This is a much much bigger deal than the Gawker security breach. Sony had substantially more information on its users than Gawker could ever hope to dream of. Specifically information on real names, addresses, and potentially credit cards.
This is a big F'N deal and I wouldn't be surprised if it cost Sony more than Microsoft's infamous 1 billion dollar write-down with the Xbox 360's Red Ring of Death.
I don't think this will kill PSN or the PS3, but it's going to significantly dent things. I'm curious to see how much media attention this gets and if we'll see a macro shift towards the Xbox 360 and Wii.
If I was Nintendo and particularly evil I would leverage this opportunity to tout the new system and emphasize the cutting-edge online modes with rock solid security. And MS can also talk about their great track record in the online world.
He's not saying that the grandparent comment was "dissing the competitor". The grandparent comment suggested that Nintendo and Microsoft could use this opportunity to flaunt their own systems as superior, and the person you replied to was simply stating that Nintendo can't do that without having a lot of confidence in their own networks.
It does carry a risk though - if you make securing a major online service sound too easy by ridiculing your competitor then down the line when you get breached its more damaging imo. eg I dont remember any Car companies in recent history pointing to Service recalls of their competitors in their advertisements, ditto for Airlines and crashes.
It is, and that's the example I thought of in response to the point. But car companies do advertise the safety of their cars. The situation is different, though, since different cars do have different safety measures, and such things do get rated.
"I wouldn't be surprised if it cost Sony more than Microsoft's infamous 1 billion dollar write-down with the Xbox 360's Red Ring of Death."
Banks, colleges, hospitals, and credit card processors do this all the time, and it doesn't cost them anywhere near a billion dollars despite the fact that they have vastly more personal information. Sure they usually only have a few hundred thousand records and not a few million, but even still the idea that this is going to cost them a billion dollars is absurd.
I would argue the cost of the RRoD was a heck of a lot more than $1B because of all the lost sales. People didn't want to invest in hardware that was going to break 5 times over.
The direct damage from this won't be $1B (still tens of millions at least). But what about the impact of the lost sales and customers from the loss in credibility and trust? That is what could be huge.
It was relatively "easy" for Microsoft to replace broken hardware. How easy and how much is it going to cost Sony to replace broken trust?
I would argue the cost of the RRoD was a heck of a lot more than $1B because of all the lost sales. People didn't want to invest in hardware that was going to break 5 times over.
Agreed. Microsoft only wrote down the $1B as an expected total cost of fixing broken Xboxes. Who knows how much money they lost?
I've been seeing the notion of accounting for the loss of sales due to "reputation" come up on HN recently and I wish to dispute it.
First, most of the time when we're talking about business and we talk about costs we're clearly talking about accounting costs. This applies to startups, too. When you're talking about accounting costs, you don't get to include economic costs (e.g., opportunity cost.)
Second, isn't trying to include these extra "costs" due to lost sales the same thing that the music industry is doing? That is, claiming that they lost trillions of dollars due to file sharing from, you got it, "lost sales." [1]
I don't think there's any real way to measure these costs, so let's stop trying.
"Goodwill" is the difference between the book value of a company (value of tangible assets) and what it can be sold for. A manufacturer with tooling, machines and inventory might not have much, but a software company's book value is near zero.
People are asked to put value on intangibles all the time. You might want to write them all down to zero, but the rest of us value Wordsworth more than the dead trees his words are printed on.
No. Goodwill is the difference between the price paid to acquire a company and the book value of the acquired company. To put goodwill on the books, you must buy a company.
Opportunity costs are measurable. It all depends on your assumptions whether the measurements are reasonable or not.
Ex. If I make $2000 a week as a contractor on a steady contract, I know that the opportunity cost of taking a week of unpaid vacation time is $2000. That's a reasonable, measurable assumption.
However, I could also say that the opportunity cost of that week of vacation will be $12000, because there might be a one-week rush project that will come in that I can bill for $10000 in addition to my normal steady contract. Assuming there's not a pattern of that happening in the past, it's not a reasonable assumption and thus measurable in that way.
I'd say this second scenario is akin to the record companies assuming that every instance of piracy is also an instance of lost sales.
You're estimating an opportunity cost here, not measuring it.
Goodwill can be measured in the sense that goodwill = purchase price - book value. No assumptions are involved in its calculations--goodwill is calculated based on two fixed values.
Opportunity costs are not as concrete. In your example above you state your opportunity cost is $2000...but what if that rush project comes through? What if your steady contract scales back for that week? There are assumptions involved; ideally your opportunity cost would be the expected value of all probable incomes during that week. Identifying those probabilities a priori is impossible.
My point is: opportunity costs are based on assumptions. They cannot be measured--only estimated.
I definitely agree, and any "lost sales" are clearly evident in future revenue data. Opportunity costs are factors in economic decisions, but writing them down would be laughable.
My point was that Microsoft probably had some revenue trajectory with slope X before the write-down, and experienced a new revenue trajectory with slope Y < X after the write-down. I'm curious about the area between the two lines.
You can have more than one PSN account in a home i think (not a ps3 owner), one for each family member, i suppose there is where you can find the gap between the numbers.
Yes, you can have multiple accounts per console. And because it's free, I would think (based on a small sample, my friends who own PS3s), it's far more likely that there will be multiple PSN accounts, versus XBL accounts which cost money (to play online).
My PS3 has three PSN accounts on it, do three or four of my friends'. Everybody I know who has a 360 shares one Live account across everybody who uses the console.
Numbers I've heard floated for leaks on the smaller scale are around $15-20 per person for post-leak mitigation and damages, which could push near $1b if the same per-person cost held with this size leak (which it might not). When my university had some data stolen, their lawyers advised them to buy everyone a year of some identity-theft insurance/monitoring package, which I believe cost them around $10 per person just for that.
Monoprice did the same thing when they were hacked last year. Two months after it happened, I got a letter from them with a few papers describing the identity theft monitoring service I would receive for a year.
