
Anonymous hackers detail PSN privacy concerns (when using CFW)

Status
Not open for further replies.

MThanded

I Was There! Official L Receiver 2/12/2016
androvsky said:
Nobody with cfw is connecting to PSN to buy anything anyway, so I might as well quote this again just for the hell of it. :)
Doubtful. Even then you are running some unauthed code and it could still manually open a connection and send your info out. Same issue with custom firmware on iPhone or Android. I could easily write code that farms your info locally and pipes it out. When you install custom firmware you are essentially trusting that code with your local information. It is almost as bad as someone watching you type every key on a keyboard or having direct hardware access to your computer at all times.
 

gofreak

GAF's Bob Woodward
They say it's stored in plaintext, but it is a shame they don't elaborate on that.

I would have assumed your CC info would be sent once to their servers when you add your CC info, and they then store it on their end (?) How would they know how it's stored on the other side?

Also if they're using SSL it's not entirely correct to say they transmit them 'in the clear', the SSL holes mentioned notwithstanding. They are encrypting them, but the PDF calls for encryption upon encryption. And given the...err..tone of the PDF, even if Sony did encrypt this info again people could probably claim it's not 100% secure anyway - given that we've seen apparently impenetrable encryption fail before.

edit - beaten anyway on that.
 

Archaix

Drunky McMurder
MThanded said:
this thread title is incorrect!!!
this thread title is incorrect!!!
this thread title is incorrect!!!




They still use https to transmit the data. The issue is if you have a CFW you can be snooped and your info can be stolen. Unless someone man in the middles your https handshake you are fine. Someone should fix the title.


Well, yeah, but aside from the security they're using, Sony isn't using any security at all! PANIC GO!
 

Rolf NB

Member
"SONY is only relying on its https connection. With all those CFWs spreading around, this is not secure anymore."


So basically, if I don't do CFW, and I don't, this doesn't affect me. Good to know.
 
MThanded said:
this thread title is incorrect!!!
this thread title is incorrect!!!
this thread title is incorrect!!!




They still use https to transmit the data. The issue is if you have a CFW you can be snooped and your info can be stolen. Unless someone man in the middles your https handshake you are fine. Someone should fix the title.
By Grabthar's Hammer, you shall be quoted.
 
MThanded said:
this thread title is incorrect!!!
this thread title is incorrect!!!
this thread title is incorrect!!!




They still use https to transmit the data. The issue is if you have a CFW you can be snooped and your info can be stolen. Unless someone man in the middles your https handshake you are fine. Someone should fix the title.
Quoted so we aren't running around like hens with our heads chopped off.
 

Carl

Member
MThanded said:
this thread title is incorrect!!!
this thread title is incorrect!!!
this thread title is incorrect!!!




They still use https to transmit the data. The issue is if you have a CFW you can be snooped and your info can be stolen. Unless someone man in the middles your https handshake you are fine. Someone should fix the title.

Needs quoting more.
 

MThanded

I Was There! Official L Receiver 2/12/2016
N.A said:
Yeah, my fault. Didn't read the full PDF.
Yeah, you really jumped the gun on this one. I came in here about to set up some packet capturing and test this out myself. I would not put it past them or any other company. Security is an art, not a science. Things are inherently insecure.
 

herod

Member
True or false, I could go and buy a second hand PS3 and if the previous owner didn't wipe it, I could dump his cleartext credit card info from the HDD?
 

LiquidMetal14

hide your water-based mammals
herod said:
True or false, I could go and buy a second hand PS3 and if the previous owner didn't wipe it, I could dump his cleartext credit card info from the HDD?
Read the thread :)
 

Clott

Member
MThanded said:
this thread title is incorrect!!!
this thread title is incorrect!!!
this thread title is incorrect!!!




They still use https to transmit the data. The issue is if you have a CFW you can be snooped and your info can be stolen. Unless someone man in the middles your https handshake you are fine. Someone should fix the title.




quotequotequotequotequotequote
 
Besides, soon there will be a custom firmware maker released, so you will no longer have to rely on downloading said shady firmwares (if they even exist). Make your own!
 

MThanded

I Was There! Official L Receiver 2/12/2016
herod said:
True or false, I could go and buy a second hand PS3 and if the previous owner didn't wipe it, I could dump his cleartext credit card info from the HDD?
Possibly. But you could just buy shit from their account anyway. If they did not wipe, you have free rein on their PSN account and associated credit card access.
 
N.A said:
Yeah, my fault. Didn't read the full PDF.
OP didn't read OP?

