Well, the hackers came in through the PSN servers, not the SOE servers. So initially they thought they hadn't gotten that far in the system. Most likely once the auditors knew what to look for, they were able to determine that the hackers did get into the PSN servers. I don't really have an issue with SOE thinking their servers were safe. Those servers have been online for over 11 years without ever being compromised. Wasn't until the PSN came online and got sloppy that things went to poop.
Most information is suggesting that the SOE servers were exploited the same way that the PSN servers were and not by tunneling through the PSN servers.
Either way, SOE took down their servers, "enhanced" the security and put them back online. 11 days later they had to take their servers down a second time, "enhance" security a SECOND time, and only then did they seek outside help to, and I quote, "figure out what happened".
So not only did they evaluate their server security on the 21st and fail to secure all the problems, they still didn't understand "what happened" on May 2nd when they took the servers down the second time.
Question is, will we BOO HISS MMORPG.com for letting them in, like many people are doing to Sony? Should we sue MMORPG.com for their lax security? Should we expect compensation?
Or will we agree that nothing can ever be fully secure from hacking scum like that? That it is an online security war, and the best we can hope for is to catch the crooks and maybe limit the damage?
Could it possibly be double standards from some who will vilify those spamming MMORPG.com, but praise anyone who attacks the hated Sony?
That is what troubles me the most in Sony case. Criminals will always be 1 step ahead and cyber criminality is no different.
When it comes to criminality, it was always very local so far. Even frauds at large companies are rather small scale.
In case of cyber criminality though, the damage can take epic proportions because you are targeting infrastructures instead of local, specific targets.
The Sony incident will change the world for the future.
Note: To your post above, Sony did not admit the outdated server. They only stated that they knew about the vulnerability in the system. Just a minor inaccuracy.
Large scale 'leaks' have happened before and will happen again. Nothing is 100% in terms of security.
TJX, Google Gmail vs China, Apple with its 'location-gate', Facebook and their use of profiles etc.
All deal with our personal information.
Despite what anyone might think, I don't 'hate' Sony nor do I 'like' Sony.
I just want to make sure 'speculation' is not clouding the facts.
Gdemami - Informing people about your thoughts and impressions is not a review, it's a blog.
Originally posted by Daffid011 The other division was incapable of detecting the intrusion. They didn't properly resolve their security issues.
Can you specify what made their resolution not proper and what steps, that were relevant to information available at the time, they should have taken? Do you have any arguments to back this up?
You somehow think that they could have done better, despite your technical ignorance, lack of evidence, and general knowledge about the nature of the things.
When a grenade explodes in your front lines, the damage is evident, whether the shrapnel hit someone who was behind the line is not as apparent though.
Please do not say I agree to fallacy of your reasoning, that is simply not true.
Because of your inability to participate in the discussion in any reasonable fashion and your arguments being equal to 'Sony sucks', I do not see any point in wasting my time.
Originally posted by jpnz Large scale 'leaks' have happened before and will happen again.
That is the part of the problem I have on mind.
Cyber criminality was never as severe but as the online world and data exchange is growing, and it is growing rapidly, we can expect the increase of the criminality in this regard as well as damage that can be done.
Cyber criminality grows hand in hand with the online world and so does grow the scale of those leaks and the value of the data they steal.
Sony data theft is still huge compared to any other leak before but most importantly, I see it as a beginning only.
Not saying sky is falling but the change is coming. Whether it will be for good or bad, only time will tell.
SOE showed a lot of incompetence in how they handled this situation.
What you consider an incompetence is your own ignorance. That is why I say there is no screw up.
On the contrary, Sony handled the situation very well, but for that you would need to understand what such an investigation takes, in the least bit.
If you have bothered to read what I said about , you could get a clue how things work. And you are the proof I was right.. I say it again:
You cannot rule out that something was NOT stolen or NOT accessed and if you inform people early, you will get blamed later if the info turns out inaccurate.
Only safe network is the one that is unplugged. That is a nature of the things.
Regarding the Anonymous, yes, that is a slip on my side as word 'supposed' did not make it through heavy editing of my post in futile attempt making it easy to read, which you did not even bother. I have also clearly said that the Anonymous denied the responsibility for the attack.
