
PSN still down, internal testers online in various games though

Status
Not open for further replies.
bitoriginal said:
However, the 'best' games are also the most popular games, and more people are likely to own them. Surely there's got to be some kind of selection available?

Yeah, that's the problem. It's the same deal with the free PSN+ games (most of the time), I either already own it (Shatter) or didn't want it in the first place (Burn Zombie Burn).

I do want Might and Magic but that's never gonna happen. :( Oh well, I'm fine with buying it whenever it will be possible to do so.

How about only old accounts can download a free game? I'll hate it if I already have the game they're offering.

Hmmm, I wonder how they could track that. It would definitely be nice if we could receive $10-15 credit but unfortunately it's too easy for people to abuse that stuff.
 
I'm glad to know the passwords were hashed. Have they mentioned which hash they used, and whether it was salted?
 
I am reading the IGN comments section and I am pretty surprised that a lot of people are so confused about the free month of PS plus.
 
BoilersFan23 said:
I completely agree with you and know what you are saying.

I work at a large company myself, and even if we have a tiny change in the software, we gotta go through a big process. We gotta write a document, get it peer reviewed. Once edited a few times and good with the co-workers, the initial manager takes a look and signs off. After that, it goes through layers of upper management for approval. Since management hours vary, they will not all get to it in one day. Once everything gets approved by all layers, you will finally get a notice about the change. Doesn't even matter if they are pressed on a deadline, we all gotta go through the process. Not going through it violates the ethics standard causing people to get fired.
I can see that stuff like this can take some time if it is about some more general change in the software, but what if someone finds an exploit that can be used to get access to the system? Would that still take just as long a time?


BoilersFan23 said:
Anyway, it's weird for me because I turned on my older PS3 which had downloads queued up (like Expodemon). I checked its progress and it was still downloading (download finished too). Makes me wonder. I still could not sign onto PSN, but the download kept going.
The content servers have been up all the time PSN has been down I think. Updates for games still work as well.
 
Is it possible to transfer copy-protected saves between different PS3s using online storage? I have a Demon's Souls save file I'd like to move.
 
Loudninja said:
I am reading the IGN comments section and I am pretty surprised that a lot of people are so confused about the free month of PS plus.

You're surprised that people who frequent IGN let alone the comment section are confused about something like this?
 
"Hasejima corrected Hirai's answer and said that
"passwords were not encrypted, but were hashed.""

Thank god. This is all I wanted to know. Seems they were storing the data pretty much the same way any other website/service does. I thought it would be really strange if they were saved in just plain text. I changed all my passwords for nothing <.<
 
So with the previous update on the 26th that said some services would be back within a week... are we still on track for the 3rd and they just didn't want to give a specific date at the conference last night?
 
I wonder if this is gonna be the "9/11" for various media companies. they'll start suing people and pointing to this as an example of how damaging piracy and hacking can be. Which judges might eat up.
 
Skullkid said:
Is it possible to transfer copy-protected saves between different PS3s using online storage? I have a Demon's Souls save file I'd like to move.
I think so.

You upload the save from Console A. Then you have to wait 24 hours before being able to transfer.

After a day, log into Console B with your PSN+ account, go to the saves tab and download DS file. Then get killed in 2 seconds of playtime.
 
BeeDog said:
So what's the actual difference between hashing and encrypting a password?
passwords saved with one way hash keys can be bruteforced, but depending on what your password is this can be pretty hard.

When you type your password it is transformed/hashed and the hashed value is saved, and when you login they do it again and compare the hashed result instead of just decrypting what's on the db and then checking. Basically it is impossible to know what a hashed value is unless you already know it, or bruteforce it.


I could be wrong but I think that's how it works.
 
Linkified said:
Yes I know, give us free stuff when they potentially lost cc, dc, and depending on the press release last week and the one today billing address information in one very nice portfolio to social engineer more data to trick with more elaborate scams.

This is nice for the outage issue I s'pose.

For cc and dc holders which is around 10 million users world wide Kaz Hirai said in the video, £100 cheque in the mail for those people.

This might just be me though, who is currently ex-directory in the UK.

There is no affirmation that any CC info was stolen, and, if it was, no CVV data is kept with the data and everything was encrypted. Until there is more data, the crackers made off with a huge mailing list. Much of that data may be outdated or inaccurate anyway.

Sucks that this happened and I really feel for the folks at PSN who are working on this.

HaRyu said:
Really? It's a Japanese culture thing, I was expecting a bow.

To be honest, I was expecting it to be a lot more extreme, I thought Kaz was going to step down from his position.

Why? The breach was not due to incompetence on his part. Kaz is good for Sony.

Loxley said:
Exactly, there's no reason for him to step down whatsoever, he had nothing to do with the breach.

OR DID HE?????

Ahahah! This made me laugh out loud!
 
cRIPticon said:
Why? The breach was not due to incompetence on his part. Kaz is good for Sony.

Exactly, there's no reason for him to step down whatsoever, he had nothing to do with the breach.

OR DID HE?????
 
French said:
Maybe they'll give Warhawk since Starhawk is going to be announced soon.
.

I personally think that would be a great idea...I miss the 'hawk...people should still be flocking to it...so good.
 
So no credit data was stolen? some of the problems people were running into with charges on their cards were just coincidental?

can i stop checking my accounts hourly?
 
Metalmurphy said:
passwords saved with one way hash keys can be bruteforced, but depending on what your password is this can be pretty hard.

When you type your password it is transformed/hashed and saved, and when you login they do it again and compare the hashed result instead of just decrypting what's on the db and then checking. Basically it is impossible to know what a hashed value is unless you already know it, or bruteforce it.


I could be wrong but I think that's how it works.
That's somewhat right.

A hash is one way; it can't be brute-forced. If it could potentially be brute-forced, then it wouldn't be a one-way hash, and there would be no reason to do it.

On the other hand, something similar can be done: they can create a list of hashes (based on, say, Sony's hash algorithm and salt) of all possible passwords and compare that list to your hashed password, thus revealing what your password is. This is time-consuming but possible.

For the shortest passwords (e.g., one to eight characters) and MD5 algorithm, there are already lists of hashed passwords available online. I highly doubt they were using MD5, though.

Of course, by the time they do this, you have hopefully changed all your passwords. I hope everyone realizes that, though: you need to change ALL your passwords to be safe, not just your PSN password.
 
Metalmurphy said:
When you type your password it is transformed/hashed and saved, and when you login they do it again and compare the hashed result instead of just decrypting what's on the db and then checking. Basically it is impossible to know what a hashed value is unless you already know it, or bruteforce it.

By the way I was wondering something : I suppose that most of the time we assume that a hacker trying to break an encryption has no prior knowledge of the info he's trying to access...
but in this case, isn't it possible that the hacker may have created his own (probably fake) accounts, and know what password / CC info he entered and compare it to the hashed / encrypted data to reverse engineer the encryption algorithm ? He could use that like a Rosetta stone.

Smision said:
So no credit data was stolen? some of the problems people were running into with charges on their cards were just coincidental?

can i stop checking my accounts hourly?

Well Sony said that you should keep watching your bank data, so they didn't completely rule out the possibility of CC frauds.
 
alphaNoid said:
Honestly, not really. If you understand how slow moving corporate changes can be due to being dragged down by change management you wouldn't doubt it. My company, which is large but not even as complex and big as Sony takes forever to make a single change. This is for compliance and legalities that are Required when you're a publicly traded company (in the US.. see Enron for justification).

Something as simple as changing an account password has to go through a chain of change management systems, seeking approval from lots of folks. Something that could take 5 seconds might be delayed as long as 2 months. This is not a joke.

So if something needs to be fixed or changed, you'd be shocked that it simply just cannot be done quickly. Compliance is a bitch and I promise you that Sony is a very slow moving company in regards to ANY kind of change. If there was a vulnerability, don't assume for one second that even if Sony knew.. they'd have it fixed asap.

Corporate shenanigans and federal regulations slow down everything.

This is true, I had to wait 8 months to get administrator permissions in order to install some applications on my machine at work that I need to get work done. 8 whole months for something that takes less than 5 minutes to do.
 
Alx said:
By the way I was wondering something : I suppose that most of the time we assume that a hacker trying to break an encryption has no prior knowledge of the info he's trying to access...
but in this case, isn't it possible that the hacker may have created his own (probably fake) accounts, and know what password / CC info he entered and compare it to the hashed / encrypted data to reverse engineer the encryption algorithm ? He could use that like a Rosetta stone.

He can find his own hashed password, because he knows what the hashed value is, but he cannot reverse engineer other hashed values because it's impossible. But imagine for example, that he knows how the hashing is done, he could hash the value "password" and look through the entire database for other people with the same hash value.

Yes, some people do use "password" as a password.
 
Metalmurphy said:
He can find his own hashed password, because he knows what the hashed value is, but he cannot reverse engineer other hashed values because it's impossible. But imagine for example, that he knows how the hashing is done, he could hash the value "password" and look through the entire database for other people with the same hash value.
Wouldn't work if it was salted of course.
 
Metalmurphy said:
I could be wrong but I think that's how it works.

If the hash only works for better performance data indexing (i.e. the hash value is only for index), then to some degree it is really no encryption on password as Sony said.
 
ClosingADoor said:
Wouldn't work if it was salted of course.
Well, I'm not really an expert in this area just trying to explain with limited knowledge :P

I'm currently googling "salted" as I have no idea what that is.

chris0701 said:
If the hash only works for better performance index sorting (i.e. the hash value is only for index), then to some degree it is really no encryption on password as Sony said.
As far as passwords go it's better to properly hash it than it is to encrypt it.
 
Snuggler said:
Yeah, that's the problem. It's the same deal with the free PSN+ games (most of the time), I either already own it (Shatter) or didn't want it in the first place (Burn Zombie Burn).

as a PS+ user i have to say that i experience the same kind of deal as you do, so when you really think about it, you should just wait on new games that are released until they get a PS+ discount (if they don't at launch) because for all you know the week after release it's on sale. what sucks about that is that you have to wait to get the game. PS+ causes unnecessary delay effect with some purchases (for me at least).

Metalmurphy said:
"Hasejima corrected Hirai's answer and said that
"passwords were not encrypted, but were hashed.""

Thank god. This is all I wanted to know. Seems they were storing the data pretty much the same way any other website/service does. I thought it would be really strange if they were saved in just plain text. I changed all my passwords for nothing <.<

(not singling you out, just using your post as an example) this is why i kept saying i was going to wait and see before making any rash decisions. i realize that yeah, they could have come back with "it was plain text" or something worse but taking all of those steps before knowing would just make everything harder and last longer.

but still, as they said: if your PSN password is the same for any other site CHANGE IT ON THOSE SITES. just do it. and stop using the same password for multiple things.

sorry you had to go through that though dude!

ALSO: i am kind of worried about the "must be changed on system account was activated on" thing because i activated my account on a unit i had to return to BB 2 days later. hopefully the email activation stuff is set up day and date with the restoration. i hate waiting for those kinds of emails, thinking maybe they got spam filtered by mistake. :x
 
So about this first phase rollout of PSN, any clue if this includes the Portal 2 PS3/PC linking? I'm not sure how it works on PS3 and if that's included under the "titles requiring online verification and downloaded games" thing. I just ordered Portal 2 PS3 on Amazon for 35 bucks but want to link the two.
 
For when psn goes up or for those changing their other passwords to other services like banks, etc.

8 characters are somewhat common and still better than most common password lengths.

My suggestion would be:

15 characters
Combination of Alphabet and Numbers. Symbols are tricky. I've come across other sites that get confused with symbols.
Nothing related to anything that can be easily identified to you.

I would also recommend not using the same password for psn/xbl/neogaf as your banking passwords.
 
maxxpower said:
I hope MAG is on that list of free games.

Why? No offense, but I played the beta and the demo/trial when it un-+'ed and it didn't really improve in the fun department from the beta: AKA: It wasn't very fun and the terrible Socom community/Zipper community of "diehards" is probably split between it and Socom. :/
 
Metalmurphy said:
Well, I'm not really an expert in this area just trying to explain with limited knowledge :P

I'm currently googling "salted" as I have no idea what that is.
You basically add some random characters to the password and then hash that. So instead of hashing 'password' you hash 'password&*R!', '&*R!' being the salt. Of course, the salt has to be stored somewhere and that could be just in the personal data table (it's that way in lots of online stuff, like vbulletin).
 
TheSeks said:
Why? No offense, but I played the beta and the demo/trial when it un-+'ed and it didn't really improve in the fun department from the beta: EG: It wasn't very fun and the terrible Socom community/Zipper community of "diehards" is probably split between it and Socom. :/

MAG is better than Warhawk and SOCOM combined, but yeah I agree it's not very "fun" because it's extremely tactical and when I played it last, people had no idea what to do, so you just end up getting trounced by the opposition.
 
Smision said:
So no credit data was stolen? some of the problems people were running into with charges on their cards were just coincidental?

can i stop checking my accounts hourly?

They're pretty sure none was stolen, but they never said 100% nothing was stolen. So in terms of checking your accounts hourly, depends on how paranoid you are.

Loxley said:
Exactly, there's no reason for him to step down whatsoever, he had nothing to do with the breach.

OR DID HE?????

Obviously, it's all an elaborate plan by Skynet to throw us off balance.
 
Cruzader said:
I think so.

You upload the save from Console A. Then you have to wait 24 hours before being able to transfer.

After a day, log into Console B with your PSN+ account, go to the saves tab and download DS file. Then get killed in 2 seconds of playtime.

Awesome, thanks. My character was pretty buff after 3 playthroughs so I wasn't dying so much anymore. :)
 
Metalmurphy said:
Well, I'm not really an expert in this area just trying to explain with limited knowledge :P

I'm currently googling "salted" as I have no idea what that is.


As far as passwords go it's better to properly hash it than it is to encrypt it.

Yes. But to me it is really interesting Sony said there is no encryption on password, which leads to me it is only processed as every data structure textbook in computer science field would say.

If your stored data is being hashed first like "13d456a!!@", then it would be called "encrypted".
If the hashed value is only for indexing, for example, key x=10 will be stored at slot No5 due to function f(x)=x/2, then there is no encryption at all. It only means at Slot No5 the key is 10, plain text!
 
MAG seemed to have some potential when I've tried it but I think it requires too much of a time commitment for most people. Take that how you want, but it's tough to get over that hurdle of understanding the mechanics and lvling up your dude to a competitive level. Plus, it seems very important to have a group of players to stick with. It's not so great for a lone wolf like myself. I tried the beta and the full game with Move (it was $10) and both times I lasted about 5 hours before moving on.

So I don't want that, but whatever, I'm not expecting anything. It's aight.
 
ClosingADoor said:
Wouldn't work if it was salted of course.
Actually, yes it would. If they were able to get that far, you can only assume that they were able to see their salt values, as well.
 
 
chris0701 said:
Yes. But to me it is really interesting Sony said there is no encryption on password, which leads to me it is only processed as every data structure textbook in computer science field would say.

If your stored data is being hashed first, then it would be called "encrypted".

They're distinct things. And really, there's no reason in the world for them to use your password in a lookup table. By hashing it's most likely they mean one-way hashing -- in the context of that conversation that's really the only reasonable reading.
 
TheSeks said:
Why? No offense, but I played the beta and the demo/trial when it un-+'ed and it didn't really improve in the fun department from the beta: AKA: It wasn't very fun and the terrible Socom community/Zipper community of "diehards" is probably split between it and Socom. :/

Well, I obviously have no idea now, but I was playing it up to PSN being down and it wasn't hard to find games. Oddly, I'd meet a LOT of die-hard Japanese players.
 
chris0701 said:
Yes. But to me it is really interesting Sony said there is no encryption on password, which leads to me it is only processed as every data structure textbook in computer science field would say.

If your stored data is being hashed first, then it would be called "encrypted".
If the hashed value is only for indexing, for example, key x=10 will be stored at slot No5 because hash function f(x)=x/2, then there is no encryption at all.
Do you know what encryption and hashes are? Do you know why it doesn't make much sense to encrypt passwords from a practical standpoint?

Encryption requires some key, whether public or private. Hashes don't. They're stand-alone. If someone steals a hashed password, they haven't gotten much (hopefully). If someone steals an encrypted password along with its decryption key, then they can easily see what your password is.
 
chris0701 said:
Yes. But to me it is really interesting Sony said there is no encryption on password, which leads to me it is only processed as every data structure textbook in computer science field would say.

If your stored data is being hashed first like "13d456a!!@", then it would be called "encrypted".
If the hashed value is only for indexing, for example, key x=10 will be stored at slot No5 due to function f(x)=x/2, then there is no encryption at all. It only means at Slot No5 the key is 10, plain text!
Why on earth would they do that? oO

Of course they are storing the passwords hashed. That's exactly what they said.
 
offtopic: Anyone know why older games don't go on sale like Tekken DR on PSN?

Want to buy but fools never drop damn price. Also Warhawk being free would rock as I sold my disk copy long time ago and after enjoying Halo:R co-op, I'd like to do that too on Warhawk!


LOL: Seems like a Warhawk electric bomb was dropped in front of those fools.

 
Metalmurphy said:
Well, I'm not really an expert in this area just trying to explain with limited knowledge :P

I'm currently googling "salted" as I have no idea what that is.

Salting refers to doping up the password being hashed before the hashing occurs so that someone who obtains a list of hashed passwords can't simply use a rainbow table to derive the original password. Also, by making the password longer, it can also increase the amount of time a bruteforce attack would take or foil simple dictionary attacks.

The simplest salt would be to simply prepend a set of fixed characters to a password; if your password was butts and my password was farts, a very simple salt would be to hash "psnbutts" and "psnfarts" rather than our actual passwords. A more secure salt would be to make the salt dynamic based on the password itself; for example appending the password backwards to the end of the password.

... and probably best not trying to explain how these things work if you're just learning them for yourself as you google :p
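
Added example, not part of the original thread or any poster's code: a small Python sketch of the point argued above, that with an unsalted hash every account using "password" stores the same value, while a random per-user salt stored beside the hash makes the stored values differ and login verification still works. The account names, passwords and the choice of SHA-256 / PBKDF2 are assumptions made for the illustration; the thread never establishes which hash or salt scheme Sony used.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (illustrative only, not breach data).
ACCOUNTS = {"alice": "password", "bob": "hunter2-longer", "carol": "password"}

# Assumption: PBKDF2-HMAC-SHA256 with this work factor, chosen for the example.
ITERATIONS = 100_000


def unsalted_record(password):
    """Plain one-way hash: the same password always gives the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password):
    """Random per-user salt, stored next to the hash in the same row."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password, record):
    """Login check: re-hash the typed password with the stored salt, then compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def users_sharing_a_hash(table):
    """Group users whose stored value is identical, as a table audit would flag."""
    groups = defaultdict(list)
    for user, stored in table.items():
        key = stored if isinstance(stored, str) else stored["hash"]
        groups[key].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables():
    """Store the same accounts both ways so the two tables can be compared."""
    unsalted = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, identical stored hashes:", users_sharing_a_hash(unsalted))
    print("salted, identical stored hashes:  ", users_sharing_a_hash(salted))
    print("correct password verifies:", verify("password", salted["alice"]))
    print("wrong password verifies:  ", verify("passw0rd", salted["alice"]))
```

Because the salt sits in the same row as the hash, anyone holding the table can still test a guess against a single record, but the work has to be repeated for every record, and the iteration count makes each test slow.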
 
Raoh said:
For when psn goes up or for those changing their other passwords to other services like banks, etc.

8 characters are somewhat common and still better than most common password lengths.

My suggestion would be:

15 characters
Combination of Alphabet and Numbers. Symbols are tricky. I've come across other sites that get confused with symbols.
Nothing related to anything that can be easily identified to you.

I would also recommend not using the same password for psn/xbl/neogaf as your banking passwords.
A good idea is to use a password manager. I use passdroid and I imagine there are loads on ios as well. That way you can generate ludicrously hard and different passwords for all your accounts.

Just don't forget your master password or uninstall the app though...
 
Cruzader said:
offtopic: Anyone know why older games don't go on sale like Tekken DR on PSN?

Want to buy but fools never drop damn price. Also Warhawk being free would rock as I sold my disk copy long time ago and after enjoying Halo:R co-op, I'd like to do that too on Warhawk!

Prices of the games are left up to the publishers that make them, for the most part.
 