Originally posted by lukeborgman After yet another SOE Facebook post saying "SOE services will remain offline today...", I've seen another person comment that refers to some statement by SOE that servers will be up by May 31. Can anyone cite the source (post an URL) for where SOE stated that plan? Although I'm a bit surprised that being down for a month is the best they can do, it'd be nice to see them actually communicating a plan. So far, their customer relations has been just slightly better than nothing.
It's PSN, not SOE. People care little about 'details' on these boards...
Even if we accept that all the information that we've heard about this incident is pure specualtion and we don't have any real facts because we aren't privy to what actualy happened, we can NOT conclude that SONY "did nothing wong"
Why not?
If there is no evidence they did anything wrong, the conclusion is that there is no evidence they did anything wrong. Simple as that and no more than I am saying...
(Note: I did say that outdated database in SOE network was something that seems as very wrong. If there is reason to doubt, I do doubt but I am just careful with reasons)
1) If you have no evidence that there was anything stolen(SOE) there is no potential thus only what you can announce is that you have no evidence about data theft - exactly what SOE did.
2) Discussed in other thread.
From what I could read(years back though), was that Europe got way more strict rules about personal data handling than US and I am familiar with EU legislative and know how loose it is. Basically it says: Just don't let it laying freely around and it will be ok.
I have said same thing earlier on in these posts like this where people attack them with not one iota of evidence suggesting that they are at fault. People always like to point fingers and never seem to step back and ask the important questions. I agree with you 100% as stated by me before the same concerns.
After yet another SOE Facebook post saying "SOE services will remain offline today...", I've seen another person comment that refers to some statement by SOE that servers will be up by May 31. Can anyone cite the source (post an URL) for where SOE stated that plan?
Although I'm a bit surprised that being down for a month is the best they can do, it'd be nice to see them actually communicating a plan. So far, their customer relations has been just slightly better than nothing.
It's PSN, not SOE. People care little about 'details' on these boards...
Wrong there was an article that mentioned they hoped to have BOTH up by may 31 in the san francisco chronicle. What people care little for is your jihad to relieve $oe of any and all fault,negligence,or wrongdoing hidden behind spin and misdirection.
They were trusted with peoples details, both personal and financial. They have a duty of care to protect this information. European law is very strict on the responsibilities placed on companys who hold such information.
On the issue as to wether they have done something wrong or not. I have received my Email as an ex SOE customer living in the UK. It states quite clearly that my details including debit card, email and postal address have been compromised.
In February of this year I specifically requested ( and still retain the email) that my details were removed from their servers, as my wifes account had been hacked and SOE were quite rude when she tried to get assistance. We both quit EQ2 and requested all our details were wiped. I now have an email from SOE stating that unfortunately our request was not carried out.
Now I have the problem and worry of wether this information will lead to fraud or other problems.
Originally posted by JeroKane As long as PSN isn't up and running, so won't SOE's network. Read the news! SOE's communication has always been lackluster and they are "renown" for keeping their customers in the dark. But a Sony spokesman has already said that BOTH networks won't be up before May 31st ! Not just PSN.
They were trusted with peoples details, both personal and financial. They have a duty of care to protect this information. European law is very strict on the responsibilities placed on companys who hold such information.
On the issue as to wether they have done something wrong or not. I have received my Email as an ex SOE customer living in the UK. It states quite clearly that my details including debit card, email and postal address have been compromised.
In February of this year I specifically requested ( and still retain the email) that my details were removed from their servers, as my wifes account had been hacked and SOE were quite rude when she tried to get assistance. We both quit EQ2 and requested all our details were wiped. I now have an email from SOE stating that unfortunately our request was not carried out.
Now I have the problem and worry of wether this information will lead to fraud or other problems.
No of course Sony have done nothing wrong...
This...
As if being a SWG vet wasnt bad enough.. they also compromise your accounts and all your PII.. if anything.. this whole situation is a reaffirmation of everything that i've come to dislike about SOE.. and of course.. SONY.. i'd laugh at them if only my own account/personal details hadnt been compromised.. as it is.. im just furious'er (x10)
Here are some sites that if you go to them you can see that this was coming. As to whether or not anyone was actually on top of this stuff hard enough is another question but even some of our government agencies have been compromised by all of these cyber attacks so if you would like more information on just how serious these hackers are check out these sites.
Even if we accept that all the information that we've heard about this incident is pure specualtion and we don't have any real facts because we aren't privy to what actualy happened, we can NOT conclude that SONY "did nothing wong"
Why not?
If there is no evidence they did anything wrong, the conclusion is that there is no evidence they did anything wrong. Simple as that and no more than I am saying...
(Note: I did say that outdated database in SOE network was something that seems as very wrong. If there is reason to doubt, I do doubt but I am just careful with reasons)
1) If you have no evidence that there was anything stolen(SOE) there is no potential thus only what you can announce is that you have no evidence about data theft - exactly what SOE did.
2) Discussed in other thread.