Agreed. Look at the T.J. Maxx breach, in which approximately 94 million credit card numbers were stolen. Despite media claims of billions of dollars in damages, and multiple class action lawsuits, T.J. Maxx didn't pay any huge settlements or face any special penalties.
Microsoft had millions of pieces of defective hardware out there which they were warranting free replacement on for several years. Unless Sony's going to replace all the PS3's in the wild, the direct costs for dealing with this PR nightmare shouldn't come close to what Microsoft set aside.
if pki alone is at the core of their infrastructure problems, and the key is in the chip, this may well be what they have to do. however i don't know that this is entirely because their public key infrastructure.
Would replacing all the PS3's fix it? It seems that this is more related to the infrastructure of PSN than the actual PS3 hardware. If that's the case, there's not much that Sony can do to really fix the situation.
Holy Cow! This has to be one of the most serious breaches I remember in recent times. While I dont work in security and my security foo is weak it appears that they did not have a strong layered security apparatus in place? Is it just a coincidence that this breach and geohotz exploit happened around the same time?
So it is as bad as we feared. The only silver lining I can see is that Sony made the difficult business decision to turn off the network until they were sure it was secure. While that doesn't make me feel better as a PSN user I do respect their honesty and commitment to fixing it.
I doubt turning off the PSN was a "difficult business decision". More like their lawyers said "KILL IT NOW" and pointed out the ramifications of not actively preventing such wholesale personal information theft.
There will already be a lawsuit of some sort. Imagine how bad it would be for them if they hadn't shut it down.
That's what I was thinking: in most cases of user accounts being compromised, the solution is "change your passwords on this and other sites". Here you need to change your birthday, cancel your credit card, move out, change your name… kind of a hassle.
From the "click here to use it" page:
"Fake Mail Generator changes the domain frequently in order to prevent the address from being banned, a problem which plagues other disposable email services."
Sounds like they added "example.com" into the list by mistake... It has no MX from what I can tell.
And, you know, your mom probably won't be too happy when you pop out of your time machine, a week before your birth, and tell her she needs to induce labor.
I thought Anonymous apologized to PSN users for the collateral damage? Makes me wonder if they're just trying to save face after realizing the users were turning against them too...
"We realize that targeting the PSN is not a good idea. We have therefore temporarily suspended our action, until a method is found that will not severely impact Sony customers." -- Anonymous
Then they went on to say something about how Anonymous is a diverse group and they can't control everyone, blah blah blah.
Quoting Anonymous on their involvement is a moot point. The lack of hierarchy and completely radical differing opinions of members within the "group" allows for confusion and varying ideologies. Since a press release, in the mindset of Anon, is released by an individual or a group of individuals, they may not be aware that a separate member did perform the hack. In the end no one really knows until someone pretty much steps forward.
I think given the severity and potential criminal lawsuits for this nobody will step out right away, however I'm pretty sure the geohot story pissed off some good hackers who found something to do in their spare time...
I can't even begin to fathom the magnitude of this considering how many people likely use the same login credentials for all of their sites.
The problem you run into is that communicating both the nature of the breach and convincing people to respond accordingly is incredibly hard.
This will continue to happen across many sites. I think after enough of these breaches, though, people will start to think about the protection of their online identities a lot differently, which is good, albeit at a painful cost.
<3 <3 <3 keepass. It has clients for Linux, Windows and OS X, not to mention many smartphones (stick to the 1.x version for this.) This, along with dropbox makes for an awesome way to keep track of passwords securely.
It doesn't have to use all those funny characters. But the vault at least allows you to use a different password for each site. Which, in this case, might be pretty important.
Okay, I see KeePass and Password Gorilla recommended here in the other replies. I use KeePass actually, and I've seen PGorilla. But I'd like something that is integrated with the iPhone - and works with Linux and Windows too.
There's an app called Strip that looks pretty good. I'm listening to other suggestions.
I've used LastPass since the Gawker breach. It works with iOS and automatically syncs password databases across all browsers and mobile devices. I've been very happy with it thus far.
FTA: we believe that an unauthorized person has obtained the following information that you provided: ...PlayStation Network/Qriocity password and login...
I'm curious if this means they store everyone's password in plain-text, or if by "password" they really mean a hash of some sort.
Frankly I'm more concerned with their words about changing credit cards if you've made a purchase through PSN. This seems to be an admission that they were storing CC#'s in plain text.
You could at least have them encrypted on disk with a key only stored in memory, i.e.: when the system is turned on. Alternatively a dedicated crypo device where you feed it cipher text and it gives you plain text would also help as the attack wouldn't be able to get the key (even if they have the physical box (for good crypto devices))
While only marginally better depending on the type of attack and permissions gained by the attacker, if all they got was static data on disk, then it would be secure.
And what if that server needs to be rebooted some day? What if there's a hardware failure and it has to be powered off?
Something as big as PSN has multiple servers reading the same DB and must be able to tolerate failures without forcing everyone to re-enter their CC #. The keys must be stored persistently somewhere.
What we do where I work is take the newly generated key whenever we key or rekey the system, split it into multiple pieces using Shamir's secret sharing algorithm, and those pieces are distributed to several people.
Whenever the server needs to be started, two of those people must enter their key shares. That enables the server to reconstruct the key, which is then stored in memory.
> How do you use stored credit card info if the cc# is not stored?
Simplifying just a bit -- The one time you pass the # along to the bank, they give you back a transaction ID you can use to do future things with that card. The bank knows the number, looks it up by that ID.
I don't know much about online credit card transactions, but how are you supposed to do it? Don't you need the number to transfer to Visa or whoever in order to get money out of someone's account?
PCI requires that CC#'s are stored encrypted in the database. A service this big has had a full PCI compliance overview, and they wouldn't miss a basic requirement like that (I hope).
Having access to a few of my passwords online has effects that range from my current to future employment, relationships with friends, partners, s.o's, future employers, all of my bank accounts, etc.
