Support NeoGAF

[keit4]

Actually...

http://www.zdnet.com/blog/security/xbox-live-hacked-accounts-stolen/131

http://www.joystiq.com/2007/03/23/pre-texting-the-cause-of-xbox-live-account-issues/

It's not the same case. That was social engineering.

 

[DoctorButt]

i just tried to flush my ps3 down the toilet and psn still isn't up

 

[Chrange]

http://www.joystiq.com/2007/03/23/pre-texting-the-cause-of-xbox-live-account-issues/

It's not the same case. That was social engineering.

But ZDNet said a Microsoft Tech said "Hackers have control of Xbox live and there is nothing we can do about it." so who do we really believe?

 

[Metalmurphy]

http://www.joystiq.com/2007/03/23/pre-texting-the-cause-of-xbox-live-account-issues/

It's not the same case. That was social engineering.

Once again...

"I gave several examples how any system could be compromised, if one of them is wrong it doesn't disprove my point."

 

[Professor Beef]

About a hundred pages ago, a Sony enthusiast compared the company to a rape victim. I was speechless.

It was also an unfortunate reminder of one of the Geohot threads, in which another enthusiast described the rape they'd want George Hotz to endure as punishment for his disrespect towards the corporation.

Its shocking sometimes.

This thread is full of twists and turns. It's a hell of a toboggan ride, though!

 

[chris0701]

I need a clearer English. And you missed my edit.

I gave several examples how any system could be compromised, if one of them is wrong it doesn't disprove my point.

To be simple, the XBOX live thing you provided is something jackpot from desperating id/pw combination.

You can use this trick on google account,twitter or something. Such case happens everyday on every network system, so it would never be an news.

The PSN case looks lke some security breach on data center,hacker can access considerable personal data and bypass the normal identity authentication.

Tbh,the official email has revealed such thing if you see them more carefully.

 

[A.R.K]

Once again...

"I gave several examples how any system could be compromised, if one of them is wrong it doesn't disprove my point."

dude stop talking sense...you'll be accused of being paid by Sony like I was...

I just wish PSN is up soon and this carnival of stupids gets locked

Also the hackers get caught so the real culprit get punished in this whole scenario

 

[Metalmurphy]

To be simple, the XBOX live thing you provided is something jackpot from desperating id/pw combination.

You can use this trick on google account,twitter or something. Such case happens everyday on every network system, so it would never be an news.

The PSN case looks lke some security breach on data center,hacker can access considerable pseronal data bypass the normal identity authentication. This is what we could call epic fail on network infrastructure.

Dude... You don't have to repeat yourself 3 times. I got it the first time. You however seem to be missing the point every time.

 

[chris0701]

Let alone XBOX live hack case,it is only social engineering. I could hack my sister's facebook account,but no one would take my achivement to CNN

For some system or organization,we usually have faith that we believe they should't be broken.

FBI was hacked,then we doubt why FBI could be hacked.
PSN hacked,then we doubt Sony's ability.

 

[FINALBOSS]

dude stop talking sense...you'll be accused of being paid by Sony like I was...

I just wish PSN is up soon and this carnival of stupids gets locked

Also the hackers get caught so the real culprit get punished in this whole scenario

He is being paid by Sony...me too!!!

 

[Kyoufu]

About a hundred pages ago, a Sony enthusiast compared the company to a rape victim. I was speechless.

It was also an unfortunate reminder of one of the Geohot threads, in which another enthusiast described the rape they'd want George Hotz to endure as punishment for his disrespect towards the corporation.

Its shocking sometimes.

Almost as shocking as donating to Hotz.

 

[chris0701]

But ZDNet said a Microsoft Tech said "Hackers have control of Xbox live and there is nothing we can do about it." so who do we really believe?

How could you prevent social engineering hack through id/pw combination?

captcha on consoles ?

 

[obonicus]

For some system or organization,we usually have faith that we believe they should't be broken.

That's misplaced faith, though. These systems or organizations don't guarantee you complete security. They don't even really do a great job apologizing most of the time when they fail you.

