The point is, we have yet to know if it was SoE's incompetence or SCEI's in competence. None of us know the internal structure. If it had been only SoE than yes, it would be easy to lay blame at their feet. But a seperate entity that no one from SoE has anything to do with faced the same hacking.
People are saying SoE is guilty, when we don't have any evidence that they are.
Ok, tell me how you would interpret this
SOE took down their servers in light of the playstation network being hacked.
SOE conducted a security review and enhanced their security measures.
SOE determined that everything was fine and announced to their playerbase that their information was safe.
SOE one week later determined that everything was not safe. That information had been stolen. That credit and banking information was stored on their server that they were NOT EVEN USING. Most of this was stored in clear text.
SOE then had to take down their service a second time. Perform a security review a second time. Enhance their security a second time.
SOE for whatever reason did not take down their facebook game servers offline until an outside party forced them too. I guess they don't do a security review or enhance security until after something has already been hacked and cleaned out.
At this point it doesn't matter who or how the network was hacked. That above shows that SOE is incompetent with their network security. They violated the security protocals set up by credit card companies. They failed to detect an intrusion even after they knew someone had breached the Sony network. They failed to properly secure their network the first time they brought it down.
On top of that SCEI (not SOE) was ready to bring the PSN back online when the hackers published some of the names they had stolen. In response to this Sony delayed opening the service up again citing how complicated things had gotten. Obviously they didn't know the hackers got that information.
This isn't a case of SCEI or SOE being at fault. Both are total failures in this situation. Neither can pass the buck to the other, because they are both making massive mistakes.
How do we know SoE is responsible for their own network security anymore?
Sure, when they were under Sony Motion Pictures its almost definite they were responsible. but once they were transferred to SCEI/SCEA, well maybe they saw the oppurtunity to use the same system for both services so they could cut costs and only have one security team.
Its obvious they both use the same system since they both were hacked in the same attack. In fact, its possible a single hack got them into both systems.
Given all the staff cuts SoE has suffered since 2008 I would actually bet that their security guys were amongst the first to go.
It is without a doubt that a division, or more, of Sony is responsible. But which division(s), that we don't know.
Still people having reservations about SoE games because of this are justified because SoE's security will still likely be run by the division thats running it now (although Id hope some of the people will have changed)
They might not have known exactly how bad it was. The tech guys might not have been able to convince the men at charge. Who knows. Maybe it was a inside job. We will never know for sure, because SOE will spin the tale I'm sure.
You realize how hard it would be as a tech guy to tell the suits you need to shut the WHOLE network, from PS3 to PC down? Really. That is a TON of cash going down the drain EVERY day.
SOE just downsized it's workforce and now they get hacked....hmmmm I can take a guess at how this hacker knew the system. Maybe it was one of the people who designed it. Which means, SOE is in serious trouble.
The only thing that throws this theory into question is then how did PSN get hacked as well? If they have the same system with the same holes is it SoE's fault, PSN's fault, or the division that oversees both?
We don't know if they each have their own security team or not, and we don't know if they went to SCEI and said 'hey we need resources to fix this' and SCEI said 'No. we can't afford it and the risk is to minimal to warrant it'
How do we know SoE is responsible for their own network security anymore?
Sure, when they were under Sony Motion Pictures its almost definite they were responsible. but once they were transferred to SCEI/SCEA, well maybe they saw the oppurtunity to use the same system for both services so they could cut costs and only have one security team.
Its obvious they both use the same system since they both were hacked in the same attack. In fact, its possible a single hack got them into both systems.
Given all the staff cuts SoE has suffered since 2008 I would actually bet that their security guys were amongst the first to go.
It is without a doubt that a division, or more, of Sony is responsible. But which division(s), that we don't know.
Still people having reservations about SoE games because of this are justified because SoE's security will still likely be run by the division thats running it now (although Id hope some of the people will have changed)
What?
First you suggest that SCEI is running the security for SOE servers. Then you suggest that SOE cut security staff during their layoffs and that has some effect on this. You can't seem to make up your mind who you think is in charge of the SOE servers.
If SCEI was running the servers then SOE would have went down the same minute the PSN servers did and would not have come back up. At least SCEI had the common sense to stay offline until they were certain they fully understood the problems.
If SCEI was in charge of the SOE servers both divisions would have taken the same exact actions. Instead you have SCEI and SOE taking almost complete opposite actions from each other in response to the problems.
The hack was detected in the PSN networks, where it wasn't in the SOE network.
The PSN network correctly identified that personal and credit information was stolen, where as SOE incorrectly determined their information was safe
The PSN network was immediately taken down and stayed offline until the problem was properly investigated. The SOE network was down less than a few hours and reopened with security flaws undiscovered.
