

Anyone Surprised With How Sony Still Refuses To Take Responsibility For PSN Fiasco?

It’s been about a month since Colin Campbell’s take on how Sony should have responded to the PlayStation Network fiasco was published, and it’s pretty eerie how some of his predictions are playing out:

Here’s a little test for you. Which of the following statements are you most likely to agree with in one year’s time?

A: “Sony handled that situation amazingly. They held their hands up and took appropriate share of blame. They outlined a clear plan of action to remedy the situation and they made sure all stakeholders were recompensed beyond reasonable expectations. They showed their human side and came out of this a stronger company.”

B: “It just kinda went away, didn’t it? Sony entirely laid the blame on the hackers, launched a lot of legal flak, refused to take any responsibility, offered the minimum clarity and token recompense. But no-one cares any more. At least they’ve encrypted my personal data now.”

I’m going to go out on a limb here and predict that answer B is looking a whole lot more likely than answer A.

Sure, Sony has offered up some free games and enrollment in an identity theft program, but has it really made you believe that it’s truly sorry for what’s happened and that it will do its best to make sure it doesn’t happen again?

I didn’t think so.

Wired had a pretty funny list of ridiculous things that Sony could have used to compensate users. It’s a silly read, but you know what? If Sony had the balls and/or humanity to take responsibility and show off their human side, why not pull off one of the stunts listed in the article? Pay the Kevin Butler actor to go to someone’s house and personally apologize. Make a whole media blitz out of it. Everyone has a laugh and Sony comes out with some great PR.

Instead, we get reports that Sony CEO Howard Stringer still doesn’t believe he has anything to apologize for.

From an interview last week:

Sony believed it had “good, robust security,” Stringer said. He rejected suggestions that the company is paying for a lack of vigilance and said he was unaware of the 2008 intrusion on the PlayStation Network.

“We have a network that gave people services free,” Stringer said. “It didn’t seem like the likeliest place for an attack.”

When the April incursion first started, he didn’t know how serious it was, Stringer said. “I really don’t think I could apologize for not knowing,” he said. “It’s a whole new experience for everybody at this scale.”

Seriously, dude? You didn’t think that a service with over 77 million users, whose target demographic also happens to include the most computer-savvy and vocally active people in the world, could be the target of an attack? Sure, it may be a whole new experience for your company at that scale, but you’re not the first people to have a massive database of users to take care of. If anything, you should have been more cautious and vigilant, because networked software solutions have not been your company’s strong suit in the past.

We may be forced to live on with Sony due to game developers being obligated to support a platform with such a huge userbase, but you can bet your ass that if we could still enjoy all of the exclusive content on the PS3 elsewhere, we’d be gone in a heartbeat.

via Gamasutra


Sony Confirms Massive PlayStation Network Breach – What You Should Know

Originally posted on Lalawag

Sony just confirmed on its PlayStation Blog the worst case scenario for its recent PlayStation Network downtime/security breach – massive amounts of customer personal data was compromised by hackers. There are over 70 million PSN accounts currently. This is a security breach of disastrous proportions.

From Sony’s PSN Outage FAQ:

Q.6 Does that mean all users’ information was compromised? Tell us in more detail what personal information leaked.

In terms of possibility, yes. We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID. It is also possible that your profile data may have been obtained, including purchase history and billing address (city, state/province, zip or postal code). If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. If you have provided your credit card data through PlayStation Network or Qriocity, it is possible that your credit card number (excluding security code) and expiration date may also have been obtained.

That, my friends, is quite a Happy Meal of personal data that is out in the hands of someone “unauthorized.” Not only do they have your contact information and birthdate, but they have your friggin’ password and password security answers! Does this mean that Sony stupidly stored your passwords in plaintext somewhere? How dumb/cheap/lazy must your company be to store 70 million passwords in plaintext?

If the hackers had only gotten access to password hashes, I would have expected Sony to mention that in order to allay some fears. Nowhere in Sony’s statement does it leave open the possibility that password data was not compromised, which leads many people to suspect gross negligence on Sony’s part. What else would you expect from a company that announces new PlayStation/Qriocity branded tablets on the same day that it reports one of the worst breaches of consumer personal data in history?
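To make the plaintext-versus-hash distinction above concrete, here is an added example (not code from this post or from Sony) contrasting what a dumped credential table gives away in each case. It assumes a constructed user list and uses Python’s standard-library PBKDF2 with a per-user random salt; the same treatment applies to password security answers, which the FAQ lists as compromised alongside passwords.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not real account data.
USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}


def plaintext_table(users):
    """The bad design: the stored record is the password itself."""
    return {user: {"password": pw} for user, pw in users.items()}


def make_record(password, iterations=200_000):
    """Salted, slow hash: a 16-byte random salt and PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def hashed_table(users):
    """The defensible design: only salt, work factor and digest are stored."""
    return {user: make_record(pw) for user, pw in users.items()}


def verify(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def recoverable_from_dump(table):
    """What a breach of the table hands over directly: every stored plaintext password.
    For a hashed table this is empty; an attacker is left guessing per user, per salt."""
    return {user: rec["password"] for user, rec in table.items() if "password" in rec}


if __name__ == "__main__":
    print("plaintext dump exposes:", recoverable_from_dump(plaintext_table(USERS)))
    table = hashed_table(USERS)
    print("hashed dump exposes:", recoverable_from_dump(table))
    print("alice login ok:", verify(table["alice"], USERS["alice"]))
    print("wrong password rejected:", not verify(table["alice"], "nope"))
```

The per-user salt is what keeps two accounts with the same password from sharing a record, and the iteration count is what makes each guess against a dumped table cost real CPU time; a breach notice that could say “only salted hashes were taken” is the outcome this design buys.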

There is some good news, though, as Sony did confirm that Steam account information was not compromised during the hack. Last week, PS3 players could link Portal 2 to their Steam account to gain access to extra features prior to the PSN going down. I was one of those players, but you can bet your sweet ass that I changed my Steam password ASAP. I suggest you do the same.

Hopefully the leaked information isn’t used maliciously, but obviously you can’t count on that so here’s what you can do right now to deal with Sony’s giant fuckup:

  • Change any passwords to your accounts that are similar to your PSN password.
  • Double check your credit card activity to make sure that nothing out of the ordinary is going on.
  • Be extra careful clicking links in emails – the most likely outcome of all this personal information getting out there is an increased amount of phishing attacks on unsuspecting people.
  • When the PSN comes back up, change your password.

It’s pretty much all you can do at this moment in time other than pray no one messes with your information. Yes, it’s a big pain in the ass, but it’s better to do this now than have to deal with getting your identity back or dealing with credit card fraud.

We can all thank Sony for being inept in network building and security for that inconvenience. For all Sony’s posturing on how the PSN was “free” compared to Microsoft’s Xbox Live, you can bet your ass that Microsoft is having a laugh at Sony’s expense right now.

We’re not even close to looking at the long term fallout of this disaster yet, but you can probably look forward to getting some more compensation in the inevitable class action suit. Time will tell just how big of a hit Sony is going to take in consumers’ eyes for future console and online content sales.

Oh, and for anyone who still cares, Sony hopes to have the PSN back up “within a week.” At this point, the last thing I’m sure people want to do is play their tainted video game consoles.


Hackers leave PS3 security in tatters

This is a fascinating article on why and how the Playstation 3’s software internals have become completely undressed.

Since shortly after its release, I’ve always wondered why there had been no jailbreak or “cracks” for the Playstation 3 when every other console had been broken.

Short answer? Because of the PS3’s option for users to install Linux, no hacker worth his salt cared enough to break the console.

I wonder if Sony knew they were signing the system’s death warrant when they removed the ability for users to install “Other OS” on the PS3. They probably had the hubris of thinking that their security measures were “unbreakable” after 4 years of relative unmolestation.

The first custom firmware is already out for the system, although it doesn’t allow pirated games at the moment.

From Digital Foundry:

The Fail0verflow team says that hackers do the hard work in compromising a system to run Linux and homebrew code, while the pirates exploit that for their own ends. They suggest that the pirates themselves lack the skill to come up with the exploits, and that the PS3 was left unmolested for so long because Sony gave paying customers a way to run their own code on the system. In short, the real hackers weren’t interested in opening up a system that was already open enough.

“There is absolutely no doubt in our mind that the PS3 lasted as much as it did due to OtherOS. The security really is terribly broken,” the team posted on their Twitter page.

Read: Hackers leave PS3 security in tatters – Page 1 (Digital Foundry)