From what I could read(years back though), was that Europe got way more strict rules about personal data handling than US and I am familiar with EU legislative and know how loose it is. Basically it says: Just don't let it laying freely around and it will be ok.
There is no evidence that flying pink unicorns don't exist on a planet orbiting Alpha Centuri, by your logic does that mean the statement "Flying pink unicorns exist in the Alpha Centuri system" is supportable?
- SONY network security was breached.
- By your own admission, you lack sufficient knowledge of how that breach was achieved or what security measures needed to be overcome.
The best you can supportably claim under the above is "I lack sufficient evidence to make a conclusion"
To supportably claim that "SONY did nothing wrong" ( a postive statement of opinion), you would need some detailed knowledge of the security controls that SONY had in place and how they were overcome in order to judge that thier measures were upto a reasonable standard.
You've taken others in this thread to task for making postive statements of opinion i.e. "Sony screwed up" without any factual data to support such a claim... yet hear you are doing exactly the same thing in reverse. I call shenanigans.
Even if we accept that all the information that we've heard about this incident is pure specualtion and we don't have any real facts because we aren't privy to what actualy happened, we can NOT conclude that SONY "did nothing wong"
Why not?
If there is no evidence they did anything wrong, the conclusion is that there is no evidence they did anything wrong. Simple as that and no more than I am saying...
(Note: I did say that outdated database in SOE network was something that seems as very wrong. If there is reason to doubt, I do doubt but I am just careful with reasons)
1) If you have no evidence that there was anything stolen(SOE) there is no potential thus only what you can announce is that you have no evidence about data theft - exactly what SOE did.
2) Discussed in other thread.
From what I could read(years back though), was that Europe got way more strict rules about personal data handling than US and I am familiar with EU legislative and know how loose it is. Basically it says: Just don't let it laying freely around and it will be ok.
2) Did you actualy even bother to read the text of the MA statute that I cited? Or lookup the NV one. I don't care what your experience in Europe is. Part of my job is dealing proffesionaly with technical requirements for compliance with such statutes...they most definately do NOT boil down to "Just don't let it laying freely around and it will be ok".
The language of the MA statute specificaly states that if your collect PII on MA citizens it MUST be encrypted both on disk and when in transit over any public network (i.e. the internet) . Period. No exceptions. That's the law. If SONY had any such information stored in unencrypted format on it's servers, it was out of compliance. period.
Are you nutcases still arguing that nothing was stolen from SOE?
In case this is aimed at my post above, read it again and read post I was replying to.
As long as PSN isn't up and running, so won't SOE's network.
Read the news! SOE's communication has always been lackluster and they are "renown" for keeping their customers in the dark.
But a Sony spokesman has already said that BOTH networks won't be up before May 31st ! Not just PSN.
You have been the king of misleading people in the whole Sony debacle.
Playing: PO, EVE Waiting for: WoD Favourite MMOs: VG, EVE, FE and DDO Any person who expresses rage and loathing for an MMO is preposterous. He or she is like a person who has put on full armor and attacked a hot fudge sundae.
Are you nutcases still arguing that nothing was stolen from SOE?
In case this is aimed at my post above, read it again and read post I was replying to.
As long as PSN isn't up and running, so won't SOE's network.
Read the news! SOE's communication has always been lackluster and they are "renown" for keeping their customers in the dark.
But a Sony spokesman has already said that BOTH networks won't be up before May 31st ! Not just PSN.
You have been the king of misleading people in the whole Sony debacle.
So far there have been many conjectures as to when it will be up. I am not totally sure where this information is coming from because Sony itself has not given any ETA and do I blame them? Heck no! At this time releasing an ETA might not only be a security risk but if they don't meet it then they will have a whole lot of angry players.
The only thing that has come straight from Sony themselves is at LEAST a few more days.
Now looking at everything combined my assumption would be that yes it means SOE will be up probably and hopefully at the same time as the PSN network considering they both use the internet and everything they have is connected in one way or the other.
For myself I am keeping up on eq2wire with the daily updates and facebook. There is also Twitter who Sony is communicating with as well.
And I am not sure but I do not believe that the May 31st date was actually collaberated by any Sony employees that I heard of.
Are you nutcases still arguing that nothing was stolen from SOE?
In case this is aimed at my post above, read it again and read post I was replying to.
As long as PSN isn't up and running, so won't SOE's network.
Read the news! SOE's communication has always been lackluster and they are "renown" for keeping their customers in the dark.
But a Sony spokesman has already said that BOTH networks won't be up before May 31st ! Not just PSN.
You have been the king of misleading people in the whole Sony debacle.
Really? What is misleading about what jerokane has stated. Lets see how it looks
As long as PSN isn't up and running, so won't SOE's network.
How did it work out for Sony to allow SOE to proclaim itself secure, customers data was safe are return to online status less that 24 hours after the PSN went down on April 20th? Sony had to eat a big plate of crap, because SOE screwed up, misinformed their clients and had to be taken offline a second time.
