
Thread: PSN down, and no DP chatter about it?

  1. #121
    ServBot (Level 11) TonyTheTiger's Avatar

    Security questions themselves are dumb as shit. It doesn't take much effort to obtain your mother's maiden name or the city in which you were born. If I absolutely am required to use one I'll always pick the option for info that would be "off the grid" like the name of my first pet or something. I really wish they weren't required most of the time.
    Last edited by TonyTheTiger; 05-03-2011 at 10:28 AM.

  2. #122
    ServBot (Level 11)

    ...wait. People actually use real answers for their security questions?

  3. #123
    Flawless Rawkality Flack's Avatar

    Quote Originally Posted by Frankie_Says_Relax View Post
    And where that is concerned, Sony has repeatedly stated that the only information that was compromised was your name, address, telephone number, DOB and login information.

    Stop willfully ignoring the fact that it's on the record that PSN Credit Card Details were NOT compromised.

    Despite the fact that gaming news sites keep running headlines that say "X amount of credit cards MAY have been compromised" there is NO EVIDENCE of that in the PSN database. Sony has made it clear several times over that security firms have audited their system and there is no evidence whatsoever that the fully encrypted credit card data was accessed or stolen.
    Actually what they have said since day one is that they don't know if the credit card database was stolen or not.

    Quoted from Sony's official statement: "While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."

    That, to me, doesn't say that the credit card database unequivocally wasn't stolen. What it says to me is, they can't tell if it was or not. When companies start saying that my information "may" have been leaked, that's good enough for me.

    Sony also clarified that user passwords were "hashed" but not "encrypted". Big difference. Put it this way -- your passwords on Digital Press are "hashed". Before we had terabytes of storage at our fingertips, hashes were pretty good protection. Unfortunately, with rainbow tables, cracking hashed passwords is child's play. Ironically, there is a huge accessible cache of rainbow tables currently being hosted on a group of networked PS3s. Go figure.

    I'll talk about hashes in another response not to bog this one down, but the bottom line is if you used your PSN password anywhere you should change it immediately.

  4. #124
    Flawless Rawkality Flack's Avatar

    Quote Originally Posted by TonyTheTiger View Post
    Security questions themselves are dumb as shit. It doesn't take much effort to obtain your mother's maiden name or the city in which you were born. If I absolutely am required to use one I'll always pick the option for info that would be "off the grid" like the name of my first pet or something. I really wish they weren't required most of the time.
    If you want the answers to someone's questions, go to Facebook. People continue to post dumb shit like this about once a month:

    "To get your Royal Name for the celebrations use this formula:

    Male: Lord + Grandfather's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name.

    Female: Lady + Grandmother's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name."


    Two Facebook password reset questions: "What was the name of your first pet?" and "What was the name of the street you grew up on?" Jesus Christ, people.

  5. #125
    Pac-Man (Level 10) NoahsMyBro's Avatar

    Quote Originally Posted by Flack View Post
    If you want the answers to someone's questions, go to Facebook. People continue to post dumb shit like this about once a month:

    "To get your Royal Name for the celebrations use this formula:

    Male: Lord + Grandfather's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name.

    Female: Lady + Grandmother's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name."


    Two Facebook password reset questions: "What was the name of your first pet?" and "What was the name of the street you grew up on?" Jesus Christ, people.
    That's really funny!
    "A 'Radical Centrist' ??? Isn't that like being a Take-No-Prisoners Pussy? " - Stephen Colbert


  6. #126
    Flawless Rawkality Flack's Avatar

    Hash vs. Salt vs. Encrypted

    Last response, then I gotta get back to real security work.

    Hashes are one-way encryption techniques used on passwords to store them safely. Unless the application you are using was written by a homeless hobo, the passwords are probably hashed. To make this simple, let's say that MD5 uses a hash of "64". Now let's take a look at three users. Their passwords are "111", "222", and "333". When a website like Digital Press stores your password, it doesn't store "111". It stores "111 x 64", or "7104". If your password is "222", the database actually has "14208" in it, and so on.

    When you log in and you put in "111" for your password, the application does NOT translate "7104" back into "111". It CAN'T -- hashes only work ONE WAY. Instead, what it does is multiply what you type in ("111") by "64" and gets 7104. It then compares those two answers. If they match, you put in the right password!

    The advantage to this system is, if someone downloads the entire database, all they have are the hashed passwords. Even with "7104", there's no way I can convert it back to your real password. Sounds pretty secure, right?

    Rainbow Tables are giant lists of hashed passwords. Even though we can never go back from "7104" back to "111", what we can do is randomly guess passwords and compare the results. Rainbow Tables are generated against specific known hashes, like MD5. FreeRainbowTables.com has them available for download (as do many other places). For example, for about 380GB, you can download the hashed version of every possible 8-character combination of numbers and letters. All you have to do at that point is search the database for "7104", which will tell you the original password of "111".

    There are two ways around this. The first is, use a password so long that it won't appear in a rainbow table. There's an NTLM rainbow table available on the above website that's 8 characters and 430GB. Creating rainbow tables for 12+ character passwords would take a lifetime, so those are safe. Also, note that these tables are alphanumeric. Something like an ASCII symbol would never appear in one.

    Salting is the other way to defeat rainbow tables. Salting hashes means adding another number to the equation. Let's say our salt number is 75. Now when a user enters "111", the password stored in the database is "111 x 64 x 75", or 532800. A rainbow table in this instance would be useless. The key to this working is keeping the salt value secret; not difficult with encryption and whatnot, unless someone steals your source code.

    ---

    PSN stored their passwords hashed, but not salted, which means anyone with the list of passwords and the link I posted above probably already has the password of every person with a < 9 character password.
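
Added example (not part of the post above, and not Sony's or Digital Press's code): a Python sketch of the comparison the post describes, with real MD5 standing in for the multiply-by-64 analogy and a per-user random salt with PBKDF2 as the salted scheme. The accounts, passwords and function names are constructed for illustration; unlike the single secret salt in the post, the salt here is random per user and stored beside the hash.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data); alice and carol share a password.
USERS = {"alice": "111", "bob": "222", "carol": "111"}


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; reusable against every unsalted MD5 dump.
    (A plain lookup table; real rainbow tables compress this with hash chains.)"""
    return {md5_hex(c): c for c in candidates}


def store_unsalted(users):
    return {user: md5_hex(pw) for user, pw in users.items()}


def recovered_by_table(stored_hex, table):
    """Which accounts a precomputed table resolves, given {user: hex digest}."""
    return {u: table[h] for u, h in stored_hex.items() if h in table}


def store_salted(users, iterations=100_000):
    """Per-user random salt + slow KDF. The salt is stored beside the hash in
    this example; its job is uniqueness, not secrecy."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        db[user] = (salt, iterations, digest)
    return db


def verify_salted(record, attempt: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def compare_schemes(users=USERS):
    # Every 3-digit password, hashed ahead of time (the post's "111".."333" case).
    table = build_lookup_table(f"{n:03d}" for n in range(1000))
    unsalted = store_unsalted(users)
    salted = store_salted(users)
    salted_hex = {u: rec[2].hex() for u, rec in salted.items()}
    return {
        "unsalted_recovered": recovered_by_table(unsalted, table),
        "salted_recovered": recovered_by_table(salted_hex, table),
        "unsalted_duplicates_visible": unsalted["alice"] == unsalted["carol"],
        "salted_duplicates_visible": salted["alice"][2] == salted["carol"][2],
        "login_ok": verify_salted(salted["alice"], "111"),
        "login_bad": verify_salted(salted["alice"], "112"),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Salting removes the payoff of precomputation and hides which accounts share a password, but a short password can still be guessed one account at a time. The iteration count is what makes each of those guesses expensive.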

  7. #127
    Flawless Rawkality Flack's Avatar

    Quote Originally Posted by NoahsMyBro View Post
    That's really funny!
    Here is one I copied from Facebook last year:

    THE NAME GAME

    1. YOUR ROCK STAR NAME: (first pet and current street)
    2. YOUR MOVIE STAR NAME: (grandfather/grandmother on your mother’s side, your favorite candy)
    3. YOUR “FLY GIRL/GUY” NAME: (first initial of first name, first two or three letters of your last name)
    4. YOUR DETECTIVE NAME: (favorite animal, favorite color)
    5. YOUR SOAP OPERA NAME: (middle name, city where you were born)
    6. YOUR STAR WARS NAME: (first 3 letters of your last name- last 3 letters of mother’s maiden name, first 3 letters of your pet’s name)
    7. JEDI NAME: (last name spelled backwards, your mom’s first name spelled backward)
    8. PORN STAR NAME: (friend’s middle name, street you grew up on)
    9. SUPERHERO NAME: (“The”, your favorite color, the automobile you drive)
    10. EMO BAND NAME: (first word in the top banner ad above, city of the away team of the last major sporting event you went to/remember)


    They should have one called your "Dumbass Name" where your first name is just your password and your last name is your SSN.

    One last thought: last year when Sarah Palin's e-mail got hacked, she was using Yahoo Mail. The way hackers gained access to her account was by resetting her password by using her security questions. Her 3 questions were: her zip code, her birth date, and where she met her spouse. All three questions were found via Google. The zip code took two tries. Her birth date was listed on Wikipedia. Where she met her husband (Wasilla High) showed up in Google.

  8. #128
    Don't do it...or,do. (shrugs) Custom rank graphic
    Frankie_Says_Relax's Avatar

    Quote Originally Posted by Flack View Post
    ...to me, doesn't say that the credit card database unequivocally wasn't stolen...
    But it does not state that it unequivocally was stolen either.

    My issue, which I feel like I've made clear exhaustively at this point is that people, news outlets, blogs, etc. are frequently stating it as fact (ie "Our credit card records were stolen.") where there are currently no official reports that corroborate that.

    Even if we agree to work from the logic that Sony is "not sure" if credit card data in their encrypted servers was stolen, until there is demonstrable, verifiable proof of theft, as much as one person coming forward with verifiable evidence that can be linked to a compromise of Sony's encrypted credit card servers I'm going to continue to take issue with the indication that this has empirically, factually happened.

    That's just me. Can't help myself.

    That aside, as I've also stated repeatedly, there is absolutely nothing wrong with people taking every measure that they need to to be smart, be secure, and be safe going forward based on the news of this data compromise.
    "And the book says: 'We may be through with the past, but the past ain't through with us.'"


  9. #129
    ServBot (Level 11) TonyTheTiger's Avatar

    Quote Originally Posted by Flack View Post
    If you want the answers to someone's questions, go to Facebook. People continue to post dumb shit like this about once a month:

    "To get your Royal Name for the celebrations use this formula:

    Male: Lord + Grandfather's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name.

    Female: Lady + Grandmother's First Name + First Pet's Name + Street Name you grew up on = Your Royal Name."


    Two Facebook password reset questions: "What was the name of your first pet?" and "What was the name of the street you grew up on?" Jesus Christ, people.
    It doesn't matter in this case. That was my point if it's true that the answers were leaked. You could have said your mother's maiden name was %4das34 and it wouldn't make a lick of difference. That's why it's stupid organizations mandate security questions. It's just another point of fail.

    But I also want to point out that, again, this could have happened to any organization. Which is why I don't get the hate for Sony in particular. It makes me think that I may as well rob a Home Depot and grab whatever customer credit card documentation they may have. While people are busy blaming Home Depot and demanding restitution I get to be the phantom nobody thinks to go after.
    Last edited by TonyTheTiger; 05-03-2011 at 12:46 PM.

  10. #130
    ServBot (Level 11) Rob2600's Avatar

    Quote Originally Posted by TonyTheTiger View Post
    That was my point if it's true that the answers were leaked. You could have said your mother's maiden name was %4das34 and it wouldn't make a lick of difference. That's why it's stupid organizations mandate security questions. It's just another point of fail.
    If the hackers obtained my email address and PSN password, they could try that same password to get into my email account. If I use a different password, the hackers can't get in unless they have the answers to my security questions.

    In this case, the hackers supposedly *did* obtain the answers to the security questions, so now even if I used a different password for all of my online accounts, they have a much better chance of getting in if the same security questions/answers are used on different accounts.


    In other words, if I typed in "%4das34" as my mother's maiden name in my PSN account *and* in my email account, the hackers will have a much easier time getting into my email...and once they're in, they can see which bank I use (assuming I have some bank emails in there)...and once they know which bank I use, they have my security question answers to also get into my online bank account.


    Anyway, that's the reason why people are getting so upset. People don't care that they can't play their online games; they care that hackers had an entire week to get into their email accounts, bank accounts, credit card accounts, etc. while Sony was silent.


    Quote Originally Posted by TonyTheTiger View Post
    But I also want to point out that, again, this could have happened to any organization. Which is why I don't get the hate for Sony in particular.
    I think a lot of the hate comes from the fact that Sony was silent for a week. If Sony had sent a daily email update keeping its customers informed about the situation, that would have helped dramatically, allowing people to take precautions sooner.
    Last edited by Rob2600; 05-03-2011 at 01:04 PM.

  11. #131
    Don't do it...or,do. (shrugs) Custom rank graphic
    Frankie_Says_Relax's Avatar

    Since it's relevant to current points brought up ...

    It appears that for forthcoming security measures Sony won't be using those "security questions". Here's a response from a Sony Exec on the official blog:

    + Patrick Seybold on May 2nd, 2011 at 2:50 pm said:

    Those security questions will not be used. As an added layer of security, the password can only be reset on the hardware in which it was created, or through a validated email confirmation. If necessary, Customer Service representatives have alternative methods of validating accounts, but the primary means will be through the console on which the account was created.


    Quote Originally Posted by Rob2600 View Post
    I think a lot of the hate comes from the fact that Sony was silent for a week. If Sony had sent a daily email update keeping its customers informed about the situation, that would have helped dramatically, allowing people to take precautions sooner.
    Do you REALLY believe that if it were 10 minutes, 24 hours or one week that there would be any dramatic difference in the reaction of the community or the snowball effect of the reaction that we're seeing?
    Last edited by Frankie_Says_Relax; 05-03-2011 at 01:02 PM.
    "And the book says: 'We may be through with the past, but the past ain't through with us.'"


  12. #132
    ServBot (Level 11) Rob2600's Avatar

    Quote Originally Posted by Frankie_Says_Relax View Post
    Do you REALLY believe that if it were 10 minutes, 24 hours or one week that there would be any dramatic difference in the reaction of the community or the snowball effect of the reaction that we're seeing?
    You're right, PSN customers would be upset no matter what, but the fact that Sony was silent for a week (therefore giving the hackers that whole week to get into people's online financial accounts unbeknownst to the victims) made the situation much worse.

    I realize Sony wanted to avoid a public relations nightmare, but in the end, it's always better to be transparent with customers from the very first minute. Now unfortunately, Sony faces a much worse PR nightmare instead, whether it's deserved or not.


    I don't care who the company is- whether it's Amazon, Bank of America, Best Buy, or Apple- if it's hacked, I want to know about it immediately so I can decide whether or not I have to take precautions. I'd be annoyed, but I'd respect the company for doing that. However, if Amazon were hacked and it didn't let me know until a week later, I'd be furious and would never use its service again.

    And of course, I'd want the hackers brought to justice, too.


    It's unfortunate that Sony was hacked, but it's also unfortunate the way Sony handled the situation.
    Last edited by Rob2600; 05-03-2011 at 01:29 PM.

  13. #133
    ServBot (Level 11) TonyTheTiger's Avatar

    Quote Originally Posted by Frankie_Says_Relax View Post
    Since it's relevant to current points brought up ...

    It appears that for forthcoming security measures Sony won't be using those "security questions". Here's a response from a Sony Exec on the official blog:

    + Patrick Seybold on May 2nd, 2011 at 2:50 pm said:

    Those security questions will not be used. As an added layer of security, the password can only be reset on the hardware in which it was created, or through a validated email confirmation. If necessary, Customer Service representatives have alternative methods of validating accounts, but the primary means will be through the console on which the account was created.
    Works for me. The more of that data they throw out the better.


    Quote Originally Posted by Frankie_Says_Relax View Post
    Do you REALLY believe that if it were 10 minutes, 24 hours or one week that there would be any dramatic difference in the reaction of the community or the snowball effect of the reaction that we're seeing?
    I know I don't. I think that it's natural (although not particularly prudent) to go after the known entity involved in the event rather than the unknown one. And if the known entity happens to be a big faceless corporation, all the easier to lay blame. The cynical attitude here would be to conclude that Sony, the victim of a crime, takes the blame for other victims'/potential victims' losses and the actual criminal(s) walks away scot free, maybe even taking advantage of Sony's restitution himself.

  14. #134
    Don't do it...or,do. (shrugs) Custom rank graphic
    Frankie_Says_Relax's Avatar

    Quote Originally Posted by Rob2600 View Post
    You're right, PSN customers would be upset no matter what, but the fact that Sony was silent for a week (giving the hackers time to get into people's online financial accounts) made the situation much worse.
    Well, all anybody can do at this point is be smart, be safe and move on.

    If they feel the need to cancel a credit card, empty their bank account, get fraud protection services, sell their PS3/PSP, boycott all future Sony products, write a letter to their senator, file a lawsuit against Sony, run naked through the streets or preemptively shuffle off this mortal coil by their own hands so be it.

    Me, I'ma jus wait it out and see what happens.

    Or, maybe I'll do that naked thing.
    "And the book says: 'We may be through with the past, but the past ain't through with us.'"


  15. #135
    ServBot (Level 11) Rob2600's Avatar

    Quote Originally Posted by Frankie_Says_Relax View Post
    Well, all anybody can do at this point is be smart, be safe and move on.
    At this point, yes. But for those who are wondering why people are so upset with Sony right now, that's the reason (that week of silence).

  16. #136
    ServBot (Level 11) TonyTheTiger's Avatar

    What's the standard amount of time before thinking there may have been an intrusion, finding out there was one, and making a public statement? If that turnaround usually takes a day or two then sure. But I'm not sure if a week is entirely out of the ordinary. How long did the Gawker debacle take? I don't remember off hand.

  17. #137
    Don't do it...or,do. (shrugs) Custom rank graphic
    Frankie_Says_Relax's Avatar

    Quote Originally Posted by Rob2600 View Post
    At this point, yes. But for those who are wondering why people are so upset with Sony right now, that's the reason (that week of silence).
    That's certainly a reason, but everybody seems to have a specific/individual issue on the matter ...

    • The amount of time between taking the networks down and reporting
    • Circumventable security
    • Alleged theft of info
    • Proposed reparations not being "good enough"


    ... and let's call a spade a spade, it's no secret that many harbor bias based on recent past business decisions by the electronics giant. The removal of Linux and PS2 backwards compatibility still resonate with many who feel "wronged" by those actions, and the public pursuit of George Hotz swatted the proverbial hornet's nest that likely spurred this intrusion.

    So. Yeah. People don't like Sony much.

    Except those of us who do.

    It's always tended to be a challenge to be in the latter camp, these days it can be a real headache.
    "And the book says: 'We may be through with the past, but the past ain't through with us.'"


  18. #138
    ServBot (Level 11) Rob2600's Avatar

    Quote Originally Posted by TonyTheTiger View Post
    What's the standard amount of time before thinking there may have been an intrusion, finding out there was one, and making a public statement?
    I don't know, but if there was even a question of an intrusion, Sony should've sent its customers an email right from the start stating there *may* have been an attack and personal data *may* have been compromised. That way, customers can decide for themselves how to proceed.

    Again, I understand Sony didn't want to get its customers in a tizzy and face a PR disaster, but being transparent from the first inkling of a potential problem is the best course of action.

    This is all Sony had to send to its customers on day one:

    "Dear PSN customer, our network may have been hacked and your personal information may have been leaked. We're investigating the situation now and will keep you updated. In the meantime, it seems prudent to change the passwords and security question answers on all of your other online accounts, just to be safe. Whether the hackers were successful or not, we've hired two security teams to improve security on our network to avoid a similar problem in the future. We apologize for the inconvenience and will send another update soon."

    Instead, whether it's deserved or not, Sony is now a laughing stock on tech podcasts and video game forums.

  19. #139
    Don't do it...or,do. (shrugs) Custom rank graphic
    Frankie_Says_Relax's Avatar

    I think it's safe to say that the title of this thread is officially incorrect.
    "And the book says: 'We may be through with the past, but the past ain't through with us.'"


  20. #140
    Flawless Rawkality Flack's Avatar

    Quote Originally Posted by Frankie_Says_Relax View Post
    That's certainly a reason, but everybody seems to have a specific/individual issue on the matter ...

    • The amount of time between taking the networks down and reporting
    • Circumventable security
    • Alleged theft of info
    • Proposed reparations not being "good enough"


    ... and let's call a spade a spade, it's no secret that many harbor bias based on recent past business decisions by the electronics giant. The removal of Linux and PS2 backwards compatibility still resonate with many who feel "wronged" by those actions, and the public pursuit of George Hotz swatted the proverbial hornet's nest that likely spurred this intrusion.

    So. Yeah. People don't like Sony much.

    Except those of us who do.

    It's always tended to be a challenge to be in the latter camp, these days it can be a real headache.
    And this is the point where I bow out -- where people aren't willing to look at a situation objectively. Blindly defending Sony is just as annoying as blindly attacking them.