SCEI quickly announed it was rebuilding their network security from the ground up in light of the problem. SOE self determined their network was safe and resumed normal operation for over a week before shutting down for a second time to fix the security problems.
SCEI immediately hired outside help to resolve thier security issues. SOE waited until after a week of saying their servers and our information was secure only to be shown wrong. Only then did they figure it was time to seek help from security experts.
There is no reason to believe the one team in charge of both divisions servers would make such drasticially different decisions for each set of services, especially considering how large this issue if for the entire company as a whole.
I believe planetside next will put soe back on top, or at least put them in good standing if they don't screw it up. After all they have cancelled a less known title and reorganized development and money to give it their full attention, that says a lot
We don't know if they each have their own security team or not, and we don't know if they went to SCEI and said 'hey we need resources to fix this' and SCEI said 'No. we can't afford it and the risk is to minimal to warrant it'
With all the problems that SCEI is trying to fix (security and their reputation) do you really think they wouldn't dedicate some resources to SOE if they thought it might explode into another massive problem for the company?
In your scenario SOE asks for help, because they think they might have been compromised also and SCEI tells them tough luck, they can't spare resources? Like they couldn't hire more security firms to help SOE?
So once the breach to SOE was confirmed where did the resources suddenly appear to hire an outside security firm for SOE?
I think your theories have a lot of holes in them. Even when looked at casually.
SOE took down their servers in light of the playstation network being hacked.
SOE conducted a security review and enhanced their security measures.
SOE determined that everything was fine and announced to their playerbase that their information was safe.
SOE one week later determined that everything was not safe. That information had been stolen. That credit and banking information was stored on their server that they were NOT EVEN USING. Most of this was stored in clear text.
SOE then had to take down their service a second time. Perform a security review a second time. Enhance their security a second time.
SOE for whatever reason did not take down their facebook game servers offline until an outside party forced them too. I guess they don't do a security review or enhance security until after something has already been hacked and cleaned out.
At this point it doesn't matter who or how the network was hacked. That above shows that SOE is incompetent with their network security. They violated the security protocals set up by credit card companies. They failed to detect an intrusion even after they knew someone had breached the Sony network. They failed to properly secure their network the first time they brought it down.
On top of that SCEI (not SOE) was ready to bring the PSN back online when the hackers published some of the names they had stolen. In response to this Sony delayed opening the service up again citing how complicated things had gotten. Obviously they didn't know the hackers got that information.
This isn't a case of SCEI or SOE being at fault. Both are total failures in this situation. Neither can pass the buck to the other, because they are both making massive mistakes.
This is the information we do know for absolutely sure SoE and Sony did: the storing of "outdated" on a perfectly hackable i.e. online database. But thing is, if this is "industry standard", then any game company can be hacked and that information stolen. That is what worries me the most. The failure to recognize a breach in security until a substantial amount of stuff was taken is also deeply worrisome. That shows SoE's incompetence.
Again, we don't know about the firewall thing, or some of the other speculations. But the fact that databases containing information were kept online that, in my opinion based on common sense, shows me that SoE were indeed negligent. Why the hell were they keeping that information around online?
It might seem not-so important to hack a database from 2007, but the hackers still have our real names, birth dates, addresses (pertinent if you haven't moved since 2007), account names, passwords, and maybe even bank account details.
I've done a bit of prepaid credit card research, and it seems like there are a lot of more-or-less seedy internet sites that offer one, but if you buy them online, it's no different than giving your details to SoE. They can be compromised just as easily. Checking with my banks, they do not offer them in an offline manner.
Nothing is 100% hack proof.. but companies should be a lot more vigilant than they have been.
A department store isn't 100% theft proof.. but if somebody was stealing a ton of stuff a security guard would stop them.
Same thing goes for Sony.. If somebody was taking a ton of personal data... somebody should have noticed. Sure if it was an in and out hack and lasted a short time people might be more understanding.
This theft is the equivalent of robber's clearing out nearly the entire store with sony being the sleeping security guard.
They should have been scrutinizing their networks a lot more closely.
Originally posted by Daffid011 SOE showed a lot of incompetence in how they handled this situation.
What you consider an incompetence is your own ignorance. That is why I say there is no screw up.
On the contrary, Sony handled the situation very well, but for that you would need to understand what such investigates takes, in a least bit.
If you have bothered to read what I said about , you could get a clue how things work. And you are the proof I was right.. I say it again:
You cannot rule out that something was NOT stolen or NOT accessed and if you inform people early, you will get blamed later if the info turns out inaccurate.
Only safe network is the one that is unplugged. That is a nature of the things.
