PSN Outage

By Shamus
on Apr 27, 2011
Filed under:
Video Games

splash_psn.jpg

This story about the Playstation Network being hacked is huge. Just trying to draw a chalk outline around the thing is a major undertaking. The degree to which this will impact the behavior and attitudes of the rest of the industry is hard to judge. But you can bet the people in Redmond are letting out a slow breath and saying, “Thank God this didn’t happen to us.” And then they laugh and go back to brainstorming new ways to make Games for Windows LIVE even more horrible.

This is the worst-case scenario for Sony. Their entire network is down, it’s been down since last week, and they don’t even have an estimate of when it will be up again. They don’t have an explanation. And someone out there has all of the personal data of all of the PSN users, ever.

Here is an email from my brother Patrick, this morning:

I’m sure you have heard of the PSN leak last week. I was actually affected by this. Someone tried to buy some monitors or tv’s or something using info from dell using information they got off the Playstation network. It didn’t go through because DELL, not my credit card, called me to make sure that I was who I said I was. Because of this I am free and clear, and Playstation has already said anyone affected will have their credit score fixed on their dime. (I Have a copy of the email they sent if you want it.)

This is EXACTLY the kind of liability a developer assumes when using online services for activations, game sales, DLC offerings and anything else. Aside from from all the other costs one has to wonder if companies are going to determine that DRM and online activation costs are being offset by the percentage of piracy they are eliminating.

Try to imagine the combined credit score and combined credit available if someone were to get into Blizzards servers. How many kids have online accounts with their parents cards? Now imagine a smart crook who would wait until blizzard server is being inundated with cash transactions, say during a diablo3 release and all the thefts aren’t caught until people start getting large CC bills a month later.

This is why middlemen still exist. It always sounds good to ‘eliminate the middleman’…. But he has his purpose.

Think about how many people use the same name / password pair everywhere. That means this hacker has more than just credit card numbers, they also have a bunch of potential World of Warcraft / Steam / Twitter / Facebook / Newegg / Gmail logins, along with a smattering of logins for various banks. The potential for widespread chaos and theft is alarming.

I am NOT a super-brain, and I can’t keep a unique name & password for every single site I visit. I have several tiers of passwords I use, from my low-security one I use for one-shot forum registrations, to my most secure login that I save for things with my credit card attached. I haven’t used my PSN login in a couple of years, but that is one place I would have trusted with one of my good passwords. I mean, Sony, right? Multi-billion dollar company. This isn’t some shady blog or forum or Facebook app. This is a major corporation. They know what they’re doing when it comes to security, right?

And let’s not forget how the Playstation store began, back in the day. It’s quite possible these guys never knew what they were doing.

Think about all the ways this will cost them down the line:

  • The cost of repairing the network and getting it running again with new safeguards in place.
  • The cost of making things right with their customers. (Paying for credit score fixes, paying damages on any lawsuits, etc.)
  • The cost of the brand damage to the Playstation name, which includes any drop in sales of Playstation consoles. Remember that one of the selling points with the PS3 is that the online aspect is free. Well… it’s suddenly costing people a lot. When you realize that your credit card info might be in the hands of a thief in another country, that $50 a year for Xbox LIVE is going to start looking pretty cheap.
  • The cost of any games that might get pushed back. After all, you don’t want to release a PSN game with a multiplayer component if PSN is down.
  • The loss of future sales because people will be reluctant to use the Playstion store.
  • Some small developers might shy away from bothering to put their wares on PSN, at least for now, until they see how this turns out. That will translate into lost sales down the road.

This could be a billion dollar mistake.

UPDATE: While the PSN notification about the breech arrived in the same morning as the news of my brother’s credit card theft, there are other factors in play here that point elsewhere. It’s impossible to say for sure, but let’s not lay the blame for this on Sony just yet.

Enjoyed this post? Please share!


A Hundred!A Hundred!201221 COMMENTS? What are you people talking about?!?

From the Archives:

  1. Psithief says:

    Breaking news on Shamus’ blog! This is the first time I’ve heard of someone actually using this data.

    • Nathon says:

      It was on the radio this morning; the press release is here.

      • Psithief says:

        All the news sites have reported that this data has been stolen, but Shamus is the first to post anecdotal evidence (oxymoron?) that it’s already being used.

