
CNET Rumor: Hackers Planning Third Attack Against Sony, Publicizing Data

Kaako

Felium Defensor
Speaking of Sony's weak security, I truly wonder if the case would have been any different if the group of hackers had targeted MS or Nintendo. It is easy to point fingers and say that this company had weak security infrastructure but we don't truly know what these hackers are really capable of. What makes you guys think that the outcome would have been any different if instead of Sony, they would have targeted another company?
 

test_account

XP-39C²
Mailenstein said:
I don't care about the money, but about identity theft.
Can someone use the info through PSN to commit identity theft though? What they got was your name and address and birth date (and possibly some personal info through the secret question answer, like what is the name of your cat or something).

Name and address can easily be found through phone books (generally speaking about what is needed for identity theft), so that alone is not enough for identity theft. Birthdate, think about how many people who know when you're born. I don't think that birthdate alone is that sensitive data, so I don't think this is enough info either to commit identity theft. If they got a hold of your social security number however, then it is worse, but this was not among the PSN personal information.
 
alphaNoid said:
So we've moved on from trying to figure out who's most to blame, Sony or the intruders to telling other people how they can and cannot feel about the situation?


Let's make this real simple ...

1. Criminals breached Sony's security and stole information.
2. Sony's security is a joke, it's very much on their shoulders to secure consumers' sensitive data. They failed on a catastrophic level.
3. 100 million+ users' data was compromised.

1+2=3

Feel as you may about either, but in addition to the evil hackers ... Sony is very much to blame for lackluster infrastructure here. I would be just as pissed at my bank if thieves were to have easy access to my money and personal information.

As a consumer, every single last one of us is allowed to feel as we choose about either Sony or the hackers. We speak with our wallets and nobody here really has any justifiable reason to tell someone they can only blame the hackers or that Sony isn't to blame at all. I suspect though that most of the bickering still going on is a direct reflection of just how frustrated Sony's customers are ... 2 and a half weeks of complete failure and it starts to wear on people.

Gamers turning against gamers, instead of focusing attention on the real problem.

Absolutely agree.
Doesn't surprise me that we didn't have to pay for their online infrastructure.
They were conscious of the real value...

Hackers always tried to breach into systems.
But what they have been able to do in the PSN is really hilarious.
Negligence on Sony's side is unparalleled.
 
Kaako said:
Speaking of Sony's weak security, I truly wonder if the case would have been any different if the group of hackers had targeted MS or Nintendo. It is easy to point fingers and say that this company had weak security infrastructure but we don't truly know what these hackers are really capable of. What makes you guys think that the outcome would have been any different if instead of Sony, they would have targeted another company?
I'm fine with them stealing my friend codes.
 
Kaako said:
Speaking of Sony's weak security, I truly wonder if the case would have been any different if the group of hackers had targeted MS or Nintendo. It is easy to point fingers and say that this company had weak security infrastructure but we don't truly know what these hackers are really capable of. What makes you guys think that the outcome would have been any different if instead of Sony, they would have targeted another company?
Because these companies may or may not have actually followed at least basic data protection protocols?
 
Freyjadour said:
The better question is do you? Data was stored in plaintext. Passwords were stored at all. If these two things alone were different this whole situation would be a different conversation.

As others have posted, you're just blabbering stuff you heard with no evidence. CC data was encrypted.

Do *I* know how Sony stored the info? No, and neither does anyone else here, and my point is simply that if I can wait to absolve or condemn Sony until we have some facts to discuss, why can't everyone else?
 
Mailenstein said:
So just because a judge ruled something to be fair has to be automatically fair in my world? Good thing I have my own mind and still see things different.


It's a different question if they did their best to secure their network. But knowingly leaving their stuff unpatched even though there are known possibilities of exploiting them, is not what I call professional or "the best they could do". You gotta bring more to the table than "nothing is safe on the internet", seriously mate.

1. Privacy laws are all about reasonable expectations. If you make a facebook page and leave it open for all to see. Then a court requests a discovery of your page, you cannot turn around and claim privacy is being invaded. As far as we know, the information requested from youtube wasn't anything that really was personally identifiable, but contained the IP addresses so jurisdiction could be proven. IIRC, the information was supposed to be eyes only for the lawyers as well. If you think that your youtube SN and IP address is some sort of gross invasion of privacy, why are you even on the internet?