Sony did fuck up. If I put my valuables in a safety deposit box, because the bank tells me it's safe, and the bank is robbed and my valuables taken (something not necessarily covered by insurance), I get to blame both the bank and the robbers. The bank for failing to protect my valuables and the robbers for obvious reasons. The bank fucked up. I probably shouldn't call the bank incompetent unless I know otherwise, though.

Sony might've had huge gaping holes in their security, they might've had a reasonably secure system. Outside of speculatory pasties we don't know right now. Maybe Kaz will come clean in a few hours, but I doubt it.

 

[Mama Robotnik]

Almost as shocking as donating to Hotz.

If my miniscule contribution to try and prevent the eradication of (future) region-free gaming and homebrew, offends you more than those wishing sex-crimes towards a hacker who exposed a fundementally-flawed security structure, then I don't see how we're going to see eye to eye on this.

 

[Metalmurphy]

How could you prevent social engineering hack through id/pw combination?

captcha on consoles ?

For someone who can't let the subject drop you don't seem to understand very well how it was done...

If my miniscule contribution to try and prevent the eradication of (future) region-free gaming.

huh?

 

[Kyoufu]

If my miniscule contribution to try and prevent the eradication of region-free gaming and homebrew, offends you more than those wishing sex-crimes towards a hacker who exposed a fundementally-flawed security structure, then I don't see how we're going to see eye to eye on this.

Hey my PS3 is region-free I don't know what you're talking about!

 

[chris0701]

The question is very simple. I trust you but you failed to meet my expection.
Only when I trust Sony so I would put my CC and personal info into PSN.

If Sony one day declare their data center is outsourced by one infamous company and not take any responsibillity on data leak or system breakdown on EULA, I think you would never want to use them at all.

 

[Mama Robotnik]

huh?

Future region free, as in the right to hack future consoles (or existing ones) to run homebrew and software without region restrictions. Had Sony won then this (among any other modifications) would have been cemented as illegal.

Hey my PS3 is region-free I don't know what you're talking about!

Yes but will the next wave of consoles be? Not to mention handhelds and existing hardware.

 

[Metalmurphy]

Future region free, as in the right to hack future consoles (or existing ones) to run homebrew and software without region restrictions. Had Sony won then this (among any other modifications) would have been cemented as illegal.

I don't think that's what the case was about. It was about sharing the keys and hacks online.

 

[Combichristoffersen]

It's amazing how I keep hearing "Sony fucked up" "Sony fucked up" "Sony fucked up" yet no one can say how exactly they fucked up. Sony being hacked = them fucking up?

What kind of fucked up logic is that?

Bank gets robbed, bankers fucked up?
NASA gets hacked, NASA fucked up?
Pentagon gets hacked, Pentagon fucked up?
Mastercard gets hacked, Mastercard fucked up?
oO

I can understand being mad at Sony cause it's their responsibility, and if we have to complain to someone, it's obviously to them and not the Hacker. But your anger seems to be missplaced. Saying they fucked up is like saying they just gave the data away or something.

Obviously the hackers are at fault for breaching Sony's network and stealing the PSN account information (hackers gonna hack), but I'm not letting Sony off the hook for their debatable security. If you're storing information about 77 million user accounts, you damn well better be sure it's stored somewhere that's as good as impenetrable. So, yeah, Sony kinda fucked up, but they shouldn't be taking all of the blame.

Spoiler

Fuck Sony.

 

[Cruzader]

Future region free, as in the right to hack future consoles (or existing ones) to run homebrew and software without region restrictions. Had Sony won then this (among any other modifications) would have been cemented as illegal.



Yes but will the next wave of consoles be? Not to mention handhelds and existing hardware.

Im positive hackers have done more harm to future PS products this gen. All the 'openess' of the PS3 is saying bye bye on PS4 for sure.

Also the case was never to make it illegal to mod your console for homebrew. Sharing security keys to the open was and they way Geo went about things.