        (i.e. I’m not convinced that Patrick hasn’t had his details stolen from PSN exactly)

        Here’s another ‘might be’ report. (I just found it) http://www.abc.net.au/news/video/2011/04/28/3201912.htm

        (Aside: At the end of the linked video is a shot of the Mass Effect 2 loading screen. *spew*)

      • Shamus says:

        Gah!

        The press release makes it sound like the intrusion came from WITHIN the network. I hope that was just them simplifying it for non-technical people, but if that was really the case, then… I just can’t even imagine how stupid that is. I’ve been assuming it was someone who gained access to the servers themselves, either physically or through some overlooked gap in their company network. But if PSN was hackable from WITHIN PSN, then this is truly amazing.

        • Nathon says:

          The break-in almost certainly came from some Anonymous person (that’s a member of Anonymous, not an anonymous person) who was cheesed off about the GeoHot case. I’d say that this is what Sony gets for withdrawing a widely used feature from a shipping product, then suing someone who figures out a way to put it back, but that doesn’t excuse this sort of idiocy. There are legitimate ways to make grievances known and this isn’t one of them.

          • Psithief says:

            Experts in the field believe it was NOT Anonymous. Why? Because it’s the first time they’ve denied anything!

            • Velkrin says:

              They’ve denied things before, such as hacking the Westboro Church website. Mind you then did so later after WBC kept claiming it was them.

              Rule of thumb tends to be Anon shuts sites down rather than going for a profit. That’s a level of FBI attention they don’t want.

              Hackers vary like any other group, and due to Anon’s (singular, group) status as the current bad boys of hacking they tend to get blamed for everything from Amazon’s cloud failure to someone’s 89 year old grandmother not being able to remember her cashed e-mail password.

          • Jjkaybomb says:

            I thought Anonymous claimed that they didnt do this… but I dont know much about them. Could they be lying, or unable to control people under their name?

            • uberfail says:

              They’re like terrorists, if they brought PSN down they would take credit for it.

              • Taellosse says:

                It’s an imperfect analogy. My understanding is that Anonymous doesn’t have any sort of command structure. It’s just a bunch of people that meet on obscure forums or IRC channels and collectively agree to do something. The specific people involved varies from one event to the next, and if it lasts for a bit, even within a given event.

                So just because Anonymous “officially” called off the dogs on Sony prior to this particular intrusion doesn’t mean someone “from” Anonymous didn’t do it anyway.

            • Winter says:

              “Anonymous” can’t control anyone, it’s just a banner (like the Black Flag for anarchists) that people operate under. That said, strategically it would be a bad move for anonoymous to pull this sort of stunt and they know it. I think it’s almost certainly someone cheesed off about GeoHot (which, incidentally, is 90% Sony’s fault anyway) deciding to strike back at Sony.

          • Chris B Chikin says:

            I doubt it’s just one guy from 4chan. Generally those guys are pretty worthless beyond DDoS attacks. I’m thinking properly organised criminal organisation here.

            • Alexander The 1st says:

              From what I’ve heard, they disclaimed that this wasn’t them.

              Also, Shamus – wouldn’t it be EASIER to hack from within the building? I mean, if you can get around a firewall and get direct access to it *Not from programming VPN access*, then couldn’t you have access to EVERYTHING the code internally runs? No amount of SQL-injection protection can save you when you can bypass that protection entirely.

              Also, Shadow Broker-esque way then – someone within the company decided to defect and capture the data and sell it. Doesn’t sound impossible, improbable, perhaps.

              Also, if it was the hacked PS3’s just being able to pirate content, trust me, they wouldn’t have dropped this bomb of an update. This would’ve just been REALLY bad PR. Yes, worse than Sony could ever be.

              • ZekeCool says:

                The big A has come out and said that, and I quote, “For once, it wasn’t us.” Which is even scarier to me to be perfectly honest. Sure they’re the terrible douches of internet society, but they’re mostly harmless. This is someone new.

                • BenD says:

                  Most likely, it is a hacking organization that saw A’s claim in first quarter that PSN was hackable and said, ‘well, those guys know what they’re doing… let’s go find out.’