Regarding the Anonymous, yes, that is a slip on my side as word 'supposed' did not make it through heavy editing of my post in futile attempt making it easy to read, which you did not even bother. I have also clearly said that the Anonymous denied the responsibility for the attack.
Originally posted by MurlockDanceBut thing is, if this is "industry standard", then any game company can be hacked and that information stolen. That is what worries me the most. The failure to recognize a breach in security until a substantial amount of stuff was taken is also deeply worrisome. That shows SoE's incompetence.It might seem not-so important to hack a database from 2007, but the hackers still have our real names, birth dates, addresses (pertinent if you haven't moved since 2007), account names, passwords, and maybe even bank account details.
I've done a bit of prepaid credit card research, and it seems like there are a lot of more-or-less seedy internet sites that offer one, but if you buy them online, it's no different than giving your details to SoE. They can be compromised just as easily. Checking with my banks, they do not offer them in an offline manner.
Great points and spot on.
You underestimates what it takes to identify an intrusion.
It all depends on the nature and method of intrusion. If the intruders are 'amateurs', they will most likely get caught quickly and won't get very far. On the other hand if the attack is sophisticated and performed by highly skilled entity that does make an effort to hide tracks of their presence, it will take considerably more time and effort. Again, it solely depends on case by case basis and you are speculating only that Sony could have done better.
Sony detected the intrusion, what was way more difficult was to track down the scope of it. And that really takes time because you do need forensic evidence in that case.
You are spot on about the personal data manipulation. Sony indeed represents standard practice in the industry and there will be a big discussion about personal data handling and their security. It will be very interesting to watch the changes that will come because the issue is technically as well as procedurally challenging.
What most people seem to neglect, and what truly a reason for Sony criticism can be, is the outdated database running on their network. Sony so far wasn't able to explain why the database was connected in the first place and the fact they stored credit card numbers there is 'outrageous'. If you want to bash Sony for something, this would be reasonable target.
Originally posted by jpnz Mind pointing me when I debated on 'What ifs'? By Sony's presentation we know the following. 1. There was a vunerability. 2. This was known to Sony 3. This vunerability was used to hack Sony. Someone else can spin this. I don't bother and stick with what we know.
Every system has vulnerabilities, the difference is what their nature is and how you treat them.
How do we know SoE is responsible for their own network security anymore?
Sure, when they were under Sony Motion Pictures its almost definite they were responsible. but once they were transferred to SCEI/SCEA, well maybe they saw the oppurtunity to use the same system for both services so they could cut costs and only have one security team.
Its obvious they both use the same system since they both were hacked in the same attack. In fact, its possible a single hack got them into both systems.
Given all the staff cuts SoE has suffered since 2008 I would actually bet that their security guys were amongst the first to go.
It is without a doubt that a division, or more, of Sony is responsible. But which division(s), that we don't know.
Still people having reservations about SoE games because of this are justified because SoE's security will still likely be run by the division thats running it now (although Id hope some of the people will have changed)
What?
First you suggest that SCEI is running the security for SOE servers. Then you suggest that SOE cut security staff during their layoffs and that has some effect on this. You can't seem to make up your mind who you think is in charge of the SOE servers.
If SCEI was running the servers then SOE would have went down the same minute the PSN servers did and would not have come back up. At least SCEI had the common sense to stay offline until they were certain they fully understood the problems.
If SCEI was in charge of the SOE servers both divisions would have taken the same exact actions. Instead you have SCEI and SOE taking almost complete opposite actions from each other in response to the problems.
The hack was detected in the PSN networks, where it wasn't in the SOE network.
The PSN network correctly identified that personal and credit information was stolen, where as SOE incorrectly determined their information was safe
The PSN network was immediately taken down and stayed offline until the problem was properly investigated. The SOE network was down less than a few hours and reopened with security flaws undiscovered.
SCEI quickly announed it was rebuilding their network security from the ground up in light of the problem. SOE self determined their network was safe and resumed normal operation for over a week before shutting down for a second time to fix the security problems.
SCEI immediately hired outside help to resolve thier security issues. SOE waited until after a week of saying their servers and our information was secure only to be shown wrong. Only then did they figure it was time to seek help from security experts.
There is no reason to believe the one team in charge of both divisions servers would make such drasticially different decisions for each set of services, especially considering how large this issue if for the entire company as a whole.
How would you explain that?
Well, the hackers came in through the PSN servers, not the SOE servers. So initially they though they hadn't gotten that far in the system. Most likely once the auditors knew what to look for, they were able to determine that the hackers did get into the PSN servers. I don't really have an issue with SOE thinking their servers were safe. Those servers have been online for over 11 years without ever being compromised. Wasn't until the PSN came online and got sloppy that things went to poop.