 

[Metalmurphy]

Obviously the hackers are at fault for breaching Sony's network and stealing the PSN account information (hackers gonna hack), but I'm not letting Sony off the hook for their debatable security. If you're storing information about 77 million user accounts, you damn well better be sure it's stored somewhere that's as good as impenetrable. So, yeah, Sony kinda fucked up, but they shouldn't be taking all of the blame.

Spoiler

Fuck Sony.

There's no such thing.

 

[TTP]

Obviously the hackers are at fault for breaching Sony's network and stealing the PSN account information (hackers gonna hack), but I'm not letting Sony off the hook for their debatable security. If you're storing information about 77 million user accounts, you damn well better be sure it's stored somewhere that's as good as impenetrable. So, yeah, Sony kinda fucked up, but they shouldn't be taking all of the blame.

Spoiler

Fuck Sony.

This is what I don't understand. The assumption that being hacked means you have "debatable security". Considering shit like this happens all the time, do we have any proof that Sony security was more lacking compared to those adopted by the likes of Amazon, Google, Play.com etc? I guess this is for the authorities investigating the issue to decide no?

 

[Combichristoffersen]

There's no such thing.

No. But they should do their best to make it as close to impenetrable as possible. And apparently they didn't.

This is what I don't understand. The assumption that being hacked means you have "debatable security". Considering shit like this happens all the time, do we have any proof that Sony security was more lacking compared to those adopted by the likes of Amazon, Google, Play.com etc? I guess this is for the authorities investigating the issue to decide no?

It's Sony. Considering how bad they've been this gen it wouldn't surprise me if they considered the free version of Avast to be acceptable security

 

[Metalmurphy]

No. But they should do their best to make it as close to impenetrable as possible. And apparently they didn't.

And you know this how?

It's Sony. Considering how bad they've been this gen it wouldn't surprise me if they considered the free version of Avast to be acceptable security

Nm...

 

[iNvid02]

wow this thread still going strong

1. hacker(s) are to blame mostly as they're the scum who did this
2. sony must share the blame because it seems their security was not up to par
3. the way sony dealt with this thing is truly abysmal
4. everyone on PSN should be compensated in some way, mainly because of the way sony dealt with this situation, not because they were hacked.
5. my bet still stands for 4th may

 

[Lothars]

No. But they should do their best to make it as close to impenetrable as possible. And apparently they didn't.



It's Sony. Considering how bad they've been this gen it wouldn't surprise me if they considered the free version of Avast to be acceptable security

Yeah ok, Sony has been as bad as any other company but you don't know if the security was actually really bad or not, There's alot we don't know but to say they automatically have bad security really doesn't make sense until we know exactly what kind of security they had.

wow this thread still going strong

1. hacker(s) are to blame mostly as they're the scum who did this
2. sony must share the blame because it seems their security was not up to par
3. the way sony dealt with this thing is truly abysmal
4. everyone on PSN should be compensated in some way, mainly because of the way sony dealt with this situation, not because they were hacked.
5. my bet still stands for 4th may

I agree with some of your points but we don't know if there security was up to par, it wasn't abysmal, it could have been handled better but wasn't horrible,

I agree as well, We should be compensated because of PSN being down for so long.

 

[TTP]

It's Sony. Considering how bad they've been this gen it wouldn't surprise me if they considered the free version of Avast to be acceptable security

It wouldn't surprise me either, but that's still an assumption.

Besides, aren't there regulations about how this server stuff is supposed to be set up? Aren't there 3rd party organizations periodically checking if companies dealing with personal info adhere to some security guidelines?

I think I read it somewhere you can't simply set up your server and go business without some sort of seal of approval. This is not to protect Company X, but the whole online business thing. If Company X security fails, every company working in the field is affected to some degree (people less willing to share personal data, CC info etc).

 

[Combichristoffersen]

And you know this how?

Obviously I don't know it, but if they rumours of Sony storing information in plain text are true, it's unacceptable. I mean, I love Sony, I've bought all of their consoles, even the PSP. But they've spent the last five years making dumb decision after dumb decision, so I wouldn't be surprised at all if poor security was another dumb decision of theirs. Not to mention their abysmal job at communicating with their users at the beginning of this brouhaha.