              • Shamus says:

                By “within the network” I meant “someone hooked up, at home, like a normal user, connected to PSN”. There should be all sorts of safeguards to prevent those people from getting anything remotely important.

                • Kyte says:

                  Actually, the speculation points that it was something pretty much like that.
                  Here’s the info.
                  Basically, there’s a custom firmware that gives pseudo-dev status to a console. From there, they can access the dev network, from where some jiggering gets you the main network. Credit card checks weren’t done through there, either, so it was basically infinite free games. The, I suppose, someone figured out how to access everything else.

                • Zak McKracken says:

                  @ Kyte:
                  I’m pretty sure that link is not going where it should be going. Or the info is hidden somewhere in a Japanese manga …

              • Supah_Ewok says:

                Supposedly Anonymous isn’t a very centralized organization. It’s like a big conglomerate of hackers. Just because the organization isn’t claiming credit for this, doesn’t mean that hackers that are part of Anon or are a group within Anon aren’t acting themselves in a way that they think furthers Anon’s goals.

                However, Anon’s stated goal is “sticking it to the man.” What personal information they have gained for their own use has been used as harassment, not for stealing identities. If Anon EVER admitted to this sort of activity, all of a sudden, they’ll quit being looked upon as online vigilantes for “real” justice and will be viewed as criminals and thugs. (Which, to me, they are anyways, but that’s besides the point)

                Anyways, my point is that it is overwhelmingly likely that the whole of Anon would not have condoned this, as it is against their mission and it goes against their word that they wouldn’t mess with PSN. However, that doesn’t exclude the possibility that someone within Anon is indeed behind this. It’s also just as likely that an organized crime group saw the possibilities in Anon’s earlier “protests” and figured out how to do this themselves.

          • Deadpool says:

            Actually, interestingly enough, it doesn’t look that way.

            They DID attack PSN originally, then shortly afterwards stopped to try and come up with a way that “wouldn’t affect users.”

            THEN this new situation happened, and they actually came out and said they had nothing to do with it.

            Normally I’d say never trust criminals, but these guys LOVE taking credit for things… Although the timing is kinda close.

            April 5th: http://www.joystiq.com/2011/04/05/hacker-group-anonymous-attacks-sony-and-psn/

            April 7th: http://www.joystiq.com/2011/04/07/anonymous-suspends-psn-attack/

            April 22nd: http://www.escapistmagazine.com/news/view/109475-Anonymous-on-PSN-Outage-For-Once-We-Didnt-Do-It

          • Zukhramm says:

            Multiple comments about Anonymous above so I’ll reply here. Anonymous doesn’t really exist as a group at all. Because of that, one Anonymous claiming Anonymous did not do it means nothing since someone else could do it as Anonymous without anyone knowing.

            • Fat Tony says:

              But the collective (known as) Anonymous do indeed say when or where they do something it’s quite possible IT’S A ROGUE CELL!
              but seriously it could be one or a few from Anon or from the collective known as Anonymos but not acting for the collective.

              • Zukhramm says:

                The collective hasn’t said anything because there is no collective. The ones saying they didn’t do it might as well be a rogue cell, acutally, with Anonymous every single person is a rogue cell.

        • Nathon says:

          Meta-question: Am I in the moderation queue because I’ve been posting too much, or because I posted a reply to something you said?

          • Shamus says:

            The word “anonymous” set it off. It’s a common name for troublemakers engaging in thread necromancy to post unwanted crap.

            • Michael says:

              Not to go hopelessly off topic, but you’ve once again spurned the use of “ne’er-do-wells”, perhaps one of the best words in the english language, besides defenestrate.

              Also, you’re starting to sound like an old man.

              “…troublemakers engaging in thread necromancy…”

              The only thing you’re missing is “GET OFF MY LAWN-TERNETS, YOU RASCALS!”

        • voxcogitatio says:

          Unfortunately, they are not simplifying. The PSN developer network is apparently not separate from the regular one, and by just spoofing some credentials that are kept client-side(!) you get extra privileges on that network..
          Source.

