As you say yourself:

“No system is entirely secure as long as the door is slightly ajar.”

Why was the door slightly ajar?

I have this feeling that I’m going to just cancel and get a new card every 8-12 months regardless anymore.

To any Anons who may have had a part in this, stop attacking other end-users. All you’ve accomplished is to galvanize other end-users against you and given Sony and the rest of the copyrent establishment an excuse to clamp down harder. Attacking end-users is counterproductive.

The possibilities…

Try to have the two things bear at least some resemblance to each other. Otherwise you are merely a Sony apologist ready and willing to bend over for another paddle from the kind of authority to whose asshole you’re so eager to apply your lips that evidence appears to be irrelevant to you.

Cool, change my password and the only downer for me will have been a long weekend with no multiplayer.

You would think that a service with 50mm users would have decent security.

Or at least smaller controllers.

http://extendedsubset.com/?p=47

“But the nightmare scenario would be if the attackers used Sony’s exposed root key to sign a back-doored firmware image or other low-level software update. If they then compromised the PSN update servers they could use them to deliver the malicious update to everyone through the normal trusted channel.

Wikipedia reports 50 million PlayStation 3 units and 70 million PlayStation Network users, suggesting that a large percentage of these units are given internet connectivity on an ongoing basis. This attacker could potentially have created overnight the largest botnet in the world by a very large margin.

Most of these PS3 units sit behind the firewall, in homes with weak internal network security (to put it mildly). This puts them in the perfect position to conduct local-LAN man-in-the-middle attacks on home users using the basic techniques of ARP spoofing and DHCP jumping.

Furthermore, each PlayStation 3 is something a supercomputer in its own right. Each has 6 to 9 high-performance cores (depending on how low-level the code executes) running at 3.2 GHz, plus an Nvidia GPU. In 2008, researchers using “just” 200 PS3s for a weekend were able to forge a rogue CA certificate of a type trusted by web browsers to authenticate the identity of any webserver.

So if this attacker played their cards right they could control up to 500,000,000 CPU cores for a total of 1,600,000,000,000,000,000 core-cycles per second. Of course, the actual rate would be lower because not everyone would apply the firmware, have their PS3 connected, and so on. But still, even 10% of this type of computing capacity is far beyond what many important data security and cryptographic systems are expected to resist. For example, it seems likely that the Stevens et al. techniques could be used again successfully to forge a stronger SHA-1-based rogue Certificate Authority (or several).”

“Did SONY fail to protect its customers?” is the question.

Well, is there anyway SONY could have closed “every door that was left ajar”? NO WAY… simply impossible (other than disabling network access of course).

Is there anyway SONY could have detected the intrusion once it started, mitigating damages / reducing exposure? Yes, ABSOLUTELY yes!!! Intrusion detection is the FIRST line of defense of financial and government institutions – without it – any unauthorized users, once in, can move around unchecked (like in this debacle).

Sooooo… Did SONY implement any intrusion detection mechanisms? and if so to what extent? No one knows. (and why is that?)

I submit that SONY’s lack of intrusion detection left its customers exposed to theft (of person information) for an unjustifiable period of time. I base this solely on SONY’s PR communications: there was NO mention of intrusion detection mechanisms (again why is that?) and no detail on how or when the breach was identified.

This is the failure SONY will be answering.

Remember hackers are bad; and they are out there.

SONY… Feel free to leave the door ajar provided your taking good care of your vicious guard dog :)

The risk is that national borders will start to crop up in cyberspace. So far, there are a few (such as the great firewall of China).

No system is entirely secure as long as the door is slightly ajar.

I’m pissed, not at Sony, but for self righteous zealots who ruining good things. Hate DRM? Want to buy an e-book or play a Steam game without being treated like a criminal.

Our future isn’t going to be open as long as this type thing exists and you condone rather than condemn the actions.

> Is that sign a reflection of “YONS”?

If it is, the N and S are backwards on the sign being reflected. But yeah, it looks like a reflection with those letters flipped. Odd. Talk about screwing with future archeologists heads. Makes you wonder what sort of mind games ancient cultures might have been playing on us.

@ Anon #24

> Remember hackers are bad; and they are out there.

Black hat hackers, yes. White hat, not so much. Grey hat, depends on what you’re definitions of good and bad are. Of course not knowing who actually perpetrated this identity data theft, we can only speculate. If it was financially motivated black hat mercenaries working with or as identity thieves, then you’re on point that they’re a bad fact of online life. If it was an idealistically motivated grey hat move against Sony, then I don’t think it will achieve the ends it was meant to.

Whereas, there is no denying that Sony was involved. You can’t argue that Sony didn’t get hacked, that some other company got hacked instead.

Do you see now how you are letting your prejudices control your conclusions without any grounding in the facts?

A hacker hacked Sony and stole customer information. This says something about the hacker’s ethics and it also says something about the weakness of Sony’s security. But it doesn’t demonstrate anything about any ‘anti-Sony zealot’ — the political beliefs of anyone regarding Sony are simply not part of the fact-based picture here. So yes it is in fact your bias that is disgusting; even more so that you can’t even recognise that you are throwing blame at people with a certain opinion, based on zero evidence that they had anything to do with anything.