2. What was unpatched? Do you know what servers you are talking about? Do you know where your data was stored, in relation to other services or aspects of the PSN? Do you know what software was run on the 130 servers Sony claims makes up the PSN? Do you know even if all the servers ran the same software?

Mailenstein said:
At their press conference they said "it was a known vulnerability".

And that amounts to....?

shintoki said:
By the sound of it, you didn't use Linux either. Therefore you would be an "additional" voice too, just in the opposite corner. Putting a qualification on emotions, where only those directly under its effect is not a good argument to make. It's an extremely flawed one which puts any sort of minority at a disadvantage. Even if it was 1 out of 1000, that 1 got screwed over hard at having to choose between having Linux removed or forfeiting all online functions, games that require Firmware updates, and anything else involved updating the system. Most of the disdain for it came from the nature, not the actual removal.


What "opposite corner"? Like I said above I understand everyone who used linux anger and support their right to complain. I am not in some sort of "opposite corner". It didn't affect me so I did update and moved on, but that doesn't mean I was against anyone who complained. In my point of view, if Sony acted to remove a vulnerability that would affect us all, then they are within their right to do that. But I also feel that for those who can prove that they actually suffered some sort of loss to be re compensated.

params7 said:
Again, there's irc chatlogs of anon in February taking apart PSN's infrastructure easy. THEY detected outdated software supporting PSN's architecture. If Sony would have been alert here instead of spending everything on lawyers they probably should've went "our security is not as strong as it seems, time to do something about it".


Their lawyers are on payroll iirc so there is nothing to support that they took money away from one department to fund another.

Anyways, the wired interview covered this but people just seem to get information in bits and pieces. One of the strongest points I wonder why people are running off of, is the assumption about how the PSN works.
 
harrytang said:
I disagree. I believe there will be a full investigation and evidence will be found either assessing the weakness of the security system by internal review or by some external consultation firm that they hired detailing security holes. Either way i'm sure the legal system will be utilized to reach some conclusion on this matter.

I share the sentiment. There will be investigations, where people will look at actual facts and data instead of second hand internet rumors, and then we will know what Sony can be blamed for.
 
test_account said:
Can someone use the info through PSN to commit identity theft though? What they got was your name and address and birth date (and possibly some personal info through the secret question answer, like what is the name of your cat or something).

Name and address can easily be found through phone books (generally speaking about what is needed for identity theft), so that alone is not enough for identity theft. Birthdate, think about how many people who know when you're born. I don't think that birthdate alone is that sensitive data, so I don't think this is enough info either to commit identity theft. If they got a hold of your social security number however, then it is worse, but this was not among the PSN personal information.
I don't have my name, address etc. listed up in phone books or anything else, beside ebay.
But the fact that Sony is offering a year of identity theft protection is reason enough to be worried.
 

test_account

XP-39C²
McValdemar said:
Negligence on Sony's side is unparalleled.
This is not the first time something like this has happened, so surely it is possible to draw parallels? Or how do you mean with negligence?
 
Mailenstein said:
I know why and how and it doesn't change anything as far as my pov goes. As a customer I don't see a single reason, why I would stand in for that company. And yes, I blame them for the breach, not the hackers.

You don't get my point. Like I ever said I don't care for the truth, huh? So you like corporations going around and demanding for access info on YT videos? Good for you. I don't like that. As I said, it makes no difference to me why, how, where, when etc., because the fact that they did it, is enough for me. You may not understand that, but that is not my problem.

What is this? I don't even...? Overdue time-out for me, I think. Later comrades.
 
Wow this thread is now like the other one, totally derailed from the main point. The hackers have technically won when people are already hating on Sony when even though it lacks high level security the true villains are the hackers, they should be put in jail ASAP.
 
VisanidethDM said:
As others have posted, you're just blabbering stuff you heard with no evidence. CC data was encrypted.

Do *I* know how Sony stored the info? No, and neither does anyone else here, and my point is simply that if I can wait to absolve or condemn Sony until we have some facts to discuss, why can't everyone else?
If passwords were lost, they were stored. This is a major major mistake.

Credit Card data was encrypted, yes. Other data was not. Look at the press releases.

If you want to stick your fingers in your ears and argue against the facts that Sony put out there, why bother with the argument at all.
 

test_account

XP-39C²
Mailenstein said:
I don't have my name, address etc. listed up in phone books or anything else, beside ebay.
But the fact that Sony is offering a year of identity theft protection is reason enough to be worried.
That is why I had "generally speaking" in parentheses :) If name and address is enough to commit identity theft, anyone could just look up a random name in a phone book. I'm pretty sure that you need more personal info than what is registered on PSN to commit identity theft.