Again you seem to have little recourse but to attack my character and not the points I make. Your arguments are getting rather shallow at this point.
Enough of talking about how hard it is to do these things as if that excuses the mistakes SOE made. It is their job to resolve these issues and if it is too hard for them to accomplish that, they should have hired outside help IMMEDIATELY like SCEI did.
Mistake 1: SOE didn't get outside expert help to diagnose the problem that was obviously beyond their ability.
If it is so hard to rule out that something was or wasn't stolen, then SOE should not have made public claims that information was secure. SCEI seemed to have no trouble figuring this out, so there is no reason to excuse SOE for being incapable of doing the same.
Mistake 2: Declaring personal information safe when it wasn't. SOE's investigation came to the wrong conclusion. I don't care how you try to downplay this, the result is that SOE made a mistake. They were incapable of making the correct conclusion. See mistake 1 for how this is resolved.
SOE put their servers back online April 21 saying they enhanced the security and things were fine. Not only did they have to take down the servers a second time, because the security needed to be upgraded again, they had to get outside help.
Mistake 3: SOE did not fully secure their servers. It doesn't matter how "hard" this is. SOE failed to fix all the security holes they found after their audit on April 21st. They were incapable of properly identifying the problem and made the wrong conclusion. Again, nothing you say changes that fact.
SOE, not SCEI, was incompetent. When a company makes the wrong decision or conclusion, that my friend is a mistake.
You keep calling my ability to understand something into question, but you seem to struggle with the simple concept of what a mistake is.
You keep excusing these mistakes, because networking is hard and takes time. Well it didn't seem to be too much of an obstacle for SCEI to make the correct conclusions and corrective actions. They correctly concluded that their information was stolen, their servers were vulnerable and they needed outside help.
SOE was attacked by THE SAME HACKERS and came to the exact opposite conclusions. Spin it however you want, the facts remain unchanged. SOE screwed up and made several mistakes.
So wait, when your excuses are entirely made up of "things like this are hard and take time" that is somehow evidence and a clear demonstration of understanding? Yet you want me to detail a complete security strategy even when I'm pointing out a fact that SOE didn't do enough? Facts that SOE presented, but I somehow don't understand the situation.
Do I have any arguments to back up my claims? Yes SOE had to take down their servers a second time, because there were still security holes. That comes directly from the information SOE supplied. Unless you want to say SOE is lying, then I think I have correctly detailed the situation.
I don't need to talk about grenades and question your intelligence. Just pointing out the facts is enough to show you are wrong, but feel free to keep trying to perform damage control all you want.
Originally posted by Daffid011 Again you seem to have little recourse but to attack my character and not the points I make.
Just to clarify, I am not attacking your character, I am attacking ignorance of yours and that flaw of your points is due to inadequate technical knowledge.
Being ignorant isn't an insult nor is it a problem, making conclusions without minimal required expertise or knowledge in the field is a problem though.
let's not have this devolve into personal attacks.
Even though we are all ignorant of something, it doesn't bode well for the discussion to call people ignorant during a debate. Better to say you are debating his point as opposed to "attacking ignorance".
Let's keep this discussion civil.
reminder of the rules of conduct because those are always fun.
OK, sorry about that, but let me explain where I'm coming from, being a PS3 owner and having owned and played about every MMORPG that Sony had made. I'm a little bit mad that now that I'm just entering adulthood, with getting my first place to myself and a newish car, Sony would not secure my identity enough so I do not have to worry about identity theft because of a game I played online. Go Army
Originally posted by Soliloquy let's not have this devolve into personal attacks. Even though we are all ignorant of something, it doesn't bode well for the discussion to call people ignorant during a debate. Better to say you are debating his point as opposed to "attacking ignorance". Let's keep this discussion civil. reminder of the rules of conduct because those are always fun. http://www.mmorpg.com/disclaimers.cfm#conduct
Eww, bad wording on my end. Did not realize it could be considered as personal attack because it was never meant to be.
