Comments on: Sony: We wuz robbed. Again. http://boingboing.net/2011/05/02/sony-we-wuz-breached.html Brain candy for Happy Mutants Sat, 18 May 2013 15:32:00 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: deckard68 http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099310 deckard68 Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099310 Personalized spam, and personalized attempts to deceive. That is what this breach is about, so far as we know. It is a data set of people names connected to their email addresses. So instead of "Dear Bank Customer, you need to reset your password by visiting bank.crimesrus.com", it will say "Dear Joe Smith of 123 Happy Lane, you need to reset your banking password...". And some people, senior citizens especially, may be tricked. But unless there turns out to be credit card info stolen, this is basically the theft of an up-to-date mailing list. A HUGE one. The password to the PSN network? Worthless. The history of what games you played? No one cares. But boy, even non-criminals would love an up-to-date mailing list. 501c3s would kill for that kind of info so they could personalize their fundraising emails. Personalized spam, and personalized attempts to deceive. That is what this breach is about, so far as we know. It is a data set of people names connected to their email addresses. So instead of “Dear Bank Customer, you need to reset your password by visiting bank.crimesrus.com”, it will say “Dear Joe Smith of 123 Happy Lane, you need to reset your banking password…”.

And some people, senior citizens especially, may be tricked.

But unless there turns out to be credit card info stolen, this is basically the theft of an up-to-date mailing list. A HUGE one. The password to the PSN network? Worthless. The history of what games you played? No one cares. But boy, even non-criminals would love an up-to-date mailing list. 501c3s would kill for that kind of info so they could personalize their fundraising emails.

]]> By: DWittSF http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099577 DWittSF Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099577 Geohot has a great blog post up about this, and he's 100% spot on: Now until more information is revealed on the technicals, I can only speculate, but I bet Sony's arrogance and misunderstanding of ownership put them in this position. Sony execs probably haughtily chuckled at the idea of threat modeling. Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client(can't trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server? This arrogance undermines a basic security principle, never trust the client. http://geohotgotsued.blogspot.com/ Geohot has a great blog post up about this, and he’s 100% spot on:

Now until more information is revealed on the technicals, I can only speculate, but I bet Sony’s arrogance and misunderstanding of ownership put them in this position. Sony execs probably haughtily chuckled at the idea of threat modeling. Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client(can’t trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server? This arrogance undermines a basic security principle, never trust the client.

http://geohotgotsued.blogspot.com/

]]> By: Anonymous http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1100114 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1100114 Sony aren't to blame. As long as some one can create security some one out there can bypass it. Check how many major websites have been hacked in the last few months. Listen to sarcastic gamer playstation podcast for a proper perspective. Sony aren’t to blame. As long as some one can create security some one out there can bypass it. Check how many major websites have been hacked in the last few months. Listen to sarcastic gamer playstation podcast for a proper perspective.

]]> By: grs http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099124 grs Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099124 I heard Osama bin Laden was caught because he called Sony customer service to see if his Playstation account had been hacked. I heard Osama bin Laden was caught because he called Sony customer service to see if his Playstation account had been hacked.

]]> By: deckard68 http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099125 deckard68 Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099125 I heard there's a mansion opening up to buyers shortly. I heard there’s a mansion opening up to buyers shortly.

]]> By: Jack http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099126 Jack Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099126 I hear Abbottabad has a nice empty place ripe for a datacenter... *chirps* *chirps* *chirps* *howl* *chirps* *chirps* Okay, seriously, Sony. HOW!?!?!?!? Something this massive. HOW?!?!?!?!? I hear Abbottabad has a nice empty place ripe for a datacenter…

*chirps* *chirps* *chirps* *howl* *chirps* *chirps*

Okay, seriously, Sony. HOW!?!?!?!? Something this massive. HOW?!?!?!?!?

]]> By: Anonymous http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099387 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099387 The password to the PSN network may be worthless but in a lot of cases it will be the same as the email, paypal, wow, etc. one. The password to the PSN network may be worthless but in a lot of cases it will be the same as the email, paypal, wow, etc. one.

]]> By: JM http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099404 JM Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099404 You know's laughing hardest? Nintendo. You know’s laughing hardest?

Nintendo.

]]> By: Blackbird http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099149 Blackbird Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099149 So...is this all of the data yet? So…is this all of the data yet?

]]> By: technogeek http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099152 technogeek Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099152 This is _almost_ enough to make me sympathize with Sony's decision to kill the OtherOS feature (removing the PS3's ability to run Linux). On the other hand, that was _almost_ enough to make me feel Sony's security people clearly had their eye on the wrong ball. Grumph. Either way. This is _almost_ enough to make me sympathize with Sony’s decision to kill the OtherOS feature (removing the PS3′s ability to run Linux). On the other hand, that was _almost_ enough to make me feel Sony’s security people clearly had their eye on the wrong ball.

Grumph. Either way.

]]> By: edgore http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099158 edgore Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099158 If the LOCATION of their data center has anything to do with their problems they should probably just give up right now. If the LOCATION of their data center has anything to do with their problems they should probably just give up right now.

