I wonder how many times a company can install trojans on your computer, destroy your OS's security, secretly watch all your actions, then proceed to not properly protect your data when you voluntarily give it to them...before going out of business.
Sony's size and momentum must be pretty crazy. Or maybe it's our society. I just can't imagine a small record store in the 1960s, after being caught spying through the bedroom windows of its customers, ever staying in business.
I feel terrible for anyone caught in this. But maybe, just maybe, Sony isn't the company to do business with anymore?
Don't read this as a defense of the company, but there hasn't really been a single, monolithic Sony for decades. Sony Music Entertainment, perpetrators of 2005's rootkit debacle, is pretty far removed from Sony Computer Entertainment, the division responsible for Playstation. Sony Electronics, makers of TVs, home theater systems, and Walkmans, is another silo, as is Sony Pictures.
Of course, every act of incompetence under the Sony name tarnishes that name, and in the marketplace, that's ultimately all that matters.
> every act of incompetence under the Sony name tarnishes that name, and in the marketplace, that's ultimately all that matters
As it should. When these companies merge, buy other companies out, or execute reverse takeovers, there's always talk of "brand synergies" and all of the business advantages of having one set of products associated with another. There's absolutely no reason why that particular sword shouldn't have two edges to it.
Not only the DRM restrictions, but that they limited manufacturing licenses to other companies. MiniDiscs are the perfect size and a little more durable (scratch resistant) imo. It's a shame CDs won out.
Sigh. The CDs said "Sony." That means "Sony" is the party responsible for the rootkit. The goodwill (or lack thereof) accrues entirely to Sony.
As a consumer, I'm not the least bit interested in a detailed breakdown of the corporate structure. Sony pays brand managers very well to encourage me to think of it as a single monolithic company, and I'm happy to oblige.
You sigh too quickly. The CDs said "Sony BMG." The merger with BMG was in March of 2004 and the rootkit was in 2005. The reason you associate it with Sony corporate and not Bertelsmann (of Bertelsmann Music Group) is because reporters are lazy and shorten the name of the company to just Sony. Maybe Germans were boycotting magazines because that was the part of the name familiar to them. I don't recall that.
It's fair for you to say you're not interested. However, if you're going to try to boycott a company to punish them for their behavior, being aware of exactly who is responsible is a good place to start.
Bertelsmann was just as aggressive with music protection. They had to issue replacement CDs that had anti-rip software to annoyed customers in 2001 for instance. The executive in charge at the time of the fiasco came over to Sony BMG from Bertelsmann.
I worked closely with some of the people involved in it at Sony BMG. One lesson I took away from it all was that even though it was a 50-50 merger, Sony had way more name recognition and therefore more on the line. As you said, they benefit from the goodwill disproportionately and they also took the brunt of the PR damage.
Nothing much. In his defense, he's also been in charge as the industry has moved away from DRM. The music labels view computer technology as just a hammer in the toolbox. If they have a better option, they go to that.
I know, right? Reading through the comments on that post, the "you should have told us this last week" comments are just about balanced out by the "why are you wasting time with this instead of getting the PSN back online" comments.
Kids don't give a shit. Privacy is crap, they got their penis pictures on facebook. They want their fucking video games.
People playing games all day don't give a shit. They want their fucking games, stfu privacy and get moar kof33 and fucking get this shit online.
People with money to lose care. They care that their information is stolen because that could lead to their money being stolen.
People who know the value of information care. That's few people though, since Facebook exists.
At the end of the day people are willing to talk shit, but when it comes to action that is a different story. How many people were so against EA's rootkits, but how many actually boycotted? Same with Apple? And now it's the same with Sony. Nobody will do anything. Nobody will boycott; the company will just shrug this off as an "oops".
Oh noes, some people value different things than me how dare they.
Let's be all elitist and imply "kids" don't know the value of information, whatever that may be. More like they know the information PSN had on them didn't matter (some nickname and email). And yeah, they want their games online; that's why they paid for a PS3 and multiplayer videogames after all. And Sony promised online multiplay.
Even if PSN didn't collect any financial information a breach of usernames and passwords is a big deal. As the Gawker hack has shown us, people tend to use the same usernames and passwords across many different websites. You can argue that this is the user's fault, but it doesn't matter. They'll still blame you when their bank account gets hacked.
In this case, though, there are indications that financial data was disclosed. PSN (just like Steam and XBox Live) collects financial data to allow for online game purchases. Disclosure of that information is quite a serious matter. Yeah, the "kids" playing might not care about their PSN account, but the parents who enter credit card information to buy their kids games sure will.
A poorly made argument does not automatically render the conclusion false.
If you care enough about information then sony being compromised shouldn't be a threat to you. How come no one is talking about Anonymous' role in this? Unless you are a Sony exec you shouldn't be too concerned about anything but finding another device to watch netflix on.
Mm was nearly fully Sony-funded pre buyout. Sony put a lot in to start that studio and also published LBP1, so it's not horribly surprising that they acquired them once it was revealed that Mm would be more than an indie fluke of a business.
This is one of the reasons it's a shame you need to buy a console to play exclusive titles. I was going to buy a PS3, but am hesitant now. A security breach like this is really unacceptable from anyone, under any circumstance. I'll need to be careful about disclosing any of my data if I do get a PS3.
Momentum and hydra-esque qualities. Sony manufactures parts for a lot of tech companies, who would suffer if Sony ceased to exist. So it's in their best interest to keep them alive, especially in the short-term as it would be crippling to have to change suppliers suddenly.
I think it's been proven that you can do just about anything in the US and get away with it because the consumers/populace are too placid to do anything about it ... except a BJ from a jewish girl that will get you in serious trouble.
This is a much much bigger deal than the Gawker security breach. Sony had substantially more information on its users than Gawker could ever hope to dream of. Specifically information on real names, addresses, and potentially credit cards.
This is a big F'N deal and I wouldn't be surprised if it cost Sony more than Microsoft's infamous 1 billion dollar write-down with the Xbox 360's Red Ring of Death.
I don't think this will kill PSN or the PS3, but it's going to significantly dent things. I'm curious to see how much media attention this gets and if we'll see a macro shift towards the Xbox 360 and Wii.
If I was Nintendo and particularly evil I would leverage this opportunity to tout the new system and emphasize the cutting-edge online modes with rock solid security. And MS can also talk about their great track record in the online world.
> I wouldn't be surprised if it cost Sony more than Microsoft's infamous 1 billion dollar write-down with the Xbox 360's Red Ring of Death.
Banks, colleges, hospitals, and credit card processors do this all the time, and it doesn't cost them anywhere near a billion dollars despite the fact that they have vastly more personal information. Sure they usually only have a few hundred thousand records and not a few million, but even still the idea that this is going to cost them a billion dollars is absurd.
Numbers I've heard floated for leaks on the smaller scale are around $15-20 per person for post-leak mitigation and damages, which could push near $1b if the same per-person cost held with this size leak (which it might not). When my university had some data stolen, their lawyers advised them to buy everyone a year of some identity-theft insurance/monitoring package, which I believe cost them around $10 per person just for that.
Monoprice did the same thing when they were hacked last year. Two months after it happened, I got a letter from them with a few papers describing the identity theft monitoring service I would receive for a year.
I would argue the cost of the RRoD was a heck of a lot more than $1B because of all the lost sales. People didn't want to invest in hardware that was going to break 5 times over.
The direct damage from this won't be $1B (still tens of millions at least). But what about the impact of the lost sales and customers from the loss in credibility and trust? That is what could be huge.
It was relatively "easy" for Microsoft to replace broken hardware. How easy and how much is it going to cost Sony to replace broken trust?
I've been seeing the notion of accounting for the loss of sales due to "reputation" come up on HN recently and I wish to dispute it.
First, most of the time when we're talking about business and we talk about costs we're clearly talking about accounting costs. This applies to startups, too. When you're talking about accounting costs, you don't get to include economic costs (e.g., opportunity cost.)
Second, isn't trying to include these extra "costs" due to lost sales the same thing that the music industry is doing? That is, claiming that they lost trillions of dollars due to file sharing from, you got it, "lost sales." 
I don't think there's any real way to measure these costs, so let's stop trying.
"Goodwill" is the difference between the book value of a company (value of tangible assets) and what it can be sold for. A manufacturer with tooling, machines and inventory might not have much, but a software company's book value is near zero.
People are asked to put value on intangibles all the time. You might want to write them all down to zero, but the rest of us value Wordsworth more than the dead trees his words are printed on.
Opportunity costs are measurable. It all depends on your assumptions whether the measurements are reasonable or not.
Ex. If I make $2000 a week as a contractor on a steady contract, I know that the opportunity cost of taking a week of unpaid vacation time is $2000. That's a reasonable, measurable assumption.
However, I could also say that the opportunity cost of that week of vacation will be $12000, because there might be a one-week rush project that will come in that I can bill for $10000 in addition to my normal steady contract. Assuming there's not a pattern of that happening in the past, it's not a reasonable assumption and thus measurable in that way.
I'd say this second scenario is akin to the record companies assuming that every instance of piracy is also an instance of lost sales.
You're estimating an opportunity cost here, not measuring it.
Goodwill can be measured in the sense that goodwill = purchase price - book value. No assumptions are involved in its calculations--goodwill is calculated based on two fixed values.
Opportunity costs are not as concrete. In your example above you state your opportunity cost is $2000...but what if that rush project comes through? What if your steady contract scales back for that week? There are assumptions involved; ideally your opportunity cost would be the expected value of all probable incomes during that week. Identifying those probabilities a priori is impossible.
My point is: opportunity costs are based on assumptions. They cannot be measured--only estimated.
I definitely agree, and any "lost sales" are clearly evident in future revenue data. Opportunity costs are factors in economic decisions, but writing them down would be laughable.
My point was that Microsoft probably had some revenue trajectory with slope X before the write-down, and experienced a new revenue trajectory with slope Y < X after the write-down. I'm curious about the area between the two lines.
Agreed. Look at the T.J. Maxx breach, in which approximately 94 million credit card numbers were stolen. Despite media claims of billions of dollars in damages, and multiple class action lawsuits, T.J. Maxx didn't pay any huge settlements or face any special penalties.
Yes, you can have multiple accounts per console. And because it's free, I would think (based on a small sample, my friends who own PS3s), it's far more likely that there will be multiple PSN accounts, versus XBL accounts which cost money (to play online).
My PS3 has three PSN accounts on it, as do three or four of my friends'. Everybody I know who has a 360 shares one Live account across everybody who uses the console.
Microsoft had millions of pieces of defective hardware out there which they were warranting free replacement on for several years. Unless Sony's going to replace all the PS3's in the wild, the direct costs for dealing with this PR nightmare shouldn't come close to what Microsoft set aside.
Would replacing all the PS3's fix it? It seems that this is more related to the infrastructure of PSN than the actual PS3 hardware. If that's the case, there's not much that Sony can do to really fix the situation.
If PKI alone is at the core of their infrastructure problems, and the key is in the chip, this may well be what they have to do. However, I don't know that this is entirely because of their public key infrastructure.
He's not saying that the grandparent comment was "dissing the competitor". The grandparent comment suggested that Nintendo and Microsoft could use this opportunity to flaunt their own systems as superior, and the person you replied to was simply stating that Nintendo can't do that without having a lot of confidence in their own networks.
It does carry a risk though: if you make securing a major online service sound too easy by ridiculing your competitor, then down the line when you get breached it's more damaging imo. E.g. I don't remember any car companies in recent history pointing to service recalls of their competitors in their advertisements; ditto for airlines and crashes.
It is, and that's the example I thought of in response to the point. But car companies do advertise the safety of their cars. The situation is different, though, since different cars do have different safety measures, and such things do get rated.
There were sixty million PSN accounts. This is impressive, and amounts to (judging by a quick search) the largest-scale ID (and possibly credit-card) theft ever [Not so, see child comment]. Not even factoring in credit card details, the usernames, emails, addresses, ages, passwords, mother's maiden names, favourite pets, of sixty million people is worth a hell of a lot.
I have to wonder how much data that is, in terms of storage. How could you even take that without someone noticing?
Hats off to whoever it was. Now, I'm off to change my passwords. Thank Christ I had the sense not to use a credit card to buy from PSN.
On a related note, PayPal refuses to let me change my password to something longer than 20 characters, or have spaces in my password. Why is this the case? Surely the only thing that an upper limit on the length of a password does is help the attacker.
While I detest PayPal, and it makes me livid that any company places upper-bound (and/or character) restrictions on passwords, I did want to mention that Yubico provides a two-factor authentication key which works with PayPal: http://yubico.com/VIP
I don't have any stake in either company, but I was glad when Google rolled out 2-factor and I am especially glad to be able to finally use 2-factor for safeguarding my money.
"A well known hacker i don’t want to reveal here had all the Sony PlayStation Network functions 100% decrypted as well as providing some nice info about how Sony dealing with PSN members privacy in their online servers.
Apparently, Sony's servers gathered everything they could from the PSN-connected PS3 console. When I said everything, I meant it. Here, I make a list of everything they squeezed from the IRC chat log conversation between the hackers.
Sony monitors all messages over PSN.
All connected devices return values to the Sony server: TV, firmware version, firmware type, console model.
They also collect data from your USB-attached device.
Credit card sent as plain text, example: creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
*The best part of all: the list is stored online and updated when you log in to PSN and at random.
But, that’s not all, with the PSN functions fully decrypted, this hacker can use the function to get all games, DLC, you name it, from PSN store without paying anything."
The data is POSTed over SSL. C'mon, do you really think Sony sends credit card data across the wire in plaintext? If so, it would have been discovered the day the PS3 launched, like five years ago. And, its discovery wouldn't have required any system hacking, as described above. Is it amateur hour here?
This is interesting. I remember hearing a story about Apple and the record labels. Basically, it took a long time for the labels to trust Apple with their entire catalogues DRM on Apple's servers (DRM was added at time of purchase). It required lots of work on Apple's side to gain that trust so that the labels felt comfortable with Apple essentially housing all of their prized assets.
If Sony was trusting all transactions on the dev network, that seems like they weren't protecting the assets of the movie/TV studios and record labels (not sure if they sell music through the PS Store).
Either way, this seems like a larger shit-storm than just user account details being stolen. It could very well impact future content deals for Sony, and possibly help the other, more trustworthy companies that have demonstrated discipline.
> How do you use stored credit card info if the cc# is not stored?
Simplifying just a bit -- The one time you pass the # along to the bank, they give you back a transaction ID you can use to do future things with that card. The bank knows the number, looks it up by that ID.
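The token-instead-of-card-number flow described in the comment above, written out as an added example (not PSN's or any processor's real code): a constructed `Processor` stands in for the bank that vaults the card, and a constructed `Merchant` stores only the token and the last four digits, so a dump of the merchant's own database contains no card number.

```python
import secrets

# Constructed example of card tokenization. The Processor class stands in for
# the bank/payment processor; the Merchant class is the shop. Names, fields and
# the card number below are all made up for the demo.


class Processor:
    """Vaults the real card number (PAN); hands the merchant an opaque token."""

    def __init__(self):
        self._vault = {}  # token -> card record; never leaves the processor

    def tokenize(self, pan, expiry):
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
        self._vault[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token, amount_cents):
        card = self._vault.get(token)
        if card is None:
            raise KeyError("unknown token")
        # The processor can see the PAN; the merchant only gets a receipt.
        return {"ok": True, "amount": amount_cents, "last4": card["pan"][-4:]}


class Merchant:
    """The game store: keeps the token and last four digits, never the PAN."""

    def __init__(self, processor):
        self.processor = processor
        self.accounts = {}  # user -> stored payment reference

    def add_card(self, user, pan, expiry):
        token = self.processor.tokenize(pan, expiry)
        self.accounts[user] = {"token": token, "last4": pan[-4:]}
        return token  # the PAN itself is not retained anywhere on this side

    def buy(self, user, amount_cents):
        ref = self.accounts[user]
        return self.processor.charge(ref["token"], amount_cents)

    def dump(self):
        """What a stolen copy of the merchant's database would reveal."""
        return {user: dict(ref) for user, ref in self.accounts.items()}


def demo():
    """Store a (constructed) card once, charge it later by token, then dump the DB."""
    shop = Merchant(Processor())
    shop.add_card("alice", "4111111111111111", "2012-02")  # constructed test number
    receipt = shop.buy("alice", 1999)
    return receipt, shop.dump()
```

A breach of the merchant side yields tokens that are only meaningful to the one processor that issued them, which is why the "pass the number along once" model bounds the damage of a leak like this one.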
You could at least have them encrypted on disk with a key only stored in memory, i.e. loaded when the system is turned on. Alternatively, a dedicated crypto device where you feed it ciphertext and it gives you plaintext would also help, as the attacker wouldn't be able to get the key (even if they have the physical box, for good crypto devices).
While only marginally better depending on the type of attack and permissions gained by the attacker, if all they got was static data on disk, then it would be secure.
What we do where I work is take the newly generated key whenever we key or rekey the system, split it into multiple pieces using Shamir's secret sharing algorithm, and those pieces are distributed to several people.
Whenever the server needs to be started, two of those people must enter their key shares. That enables the server to reconstruct the key, which is then stored in memory.
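The two comments above (data encrypted on disk with a key that lives only in memory, and that key split with Shamir's secret sharing so that two of several people must be present to start the server) combined into one added example. This is not the commenter's employer's code: the share arithmetic, the `RecordStore` class and the SHA-256-based keystream are constructed for the demo, and the 240-bit key size is chosen only so the key fits in one field element.

```python
import hashlib
import secrets

P = 2**255 - 19   # prime modulus for the share arithmetic (the Curve25519 prime)
KEY_BYTES = 30    # 240-bit data-encryption key, always < P, so it is one field element


def split_key(key_int, k, n):
    """Split key_int into n shares such that any k of them reconstruct it."""
    assert 0 <= key_int < P and 1 < k <= n
    # random polynomial of degree k-1 whose constant term is the key
    coeffs = [key_int] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_key(shares):
    """Lagrange interpolation at x = 0; correct only with k distinct shares."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        key = (key + yi * num * pow(den, P - 2, P)) % P
    return key


class RecordStore:
    """Encrypted records on 'disk' (a dict); the key exists only in memory."""

    def __init__(self):
        self.key = None      # populated only by start()
        self.disk = {}

    def start(self, presented_shares, k):
        """Key holders present their shares; fewer than k and the service stays down."""
        if len(presented_shares) < k:
            raise PermissionError("not enough key holders present")
        self.key = recover_key(presented_shares[:k])

    def shutdown(self):
        self.key = None      # disk contents remain but are unreadable without the shares

    def _keystream(self, nonce, length):
        # Keystream = SHA-256(key || nonce || counter), constructed for the demo.
        # A real service would use an authenticated cipher (e.g. AES-GCM) from a library.
        key_bytes = self.key.to_bytes(32, "big")
        out, ctr = b"", 0
        while len(out) < length:
            out += hashlib.sha256(key_bytes + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:length]

    def put(self, name, plaintext):
        if self.key is None:
            raise RuntimeError("service not started")
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        self.disk[name] = nonce + ct

    def get(self, name):
        if self.key is None:
            raise RuntimeError("service not started")
        nonce, ct = self.disk[name][:16], self.disk[name][16:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def demo():
    """Five key holders, any two can start the service; returns (plaintext, on_disk)."""
    key = int.from_bytes(secrets.token_bytes(KEY_BYTES), "big")
    shares = split_key(key, k=2, n=5)
    store = RecordStore()
    store.start([shares[0], shares[3]], k=2)
    store.put("payment:alice", b"token=tok_demo_1234;last4=1111")   # constructed record
    store.shutdown()
    on_disk = store.disk["payment:alice"]
    store.start([shares[4], shares[1]], k=2)   # a different pair of key holders
    return store.get("payment:alice"), on_disk
```

The point of the split is operational rather than cryptographic: an attacker who copies the disk gets ciphertext, and an attacker who compromises one key holder gets a share that on its own says nothing about the key.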
That wouldn't work over SSL, as there is no plain text in the HTTP Verb. And I recall a "paper" coming up some months ago that was mentioning the protocols the PS3 goes through, which does confirm that the data is transmitted over SSL.
If the attacker "0wned" the servers, the fact that there was encryption between you and the server doesn't really help a whole lot; they can just insert themselves in the stack post-encryption (or even use the private key to decrypt the encrypted traffic if they wanted to minimize the number of points they touched).
This seems like a really big argument for never allowing your data to be stored by a 3rd party.
Does anyone see any reason why these companies should do anything other than store the data locally on your system, encrypted/obfuscated, and then only ever send once, via encrypted connection, and then immediately delete the info remotely?
I mean, if someone breaks in to my house and steals my PS3, they already have access to all of that information.
It should at least be an option for me not to store it, if I prefer not to use "one-click" and similar features. I understand why stores prefer to save the information without giving me a choice (reduces friction for future purchases), but I'm not sure that's a good enough reason given the prevailing security track records.
Either that, or perhaps there could be statutory penalties for data breaches. For example, if there was mandatory compensation of, say, $100/person for a data breach, companies might be incentivized to better think about whether they really need to store this data, and whether they're storing it safely.
Online retailers who handle their own CC processing tend to keep credit card information around if only for fraud/chargeback tracking in the future - being online opens you up to massive abuse if you don't keep it in check.
A big player like Sony should have been complying with PCI standards, but from what I've seen, that's not so difficult to pass and then forget about; people take shortcuts. And how many companies out there have ever had their processing revoked for NOT complying with PCI? That would be an interesting statistic.
From my experience, PCI compliance does not require that you have everything perfect, as long as you have a plan to fix your deficiencies.
And as an employee at a couple of PCI compliant shops, I can attest that even full PCI compliance still leaves a lot of holes (enough that some organizations have formed their own compliance exams above and beyond PCI).
The entire security model for consoles has always relied on trusting the client. It has never worked, and yet they keep doing it time and time again. It doesn't surprise me a bit that they did their network the same exact way.
Holy cow! This has to be one of the most serious breaches I remember in recent times. While I don't work in security and my security-fu is weak, it appears that they did not have a strong layered security apparatus in place? Is it just a coincidence that this breach and the geohot exploit happened around the same time?
So it is as bad as we feared. The only silver lining I can see is that Sony made the difficult business decision to turn off the network until they were sure it was secure. While that doesn't make me feel better as a PSN user I do respect their honesty and commitment to fixing it.
I doubt turning off the PSN was a "difficult business decision". More like their lawyers said "KILL IT NOW" and pointed out the ramifications of not actively preventing such wholesale personal information theft.
There will already be a lawsuit of some sort. Imagine how bad it would be for them if they hadn't shut it down.
That's what I was thinking: in most cases of user accounts being compromised, the solution is "change your passwords on this and other sites". Here you need to change your birthday, cancel your credit card, move out, change your name… kind of a hassle.
I'm disappointed but not surprised. When I had to change my password a few months ago on the Sony developer's network site I was told that my new password was too similar to the last ones. I was wondering how they knew that, aside from storing the passwords in plain-text, something I'd assume they'd be too smart to do.
That's not practical. Password hashes should be slow, to stop dictionary attacks; and it's easy to imagine a couple thousand "similar" passwords (flip case of some characters? 256 possibilities for an 8-character password. Add year of birth? 20-50 possibilities. And so on.)
Sure, but if you run through a few thousand hashes to check for similarity, an attacker can check for the couple thousand most popular passwords in the same amount of time. It is possible to throw enough money at it to make an attack uneconomical, but that's expensive.
(Also, DoS. Note that you can't stop people from changing passwords when the system is under load, as that sets you up for a combined compromise-password-hashes-then-DoS attack...)
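The cost argument in the exchange above, as an added example (not Sony's code and not any commenter's): a password-change handler that keeps only salted slow hashes, checks the new password against the current one for free (the current password arrives in plaintext with the change request), and checks it against older passwords by hashing a bounded family of "similar" spellings under each historical salt. A counter shows how many slow hashes each change costs; the `similar_forms` policy and the work factor are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000      # PBKDF2 work factor; constructed for the demo (production uses more)
HASH_CALLS = {"n": 0}    # instrumentation: how many slow hashes each operation costs


def hash_password(password, salt):
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def similar_forms(candidate):
    """Fixed-size family of 'similar' spellings of the candidate (constructed policy):
    case changes, trailing digits stripped, and a recent year appended."""
    base = candidate.rstrip("0123456789")
    forms = {candidate, candidate.lower(), candidate.upper(), candidate.swapcase(),
             candidate.capitalize(), base}
    forms.update(f"{base}{year}" for year in range(2006, 2012))
    return sorted(forms)


class Account:
    def __init__(self, password):
        self.history = []      # (salt, digest) pairs, newest last; no plaintext kept
        self._set(password)

    def _set(self, password):
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))

    def check(self, password):
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def change(self, current, new):
        if not self.check(current):
            return "wrong current password"
        # The current password is in hand in plaintext for this one request,
        # so comparing the new one against it costs no extra hashing.
        if current in similar_forms(new):
            return "too similar to current password"
        # Older passwords exist only as salted hashes: every similar form must be
        # hashed under every historical salt, one slow hash per (form, salt) pair.
        forms = similar_forms(new)
        for salt, digest in self.history[:-1]:
            for form in forms:
                if hmac.compare_digest(hash_password(form, salt), digest):
                    return "too similar to a previous password"
        self._set(new)
        return "ok"


def demo():
    """Returns (verdict, slow-hash count) for a rejected and for an accepted change."""
    acct = Account("Hunter2")
    acct.change("Hunter2", "Winter2009")
    acct.change("Winter2009", "Summer2010")
    HASH_CALLS["n"] = 0
    rejected = acct.change("Summer2010", "hunter2")     # a re-spelling of the first password
    cost_rejected = HASH_CALLS["n"]
    HASH_CALLS["n"] = 0
    accepted = acct.change("Summer2010", "Autumn2011")
    cost_accepted = HASH_CALLS["n"]
    return rejected, cost_rejected, accepted, cost_accepted
```

With ten similar forms and two historical hashes the accepted change costs 22 slow hashes, which is exactly the budget the comment describes: every form the server hashes on the user's behalf is a guess an attacker with the same table could make in the same time, so the family of forms has to stay small and fixed, and the check must not be skipped when the server is busy.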
"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: ... PlayStation Network/Qriocity password and login,"
Seriously? Even Sony is keeping passwords in plaintext? There wasn't a single competent person involved in the design of PSN who might have mentioned that was a terrible idea?
Sometimes, you explain why storing a password in plaintext is a terrible idea, but the business executives simply do not care, or think it's better to keep them available, in case somebody forgets it...
That is very standard legal. If they did so, the impending class action would already be over.
I wouldn't be surprised if that blog post cost them well into 6 figures for legal fees. And that it took the full week to draft and approve--it is probably the reason this announcement took so long to emerge.
In Japan lawsuits are less common, and an apology is expected even if it's not your fault, so it shouldn't hurt their legal defense if they apologize. I think it won't be interpreted as an admission of guilt like it could be in America.
Does anyone else find it odd that they "strongly recommend that you log on and change your password" instead of just force-resetting everyone's password and sending them an email with an activation link? Out of 60M subscribers, I'm certain that a large proportion will never see this message.
They're down about 10% relative to the rest of the market since the PSN outage, and pretty significantly in after hours trading (stock market closed about 25 minutes ago, news broke a few minutes ago).
How could they have gained access to passwords? Do they mean, rather, gained access to your secure password hash, or did they simply store passwords in an unencrypted format? Being a member of PSN, this has me concerned. I'm making it a point to change all of my security questions and passwords all throughout all websites I use.
I can't even begin to fathom the magnitude of this considering how many people likely use the same login credentials for all of their sites.
The problem you run into is that communicating both the nature of the breach and convincing people to respond accordingly is incredibly hard.
This will continue to happen across many sites. I think after enough of these breaches, though, people will start to think about the protection of their online identities a lot differently, which is good, albeit at a painful cost.
Okay, I see KeePass and Password Gorilla recommended here in the other replies. I use KeePass actually, and I've seen PGorilla. But I'd like something that is integrated with the iPhone - and works with Linux and Windows too.
There's an app called Strip that looks pretty good. I'm listening to other suggestions.
<3 <3 <3 keepass. It has clients for Linux, Windows and OS X, not to mention many smartphones (stick to the 1.x version for this.) This, along with dropbox makes for an awesome way to keep track of passwords securely.
Wow, this sounds really, really bad. As much as I dislike Sony's actions in the Geohot case, and as much as "this is what you get for failing at security", I feel pretty bad for them right now (and even worse for all of their customers).
>To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
>We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name.
They say passwords were stolen. This must mean they are not properly hashing passwords with salts stored outside of the database.
How many times does this have to happen before people realize that passwords are never to be stored in plaintext? The only exception is a client-side program that needs to log you in and in an ideal world that would be handled by a Kerberos-like ticket system.
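What "properly hashing with salts" buys a site whose password table leaks, as an added example (constructed data, not PSN's schema): the same four accounts stored once with a single global salt and once with a random per-user salt, and a count of how many slow-hash evaluations it takes to match a short list of common passwords against each table.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000      # kept low so the demo runs quickly; real deployments use far more
KDF_CALLS = {"n": 0}    # counts slow-hash evaluations so the two designs can be compared


def kdf(password, salt):
    KDF_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_unsalted(passwords):
    """The weak design: one global (empty) salt, so equal passwords give equal digests."""
    return {user: kdf(pw, b"") for user, pw in passwords.items()}


def store_salted(passwords):
    """The usual design: a random per-user salt stored next to the digest."""
    table = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        table[user] = (salt, kdf(pw, salt))
    return table


def verify(table, user, password):
    salt, digest = table[user]
    return hmac.compare_digest(kdf(password, salt), digest)


def guess_unsalted(table, wordlist):
    """Each word is hashed once and that single digest is matched against every account."""
    by_digest = {kdf(w, b""): w for w in wordlist}
    return {user: by_digest[d] for user, d in table.items() if d in by_digest}


def guess_salted(table, wordlist):
    """Each word has to be re-hashed under every account's own salt."""
    found = {}
    for user, (salt, digest) in table.items():
        for w in wordlist:
            if hmac.compare_digest(kdf(w, salt), digest):
                found[user] = w
                break
    return found


# Constructed sample data: four accounts (two share a password) and a short list
# of common passwords of the kind a leaked table would be tested against.
USERS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3", "dave": "password"}
COMMON = ["123456", "password", "qwerty", "letmein", "dragon"]


def demo():
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    KDF_CALLS["n"] = 0
    hits_unsalted = guess_unsalted(unsalted, COMMON)
    cost_unsalted = KDF_CALLS["n"]
    KDF_CALLS["n"] = 0
    hits_salted = guess_salted(salted, COMMON)
    cost_salted = KDF_CALLS["n"]
    return {
        "same_password_same_digest": unsalted["alice"] == unsalted["dave"],
        "same_password_same_salted_digest": salted["alice"][1] == salted["dave"][1],
        "hits_unsalted": hits_unsalted, "cost_unsalted": cost_unsalted,
        "hits_salted": hits_salted, "cost_salted": cost_salted,
        "worst_case_salted": len(COMMON) * len(USERS),
        "verify_alice": verify(salted, "alice", "password"),
    }
```

The salt does not stop weak passwords from being found; it removes the shortcut where one hash per dictionary word covers every account at once (and reveals which users share a password), so the work scales with the number of accounts, and the slow KDF sets the price of each of those hashes.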
I think that what we're seeing here is evidence that there's just too many ways to screw up handling personal information on line. The sane stance is to now assume that any profile you provide to any website will eventually become public, and proceed accordingly.
And ultimately that's what people care about: information most of them already share via Facebook for FREE. The funny thing is that we already get spam delivered to our homes in the form of publicity.
About the credit cards, these days most credit card issuers have pretty good security so they'll let you know and block your credit card if people used it in a weird way and believe me, I was a "victim" a couple of times already and it works very well.
I join the 1st commenter. I won't be changing my credit cards because of this, and I just care about playing my online games again... really, I already got bored of Gran Turismo and Final Fantasy offline ;-).
This brings back memories of the Gawker breach, but Sony seemed so much more legitimate. It can happen to the best of companies, I guess. This is the worst security hack I've ever witnessed.
This spells for Sony, yes, but even worse for the uncountable people whose credit card numbers just got nabbed. One hacker on the loose...
The worst part is that this public breach is only a single event. All the companies that have our information could be hacked and Sony is only a visible example. It's similar to the BP oil spill: what other oil companies weren't running tight rigs? The disasters happened to BP and Sony, yes, but it is a reflection on their industries.
While it's a big deal, let's be reasonable with our expectations of privacy.
I know my street addresses, home and work, my e-mail addresses, significant URLs, credit cards, expired credit cards, buying habits, posts, messages, family relationships (mother, wife, ex-wife, kids, ex-girlfriends) etc. are stored in a lot (probably more than a hundred) of places. I have no expectation all that data will be kept secret for any length of time. I seriously doubt much of that data could be kept from a dedicated googler with lots of free time, much less from a determined criminal who wanted that data.
This appears to also have affected Sony in Japan, as well.
It is interesting how this announcement differs from the Japanese announcement. Japanese people are so paranoid about their identity that this cannot go well for Sony in Japan.
It does not seem like Sony is preparing people for any sort of identity theft in Japan other than calling the card companies. They apologized and remarked on how they are gearing up to better protect their users when the service reopens.
Frankly I'm in shock. That a company as large and experienced as Sony would allow this to happen, well it beggars belief. The contempt shown to customers, not just by Sony but by other large tech companies (I'm looking at you Apple) is disgusting.
I choose not to be part of Facebook because I'd rather they didn't know every detail of my life. Now I have to consider if I want to use products from Sony because of concerns that they can't even protect my private data, which they force me to give them in order to use their services.
I haven't seen this point mentioned anywhere yet, but...
How many of you are willing to bet Sony will use the intrusion as an argument for material damages in court against GeoHot, somehow linking his exploit with the mode of intrusion?
This is pure speculation of course. But I'm willing to bet serious money that Sony's "outside, recognized security firm" has been "requested (hint-hint, wink-wink)" to be on special lookout for any sign the exploit was a vector for the intrusion.
I think what they mean is that the information harvested may now be used to perpetrate such scams - imagine receiving an email specifically addressed to you, containing information that you thought only Sony knew about. Would be pretty convincing (and people fall for less convincing emails all the time). Or a phone call? "Hi it's Bob from PSN here, we need to update your account with new card details following the recent security breach" etc.
This is case-in-point for centralized log-archival-and-analysis tools like SenSage. No matter how secure you make your infrastructure, in situations like this you want evidence of all activity on your networks, computers, DB's, app servers, apps, etc. Storing log data related to this activity can consume petabytes over a multi-year span.
I don't know what kind of forensic tools Sony's using, hopefully they have something like SenSage.
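As an added illustration of the "evidence of all activity" point above (not SenSage's code, nor anything known about Sony's setup): a small Python script that ingests constructed log lines from several hosts into one normalized record set, then runs a simple correlation over them, flagging source addresses that touch many distinct accounts in a short window. The line format, host names, account names and IP addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three hosts, already in one normalized
# format. A real central archive would receive many formats and normalize
# on ingest; the point here is that cross-host questions become answerable.
SAMPLE_LOGS = """\
2011-04-19T03:12:44Z web01 auth: login user=alice src=203.0.113.5 result=ok
2011-04-19T03:12:51Z web02 auth: login user=bob src=203.0.113.5 result=ok
2011-04-19T03:13:02Z web01 auth: login user=carol src=203.0.113.5 result=ok
2011-04-19T03:13:09Z web03 auth: login user=dave src=203.0.113.5 result=fail
2011-04-19T03:13:15Z web02 auth: login user=erin src=203.0.113.5 result=ok
2011-04-19T03:14:00Z db01 mysqld: query user=appsvc src=10.0.0.12 stmt="SELECT * FROM accounts"
2011-04-19T03:20:00Z web01 auth: login user=frank src=198.51.100.7 result=ok
2011-04-19T04:05:30Z web02 auth: login user=frank src=198.51.100.7 result=ok
"""

# "<timestamp> <host> <program>: <message>" with key=value pairs in the message.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one raw line into a dict; returns None for lines that don't fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(rec["msg"])})
    return rec


def load(text):
    """Parse all lines and order them by time, regardless of which host wrote them."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return sorted(recs, key=lambda r: r["ts"])


def timeline(recs, **filters):
    """Forensic view: every record whose fields match the given filters,
    e.g. timeline(recs, user="frank") or timeline(recs, src="203.0.113.5")."""
    return [r for r in recs if all(r.get(k) == v for k, v in filters.items())]


def accounts_per_source(recs, window=timedelta(minutes=5), threshold=3):
    """Flag source IPs that attempt logins to more than `threshold` distinct
    accounts inside any sliding window. Successes and failures both count,
    since account enumeration looks the same either way."""
    by_src = defaultdict(list)
    for r in recs:
        if r["prog"] == "auth" and "user" in r:
            by_src[r["src"]].append((r["ts"], r["user"]))
    flagged = {}
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) > threshold:
                flagged[src] = max(len(users), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    recs = load(SAMPLE_LOGS)
    print("suspicious sources:", accounts_per_source(recs))
    for r in timeline(recs, src="203.0.113.5"):
        print(r["ts"], r["host"], r["user"], r["result"])
```

The detection is deliberately simple; the value of the archive is that `timeline` can answer "what did this address or account touch, on every host" after the fact, which is exactly what is missing when each server keeps its own logs and the attacker clears them.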
While I don't know the details of how this happened, it's a sure fire bet that they were not doing something right when it came to securing their infrastructure. How many times have we heard of big name companies running un-patched operating systems and SQL databases or even weak passwords? From the consumer end, this really sucks. Especially if their personal data was compromised.
I haven't really been following this but there have been rumblings all week that a hacked firmware was released that allowed anyone who installed it, and twiddled with some other things, access to the PSN development and testing network. Anyone know more?
I personally don't know any more, but this might be a good starting point if you're interested: http://news.ycombinator.com/item?id=2482679 is a link to a post on reddit from a moderator of a forum that deals in ps3 modding. He outlines the situation, and his forum probably has some more information.
"We greatly appreciate your patience, understanding and goodwill" - I'm all out of good will for Sony. I already canceled the credit card I had on file with them, hopefully nothing happens with my personal info.
Do what you will, I'm not going to defend Sony exactly but you'd be stunned to know how much this kind of thing happens and goes unreported. Stunned. Sony deserves a pile of credit for manning up and saying what they've said. Unfortunately they're also admitting that they have no idea how bad it really is. A remarkable number of companies wouldn't disclose this much. A remarkable number of them will interpret and spin it all in their favor and report as little as possible.
What do you want them to do? What's reasonable? How long do you think it took them to figure out the extent? (They still don't fully know it!) There are absolutely business concerns that warrant acting with some measured prudence.
The parent is true, there are a lot more attacks than you hear about. Sony only loses here, they lie and under play it they look bad, they over play the concerns and they look bad, they tell the world too soon they look bad, they take their time and they look bad. It's just all around shitty. What's the reasonable way for them to report this or should they just lie like a lot of other companies?
Well, it's a little late now, but they could have kept to security best practices (hashed passwords, external hardware credit card encryption/decryption seem like two obvious things they chose not to do.) For a large network, that doesn't seem like an unreasonable burden.
Their business concerns are merely for their own good to try to protect their brand, not to actually benefit their customers. They will spend more on just PR, never mind making good any actual losses, than on just doing it right in the first place. At this point, they deserve to look shitty, because they were shitty. In the case of lying about it, that should be a serious corporate crime (and I think this sort of disclosure is required in most jurisdictions.)
More generally, why do businesses pay almost anything to protect their good names, but only after they themselves have let their reputation fall into the deep shit? Look at how much BP must have spent over the deepwater horizon spill, compared to how much it would have cost to maintain their equipment. Never mind the banking crisis. An ounce of rational prevention is worth a tonne of PR fire-fighting — why do companies struggle so much with mitigating downside risk?
This compromise happened DAYS ago. Google was hacked by China in mid-December 2009; they didn't publicly announce what happened until January 12, 2010. What started to look like a harmless intrusion turned into compromised gmail accounts turned into a highly sophisticated attack on Chinese dissidents turned into a full scale assault on their infrastructure. People were still figuring out the extent of that attack a couple months later.
While this is a bad security breach, if you follow security news at all you'd know computer security is a joke. The Rustock botnet operated for FIVE years with impunity on as many as 2.4 million rooted machines. People didn't even know they were owned; their computers worked perfectly fine like nothing was wrong. Every system at pwn2own gets owned in seconds and you can bet the black hats were there first. Everyone gets compromised. The only thing stopping a crippling cyber attack is whether someone feels it is beneficial to do so.
I do not especially fault Sony for this. Google gets hacked. Microsoft gets hacked. The NSA gets hacked. The DoD gets hacked. JP Morgan Chase gets hacked. Just add another multi-national to the list. It's a systemic problem that nobody really cares enough about nor can we do much about it if we did care.
EDIT: Just to give you another idea of how screwed we are from a security perspective. To paraphrase George Carlin, some programmers are really stupid. Did you ever notice how much stupid software you see? Think of how stupid the average programmer is, and realize half the programmers are stupider than that. And that bottom half? They probably work in IT, managing over engineered address books and accounting ledgers of the world while smarter people worry about cooler problems.
Being a security guy, I agree that no amount of planning and intelligence will keep out a significantly determined attacker. However, this doesn't give you carte blanche to not think about security. All the evidence presented around this shows that they simply didn't make it difficult at all; as soon as the console fell, so did their system. They seem to have violated every rule in security. That is simply unacceptable.
It's one thing to be attacked by determined people and fail eventually -- given enough time, everyone does -- but it's a completely different matter to give the keys to the castle to anyone with a rooted PS3.
It doesn't mean they either know, or don't know. It means their PR isn't willing to fully disclose the exact nature because if they confirm customer data was nicked, class actions will start off rather promptly, and if they say it certainly wasn't, they're seen as over-reacting.
Thankfully that's what's great about credit cards (and let's not forget that) - you just ask the bank to deactivate the old one and no more transactions can go through. Also, you should in general not be liable for any fraudulent use of the number. Just dispute it. (my contract said I could be held liable for up to $50 of fraudulent use only in the case where the CARD was stolen and used prior to my reporting it.)
Not to be trite, but as they say, absence of evidence is not evidence of absence.
Especially considering the sentences immediately after the "there is no evidence..." statement, I'd be wary. I might just be jaded and they're really just trying to be forthcoming and helpful, but all that CYA-type-speak after that line makes me at least a little bit dubious that they're revealing all the details just yet.
Quoting Anonymous on their involvement is a moot point. The lack of hierarchy and completely radical differing opinions of members within the "group" allows for confusion and varying ideologies. Since a press release, in the mindset of Anon, is released by an individual or a group of individuals, they may not be aware that a separate member did perform the hack. In the end no one really knows until someone pretty much steps forward.
I think given the severity and potential criminal lawsuits for this nobody will step out right away, however I'm pretty sure the geohot story pissed off some good hackers who found something to do in their spare time...
Even if hashes are stolen, you should consider the original password stolen as well, because it's only a matter of time and effort to brute force the original password from the hash. Even if you use a really good password with a really good hash (like bcrypt), it still doesn't mean that they can't find the password, just that it will take more time to do so.
A really good password with a really good hash takes more time for values of time far exceeding any human's lifespan.
Assuming a 10-character random alphanumeric, that'd be 62¹⁰ possibilities (26 uppercase + 26 lowercase + 10 numbers = 62). Even given an insanely fast bcrypt of 1µs, that's over thirteen thousand years to get to a 50% chance.
Now, if your hash is a bad one, say MD5, then you're in trouble. GPUs could brute force that ten-character password within a year.
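The arithmetic in the two comments above, as an added Python example (not from the thread): it computes the 62¹⁰ keyspace and the expected time to a 50% chance of a hit at a given guess rate, and contrasts an unsalted MD5 with a salted, iterated hash. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which Python does not ship; the 1µs-per-guess figure is the one quoted above, while the 10 billion guesses per second used for the GPU-versus-MD5 line is an assumed round number, not a figure from the page.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct passwords of `length` symbols over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Same quantity expressed as bits; 10 alphanumerics is about 59.5 bits."""
    return length * math.log2(alphabet_size)


def years_to_half(space, guesses_per_second):
    """Expected years until half the keyspace has been tried, i.e. a 50%
    chance that a single target password has been found."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def fast_hash(password):
    """Unsalted MD5: one cheap operation per guess, and identical passwords
    give identical hashes, so one crack serves every account sharing it."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password, salt, iterations=100_000):
    """Salted, iterated hash. The per-user salt defeats precomputation; the
    iteration count is the work factor that turns microseconds into years."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def seconds_per_call(fn, rounds=20):
    """Rough cost of one call on this machine (varies run to run)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    space = keyspace(62, 10)
    print(f"keyspace: {space:.3e} ({entropy_bits(62, 10):.1f} bits)")
    # 1 guess per microsecond, the figure used in the comment above.
    print(f"bcrypt-class at 1e6/s: {years_to_half(space, 1e6):,.0f} years to 50%")
    # Assumed GPU rate against unsalted MD5 (constructed round number).
    print(f"MD5 at 1e10/s:         {years_to_half(space, 1e10):,.2f} years to 50%")

    salt = os.urandom(16)
    fast = seconds_per_call(lambda: fast_hash("correct horse"))
    slow = seconds_per_call(lambda: slow_hash("correct horse", salt))
    print(f"measured: md5 {fast*1e6:.1f}µs, pbkdf2 {slow*1e6:.0f}µs per guess")
    print(f"years to 50% at this machine's pbkdf2 rate: {years_to_half(space, 1/slow):,.0f}")
```

Running it shows the comment's ~13,000 years for a 1µs hash and a bit over a year at the assumed GPU rate against MD5; the measured PBKDF2 cost on an ordinary CPU lands in the tens of milliseconds, which is why the work factor, not the password alone, is what pushes the estimate past a human lifespan.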
We've seen several examples recently of Japanese corporate culture's secrecy and lack of candor. Toyota, the TEPCO nuclear plant and now Sony: the same pattern of not wanting to admit to the problem. I wouldn't bet on their long term competitiveness.
Howard Stringer is Sony emperor... I mean Chairman, President and CEO. And he comes from Sony Entertainment (US). He was the one pushing stuff like the Audio CD rootkit, DRM everything and BluRay in all PS3 consoles to force a format war. Some people consider this last trick as the move that got the previous admin gutted, I mean restructured, back in 2005. And he got the top job. Amazing guy.