/me watches mailbox intently...
This signature is dedicated to all those
cyberpunks who fight against injustice
and corruption every day of their lives
Gahhh ... just when I thought I was out ... they pull me back in.
Well, Bruce Schneier did anyway.
This is an interesting read on the matter containing the unfiltered opinions of a person that many consider to be an expert in his field.
http://ca.kotaku.com/5797602/dont-bl...t-any-networks
Last edited by Frankie_Says_Relax; 05-04-2011 at 12:51 PM.
"And the book says: 'We may be through with the past, but the past ain't through with us.'"
The latest lawsuit for.......1....billion....dollars.
Last edited by The 1 2 P; 05-05-2011 at 05:45 PM.
ALL HAIL THE 1 2 P
Originally Posted by THE 1 2 P
Sony details steps that they took after the hack. Only quoting part of it, but read the rest if you'd like. From what it states though, once they confirmed that information was stolen, we were notified the next day. So Sony didn't know day one that the information was stolen, they just knew that there was a breach in their system and took it offline until they checked it out. So technically, we were all notified within a day, not a week.
On April 19, at 4:15 p.m. Pacific, members of the Sony Network Entertainment America network team detected unauthorized activity in the network system, according to the letter.
"The network service team immediately began to evaluate this activity by reviewing running logs and analyzing information in order to determine if there was a problem with the system," Hirai writes.
On April 20, in the early afternoon, the team discovered evidence that the unauthorized intrusion had occurred and that data of some kind had been taken from the Playstation Network servers. The team didn't know what the data was, so they shut the system down.
That shut down kicked off what Hirai calls an "exhaustive and highly sophisticated process of identifying the means of access and the nature and scope of the theft."
Later that afternoon, Sony Network Entertainment of America brought on a "recognized security and forensic consulting firm" to copy the servers and begin a deeper investigation into the break-in. As the investigation continued, Hirai writes, the scope and complexity grew.
On April 21, Sony brought in a second computer security and forensic consulting firm to help. By the evening of April 23, the experts confirmed that intruders had used "very sophisticated and aggressive techniques" to break into the network undetected.
On Easter Sunday, now realizing how serious the breach was, Sony brought on a third team that specialized in these sorts of intrusions. By April 25, the teams confirmed that personal data had been stolen from the network, but still could not determine whether credit card info was stolen.
On April 26 Sony notified users that personal information had been taken and that they could not rule out credit card theft.
http://kotaku.com/#!5798492/sony-exp...yberterrorists
They still should've notified us all, when they shut the system down, why they did so.
So in short, the breach happened that Wednesday and they didn't know the severity of it until Monday, which is when they made the announcement about the personal data being stolen. I thought this would have been common knowledge by now, but I guess a hater is gonna hate right?
Again I'm not saying that Sony isn't without fault here, but people are acting like they kept the entire breach a secret and then laid it all out on us a week later.
Looks like Sony was more guilty of their portion of the blame than we initially thought. Looks like those two lawsuits will have a little bit of ground to work with now.
Originally Posted by THE 1 2 P
From the article:
"Dr. Gene Spafford, a professor of computer science at Purdue University since 1987 and an expert in information security (he's the editor of the oldest journal in the field of information security), was part of a panel that provided testimony on just how terribly weak Sony's system was. Spafford pointed out that numerous weaknesses in Sony's system actually became evident via security mailing lists a considerable time (read: months) before the breach occurred.
Worse yet, Spafford noted that key parts of PSN actually ran on Apache servers that "were unpatched and had no firewall installed." He said that this was known because of comments in a forum frequently visited by Sony employees.
Bottom line: if the severe network weaknesses were known months in advance and Sony made no attempts to enhance the security of their systems, even as major threats were being made publicly by Anonymous, then Sony looks highly culpable for negligence in this fiasco."
The frightening thing is: how many other giant companies have similarly unprotected networks??
That's exactly my point. Even taking this as true, we still don't know whether or not that qualifies as negligent. Sure, in hindsight (or even foresight depending on how knowledgeable a person might be) this looks bad. And no doubt about it, it is bad. But depending on how things play out, Sony might just be able to say "But this is just how it's always been done." At some point that excuse might not fly as the world gradually gets more sophisticated. But there's still a chance it might work today depending on the norms this industry and others operate on day to day.