Read the news! SOE's communication has always been lackluster and they are "renown" for keeping their customers in the dark.
Is SOE good about keeping their playerbase informed?
Did EQ2 players have advance knowledge that the station cash store existed before it was patched live in an overnight update? no.
Did the lead producer mislead the playerbase about EQ2 adopting a F2P model by omitting the fact that at the very moment he answered the question SOE was converting EQ2 to run as a F2P game that launched less than 30 days later? Yes
Did SOE make vague references to resolving the population issues with DCU nearly 2.5 months ago? Yes. Did they release information that was so non-descript that players cannot tell if it is cross servers ques, server mergers or something else? Yes.
Has SOE not updated their webpage on over more than a week? Yes.
It is almost corporate policy to keep players in the dark.
But a Sony spokesman has already said that BOTH networks won't be up before May 31st ! Not just PSN.
Calm down!!!! Fact is it happened. Life happens. Sony got hacked=part of the bed of roses with all of the thorns or =the bowl of cherries with all of the pits in it.
Sony will be up when everything is fixed and secure=fact.
Fact=Patience is a virtue. To get so emotionally worked up over what someone else says in this or over the fact that you do not agree is not healthy for you or your mental state of mind.
Truth is it is time to be patient and wait just like we had to wait for them to finally find Osama Bin Ladan a decade later. There is nothing we can reach in and do to change what has already happened all we can do is hope that all of the problems get worked out and that everything comes back up ok.
It has already been proven that Sony had the latest up-to-date security and it was patched. Hackers will get in when they want. It is like my Uncle always used to tell me. The only thing a lock keeps out is an honest person. If a criminal wants in bad enough they will get in one way or another with or without locks in their way.
Does it suck? Fact=YES!!!! But is there anything we can really do about it? All we can do is try to come to grips with what has happened and I have found that most people are finally getting there after venting enough but if you don't calm down you'll have a heart attack at an early age. And why? Because you did not do what it takes to secure yourself from not having it. And no I am not saying this as a personal attack. I would not wish that on anyone.
Best thing to do is just realize all we can do as citizens and victims at this point is to be patient and give authorities and what ever other entities were brought in the time needed to solve this diobolical crime, hopefully implement the best security put out thus far, and fix whatever damage was done.
[1] Sony will be up when everything is fixed and secure=fact.
[2] It has already been proven that Sony had the latest up-to-date security and it was patched.
[1]
That is what SOE said on Feb 21st when they put their servers back online and on Feb 28th when they said no data was stolen. What happened on May 2nd? Servers came down, because there are still problems. It wasn't until May 2nd that SOE decided to get outside help.
The only fact is that SOE did put the servers back online when they were not secure. You can HOPE they fix everything, but who knows what will happen.
[2]
Sonys chief information officer said their network had known vulnerabilities and there was more work they should have done to keep the network secure. That dismisses any claims that Sonys network was up to date. If sony was running the most current security features then that would mean this exploit existed on every network and hackers would waltz to all of them at will.
I know you really want to go to bat for SOE, but it really isn't your place to tell people to be quiet on a discussion forum.
Originally posted by GrumpyMel2 There is no evidence that flying pink unicorns don't exist on a planet orbiting Alpha Centuri, by your logic does that mean the statement "Flying pink unicorns exist in the Alpha Centuri system" is supportable?
Fixed:
There is no evidence that Sony did anything wrong, by your logic does that mean the statement: "Sony did something wrong" is supportable?
There you go.
And no, I am not doing the same because my comment is related to evidence, not absolute values...I think we had this discussion already...
[1] Sony will be up when everything is fixed and secure=fact.
[2] It has already been proven that Sony had the latest up-to-date security and it was patched.
[1]
That is what SOE said on Feb 21st when they put their servers back online and on Feb 28th when they said no data was stolen. What happened on May 2nd? Servers came down, because there are still problems. It wasn't until May 2nd that SOE decided to get outside help.
The only fact is that SOE did put the servers back online when they were not secure. You can HOPE they fix everything, but who knows what will happen.
[2]
Sonys chief information officer said their network had known vulnerabilities and there was more work they should have done to keep the network secure. That dismisses any claims that Sonys network was up to date. If sony was running the most current security features then that would mean this exploit existed on every network and hackers would waltz to all of them at will.
I know you really want to go to bat for SOE, but it really isn't your place to tell people to be quiet on a discussion forum.
1. Firstly, it wasn't February, it was April. At the time when they came up, they said based on investigations at that time, the attack only appeared to have been on the PSN. This would have been concluded by the secutiry team that were looking into the PSN attack. SOE was only taken at that time by Sony as a precautionary measure. There was no announcement that I can remember that mentioned anything about changing their security defenses after that initial downtime on the 21st, but it's hard to confirm this when the forums are down, where the response announcement was made.
