Sony Shitshow

[Nappi]

All we know is that:

A) Sony says they were hacked.

PSN is down.

C) Sony says there is a chance the hacker has your info.

They are saying they believe the hacker has your info, which, I'm sure, translates to "the hacker has your info."

You are only defending how this is a PR disaster and not how this is not a security one. The fact that they find themselves in a situation where they believe that someone has your personal info (including email and password) and think it's possible credit card details have been stolen as well alone makes this a huge security disaster.

It's completely reasonable to expect huge powerful companies that ask for my information to be able to protect it. I had that expectation and had to have my card cancelled this morning. Then I have to change all of my passwords anywhere, since I can't remember which password I had for PSN and where else I used it. And maybe then move or something because they know my address :X It's fucking atrocious and shouldn't have happened.

Agreed, 100%.

[thorn]

It's completely reasonable to expect huge powerful companies that ask for my information to be able to protect it. I had that expectation and had to have my card cancelled this morning. Then I have to change all of my passwords anywhere, since I can't remember which password I had for PSN and where else I used it. And maybe then move or something because they know my address :X It's fucking atrocious and shouldn't have happened.

Of course that's true. But it's impossible to build a completely unhackable system. Any system on the internet - any system - can be hacked, with enough skill and resources.

You just have to expect a company to build a system that's secure against 99.9999% of hackers in the world and hope that the 0.0001% of hackers don't turn their attention that way. Note: Your expectation of the number of '9' decimal places may differ from mine, but it doesn't change the point that there's no such thing as an unhackable system.

For the record, people are probably overthinking things when discussing admin accounts or whether 77 million accounts were individually hacked. Probably they got server access and simply downloaded a copy of the database.

[brkl]

And that database apparently had passwords and credit card information in unencrypted form. Sony failed to make their system safe enough.

[Laxan]

It seems 2 of the major issues that allowed this to happen were Sony not dividing the Admin/User networks. Unlike Microsoft, which seperates these two completely, Sony gives Admins the ability to sign in to the one network with faulty information. It's theorised that if someone could trick the system into thinking they were an admin, they could give fake credit card information (which PSN would accept, as it thinks they were an admin) and thus, infinite virtual PSN dollars.

Also, STORING PASSWORDS IN PLAINTEXT. Goddamn Sony. Seriously? 70 million passwords and sets of personal data and you don't even encrypt that shit? They'd been warned countless times that their security was awful, and I guess we're paying the price for it.

[Drath]

*EDIT* Wrote this before seeing above 2 posts. Where is it being reported that the passwords and CC were stored as plain text?

Coming from a tech perspective here:

• Your password is encrypted (why wouldn't it be?)
  
• Your CC is encrypted (legally has to be, there's standards for this)
  
• Your security key (for Visa) users is not allowed to be stored on Sony's end (legally can't be), so that is safe - the reason you don't have to enter this each time is because Sony talks (not literally) with the CC company to allow direct transactions.
  

That being said, if they can crack your password somehow, if for some reason they are using a terrible encryption, which again, there's no reason for them to be, they can make purchases on your account. They can't steal your CC

Unless of course the hackers got access to the encryption methods and their "salt" and are reverse engineering everybody's passwords and CC numbers via their own method. I doubt this scenario, but again, would be nice to hear something solid from Sony themselves.

[Laxan]

*EDIT* Wrote this before seeing above 2 posts. Where is it being reported that the passwords and CC were stored as plain text?

Coming from a tech perspective here:

• Your password is encrypted (why wouldn't it be?)
  
• Your CC is encrypted (legally has to be, there's standards for this)
  
• Your security key (for Visa) users is not allowed to be stored on Sony's end (legally can't be), so that is safe - the reason you don't have to enter this each time is because Sony talks (not literally) with the CC company to allow direct transactions.
  

That being said, if they can crack your password somehow, if for some reason they are using a terrible encryption, which again, there's no reason for them to be, they can make purchases on your account. They can't steal your CC

Unless of course the hackers got access to the encryption methods and their "salt" and are reverse engineering everybody's passwords and CC numbers via their own method. I doubt this scenario, but again, would be nice to hear something solid from Sony themselves.

Ah, it seems I have been misinformed. Thanks!

*EDIT* Hmm, can't recall, but it was probably a kotaku-or-something-similar-esque site. It seemed improbable, but I guess I wouldn't put it past Sony to do something like that.

[Tanukitsune]

*EDIT* Wrote this before seeing above 2 posts. Where is it being reported that the passwords and CC were stored as plain text?

Coming from a tech perspective here:

• Your password is encrypted (why wouldn't it be?)
  
• Your CC is encrypted (legally has to be, there's standards for this)
  
• Your security key (for Visa) users is not allowed to be stored on Sony's end (legally can't be), so that is safe - the reason you don't have to enter this each time is because Sony talks (not literally) with the CC company to allow direct transactions.
  