          • Peter H. Coffin says:

            This source more or less conflicts with the published Sony advice and announcements about what happened/is happening/might happen. Essentially, the reddit source cited say “some people hacked the dev network and were buying content with credit card numbers that didn’t exist”. Okay, that’s a problem. Is it a “shut down the whole network” level of problem? Probably not. They bump the version required of the dev firmware, that locks out all the dev consoles instantly, and there’s a grumble in the dev community about it.

            However, that doesn’t match what’s happened so far. We’ve got the whole network down and Sony calling it an “intrusion”. We’ve got user credentials being reported by Sony as being at risk. We have advice from Sony to watch credit reports, but (as yet) only hearsay discussions of Sony offering to pay for it. There’s two different PSN accounts in this household, and I’ve talked to probably a dozen other people with PSN accounts since the news broke. NONE of them have gotten an email from Sony detailing a risk or offering to fund monitoring. (Maybe someone has, but if you haven’t seen the email in question, being skeptical is probably a good idea. A friend knowing of some dude who got one? Nope.) We have 5-day delay between the network being shut off and results of triage, so there’s time for some pretty heavy risk analysis and examination of what could have been breached and how likely it was.

            Complete Speculation Area: Based on all the sources of information and a presumption that Sony actually hired people that kinda knew what they were doing, as opposed to chimpanzees, and that the potential intruders are technically savvy enough to do know their way around webservers, database connections, rootkits etc., but aren’t patient enough to wait for months or years to make stuff happen, here’s what I think really went down.

            Someone got access to PSN’s web-facing machines. Mechanism unknown. Doesn’t really matter that much. Webfacing machines have trivial access to databases containing email addresses, hashed passwords, user display names. The kind of stuff you expect to see on a web page or client app based on session information only. Sony’s stated as much here. Some stuff, such as purchase history, security questions and answers, and the requests to make/gift purchases or update a credit card, go through a transaction processing system (hereafter, the “financials system”) that’s not directly accessible from the net-facing servers. Credentials for connecting to that system were available on the net-facing servers, but probably pretty limited as to what they can do on that system on behalf of users via the net-facing servers. That is, there’s probably a database “API” for setting credit card info for one user at a time, an API for assembling an order, an API for committing an order,an API for fetching last-four/exp date credit card info for one user, an API for fetching purchase history for one user, etc. That kind of thing doesn’t happen as much and it’s higher-risk stuff, so putting it elsewhere than on the net-facing servers is pretty much a no-brainer. The use of the APIs means that access to the financials data access is supposed to be limited. There there ARE APIs to get out full credit card details in order to process payments, but those are supposed to be only accessible to the payment processing processes running off of lists of orders, but those are protected by different credentials which are not stored on the net-facing servers, and the entire financials machine is firewalled off from the net-facing servers except for that little API porthole. However, it’s not inconceivable that several things might not be as robust as assumed and whomever got in might have had inside information somehow, such as the order-processor credentials, so maybe the credit card info was readable, in an inconvenient way, and the intruder might have had the time and ability to write an extractor program to chew through a list users and ask for credit card details one by one, but (speculation) nothing was logged like that.

            Now, given that kind of a setup, an intruder gets in, pillages a bunch of account IDs, email addresses, hashed passwords, etc. That gets us to the rainbow-table and brute-forcing risk that makes individual passwords vulnerable. If you overlap IDs/email addresses/real names and passwords, then yeah, it’s time to change your passwords. Not only on PSN, but everyplace you used that password. Go find yourself a nice password vault program and use it to store a different password for every system. (That old yarn about “never write down a password”? It’s done. Obsolete. Write down every password in your password vault thingy, except the password to your vault thingy. Trade those and only those passwords with your parent, partner, kid, attorney, whomever might need access to your accounts if you’re dead or in a coma, and no one else.) Theoretically, the API thing might have allowed the intruder to mass-extract information from financials system with the net-facing credentials. That’s where the purchase history comes in, and the part about the security questions. Those questions tend to be of a sort where they’re not very unique and some of them may overlap with the kind of information the credit reporting agencies use to sort out which Jane Doe is which. That gets us to the advice to watch your own history for credit probes, both into getting reports and for lending inquiries under your name. However, there (speculation again) no logs on the financials indicating unusual levels of inquires for those questions, so probably it didn’t happen.