I saw a report on the BBC show Click last night. It's crucial for any online business to protect its customers' information. I'm sure SOE will be more on the ball in future but I guess the damage is done. It's a little like when Mythic overcharged people. I've never felt like going back to Warhammer for the odd month again, something I used to do. I was thinking about getting DC Universe but I won't try that now. What really surprises me is that a company as large as SONY managed to get hacked in such a fashion; you would think their top priority would be to make their security virtually invulnerable. From the BBC show I gather that hackers are looking for what were called soft targets, so sadly I think we may see this type of thing in future. Credit card details were encrypted so they should be safe, but it's the personal data that's a worry. Not for me though; luckily I don't have a PS3 or an SOE account.
I do happen to run a network for a living so this issue isn't exactly a foreign concept for me, but you wouldn't know that, because you do not know anything about me. It is rather ironic that you are making conclusions about me when you have no real knowledge or awareness of me. I'm not insulted by the word ignorance and there are plenty of things I don't know, so no need to apologize. However if you are going to repeatedly call someone ignorant about something you really shouldn't do so from a position of ignorance yourself. Fair enough?
Anyhow, realize it or not most of what you are doing is trying to discredit me instead of debating the issues and information I present. I have no problem debating the issues of the subject if you would like to, but when you resort to trying to discuss me then I have better things to do with my time. Your choice.
I do have a question for you though, so answer this question if you can.
Let's say you owned a computer network and SOE was running it. There was a hacking attempt on April 17-19th. On April 21st after less than 24 hours of review they told you the servers were secure and fit to be put back online. On April 28th they told you that no information was stolen and to let your customers know immediately that their information is safe. On May 2nd (2 weeks later) they tell you that the servers need to come down for immediate security enhancements.... AGAIN. That data was in fact stolen and that they stored it in an unsecure and easily compromised format. Also that they would need to call in outside expert help to figure out "what happened", because after almost two weeks they incorrectly diagnosed every aspect of the situation.
Would you say that SOE performed their job well or displayed a lack of competence? Did they do a good job or a poor job?
Keep in mind SOE's sister company had the same exact problems for their servers, but correctly identified them and took the correct actions to minimize security exposure and damage to company image.
No worries. As I said, we are all ignorant about something or another. I'm pretty sure people could say I was ignorant about any number of things and they would be correct.
Having said that it's just a matter of perception and sometimes people might take it as an attack.
As the person you were addressing freely admits he is ignorant about things (as we all are) no harm or foul. I just wanted people to be mindful of the words they use "just in case".
carry on (my wayward son... don't ya cry no more! - we all rock out.)
I will answer that. SOE was totally incompetent. Most places would have shut down the connection at that point. Diagnosed what happened and implemented a fix. Waiting 2 weeks after the fact then shutting down, is lame.
I've been playing SOE games since EverQuest came out. I still play EQ2, that is if SOE ever comes back online, and at this point it looks like they've already been given the death blow.
Bringing the servers down and keeping them that way tells me something else happened. I smell an inside job, and I smell deleted database or multiple deleted files. Hacking is one thing but this is something else. I think this is all a cover for something going on. I think they took the time to move all the servers to San Diego, after letting 209 folks go, and something did not work right, then try to blame all this on some hackers.
It might be hackers, it might be an inside job. If it was hackers, somebody inside was helping; it was too precise of an attack.
Even if it was a malicious hack that was after more than just personal information but to destroy/delete the games Sony runs itself, Sony should have had data backup for anything that was deleted. I'm not too sure of the exact prices of data storage, but I wouldn't imagine it being terribly expensive to have a backup server and store all data on it once a day.
Processor power might be expensive.. but flat out hard-drive space is cheap
Only places I know of with real time data back up / redundancy are airports and the nasdaq / stock exchanges.. now that would be expensive heh
Now I'd be pretty mad if more than a day or 2 of game data was lost... less than that i could be understanding.. but I don't play any sony games atm either way ^^
was considering going back to everquest though .. have to see how they handle this whole situation first
How do we know SoE is responsible for their own network security anymore?
Sure, when they were under Sony Motion Pictures it's almost definite they were responsible, but once they were transferred to SCEI/SCEA, well, maybe they saw the opportunity to use the same system for both services so they could cut costs and only have one security team.
It's obvious they both use the same system since they both were hacked in the same attack. In fact, it's possible a single hack got them into both systems.
Given all the staff cuts SoE has suffered since 2008 I would actually bet that their security guys were amongst the first to go.
It is without a doubt that a division, or more, of Sony is responsible. But which division(s), that we don't know.
