Again, this is based on speculation by a security expert. He said the things he said based on the information he had available to him, however, that does not mean he is right. If you based a lawsuit on that kind of information, I bet it would be thrown out of court. You would have to be 100% sure you have your facts straight going in, otherwise you'll end up with egg on your face.
If you can read French, I recommend reading Le Monde and L'Express' websites. They have really good articles about this incident. The latter published an article about Sony's security, saying that SoE/Sony *most likely* cut corners with security because they may not have been PCI DSS certified (the protocol that credit card companies use) probably because it is very expensive. From the way the attacks happened, the experts think that they were not using certified PCI DSS. However, the authors of the article were quick to point out that even with it, it's very possible to get hacked, as has been the case of credit card companies using it. Even without it, it doesn't necessarily mean that Sony was completely sloppy, it means that Sony's security is 'artisanal' rather than being 'industry standard'.
Anyway, SoE itself might not be liable for being sued, but rather the parent corp Sony. If SoE started suffering worse financial problems, it will be swallowed up by Sony anyway. I don't think that the EQ franchise is going to be sold off to xyz.
I wouldn't be surprised if the outcome of this incident is that more MMO companies get targeted by organized criminals.
A lot of posters here have been sticking it to SOE ever since Galaxies was changed, that lot believe Sony to be culpable because they want them to be. Personally I wouldn't be surprised if they are, but I also realize right now it's hard to say what measures Sony took without having hard factual evidence of it, and hearsay isn't it.
"For every minute you are angry, you lose 60 seconds of happiness." -Emerson
Because that's what it always comes down to with SoE. All other gripes (until this) are petty (RMT that doesn't affect gameplay) or misplaced/uninformed (Vanguard). NGE is why people hate SoE.
When you make comments like this you are admitting that you are not being open minded to the topic. It is a completely dismissive and disingenuous approach to having a discussion, because no matter what information, facts or situations are presented to you, you have your arsenal of excuses ready to go. Most of which attack the person posting their ideas instead of debating the ideas they are posting.
Is someone really mad about SWG if they complain about SOE's incompetence to secure the personal information, bank and credit card information for up to 25 million accounts? Are they misinformed about something there?
SOE has given its customers a long list of reasons to be upset with them. Seeing how poorly the company has been doing the last five years it is pretty clear to see the results of their business practices. Shit, just look at the complete failure that is DCU and try to rationalize that one as being the fault of players' misinformation or SWG.
This same mentality is echoed in the original post and even the title. "A tough break for SOE" as if they are some poor company that just can't catch any good luck despite their best efforts to do things right. That snake oil doesn't sell anymore.
The point is, we have yet to know if it was SoE's incompetence or SCEI's incompetence. None of us know the internal structure. If it had been only SoE then yes, it would be easy to lay blame at their feet. But a separate entity that no one from SoE has anything to do with faced the same hacking.
People are saying SoE is guilty, when we don't have any evidence that they are.
When a recognized security expert testifies in front of Congress that he has read reports that state the Sony servers were running outdated, unpatched versions of Apache and did not have a proper firewall installed/configured I am going to put a little faith in his statements.
I doubt he was called before Congress for his forum surfing expertise to repeat hearsay.
Did you read his testimony or even the quote? He's got his information from 'news reports' only, from them open forums.
Anyway, who takes congress hearing seriously...
Yes I read it, but I don't just assume he is reading random blogs or open forums and presenting meaningless speculation. Recognized security expert who travels in a network of security experts. I'm not going to assume he is referencing some random post from blogspot.com to congress, but you can if you wish.
He felt it was credible enough to mention in a congressional hearing, so he must feel that those who wrote the reports have credibility.
The company behind Apache Web Server have warned Sony months ago that they were using an outdated version that was not updated nor patched and people in the IT security field had noticed Sony wasn't using any Firewalls either and posted their concerns on the Sony forums.