]]> By: cratermoon http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099168 cratermoon Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099168 That's just what I was thinking, edgore. Isn't the fundamental problem really that either the sensitive personal/credit card information is either stored on the same system as the game servers or on a system that is somehow trusted or too easily compromised once the game servers are hacked? Sony is doing something seriously wrong if they expect the user hardware to be secure to enough to be their main line of defense against intrusions. First rule of computer security: never trust the hardware in the hands of an untrusted third party. That’s just what I was thinking, edgore. Isn’t the fundamental problem really that either the sensitive personal/credit card information is either stored on the same system as the game servers or on a system that is somehow trusted or too easily compromised once the game servers are hacked? Sony is doing something seriously wrong if they expect the user hardware to be secure to enough to be their main line of defense against intrusions. First rule of computer security: never trust the hardware in the hands of an untrusted third party.

]]> By: oldtaku http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099169 oldtaku Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099169 FFS Sony. If the physical location of your data center is an issue then you're even stupider than we were giving you credit for. Maybe you can use Tor to hide teh eye-pees? FFS Sony. If the physical location of your data center is an issue then you’re even stupider than we were giving you credit for. Maybe you can use Tor to hide teh eye-pees?

]]> By: Anonymous http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099186 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099186 I read that prior to the hacking, Sony was already building a new Server installation in a new location - these events have brought the move date forward...I guess changing location to the new installation adds more security due to the hardware that is in place & moving now means less disruption for us in the long term. I read that prior to the hacking, Sony was already building a new Server installation in a new location – these events have brought the move date forward…I guess changing location to the new installation adds more security due to the hardware that is in place & moving now means less disruption for us in the long term.

]]> By: Jack http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099195 Jack Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099195 What about this magical “cloud” I keep on hearing about? Amazon’s “cloud” goes down and brings slews of sites down. Sony’s “cloud” is hacked and 1,000,000,000+ users have their data compromised. I’m keeping my landline. What about this magical “cloud” I keep on hearing about? Amazon’s “cloud” goes down and brings slews of sites down. Sony’s “cloud” is hacked and 1,000,000,000+ users have their data compromised.

I’m keeping my landline.

]]> By: Rob http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099707 Rob Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099707 Call it a hunch, but I don't think there's many senior citizens on Everquest or PSN Call it a hunch, but I don’t think there’s many senior citizens on Everquest or PSN

]]> By: kibbee http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099463 kibbee Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099463 How were passwords stolen? Shouldn't they be salted and hashed? Seriously how can Sony be so stupid about this stuff? However, after owning a MiniDisk player and having to put up with SonicStage, it doesn't surprise me. For anybody who complains about iTunes, you've never used SonicStage. I also can't believe they are so insecure that all accounts and credit cards can be accessed by hacking into the game network. How were passwords stolen? Shouldn’t they be salted and hashed? Seriously how can Sony be so stupid about this stuff? However, after owning a MiniDisk player and having to put up with SonicStage, it doesn’t surprise me. For anybody who complains about iTunes, you’ve never used SonicStage. I also can’t believe they are so insecure that all accounts and credit cards can be accessed by hacking into the game network.

]]> By: ibbers http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099213 ibbers Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099213 on an unrelated matter - boingboing have you increased the amount of adverts on the site? hell of a lot more advertising clutter nowdays it seems. on an unrelated matter – boingboing have you increased the amount of adverts on the site?

hell of a lot more advertising clutter nowdays it seems.

]]> By: EH http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099214 EH Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099214 Sony should not be allowed to take credit cards. Sony should not be allowed to take credit cards.

]]> By: brianary http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099727 brianary Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099727 I think SonyStyle.com is still pending. I think SonyStyle.com is still pending.

]]> By: morcheeba http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099226 morcheeba Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099226 too late... Sony Bank is issuing their own credit cards. http://www.asahi.com/english/TKY201103310375.html too late… Sony Bank is issuing their own credit cards.
http://www.asahi.com/english/TKY201103310375.html

]]> By: Steiny http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099230 Steiny Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099230 <a href="http://www.youtube.com/watch?v=kzs9L9HDdp0">Sailor Mars has the answers to all Sony's problems.</a> Sailor Mars has the answers to all Sony’s problems.

]]> By: Anonymous http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099253 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099253 I guess http://ispsnupyet.com may be wrong.. I guess http://ispsnupyet.com may be wrong..

]]> By: petsounds http://boingboing.net/2011/05/02/sony-we-wuz-breached.html#comment-1099256 petsounds Wed, 30 Nov -0001 00:00:00 +0000 #comment-1099256 This summary is a bit sparse on details. The 25 million additional users were from the Sony Online Entertainment network, completely separate from PSN. This network handles their (shitty) MMORPGs like Everquest and Star Wars: Galaxies. 100 million users. That's roughly one third of the entire population of the USA. This kind of systemic, gargantuan negligence of people's trusted data needs to be criminalized. This summary is a bit sparse on details. The 25 million additional users were from the Sony Online Entertainment network, completely separate from PSN. This network handles their (shitty) MMORPGs like Everquest and Star Wars: Galaxies.

100 million users. That’s roughly one third of the entire population of the USA.

This kind of systemic, gargantuan negligence of people’s trusted data needs to be criminalized.

]]>