It's scary to think that huge companies we trust with our information are not Fort Knox. But I wouldn't be surprised to hear that it's a pretty common thing.
Last edited by TonyTheTiger; 05-05-2011 at 05:19 PM.
From:
http://ca.kotaku.com/5797602/dont-bl...t-any-networks
(Again, worth a read in full if you haven't yet.)
Bruce Schneier, internationally renowned security technologist and author of Applied Cryptography, Secrets and Lies and Schneier on Security, said:
... "Everyone is probably equally sucky," he said of network security in general. "Some may be better than others."
"Unfortunately, the moral here is that you give your information to a third-party, blindly trusting them, a bank, a credit card company, a phone company, Amazon, J. Crew, or Sony. You are blindly trusting that they will use the information wisely and secure it. And you have no say how they do that and you have no recourse if they fuck up."
But, the famously cynical Schneier adds, "Even with all of that, most people are really safe all of the time."
"You're doing OK, I'm doing OK. I buy stuff online all of the time. I bank online. And what other option is there?"
Sorry for the double post, this was too noteworthy to let go.
http://blog.us.playstation.com/2011/...ward-stringer/
A program for U.S. PlayStation Network and Qriocity customers that includes a $1 million identity theft insurance policy per user was launched earlier today and announcements for other regions will be coming soon.
Alrighty then.
So we all get free identity theft insurance good for up to $1,000,000.00 per user with Debix.
http://blog.us.playstation.com/2011/...ugh-debix-inc/
No matter what side of the issue you're on, I hope that we're all capable of seeing that as a decent (also necessary) reparation.
Completely agree that this move by Sony is necessary and satisfactory. Much better than some free games or crap like that.
Life is like a hurricane...
Hmm, now to wonder when they will get the network back online. If this thread gets its name changed to "PSN now back online" or a new thread is created for that, that would be awesome. I don't want to hook my PS3 back up until it's fixed.
Has anyone had any problems with their digital downloads after accepting the changes in April? I want to make sure Vandal-Hearts: Flames of Judgement and Sonic 4: Episode I both still work just fine.
It doesn't matter if other companies do the same thing, hooking up an unpatched server to the open network without a firewall is negligent. It's also worth noting that leaving your server in that state after being told it's vulnerable, even as a hacker group is publicly announcing it will target you, is also negligent.
Whether or not it's a matter of what is or is not "industry standard", in this day and age the potential for sub-par network security on a massive entertainment platform is indeed a problem that hackers have, through this Sony fiasco, exposed to the public and to the mainstream media.
I know that saying what has happened in the past is moot isn't what some people want to hear, but frankly, unless a company has professed that they're not going to make changes to fix/better the situation, it is ultimately moot. It looks like the message of many was clearly heard, understood and taken seriously and changes have been made.
And, hopefully other companies that may hold our personal/sensitive data and may have similarly not encrypted every level of data are now scrambling to take similar measures based on the public outcry and government involvement in this case. That would actually be an unaccounted for positive to come out of this.
Aside from everything that Sony is reporting about increasing and monitoring security moving forward, I'm quite certain that they'll be running the top of the line firewalls and encrypting everything on every single level of their database that needs it when they flip that switch back on. I shudder to think of the repercussions if they were to bring the network back up and somebody uncovers that it's running identically to the way it was prior to the compromise.
And, as far as I'm aware there are still no reports of fraud directly linked to this intrusion. Shortly Sony will be footing the bill on identity protection/insurance services for all registered PSN users, so, hopefully that will stave off any potential damage there.
Total clusterfuck of a situation? Yes indeedy. Total.
Reasonable outcome from said clusterfuck?
Looks like it to me, and even some less optimistic folks I've discussed it with seem to think that this was the best that we could have hoped for all things considered.
- Public apology.
- Internal identification/recognition of technical/security failings.
- Correction of those failings that addresses both the problem that occurred and the possibility for other similar and/or potentially unrelated security problems.
- Complimentary products and fraud protection/insurance services offered to all affected.
Aside from the random people who want "emotional damages" accounted for/addressed, what else would Sony need to do to reasonably rectify this thing?