Still, people having reservations about SoE games because of this are justified because SoE's security will still likely be run by the division that's running it now (although I'd hope some of the people will have changed).
What?
First you suggest that SCEI is running the security for SOE servers. Then you suggest that SOE cut security staff during their layoffs and that has some effect on this. You can't seem to make up your mind who you think is in charge of the SOE servers.
If SCEI was running the servers then SOE would have gone down the same minute the PSN servers did and would not have come back up. At least SCEI had the common sense to stay offline until they were certain they fully understood the problems.
If SCEI was in charge of the SOE servers both divisions would have taken the same exact actions. Instead you have SCEI and SOE taking almost complete opposite actions from each other in response to the problems.
The hack was detected in the PSN networks, where it wasn't in the SOE network.
The PSN network correctly identified that personal and credit information was stolen, whereas SOE incorrectly determined their information was safe.
The PSN network was immediately taken down and stayed offline until the problem was properly investigated. The SOE network was down less than a few hours and reopened with security flaws undiscovered.
SCEI quickly announced it was rebuilding their network security from the ground up in light of the problem. SOE self determined their network was safe and resumed normal operation for over a week before shutting down for a second time to fix the security problems.
SCEI immediately hired outside help to resolve their security issues. SOE waited until after a week of saying their servers and our information was secure only to be shown wrong. Only then did they figure it was time to seek help from security experts.
There is no reason to believe the one team in charge of both divisions' servers would make such drastically different decisions for each set of services, especially considering how large this issue is for the entire company as a whole.
How would you explain that?
First off, SCEI is who runs SoE. We don't know what extent of the decision making is given to them vs. Smedley. You obviously failed reading comprehension too. I said it's possible that the SoE layoffs were security people, but I never said SoE was the ones that laid them off.
As for your argument as SoE would have gone down when PSN went down if they were linked, I'm sure you have played an MMO where a block of servers went down while others stayed up, right?
And finally, with your last point...Since the issue was so important for the company and given that SCEI runs both the PSN and SoE services you can bet your ass they at least were part of the team that looked at the SoE network. They are ultimately the ones that have to answer to Sony
Put away the tinfoil hat. No game data was harmed, people were playing after the attack happened. You think Sony took down the PSN for so long to cover for SoE?
It seems like someone is definitely trying to make a career out of spinning this incident in a positive light for Sony.
Even if we accept that all the information that we've heard about this incident is pure speculation and we don't have any real facts because we aren't privy to what actually happened, we can NOT conclude that SONY "did nothing wrong" and "did a great job".
You can't have it both ways, Gdemami, either there is enough information out there to draw real conclusions about what happened internally or there isn't. If there isn't, then claiming Sony did nothing wrong is simply dishonest...because you don't know what really happened and they could have done EVERYTHING wrong.
In this case, I think "the Lady doth protest too much."
I do know 2 things....
1) Ethical companies inform their clients when there is a POTENTIAL that their data has been compromised...they don't wait around for a full investigation.... they disclose the possibility immediately. There is an important reason for that....when data is compromised, particularly data that can lead to ID theft...SPEED of response is important. You want your clients to be able to report that possibility to the agencies they do business with ASAP so they can monitor for suspicious activity on those accounts...and do things like change security questions and passwords.
2) Encrypting personally identifiable information both on disk and in transit isn't just good security practice...it happens to be the LAW....at least if any of the people you collect such info on happen to be residents of MA or NV.
[1] First off, SCEI is who runs SoE. We don't know what extent of the decision making is given to them vs. Smedley. You obviously failed reading comprehension too. I said it's possible that the SoE layoffs were security people, but I never said SoE was the ones that laid them off.
[2] As for your argument as SoE would have gone down when PSN went down if they were linked, I'm sure you have played an MMO where a block of servers went down while others stayed up, right?
[3] And finally, with your last point...Since the issue was so important for the company and given that SCEI runs both the PSN and SoE services you can bet your ass they at least were part of the team that looked at the SoE network. They are ultimately the ones that have to answer to Sony
[1] SCEI is the division SOE reports to. Smedley runs SOE.
SCEI reports to Sony. Do you think Sony has a security team running the PSN servers? Wouldn't that also mean that they also run the SOE servers?
