kurtrussell
brentech said:You're just a junior, don't bring that shit here. It won't end well.
Warning shots fired.
Care to tell me what "shit" I brought from behind the safety of your keyboard?
MarkMclovin said:Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?
Have I missed something here?
panda21 said:unbelievable. there is literally nothing they could do to make me trust them again at this point.
kurtrussell said:So essentially, the URL had a '&=username&dateofbirth' type string in it and it wasn't salted?
And that went past three independent security experts? Sheesh - get your consulting fees back from them, Sony.
I read through some posts, but not all, so I must have missed it. Where was it mentioned by the way?
XiaNaphryz said:Read through the thread man and get caught up! Only took me 5 min. ;P
Threats are cool.
kurtrussell said:Care to tell me what "shit" I brought from behind the safety of your keyboard?
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?
gofreak said:Rather frightening that this could slip through (supposedly) multiple independent audits by external experts.
Which would indicate the "token" can somehow be determined from the data embedded in the original password reset page or from the personal data someone would already possess at that point in the reset process.
Massa said:He didn't have to click anything.
When you request a new password Sony e-mails you a token that allows you to change it on their website. The problem here is that the person who requested that token somehow got access to it without having to read the e-mail Sony sent (or they found a way to reset the password without the token at all, but that's much more unlikely).
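Massa's description of the reset flow above, in working form: an added example (not code from the thread or from Sony) of a reset endpoint that only honours a server-issued random token, so knowing the account's e-mail and date of birth is not enough to complete a reset. The in-memory dicts, the sample account and the 15-minute token lifetime are assumptions.

```python
"""Added example: server-side password reset that issues an unguessable token and
verifies it; profile data (e-mail, date of birth) is never accepted in its place.
Storage is an in-memory dict standing in for a real database (assumption)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)

# Constructed sample account store: email -> profile (no real data).
ACCOUNTS = {"player@example.com": {"dob": "1990-01-01", "password": "old-pw"}}
# Pending resets: email -> {"token_hash": ..., "expires": ...}
PENDING = {}


def request_reset(email, now=None):
    """Issue a reset token and return the raw value to be e-mailed.
    Only a hash is stored, so a database read does not reveal live tokens."""
    if email not in ACCOUNTS:
        return None  # caller should still answer "e-mail sent" to avoid enumeration
    token = secrets.token_urlsafe(32)  # 256 random bits, not derived from profile data
    PENDING[email] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": (now or time.time()) + TOKEN_TTL,
    }
    return token


def complete_reset(email, new_password, token=None, dob=None, now=None):
    """Change the password only if a live, single-use token matches.
    `dob` is accepted only to make explicit that it is ignored: identity
    fields supplied in the request can never substitute for the token."""
    pending = PENDING.get(email)
    if pending is None or token is None:
        return False
    if (now or time.time()) > pending["expires"]:
        PENDING.pop(email, None)  # expired: discard so it cannot be retried
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False  # constant-time comparison against the stored hash
    PENDING.pop(email)  # single use: a captured link cannot be replayed
    ACCOUNTS[email]["password"] = new_password
    return True
```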
What did Japan say?
Luckyman said:I don't know why anyone has trust that Sony has stepped up security. Japan says not so much.
Good luck Sony
test_account said:What did Japan say?
XiaNaphryz said:That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?
The 'haxxorz' need the email and Date of Birth to 'haxx'
TTP said:I don't see it in my URL.
Fersis said:The 'haxxorz' need the email and Date of Birth to 'haxx'
Because that's why you need to reset the account password.
The 'haxx' itself must be a way to get the password reset email from SONY and then change the URL.
But well, they're fixing it now.
Smision said:This will require at least 10 more little japanese men bowing before they earn my trust back.
Can't wait to see the excuses in this thread. This company is fucked up and they don't give a shit about your security.
True, but the security can still be improved. It just depends on what type of proof they need and how they want to acquire this proof; maybe it takes some time. I wonder what type of proof they want to see.
TTP said:They aren't allowing PSN restoration in Japan until Sony provides some proof of increased security.
Japan is still PSN-less.
kurtrussell said:Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?
Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...
test_account said:I see. If that is the case, then it is pretty crazy, being able to change anyone's PSN password just by using Sony's own website. It will probably not be a big problem in general since you need the date of birth info to be able to do it, and Sony will most likely fix it now, but still.
test_account said:True, but the security can still be improved. It just depends on what type of proof they need and how they want to acquire this proof; maybe it takes some time. I wonder what type of proof they want to see.
larvi said:Great, and the DoB was the one thing that it doesn't appear I can change in my profile. I changed my other personal information to bogus info but couldn't figure out how to change that. Does anyone know a way to do it?
That is a good point, I actually thought about that. But unless that info gets widespread on the net (which hasn't happened yet as far as I know), I don't think that it will be a big problem in general, and especially now that Sony fixes this problem (most likely).
Tntnnbltn said:Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...
True hehe :\ Hopefully for people in Japan/Asia, this won't delay PSN getting back for a long time.
TTP said:I wonder that as well.
This password reset thing doesn't help matters tho.
mrklaw said:I think they post it on their twitter feed so you can be notified easily.
kurtrussell said:Any news on Sony UK and the Data Protection Act? From what I've had constantly drummed into me over the last seven years, Sony could theoretically be fined a large amount per breached account...
Tntnnbltn said:Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...
zomgbbqftw said:Play.com didn't get fined, the government didn't get fined, the MoD didn't get fined. No one gets fined.
We still got Greece to bail out so you might be right.
kurtrussell said:Council fined £100,000 - company fined £60,000 for losing a laptop with unencrypted data (names, date of birth etc)...
I'd say it's a strong possibility that Sony are going to get financially reamed by the Information Commissioner for this one....
[Nintex] said:We still got Greece to bail out so you might be right.
Clear said:To which point the obvious retort is, if you've already been hacked and your personal information mined, what's being lost by getting hacked again especially when all e-commerce is suspended?
Seems like griefing to me.
Hanmik said:do you want to join the "club"..?
http://i.imgur.com/Pu6rf.jpg
Really? This is how you guys are responding these days... OK, two can play:
http://4.bp.blogspot.com/_ce8nz6K9xj8/SolYvQ5fd0I/AAAAAAAAASs/_8Nj11wV6XU/s320/StockholmSyndromeDerekWebb.jpg
Yep.
TTP said:Well, you can say that because we have discovered about this exploit now.
Imagine if we didn't, and soon after the Store was back up you find out you can't log in (wrong password) and on top of that you get emails confirming purchases from the Store you never did.
Microsoft-Nokia marriage will cover Portugal, just watch.
zomgbbqftw said:Portugal too, good point...
Sadly people will convince themselves free stuff negates all of Sony's mishaps.
Raide said:Moar free stuffs!
Metalmurphy said:That's the exploit. They managed to do it by manually changing the URL or something, without need to click the confirmation link that was only sent to the email.
alphaNoid said:Sadly people will convince themselves free stuff negates all of Sony's mishaps.
Sony's a big company; I wouldn't be surprised if Sony hired people to comb through the back end and didn't think of doing the same for their web front end.
XiaNaphryz said:That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?
The more 'mishaps' and free shit for me, the better.
alphaNoid said:Sadly people will convince themselves free stuff negates all of Sony's mishaps.
Ashler said:Yeah, that's it for me Sony. I'm out!