I think that is more than enough credible evidence.
Have a link to that bit about Apache contacting SOE? I've been looking for hard evidence like that and haven't found any.
As for "people in the IT field noticed Sony wasn't using any Firewalls either and posted their concerns on the Sony forums". How did these people know they weren't using a firewall? How are you sure (from a forum post) they are who they say they are as well as what they are saying is true?
"For every minute you are angry, you lose 60 seconds of happiness." -Emerson
Ok, tell me how you would interpret this
SOE took down their servers in light of the playstation network being hacked.
SOE conducted a security review and enhanced their security measures.
SOE determined that everything was fine and announced to their playerbase that their information was safe.
SOE one week later determined that everything was not safe. That information had been stolen. That credit and banking information was stored on their server that they were NOT EVEN USING. Most of this was stored in clear text.
SOE then had to take down their service a second time. Perform a security review a second time. Enhance their security a second time.
SOE for whatever reason did not take down their Facebook game servers offline until an outside party forced them to. I guess they don't do a security review or enhance security until after something has already been hacked and cleaned out.
At this point it doesn't matter who or how the network was hacked. That above shows that SOE is incompetent with their network security. They violated the security protocols set up by credit card companies. They failed to detect an intrusion even after they knew someone had breached the Sony network. They failed to properly secure their network the first time they brought it down.
On top of that SCEI (not SOE) was ready to bring the PSN back online when the hackers published some of the names they had stolen. In response to this Sony delayed opening the service up again citing how complicated things had gotten. Obviously they didn't know the hackers got that information.
This isn't a case of SCEI or SOE being at fault. Both are total failures in this situation. Neither can pass the buck to the other, because they are both making massive mistakes.
Originally posted by Daffid011 Yes I read it, but I don't just assume he is reading random blogs or open forums and presenting meaningless speculation.
Listen to his speech for yourself.
The point is, he was not even involved in the discussion or the matter. If you make general claims, do as you wish but when you talk about someone in particular, you make damn sure your information is first hand or be very specific and disclose your sources.
No one who wants to be taken seriously would do anything like the guy did.
Your credibility does not come from your expertise nor your personal feelings but only from factual evidence of your claim.
His authority isn't an argument.
When you want to remain factual, there is no resemblance between this hearsay and actual intrusion, so little is known about the supposedly unpatched server and the attack.
Originally posted by Daffid011 That above shows that SOE is incompetent with their network security.
Just because you got it wrong does not make you right.
19th of April Sony detected unauthorized activity in their network and further investigation found out that between 17th - 19th April there was a successful intrusion made into PSN.
20th of April, PSN was shut down to prevent further damage and subject to further investigation.
1st of May, the ongoing investigation indicates that SOE was also a victim of the intrusion and the network was taken offline.
There isn't anything wrong there, Sony did a great job in handling the situation, amazing job I would say.
I listened to it and still feel the same way. If he felt his peers were presenting credible information that is why he mentioned it.
I'm not saying it is a smoking gun of hard facts, but it certainly isn't just some random babblings by nobodies on a meaningless blog either.
I'm sure the truth will come out one way or another, but seeing how poorly SCEI/SOE have handled everything else with their servers and our information I don't find it the least bit unbelievable that their security was this messed up. It seems that every time one of these companies says something the problems seem to get worse and worse and solutions/answers get farther and farther away.
If you want to believe that Sony's security was up to date and properly implemented that's cool. To each their own I guess.
And despite how much everyone in this thread wants to nitpick the whats or whos - they were hacked (meaning there were vulnerabilities). Sony now is in the middle of updating their systems (meaning the previous systems were inadequate). And AGAIN, by their own admission they were noncompliant in terms of data storage and encryption. Their own admission. Most businesses that are guilty of this usually get their rights to process credit cards revoked or at best, put on a security risk tier and pay additional fees per transaction.