SOE used to report to Sony Motion Picture division. Do you think Sony Pictures was running the SOE servers before SOE moved to SCEI?
You say we don't know the extent of decision making SCEI has, but that hasn't stopped you from making wild speculation about what command they have taken over on the SOE server security, has it? Do you have even the slightest bit of information to back up your speculations?
As for your layoff comments, if SCEI was doing the SOE servers what would it matter who SOE fires, since they are not running the servers. For that matter why would SOE even have security people if they were not running the servers?
[2]
You do realize we are not talking about the actual game servers right?
[3]
There you go again saying matter of factly that SCEI runs the SOE servers. I'm not sure why you think the same team took two drastically different approaches to the same problem affecting their servers. Everything suggests that this is two completely different teams. One taking the necessary actions to minimize security exposures and the other completely fucking the situation up at every step.
SOE runs their own servers. They have their own data centers. But wouldn't be surprised they shared it together with SCEI.
All that doesn't matter.
Fact is, both PSN's as SOE's IT department has obviously gotten the dump the past years and let things get totally out of hand.
Latest report says PSN won't be up and running before May 31st.
As SOE is two weeks behind (they shut everything down 2 weeks later, didn't do crap, because they thought everything was peachy), so don't be surprised that they won't be up until middle of June.
Not really a surprise, as they got at least a year to catch up on updating and patching of their servers, update their security and have everything tested and validated.
It's not a small job, especially since they have endured lay offs after lay offs... so they are most probably understaffed as well... only having them even taking longer getting all the work done!
But hey! That's what you get with clueless management who only thinks of their IT department as a useless cost center!
Sony needs to aim for a new MMO that will revive them in the MMO market; their games are coming to expiration. I played EverQuest for years, then SWG up till a few months ago. Both of these games are dying, especially SWG, since it cannot go free like EQ II did because of the unique housing and city system...
That was what DCUO is supposed to be. SOE's standard launch practices have crippled it and the population has dwindled. They are now merging all servers on that game. SOE needs a top down review and shakedown of its practices. From this fiasco, it looks like it might need it for all of Sony. Maybe, Sony, the customer is always right?
We've gone a full business week now and there is still no ETA or explanation of a plan to restore services. I understand that mistakes happen, but now it's gone on long enough to have a stated plan. Daily "still offline" today messages are now becoming salt on players' wounds.
I hope they get their plan together soon and communicate it to their customers. A week is long enough to have a plan and be honest about it.
Last I heard they planned to have things back up before the end of May.
After yet another SOE Facebook post saying "SOE services will remain offline today...", I've seen another person comment that refers to some statement by SOE that servers will be up by May 31. Can anyone cite the source (post an URL) for where SOE stated that plan?
Although I'm a bit surprised that being down for a month is the best they can do, it'd be nice to see them actually communicating a plan. So far, their customer relations has been just slightly better than nothing.
It was a San Francisco Chronicle article but the link isn't working and I couldn't find the article in the 5 minutes I just spent looking.
Originally posted by GrumpyMel2:
Even if we accept that all the information that we've heard about this incident is pure speculation and we don't have any real facts because we aren't privy to what actually happened, we can NOT conclude that SONY "did nothing wrong"
Why not?
If there is no evidence they did anything wrong, the conclusion is that there is no evidence they did anything wrong. Simple as that and no more than I am saying...
(Note: I did say that outdated database in SOE network was something that seems as very wrong. If there is reason to doubt, I do doubt but I am just careful with reasons)
1) If you have no evidence that there was anything stolen (SOE) there is no potential thus only what you can announce is that you have no evidence about data theft - exactly what SOE did.
2) Discussed in other thread.
From what I could read (years back though), was that Europe got way more strict rules about personal data handling than US and I am familiar with EU legislative and know how loose it is. Basically it says: Just don't let it laying freely around and it will be ok.
Large scale 'leaks' have happened before and will happen again. Nothing is 100% in terms of security.
TJX, Google Gmail vs China, Apple with its 'location-gate', Facebook and their use of profiles etc.
All deal with our personal information.
Despite what anyone might think, I don't 'hate' Sony nor do I 'like' Sony.
I just want to make sure 'speculation' is not clouding the facts.
Gdemami -
Informing people about your thoughts and impressions is not a review, it's a blog.
