Sony Sued for PSN Security Breach

MelodieOctavia

Bladexdsl said:
sony is bribing the fucking courts there's no doubt about it now!

Either way, they are shooting themselves and everyone that comes after them in the foot. If class action lawsuits are a thing of the past, Big Money Corporations may have no legal recourse against piracy at all, unless they drag everyone out as individuals.
 

godreborn

regardless of the inevitable outcome. sony has permanently destroyed the playstation brand as well as their reputation. it's unlikely there will be another iteration of the console.
 

ShadowSoldier

Seeing as how this lawsuit was filed BEFORE that voting thing went into effect, will the lawsuit be affected, or does it get immunity from it in this case?
 

FireGrey

I want sony to win :(
 

MelodieOctavia

This kind of shit makes me wonder if legal precedent is absolutely legally enforceable, or can a case break precedent...

FireGrey said:
I want sony to win :(


Look, at this point...no one wins. Sony was a sore loser and took the entire legal system down with it.
 

twiztidsinz

TwinRetro said:
This kind of shit makes me wonder if legal precedent is absolutely legally enforceable, or can a case break precedent...

Yes, there are some matters that have precedent for both sides of an issue.


QUOTE(TwinRetro @ Apr 28 2011, 03:22 AM) Look, at this point...no one wins. Sony was a sore loser and took the entire legal system down with it.
Actually the Class Action Block was from AT&T I think... It's just Sony will be able to hugely benefit from it.
 

FAST6191

sinharvest24 said:
People who say Sony's security sucked, needs to gtfo. How do you know Sony security sucked and besides no one knows what level of hackers or how long it took for them to hack into Sony. What i don't get is what the hackers intend to get out of this. They're making 50M+ people very unhappy and some less-notified people angry at Sony for something Sony didn't intended. I've read all over on gaming sites that a lot of Ps3 users are selling their systems and picking up 360/Wii. This will leave a great scar on Sony's gaming career, if not the end of it.

I agree some of it is inferred from the PS3 (which on closer examination did not hold up- see the conference video, http://www.youtube.com/watch?v=5E0DkoQjCmI - not only the key stuff but their poor hypervisor and hard drive stuff) but that does include their network code:
Client side verification of console. Bad
Done by static remote plain text file- (see DNS workaround)- that is beyond amateur hour.
Later bypassed by minor checks client side again- equally silly but not as bad.

Just to say I did: to do this properly you verify server side with code level challenges and introduce certificates and even methods/challenges that were not in older versions.

Developer network as effectively trusted network (seemingly minimal/no authentication*)- you lock down your SDK for a reason and then you do this- go people

*it got deployed as a wide scale hack- no limits it seems. Personally I would check IP ranges (not so good for some but still a worthy test), mac addresses (spoofable I know but collisions are another thing entirely), maybe have a user network side client involved (send a little box to your clients that can sit on a network and respond to challenges and mention nothing of it on the PS3 side of things) or at least an authentication token (I know they have been dragged through the mud lately but those little RSA tokens do wonders). None of that is all that complex, all that troublesome for client or Sony or even unknown procedure. Granted we have access to some flavours of dev kit so that changes a few things but you can still do things there like have different keys, authentication paths and other such things.
This is to say nothing of allowing "purchases" via this developer network.

I agree it possibly does not all fall on Sony (although it could depending on how far you want to push the hypervisor concept) but if you have a black box system, especially one that interacts with your private network, some continuous code verification would be nice. See stuff like the online (game) hacking work that went on after the initial hacks- it should not have been that easy. Even the GBA has appreciable measures against things like this (see any modern cheating guide that deals with anything beyond the basics).

This I do not feel quite as confident about as I do not know the specifics of the Sony side stuff (hopefully it will all come out in the wash) but traditionally when one has a worldwide network one compartmentalises such things- by region (especially useful when you are dealing with financial laws that vary by region), maybe keep such data as a remote/call up stuff- they might have but properly implemented one should not be able to get what has been said to be a complete dump (X million requests for new/effectively all data- alarm bells should be ringing if not automatically restricting flow). Granted if it comes out that a public facing machine was compromised and used to chain an attack (maybe with a few 0 days although there is much to be said for heuristics and related technologies) I might be more charitable (not much though).

However I do have those hacker logs and assuming they are usable in this conversation ( http://dpaste.com/536140/plain/ in case you do not want to scroll back a few pages) they paint a very different picture.

It might not be so applicable here but

QUOTE said:
aswell you should never ever install a CFW from someone unknown
cuz its way too easy todo scamming at this point
for example:
creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
sent as plaintext
uh
did you censor that card?
ya its fake
good
wow, plaintext :S
plaintext wow
im never putting in my details like that
ya is all fake lol
i never used cc on ps3
normally you ATLEAST enccrypt the securtity code, even if its ssl
id hope sony would do such in a safe manner

That is very bad and as others mentioned probably a breach of data protection and credit card number options not to mention somewhat unrelated to this matter (this seems to be a server thing rather than a direct attack against PS3 owners) although I do imagine the credit card companies will be having serious words with Sony but what is possibly worse

QUOTE
I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
its not old version, they just didnt update the banner
I consider apache 2.2.15 old
which server
it also has known vulnerabilities
auth.np.ac.playstation.net
ya the displayed version u see via banner is not the real version
unless they updated it in the last couple weeks
I doubt that since its not trivial to change that
its a bit more invasive than just setting it to Prod like they do on their other servers
you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
its just backported security patches
i did remove all my info after downloading the games though
that is just psn not the store
they are running linux 2.6.9-2.6.24 on that box too
that too is old
lol @ buying on store
yes, but their general attitude towards security just seems...ugh
sony wont misuse the info i bet xD
but just prevent using cfw's of unknown ppl

Version info is not advised but if it is true then as they say it is an old version with known security holes that is worse.

All this and more paints a very very bad picture of Sony security in general and casts very serious doubt over their network security practices. Saying it sucked might be jumping the gun a bit but I would not call it unfounded.

"What i don't get is what the hackers intend to get out of this."
Guessing motives is a tricky game- it might be some level of activism but equally that many cards and that much info can be used to generate a sizeable chunk of change- carding is a tricky game and there are all sorts of ways to make money from it.
The raw data is not something all that useful (you might be able to use it but done wrongly (all too easy to do) you will find yourself in bracelets or worse very very quickly- I imagine this has already attracted the attention of spooks of various flavours as laundering is a possibility with this as is straight up economy implications) but packaged* and sold on to others that do have the infrastructure (and later kids who think having card details is useful) you get more useful things.

*one can not assume any one card is viable- there will however probably be a return rate (which varies with time from incident) at which point we actually start looking at more traditional investment finance models. Similarly it is still worth it to compromise a few thousand details- a few million is certainly worth it.

On top of this if it does have address data as well that is useful to other people too.

I am however not that much more knowledgeable on such matters and I am not really inclined to carry on providing a 101 on the subject so I will stop after saying suffice it to say there are serious financial implications for this for the holders of this data- a nice bump for the bottom line on matters of organised crime or more than enough to see the would be hackers made for life for what amounts to a few months work.
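Added example (not part of the original post or of any Sony code): a minimal sketch of the server-side challenge/response verification the post above recommends, next to the client-trusting check it criticises. The device ID, key, version string, and all function and class names are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-device secret for illustration; a real service would hold
# this in an HSM or replace it with a per-device certificate.
DEVICE_KEYS = {"console-001": bytes.fromhex("00112233445566778899aabbccddeeff")}
MIN_PROTOCOL = 2      # challenge method that older clients cannot answer
CHALLENGE_TTL = 30    # seconds a nonce stays valid


def naive_check(reported_version: str, required: str = "FW-CURRENT") -> bool:
    """Client-trusting check: accepts whatever string the client sends."""
    return reported_version == required


def respond(key: bytes, nonce: bytes, protocol: int) -> bytes:
    """What a genuine client computes: a MAC bound to nonce and protocol."""
    msg = protocol.to_bytes(2, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Server-side verifier: the accept/reject decision never leaves the server."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # nonce -> (device_id, expiry time)

    def issue(self, device_id: str) -> bytes:
        """Hand out a fresh random challenge tied to one device."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (device_id, self._now() + CHALLENGE_TTL)
        return nonce

    def verify(self, device_id: str, nonce: bytes, protocol: int, tag: bytes) -> bool:
        # Pop first so a nonce is single-use even when verification fails.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        owner, expiry = entry
        key = DEVICE_KEYS.get(device_id)
        if key is None or owner != device_id or self._now() > expiry:
            return False
        if protocol < MIN_PROTOCOL:
            return False  # refuse answers from the superseded challenge method
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(respond(key, nonce, protocol), tag)
```

The naive check passes for any client that sends the expected string, while the verifier rejects replayed nonces, expired challenges, wrong keys and answers from the older protocol version.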
 

cwstjdenobs

Just really can't see this costing $24 billion. Sony are only worth $29 billion and most of that is made outside of gaming so how could the gaming side incur losses that are almost as large as the entire company?

And bloody hell, Sony must pump a lot of money into the US's politicians and judges.
 

Nollog

sinharvest24 said:
People who say Sony's security sucked, needs to gtfo. How do you know Sony security sucked and besides no one knows what level of hackers or how long it took for them to hack into Sony. What i don't get is what the hackers intend to get out of this. They're making 50M+ people very unhappy and some less-notified people angry at Sony for something Sony didn't intended. I've read all over on gaming sites that a lot of Ps3 users are selling their systems and picking up 360/Wii. This will leave a great scar on Sony's gaming career, if not the end of it.
THEY SEND YOUR LOGIN DETAILS TO PSN IN PLAINTEXT.
THEY SEND YOUR CREDIT CARD DETAILS OVER THE INTERNET IN PLAINTEXT.
THEY SEND YOUR CHOICE OF GAMES IN PLAINTEXT OVER THE INTERNET.

YOU NEED TO ENCRYPT THIS SHIT.
No hacking required, all you would need to do is connect to a PSN server with something you can work with(the only difficult part - Not Hacking!), listen to data coming in, dump it to a text file and have everyone's details.
 

OmegaVesko

Nollog said:
sinharvest24 said:
People who say Sony's security sucked, needs to gtfo. How do you know Sony security sucked and besides no one knows what level of hackers or how long it took for them to hack into Sony. What i don't get is what the hackers intend to get out of this. They're making 50M+ people very unhappy and some less-notified people angry at Sony for something Sony didn't intended. I've read all over on gaming sites that a lot of Ps3 users are selling their systems and picking up 360/Wii. This will leave a great scar on Sony's gaming career, if not the end of it.
THEY SEND YOUR LOGIN DETAILS TO PSN IN PLAINTEXT.
THEY SEND YOUR CREDIT CARD DETAILS OVER THE INTERNET IN PLAINTEXT.
THEY SEND YOUR CHOICE OF GAMES IN PLAINTEXT OVER THE INTERNET.

YOU NEED TO ENCRYPT THIS SHIT.
No hacking required, all you would need to do is connect to a PSN server with something you can work with(the only difficult part - Not Hacking!), listen to data coming in, dump it to a text file and have everyone's details.

+1 my friend.
 

Joe88

why does it matter how it's sent?

the database (where everything was stored) was breached and raided so how it's transmitted wouldn't matter in this case
 

GameGeek

omgpwn666 said:
shinkukage09 said:
Also, was the rumor that everyone's stuff was just on unencrypted, plaintext files? IF it's true, then guess what, it's a fact that their security sucked.

No one knows what kind of security they have except for Sony and the hackers. So far the people saying they suck are using speculation.

If the hacker got access to the users' data, then it IS Sony's fault. Anyone who knows a thing about encryption will tell you that if Sony had used a decent encryption format and a secure enough key, it would have taken the hackers thousands of years to decrypt the data. The fact that the Wii has been out for almost half a decade and hackers have yet to find Nintendo's private key used for the Wii yet the hackers get the PS3 users' data as soon as Sony gets hacked shows how poor Sony's security was.

QUOTE(Joe88 @ Apr 28 2011, 10:20 AM)
why does it matter how it's sent?

the database (where everything was stored) was breached and raided so how it's transmitted wouldn't matter in this case
If the data is properly encrypted, the hacker wouldn't (or didn't) have had access to the users' data.
 

azariaspice

Seriously, this is bullshit. It's not like it's their fault. I'm siding with Sony on this. It's not hard to change your credit card information (has anyone ACTUALLY had their card stolen?) and most supposedly "personal" information is pretty easy to find anyways. There's actually a website where you can track where a person has lived, how long, and if they have any criminal records. Your name, address, and all that isn't exactly a private thing anymore.
 

GameGeek

azariaspice said:
Seriously, this is bullshit. It's not like it's their fault. I'm siding with Sony on this. It's not hard to change your credit card information (has anyone ACTUALLY had their card stolen?) and most supposedly "personal" information is pretty easy to find anyways. There's actually a website where you can track where a person has lived, how long, and if they have any criminal records. Your name, address, and all that isn't exactly a private thing anymore.
I seriously hope this is a troll post.
 

Nollog

Joe88 said:
why does it matter how it's sent?

the database (where everything was stored) was breached and raided so how it's transmitted wouldn't matter in this case
Have Sony said this?
I thought all they said was that users' details were at risk from a haxor.
The brat who was ddosing PSN could have left a message saying "lern2encrypt" or something, and Sony could be all "oh no!".
 

MelodieOctavia

azariaspice said:
Seriously, this is bullshit. It's not like it's their fault. I'm siding with Sony on this. It's not hard to change your credit card information (has anyone ACTUALLY had their card stolen?) and most supposedly "personal" information is pretty easy to find anyways. There's actually a website where you can track where a person has lived, how long, and if they have any criminal records. Your name, address, and all that isn't exactly a private thing anymore.

Are you mentally challenged?
 

Nollog

TwinRetro said:
azariaspice said:
Seriously, this is bullshit. It's not like it's their fault. I'm siding with Sony on this. It's not hard to change your credit card information (has anyone ACTUALLY had their card stolen?) and most supposedly "personal" information is pretty easy to find anyways. There's actually a website where you can track where a person has lived, how long, and if they have any criminal records. Your name, address, and all that isn't exactly a private thing anymore.

Are you mentally challenged?
You call visa or mastercard, inform them it's been stolen, they issue you a new card.
It is easy, just effort.
 

Wizerzak

Nollog said:
TwinRetro said:
azariaspice said:
Seriously, this is bullshit. It's not like it's their fault. I'm siding with Sony on this. It's not hard to change your credit card information (has anyone ACTUALLY had their card stolen?) and most supposedly "personal" information is pretty easy to find anyways. There's actually a website where you can track where a person has lived, how long, and if they have any criminal records. Your name, address, and all that isn't exactly a private thing anymore.

Are you mentally challenged?
You call visa or mastercard, inform them it's been stolen, they issue you a new card.
It is easy, just effort.

Unless the money was already taken in the six days it took for Sony to report this.
 