As for the identity theft program that Sony offers, this might be a "just in case" scenario, or if someone got their accounts elsewhere exposed if they used the same password on PSN as on other accounts. Maybe the hackers were able to get more personal info from other places then. But I don't know. But I still don't think there is enough to have name, address and birthdate to be able to commit identity theft at least.
 

patsu

Member
McValdemar said:
Absolutely agree.
Doesn't surprise me that we didn't have to pay for their online infrastructure.
They were conscious of the real value…

Nah… the perceived value of the online infrastructure are the services. Even if it's free, as long as the platform offers interesting applications (e.g., free and early access to Hulu Plus, linking to Steam, etc.), then it can be valuable.

The value to Sony is clearly the continuing business. So PSN is strategic to Sony.

Hackers always tried to breach into systems.
But what they have been able to do in the PSN is really hilarious.
Negligence on Sony's side is unparalleled.

There may have been some lax in security, but I think some of the posters here are posting the wrong info. Credit card data is encrypted, passwords are hashes.

The Sony PR dude needs to consult technical folks to issue his statements more accurately. ^_^


EDIT:

Freyjadour said:
If passwords were lost, they were stored. This is a major major mistake.

Credit Card data was encrypted, yes. Other data was not. Look at the press releases.

If you want to stick your fingers in your ears and argue against the facts that Sony put out there, why bother with the argument at all.

The same goes for you. Passwords are hashed. User info like addresses are indeed stored in the clear but the billing data are not.
 

alphaNoid

Banned
stuminus3 said:
My view on this fiasco is getting simpler by the day. Cyber terrorists, fucking stupid cunts the lot of them. I don't care what your cause is anymore, you don't speak for me.

You know how you "get back" at Sony? Don't buy their fucking products. It's that fucking simple. Jesus fucking Christ.
You are very right. But on the other hand, cyber terrorists aren't going anywhere anytime soon. One could say the same about criminals in general. So instead of closing our eyes and singing la la la wishes for them to disappear, companies (like Sony) need to do a better job at securing their systems in anticipation of events like this.
 

Luckyman

Banned
Kaako said:
Speaking of Sony's weak security, I truly wonder if the case would have been any different if the group of hackers had targeted MS or Nintendo. It is easy to point fingers and say that this company had weak security infrastructure but we don't truly know what these hackers are really capable of. What makes you guys think that the outcome would have been any different if instead of Sony, they would have targeted another company?

Dude, every system that is dealing with money/user info is attacked all the time..

Exactly zero MS consumer service has been hacked since the beginning of the internet
 
test_account said:
This is not the first time something like this has happened, so surely it is possible to draw parallels? Or how do you mean with negligence?

I resisted the urge to tag quote the guy because that stuff should be left for humor, but still.

We're once again turning this into a pointless argument that leads nowhere since we have no way to know the facts we should be basing our opinions of.

It's sort of ridiculous we're completely ignoring the actual impressive part of this story, which is how much power hackers can exert toward companies who rely on web services to promote and sustain their products. I said it before, but if the attack is meant to damage Sony for their anti-hacker policy, all they have to do is take PSN down again a couple days after it's restored, enter the databases again, and Sony is pretty much done in terms of online sales for this generation.
 
patsu said:
Nah… the perceived value of the online infrastructure are the services. Even if it's free, as long as the platform offers interesting applications (e.g., free and early access to Hulu Plus, linking to Steam, etc.), then it can be valuable.

The value to Sony is clearly the continuing business. So PSN is strategic to Sony.



There may have been some lax in security, but I think some of the posters here are posting the wrong info. Credit card data is encrypted, passwords are hashes.