Originally posted by Daffid011 If SCEI was running the servers then SOE would have went down the same minute the PSN servers did and would not have come back up.
You are still confused about those two.
Those are 2 different networks. When network 1 is compromised, it does not necessarily mean that network 2 was compromised as well and if there are no signs that network 2 was affected as well, there is no reason to shut it down.
It seems like you think that Sony network is one body, it's not. Both networks have their own gateways and infrastructure, there is just internal link between those two.
Someone else can spin this. I don't bother and stick with what we know.
Every system has vulnerabilities, the difference is what their nature is and how you treat them.
You only speculate the did nothing about it.
Like I keep saying, I don't debate using 'what ifs'. I stick with what we know.
What the vulnerabilities there were and their nature or whatever is pure speculation.
What Sony did or did not do is absolutely 'what ifs' since Sony hasn't said anything about it.
Once again, the facts are:
1. There was a vunerability.
2. This was known to Sony
3. This vunerability was used to hack Sony.
I like to comment I did work in the IT industry so yes, I know the QA process can be time consuming and maybe Sony was about to patch it on their production servers 2 seconds after the hacking was done. But as I said before, I don't debate using 'what ifs'.
Stick with facts. Debate 101.
Gdemami - Informing people about your thoughts and impressions is not a review, it's a blog.
Nothing is 100% hack proof.. but companies should be a lot more vigilant than they have been.
A department store isn't 100% theft proof.. but if somebody was stealing a ton of stuff a security guard would stop them.
Same thing goes for Sony.. If somebody was taking a ton of personal data... somebody should have noticed. Sure if it was an in and out hack and lasted a short time people might be more understanding.
This theft is the equivalent of robber's clearing out nearly the entire store with sony being the sleeping security guard.
They should have been scrutinizing their networks a lot more closely.
It is nothing like stealing the whole store. That would have been spotted. An equivlant to that is the DDOS attack that they were under and WERE responding to.
The information they stole was specific and subtle - more akin to a master thief ignoring the fancy tv's and jewelery and pocketting the money out of the till whilst the guards are busy dealing with the vandals trying to kick the doors down. The guards would notice you carrying a huge tagged tv out, but much harder to spot an untagged wad in your pocket. It is data - probably only a few hundred mb in size, so quick and easy to slip out. Yes it is very important data, but digitally is small in size.
The error sony made was not having a proper dedicated watch on their digital till - i.e. lax Database security. Vandals at the door or not you would expect a major store to have someone on the tills.
Sony has admitted that the server was out of date. My question would be - how out of date? And waht was being done to update it?
It could well be that the servers were only a couple of builds behind, and the updates in testing - in which case they were more unlucky than negligent. Big companies cannot just upload the latest version upon release as it may cause problems. So instead must test everything, and that takes time.
However, and as I suspect is the case here, it may have been a 'if it isnt broke dont fix it' approach, where mamgement fail to understand the risk of attack and think only of the cost (monetary, employee wages and downtime) of updating the service. And here you can blame not just Sony, but the vast majority of companies out there - MMo and otherwise. Sony got caught, but it could well have been Cryptic, Blizzard, Bioware or any one else. You can bet they are rushing in security upgrades all over right now thinking 'phew lucky that was not us'.
The almighty and mega rich Blizzard is just as vulnerable - cf the massive number of hacked accounts when they went to battlenet - and their dubious response of ignoring the vulnerability and instead telling their customers that it is their problem and that they should buy an authenticator. And I'm sure you have all read the pretty much daily news stories of lost data, hacked systems and poor security out there. On the whole online security sucks big time - Sony is simply the latest big name to find that fact out.
All that being said though the biggest problem is that there are digital criminals out there - and we need to start treating them as such, and vilifying thema s the scum they are. Data theft is theft full stop - akin to stealing your card itself. And the anoymous DDOS attacks - digital vanadalism pure and simple. Would you be angry at vandals that smashed your car up becuase it was not green enough? Would you tolerate your work being smashed up becasue they presecuted someone for stealing the goods the make? No you wouldn't. But time and time again you see posts praising these digital vandals as heroes and making their victims out to be the bad guys. 'It is their fault that we could steal from them, and smash their system up. It is their fault that they couldn't stop us, and so no MMO's for you is their fault, not ours. Even though we engaged in illegal digital theft and vanadalism it is their fault'.
Whilst Sony did indeed fail in a big way do not forget that they, and all their customers, were the victims of a criminal act. be angry at Sony if you wish, but be also angry at the criminals.
Originally posted by jpnz What Sony did or did not do is absolutely 'what ifs' since Sony hasn't said anything about it.