It wasn't until the secutiry teams working on the PSN progressed through their investigations did they find that SOE had also been accessed. This isn't a failing specific to SOE but SCEI as a whole as their investigators are the ones that likely assumed based on prelimery investigations that SOE was fine. Either way, it's pointless argument - SOE wasn't brought down a second time due to a second attack after the intial April 21 downtime but due to evidence being discovered that showed that SOE had also been compromised in the initial attack that also took down the PSN on April 21. There was no second attack, it's all part of the original attack.
2. You're incorrect. It's been shown how you can use Google's search results to show that Sony's web servers were using the latest version of Apache. This doesn't mean that every other web server running that software is vulnerable, it just means that the way in which Sony has setup their websites was vulnerable. At a guess, I would expect they were using custom built add-ons for the webserver to intergrate their login services and this is what likely had the vulnerability.
It's certainly easy to beat up on Sony for this and to an extent, they do deserve some of it. However, this situation is not unique to Sony and nor will they be the last, it's just a case of "being in the wrong place at the wrong time". Secutiry vulnerabilities exist in all peices of software that connect to the Internet, leaving a constant game of tag between developers and hackers to find these before the other side does. In most cases, the developers win but from time to time, the hackers get there first and this is what we're left with.
Originally posted by GrumpyMel2 Part of my job is dealing proffesionaly with technical requirements for compliance with such statutes...The language of the MA statute specificaly states that if your collect PII on MA citizens it MUST be encrypted both on disk and when in transit over any public network (i.e. the internet) . Period. No exceptions.
1. Firstly, it wasn't February, it was April. At the time when they came up, they said based on investigations at that time, the attack only appeared to have been on the PSN. This would have been concluded by the secutiry team that were looking into the PSN attack. SOE was only taken at that time by Sony as a precautionary measure. There was no announcement that I can remember that mentioned anything about changing their security defenses after that initial downtime on the 21st, but it's hard to confirm this when the forums are down, where the response announcement was made.
It wasn't until the secutiry teams working on the PSN progressed through their investigations did they find that SOE had also been accessed. This isn't a failing specific to SOE but SCEI as a whole as their investigators are the ones that likely assumed based on prelimery investigations that SOE was fine. Either way, it's pointless argument - SOE wasn't brought down a second time due to a second attack after the intial April 21 downtime but due to evidence being discovered that showed that SOE had also been compromised in the initial attack that also took down the PSN on April 21. There was no second attack, it's all part of the original attack.
2. You're incorrect. It's been shown how you can use Google's search results to show that Sony's web servers were using the latest version of Apache. This doesn't mean that every other web server running that software is vulnerable, it just means that the way in which Sony has setup their websites was vulnerable. At a guess, I would expect they were using custom built add-ons for the webserver to intergrate their login services and this is what likely had the vulnerability.
It's certainly easy to beat up on Sony for this and to an extent, they do deserve some of it. However, this situation is not unique to Sony and nor will they be the last, it's just a case of "being in the wrong place at the wrong time". Secutiry vulnerabilities exist in all peices of software that connect to the Internet, leaving a constant game of tag between developers and hackers to find these before the other side does. In most cases, the developers win but from time to time, the hackers get there first and this is what we're left with.
[1]
SOE runs SOE servers and if they cannot figure out that someone hacked into their system that is a failure on their part. SOE was brought down a second time, because their network security was still insecure after SOE reviewed it on April 21st. SOE gave the servers the green light and pronounced everything safe. That is a second failure.
Anyway you spin it the buck for SOE server security stops at SOE and they failed several times.
[2]
I'm not incorrect. The google seach show only Sony WEB servers, but there are a lot more servers than what google is going to crawl isn't there? Also google doesn't probe how firewalls are configured or if they are not at critical junctions of a network.
This could theoritically happen to any company, but it didn't. It gets old hearing that excuse used for a company that seems to keep finding its way into the headlines.
To go one step further Sony continued and continues to have server vulnerabilities running live and exploited. Their network still fails basic security probes.
Look how many problems there still are. Sony is rebuilding the network from the ground up, because it was garbage. If their network was up to date and properly firewalled, then all they would have to do fix one exploit, but that isn't what needs to be done to resolve the problem is it?
If this intrusion was the result of a small problem in an otherwise well designed and secure network, it would have been fixed a long time ago and services restored.
Read this article and see that Sony is still running servers with exploits in them and they were hacked as recently as last week. Honestly, Sony just put in a security device and left the login page exposed to the internet with the login ID field populated. That is just a sample of how poorly Sony is running their networks.
1. Firstly, it wasn't February, it was April. At the time when they came up, they said based on investigations at that time, the attack only appeared to have been on the PSN. This would have been concluded by the secutiry team that were looking into the PSN attack. SOE was only taken at that time by Sony as a precautionary measure. There was no announcement that I can remember that mentioned anything about changing their security defenses after that initial downtime on the 21st, but it's hard to confirm this when the forums are down, where the response announcement was made.