The Sony PR dude needs to consult technical folks to issue his statements more accurately. ^_^
If passwords were hashed, then Sony's initial PR is a monumental disaster.
 
staticneuron said:
1. Privacy laws are all about reasonable expectations. If you make a facebook page and leave it open for all to see. Then a court requests a discovery of your page, you cannot turn around and claim privacy is being invaded. As far as we know, the information requested from youtube wasn't anything that really was personally identifiable, but contained the IP addresses so jurisdiction could be proven. IIRC, the information was supposed to be eyes only for the lawyers as well. If you think that your youtube SN and IP address is some sort of gross invasion of privacy, why are you even on the internet?
Well, you see things different - fair enough. It's not just about YT or my IP. It's about corporations going around and demanding information which doesn't belong to them. I'm saying this for like.. the fifth time. I won't do it a sixth.

staticneuron said:
2. What was unpatched? Do you know what servers you are talking about? Do you know where your data was stored, in relation to other services or aspects of the PSN? Do you know what software was run on the 130 servers Sony claims makes up the PSN? Do you know even if all the servers ran the same software?
Whatever it was, it was laziness/unreliability on their end.
 
Kaako said:
Speaking of Sony's weak security, I truly wonder if the case would have been any different if the group of hackers had targeted MS or Nintendo. It is easy to point fingers and say that this company had weak security infrastructure but we don't truly know what these hackers are really capable of. What makes you guys think that the outcome would have been any different if instead of Sony, they would have targeted another company?

I don't know the sense of wondering this. I mean, this helps to better accept the situation?

We have a fact: Sony's weak infrastructure has been holed twice in a way that has been running on world's newscasts.

Hacker attacks have been made since the early days of Internet.
Probably not many on Nintendo, but MS platforms, for instance, have always been among hackers' favourite targets with trojan/viruses/etc...

The difference is that MS grew on this kind of problems and surely arrived to define an online infrastructure with much much more experience than Sony.
I'm not saying Live! can't be hacked, but surely behind the infrastructure there's much more experience.

They had problems but never ever lost so much sensitive data like Sony seems to have done.
It has been a very different approach.

For instance, on Live!, from day one on Xbox 1, MS has always been fully responsible for customers' data while on PSN, at the beginning, you had to tend payments directly with game publisher.

IMHO simply Sony underestimated the whole thing.
And the results are here.
 

Huff

Banned
VisanidethDM said:
I share the sentiment. There will be investigations, where people will look at actual facts and data instead of second hand internet rumors, and then we will know what Sony can be blamed for.

You shouldn't get too annoyed at everyone judging before we have all (or any) information. It's what we do when we don't have the information.

Once (if) we get the data and facts, most of us will change our minds (if wrong). However, some will disregard new information and continue to hate (or defend) Sony. Nothing you can do about these people.
 
Freyjadour said:
If passwords were lost, they were stored. This is a major major mistake.

Credit Card data was encrypted, yes. Other data was not. Look at the press releases.

If you want to stick your fingers in your ears and argue against the facts that Sony put out there, why bother with the argument at all.

Passwords were hashed. Non-encrypted data (the stuff you put in to create your PSN account) wasn't sensitive data (it's stuff people can have access to from public offices and such) and Sony can't probably be held responsible for not encrypting it. You could probably create a PSN account using Gimmy McFancypants as your name, 3 Upmyass as your address, state you live in Carolina while you're from Texas and put up 555-QUACK as your phone number.

The fact that people keep pointing at the Sony press statement as "evidence" is proof enough that critical thinking has left this discussion a while ago.
 

patsu

Member
Anyway, I was hoping the hackers would come back. It's the law enforcement folks' job to find and nab them now. Sony will just have to do their best to stay up, and stay safe.
 
test_account said:
That is why I had "generally speaking" in parentheses :) If name and address was enough to commit identity theft, anyone could just look up a random name in a phone book. I'm pretty sure that you need more personal info than what was registered on PSN to commit identity theft.

As for the identity theft program that Sony offers, this might be a "just in case" scenario, or if someone got their accounts elsewhere exposed if they used the same password on PSN as on other accounts. Maybe the hackers were able to get more personal info from other places then. But I don't know. But I still don't think there is enough to have name, address and birthdate to be able to commit identity theft at least.
I understand what you mean. You know, I don't know how much data they could steal, in which form and how useful it is for them in the end. I just know that I gave Sony my CC info, which is enough to try to scam me in many ways. I'll see.
 

Hanmik

Member
could we please get back on track..?

the name of the thread is:

CNET Rumor: Hackers Planning Third Attack Against Sony, Publicizing Data

so please let's go back and discuss the stupidity of wanting to hack Sony again, because it was hacked before..
 
Mailenstein said:
Well, you see things different - fair enough. It's not just about YT or my IP. It's about corporations going around and demanding information which doesn't belong to them. I'm saying this for like.. the fifth time. I won't do it a sixth.