Short memory, huh?
Originally posted by jpnz Sony knew about the vunerability but when the hacking happened, they didn't do anything about it on their production servers.
Originally posted by jpnz How can the vunerability be exploited if they 'fixed' it?
Because the fix might not be available at the time, fix may turn out to be insufficient, fix might not be applied for whatever reason, etc... many things you do not know about...
Talking about spinning, speculations are not facts.
Originally posted by jpnz More speculations and 'what if's'. I don't really see the point in speculations.
It would be a speculation if I was implying that one of those possibilities is true, which is what you are doing with your statement about Sony not doing anything about the vulnerability.
More speculations and 'what if's'. I don't really see the point in speculations.
It would be a speculation if I was implying that one of those possibilities is true, which is what you are doing with your statement about Sony not doing anything about the vulnerability.
I am just pointing out the lack of evidence.
Like my previous posts says, the 'not doing anything' was a comment to say the vulnerability was still exploited even though Sony knew about it before.
All we know is that the vulnerability was known before the hacking happened, and the hacking exploited that vulnerability.
Gdemami - Informing people about your thoughts and impressions is not a review, it's a blog.
Question is will we BOO HISS MMORG.com for letting them in, like many people are doing to Sony? Should we sue MMORPG.com for their lax security? Should we expect compensation?
Or will we agree that nothing can ever be fully secure from hacking scum like that? That is it an online security war, and the best we can hope for is to to catch the crooks and maybe limit the damage?
Could it possibly be double standards from some who will vilify those spamming MMORG.com, but praising anyone who attcks the hated Sony?
Originally posted by Stuntie Hackers and apmmers have targetted MMORPG!!!!!. Question is will we BOO HISS MMORG.com for letting them in, like many people are doing to Sony? Should we sue MMORPG.com for their lax security? Should we expect compensation? Or will we agree that nothing can ever be fully secure from hacking scum like that? That is it an online security war, and the best we can hope for is to to catch the crooks and maybe limit the damage? Could it possibly be double standards from some who will vilify those spamming MMORG.com, but praising anyone who attcks the hated Sony?
That is what troubles me the most in Sony case. Criminals will always be 1 step ahead and cyber criminality is no different.
When it comes to criminality, it was always very local so far. Even frauds at large companies are rather small scale.
In case of cyber criminality though, the damage can take epic proportions because you are targeting infrastructures instead of local, specific targets.
Sony incident with change the world for the future.
Note: To your post above, Sony did not admit the out dated server. They only stated that they knew about the vulnerability in the system. Just minor inaccuracy.
If SCEI was running the servers then SOE would have went down the same minute the PSN servers did and would not have come back up.
You are still confused about those two.
Those are 2 different networks. When network 1 is compromised, it does not necessarily mean that network 2 was compromised as well and if there are no signs that network 2 was affected as well, there is no reason to shut it down.
It seems like you think that Sony network is one body, it's not. Both networks have their own gateways and infrastructure, there is just internal link between those two.
Funny how you can read my entire post and miss the obvious points I was making.
Again I do completely understand the situation. I do understand that SOE and SCEI are different server networks and both SOE and SCEI have made that clear in their press releases.
The point was that both networks had vulnerabilities. Both had customer databases stolen. One division detected the intrusion and theft. One division kept their servers offline to resolve the security issues and hired outside help.
The other division was incapable of detecting the intrusion. They didn't properly resolve their security issues. They falsely told their customers their infromation was safe. They didn't take their servers offline to resolve their security holes. They didn't conduct a proper. SOE was simply incapable of doing the job that was required in this situation and all your excuses and apologies will not change that.
Why did SCEI get the job done and make the right choices while SOE failed in every single aspect they tried? The only excuse you have offered is that "things like this are hard". In essence you are agreeing with everything I say when you make that statement.
SCEI was capable enough to get the job done, but SOE wasn't. I point out their inability to do their job properly and you make the excuse that it is to hard. Same result, you just don't want to be honest about SOEs lack of ability in this situation and it is crystal clear they failed in that respect.
Listen, the only reason SOE knew there was a problem, was because it was being discussed by hackers. This was well after SOE had cleared themselves of any danger and certified their servers secure. Mistake and mistake, despite your claims that their were no mistakes.
Comments
How do we know SoE is responsible for their own network security anymore?
Sure, when they were under Sony Motion Pictures its almost definite they were responsible. but once they were transferred to SCEI/SCEA, well maybe they saw the oppurtunity to use the same system for both services so they could cut costs and only have one security team.
Its obvious they both use the same system since they both were hacked in the same attack. In fact, its possible a single hack got them into both systems.