Can you specify what made their resolution not proper and what steps, that were relevant to information available at the time, they should have taken? Do you have any arguments to back this up?
You somehow think that they could have done better, despite your technical ignorance, lack of evidence, and general knowledge about the nature of the things.
When a grenade explodes in your front lines, the damage is evident, whether the shrapnel hit someone who was behind the line is not as apparent though.
Please do not say I agree to fallacy of your reasoning, that is simply not true.
Because of your inability to participate in the discussion in any reasonable fashion and your arguments are being equal to 'Sony sucks', I do not see any point in wasting my time.
That is the part of the problem I have on mind.
Cyber criminality was never as severe but as the online world and data exchange is growing, and it is growing rapidly, we can expect the increase of the criminality in this regard as well as damage that can be done.
Cyber criminality grows hand in hand with the online world and so does grow the scale of those leaks and the value of the data they steal.
Sony data theft is still huge compared to any other leak before but most importantly, I see it as a beginning only.
Not saying sky is falling but the change is coming. Whether it will be for good or bad, only time will tell.
Again you seem to have little recourse but to attack my character and not the points I make. Your arguments are getting rather shallow at this point.
Enough of talking about how hard it is to do these things as if that excuses the mistakes SOE made. It is their job to resolve these issues and if it is too hard for them to accomplish that, they should have hired outside help IMMEDIATELY like SCEI did.
Mistake 1: SOE didn't get outside expert help to diagnose the problem that was obviously beyond their ability
If it is so hard to rule out that something was or wasn't stolen, then SOE should not have made public claims that information was secure. SCEI seemed to have no trouble figuring this out, so there is no reason to excuse SOE for being incapable of doing the same.
Mistake 2: Declaring personal information safe when it wasn't. SOE's investigation came to the wrong conclusion. I don't care how you try to downplay this, the result is that SOE made a mistake. They were incapable of making the correct conclusion. See mistake 1 for how this is resolved.
SOE put their servers back online April 21 saying they enhanced the security and things were fine. Not only did they have to take down the servers a second time, because the security needed to be upgraded again, they had to get outside help.
Mistake 3: SOE did not fully secure their servers. It doesn't matter how "hard" this is. SOE failed to fix all the security holes they found after their audit on April 21st. They were incapable of properly identifying the problem and made the wrong conclusion. Again, nothing you say changes that fact.
SOE, not SCEI, was incompetent. When a company makes the wrong decision or conclusion, that my friend is a mistake.
You keep calling my ability to understand something into question, but you seem to struggle with the simple concept of what a mistake is.
You keep excusing these mistakes, because networking is hard and takes time. Well it didn't seem to be too much of an obstacle for SCEI to make the correct conclusions and corrective actions. They correctly concluded that their information was stolen, their servers were vulnerable and they needed outside help.
SOE was attacked by THE SAME HACKERS and came to the exact opposite conclusions. Spin it however you want, the facts remain unchanged. SOE screwed up and made several mistakes.
So wait, when your excuses are entirely made up of "things like this are hard and take time" that is somehow evidence and a clear demonstration of understanding? Yet you want me to detail a complete security strategy even when I'm pointing out a fact that SOE didn't do enough? Facts that SOE presented, but I somehow don't understand the situation.
Do I have any arguments to back up my claims? Yes SOE had to take down their servers a second time, because there were still security holes. That comes directly from the information SOE supplied. Unless you want to say SOE is lying, then I think I have correctly detailed the situation.
I don't need to talk about grenades and question your intelligence. Just pointing out the facts is enough to show you are wrong, but feel free to keep trying to perform damage control all you want.
Just to clarify, I am not attacking your character, I am attacking ignorance of yours and that flaw of your points is due to inadequate technical knowledge.
Being ignorant isn't an insult nor is it a problem, making conclusions without minimal required expertise or knowledge in the field is a problem though.
Let's not have this devolve into personal attacks.
Even though we are all ignorant of something, it doesn't bode well for the discussion to call people ignorant during a debate. Better to say you are debating his point as opposed to "attacking ignorance".
Let's keep this discussion civil.
Reminder of the rules of conduct because those are always fun.
http://www.mmorpg.com/disclaimers.cfm#conduct
I think this is just the unmitigated arrogance they've displayed, repeatedly, over the years finally catching up with them, in the worst possible way.