And I have better password practices than most. Credit cards might be an immediate thought, but how many other physical and intangible assets does your password give a hacker access to?
That wouldn't work over SSL, as there is no plain text in the HTTP Verb. And I recall a "paper" coming up some months ago that was mentioning the protocols the PS3 goes through, which does confirm that the data is transmitted over SSL.[0]
The SSL gets decrypted inside the web server process memory, at the latest. Sometimes it's stripped off by an SSL offload accelerator device before even entering the web server.
The numbers probably also cross the wire in plain text between the web server and the database too.
If the attacker "0wned" the servers the fact there was encryption between you and the server doesn't really help a whole lot, they can just insert them selves in the stack post encryption (or even use the private key to decrypt the encrypted traffic if they wanted to minimize the number of points they touched).
Good question. When you reset your PSN password, they send you a link, rather than your password in plaintext, which at least hints they were doing the right thing. But who knows.
It also says it might have been, which is much more worrying to me than the lack of evidence; because before this sony had no evidence that their network was compromised.
This whole thing seems like a great example of incompetence.
It doesn't mean they either know, or don't know. It means their PR isn't willing to fully disclose the exact nature because if they confirm customer data was nicked, class actions will start off rather promptly, and if they say it certainly wasn't, they're seen as over-reacting.
This compromise happened DAYS ago. Google was hacked by China in mid-December 2009 they didn't publicly announce what happened until January 12, 2010. What started to look like a harmless intrusion turned into compromised gmail accounts turned into a highly sophisticated attack on Chinese dissidents turned into a full scale assault on their infrastructure. People were still figuring out the extent of that attack a couple months later.
While this is a bad security breach, if you follow security news at all you'd know computer security is a joke. The Rustock botnet operated for FIVE years with impunity on as many as 2.4 million rooted machines. People didn't even know they were owned; their computers worked perfectly fine like nothing was wrong. Every system at pwn2own gets owned in seconds and you can bet the black hats were there first. Everyone gets compromised. The only thing stopping a crippling cyber attack is whether someone feels it is beneficial to do so.
I do not especially fault Sony for this. Google gets hacked. Microsoft gets hacked. The NSA gets hacked. The DoD gets hacked. JP Morgan Chase gets hacked. Just add another multi-national to the list. It's a systemic problem that nobody really cares enough about nor can we do much about it if we did care.
EDIT: Just to give you another idea of how screwed we are from a security perspective. To paraphrase George Carlin[1], some programmers are really stupid. Did you ever notice how much stupid software you see? Think of how stupid the average programmer is, and realize half the programmers are stupider than that. And that bottom half? They probably work in IT, managing over engineered address books and accounting ledgers of the world while smarter people worry about cooler problems.
Being a security guy, I agree that no amount of planning and intelligence will keep out a significantly determined attacker. However, this doesn't give you carte blanche to not think about security. All the evidence presented around this shows that they simply didn't make it difficult at all; as soon as the console fell, so did their system. They seem to have violated every rule in security. That is simply unacceptable.
It's one thing to be attacked by determined people and fail eventually -- given enough time, everyone does -- but it's a completely different matter to give the keys to the castle to anyone with a rooted PS3.
Thankfully that's what's great about credit cards (and let's not forget that) - you just ask the bank to deactivate the old one and no more transactions can go through. Also, you should in general not be liable for any fraudulent use of the number. Just dispute it. (my contract said I could be held liable for up to $50 of fraudulent use only in the case where the CARD was stolen and used prior to my reporting it.)
Not to be trite, but as they say, absence of evidence is not evidence of absence.
Especially considering the sentences immediately after the "there is no evidence..." statement, I'd be wary. I might just be jaded and they're really just trying to be forthcoming and helpful, but all that CYA-type-speak after that line makes me at least a little bit dubious that they're revealing all the details just yet.
I've always hated that saying. Absence of evidence is indeed evidence of absence, in situations where you would expect such evidence. It's absence of proof that isn't proof of absence.
Do what you will, I'm not going to defend Sony exactly but you'd be stunned to know how much this kind of thing happens and goes unreported. Stunned. Sony deserves a pile of credit for manning up and saying what they've said. Unfortunately they're also admitting that they have no idea how bad it really is. A remarkable number of companies wouldn't disclose this much. A remarkable number of them will interpret and spin it all in their favor and report as little as possible.
It took them a week to release a non-statement, which they only issued after Congresspeople started complaining about why the service was down for so long. This is not a victory for transparency.
What do you want them to do? What's reasonable? How long do you think it took them to figure out the extent? (They still don't fully know it!) There are absolutely business concerns that warrant acting with some measured prudence.
The parent is true, there are a lot more attacks than you hear about. Sony only loses here, they lie and under play it they look bad, they over play the concerns and they look bad, they tell the world too soon they look bad, they take their time and they look bad. It's just all around shitty. What's the reasonable way for them to report this or should they just lie like a lot of other companies?
Well, it's a little late now, but they could have kept to security best practices (hashed passwords, external hardware credit card encryption/decryption seem like two obvious things they chose not to do.) For a large network, that doesn't seem like an unreasonable burden.
Their business concerns are merely for their own good to try to protect their brand, not to actually benefit their customers. They will spend more on just PR, never mind making good any actual losses, than on just doing it right in the first place. At this point, they deserve to look shitty, because they were shitty. In the case of lying about it, that should be a serious corporate crime (and I think this sort of disclosure is required in most jurisdictions.)
More generally, why do businesses pay almost anything to protect their good names, but only after they themselves have let their reputation fall into the deep shit? Look at how much BP must have spent over the deepwater horizon spill, compared to how much it would have cost to maintain their equipment. Never mind the banking crisis. An ounce of rational prevention is worth a tonne of PR fire-fighting — why do companies struggle so much with mitigating downside risk?
I wonder how many times a company can install trojans on your computer, destroy your OS's security, secretly watch all your actions, then proceed to not properly protect your data when you voluntarily give it to them...before going out of business.