Given all the staff cuts SoE has suffered since 2008 I would actually bet that their security guys were amongst the first to go.
It is without a doubt that a division, or more, of Sony is responsible. But which division(s), that we don't know.
Still people having reservations about SoE games because of this are justified because SoE's security will still likely be run by the division thats running it now (although Id hope some of the people will have changed)
The only thing that throws this theory into question is then how did PSN get hacked as well? If they have the same system with the same holes is it SoE's fault, PSN's fault, or the division that oversees both?
We don't know if they each have their own security team or not, and we don't know if they went to SCEI and said 'hey we need resources to fix this' and SCEI said 'No. we can't afford it and the risk is to minimal to warrant it'
What?
First you suggest that SCEI is running the security for SOE servers. Then you suggest that SOE cut security staff during their layoffs and that has some effect on this. You can't seem to make up your mind who you think is in charge of the SOE servers.
If SCEI was running the servers then SOE would have went down the same minute the PSN servers did and would not have come back up. At least SCEI had the common sense to stay offline until they were certain they fully understood the problems.
If SCEI was in charge of the SOE servers both divisions would have taken the same exact actions. Instead you have SCEI and SOE taking almost complete opposite actions from each other in response to the problems.
The hack was detected in the PSN networks, where it wasn't in the SOE network.
The PSN network correctly identified that personal and credit information was stolen, where as SOE incorrectly determined their information was safe
The PSN network was immediately taken down and stayed offline until the problem was properly investigated. The SOE network was down less than a few hours and reopened with security flaws undiscovered.
SCEI quickly announed it was rebuilding their network security from the ground up in light of the problem. SOE self determined their network was safe and resumed normal operation for over a week before shutting down for a second time to fix the security problems.
SCEI immediately hired outside help to resolve thier security issues. SOE waited until after a week of saying their servers and our information was secure only to be shown wrong. Only then did they figure it was time to seek help from security experts.
There is no reason to believe the one team in charge of both divisions servers would make such drasticially different decisions for each set of services, especially considering how large this issue if for the entire company as a whole.
How would you explain that?
With all the problems that SCEI is trying to fix (security and their reputation) do you really think they wouldn't dedicate some resources to SOE if they thought it might explode into another massive problem for the company?
In your scenario SOE asks for help, because they think they might have been compromised also and SCEI tells them tough luck, they can't spare resources? Like they couldn't hire more security firms to help SOE?
So once the breach to SOE was confirmed where did the resources suddenly appear to hire an outside security firm for SOE?
I think your theories have a lot of holes in them. Even when looked at casually.
This is the information we do know for absolutely sure SoE and Sony did: the storing of "outdated" on a perfectly hackable i.e. online database. But thing is, if this is "industry standard", then any game company can be hacked and that information stolen. That is what worries me the most. The failure to recognize a breach in security until a substantial amount of stuff was taken is also deeply worrisome. That shows SoE's incompetence.
Again, we don't know about the firewall thing, or some of the other speculations. But the fact that databases containing information were kept online that, in my opinion based on common sense, shows me that SoE were indeed negligent. Why the hell were they keeping that information around online?
It might seem not-so important to hack a database from 2007, but the hackers still have our real names, birth dates, addresses (pertinent if you haven't moved since 2007), account names, passwords, and maybe even bank account details.
I've done a bit of prepaid credit card research, and it seems like there are a lot of more-or-less seedy internet sites that offer one, but if you buy them online, it's no different than giving your details to SoE. They can be compromised just as easily. Checking with my banks, they do not offer them in an offline manner.
Playing MUDs and MMOs since 1994.
Nothing is 100% hack proof.. but companies should be a lot more vigilant than they have been.
A department store isn't 100% theft proof.. but if somebody was stealing a ton of stuff a security guard would stop them.
Same thing goes for Sony.. If somebody was taking a ton of personal data... somebody should have noticed. Sure if it was an in and out hack and lasted a short time people might be more understanding.
This theft is the equivalent of robber's clearing out nearly the entire store with sony being the sleeping security guard.
They should have been scrutinizing their networks a lot more closely.
What you consider an incompetence is your own ignorance. That is why I say there is no screw up.
On the contrary, Sony handled the situation very well, but for that you would need to understand what such investigates takes, in a least bit.
If you have bothered to read what I said about , you could get a clue how things work. And you are the proof I was right.. I say it again:
You cannot rule out that something was NOT stolen or NOT accessed and if you inform people early, you will get blamed later if the info turns out inaccurate.
Only safe network is the one that is unplugged. That is a nature of the things.
Regarding the Anonymous, yes, that is a slip on my side as word 'supposed' did not make it through heavy editing of my post in futile attempt making it easy to read, which you did not even bother. I have also clearly said that the Anonymous denied the responsibility for the attack.