That being said, if they can crack your password somehow, if for some reason they are using a terrible encryption, which again, there's no reason for them to be, they can make purchases on your account. They can't steal your CC

Unless of course the hackers got access to the encryption methods and their "salt" and are reverse engineering everybody's passwords and CC numbers via their own method. I doubt this scenario, but again, would be nice to hear something solid from Sony themselves.

Didn't someone say it's illegal in their country to have their credit card info without any decryption?

Sony's PR isn't making us feel any better, the only update they have is this, in which they insist the people they hired to investigate the incident didn't tell them what happened until the day before yesterday.

Ugh, why won't they tell us what this alleged company knows already? At this rate, even I'm going to start to worry!

[Lu]

• Your CC is encrypted (legally has to be, there's standards for this)
  
• Your security key (for Visa) users is not allowed to be stored on Sony's end (legally can't be), so that is safe - the reason you don't have to enter this each time is because Sony talks (not literally) with the CC company to allow direct transactions.
  

So would you say that this is fake? Could be, I don't know. Haven't been following it a whole lot.

<user2> cuz its way too easy todo scamming at this point

<user2> for example:

<user2> creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20

<user2> sent as plaintext

[baconian]

Unless of course the hackers got access to the encryption methods and their "salt" and are reverse engineering everybody's passwords and CC numbers via their own method. I doubt this scenario, but again, would be nice to hear something solid from Sony themselves.

I think this is what happened.

I watched a video of a hackers conference couple of weeks ago where they went into the work that geohotz and his mates had done, and the key is that Sony mis-implemented the elliptic curve crypto algorithm in the PS3 in such a way as to make it a lot more crackable than it should be.

There is still such a thing as (effectively) uncrackable encryption, it's just that Sony fucked it up.

I didn't think they'd make the same mistake on the admin servers, but obviously that seems to be what they did. Sony just don't seem to have the software end of things nailed in the same way microsoft do (excluding team ICO and certain games studios...), I suppose it makes sense given their background in hardware.

Anyhow, yeah, new credit card ordered ...

[Drath]

So would you say that this is fake? Could be, I don't know. Haven't been following it a whole lot.

It's hard to say. I shouldn't have been so sure either with my statements, my statements implied Sony was complying, legally speaking. According to this log and conversation, they weren't. If CC information is being past like is shown in the conversation, not only are PSN users screwed, but technically, everybody would have the right to sue Sony, every single person that gave them CC information. You are not allowed to store (or pass) unencrypted CC information, it's illegal in all developed countries.

[elmuerte]

Sorry, but this is Sony. They have proven multiple times that the only thing they care about is your money becoming their money. I say, let them burn hard for this.

The fact that they say that my password might be known to the hackers speaks volumes. It pretty much implied that my password is stored in a reversible way or even plain text in their system. Otherwise they would have said that passwords might be compromised because the hashed values were exposed.

[Hermie]

Just read on a Norwegian news site about a guy who had eleven mysterious withdrawals from PSN, with five more queued:

Not good. I'm glad I didn't get a chance to buy anything with my PS3 yet.

Also: Remember how everyone is always bitching about how Nintendo requires you to type your entiiiiiire credit card number each time you want some WiiWares?

[Sully907]

I also think it's an over reaction in any case to flat out cancel your credit cards because of this. Not only is it unlikely the hacker got the CC numbers, but even if they did, you could check your account electronically and be on the watch for fraudulent charges. The only thing cancelling your card is going to do is hurt your credit rating

[toblix]

First of all, it seems very unlikely that the hackers would charge money through Sony.

Also, this would probably be a good time for someone to explain the concept of "credit rating" to me. I hear US-Americans speak about it from time to time, but I don't really understand it. What is it, and how does cancelling a credit card affect it?

[subbes]

By "cancel" they mean "tell the CC company their card number was compromised in a website breach and ask for a new card with a new number."

(Similar to what I got to do last week when someone used my CC number to PayPal a Russian dude $498.)

Getting your card re-issued due to fraud should not affect your credit rating since it doesn't indicate a change in your credit line. Canceling your account WOULD affect your rating, as it would reduce your available credit pool (changing your utilized:available credit ratio) and your credit-account-history thing.

If you're canceling credit card accounts over this and you're in the USA, that's silly. Call and tell them your number was exposed/stolen in a hack and you need a new card number, instead.

Edited April 27, 2011 by subbes
Wibble.

[Tanukitsune]

Just read on a Norwegian news site about a guy who had eleven mysterious withdrawals from PSN, with five more queued:

Not good. I'm glad I didn't get a chance to buy anything with my PS3 yet.

Also: Remember how everyone is always bitching about how Nintendo requires you to type your entiiiiiire credit card number each time you want some WiiWares?

I'm calling shenanigans, PSN is down as of now, how could anybody make any purchases on PSN?

[subbes]

First of all, it seems very unlikely that the hackers would charge money through Sony.