Sony's size and momentum must be pretty crazy. Or maybe it's our society. I just can't imagine a small record store in the 1960s, after being caught spying through the bedroom windows of its customers, ever staying in business.
I feel terrible for anyone caught in this. But maybe, just maybe, Sony isn't the company to do business with anymore?
People want to play God of War, Little Big Planet and Gran Turismo. I think Sony could do just about anything and stay in business. As sad as that is, it's probably true.
I know, right? Reading through the comments on that post, the "you should have told us this last week" comments are just about balanced out by the "why are you wasting time with this instead of getting the PSN back online" comments.
Kids don't give a shit. Privacy is crap, they got their penis pictures on facebook. They want their fucking video games.
People playing games all day don't give a shit. They want their fucking games, stfu privacy and get moar kof33 and fucking get this shit online.
People with money to lose care. They care that their information is stolen because that could lead to their money being stolen.
People who know the value of information care. Thats few people though, since facebook exists.
In the end of the day people are willing to talk shit, when it comes to action that is a different story. How many people were so against EA's rootkits, but how many actually boycotted? Same with Apple? And now its same with Sony. Nobody will do anything. Nobody will boycott, the company will just shrug this off as an "opse".
Oh noes, some people value different things than me how dare they.
Let's be all elitist and imply "kids" don't know the value of information, whatever that may be. More like they know the information PSN had on them didn't matter (some nickname and email). And yeah, they want they games online, that's why they paid for a PS3 and multiplayer videogames after all. And Sony promised online multiplay.
Even if PSN didn't collect any financial information a breach of usernames and passwords is a big deal. As the Gawker hack has shown us, people tend to use the same usernames and passwords across many different websites. You can argue that this is the user's fault, but it doesn't matter. They'll still blame you when their bank account gets hacked.
In this case, though, there are indications that financial data was disclosed. PSN (just like Steam and XBox Live) collects financial data to allow for online game purchases. Disclosure of that information is quite a serious matter. Yeah, the "kids" playing might not care about their PSN account, but the parents who enter credit card information to buy their kids games sure will.
A poorly made argument does not automatically render the conclusion false.
If you care enough about information then sony being compromised shouldn't be a threat to you. How come no one is talking about Anonymous' role in this? Unless you are a Sony exec you shouldn't be too concerned about anything but finding another device to watch netflix on.
Mm was nearly fully Sony-funded pre buyout. Sony put a lot in to start that studio and also published LBP1, so it's not horribly surprising that they acquired them once it was revealed that Mm would be more than an indie fluke of a business.
Momentum and hydra-esque qualities. Sony manufactures parts for a lot of tech companies, who would suffer if Sony ceased to exist. So it's in their best interest to keep them alive, especially in the short-term as it would be crippling to have to change suppliers suddenly.
Large companies like Sony don't just go out of business - they are bought out, maybe broken up in the progress. This "cease to exist" idea is really removed from reality.
> I just can't imagine a small record store in the 1960s, after being caught spying through the bedroom windows of its customers, ever staying in business.
Don't read this as a defense of the company, but there hasn't really been a single, monolithic Sony for decades. Sony Music Entertainment, perpetrators of 2005's rootkit debacle, is pretty far removed from Sony Computer Entertainment, the division responsible for Playstation. Sony Electronics, makers of TVs, home theater systems, and Walkmans, is another silo, as is Sony Pictures.
Of course, every act of incompetence under the Sony name tarnishes that name, and in the marketplace, that's ultimately all that matters.
There have been rumors that Sony Music/Pictures has "oh no, piracy!" veto power over the rest of Sony, though. Either that or every division of Sony happens to be really DRM-happy.
Sony Music's meddling is the reason Sony failed to make a successful Mp3 player, all the more remarkable because Sony created the individual portable music market and dominated it with the Walkman.
Not only that, but they're responsible for the Minidisc's failure. That could have been a really nice format, but they had to slap a bunch of restrictions on it.
Not only the DRM restrictions, but that they limited manufacturing licenses to other companies. MinkDiscs are the perfect size and a little more durable (scratch resistent) imo. It's a shame CD's won out.
Sigh. The CDs said "Sony." That means "Sony" is the party responsible for the rootkit. The goodwill (or lack thereof) accrues entirely to Sony.
As a consumer, I'm not the least bit interested in a detailed breakdown of the corporate structure. Sony pays brand managers very well to encourage me to think of it as a single monolithic company, and I'm happy to oblige.
You sigh too quickly. The CDs said "Sony BMG." The merger with BMG was in March of 2004 and the rootkit was in 2005. The reason you associate it with Sony corporate and not Bertelsmann (of Bertelsmann Music Group) is because reporters are lazy and shorten the name of the company to just Sony. Maybe Germans were boycotting magazines because that was the part of the name familiar to them. I don't recall that.
Its fair for you to say you're not interested. However, if you're going to try to boycott a company to punish them for their behavior, being aware of exactly who is responsible is a good place to start.
Bertelsmann was just as aggressive with music protection. They had to issue replacement CDs that had anti-rip software to annoyed customers in 2001 for instance. The executive in charge at the time of the fiasco came over to Sony BMG from Bertelsmann.
I worked closely with some of the people involved in it at Sony BMG. One lesson I took away from it all was that even though it was a 50-50 merger, Sony had way more name recognition and therefore more on the line. As you said, they benefit from the goodwill disproportionately and they also took the brunt of the PR damage.
Nothing much. In his defense, he's also been in charge as the industry has moved away from DRM. The music labels view computer technology as just a hammer in the toolbox. If they have a better option, they go to that.
every act of incompetence under the Sony name tarnishes that name, and in the marketplace, that's ultimately all that matters
As it should. When these companies merge, buy other companies out, or execute reverse takeovers, there's always talk of "brand synergies" and all of the business advantages of having one set of products associated with another. There's absolutely no reason why that particular sword shouldn't have two edges to it.
I think it's been proven that you can do just about anything in the US and get away with it because the consumers/populace are too placid to do anything about it ... except a BJ from a jewish girl that will get you in serious trouble.