Why I you doing it then?
Mind pointing me when I debated on 'What ifs'?
By Sony's presentation we know the following.
1. There was a vunerability.
2. This was known to Sony
3. This vunerability was used to hack Sony.
Someone else can spin this. I don't bother and stick with what we know.
Gdemami -
Informing people about your thoughts and impressions is not a review, it's a blog.
Great points and spot on.
You underestimates what it takes to identify an intrusion.
It all depends on the nature and method of intrusion. If the intruders are 'amateurs', they will most likely get caught quickly and won't get very far. On the other hand if the attack is sophisticated and performed by highly skilled entity that does make an effort to hide tracks of their presence, it will take considerably more time and effort. Again, it solely depends on case by case basis and you are speculating only that Sony could have done better.
Sony detected the intrusion, what was way more difficult was to track down the scope of it. And that really takes time because you do need forensic evidence in that case.
You are spot on about the personal data manipulation. Sony indeed represents standard practice in the industry and there will be a big discussion about personal data handling and their security. It will be very interesting to watch the changes that will come because the issue is technically as well as procedurally challenging.
What most people seem to neglect, and what truly a reason for Sony criticism can be, is the outdated database running on their network. Sony so far wasn't able to explain why the database was connected in the first place and the fact they stored credit card numbers there is 'outrageous'. If you want to bash Sony for something, this would be reasonable target.
Again, great points.
Every system has vulnerabilities, the difference is what their nature is and how you treat them.
You only speculate the did nothing about it.
Well, the hackers came in through the PSN servers, not the SOE servers. So initially they though they hadn't gotten that far in the system. Most likely once the auditors knew what to look for, they were able to determine that the hackers did get into the PSN servers. I don't really have an issue with SOE thinking their servers were safe. Those servers have been online for over 11 years without ever being compromised. Wasn't until the PSN came online and got sloppy that things went to poop.
You are still confused about those two.
Those are 2 different networks. When network 1 is compromised, it does not necessarily mean that network 2 was compromised as well and if there are no signs that network 2 was affected as well, there is no reason to shut it down.
It seems like you think that Sony network is one body, it's not. Both networks have their own gateways and infrastructure, there is just internal link between those two.
Like I keep saying, I don't debate using 'what ifs'. I stick with what we know.
What the vulnerabilities there were and their nature or whatever is pure speculation.
What Sony did or did not do is absolutely 'what ifs' since Sony hasn't said anything about it.
Once again, the facts are:
1. There was a vunerability.
2. This was known to Sony
3. This vunerability was used to hack Sony.
I like to comment I did work in the IT industry so yes, I know the QA process can be time consuming and maybe Sony was about to patch it on their production servers 2 seconds after the hacking was done. But as I said before, I don't debate using 'what ifs'.
Stick with facts. Debate 101.
Gdemami -
Informing people about your thoughts and impressions is not a review, it's a blog.
It is nothing like stealing the whole store. That would have been spotted. An equivlant to that is the DDOS attack that they were under and WERE responding to.
The information they stole was specific and subtle - more akin to a master thief ignoring the fancy tv's and jewelery and pocketting the money out of the till whilst the guards are busy dealing with the vandals trying to kick the doors down. The guards would notice you carrying a huge tagged tv out, but much harder to spot an untagged wad in your pocket. It is data - probably only a few hundred mb in size, so quick and easy to slip out. Yes it is very important data, but digitally is small in size.
The error sony made was not having a proper dedicated watch on their digital till - i.e. lax Database security. Vandals at the door or not you would expect a major store to have someone on the tills.
Sony has admitted that the server was out of date. My question would be - how out of date? And waht was being done to update it?
It could well be that the servers were only a couple of builds behind, and the updates in testing - in which case they were more unlucky than negligent. Big companies cannot just upload the latest version upon release as it may cause problems. So instead must test everything, and that takes time.
However, and as I suspect is the case here, it may have been a 'if it isnt broke dont fix it' approach, where mamgement fail to understand the risk of attack and think only of the cost (monetary, employee wages and downtime) of updating the service. And here you can blame not just Sony, but the vast majority of companies out there - MMo and otherwise. Sony got caught, but it could well have been Cryptic, Blizzard, Bioware or any one else. You can bet they are rushing in security upgrades all over right now thinking 'phew lucky that was not us'.
The almighty and mega rich Blizzard is just as vulnerable - cf the massive number of hacked accounts when they went to battlenet - and their dubious response of ignoring the vulnerability and instead telling their customers that it is their problem and that they should buy an authenticator. And I'm sure you have all read the pretty much daily news stories of lost data, hacked systems and poor security out there. On the whole online security sucks big time - Sony is simply the latest big name to find that fact out.
