Qui non proficit, deficit, SONY



wraggster
May 28th, 2011, 22:21
News via http://dknute.livejournal.com/38217.html

So... SONY manages to have their PSN data stolen. And not just any data - the most sensitive kind, their customers' personal data. SONY calls that a high-profile malicious attack but in reality their system had gaping security holes. Known vulnerabilities were not patched for months. Very professional; let me guess, it was all outsourced to cut costs?

How bad is it? So bad that they don't even know WHAT was taken since the logs were compromised as well. Because SONY not only failed to run a proper server stack, they failed to set up a logging system that would run independently. Apparently if it wasn't for the attackers' clumsy attempts to cover their tracks, nobody would even know the intrusion took place!

To add insult to injury I was away from the country when it got reported and could not block my card or else I'd end up with no money to pay bills and return home...

Words fail to properly convey my feelings about this, I'll try though. Let's start with PSP - it got hacked, with a spoofed "service battery" of all things. Way to include a backdoor into your secure product, guys. Just brilliant. PS3 - got hacked with a stupid buffer overflow in the USB layer, again with the help of a backdoor system known as "service JIG". Then it got owned completely because SONY decided to use curve-based crypto rather than the usual RSA-like system, and nobody understood the new algorithms well enough to actually use them properly. I was laughing so hard when this was published... And what does SONY do? Blame the hackers.

Next thing SONY fails at is running a secure database with all of their clients' data. And not just PSN, apparently the SOE one was raided too. You couldn't do worse if you tried. Hell, SONY might as well have just copied and sent out the data themselves - at least that way we wouldn't have to endure a lengthy downtime of their services. But wait, that's not all of it yet. Now they got their collective asses moving and decided to actually upgrade Apache to the latest version - and maybe (though doubtful) to keep doing that from now on. And with the claim that it's secure now they made it into a grand reopening. Some lesser CEO even apologized. Wow. It would be much more impressive if not for another exploit that was discovered, what, less than 24 hours after the restart? This seems to be the extent of their new security - they just can't code shit, even if their lives depended on it.

Also, as it turns out, the Japanese government is not happy with the way SONY handled the situation and forbade PSN reopening until all the issues are properly resolved, and explanations are made as to what steps were undertaken to prevent this mess from happening again in the future. Now, this might just be a political struggle but it does kinda make you wonder just how secure this "new" system really is. It sure bothers me.

We are talking about 100 million accounts, this is THE BIGGEST data leak in history. Ever. SONY fails time and time again, and there seem to be no consequences whatsoever. I'm really unhappy with EU and USA authorities not demanding formal apology and proper compensation. I suppose the unnamed hackers will again take all the blame, since apparently big companies can do no evil. Nobody died, right? Move along folks, nothing to see here.

Oh and don't get me started on the Welcome Back Programme - it's just as insulting as the half-hearted apology. Rather than get a wallet bonus or something to that effect, we are given old games that many already have. And this is no accident, SONY knows well what games we have and play (via PSN reports) so this way they just pretend to give us something without actually investing too much money. Think of it this way, you just exchanged all of your personal data, including possibly credit card info, for 2 lousy games and 30 days of PSN+. Was it worth it?

I'm pretty sure kids won't mind. When you're 16 or so, what do you care who knows what your name and date of birth are. But proper adults should realize the potential consequences of identity theft. I've seen it happen to someone who had their ID card stolen and let me tell you - it ain't pretty. First of all it won't hit you right away, usually it takes months, but then it will haunt you for many months to come. And there is nothing you can do about it, except work hard to clear your name. In the meantime it's quite possible you'll be visited by debt collectors asking for money you never had, and even receive threats from people who think you owe them. Banks might lock your accounts every now and then, your cards will stop working due to all the stuff happening, and so on. And the worst thing is you know none of this is your fault. Welcome to your personal hell.

I won't ask anybody to boycott SONY. You do what you think is right in that situation. I will probably keep using my PS3 since the milk is spilt and nothing will change that. I sure won't enter my card details into the console again, though, and if there is anything interesting on PSN then I will look for alternative payment methods. That's assuming I will feel like buying from SONY anytime soon. I'm simply not going to trust that company with anything, ever again. Because, let me repeat that one more time, not only can they not protect my data, they don't even feel like compensating me for my loss. So, I don't feel like spending my money on their products.


EDIT: And this just in, though still not properly confirmed: It seems that firmware 3.61 causes some of the consoles to overheat and turn off while playing. Seriously SONY, I couldn't come up with this stuff if I tried.

adventure_of_link
May 29th, 2011, 16:09
http://www.losinghorns.com/

nothing more needs to be said really.

on the flipside, personally I'll buy the NGP and _maybe_ the Xperia Play (assuming it's available on Sprint by Halloween AND they get their shit together).. after that, that's it.