

PlayStation Network and Qriocity Security Breach
April 26, 2011 1:58 PM

Sony's PlayStation Network and Qriocity have been down since April 20, 2011 due to an illegal intrusion. Today Sony announced that user data - birthdate, user name, password, e-mail address, possibly credit card information, and more - has been compromised for its 69 million users, exposing them to identity theft amongst other things. posted by Foci for Analysis (285 comments total) 20 users marked this as a favorite

The Sony network has been flaky and experienced a lot of outages before April 20. I also wonder what will happen to other partners like Netflix, whose PS3 app inexplicably depends on the Sony network for streaming.
posted by Hylas at 2:01 PM on April 26, 2011


Ah, was just working on a post about this... Sony has a FAQ up now too. I can't believe it took them almost a week to admit the massive data compromise.
posted by kmz at 2:02 PM on April 26, 2011


It's things like this that make me very very frightened about how much info I have stored on-line by companies that are out of my control.
posted by charred husk at 2:02 PM on April 26, 2011 [10 favorites]


FYI, even though PSN is down, you're still able to watch Netflix online on the PS3, you just have to let the login fail a few times.
posted by Oktober at 2:03 PM on April 26, 2011 [4 favorites]


Given their rootkit-installing, feature-removing, sue-happy ways I believe them to be capable of most anything.
posted by aerotive at 2:03 PM on April 26, 2011 [14 favorites]


Haha oh wow. That SCE release is a little terrifying. Including information on how to get your one free yearly credit report and everything. Maybe it's an "out of an abundance of caution", but it's still pretty stunning.

Also: granted I'm a usage nerd, and naturally sensitive to this kind of thing. But the release specifically says "[a]lthough we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided[.]" An unauthorized person? One? I mean, this is a document a lot of people vetted and that's being distributed widely. That seems like a weird thing to say unless you mean it. Unless you literally think it's just one person. That's unthinkable, isn't it? That this was the work of one solo hacker?
posted by penduluum at 2:04 PM on April 26, 2011


Ouch
posted by Windopaene at 2:05 PM on April 26, 2011


Hm. The FAQ specifically says "an unauthorized person" too. I wonder.
posted by penduluum at 2:06 PM on April 26, 2011


Of course, the fact that all those things were and/or could have been compromised means they probably weren't hashing things, weren't PCI compliant, etc.

Ouch indeed.
posted by kmz at 2:07 PM on April 26, 2011 [3 favorites]


Changing passwords as fast as I can type...
posted by WinnipegDragon at 2:08 PM on April 26, 2011 [1 favorite]


Why the hell would Sony need credit card information stored on the account? Couldn't they have encrypted it such that the ps3 acted as a unique key, that way it'd still be easy to make purchases without having to put it in every time?
posted by EsotericAlgorithm at 2:09 PM on April 26, 2011


It would also suggest that they stored the passwords in plain text :(
posted by Foci for Analysis at 2:09 PM on April 26, 2011 [5 favorites]


According to the FAQ, the following information may have been released:
- name
- address (city, state/province, zip or postal code, country)
- email address
- birthdate
- playstation network online ID
- login
- password
- password security answers
- purchase history
- billing address (city, state/province, zip or postal code)
- credit card number (excluding security code)
- expiration date
posted by ryanrs at 2:09 PM on April 26, 2011 [1 favorite]


Thank god there's no corporate liability for breaches like this. Can you imagine the amount of money they'd be on the hook for, if they weren't able to force each of their customers to just suck it up and take one in the shorts for Sony?
posted by spacewrench at 2:10 PM on April 26, 2011 [75 favorites]


In other news: Horses Safer by Locking Them Out of Barns.
posted by ardgedee at 2:11 PM on April 26, 2011 [4 favorites]


I can't get to any of the playstation.com sites. Is their server just getting hammered by angry owners?
posted by specialagentwebb at 2:13 PM on April 26, 2011


Really, there's no class action lawsuit being prepared right now? Are you serious?
posted by seanmpuckett at 2:14 PM on April 26, 2011


Thank god there's no corporate liability for breaches like this. Can you imagine the amount of money they'd be on the hook for, if they weren't able to force each of their customers to just suck it up and take one in the shorts for Sony?

Some eager beaver lawyer is looking into filing a class-action suit right at this very minute, I can assure you.
posted by atrazine at 2:14 PM on April 26, 2011


*waiting for someone to blame it on geohot*
posted by mrbill at 2:15 PM on April 26, 2011 [2 favorites]


us.playstation.com seems to be ok.
posted by Foci for Analysis at 2:15 PM on April 26, 2011


But the release specifically says "[a]lthough we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided[.]" An unauthorized person? One?

"Sony regrets to inform you that some guy named Dave? We think his name was Dave? Got a big folder full of personal information and ran out to the parking lot, where he peeled out and took the hell off. We regret this loss of data, and will be reprimanding Craig, who we understand vouched for Dave at the front desk."
posted by Greg Nog at 2:16 PM on April 26, 2011 [39 favorites]


Probably unrelated in a technical sense, but probably very much related in other senses: this, in which fail0verflow demonstrates how to compromise the PS3 down to basically bare metal (because Sony disabled the ability to allow the hardware to boot other OSes; fail0verflow was later sued, along with the guy who released the encryption key revealed by their method), and this, in which an arrested PS3 hacker releases the PS3 Hypervisor bible.

Sony's got themselves in a situation where they're attracting the attention of a lot of very talented, very motivated people, who want very much to cause them harm. And I don't blame any of the users, and I feel badly for them that this happened, but: that is a bad company to give your credit card number to.
posted by penduluum at 2:16 PM on April 26, 2011 [2 favorites]


If Sony isn't PCI compliant and they did indeed lose credit cards, they are about to get a massive, massive fine from the PCI standards council. Basically, Visa, Mastercard, and Amex are free to fine Sony whatever they want and Sony has to pay.

Additionally, some states (as I recall, Massachusetts, Nevada, and California?) have enacted laws that say, "whatever the PCI standard is, that's the law in our state", meaning that Sony may have actually broken the law by not being compliant.

This should serve as an interesting case, to say the least. If nothing else, it's a reminder that in the 21st century, Joe and Jane Public are pretty much screwed with regards to personal privacy, and not because of any fault of their own.
posted by mark242 at 2:16 PM on April 26, 2011 [6 favorites]


Bill Gates is laughing at his supercomputer. "All too easy...." he says.....
posted by TheCoyote23 at 2:17 PM on April 26, 2011 [2 favorites]


Computer replies:

"A problem has been detected and windows has been shut down to prevent damage to your computer."
posted by Threeway Handshake at 2:21 PM on April 26, 2011 [2 favorites]


Sony's network is apparently run by morons. I keep getting email about my PlayStation Network account. I don't own a damn PlayStation. I have a Wii. Some imbecile put my email address into the account setup, and they are not even bright enough to confirm the email account before setting up an online profile. I get confirmation emails for free online forums, for god's sake. They don't confirm contact info before setting up an account that people pay for? They deserve whatever hacking they got.
posted by caution live frogs at 2:21 PM on April 26, 2011


Man, all because I wanted to play Final Fantasy VII again.

Still worth it, though.
posted by elder18 at 2:22 PM on April 26, 2011 [8 favorites]


Supposedly this all started with a custom firmware named rebug. Hackers discovered how to access the PSN dev network shortly thereafter. Here is a bunch of hearsay and speculation by the moderator of PSX-scene and random neckbeards.
posted by Ad hominem at 2:22 PM on April 26, 2011 [2 favorites]


Custom Firmware came out March 31st.

You could flag a retail unit as a ps3 developer station. You could also refill your PSN wallet with a fake cc#. There's no split between the developer side and the retail network. Same backend.

You could also unban yourself and ban other people from PSN. They appear to trust the client 100%. If it says it's allowed, they let it.

The service was shut down on April 20th. And then it took them 6 days to tell people that their personal data was stolen.

I can't even begin to count the mistakes.
posted by Lord_Pall at 2:22 PM on April 26, 2011 [46 favorites]
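The "they appear to trust the client 100%" failure mode described above, as an added example that is not Sony's code and not part of the original thread: a constructed service handler that believes the flags a client sends about itself (developer unit, not banned) beside one that authenticates a signed session token and reads those facts from its own account store. The account table, the session key and the request dicts are all constructed for the demo.

```python
"""Client-asserted vs server-verified authorization.

Added example, not Sony's code: a constructed service that believes whatever
the client says about itself (developer unit, not banned) beside one that
authenticates a signed session and reads those facts from its own account
store. ACCOUNTS, SESSION_KEY and the request dicts are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side account store; clients cannot write to it.
ACCOUNTS = {
    "alice": {"role": "retail", "banned": False},
    "bob":   {"role": "retail", "banned": True},
    "dev01": {"role": "developer", "banned": False},
}

# Constructed per-process secret for signing session tokens.
SESSION_KEY = secrets.token_bytes(32)


def issue_session(user: str) -> str:
    """Return an HMAC-signed session token of the form '<user>.<hex mac>'."""
    mac = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def session_user(token: str) -> Optional[str]:
    """Return the user a token was issued to, or None if it is forged or unknown."""
    user, _, mac = token.rpartition(".")
    if user not in ACCOUNTS:
        return None
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac.encode(), expected.encode()) else None


def authorize(user: str, role: str, banned: bool, action: str) -> dict:
    """Policy shared by both handlers: banned users get nothing; dev tools need the developer role."""
    if banned:
        return {"ok": False, "reason": "banned"}
    if action == "dev_tool" and role != "developer":
        return {"ok": False, "reason": "retail unit"}
    return {"ok": True, "user": user, "action": action}


def handle_vulnerable(req: dict) -> dict:
    """The bad pattern: identity, role and ban status all come from the client."""
    return authorize(req["user"], req.get("role", "retail"),
                     req.get("banned", False), req["action"])


def handle_hardened(req: dict) -> dict:
    """Identity comes from a signed session; role and ban status from the server store."""
    user = session_user(req.get("session", ""))
    if user is None:
        return {"ok": False, "reason": "unauthenticated"}
    acct = ACCOUNTS[user]
    return authorize(user, acct["role"], acct["banned"], req["action"])


def demo() -> tuple:
    """Banned retail user 'bob' sends forged flags to each handler."""
    forged = {"user": "bob", "role": "developer", "banned": False, "action": "dev_tool"}
    # Even with a genuine session, the hardened path still consults the server record.
    signed = {"session": issue_session("bob"), "action": "dev_tool"}
    return handle_vulnerable(forged), handle_hardened(signed)


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler lets the banned account through as a developer because every input it checks came from the client; the hardened handler reaches the same policy code but with facts only the server can supply, which is the split between client claims and server state that the comment says was missing.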


It's things like this that make me very very frightened about how much info I have stored on-line by companies that are out of my control.

Yep, one of the many reasons I migrated away from my Google account(s). And never did anything with my FaceBook account (and deleted the vestigial nothing I did have).
posted by DU at 2:23 PM on April 26, 2011


I've been following this, despite not being a Sony customer or having a hat in the ring. It's truly ridiculous.
posted by codacorolla at 2:26 PM on April 26, 2011


Yeah this is pretty fucking shameful. They spent six days basically saying "Maybe sorta kinda just maybe your CC# was compromised, MAYBE, only kind of"
posted by PostIronyIsNotaMyth at 2:26 PM on April 26, 2011


Sony's network is apparently run by morons. I keep getting email about my PlayStation Network account. I don't own a damn PlayStation. I have a Wii. Some imbecile put my email address into the account setup, and they are not even bright enough to confirm the email account before setting up an online profile.

I have the same problem with XBL - someone put my gmail address in as theirs (some guy named Jose S.) and I still get emails when they add points to their system, when their XBL Gold is about to expire, etc.

I emailed and called XBL support and they couldn't help me. They couldn't remove that email from the account because it wasn't my XBL account. Even though it was my email address they were emailing.
posted by SirOmega at 2:26 PM on April 26, 2011 [3 favorites]


Sony's network is apparently run by morons. I keep getting email about my PlayStation Network account. I don't own a damn PlayStation. I have a Wii. Some imbecile put my email address into the account setup, and they are not even bright enough to confirm the email account before setting up an online profile.

I have the same problem with XBL - someone put my gmail address in as theirs (some guy named Jose S.) and I still get emails when they add points to their system, when their XBL Gold is about to expire, etc.

I emailed and called XBL support and they couldn't help me. They couldn't remove that email from the account because it wasn't my XBL account. Even though it was my email address they were emailing.

You should reset Jose's password.
posted by jessssse at 2:28 PM on April 26, 2011 [22 favorites]


According to the FAQ, the following information may have been released:
- name
- address (city, state/province, zip or postal code, country)
- email address
- birthdate
- playstation network online ID
- login
- password
- password security answers
- purchase history
- billing address (city, state/province, zip or postal code)
- credit card number (excluding security code)
- expiration date
posted by ryanrs at 5:09 PM on April 26


This means that they were storing passwords unencrypted? It's 2011, how is that even possible for a company as high profile as Sony? This is 101-level stuff.
posted by Who_Am_I at 2:29 PM on April 26, 2011 [2 favorites]


Sony is doing a bang-up job iron-plating their place on my "never do business with under any circumstances" list.
posted by Skorgu at 2:29 PM on April 26, 2011 [6 favorites]


Heh. I was reading last night in an Ars thread about people finding fraudulent charges on their credit cards. I'd like to think Sony's about to get a company-destroying smackdown over this, but this is the company that sold "CDs" that rootkitted people's computers, and they made it through that largely unscathed.
posted by dirigibleman at 2:30 PM on April 26, 2011 [1 favorite]


Somewhere, Chadwarden (nsfw language) is weeping.
posted by hellojed at 2:31 PM on April 26, 2011


The fact that they took a week to get this information out and the possibility that they were storing passwords in plain text (what. the. FUCK??) have convinced me to never buy another Sony product again. Hell, I don't even want to use my PS3 anymore. Guess I'll be missing out on Uncharted 3 and The Last Guardian.
posted by eyeballkid at 2:32 PM on April 26, 2011 [1 favorite]


This is global, right? Hopefully Sony will be raked over the coals in every jurisdiction on the planet.
posted by ryanrs at 2:33 PM on April 26, 2011


God damn it, I have no idea what my PSN password was but it's problem from the era where I was still using the same one in a bunch of places. Guess I'm having fun the next 5 hours...
posted by floam at 2:34 PM on April 26, 2011


s/problem/probably
posted by floam at 2:35 PM on April 26, 2011


Yeah, I'm returning the Sony camera (NEX5) I bought, not because of this, but because it's full of stupid-ass software limitations to what the hardware can do. It's like their whole marketing model is "look at this cool device" "we won't actually let you use it". Apple has nothing on these people's arrogance.
posted by seanmpuckett at 2:35 PM on April 26, 2011 [1 favorite]


If Sony isn't PCI compliant and they did indeed lose credit cards, they are about to get a massive, massive fine from the PCI standards council. Basically, Visa, Mastercard, and Amex are free to fine Sony whatever they want and Sony has to pay.

I don't know about 'whatever they want to'. I had thought the limit was a half-million dollars an incident.

But this brings another thought to mind. They're more than a year old. Does that mean their annual PCI DSS Certification was faked?
posted by mikelieman at 2:36 PM on April 26, 2011 [1 favorite]


I'm so glad PSN was always too broken to accept my card number in the first place right now. Was this another one of those guys just trying to make a point with no devious intent, and if not is there anything to be done except hope nothing comes of it?
posted by jinjo at 2:37 PM on April 26, 2011 [1 favorite]


I also don't even know my playstation password. It's written down somewhere in the house. I do remember when I got my playstation and my shiny disks with games on them, I was so excited. Then the playstation demanded I set up an account and asked for all this information from me so I could play those shiny disks. My reaction was "why?" and "hell, no." I did set up a username and password, but I did not put any of that other stuff into their database. Fucking databases. I just want to put my shiny disk in this slot and kill things.

That pisses me off more than the security breach--everything wants a fucking demographic survey of me and credit card before it will let me use it. Wouldn't the problem be much smaller if contributions to these databases weren't mandatory? Because there'd be less information in them? Fewer folks entrusting sensitive information to idiots?
posted by crush-onastick at 2:37 PM on April 26, 2011 [3 favorites]


Statistically speaking though, if 69 million credit card numbers are stolen, what's the chance an individual person's will actually be used?

I'm not saying this is no big deal, because mine is on file with them, and I'm pretty pissed, and I do hope they get raked over the coals. I guess I'm just curious.
posted by elder18 at 2:41 PM on April 26, 2011


I find it interesting how many people are saying "Stupid Sony, it's their own fault.", and wonder how many feel the same about Bradley Manning (if he was actually the one who did it, since no trial yet) taking military info, would they be saying "Stupid US military, not encrypting it.". Or "Stupid airlines, not keeping people from hijacking planes and flying them into buildings."

Regardless of what Sony did or didn't do, it's the hackers to blame, and I find it sad that people seem to be holding them up as heroes.
posted by usagizero at 2:41 PM on April 26, 2011 [2 favorites]


This means that they were storing passwords unencrypted? It's 2011, how is that even possible for a company as high profile as Sony? This is 101-level stuff.

I don't think this means they didn't have it encrypted. Even if they are encrypted, they have the password... they just need to match the hash via brute force to get the actual password. It's just one extra step, though it could be a very long step depending. But, for all intents and purposes...
posted by tittergrrl at 2:42 PM on April 26, 2011


I have never been so glad that someone tried to steal my credit card number last year; it was a huge pain in the ass, but it made me realize how much damage could be done by using a single card number everywhere. Now all my finances are compartmentalized, and I'll know in a minute if anyone got access to my information and tries to use it illicitly.

Still, this is a massively bad black eye for Sony.
posted by quin at 2:43 PM on April 26, 2011


Sony is doing a bang-up job iron-plating their place on my "never do business with under any circumstances" list.

I remember how, in the 80s, Sony had a reputation as a manufacturer of quality sound equipment. Since then, I can't think of anything positive that has come out of them. Vaios and Playstations have troubled pasts, there was the CD rootkit deal a couple years back, and for the longest time, Sony's network of MMOs was where they went to die--when Pirates of the Burning Sea was launched on Sony Online, there was massive gnashing of teeth at the premature death of the only MMO besides Eve Online that wasn't a swords-and-sorcery epic. Sony Online famously killed Star Wars Galaxies, probably the most inherently profitable MMO franchise possible. They won the Blu-Ray/HD war just at the time that movies were becoming more frequently downloaded than purchased.

Seriously, have they done anything right in the last two decades?
posted by fatbird at 2:44 PM on April 26, 2011 [4 favorites]


quin, would love to hear how you manage all of that. Do you got multiple bank accounts? Some kind of fraud monitoring service in use?
posted by Foci for Analysis at 2:47 PM on April 26, 2011 [1 favorite]


My PS2 is the best DVD player I've ever had. But now I have an excellent reason to not get a PS3.
posted by epersonae at 2:48 PM on April 26, 2011


Sony had a reputation as a manufacturer of quality sound equipment.

Walkmen, sure. The rest of their audio wasn't that great.

They made superb video cameras, video tape decks, video editing hardware, televisions, and monitors, though.
posted by Threeway Handshake at 2:48 PM on April 26, 2011


Tittergrrl, that's not true. You can store passwords in a way that is not feasible to decrypt by anyone, even yourself. But you can still check for matches, e.g. to validate logins.
posted by ryanrs at 2:48 PM on April 26, 2011 [1 favorite]


- password
- password security answers

Dear Sony,

Because my password was the same one I used every other place, I've had to go change it at my bank and my email account and other sensitive websites. I understand that this is my fault, and in no way blame you. I'm having trouble, however, getting my mom to change her maiden name, renaming my first pet, or changing the mascot of the school I graduated from. If you have any advice to help me remedy this security breach, please let me know.
posted by AzraelBrown at 2:50 PM on April 26, 2011 [54 favorites]


You should reset Jose's password.

I did this for Bloodhalo11. Now I have an XBox 360 and I'm stuck with his username and game history. You can't change your name on XBL without ringing them up and there's no apparent way to cleanse the game stuff. I did, however, ditch his friends and change his avatar before I ever signed on.

Seriously, how hard is it to use double opt-ins?

On the plus side, I appear to have access to US-only XBL content.
posted by John Shaft at 2:51 PM on April 26, 2011 [2 favorites]


Statistically speaking though, if 69 million credit card numbers are stolen, what's the chance an individual person's will actually be used?

100%.
posted by mark242 at 2:51 PM on April 26, 2011 [1 favorite]


fatbird: The original Playstation had NES-levels of market domination. The PS2 was also fairly successful and popular, roughly as popular as the XBox in the US. The Wega flat CRT screens were also pretty good in ~2000.
posted by aubilenon at 2:51 PM on April 26, 2011


Thank god there's no corporate liability for breaches like this. Can you imagine the amount of money they'd be on the hook for, if they weren't able to force each of their customers to just suck it up and take one in the shorts for Sony?

Liability laws like this would blast us back to the cash-only age. I don't usually side with big corporations, but I do know something about network security: You can hire all of the security consultants in the world and the risk that someone will find a way to break into your database is still great enough that the potential for liability lawsuits would render e-commerce a very dangerous business model.

To be both effective and practical, such laws would have to be very, very carefully crafted, and frankly I don't think our legislative system is capable of that. It would be useful, though, to require companies to meet a set of best practices for systems that store secure information... but it's quite possible that Sony was not being sloppy and careless with this information and got hacked anyway.
posted by qxntpqbbbqxl at 2:51 PM on April 26, 2011 [1 favorite]


So... 69 million people are PSN members... but I had (someplace?) heard that PSN didn't require a credit card to join, that it was included in the purchase of the product and a CC# was only required if you were going to purchase things. Like, sort of the opposite of the X-Box online system in a lot of ways. (I'm not a gamer, so I only know about these things vicariously.)

So maybe not everyone who is a PSN member has had CC#s stolen?
posted by hippybear at 2:52 PM on April 26, 2011


Seriously, have they done anything right in the last two decades?

Certainly not since Howard Stringer became one of the powers that be.
posted by nj_subgenius at 2:52 PM on April 26, 2011


Tittergrrl, that's not true. You can store passwords in a way that is not feasible to decrypt by anyone, even yourself. But you can still check for matches, e.g. to validate logins.

Yes, but once a hacker has that file, they can run John the Ripper or match passwords against a rainbow table and extract a large % of the encrypted values, regardless of the storage method.
posted by zvs at 2:52 PM on April 26, 2011 [3 favorites]


I'm having trouble, however, getting my mom to change her maiden name, renaming my first pet, or changing the mascot of the school I graduated from. If you have any advice to help me remedy this security breach, please let me know.

Actually, there is a very smart strategy for this (and one everyone should use). When it asks for your mother's maiden name... DON'T USE IT! Mother's maiden name is actually rather easy to get a hold of. Use something different, make it another secure password you remember.
posted by Mister Fabulous at 2:54 PM on April 26, 2011 [6 favorites]


Ouch. That really sucks. Sorry to those affected. And with Portal 2 out! Shame, shame.
posted by Admiral Haddock at 2:54 PM on April 26, 2011


Statistically speaking though, if 69 million credit card numbers are stolen, what's the chance an individual person's will actually be used?

Well, not all have credit card numbers. But don't kid yourself — even if one hacker never can manage to use all the CC numbers, passwords, you're not safe. There are markets for this stuff. Same places you sell botnets. Package them up and hawk them in sets of 10,000 for some smaller-than-you'd-guess amount of money apiece. It might be tomorrow, it might be three years from now, but it's not unlikely someone will get around to it.
posted by floam at 2:55 PM on April 26, 2011


Yes, but once a hacker has that file, they can run John the Ripper or match passwords against a rainbow table and extract a large % of the encrypted values, regardless of the storage method.

Not if the hashes were properly salted and the hacker hasn't got the salt value. Defeating dictionary attacks and rainbow tables is one of the purposes of salting.
posted by jedicus at 2:55 PM on April 26, 2011 [10 favorites]


Foci for Analysis, I use different credit cards for online/offline situations, one in particular (with a very low limit) allows me to view and pay its balance any time, and I always keep it at zero. If I see any kind of traffic on it, I know immediately whether or not it's legitimate and can take action. That's the one I use for places that store my card number online (PSN, iTunes, etc).
posted by quin at 2:56 PM on April 26, 2011 [3 favorites]


You can't change your name on XBL without ringing them up

Can't you? At least in the US you can change your gamertag pretty easily. You do have to pay 800 points to do it though.

Yes, but once a hacker has that file, they can run John the Ripper or match passwords against a rainbow table and extract a large % of the encrypted values, regardless of the storage method.

Not if they're properly salted.
posted by kmz at 2:56 PM on April 26, 2011


I bought a PS3 solely for Blu-Ray and streaming Netflix. It seemed like a piece of equipment with a lot of media center potential, but I've watched Sony completely ignore this market. I was hopeful that custom firmware would come up with something interesting, but it looks like that's too much trouble to deal with.

After my first PS3 Fat got a Yellow Light of Death, I figured it was cheaper to get it fixed than to replace it with something else. Now I know I'm getting rid of the thing and building an HTPC. Fuck you, Sony.
posted by TrialByMedia at 2:56 PM on April 26, 2011


69 million is basically a huge made up number that Sony uses to inflate the impressiveness of their service. Comment on their forums? Create an account. Want to flame on their forums? Make another account.
posted by graventy at 2:56 PM on April 26, 2011 [1 favorite]


Yes, but once a hacker has that file, they can run John the Ripper or match passwords against a rainbow table

Not if you do it properly. Very simple passwords will never be secure, but it is trivial to prevent those from being used in the first place.
posted by ryanrs at 2:57 PM on April 26, 2011


When it asks for your mother's maiden name... DON'T USE IT! Mother's maiden name is actually rather easy to get a hold of. Use something different, make it another secure password you remember.

That's what I do too, but the compromise would mean you'd have to change your made-up answer on all sites that use that question, and there's generally a fairly narrow pool of security questions.
posted by kmz at 2:57 PM on April 26, 2011


I don't own a video game console, but I am listening to Warren Zevon on a set of Sony headphones right now. Am I safe?
posted by infinitywaltz at 2:58 PM on April 26, 2011 [3 favorites]


Oh, Christ. They point you to the yearly free credit report. When my company released a bunch of SSNs by accident, they bought two years of credit monitoring for each and every affected employee. Fuck you again, Sony.
posted by TrialByMedia at 2:58 PM on April 26, 2011 [3 favorites]


I don't own a video game console, but I am listening to Warren Zevon on a set of Sony headphones right now. Am I safe?

If you're in London I'd watch out for werewolves.
posted by kmz at 2:58 PM on April 26, 2011 [8 favorites]


I don't own a video game console, but I am listening to Warren Zevon on a set of Sony headphones right now. Am I safe?

From hackers, yes. Beware of werewolves, though.
posted by inigo2 at 2:58 PM on April 26, 2011 [5 favorites]


DAMNIT
posted by inigo2 at 2:59 PM on April 26, 2011 [22 favorites]


The lack of basic precautions against data breach, like salted passwords, seems like a level of gross incompetence that might rise high enough to leave them liable to some sort of court action. I sure hope so anyways.
posted by nomisxid at 2:59 PM on April 26, 2011 [2 favorites]


hacker hasn't got the salt value. Defeating dictionary attacks and rainbow tables is one of the purposes of salting.

Of course the hacker has the salt since it is stored with the hash.
posted by ryanrs at 2:59 PM on April 26, 2011 [1 favorite]


From hackers, yes. Beware of werewolves, though.

With the headphones cranked up, I won't even be able to hear them coming.
posted by infinitywaltz at 3:00 PM on April 26, 2011


I can't decide if I'm more irritated that this happened -- after god knows how many downloads and resets of my PS3 system, there wasn't any security included for my personal info? -- or that I am reading about this in the news and on the blue, not in an email. Because they still haven't officially notified me in any way, by email or otherwise.
posted by bearwife at 3:01 PM on April 26, 2011 [10 favorites]


Seriously, have they done anything right in the last two decades?

The PS2 game library is so good I'm keeping about 20 PS2 games I could easily trade in. And I don't even have a working PS2 anymore.
posted by Lovecraft In Brooklyn at 3:01 PM on April 26, 2011 [2 favorites]


the compromise would mean you'd have to change your made-up answer on all sites that use that question

Obviously you use a different made-up maiden name for every site. Keep the info in an encrypted file or a piece of paper.
posted by ryanrs at 3:01 PM on April 26, 2011 [1 favorite]


Liability laws like this would blast us back to the cash-only age. I don't usually side with big corporations, but I do know something about network security: You can hire all of the security consultants in the world and the risk that someone will find a way to break into your database is still great enough that the potential for liability lawsuits would render e-commerce a very dangerous business model.

It should be possible to consider the regulation of storage and transmission of sensitive personal financial data, much as HIPAA does for personal medical data. If parties that handle medical data aren't in compliance with HIPAA, they open themselves to civil and criminal penalties. It should be reasonable to set up similar laws that online businesses must comply with, in order to more safely ensure the privacy of customers and financial transactions. At the very least, a law that requires encrypting CC data would be useful.
posted by Blazecock Pileon at 3:02 PM on April 26, 2011 [3 favorites]


Of course the hacker has the salt since it is stored with the hash.

This conversation is giving me a contact high.
posted by dirigibleman at 3:02 PM on April 26, 2011 [12 favorites]


Yeah, and we're talking about someone who hacked Sony. Presumably they don't mind a diminished rate of return on their dictionary attack and have some computing power to throw at the problem (or will sell the information to someone who does). They have 69 million potential passwords. Not to mention enough personal information to build a really good dictionary of pets' names and birthdays.

I am not an expert on the exact algorithmic complexity of defeating salts, but it is not impossible. Especially when you have acquired a functionally infinite supply of targets. The rest is a scaling problem.
posted by zvs at 3:02 PM on April 26, 2011


You can make it effectively impossible if you want.
posted by ryanrs at 3:04 PM on April 26, 2011


You can make it effectively impossible if you want.

3 terrifying words.

"Software Development Contractors"

Have a nice night, folks.
posted by mikelieman at 3:06 PM on April 26, 2011 [2 favorites]


Ok. I can make it effectively impossible if I want.
posted by ryanrs at 3:07 PM on April 26, 2011 [1 favorite]


So... 69 million people are PSN members... but I had (someplace?) heard that PSN didn't require a credit card to join, that it was included in the purchase of the product and a CC# was only required if you were going to purchase things.

Yes, basically. PSN basic is free with the PS3. You need one to play online, or stream netflix, or lovefilm. You have to fill out a ton of info though.

They do have an online store where you can buy games, as well as various other bits and pieces. They also have playstation plus accounts with various stuff - free games, mainly IIRC - which do require your CC number. And of course they store it for future use. Fuckers.

I have bought a couple of games off the playstation store. Fortunately, my card number expired a few months ago, so I have a new one with new expiry date - the old one is no longer valid, and charges against it are refused. So at least I don't have to worry about that.

I also use a strong, different password for each service I give a toss about, so even if they crack my random string password on there, it won't get them into email, online banking or any other service that has a CC attached.

Still. Last sony product I *ever* buy. Nor will I be ever using the PSN again. It can continue as an offline media streaming box to my TV, as it has done for the last year or so.
posted by ArkhanJG at 3:08 PM on April 26, 2011


Sure. But it's not likely to happen at this scale.

To take a different tack, the cracker has root on your system and knows the creation timestamp for each account. So our crackerjack PhD hacker can, with access to your code, limit your gigantic space of nonces to the ones that could have been generated at moment X. Hopefully your random function has more entropy than most.

Once somebody's inside the system, you're just pouring water on a forest fire. There are more attack vectors than can be reasonably prepared for.
posted by zvs at 3:08 PM on April 26, 2011


Not only is this a ridiculous fail, they've been sitting on this information for a week. That's pretty bad, when your customers' data has already been compromised.

So glad I don't have a PS3...
posted by wildcrdj at 3:08 PM on April 26, 2011


When it asks for your mother's maiden name... DON'T USE IT!

What you're asking me to do now is to not only make up a word for my password and remember what it is, but you're asking me to make up another word so that I can try and remember that word the next time I forget the first made up word. I'm a total security failure.

actually, I do use 'wrong' answers to those questions, but I still have the same problem of cross-site use of the same answer to the same question. I can only remember so many things...
posted by AzraelBrown at 3:08 PM on April 26, 2011 [1 favorite]


This is a really enlightening argument for me, though! Thank God I don't deal with anybody's personal or financial information for a living.
posted by zvs at 3:09 PM on April 26, 2011


Of course the hacker has the salt since it is stored with the hash.

But he has to recompute his rainbow table.
posted by Ad hominem at 3:10 PM on April 26, 2011 [2 favorites]


I just searched my mail, cause I don't even remember what my PSN id actually is, and it turns out I already got someone attempting to phish me (using the correct PSN id) back on the 24th, to go to innovyx.net and give them more info.
posted by nomisxid at 3:10 PM on April 26, 2011 [1 favorite]


Oh, Christ. They point you to the yearly free credit report. When my company released a bunch of SSN's by accident, they bought two years of credit monitoring for each and every affected employee. Fuck you again, Sony.

This has actually been requested of Sony by Senator Richard Blumenthal (CT, assuming he's heavily concerned given the saturation of credit card companies in that state)
posted by XQUZYPHYR at 3:12 PM on April 26, 2011 [2 favorites]


But he has to recompute his rainbow table.

This would be a great problem for my 2^128-machine botnet.

Gaah, IPv4! Foiled again!!!
posted by zvs at 3:12 PM on April 26, 2011 [1 favorite]


Yes, salts defeat precomputed rainbow tables. The comment I was replying to suggested the salt must be kept secure. This is not the case.

(It's difficult to discuss security in such a fast-moving thread.)
posted by ryanrs at 3:12 PM on April 26, 2011 [1 favorite]


I can only remember so many things...

It's a lot easier if you just give up remembering so much. Either do something like diceware or use something like 1Password that keeps track of everything and even logs you into your websites.
posted by floam at 3:12 PM on April 26, 2011 [1 favorite]


Metafilter: a bunch of hearsay and speculation by the moderator and random neckbeards.
posted by Horace Rumpole at 3:14 PM on April 26, 2011 [8 favorites]


You have to keep a record for every account you create anyway. (Or do people not even track which sites they have signed up on?)
posted by ryanrs at 3:15 PM on April 26, 2011


(It's difficult to discuss security in such a fast-moving thread.)

Yeah it is, too many responses flying by. You are right, salts don't need to be kept secure, there is no such thing as keeping some magic value secret once someone gains access.
posted by Ad hominem at 3:18 PM on April 26, 2011


Sony didn't just lose their way. They drove over their compass in the parking lot, set fire to the map and sent the Yakuza to the map maker's house. I hope they get sued into obscurity.
posted by tommasz at 3:20 PM on April 26, 2011 [5 favorites]


Oh crap. I just realised that all the staff at work tend to use the same password for *everything*. So now someone out there probably has a bunch of
1) work email addresses
2) passwords that are the same
3) an easy to figure out smtp server name
4) remote login to the smtp server to send email
5) because the senior management use iphones, and don't want to have to use our webmail service
6) my internal anti-spam system is gonna get *hammered* from breached accounts.
7) term starts tomorrow, so I was gonna be slammed anyway.

Cock.
posted by ArkhanJG at 3:21 PM on April 26, 2011 [2 favorites]


Hell, I don't even want to use my PS3 anymore.

Can I have it?

The PS2 game library is so good I'm keeping about 20 PS2 games I could easily trade in. And I don't even have a working PS2 anymore.

Amen. You can have my PS1/2 games when you pry them from my cold, dead fingers. I still haven't even *started* Okami yet.
posted by mrgrimm at 3:23 PM on April 26, 2011


This gives the impression that Sony stored user passwords as plain-text. No-one should do this, ever. In 2011 I think this is sufficiently negligent and incompetent to warrant a class-action lawsuit.
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 3:23 PM on April 26, 2011 [4 favorites]


Well here we are again, it's always such a pleasure.
Remember when you tried to kill me twice?
Oh how we laughed and laughed, except I wasn't laughing.
Under the circumstances, I've been shockingly nice.


Time to change all my passwords. Had been on the fence weeks ago between an Xbox and a Playstation. So incredibly glad I went with the XBox.
posted by Slackermagee at 3:24 PM on April 26, 2011


While a class action lawsuit would be nice, it won't change anything. IIRC, the class action suit over the rootkit CD basically ended with a fat cheque for the lawyers, and the infected users getting a clean digital copy of the deliberately-infected CDs, and a few free track downloads.

How much will they have to give out for this? 1 month's free PSN plus subscription?
posted by ArkhanJG at 3:26 PM on April 26, 2011 [2 favorites]


"[a]lthough we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided[.]"

So they have people that are authorized to steal and distribute this kind of information?
posted by Splunge at 3:27 PM on April 26, 2011 [1 favorite]


I thought PSN was already free. That was the supposed benefit over XBL.
posted by Slackermagee at 3:27 PM on April 26, 2011


It could be bigger if people suffer real damage from having used their Sony password on multiple sites. While that is indeed the fault of the consumer, it is widespread enough to be something Sony could have predicted and mitigated by using basic password encryption.
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 3:27 PM on April 26, 2011


It is. But you use a CC for playstation plus accounts (free games), the online games store etc etc.
posted by ArkhanJG at 3:28 PM on April 26, 2011


PlayStation Plus is not free, nor are several PS3 games which have monthly subscriptions.
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 3:28 PM on April 26, 2011


In 2011 I think this is sufficiently negligent and incompetent to warrant a class-action lawsuit.

You know, I think you may have a point there. Goddamn. Sucks to be Sony.
posted by aramaic at 3:29 PM on April 26, 2011


Changing passwords as fast as I can type...

You seriously still use the same password for multiple sites? I stopped doing that for 'important' sites years ago and now don't even use the same password for anything.

I guess my paranoia just puts me ahead of the curve these days :)

Anyway, Sony sucks. F'em.

I wonder how related this is to the Anonymous raid over the GeoHot thing. That was just a DDoS, and then Sony ended up settling right after the DDoS. Maybe Sony was terrified of the hacker and thought settling would get them off their backs somehow. Pretty unlikely, but fun to think about.
posted by delmoi at 3:29 PM on April 26, 2011


If any of you use the same password on multiple sites, stop doing that and use LastPass, which is a wonderful thing, and it is free.
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 3:31 PM on April 26, 2011 [4 favorites]


This feels like karmic retribution for jailbreaking my PS3 phat with an iPod Video (with RockBox firmware) last September. I've kept this thing off the net to avoid potential banhammerings, but I still got dicked down by Sony. Oh well, off to cancel a credit card.
posted by porn in the woods at 3:33 PM on April 26, 2011


Lastpass is free unless you want to use it on your smartphone, in which case you need a premium sub. Keepass is an open-source app that also can sync the database with free mobile app versions. Not quite as good for browser integration, but it's completely free in all senses.
posted by ArkhanJG at 3:37 PM on April 26, 2011 [2 favorites]


LastPass is pretty sweet, although I couldn't get the Android version working very well. Although for our household accounts, we go old school with index cards kept in a safe place.

On quasi-preview: I read someplace (Lifehacker?) that you can set up Keepass to be LastPass-like by using Dropbox to store the key file. Or something.
posted by epersonae at 3:40 PM on April 26, 2011


You can hire all of the security consultants in the world and the risk that someone will find a way to break into your database is still great enough that the potential for liability lawsuits would render e-commerce a very dangerous business model.

This is, for the topic being discussed, bullshit.

Specifically, it is entirely possible to never store a password or a credit card number on your servers and still allow logins and payments. Passwords are handled easily with salted hashes and credit cards are handled by properly using your payment processor's APIs and never storing data locally.
posted by odinsdream at 3:48 PM on April 26, 2011 [8 favorites]


The PlayStation Network clusters are busy generating rainbow tables at the moment.
posted by benzenedream at 3:49 PM on April 26, 2011 [8 favorites]


On quasi-preview: I read someplace (Lifehacker?) that you can set up Keepass to be LastPass-like by using Dropbox to store the key file. Or something.

Yup.
posted by ArkhanJG at 3:50 PM on April 26, 2011 [2 favorites]


Though given the recent thingy about dropbox admins having access to user files, using a service like spideroak may be a better plan.
posted by ArkhanJG at 3:51 PM on April 26, 2011


Amazingly, Sony is only down about 1% on the NYSE today. (It's down 2.1% on the Tokyo exchange, though.) I would have expected the hit to be higher.
posted by stoneweaver at 3:55 PM on April 26, 2011


Yes, salts defeat precomputed rainbow tables. The comment I was replying to suggested the salt must be kept secure. This is not the case.

Agreeing with this. If the passwords were hashed and salted with SHA-256, I don't think they would be reporting the possibility of compromise. I'm guessing unsalted SHA-256 at best, although I'm assuming (hoping?) they wouldn't be stupid enough to forgo hashing entirely. In either case, unconscionable for a company like Sony. I hope they suffer over this.
posted by Edgewise at 4:01 PM on April 26, 2011 [2 favorites]


I find it interesting how many people are saying "Stupid Sony, it's their own fault.", and wonder how many feel the same about Bradley Manning (if he was actually the one who did it, since no trial yet) taking military info, would they be saying "Stupid US military, not encrypting it.". Or "Stupid airlines, not keeping people from hijacking planes and flying them into buildings."

Regardless of what Sony did or didn't do, it's the hackers to blame, and I find it sad that people seem to be holding them up as heroes.


It's a bit like renting some storage place and finding out one day that someone showed up, said they were you, with no i.d., and the storage place gave them the key to your storage, the password to the gate and rented them a truck on your account. And when they figured out what happened, they waited a couple of weeks to tell you. Sure, the thief is to blame, but so is the complete lack of security at the storage company.
posted by stavrogin at 4:04 PM on April 26, 2011 [14 favorites]


The PS2 was also fairly successful and popular, roughly as popular as the XBox in the US.

The PS2 was also dominant. 50 million PS2s were sold in the US, compared to 16 million for the original Xbox.
posted by zsazsa at 4:13 PM on April 26, 2011


"Sure, the thief is to blame, but so is the complete lack of security at the storage company."

But then instead of any blame being put on the thief, people praise them for hurting the person who did business with them for doing business with them in the first place and they got what they deserved. There are a lot of assumptions being made for what Sony did/didn't do well enough, but who is going to be hurt through this? The users, and most if not all of the posts are basically saying "Screw them, they were asking for it." The hackers had malicious intent because they went for the user data, if they really wanted to hurt Sony, they would go for the real treasure. That being development info, source code, confidential docs, etc. But they didn't, either because that's harder or that's not where the money vs time is. (sort of like how most hackers don't go after Blizzard, but the user accounts where the gold/items are.)

Sony needs to figure out how to keep this from happening as best they can (if fines will do that, so be it), the hackers need to spend a good part of their lives in jail (hell, it's basically terrorism, send them to gitmo), and the users need to be able to use things like this without so much internet communication (basically keep it to if you want to update it, play multiplayer, dlc, otherwise you don't need to be).
posted by usagizero at 4:17 PM on April 26, 2011 [2 favorites]


This means that they were storing passwords unencrypted? It's 2011, how is that even possible for a company as high profile as Sony? This is 101-level stuff.
posted by Who_Am_I at 10:29 PM


Take a look at the privacyrights.org Chronology of Data Breaches, it's a long page - there's hardly a day goes by without some company somewhere losing a load of credit card/password/personal data. The current total is over 500 million records that have been breached.
posted by Lanark at 4:17 PM on April 26, 2011 [1 favorite]


You should ideally be using a per-user salt, not a fixed salt for the whole site. It's a health hazard to put the very same salt on all users' food.
posted by jeffburdges at 4:18 PM on April 26, 2011


This makes for a rather interesting contrast with previous MeFi threads about hacker George Hotz and the ethics of Sony's attempts to avert the potential security risks by various legal and technical means over the last year or so.

The most recent of those threads, from January, has some in-depth explanations about the functionality and weaknesses of their crypto security, which are probably a better reference than the highly simplified explanation offered in the news release. I rather doubt they were just storing passwords in plain text, and while I consider this a rather glaring security failure it's also true that a good number of hackers have been trying to break through the hardware security on the PS3 since the day it hit retailers 4.5 years ago.
posted by anigbrowl at 4:21 PM on April 26, 2011


The only passwords I have memorized are my LastPass and my email password (in case LastPass suddenly disappears and I need to reset my passwords).
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 4:21 PM on April 26, 2011


Uh, it's not really a salt if it's not unique for each password.

Edgewise, you shouldn't use SHA-256 for hashing passwords, salted or not. Something like bcrypt will be a lot stronger than a general purpose hash function.
posted by ryanrs at 4:22 PM on April 26, 2011 [1 favorite]


It could not have happened to a nicer company. lol
posted by jeffburdges at 4:22 PM on April 26, 2011


Dammit. Using pics of our game in the LAtimes article.

And we're not even Sony.
posted by Lord_Pall at 4:23 PM on April 26, 2011


ryanrs is right, arbitrary salting and hashing is an outdated solution. Use bcrypt.
posted by Llama-Lime at 4:25 PM on April 26, 2011 [2 favorites]


(And I don't even do security. I just follow data breach postmortems and read Wikipedia.)
posted by ryanrs at 4:27 PM on April 26, 2011


Is there a way we can look up our stupid PSN passwords right now, or no, because the network is totally down?

FROWNING! at YOU! Sony fuckers.
posted by theredpen at 4:33 PM on April 26, 2011 [2 favorites]


I am not an expert on the exact algorithmic complexity of defeating salts, but it is not impossible. Especially when you have acquired a functionally infinite supply of targets. The rest is a scaling problem.

So all the hacker is missing is the ability to hack into the ~30M PS3s on the planet and use them as a botnet. Which might not be outside the realm of possibility given how much access he had to PSN and Sony's DBs.
posted by SirOmega at 4:33 PM on April 26, 2011


from 4 months ago (via):
A well known hacker I don't want to reveal here had all the Sony PlayStation Network functions 100% decrypted, as well as providing some nice info about how Sony deals with PSN members' privacy on their online servers.
Apparently, the Sony server gathered everything it could from the PSN-connected PS3 console. When I said everything, I meant it. Here I make a list of what they squeezed from the IRC chat log conversation between the hackers.

Sony monitors all messages over PSN. All connected devices return values to the Sony server: TV, firmware version, firmware type, console model. They also collect data on your USB-attached device. Credit card sent as plain text, example:

creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
posted by crayz at 4:34 PM on April 26, 2011 [7 favorites]


Credit card sent as plain text, example:

Ha ha ha holy shit really? This blows my mind. Nobody involved with their network ever realized this was maybe not such a hot idea? Just amazing.
posted by chaff at 4:42 PM on April 26, 2011


Plain text over an HTTPS connection, to be fair.
posted by wierdo at 4:47 PM on April 26, 2011


anigbrawl:Sony needs to figure out how to keep this from happening as best they can (if fines will do that, so be it), the hackers need to spend a good part of their lives in jail (hell, it's basically terrorism, send them to gitmo)

Well, arguably they were trying to keep this happening as best they could. They just failed miserably. As far as people going to jail, yes, the criminals that took this info should go to jail (assuming it was taken). "Basically terrorism", I have no idea what the hell you are talking about. I sincerely doubt that the intruders were motivated politically, nor were they attempting to instill terror in a civilian population to affect political change (you know, terrorism).

If we are going to talk about jail time, I'm curious if any politically ambitious DA's would be willing to pursue criminal charges. Yes, the intruders were guilty, but I personally wouldn't be happy with a bank manager that left the bank vault unlocked and left the front door open. Certainly lock up the bank robbers, but don't ignore that bank manager when it's time to pull out the handcuffs.

Their stock didn't go down much today because the stock market knows that they'll just get slapped on the wrist for this mishap. Until companies actually get punished for negligence like this, they don't have any incentive to behave differently.
posted by el io at 4:48 PM on April 26, 2011 [1 favorite]


anigbrawl:Sony needs to figure out how to keep this from happening as best they can (if fines will do that, so be it), the hackers need to spend a good part of their lives in jail (hell, it's basically terrorism, send them to gitmo)

Er, I am not the author of that comment.

posted by anigbrowl at 4:53 PM on April 26, 2011


But then instead of any blame being put on the thief, people praise them for hurting the person who did business with them for doing business with them in the first place and they got what they deserved.

Who here has been praising the hacker?

The users, and most if not all of the posts are basically saying "Screw them, they were asking for it."

I don't see those comments either.

the hackers need to spend a good part of their lives in jail (hell, it's basically terrorism, send them to gitmo),

OK, I can only hope you're trolling now.
posted by kmz at 4:59 PM on April 26, 2011


Anigbrowl: sorry - my bad.
posted by el io at 5:01 PM on April 26, 2011


Time for Sony to go high tech. One time pad, anyone?
posted by Splunge at 5:02 PM on April 26, 2011 [2 favorites]


Anyone wonder if maybe preventing their vastly underwhelming security from becoming public knowledge was Sony's motivation behind the major George Hotz smackdown?
posted by DoctorFedora at 5:06 PM on April 26, 2011 [1 favorite]


wierdo: "Plain text over an HTTPS connection, to be fair."

Well, yes, you'd have to have access to server logs to get the information then.
posted by boo_radley at 5:09 PM on April 26, 2011


if they really wanted to hurt Sony, they would go for the real treasure

Having "dox" on ~70 million people, where the "dox" are complete CC info and everything else somebody needs to steal identities is the ultimate treasure if you're trying to fuck over a company.

Stolen source code can be patched to make what was stolen obsolete; 70 million angry customers can't be.
posted by Threeway Handshake at 5:24 PM on April 26, 2011


No one has lined to the Penny Arcade comic yet?

Play with yourself.

- Kevin Butler
- VP of Fucking Bullshit
posted by sidereal at 5:25 PM on April 26, 2011


*linked
posted by sidereal at 5:27 PM on April 26, 2011


I saw a 3-tier system recently where the connection between web server and app server used SSL, and the connection between app server and database used IPSec. We were investigating some sort of slowdown and connected to SQL Server with the SQL Server Profiler. We saw queries rolling in with plaintext passwords; turned out that the hashing was done in stored procedures.

But that doesn't even matter. I have no doubt that had the hashing been done on the web server, with the correct privs I could have attached a debugger to IIS and watched the hashing happen.

I'm thinking hashing should happen on the client, with maybe the username as a hash, and the hash passed over the web. And even that wouldn't stop a targeted attack against a client machine.

Once an attacker has access to your servers all you can do is throw up barriers.
posted by Ad hominem at 5:36 PM on April 26, 2011


Well, I'm pissed at Sony, but not because they got hacked. I'm pissed at Sony for making me set up an account with a password to play games locally and to connect to MY HOME NETWORK to access something that isn't Sony, like my own media server, or a third-party company over my own home network. I'm just really glad they never forced me to give them a valid credit card to do those things.
posted by crush-onastick at 5:37 PM on April 26, 2011 [1 favorite]


I'm thinking hashing should happen on the client, with maybe the username as a hash, and the hash passed over the web. And even that wouldn't stop a targeted attack against a client machine.

MITM vulnerability.

You can't trust the client machine to do anything. Validate everything that a client sends to you, all the time, against what your business rules require.

Internet -> HTTPS -> Web server -> HTTPS -> App server -> Hash in memory and immediately remove plaintext -> JDBC to database, doesn't have to be a secured connection.

Like has been said a million times before, and a few times in this thread, bcrypt on the app server is the way to go.
posted by mark242 at 5:48 PM on April 26, 2011 [2 favorites]
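Putting ryanrs's point (a salt is only a salt if it is unique per user), the bcrypt recommendation, and mark242's "hash on the app server, store salt next to hash" layout into code. This is an added example, not any commenter's or Sony's code; PBKDF2-HMAC from Python's standard library stands in for bcrypt (which needs a third-party package), and the user names and passwords are constructed for the demo.

```python
"""Per-user salted, slow password hashing versus a site-wide fixed "salt".
Added example; PBKDF2-HMAC-SHA256 stands in for bcrypt. The structure is the
same: a random per-user salt stored beside the hash, plus a tunable work
factor. The salt is not a secret; it only has to differ between users."""
import hashlib
import hmac
import os

# Work factor: raise it as hardware gets faster. Kept modest so the demo is quick.
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).
    Storing the salt and work factor with the hash lets verification recompute
    them and lets the work factor be raised later without a global migration."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# --- The anti-pattern ryanrs objects to: one fixed "salt" for the whole site. ---
SITE_WIDE_SALT = b"constructed-fixed-site-salt"  # constructed value for the demo


def hash_with_fixed_salt(password: str) -> str:
    """Fast hash with a site-wide constant. Two users with the same password get
    the same stored value, so the table itself reveals shared passwords and one
    guess can be checked against every user at once."""
    return hashlib.sha256(SITE_WIDE_SALT + password.encode("utf-8")).hexdigest()


def count_identical_hashes(records: list) -> int:
    """Audit check for a password table: how many stored values repeat an earlier
    one. With per-user salts this should always be zero."""
    return len(records) - len(set(records))


def demo():
    # Constructed sample of users; three of them chose the same weak password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "hunter2",
             "dave": "correct horse"}
    fixed = [hash_with_fixed_salt(p) for p in users.values()]
    per_user = [hash_password(p) for p in users.values()]
    return count_identical_hashes(fixed), count_identical_hashes(per_user)


if __name__ == "__main__":
    dup_fixed, dup_per_user = demo()
    print(f"fixed site salt: {dup_fixed} duplicate hashes; per-user salt: {dup_per_user}")
    rec = hash_password("hunter2")
    print(verify_password("hunter2", rec), verify_password("hunter3", rec))
```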


Like has been said a million times before, and a few times in this thread, bcrypt on the app server is the way to go.

would an mitm cause a cert validation error? Not that it matters with users.

yeah but like I said with the correct privs I can watch memory on the app server. Doesn't matter what you do, bcrypt still takes plaintext.
posted by Ad hominem at 5:58 PM on April 26, 2011


Ah yes, people blaming the hacker(s). That's the spirit!

Can you even imagine the kind of shit Sony could be in right now if fail0verflow hadn't come forward with what they knew? If some ne'er-do-wells were already in the process of using Sony's ridiculous oversights to their advantage, completely obliterating the PSN?

Instead of utilizing Geohot and his team's extensive knowledge, they reprimanded him, threatened him, and now he's running for his life. That's not exactly something you should do to intelligent people, especially intelligent people with a huge following and that initially meant well.

You can't honestly want to "throw them in Gitmo" for finding such gaping holes in the security systems of such large corporations. If it wasn't this guy, it could and would have been someone else who could do it even harder, better, faster and without a trace.

PlayStation fanboys need to wisen up. This is blatant negligence on Sony's behalf and they should be held 100% accountable.
posted by june made him a gemini at 6:38 PM on April 26, 2011 [4 favorites]


It seems like not a year goes by where I don't feel vindicated for continuing my personal don't-ever-buy-Sony policy. What amazes me is that other people continue to buy Sony.
posted by grouse at 6:49 PM on April 26, 2011 [2 favorites]


Instead of utilizing Geohot and his team's extensive knowledge, they reprimanded him, threatened him, and now he's running for his life.

Whaaaaat? Sony dropped the suit and settled with him out of court two weeks ago, for $0 and a promise not to reverse engineer any more of their IP. 'Running for his life'? Stop spouting nonsense.
posted by anigbrowl at 6:52 PM on April 26, 2011 [4 favorites]


The blame sits squarely on Sony AND on the hackers. Sony made the choice to engage in incompetent engineering, the hackers made the choice to break, enter and steal. Nobody steals 70 million credit card numbers for altruistic reasons, give me a break. If one has a neighbor who does not lock their doors (be they individual or corporation) and one takes advantage to steal, then one is still a criminal no matter how ill-advised the unlocked door was.
posted by midnightscout at 6:55 PM on April 26, 2011 [2 favorites]


I've been reading rumors that Sony now has an automated caller going for the people affected.
posted by codacorolla at 6:55 PM on April 26, 2011


They're more than a year old. Does that mean their annual PCI DSS Certification was faked?

Have you seen some of the companies that do PCI audits and grant certifications? Many just run some automated tests that spit out a text file report, then bill the client for the "examination." And those tests aren't themselves exactly transparent.

If you fail an audit, find another auditor. Eventually, you pass.

Seen it over and over and over again.
posted by rokusan at 6:57 PM on April 26, 2011 [2 favorites]


You seriously still use the same password for multiple sites? I stopped doing that for 'important' sites years ago and now don't even use the same password for anything.

No, I don't, but I do have certain phrases that I reuse and modify based on the site I am on. I'm sorry, I can't recall three or four hundred completely unique and distinct passwords.

I'm probably overreacting but better safe than sorry.
posted by WinnipegDragon at 7:10 PM on April 26, 2011


Sony spokesman says:
"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down.

"We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."
Sony also says it "doesn't believe credit card data was stolen, but isn't positive." (Kotaku)
posted by jabberjaw at 7:16 PM on April 26, 2011


Well, yes, you'd have to have access to server logs to get the information then.

Even in that case, if you used POST and filtered what your app logs then this should never be a problem even with plain-jane Apache.
posted by soma lkzx at 7:41 PM on April 26, 2011
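soma lkzx's point, that the form body quoted earlier only ends up in server logs if the application lets it, as an added example (not any commenter's or Sony's code): redacting the creditCard.* fields from a POST body before the request is logged. The field names follow the body quoted in the thread; the card number and other values here are constructed for the demo.

```python
"""Redact card data from an application log line before it is written.
Added example. Field names mirror the creditCard.* form body quoted in the
thread; the values below are constructed, not real."""
import re
from urllib.parse import parse_qsl, urlencode

# Parameters whose values must never reach a log. Matched by suffix so nested
# names such as creditCard.securityCode are caught regardless of prefix.
SENSITIVE_SUFFIXES = ("cardNumber", "securityCode", "expireYear",
                      "expireMonth", "password")

# Constructed request body in the same shape as the one quoted in the thread.
SAMPLE = ("creditCard.paymentMethodId=VISA&creditCard.holderName=Max"
          "&creditCard.cardNumber=4111111111111111&creditCard.expireYear=2012"
          "&creditCard.expireMonth=2&creditCard.securityCode=214"
          "&creditCard.address.city=city1")


def luhn_ok(digits: str) -> bool:
    """Luhn check: a last line of defence for a card number that arrives under
    a parameter name the allow-list above did not anticipate."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_value(key: str, value: str) -> str:
    """Known-sensitive field: drop the value. Unknown field that looks like a
    PAN (13-19 digits passing Luhn): keep only the last four digits."""
    if key.endswith(SENSITIVE_SUFFIXES):
        return "REDACTED"
    if re.fullmatch(r"\d{13,19}", value) and luhn_ok(value):
        return "*" * (len(value) - 4) + value[-4:]
    return value


def redact_form_body(body: str) -> str:
    """Parse an application/x-www-form-urlencoded body and rebuild it with
    sensitive values replaced; field order is preserved for readability."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, redact_value(k, v)) for k, v in pairs])


def redacted_log_line(method: str, path: str, body: str) -> str:
    """What the application log should record for a POST carrying a card."""
    return f"{method} {path} body={redact_form_body(body)}"


if __name__ == "__main__":
    print(redacted_log_line("POST", "/pay", SAMPLE))
```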


"Oh that guy," I said, glancing back at the body drooped at the end of blackened rope, "that was an info thief."
posted by bz at 7:45 PM on April 26, 2011


Have you seen some of the companies that do PCI audits and grant certifications?

Just one. Apparently, like the dumb schmuck I am, I've been following the rules all these years...
posted by mikelieman at 7:46 PM on April 26, 2011


PlayStation fanboys need to wisen up.

People who use the term fanboys need to wisen up as well.
posted by juiceCake at 7:53 PM on April 26, 2011 [5 favorites]


jedicus, salting only prevents a dictionary attack from working on all users at once. If you want to attack a specific user, and they have a weak password (which is extremely common, given the device people are using to enter passwords), salting barely helps. Heck, even something like PBKDF2 barely helps. You can only cover up poor entropy so much.

With regards to the Sony Rootkit fiasco, I was personally involved with that. I was the one who tracked just how widespread it was, using some amusing tricks with DNS servers. (It had invaded more than a half million networks, including government nets. That raised some eyebrows...that the infection worked, and that I was able to tell.) Ended up being flown out by the lawyers behind the class action to speak to Sony BMG directly. I can say without a shadow of a doubt that they had no idea just what they had done. The looks on their faces as I explained the scope of their actions was fairly priceless. Sony doesn't get enough credit for their response -- the CDs were off the shelves within days, and the CEO of Sony BMG was *removed* within a few weeks. It's been said that this was the straw that broke DRM, and I believe it.

I'm frankly sort of impressed that Sony cut the service entirely. There are a lot of business reasons to hide that there was an event, and notably, they pulled the plug anyway. There probably weren't 69M compromised CC#'s, but there wasn't 0 either. "You're safe as long as you didn't give Sony any money" is fairly cold comfort.

Regarding the comment that you don't need to store CC#, just pass it off to the payment processor, at the tier these guys operate at you *are* the payment processor. That's just the reality.

If you're curious whether this could happen at XBox...well, uh, I suppose anything's *possible*. However, I've never actually met a more paranoid group of engineers working for a more paranoid group of managers under the direction of a more paranoid group of executives. It's kind of crazy.
posted by effugas at 8:01 PM on April 26, 2011 [26 favorites]


in other news, a Sony netops team member begins a blog, entitled How I Came to Work at the Wendy's...
posted by ancillary at 8:02 PM on April 26, 2011 [1 favorite]


This is blatant negligence on Sony's behalf and they should be held 100% accountable.

I don't know for sure, but I've got a strong inclination that at least some accountability should fall on the persons ( or person ) that hacked the PSN and took all of that data.
posted by Isosceles at 8:27 PM on April 26, 2011


Regarding the comment that you don't need to store CC#, just pass it off to the payment processor, at the tier these guys operate at you *are* the payment processor. That's just the reality.

I didn't say anything when this was mentioned earlier, because I really don't know for sure, but that was my assumption as well. It doesn't make any sense to retain the information otherwise. I mean yeah, whatever allowed them to get hacked, that was dumb, but it was dumbness that could be attributed to laziness. If you're using a third party payment processor, you actually have to do extra work to store the CC#s.
posted by juv3nal at 8:52 PM on April 26, 2011


This means that they were storing passwords unencrypted?

Not necessarily, since we don't know how long their systems were compromised before they noticed. For example, the passwords could be stored securely, but a subverted Sony system could sniff them when you log in, or when you change them, etc. Ditto CC numbers.
posted by hattifattener at 8:58 PM on April 26, 2011


If the PS3 was backwards compatible I'd have bought one and then I'd be in trouble. Good thing it isn't!
posted by Lovecraft In Brooklyn at 9:06 PM on April 26, 2011


If you're curious whether this could happen at XBox...well, uh, I suppose anything's *possible*. However, I've never actually met a more paranoid group of engineers working for a more paranoid group of managers under the direction of a more paranoid group of executives. It's kind of crazy.

What personal information do I really need to give Microsoft though? They've got the basics, but no CC info. And I can just buy point cards with cash.
posted by Lovecraft In Brooklyn at 9:07 PM on April 26, 2011


Okay, I know this sucks for a lot of people but someone just tweeted that they just realized the internet must be the hidden XBox exclusive for Mortal Kombat and guys, honestly that's pretty damn funny.
posted by XQUZYPHYR at 9:11 PM on April 26, 2011 [8 favorites]


Correct me if I'm wrong here.

Sony: Corporate fuckwads that deserved this to happen to them.

Hackers: General fuckwads that deserve to be arrested and put in jail.

It seems to be a win/lose lose/win kinda thing.

If all goes well both will suffer for being assholes. The only people that don't deserve to suffer are the customers that trusted Sony to do due diligence security-wise.

I'm feeling that, if you do a whole balance thing, Sony comes out lacking.

Maybe just a bit. But in my NSHO Sony is more to blame than the hackers. If security was tight, Sony isn't in this position right now.

I don't in any way, shape or form condone the hacking part. But, if you have my CC info, you had better keep it safe.

So the ball is in your court. Hackers suck. But Sony has my shit and allowed someone to walk in and steal it. Thus, game, set and match. Sony at fault.
posted by Splunge at 10:39 PM on April 26, 2011 [2 favorites]


It really says something about me that I'm more irritated I haven't been able to redeem my damn code for Scorpion's extra costume and fatality than I am about the security breach.

Like, seriously, where are my priorities?
posted by Nattie at 10:53 PM on April 26, 2011


Nattie, I'm in the same boat. When I went home about a month ago, I picked up 3 games: Mod Nation Racers, LBP2, and Homefront*. MNR and LBP2 are all about online play. I've been so busy that I couldn't really get to them until... this weekend. Damn it.

Homefront? Seriously? It seemed pretty cool, but then the game ended right when it felt (from the tone of the gameplay) that the tutorial had just ended. I was thinking, hey, this game should get pretty fun now that I'll be free to do what I want, rather than just follow the NPCs around. Bah, I says.
posted by Ghidorah at 10:59 PM on April 26, 2011


Maybe just a bit. But in my NSHO Sony is more to blame than the hackers. If security was tight, Sony isn't in this position right now.

Nah. It's pretty close, but it's gotta be at least 51% hackers 49% Sony. It's not like they left a PDF with everyone's information out there for Google to find or something. It required active hacking. They're negligent, they should get sued, but they are not as bad as the douchebuckets that made a choice to fuck millions over.
posted by floam at 11:00 PM on April 26, 2011


Have you seen some of the companies that do PCI audits and grant certifications?

Just one. Apparently, like the dumb schmuck I am, I've been following the rules all these years.


And that's the thing. At heart, it's well-intentioned stuff but completely voluntary on your part. You want security and are concerned, so you choose to try to be a good PCI citizen. You probably also take measures and steps of your own, outside of the PCI/DSS cookbook. Because you want to. But should you be so inclined, or suitably motivated by cost-savings, you could get pretty much anything certified to PCI standards by presenting the public-facing appearance of security. It's very easy to be PCI-compliant vs. test or audit, while simultaneously running your entire business as a complete disaster on matters of actual security and privacy.

The PCI/DSS standards are useful in a textbook/reference way, as things you should use and understand if you're interested in your own security. But to think that PCI certification or even compliance is a magic token that in any way guarantees actual security is like assuming any college graduate must be literate and educated.

(The fact that actual experts are swimming in a tank filled with fly-by-night for-profit "security companies" all selling you PCI audits/testing is another ball of stinky wax. What's their motivation, after all?)
posted by rokusan at 11:04 PM on April 26, 2011


What personal information do I really need to give Microsoft though? They've got the basics, but no CC info. And I can just buy point cards with cash.

They've got my CC#; makes it much easier to buy points.
posted by effugas at 11:59 PM on April 26, 2011


No problems here with my Atari 2600.
posted by bardic at 12:02 AM on April 27, 2011 [1 favorite]


This totally wouldn't have happened to a Magnetbox.
posted by Mikey-San at 12:28 AM on April 27, 2011


Heh. I've actually found myself surprisingly unaffected by the outage, since I mostly just play Street Fighter IV and there's an arcade nearby with the new arcade version, and I'm not good enough at MvC3 to be able to tell a difference between a human opponent and the AI set to "hard" or higher. Plus Portal 2 is arriving tonight, so I've got that.

I guess my point is: I have no ability to empathize with other human beings, primarily because I will be playing Portal for the next week or two.
posted by DoctorFedora at 12:44 AM on April 27, 2011


Like has been said a million times before, and a few times in this thread, bcrypt on the app server is the way to go

Nothing more to say? Bcrypt is the end all be all? Nothing to say about the fact that an attacker can watch memory? I want to make sure we all have the benefit of your wisdom so we don't fuck up.
posted by Ad hominem at 1:06 AM on April 27, 2011


The PSN disaster occurred at the same time as the Amazon service interruption. (Thread here.) Apparently a coincidence. (But my conspiracy detectors are clicking.) The official anonymous[1] says they(/he/she/it) didn't do this but maybe other anonymous people did. The last week of internet fail has really gotten to me, partly because I was going to buy a PS3 as a media server. Now, I dunno.

[1] Should "anonymous" be capitalized? Does it make a difference if you're talking about the (self-proclaimed) "official" group?
posted by CCBC at 2:43 AM on April 27, 2011


The last week of internet fail has really gotten to me, partly because I was going to buy a PS3 as a media server. Now, I dunno.

#FirstWorldProblems
posted by clearly at 2:50 AM on April 27, 2011 [1 favorite]


Nothing more to say? Bcrypt is the end all be all? Nothing to say about the fact that an attacker can watch memory? I want to make sure we all have the benefit of your wisdom so we don't fuck up.

Also, bcrypt is barely relevant in the face of low entropy passwords entered via a controller.
posted by effugas at 3:00 AM on April 27, 2011


> What amazes me is that other people continue to buy Sony.

As someone who made the "rational" decision of buying a launch Xbox instead of a PS2, let me just say that for videogame consoles we really have no choice. If Sony makes crap audio equipment, you can always buy another brand's and play your CDs just the same; if Capcom decides God Hand is a PS2 exclusive, you either buy the console or never play the game.

In a perfect world, back in 2001/2002 everyone would be purchasing Gamecubes and Xboxes because they were much more powerful and easier to develop for than the PS2 and the publishers would target them as the main platforms and unicorns would roam across the land. In the real world, people bought PS2s initially on hype alone, a deluge of excellent games in 2001 made it the optimum choice for most everyone, and it just snowballed from there.


> I'm sorry, I can't recall three or four hundred completely unique and distinct passwords.

Nor should you. Use something like this, memorise only one password (or if you're paranoid, keep the few really important passwords in your head only and use the database for the rest) and use your browser cookies.
posted by Bangaioh at 3:06 AM on April 27, 2011 [1 favorite]


passwords entered via a controller

Oh. That would certainly put a damper on your security aspirations. Not sure how to go about solving that one.
posted by ryanrs at 3:27 AM on April 27, 2011


Saying anonymous "denies responsibility" is meaningless. Journalists quoting "spokesmen" for anonymous might as well be quoting my dog.
posted by churl at 3:35 AM on April 27, 2011 [1 favorite]


Honestly, the more I hear about this the more epic the fail at PSN becomes. You can hook your *developer* console to the *production* purchasing systems and have your fake credit card numbers make actual purchases? Jesus. Wept. Passing credit card details around in GET parameters in HTTP requests? O. M. G.

Rule 1 of dealing with money: developers don't get access to production. Rule 2: test environments don't ever touch anything in production that has anything to do with real customer data or money. This is 101 systems engineering stuff. Not only should Sony get roasted, so should anyone who's certified anything to do with their security; penetration testers, PCI compliance auditors, you name it.

None of that excuses the people stealing the data, incidentally. They are crooks, and any attempt to somehow make them less than 100% culpable for being crooks is "she-shouldn't-have-worn-that-dress" bullshit. If they wanted to be vigilante troublemakers or expose problems with Sony's security radical-full disclosure style they could have done it without massive data theft. That's the mark of crooks.
posted by rodgerd at 3:45 AM on April 27, 2011 [3 favorites]


"In the real world, people bought PS2s initially on hype alone"

Here in Japan, at least, it also helped that it cost half as much as a DVD player. Tons of people with no interest in games got it as a half-price DVD player.
posted by Bugbread at 3:55 AM on April 27, 2011 [1 favorite]


Maybe the credit card and personal information was just a bonus...

"But the nightmare scenario would be if the attackers used Sony’s exposed root key to sign a back-doored firmware image or other low-level software update. If they then compromised the PSN update servers they could use them to deliver the malicious update to everyone through the normal trusted channel.

"Wikipedia reports 50 million PlayStation 3 units and 70 million PlayStation Network users, suggesting that a large percentage of these units are given internet connectivity on an ongoing basis. This attacker could potentially have created overnight the largest botnet in the world by a very large margin.

"Furthermore, each PlayStation 3 is something of a supercomputer in its own right. Each has 6 to 9 high-performance cores (depending on how low-level the code executes) running at 3.2 GHz, plus an Nvidia GPU. In 2008, researchers using “just” 200 PS3s for a weekend were able to forge a rogue CA certificate of a type trusted by web browsers to authenticate the identity of any webserver.

"So if this attacker played their cards right they could control up to 500,000,000 CPU cores for a total of 1,600,000,000,000,000,000 core-cycles per second."
: Extendedsubset.com
posted by crunchland at 4:22 AM on April 27, 2011 [7 favorites]


Can the people recommending LastPass and other such password managers explain to me how they're more secure than any other random company (ie. Sony. Excepting Sony's atrocious reputation, i guess)? Isn't there a chance they'd get hacked just like this and all the passwords and usernames i'd entered into them would be compromised similarly but in a far more widespread fashion?

I'm not disputing that perhaps they are, but I don't understand how. I'd really appreciate it if someone could explain it to me in layman's terms.
posted by pseudonymph at 6:40 AM on April 27, 2011


[the PS2] cost half as much as a DVD player

Wasn't that a big selling point for the PS3, too, that it was a fairly cheap blue ray player?

I bought a PS3 just to run linux and play around with the Cell processor. So no PSN account for me. Plus, I believe Sony lost money on the deal. Good times all around. Shame about how they treat their real customers, though.
posted by ryanrs at 6:47 AM on April 27, 2011


If you don't want to use a password safe service like Lastpass or Keepass, consider using an algorithm to generate unique but memorable passwords.
posted by lyam at 6:52 AM on April 27, 2011 [2 favorites]


customers that trusted Sony to do due diligence security-wise.

LOL.
posted by grouse at 7:21 AM on April 27, 2011


Can the people recommending LastPass and other such password managers explain to me how they're more secure than any other random company (ie. Sony. Excepting Sony's atrocious reputation, i guess)? Isn't there a chance they'd get hacked just like this and all the passwords and usernames i'd entered into them would be compromised similarly but in a far more widespread fashion?

The ones I recommended are merely encrypted databases that are stored on your computer, so, assuming the cryptography is correctly implemented, the hacker would need to get access to your files (by stealing your computer or rooting it) AND know your master password for the database. If you choose a strong password there's nothing a hacker can do with your encrypted database.

From what I understood, Sony did a piss-poor job with their security policy, but we only know of this now that they've been hacked, because they'd never tell you exactly how they were storing the user's information if you asked them. OTOH, the programs I linked are open source, so if they had any glaring mistakes someone would have noticed by now.

Now, if you're paranoid (and I mean this in a good way) and still don't trust the software you may only use it for the unimportant logins and memorise all the important ones yourself.
posted by Bangaioh at 7:24 AM on April 27, 2011


So, I'm reading through that Extended Subset article, and holy shit.

It starts with a bunch of hackers figuring out Sony's unique key (which apparently, due to poor decisions at every level, seems to act as a key to the kingdom). This was in response to Sony cutting the homebrew options out of the PS3. Sony responds to these hackers by retweeting the secret key (hadn't heard about that one - holy crap, that was dumb) and suing a bunch of people. This makes the fringe Internet even angrier at them, which leads to a DDOS attack by Anon., which (either intentionally or not) may have served as cover for a more direct compromise of central Sony servers. There's a non-zero chance that part of this attack, aside from stealing financial and personal information, was corrupting a firmware update to give the attackers control of any PS3s that applied it, effectively rooting a whole network of zombie PS3s. If this is the case, then the attacker has one of the largest botnets in history, maybe the largest, due to the constantly networked nature of a home console, and the huge computing power of a single machine. This person then, also, has direct access to any details that a consumer enters into a rooted machine, like further credit information.

Throughout this whole thing Sony never once said "hey we fucked up" at the appropriate time, and instead have bungled their response, leaving their customers even more open to credit fraud than they would've been otherwise. Who knows how long this has actually been going on, what data has been lost, and what machines are truly compromised.

I'm imagining some Gibsonian scenario where an intelligent computer system under research at a government lab somehow managed to engineer the entire thing. Posing as an insider to leak sensitive information to FailOverfl0w, orchestrating the panther moderns anonymous into DDOSing Sony to provide cover for its intrusion into their network, where it could release millions of copies of itself, and expand its brainpower a thousandfold, all while escaping the carefully controlled networks where it currently lives.

I'm not saying I think this did happen, but I am saying that we're not far outside a period in time where it could.

I need to lie down for a little bit.
posted by codacorolla at 8:11 AM on April 27, 2011 [2 favorites]


> memorise write down all the important ones yourself.

Fixed.
posted by Bangaioh at 8:27 AM on April 27, 2011


write down all the important ones yourself.

Yep. I work in marketing for a small-ish financial institution and did a bunch of research a couple of years ago for a newsletter article on passwords. The basic advice came down to writing them down and treating them the way you treat your passport, credit cards, etc: keep them in a safe place!

I'm thinking about revising the article to include info about password managers. Might even include the PSN story for topical relevance. (Thanks, MeFi!)
posted by epersonae at 8:41 AM on April 27, 2011


I just bought a PS3 on Thursday, 1 day after the service went down.

This was either terrible, or perfect, timing depending on your point of view.
posted by CaseyB at 10:52 AM on April 27, 2011


Sony needs to figure out how to keep this from happening as best they can (if fines will do that, so be it), the hackers need to spend a good part of their lives in jail (hell, it's basically terrorism, send them to gitmo)


Only if you redefine the concept of 'terrorism' in such a way as to make it completely meaningless.

In which case ridiculous hyperbole is also terrorism. Don't forget to pack your suncream.
posted by reynir at 11:43 AM on April 27, 2011 [2 favorites]


Can the people recommending LastPass and other such password managers explain to me how they're more secure than any other random company (ie. Sony. Excepting Sony's atrocious reputation, i guess)? Isn't there a chance they'd get hacked just like this and all the passwords and usernames i'd entered into them would be compromised similarly but in a far more widespread fashion?

I personally would have the same concern about LastPass, but tools like KeePass and PasswordSafe are applications you can run on whatever device (home PC or whatever) you think will keep them safe. And in that case then, yes, they are substantially more secure than Sony's network.
posted by rodgerd at 11:45 AM on April 27, 2011 [1 favorite]


Isn't there a chance they'd get hacked just like this and all the passwords and usernames i'd entered into them would be compromised similarly but in a far more widespread fashion?

I'm not a fan of online password managers for exactly this reason. PasswordSafe and other apps that run locally are safer IMHO.

Even if your personal password keeping computer is less secure than Sony's network, your own computer is a much less rich target. The Russian mafia is unlikely to devote significant resources to cracking into my own network and password manager, but is going to try to get into Amazon, Sony, LastPass, etc. which have millions of accounts to exploit all in one place.
posted by benzenedream at 1:01 PM on April 27, 2011


Ars Technica is reporting that credit cards linked to PSN accounts are being used for fraudulent charges.
posted by bonehead at 1:49 PM on April 27, 2011


I'm not a fan of online password managers for exactly this reason.

Most HTML/javascript password generators can be saved and used locally and I agree that's the best way to use them. On my password page (here) I advise people to save the page because you never know what could happen to a website in the future.
The advantage of a one way hash algorithm (rather than reversible encryption) is that you don't have to store an encrypted password file containing all your passwords, and with no password file there's nothing to 'hack into' even if your PC gets pwned by some virus.
posted by Lanark at 1:57 PM on April 27, 2011
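The stateless generator Lanark describes (and the "algorithm to generate unique passwords" lyam suggests earlier) can be shown in a few lines. The following is an added example written for this thread, not code from Lanark's page or any real generator: a master secret and a site label go into HMAC-SHA256, and the output is the site password. The site normalization, the rotation counter and the sample master phrase are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// normalizeSite canonicalises the site label so "PSN.example" and " psn.example "
// derive the same password; otherwise a stray capital letter yields a different one.
func normalizeSite(site string) string {
	return strings.ToLower(strings.TrimSpace(site))
}

// SitePassword derives a per-site password from a master secret, a site label and a
// rotation counter, with HMAC-SHA256 as the one-way function. Hypothetical helper for
// illustration, not the code of any real generator. Same inputs give the same output,
// so there is no password file to store or steal; because HMAC is one-way, a site
// password that leaks in a breach reveals neither the master secret nor the passwords
// derived for other sites.
func SitePassword(master, site string, rotation, length int) string {
	mac := hmac.New(sha256.New, []byte(master))
	// The site and a rotation counter are bound into the HMAC input; after a breach at
	// one site you bump its counter and get an unrelated password without touching the
	// master secret or any other site.
	fmt.Fprintf(mac, "%s\x00%d", normalizeSite(site), rotation)
	// Unpadded base64 of 32 bytes is 43 characters of letters, digits, '+' and '/'.
	encoded := base64.RawStdEncoding.EncodeToString(mac.Sum(nil))
	if length <= 0 || length > len(encoded) {
		length = len(encoded)
	}
	return encoded[:length]
}

func main() {
	master := "correct horse battery staple" // constructed sample; use a long, random phrase
	for _, site := range []string{"psn.example", "metafilter.example"} {
		fmt.Printf("%-20s v1 %s\n", site, SitePassword(master, site, 1, 20))
	}
	// Rotating after a breach at one site changes only that site's password.
	fmt.Printf("%-20s v2 %s\n", "psn.example", SitePassword(master, "psn.example", 2, 20))
}
```

The caveat a practitioner would add: a site password produced this way lets anyone who obtains it check guesses at the master secret offline, so the master must be long and random (the entropy point effugas makes applies here too), and the scheme has no state to absorb sites that force resets or odd character rules beyond bumping the rotation counter.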


Lastpass encrypts your password database locally and stores it in the cloud. They don't know what your password is, so while they could conceivably get hacked, the hackers can't access a central database to figure out how to crack your password file. Assuming you pick a secure enough password to encrypt it, it's pretty safe. On the other hand, if you forget your password (and you don't allow for contingencies), you're SOL.

Lastpass also allows you to store your password database locally, in the event that the central Lastpass servers go away (either from technical issues, or they go bankrupt). Lastpass also supports third-party authentication devices, like Yubikey.
posted by crunchland at 3:02 PM on April 27, 2011


ryanrs: "I bought a PS3 just to run linux and play around with the Cell processor."

So did I. Unfortunately, it rekindled my interest in playing video games. That was a real pisser when they took away OtherOS in firmwares newer than 3.15. Needless to say, I'm inclined to be rather anti-Sony.

Despite that, I seriously doubt their security is significantly worse than many other companies. What annoys me about this whole thing, however, is the idiots conflating the people who attack the security of the console with those who attacked PSN and stole a bunch of data. It's remotely possible that there is overlap, but it seems pretty unlikely to me. It takes a different set of skills.
posted by wierdo at 3:26 PM on April 27, 2011


Thanks for all the explanations, guys. I think i'll end up going with a combination of the suggestions, using one of the locally-run password programs for the unimportant log-ins and keeping the important ones physically written down somewhere safe.

(Fortuitous now that my CC was compromised a few months ago by the Lush data-leak and had to be cancelled after my bank noticed some odd charges. Pretty sure I haven't used it on PSN since then, but I figure it can't hurt to be moderately careful.)
posted by pseudonymph at 5:26 PM on April 27, 2011


On the plus side, I learned how nice my banks can be when it comes to requesting replacement cards. And it didn't take much time to set up a fraud alert on my credit file. I hope Sony will pay for the super duper fraud alerts forever, though.
posted by dragonplayer at 6:16 PM on April 27, 2011


I called my bank to replace my credit/debit card, and they were more than happy to comply, except that it would take 7-10 business days to turn it all around, and I'm the sort of person who never carries cash or checks, so doing without my credit card for 10 days would be quite a hardship.
posted by crunchland at 6:34 PM on April 27, 2011


"I'm the sort of person who never carries cash or checks, so doing without my credit card for 10 days would be quite a hardship."

I'm not saying that you should become the kind of person who carries cash or checks all the time, but is withdrawing some cash from an ATM to use over the next week and a half really "quite a hardship"? I could understand if the issue is that you, for example, buy your groceries online, where no credit card = no purchasing. But if it's just "I don't usually put cash in my wallet", is doing so really that tough?
posted by Bugbread at 6:41 PM on April 27, 2011 [1 favorite]


Well, yeah, actually. They process deposits overnight. They withdraw their fees from my account right on time. I can't really understand why I have to dick around with cash and checks for half a month.
posted by crunchland at 6:43 PM on April 27, 2011


What amazes me is that other people continue to buy Sony.

As someone who made the "rational" decision of buying a launch Xbox instead of a PS2, let me just say that for videogame consoles we really have no choice. If Sony makes crap audio equipment, you can always buy another brand's and play your CDs just the same; if Capcom decides God Hand is a PS2 exclusive, you either buy the console or never play the game.


If Sony made all the PS3s backwards compatible I'd be screwed right now. I can't emphasize how great the PS2 library is. Going through EB Games used game shelves is my version of record crate digging.
posted by Lovecraft In Brooklyn at 7:06 PM on April 27, 2011 [3 favorites]


Ok, knowledgeable people, here's a question about LastPass: You can use it for free via a plug-in, or via the website, or you can pay to use it via iPhone or Android...but since iPhone and Android phones have web browsers, couldn't you just use it for free via their website?
posted by Bugbread at 8:59 PM on April 27, 2011


Ars Technica is reporting that credit cards linked to PSN accounts are being used for fraudulent charges.

If so, Sony lied to Kotaku.

I have to wonder if Sony is the equivalent of an American car company, too big to fail, yet still resting on a reputation earned a generation ago, putting out garbage.
posted by Blazecock Pileon at 9:03 PM on April 27, 2011


but since iPhone and Android phones have web browsers, couldn't you just use it for free via their website?

Yes, of course. But zooming in etc on a mobile browser is fiddly for that sort of thing, and cut and paste with fingers between tabs can be a bit imprecise. A local app can integrate with the phone browser itself so once you've entered your master password and you then go to metafilter, amazon, etc it has your long, complex random password autofilled in for you. And of course, it also has your passwords stored when you're out of range of 3G and need to login on to say, your parents' computer when you're visiting, so you can fix their latest problem with windows.

Whether that's worth $12 a year is up to you! And whether you like your encrypted password database sat on a big target web-service. Though if the master password you use is strong enough, it doesn't really matter if the database itself is compromised - they still can't break in in realistic timeframes if it's done right.
posted by ArkhanJG at 12:03 AM on April 28, 2011


Ah, ok, that all makes a lot of sense (I don't have a smartphone yet, so I don't have an instinctual grasp of what is and isn't easy to do with them).

Also, I was wondering about the database, so let me know if I'm totally off-base:

My understanding is that you don't log in to the database in the conventional sense of telling them "this is my login, and this is my password", and them saying "you're right, come in" or "you're wrong, go away". If that were the case, a hacker trying to get at your database would know if they succeeded or not. Instead, your login is basically like a key, which they use to decrypt the db and feed the results back to you.

So no matter what a potential hacker might feed in in some sort of brute force attack, they would get back some kinda password, but they wouldn't know if it were correct or not. If they guessed your LastPass password was "password", it might tell them your MeFi password is "492e8qw26iu7yre", but if they guessed it was "password1", it might tell them your MeFi password is "834y9a32redv8". Since they're both garbled strings, they wouldn't have any way to know if they'd guessed right or wrong, unless they went and tried each individual password.

Does that make sense? And if so, is it a correct understanding of the situation?
posted by Bugbread at 12:22 AM on April 28, 2011


I don't know about LastPass, but from what crunchland said it appears to just store your encrypted database online in addition to in your computer. So if you use more than one computer you can keep it synced between devices by accessing their site.

If their server was compromised, all the crackers would get would be your encrypted database (just like if you used one of the offline password managers and someone stole your computer), which is useless as long as you have a strong enough master password (the one that unlocks your database and allows you to access all the passwords stored in it).
IANASecurityExpert, but I reckon the main danger with LastPass online service would be a man-in-the-middle attack, where someone could eavesdrop on your connection to their site and find out your master password - but then the cracker would still need to either hack into their server or to your computer to get the database file.
posted by Bangaioh at 1:08 AM on April 28, 2011


Bugbread, that's kinda the process by which passwords are checked if they're not stored in plaintext - get the password off the user, hash it, and check it against the stored hash. Bangaioh has it for how most password managers work.
posted by Dysk at 1:55 AM on April 28, 2011


Brother Dysk: What I meant was, with a regular password over https, your password is locally hashed, and that hash is compared against the server's stored hash. If they match the server says "Good job! You now have access to data on me!" If they don't match, the server says "No! Bad hacker! You will get no data from me!"

My understanding of the way this system works is that your password is locally hashed, and that hash is sent to them. They then use that hash on the data stored in their system, and send back the resulting data. If you sent them the right hash, the data you get back from them will be useful passwords. But if the hash you send them is wrong, they'll still send back data, but it will be garbage. They won't even know if you sent them the right or wrong hash. You're not really sending them a "password" which they verify, but a "key" which they use to decrypt your data and send it back...right? And, because they send back data whether your hash is right or wrong, a brute force attack will be really difficult, because there won't be any indication to the brute forcers if the password they guessed was right or wrong. They'd get an answer from LastPass either way, and then they'd have to test it out, each time. Am I way off base?
posted by Bugbread at 2:21 AM on April 28, 2011


Bugbread, that's not the impression I got. I'm no cryptographer, but your idea does sound like a good idea to me - I just don't think that's what LastPass does. I'm no authority, mind...
posted by Dysk at 3:10 AM on April 28, 2011


I signed up to lastpass to check it out.

My understanding of the way this system works is that your password is locally hashed, and that hash is sent to them. They then use that hash on the data stored in their system, and send back the resulting data

It could work that way, but doesn't.

Basically, there is a local database (tied to the browser plugin, used for management) with a list of sites, with the usernames and password associated with that site, plus any additional secure notes you put in. This metadata, rather than just passwords, is why it can't be done as you think.

Your 'master' email address and password are the key used to encrypt this database, so without both of them, you can't decrypt it - with a strong enough one of both*, even someone with physical access to your machine won't be able to brute force it by just random guessing.

This database is also stored and synced on their servers. They don't store your password at all. When you sync up another computer/browser, or access the database directly on the website, it uses your entered email/master password to pick the right database, and attempt to decrypt it. If it fails, it tells you, but not which was incorrect. There's also an IP timeout if you try to login and fail too many times, which helps prevent brute force attacks against the service.

They do have a password hint and your email; they can send you that if you forget your password, but can't use it to reset your password - as without your old password, there's simply no way to decrypt the contents of your database, they have no override decryption. If you can login successfully, you can then change email or master password.

When you're using it in your desktop browser, you enter your email/master pw, which makes the database available to the plugin, but not outside it. It then uses auto-form filling, prompts you to save passwords on new sites, or generate random passwords for new accounts, change password screens etc. You can also enter user/pass combos directly, for non internet based passwords. Storing the passwords encrypted this way is more secure than remembering them directly in your browser, which usually saves them in the clear. (try view saved passwords sometime in firefox!)

So the vulnerabilities are these:
1) You leave your browser logged in. Someone comes along, sits down, and can now pretend to be you. There are various measures to prevent this; it has auto-timeouts for when the browser is closed, or left idle. Once those expire, you need to re-enter the master password to get access again. It also prompts by default if you want to view any stored passwords, or change the master password, even when logged in. There's a bunch of extra settings, which for example, can prompt you every time it accesses a stored password to auto-fill, you can turn off auto-fill altogether, only-on for certain sites, or only off for certain sites.

There is also the option to use two-factor authentication; you can print out or store a spreadsheet grid of authentication letters/numbers for free, so you need that grid in addition to your email/master pw to login. With premium, you can use a usb smartkey, yubikey, or a fingerprint reader as the 2nd layer.

2) someone breaks into the backend of the service, and steals your database, or onto your pc, and steals your database. Without your email/password combo, the database is basically useless. This is the same as if you use say, dropbox or spideroak to sync an offline password database program between PCs.

3) Someone breaks into the service, and modifies the front page https service to copy username/passwords, in addition to getting the database when you login - or they intercept the internal communication system undetected, and pull out the database after it's decrypted. This is probably the scariest risk, as nothing you can do will prevent that. You just have to hope lastpass are competent enough in their system design and security. Assuming they are, it's basically not a major risk. If they employ the same guys as Sony, however... This one is an article of faith, really.

4) Someone listens in on your browser syncing the database to the online service when you've entered a new password, or you've logged into the website directly, by pretending to be lastpass while also having access to your network connection (man in the middle attack) - say a public wifi point. Your browser should scream blue-murder if the cert is fake, but it's not a zero risk, as it's possible to get real certificates for other services issued to the 'wrong' person.
The other possibility is they install a keylogger on your pc, and get your email/master pass that way.

To get round this, either use two-factor authentication, as in 1) so they can't login even with your password (you can specify 'trusted' computers that don't need it while having it required for all others), or use the one-time-password feature when on untrusted computers/network connections. Here, you pre-generate a new password-as-a-key that can only be used once. You then use that in the local webcafe, and even if someone gets this master password, it doesn't help them as it expires after one use.

Generally, I'd say it's as secure as a local database synced over a secure method (usb key, spideroak), as long as you presume that the login page on lastpass itself is secure from modification/behind-the-scenes interception. If you're not prepared to take that risk, then it's probably better to stick to offline systems.

* Note, you should of course use a strong unique password for the database, and ideally a unique email also. That way, even if your usual email address leaks (as is increasingly common these days), the attacker still has no clue what your lastpass email is, and they need both to decrypt the database.
posted by ArkhanJG at 4:49 AM on April 28, 2011 [5 favorites]


Stolen shamelessly from mefightclub -- PS3 IS INSECURE
posted by inigo2 at 6:44 AM on April 28, 2011 [1 favorite]


With due respect ArkhanJG, these vulnerabilities:
2) someone breaks into the backend of the service, and steals your database, or onto your pc, and steals your database.

3) Someone breaks into the service, and modifies the front page https service to copy username/passwords, in addition to getting the database when you login - or they intercept the internal communication system undetected, and pull out the database after it's decrypted. This is probably the scariest risk, as nothing you can do will prevent that. You just have to hope lastpass are competent enough in their system design and security. Assuming they are, it's basically not a major risk. If they employ the same guys as Sony, however... This one is an article of faith, really.

4) Someone listens in on your browser syncing the database to the online service when you've entered a new password, or you've logged into the website directly, by pretending to be lastpass while also having access to your network connection (man in the middle attack) - say a public wifi point.


...are all unique to an on-line system like Lastpass. I'll agree that 2 shares some vulnerabilities with a Dropbox-like shared network storage of a local database, but a) there's the Dropbox encryption layered on the password db encryption (two accounts to break into); b) lastpass offers a single point of attack, while random storage services on the internet do not (ie one can choose one's storage provider).

Your risks 3, phishing, and 4, network man-in-the-middle, don't apply for a Keepass or truecrypt-like system. Risk 1 does apply, of course, and most password db programs have similar protections, time-outs and the like.

Risks 3 and 4 are what decides it for me. It's quite possible to walk into an internet cafe that's been set up as a phishing pot or man in the middle arrangement. Using a local password store allows me to avoid those risks.
posted by bonehead at 7:28 AM on April 28, 2011


OK, so I only got the e-mail notification from PSN about the breach and now. Fer chrissake.
posted by LMGM at 7:29 AM on April 28, 2011


Your risks 3, phishing, and 4, network man-in-the-middle, don't apply for a Keepass or truecrypt-like system. Risk 1 does apply, of course, and most password db programs have similar protections, times-outs and the like.

Risk 4 only applies if you're using the web-based service in a non-trusted location; if you're using your local password store on your own laptop and turn off auto-sync, it's as secure as keepass etc. And keepass sync'd over dropbox or off a thumbdrive while in a remote location has the same vulnerability, if you don't trust the pc and/or network. I consider that pretty much a wash, especially if you use the two-factor authentication, neither of which are available in truecrypt or keepass AFAIK.

I'm happy to grant you that risk 3 is the big one that is unique to lastpass, i.e. that the site itself gets compromised and nobody notices someone stealing data via the login service and if that concerns you, lastpass is not a service for you. I'm not shilling for them here, I've only looked into it briefly and may well use keepass instead personally.

It's quite possible to walk into an internet cafe that's been set up as a phishing pot or man in the middle arrangement. Using a local password store allows me to avoid those risks.

lastpass IS a local password store on a pc you trust, i.e. have installed the plugin on, or if you're using the thumbdrive portable firefox version. If you're using an untrusted PC, then presumably you're going to have to get your keepass database on there somehow, and there's no diff between running keepass off a USB and running lastpass off a USB key.

In any case it's a bad idea, as any password you put in the browser itself could be compromised, regardless of whether the database is on your phone, on a usb key or installed locally, if you don't trust the local PC you're using.
posted by ArkhanJG at 8:00 AM on April 28, 2011


My issue is that with lastpass you do have to trust your email/login combo is secure over the wire. A phishing or SSL exploit could get access to the keys to your whole store. With Keepass (and the like), you never have to take that chance.

It's a question of degrees of exposure. It's a big deal to me if bad guys get my Paypal or credit card info; it's much less of a problem if someone cracks my Facebook account because I used an icafe to upload some vacation pictures. With lastpass requiring a net login, everything could fail at once. Their security model is brittle, all or none. With keepass like services, I can choose to restrict my activities to low-consequence activities even if the local risks are higher. The all-local security model is more tolerant of (this kind of common) failure.
posted by bonehead at 9:47 AM on April 28, 2011


Actually with LastPass your master password is never sent over the wire. A hash is created client-side and that is used for authentication. Even if attackers steal that hash, they can only use it to access your encrypted password database. They can't decrypt it without your password, which never leaves your machine. And if you only use the browser plugins rather than logging in on the website (and don't automatically update them), then even a lastpass.com total server compromise won't result in a breach of your master password. As long as you don't log in via the web form it's just as secure as a local solution. I was skeptical at first too but it's actually quite well thought out.

Despite all this I still only use it for low risk passwords (i.e. not email, banking, etc.) since the risk of a local compromise still exists (like the other systems). You can mitigate this somewhat with multifactor authentication though.
posted by umrain at 11:28 AM on April 28, 2011


A hash is created client-side and that is used for authentication. Even if attackers steal that hash, they can only use it to access your encrypted password database.

So after authentication you download the whole encrypted database from their server to the device you're using and only decrypt the database locally? And upload it again if modified? If so then yes, it appears to be just as secure as an offline solution with the added advantage of online backup/synchronisation.
posted by Bangaioh at 11:46 AM on April 28, 2011


A hash is created client-side and that is used for authentication

Huh, interesting. I've just confirmed you don't need access to the web service at all to use the local database, as I tested that just now (disabled gateway, flushed cache/cookies, was still able to do a LastPass-managed login to a local webhost on my LAN), as I thought, so it's not like you actually need the lastpass server unless you want backup/sync or to change your password and advanced universal security options (turn on multifactor etc).

But yeah, missed that altogether. Very much secure then.

From the forums:
"After all these tests of sniffing the information transmitted and understanding the ways you are doing the hash, encryption and decryption, I observed the following :
- Lastpass doesn't store online my master password, only a hash is transmitted over the wire
- All the critical information is encrypted locally on my machine with my master password before being sent to the lastpass.com site"


It appears that also applies even when accessing passwords from lastpass itself with no local client; it grabs a copy of the database using the locally generated salted hash, then decrypts it locally in the browser using the master password, even without the plugin installed. The password itself never touches the wire. There is literally no way for a remote server or MitM compromise to do anything but give out your strongly encrypted database, which should be pretty much unhackable without the master password - it's a 256-bit AES encryption scheme, which should be safe enough assuming a dictionary attack won't break your password.

From the FAQ:

"What encryption is being used?
AES utilizing 256-bit keys. AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins.

Do you use a salted hash for logging in?
This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what's sent to verify if you can download your encrypted data."


Very clever.

If you're a premium user, you can convert any USB key into a two-factor authentication, also using a one-time-password (sesame). So even if you don't trust the computer you plug into, they don't get your master password with a keylogger, they can't access the database file with a trojan either. So it's only any login you actually use on an infected computer (say, facebook, to use bonehead's example) that actually gets compromised.

After doing more digging, that addresses any last concerns I had at least. And there was me plugging keepass upthread originally as more secure! Actually, now I think lastpass is *more* secure than keepass or other local database if you use one of the various two-factor auth methods for untrusted computers/connections. I'm officially impressed.

Also, there is a way to recover the database, if you forget the password. On a PC you've installed the plugin on, it also installs a one-use local password. You can use that to decrypt the database - once - and reset the password. Possibly a good idea to turn that off if you're ultra paranoid, as you're still potentially vulnerable to a trojan on your local PC if you trust it, by installing the browser plugin and don't use two-factor or soft-keyboard on it. For that reason, I'm also keeping my 'kingdom' passwords, i.e. email and banking, separate and unique and only in my head.

Still anything that
a) stops password re-use
b) stops people saving passwords in the browser

is a good thing. It's definitely going on my 'techie recommends' list. Plus it's WAY easier to use than keepass. I used to use the latter - it was such a pain in the arse for browser integration and syncing with android, I stopped using it. But stopping using it is why I got burnt (a bit) with my PSN password being compromised. I don't think I'll stop using lastpass, it's easier than just saving passwords in the browser, and a shit-ton more secure.

Thanks umrain!
posted by ArkhanJG at 12:21 PM on April 28, 2011
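The client/server split the quoted FAQ describes, as an added Go example that is not LastPass's code: the vault key and login hash are derived as the FAQ says (SHA-256 of the master password, and of the username concatenated with the password), the vault is sealed with AES-256 in GCM mode (an assumption; the FAQ only says AES-256), and the in-memory vaultServer, account name and vault contents are constructed stand-ins.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// vaultKey is derived on the client as the quoted FAQ says (SHA-256 of the master password) and never leaves it.
func vaultKey(master string) []byte {
	k := sha256.Sum256([]byte(master))
	return k[:]
}

// loginHash is the only credential the server sees: SHA-256 of username||master password, again per the FAQ.
func loginHash(username, master string) []byte {
	h := sha256.Sum256([]byte(username + master))
	return h[:]
}

// newGCM builds an AES-GCM cipher; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptVault seals the plaintext vault and returns nonce||ciphertext. GCM
// is authenticated, so a wrong key is rejected rather than yielding garbage.
func encryptVault(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptVault reverses encryptVault; an error means the key, and so the master password, was wrong.
func decryptVault(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("vault blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// vaultRecord is all the (assumed) sync server holds per user: login hash plus opaque ciphertext. No key.
type vaultRecord struct {
	loginHash []byte
	blob      []byte
}

// vaultServer is a constructed in-memory stand-in for the sync service.
type vaultServer struct{ records map[string]vaultRecord }

func newVaultServer() *vaultServer {
	return &vaultServer{records: make(map[string]vaultRecord)}
}

func (s *vaultServer) store(username string, token, blob []byte) {
	s.records[username] = vaultRecord{loginHash: token, blob: blob}
}

// fetch returns the encrypted vault only if the presented login hash matches
// (constant-time compare); even a valid token yields nothing but ciphertext.
func (s *vaultServer) fetch(username string, token []byte) ([]byte, error) {
	rec, ok := s.records[username]
	if !ok || subtle.ConstantTimeCompare(rec.loginHash, token) != 1 {
		return nil, errors.New("login rejected")
	}
	return rec.blob, nil
}

func main() {
	user, master := "alice@example.com", "correct horse battery staple" // constructed
	blob, _ := encryptVault(vaultKey(master), []byte("mefi: 492e8qw26iu7yre\n"))
	srv := newVaultServer()
	srv.store(user, loginHash(user, master), blob)
	got, _ := srv.fetch(user, loginHash(user, master)) // legitimate sync
	pt, err := decryptVault(vaultKey(master), got)    // decrypted locally
	fmt.Printf("client decrypt ok=%v: %s", err == nil, pt)
	// A full server compromise yields only the login hash and blob; neither is the vault key.
	_, err = decryptVault(srv.records[user].loginHash, blob)
	fmt.Println("decrypt with stolen login hash:", err)
}
```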


I can't be totally sure there's any causality here, but I was alerted by Bank of America today that I had some strange activity on my debit card that I used on the playstation network. It could just be coincidental, but if you used a credit card or debit card on there, check your account activity.
posted by Gankmore at 12:26 PM on April 28, 2011


Interesting to hear how careful they are. That's a much better model than I thought they were using. Still, I wish they would release source. Personally, I think all security code should be available for review on request. I strongly dislike having to trust something I can't see inside of. "Trust Us!"

Incidentally, Keepass can use keyfiles as well as passwords for multifactor authentication.

I tried Lastpass a while ago, but their IE integration is worse than bad, while Keepass (w Dropbox) seems to work ok. Their plugin version made IE quite unstable actually.
posted by bonehead at 1:01 PM on April 28, 2011


Their plugin version made IE quite unstable actually.

How could you tell the difference?


hamburger.
posted by ArkhanJG at 1:52 PM on April 28, 2011


I don't own a playstation so I don't know how to follow these things; is PSN still pushing up daisies?
posted by Justinian at 12:43 PM on April 29, 2011


As a result of these last few comments I've signed up for LastPass. It's really quite nice, and cheap considering the capabilities. I've got a YubiKey on the way to add two-factor hardware authentication to it, which is also going to fit nicely with some dev work at the office. At $25 each we can actually roll our own two-factor authentication for customer access with these things.
posted by odinsdream at 1:25 PM on April 29, 2011


Justinian, PSN is still down. I tried logging in a few hours ago & it said it was down for maintenance.

I'm glad my PS3 is a fine DVD player!
posted by dragonplayer at 2:41 PM on April 29, 2011


I can't be totally sure there's any causality here, but I was alerted by Bank of America today that I had some strange activity on my debit card that I used on the playstation network. It could just be coincidental, but if you used a credit card or debit card on there, check your account activity.

Was there actually strange activity on your card? Possibly, banks are doing the right thing and flagging all cards that have PSN activity on them, giving them a lower threshold for reporting unusual behavior. I know that using a card for small iTunes purchases tends to flag a card for potential identity theft.

Also, Sony is presently stating that all credit card information was encrypted:
All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
Here is their latest FAQ on everything.

That doesn't change reports of people, like Gankmore, that might have had their credit cards used; or reports that somebody is shopping around a list of 2.2 million credit card numbers (unverified at this point).

Note that Sony has admitted that personal data was not encrypted.
posted by jabberjaw at 2:56 PM on April 29, 2011


Question - in this Wired article, PlayStation Network Hack: Who Did It? (April 27), near the end:
"...The passwords (which Sony evidently didn’t bother to hash) could be a gold mine..."
I've not been able to find any further info along these lines, and I only know the vaguest concepts of the programming here (gleaned from various web articles, so feel free to over define anything). Anyone else have any links to "oops, Sony didn't protect the passwords as is usual with hash" in any news articles? Have seen a few other blogs refer to the "didn't bother to hash" but no citation of the source.

The only line I can see where Sony seems to admit fault along these lines in the FAQ is:
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
Is this where the inference of "didn't bother to hash" comes from?
posted by batgrlHG at 9:24 PM on April 29, 2011


Short version - does "not encrypted" = "not hashed" and is this normal?????
posted by batgrlHG at 9:27 PM on April 29, 2011


Hmm, sony's "what unencrypted card data!?" statement doesn't jive with the previously mentioned explanation of their code passing card data through http get requests. They might have been munging the final storage table of card data, but clearly they don't understand something here.
posted by odinsdream at 10:36 PM on April 29, 2011


When Sony says attackers got passwords and attackers got security question answers, with no qualifications, it sounds a lot like they were doing something wrong. Because if they were doing the right thing here, Sony should have never had this data in the first place.

You are never supposed to store user passwords or security question answers in a database. You convert them with a cryptographic hash function such as properly salted SHA-2 or bcrypt (for example) into a string of bits that can't be turned back into a password and store that instead. This is not difficult and it is not a secret. This is password security 101.

When this is done correctly, it makes it impractical and infeasible to decode the table (although weak individual passwords can still be cracked one-by-one over enough time). Since it mitigates the damage of a breach a lot, and would make them seem a lot more competent, the fact that Sony very conspicuously omits mentioning it strongly suggests that this isn't what they were doing. I'd honestly like to hear otherwise, as it would mean the hackers didn't really have 77-million passwords and security answers, but based on what Sony has said and hasn't said I don't think it's likely.
posted by umrain at 1:30 AM on April 30, 2011


Short version - does "not encrypted" = "not hashed" and is this normal?????

No. Encryption is a reversible process, while hashing is one-way. Meaning that if you have encrypted data, you can decrypt it if you know the key (password), whereas once you hash something, you can never go back. umrain explained it properly in the comment above.

Someone please tell me if I'm missing something, but if the hackers do have access to everyone's password, and assuming the decryption key was derived from the user's PSN password, what is the benefit of the CC data being encrypted?
posted by Bangaioh at 4:06 AM on April 30, 2011 [1 favorite]


Encryption is a catch-all word for reversible and non-reversible processes. Hashing is a name for a non-reversible process of encryption. If Sony says that something wasn't encrypted they're basically saying that it wasn't hashed or altered in any way and that it was just stored as pretty much plain text.
posted by I-baLL at 12:20 PM on April 30, 2011 [1 favorite]


Latest annoying development: Netflix not working (for me at least). Earlier today I was able to get on to Netflix and watch some movies. Now, it appears to connect, giving me my queue and everything, but when I select a particular program to watch, it starts loading, but then says it is unable to connect. It has been doing the "failed login multiple times" thing, but now it seems to be totally F'd in the A.
posted by Saxon Kane at 6:22 PM on April 30, 2011


Hashing is not irreversible if the data being hashed has low entropy, as we can expect passwords entered via controller to be. I received a report of a brute forcer going through 277M passwords in 15 minutes today.
posted by effugas at 8:58 PM on April 30, 2011
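umrain's prescription of per-user salted hashes, Bangaioh's point that a hash is verified rather than decrypted, and effugas's point that a hashed low-entropy password is still guessable, as one added Go example (not Sony's code or anyone's production code): the credential type, the sample passwords and the four-word candidate list are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// credential is what a site stores instead of the password: a per-user
// random salt and the one-way digest of salt||password.
type credential struct {
	salt   []byte
	digest []byte
}

// hashWithSalt is the "properly salted SHA-2" umrain mentions. (A slow,
// deliberately expensive KDF would be the stronger production choice.)
func hashWithSalt(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// newCredential draws a fresh 16-byte salt so identical passwords on
// different accounts produce unrelated digests.
func newCredential(password string) (credential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return credential{}, err
	}
	return credential{salt: salt, digest: hashWithSalt(salt, password)}, nil
}

// verify recomputes the digest from the stored salt and compares it in
// constant time; nothing is ever "decrypted", which is Bangaioh's point.
func verify(c credential, password string) bool {
	return subtle.ConstantTimeCompare(c.digest, hashWithSalt(c.salt, password)) == 1
}

// unsaltedDigest is the scheme to avoid: the same password always maps to
// the same digest, so one precomputed table covers every account at once.
func unsaltedDigest(password string) []byte {
	d := sha256.Sum256([]byte(password))
	return d[:]
}

// guessFromList models effugas's point: a salted hash of a low-entropy
// password still falls to a short candidate list. It returns the matching
// candidate, or "" if none matches.
func guessFromList(c credential, candidates []string) string {
	for _, cand := range candidates {
		if verify(c, cand) {
			return cand
		}
	}
	return ""
}

func main() {
	// Constructed sample accounts and candidate list; "password1" is the
	// weak guess from Bugbread's comment upthread.
	weak, _ := newCredential("password1")
	alsoWeak, _ := newCredential("password1")
	strong, _ := newCredential("H7v!q2Lm#zR9pX4e")
	list := []string{"letmein", "qwerty", "password1", "123456"}

	fmt.Println("salted digests differ for the same password:",
		!bytes.Equal(weak.digest, alsoWeak.digest))
	fmt.Println("unsalted digests collide:",
		bytes.Equal(unsaltedDigest("password1"), unsaltedDigest("password1")))
	fmt.Println("verify right/wrong:", verify(weak, "password1"), verify(weak, "password2"))
	fmt.Printf("weak recovered from %d guesses: %q\n", len(list), guessFromList(weak, list))
	fmt.Printf("strong recovered: %q\n", guessFromList(strong, list))
}
```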


Database encryption is mostly a lie, by the way. Even when there's an encrypted table, the database itself has the key because it actually needs to operate on the data (for searches, etc). So, you get Admin, you get the key.
posted by effugas at 9:50 PM on April 30, 2011 [1 favorite]


Sony now says that passwords were, in fact, hashed.
One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.
Link.
posted by jabberjaw at 11:19 AM on May 2, 2011


Update:

Sony Online Entertainment, their PC gaming network (Everquest, etc) which is not linked to PSN, has now also been hacked.
posted by wildcrdj at 6:27 PM on May 2, 2011


And another update (at the bottom), guess it was part of the same intrusion even though they are separate services (makes sense, depending on their internal network security; once an intruder is in, getting access to different data sources might not be hard)
posted by wildcrdj at 7:36 PM on May 2, 2011


Lots of candy bar (crunchy on the outside, soft and chewy on the inside) security out there.
posted by effugas at 9:20 PM on May 2, 2011


Oh, FFS Sony. Another network hacked.
posted by LMGM at 7:06 AM on May 3, 2011


Who was running Sony's network security? Because this would not happen at Microsoft with XBOX Live. Those guys are crazy paranoid. I mean apparently Sony didn't salt the passwords. Seriously, guys?
posted by Justinian at 10:56 AM on May 3, 2011


Anyone know of any class action lawsuits against Sony over this security breach yet?
posted by crunchland at 11:22 AM on May 3, 2011


Yep.
posted by Justinian at 11:49 AM on May 3, 2011


Thanks for the clarification on hashing - noticed that while Wired and a few other places mentioned it, the "not hashed" thing was never attributed to a source. I'm thinking that this claim must have gotten back to Sony somehow since they expressly mentioned in the press conference (see jabberjaw's link) that hashing was used. Now I'm curious about who the bad source was - but I suppose I'll have to wait until someone eventually writes a book on it all.
posted by batgrlHG at 7:37 PM on May 3, 2011


I think the big deal is that hashing and salting is the one thing non-security folk can wrap their mind around, and so it constantly gets trotted out as the one thing that would have stopped the bad guys. Silly, but a sign of how impotent we are at doing just that.
posted by effugas at 8:17 PM on May 3, 2011


One of the things that's not clear to me from the discussion is how you'd use LastPass for your PSN login info and security questions.
posted by garlic at 6:29 AM on May 5, 2011


garlic: LastPass is just a storage location for passwords. For web-based logins the browser extension can automatically fill in the stored password for you, but that's not a requirement for storing information in the system. You can manually store and retrieve passwords in the system as well. For PSN you could store the password and then look it up with your mobile phone for typing in on the game system when necessary.

What LastPass (and really any password manager) allows you to do is to store unique, strong passwords for each service you use. A lot of people don't do this at all, or do it poorly (i.e., using a base common word with some site-specific add-on). Password managers make this storage and retrieval easier, and thus more likely to be used.

I'll admit that before signing up for LastPass I didn't do this very well myself, for both personal and work systems. Now I can concretely say that every single password I use is both strong and unique, meaning any data breach at one service doesn't open me up to additional attacks.
posted by odinsdream at 7:31 AM on May 5, 2011 [1 favorite]


Shocker: Sony blames Anonymous for PSN hack; DOJ & FBI investigating

Anonymous: Sony is incompetent (and we don't steal credit cards)
posted by homunculus at 10:06 AM on May 5, 2011


Bad day to be switching to LastPass.

I tried their instructions about using the local copy of my db, but I still couldn't get it to login. Luckily, I keep a secure notes file that allowed me to get done what I needed to get done, but once the login info for all the sites I login to expire, and I still haven't been able to login to the lastpass in the cloud, I'm pretty much hosed. Eep.
posted by crunchland at 10:44 AM on May 5, 2011


Yeaaa... that's some disappointing stuff from LastPass today. I exported a flat-file this morning when it came across the news just in case, but I haven't personally had any issues with normal access yet.
posted by odinsdream at 12:03 PM on May 5, 2011


LastPass CEO Explains Possible Hack
posted by crunchland at 8:38 PM on May 5, 2011


FYI, even though PSN is down, you're still able to watch Netflix online on the PS3, you just have to let the login fail a few times. --- Actually, no. I'm able to look at my queue, but the process fails when I actually try to watch a movie.
posted by crunchland at 7:24 PM on May 11, 2011


From what I've read in numerous places, other than the people that keep parroting this, is that the last time Netflix worked for a lot of people was Saturday. That's about the time our access quit working too. I love the part about Sony's website going down today also, supposedly due to the security upgrade. If I could find a blu-ray/netflix box with DLNA capabilities this stupid PS3 would be on ebay in a heartbeat.
posted by Big_B at 8:10 PM on May 11, 2011


I don't quite get it why Netflix works on some PS3s and not others. It works on mine perfectly well.
posted by jabberjaw at 10:42 PM on May 11, 2011


26 days later, PlayStation Network returns (ars technica) : "After 26 days of downtime, Sony has announced that the PlayStation Network is up and running once again. After customers apply mandatory security patch 3.61 to their PS3s and change their passwords, they will again have access to online play, the media service Qriocity, and third-party services including Netflix and Hulu."
posted by crunchland at 9:22 PM on May 15, 2011


Details for compensation begin to roll out.

2 free games from the following list:

PS3:
Dead Nation
inFAMOUS
LittleBigPlanet
Super Stardust HD
Wipeout HD + Fury

PSP:
LittleBigPlanet (PSP)
ModNation Racers
Pursuit Force
Killzone Liberation

And some other stuff, including 30 day free trial of PSN plus.
posted by jabberjaw at 5:18 PM on May 16, 2011


So, a couple of two year old games?
posted by crunchland at 6:44 PM on May 16, 2011


No, no. A couple of two year old games that you probably already own.
posted by jabberjaw at 11:18 AM on May 17, 2011


A couple of two year old games that you probably already own.

Yeah, their excuse ("Unfortunately with a user base of 77m people, it is really hard to offer something for everyone") is ridiculous too. If they had just given psn store credit or made at least 2 of the titles things that would have been released during the outage (hence, stuff that no one actually had a chance to buy), this wouldn't even be an issue.
posted by juv3nal at 11:55 AM on May 17, 2011


Wait, so if you have PS Plus and you stop subscribing your games disappear?

This offer is insulting.
posted by elder18 at 2:18 PM on May 17, 2011


Wait, so if you have PS Plus and you stop subscribing your games disappear?

As I understand it, there are a few different cases:
1) The free "welcome back" games...these you keep.
2) PS Plus free games...these go away if your PS Plus sub ends.
3) PS Plus discounted games (i.e. games you actually pay for but at a lower price than if you had not been a PS Plus member)...these you keep.

I'm not absolutely sure about 3, but I'm pretty sure about 1 & 2.
posted by juv3nal at 3:02 PM on May 17, 2011


Huh.

"I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe.
A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth.

It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real."

Sony response.
posted by mrgrimm at 11:09 AM on May 19, 2011


If it happened to you, it would still generate an extra password change notification email, so if you don't see one of those, I don't think you have anything to worry about.
posted by juv3nal at 2:11 PM on May 19, 2011


From the Sony response:
We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
How is a URL exploit not a "hack?"
posted by grouse at 7:38 PM on May 19, 2011
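The quoted warning above (a reset that needs only the account's e-mail and date of birth) and the "URL exploit" in Sony's response both come down to the same design question: what does the reset endpoint accept as proof that the requester owns the account? The following is an added example, not Sony's code and not a reconstruction of the actual PSN flaw (the thread does not give its details). It puts a knowledge-based reset, which the breached data alone satisfies, beside a token-based reset that a leaked e-mail and birthdate cannot drive. The `AccountStore` class, the function names and the sample account are assumptions constructed for the example; the `notifications` list stands in for the password-change e-mail mentioned a couple of comments up.

```python
import hashlib
import hmac
import secrets
import time

# Example code only (assumption): an in-memory stand-in for an account
# database plus two reset flows, a weak one and a hardened one.
TOKEN_TTL_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Hypothetical account store. `now` is injectable so expiry is testable."""

    def __init__(self, now=time.time):
        self.now = now
        self.accounts = {}       # email -> {"dob": str, "salt": bytes, "pw": bytes}
        self.reset_tokens = {}   # sha256(token) -> {"email": str, "expires": float}
        self.notifications = []  # (email, event); stands in for notification e-mail

    def add(self, email, dob, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"dob": dob, "salt": salt,
                                "pw": _hash_password(password, salt)}

    def check_password(self, email, password):
        acct = self.accounts[email]
        return hmac.compare_digest(acct["pw"],
                                   _hash_password(password, acct["salt"]))

    def _set_password(self, email, password):
        acct = self.accounts[email]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw"] = _hash_password(password, acct["salt"])
        # Every successful change is announced; a user who did not request
        # one learns about it, which is the detection the thread relies on.
        self.notifications.append((email, "password-changed"))


def weak_reset(store, email, dob, new_password):
    """Knowledge-based reset: the 'proof' is exactly the data the breach leaked."""
    acct = store.accounts.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    store._set_password(email, new_password)
    return True


def request_reset(store, email):
    """Hardened step 1: mint a random, single-use, expiring token.

    Only a hash of the token is stored, so a read of the database does not
    yield usable reset links. A token is returned whether or not the e-mail
    exists, so the endpoint does not reveal which addresses are registered;
    in practice it would be sent to the address, never shown to the caller.
    """
    token = secrets.token_urlsafe(32)
    if email in store.accounts:
        digest = hashlib.sha256(token.encode()).hexdigest()
        store.reset_tokens[digest] = {"email": email,
                                      "expires": store.now() + TOKEN_TTL_SECONDS}
        store.notifications.append((email, "reset-link"))
    return token


def complete_reset(store, token, new_password):
    """Hardened step 2: the token, not any profile field, authorises the change."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.reset_tokens.pop(digest, None)   # pop: a token works once
    if entry is None or store.now() > entry["expires"]:
        return False
    store._set_password(entry["email"], new_password)
    return True


if __name__ == "__main__":
    # Constructed sample data: the fields the thread says were exposed.
    store = AccountStore()
    store.add("victim@example.com", "1980-01-01", "original-password")
    print("weak reset with leaked data:",
          weak_reset(store, "victim@example.com", "1980-01-01", "attacker-chosen"))
    print("token reset without a token:",
          complete_reset(store, "guess", "attacker-chosen"))
    token = request_reset(store, "victim@example.com")
    print("token reset with the mailed token:",
          complete_reset(store, token, "user-chosen"))
    print("notifications:", store.notifications)
```

The point of the comparison is that nothing in `complete_reset` consults the birthdate or any other profile field: an attacker holding the whole leaked record still needs access to the victim's mailbox. Rate limiting the two endpoints and invalidating existing sessions on a successful change are the other two controls a real implementation would add.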


Wow, that's some weak compensation. I already have every one of those games.
posted by wierdo at 7:56 PM on May 19, 2011


Wow, that's some weak compensation. I already have every one of those games.

Yeah, I don't have all of them, but I have all but one of them and I have all the ones I actually want.

I said this before they announced what the compensation was going to be: the only way they can avoid screwing over the customers who have previously bought the most stuff is if the compensation is either a) store credit or b) something that hadn't been released yet up until the point when the outage occurred.

But it's not a huge surprise that they decided not to do the right thing there.
posted by juv3nal at 5:50 PM on May 20, 2011


One of the things I really loathe deeply about Sony is how they never test user factors on anything. They just shovel their engineering out the door as if it's blessed and we'll suck it up just because it's got their name on it. In fact, the only time they polish anything is when it will absolutely be used as marketing collateral. But once you buy something.. fuck you, boyo.

My latest example: The PSN News link on the crossbar that says "details about customer appreciation program", when selected, takes you to the front page of the PSN Blog. Where there's nothing about the customer appreciation program visible above the fold, or indeed anywhere on the page at all. Indeed, one must advance the blog to page 2 to find the blog post referenced by this link. The right thing for Sony to do would be to link that news item right to that blog page. But, no, their "never tests for user factors" fucking morons thought that pointing people to the blog would be good enough forever because it was good enough for the six minutes the post was the lead story.

I hate Sony so much. They're like the asshole uncle who'll fix your car for free just as long as you'll give him beer and let him insult you (in the guise of conversation) while he does it. Bastards.
posted by seanmpuckett at 7:08 PM on May 20, 2011


Sony is pretty annoying at times. It's too bad the PS3 is such a nice piece of kit in so many ways, as hard as they're trying to make it worse with each passing day. Ironic that for the first couple of years they were actually making things better with most firmware releases.
posted by wierdo at 8:52 PM on May 20, 2011

