
IRC chat log of PSN hackers - ssclafani
http://pastebin.com/m0ZxsjAb
======
uxp
This is old. Here is the same pastie, but posted on February 16, 2011
<http://pastie.org/private/97oth9v5tspkiztwwdmnga>

They aren't talking about the PSN Hack that brought down the network this
time, they are going back and forth about how PSN stores the user's CC
information in plain text on the console and that a shady/grey custom firmware
has the potential to skim that information off the hardware and onto a bad
guy's server.

The only slightly frightening thing about this is how they allude to the idea
that this plain text CC information and security codes are transmitted over
plain text, but that information is false. All transactions done between your
PS3 console and the PSN network were done over SSL.

~~~
incant
I don't think "user2" is claiming that the credit card information was sent in
plaintext:

 _normally you ATLEAST enccrypt the securtity code, even if its ssl_

That seems to refer to encrypting the CC security code before sending it over
SSL using public key encryption, which is good practice if you subscribe to
defence in depth. But it's nothing I'd get upset about.

~~~
marshray
Right, it's just how HTML forms work.

------
dsteinweg
They seemed to be concerned about the lack of security they were witnessing,
and they also alluded to "this could be bad in the hands of a spammer".

If this log is real, is it truly the conversation of those that took the data?

~~~
bcrescimanno
I'm with you on all points; however, what I find interesting is that these
guys talk explicitly about the credit card data being available via the path
they took. If these are the same people--or if perhaps it was someone lurking
in the channel--the suggestion is that the technique used would have exposed
the credit card data of these users--despite Sony claiming that they felt it
was unlikely.

I'm not sure there's a lot of "news" to this post; my feeling is that if Sony,
"isn't ruling out the possibility" that my credit card information was stolen,
I'm working under the assumption that it was. I'd encourage everyone else who
was subscribed to PSN to do the same.

~~~
uxp
They only talk about the unencrypted credit card data available to the
console, not to PSN. This chat happened weeks before whoever gained access
into PSN's network. Basically the same thing as pointing out the flaws in
someone storing their passwords in a plain text file on their desktop. It
isn't secure, but you'd have to get access to the single machine before you
could get anywhere else.

I agree. This isn't much for "news".

I am, however, curious on the repercussions of the current hack of other
services tied to the PSN network, like Netflix, that aren't directly gaming
related. Do you think it will make companies give pause to developing
dedicated clients for 3rd party services on game consoles that rely on the
manufacturer of the console to maintain a network outside of the 3rd party's
control?

------
mikle
This is fascinating. As a developer, I enjoy reading such logs and stories. I
like the thought that if you make something good, popular or interesting,
there will be someone that will admire your work, play with it and try to
break it.

------
calpaterson
Could someone please provide a précis?

~~~
tomjen3
Please, there is no reason to use words that most people here don't know.
Plenty of people who frequent HN are non-native speakers of English.

To save others the trouble, calpaterson asked for a _resume_.

~~~
notJim
Jesus, now that we're done with all the pointless bickering about language,
could someone provide a Zusammenfassung? I skimmed it, and saw nichts
interessantes.

~~~
Natsu
Here are the important claims made in the logs:

* They have "decrypted all PSN functions."

* Sony spies on basically everything PS-related (hardware plugged in, games played, etc.) and uploads it. There are "independent checks" and history wipers, etc. don't work. This may only happen when the device is networked. They can detect backups, piracy, etc.

* It sends CC data, etc. via SSL, but leaves unencrypted logs on the HD that contain that data in the URLs visited. It may not have used SSL at all at launch.

* You can modify a few things when you download something from the PSN store to tell it that you should be getting the game for free.

* Sony monitors all messages sent over PSN, may be searching that for keywords.

* Has a big list of censor words that lives on your HD. Checks this list on receipt of a message, not sending. Easy to bypass now.

* Various worries about people creating spam apps with this data.

* Comments indicating that Sony is running old Apache servers with known vulnerabilities internally.

Watching this, I'm glad I don't have a PS3.

~~~
Shadowriver
Most of the stuff that they are talking about requires the user to have CFW in
order to steal. The hardware information is probably for statistical
information, and show me at least one service that doesn't log messages,
especially ones that are hosted in the cloud. And they didn't say anything
about Apache. As long as they've got this in the EULA that you accepted, it's
fine. Best of all, this log has nothing to do with the current situation; it's
normal CFW development talk.

------
eof
<http://pastebin.com/8YNDuFCw>

line 177 fixed for new lines

------
rkon
"#define rand() 4"

Pure genius -- fool the hackers by making your "random" number static, they'll
never guess! Now that PSN users are actually seeing money siphoned from their
debit accounts, it's only a matter of minutes until the class action lawyers
are all over this.

~~~
damncabbage
From the context, this appears to be a joke (see <http://xkcd.com/221/>), not
a serious accusation.

~~~
rkon
It's also a reference to when the PS3 was first cracked, which was possible
because they weren't really using random numbers to generate keys.

So yes, it is a serious accusation that points out their consistently lax
programming techniques when it comes to security.

~~~
mukyu
No.

The problem was that one of the parameters they used in their ECDSA
signatures, k, was the same at least once. This allowed the key to be computed
with simple math, but the generation of the key itself was not the issue.