All that being said though the biggest problem is that there are digital criminals out there - and we need to start treating them as such, and vilifying thema s the scum they are. Data theft is theft full stop - akin to stealing your card itself. And the anoymous DDOS attacks - digital vanadalism pure and simple. Would you be angry at vandals that smashed your car up becuase it was not green enough? Would you tolerate your work being smashed up becasue they presecuted someone for stealing the goods the make? No you wouldn't. But time and time again you see posts praising these digital vandals as heroes and making their victims out to be the bad guys. 'It is their fault that we could steal from them, and smash their system up. It is their fault that they couldn't stop us, and so no MMO's for you is their fault, not ours. Even though we engaged in illegal digital theft and vanadalism it is their fault'.
Whilst Sony did indeed fail in a big way do not forget that they, and all their customers, were the victims of a criminal act. be angry at Sony if you wish, but be also angry at the criminals.
Cheers
Stuntie.
Short memory, huh?
Yeah, the vunerability was exploited so their production servers still had that vunerability.
The 'didn't do anyhting' comment is that the vunerability was still exploited btw.
Once again, the facts that we know do not favor Sony. That's all I am saying.
They knew about it but when the hacking happened that vunerability was exploited.
You can spin this all you want but I'm sticking with what I know.
Gdemami -
Informing people about your thoughts and impressions is not a review, it's a blog.
Because the fix might not be available at the time, fix may turn out to be insufficient, fix might not be applied for whatever reason, etc... many things you do not know about...
Talking about spinning, speculations are not facts.
More speculations and 'what if's'. I don't really see the point in speculations.
Spin it however you want but you can't refute the following statement.
'Sony knew about the vunerability before the hacking occured and the hacking exploited that vunerability.'
Gdemami -
Informing people about your thoughts and impressions is not a review, it's a blog.
It would be a speculation if I was implying that one of those possibilities is true, which is what you are doing with your statement about Sony not doing anything about the vulnerability.
I am just pointing out the lack of evidence.
Like my previous posts says, the 'not doing anything' was a comment to say the vulnerability was still exploited even though Sony knew about it before.
All we know is that the vulnerability was known before the hacking happened, and the hacking exploited that vulnerability.
Gdemami -
Informing people about your thoughts and impressions is not a review, it's a blog.
Hackers and apmmers have targetted MMORPG!!!!!.
Question is will we BOO HISS MMORG.com for letting them in, like many people are doing to Sony? Should we sue MMORPG.com for their lax security? Should we expect compensation?
Or will we agree that nothing can ever be fully secure from hacking scum like that? That is it an online security war, and the best we can hope for is to to catch the crooks and maybe limit the damage?
Could it possibly be double standards from some who will vilify those spamming MMORG.com, but praising anyone who attcks the hated Sony?
Cheers
Stuntie.
That is what troubles me the most in Sony case. Criminals will always be 1 step ahead and cyber criminality is no different.
When it comes to criminality, it was always very local so far. Even frauds at large companies are rather small scale.
In case of cyber criminality though, the damage can take epic proportions because you are targeting infrastructures instead of local, specific targets.
Sony incident with change the world for the future.
Note: To your post above, Sony did not admit the out dated server. They only stated that they knew about the vulnerability in the system. Just minor inaccuracy.
Funny how you can read my entire post and miss the obvious points I was making.
Again I do completely understand the situation. I do understand that SOE and SCEI are different server networks and both SOE and SCEI have made that clear in their press releases.
The point was that both networks had vulnerabilities. Both had customer databases stolen. One division detected the intrusion and theft. One division kept their servers offline to resolve the security issues and hired outside help.
The other division was incapable of detecting the intrusion. They didn't properly resolve their security issues. They falsely told their customers their infromation was safe. They didn't take their servers offline to resolve their security holes. They didn't conduct a proper. SOE was simply incapable of doing the job that was required in this situation and all your excuses and apologies will not change that.
Why did SCEI get the job done and make the right choices while SOE failed in every single aspect they tried? The only excuse you have offered is that "things like this are hard". In essence you are agreeing with everything I say when you make that statement.
SCEI was capable enough to get the job done, but SOE wasn't. I point out their inability to do their job properly and you make the excuse that it is to hard. Same result, you just don't want to be honest about SOEs lack of ability in this situation and it is crystal clear they failed in that respect.
Listen, the only reason SOE knew there was a problem, was because it was being discussed by hackers. This was well after SOE had cleared themselves of any danger and certified their servers secure. Mistake and mistake, despite your claims that their were no mistakes.