And as for that congressional committee - nothing good comes from such an assembly. It is my belief that this will be the venue that several states base their individual cases off of in terms of its violations to their laws.
You seem to have overlooked
April 21 SOE games went offline for the previously mentioned security review link
April 28 SOE announced "to the best of their knowledge" all data is safe. AFTER the servers were already back online. LINK
May 1st Well SOE did fail. Servers offline again, more security reviews, tons of data lost, blah blah blah. No denying they screwed up.
Originally posted by Daffid011 You seem to have overlooked April 21 SOE games went offline for the previously mentioned security review link April 28 SOE announced "to the best of their knowledge" all data is safe. AFTER the servers were already back online. LINK May 1st Well SOE did fail. Servers offline again, more security reviews, tons of data lost, blah blah blah. No denying they screwed up.
Doesn't look like I was wrong after all does it?
Um...your provided link does not say the servers were back online on 28th...
There is no screw up.
I have posted the basic course of actions and did not focus on the announcements regarding data theft because I wrongly assumed you understand that investigation takes time and new evidence is being discovered in the process.
The problem is, the data has no physical form, they can be copied so you have a hard time to determine what was copied or even accessed or not.
You cannot rule out that something was NOT stolen or NOT accessed. Which makes whole thing very difficult.
Because of said above and because of ongoing investigation, later you release the information, more accurate it will be. It is a tough decision you have to make:
You inform people early, you will get blamed later if the info turns out inaccurate. You inform people later, you will be blamed for leaving people in the wind.
This applies to any investigation but there you can usually compare physical evidence to documented evidence, something you cannot really do with electronic data.
Hope that helped.
Here is a link to Sony response to congressional hearing, all of above is covered:
All we know is both the PCN and the PC games are down. I think the PS3 guys will be OK, however I don't think the PC side of things will.
We already had dwindling populations in EQ2, and other games. I think we're seeing the worst case scenario. I actually think some of SOE's games are done for if not the entire branch of the online pc side.
I hate not being able to play EQ2 in a week.
Also I want to add this, if you think a hack has brought them down for over a week, I'm going to say other stuff has to be going on. Not sure what but being SOE as who they are they don't tell you nothing until it's too late.
I'd bet if this were a U.S. Gov Nuclear installation you wouldn't be calling it a tough break. Failures are often the results of poor planning and execution. If anyone here has had to go through an NSA grade server and network security audit, you would have a very different view of how things are done.
Kyleran: "Now there's the real trick, learning to accept and enjoy a game for what it offers rather than pass on what might be a great playing experience because it lacks a few features you prefer."
John Henry Newman: "A man would do nothing if he waited until he could do it so well that no one could find fault."
FreddyNoNose: "A good game needs no defense; a bad game has no defense." "Easily digested content is just as easily forgotten."
LacedOpium: "So the question that begs to be asked is, if you are not interested in the game mechanics that define the MMORPG genre, then why are you playing an MMORPG?"
Wow, I didn't think I would really need to post a link showing that the SOE servers were not down for an entire week prior to the 28th announcement that customer data was safe, but Here you go.
SOE said on April 22nd AND April 28th that things were fine at SOE.
There are two ways to view the results.
Looking at things in broad generalizations about these things being hard for companies to find problems like this or things like this taking time. None of which really addressing the specifics of this situation.
The other way of looking at the actions taken by SOE and the failure of those actions. The servers were declared safe and clear of threat TWICE. They were online and running before SOE concluded that customers' data was safe. The security was reviewed, enhanced and declared safe to be put back online in less than 1 day.
However you want to look at it the fact is SOE missed that their customers' information was hacked for over a week. They had to take down their servers for a second time, AFTER they were already reviewed and declared secure, to go through a SECOND security review and update.
Those are the facts of this situation. Talking about theoretical situations like this being "hard and taking time" doesn't alter that. If these things are hard and take time, then SOE was premature in putting the servers back online the same day. At least SCEI was smart enough to keep their service offline until they knew for certain what happened and that was 2 weeks ago.
