People who say Sony's security sucked need to gtfo. How do you know Sony security sucked? And besides, no one knows what level of hackers or how long it took for them to hack into Sony. What I don't get is what the hackers intend to get out of this. They're making 50M+ people very unhappy and some less-notified people angry at Sony for something Sony didn't intend. I've read all over on gaming sites that a lot of PS3 users are selling their systems and picking up 360/Wii. This will leave a great scar on Sony's gaming career, if not the end of it.
I agree some of it is inferred from the PS3 (which on closer examination did not hold up- see the conference video http://www.youtube.com/watch?v=5E0DkoQjCmI - not only the key stuff but their poor hypervisor and hard drive stuff) but that does include their network code
Client side verification of console. Bad
Done by static remote plain text file- (see DNS workaround)- that is beyond amateur hour.
Later bypassed by minor checks client side again- equally silly but not as bad.
Just to say I did: to do this properly you verify server side with code level challenges and introduce certificates and even methods/challenges that were not in older versions.
Developer network as effectively trusted network (seemingly minimal/no authentication*)- you lock down your SDK for a reason and then you do this- go people
*it got deployed as a wide scale hack- no limits it seems. Personally I would check IP ranges (not so good for some but still a worthy test), MAC addresses (spoofable I know but collisions are another thing entirely), maybe have a user network side client involved (send a little box to your clients that can sit on a network and respond to challenges and mention nothing of it on the PS3 side of things) or at least an authentication token (I know they have been dragged through the mud lately but those little RSA tokens do wonders). None of that is all that complex, all that troublesome for client or Sony or even unknown procedure. Granted we have access to some flavours of dev kit so that changes a few things but you can still do things there like have different keys, authentication paths and other such things.
This is to say nothing of allowing "purchases" via this developer network.
I agree it possibly does not all fall on Sony (although it could depending on how far you want to push the hypervisor concept) but if you have a black box system, especially one that interacts with your private network, some continuous code verification would be nice. See stuff like the online (game) hacking work that went on after the initial hacks- it should not have been that easy. Even the GBA has appreciable measures against things like this (see any modern cheating guide that deals with anything beyond the basics).
This I do not feel quite as confident about as I do not know the specifics of the Sony side stuff (hopefully it will all come out in the wash) but traditionally when one has a worldwide network one compartmentalises such things- by region (especially useful when you are dealing with financial laws that vary by region), maybe keep such data as a remote/call up stuff- they might have but properly implemented one should not be able to get what has been said to be a complete dump (X million requests for new/effectively all data- alarm bells should be ringing if not automatically restricting flow). Granted if it comes out that a public facing machine was compromised and used to chain an attack (maybe with a few 0 days although there is much to be said for heuristics and related technologies) I might be more charitable (not much though).
However I do have those hacker logs and assuming they are usable in this conversation ( http://dpaste.com/536140/plain/ in case you do not want to scroll back a few pages) they paint a very different picture.
It might not be so applicable here but
QUOTE said:
as well you should never ever install a CFW from someone unknown
cuz its way too easy to do scamming at this point
for example:
creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
sent as plaintext
uh
did you censor that card?
ya its fake
good
wow, plaintext :S
plaintext wow
im never putting in my details like that
ya is all fake lol
i never used cc on ps3
normally you AT LEAST encrypt the security code, even if its ssl
id hope sony would do such in a safe manner
That is very bad and as others mentioned probably a breach of data protection and credit card number options not to mention somewhat unrelated to this matter (this seems to be a server thing rather than a direct attack against PS3 owners) although I do imagine the credit card companies will be having serious words with Sony but what is possibly worse
QUOTE
I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
its not old version, they just didnt update the banner
I consider apache 2.2.15 old
which server
it also has known vulnerabilities
auth.np.ac.playstation.net
ya the displayed version u see via banner is not the real version
unless they updated it in the last couple weeks
I doubt that since its not trivial to change that
its a bit more invasive than just setting it to Prod like they do on their other servers
you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
its just backported security patches
i did remove all my info after downloading the games though
that is just psn not the store
they are running linux 2.6.9-2.6.24 on that box too
that too is old
lol @ buying on store
yes, but their general attitude towards security just seems...ugh
sony wont misuse the info i bet xD
but just prevent using cfw's of unknown ppl
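
Added example, not part of the original posts or of any Sony code: a minimal sketch of the server-side challenge-response check the reply above names as the proper alternative to client-side console verification. The console ID, key, TTL, version numbers and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one per-console secret known to console and server.
CONSOLE_KEYS = {"console-001": bytes.fromhex("00112233445566778899aabbccddeeff")}
CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


def weak_check(client_reported_version: str, minimum: str = "2.0") -> bool:
    """The criticised pattern: the server trusts a value the client supplies."""
    parse = lambda v: tuple(int(p) for p in v.split("."))
    return parse(client_reported_version) >= parse(minimum)


def console_respond(key: bytes, console_id: str, nonce: bytes) -> bytes:
    """Console side: prove possession of the key without sending it."""
    return hmac.new(key, nonce + console_id.encode(), hashlib.sha256).digest()


class AuthServer:
    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now
        self.pending = {}  # nonce -> (console_id, issued_at)

    def issue_challenge(self, console_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # unpredictable, fresh per attempt
        self.pending[nonce] = (console_id, self.now())
        return nonce

    def verify(self, console_id: str, nonce: bytes, response: bytes) -> bool:
        entry = self.pending.pop(nonce, None)  # single use: replays fail
        key = self.keys.get(console_id)
        if entry is None or key is None:
            return False
        issued_to, issued_at = entry
        if issued_to != console_id or self.now() - issued_at > CHALLENGE_TTL:
            return False
        expected = console_respond(key, console_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare
```

`weak_check` accepts whatever the client claims, while `AuthServer.verify` only passes a response computed over a fresh server-chosen nonce with a key the server already holds.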