Supposed hacker chat-logs reveal PSN security lapses

Wednesday, 27th April 2011 07:30 GMT By Patrick Garratt

A supposed chat log recorded from a discussion between PSN hackers has shown that data on the service wasn’t properly encrypted and that in the early days of PSN “you could see userpass, etc, plain”.

The hackers are seen joking that the fact that credit card details aren’t decently encrypted on the service is a “feature”, and saying they would never enter their financial details into their PSN accounts.

The chatters also claim it’s possible to “define” whether or not a downloadable game from PSN is “free” or not within a URL.

We’ve posted the entire thing below. This chat apparently took place in February this year.

Sony last night confirmed that hackers had gained access to PSN account information, such as names, addresses, passwords and, potentially, credit card details.

PSN was taken offline last week following the detection of an “external intrusion”.

Thanks, Asmerom.


[user1] xxx: I don't think there are many people involved in circumventing PSN access in /this/ channel [ "application/x-i-5-ticket" reason=40 > PSN error 80710101 ]
[user2] talk about network stuff?
[user2] nice
[user2] i just finished decrypting 100% of all psn functions
[user3] :)
[user2] you can forget all the history wiper and log remove apps
[user2] theres an independent check
[user2] which transfers all games and their playtime
[user2] every time you login
[user2] you can modify it like the firmware version tho
[user2] it looks like:
[user2]
[user2] as well they can detect backups this way
[user1] hash is eboot.bin to check for version?
[user2] if you use a backup it will look like this:
[user2]
[user4] user2, is that in data sent to a0.[CC].np.communication.playstation.net
[user2] sec lemme check
[user4] im still collecting all the data
[user2] updptl.de.np.community.playstation.net/
[user2] thats the server
[user3] user2: what about Blu-ray Master Disc/BD Emulator ?
[user3] since, i use those features legitimately
[user2] on debug or retail?
[user2] i didnt check all on debug unit yet
[user2] so no clue if it sends discid for bdemu
[user2] but sony is the biggest spy ever lol
[user2] they collect so much data
[user1] true
[user2] all connected devices return values sent to sony server
[user2] example:
[user3] user2: Debug models of course :)
[user2] >
32'' TFT-TVOEMreleasecex
[user4] i cannot find my PS3 connect to host with 'updptl' in the name
[user2] returns tv, fw version, fw type, console model
[user2] also i found data it collects when i had usb device attached etc etc
[user2] so if they ever sue someone for psn stuff, they will be sued themselves as most of the data they collect is just not legal
[user4] user2, at what time does it connect to that host?
[user4] during the PSN logon?
[user2] sec i check
[user5] user2 how can you modify that data?
[user6] user2: do you now know enough to wipe all traces so that people who never had their consoles on the internet can avoid sending this information now? :)
[user4] no DNS request for a host with 'updptl' in the name in my packet captures :-\
[user2] @user5: it sends directly after user profile load and sometimes; it seems random, just when u play a game or anything
[user4] ohh
[user2] @xxxx: we could modify the data via proxy between the tunnels, like delete all data between the xml tags or somehow
[user5] oh so its not on the ps3 hdd itself?
[user6] user2: aha, so this information is actually encrypted?
[user2] ya
[user2] the list is stored online
[user2] and updated when u login psn and random
[user5] damn
[user6] but where is it stored before that? I have never been online with my ps3...
[user6] so it must be somewhere
[user5] was hoping it would be on the ps3 hdd
[user5] then lock it or so
[user1] the only avoidance is block all *.playstation.net
[user2] MAYBE - i rly dont know - it doesnt save it at all on hdd
[user2] so only transfers the games and stuff in one ps3 session when you go online
[user2] so if u have ps3 offline and play a game, then shutdown and turn on again
[user2] it MAY not transfer update
[user2] cuz i didnt find any info for that list on hdd
[user2] it could be that its used for online playtime or psn logged in playtime
[user2] as well you should never ever install a CFW from someone unknown
[user2] cuz its way too easy to do scamming at this point
[user2] for example:
[user2] [redacted plain text code, includes false credit card number]
[user2] sent as plaintext
[user3] uh
[user3] did you censor that card?
[user2] ya its fake
[user3] good
[user1] wow, plaintext :S
[user5] plaintext wow
[user3] im never putting in my details like that
[user2] ya is all fake lol
[user2] i never used cc on ps3
[user2] normally you AT LEAST encrypt the security code, even if its ssl
[user5] id hope sony would do such in a safe manner
[user5] psn cards probably plain text to then
[user2] fake certs are known since years as vuln so companies encrypt such data twice normally
[user2] but hey its sony --> its a feature
[user5] lol
[user7] lol
[user5] yeah if you go public with your info they either remove the store or psn all together
[user5] as an update
[user6] I doubt it :P
[user7] from all the actions they've taken the past years, we can only deduce that Sony don't care about their customers
[user2] impossible
[user7] :)
[user2] they wont update their whole psn lol
[user6] but this should really get out there, but I guess it's on psx-scene.com in a matter of minutes already ;)
[user5] 3.60 removal of psn
[user2] i know a few guys who worked @ sony's psn backend. just when the ps3 was released we talked bout the first psn, at this time ALL was http and unencrypted. so you could see userpass etc plain. i asked em why is it that way. lame answer was "we thought it was addressed." - lol
[user2] sony qa --> trainees
[user8] that fits nicely into the "#define rand() 4" mentality. ;)
[user2] yep
[user3] or more of
[user3] ECDSA_PRIVATE_KEY privateKey;
[user2] lol
[user3] and PrivateKey is in a header file
[user3] and it's static
[user2] xD
[user3] and ECDSA_RANDOM in a header file
[user3] and so on
[user2] another funny function i found is regarding psn downloads
[user2] its when a pkg game is requested from the store
[user2] in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
[user3] ..
[user2] is like
[user8] :D
[user3] my god
[user2] drm:off
[user5] lol
[user2] lol
[user1] :facepalm:
[user8] well, that's one way to offload the server.
[user2] still wondering when the big ban wave arrives :D
[user1] if they ban everyone, even using backups legally in their country (but in their opinion a TOS violation), it will be a huge tsunami, not a wave
[user10] ask ur friends :P
[user2] prolly they take it like it is now, unstoppable anyways
[user2] new firmware to ban all further actions and done
[user4] an open psn would be nice
[user4] even if it was just a player matching service
[user2] ya
a PSN host by the community :)
[user3] that actually could be perhaps possible
[user3] if you can get auth working
[user3] and all
[user3] a new np environment
[user2] the friend list management is easiest
[user2] simple jabber server
[user11] don't some games use their own servers?
[user1] some use p2p
[user11] which check from the official psn servers whether you're logged in and who you are
[user2] imagine the traffic load :D
[user2] whod pay this xD
[user11] yes, but even p2p games do use publisher or sony provided servers for matchmaking
[user3] NpCommerce2
[user12] I am getting behind everything on doing my security analysis
[user12] started a couple months ago monitoring SSL stuff, and then got distracted with blackops and havent pursued it, seems a lot of people are starting to take interest in it now
[user2] and regarding matchmaking and lobby systems
[user2] the functions built in firmware and/or game
[user2] how would you answer them
[user2] the server side code we dont know of
[user12] some stuff appears to be in lv2 and not in sprx for network stuff
[user2] so we can not create proper answers
[user12] you can try to analyze the protocol and say "if X then Y" type responses, the problems come up when you get something you havent seen before
[user12] that was done with counterstrike for example so that people could cheat
[user12] so its not entirely impossible although it is time consuming
[user12] sometimes its happy accidents, reason code 21 means bad cipher, 51 bad firmware version - for x-i-5 tickets for example
[user11] wasn't cs/hl server software available for anyone to download even back then?
[user6] anyone found a way to change DVD region on ps3 yet, btw?
[user11] for psn you can't even get binaries for the server side
[user5] user2 i remember some months ago you made a psntool with a psn messenger in it but not yet functional is that still being worked on?
[user12] but for stuff like that the ticket has to exist on the psn side of things because if I send my ticket to a vendor server they will validate it against psn and if its not there it will fail
[user1] xxx: wasn't syscall 0x363 0x19004 3rd byte useful for that?
[user2] @xxxx: at this time i could finish the tool yes but im not sure if it is useful at all
[user12] xxxx: no but you can monitor traffic, even send some "bad" things and watch the responses... I discovered x-i-5 reason code 21 by accident, I did not force my proxy to mirror the cipher that the ps3 presented
[user2] i mean why would someone want to chat with a someone on ps3
[user2] while any1 anyway have msn/icq/aol
[user12] know this, sony in realtime, monitors all messages over psn
[user12] I verified that, its part of my privacy threats thing I am doing
[user5] ok too bad id like the psn messenger on pc
[user12] the realtime monitoring is a bit bothersome to me
[user6] user1: such information is quite useless to me, as I'm not that into the technical stuff :) was more hoping someone had an easy way to do it.. like a DVD region changer or something.
[user2] @user12: the realtime jabber monitoring is most likely for realtime censor of messages
[user12] they appear to have at the very least keywords they look for, not sure just how invasive the whole thing is, but ...
[user12] well they have some odd things in there
[user11] yeah they have that dumb automatic word filter
[user4] the censor word-list is ridiculous
[user13] psn messenger would be helpful, just yesterday was killed 2 times when typing response on the message + its so slow loading
[user12] a psn code that is not really valid if you sent that via email it becomes valid but you cant add funds to your wallet. The fact that emailing that code to someone makes it valid for you is odd ... why monitor that code?
[user11] which makes it much more difficult to have a sensible conversation in languages other than english
[user12] why change its state on sending it?
[user12] the censor words in home is on your system, it downloads a dict list of words
[user12] an empty file resolves that
[user2] tryin to find my jabber logs... >.<
[user12] so it only censors on receipt not on transmission
[user12] dunno how the other stuff does it
[user12] mostly because I have yet to look
[user12] now you have me curious I am gonna go redo my network a little bit to start monitoring again :)
[user2] btw as well a reason AGAINST pc to ps3 messenger is spam
[user2] cuz there actually is an easy way to get userlists
[user2] would fuck psn pretty hard if some skiddy releases a spam app
[user2] the highscore and matchmaking lobbies you can request per game id and get user mails for psn
[user13] ugh, yeah
[user2] huge list + spam app == sux
[user3] argghhhh
[user3] why do my trophies never sync to np
[user2] anyway sony just would have to open a port on the jabber server, so you could login with icq
[user5] lol
[user2] and we all know what happens if cool homebrew arrives, remember open remote play
[user2] sony just releases an official tool lol
[user12] thing is the more people do things and discuss what they do and explain how to do it the more likely sony will lock down psn in the future
[user2] psn is a core feature of ps3
[user12] making it harder and harder to do anything, like using older firmwares to log in, that will probably be the first to go away
[user2] they would be sued like with otheros
[user5] yeah but they also blocked open remote play
[user11] user12: that already went away, didn't it
[user12] if you are not running current firmware you do not have a right to psn
[user11] user12: even for debug users
[user12] not really, not yet anyway
[user12] 3.56 did not break it but the next release might
[user12] especially because it stops people running backups and other stuff on psn
[user11] well i mean 3.41
[user2] ya would be all possible for them
[user12] not sure what, if anything, changed with 3.41
[user11] you used to be able to sign in on debug 3.41 until someone released that psn enabler hack
[user2] one way more difficult than the other so i think they first will go on with backup ban on psn
[user11] even though 3.42 and 3.50 had already been released
[user2] via playlists and stuff i mentioned before
[user2] a secure way to fix it would require firmware and server update tho
[user2] wondering what prevents em of this way
[user12] I just got a new ps3 yesterday, has 3.40, gonna put 3.55 on it and do my work
[user12] I *might* try with 3.40 and see if I can do enough of my work, that would make it somewhat harder though
[user1] banwave possibly, new FW + plus they still need to fix that 3.56-1st/2nd harddrive exchange bug in the next version
[user12] because my work is specialized and very limited in scope
[user2] the psn has 45 environments all working independent
[user2] prolly that is the reason
[user2] we could just change to another environment
[user2] and they also need to have an eye to the official developers which use environments too
[user2] and the qa
[user2] which needs to work with older firmware sometimes
[user2] so they cant update all environments and block all
[user4] probably so much ITIL process management so they can't fart without a work request
[user2] hehe
[user12] the way that people are getting on now is to change the user agent in the login request, well x-platform-version specifically. but if the x-platform-passphrase changes in how its constructed then its easy to detect people trying to use an older firmware
[user2] they can even without the xi
[user2] as the firmware version is in a lot more requests than the auth
[user4] version is sent to the getprof servers also
[user2] ppl change only the xi one atm
[user4] and ena.
[user2] but its in netstart, xi, game starts
[user12] I understand that part of it, I was just talking about x-i-5 auth stuff
[user2] many many functions send the real fw version
[user2] but only xi5 is checked
[user12] I realize that many functions send the fw version, anything that uses libhttp.sprx does
[user2] ya
[user12] remember I have been doing this for a couple months
[user12] even wrote software that lets me do the ssl parts on the fly instead of to a fixed server, mirroring the CN of the real server
[user4] what is the data in xi5 at 0xC0 ->EOF ? some crypto/salt ?
[user4] luckily they use CN=*.*.np.community.playstation.net which saves a bit of hassle, just calling openssl from your app user12 ?
[user12] openssl libs
[user12] not the app itself
[user12] and I do it for *ALL* ssl connections in realtime
[user12] so even if you use the webbrowser it will generate certs for that too
[user4] nice tool you made :)
[user12] it is similar in function to "sslsniff" but mine works with the ps3 and logs correctly
[user2] for the first i think ppl should use a replace of all 3.5.5 and 355 strings but regarding to the user agent, else psn wont load
[user2] user12 which certs u use?
[user2] only 05 i guess ?
[user2] CA i mean sorry
[user12] user2: I use them all
[user12] there is a place that the firmware version is in lv2 that is not a "string"
[user12] its 'decimal' "035500" not sure if its 32 or 64 bit in size though,
[user2] btw u know the login url for auth is like:
[user12] but that is not the ascii 3 its the decimal value
[user2] &serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID
[user12] I have complete logs for the auth stuff
[user2] did u already change the "first" param?
[user2] i wonder what it does
[user12] first=true is only there if you had not previously logged into psn
[user2] ah ok
[user12] its missing if you were previously logged in but you need a new ticket
[user12] ticket
[user14] hi
[user14] please not connect
[user14] to external dns ip
[user14] with your ps3
[user14] your passwords and email and other data is revealed on the external side
[user12] which you need for each service id that you need one for, meaning if you sync trophies you get 1 ticket, when you play a game you get a 2nd ticket, when you watch netflix you get a 3rd
[user14] spam people can use this info
[user12] most likely if they are mapping that host
[user12] if its just the firmware check then no, because there is nothing private sent in that http (cleartext) request
[user12] so it depends on what hosts they are looking at
[user14] to start a spamming attack
[user2] hm didnt check that ticket stuff yet
[user2] as when i used a ticket
[user2] for a test POST
[user2] i worked with 1 only
[user2] and always worked
[user2] prolly many to identify the service
[user12] the ticket is sent to say a game, netflix, etc. anything that uses psn. That way you do not send credentials to anyone but sony
[user2] if its like u say then this is another vuln lol
[user2] cuz as i tested if always first ticket works
[user2] you could hijack a session
[user2] the ticket and session i used didnt timeout
[user2] and if it always creates a new ticket as u say
[user2] there would be many sessions
[user12] I also have yet to monitor how long the tickets are valid for, I know that the ps3 does not reuse them between apps but that could just be the way its coded (they might be valid even though a normal ps3 will never reuse)
[user2] for one user open
[user12] it may invalidate old ones on issuance of a new, I never looked
[user12] I just know that I saw it getting one at app launch
[user2] hm weird with the tickets
[user2] i know the ticket is built outta few params
[user2] the serial
[user2] the userid
[user2] issueddate
[user2] service id
[user2] online id
[user2] many many :P
[user12] I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
[user12] if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
[user2] its not old version, they just didnt update the banner
[user12] I consider apache 2.2.15 old
[user2] which server
[user12] it also has known vulnerabilities
[user12] auth.np.ac.playstation.net
[user2] ya the displayed version u see via banner is not the real version
[user12] unless they updated it in the last couple weeks
[user12] I doubt that since its not trivial to change that
[user12] its a bit more invasive than just setting it to Prod like they do on their other servers
[user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
[user2] its just backported security patches
[user11] i did remove all my info after downloading the games though
[user12] that is just psn not the store
[user12] they are running linux 2.6.9-2.6.24 on that box too
[user12] that too is old
[user2] lol @ buying on store
[user11] yes, but their general attitude towards security just seems...ugh
[user2] sony wont misuse the info i bet xD
[user2] but just prevent using cfw's of unknown ppl
[user2] even better from ALL ppl
[user2] make ur own lol
[user12] so I doubt that they are spoofing the network stack on that box as well
[user12] my guess is that it really is undermaintained "it works why change anything"
[user2] could be
[user12] sony really should update that stuff to something more current
[user2] ya
[user2] but imagine
[user2] psn == 45 environments
[user2] and for example
[user2] every env has 50 subdomains
[user2] to external machines
[user2] its rly rly huge
[user2] who wants to do this xD
[user2] ppl r lazy
[user2] wont change

40 Comments

  1. Phoenixblight

    Really this equals News? Any moron can make a chat log about anything and everything. You running a tabloid?

    #1 4 years ago
  2. The_Deleted

    tldr

    #2 4 years ago
  3. onyxbox

    It’s beginning to look like Patrick has a hard-on for hackers :)

    #3 4 years ago
  4. themadjock

    C**TS!

    #4 4 years ago
  5. themadjock

    But good god Sony why did you store credit card information unencrypted!
    That’s unacceptable, I am quite scared about what this hack means not only for the future of Playstation but for the gaming industry as a whole.

    #5 4 years ago
  6. Phoenixblight

    @5

    You believe this crap? Do you read the normal trash hanging off the cashier aisle? Big foot is real and is working for an organic company, I know because I seened it.

    #6 4 years ago
  7. Blerk

    Is there an ‘edited highlights’ version?

    #7 4 years ago
  8. themadjock

    @6 what makes you think it’s fake?

    #8 4 years ago
  9. viralshag

    Yawn. I skimmed through. Hacker chat is booooring. :)

    #9 4 years ago
  10. Frank17

    lol they should work for sony.. i thought sony was “more advanced” than 360

    #10 4 years ago
  11. JimFear-666

    You can’t believe everything you read on the internet.

    #11 4 years ago
  12. Kerplunk

    Oh wow. What hugely co-incidental timing! I mean, this could have been exposed back in February when it happened but instead it appears mere hours after an official statement from Sony.

    I very much doubt this is genuine. Going by the typical appearance of chat logs, this one has been edited on every single line. So, at worst this is fake and at best it’s been tampered with.

    Yeah, I think I’ll just file this under “Media frenzy scaremongering bullshit”.

    #12 4 years ago
  13. Alakratt

    If it’s anti-Sony, Patrick will believe it. Dude, just give it a rest, we all see what you are trying to do.

    #13 4 years ago
  14. OrphanageExplosion

    Google the URL Patrick has posted in *the very first words of the first sentence* and you will see what it was linked to on the same day it was posted, Feb 16, on PS3 hacking sites.

    So this hasn’t appeared in the wake of the outage at all.

    #14 4 years ago
  15. Golden

    0001 Do they get bored
    0002 having to read
    0003 in this broken form
    0004 ?
    0005 surely with
    0006 all their Skillz (sic)
    0007 they could do some-
    0008 thing prettier.
    0009 Its just
    0010 lazy

    #15 4 years ago
  16. OrbitMonkey

    *Pat to his 360* “hey kid, got some good times coming with Gears 3 huh? Man I love you”

    *turns to his ps3* “wtf you looking at? What you got? Dude raider3? You make me sick, spreading your legs for all those hackers! Slut! I hope you ylod!”

    *ps3* “sob”

    #16 4 years ago
  17. Rad430

    @14
    I searched that sentence & nothing came out of it!
    It’s really funny how people believe such crap. It’s not hard to make such things in this situation.
    Though I don’t really know if that’s true or not! But considering the situation and the fact that it’s just a poor claim, there is no way I believe this crap.

    #17 4 years ago
  18. Kerplunk

    @14 Oh right. So a nameless anonymous post on an anonymous copy-paste website is now entirely legitimised because of a date. That still doesn’t remove the fact that every single line has been doctored to add further anonymity. And every chat log records the date of the log in the content (and often timestamps every single line too). None of that information is there.

    Frankly, you have to overlook many, many inexplicable omissions and edits in order to argue the legitimacy of this. It’s entirely possible for the information in the text to be 100% factual, but its presentation and obvious editing means that it’s simply not a source of information that can be considered reliable.

    #18 4 years ago
  19. Alakratt

    You’d think a real JOURNALIST would verify his info BEFORE posting it. But again, JOURNALISTS do that, NOT Patrick Garratt. Patrick leave this industry and go work at a fast food place, I was gonna suggest going into politics but since you suck at lying I scratched that off the list.

    http://pastie.org/private/97oth9v5tspkiztwwdmnga (check date in the upper right side)

    #19 4 years ago
  20. Syrok

    “This chat apparently took place in February this year.”

    #20 4 years ago
  21. RockTwist

    @1 “You running a tabloid?”

    Pretty much.

    #21 4 years ago
  22. ManuOtaku

    Guys, I think you are confusing journalism with a reporter: a journalist collects and disseminates information about current events, people, trends, and issues, while a reporter finds sources for their work; their reports can be either spoken or written, and they are often expected to report in the most objective and unbiased way to serve the public good.

    Therefore I think this site and its people accomplish this the right way: they find information and then deliver it to us. It is up to you to decide and inform yourself more deeply about the information given; if not, find a reporter site about this.

    #22 4 years ago
  23. ManuOtaku

    Well, based on the information given at this time, not too much if I might say so, I do tend to believe this, basically because if Sony’s developer system and the retail system network were independent like they said, and the way it should have been, that would mean that hackers would have a harder time doing the deciphering, because Sony did encrypt it very strongly in another system; therefore it should require several years of computer power in order to decode this, and it would also mean the developer network could be closed down, leaving the retail network in action and ready for a patching out with a firmware.

    But that didn’t happen, which maybe means, and is a possibility, that both systems were on the same network, meaning that the stored credit card data for completed transactions and for stored “wallet” info were very easy to read and without any strong protection because it ran alongside the other PSN systems, like this information seems to indicate; therefore it seems that Sony’s security measures were very lacking, to say the least, but again this is based on the information given at this moment.

    #23 4 years ago
  24. Patrick Garratt

    http://www.eurogamer.net/articles/digitalfoundry-psn-security-scandal

    #24 4 years ago
  25. dtyk

    @24

    Wow Patrick, that article sounds like some serious shit.

    #25 4 years ago
  26. ManuOtaku

    #24 Patrick, I am at work and I cannot access that page with my internet; would you please put some text about what it says, if it is not too much to ask.

    #26 4 years ago
  27. mathare92

    @26 It lays some credence to the chat log, explaining, among other worrying things, how hackers might have known about psn’s vulnerabilities months ago.

    Edit: Richard points out some serious (and basic) security blunders by Sony in that article (the issue of storing passwords in particular is really alarming). Very much worth a read.

    #27 4 years ago
  28. ManuOtaku

    #27 Thank you very much mate, appreciated

    #28 4 years ago
  29. LOLshock94

    [user2] fake certs are known since years as vuln so companies encrypt such data twice normally
    [user2] but hey its sony --> its a feature

    LMFAO

    #29 4 years ago
  30. OlderGamer

    What is wrong with some of you people?

    Look, you can’t go running around bitching at anyone and everyone that wants to blame Sony for this.

    If you’re even level headed at all, your best bet is to take a wait and see approach. None of us know the whole fact sheet yet. And we won’t know any of the facts unless people Dig for them and then Report them, and even (in Pat’s case) echo those reports. That’s what the press does. Media in general.

    There is going to be a lot of info, prolly more of it wrong than is right. But this is how the process works. While sifting/panning for gold you get more mud than nuggets. But if you don’t sift, you won’t find the nuggets (in this case the truth behind what happened).

    So stop your fanboy shit. I mean really. If Sony neglected our personal info, I want to know. If I suffer damages because of it, I want to know who is responsible. Where people’s rights and financial security and personal ID are concerned, fanboyism has no place.

    You want to fanboy, fine, keep it where it belongs. Preach about the merits of Uncharted vs Gears or GT vs Forza. But you shouldn’t stick your head in the sand, pretend that nothing happened and hope it goes away.

    Cancel your PS accounts, or at least delink CC info from them. Have your bank issue you new CCs. Make the bank aware on record that a compromise has occurred. Stock up on prepaid points cards for Live/Wii/PSN. And sit back and wait for the smoke to clear.

    And what do you expect Pat to print?:

    “Gee, Sony was the victim of bad people, poor Sony. They didn’t mean to not protect your personal info. I am sure you can reearn your life savings back. Your good name won’t be that hard to reestablish. And shame on you for thinking of yourself, instead think of poor poor Sony.”

    Gimmie a break.

    The only fault coming across here is that people (journos, bloggers, readers alike) are personally invested in what happens. And because of that they feel violated and a little pissed off. I don’t see the harm in letting folks vent a bit. Like I said, through the mud, the truth is in there. Eventually we will get to the bottom of it.

    #30 4 years ago
  31. Phoenixblight

    No evidence of anything

    It’s another opinion based 2 page article but with an author; any joe blow could have written it.

    Really it’s a form of Fox reporting: no facts about anything except for people that have “sources” about Sony claiming x, y, and z. It’s not the actual Truth but an enhanced version which is just giving these sites all the hits and views they like.

    “While Sony says there is no evidence of credit card details being accessed, PSN users should be under no illusions that they are in the clear. If email addresses and passwords are available, they can be tested on other sites such as PayPal and eBay – just two potential avenues of fraud on a grand scale. With so many people re-using passwords on multiple sites, Sony’s security failure could have severe repercussions for hundreds of other sites.”

    You have to be a complete moron if you are doing this and just asking for people to take your info.

    “Two years ago, I was a victim of identity theft: someone contacted my bank, changed my address and managed to get a brand new credit card dispatched to a place I’d never heard of. I was lucky in that either the fraudster or the bank made a mistake on the new address and the card was delivered to a good Samaritan who handed it in at their local branch. From there, the alarm was raised.”

    Really, if your bank is allowing you to change address and ask for a new card with just your date of birth and address taken, you need to take your money elsewhere.

    “The fact that I wasn’t even in the country for months during that period made the feat even more unbelievable.”

    Ummm, so he lost his card, didn’t call it in and was shocked that someone found it and used it... Really, this guy is the top of the food chain and the best example of society.

    Really, this article is crap, just fueling the fires with no facts and just opinions. Might as well be Fox News.

    #31 4 years ago
  32. notpill

    http://bit.ly/hHlI9g
    Arstechnica wrote about this chat log two months ago

    #32 4 years ago
  33. Alakratt

    @OG

    I agree that some of the fault falls on Sony, fine. Let’s not forget that no network/hardware/software/system is unhackable. But this site… I mean Patrick is trying to make it seem Sony is entirely at fault here. Why the fuck didn’t he post this back on Feb 16 when it was originally published? Huh?! Back in the article about how Sony’s brand is damaged bla bla bla, he made it seem like Sony deserved it because of the way they handled the Geohot case. That stupid prick left the country on “vacation”, kept pieces of his HDD and yet some of you people (not you OG) still defend him AND his actions. His stupid hacker friends did this, DON’T FORGET THAT. I really hope someone beats Geohot into a coma and then we see what Anonymous does?

    #33 4 years ago
  34. ManuOtaku

    #33 “Let’s not forget that no network/hardware/software/system is unhackable. But this site… I mean Patrick is trying to make it seem Sony is entirely at fault here”

    It’s true there is no unhackable network/hardware/software/system. Having said that, I think the important thing here is that, according to the information available at the moment, it seems that Sony’s security was really lacking, to say the least, which has nothing to do with that; that’s not an excuse Sony can wield to defend themselves. One thing is that nothing is safe, and a whole completely different thing is that we have poor security measures. Of course this could change as new information is available, but for the moment it is a big possibility, and the most reasonable one.

    And to state my two cents on this again, I don’t think Sony deserve it, and I think anybody with four fingers on their forehead does, even other gamers that don’t like Sony as a brand, because at the end it is the game industry, and users who have multiple platforms and enjoy all the systems, who end up suffering as well from this debacle. I’d rather like to see Sony learn from the mistakes they made; yes, they made a lot. Maybe some Sony brand fanatics don’t see it, but for me it did start with the inclusion of a feature that made the console a supercomputer and the ability to run other OS, with the “unhackable” advertisement thrown in along the way; then all of a sudden, when they saw the mistake, they opted for the removal without any compensation whatsoever to the affected consumers, giving them the cold shoulder. They also stated that this was for security reasons, and in the end they stated that it was for money reasons. Then comes the Geo situation, and Sony again made a mistake pursuing him with no clear goal in mind; they cannot prove the piracy and other allegations, and they simply ended with a settlement out of court: don’t mess with us again or you will see.

    Therefore for me Sony didn’t handle anything right since the beginning, when they were developing the PS3 hardware: they didn’t know what to do with it (computer? console? both?) and also didn’t put enough grey matter into the pros and cons list in the development cycle. Also this console was given the green light by all the departments of SCE, even its investors, so it is unacceptable for such a big company to make the mistakes they did make and keep making till this very day; it is right now, almost seven days afterwards, that they are starting to give some information in order to avoid the black hole we have been put in since the shutdown.

    And lastly, like I said before, this site and its members are part of the journalism spectrum, which means they find the news and then deliver it to us, which they do on all bases very well. That is very different from a reporter, who finds sources for their work; their reports can be either spoken or written, and they are often expected to report in the most objective and unbiased way to serve the public good. It is on our part to analyze it and seek more information to make our own judgment; they fulfill their part. Therefore maybe when he did see this news back in the day he didn’t deem it relevant, and in that maybe he did fail, for not bringing us this news. But again, are you certain this news wasn’t covered by this site back in the day? Not him as a journalist, but this very site. I don’t know myself; we need to check.

    #34 4 years ago
  35. TheWulf

    I like OlderGamer. He’s one of the few people who’s actually capable of wrapping his head around this.

    You people are a ball, sometimes, honestly.

    Sony: Hm, perhaps we should store credentials and credit card data in plain text, that would be a good idea! Who needs security? Security is for babies! Ha! Oh, by the way, I’m secretly Saxton Hale. Don’t believe me? Who else would have the sheer iron balls to not encrypt important data at all? ME! Saxton Hale. That’s right, bitches.

    Hackers: LOL, look at this, Sony stores credentials and credit card data in plain text. That’s just bad. Still, we’re hackers so we’re not stupid enough to get involved with fraud so we’re not touching this, but it’s still really funny.

    Black Hats: Hey, let’s stir the hornet’s nest for lulz by stealing this info. Maybe we’ll buy a few games on the accounts of some of these people too. It’ll be great!

    Average VG 24/7 Poster: Oh no! The innocent, pure, and beautiful Sony has been raped by those evil hackers! Lock them up and throw away the key! Sony’s done nothing wrong. It’ll all be cool. I don’t have to worry about my bank account, and if I do it’s all the fault of evil hackers and Sony has no culpability whatsoever. Oh Sony, you poor, poor (yet incredibly rich) corporation, you. Don’t listen to the bad people, just ignore them, maybe they’ll go away.

    See? A ball.

    #35 4 years ago
  36. Ireland Michael

    Sony *is* entirely at fault here.

    You don’t fucking store credit card info unencrypted, unless you’re a complete fucking idiot. There is plenty of evidence to back up the fact that this is entirely true.

    It’s stupidity of the highest order, and it was a problem waiting to happen.

    #36 4 years ago
  37. Aimless

    Sony don’t store plain text credit card information. The data is sent using an HTTPS connection — much as if you were making an Amazon purchase, for instance — after which it is retained in an encrypted form at Sony’s end.

    Even if it’s genuine the text log is disingenuous, as was made clear back in February when it first appeared.

    #37 4 years ago
  38. MarissaG1

    @Aimless

    How data is stored is not the same as how it’s transmitted (https), you *DON’T* know how Sony actually stores the data, but given the amount of fail in their overall security (as has been repeatedly demonstrated since they removed OtherOS) it doesn’t come as a shock that it may be unencrypted.

    #38 4 years ago
  39. OpaqueSheen

    A bunch of bumbling fools on IRC does not a story make. Apparently the concept of HTTPS was beyond their collective understanding. The data is not sent plain-text. It’s encrypted via TLS/SSL before transmission, which prevents eavesdropping/MITM. Essentially they noticed that, shockingly, stuff is unencrypted before it’s… encrypted. Some creative snooping of memory on a PC while submitting credit-card info to basically any site in existence will reveal the same thing.

    This is why it’s stupid to use PSN for purchases with custom firmware. The firmware provider has free rein over the system, for the most part, and can trivially snoop in on most anything.

    Also, this has NOTHING, NADA, ZILCH, to do with Sony’s network being breached. Pure FUD fuel.

    #39 4 years ago
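The thread above keeps circling three separate points: the quoted article’s warning (#31) that leaked email/password pairs get replayed against other sites, the argument in #35, #36 and #38 about how credentials and card data are held at rest, and the reminder in #37 and #39 that HTTPS only protects the connection. The following is an added example, not code from Sony, PSN or anyone in this thread, showing what the at-rest choice for passwords changes for an attacker who obtains a copy of the user table. It assumes a site that stores a per-user salted scrypt hash (Python’s standard `hashlib.scrypt`) instead of “userpass plain”, and the account names, passwords and second-site table are constructed sample data. Card numbers are deliberately left out: they have to be recoverable, so hashing does not apply and they need reversible encryption or tokenisation with keys held away from the database, which TLS on the wire does nothing about.

```python
import hashlib
import hmac
import os

# Added example, not Sony's or PSN's code: credentials stored as salted
# scrypt hashes instead of plain text, and what a leaked user table is
# then worth to an attacker replaying it against another site.

SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32  # ~16 MiB of RAM per hash
SALT_LEN = 16


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, cost, per-user salt, digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record, never a match
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed sample data (hypothetical accounts). alice reuses her password
# on the second site, bob does not.
PLAINTEXT_LEAK = {                        # what plain-text storage hands over
    "alice@example.com": "hunter2",
    "bob@example.com": "correct horse",
}
HASHED_LEAK = {u: hash_password(p) for u, p in PLAINTEXT_LEAK.items()}
OTHER_SITE = {                            # the second site's own hashed table
    "alice@example.com": hash_password("hunter2"),
    "bob@example.com": hash_password("battery staple"),
}


def replay_leak(leak, target_site):
    """Credential stuffing in miniature: try each leaked secret as the password
    for the same account on the target site; return the accounts that open."""
    return sorted(user for user, secret in leak.items()
                  if user in target_site and verify_password(secret, target_site[user]))


if __name__ == "__main__":
    print("plain-text leak opens:", replay_leak(PLAINTEXT_LEAK, OTHER_SITE))
    print("hashed leak opens:    ", replay_leak(HASHED_LEAK, OTHER_SITE))
```

With the plain-text table the reused password opens alice’s account on the second site immediately; with the hashed table the attacker holds nothing that verifies anywhere and has to guess each password offline first, which the per-user salt and the scrypt cost parameters make expensive per account (a weak password like “hunter2” still falls to that guessing, so hashing limits the damage rather than removing it). Two users with the same password also get different records, so a dumped table cannot even be grouped by shared password.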
  40. Paradeigma

    Pat, this is BAD journalism. These chats are from FEBRUARY. They are from #ps3dev on EFnet. DO YOUR RESEARCH AND CHECK YOUR SOURCES. Pre-school stuff. A simple Google search with the correct terms could have yielded this. Media today is a JOKE.

    http://173.255.232.215/logs/efnet/ps3dev/2011-02-16

    #40 4 years ago

Comments are now closed on this article.