This is one of the reasons its a shame you need to buy a console to play exclusive titles. I was going to buy a ps3, but am hesitant now. A security breach like this is really unacceptable from anyone, under any circumstance. I'll need to be careful about disclosing any of my data if I do get a ps3.
I would expect Sony to be bought out and split up and sold off in the next few years. They have been in trouble for a while now.
A number of PE firms have been looking at doing this deal with Apple mentioned as a potential purchaser of the fabs, chips and personal computing divisions
Happens to lots of organisations. Look at the Catholic Church. They are pretty big, still popular and have had their share of 'incidents' (to put it very mildly) recently.
If someone has had their data stolen, are there any steps that they can take to ensure that they are not fleeced or does this mean that it's only a matter of time (or perhaps luck)?
They're down about 10% relative to the rest of the market since the PSN outage, and pretty significantly in after hours trading (stock market closed about 25 minutes ago, news broke a few minutes ago).
How could they have gained access to passwords? Do they mean, rather, gained access to your secure password hash, or did they simply store passwords in an unencrypted format? Being a member of PSN, this has me concerned. I'm making it a point to change all of my security questions and passwords all throughout all websites I use.
There were sixty million[0] PSN accounts. This is impressive, and amounts to (judging by a quick search) the largest-scale ID (and possibly credit-card) theft ever [Not so, see child comment]. Not even factoring in credit card details, the usernames, emails, addresses, ages, passwords, mother's maiden names, favourite pets, of sixty million people is worth a hell of a lot.
I have to wonder how much data that is, in terms of storage. How could you even take that without someone noticing?
Hats off to whoever it was. Now, I'm off to change my passwords. Thank Christ I had the sense not to use a credit card to buy from PSN.
[edit] On a related note, paypal refuses to let my change my password to something longer than 20 characters - or have spaces in my password. Why is this the case? Surely the only thing that an upper limit on the length of a password does is help the attacker.
Fact is people put most of that other information on Facebook anyway, so for 500 million people, you can quite easily find someone's age, birthday, pets, and much more just from their FB account.
While I detest PayPal, and it makes me livid that any company places upper-bound (and/or character) restrictions on passwords, I did want to mention that Yubico provides a two-factor authentication key which works with PayPal: http://yubico.com/VIP
I don't have any stake in either company, but I was glad when Google rolled out 2-factor and I am especially glad to be able to finally use 2-factor for safeguarding my money.
I haven't really been following this but there have been rumblings all week that a hacked firmware was released that allowed anyone who installed it, and twiddled with some other things, access to the PSN development and testing network. Anyone know more?
I personally don't know any more, but this might be a good starting point if you're interested: http://news.ycombinator.com/item?id=2482679 is a link to a post on reddit from a moderator of a forum that deals in ps3 modding. He outlines the situation, and his forum probably has some more information.
This seems like a really big argument for never allowing your data to be stored by a 3rd party.
Does anyone see any reason why these companies should do anything other than store the data locally on your system, encrypted/obfuscated, and then only ever send once, via encrypted connection, and then immediately delete the info remotely?
I mean, if someone breaks in to my house and steals my PS3, they already have access to all of that information.
Much of ecommerce would go down the drain, if they got rid of remote storage of your details. No recurring billing, no "One-Click", no address books, etc...
It should at least be an option for me not to store it, if I prefer not to use "one-click" and similar features. I understand why stores prefer to save the information without giving me a choice (reduces friction for future purchases), but I'm not sure that's a good enough reason given the prevailing security track records.
Either that, or perhaps there could be statutory penalties for data breaches. For example, if there was mandatory compensation of, say, $100/person for a data breach, companies might be incentivized to better think about whether they really need to store this data, and whether they're storing it safely.
Online retailers who handle their own CC processing tend to keep credit card information around if only for fraud/chargeback tracking in the future - being online opens you up to massive abuse if you don't keep it in check.
A big player like sony should have been complying with PCI standards - but from what I've seen, that's not so difficult to pass and then forget about - people take shortcuts - and how many companies out there have ever had their processing revoked for NOT complying with PCI? That would be an interesting statistic.
From my experience, PCI compliance does not require that you have everything perfect, as long as you have a plan to fix your deficiencies.
And as an employee at a couple of PCI compliant shops, I can attest that even full PCI compliance still leaves a lot of holes (enough that some organizations have formed their own compliance exams above and beyond PCI).
Expound upon this, remembering the common audience that want things fast and easy and from anywhere (iPhone, Android, mac, windows, some computer at the library), I'd be curious to know it.
The entire security model for consoles has always relied on trusting the client. It has never worked, and yet they keep doing it time and time again. It doesn't surprise me a bit that they did their network the same exact way.
I understand, but this isn't the same case. I mean, a PS3 owner can already enter false data in to all these fields. So what is there to trust that's any more or less trustworthy than that?
Really we're talking about the equivalent of automatic field filling, and the entire internet functions on that (at least in my browser).
I'm disappointed but not surprised. When I had to change my password a few months ago on the Sony developer's network site I was told that my new password was too similar to the last ones. I was wondering how they knew that, aside from storing the passwords in plain-text, something I'd assume they'd be too smart to do.
That's not practical. Password hashes should be slow, to stop dictionary attacks; and it's easy to imagine a couple thousand "similar" passwords (flip case of some characters? 256 possibilities for an 8-character password. Add year of birth? 20-50 possibilities. And so on.)
Presumably the ratio between the rate of normal logins (each of which requires a single execution of the password hash) and the rate of password changes is at least a few thousand.
Sure, but if you run through a few thousand hashes to check for similarity, an attacker can check for the couple thousand most popular passwords in the same amount of time. It is possible to throw enough money at it to make an attack uneconomical, but that's expensive.
(Also, DoS. Note that you can't stop people from changing passwords when the system is under load, as that sets you up for a combined compromise-password-hashes-then-DoS attack...)