Just compare how SCEI handled their intrusion and how SOE handled theirs. Both divisions of the same company under the same attack, but such drastic differences in how each handled it.
They knew on the 20th that there was a breach in their security. That is the date they should have reported to their customers that sensitive information could have been stolen and to take precautions.
Originally posted by Daffid011 Wow, I didn't think I would really need to post a link showing that the SOE servers were not down for an entire week prior to the 28th announcement that customer data was safe, but Here you go.
Where do you read that?! I do not see anything like that written there.
Text from the link:
by Jef Reahard on Apr 23rd 2011 3:00PM
Sony Online Entertainment has acknowledged an issue that has caused its MMORPGs and game-related websites to be sporadically unavailable since Thursday, April 21st. SOE's Linda "Brasse" Carlson posted on the EverQuest II forums late last night, attributing the trouble to "an external intrusion."
Users have experienced connection issues in everything from Vanguard, to EQII, to Free Realms, and EQII's main website remains inaccessible as of press time. Station Cash and account services appear to be working normally.
"As a result of an external intrusion on its system, SOE interrupted its services on April 21. Promptly upon learning of the intrusion, SOE initiated an investigation and took corrective steps to bring its games and other services back up," Carlson explained. "We are working hard on bringing all of our player sites back online, but have no ETA at this time. We apologize for the inconvenience and thank you for bearing with us."
LastPass is a company that uses a master password to help you manage all your passwords (I think sites like these are dumb but that's just me). They think there was a security breach after <24 hours of research and notified their users.
They didn't beat around the bush and play games. They stepped up and told users what's going on. They may lose some customers for it but I'd think most of their users will be glad that the company immediately notified people. They also immediately made players aware that their master passwords are encrypted and the only method honestly to decrypt them is brute-force/dictionary attacks.
(Although it is true that if the encryption method/salt is known, which they conceded it might be, it's easier to aim at several passwords at once than one at a time, but they probably require, like many sites, that your password consist of capital/lowercase letters and numbers which would make dictionary attacks almost useless.)
Spec'ing properly is a gateway drug. 12 Million People have been meter spammed in heroics.
Originally posted by thinktank001 They knew on the 20th that there was a breach in their security. That is the date they should have reported to their customers that sensitive information could have been stolen and to take precautions.
The fact you detect an intrusion into your systems does not mean anything was or even could have been stolen.
Congress hearing video is back again.
http://www.c-span.org/Events/Members-Look-at-Threat-of-Data-Theft/10737421279-1/
Listen to Spafford saying where did he get his information from - 55:00 min.
I LOLed. You win the thread.
Nothing says irony like spelling ideot wrong.
Hey!! I want to play that new EQ Progression server. Does anyone know when I can reactivate my account?
As for the red hat server issue -
http://www.wired.com/threatlevel/2011/04/trixter/
The log being referenced.
http://173.255.232.215/logs/efnet/ps3dev/2011-02-16
You seem to have overlooked
April 21 SOE games went offline for the previously mentioned security review link
April 28 SOE announced "to the best of their knowledge" all data is safe. AFTER the servers were already back online. LINK
May 1st Well SOE did fail. Servers offline again, more security reviews, tons of data lost, blah blah blah. No denying they screwed up.
Care to explain where you think I was wrong?
Here is a link to Sony response to congressional hearing, all of above is covered:
http://www.flickr.com/photos/playstationblog/5686963661/in/set-72157626521862165/lightbox/
Where the hell is Champions of Norrath 3, SOE?
I want you and Snowblind to PLEASE make another one of those games. They were amazing!
All we know is both the PCN and the PC games are down. I think the PS3 guys will be OK, however I don't think the PC side of things will.
We already had dwindling populations in EQ2, and other games. I think were seeing the worst case scenario. I actually think some of SOE's games are done for if not the entire branch of the online pc side.