It wasn't until the secutiry teams working on the PSN progressed through their investigations did they find that SOE had also been accessed. This isn't a failing specific to SOE but SCEI as a whole as their investigators are the ones that likely assumed based on prelimery investigations that SOE was fine. Either way, it's pointless argument - SOE wasn't brought down a second time due to a second attack after the intial April 21 downtime but due to evidence being discovered that showed that SOE had also been compromised in the initial attack that also took down the PSN on April 21. There was no second attack, it's all part of the original attack.
2. You're incorrect. It's been shown how you can use Google's search results to show that Sony's web servers were using the latest version of Apache. This doesn't mean that every other web server running that software is vulnerable, it just means that the way in which Sony has setup their websites was vulnerable. At a guess, I would expect they were using custom built add-ons for the webserver to intergrate their login services and this is what likely had the vulnerability.
It's certainly easy to beat up on Sony for this and to an extent, they do deserve some of it. However, this situation is not unique to Sony and nor will they be the last, it's just a case of "being in the wrong place at the wrong time". Secutiry vulnerabilities exist in all peices of software that connect to the Internet, leaving a constant game of tag between developers and hackers to find these before the other side does. In most cases, the developers win but from time to time, the hackers get there first and this is what we're left with.
[1]
SOE runs SOE servers and if they cannot figure out that someone hacked into their system that is a failure on their part. SOE was brought down a second time, because their network security was still insecure after SOE reviewed it on April 21st. SOE gave the servers the green light and pronounced everything safe. That is a second failure.
Anyway you spin it the buck for SOE server security stops at SOE and they failed several times.
[2]
I'm not incorrect. The google seach show only Sony WEB servers, but there are a lot more servers than what google is going to crawl isn't there? Also google doesn't probe how firewalls are configured or if they are not at critical junctions of a network.
This could theoritically happen to any company, but it didn't. It gets old hearing that excuse used for a company that seems to keep finding its way into the headlines.
To go one step further Sony continued and continues to have server vulnerabilities running live and exploited. Their network still fails basic security probes.
Look how many problems there still are. Sony is rebuilding the network from the ground up, because it was garbage. If their network was up to date and properly firewalled, then all they would have to do fix one exploit, but that isn't what needs to be done to resolve the problem is it?
If this intrusion was the result of a small problem in an otherwise well designed and secure network, it would have been fixed a long time ago and services restored.
Read this article and see that Sony is still running servers with exploits in them and they were hacked as recently as last week. Honestly, Sony just put in a security device and left the login page exposed to the internet with the login ID field populated. That is just a sample of how poorly Sony is running their networks.
1. From what I remember of the initial annoucement after the 21st, there was no mention of changes. I'm assuming the initial investigations of SOE looked clean and whatever differences there are between SOE and the PSN were seen as enough to keep the same hackers out of SOE's systems. They were only down with other Sony sites intiially as a precaution as they knew the PSN had been hacked. It wasn't until more indepth investigations were carried out that it was discovered that they had also been breached. The investigations are being carried out by third parties, not Sony itself - I imagine this is due to the hackers covering up most of what they did.
2. The issue of excessive info being available on the internet aside (it'd be interesting to see the same processes done against other large companies, actually), none of that really mattered as the guy in the link also says that it wasn't a case of the hackers cracking the security and getting through but rather a likely case of using social engineering to get the info they needed to be able to get in. While humans are involved, all the security software/hardware in the world can't always combat a social engineering attack.
SOE runs SOE servers and if they cannot figure out that someone hacked into their system that is a failure on their part. SOE was brought down a second time, because their network security was still insecure after SOE reviewed it on April 21st. SOE gave the servers the green light and pronounced everything safe. That is a second failure.
Anyway you spin it the buck for SOE server security stops at SOE and they failed several times.
[2]
I'm not incorrect. The google seach show only Sony WEB servers, but there are a lot more servers than what google is going to crawl isn't there? Also google doesn't probe how firewalls are configured or if they are not at critical junctions of a network.
This could theoritically happen to any company, but it didn't. It gets old hearing that excuse used for a company that seems to keep finding its way into the headlines.
To go one step further Sony continued and continues to have server vulnerabilities running live and exploited. Their network still fails basic security probes.
Look how many problems there still are. Sony is rebuilding the network from the ground up, because it was garbage. If their network was up to date and properly firewalled, then all they would have to do fix one exploit, but that isn't what needs to be done to resolve the problem is it?
If this intrusion was the result of a small problem in an otherwise well designed and secure network, it would have been fixed a long time ago and services restored.
Read this article and see that Sony is still running servers with exploits in them and they were hacked as recently as last week. Honestly, Sony just put in a security device and left the login page exposed to the internet with the login ID field populated. That is just a sample of how poorly Sony is running their networks.
