ago

    @scoop

    "Hacker is not to blame. Sony ARE to blame. It's their system, they had a duty to protect, anonymize and hide your data. "

    Yes - and AFAIK, Sony were trying their best to do that, until Geohot blew open the PS3 into something as wide as a standard computer, with all the wanted and unwanted freedom that entails. I'm going to go out on a limb here and say that Geohot's Internet-wide posting of the PS3 encryption hack contributed in some way to the creation of the particular CFW that enabled this hack.

    If I recall correctly, many of the people that are currently criticizing Sony for not successfully securing all user data were the SAME ones - e.g. Shikasama - that were commending Geohot on the PS3 hack and criticizing Sony for trying to keep their "closed system" closed. They were the very same ones that were standing up for hackers' rights to hack into the PS3.

    And look where THAT got us.
  • chessboxer #105 1 year ago

    Regarding the encrypted/plain text/hash comments, with the Gawker hacking issue last year, wasn't their stored information hashed, yet it appeared the following day on sites like The Pirate Bay?

    *edit - my slleping was bad*
    Edited by chessboxer at 27/04/11 @ 18:11
  • Miths #106 1 year ago

    "just your name and address can be enough for a skilled fraudster"

    What kind of security measures are being taken to keep phone books out of the hands of would be identity thieves?
  • Rigu7 #107 1 year ago

    Again, I find this bordering on scaremongering: "but just your name and address can be enough for a skilled fraudster".

    Let's just hope postmen, delivery drivers, newsagents, anybody you've ever bought an ebay item from and many more aren't skilled fraudsters because they have access to those two pieces of data all the time. There's only so much an individual can do to stop his name and address from being in the public domain whilst still leading a normal adult life.

  • MaxiSleep #108 1 year ago

    The issue is that there is now a large sample of every developed country's personal information in one nice big package. Adding an email address and password info greatly increases the risk of compromise. If you can't work out why, think harder...
  • Kaminari #110 1 year ago

    @Roarster

    "All we have is articles like this guessing at the worst case."

    I get your point, but a few days ago the 'worst case' scenario was a childish DDoS attack and Sony working on an extended "maintenance". They waited a full week before admitting the theft and getting themselves into a PR disaster. Should I recall that Sony claimed the PS3 was uncrackable, until it was found that the 'randomly encrypted' master key was unencrypted?

    The discussion on Ars about PSN's security was indeed hotly debated, but the point about the passwords being stored in clear instead of as hashes was informed and documented. At any rate and at this time, Sony has proved one thing for certain: this company cannot be trusted anymore.
  • joelstinton #111 1 year ago

    Captain Ironfist - ... I got a bigger shovel here if you want it... heck I could get you a digger if you want one? Eurogamer at the moment is the most fair and balanced website going, with a pretty loyal readership. If you searched for the RROD you would find a host of new stories, and probably a few DF articles to go with it...

    No way have EG articles smeared Sony; sure there have been a host of articles, but they are all written from a factual basis. They have published two opinion pieces, which are written to provoke discussion. The sensationalism has mainly come from fanboys on either side who can't help but revel in other people's misery.
  • butler` #112 1 year ago

    can't protect their console, never mind their network

    zzzz sony
  • Murton #113 1 year ago

    "Sony told us yesterday that the passwords have been compromised."

    Encrypted, hashed or plain text, if they've been downloaded then Sony have to describe them as having been compromised because they no longer have sole ownership of the data. If they said everything was fine and then it turned out that it wasn't, that's a major legal issue; if they say compromised and it later turns out that it's fine, that's a relief.

    And to the people comparing this to RROD: completely invalid comparison. MS knew prior to launch that the manufacturing was sub-standard and the failure rate would be high, as revealed during the class action cases in the US, and it cost them millions of dollars to put right. This situation is the result of criminal activity against Sony and Sony not having adequate measures to counter that threat despite knowing it was a possibility. One was negligent, the other complacent, totally different situations.
  • bad09 #114 1 year ago

    @Captain_IronFist

    You have the cheek to call me a fucking idiot after that post? LOL!

    Seriously are you another sock for one of the nutters on here? Get a grip, take off the tin foil hat and please stop trying to compare RROD with this security breach as you don't do yourself any favours looking like a complete twat to be honest

    Anyway, ignoring the nutter, something lighthearted: Hitler has heard about the hack now peeps! :)

    http://www.youtube.com/watch?v=8FKkWo8KrKc
  • evnewell #115 1 year ago

    So, we are assuming that this hack has something to do with Anonymous, right? They warned of exactly this type of thing - in magnitude at least. Clever what they have done, really. The first attack enraged the consumers towards the hackers. This attack has strategically made the consumers target Sony... and maybe rightly so.

    Final thought: they say that all media will be download only in the near future. How many people are going off line with their consoles because of this? If you can't set up trust between provider and consumer, digital downloads will not become ubiquitous.
  • funkateer #116 1 year ago

    Regarding the thing about PS3s 'phoning home' with personal usage data, can anyone confirm that the EULA of PSN says that you allow them to store this data linked to your account?
    I'm pretty sure that this practice is illegal, at least without the end-user's consent.
  • Murton #117 1 year ago

    "I'm pretty sure that this practice is illegal, at least without the end-user's consent."

    It's illegal if you share with third parties, the BT "phorm" case set the precedent. If you keep it within your own company or group and put it in your EULA then it's legal.
  • scoop #118 1 year ago

    @man.the.king I'm going to go out on a limb here and say that Geohot's Internet-wide posting of the PS3 encryption hack contributed in some way to the creation of the particular CFW that enabled this hack.

    Unless Sony are using banks of PS3s as servers, I don't see there's much of a connection. At best there could be a tenuous link between Anonymous's actions and the timing of the hack - perhaps Anon provided a distraction or openly discussed a vital vulnerability, but the fact is if security is poor, security is poor.

    As Rob Fahey puts it over at gamesindustry.biz:
    Consumers don't have a relationship, trusting or otherwise, with hackers. They have a relationship with Sony, and that relationship is predicated on Sony's assurance that it is a competent and responsible holder of personal data.

    In other words, yes the hackers should be clamped in irons, but ultimately Sony are responsible for letting it happen.

    Check out some of the IT blogs, there are plenty of posts by people acquainted with Sony's back-end systems, and there have been many warnings over the past few months about their servers being unpatched and open to compromise - and they all point the blame firmly at Sony for not acting sooner, or fast enough.

    As it stands, Sony tell us they're rebuilding their network from scratch and are trying to get it finished and online as fast as possible. Let's just hope they not only do it properly this time, but they don't make a hash of it by rushing, and leave more holes yet again...

    Edited by scoop at 27/04/11 @ 19:21
  • funkateer #119 1 year ago

    @man.the.king

    It seems you're mixing up the PS3's internal security and PSN's security. I doubt that the intrusion was done using PS3s with Geohot's firmware or using the PS3's encryption key.
    He still needs a firm slap in the face though.
  • DrStrangelove #120 1 year ago

    I have the impression that the more responsibility people have, the dumber they are. Be it BP, be it the operator of a nuclear power plant, be it NASA Space Shuttle guys, be it the programmers of Windows, they all seem to have no clue what the fuck they're doing. Governments, notably British ones, also tend to fail horribly at everything they do. Sony seems to join this list in a very prominent place now.

    I'm not sure if this is amusing or depressing.
  • man.the.king #121 1 year ago

    @funkateer

    You are probably right - I'm no security expert. For all I know, Sony could have archived my data onto punch cards and placed it in wooden shacks having open windows with silk curtains as protection :)

    However, what I'm trying to get at is that the PS3 as Sony intended was a closed system, and the ability of a closed system to hack into the PSN network is, at best, limited to the avenues Sony provides to access the network. I'm speculating that the public posting of the key enabled, in some way, to get at much greater functionality within the PS3 than earlier possible, functionality that - I don't know, but am guessing - may be used to make it easier to burrow into the PSN Server. That would explain why Sony went so strongly after Geohot - because he made public knowledge that would make it easier for unscrupulous members of his community to hack into the PSN in the way it has been presently hacked.

    It still means that PSN was probably not as strong as it could have been, but, -- if my assumption is correct -- Geohot's egotistical "contribution" made it easier for someone using a PS3 (a machine which the PSN already trusted to some degree, imo) to violate the PSN.

    That's my take on it, but who knows. I'm most probably completely wrong. After all, I know as much about network security as Bush Jr would know about the Thesaurus, the Encyclopedia Britannica and World History.
    Edited by man.the.king at 27/04/11 @ 21:53
  • elvis_vibrator #122 1 year ago

    "It only does everything" was more literal than we could've known.
  • Spekingur #123 1 year ago

    Punch-cards would probably have been more secure.

    I think Sony have gone all backwards this current gen - it has been easier to hack their servers than to code games for the PS3. It should be the other way around!
  • EMarkM #124 1 year ago

    @scoop

    "Let's just hope they not only do it properly this time, but they don't make a hash of it by rushing, and leave more holes yet again..."

    It seems to me that making a hash of everything would be ideal under these circumstances...

    Heh.
  • toa_boa #125 1 year ago

    "In the wake of this fiasco, trust needs to be rebuilt between Sony and the customer – but from a personal perspective, that trust has now been lost. All personal information will be stripped from my PSN and XBL accounts (technically putting me in breach of their terms of service), and I'll be using pre-paid cards only."

    Agreed, 100%.
  • Classique #126 1 year ago

    "In short, there is no actual need whatsoever for your password to be stored server-side at all." - Erm, so how are Sony supposed to check that the password you've supplied to log on with is your actual password?

    Think about it.
  • paintsville #127 1 year ago

    Wow, what a sham of a Network! 75 million accounts' personal information now just out on the web for all to see. LOL. Xbox Live all the way. Geez, as if the PS3 didn't suck enough as it is. PS3... It only does giving your information to hackers and playing offline.
  • m0thr4 #128 1 year ago

    @Classique "In short, there is no actual need whatsoever for your password to be stored server-side at all." - Erm, so how are Sony supposed to check that the password you've supplied to log on with is your actual password?

    Think about it.

    I don't need to "think about it"... I can simply read the article, which says:

    "Your chosen password is hashed when it's first transmitted, and only this checksum is stored. When you enter your login, the password is hashed again and compared to what is on the system – if we have a match, you are granted access."
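    The hash-and-compare login the article describes, as an added example that is not from the article or any commenter: the server keeps only a random salt and a PBKDF2 hash of the password, never the password itself, and checks a login attempt by recomputing the hash. User names and passwords below are constructed.

```python
# Added example, not Sony's or the article's code. Shows why a server can verify a
# password without storing it: only a salt and a derived hash are kept.
import hashlib
import hmac
import os
from typing import Dict, Optional

# Iteration count slows offline brute force against a stolen credential table.
PBKDF2_ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Registration: derive a salted hash and keep only salt + hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: Dict[str, str], attempt: str) -> bool:
    """Login: hash the supplied password with the stored salt and compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed credential store: what an attacker would get from a server dump.
USERS: Dict[str, Dict[str, str]] = {
    "alice": make_record("correct horse battery"),
    "bob": make_record("correct horse battery"),  # same password, different salt
}


def login(username: str, attempt: str) -> bool:
    """Server-side check; returns False for unknown users without leaking which."""
    record = USERS.get(username)
    return record is not None and verify(record, attempt)


if __name__ == "__main__":
    print("alice ok:", login("alice", "correct horse battery"))   # True
    print("alice bad:", login("alice", "correct horse batteries"))  # False
    # Same password, yet the stored hashes differ because the salts differ.
    print("hashes differ:", USERS["alice"]["hash"] != USERS["bob"]["hash"])
```

    Because the salts differ, two users with the same password produce different stored hashes, so a leaked table cannot be cracked with one precomputed lookup.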