I feel bad for the people whose information was stolen, especially if it ends up leading to so many cases of ID theft.
For Sony, collectively, though? Not at all.
I hope they get burned big time for this.
and the cash shop selling asphalt..." - Mimzel on F2P/Cash Shops
OK, sorry about that, but let me explain where I'm coming from, being a PS3 owner who has owned and played about every MMORPG that Sony had made. I'm a little bit mad that now that I'm just entering adulthood, with getting my first place to myself and a newish car, that Sony would not secure my identity enough so I do not have to worry about identity theft because of a game I played online. Go Army
Eww, bad wording on my end. Did not realize it could be considered as personal attack because it was never meant to be.
I saw a report on the BBC show Click last night. It's crucial for any online business to protect its customers' information. I'm sure SOE will be more on the ball in future but I guess the damage is done. It's a little like when Mythic overcharged people. I've never felt like going back to Warhammer for the odd month again. Something I used to do. I was thinking about getting DC Universe but I won't try that now. What really surprises me is that a company as large as SONY managed to get hacked in such a fashion; you would think their top priority would be to make sure their security was virtually invulnerable. From the BBC show I gather that hackers are looking for what was called soft targets so sadly I think we may see this type of thing in future. Credit card details were encrypted so they should be safe but it's the personal data that's a worry. Not for me though, luckily I don't have a PS3 or an SOE account.
I do happen to run a network for a living so this issue isn't exactly a foreign concept for me, but you wouldn't know that, because you do not know anything about me. It is rather ironic that you are making conclusions about me when you have no real knowledge or awareness of me. I'm not insulted by the word ignorance and there are plenty of things I don't know, so no need to apologize. However if you are going to repeatedly call someone ignorant about something you really shouldn't do so from a position of ignorance yourself. Fair enough?
Anyhow, realize it or not most of what you are doing is trying to discredit me instead of debating the issues and information I present. I have no problem debating the issues of the subject if you would like to, but when you resort to trying to discuss me then I have better things to do with my time. Your choice.
I do have a question for you though, so answer this question if you can.
Let's say you owned a computer network and SOE was running it. There was a hacking attempt on April 17-19th. On April 21st after less than 24 hours of review they told you the servers were secure and fit to be put back online. On April 28th they told you that no information was stolen and to let your customers know immediately that their information is safe. On May 2nd (2 weeks later) they tell you that the servers need to come down for immediate security enhancements.... AGAIN. That data was in fact stolen and that they stored it in an unsecure and easily compromised format. Also that they would need to call in outside expert help to figure out "what happened", because after almost two weeks they incorrectly diagnosed every aspect of the situation.
Would you say that SOE performed their job well or displayed a lack of competence? Did they do a good job or a poor job?
Keep in mind SOE's sister company had the same exact problems for their servers, but correctly identified them and took the correct actions to minimize security exposure and damage to company image.
No worries. As I said, we are all ignorant about something or another. I'm pretty sure people could say I was ignorant about any number of things and they would be correct.
Having said that it's just a matter of perception and sometimes people might take it as an attack.
As the person you were addressing freely admits he is ignorant about things (as we all are) no harm or foul. I just wanted people to be mindful of the words they use "just in case".
carry on (my wayward son... don't ya cry no more! - we all rock out.)
I will answer that. SOE was totally incompetent. Most places would have shut down the connection at that point. Diagnosed what happened and implemented a fix. Waiting 2 weeks after the fact then shutting down, is lame.
I've been playing SOE games since EverQuest came out. I still play EQ2, that is if SOE ever comes back online, and at this point it looks like they've already been given the death blow.
Bringing the servers down and keeping them that way tells me something else happened. I smell an inside job, and I smell deleted database or multiple deleted files. Hacking is one thing but this is something else. I think this is all a cover for something going on. I think they took the time to move all the servers to San Diego, after letting 209 folks go, and something did not work right, then try to blame all this on some hackers.
It might be hackers, it might be an inside job. If it was hackers, somebody inside was helping; it was too precise of an attack.
Even if it was a malicious hack that was after more than just personal information but to destroy/delete the games Sony runs itself, Sony should have had data backup for anything that was deleted. I'm not too sure of the exact prices of data storage, but I wouldn't imagine it being terribly expensive to have a backup server and store all data on it once a day.