Besides, aren't there regulations about how this server stuff is supposed to be set up? Aren't there 3rd party organizations periodically checking if companies dealing with personal info adhere to some security guidelines?

I think I read it somewhere you can't simply set up your server and go business without some sort of seal of approval. This is not to protect Company X, but the whole online business thing.

You're probably thinking of the PCI DSS

 

[mrkgoo]

Yeah ok, Sony has been as bad as any other company but you don't know if the security was actually really bad or not, There's alot we don't know but to say they automatically have bad security really doesn't make sense until we know exactly what kind of security they had.



I agree with some of your points but we don't know if there security was up to par, it wasn't abysmal, it could have been handled better but wasn't horrible,

I agree as well, We should be compensated because of PSN being down for so long.

An encrypted password would be nice. Yes, we don't know it wasn't, but if it was, we assume they would've mentioned it.

 

[TTP]

Obviously I don't know it, but if they rumours of Sony storing information in plain text are true, it's unacceptable.

How is that unacceptable? I'm not expert by any means, but you seem to be sure such info (not the CC one, but just the personal data one) is encrypted everywhere else. Is it so?

 

[Stuggernaut]

So we now know exactly what type of security system Sony had and how good/bad it was?

And we also know exactly how it was hacked?

I missed that, can someone link?

 

[Massa]

How is that unacceptable? I'm not expert by any means, but you seem to be sure such info (not the CC one, but just the personal data one) is encrypted everywhere else. Is it so?

Password and security anwer should have been encrypted.

So we now know exactly what type of security system Sony had and how good/bad it was?

And we also know exactly how it was hacked?

I missed that, can someone link?

We've no idea.

 

[DoctorButt]

So we now know exactly what type of security system Sony had and how good/bad it was?

And we also know exactly how it was hacked?

I missed that, can someone link?

there is no link to credible info to be had in this thread, just babbling idiots

 

[RustyNails]

An encrypted password would be nice. Yes, we don't know it wasn't, but if it was, we assume they would've mentioned it.

Encrypting just passwords means encrypting an entire column of 77 million rows. We don't know how many rows of CC info were there in the CC table, but all indicators point to being about 2.2 million so it's more manageable to encrypt that. Besides, companies are under extra scrutiny to make CC info and SSN info as secure as possible especially e-businesses.

 

[Combichristoffersen]

How is that unacceptable? I'm not expert by any means, but you seem to be sure such info (not the CC one, but just the personal data one) is encrypted everywhere else. Is it so?

Depends. I think someone earlier ITT mentioned at least birthdates and passwords were usually encrypted, while postal addresses and names were not necessarily encrypted (due to.. storage concerns or CPU use or something). Names, postal addresses and e-mails are more or less freely available on the web separately, but when you've stored most of that information (barring CC information), especially passwords, at the same place, you really should have some sort of encryption on it.

 

[ClosingADoor]

Encrypting just passwords means encrypting an entire column of 77 million rows. We don't know how many rows of CC info were there in the CC table, but all indicators point to being about 2.2 million so it's more manageable to encrypt that. Besides, companies are under extra scrutiny to make CC info and SSN info as secure as possible especially e-businesses.

And how is it a problem to encrypt 77 million passwords (not rows, since the row would probably include the username and other info as well).

Passwords should always be encrypted. I don't think companies like Facebook and Google save your password unencrypted and those handle a lot more passwords than 77 million.

But do we even know if passwords were saved unencrypted? Since that would be very illogical to do.

Depends. I think someone earlier ITT mentioned at least birthdates and passwords were usually encrypted, while postal addresses and names were not necessarily encrypted (due to.. storage concerns or CPU use or something). Names, postal addresses and e-mails are more or less freely available on the web separately, but when you've stored most of that information (barring CC information), especially passwords, at the same place, you really should have some sort of encryption on it.

Most systems only encrypt passwords. The other info can easily be gotten anywhere or isn't private anyway. Encrypting a username for example is just useless.