We know that's how you feel, but since the rest of the world (including the law) disagrees, we're trying to make you understand that you can't use your own idiosyncrasies as facts.
 

Vagabundo

Member
VisanidethDM said:
How do you know? Do you have any evidence, or are you willing to believe any second hand opinion or rumor because it suits you better?

Why are we passing rumors for facts, and passing judgement on the involved parties, before knowing the actual truth?

Earlier in this thread I posted a link to the video of the congressional meeting about this. The expert witnesses there claim that most breaches are preventable. It seems that lazy security is the norm for companies that are breached.

So are Sony in that 5% that wasn't preventable? Do you feel lucky punk?
 
Mailenstein said:
Well, you see things different - fair enough. It's not just about YT or my IP. It's about corporations going around and demanding information which doesn't belong to them. I'm saying this for like.. the fifth time. I won't do it a sixth.
I am sorry I didn't understand your response was that general. I guess you don't understand about what a discovery is and why a court would even grant them. The idea of "information" requested in relation to a court case being unacceptable is a new one for me.


Mailenstein said:
Whatever it was, it was laziness/unreliability on their end.
Not really. The sheer fact that they were hacked doesn't mean that they didn't try to secure their network as much as possible or even "why" they allowed certain things to happen. The network I am a part of, I can tell you some machines are running older OS's and a large amount of machines do not have software firewalls installed/turned on. If you have no idea "why" then you would be flying by the seat of your pants if you assumed my network was "inadequate".
 
patsu said:
Anyway, I was hoping the hackers would come back. It's the law enforcement folks' job to find and nab them now. Sony will just have to do their best to stay up, and stay safe.

Sony doesn't seem to be staying up and safe though....
 
VisanidethDM said:
Passwords were hashed. Non-encrypted data (the stuff you put in to create your PSN account) wasn't sensitive data (it's stuff people can have access to from public offices and such) and Sony can't probably be held responsible for not encrypting it. You could probably create a PSN account using Gimmy McFancypants as your name, 3 Upmyass as your address, state you live in Carolina while you're from Texas and put up 555-QUACK as your phone number.

The fact that people keep pointing at the Sony press statement as "evidence" is proof enough that critical thinking has left this discussion a while ago.
Yes, that's data that should be encrypted.

No, it doesn't, it means that intelligent people expect Sony to articulate on precise details of how they store their own data in the wake of one of the biggest PR disasters of their existence. Or in any case, not to misrepresent themselves in a negative light. When a company says "passwords were lost", that's a problem, a big problem.
 
VisanidethDM said:
We know that's how you feel, but since the rest of the world (including the law) disagrees, we're trying to make you understand that you can't use your own idiosyncrasies as facts.
You != We. But yeah, troll on junior.
 

Clear

CliffyB's Cock Holster
VisanidethDM said:
Do *I* know how Sony stored the info? No, and neither does anyone else here, and my is simply that if I can wait to absolve or condemn Sony until we have some facts to discuss, why can't everyone else?

Well said, and I completely agree.

Sony's PR has been shockingly bad in controlling the story, and the end result is thread topics like this. Fear and loathing driven by unsubstantiated rumour and innuendo.
 

patsu

Member
McValdemar said:
I don't know the sense of wondering this. I mean, this helps to better accept the situation?

We have a fact: Sony's weak infrastructure has been holed twice in a way that has been running on world's newscasts.

Hacker attacks have been made since the early days of Internet.
Probably not many on Nintendo, but MS platforms, for instance, have always been among hackers' favourite targets with trojan/viruses/etc…

The hackers were/are very interested in PS3 security because the Cell security hasn't been compromised for 4 years straight. None of the console vendors could say that. Problem is the hole they eventually found was easy, but Sony seems to have recovered when people said it's impossible.

Now hackers want to embarrass Sony because they don't like Sony's handling of the first breach (e.g., Geohotz got slammed with restrictions). The law suit may have crossed their comfort zone. Usually the console makers were only able to nail the distributors of hacking device, not the source.

The difference is that MS grew on this kind of problems and surely arrived to define an online infrastructure with much much more experience than Sony.
I'm not saying Live! can't be hacked, but surely behind the infrastructure there's much more experience.

They had problems but never ever lost so much sensitive data like Sony seems to have done.
It has been a very different approach.

For instance, on Live!, from day one on Xbox 1, MS has always been fully responsible for customers' data while on PSN, at the beginning, you had to tend payments directly with game publisher.