Processor power might be expensive, but flat out hard-drive space is cheap.
Only places I know of with real time data backup / redundancy are airports and the NASDAQ / stock exchanges. Now that would be expensive heh
Now I'd be pretty mad if more than a day or 2 of game data was lost... less than that I could be understanding, but I don't play any Sony games atm either way ^^
Was considering going back to EverQuest though. Have to see how they handle this whole situation first.
First off, SCEI is who runs SoE. We don't know what extent of the decision making is given to them vs. Smedley. You obviously failed reading comprehension too. I said it's possible that the SoE layoffs were security people, but I never said SoE was the ones that laid them off.
As for your argument that SoE would have gone down when PSN went down if they were linked, I'm sure you have played an MMO where a block of servers went down while others stayed up, right?
And finally, with your last point... Since the issue was so important for the company and given that SCEI runs both the PSN and SoE services you can bet your ass they at least were part of the team that looked at the SoE network. They are ultimately the ones that have to answer to Sony.
Put away the tinfoil hat. No game data was harmed, people were playing after the attack happened. You think Sony took down the PSN for so long to cover for SoE?
It seems like someone is definitely trying to make a career out of spinning this incident in a positive light for Sony.
Even if we accept that all the information that we've heard about this incident is pure speculation and we don't have any real facts because we aren't privy to what actually happened, we can NOT conclude that SONY "did nothing wrong" and "did a great job".
You can't have it both ways, Gdemami, either there is enough information out there to draw real conclusions about what happened internally or there isn't. If there isn't, then claiming Sony did nothing wrong is simply dishonest...because you don't know what really happened and they could have done EVERYTHING wrong.
In this case, I think "the Lady doth protest too much."
I do know 2 things....
1) Ethical companies inform their clients when there is a POTENTIAL that their data has been compromised...they don't wait around for a full investigation.... they disclose the possibility immediately. There is an important reason for that....when data is compromised, particularly data that can lead to ID theft...SPEED of response is important. You want your clients to be able to report that possibility to the agencies they do business with ASAP so they can monitor for suspicious activity on those accounts...and do things like change security questions and passwords.
2) Encrypting personally identifiable information both on disk and in transit isn't just good security practice...it happens to be the LAW....at least if any of the people you collect such info on happen to be residents of MA or NV.
[1] SCEI is the division SOE reports to. Smedley runs SOE.
SCEI reports to Sony. Do you think Sony has a security team running the PSN servers? Wouldn't that also mean that they also run the SOE servers?
SOE used to report to Sony Motion Picture division. Do you think Sony Pictures was running the SOE servers before SOE moved to SCEI?
You say we don't know the extent of decision making SCEI has, but that hasn't stopped you from making wild speculation about what command they have taken over on the SOE server security has it? Do you have even the slightest bit of information to back up your speculations?
As for your layoff comments, if SCEI was doing the SOE servers what would it matter who SOE fires, since they are not running the servers. For that matter why would SOE even have security people if they were not running the servers?
[2]
You do realize we are not talking about the actual game servers right?
[3]
There you go again saying matter of factly that SCEI runs the SOE servers. I'm not sure why you think the same team took two drastically different approaches to the same problem affecting their servers. Everything suggests that this is two completely different teams. One taking the necessary actions to minimize security exposures and the other completely fucking the situation up at every step.
SOE runs their own servers. They have their own data centers. But wouldn't be surprised they shared it together with SCEI.
All that doesn't matter.
Fact is, both PSN's as SOE's IT department has obviously gotten the dump the past years and let things get totally out of hand.
Latest report says PSN won't be up and running before May 31st.
As SOE is two weeks behind (they shut everything down 2 weeks later, didn't do crap, because they thought everything was peachy), so don't be surprised that they won't be up until middle of June.
Not really a surprise, as they got at least a year to catch up on updating and patching of their servers, update their security and have everything tested and validated.
It's not a small job, especially since they have endured lay offs after lay offs... so they are most probably understaffed as well... only having them even taking longer getting all the work done!
But hey! That's what you get with clueless management who only thinks of their IT department as a useless cost center!
Now they get the bill served.... ice cold!