 

[RuGalz]

But do we even know if passwords were saved unencrypted? Since that would be very illogical to do.

All things point to they didn't encrypt password. While I think a company that handles user base as big as this probably should have done it, you are kidding yourself if you think most of the sites have updated their security to have password encrypted.

 

[Acquiescence]

Hey my PS3 is region-free I don't know what you're talking about!

Yes but will the next wave of consoles be? Not to mention handhelds and existing hardware.

Well, if the PS4 is locked down tighter than the Queen's clacker then we'll know who to blame won't we!

*cough*GeoHot*cough* (if it wasn't obvious enough)

 

[LowParry]

Ya know, if the hacker/s are capable of doing what they did to Sony, I'm pretty sure they are capable of doing this kind of damage to other companies easily. There's no such thing as a perfect security system.

 

[TTP]

But do we even know if passwords were saved unencrypted? Since that would be very illogical to do.

They said "the personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack".

I guess passwords are part of the personal data table.

 

[ClosingADoor]

All things point to they didn't encrypt password. While I think a company that handles user base as big as this probably should have done it, you are kidding yourself if you think most of the sites have updated their security to have password encrypted.

What points to that? I haven't seen anything that would point to Sony not encrypting the passwords.

And hasn't encryption been pretty standard for at least ten years if not longer?

They said "the personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack".

I guess passwords are part of the personal data table.

Depends. You can just as easily have a username + password table and a user info table, since the user info would be called on more often than the password would.

 

[surly]

Ya know, if the hacker/s are capable of doing what they did to Sony, I'm pretty sure they are capable of doing this kind of damage to other companies easily. There's no such thing as a perfect security system.

I agree with your last sentence, but Sony are working to make the security of PSN stronger and they're aiming to have done that within 2 weeks. Why not make it that strong to begin with? Why didn't they salt and hash passwords? Why did they have a bunch of user data completely unencrypted? Other companies may do the same things, but that doesn't get Sony off the hook - it only makes those other companies as bad as Sony.

 

[GodofWine]

OK...I wanna play something online...badly...couldn't they just wipe the data out, and at least open the ability to sign in to play games again? No store / no transactions, nothing like that open...and when they have the new network built, push it out as an update.

I don't know anything about this kinda stuff, but it seems plausible to temporarily be a online gaming only portal?

...Im about to plug in my ps2 to play GTA3, and remember the good old days.

 

[tenchir]

Wow, some people don't really grasp how hard it is to secure digital data this day and age. Much like achilles heel, no matter how strong your security is, a hacker just need a flaw in the system to exploit it. If a security company like SecureID(they make the RSA dongle) can get hacked, then don't any security system to be safe. Raging against Sony for their "weak" security system is just idiotic, especially when we don't know how the hack was done or how they secured it.

 

[TTP]

Depends. You can just as easily have a username + password table and a user info table, since the user info would be called on more often than the password would.

I see. Well, I dunno. In the first detailed update they said:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

 

[ClosingADoor]

Why did they have a bunch of user data completely unencrypted?

No one is going to encrypt stuff like names and locations, what would be the use? That stuff can be found everywhere and if you want that info you can just buy a database filled with that info from legal sources.

I see. Well, I dunno. In the first detailed update they said:

I'm not saying it is impossible that they did that. I just wouldn't understand why on earth someone would save passwords unencrypted. If someone does that, they deserve to be fired immadiatly.

 

[DXB-KNIGHT]

Bank gets robbed, bankers fucked up?

Lets say that if your account was robbed and the bank simply didn't inform you and haven't compensated you and told you its the thieves fault not ours.
What would you do?

 

[Rebel Leader]

...Im about to plug in my ps2 to play GTA3, and remember the good old days.

The good old days for me are

with a certain guy
that's very short
with a bowler hat

 

[Zoe]

Depends. You can just as easily have a username + password table and a user info table, since the user info would be called on more often than the password would.

Other way around actually. Real name + address rarely needs to be called, but your account is authenticated frequently.