I hate it not been able to play EQ2 in a week.
Also I want to add this, if you think a hack has brought them down for over a week, I'm going to say other stuff has to be going on. Not sure what but being soe as who they are they don't tell you nothing until its too late.
I'd bet if this were a U.S. Gov Nuclear installation you wouldn't be calling it a tough break. Failures are often the results of poor planning and execution. If anyone here has had to go through a NSA grade server and network security audit, you would have a very different view of how things are done.
/end
Wow, I didn't think I would really need to post a link showing that the SOE servers were not down for an entire week prior to the 28th announcement that customer data was safe, but here you go.
SOE said on April 22nd AND April 28th that things were fine at SOE.
There are two ways to view the results.
One is looking at things in broad generalizations about it being hard for companies to find problems like this, or things like this taking time, none of which really addresses the specifics of this situation.
The other way is looking at the actions taken by SOE and the failure of those actions. The servers were declared safe and clear of threat TWICE. They were online and running before SOE concluded that customers' data was safe. The security was reviewed, enhanced and declared safe to be put back online in less than 1 day.
However you want to look at it, the fact is SOE missed that their customers' information was hacked for over a week. They had to take down their servers for a second time, AFTER they were already reviewed and declared secure, to go through a SECOND security review and update.
Those are the facts of this situation. Talking about theoretical situations like this being "hard and taking time" doesn't alter that. If these things are hard and take time, then SOE was premature in putting the servers back online the same day. At least SCEI was smart enough to keep their service offline until they knew for certain what happened and that was 2 weeks ago.
Just compare how SCEI handled their intrusion and how SOE handled theirs. Both divisions of the same company under the same attack, but such drastic differences in how each handled it.
/Facepalm
They knew on the 20th that there was a breach in their security. That is the date they should have reported to their customers that sensitive information could have been stolen and to take precautions.
Where do you read that?! I do not see anything like that written there.
Text from the link:
by Jef Reahard on Apr 23rd 2011 3:00PM
Sony Online Entertainment has acknowledged an issue that has caused its MMORPGs and game-related websites to be sporadically unavailable since Thursday, April 21st. SOE's Linda "Brasse" Carlson posted on the EverQuest II forums late last night, attributing the trouble to "an external intrusion."
Users have experienced connection issues in everything from Vanguard, to EQII, to Free Realms, and EQII's main website remains inaccessible as of press time. Station Cash and account services appear to be working normally.
"As a result of an external intrusion on its system, SOE interrupted its services on April 21. Promptly upon learning of the intrusion, SOE initiated an investigation and took corrective steps to bring its games and other services back up," Carlson explained. "We are working hard on bringing all of our player sites back online, but have no ETA at this time. We apologize for the inconvenience and thank you for bearing with us."
For everyone defending Sony--look up LastPass.
LastPass is a company that uses a master password to help you manage all your passwords (I think sites like these are dumb but that's just me). They think there was a security breach after <24 hours of research and notified their users.
They didn't beat around the bush and play games. They stepped up and told users what's going on. They may lose some customers for it but I'd think most of their users will be glad that the company immediately notified people. They also immediately made players aware that their master passwords are encrypted and the only method honestly to decrypt them is brute-force/dictionary attacks.
(Although it is true that if the encryption method/salt is known, which they conceded it might be, it's easier to aim at several passwords at once than one at a time, but they probably require, like many sites, that your password consist of capital/lowercase letters and numbers which would make dictionary attacks almost useless.)
The fact you detect an intrusion into your systems does not mean anything was or even could have been stolen.
Sony is responsible for the hacks at the end of the day.
Arguing over who knew what and when they knew it might affect any negligence lawsuits Sony is going to be hit with.
However, they are still liable for the consequences of the hack. It's the law.
They do seem to be offering all their customers 1 million dollar fraud insurance so that is one thing they are doing right imo.