They say passwords were stolen. This must mean they are not properly hashing passwords with salts stored outside of the database.
How many times does this have to happen before people realize that passwords are never to be stored in plaintext? The only exception is a client-side program that needs to log you in and in an ideal world that would be handled by a Kerberos-like ticket system.
They say passwords were stolen. This must mean they are not properly hashing passwords with salts stored outside of the database.
It could also mean that the attacker was in a position to observe the plaintext supplied by the user after it was decrypted (from SSL) but before it was authenticated (with a password hash algorithm).
Or it could be that they're just not being too particular about the details, on the side of being overly conservative.
Wow this sounds really really bad. As much as I dislike sony's actions in the Geohot case, and as much as "this is what you get for failing at security", I feel pretty bad for them right now (and even worse for all of their customers)
>To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
>We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name.
This is unreal. What bothers me the most, is that when this happened to me one time before, that particular company paid for a year of credit monitoring services.
In this case, Sony is too cheap to do even that, pointing you towards where you could download your credit report online. Ridiculous.
Lifelock is a scam that you are better off without anyway, but yeah, they definitely should provide some compensation. Unlikely though. They would rather sue people that want to run linux.
While I don't know the details of how this happened, it's a sure fire bet that they were not doing something right when it came to securing their infrastructure. How many times have we heard of big name companies running un-patched operating systems and SQL databases or even weak passwords? From the consumer end, this really sucks. Especially if their personal data was compromised.
Does anyone else find it odd that they "strongly recommend that you log on and change your password" instead of just force-resetting everyone's password and sending them an email with an activation link? Out of 60M subscribers, I'm certain that a large proportion will never see this message.
Agreed, not only that but you can't even login right now, so in another week all 60M users are supposed to remember to go and futz around with the PS3's clunky account UI to change their password?
Personally, I have a couple passwords in use for low-risk services (like PSN) and just went and changed all my other passwords :)
291 comments
[ 2.5 ms ] story [ 336 ms ] threadThis is a big F'N deal and I wouldn't be surprised if it cost Sony more than Microsoft's infamous 1 billion dollar write-down with the Xbox 360's Red Ring of Death.
I don't think this will kill PSN or the PS3, but it's going to significantly dent things. I'm curious to see how much media attention this gets and if we'll see a macro shift towards the Xbox 360 and Wii.
If I was Nintendo and particularly evil I would leverage this opportunity to tout the new system and emphasize the cutting-edge online modes with rock solid security. And MS can also talk about their great track record in the online world.
Nope, companies usually don't leave any chance to point to the competition's faults and laugh, even if they themselves are worse in that regard.
Banks, colleges, hospitals, and credit card processors do this all the time, and it doesn't cost them anywhere near a billion dollars despite the fact that they have vastly more personal information. Sure they usually only have a few hundred thousand records and not a few million, but even still the idea that this is going to cost them a billion dollars is absurd.
The direct damage from this won't be $1B (still tens of millions at least). But what about the impact of the lost sales and customers from the loss in credibility and trust? That is what could be huge.
It was relatively "easy" for Microsoft to replace broken hardware. How easy and how much is it going to cost Sony to replace broken trust?
Agreed. Microsoft only wrote down the $1B as an expected total cost of fixing broken Xboxes. Who knows how much money they lost?
First, most of the time when we're talking about business and we talk about costs we're clearly talking about accounting costs. This applies to startups, too. When you're talking about accounting costs, you don't get to include economic costs (e.g., opportunity cost.)
Second, isn't trying to include these extra "costs" due to lost sales the same thing that the music industry is doing? That is, claiming that they lost trillions of dollars due to file sharing from, you got it, "lost sales." [1]
I don't think there's any real way to measure these costs, so let's stop trying.
[1] http://www.p2pon.com/2011/03/25/greed-hits-climax-music-indu...
People are asked to put value on intangibles all the time. You might want to write them all down to zero, but the rest of us value Wordsworth more than the dead trees his words are printed on.
Ex. If I make $2000 a week as a contractor on a steady contract, I know that the opportunity cost of taking a week of unpaid vacation time is $2000. That's a reasonable, measurable assumption.
However, I could also say that the opportunity cost of that week of vacation will be $12000, because there might be a one-week rush project that will come in that I can bill for $10000 in addition to my normal steady contract. Assuming there's not a pattern of that happening in the past, it's not a reasonable assumption and thus measurable in that way.
I'd say this second scenario is akin to the record companies assuming that every instance of piracy is also an instance of lost sales.
Goodwill can be measured in the sense that goodwill = purchase price - book value. No assumptions are involved in its calculations--goodwill is calculated based on two fixed values.
Opportunity costs are not as concrete. In your example above you state your opportunity cost is $2000...but what if that rush project comes through? What if your steady contract scales back for that week? There are assumptions involved; ideally your opportunity cost would be the expected value of all probable incomes during that week. Identifying those probabilities a priori is impossible.
My point is: opportunity costs are based on assumptions. They cannot be measured--only estimated.
My point was that Microsoft probably had some revenue trajectory with slope X before the write-down, and experienced a new revenue trajectory with slope Y < X after the write-down. I'm curious about the area between the two lines.
My PS3 has three PSN accounts on it, do three or four of my friends'. Everybody I know who has a 360 shares one Live account across everybody who uses the console.
If T.J. Maxx can get away with it, Sony can too.
http://www.reddit.com/comments/gx6o4/im_a_moderator_over_at_...
But don't hold that against me. :-)
I clicked around a bit in the linked psx-scene forums and it looked like there was a decent basis for it.
Time to get a new identity! =)
There will already be a lawsuit of some sort. Imagine how bad it would be for them if they hadn't shut it down.
That's what I was thinking: in most cases of user accounts being compromised, the solution is "change your passwords on this and other sites". Here you need to change your birthday, cancel your credit card, move out, change your name… kind of a hassle.
http://www.fakenamegenerator.com/
Sounds like they added "example.com" into the list by mistake... It has no MX from what I can tell.