1. From what I remember of the initial annoucement after the 21st, there was no mention of changes. I'm assuming the initial investigations of SOE looked clean and whatever differences there are between SOE and the PSN were seen as enough to keep the same hackers out of SOE's systems. They were only down with other Sony sites intiially as a precaution as they knew the PSN had been hacked. It wasn't until more indepth investigations were carried out that it was discovered that they had also been breached. The investigations are being carried out by third parties, not Sony itself - I imagine this is due to the hackers covering up most of what they did.
2. The issue of excessive info being available on the internet aside (it'd be interesting to see the same processes done against other large companies, actually), none of that really mattered as the guy in the link also says that it wasn't a case of the hackers cracking the security and getting through but rather a likely case of using social engineering to get the info they needed to be able to get in. While humans are involved, all the security software/hardware in the world can't always combat a social engineering attack.
Servers offline, corrective measures taken, game services restored in a matter of hours? Seeing that the servers were later taken offline for almost 2 weeks, do you really think SOE did a good job the first time they performed a security review?
2)
Do you know how many things have to go wrong for a network admin to fall victom of a spear phishing attack? From stupidity, to failed email filtering, to failed workstation protection, to Sony allowing google to index a list of its network admins personal information (which we know is true) and so on. That would just illustrate yet another failure on their part.
None of that really matters though, because everyone including Sony admits that the intrusion was the result of hackers exploiting a known vulnerability. Sony servers were not properly patched and the network setup was so bad they had to rebuild the entier system from the ground up.
Comments
It's PSN, not SOE. People care little about 'details' on these boards...
http://www.bloomberg.com/news/2011-05-09/sony-s-playstation-qriocity-services-remain-shut-uncertain-on-restart.html
I have said same thing earlier on in these posts like this where people attack them with not one iota of evidence suggesting that they are at fault. People always like to point fingers and never seem to step back and ask the important questions. I agree with you 100% as stated by me before the same concerns.
Wrong there was an article that mentioned they hoped to have BOTH up by may 31 in the san francisco chronicle. What people care little for is your jihad to relieve $oe of any and all fault,negligence,or wrongdoing hidden behind spin and misdirection.
Are you nutcases still arguing that nothing was stolen from SOE?
SOE announced it on their own website.. here is a link
https://www.soe.com/securityupdate/
In case this is aimed at my post above, read it again and read post I was replying to.
Did nothing wrong!
They were trusted with peoples details, both personal and financial. They have a duty of care to protect this information. European law is very strict on the responsibilities placed on companys who hold such information.
On the issue as to wether they have done something wrong or not. I have received my Email as an ex SOE customer living in the UK. It states quite clearly that my details including debit card, email and postal address have been compromised.
In February of this year I specifically requested ( and still retain the email) that my details were removed from their servers, as my wifes account had been hacked and SOE were quite rude when she tried to get assistance. We both quit EQ2 and requested all our details were wiped. I now have an email from SOE stating that unfortunately our request was not carried out.
Now I have the problem and worry of wether this information will lead to fraud or other problems.
No of course Sony have done nothing wrong...
As long as PSN isn't up and running, so won't SOE's network.
Read the news! SOE's communication has always been lackluster and they are "renown" for keeping their customers in the dark.
But a Sony spokesman has already said that BOTH networks won't be up before May 31st ! Not just PSN.
Thanks for the (no) link.
Stop spreading lies.
This...
As if being a SWG vet wasnt bad enough.. they also compromise your accounts and all your PII.. if anything.. this whole situation is a reaffirmation of everything that i've come to dislike about SOE.. and of course.. SONY.. i'd laugh at them if only my own account/personal details hadnt been compromised.. as it is.. im just furious'er (x10)
Here are some sites that if you go to them you can see that this was coming. As to whether or not anyone was actually on top of this stuff hard enough is another question but even some of our government agencies have been compromised by all of these cyber attacks so if you would like more information on just how serious these hackers are check out these sites.
http://www.northeastern.edu/news/stories/2010/02/CyberQ&APapageorge.html
http://us.mobile.reuters.com/article/topNews/idUSTRE73P7GF20110426
http://knol.google.com/k/identity-theft-secrets/global-cyber-attack-compromises-over-2/1cr2uvc2n4ajo/155#
http://www.guardian.co.uk/media/2010/dec/08/mastercard-hackers-wikileaks-revenge
There is no evidence that flying pink unicorns don't exist on a planet orbiting Alpha Centuri, by your logic does that mean the statement "Flying pink unicorns exist in the Alpha Centuri system" is supportable?
- SONY network security was breached.
- By your own admission, you lack sufficient knowledge of how that breach was achieved or what security measures needed to be overcome.
The best you can supportably claim under the above is "I lack sufficient evidence to make a conclusion"
To supportably claim that "SONY did nothing wrong" ( a postive statement of opinion), you would need some detailed knowledge of the security controls that SONY had in place and how they were overcome in order to judge that thier measures were upto a reasonable standard.
You've taken others in this thread to task for making postive statements of opinion i.e. "Sony screwed up" without any factual data to support such a claim... yet hear you are doing exactly the same thing in reverse. I call shenanigans.