IMHO simply Sony underestimated the whole thing.
And the results are here.

It's the same for PSN. From day 1, Sony is already fully responsible of consumer data. You can buy stuff from PSN directly, and also from the vendor's eStore. It's more open but it doesn't mean Sony is less responsible. ^_^
 

alphaNoid

Banned
Kaako said:
Speaking of Sony's weak security, I truly wonder if the case would have been any different if the group of hackers had targeted MS or Nintendo. It is easy to point fingers and say that this company had weak security infrastructure but we don't truly know what these hackers are really capable of. What makes you guys think that the outcome would have been any different if instead of Sony, they would have targeted another company?
Just an FYI, MS has been getting attacked by hackers since the dawn of its first systems. Windows clients can be blown open because they sit right there on a user's machine, not a good reference point. However in this day and age, 2011? MS's software team knows pretty much every single trick in the book and to pull something off like this on MS would have to be an inside job ... domain administrator accounts and direct access to security infrastructure. To breach their back end systems would likely be much, much more difficult.

I would argue that breaking into MS on the same level of what happened to Sony would be harder than breaking into some of the hardest high level government systems. They actually are running their own security systems that nobody else uses.. they do not run Cisco or something someone else would buy through a vendor. They have designed their own security software/hardware that is not available to the public ... intruders wouldn't know how to get around something they've never seen. It would have to be some kind of inside job to get deep enough in to database clusters storing sensitive data.

My understanding is that Sony was running very out of date Apache web servers, unpatched and they were public facing. That's like leaving the keys in the ignition, with the door unlocked. Incompetence 101.

All these companies get attacked all the time, but Sony got breached this time because they pissed off the wrong people and had gaping holes in its security. A combination of circumstances led to data loss ... and in order for Sony to properly secure their systems I guarantee you they are cherry picking some of the best available engineers out there. They need to can their Security Director ... that's for damn sure.
 
AppleSmack said:
Sony doesn't seem to be staying up and safe though....

Why? Facebook, myspace and gawker media also had details and passwords stolen from their DB in last 2 years.

No Database seems safe, it's the price it seems we have to pay in this digital age.
 
Vagabundo said:
Earlier in this thread I posted a link to the video of the congressional meeting about this. The expert witnesses there claim that most breaches are preventable. It seems that lazy security is the norm for companies that are breached.

So are Sony in that 5% that wasn't preventable? Do you feel lucky punk?

Yeah, but did that security witness make a statement about how preventable breaches are while defending against a really strong series of DDoS attacks?

Chances are, there were servers on the PSN that didn't have certain "protections" up probably because they did not contain sensitive data and for flexibility purposes.

Because we don't know the nature of Sony's network at the time, we also cannot fully determine how sophisticated their attack was. But from limited info we do have, it seems as if these people really knew what they were doing and performed the attack at the right time.
 

test_account

XP-39C²
VisanidethDM said:
I resisted the urge to tag quote the guy because that stuff should be left for humor, but still.

We're once again turning this into a pointless argument that leads nowhere since we have no way to know the facts we should be basing our opinions of.

It's sort of ridiculous we're completely ignoring the actual impressive part of this story, which is how much power hackers can exert toward companies who rely on web services to promote and sustain their products. I said it before, but if the attack is meant to damage Sony for their anti-hacker policy, all they have to do is take PSN down again a couple days after it's restored, enter the databases again, and Sony is pretty much done in terms of online sales for this generation.
True, if PSN is hacked again just a few days after it gets up again, then I don't know what will happen to PSN in the future. This is why I think Sony doesn't want to rush anything before they are 99.99% sure that PSN is safe before they put it up :)


McValdemar said:
They had problems but never ever lost so much sensitive data like Sony seems to have done.
It has been a very different approach.
Actually, if you look at the number of PCs running Windows that have been hacked during the years, I would not be surprised if this number exceeds the PSN number by far ;) But I know that you're referring to services that Microsoft are (or have been) running and then it is probably true indeed.


