
PSN Hack Update: FAQs in OP, Read before posting

Status
Not open for further replies.

Blimblim

The Inside Track
UberTag said:
Hey Blimblim, any chance you can elaborate further on the above point?

While it's been stated that existing CC data was being stored in encrypted fashion (and I fully believe that's the case), when does that encryption process take place? Does it happen immediately upon the PI being associated to the customer's account via the console, PSP, PSN/Qriocity website? Or does that process happen further down the road? Furthermore, what rationale would there have been from a cost effectiveness standpoint for Sony to not have encrypted other customer information in their database?

I've been trying to wrap my head around a scenario where the hackers "may have had access to credit card information" yet did not have access to decryption keys. Understanding whether or not unencrypted credit card details could have been accessed if transactions took place from April 17-19 when the network was compromised would shed some light on the situation.
It really depends on how Sony designed their credit card processing system.
If they did it the sane way, the credit card processing (and storing) is done on a separate network and the PSN servers themselves only store the id of the card as it was stored on that separate server. That way only (highly restricted) people who have access to the payment network can get the actual CC numbers. This is the type of network that should allow for NO outside access AT ALL (except for the actual webservice of course); if there is an issue on such a network, you go there and connect to the servers locally.
 
Blimblim said:
It really depends on how Sony designed their credit card processing system.
If they did it the sane way, the credit card processing (and storing) is done on a separate network and the PSN servers themselves only store the id of the card as it was stored on that separate server. That way only (highly restricted) people who have access to the payment network can get the actual CC numbers. This is the type of network that should allow for NO outside access AT ALL (except for the actual webservice of course); if there is an issue on such a network, you go there and connect to the servers locally.

I do so love visits to the server room. They're like IT picnics.
 
UberTag said:
Hey Blimblim, any chance you can elaborate further on the above point?

While it's been stated that existing CC data was being stored in encrypted fashion (and I fully believe that's the case), when does that encryption process take place? Does it happen immediately upon the PI being associated to the customer's account via the console, PSP, PSN/Qriocity website? Or does that process happen further down the road? Furthermore, what rationale would there have been from a cost effectiveness standpoint for Sony to not have encrypted other customer information in their database?

I've been trying to wrap my head around a scenario where the hackers "may have had access to credit card information" yet did not have access to decryption keys. Understanding whether or not unencrypted credit card details could have been accessed if transactions took place from April 17-19 when the network was compromised would shed some light on the situation.

We can't know when it is encrypted as we have no information regarding Sony's system. But logically, it's when the CC is about to be inserted into the database (or the storage they use). Before that, it would make no sense. The CC info goes from your console or browser to Sony's front servers, then it needs to verify the information with the bank, do other stuff and then send it to the storage. The transport between the servers (and sites) should be encrypted, but it is not the same kind of encryption as the one for the database. (Sending CC information in the clear over the internal network is disallowed by PCI-DSS.)

If the system is well designed, the non-encrypted CC information should only be available in memory on the servers that process the CC submission and the transactions.
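The design Blimblim describes above (a segregated payment store that hands the account side an opaque card id, with the card number sealed right before it hits storage and existing in the clear only in the memory of the process that handles the submission) is sketched below. This is an added example, not code from the thread or from any Sony system; the class names `PaymentVault` and `AccountStore`, the test card number and the account name are all constructed for illustration. The sealing routine uses an HMAC-SHA256 counter-mode keystream plus a MAC purely as a stand-in for a real AEAD such as AES-GCM, because the point being shown is where encryption happens, not which primitive is used.

```python
"""Added example: tokenized card storage on a segregated payment network.
Not from the thread; illustrates the design described in the post above."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# --- toy sealing: stand-in for a real AEAD (use AES-GCM in practice) --------
def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a PRF-based keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """nonce || ciphertext || tag. The tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before touching the ciphertext; refuse tampered records."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed record failed integrity check")
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def luhn_ok(pan):
    """Standard Luhn checksum; a cheap sanity check before charging."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# --- payment network side (hypothetical PaymentVault) ----------------------
class PaymentVault:
    """Runs on the isolated payment network; it alone holds the sealing key."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._records = {}  # token -> sealed blob; never the plaintext PAN

    def submit(self, pan):
        """The PAN is in the clear only inside this call; it is sealed
        immediately before insertion. Returns (token, last4) for the account side."""
        token = secrets.token_hex(16)
        self._records[token] = seal(self._key, pan.encode())
        return token, pan[-4:]

    def charge(self, token, amount_cents):
        """Unseal only in memory, only for the duration of the transaction."""
        pan = open_sealed(self._key, self._records[token]).decode()
        return luhn_ok(pan) and amount_cents > 0

    def storage_dump(self):
        """What an attacker with read access to the vault's storage would see."""
        return b"".join(self._records.values())


# --- account / PSN side (hypothetical AccountStore) -------------------------
@dataclass
class AccountStore:
    """Stores only the card reference and last four digits, never the PAN."""
    rows: dict = field(default_factory=dict)

    def link_card(self, account, token, last4):
        self.rows[account] = {"card_token": token, "last4": last4}

    def dump(self):
        """What a compromised account database would reveal."""
        return repr(self.rows)


if __name__ == "__main__":
    vault, accounts = PaymentVault(), AccountStore()
    tok, last4 = vault.submit("4111111111111111")  # constructed test PAN
    accounts.link_card("example-account", tok, last4)
    print("account db contains PAN:", "4111111111111111" in accounts.dump())
    print("charge ok:", vault.charge(tok, 1999))
```

With this split, a compromise of the account database yields tokens and last-four digits only; the PAN is recoverable only from the vault's storage together with the key held on the payment network, which is exactly the separation the post argues for.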
 

DoomGyver

Member
BocoDragon said:
Fuck Sony.
Fuck Sony.
 

x3sphere

Member
cjtiger300 said:
The amount of misinformation in this post is insane. By the way, do you want friend code? I guess thats one way not to lose any info.
No, he's pretty much spot on. As for the chat log, it's legit. It's from #ps3dev on efnet.
 

Blimblim

The Inside Track
jim-jam bongs said:
I do so love visits to the server room. They're like IT picnics.
The servers at my work are about 45 km away from our main office. It helps make sure every single thing (including the network cables themselves) is redundant ;)
 

Lord Error

Insane For Sony
x3sphere said:
No, he's pretty much spot on. As for the chat log, it's legit. It's from #ps3dev on efnet.
Being from there of course doesn't make it automatically legit, but even if it was, the CC encryption portion of that chat has nothing to do with the situation at hand. It was saying that the CC info you submit from your console is not being encrypted before it was sent over HTTPS (which still doesn't make it unsafe, as it just means it was single instead of double encrypted), so he was saying that if you install a CFW made by someone malicious, they could easily put some code in there that would transmit your CC info to them as plaintext, over regular HTTP. Basically, a problem only if you install some shady CFW, and nothing to do with this.
 
This morning I got a phishing email to my email, that I used with PSN. I have never before gotten anything like this on there and only a handful of spam mails, so I'm thinking that this is because of the leak. Unless it's legit. It is supposedly from Yahoo and delicious bookmarks. I have never used either of them. Also the sending address is yahoo@yahoo-email.com.

Maybe I'm paranoid.
 

Blimblim

The Inside Track
Lord Error said:
Being from there of course doesn't make it automatically legit, but even if it was, the CC encryption portion of that chat has nothing to do with the situation at hand. It was saying that the CC info you submit from your console is not being encrypted before it was sent over HTTPS (which still doesn't make it unsafe, as it just means it was single instead of double encrypted), so he was saying that if you install a CFW made by someone malicious, they could easily put some code in there that would transmit your CC info to them as plaintext, over regular HTTP. Basically, a problem only if you install some shady CFW, and nothing to do with this.
Depending on the level of access the hacker did get on the PSN servers, he could very well have put a logger inside the webservices the PS3 uses to send the CC numbers. That's a common way to intercept CC numbers when they can't be extracted directly from a database when a host is compromised.
 

Withnail

Member
Rocky_Balboa said:
This morning I got a phishing email to my email, that I used with PSN. I have never before gotten anything like this on there and only a handful of spam mails, so I'm thinking that this is because of the leak. Unless it's legit. It is supposedly from Yahoo and delicious bookmarks. I have never used either of them. Also the sending address is yahoo@yahoo-email.com.

Maybe I'm paranoid.

FWIW I also received a similar email (from the same yahoo-email.com address) this morning and it looks fine to me. The links in the mail lead to the real delicious site so I don't think it's a phishing scam.

I have used delicious in the past though. It's a bit strange that you have received it if you have never used delicious or Yahoo.
 

glaurung

Member
Withnail said:
FWIW I also received a similar email (from the same yahoo-email.com address) this morning and it looks fine to me. The links in the mail lead to the real delicious site so I don't think it's a phishing scam.

I have used delicious in the past though. It's a bit strange that you have received it if you have never used delicious or Yahoo.
I got that email too.

I think it was simply an update since Yahoo acquired delicious. Could be wrong tho.
 

Diablos

Member
If that log is legit... um, wow.

Wasting all that time and money on attacking Geohot proved futile. They should've doubled down knowing their plastic network was at that point in serious risk and put the safety of their users first. Sony is really blowing my mind in how arrogant, unprofessional and utterly incompetent they have been lately.
 

Dead Man

Member
BeeDog said:
Still haven't gotten a Sony mail. Feels like my PSN account is completely overlooked, or even borked. :p
I got one for my US account that has no real information attached, but not for my UK, JP, HK, or my main Australia one.
 

Grampasso

Member
Got the email as well; they didn't even care about properly translating it, it was made up by an automatic translator.
Fuck Sony.
Am I doing it right?
 
Withnail said:
FWIW I also received a similar email (from the same yahoo-email.com address) this morning and it looks fine to me. The links in the mail lead to the real delicious site so I don't think it's a phishing scam.

I have used delicious in the past though. It's a bit strange that you have received it if you have never used delicious or Yahoo.
Yeah it looks very legit. The fact that I haven't used delicious or Yahoo and the timing made me suspicious. Paranoid indeed.
 
Diablos said:
If that log is legit... um, wow.

Wasting all that time and money on attacking Geohot proved futile. They should've doubled down knowing their plastic network was at that point in serious risk and put the safety of their users first. Sony is really blowing my mind in how arrogant, unprofessional and utterly incompetent they have been lately.

Litigation and network security are completely separate things, they can sue geohotz AND work on their network without having to choose one over the other.
 

Zeliard

Member
MalboroRed said:
Litigation and network security are completely separate things, they can sue geohotz AND work on their network without having to choose one over the other.

Looks like both were successful ventures.
 

Withnail

Member
This has probably been discussed but I noticed that the new FAQ mentions a PS3 firmware update when the PSN goes back online. That must be one of the reasons it's all taking so long.

It's going to fuel the (deluded) cross-game chat speculation as well though.
 

neorej

ERMYGERD!
I burnt my mouth on a cheese & onion & bacon-pizza last night.

Fuck Sony.

srsly though, I got the email today on all my accounts, still no fraud on my CC.

I hope Sony fixes the PSN security within the next few days. If the entire network is compromised, you have no alternative but to start from scratch (maybe a good thing, rebuilding your network, allowing for massive improvements).
 

mr_nothin

Banned
koji said:
Has that IRC chatlog been posted here already?

Check it. Not sure if it's legit, some juicy stuff in there.
Ok...so they collect data about the games you play and the devices you connect to the PS3. Big deal. Collecting Data about the games you play = trophies anyways...how else would they be able to display the data to you?

Funny how they call Sony "spies". It's like they live in this other world where everybody is out to get them.
 

zoukka

Member
My friend's card died today. He has the PSN account.

It's funny because he told me yesterday that there's nothing to worry about :DD
 

Fafalada

Fafracer forever
Blimblim said:
That's a common way to intercept CC numbers when they can't be extracted directly from a database when a host is compromised.
That way could take months to get any large fraction of the userbase data - it certainly wouldn't be any relevant portion in 2 days.

Which is my main question about this whole mess - 75 million accounts' worth of data is NOT a small data transaction (unless it's a Hollywood movie, in which case this would be done in 30 seconds, just enough time to hide under the desk after security enters).
1) How does that go unnoticed by Sony for that long?
2) If the 2-day gap is because they tried to download it 'low-profile' to go unnoticed by Sony, it's highly unlikely they got the whole thing.

Or is it perhaps because the intent was never to download but just to corrupt the hell out of the database (if the claims about this being aimed against the corporation rather than users are true).
 

Angst

Member
mr_nothin said:
Ok...so they collect data about the games you play and the devices you connect to the PS3. Big deal. Collecting Data about the games you play = trophies anyways...how else would they be able to display the data to you?

Funny how they call Sony "spies". It's like they live in this other world where everybody is out to get them.
Bu bu but then Sony knows the insane number of hours I've played Hannah Montana? FUUUUUUU
 

Combichristoffersen

Combovers don't work when there is no hair
Still no mail for me :( At least there haven't been any fraudulent charges from my (now cancelled) Visa debit card.

Mount Vesuvius erupted and destroyed Pompeii.
Fuck Sony.
 

gofreak

GAF's Bob Woodward
Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Uhh...does anyone get a whiff of 'inside job' from that? That sounds like they mean a physically more secure location.

But maybe I'm wrong...
 

BeeDog

Member
Combichristoffersen said:
Still no mail for me :( At least there haven't been any fraudulent charges from my (now cancelled) Visa debit card.

Mount Vesuvius erupted and destroyed Pompeii.
Fuck Sony.

I can't even check my account, now that I'm waiting for the new card.

Fuck Sony.
 

Vagabundo

Member
cjtiger300 said:
Why are people using this as a credible source? The Credit Card info was encrypted.

The credit card information - from that chat log - is sent in plain text over the SSL channel (which itself is encrypted). The poster comments that this is not usually sufficient and that the CC info is usually encrypted on the client and then sent over SSL. This has nothing to do with how the CC info may have been stored on the PSN servers.
 

Blimblim

The Inside Track
Vagabundo said:
The credit card information - from that chat log - is sent in plain text over the SSL channel (which itself is encrypted). The poster comments that this is not usually sufficient and that the CC info is usually encrypted on the client and then sent over SSL. This has nothing to do with how the CC info may have been stored on the PSN servers.
You can't encrypt on the client when it's an SSL transaction done with a web browser (well technically you could do it with JS, but there is no point in doing that), which is about 99% of the CC transactions you'll ever see over the internet. So no, it's not a problem under normal circumstances.
 

Hanmik

Member
Vagabundo said:
The credit card information - from that chat log - is sent in plain text over the SSL channel (which itself is encrypted). The poster comments that this is not usually sufficient and that the CC info is usually encrypted on the client and then sent over SSL. This has nothing to do with how the CC info may have been stored on the PSN servers.

You try a "little" too hard...
 

Gadfly

While flying into a tree he exclaimed "Egad!"
I find it ironic that a company that doesn't mind installing a rootkit on your PC in order to stop you from copying a couple of songs, is so careless with your personal information.
 

Crackers

Neo Member
Vagabundo said:
The credit card information - from that chat log - is sent in plain text over the SSL channel (which itself is encrypted). The poster comments that this is not usually sufficient and that the CC info is usually encrypted on the client and then sent over SSL. This has nothing to do with how the CC info may have been stored on the PSN servers.

So SSL isn't sufficient for internet banking now? Someone should tell the banks!
 
Vagabundo said:
The credit card information - from that chat log - is sent in plain text over the SSL channel (which itself is encrypted). The poster comments that this is not usually sufficient and that the CC info is usually encrypted on the client and then sent over SSL. This has nothing to do with how the CC info may have been stored on the PSN servers.

So almost all CC transactions on the internet which use HTTPS are bogus then?

Seriously, give it a rest. Your earlier post was full of assumption and hyperbole as well...
 

Pistolero

Member
gofreak said:
Uhh...does anyone get a whiff of 'inside job' from that? That sounds like they mean a physically more secure location.

But maybe I'm wrong...


You are on the verge of opening another Pandora's box, gofreak! :)

By the way, I can see that the drama has lost some of its intensity... I want my paranoid and hyperbolic gaf back!
 

jax (old)

Banned
Vagabundo said:
The credit card information - from that chat log - is sent in plain text over the SSL channel (which itself is encrypted). The poster comments that this is not usually sufficient and that the CC info is usually encrypted on the client and then sent over SSL. This has nothing to do with how the CC info may have been stored on the PSN servers.

You just kind of need to Shut the fuck up already.
 