2) Did you actualy even bother to read the text of the MA statute that I cited? Or lookup the NV one. I don't care what your experience in Europe is. Part of my job is dealing proffesionaly with technical requirements for compliance with such statutes...they most definately do NOT boil down to "Just don't let it laying freely around and it will be ok".
The language of the MA statute specificaly states that if your collect PII on MA citizens it MUST be encrypted both on disk and when in transit over any public network (i.e. the internet) . Period. No exceptions. That's the law. If SONY had any such information stored in unencrypted format on it's servers, it was out of compliance. period.
You have been the king of misleading people in the whole Sony debacle.
Playing: PO, EVE
Waiting for: WoD
Favourite MMOs: VG, EVE, FE and DDO
Any person who expresses rage and loathing for an MMO is preposterous. He or she is like a person who has put on full armor and attacked a hot fudge sundae.
So far there have been many conjectures as to when it will be up. I am not totally sure where this information is coming from because Sony itself has not given any ETA and do I blame them? Heck no! At this time releasing an ETA might not only be a security risk but if they don't meet it then they will have a whole lot of angry players.
The only thing that has come straight from Sony themselves is at LEAST a few more days.
Now looking at everything combined my assumption would be that yes it means SOE will be up probably and hopefully at the same time as the PSN network considering they both use the internet and everything they have is connected in one way or the other.
For myself I am keeping up on eq2wire with the daily updates and facebook. There is also Twitter who Sony is communicating with as well.
And I am not sure but I do not believe that the May 31st date was actually collaberated by any Sony employees that I heard of.
Really? What is misleading about what jerokane has stated. Lets see how it looks
As long as PSN isn't up and running, so won't SOE's network.
How did it work out for Sony to allow SOE to proclaim itself secure, customers data was safe are return to online status less that 24 hours after the PSN went down on April 20th? Sony had to eat a big plate of crap, because SOE screwed up, misinformed their clients and had to be taken offline a second time.
Read the news! SOE's communication has always been lackluster and they are "renown" for keeping their customers in the dark.
Is SOE good about keeping their playerbase informed?
Did EQ2 players have advance knowledge that the station cash store existed before it was patched live in an overnight update? no.
Did the lead producer mislead the playerbase about EQ2 adopting a F2P model by omitting the fact that at the very moment he answered the question SOE was converting EQ2 to run as a F2P game that launched less than 30 days later? Yes
Did SOE make vague references to resolving the population issues with DCU nearly 2.5 months ago? Yes. Did they release information that was so non-descript that players cannot tell if it is cross servers ques, server mergers or something else? Yes.
Has SOE not updated their webpage on over more than a week? Yes.
It is almost corporate policy to keep players in the dark.
But a Sony spokesman has already said that BOTH networks won't be up before May 31st ! Not just PSN.
I don't know the answer to this one: Maybe?
@Anyone who is still freaking out over this,
Calm down!!!! Fact is it happened. Life happens. Sony got hacked=part of the bed of roses with all of the thorns or =the bowl of cherries with all of the pits in it.
Sony will be up when everything is fixed and secure=fact.
Fact=Patience is a virtue. To get so emotionally worked up over what someone else says in this or over the fact that you do not agree is not healthy for you or your mental state of mind.
Truth is it is time to be patient and wait just like we had to wait for them to finally find Osama Bin Ladan a decade later. There is nothing we can reach in and do to change what has already happened all we can do is hope that all of the problems get worked out and that everything comes back up ok.
It has already been proven that Sony had the latest up-to-date security and it was patched. Hackers will get in when they want. It is like my Uncle always used to tell me. The only thing a lock keeps out is an honest person. If a criminal wants in bad enough they will get in one way or another with or without locks in their way.
Does it suck? Fact=YES!!!! But is there anything we can really do about it? All we can do is try to come to grips with what has happened and I have found that most people are finally getting there after venting enough but if you don't calm down you'll have a heart attack at an early age. And why? Because you did not do what it takes to secure yourself from not having it. And no I am not saying this as a personal attack. I would not wish that on anyone.
Best thing to do is just realize all we can do as citizens and victims at this point is to be patient and give authorities and what ever other entities were brought in the time needed to solve this diobolical crime, hopefully implement the best security put out thus far, and fix whatever damage was done.
[1]
That is what SOE said on Feb 21st when they put their servers back online and on Feb 28th when they said no data was stolen. What happened on May 2nd? Servers came down, because there are still problems. It wasn't until May 2nd that SOE decided to get outside help.
The only fact is that SOE did put the servers back online when they were not secure. You can HOPE they fix everything, but who knows what will happen.
[2]
Sonys chief information officer said their network had known vulnerabilities and there was more work they should have done to keep the network secure. That dismisses any claims that Sonys network was up to date. If sony was running the most current security features then that would mean this exploit existed on every network and hackers would waltz to all of them at will.
I know you really want to go to bat for SOE, but it really isn't your place to tell people to be quiet on a discussion forum.
