View Full Version : PSN down, and no DP chatter about it?
megasdkirby
05-01-2011, 10:17 AM
I would presume those who have Plus already will have a 30 day extension to their membership, right?
c0ldb33r
05-01-2011, 10:17 AM
if they're extending subscription based services, I would presume so
Frankie_Says_Relax
05-01-2011, 10:23 AM
I would presume those who have Plus already will have a 30 day extension to their membership, right?
Yes, they will.
Go back a page and check my bullet points, I tried to address anything relevant to what has been discussed on DP over the past few weeks.
Kid Ice
05-01-2011, 10:27 AM
Surprise surprise. I'm satisfied with this resolution.
heybtbm
05-01-2011, 01:32 PM
I forget the name of the hypothesis, but essentially the PS3 should be the most secure system in the world right now. Kind of how the safest spot to be is where lightning has just struck...with the thinking being, you're standing in the spot most unlikely to get struck again.
I'm not going to be entering my CC info into my PS3, but in theory it should be the safest possible place to do it.
ScourDX
05-01-2011, 01:53 PM
Sony better do better than giving us free 30 day subscription to PSN Plus. Every user deserves free Move. Heck why not give us free PS3 game.
JSoup
05-01-2011, 02:13 PM
At first, I figured that normal users shouldn't get any more than an apology and paid service users should get compensation for the days lost. Now, after potential credit card fraud, I'm not sure....
DuckTalesNES
05-01-2011, 02:25 PM
I don't want a subscription, a free game, a move. Give me some goddamn money for making me have to change all my passwords, email all of my friends an apology for the spam emails sent and have to constantly be keeping an eye on my credit report. This has class action lawsuit written all over it.
kupomogli
05-01-2011, 02:59 PM
have to constantly be keeping an eye on my credit report. This has class action lawsuit written all over it.
For what reason? Your SSN is not required to sign up for PSN. First and last name as well as address isn't going to allow anyone to apply for a credit card.
c0ldb33r
05-01-2011, 03:52 PM
You know what I'd like more than a free game or psn plus? If Sony gave us each free credit fraud monitoring for a year. Peace of mind is worth more than some game.
Frankie_Says_Relax
05-01-2011, 03:54 PM
I'm not sure if people aren't reading the official statements, or they're just ignoring what was said.
"The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
While there's no reason not to be safe with your data if it helps you sleep better at night ... Sony has publicly declared that there was no compromise of credit card data.
And as far as credit fraud via the information that you provided to PSN to create an account ... A.) we live in an age where people should know better than to use the same password for all digital secure logins and B.) most if not all of our Names, Addresses and Phone Numbers are points of information that fraudsters can easily obtain without having to crack Sony's network.
In fact, that data has likely been sold and/or dispersed by your bank and/or credit card company already. Just type your name and state into Google and you'll probably find that data indexed in a "people finder" site.
InsaneDavid
05-01-2011, 04:05 PM
A.) we live in an age where people should know better than to use the same password for all digital secure logins
This is key right here.
c0ldb33r
05-01-2011, 04:06 PM
Anyone else read 2600? They had an article a few years ago (last year maybe) on best practices on keeping your online passwords safe. I'll see if I can track it down.
Icarus Moonsight
05-01-2011, 04:07 PM
You know what I'd like more than a free game or psn plus? If Sony gave us each free credit fraud monitoring for a year. Peace of mind is worth more than some game.
Now that would be a class move, and actually a step above, but we're talking Sony here. More like, FREE PSN!... Which is already free...
Glad to see they've called on third parties for investigation and consult. They're going to need credible experts external to the company to help them in court.
The 1 2 P
05-01-2011, 07:41 PM
This has class action lawsuit written all over it.
Already underway (http://www.industrygamers.com/news/sony-sued-for-playstation-network-hacking-breach/). You just knew it was going to happen although I don't think it's going to get very far in court. Maybe if Sony offers an actual good downloadable game they'll drop the lawsuit altogether. I mean, it's not like they are going to get any monetary compensation if they miraculously won.
Vlcice
05-01-2011, 08:31 PM
Update from Sony: 10 million credit cards may have been exposed. They will be providing credit card protection services to those people. http://latimesblogs.latimes.com/technology/2011/05/sony-apologizes-says-10-million-credit-card-accounts-may-have-been-exposed-in-network-attack.html
So, yikes. I'm glad I cancelled my card already and had them send me a new one. This is p. bad.
DuckTalesNES
05-01-2011, 09:58 PM
I'm glad someone else is upset that their credit card information might have been compromised. I don't view this as an awesome opportunity to get some shitty free game like a bunch of you are.
JSoup
05-02-2011, 04:30 AM
Sony to give us free crap in exchange for pretending this didn't happen. Or something:
http://blog.us.playstation.com/2011/04/30/press-release-some-playstation-network-and-qriocity-services-to-be-available-this-week/
Corey_GB
05-02-2011, 10:00 AM
Yeah, this is a pretty lame deal that Sony is pushing. "Hey, sorry for having an insecure system and allowing your user information to be stolen. But, as a way of saying we are sorry, try out our pay-based PSN+ for a month. We're sure you'll love it!" Riiiiiiiiight. They should have at least given everyone a free PSN title, that doesn't expire like PSN+, to every user.
Thanks for nothing Sony.
Frankie_Says_Relax
05-02-2011, 10:40 AM
Yeah, this is a pretty lame deal that Sony is pushing. "Hey, sorry for having an insecure system and allowing your user information to be stolen. But, as a way of saying we are sorry, try out our pay-based PSN+ for a month. We're sure you'll love it!" Riiiiiiiiight. They should have at least given everyone a free PSN title, that doesn't expire like PSN+, to every user.
Thanks for nothing Sony.
"Yet to be determined free content will be provided, differing per region"
In addition to the free month of PSN+ that everybody will be getting it's safe to assume that the "free content" will be in the form of a game. There's not much other content on the PSN that "differs per region".
Icarus Moonsight
05-02-2011, 03:26 PM
Thanks for nothing Sony.
If you got compromised, it's worse than nothing. Nothing compared to that would be sweet.
I just remembered that I have a PSN account I set-up through my PSP. I had to have Stardust Portable, what can I say? Pretty sure the card info I upped is expired, thankfully. Since I haven't touched my PSP for anything other than Stardust in over a year... I sort of forgot about it.
Anything us in a similar PSP-only situation should know?
Frankie_Says_Relax
05-02-2011, 03:34 PM
If you got compromised, it's worse than nothing. Nothing compared to that would be sweet.
I just remembered that I have a PSN account I set-up through my PSP. I had to have Stardust Portable, what can I say? Pretty sure the card info I upped is expired, thankfully. Since I haven't touched my PSP for anything other than Stardust in over a year... I sort of forgot about it.
Anything us in a similar PSP-only situation should know?
A PSN account is a PSN account.
A PSP PSN account is the same as a PS3 PSN account, it's all married data.
Same data gathered during sign-up, same login credentials, same PSN ID.
So ... yeah.
Best start building that bomb shelter.
If everything being discussed on the internet is to be believed, based on the PSN compromise the world should wind up looking like Cormac McCarthy's "The Road" in about a week or so.
Kid Ice
05-02-2011, 07:27 PM
surprise surprise. I'm satisfied with this resolution.
update from sony: 10 million credit cards may have been exposed.
doh!!!
Vlcice
05-02-2011, 08:34 PM
And now another 12,700 credit card numbers and 10,700 debit cards from SOE's database - they're the MMO division. They're outdated (from a 2007 database), but any disclosure of debit/credit card info is bad. http://www.shacknews.com/article/68303/sony-online-entertainment-loses-12700
I don't want a subscription, a free game, a move. Give me some goddamn money for making me have to change all my passwords, email all of my friends an apology for the spam emails sent and have to constantly be keeping an eye on my credit report. This has class action lawsuit written all over it.
Making you change all of your passwords? Serves you right for having the same fucking password for everything you've ever had, especially when you sign in using your e-mail address. Who's to say your password wasn't taken from something else? I'm no better with my passwords, but damn it all if I'll blame someone else for my own ignorance. And if you have different passwords for all of your other stuff, then you just wasted your time. Also, you should ALWAYS be keeping an eye on your credit statements, so serves them right for "making" you do something you should have been doing from the start.
Anyway, I think Sony is owning up to it all pretty well, far better than others had anticipated. I expected free/extended PSN+ for all users at minimum, but having other goodies still to come is pretty cool for them to do. It's pathetic that all of these people are still bitching after this, then these same people would have bitched no matter what Sony did and to them I say grow a pair and get realistic.
Baloo
05-02-2011, 09:32 PM
I wonder what this will do to Xbox Live's userbase?
JSoup
05-02-2011, 10:53 PM
I wonder what this will do to Xbox Live's userbase?
I remember reading a day after this all started that Live was down due to a bazillion people all signing up for Live accounts all at once.
MarioMania
05-02-2011, 10:58 PM
Can we get PS games free from the PS store??
DuckTalesNES
05-03-2011, 03:21 AM
Making you change all of your passwords? Serves you right for having the same fucking password for everything you've ever had, especially when you sign in using your e-mail address. Who's to say your password wasn't taken from something else? I'm no better with my passwords, but damn it all if I'll blame someone else for my own ignorance. And if you have different passwords for all of your other stuff, then you just wasted your time. Also, you should ALWAYS be keeping an eye on your credit statements, so serves them right for "making" you do something you should have been doing from the start.
Anyway, I think Sony is owning up to it all pretty well, far better than others had anticipated. I expected free/extended PSN+ for all users at minimum, but having other goodies still to come is pretty cool for them to do. It's pathetic that all of these people are still bitching after this, then these same people would have bitched no matter what Sony did and to them I say grow a pair and get realistic.
Yeah you know what you're right. I should have expected that when I used my credit card on their website and my email that they were going to just completely fuck up and let it be open to everyone. I guess I should have also gotten a completely separate fucking credit card just for use on the PS network, so that in case this happened I would be protected. I mean, of course they did nothing wrong.
I'm not blaming them for me using the same password, I'm blaming them for NOT HAVING A FUCKING CLUE HOW TO PROTECT THEIR DAMN SYSTEM. They are only a multi-million dollar company, but yeah at least I'm getting 30 free days of some retarded service. We shouldn't expect anything more of them, I mean, mistakes happen. Hopefully next time they can give out my address and social security number and I get a PlayStation Move! Yeah!!
DuckTalesNES
05-03-2011, 03:23 AM
I mean, I just think that them trying to bribe us w/ these crappy things is just pathetic, instead of dealing with the actual problem.
kupomogli
05-03-2011, 04:26 AM
Hopefully next time they can give out my address
They already gave out your address. I've given out my name and address to plenty of people I don't know. How do you think I've bought things on here, Ebay, or other places?
You know it's also much easier to get your card stolen at places you normally go than any secure network as well. Take a fast food place for example. When you go through the drive through you can't very well see them sliding the card because it's usually out of view of the window, behind the register or elsewhere. No need to write anything down when receipt paper is perfect for making an exact copy. With cell phones now they'd just need to take a picture. Or what about people you do business with over the phone, like your cable, electric company, etc. Any time you give out your information to anyone you have the chance to get it stolen. Unless of course you only pay with prepaid cards, which isn't a bad idea in itself. Although a smaller amount of money, even prepaid cards can be stolen.
DuckTalesNES
05-03-2011, 04:32 AM
But just because it can happen anywhere doesn't make what happened okay.
Flack
05-03-2011, 07:52 AM
They already gave out your address. I've given out my name and address to plenty of people I don't know. How do you think I've bought things on here, Ebay, or other places?
You know it's also much easier to get your card stolen at places you normally go than any secure network as well. Take a fast food place for example. When you go through the drive through you can't very well see them sliding the card because it's usually out of view of the window, behind the register or elsewhere. No need to write anything down when receipt paper is perfect for making an exact copy. With cell phones now they'd just need to take a picture. Or what about people you do business with over the phone, like your cable, electric company, etc. Any time you give out your information to anyone you have the chance to get it stolen. Unless of course you only pay with prepaid cards, which isn't a bad idea in itself. Although a smaller amount of money, even prepaid cards can be stolen.
If we were only talking about credit cards, then I would say this is a valid point. The problem is, in the Sony hack they got more than credit cards -- they got PII and SPII. In the security world, PII means Personal Identifiable Information and the S in SPII stands for Sensitive. PII in and of itself isn't bad. For example, if I knew your name, I could get your phone number and address out of the phonebook. Those are examples of PII. But by combining certain things -- say your name, DOB, and SSN, NOW I have SPII, and that's a problem. When SPII leaks, people need to stop worrying about credit card theft and start worrying about identity theft.
Having your credit card number stolen is a pain in the ass, but banks are pretty good at identifying weird charges and notifying you pretty quick. I've had mine stolen a couple of times now and the biggest hassle was waiting for new cards to arrive in the mail and then having to switch whatever online accounts they were tied to. Losing a debit card can be worse because money can actually be withdrawn directly from your account, leaving you financially fucked for a bit until things get straightened out.
Identity theft is a whole 'nother thing. My wife got her purse stolen in 1996 and occasionally we still get weird things showing up on our credit. All a crafty individual needs is the information off your driver's license to wreak havoc not only on your credit but also your life. Many times, people don't find out their identity has been stolen until someone has either opened a line of credit or applied for insurance claims in their names and collections agencies have begun contacting them. By then your insurance and credit may have already been permanently affected. Fake identities are routinely used for cashing fake checks and giving to the police when crimes are committed. Sometimes, criminals will file for bankruptcy on your behalf, too. Whee!
There was a paper a few years ago that claimed that 87% of the US population could be uniquely identified by their zip code, gender, and date of birth. By cross referencing that information in any number of publicly available databases, you can get someone's name. Correct me if I'm wrong, but I believe all that information was in my PSN profile ... along with my name and credit card number.
Over the next few months, people are going to be talking about the credit cards that were stolen. Some of those cards are going to be used maliciously and it's going to be a pain in the ass for the owners of those cards. However, in a year or two from now, I think people will be talking about the tens of thousands of cases of identity theft that sprung from this single incident.
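Added example, not part of Flack's post or the thread: a Python sketch of the uniqueness measurement behind the zip code / gender / date-of-birth claim above, written from the data holder's side to show how many stored profiles those three fields single out and how coarsening or suppressing them changes that. The field names and all sample records are constructed assumptions.

```python
from collections import Counter

# Constructed sample profiles (not real data). Field names are assumptions
# standing in for what a sign-up form like the one discussed would store.
RECORDS = [
    {"zip": "73099", "gender": "M", "dob": "1973-08-14"},
    {"zip": "73034", "gender": "M", "dob": "1973-02-02"},
    {"zip": "73013", "gender": "F", "dob": "1980-11-30"},
    {"zip": "73071", "gender": "F", "dob": "1980-05-09"},
    {"zip": "10001", "gender": "M", "dob": "1990-01-21"},
    {"zip": "10027", "gender": "M", "dob": "1990-07-04"},
    {"zip": "10011", "gender": "F", "dob": "1985-03-15"},
    {"zip": "10003", "gender": "F", "dob": "1985-12-01"},
    {"zip": "94110", "gender": "M", "dob": "1968-06-06"},
]


def exact_key(record):
    """Quasi-identifier exactly as stored: full zip, gender, full DOB."""
    return (record["zip"], record["gender"], record["dob"])


def generalized_key(record):
    """Coarsened quasi-identifier: 3-digit zip prefix, gender, birth year."""
    return (record["zip"][:3], record["gender"], record["dob"][:4])


def uniqueness_report(records, key_fn):
    """Group records by quasi-identifier and measure how many stand alone.

    'k' is the size of the smallest group (the k in k-anonymity);
    'unique' counts records whose quasi-identifier matches nobody else.
    """
    classes = Counter(key_fn(r) for r in records)
    unique = sum(1 for r in records if classes[key_fn(r)] == 1)
    return {
        "total": len(records),
        "classes": len(classes),
        "k": min(classes.values()) if classes else 0,
        "unique": unique,
    }


def suppress_below_k(records, key_fn, k):
    """Drop records whose group is smaller than k (k-anonymity suppression).

    Intended for copies that do not need per-person precision, such as
    analytics exports or test databases.
    """
    classes = Counter(key_fn(r) for r in records)
    return [r for r in records if classes[key_fn(r)] >= k]


if __name__ == "__main__":
    print("as stored:  ", uniqueness_report(RECORDS, exact_key))
    print("generalized:", uniqueness_report(RECORDS, generalized_key))
    kept = suppress_below_k(RECORDS, generalized_key, 2)
    print("suppressed: ", uniqueness_report(kept, generalized_key))
```

With the fields stored at full precision every sample profile is unique; after generalization one outlier still stands alone, which is why suppression is applied as a second step.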
megasdkirby
05-03-2011, 08:03 AM
Flack, you make a very valid post.
From what I can remember, Sony never asked for my social security number, just my credit card number. Say hackers got my personal data, like name, address, and telephone number. Say they also got an old credit card (well, a virtual card from BoA...the shop safe one in which is only valid for a certain date, time, location, and amount...but has been cancelled as well). With this, how can hackers use this for identity theft, specially with no social security number?
I know it is still possible, so now can we protect ourselves? Freeze our credit?
Icarus Moonsight
05-03-2011, 08:11 AM
If you are skimming this thread or suffering from a bout of TL;DR I have an announcement: Stop what you are doing and read this post (108) (http://www.digitpress.com/forum/showpost.php?p=1815200&postcount=108) above.
With ID theft, once the info is out, it's out. You just have to keep tabs on yourself. Or rather your records... Still a pain, proving negatives.
Rob2600
05-03-2011, 08:16 AM
If we were only talking about credit cards, then I would say this is a valid point. The problem is, in the Sony hack they got more than credit cards -- they got PII and SPII. In the security world, PII means Personal Identifiable Information and the S in SPII stands for Sensitive. PII in and of itself isn't bad. For example, if I knew your name, I could get your phone number and address out of the phonebook. Those are examples of PII. But by combining certain things -- say your name, DOB, and SSN, NOW I have SPII, and that's a problem. When SPII leaks, people need to stop worrying about credit card theft and start worrying about identity theft.
This is the mature, adult, real life perspective on the situation...
I think Sony is owning up to it all pretty well, far better than others had anticipated. I expected free/extended PSN+ for all users at minimum, but having other goodies still to come is pretty cool for them to do. It's pathetic that all of these people are still bitching after this, then these same people would have bitched no matter what Sony did and to them I say grow a pair and get realistic.
I've given out my name and address to plenty of people I don't know. How do you think I've bought things on here, Ebay, or other places?
...and these are the exact opposite.
Frankie_Says_Relax
05-03-2011, 08:16 AM
Yeah you know what you're right. I should have expected that when I used my credit card on their website and my email that they were going to just completely fuck up and let it be open to everyone. I guess I should have also gotten a completely separate fucking credit card just for use on the PS network, so that in case this happened I would be protected. I mean, of course they did nothing wrong.
I'm not blaming them for me using the same password, I'm blaming them for NOT HAVING A FUCKING CLUE HOW TO PROTECT THEIR DAMN SYSTEM. They are only a multi-million dollar company, but yeah at least I'm getting 30 free days of some retarded service. We shouldn't expect anything more of them, I mean, mistakes happen. Hopefully next time they can give out my address and social security number and I get a PlayStation Move! Yeah!!
They didn't "let it be open to everyone".
It was compromised as in BROKEN IN TO in a focused, deliberate criminal attack by a hacker/hackers.
Remember those people? The hackers? The ones that decided that it would be a good idea to illegally intrude in a corporate system and compromise your personal information? The ones who continue to conveniently get ignored/left out of 99% of discussions surrounding this event.
And where that is concerned, Sony has repeatedly stated that the only information that was compromised was your name, address, telephone number, DOB and login information.
Stop willfully ignoring the fact that it's on the record that PSN Credit Card Details were NOT compromised.
Despite the fact that gaming news sites keep running headlines that say "X amount of credit cards MAY have been compromised" there is NO EVIDENCE of that in the PSN database. Sony has made it clear several times over that security firms have audited their system and there is no evidence whatsoever that the fully encrypted credit card data was accessed or stolen.
(Before it's posted as retaliation to this, yes, it has been reported that SOE had a 2007 credit card file containing about 13,000 non-US cards compromised. http://www.soe.com/securityupdate/ That data was NOT in the same server/location as the current PSN account data that has been the source of discussion since this fiasco began. If you're one of those affected by that outside of the United States, and that's specifically what you're bitching about - change your card number and contact Sony about assistance with enrollment in an identity theft program they've said that is a service among many others that they're offering to those affected by this.)
While you're here, why not read up on ALL of the official knowledge base Q&As while you're here. They're not as sensational/divisive as all the neat gaming news blogs reporting on the events of this, and they don't have all the witty/snarky headlines, but they're OFFICIAL and they're as ACCURATE as we're going to get until somebody PROVES otherwise:
Official Sony Q&A #1
http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/
Official Sony Q&A #2
http://blog.us.playstation.com/2011/04/28/qa-2-for-playstation-network-and-qriocity-services/
Press Release Restoration of Service / Improvement of Security / Reparations
http://blog.us.playstation.com/2011/04/30/press-release-some-playstation-network-and-qriocity-services-to-be-available-this-week/
Network Security Update
http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/
megasdkirby
05-03-2011, 08:31 AM
If you are skimming this thread or suffering from a bout of TL;DR I have an announcement: Stop what you are doing and read this post (108) (http://www.digitpress.com/forum/showpost.php?p=1815200&postcount=108) above.
With ID theft, once the info is out, it's out. You just have to keep tabs on yourself. Or rather your records... Still a pain, proving negatives.
Still doesn't answer my question fully, though.
I read his post like three times, but I am wondering how can an identity be stolen if there was never a social security number that was given to Sony (as far as I can remember).
Yes, people can use your other info, but how can a particular issue or information be tagged to the correct person if there was no SS at play here? I know it's possible... I just want to find out how. And with that, I want to find out how to prevent this, like a credit freeze, a type of identity "lock", etc. Yes, we can just monitor our accounts as many times as we want...and should, but there has to be other actions we can do to protect ourselves.
Icarus Moonsight
05-03-2011, 08:34 AM
Cross referencing data, social engineering... Calling different bureaus or agencies (private or public) with a certain level of personal data can open up more, especially if you are good at working people. There are many ways. It's also extremely variable how victims are affected. If you want a magic bullet, there really isn't one.
megasdkirby
05-03-2011, 08:41 AM
Damn it, I guess I have to enforce stricter scenarios on my credit monitoring as well as be extremely vigilant. Well, I always was...just need to be more anal about it. LOL
Cornelius
05-03-2011, 09:15 AM
If you are really worried, you can call any of the credit agencies and have them put a fraud watch or fraud alert on your records (forgot what it is called exactly). This makes it much more difficult for credit/loans/etc to get approved, requiring many additional verification steps. This can be inconvenient if you are applying for something, but also makes it much much more difficult for your identity to be stolen. If you contact one credit agency, it automatically propagates to the other two.
Still doesn't answer my question fully, though.
I read his post like three times, but I am wondering how can an identity be stolen if there was never a social security number that was given to Sony (as far as I can remember).
Yes, people can use your other info, but how can a particular issue or information be tagged to the correct person if there was no SS at play here? I know it's possible... I just want to find out how. And with that, I want to find out how to prevent this, like a credit freeze, a type of identity "lock", etc. Yes, we can just monitor our accounts as many times as we want...and should, but there has to be other actions we can do to protect ourselves.
Flack
05-03-2011, 09:49 AM
Still doesn't answer my question fully, though. I read his post like three times, but I am wondering how can an identity be stolen if there was never a social security number that was given to Sony (as far as I can remember).
These guys figured out a pretty good system of guessing people's SSN:
http://www.csmonitor.com/Innovation/Horizons/2009/0706/how-to-figure-out-someones-social-security-number
The first page of Google searching returned this site: http://www.docusearch.com/locc.html
"Provided your subject is over 25 year old and has established credit (good or bad), this search is guaranteed to return their social security number. Docusearch requires a detailed explanation regarding the legal necessity for requesting this information. All clients ordering this search will be interviewed. This search will only return your subject’s social security number. It will not supply addresses, telephone numbers, and dates of birth or any financial history for determining credit worthiness."
I'm guessing there are other businesses not quite so vigilant in doing background checks on their customers. My guess is they charge $10 more.
This website (http://www.publicpeoplefinder.com/Basic-People-Search.shtml) offers, for $49:
"This service will allow you to enter some general information about the subject you are searching for such as name, last known location and then locate the subjects current address, full name, address history, social security number, date of birth, and other details. We only require a name for this people search although the more information you provide us with the better your chances are of locating this person, and receiving details about them. Please see below for more information on this people lookup."
Rob2600
05-03-2011, 10:08 AM
I am wondering how can an identity be stolen if there was never a social security number that was given to Sony
Hackers may have obtained users' names, home addresses, email addresses, birthdates, PlayStation usernames and passwords, and answers to password security questions.
Using that information, someone could get into your email account, bank account, credit cards, and other online bills...and from there, obtain *even more* information about you (as well as tamper with your money and credit).
This isn't a simple matter of "sorry our network was down for maintenance, here's a free game." This is much more serious as Flack has pointed out. :(
Frankie_Says_Relax
05-03-2011, 10:28 AM
Damn it, I guess I have to enforce stricter scenarios on my credit monitoring as well as be extremely vigilant. Well, I always was...just need to be more anal about it. LOL
There's nothing wrong with being safe and smart with your personal information, and there are several steps that one can take on a regular basis to review credit reports/activity (Google will help there).
However, I will again play devil's advocate here.
I currently work for an organization that deals directly with billions and billions of points of demographic information on individuals.
Many of us are ignorant of the fact that many many many sources including but not limited to: financial organizations (ie banks, credit card companies, credit bureaus, etc.), retail companies (supermarkets, pharmacies, big box stores that offer credit cards, etc.) govt./municipalities (courts, law enforcement, postal services, etc.) telecoms (phone companies) etc. all have different/varied levels/services by which they either make certain points of our personal information (or all of it) available legally, either for free on request, or for sale in bulk data lists to organizations interested in that demographic info (name, address, telephone number, email, etc.)
Couple that with however many millions of people are ACTIVELY PROMOTING their own personal data (name, contact info, photo, education history, professional history, links to family, friends, etc.) on services like Linkedin, Facebook, MySpace, etc. and the illusion of "private, sensitive, personal data" should wash away just a BIT.
While the compromise of Sony's data is a terrible thing with instances of identity theft as a potential consequence (if that's the intent of those responsible for the criminal intrusion), the core of the information that we supplied Sony with is the same basic personal information data set that we use for practically everything that we "sign up for" and about 80% of it is typically available to any member of the general public who actively seeks it out.
SSN and Credit Card data are the sticky wickets. Those aren't data points that are trafficked in any legitimate/legal sense the same way that the above mentioned data is.
IF there was any evidence that pointed to that data being snatched up/used in the Sony data compromise I'd share people's feelings of outrage, fear and maybe even understand all the vocal panic.
That understood, being concerned that people may use your basic level personal data to contact and somehow "convince" a Credit Card company to give them access to your information without your SSN or security questions is ... well, it's a plausible scenario, but there's no reason that that couldn't happen without Sony having ever been hacked.
At this point people simply need to take whatever steps they need to to personally feel secure (change all login passwords that were identical to the PSN login, get a new CC number, look into fraud monitoring services, etc.) and then proceed to monitor their credit information with a reasonable amount of care.
My perspective says that this is all cause for alert, but by no means for panic.
This website (http://www.publicpeoplefinder.com/Basic-People-Search.shtml) offers, for $49:
"This service will allow you to enter some general information about the subject you are searching for such as name, last known location and then locate the subjects current address, full name, address history, social security number, date of birth, and other details. We only require a name for this people search although the more information you provide us with the better your chances are of locating this person, and receiving details about them. Please see below for more information on this people lookup."
AFAIK, all of the data being offered for that fee is largely public information made available via various public legal records.
That company is merely providing a service that does all the busywork for you.
However, there's an asterisk where the SSN Info is concerned -
In order to access SSN data that organization requires the appropriate legal documents (likely warrants or subpoenas served from the appropriate legal/law enforcement officials).
In other words, you and I couldn't just "pay" for that data.
*[SSN] May only be included with GLB, IRSG Reasons Under Federal/ State law) Some information such as SSN may not be given as required by law such as the GLB law, IRSG, state, federal, and local laws. To get a SSN you must have legal documents that allows you to receive such information.
GLB = http://www.ftc.gov/privacy/glbact/glbsub1.htm
IRSG = http://irsg.bcs.org/
Rob2600
05-03-2011, 10:53 AM
many millions of people are ACTIVELY PROMOTING their own personal data (name, contact info, photo, education history, professional history, links to family, friends, etc.) on services like Linkedin, Facebook, MySpace, etc. and the illusion of "private, sensitive, personal data" should wash away just a BIT.
You're right, *but* there's a difference between me posting my email address and birthday on a Facebook profile (which is pretty stupid), and posting the answers to my security questions on a Facebook profile (which would be super insanely stupid).
The Sony hackers obtained answers to security questions. Combined with the email addresses and password they also obtained, they *could* get into your email account, credit card account, bank account, and other online bills.
If you're a member of the PlayStation Network, stop what you're doing and change all of your online passwords *and* your security questions/answers.
TonyTheTiger
05-03-2011, 11:25 AM
Security questions themselves are dumb as shit. It doesn't take much effort to obtain your mother's maiden name or the city in which you were born. If I absolutely am required to use one I'll always pick the option for info that would be "off the grid" like the name of my first pet or something. I really wish they weren't required most of the time.
NayusDante
05-03-2011, 11:47 AM
...wait. People actually use real answers for their security questions?
Flack
05-03-2011, 11:52 AM
And where that is concerned, Sony has repeatedly stated that the only information that was compromised was your name, address, telephone number, DOB and login information.
Stop willfully ignoring the fact that it's on the record that PSN Credit Card Details were NOT compromised.
Despite the fact that gaming news sites keep running headlines that say "X amount of credit cards MAY have been compromised" there is NO EVIDENCE of that in the PSN database. Sony has made it clear several times over that security firms have audited their system and there is no evidence whatsoever that the fully encrypted credit card data was accessed or stolen.
Actually what they have said since day one is that they don't know if the credit card database was stolen or not.
Quoted from Sony's official statement: "While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."
That, to me, doesn't say that the credit card database unequivocally wasn't stolen. What it says to me is, they can't tell if it was or not. When companies start saying that my information "may" have been leaked, that's good enough for me.
Sony also clarified that user passwords were "hashed" but not "encrypted". Big difference. Put it this way -- your passwords on Digital Press are "hashed". Before we had terabytes of storage at our fingertips, hashes were pretty good protection. Unfortunately, with rainbow tables, cracking hashed passwords is child's play. Ironically, there is a huge accessible cache of rainbow tables currently being hosted on a group of networked PS3s. Go figure.
I'll talk about hashes in another response not to bog this one down, but the bottom line is if you used your PSN password anywhere you should change it immediately.
Flack
05-03-2011, 11:56 AM
Security questions themselves are dumb as shit. It doesn't take much effort to obtain your mother's maiden name or the city in which you were born. If I absolutely am required to use one I'll always pick the option for info that would be "off the grid" like the name of my first pet or something. I really wish they weren't required most of the time.
If you want the answers to someone's questions, go to Facebook. People continue to post dumb shit like this about once a month:
"To get your Royal Name for the celebrations use this formula:
Male: Lord + Grandfather's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name.
Female: Lady + Grandmother's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name."
Two Facebook password reset questions: "What was the name of your first pet?" and "What was the name of the street you grew up on?" Jesus Christ, people.
NoahsMyBro
05-03-2011, 12:22 PM
If you want the answers to someone's questions, go to Facebook. People continue to post dumb shit like this about once a month:
"To get your Royal Name for the celebrations use this formula:
Male: Lord + Grandfather's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name.
Female: Lady + Grandmother's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name."
Two Facebook password reset questions: "What was the name of your first pet?" and "What was the name of the street you grew up on?" Jesus Christ, people.
That's really funny!
Flack
05-03-2011, 12:26 PM
Last response, then I gotta get back to real security work. ;)
Hashes are one-way encryption techniques used on passwords to store them safely. Unless the application you are using was written by a homeless hobo, the passwords are probably hashed. To make this simple, let's say that MD5 uses a hash of "64". Now let's take a look at three users. Their passwords are "111", "222", and "333". When a website like Digital Press stores your password, it doesn't store "111". It stores "111 x 64", or "7104". If your password is "222", the database actually has "14208" in it, and so on.
When you log in and you put in "111" for your password, the application does NOT translate "7104" back into "111". It CAN'T -- hashes only work ONE WAY. Instead, what it does is multiply what you type in ("111") by "64" and gets 7104. It then compares those two answers. If they match, you put in the right password!
The advantage to this system is, if someone downloads the entire database, all they have are the hashed passwords. Even with "7104", there's no way I can convert it back to your real password. Sounds pretty secure, right?
Rainbow Tables are giant lists of hashed passwords. Even though we can never go back from "7104" back to "111", what we can do is randomly guess passwords and compare the results. Rainbow Tables are generated against specific known hashes, like MD5. FreeRainbowTables.com (http://www.freerainbowtables.com) has them available for download (as do many other places). For example, for about 380GB, you can download the hashed version of every possible 8-character combination of numbers and letters. All you have to do at that point is search the database for "7104", which will tell you the original password of "111".
There are two ways around this. The first is, use a password so long that it won't appear in a rainbow table. There's an NTLM rainbow table available on the above website that's 8 characters and 430GB. Creating rainbow tables for 12+ character passwords would take a lifetime, so those are safe. Also, note that these tables are alphanumeric. Something like an ascii symbol would never appear in one.
Salting is the other way to defeat rainbow tables. Salting hashes means adding another number to the equation. Let's say our salt number is 75. Now when a user enters "111", the password stored in the database is "111 x 64 x 75", or 532800. A rainbow table in this instance would be useless. The key to this working is keeping the salt value secret; not difficult with encryption and whatnot, unless someone steals your source code.
---
PSN stored their passwords hashed, but not salted, which means anyone with the list of passwords and the link I posted above probably already has the password of every person with a < 9 character password.
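An added example, not part of the original post: a small Python sketch of the difference between unsalted and salted password storage, using real MD5 for the unsalted case. A plain dictionary stands in for a rainbow table, the user names and passwords are constructed, and the salted scheme shown (a random per-user salt stored beside the hash, with PBKDF2) is this example's assumption, not a description of what PSN or Digital Press used.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users deliberately share a password.
USERS = {"alice": "111", "bob": "222", "carol": "111"}
# Constructed guess list, standing in for the contents of a precomputed table.
CANDIDATES = ["111", "222", "333", "password", "letmein1"]


def md5_hex(password: str) -> str:
    """Unsalted MD5: the same password always produces the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password once; reusable against any unsalted MD5 dump."""
    return {md5_hex(p): p for p in candidates}


def store_unsalted(password: str) -> dict:
    return {"hash": md5_hex(password)}


def store_salted(password: str, iterations: int = 100_000) -> dict:
    """Random 16-byte salt per user plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def recovered_by_table(records: dict, table: dict) -> dict:
    """Which stored hashes does the precomputed table resolve to a password?"""
    return {u: table[r["hash"]] for u, r in records.items() if r["hash"] in table}


def demo() -> dict:
    table = build_lookup_table(CANDIDATES)
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    return {
        # Every unsalted record falls to a single dictionary lookup.
        "unsalted_recovered": recovered_by_table(unsalted, table),
        # The same table matches nothing once each record has its own salt.
        "salted_recovered": recovered_by_table(salted, table),
        # Unsalted storage also reveals which users share a password.
        "shared_visible_unsalted": unsalted["alice"]["hash"] == unsalted["carol"]["hash"],
        "shared_visible_salted": salted["alice"]["hash"] == salted["carol"]["hash"],
        # Legitimate login still works against the salted record.
        "login_ok": verify_salted(salted["alice"], "111"),
        "login_wrong": verify_salted(salted["alice"], "112"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With per-user salts a precomputed table no longer applies, so each record has to be guessed separately, and the iteration count sets the cost of every guess.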
Flack
05-03-2011, 12:33 PM
That's really funny!
Here is one I copied from Facebook last year:
THE NAME GAME
1. YOUR ROCK STAR NAME: (first pet and current street)
2. YOUR MOVIE STAR NAME: (grandfather/grandmother on your mother’s side, your favorite candy)
3. YOUR “FLY GIRL/GUY” NAME: (first initial of first name, first two or three letters of your last name)
4. YOUR DETECTIVE NAME: (favorite animal, favorite color)
5. YOUR SOAP OPERA NAME: (middle name, city where you were born)
6. YOUR STAR WARS NAME: (first 3 letters of your last name- last 3 letters of mother’s maiden name, first 3 letters of your pet’s name)
7. JEDI NAME: (last name spelled backwards, your mom’s first name spelled backward)
8. PORN STAR NAME: (friend’s middle name, street you grew up on)
9. SUPERHERO NAME: (“The”, your favorite color, the automobile you drive)
10. EMO BAND NAME: (first word in the top banner ad above, city of the away team of the last major sporting event you went to/remember)
They should have one called your "Dumbass Name" where your first name is just your password and your last name is your SSN.
One last thought: last year when Sarah Palin's e-mail got hacked, she was using Yahoo Mail. The way hackers gained access to her account was by resetting her password by using her security questions. Her 3 questions were: her zip code, her birth date, and where she met her spouse. All three questions were found via Google. The zip code took two tries. Her birth date was listed on Wikipedia. Where she met her husband (Wasilla High) showed up in Google.
Frankie_Says_Relax
05-03-2011, 12:36 PM
...to me, doesn't say that the credit card database unequivocally wasn't stolen...
But it does not state that it unequivocally was stolen either.
My issue, which I feel like I've made clear exhaustively at this point is that people, news outlets, blogs, etc. are frequently stating it as fact (ie "Our credit card records were stolen.") where there are currently no official reports that corroborate that.
Even if we agree to work from the logic that Sony is "not sure" if credit card data in their encrypted servers was stolen, until there is demonstrable, verifiable proof of theft, as much as one person coming forward with verifiable evidence that can be linked to a compromise of Sony's encrypted credit card servers I'm going to continue to take issue with the indication that this has empirically, factually happened.
That's just me. Can't help myself.
That aside, as I've also stated repeatedly, there is absolutely nothing wrong with people taking every measure that they need to to be smart, be secure, and be safe going forward based on the news of this data compromise.
TonyTheTiger
05-03-2011, 01:25 PM
If you want the answers to someone's questions, go to Facebook. People continue to post dumb shit like this about once a month:
"To get your Royal Name for the celebrations use this formula:
Male: Lord + Grandfather's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name.
Female: Lady + Grandmother's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name."
Two Facebook password reset questions: "What was the name of your first pet?" and "What was the name of the street you grew up on?" Jesus Christ, people.
It doesn't matter in this case. That was my point if it's true that the answers were leaked. You could have said your mother's maiden name was %4das34 and it wouldn't make a lick of difference. That's why it's stupid organizations mandate security questions. It's just another point of fail.
But I also want to point out that, again, this could have happened to any organization. Which is why I don't get the hate for Sony in particular. It makes me think that I may as well rob a Home Depot and grab whatever customer credit card documentation they may have. While people are busy blaming Home Depot and demanding restitution I get to be the phantom nobody thinks to go after.
Rob2600
05-03-2011, 01:58 PM
That was my point if it's true that the answers were leaked. You could have said your mother's maiden name was %4das34 and it wouldn't make a lick of difference. That's why it's stupid organizations mandate security questions. It's just another point of fail.
If the hackers obtained my email address and PSN password, they could try that same password to get into my email account. If I use a different password, the hackers can't get in unless they have the answers to my security questions.
In this case, the hackers supposedly *did* obtain the answers to the security questions, so now even if I used a different password for all of my online accounts, they have a much better chance of getting in if the same security questions/answers are used on different accounts.
In other words, if I typed in "%4das34" as my mother's maiden name in my PSN account *and* in my email account, the hackers will have a much easier time getting into my email...and once they're in, they can see which bank I use (assuming I have some bank emails in there)...and once they know which bank I use, they have my security question answers to also get into my online bank account.
Anyway, that's the reason why people are getting so upset. People don't care that they can't play their online games; they care that hackers had an entire week to get into their email accounts, bank accounts, credit card accounts, etc. while Sony was silent.
But I also want to point out that, again, this could have happened to any organization. Which is why I don't get the hate for Sony in particular.
I think a lot of the hate comes from the fact that Sony was silent for a week. If Sony had sent a daily email update keeping its customers informed about the situation, that would have helped dramatically, allowing people to take precautions sooner.
Frankie_Says_Relax
05-03-2011, 01:59 PM
Since it's relevant to current points brought up ...
It appears that for forthcoming security measures Sony won't be using those "security questions". Here's a response from a Sony Exec on the official blog:
+ Patrick Seybold on May 2nd, 2011 at 2:50 pm said:
Those security questions will not be used. As an added layer of security, the password can only be reset on the hardware in which it was created, or through a validated email confirmation. If necessary, Customer Service representatives have alternative methods of validating accounts, but the primary means will be through the console on which the account was created.
I think a lot of the hate comes from the fact that Sony was silent for a week. If Sony had sent a daily email update keeping its customers informed about the situation, that would have helped dramatically, allowing people to take precautions sooner.
Do you REALLY believe that if it were 10 minutes, 24 hours or one week that there would be any dramatic difference in the reaction of the community or the snowball effect of the reaction that we're seeing?
Rob2600
05-03-2011, 02:06 PM
Do you REALLY believe that if it were 10 minutes, 24 hours or one week that there would be any dramatic difference in the reaction of the community or the snowball effect of the reaction that we're seeing?
You're right, PSN customers would be upset no matter what, but the fact that Sony was silent for a week (therefore giving the hackers that whole week to get into people's online financial accounts unbeknownst to the victims) made the situation much worse.
I realize Sony wanted to avoid a public relations nightmare, but in the end, it's always better to be transparent with customers from the very first minute. Now unfortunately, Sony faces a much worse PR nightmare instead, whether it's deserved or not.
I don't care who the company is- whether it's Amazon, Bank of America, Best Buy, or Apple- if it's hacked, I want to know about it immediately so I can decide whether or not I have to take precautions. I'd be annoyed, but I'd respect the company for doing that. However, if Amazon were hacked and it didn't let me know until a week later, I'd be furious and would never use its service again.
And of course, I'd want the hackers brought to justice, too.
It's unfortunate that Sony was hacked, but it's also unfortunate the way Sony handled the situation.
TonyTheTiger
05-03-2011, 02:10 PM
Since it's relevant to current points brought up ...
It appears that for forthcoming security measures Sony won't be using those "security questions". Here's a response from a Sony Exec on the official blog:
+ Patrick Seybold on May 2nd, 2011 at 2:50 pm said:
Those security questions will not be used. As an added layer of security, the password can only be reset on the hardware in which it was created, or through a validated email confirmation. If necessary, Customer Service representatives have alternative methods of validating accounts, but the primary means will be through the console on which the account was created.
Works for me. The more of that data they throw out the better.
Do you REALLY believe that if it were 10 minutes, 24 hours or one week that there would be any dramatic difference in the reaction of the community or the snowball effect of the reaction that we're seeing?
I know I don't. I think that it's natural (although not particularly prudent) to go after the known entity involved in the event rather than the unknown one. And if the known entity happens to be a big faceless corporation, all the easier to lay blame. The cynical attitude here would be to conclude that Sony, the victim of a crime, takes the blame for other victims/potential victims losses and the actual criminal(s) walks away scot free, maybe even taking advantage of Sony's restitution himself.
Frankie_Says_Relax
05-03-2011, 02:16 PM
You're right, PSN customers would be upset no matter what, but the fact that Sony was silent for a week (giving the hackers time to get into people's online financial accounts) made the situation much worse.
Well, all anybody can do at this point is be smart, be safe and move on.
If they feel the need to cancel a credit card, empty their bank account, get fraud protection services, sell their PS3/PSP, boycott all future Sony products, write a letter to their senator, file a lawsuit against Sony, run naked through the streets or preemptively shuffle off this mortal coil by their own hands so be it.
Me, I'ma jus wait it out and see what happens.
Or, maybe I'll do that naked thing.
Rob2600
05-03-2011, 02:23 PM
Well, all anybody can do at this point is be smart, be safe and move on.
At this point, yes. But for those who are wondering why people are so upset with Sony right now, that's the reason (that week of silence).
TonyTheTiger
05-03-2011, 02:29 PM
What's the standard amount of time before thinking there may have been an intrusion, finding out there was one, and making a public statement? If that turnaround usually takes a day or two then sure. But I'm not sure if a week is entirely out of the ordinary. How long did the Gawker debacle take? I don't remember off hand.
Frankie_Says_Relax
05-03-2011, 02:37 PM
At this point, yes. But for those who are wondering why people are so upset with Sony right now, that's the reason (that week of silence).
That's certainly a reason, but everybody seems to have a specific/individual issue on the matter ...
The amount of time between taking the networks down and reporting
Circumventable security
Alleged theft of info
Proposed reparations not being "good enough"
... and let's call a spade a spade, it's no secret that many harbor bias based on recent past business decisions by the electronics giant. The removal of Linux and PS2 backwards compatibility still resonate with many who feel "wronged" by those actions, and the public pursuit of George Hotz swatted the proverbial hornet's nest that likely spurred this intrusion.
So. Yeah. People don't like Sony much.
Except those of us who do.
It's always tended to be a challenge to be in the latter camp, these days it can be a real headache.
Rob2600
05-03-2011, 02:38 PM
What's the standard amount of time before thinking there may have been an intrusion, finding out there was one, and making a public statement?
I don't know, but if there was even a question of an intrusion, Sony should've sent its customers an email right from the start stating there *may* have been an attack and personal data *may* have been compromised. That way, customers can decide for themselves how to proceed.
Again, I understand Sony didn't want to get its customers in a tizzy and face a PR disaster, but being transparent from the first inkling of a potential problem is the best course of action.
This is all Sony had to send to its customers on day one:
"Dear PSN customer, our network may have been hacked and your personal information may have been leaked. We're investigating the situation now and will keep you updated. In the meantime, it seems prudent to change the passwords and security question answers on all of your other online accounts, just to be safe. Whether the hackers were successful or not, we've hired two security teams to improve security on our network to avoid a similar problem in the future. We apologize for the inconvenience and will send another update soon."
Instead, whether it's deserved or not, Sony is now a laughing stock on tech podcasts and video game forums.
Frankie_Says_Relax
05-03-2011, 02:55 PM
I think it's safe to say that the title of this thread is officially incorrect.
Flack
05-03-2011, 04:24 PM
That's certainly a reason, but everybody seems to have a specific/individual issue on the matter ...
The amount of time between taking the networks down and reporting
Circumventable security
Alleged theft of info
Proposed reparations not being "good enough"
... and let's call a spade a spade, it's no secret that many harbor bias based on recent past business decisions by the electronics giant. The removal of Linux and PS2 backwards compatibility still resonate with many who feel "wronged" by those actions, and the public pursuit of George Hotz swatted the proverbial hornet's nest that likely spurred this intrusion.
So. Yeah. People don't like Sony much.
Except those of us who do.
It's always tended to be a challenge to be in the latter camp, these days it can be a real headache.
And this is the point where I bow out -- where people aren't willing to look at a situation objectively. Blindly defending Sony is just as annoying as blindly attacking them.
c0ldb33r
05-03-2011, 04:35 PM
There are two ways around this. The first is, use a password so long that it won't appear in a rainbow table ... Also, note that these tables are alphanumeric. Something like an ascii symbol would never appear in one.
If you had a password that included punctuation marks or other symbols like <>/=+-_ would that be included in these tables?
TonyTheTiger
05-03-2011, 04:43 PM
I think it's safe to say that the title of this thread is officially incorrect.
I just tried connecting and it's still down for me.
Frankie_Says_Relax
05-03-2011, 04:43 PM
And this is the point where I bow out -- where people aren't willing to look at a situation objectively. Blindly defending Sony is just as annoying as blindly attacking them.
Just so I'm clear, and I ask this with no intention to get in your or anybody else's face about this, since I think we've all remained remarkably civil.
Because I stated that I don't harbor any negative feelings/bias towards Sony for their recent past business decisions not specifically related to any criminal attack/data compromise, I'm somehow not looking at this situation objectively?
*edit* since I guess you've indeed bowed out, I'll take a moment to defend my position on the matter further.
For the record:
I don't think that Sony is 100% in the right here. They've obviously had clear security failings. I've never denied that. I've taken issue with editorial misrepresentation of fact through sensationalism, but, as I stated earlier, I'd have done that no matter what the company since that kind of thing typically burns me.
Where my personal position on Sony is concerned, I've said and done everything that I can to acknowledge the significance of the event while at the same time taking every opportunity to inject logic and reason into the discussion and prevent what I see as needless panic and fear mongering.
And where many have completely ignored them in favor of uniquely vilifying Sony, I've attempted to assign the appropriate amount of responsibility/blame on the hackers responsible for the criminal intrusion/potential theft of data in the first place.
Just because my opinion of Sony as a company isn't the popular one in this community and elsewhere, that doesn't mean that I think that they're completely free from responsibility. I simply feel that they've effectively publicly addressed their failings to date, apologized and have offered assistance and reparations where they're able.
Wearing my passion for Sony's product on my sleeve is just plain honesty, not necessarily me being subjective where this fiasco is concerned.
If Microsoft got hacked in the exact same fashion with the exact same results I'd be happy to throw my two cents in for their defense the same way as I have for Sony while at the same time stating in similar honesty that I've not always been a fan of their products and policies.
*shrug* not really sure what else to say about it. If I'm coming off with a bias where I'm trying to be logical/reasonable to a fault, I guess I'll just bow out on the subject too. Knew that was an inevitability from the get-go.
I just tried connecting and it's still down for me.
I was referring to the "no chatter" portion, but I suspect you already knew that.
TonyTheTiger
05-03-2011, 04:51 PM
I was referring to the "no chatter" portion, but I suspect you already knew that.
Actually, no. I thought that it had come back up since today was originally to be when it returned, right? Or was that also just a baseless rumor?
Me, I'ma jus wait it out and see what happens.
This. That pretty much sums up my mentality for this entire situation, while everyone else got their torches and pitchforks ready, I just waited to see what Sony had to say for themselves. There's no use in complaining when everything is said and done, it's not going to change what happened and only thing that's left to do is wait.
Frankie_Says_Relax
05-03-2011, 04:55 PM
Actually, no. I thought that it had come back up since today was originally to be when it returned, right? Or was that also just a baseless rumor?
Heh, thought you were being clever.
They did say that service was on track to be restored sometime this week, we'll see.
The reported SOE info compromise may have derailed that time line.
TonyTheTiger
05-03-2011, 05:09 PM
Heh, thought you were being clever.
You should know me better than that. :p
The 1 2 P
05-03-2011, 06:05 PM
And this is the point where I bow out -- where people aren't willing to look at a situation objectively. Blindly defending Sony is just as annoying as blindly attacking them.
Glad I'm not the only one who noticed, although I already brought this up a few days ago in this thread (http://www.digitpress.com/forum/showthread.php?t=153179&page=4). Some are going to hate Sony regardless of what they do and some will blindly defend them no matter how much worse the situation gets. I suppose those are the two sides of fan hatred and fan boys. Luckily most people in here have taken an objective view, where they are pissed that this happened but are willing to give Sony a chance to redeem themselves.
But at least we now know one of Sony's upcoming E3 announcements: that PSN will be up and running again by fall.....2012.
TonyTheTiger
05-03-2011, 07:03 PM
and some will blindly defend them no matter how much worse the situation gets.
...
but are willing to give Sony a chance to redeem themselves.
But isn't that the problem, though? That no matter how bad the situation gets, Sony gets the blame. And just the same, Sony is expected to be the ones to do the redeeming.
Like I said earlier, if Sony's security measures were substandard that would be one thing. But all evidence so far points to their security being at least equal to standard practice, at least matching what would be the equivalent of the reasonable person standard in tort law.
Are we really going to hold Sony (or any other person/entity/organization) to a strict liability standard? That no matter how reasonable you acted, no matter what the standard practice is, if anything at all goes wrong you will be held responsible, even in the case of a focused, premeditated criminal attack?
I think Sony making amends is good business, sure. They don't want to come off as callous. But to lay moral/legal blame? I think that's a stretch unless, again, they were not acting responsibly with the data.
For all the outrage that Sony must pay, where's the outrage that the hackers/thieves should be in jail?
j_factor
05-03-2011, 07:14 PM
Like I said earlier, if Sony's security measures were substandard that would be one thing. But all evidence so far points to their security being at least equal to standard practice
As Flack outlined above, this is not true.