Mailenstein said:
I understand what you mean. You know, I don't know how much data they could steal, in which form and how useful it is for them in the end. I just know that I gave Sony my CC info, which is enough to try to scam me in many ways. I'll see.
The CC info that was on the PSN servers was encrypted, so I'm not sure if the hackers will get to those. But it doesn't hurt to be extra cautious in these times though. Personally I have checked my account many times over the last week, but luckily I haven't lost any money. I think that I will keep my card for a while longer seeing that nothing has happened so far to me.
 

patsu

Member
alphaNoid said:
Just an FYI, MS has been getting attacked by hackers since the dawn of its first systems. Windows clients can be blown open because they sit right there on a user's machine, not a good reference point. However in this day and age, 2011? MS's software team knows pretty much every single trick in the book and to pull something off like this on MS would have to be an inside job ... domain administrator accounts and direct access to security infrastructure. To breach their back end systems would likely be much, much more difficult.

I would argue that breaking into MS on the same level of what happened to Sony would be harder than breaking into some of the hardest high level government systems. They actually are running their own security systems that nobody else uses.. they do not run Cisco or something someone else would buy through a vendor. They have designed their own security software/hardware that is not available to the public ... intruders wouldn't know how to get around something they've never seen. It would have to be some kind of inside job to get deep enough into database clusters storing sensitive data.

How do you know MS's security infrastructure?

Also for proprietary security systems, you can buy them from third party vendors. MS is not the only people who invent new security solutions. A lot of startups do. PS3's Cell security is proprietary to IBM and Sony also.

Although some would argue that an open source security system may be more secure sometimes because of open scrutiny.

My understanding is that Sony was running very out of date Apache web servers, unpatched and they were public facing. That's like leaving the keys in the ignition, with the door unlocked. Incompetence 101.

All these companies get attacked all the time, but Sony got breached this time because they pissed off the wrong people and had gaping holes in its security. A combination of circumstances led to data loss ... and in order for Sony to properly secure their systems I guarantee you they are cherry picking some of the best available engineers out there. They need to can their Security Director ... that's for damn sure.

MS servers used to get hit by automated tools like viruses and worms easily too. In a complex system, it's very difficult to defend against determined and experienced hackers. It's an expertise and a growth phase Sony needs to go through. And yes, they need to invest more in this aspect. Also to form a network of alliances to help catch these guys so they are not always on the defensive.
 
Mailenstein said:
You != We. But yeah, troll on junior.

Now you're cyber-bullying me :(.

But you got what I mean. You're entitled to a position, but stating that hating Sony for possibly doing something that isn't illegal is the only sensible position because you disagree with the law is... a stretch.

I'm simply trying to force you to present a less personal argument.
 
VisanidethDM said:
Now you're cyber-bullying me :(.

But you got what I mean. You're entitled to a position, but stating that hating Sony for possibly doing something that isn't illegal is the only sensible position because you disagree with the law is... a stretch.

I'm simply trying to force you to present a less personal argument.
Ok, I will give up my personal fanboyish warfare against Sony. Sony is the best <3!
 

obonicus

Member
alphaNoid said:
My understanding is that Sony was running very out of date Apache web servers, unpatched and they were public facing. That's like leaving the keys in the ignition, with the door unlocked. Incompetence 101.

Again: they were running out of date Apache servers, but the version reported has no known remote exploits. The fact that they had unpatched servers is telling, but even the people who reported that Sony was running out of date servers have admitted that this probably was not the point where the breach occurred.

They actually are running their own security systems that nobody else uses.. they do not run Cisco or something someone else would buy through a vendor. They have designed their own security software/hardware that is not available to the public ... intruders wouldn't know how to get around something they've never seen. It would have to be some kind of inside job to get deep enough in to database clusters storing sensitive data.

Do you have any evidence for this? Because it makes no sense for MS to have a separate codebase from what's available to everyone else. Not to mention that you're talking about security through obscurity, which generally isn't a good idea. No, it's likely that MS runs the same server software it sells. Maybe they don't have to wait until patch Tuesday every month to roll out patches, but MS isn't immune to any of the realities of running a network. Like having to actually validate a patch before it's applied to make sure it doesn't break anything.
 
alphaNoid said:
My understanding is that Sony was running very out of date Apache web servers, unpatched and they were public facing. That's like leaving the keys in the ignition, with the door unlocked. Incompetence 101.

That's what I keep hearing as well.

Clear said:
Wired article about the guys IRC chatting in the Ars Technica piece:

http://www.wired.com/threatlevel/2011/04/trixter

Salient piece of information:

Wired said:
McDanel admits he doesn’t know that Sony’s web servers were vulnerable to attack. The authentication server he mentioned in the chats was running Apache 2.2.15, which was superseded in June 2010, but has no remote-access vulnerabilities listed on Apache’s website.
 