Thu, Apr 28, 2011 | 13:23 BST
QUEEN’S RUBBER DUCK – Moving past PSN melodrama
Oh, the humanity. Sony has taken a lot of flak over PSN-gate – some deserved, much more unwarranted. Let’s give the Japanese giant some credit for a nasty job done right.

Disaster Timeline

The PlayStation Network went down April 16
On April 23, Sony announced an “external intrusion”
Developers were warned of “emergency maintenance” by April 26
More than ten days after the initial shutdown, Sony announced user data had been compromised
No, the world hasn’t ended. You can stop vomiting. PSN was taken down last Wednesday after being hacked. It’ll be back up again in a few days. Here’s why you should be getting on with your lives.
What did Sony do right?
Practically everything. Sony’s reaction to the detection of a network security breach was picture-perfect, beginning with: shutting PSN down without warning.
Think about it. In whose interest is it to shut the PSN down? Sony did not, at the time the breach was detected, understand that the hackers had penetrated far enough into its systems to compromise user data. According to industry and hacker rumour, Sony was first alerted to a problem when those scoring free games and account credit through a custom firmware-enabled exploit of the developer-only network got a little too greedy. Keeping PSN up and stalking its prey would have been a tempting option.
But Sony played by the rules. Acknowledging the risks, it slammed the doors shut, called in outside expertise, and prepared for a total overhaul of the system if necessary. Closing PSN for a week over a holiday weekend is, clearly, a nightmare for the platform, even putting aside lost revenue. But against the possibility of letting hackers have their way with user data? It’s nothing to Sony. It takes security seriously.
No really, it does. Put aside what you’ve been told by some bloke in the pub for a minute, and pay attention to reality. Every network in the world can be hacked, with enough time, skill, and patience.
There’s been some loose talk about the fact that console and social networks are easier targets for hackers than, say, banks, but that doesn’t make it easy. Next time a major financial institution is compromised, you can bet your bottom lip someone will find something to describe as inadequate in its security. Xbox Live got caught with a phishing scam just yesterday. That’s the state of network security in 2011: inadequate.
Although requirements vary between international jurisdictions, there are very few territories in the world with strict legislation as to what preventative measures companies storing personal data must use. The ICO is investigating Sony, yes, and if found negligent, the company will face massive backlash in multiple countries. But there’s a strong likelihood the PlayStation Network will be found to meet minimum standards.
In the face of so much bad press, Sony has to be lauded for sucking in its gut and telling us what we needed to know, almost as soon as it knew – that the personal data of account holders had been compromised.
Note: compromised, not stolen. Sony has no evidence that anything has actually been taken.
Here’s an analogy – PlayStation Network is a locked box, divided into compartments, each of which has its own additional locking mechanism. When Sony noticed the external lock had been tampered with, it shooed everyone out of the room to figure out what had happened, and fit a better lock.
Soon after, with a sinking heart, it noticed scratches around the lock on the compartment marked “user data”. It’s had a look in there, and nothing seems to have been shifted, but until it can dust for fingerprints and run one of those UV lights over it, it can’t yet be 100 percent certain the information inside wasn’t copied – just 99 percent.
So, knowing the media would jump all over it, knowing the panic it would cause, Sony responsibly admitted the possibility. It’s taking the PR hit stoically.
What Sony did wrong?
It’s a short list: it didn’t communicate.
I received an email this morning informing me of the outage, the security breach, and the possible compromise of my personal data. Each of these facts was known to me days before – I first read (and indeed, wrote) of the outage over a week ago.
This long-lasting silence is Sony’s biggest failing, not just because it shows disrespect for users, but also because it left time for misinformation, rumour, speculation and lies – the four horsemen of the PR disaster apocalypse – to get their spurs on, and whip the informed gaming world into a frenzy.
If Sony takes one lesson from this mess, it’s that those mail-outs needed to happen within the hour. We’re a lot more forgiving when we feel like we’ve been involved, not standing on the edge of the crowd, clueless and angry.
More Information
Primary coverage of events and repercussions
SOE says none of its user data has been lost – as far as we know
Sony’s T&C’s protect the company in case of security breach
The ICO announces an investigation
US Senator attacks Sony for lack of communication
Anonymous denies responsibility
Purported hacker logs claim gaping security holes
Data security research firm estimates costs of $24 billion
What about me?
You should cancel your credit card. However slim the possibility that your data has been compromised is, you shouldn’t gamble your financial security on it.
But while you’re at it, you should get in touch with your bank, your work place, your social network, your MMO – any identity you log into, and which you’d be troubled by the loss of – and set up additional security measures, including double authentication, hard-to-remember passwords, and better secret questions. And not grumble about what a hassle it is.
The information stored on PSN – your name and address, date of birth, a few other bits and bobs alongside your credit card details – is all a fraudster needs to access most of your life. You very likely type most of it into every website you register for, send it off over the insecure HTTP protocol, and trust it to be used safely.
Have you ever called your bank and forgotten your PIN? What security questions did they ask you? Could your partner or a friend (or your neighbour, or somebody with a pile of print-outs taken from your recycling crate) have answered those questions, changed your contact details, and usurped your identity?
You’re a weak link here. You’re not aware of how much you give away about yourself. You trust, foolishly, that nobody can breach the walls society puts around you. You’re wrong. You can’t blame PSN for that; it doesn’t store anything you wouldn’t hand over anyway.
The PlayStation Network is likely to be back up and running within a week, very probably with all your trophies, saves, and data intact. We know Sony has new security features in mind – it’s in the process of migrating servers even now, and don’t be surprised if an optional double-authentication app turns up next month.
We’ll forget all about this, then. What doesn’t kill you makes you stronger. Treat yourself to an extra rubber duck for your bath.


79 comments
#51
kingofscotland
28/04/11, 11:38 am
@ 44 – Totally agree with what you’ve said apart from Sony not contacting customers – all registered emails have been emailed an ‘important info about your account’ from Sony.
I have 2 emails – 1 for each account
#52
Blerk
28/04/11, 11:45 am
Well I don’t have an email. They’ve been quite happy to send me endless marketing shit in the past, too.
#53
Alakratt
28/04/11, 11:48 am
Finally a non-sensationalist article!!
#54
Gekidami
28/04/11, 11:49 am
http://ps3.nowgamer.com/news/5669/sony-psn-credit-card-information-encrypted
#55
mathare92
28/04/11, 11:56 am
Whoa there, Wulf. No need to be overly pimping Valve’s security.
You don’t know who might be reading that. If there’s one thing we’ve learnt from this mess, it’s that there are few more dangerous than a skilful hacker with a little motivation.
Also, to all – the BBC piece Pat linked earlier is an interesting read. [http://www.bbc.co.uk/news/technology-13213632]
#56
Deacon
28/04/11, 12:02 pm
The reconstructive facial surgery was a bit premature then?
—————————————-
I love how there is a massive assumption on behalf of the media (including the BBC from what I’ve read of that article) that whomever attacked the network did it SOLELY to gain personal data etc.
we don’t know WHERE the ‘external intrusion’ came from yet.
It could be a random group of hackers / Anon / ANYONE, that simply want to cause yet more disruption and distress to Sony… it could be anyone, and the reason is as of yet completely unknown.
#57
Ireland Michael
28/04/11, 12:32 pm
@48 I am a network administrator. This stuff is fairly basic.
The simple fact that people’s information wasn’t encrypted is pure laziness and stupidity. You don’t leave that kind of information lying around.
I’ve also seen numerous complaints from people on here *alone* of their cards being charged for purchases they didn’t make, meaning someone got into other people’s accounts and used them. That isn’t just bad. It’s stupid and incompetent.
If you’re some sort of Pepsi-guzzling basement dweller who still lives with his mother, it might be hard to understand just how badly this could affect people other than yourself on an individual level.
For the consumer, it’s potential lost money that they need to take time out of their busy family life and work to get back from their credit card holder. For businesses, it’s potential lost profit and exposure.
I feel especially bad for NetherRealm and Valve. They both invested in partnerships with Sony to promote the PS3 versions of their games and their exclusive content, and the service goes down a few days later. Not to mention all the lost revenue on the PlayStation Store.
This not only harms those companies who supported Sony, it ruins consumer trust. This isn’t phishing people, it is simply poor neglect on Sony’s part, and they are *solely* responsible for this.
#58
Blerk
28/04/11, 12:38 pm
Well said, Michael.
And bonus points for “Pepsi-guzzling basement dweller who still lives with his mother”.
#59
Ireland Michael
28/04/11, 12:43 pm
One last thing. Even on the most basic of servers, passwords are almost always stored in an encrypted format, meaning that even the owner of the server wouldn’t be able to access that kind of information.
Meaning only one thing; either passwords were unencrypted, or the credit card information was. Whichever one it was, it’s a first grade mistake and should not exist on a service of this size. You don’t need a degree in network engineering (which I have) to understand this.
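The distinction behind the point in #59 (a server can check a password without being able to read it back) looks like this in code. This is an added example, not anything from Sony’s systems or posted in this thread; the record format, the PBKDF2 parameters and the sample users are my own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed storage format: algorithm$iterations$base64(salt)$base64(digest).
# Only this string is kept server-side; the password itself is never written.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a one-way record from a password with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt: identical passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def record_contains_password(record: str, password: str) -> bool:
    """True only if the plaintext is literally recoverable from the stored record."""
    return password in record


if __name__ == "__main__":
    # Constructed sample users; nothing here comes from any real account database.
    users = {"alice": hash_password("correct horse"), "bob": hash_password("correct horse")}
    print(users["alice"] != users["bob"])                         # same password, different records
    print(verify_password("correct horse", users["alice"]))       # True
    print(verify_password("wrong horse", users["alice"]))         # False
    print(record_contains_password(users["alice"], "correct horse"))  # False: operator cannot read it
```

Card numbers are a different case: a merchant has to recover them to charge the card, so they are encrypted reversibly and the key becomes the thing to protect, whereas a password only ever needs to be checked, never read back.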
#60
DrDamn
28/04/11, 12:46 pm
@57
“I’ve also seen numerous complaints from people on here *alone* of their cards being charged for purchases they didn’t make, meaning someone got into other people’s accounts and used them.”
But no actual solid evidence that it was this breach which caused it. If it’s PSN-like purchases then the account has been hacked and if just before the network was taken down then likely related. Until they find a direct link through some proper analysis of data or catching someone with the big list of account details then how do you link the two? Certainly not through posts on an internet forum.
#61
DrDamn
28/04/11, 12:49 pm
@59
They have already stated that the CC info was encrypted and by implication the passwords apparently weren’t. Unless you think they are lying about saying the CC info was encrypted? At this stage that would be the stupidest mistake they’ve made so far in this sorry saga if true.
#62
Deacon
28/04/11, 12:49 pm
Only time will tell if Sony’s infrastructure is/was grossly inadequate.
I agree with you on the encryption element, but have still yet to see any substantial claims of fraud or ID theft as a result.
I find it hard to believe that their setup fails to meet basic online security requirements, but I guess this will all be determined through the investigation.
#63
Ireland Michael
28/04/11, 12:52 pm
@60 Oh please, this happens to a *huge* percentage of people just before the service goes down, at a quantity far beyond the scale of any standing phishing attempt.
If a guy with blood on his hands runs out of a building just before they find the dead murder victim, it’s safe to say that person is the killer.
#64
DrDamn
28/04/11, 12:53 pm
@63
My point is – what huge percentage? How do you quantify it?
Are you talking about PSN/Sony purchases or more extensive use of the credit cards?
#65
marijnlems
28/04/11, 12:58 pm
While I appreciate the alternative viewpoint, Brenna, your story reads like the work of an apologist. Sony might not deserve ALL the criticism they’re getting, but they’ve certainly not done “practically everything” right – flawed network security and ridiculously inefficient communication towards their customer base are their most egregious mistakes.
And then there’s this:
“You’re a weak link here. You’re not aware of how much you give away about yourself. You trust, foolishly, that nobody can breach the walls society puts around you. You’re wrong. You can’t blame PSN for that; it doesn’t store anything you wouldn’t hand over anyway.”
That’s pathetic. Let’s absolve all corporations of any responsibility towards their customers, why don’t we? No, I wouldn’t just “hand over” my personal details to anyone; the fact that I’ve put them on PSN is based on the implicit promise that Sony would keep that data safe.
#66
Ireland Michael
28/04/11, 1:00 pm
@64 PSN purchases. I’ve yet to see any reports of credit cards details being abused outside of PSN.
Which leads me to believe that it was passwords that were compromised, and people’s accounts were simply accessed directly.
#67
DrDamn
28/04/11, 1:06 pm
@66
Oh absolutely, agree that is the case – Sony have admitted as much. There would have been a period when there was a breach of data prior to the shutdown. Plenty of time to do some stuff. The limited use related to PSN purchases implies the actual CC details were a bit more secure though. Why bother with PSN purchases at all if you have other details.
#68
AHA-Lambda
28/04/11, 1:12 pm
i actually feel a bit better after hearing it seems to be only related to psn purchases
#69
ManuOtaku
28/04/11, 1:35 pm
The thing that there’s no system/console that cannot be hacked doesn’t matter in the end if PSN security is found to have been lacking, which by all the information given at this moment seems to be the case; that’s far from “they did almost everything right”. Like one person mentioned before, if this issue was the “almost everything right” I don’t want to see the “almost everything bad”, and let’s not forget the time that had passed since the key was divulged by geo is very long. Why didn’t Sony take the necessary steps to avoid this? They should at least have enforced their security a bit more under the circumstances, but they chose not to, therefore it was not that they did everything right. We need to be strong with this case in order to avoid similar situations in the future; if we go softly with Sony, then this will happen again in this industry with the same or another manufacturer.
Also, let’s say that the credit data was secure based on the Sony statement. What about our personal data and password? According to the same statement it was not encrypted at all; that alone says too much about all this situation, and believe me that’s far from “they did almost everything right” like your post tries to suggest. I know it’s your opinion and I respect it but I do not agree with it. Why was it not encrypted? For me this continues to demonstrate that users are not taken into consideration the way they should be by Sony, adding to the other issues like the other s situation and the lack of information for several days that kept their users in a black hole.
Having said that, I agree it is nice to see another different perspective on the same issue, like many posters previously stated, because in the end it’s us the readers that need to find all the information available in order to form our own opinion.
#70
spiderLAW
28/04/11, 2:24 pm
Sony is going to have a tough time gaining back the little faith they had left from consumers after this one.
That’s all i really have to say on the subject….im just too tired and wound up in life to care about this stuff anymore.
#71
spiderLAW
28/04/11, 2:28 pm
one more thing to add.
Please no more fucking hacking anything…dammit.
I used to be a hacker in my teenage years, i’ll admit….but really, it gets old and is really immature.
#72
DrDamn
28/04/11, 2:28 pm
I think the “Everything right” point in the article was meant to be post discovery of an intrusion, not prior. It’s not worded particularly well but that’s how I read it initially. Prior it seems obvious there was a lot wrong.
“What did Sony do right? Practically everything. Sony’s reaction to the detection of a network security breach was picture-perfect”
#73
daytripper
28/04/11, 2:33 pm
@70 hope whatever is going on you get sorted
#74
ManuOtaku
28/04/11, 2:35 pm
#72 put it that way i agree with you, after the breach what they did was almost everything right, the only thing that i cannot pass was the delay of information on Sony’s part, that could cause more trouble to the users than one might think, other than that good, but prior was quite the opposite case, it was almost everything wrong.
#75
spiderLAW
28/04/11, 4:38 pm
thanks daytripper. Maybe eventually it will, but hey, it’s life and it’s how things go.
#76
XDamage
28/04/11, 5:21 pm
I respect that Brenna manages to keep a level head when writing about this situation, unlike many many others. I think Sony will pull through just fine.
#77
Bluscope
28/04/11, 8:28 pm
Finally! A level headed article and not another “OMG!!! Derp, This is the worst hack in teh history teh world is ending ARRRRRRGGHHHHHHH!!!!!!!”
It really isn’t, I’ll admit that Sony really haven’t handled it all that well but Jesus, take a chill pill people.
Thanks Brenna
#78
jdfoster00
28/04/11, 9:31 pm
@57 I’m sorry but that is simply not true. People’s information WAS encrypted! (NOTE MY INFORMATION SOURCE:- http://blog.eu.playstation.com/2011/04/28/playstation-network-and-qriocity-outage-faq/ ). @70 How? Because of people like you yes but just no! They have given us all the information quickly! And have done the right things like this article suggests Sony has done… They only knew on Monday then released, publicly, all the information regarding psn… and it takes a while to send over 75 million emails you know? @69 Plz look at the related article to answer your queries! http://blog.eu.playstation.com/2011/04/28/playstation-network-and-qriocity-outage-faq/ @77 agree with you TOTALLY!
#79
IL DUCE
01/05/11, 9:16 pm
First off: “The ICO is investigating Sony, yes, and if found negligent, the company will face massive backlash in multiple countries. But there’s a strong likelihood the PlayStation Network will be found to meet minimum standards.”
-I don’t want them meeting “minimum” standards, I want them to actually try to have some legit security because last time I checked I haven’t heard about any massive hacks on XBL while the PSN/PS3 has had major hacking issues at least 3-4 times this year alone
“Xbox Live got caught with a phishing scam just yesterday. That’s the state of network security in 2011: inadequate.”
This scam was so minor you shouldn’t have even mentioned it in this article, it was only people on Modern Warfare 2 and they sent out a message immediately, not shut down XBL and not tell anyone what was going on for days…the difference between Sony and MS is that MS can handle breaches, and they are never as big as the ones Sony has had recently
“What did Sony do right?
Practically everything.”
-That’s an overstatement if I’ve ever seen one, “It’s a short list: it didn’t communicate.” – That’s probably the most important thing to do in a situation like that
“What about me?
You should cancel your credit card. However slim the possibility that your data has been compromised is, you shouldn’t gamble your financial security on it.
But while you’re at it, you should get in touch with your bank, your work place, your social network, your MMO – any identity you log into, and which you’d be troubled by the loss of – and set up additional security measures, including double authentication, hard-to-remember passwords, and better secret questions. And not grumble about what a hassle it is.”
-That’s the point, why should we have to go through all this because their security protocol and network in general is shit, I have had XBL for 3 years and nothing like this has ever happened but now I get a PS3 and PSN in February, even after a good amount of hacking bullshit and then this happens, let alone I got the PS3 to play SOCOM which I got to play for a good few hours before PSN went down…it is a hassle and it shouldn’t be, why should we trust Sony with any personal data at all if their security and response to breaches is what we’ve seen over the past few weeks…it is a travesty, and I hope they get what they deserve, why the fuck should I have to go through the trouble of cancelling my credit card, and changing passwords, and changing double authentication standards and making security questions harder. Plus any retard who knows how to work a computer has online banking of some sort and is able to check their credit card transactions every day to make sure it’s not being used unlawfully, so I’m going to gamble my financial security on it so that I can trade in my PS3 if any of my info was leaked…we’re customers, we have the right to be pissed, so if you think otherwise you’re either living in a dream world or being paid by Sony…