Hackers plan 3rd attack on Sony

Comments

  • MurlockDanceMurlockDance Member Posts: 1,223

    I'm gobsmacked at how some of the forum folks can support the hackers. It's as someone said in a post on here that us players are being blackmailed.

    This is very serious because if it's true that there will be a third attack and all of our information is aired, well, there's no taking that back. Once it's out, it's out and it will open every single one of us to potential identity theft. That could be even more horrible than having one's online credit card info compromised.

    And think about those people from some European countries who might end up with their bank account details aired at the same time.

    If I was extremely pissed off at SoE, my way of punishing them would be to cancel my account and never play one of their games again. I wouldn't ever go and hack them and create untold misery for millions of gamers. These hackers are not just 'punishing' SoE, they're 'punishing' us! What did we ever do to them? I don't even own a PS3, so why should I have to be subjected to this?

    And to be honest, these guys who are threatening to release our information onto the internet are beyond just some amateur, Robin Hood, hacker types... these guys are blackmailers and serious criminals who I hope will be caught and will be treated as any other blackmailer would be.

    Actually I am pissed off at SoE, and indirectly at the industry in general. They should not keep old data around. They need to get rid of credit card information and in fact, perhaps we shouldn't have recurring billing but rather be prompted to input CC information every time a subscription is about to end. I don't think credit card information should be kept in a database period... in fact it should only be kept for the time it takes to make one charge, and then be erased.

    I think the industry as a whole needs to rethink security for its players.

    Playing MUDs and MMOs since 1994.

  • GdemamiGdemami Member EpicPosts: 12,342


    Originally posted by GrumpyMel2

    No my argument is that Sony got breached...therefore they failed somewhere. If they didn't, they wouldn't have gotten breached.

    And I say again that that only applies if all situations are foreseeable and you can prevent them, which is a logical fallacy, thus your statement is invalid as well.


    It ain't more complicated than that to rectify your argument because that is what will happen when you start using absolute values.

  • jado818jado818 Member, Newbie CommonPosts: 356

    Originally posted by Gdemami

    Originally posted by GrumpyMel2

    No my argument is that Sony got breached...therefore they failed somewhere. If they didn't, they wouldn't have gotten breached.

    And I say again that that only applies if all situations are foreseeable and you can prevent them, which is a logical fallacy, thus your statement is invalid as well.

    It ain't more complicated than that to rectify your argument because that is what will happen when you start using absolute values.

    Regardless of their fault in the matter.. Sony is liable

    Let me see if I can use a real life example

    Say you flew into Tokyo and decided to rent a car to go for a drive... most Americans have driver's licenses.. so in Japanese eyes that makes you a "professional" driver

    The Japanese aren't required to have driver's licenses to drive.. and by their law, if an accident occurs, it's *always* the fault of the professional... even if the other guy was drunk and ran a red light

    That's the way the law is.. you would be liable.. even if you didn't break any laws

    The same can be said of Sony.. they are liable.. even if they didn't break any laws, or weren't negligent in any way

  • i00x00ii00x00i Member Posts: 243

    Wow good going guys, I'm sure these attacks will help the government make that decision on "Anonymous and the Internet". Although Sony should have better security.

    Most people go through life pretending to be a boss. I go through life pretending I'm not.

  • ormstungaormstunga Member Posts: 736

    It's like interwebz for the insane.

    Ppl identifying with the hackers and somehow feeling mistreated by Sony.

    Time to grow up guys. Get a family, that changes perspective for most of us.

  • GrumpyMel2GrumpyMel2 Member Posts: 1,832

    Originally posted by MurlockDance

    I'm gobsmacked at how some of the forum folks can support the hackers. It's as someone said in a post on here that us players are being blackmailed.

    This is very serious because if it's true that there will be a third attack and all of our information is aired, well, there's no taking that back. Once it's out, it's out and it will open every single one of us to potential identity theft. That could be even more horrible than having one's online credit card info compromised.

    And think about those people from some European countries who might end up with their bank account details aired at the same time.

    If I was extremely pissed off at SoE, my way of punishing them would be to cancel my account and never play one of their games again. I wouldn't ever go and hack them and create untold misery for millions of gamers. These hackers are not just 'punishing' SoE, they're 'punishing' us! What did we ever do to them? I don't even own a PS3, so why should I have to be subjected to this?

    And to be honest, these guys who are threatening to release our information onto the internet are beyond just some amateur, Robin Hood, hacker types... these guys are blackmailers and serious criminals who I hope will be caught and will be treated as any other blackmailer would be.

    Actually I am pissed off at SoE, and indirectly at the industry in general. They should not keep old data around. They need to get rid of credit card information and in fact, perhaps we shouldn't have recurring billing but rather be prompted to input CC information every time a subscription is about to end. I don't think credit card information should be kept in a database period... in fact it should only be kept for the time it takes to make one charge, and then be erased.

    I think the industry as a whole needs to rethink security for its players.

    The way to increase the security of online transactions would be rather than having companies store credit card info. Have them collect it once, submit it to the payment provider and request the provider generate a "payment token" for that credit card. The "payment token" would ONLY be good for that particular VENDOR using that card. When the vendor wanted to charge against that card again it would submit the token..not the card info. That way the vendor is only storing info (the token) which is useful for that vendor making charges. For anyone else, the token would be absolutely useless...as only that vendor could make charges with it. The consumer's CC info would only be stored by the issuing bank and CC company... never a vendor.

    This sort of change would pretty much have to come from the CC companies though.
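
The vendor-scoped token scheme described in the post above, sketched as an added example (it is not part of the original post and is not any real payment provider's API). The `PaymentProvider` class, the vendor names, the HMAC request signing and the test card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class PaymentProvider:
    """Hypothetical provider: the only party that ever stores the card number."""

    def __init__(self):
        self._vendor_keys = {}  # vendor_id -> API secret shared with that vendor
        self._vault = {}        # token -> (vendor_id, card_number)

    def register_vendor(self, vendor_id):
        key = secrets.token_bytes(32)
        self._vendor_keys[vendor_id] = key
        return key

    def _authentic(self, vendor_id, message, mac):
        # Every request must be signed with the calling vendor's own secret.
        key = self._vendor_keys.get(vendor_id)
        if key is None:
            return False
        expected = hmac.new(key, message.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)

    def tokenize(self, vendor_id, card_number, mac):
        if not self._authentic(vendor_id, f"tokenize|{card_number}", mac):
            raise PermissionError("vendor authentication failed")
        # The token is random, so it carries no card data, and it is
        # bound to the vendor that requested it.
        token = secrets.token_urlsafe(24)
        self._vault[token] = (vendor_id, card_number)
        return token

    def charge(self, vendor_id, token, amount_cents, mac):
        if not self._authentic(vendor_id, f"charge|{token}|{amount_cents}", mac):
            return "rejected: vendor authentication failed"
        entry = self._vault.get(token)
        if entry is None or entry[0] != vendor_id:
            return "rejected: token not valid for this vendor"
        return f"approved: {amount_cents} cents on card ending {entry[1][-4:]}"


def sign(key, message):
    """Sign a request the way the hypothetical provider expects."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def demo():
    provider = PaymentProvider()
    game_key = provider.register_vendor("game-vendor")
    other_key = provider.register_vendor("other-vendor")

    # Constructed sample data: a well-known test card number, not a real card.
    card = "4111111111111111"

    # First purchase: the vendor forwards the card once and keeps only the token.
    token = provider.tokenize("game-vendor", card, sign(game_key, f"tokenize|{card}"))
    vendor_db = {"alice": token}

    # Recurring billing: the vendor charges with the token, never the card.
    renewal = provider.charge(
        "game-vendor", token, 1499, sign(game_key, f"charge|{token}|1499"))

    # Breach of the vendor's customer database: only tokens leak.
    stolen = vendor_db["alice"]

    # The stolen token presented under a different vendor account is refused.
    as_other_vendor = provider.charge(
        "other-vendor", stolen, 1499, sign(other_key, f"charge|{stolen}|1499"))

    # Presented under the original vendor's name but without that vendor's
    # API secret (assumed to be stored apart from the customer database).
    without_key = provider.charge(
        "game-vendor", stolen, 1499, sign(other_key, f"charge|{stolen}|1499"))

    return {
        "renewal": renewal,
        "stolen_token_other_vendor": as_other_vendor,
        "stolen_token_no_key": without_key,
        "card_in_vendor_db": card in " ".join(vendor_db.values()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The protection depends on the vendor's API secret living somewhere other than the customer database; a breach that takes both lets the intruder charge as that vendor, though still without learning the card number.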

  • GdemamiGdemami Member EpicPosts: 12,342


    Originally posted by jado818

    Regardless of their fault in the matter.. sony is liable

    Yes, that I agree and Sony in this regard is doing great. Some of the Sony services are back online and others will follow most likely very soon!


    All my point was that if you do everything 'right', it's not your fault.

  • MurlockDanceMurlockDance Member Posts: 1,223

    Originally posted by jado818

    I'm shocked people are actually arguing over Sony's liability in this matter

    ok so maybe not.. people argue over stupid stuff on the internet all the time but still >_>

    Either way, Sony has a responsibility to keep customers' data safe and secure

    That data was compromised... so Sony is responsible to remedy the problem

    Regardless of their degree of "fault"

    Even if they had the most secure network in the known universe or let pedro the janitor run the network the night of the hack.. they are still responsible.

    I don't know what the standard is throughout the world.. but I feel a few things should be common for a large company

    They maintain sales / customer data securely (w/e the current encryption/firewall industry standards are)

    If the data is stolen then affected customers / parties should be notified in a timely manner.. (2~3 days at most maybe)

    And the company should assist victims of identity theft in recovering stolen money.

    It would probably be smart for a large company to have insurance to protect against damage from hacks into their networks.. Seems pretty common sense to me.. hacks will happen.. nothing is 100% safe

    But there are ways to limit the damage from hacks.. namely notifying people in a timely manner

    There have been many large scale databases hacked in the past few years.. not limited to Sony... I think TJ Maxx had 50 million credit card numbers / pins stolen in 2005 and customers ended up losing a lot (150 million iirc)

    There probably should be some sort of streamlined identity theft recovery process in place... because the current system isn't designed to handle large scale theft that happens these days... and will continue to happen (because nothing is 100% safe)

    If credit card companies / banks had the ability to shut off cards (en masse) it would be a good thing I think

    I am concerned about giving the government more power to abuse but a law with strict guidelines on when and how a power like this could be used would be helpful.

    SoE are responsible for the data they take from us sure, and as you say yourself, past a certain point there isn't much they can do if someone really wants to hack them. Outside of gross negligence in handling customer data or not having any security at all, what exactly do people expect SoE to do? That's what I don't understand about the guy who is doing a class action lawsuit against them. The hackers are way more responsible. If anything, once caught, they're the ones who should be sued, not SoE.

    In fact maybe it should be a class action lawsuit. Can you imagine being sued to pay millions of subscriptions? Ouch!

    By the way, credit card companies and banks DO have the ability to shut off lots of cards at once. I remember even 10 years ago going into a store and discovering that my credit card had been blocked. When I called my bank to find out why, they said they had shut off all numbers ending with the same 4 numbers as my card to prevent credit card fraud.

    Playing MUDs and MMOs since 1994.

  • TUX426TUX426 Member Posts: 1,907

    Originally posted by Gdemami

    Originally posted by jado818

    Regardless of their fault in the matter.. Sony is liable

    Yes, that I agree and Sony in this regard is doing great. Some of the Sony services are back online and others will follow most likely very soon!

    All my point was that if you do everything 'right', it's not your fault.

    Huh? What is back online?

    http://twitter.com/#!/SonyOnline/soe-games

  • MazingaMazinga Member Posts: 3

    The information they hacked supposedly did not include credit card information which seems to suggest that there are parts of their system which are more protected than other parts. I for one don't see the necessity of providing a birth date especially since there are no age restrictions on who can play the game. The address should only be necessary for credit card verification and stored on a separate server which I suspect it is. However, it also appears that there is another copy stored on the active server for identity verification when you log in which makes it much more accessible.

     

    In the interest of personal security you should not provide any true details about yourself to an online game company. They have no legitimate reason for requiring this information. The only thing that is necessary is to determine if in fact the person playing is the same person who is paying for the service. You could call yourself Joe Blow and it wouldn't matter. To demand the information implies that they want to have some recourse against you in the future should the need arise. I believe that to be required to provide this information means that they fully intend to enforce some type of legal justice upon you should you do something they feel is against their EULA.

     

    Of course, the obvious argument is how do you prove you are in fact Joe Blow should something happen such as your account getting hacked and your characters plundered. By that point all your information could have been changed and without verifiable information it would be a daunting task to determine who is the real Joe Blow.

     

    Well, if the gaming company was truly interested in protecting your information they would provide a way to identify your game account without needing that personal information.

  • GdemamiGdemami Member EpicPosts: 12,342


    Originally posted by TUX426

    Huh? What is back online?
    http://twitter.com/#!/SonyOnline/soe-games

    Sony Playstation Store

    http://us.playstation.com/


    NEWS.NETCRAFT.COM - Parts of the Sony PlayStation Network are coming back online after more than two weeks of continuous downtime. The PlayStation Store website went online around 02:00 UTC today, although online gaming services through the PlayStation Network are still undergoing maintenance. Sony yesterday began the final stages of testing the new PlayStation Network and Qriocity services, making sure they are secure before the services are relaunched.

  • jado818jado818 Member, Newbie CommonPosts: 356

    Originally posted by MurlockDance

    Originally posted by jado818

    I'm shocked people are actually arguing over Sony's liability in this matter

    ok so maybe not.. people argue over stupid stuff on the internet all the time but still >_>

    Either way, Sony has a responsibility to keep customers' data safe and secure

    That data was compromised... so Sony is responsible to remedy the problem

    Regardless of their degree of "fault"

    Even if they had the most secure network in the known universe or let pedro the janitor run the network the night of the hack.. they are still responsible.

    I don't know what the standard is throughout the world.. but I feel a few things should be common for a large company

    They maintain sales / customer data securely (w/e the current encryption/firewall industry standards are)

    If the data is stolen then affected customers / parties should be notified in a timely manner.. (2~3 days at most maybe)

    And the company should assist victims of identity theft in recovering stolen money.

    It would probably be smart for a large company to have insurance to protect against damage from hacks into their networks.. Seems pretty common sense to me.. hacks will happen.. nothing is 100% safe

    But there are ways to limit the damage from hacks.. namely notifying people in a timely manner

    There have been many large scale databases hacked in the past few years.. not limited to Sony... I think TJ Maxx had 50 million credit card numbers / pins stolen in 2005 and customers ended up losing a lot (150 million iirc)

    There probably should be some sort of streamlined identity theft recovery process in place... because the current system isn't designed to handle large scale theft that happens these days... and will continue to happen (because nothing is 100% safe)

    If credit card companies / banks had the ability to shut off cards (en masse) it would be a good thing I think

    I am concerned about giving the government more power to abuse but a law with strict guidelines on when and how a power like this could be used would be helpful.

    SoE are responsible for the data they take from us sure, and as you say yourself, past a certain point there isn't much they can do if someone really wants to hack them. Outside of gross negligence in handling customer data or not having any security at all, what exactly do people expect SoE to do? That's what I don't understand about the guy who is doing a class action lawsuit against them. The hackers are way more responsible. If anything, once caught, they're the ones who should be sued, not SoE.

    In fact maybe it should be a class action lawsuit. Can you imagine being sued to pay millions of subscriptions? Ouch!

    By the way, credit card companies and banks DO have the ability to shut off lots of cards at once. I remember even 10 years ago going into a store and discovering that my credit card had been blocked. When I called my bank to find out why, they said they had shut off all numbers ending with the same 4 numbers as my card to prevent credit card fraud.

    Good to know about the credit cards... I've never had to shut off a credit card before because of identity theft heh

     

    I disagree with you on sony's liability though.. I think it is acceptable to hold them or any company responsible / liable for data they store and any damages done by its theft or misuse

     

    I feel this causes / will cause a few things to happen

     

    Companies will spend money on the latest network security technology / software / developments

    They will create / use better data storage / deletion practices because of their liability for large scale hacks like this

    They won't wait weeks to notify people their credit cards may be used illicitly

     

    Companies only understand money.. not that this is a bad thing, free market works imo.. if you want a company to be extremely secure.. make sure the alternatives are more costly

     

    besides.. large companies should be getting insurance for things like this anyways

  • MurlockDanceMurlockDance Member Posts: 1,223

    Originally posted by GrumpyMel2

    The way to increase the security of online transactions would be rather than having companies store credit card info. Have them collect it once, submit it to the payment provider and request the provider generate a "payment token" for that credit card. The "payment token" would ONLY be good for that particular VENDOR using that card. When the vendor wanted to charge against that card again it would submit the token..not the card info. That way the vendor is only storing info (the token) which is useful for that vendor making charges. For anyone else, the token would be absolutely useless...as only that vendor could make charges with it. The consumer's CC info would only be stored by the issuing bank and CC company... never a vendor.

    This sort of change would pretty much have to come from the CC companies though.

    Perhaps this change will happen as fall out from all of this, and I think the sooner the better. It sounds like the kind of change we need: a systemic change.

    Playing MUDs and MMOs since 1994.

  • GrumpyMel2GrumpyMel2 Member Posts: 1,832

    Originally posted by Gdemami

    Originally posted by GrumpyMel2

    No my argument is that Sony got breached...therefore they failed somewhere. If they didn't, they wouldn't have gotten breached.

    And I say again that that only applies if all situations are foreseeable and you can prevent them, which is a logical fallacy, thus your statement is invalid as well.

    It ain't more complicated than that to rectify your argument because that is what will happen when you start using absolute values.

    Sorry, but your argument is the equivalent of "No one can ever be held accountable for making a mistake because no one can ever anticipate all possible problems".... that's bunk.

    It's IT Security's core function to anticipate risks and put measures in place to guard against them. If they didn't anticipate a risk then they failed in that job function. No need to crucify them...no one can bat 1000, but yeah...they screwed up.

    Besides from all the information that's been made available.....this wasn't some elite team that used alien technology to beam into Sony's server rooms and steal the info. All the info that's floating around out there really points to Sony screwing up security 101.... This is what I've heard so far..

    They had unpatched web-servers sitting on a public facing interface..

    They either didn't have a FW in place or their FW didn't have adequate filtering rules...

    They didn't have any other sort of request filtering in place on those servers to guard against dangerous requests.

    The hackers exploited KNOWN vulnerabilities (i.e. not zero day exploits) on those web servers to compromise them.

    They had sensitive data sitting around unencrypted on their db-servers.

    They didn't have an IDS or any sort of content control system to pick up on the fact that a HUGE volume of data was being dumped out to an external source.

    FWIW, if you've ever dealt with Sony on the tech side of things...none of the above, appalling as it might seem...will come as any surprise.

    On one level, I do feel sorry for them. It sucks being breached.....and it sucks having to deal with this sort of stuff when all you want to do is do business. On another level, they really, really should know better.

    Unfortunately the person most likely to take the fall for it at Sony will probably be some poor low-mid level tech grunt..... while probably the real fault lies with upper management for not putting enough resources and pull behind IT Security. At least that's the way it tends to go in 90 percent of these cases.

  • MurlockDanceMurlockDance Member Posts: 1,223

    Originally posted by jado818

    I disagree with you on sony's liability though.. I think it is acceptable to hold them or any company responsible / liable for data they store and any damages done by its theft or misuse

    I agree with you about misuse as in if SoE sold players' personal data to third parties without telling us, but theft? No. Again, this is with the understanding that SoE took all proper precautions to protect people's data. Only an investigation by a third party entity can really say.

    Companies will spend money on the latest network security technology / software / developments

    They will create / use better data storage / deletion practices because of their liability for large scale hacks like this

    I am not a computer security wiz, but again I think there is only so much that can be done. If someone really wants to break into a database or server, they will do it. Why do you want to punish further the company IF they took ALL proper precautions? We don't know if SoE did or didn't... there is a lot of speculation on the webz it seems...

     

    Companies only understand money.. not that this is a bad thing, free market works imo.. if you want a company to be extremely secure.. make sure the alternatives are more costly

    It already is more costly. SoE/Sony is losing a lot of money over this. People can't buy station cash and whatever the equivalent is for the PSN, or any games, or have any recurring subs go through right now, and furthermore, SoE will be giving us free time on top of however long it takes to get the servers back up and running. That's not including all of the players who are spooked by this who will stop using Sony game products or SoE for that matter. That *is* the free market at play, so if you like free market stuff, then you should be perfectly content with what is already in place.

     

    besides.. large companies should be getting insurance for things like this anyways

    with costs handed on to us I am sure.

    Playing MUDs and MMOs since 1994.

  • SilentstormSilentstorm Member UncommonPosts: 1,126

    You guys amuse me; other than a minor settlement nothing will happen to Sony. You think the public got to sue the airline for allowing its plane to be hijacked? NO!!! This is actually considered an act of terrorism on the corporate level. No one in this country is gonna get jack from whining when homeland security and the FBI are involved. Whoever did do it knows full well you got the big dogs watching now, not some company IT flunky. You're a complete and total greedy fool if you want to set a standard for E-piracy to award the consumers. And the government will never allow that to happen. So cut out the whining; it's good it happened so weak security across the world can take notice.

  • GdemamiGdemami Member EpicPosts: 12,342


    Originally posted by GrumpyMel2

    Sorry, but your argument is the equivalent of "No one can ever be held accountable for making a mistake because no one can ever anticipate all possible problems".... that's bunk.


    Before you stated that: One is always accountable for even unforeseeable circumstance even though one cannot prevent them.

    Now you state that: One is never accountable because there are only unforeseeable circumstances.


    That is just the same ill logic, and it is indeed a bunk. Nothing I have said though.

    Where you fail and what you are missing is this:

    There are foreseeable or unforeseeable circumstances that can be either prevented or not.


  • MurlockDanceMurlockDance Member Posts: 1,223

    Originally posted by GrumpyMel2

    Sorry, but your argument is the equivalent of "No one can ever be held accountable for making a mistake because no one can ever anticipate all possible problems".... that's bunk.

    It's IT Security's core function to anticipate risks and put measures in place to guard against them. If they didn't anticipate a risk then they failed in that job function. No need to crucify them...no one can bat 1000, but yeah...they screwed up.

    Besides from all the information that's been made available.....this wasn't some elite team that used alien technology to beam into Sony's server rooms and steal the info. All the info that's floating around out there really points to Sony screwing up security 101.... This is what I've heard so far..

    They had unpatched web-servers sitting on a public facing interface..

    They either didn't have a FW in place or their FW didn't have adequate filtering rules...

    They didn't have any other sort of request filtering in place on those servers to guard against dangerous requests.

    The hackers exploited KNOWN vulnerabilities (i.e. not zero day exploits) on those web servers to compromise them.

    They had sensitive data sitting around unencrypted on their db-servers.

    They didn't have an IDS or any sort of content control system to pick up on the fact that a HUGE volume of data was being dumped out to an external source.

    FWIW, if you've ever dealt with Sony on the tech side of things...none of the above, appalling as it might seem...will come as any surprise.

    On one level, I do feel sorry for them. It sucks being breached.....and it sucks having to deal with this sort of stuff when all you want to do is do business. On another level, they really, really should know better.

    Unfortunately the person most likely to take the fall for it at Sony will probably be some poor low-mid level tech grunt..... while probably the real fault lies with upper management for not putting enough resources and pull behind IT Security. At least that's the way it tends to go in 90 percent of these cases.

    I'd rather wait for a proper investigation into what went wrong exactly. I wouldn't just listen to SoE press releases or what gaming forums, which tend to be anti-SoE, say. I prefer to hear it from less biased sources, like the BBC.

    You're stating the above as if they are known givens, but people were bickering about this earlier in this thread. Seems to me like there is still a speculative element to this and I am not sure how "kosher" the sites quoted in the links are.

    Considering that potential lawsuits seem to be threatening over this, it's something that no side can afford to base on speculation...

     

    Playing MUDs and MMOs since 1994.

  • jado818jado818 Member, Newbie CommonPosts: 356

    ehh.. that's generally how insurance works.. costs are handed down to the consumers

    It doesn't make it a bad idea though

    I agree there should be some systemic changes to the way online transactions / data are processed and stored but at the end of the day somebody has to be held responsible / liable for any thefts / misuse of said data (and I'm not just talking about this particular case or any "alleged" theft from the "pure hearted" hackers that may have occurred.)

    I'd rather the responsibility be on the companies than a penniless basement dweller/hacker or some sort of federally mandated program (bailout)

    Insurance is a practical approach to help deal with damages from attacks that *will* happen in the future.

     

  • GdemamiGdemami Member EpicPosts: 12,342


    Originally posted by MurlockDance

    I'd rather wait for a proper investigation into what went wrong exactly.

    That's a problem, if you were supposed to verify and rely on supported information only, you would risk that it won't fit your boat. It is better to just grab anything that suits your case, regardless of how reliable the information is...

  • BogeBoge Member Posts: 182

    This surely isn't making it better for the gamer, not being able to play online, worrying about theft, etc.

  • TeknoBugTeknoBug Member UncommonPosts: 2,156

    It's indeed partly SOE's fault for not encrypting passwords to begin with, God knows how they store personal information. Here's a quote from an email I got from SOE today:


    Dear Valued Sony Online Entertainment Customer:
    Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, province, zip, country), email address, gender, birthdate, phone number, login name and hashed password.


  • CalmOceansCalmOceans Member UncommonPosts: 2,437

    What's funny is that I distinctly remember SoE saying they were safe from hacks because they were on completely different servers from PSN. 1 day later they get hacked, lol.

  • PyrostasisPyrostasis Member UncommonPosts: 2,293

    Originally posted by Beanpuie

    Speaking of Security, this could also be a lesson to other companies to tighten their belt on the matter.

    I've heard that Microsoft usually get attacked by all forms every 30 seconds, makes me wonder if they hire some of these hackers to the benefit of being at the top of their game when it comes to protection.

    Actually quite a few companies hire "Ethical Hackers" for exactly this type of deal. It's called penetration testing.

    You pay an organization to target your security perimeter and they try and breach it during specific times or on specific systems. Works wonders for fixing your stuff. However, folks saying anything is hackable... well yeah technically, but it's a time game.

    This is why networks have IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems). Systems can be breached, but this was a colossal screw up of epic proportions. Sony allowed a hacker to penetrate three layers of their security and then connect to their backend database long enough to yank out millions of user data. That's a lot of data... and would be considerable size.

    The screw up is either A letting them stay connected to the database for that period of time yanking that size of data without a red flag going up and killing it or B letting tons of computers bypass the three layers of security multiple times yanking the data. I only recently got my Security+ cert... but even as a security novice there are so many stupid, negligent, and flat out incompetent mistakes made in this ordeal it just boggles my mind.

    Sony is going to get hammered by lawsuits and assuming what Sony has said and some of the rumors going around it's not going to take much to nail these guys for negligence, at which point you are going to see a settlement check with quite a few zeros being sent out.

  • PyrostasisPyrostasis Member UncommonPosts: 2,293

    Originally posted by sookster54

    It's indeed partly SOE's fault for not encrypting passwords to begin with, God knows how they store personal information. Here's a quote from an email I got from SOE today:

    Dear Valued Sony Online Entertainment Customer:

    Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, province, zip, country), email address, gender, birthdate, phone number, login name and hashed password.

    A hashed password is an industry standard setup. Most folks would consider this a form of encryption.

    For instance, if your password is password in a sha1 hash it would be 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

    Now, you can take more precautions by taking said hash and salting it. For instance, your first name is Bob you can append that to the password and add a random number Bob52 that then turns it into 16cf0d6b55d500d40071a20a07da0628cae2e12c

    Pretty big difference with just that little extra.

    Heavily salted passwords with sha1 hash and a good password policy (I.E. 9 - 10 characters, numbers, uppercase, and special characters) make it pretty damn hard to crack.

    Rainbow tables can do it. But you are looking at an EXTREMELY long time for each password and not worth it for your SOE pw. SoE screwed up by letting these folks in, but a hashed password is a fairly common industry standard technique for protecting password information.
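
The hashing and salting discussed in the post above, as an added example that is not part of the original post. It goes beyond the post's `Bob52` illustration by using a random per-user salt and a slow key-derivation function (PBKDF2) in place of a single SHA-1 pass; the user names, passwords, wordlist and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor chosen for this example (an assumption, not a recommendation
# taken from the thread).
PBKDF2_ITERATIONS = 200_000


def sha1_unsalted(password):
    """The scheme from the post: one pass of SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(wordlist):
    """A table of unsalted hashes computed once, reusable against any database."""
    return {sha1_unsalted(word): word for word in wordlist}


def hash_password(password, salt=None):
    """Random 16-byte salt per user plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    # Constructed sample accounts: two users share a common password.
    users = {"bob": "password", "carol": "password", "dave": "S7#kq!vR2m"}

    # Unsalted storage: equal passwords give equal hashes, and a precomputed
    # table resolves every common password with a dictionary lookup.
    weak_db = {user: sha1_unsalted(pw) for user, pw in users.items()}
    lookup = build_lookup(["123456", "password", "qwerty"])
    recovered = {user: lookup[h] for user, h in weak_db.items() if h in lookup}

    # Salted, slow storage: the same password hashes differently per user,
    # so the precomputed table matches nothing and each guess must be
    # recomputed per account at full KDF cost.
    strong_db = {user: hash_password(pw) for user, pw in users.items()}
    table_hits = [user for user, (_, digest) in strong_db.items()
                  if digest.hex() in lookup]

    bob_salt, bob_digest = strong_db["bob"]
    return {
        "weak_same_hash": weak_db["bob"] == weak_db["carol"],
        "weak_recovered": recovered,
        "strong_same_hash": bob_digest == strong_db["carol"][1],
        "strong_table_hits": table_hits,
        "login_ok": verify("password", bob_salt, bob_digest),
        "login_wrong": verify("Password", bob_salt, bob_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```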