Fixed:
There is no evidence that Sony did anything wrong, by your logic does that mean the statement: "Sony did something wrong" is supportable?
There you go.
And no, I am not doing the same because my comment is related to evidence, not absolute values...I think we had this discussion already...
1. Firstly, it wasn't February, it was April. At the time when they came up, they said based on investigations at that time, the attack only appeared to have been on the PSN. This would have been concluded by the secutiry team that were looking into the PSN attack. SOE was only taken at that time by Sony as a precautionary measure. There was no announcement that I can remember that mentioned anything about changing their security defenses after that initial downtime on the 21st, but it's hard to confirm this when the forums are down, where the response announcement was made.
It wasn't until the secutiry teams working on the PSN progressed through their investigations did they find that SOE had also been accessed. This isn't a failing specific to SOE but SCEI as a whole as their investigators are the ones that likely assumed based on prelimery investigations that SOE was fine. Either way, it's pointless argument - SOE wasn't brought down a second time due to a second attack after the intial April 21 downtime but due to evidence being discovered that showed that SOE had also been compromised in the initial attack that also took down the PSN on April 21. There was no second attack, it's all part of the original attack.
2. You're incorrect. It's been shown how you can use Google's search results to show that Sony's web servers were using the latest version of Apache. This doesn't mean that every other web server running that software is vulnerable, it just means that the way in which Sony has setup their websites was vulnerable. At a guess, I would expect they were using custom built add-ons for the webserver to intergrate their login services and this is what likely had the vulnerability.
It's certainly easy to beat up on Sony for this and to an extent, they do deserve some of it. However, this situation is not unique to Sony and nor will they be the last, it's just a case of "being in the wrong place at the wrong time". Secutiry vulnerabilities exist in all peices of software that connect to the Internet, leaving a constant game of tag between developers and hackers to find these before the other side does. In most cases, the developers win but from time to time, the hackers get there first and this is what we're left with.
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
(5) Encryption of all personal information stored on laptops or other portable devices;
Professionally and you are so wrong in what the law says? What an irony...
Only supports all I said so far.
[1]
SOE runs SOE servers and if they cannot figure out that someone hacked into their system that is a failure on their part. SOE was brought down a second time, because their network security was still insecure after SOE reviewed it on April 21st. SOE gave the servers the green light and pronounced everything safe. That is a second failure.
Anyway you spin it the buck for SOE server security stops at SOE and they failed several times.
[2]
I'm not incorrect. The google seach show only Sony WEB servers, but there are a lot more servers than what google is going to crawl isn't there? Also google doesn't probe how firewalls are configured or if they are not at critical junctions of a network.
This could theoritically happen to any company, but it didn't. It gets old hearing that excuse used for a company that seems to keep finding its way into the headlines.
To go one step further Sony continued and continues to have server vulnerabilities running live and exploited. Their network still fails basic security probes.
LINK
Look how many problems there still are. Sony is rebuilding the network from the ground up, because it was garbage. If their network was up to date and properly firewalled, then all they would have to do fix one exploit, but that isn't what needs to be done to resolve the problem is it?
If this intrusion was the result of a small problem in an otherwise well designed and secure network, it would have been fixed a long time ago and services restored.
Read this article and see that Sony is still running servers with exploits in them and they were hacked as recently as last week. Honestly, Sony just put in a security device and left the login page exposed to the internet with the login ID field populated. That is just a sample of how poorly Sony is running their networks.
1. From what I remember of the initial annoucement after the 21st, there was no mention of changes. I'm assuming the initial investigations of SOE looked clean and whatever differences there are between SOE and the PSN were seen as enough to keep the same hackers out of SOE's systems. They were only down with other Sony sites intiially as a precaution as they knew the PSN had been hacked. It wasn't until more indepth investigations were carried out that it was discovered that they had also been breached. The investigations are being carried out by third parties, not Sony itself - I imagine this is due to the hackers covering up most of what they did.
2. The issue of excessive info being available on the internet aside (it'd be interesting to see the same processes done against other large companies, actually), none of that really mattered as the guy in the link also says that it wasn't a case of the hackers cracking the security and getting through but rather a likely case of using social engineering to get the info they needed to be able to get in. While humans are involved, all the security software/hardware in the world can't always combat a social engineering attack.
1)
LINK
Servers offline, corrective measures taken, game services restored in a matter of hours? Seeing that the servers were later taken offline for almost 2 weeks, do you really think SOE did a good job the first time they performed a security review?
2)
Do you know how many things have to go wrong for a network admin to fall victom of a spear phishing attack? From stupidity, to failed email filtering, to failed workstation protection, to Sony allowing google to index a list of its network admins personal information (which we know is true) and so on. That would just illustrate yet another failure on their part.
None of that really matters though, because everyone including Sony admits that the intrusion was the result of hackers exploiting a known vulnerability. Sony servers were not properly patched and the network setup was so bad they had to rebuild the entier system from the ground up.