And, you know, your mom probably won't be too happy when you pop out of your time machine, a week before your birth, and tell her she needs to induce labor.
http://anonnews.org/?p=press&a=item&i=848
"We realize that targeting the PSN is not a good idea. We have therefore temporarily suspended our action, until a method is found that will not severely impact Sony customers." -- Anonymous
Then they went on to say something about how Anonymous is a diverse group and they can't control everyone, blah blah blah.
a moot point? moot? really? i like your choice of words. Heh.
In fact, I'd be peeing my pants if I saw that in the SQL-dump I just downloaded through a couple of proxies.
Sony did piss off a lot of hackers, though, so maybe they had it coming...
The problem you run into is that communicating both the nature of the breach and convincing people to respond accordingly is incredibly hard.
This will continue to happen across many sites. I think after enough of these breaches, though, people will start to think about the protection of their online identities a lot differently, which is good, albeit at a painful cost.
[1] https://github.com/zdia/gorilla/wiki/
There's an app called Strip that looks pretty good. I'm listening to other suggestions.
I'm curious if this means they store everyone's password in plain-text, or if by "password" they really mean a hash of some sort.
Unlike passwords, the encryption for the cc#s has to be reversible. That's part of the reason why they introduced CVCs, right?
While only marginally better depending on the type of attack and permissions gained by the attacker, if all they got was static data on disk, then it would be secure.
Something as big as PSN has multiple servers reading the same DB and must be able to tolerate failures without forcing everyone to re-enter their CC #. The keys must be stored persistently somewhere.
Whenever the server needs to be started, two of those people must enter their key shares. That enables the server to reconstruct the key, which is then stored in memory.
Simplifying just a bit -- The one time you pass the # along to the bank, they give you back a transaction ID you can use to do future things with that card. The bank knows the number, looks it up by that ID.
And I have better password practices than most. Credit cards might be an immediate thought, but how many other physical and intangible assets does your password give a hacker access to?
[0] http://arstechnica.com/gaming/news/2011/02/report-psn-hacked...
The numbers probably also cross the wire in plain text between the web server and the database too.
Why on earth would you ever do that?
Passwords should always be salted and hashed.
Credit card info should always be HSM-protected so that it is irretrievable except through a hardware API.
What was Sony thinking!?
How could you suggest such a thing?! That would have cost Sony thousands of dollars extra!
I am not a big fan of MSFT usually, but the next time I am buying a console I'm not buying a PS4.
(I'm not taking any chances, either way)
This whole thing seems like a great example of incompetence.
While this is a bad security breach, if you follow security news at all you'd know computer security is a joke. The Rustock botnet operated for FIVE years with impunity on as many as 2.4 million rooted machines. People didn't even know they were owned; their computers worked perfectly fine like nothing was wrong. Every system at pwn2own gets owned in seconds and you can bet the black hats were there first. Everyone gets compromised. The only thing stopping a crippling cyber attack is whether someone feels it is beneficial to do so.
I do not especially fault Sony for this. Google gets hacked. Microsoft gets hacked. The NSA gets hacked. The DoD gets hacked. JP Morgan Chase gets hacked. Just add another multi-national to the list. It's a systemic problem that nobody really cares enough about nor can we do much about it if we did care.
EDIT: Just to give you another idea of how screwed we are from a security perspective. To paraphrase George Carlin[1], some programmers are really stupid. Did you ever notice how much stupid software you see? Think of how stupid the average programmer is, and realize half the programmers are stupider than that. And that bottom half? They probably work in IT, managing over engineered address books and accounting ledgers of the world while smarter people worry about cooler problems.
[1] http://www.youtube.com/watch?v=8rh6qqsmxNs
It's one thing to be attacked by determined people and fail eventually -- given enough time, everyone does -- but it's a completely different matter to give the keys to the castle to anyone with a rooted PS3.
Especially considering the sentences immediately after the "there is no evidence..." statement, I'd be wary. I might just be jaded and they're really just trying to be forthcoming and helpful, but all that CYA-type-speak after that line makes me at least a little bit dubious that they're revealing all the details just yet.
Buy a Nintendo next time...
The parent is true, there are a lot more attacks than you hear about. Sony only loses here, they lie and under play it they look bad, they over play the concerns and they look bad, they tell the world too soon they look bad, they take their time and they look bad. It's just all around shitty. What's the reasonable way for them to report this or should they just lie like a lot of other companies?
Their business concerns are merely for their own good to try to protect their brand, not to actually benefit their customers. They will spend more on just PR, never mind making good any actual losses, than on just doing it right in the first place. At this point, they deserve to look shitty, because they were shitty. In the case of lying about it, that should be a serious corporate crime (and I think this sort of disclosure is required in most jurisdictions.)
More generally, why do businesses pay almost anything to protect their good names, but only after they themselves have let their reputation fall into the deep shit? Look at how much BP must have spent over the deepwater horizon spill, compared to how much it would have cost to maintain their equipment. Never mind the banking crisis. An ounce of rational prevention is worth a tonne of PR fire-fighting — why do companies struggle so much with mitigating downside risk?
It could be said that that's what they're doing.
They're saying more than they have to.
Sony's size and momentum must be pretty crazy. Or maybe it's our society. I just can't imagine a small record store in the 1960s, after being caught spying through the bedroom windows of its customers, ever staying in business.
I feel terrible for anyone caught in this. But maybe, just maybe, Sony isn't the company to do business with anymore?
Kids don't give a shit. Privacy is crap, they got their penis pictures on facebook. They want their fucking video games.
People playing games all day don't give a shit. They want their fucking games, stfu privacy and get moar kof33 and fucking get this shit online.
People with money to lose care. They care that their information is stolen because that could lead to their money being stolen.
People who know the value of information care. Thats few people though, since facebook exists.
In the end of the day people are willing to talk shit, when it comes to action that is a different story. How many people were so against EA's rootkits, but how many actually boycotted? Same with Apple? And now its same with Sony. Nobody will do anything. Nobody will boycott, the company will just shrug this off as an "opse".
