Sony's PSN Network



  • @bgodot said:

    I doubt their network was first breached just last wednesday, my thought is that it's been breached for several months at least since last Thursday

    FTFY.



  • @El_Heffe said:

    @bgodot said:
    So they couldn't be sure that even if they did store information encrypted, that the intruders didn't install backdoors, sniffers, rootkits,
    One of the PSN admins inserted a Sony music CD into his computer.

    That would be so awesome. Sony's own "security" measurements break security of an unrelated network owned by the same company.



  • @El_Heffe said:

    @bgodot said:

    So they couldn't be sure that even if they did store information encrypted, that the intruders didn't install backdoors, sniffers, rootkits,
    One of the PSN admins inserted a Sony music CD into his computer.

    Oh SNAP!



  • @serguey123 said:

    That is why we need less people, let us work for that goal as a group

    That is why we need fewer people, let us work for that goal as a group

    FTFY.



  • @Cad Delworth said:

    @serguey123 said:

    That is why we need less people, let us work for that goal as a group

    That is why we need lesser people, let us work for that goal as a group

    FTFY.

    FTFTFYFY


  • @derula said:

    @Cad Delworth said:
    @serguey123 said:

    That is why we need less people, let us work for that goal as a group

    That is why we need less people named Morely, let us work for that goal as a group

    FTFY.

    FTFTFYFY
    FTFTFYFYFTFY

     



  • @El_Heffe said:

    @derula said:

    @Cad Delworth said:
    @serguey123 said:

    That is why we need less people, let us work for that goal as a group

    That is why we need less people named Morely, let us work for that goal as a group

    FTFY.

    FTFTFYFY
    FTFTFTFYFYFYFTFY

     

    FTFTFTFTFYFYFYFY


  •  TRWTF is saying "PSN network" in the first place. What do you think the "N" stands for? Like hearing someone say "PIN number", that shit really makes me cringe something chronic.



  • @Mason Wheeler said:

    @Weng said:

     I don't give a flying fuck at a rolling donut about Sony and their 'problems' - whether self or hacker-inflicted. I do, however, HATE this thread's title. "PSN" stands for "PlayStation Network" - or at least it used to. Therefore, "PSN Network" is a crime against language.

    Indeed.  Someone ought to report this to the Department of Redundancy Department!

     

    Also known as the DRD Department.



  • @Sudo said:

     TRWTF is saying "PSN network" in the first place. What do you think the "N" stands for? Like hearing someone say "PIN number", that shit really makes me cringe something chronic.

     

    Whatever you do, stay away from the La Brea tar pits.



  • @derula said:

    @bgodot said:
    I doubt their network was first breached just last wednesday, my thought is that it's been breached for several months at least since last Thursday

    FTFY.

    Sony first detected an intrusion on the 19th of April:
    http://www.psx-sense.nl/46020/inbraak-op-psn-was-al-ruim-een-dag-voor-downtime-bezig/

    However, leaked server logs indicate that attempts at gaining access had been ongoing since at least as early as the 15th:
    http://www.psx-sense.nl/46008/playstation-network-log-van-de-hacker-leaked/

    And hackers have been learning about the PSN's workings and topology since at least mid-February:
    http://www.psx-sense.nl/46022/chatlog-hackers-credit-card-gegevens-niet-voldoende-encrypted/

    According to those last chat logs, the PS3 sends all your credit card information in plain text, only protected by the layer of SSL offered by the secure connection, where it is good practice to at least provide further encryption to the CVC/CVV verification codes. Also, Sony logs just about anything you're doing with the machine: peripherals connected, discs inserted, time played, etc. Talk about not caring about your customers or their privacy!



  • @Ragnax said:

    According to those last chat logs, the PS3 sends all your credit card information in plain text, only protected by the layer of SSL offered by the secure connection
    And how does this differ from every other online store on the planet that uses SSL/TLS?



  • @Sudo said:

     TRWTF is saying "PSN network" in the first place. What do you think the "N" stands for? Like hearing someone say "PIN number", that shit really makes me cringe something chronic.

    Congratulations, you're only about 20 posts late.

    @ender said:

    @Ragnax said:
    According to those last chat logs, the PS3 sends all your credit card information in plain text, only protected by the layer of SSL offered by the secure connection
    And how does this differ from every other online store on the planet that uses SSL/TLS?

    I wouldn't know, seeing as I haven't had the opportunity to look at the codebases of every online store on the planet. But if I was writing a system to send credit card details over the wire, I'd probably use symmetric encryption at either end, regardless of the transport protocol. After all, you can never have too much security (right, Sony?).



  • @The_Assimilator said:

    I wouldn't know, seeing as I haven't had the opportunity to look at the codebases of every online store on the planet.
    Just take a random sample and observe - the details are passed through HTTPS connection without any additional encryption, because there's no need for anything else. SSL/TLS has 2 purposes: to authenticate the connection (so that you know who you're talking to, and that the server knows it's still talking to the same client that established the connection), and to encrypt the data passing over that connection (to prevent eavesdropping).

    @The_Assimilator said:
    But if I was writing a system to send credit card details over the wire, I'd probably use symmetric encryption at either end, regardless of the transport protocol.
    Unless you invent some radical new approach, any further encryption will not in any way improve security, because if the attacker somehow got past the first layer, he'll be able to get past any other layer in the same way (the symmetric key you were talking about has to be exchanged somehow, and if that's done over the connection that was already insecure, using that key does not improve security, because the attacker can simply intercept it, and then use it).

    The hackers who claimed a month ago they intercepted CC numbers between their console and PSN have been able to do that because they were in full control of both the console, and the first part of the network it was connecting through - they added their own trusted CA certificate to the console, then set up a proxy between the console and PSN. The console authenticated to the proxy, and the proxy authenticated to PSN - since the console trusted the proxy's certificate, it could decrypt the data the console was sending, and thus obtain the cleartext. A 3rd party couldn't have done this without somehow inserting his certificate to the firmware.



  •  http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

    "In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

    According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed." The issue was "reported in an open forum monitored by Sony employees" two to three months prior to the recent security breaches, said Spafford.

    Spafford made his comments in a hearing convened by the House
    Subcommittee on Commerce, Manufacturing, and Trade. Sony was invited to
    participate in the hearing, but declined to attend."




  • @El_Heffe said:

    months in advance

    I dunno, considering how glacial big businesses are at updating software (even free software), I would find it more surprising if they were up-to-date on their patches. God knows my employer isn't.




  • Trolleybus Mechanic

    @El_Heffe said:

      http://www.istheplaystationnetworkbackup.info/

     http://ispsnstilldown.com/

     

    Those sites are going to get hammered, and I won't know if the PSN is still down or not.  Someone needs to make http://www.istheplaystationnetworkbackupinfositedown.info

    Also, I can only hope that instead of serving up a static page, each of those sites are trying to log in on each request.



  • @Lorne Kates said:

    Also, I can only hope that instead of serving up a static page, each of those sites are trying to log in on each request.

    Why do that? Much better to check in the background every 5 minutes or so and write the result to a static page.


  • Considered Harmful

    @bgodot said:

    My employee ID? 12345.

    That's amazing. I've got the same combination on my luggage.


  • Trolleybus Mechanic

    @joe.edwards said:

    @bgodot said:
    My employee ID? 12345.

    That's amazing. I've got the same combination on my luggage.

     

    Luggage with combo locks only use a 4-tumbler system.



  •  @Lorne Kates said:

    @joe.edwards said:

    @bgodot said:
    My employee ID? 12345.

    That's amazing. I've got the same combination on my luggage.

     

    Luggage with combo locks only use a 4-tumbler system.

    Maybe in your frozen-turd of a country, but here in America we have luggage with up to EIGHT tumblers. And our top scientists are nearing breakthroughs which will bring us 18, 20, and 22-tumbler systems. (Researchers at luggage maker Hartmann are said to be working on a secret project which will produce luggage with tumblers all the way around the circumference of the piece; it's code-named The Samsonite Killer).





  • @blakeyrat said:

    Sony’s PlayStation, Qriocity Services Remain Shut, ‘Uncertain’ on Restart

    @TFA said:

    Sony is uncertain when it can resume the services [...]

    @TFA said:

    [...] its plan to restart the services fully by May 31 is unchanged [...]

    While these two statements are not technically contradictory, maybe the May 31 planned date should have been in the headline instead of the uncertainty...



  • @SQLDave said:

     @Lorne Kates said:

    @joe.edwards said:

    @bgodot said:
    My employee ID? 12345.

    That's amazing. I've got the same combination on my luggage.

     

    Luggage with combo locks only use a 4-tumbler system.

    Maybe in your frozen-turd of a country, but here in America we have luggage with up to EIGHT tumblers. And our top scientists are nearing breakthroughs which will bring us 18, 20, and 22-tumbler systems. (Researchers at luggage maker Hartmann are said to be working on a secret project which will produce luggage with tumblers all the way around the circumference of the piece; it's code-named The Samsonite Killer).

     

    I never travel anywhere without my Rubik's Valise™!

     


  • ♿ (Parody)

    @Xyro said:

    @Lorne Kates said:
    Also, I can only hope that instead of serving up a static page, each of those sites are trying to log in on each request.

    Why do that? Much better to check in the background every 5 minutes or so and write the result to a static page.

    What fun would that be? Anyways, just checking once probably isn't sufficient. Even if you login successfully, what if the next one doesn't work. How will you know whether or not the PSN Network is really up? Try several times, just to be safe.



  • @da Doctah said:

    @SQLDave said:

     @Lorne Kates said:

    @joe.edwards said:

    @bgodot said:
    My employee ID? 12345.

    That's amazing. I've got the same combination on my luggage.

     

    Luggage with combo locks only use a 4-tumbler system.

    Maybe in your frozen-turd of a country, but here in America we have luggage with up to EIGHT tumblers. And our top scientists are nearing breakthroughs which will bring us 18, 20, and 22-tumbler systems. (Researchers at luggage maker Hartmann are said to be working on a secret project which will produce luggage with tumblers all the way around the circumference of the piece; it's code-named The Samsonite Killer).

     

    I never travel anywhere without my Rubik's Valise™!

    You think that's really going to turn out to be a suitcase when you figure out how to open it?



  •  

    @SQLDave said:

    @Lorne Kates said:


    Luggage with combo locks only use a 4-tumbler system.

    Maybe in your frozen-turd of a country, but here in America we have luggage with up to EIGHT tumblers. And our top scientists are nearing breakthroughs which will bring us 18, 20, and 22-tumbler systems.

     

    And I thought it was only the scientists working at the razor companies that were involved in this kind of madness.


  • @DaveK said:

    @da Doctah said:

    I never travel anywhere without my Rubik's Valise™!

    You think that's really going to turn out to be a suitcase when you figure out how to open it?

     

    Big enough for overnight trips:


     


  • Trolleybus Mechanic

    @SQLDave said:

     @Lorne Kates said:

    @joe.edwards said:

    @bgodot said:
    My employee ID? 12345.

    That's amazing. I've got the same combination on my luggage.

     

    Luggage with combo locks only use a 4-tumbler system.

    Maybe in your frozen-turd of a country, but here in America we have luggage with up to EIGHT tumblers. And our top scientists are nearing breakthroughs which will bring us 18, 20, and 22-tumbler systems. (Researchers at luggage maker Hartmann are said to be working on a secret project which will produce luggage with tumblers all the way around the circumference of the piece; it's code-named The Samsonite Killer).

     

    Wait, are you actually still using luggage that only exists in 3 dimensions? Not that I would lower myself by visiting one of those other countries, but if I did, I'd pack my clothes in my tesseract, then pack it in itself. The latches are kept nestled away in one of an infinite number of parallel dimensions, and can only be reached via a keyfob that contains a quantum-bonded singularity.

    And the airlines will never lose my luggage, because it arrives at my destination a week before I pack it.



  • Sony fucks up again!

    Turns out all you needed to reset your PSN password was your email account and date-of-birth-- two things that just happened to have been leaked after the initial exploit! Bottom-line: anybody who downloaded the leaked data could reset any PSN user's password before they got around to it.

    Way to go Sony!



  • ... they didn't even require an email confirmation? Mind boggling!



  • @Xyro said:

    ... they didn't even require an email confirmation? Mind boggling!
     

    From the article, it looks like they at least tried to require an email confirmation, but it doesn't work properly and lets the password be reset anyway.



  • It looked like the confirmation link was determinable based on the e-mail.



  • @Someone You Know said:

    @Xyro said:

    ... they didn't even require an email confirmation? Mind boggling!
     

    From the article, it looks like they at least tried to require an email confirmation, but it doesn't work properly and lets the password be reset anyway.

    Yeah, it doesn't go into detail, but there was something you could do client-side to either redirect the confirmation email to another address, or (more likely) successfully confirm the change without clicking the link in the email.

    If you read further down, there's a story of a PSN member who received a "verify your password change" email followed directly by a "confirmed-- your password is changed" email, and he never logged into the website nor replied to the first email.

    Edit: Sony calls it a "URL Exploit". The confirmation URL was probably like "sonypassword.com/changepass?user=email@example.com&confirm=true" or something ridiculous.
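
An added example, not part of the thread and not Sony's code: the first function models the kind of confirmation link guessed at above, where nothing in the URL is secret, next to a reset flow whose link must carry a random, expiring, single-use token. The names `weak_confirm` and `ResetService`, the `reset.example` URL shape and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 15 * 60  # constructed value for this example


def weak_confirm(url):
    """Assumed flawed design: the link carries nothing secret, so knowing
    the account's e-mail address is enough to build a URL that confirms."""
    q = parse_qs(urlsplit(url).query)
    return q.get("confirm") == ["true"] and bool(q.get("user"))


class ResetService:
    """Hardened flow: confirming needs a random, expiring, single-use token."""

    def __init__(self, clock=time.time):
        self._pending = {}  # email -> (SHA-256 of token, expiry timestamp)
        self._clock = clock

    def request_reset(self, email):
        # 256 bits from the OS CSPRNG; not derived from e-mail or birth date.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[email] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token  # delivered only to the mailbox on file

    def confirm_reset(self, email, token):
        entry = self._pending.get(email)
        if entry is None:
            return False  # no reset was requested for this account
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[email]
            return False  # link too old
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            return False  # guessed or derived value does not match
        del self._pending[email]  # single use: a replayed link fails
        return True
```

Only the token's hash is stored server-side, so a copy of the pending-reset table does not yield usable links.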



  • @blakeyrat said:

    "URL Exploit".

    This is a funny way to say "we are incompetent".



  • @derula said:

    @blakeyrat said:
    "URL Exploit".

    This is a funny way to say "You thought the original PSN implementation was bad? Just wait until you see our fix!".

    EITFY



  •  According to this story, Sony will bring the PlayStation Store back online May 24.  The timing of that seems a bit suspicious since the world is supposed to end on May 21.


  • Discourse touched me in a no-no place

    @El_Heffe said:

     According to this story, Sony will bring the PlayStation Store back online May 24.  The timing of that seems a bit suspicious since the world is supposed to end on May 21.

    Maybe on the 22nd May, they'll postpone it to Dec '12?



  •  I'm totally bookmarking the site. I wonder if anything interesting's going to happen, but it'll probably just sit in shame without updates.



  • @dhromed said:

     I'm totally bookmarking the site. I wonder if anything interesting's going to happen, but it'll probably just sit in shame without updates.

    I hope the counter will go negative ....


  • Discourse touched me in a no-no place

    @Nelle said:

    I hope the counter will go negative ....
    It'll probably disappear altogether:



  • @Nelle said:

    @dhromed said:
     I'm totally bookmarking the site. I wonder if anything interesting's going to happen, but it'll probably just sit in shame without updates.

    I hope the counter will go negative ....
    Looks like dhromed called it. Still sitting there, counter at 00 days. I wonder how long it'll stay up.