            So, intruder in system could download the database/file for the trivial user info. That’s a risk that we might as well assume is compromised. Low-hanging fruit. Intruder probably sees enough code lying around to be able to work out how to forge up an order or simply rainbow-tables/brute-forces some passwords and goes on a shopping spree on PSN. A whole bunch of people get receipts for things they didn’t buy and complain to Sony. Sony looks at the rate the complaints are coming in and says “This isn’t just a couple of jackass neighbors over and sneaking buys while the owner’s in the bathroom and the usual dependent kids buy stuff on Mom’s account. This is too many.” The only obvious way to stop it is to wall off ALL the net-facing servers. Then they call in experts to help analyze what could have been reached from there and what couldn’t.

            End massive speculation area

            Now, there’s clearly some ass-covering happening from Sony, and some handwaving in the communication coming from them. But they are a huge company with lots of lawyers looking over the communications, so they’re going to be very careful about what they saw, err on the side of caution, and presume it’s better to warn people about stuff that might happen than hope that it didn’t. They’re also going to know that most of their users might be able to drive browsers and log into websites, but they won’t know a password hash from corned beef hash, so they’re not going to bother nerding up their communications more than necessary to accurately state what happened. Hence we get things like “may have accessed passwords” when it’s more likely that “people that have dictionary words or really unlucky passwords might have their plain-text exposed if the intruder runs it through a brute-force against a cracklib dict or rainbow table” is probably more likely to be the case.

            • Irridium says:

              About the email… all they do(for US members at least) is point you in the direction of 3 credit bureaus. Not sure who said they would pay for anything that might have been bought from a users account, but that is not the case.

              • Mari says:

                Thank you. I was irritated at that but decided to scan the existing comments before posting an irate tirade about how hopelessly un-savvy Americans are about personal finance.

                Sony’s financial liability for identity theft stemming from a breach in their system: $0.
                YOUR financial liability for identity theft stemming from a breach in Sony’s system: $0.

                If Dell hadn’t called Patrick to check out the order it would have gone through and been charged to his card. When he got his statement he would have called the card company declaring that he bought no such thing. Eventually after many protestations, he would have been transferred to the fraud/identity theft department where they would have directed him to file a police report and have an affidavit notarized declaring that he didn’t make the disputed purchases and have both items forwarded to the card issuing bank. They would credit his card the disputed amount (actually this is USUALLY but not always done in the first 10 days of the dispute) and be forced to pursue the money owed them through legal channels.

                Basically, at that point the odds are bad that the cops are going to announce that they’ve caught the person responsible unless Patrick was able to name that person at the time he filed the police report (80% of identity theft is committed by someone the victim KNOWS) so the company has to eat the loss and they eventually pass it along in the form of enterprising new fees when they’ve had their bellies full.

                The same goes for damage to the credit score itself. You pursue this process with each named creditor and after you have filed all your police reports and affidavits, if it’s still not removed from the credit record you write directly to Experian, Equifax, or TransUnion with copies of the same documents and they remove it. Money never changes hands. The only thing you’re out is some postage, a lot of time, and a lot of stress (not least because most credit card companies will come just shy of calling you a liar when you claim identity theft and you have to fight them every step of the way to finish the legal process.)

                • Jonathan says:

                  I had a minor identity theft issue back in October, and Discover was very easy to work with. They had my card suspended and a new one on order within 10 minutes.

                • Winter says:

                  Actually this is only mostly true. It’s true insofar as it goes, but my understanding is that it only applies to credit cards. With a debit card, you can still refuse to pay and then the bank eats the cash hit, but your credit score (or whatever) can be affected (unlike with credit cards).

                  See more here, and elsewhere.

                  This is why i have two cards: a bank card, which i use for everyday stuff; and an actual credit card, which i use for online stuff as well as “bigger” purchases. Credit cards are an incredible pain in the neck in terms of actually managing it and not paying 3000% interest rates and fees and stuff, but there are some actual benefits.

                • Deadpool says:

                  Yeah, the run around you get from credit cards companies IS annoying as hell, but in the end they’ll invariably return your money.

                  I had a minor run in with that a while back. Someone took a card of mine to play Ashron’s Call (okay, maybe more than a while). After getting the run around on the phone for half an hour, they remove the charge.