Let's be all elitist and imply "kids" don't know the value of information, whatever that may be. More like they know the information PSN had on them didn't matter (some nickname and email). And yeah, they want they games online, that's why they paid for a PS3 and multiplayer videogames after all. And Sony promised online multiplay.
That's a badly made chain of arguments.
In this case, though, there are indications that financial data was disclosed. PSN (just like Steam and XBox Live) collects financial data to allow for online game purchases. Disclosure of that information is quite a serious matter. Yeah, the "kids" playing might not care about their PSN account, but the parents who enter credit card information to buy their kids games sure will.
A poorly made argument does not automatically render the conclusion false.
It sucks I have to chose between playing such awesome games and keeping my privacy and financial information safe.
PS3 is the last Sony product I'll ever buy.
/applauds
Sony isn't a small record store.
Of course, every act of incompetence under the Sony name tarnishes that name, and in the marketplace, that's ultimately all that matters.
As a consumer, I'm not the least bit interested in a detailed breakdown of the corporate structure. Sony pays brand managers very well to encourage me to think of it as a single monolithic company, and I'm happy to oblige.
Its fair for you to say you're not interested. However, if you're going to try to boycott a company to punish them for their behavior, being aware of exactly who is responsible is a good place to start.
Bertelsmann was just as aggressive with music protection. They had to issue replacement CDs that had anti-rip software to annoyed customers in 2001 for instance. The executive in charge at the time of the fiasco came over to Sony BMG from Bertelsmann.
I worked closely with some of the people involved in it at Sony BMG. One lesson I took away from it all was that even though it was a 50-50 merger, Sony had way more name recognition and therefore more on the line. As you said, they benefit from the goodwill disproportionately and they also took the brunt of the PR damage.
What actually happened to him? I don't think I ever heard.
http://www.npr.org/templates/story/story.php?storyId=4989260 (even here when they were interviewing him, the headline is just "Sony" but throughout it is "Sony BMG") http://en.wikipedia.org/wiki/Thomas_Hesse (last few paragraphs)
As it should. When these companies merge, buy other companies out, or execute reverse takeovers, there's always talk of "brand synergies" and all of the business advantages of having one set of products associated with another. There's absolutely no reason why that particular sword shouldn't have two edges to it.
A number of PE firms have been looking at doing this deal with Apple mentioned as a potential purchaser of the fabs, chips and personal computing divisions
http://www.thestreet.com/story/11093134/1/sony-corporation-s...
Of course those security questions are nearly useless anyway.
I have to wonder how much data that is, in terms of storage. How could you even take that without someone noticing?
Hats off to whoever it was. Now, I'm off to change my passwords. Thank Christ I had the sense not to use a credit card to buy from PSN.
[0] http://www.derangedshaman.com/2011/01/06/sonys-60-million-ps...
[edit] On a related note, paypal refuses to let my change my password to something longer than 20 characters - or have spaces in my password. Why is this the case? Surely the only thing that an upper limit on the length of a password does is help the attacker.
http://datalossdb.org/
Not to lessen the extent of this, but it's not nearly the biggest dataloss incident ever.
http://www.msnbc.msn.com/id/17853440/
Fact is people put most of that other information on Facebook anyway, so for 500 million people, you can quite easily find someone's age, birthday, pets, and much more just from their FB account.
I don't have any stake in either company, but I was glad when Google rolled out 2-factor and I am especially glad to be able to finally use 2-factor for safeguarding my money.
It's like you're actively trying to make me never trust you again.
I am not making this up.
https://blog.torproject.org/blog/detecting-certificate-autho...
Does anyone see any reason why these companies should do anything other than store the data locally on your system, encrypted/obfuscated, and then only ever send once, via encrypted connection, and then immediately delete the info remotely?
I mean, if someone breaks in to my house and steals my PS3, they already have access to all of that information.
iTunes comes to mind:
http://isc.sans.edu/diary.html?storyid=9136
http://news.ycombinator.com/item?id=1488956
http://news.ycombinator.com/item?id=948757
Either that, or perhaps there could be statutory penalties for data breaches. For example, if there was mandatory compensation of, say, $100/person for a data breach, companies might be incentivized to better think about whether they really need to store this data, and whether they're storing it safely.
A big player like sony should have been complying with PCI standards - but from what I've seen, that's not so difficult to pass and then forget about - people take shortcuts - and how many companies out there have ever had their processing revoked for NOT complying with PCI? That would be an interesting statistic.
And as an employee at a couple of PCI compliant shops, I can attest that even full PCI compliance still leaves a lot of holes (enough that some organizations have formed their own compliance exams above and beyond PCI).
And, ironically, something which I think Sony forgot here. :)
Really we're talking about the equivalent of automatic field filling, and the entire internet functions on that (at least in my browser).
We kept the family PS3 patched-up in good faith. Is there now a reasonable way for me to install Linux?
Seriously, the kids are probably moving to Xbox and I have some supercomputing I'd like to do.
I guess I gave them too much credit.
(Also, DoS. Note that you can't stop people from changing passwords when the system is under load, as that sets you up for a combined compromise-password-hashes-then-DoS attack...)
How many times does this have to happen before people realize that passwords are never to be stored in plaintext? The only exception is a client-side program that needs to log you in and in an ideal world that would be handled by a Kerberos-like ticket system.
It could also mean that the attacker was in a position to observe the plaintext supplied by the user after it was decrypted (from SSL) but before it was authenticated (with a password hash algorithm).
Or it could be that they're just not being too particular about the details, on the side of being overly conservative.
>To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
>We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name.
I see neither disclosure happening any time soon.
I hate sony, but I still feel bad for them.
In this case, Sony is too cheap to do even that, pointing you towards where you could download your credit report online. Ridiculous.
Personally, I have a couple passwords in use for low-risk services (like PSN) and just went and changed all my other passwords :)