It should be readily apparent to consumers that Sony is not to be trusted.
Remember their audio CD rootkit? Or SecuROM (developed by Sony)? Or that time they removed Linux functionality from the PS3? Or when they waited an entire week to tell 70M customers they were owned? Or when they threatened tens of thousands of people with litigation for copyright infringement and settled for exorbitant damages? Or when they sued a hacker for reverse engineering and got the logs from his website and sent cease and desists across the web? Or when they built their PSN and their trusted developer network without any seperation so that dev access could be used to dump the data on every single on of its users? Oh right, that just happened.

“Leave Sony alone! Don’t blame the bank that leaves it’s vault open! Blame the robbers who walk into the open vault and walk out with your cash! Nobody would’ve even known that the vault was open if you hadn’t tried to tell the bank that it was in the first place!”

My only point was that punishing the gamers isn’t helping. That litany of offenses is proof that Sony as a corporation doesn’t give a crap about their customers, so attacking them won’t slow Sony down.

An open vault implies no security. Robbers are still thieves no matter how you split hairs.

Upwards around 70 million people had their data possibly stolen and you say “who cares? They apparently weren’t secure. F* Sony.”

Tell me Bill is your home address on Amazon, iTunes? Or do you trust some portion of your internet life with your bank account and/or credit card. No? Yes.

Well, I hope not! If Apple, Amazon or anybody faltered in your fantasyland impression of them… then down it goes further down the spiral.

Hell even credit card companies nor banks are secure, but by all means lets aim for the limelight and exploit the system.

Valued PlayStation(R)Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011,
certain PlayStation Network and Qriocity service user account
information was compromised in connection with an illegal and
unauthorized intrusion into our network. In response to this
intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full
and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our
network infrastructure by rebuilding our system to provide you
with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill
as we do whatever it takes to resolve these issues as quickly and
efficiently as practicable.

Although we are still investigating the details of this incident,
we believe that an unauthorized person has obtained the following
information that you provided: name, address (city, state, zip), country,
email address, birthdate, PlayStation Network/Qriocity password and login,
and handle/PSN online ID. It is also possible that your profile data,
including purchase history and billing address (city, state, zip),
and your PlayStation Network/Qriocity password security answers may
have been obtained. If you have authorized a sub-account for your
dependent, the same data with respect to your dependent may have
been obtained. While there is no evidence at this time that credit
card data was taken, we cannot rule out the possibility. If you have
provided your credit card data through PlayStation Network or Qriocity,
out of an abundance of caution we are advising you that your credit
card number (excluding security code) and expiration date may have
been obtained.

For your security, we encourage you to be especially aware of email,
telephone and postal mail scams that ask for personal or sensitive
information. Sony will not contact you in any way, including by email,
asking for your credit card number, social security number or other
personally identifiable information. If you are asked for this information,
you can be confident Sony is not the entity asking. When the PlayStation
Network and Qriocity services are fully restored, we strongly recommend that
you log on and change your password. Additionally, if you use your PlayStation
Network or Qriocity user name or password for other unrelated services or
accounts, we strongly recommend that you change them as well.

To protect against possible identity theft or other financial loss, we
encourage you to remain vigilant, to review your account statements and
to monitor your credit reports. We are providing the following information
for those who wish to consider it:
- U.S. residents are entitled under U.S. law to one free credit report annually
from each of the three major credit bureaus. To order your free credit report,
visit http://www.annualcreditreport.com or call toll-free (877) 322-8228.

- We have also provided names and contact information for the three major U.S.
credit bureaus below. At no charge, U.S. residents can have these credit bureaus
place a “fraud alert” on your file that alerts creditors to take additional steps
to verify your identity prior to granting credit in your name. This service can
make it more difficult for someone to get credit in your name. Note, however,
that because it tells creditors to follow certain procedures to protect you,
it also may delay your ability to obtain credit while the agency verifies your
identity. As soon as one credit bureau confirms your fraud alert, the others
are notified to place fraud alerts on your file. Should you wish to place a
fraud alert, or should you have any questions regarding your credit report,
please contact any one of the agencies listed below:

Experian: 888-397-3742; http://www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; http://www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; http://www.transunion.com; Fraud Victim Assistance Division,
P.O. Box 6790, Fullerton, CA 92834-6790

- You may wish to visit the website of the U.S. Federal Trade Commission at
http://www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania
Avenue, NW, Washington, DC 20580 for further information about how to protect
yourself from identity theft. Your state Attorney General may also have advice
on preventing identity theft, and you should report instances of known or
suspected identity theft to law enforcement, your State Attorney General,
and the FTC. For North Carolina residents, the Attorney General can be
contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone
(877) 566-7226; or http://www.ncdoj.gov. For Maryland residents, the Attorney
General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202;
telephone: (888) 743-0023; or http://www.oag.state.md.us.

We thank you for your patience as we complete our investigation of this
incident, and we regret any inconvenience. Our teams are working around the
clock on this, and services will be restored as soon as possible. Sony takes
information protection very seriously and will continue to work to ensure that
additional measures are taken to protect personally identifiable information.
Providing quality and secure entertainment services to our customers is
our utmost priority. Please contact us at 1-800-345-7669 should you have any
additional questions.

Sincerely,

Sony Computer Entertainment and Sony Network Entertainment

Millions use their PS3 for watching movies on BluRay and for watching Netflix streaming. They only have an annoyance of having to press buttons fast to make Netflix load despite the Playstation network being down.

If this turns out to be anti-Sony zealots who did the attack, instead of, say, organized crime looking for credit card info, those folks should rot in jail just like the credit card thieves should.