I guess this Sony PR another reason to say Custom firmware is bad. But it also goes to with custom firmware you put full trust into the person releasing it that they've released a working product and not some buggy piece of crap that will brick you just to be the first (didn't the latter already happen with the PS3).
 

N.A

Banned
Some other interesting privacy stuff in that pdf though. I'll edit the OP but can't fix the title.
 

LiquidMetal14

hide your water-based mammals
I NEED SCISSORS said:
Besides, soon there will be a custom firmware maker released, so you will no longer have to rely on said shady firmwares. Make your own!
I want that one guy who lives behind the 7-11's firmware. You know, the one who sells crack behind the dumpster at Burgler King at 2am. His is rock solid compared to Sony's!


For the record, I never store my CC info on these consoles. I will input it every time. Come on now folks, smarten up.
 

androvsky

Member
N.A said:
Yeah, my fault. Didn't read the full PDF.

The https connection was mentioned in what you originally quoted.

The credit card information should ALWAYS be encrypted. In ANY case. At least the security code. SONY is only relying on its https connection. With all those CFWs spreading around, this is not secure anymore.

That said, Sony should use multiple layers of encryption. I get the impression that IBM's impressive security setup with the Cell made Sony incredibly lax on their side.
 

Rolf NB

Member
herod said:
True or false, I could go and buy a second hand PS3 and if the previous owner didn't wipe it, I could dump his cleartext credit card info from the HDD?
Pretty sure it's never stored on your HDD in the first place.
 

MThanded

I Was There! Official L Receiver 2/12/2016
Xater said:
"Junior Member"
Maybe someone can unjunior me. They rejuniored me like a year ago. He and I can trade places. LOL (I know it's not going to happen)
 

LiK

Member
MThanded said:
Yeah, you really jumped the gun on this one. I came in here about to set up some packet capturing and test this out myself. I would not put it past them or any other company. Security is an art, not a science. Things are inherently insecure.
You should be a Member for this.
 

darkwing

Member
MThanded said:
this thread title is incorrect!!!
this thread title is incorrect!!!
this thread title is incorrect!!!




They still use https to transmit the data. The issue is if you have a CFW you can be snooped and your info can be stolen. Unless someone man in the middles your https handshake you are fine. Someone should fix the title.

smh
 

Jinfash

needs 2 extra inches
captmcblack said:
Lock this thread, make a new one with correct/non-fud info or not at all.
Ugh, please. The info in that PDF is pretty interesting. Just edit the title, and we're good. Put down those, I SAID PUT DOWN THOSE TORCHES!
 

Foffy

Banned
MThanded said:
Doubtful. Even then you are running some unauthed code and it could still manually open a connection and send your info out. Same issue with custom firmware on iPhone or Android. I could easily write code that farms your info locally and pipes it out. When you install custom firmware you are essentially trusting that code with your local information. It is almost as bad as someone watching you type every key on a keyboard or having direct hardware access to your computer at all times.

But couldn't disabling any connection the PS3 has to online connectivity nip this in the behind? I figure nothing but could be transferred if the system is prevented from connecting online.
 

MThanded

I Was There! Official L Receiver 2/12/2016
Foffy said:
But couldn't disabling any connection the PS3 has to online connectivity nip this in the behind? I figure nothing but could be transferred if the system is prevented from connecting online.
If you have a CFW then the firmware can fake you not being connected and still leak your info. Best to unplug from ethernet and remove all wifi passwords. If you use an OS written by me then all bets are off about what is going on behind the scenes.

Also I am fairly certain your CC info is on PSN, because you can link it online. I need to know more about the internals to be certain.
 

N.A

Banned
Updated the OP, the stuff in the PDF still raises some interesting points.

Sorry for jumping the gun :-\
 

LiquidMetal14

hide your water-based mammals
herod said:
I did, it's not clear. I'm not talking about the network transmission.
I'm not a high level expert but I was mainly concerning the misinformation in the title.

Is the short story basically that CFW is not good for security or what?
 
MThanded said:
Maybe someone can unjunior me. They rejuniored me like a year ago. He and I can trade places. LOL (I know it's not going to happen)

kanyecry.gif
 
Dreamgazer said:
uh. a bit excessive considering N.A.'s overall contribution to this CFW thing.

Moral of the story. . .don't fuck up. If you are going to make a thread about something as big as this, do the research before posting it. Everyone knows GAF has lurking journos ready to pounce on anything for a story.
 