Also, this would probably be a good time for someone to explain the concept of "credit rating" to me. I hear US-Americans speak about it from time to time, but I don't really understand it. What is it, and how does cancelling a credit card affect it?

That's going to be a long explanation!

Basically, it's a calculated rating that tells a credit issuer how likely you are to pay back money you borrow from them. It is calculated off all sorts of metrics like your current debt load, how much of your available credit (your credit card or overdraft limit) you have used, how many times you have made late payments or defaulted on payments, how long you have had "revolving" credit lines (that means a credit or charge card, the longer you have had one or more with a good payment history the better, as it shows you're responsible), whether you've recently applied for credit, plus a bunch of other things.

[Scrobbs]

I'd be very surprised if Sony stored passwords in plaintext on their db. Oracle used to set it like that as default iirc, but these days it's set encrypted out of the box I think (assuming they use Oracle. Everyone else seems to these days for enterprise applications). You don't have to crack the passwords - you just need to compare the encrypted format against an encrypted wordlist to see which ones match. This explains why passwords made of dictionary words are very weak.

It is *extremely* unlikely that the passwords would be able to be decrypted, even if the salt had been exposed.

As an aside, I had an email from Credit Expert (a subscription I pay monthly for from Experian) to say there was unusual activity going on with my accounts. Co-incidence? Turned out it was. It was nothing to do with it. Which is nice. I'm not cancelling my card as yet, as it's a pain - it would be nice, however, for Sony to tell us exactly what was downloaded and what wasn't. There's the obvious PR reason, as in, "Oh fuck, how do we spin this?" or there's the possibility that the forensic company that they've called in hasn't finished their investigation. I imagine it's quite a big job, and a flurry of activity from 'named' company calling in as many guys as it could for an all out push on the disks. Imagine it's a herculean task to complete WITHOUT the insane pressure.

[Tanukitsune]

Argh, even the local news are talking about it, and now I'm seeing several stories about being suing Sony and annalists are saying Sony is likely to lose billions and Sony... still won't make a statement?

I don't know what the hell is going on there, but it looks like Sony is so screwed compared to anybody else involved...

If worse comes to worse, I just hope the "Sony exclusive" indie companies are able to survive this, because while Sony might be crippled terribly by this PSN disaster, the people behind the Pixel Junk series, Mod Nation and others are going to be in serious trouble. Not to mentions all those niche game developers from Japan who sell their games on PSN, they are probably screwed too.

While I'm not in the "DEATH TO SONY" bandwagon, I certainly hate whoever is in charge of keeping us informed, that is, if they haven't fired him, her or them for not doing anything to calm or inform the public and let their image get torn to pieces within hours.

[Hermie]

If there's anyone who's bummed about this, it's Zipper Interactive, developer of the SOCOM that came out buried under Portal Kombat last week, and is now completely unplayable for everyone who actually bought it.

[Sno]

If there's anyone who's bummed about this, it's Zipper Interactive, developer of the SOCOM that came out buried under Portal Kombat last week, and is now completely unplayable for everyone who actually bought it.

Seriously though, this has to have been timed to coincide with those releases.

It was one of the biggest weeks for the PS3 in a long time, with two PS3-favoring versions of huge, incredibly successful games, and a proper sequel to one of Sony's old standbys being developed its original creators.

[tabacco]

More of a concern to me than credit card numbers, which are easily canceled and monitored, are the rest of the personal details. Name, address, and birthdate are a big part of what you need for identity theft. It's easy to watch for bogus charges on your credit card, but less easy to monitor (and much worse in the long term) is whether someone is applying for credit in your name.

One step to take if you're worried is to place an initial fraud alert on your credit report:

https://www.experian.com/fraud/

It's basically just a note on your credit report asking creditors to call you for verification before issuing credit. You only have to ask one of the three credit agencies to make it happen, and it lasts for 90 days and doesn't affect your credit score. Experian (one of the agencies) has a pretty easy online process and will give you a copy of your credit report at the end.

[Lu]

Seriously though, this has to have been timed to coincide with those releases.

It was one of the biggest weeks for the PS3 in a long time, with two PS3-favoring versions of huge, incredibly successful games, and a proper sequel to one of Sony's old standbys being developed its original creators.

[Sno]

well i'm just saying that it was guaranteed to be an important high-traffic period for PSN.

[Squid Division]

Via Shacknews

Confirmation that all credit card numbers were stored in an encrypted format and that there is no evidence that data was taken.

Admission that personal data maintained in a separate data table was not encrypted.

Recommendation that if you use the same username and password elsewhere that those passwords be changed.

For those trying to figure out which card was on their account, the first four and last four digits of the card number would be on a confirmation email from [email protected] if you used it to fund your online wallet.

A new system software update will rollout with the restoration of the PlayStation Network requiring all users to change their password.

Sony is working with law enforcement personnel and proceeding aggressively to find those responsible, wherever they may be around the world.