
Sony: All personal data stolen from PSN - estel
http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
======
cryptoz
I wonder how many times a company can install trojans on your computer,
destroy your OS's security, secretly watch all your actions, then proceed to
not properly protect your data when you voluntarily give it to them...before
going out of business.

Sony's size and momentum must be pretty crazy. Or maybe it's our society. I
just can't imagine a small record store in the 1960s, after being caught
spying through the bedroom windows of its customers, _ever_ staying in
business.

I feel terrible for anyone caught in this. But maybe, just maybe, Sony isn't
the company to do business with anymore?

~~~
mortenjorck
Don't read this as a defense of the company, but there hasn't really been a
single, monolithic Sony for decades. Sony Music Entertainment, perpetrators of
2005's rootkit debacle, is pretty far removed from Sony Computer
Entertainment, the division responsible for Playstation. Sony Electronics,
makers of TVs, home theater systems, and Walkmans, is another silo, as is Sony
Pictures.

Of course, every act of incompetence under the Sony name tarnishes that name,
and in the marketplace, that's ultimately all that matters.

~~~
wmf
There have been rumors that Sony Music/Pictures has "oh no, piracy!" veto
power over the rest of Sony, though. Either that or every division of Sony
happens to be really DRM-happy.

~~~
watchandwait
Sony Music's meddling is the reason Sony failed to make a successful Mp3
player, all the more remarkable because Sony created the individual portable
music market and dominated it with the Walkman.

~~~
regularfry
Not only that, but they're responsible for the Minidisc's failure. That could
have been a really nice format, but they had to slap a bunch of restrictions
on it.

~~~
wipt
Not only the DRM restrictions, but that they limited manufacturing licenses to
other companies. MiniDiscs are the perfect size and a little more durable
(scratch resistant) imo. It's a shame CDs won out.

------
OmarIsmail
This is a much much bigger deal than the Gawker security breach. Sony had
substantially more information on its users than Gawker could ever hope to
dream of. Specifically information on real names, addresses, and potentially
credit cards.

This is a big F'N deal and I wouldn't be surprised if it cost Sony more than
Microsoft's infamous 1 billion dollar write-down with the Xbox 360's Red Ring
of Death.

I don't think this will kill PSN or the PS3, but it's going to significantly
dent things. I'm curious to see how much media attention this gets and if
we'll see a macro shift towards the Xbox 360 and Wii.

If I was Nintendo and particularly evil I would leverage this opportunity to
tout the new system and emphasize the cutting-edge online modes with rock
solid security. And MS can also talk about their great track record in the
online world.

~~~
Alex3917
"I wouldn't be surprised if it cost Sony more than Microsoft's infamous 1
billion dollar write-down with the Xbox 360's Red Ring of Death."

Banks, colleges, hospitals, and credit card processors do this all the time,
and it doesn't cost them anywhere near a billion dollars despite the fact that
they have vastly more personal information. Sure they usually only have a few
hundred thousand records and not a few million, but even still the idea that
this is going to cost them a billion dollars is absurd.

~~~
_delirium
Numbers I've heard floated for leaks on the smaller scale are around $15-20
per person for post-leak mitigation and damages, which could push near $1b if
the same per-person cost held with this size leak (which it might not). When
my university had some data stolen, their lawyers advised them to buy everyone
a year of some identity-theft insurance/monitoring package, which I believe
cost them around $10 per person just for that.

~~~
thisisblurry
Monoprice did the same thing when they were hacked last year. Two months after
it happened, I got a letter from them with a few papers describing the
identity theft monitoring service I would receive for a year.

------
hebejebelus
There were sixty million[0] PSN accounts. This is impressive, and amounts to
(judging by a quick search) the largest-scale ID (and possibly credit-card)
theft ever [Not so, see child comment]. Not even factoring in credit card
details, the usernames, emails, addresses, ages, passwords, mother's maiden
names, favourite pets, of sixty million people is worth a hell of a lot.

I have to wonder how much data that is, in terms of storage. How could you
even take that without someone noticing?

Hats off to whoever it was. Now, I'm off to change my passwords. Thank Christ
I had the sense not to use a credit card to buy from PSN.

[0] [http://www.derangedshaman.com/2011/01/06/sonys-60-million-
ps...](http://www.derangedshaman.com/2011/01/06/sonys-60-million-psn-users-
means-zero-zilch-nada/)

[edit] On a related note, PayPal refuses to let me change my password to
something longer than 20 characters - or have spaces in my password. Why is
this the case? Surely the only thing that an upper limit on the length of a
password does is help the attacker.

~~~
joeyh
Overestimating 100k per user, it would only be 6 terabytes. And all those low-
entropy passwords etc should compress quite well.

~~~
fragsworth
They would only compress well if you stored them in plaintext...

------
dfischer
[http://psx-scene.com/forums/f177/sony-has-been-bad-boy-ridic...](http://psx-
scene.com/forums/f177/sony-has-been-bad-boy-ridiculous-levels-spying-81093/)

"A well known hacker I don't want to reveal here had all the Sony PlayStation
Network functions 100% decrypted, as well as providing some nice info about how
Sony deals with PSN members' privacy on their online servers.

Apparently, Sony's servers gather everything they can from the PSN-connected
PS3 console. When I say everything, I mean it. Here I make a list of
what they squeezed from the IRC chat log conversation between the hackers.

 _Sony monitors all messages over PSN._ All connected devices return values
sent to the Sony server: TV, firmware version, firmware type, console model.
_They also collect data on your USB attached device._ Credit card sent as
plain text, example:

creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20

*The best part of all, the list is stored online and updated when you log in
to PSN and at random.

But, that’s not all, with the PSN functions fully decrypted, this hacker can
use the function to get all games, DLC, you name it, from PSN store without
paying anything."

~~~
swaits
> Credit card sent as plain text

This was debunked. It's encrypted on the wire.

~~~
Natsu
What's your source on that?

~~~
swaits
It's talked about right in these very comments:
<http://news.ycombinator.com/item?id=2487412>

The data is POSTed over SSL. C'mon, do you _really_ think Sony sends credit
card data across the wire in plaintext? If so, it would have been discovered
the day the PS3 launched, like five years ago. And, its discovery wouldn't
have required any system hacking, as described above. Is it amateur hour here?

------
norova
FTA: _we believe that an unauthorized person has obtained the following
information that you provided: ...PlayStation Network/Qriocity password and
login..._

I'm curious if this means they store everyone's password in plain-text, or if
by "password" they really mean a hash of some sort.

~~~
rhizome
Frankly I'm more concerned with their words about changing credit cards if
you've made a purchase through PSN. This seems to be an admission that they
were storing CC#'s in plain text.

~~~
ak217
How do you use stored credit card info if the cc# is not stored?

Unlike passwords, the encryption for the cc#s has to be reversible. That's
part of the reason why they introduced CVCs, right?

~~~
jimktrains2
You could at least have them encrypted on disk with a key only stored in
memory, i.e. loaded when the system is turned on. Alternatively, a dedicated
crypto device where you feed it ciphertext and it gives you plaintext would
also help, as the attacker wouldn't be able to get the key (even if they have
the physical box, for good crypto devices).

While only marginally better depending on the type of attack and permissions
gained by the attacker, if all they got was static data on disk, then it would
be secure.

~~~
cookiecaper
And what if that server needs to be rebooted some day? What if there's a
hardware failure and it has to be powered off?

Something as big as PSN has multiple servers reading the same DB and must be
able to tolerate failures without forcing everyone to re-enter their CC #. The
keys must be stored persistently somewhere.

~~~
tzs
What we do where I work is take the newly generated key whenever we key or
rekey the system, split it into multiple pieces using Shamir's secret sharing
algorithm, and those pieces are distributed to several people.

Whenever the server needs to be started, two of those people must enter their
key shares. That enables the server to reconstruct the key, which is then
stored in memory.

------
mrcharles
This seems like a really big argument for never allowing your data to be
stored by a 3rd party.

Does anyone see any reason why these companies should do anything other than
store the data locally on your system, encrypted/obfuscated, and then only
ever send once, via encrypted connection, and then immediately delete the info
remotely?

I mean, if someone breaks in to my house and steals my PS3, they already have
access to all of that information.

~~~
falcolas
Much of ecommerce would go down the drain, if they got rid of remote storage
of your details. No recurring billing, no "One-Click", no address books,
etc...

~~~
_delirium
It should at least be an _option_ for me not to store it, if I prefer not to
use "one-click" and similar features. I understand why stores prefer to save
the information without giving me a choice (reduces friction for future
purchases), but I'm not sure that's a good enough reason given the prevailing
security track records.

Either that, or perhaps there could be statutory penalties for data breaches.
For example, if there was mandatory compensation of, say, $100/person for a
data breach, companies might be incentivized to better think about whether
they really need to store this data, and whether they're storing it safely.

~~~
dedward
Online retailers who handle their own CC processing tend to keep credit card
information around if only for fraud/chargeback tracking in the future - being
online opens you up to massive abuse if you don't keep it in check.

A big player like sony should have been complying with PCI standards - but
from what I've seen, that's not so difficult to pass and then forget about -
people take shortcuts - and how many companies out there have ever had their
processing revoked for NOT complying with PCI? That would be an interesting
statistic.

~~~
falcolas
From my experience, PCI compliance does not require that you have everything
perfect, as long as you have a plan to fix your deficiencies.

And as an employee at a couple of PCI compliant shops, I can attest that even
full PCI compliance still leaves a lot of holes (enough that some
organizations have formed their own compliance exams above and beyond PCI).

------
dman
Holy Cow! This has to be one of the most serious breaches I remember in recent
times. While I don't work in security and my security foo is weak, it appears
that they did not have a strong layered security apparatus in place? Is it
just a coincidence that this breach and geohotz exploit happened around the
same time?

~~~
orangecat
It really looks like the PSN architecture assumed that the clients were
trustworthy. If so, that's an epic Security 101 fail.

~~~
marshray
And they used the same servers for development as for production. Isn't that
non-PCI-compliant?

~~~
brown9-2
What is the source for the claim in your first question? I don't see this
mentioned in the linked post.

~~~
marshray
I got this link from Slashdot:

[http://www.reddit.com/comments/gx6o4/im_a_moderator_over_at_...](http://www.reddit.com/comments/gx6o4/im_a_moderator_over_at_psxscenecom_the_real/)

But don't hold that against me. :-)

I clicked around a bit in the linked psx-scene forums and it looked like there
was a decent basis for it.

------
ares2012
So it is as bad as we feared. The only silver lining I can see is that Sony
made the difficult business decision to turn off the network until they were
sure it was secure. While that doesn't make me feel better as a PSN user I do
respect their honesty and commitment to fixing it.

Time to get a new identity! =)

~~~
Timothee
_Time to get a new identity! =)_

That's what I was thinking: in most cases of user accounts being compromised,
the solution is "change your passwords on this and other sites". Here you need
to change your birthday, cancel your credit card, move out, change your name…
kind of a hassle.

~~~
there
no problem!

<http://www.fakenamegenerator.com/>

~~~
nitrogen
How do they claim to own the MX for example.com? Aren't the example.* domains
supposed to be reserved?

~~~
xp84
From the "click here to use it" page: "Fake Mail Generator changes the domain
frequently in order to prevent the address from being banned, a problem which
plagues other disposable email services."

Sounds like they added "example.com" into the list by mistake... It has no MX
from what I can tell.

------
famousactress
_These malicious actions have also had an impact on your ability to enjoy..._

Interesting. Is it not fair to also say the _negligent_ actions that made
these malicious ones _possible_ had an impact?

I'm completely sick of the way these press releases sound.

~~~
keithburgun
Reminds me of 9/11 and no one in government taking any responsibility. Except
Richard Clarke.

------
maximilianburke
I'm disappointed but not surprised. When I had to change my password a few
months ago on the Sony developer's network site I was told that my new
password was too similar to the last ones. I was wondering how they knew that,
aside from storing the passwords in plain-text, something I'd assume they'd be
too smart to do.

I guess I gave them too much credit.

~~~
phaylon
Genuine Question: They let you change your password without having you supply
the old one?

~~~
jimktrains2
Password reset link?

~~~
phaylon
That might explain it.

------
redthrowaway
"Although we are still investigating the details of this incident, we believe
that an unauthorized person has obtained the following information that you
provided: ... PlayStation Network/Qriocity password and login,"

Seriously? Even Sony is keeping passwords in plaintext? There wasn't a single
competent person involved in the design of PSN who might have mentioned that
was a terrible idea?

~~~
AndyKelley
It could be that they simply obtained a hash and salt, from which it is still
possible to obtain plaintext.

------
moondowner
Notice how they never apologize? The closest thing to apology, but it's not an
apology, is:

> "We thank you for your patience as we complete our investigation of this
> incident, and we regret any inconvenience."

Sony apologizes only to Chuck Norris.

~~~
jswanson
The Japanese announcement is full of apology:

"Since April 21, 2011, the outage of PlayStation®Network and Qriocity™ has continued, and we deeply apologize for the great inconvenience caused to our customers and all parties concerned."

(Original Japanese: "2011年4月21日よりPlayStation®NetworkおよびQriocity™の障害が継続しており、お客様および関係各位に多大なるご迷惑をおかけしておりますことを深くお詫び申しあげます。")

Which is a polite and flowery way of apologizing for the ongoing interruption
of service.

<http://cdn.jp.playstation.com/msg/sp_20110427_psn.html>

~~~
moondowner
True, they are different probably because this (the Japanese announcement) is
from Sony Corporation, and the link in English is probably from Sony
Corporation of America.

~~~
ramchip
In Japan lawsuits are less common, and an apology is expected even if it's not
your fault, so it shouldn't hurt their legal defense if they apologize. I
think it won't be interpreted as an admission of guilt like it could be in
America.

------
aeontech
Does anyone else find it odd that they "strongly recommend that you log on and
change your password" instead of just force-resetting everyone's password and
sending them an email with an activation link? Out of 60M subscribers, I'm
certain that a large proportion will never see this message.

~~~
thenduks
Agreed, not only that but you _can't even login right now_, so in another
week all 60M users are supposed to remember to go and futz around with the
PS3's clunky account UI to change their password?

Personally, I have a couple passwords in use for low-risk services (like PSN)
and just went and changed all my _other_ passwords :)

------
unexpected
This is unreal. What bothers me the most, is that when this happened to me one
time before, that particular company paid for a year of credit monitoring
services.

In this case, Sony is too cheap to do even that, pointing you towards where
you could download your credit report online. Ridiculous.

~~~
marshray
It's too soon. I don't think anyone knows what Sony's going to end up paying
here (Sony included).

------
parfe
What the hell Sony? I just tried logging into
<http://us.playstation.com/psn/playstation-home/> the SSL connection to
<https://store.playstation.com> gave Error code: sec_error_unknown_issuer.

It's like you're actively trying to make me never trust you again.

~~~
marshray
Looks OK in my Firefox, says it's signed by Comodo UTN-USERFirst-Hardware.

I am not making this up.

~~~
gedaxiang
Isn't Comodo the CA that was compromised recently?

~~~
marshray
Yep, through the usertrust sub-CA even.

[https://blog.torproject.org/blog/detecting-certificate-
autho...](https://blog.torproject.org/blog/detecting-certificate-authority-
compromises-and-web-browser-collusion)

------
dman
Funnily enough the stock doesn't seem to have moved at all as a result of this
news - <http://www.google.com/finance?q=sne>

~~~
Mrdev4
Funny, Jim Cramer's thestreet.com upgraded it from hold to buy on the 25th.

[http://www.thestreet.com/story/11093134/1/sony-
corporation-s...](http://www.thestreet.com/story/11093134/1/sony-corporation-
stock-upgraded-sne.html)

~~~
Mrdev4
I suspect Sony's stock is getting hammered tomorrow, and the lack of an official
email to PSN users makes me think it's gonna be more bad news.

------
jasonneal
How could they have gained access to passwords? Do they mean, rather, gained
access to your secure password hash, or did they simply store passwords in an
unencrypted format? Being a member of PSN, this has me concerned. I'm making
it a point to change all of my security questions and passwords all throughout
all websites I use.

~~~
marshray
Not as easy as it sounds. You wouldn't believe the reaction I got from Mom
when I asked her to change her maiden name.

~~~
joeyh
Makes me wonder how many people just punch in "Maiden".

Of course those security questions are nearly useless anyway.

------
michaelchisari
So how do we sign up for the class action lawsuit?

~~~
rorrr
You can do it right here. All you need is what, 30 people to get the class
action status.

------
wilschroter
I can't even begin to fathom the magnitude of this considering how many people
likely use the same login credentials for all of their sites.

The problem you run into is that communicating both the nature of the breach
and convincing people to respond accordingly is incredibly hard.

This will continue to happen across many sites. I think after enough of these
breaches, though, people will start to think about the protection of their
online identities a lot differently, which is good, albeit at a painful cost.

~~~
Florin_Andrei
This is a good time to purchase a password-vault app - AND USE IT!

~~~
Florin_Andrei
Okay, I see KeePass and Password Gorilla recommended here in the other
replies. I use KeePass actually, and I've seen PGorilla. But I'd like
something that is integrated with the iPhone - and works with Linux and
Windows too.

There's an app called Strip that looks pretty good. I'm listening to other
suggestions.

~~~
jcnnghm
I've used LastPass since the Gawker breach. It works with iOS and
automatically syncs password databases across all browsers and mobile devices.
I've been very happy with it thus far.

------
dirtbox
Interesting fact for the day: 75 million accounts is a new world record for
information theft.

------
Splines
It's too bad we don't know what's going on inside the sausage factory. It'd
make for a very interesting post-mortem.

------
estel
Giant Bomb is reporting that passwords are supposedly secure (of course, "no
way" is clearly false), so I'm guessing there's at least a decent salted hash:
[http://www.giantbomb.com/news/good-news-psn-back-maybe-
withi...](http://www.giantbomb.com/news/good-news-psn-back-maybe-within-a-
week-bad-news-everything-else-updated/3084/)

~~~
seiji
Salt is bad for you: <http://news.ycombinator.com/item?id=1209254>

~~~
cookiecaper
Salted hashes are better than unsalted hashes.

~~~
seiji
Against a GPU that can calculate five million hashes per _second_ your salt
isn't worth the paper it's printed on.

~~~
jbri
I don't know about you, but personally I think "crack one person's password in
one day" is a much better situation than "crack everyone's password in one
day".
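jbri's point is the whole argument for per-user salts: without one, a single hash computation per candidate password tests every stored record at once, and the tables can be precomputed and reused; with one, the work multiplies by the number of users. The following is an added example, not code from any of the commenters or from Sony: a per-user salted PBKDF2 store with a verify function, plus a cost model that turns the thread's figures (5 million hashes per second, 60 million accounts, and an assumed 1-million-word list) into hash-evaluation counts. The iteration count and salt size are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to the hardware you run on.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store for one user. A fresh random salt per user
    means two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hash_evaluations_for_wordlist(num_records: int, wordlist_size: int, salted: bool) -> int:
    """Cost model behind the thread's argument. Unsalted: each word is hashed
    once and that single result is compared against every record (and such a
    table can be built once and reused). Salted: each word must be hashed once
    per record, under that record's salt, so the work grows with the user count."""
    return wordlist_size * (num_records if salted else 1)


def seconds_at_rate(hash_evaluations: int, hashes_per_second: float, iterations: int = 1) -> float:
    """Wall-clock estimate; `iterations` scales the figure for an iterated scheme
    such as PBKDF2, where one guess costs `iterations` underlying hashes."""
    return hash_evaluations * iterations / hashes_per_second


if __name__ == "__main__":
    # Constructed figures: the comment's 5 million hashes per second, an assumed
    # 1-million-word list, and the thread's 60 million accounts.
    rate = 5_000_000.0
    for salted in (False, True):
        n = hash_evaluations_for_wordlist(60_000_000, 1_000_000, salted)
        print(f"salted={salted}: {n} evaluations, "
              f"{seconds_at_rate(n, rate):.0f} s of raw hashing, "
              f"{seconds_at_rate(n, rate, ITERATIONS):.3g} s with PBKDF2")
```

The cost model is what separates the two quoted outcomes: the unsalted case takes the same time whether there is one record or sixty million, while the salted case scales linearly with records and the iteration count scales it again. The salt does not protect an individual weak password, which is seiji's point; it stops one pass from covering everybody, which is jbri's.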

------
blhack
Wow this sounds really really bad. As much as I dislike sony's actions in the
Geohot case, and as much as "this is what you get for failing at security", I
feel pretty bad for them right now (and even worse for all of their customers)

>To protect against possible identity theft or other financial loss, we
encourage you to remain vigilant, to review your account statements and to
monitor your credit reports.

>We have also provided names and contact information for the three major U.S.
credit bureaus below. At no charge, U.S. residents can have these credit
bureaus place a “fraud alert” on your file that alerts creditors to take
additional steps to verify your identity prior to granting credit in your
name.

~~~
r00fus
I fail to see why Sony should be pitied, unless the details of the attack are
laid out, and Sony shows that it was following good security practice.

I see neither disclosure happening any time soon.

~~~
blhack
It's probably too much of my mother and not enough of my father, but I can't
stand watching people fail, no matter how much I hate them.

I _hate_ sony, but I still feel bad for them.

------
sdkmvx
They say passwords were stolen. This must mean they are not properly hashing
passwords with salts stored outside of the database.

How many times does this have to happen before people realize that passwords
are never to be stored in plaintext? The only exception is a client-side
program that needs to log you in and in an ideal world that would be handled
by a Kerberos-like ticket system.

~~~
marshray
_They say passwords were stolen. This must mean they are not properly hashing
passwords with salts stored outside of the database._

It could also mean that the attacker was in a position to observe the
plaintext supplied by the user after it was decrypted (from SSL) but before it
was authenticated (with a password hash algorithm).

Or it could be that they're just not being too particular about the details,
on the side of being overly conservative.

------
ams6110
I think that what we're seeing here is evidence that there's just too many
ways to screw up handling personal information on line. The sane stance is to
now assume that any profile you provide to any website will eventually become
public, and proceed accordingly.

------
igorgue
I like the first comment on the post:

"Hope it come back quickly"

And ultimately that's what people care about; most of them already share that
information via Facebook for FREE. The funny thing is that we already get spam
delivered to our homes in the shape of publicity.

About the credit cards, these days most credit card issuers have pretty good
security so they'll let you know and block your credit card if people used it
in a weird way and believe me, I was a "victim" a couple of times already and
it works very well.

I join the 1st commenter. I won't be changing my credit cards because of this
and I just care about playing my online games again... really, I already got
bored of Gran Turismo and Final Fantasy offline ;-).

------
rhdoenges
This brings back memories of the Gawker breach, but Sony seemed so much more
legitimate. It can happen to the best of companies, I guess. This is the worst
security hack I've ever witnessed.

This spells for Sony, yes, but even worse for the uncountable people whose
credit card numbers just got nabbed. One hacker on the loose...

The worst part is that this public breach is only a single event. All the
companies that have our information _could_ be hacked and Sony is only a
visible example. It's similar to the BP oil spill: what other oil companies
weren't running tight rigs? The disasters happened to BP and Sony, yes, but it
is a reflection on their industries.

------
rbanffy
While it's a big deal, let's be reasonable with our expectations of privacy.

I know my street addresses, home and work, my e-mail addresses, significant
URLs, credit cards, expired credit cards, buying habits, posts, messages,
family relationships (mother, wife, ex-wife, kids, ex-girlfriends) etc are
stored in a lot (probably more than a hundred) places. I have no expectation
all that data will be kept secret for any length of time. I seriously doubt
much of that data could be kept from a dedicated googler with lots of free
time, much less from a determined criminal who wanted that data.

------
kristopher
This appears to have affected Sony in Japan as well.

It is interesting how this announcement differs from the Japanese
announcement[0]. Japanese people are so paranoid about their identity that
this cannot go well for Sony in Japan.

It does not seem like Sony is preparing people for any sort of identity theft
in Japan other than calling the card companies. They apologized and remarked
at how they are gearing-up to better protect their users when the service
reopens.

[0] <http://cdn.jp.playstation.com/msg/sp_20110427_psn.html>

------
chrischen
Any idea who's behind the data theft? I'm much more interested in that...

~~~
romland
The REAL anonymous.

~~~
Raphael
Well any criminal would not want to be identified.

------
neilalbrock
Frankly I'm in shock. That a company as large and experienced as Sony would
allow this to happen, well it beggars belief. The contempt shown to customers,
not just by Sony but by other large tech companies (I'm looking at you Apple)
is disgusting.

I choose not to be part of Facebook because I'd rather they didn't know every
detail of my life. Now I have to consider if I want to use products from Sony
because of concerns that they can't even protect my private data, which they
force me to give them in order to use their services.

Unbafuckinglievable.

------
idheitmann
For many folk who may not use PSN much or recently, the first concern I
imagine would be to recall whether they ever provided Sony with the most
sensitive things on that list.

A quick gmail search tells me that they had my mailing address and full name,
but I have no idea if I ever gave them my CC or DOB or SSN or Gitmo prisoner
bar code or whatever else.

I'm glad I use lastpass because I have a nice list of sites to update password
info, but I imagine this process is going to take quite a while. Too bad I
repeated that password so many times.

------
millerc
I haven't seen this point mentioned anywhere yet, but...

How many of you are willing to bet Sony will use the intrusion as an argument
for material damages in court against GeoHot, somehow linking his exploit with
the mode of intrusion?

This is pure speculation of course. But I'm willing to bet serious money that
Sony's "outside, recognized security firm" has been "requested (hint-hint,
wink-wink)" to be on special lookout for any sign the exploit was a vector for
the intrusion.

------
gorm
> For your security, we encourage you to be especially aware of email,
> telephone, and postal mail scams that ask for personal or sensitive
> information.

Am I the only one reacting to this? It's like they make it sound like YOU need
to take care when they are the ones to blame.

Same with Skype on Android when they sent you a message telling you that
YOU should be careful installing software because they had made a security
hole for that software.

~~~
danparsonson
I think what they mean is that the information harvested may now be used to
perpetrate such scams - imagine receiving an email specifically addressed to
you, containing information that you thought only Sony knew about. Would be
pretty convincing (and people fall for less convincing emails all the time).
Or a phone call? "Hi it's Bob from PSN here, we need to update your account
with new card details following the recent security breach" etc.

------
nwatson
This is case-in-point for centralized log-archival-and-analysis tools like
SenSage. No matter how secure you make your infrastructure, in situations like
this you want evidence of all activity on your networks, computers, DB's, app
servers, apps, etc. Storing log data related to this activity can consume
petabytes over a multi-year span.

I don't know what kind of forensic tools Sony's using, hopefully they have
something like SenSage.

------
alexknight
While I don't know the details of how this happened, it's a sure fire bet that
they were not doing something right when it came to securing their
infrastructure. How many times have we heard of big name companies running un-
patched operating systems and SQL databases or even weak passwords? From the
consumer end, this really sucks. Especially if their personal data was
compromised.

------
Osiris
I'm just glad I got my Steam PC code from my Portal 2 disc activated just
before PSN went offline.

------
Hominem
I haven't really been following this but there have been rumblings all week
that a hacked firmware was released that allowed anyone who installed it, and
twiddled with some other things, access to the PSN development and testing
network. Anyone know more?

~~~
kmfrk
There was a reddit thread on this that explains the gist of it:
<http://news.ycombinator.com/item?id=2482679>.

------
pdenya
"We greatly appreciate your patience, understanding and goodwill" - I'm all
out of good will for Sony. I already canceled the credit card I had on file
with them, hopefully nothing happens with my personal info.

------
touchstone
an interesting update: [http://torrentfreak.com/playstation-network-shut-down-
to-end...](http://torrentfreak.com/playstation-network-shut-down-to-end-
piracy-free-for-
all-110426/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Torrentfreak+%28Torrentfreak%29)

------
tibbon
Any idea if they properly Salted/Hashed the passwords, or if they just stored
everything in the plain?

------
gildur
Well, seeing it from a positive perspective, I did (finally) get the password
changed on some sites =)

------
vipivip
Sad day, what's next for playstation owners Sony?

~~~
marshray
Ordinarily I'd just say reformat it and install Linux, but....

~~~
vipivip
Linux installation is a piece of cake to the HN audience, but a nightmare to
normal people.

~~~
ilconsigliere
Sony yanked linux support from PS3s after thousands of users had already paid
for it. Tally that in the "Reasons to no longer support Sony" column.

~~~
chrischen
Somewhat untrue. You could still use linux, but just not in combination with
continued (free) PSN access.

~~~
marshray
That was the theory anyway. Now we don't have PSN access either.

We kept the family PS3 patched-up in good faith. Is there now a reasonable way
for me to install Linux?

Seriously, the kids are probably moving to Xbox and I have some supercomputing
I'd like to do.

~~~
ra
I'd like to know this too... I assume that now the keys have been discovered,
PS3 should be fully retaskable?

------
rickdale
That's ridiculous. Sony should feel in debt to their customers for such a
security breach. I hope they catch the people responsible and give them jobs!

------
lotusleaf1987
Thanks for waiting a week to tell me my credit card info has been stolen Sony.

I am not a big fan of MSFT usually, but the next time I am buying a console
I'm not buying a PS4.

~~~
ansy
The article says there is no evidence credit card information was accessed.

~~~
wewyor
It also says it might have been, which is much more worrying to me than the
lack of evidence, because before this Sony had no evidence that their network
was compromised.

This whole thing seems like a great example of incompetence.

~~~
ansy
This compromise happened DAYS ago. Google was hacked by China in mid-December
2009; they didn't publicly announce what happened until January 12, 2010. What
started to look like a harmless intrusion turned into compromised gmail
accounts turned into a highly sophisticated attack on Chinese dissidents
turned into a full scale assault on their infrastructure. People were still
figuring out the extent of that attack a couple months later.

While this is a bad security breach, if you follow security news at all you'd
know computer security is a joke. The Rustock botnet operated for FIVE years
with impunity on as many as 2.4 million rooted machines. People didn't even
know they were owned; their computers worked perfectly fine like nothing was
wrong. Every system at pwn2own gets owned in seconds and you can bet the black
hats were there first. Everyone gets compromised. The only thing stopping a
crippling cyber attack is whether someone feels it is beneficial to do so.

I do not especially fault Sony for this. Google gets hacked. Microsoft gets
hacked. The NSA gets hacked. The DoD gets hacked. JP Morgan Chase gets hacked.
Just add another multi-national to the list. It's a systemic problem that
nobody really cares enough about nor can we do much about it if we did care.

EDIT: Just to give you another idea of how screwed we are from a security
perspective. To paraphrase George Carlin[1], some programmers are really
stupid. Did you ever notice how much stupid software you see? Think of how
stupid the average programmer is, and realize half the programmers are
stupider than that. And that bottom half? They probably work in IT, managing
over engineered address books and accounting ledgers of the world while
smarter people worry about cooler problems.

[1] <http://www.youtube.com/watch?v=8rh6qqsmxNs>

~~~
daeken
Being a security guy, I agree that no amount of planning and intelligence will
keep out a significantly determined attacker. _However_, this doesn't give
you carte blanche to not think about security. All the evidence presented
around this shows that they simply didn't make it difficult at all; as soon as
the console fell, so did their system. They seem to have violated every rule
in security. That is simply unacceptable.

It's one thing to be attacked by determined people and fail eventually --
given enough time, everyone does -- but it's a completely different matter to
give the keys to the castle to anyone with a rooted PS3.

------
rkon
Payback for GeoHot or what? Haven't heard anything about the source of the
attack since the DDoS that Anonymous took credit for...

~~~
retroafroman
Anon actually didn't do the DDoS attack. From the press release: "For once we
didn't do it"

[http://anonnews.org/?p=press&a=item&i=848](http://anonnews.org/?p=press&a=item&i=848)

~~~
elliottcarlson
Quoting Anonymous on their involvement is a moot point. The lack of hierarchy
and completely radical differing opinions of members within the "group" allows
for confusion and varying ideologies. Since a press release, in the mindset of
Anon, is released by an individual or a group of individuals, they may not be
aware that a separate member did perform the hack. In the end no one really
knows until someone pretty much steps forward.

~~~
xp84
Quoting Anonymous on their involvement is a moot point.

a moot point? moot? really? I like your choice of words. Heh.

------
unwantedLetters
If someone has had their data stolen, are there any steps that they can take
to ensure that they are not fleeced or does this mean that it's only a matter
of time (or perhaps luck)?

~~~
wmf
Change your credit card number and password; everything else is information
that is already known.

------
shareme
Japan Nuke Apology Two..same delayed response, same non-statement, same lack
of transparency..

Where is Godzilla to stomp Sony's ass when we need him?

------
GrandMasterBirt
Wait, "Password" was stolen? WTF they store unencrypted passwords?!?!?!!?! I
sure hope they meant password hashes otherwise upset many people should be.

~~~
nuclear_eclipse
Even if hashes are stolen, you should consider the original password stolen as
well, because it's only a matter of time and effort to brute force the
original password from the hash. Even if you use a really good password with a
really good hash (like bcrypt), it still doesn't mean that they can't find the
password, just that it will take more time to do so.

~~~
derobert
A really good password with a really good hash takes more time for values of
time far exceeding any human's lifespan.

Assuming a 10-character random alphanumeric, that'd be 62¹⁰ possibilities (26
uppercase + 26 lowercase + 10 numbers = 62). Even given an insanely fast
bcrypt of 1µs, that's over thirteen thousand years to get to a 50% chance.

Now, if your hash is a bad one, say MD5, then you're in trouble. GPUs could
brute force that ten-character password within a year.

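The following is an added example, not code from the thread or from Sony: it shows the salted slow-hash storage tibbon asks about above, alongside the unsalted MD5 that derobert warns against, and reproduces derobert's 62¹⁰ brute-force estimate as a function so the numbers can be checked. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for the slow, salted hash; the iteration count, the record format and the guessing rates in the usage section are assumptions chosen for illustration, not figures from the page.

```python
# Added example (not part of the original thread): salted slow-KDF password
# storage, the unsalted-MD5 anti-pattern, and a brute-force cost estimate.
import hashlib
import hmac
import secrets

# Assumption: tune so one hash costs tens of milliseconds on the login servers.
PBKDF2_ITERATIONS = 200_000
SECONDS_PER_YEAR = 365.25 * 86400


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per user means two users with the same password get
    different records, so a cracker cannot reuse work across accounts.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so response timing does not leak digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The 'just store a hash' pattern derobert calls bad: no salt, fast hash,
    and identical passwords produce identical hashes across the whole table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def years_to_half_keyspace(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected years until exhaustive search has a 50% chance of hitting one
    uniformly random password of the given length at the given guessing rate."""
    keyspace = alphabet_size ** length
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    # Same password, two users: salted records differ, unsalted MD5 does not.
    print("salted records equal:", hash_password("hunter2") == hash_password("hunter2"))
    print("md5 equal:", unsalted_md5("hunter2") == unsalted_md5("hunter2"))
    # derobert's figure: 62^10 at 1 microsecond per bcrypt -> about 13,300 years.
    print("bcrypt @ 1e6/s:", round(years_to_half_keyspace(62, 10, 1e6)), "years")
    # Assumed GPU MD5 rate of 1e10 guesses/s, for comparison only.
    print("md5 @ 1e10/s:", round(years_to_half_keyspace(62, 10, 1e10), 2), "years")
```

The estimate function deliberately models only exhaustive search over a uniformly random password; real cracking of human-chosen passwords with wordlists and rules finishes far sooner, which is why a salted, deliberately slow hash buys time but does not substitute for changing the password once the database is out.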
------
edtechre
"Wait, ENCRYPT credit numbers? I thought you said decrypt!"

------
benhebert
Poor Sony.

------
D3lt4
Damn it, Sony.

------
touchstone
I think a lot of us are missing the big picture; thankfully not Tgebbs (see
comment 22).

------
allending
"+ OreoPoptart on April 26th, 2011 at 12:58 pm said: JUST STOP! FIX THE GOD
DAMN PSN FIRST THEN POST THIS CRAP UP GEEZ"

Heh.

------
guelo
We've seen several examples recently of Japanese corporate culture's secrecy
and lack of candor. Toyota, the TEPCO nuclear plant and now Sony: the same
pattern of not wanting to admit to the problem. I wouldn't bet on their long
term competitiveness.

~~~
wmf
I think corporate ass-covering is pretty pan-cultural. See RSA's recent "we're
answering every question other than the one that everyone is asking" PR about
the SecurID thing.

~~~
yuhong
I know, there was a previous article on the cover-up culture that once made it
to the top at HN.

~~~
alecco
For the lazy

<http://news.ycombinator.com/item?id=2088469>