                  Interesting tid bit, the game company (whomsoever runs Ashron’s Call) actually PROTECTS THE INDENTITY THIEF. I didn’t think the information would be real, but when I asked them for the name on the account (the account that I PROVED I was paying for), they refused to give it to me!

                  BUT, following month, they reinstate the charge. They send me two letters (one for each charge, they charged two months worth in one statement. No idea why), one of them had Ashron’s Call’s ToS, with highlighting on the part that says I can’t claim fraud after 3 months (and the non highlighted part that says I don’t have to pay the first month, plus the whole statement comes several weeks after the charge, one must wonder WHEN I could claim fraud) and the other had the name and address on the account, WHICH WEREN’T mine. Both letters read something along the lines of “because of the enclosed information, we are denying your claim of fraud”.

                  Another phone call, and some run around later, the problem was solved. Still damned annoying.

                • Mari says:

                  It’s actually even more complicated than that, Winter. If the unauthorized transactions involve only the NUMBER not an actual lost or stolen card (ie electronic transactions vs. “swipe” transactions) then your liability is different. In the case of something like the compromise of PSN where only the number, not the physical card, is involved in the fraud you would only be responsible for “transfers that occur after 60 days following the mailing of your bank statement containing the unauthorized use and before you report the loss” according to the FTC.

        • Reid says:

          http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator_over_at_psxscenecom_the_real/

          It looks like PSN was compromised from hacked PS3’s pretending to be devs.

    • Michael says:

      Same here. As soon as I read it I started contacting my friends with PSN accounts.

      Thanks for the update Shamus.

  2. Nathon says:

    This is a good demonstration of the fact that it doesn’t matter who you are; your network is vulnerable. We’ve seen it already with Google and RSA being broken into, but this is going to really highlight the vulnerability of large networks. The way to avoid intrusions is apparently to:

    1) Don’t piss off the wrong people.
    2) Have a better bike lock than the other guy.
    3) Don’t have anything of value.

    This is not a good situation and it’s not going to get better fast. I work on boxes that prevent this sort of thing from happening, but there are certain things (like spear phishing) for which you can’t build an automated defense.

    • DanMan says:

      When I was running a tech support company in college, a guy called me saying he was having problems getting connected to the internet in his apartment.

      After about an hour fiddling with settings (This is when Vista was brand new and inventing new ways to suck), I found that he had an anti-virus software that, but default, blocked ALL TCP/IP connections. Could have unplugged the ethernet cable from the wall and saved the guy the time of installing the software.

      The software litterally said “you are invisible to hackers.” Only way to be completely safe from hackers is not to use the internet at all

      Don’t use the internet for anything = Best. Security. Ever.

      • Nathon says:

        Maybe you’re too young to remember it, but there were widespread computer virii before there was widespread Internet usage. Back in the days of the floppy disk, I remember an outbreak in an office causing a lot of damage.

        There’s still stuff like Stuxnet, which spread via USB key. The only truly secure computer is unplugged.

        • Lalaland says:

          Reminds of a particularly nasty one I got that corrupted random bytes while installing stuff from floppy disks in the early 90s. I only worked this out after a dozen or more attempts to install the 12 disc ‘Discworld’ adventure game. It did eventually install but the random corruption meant the sound didn’t work and some puzzles were broken. It took me several months to cop that I had a virus and then I had to find a magazine with a cover mounted virus scanner (remember those?).

        • Falcon says:

          Here some defining of terms could be useful. What you are talking about is a virus that affects the computer by, essentially, breaking it. Sure it sucks, it’s a pain to fix, but relatively harmless. For a non-internet computer this is their only real threat. It’s something that exists for the lulz and not much more.

          Modern viruses are a much different, and far more complex beast. Sure there are your script kiddies designing virii to break computers because they’re jerks. What the real danger is are malware that phone hone with your data. These are professional hackers/ thieves. Calling both flavors of intrusion viruses is really confusing the issue. They aren’t even close.

        • Uristqwerty says:

          In my opinion, you can’t even be sure you are safe when using a USB drive that you overwrote completely using a hex editor from a Linux boot disc. If the disc or the BIOS or the USB drive itself had a virus, it could easily make it only appear that you were editing the whole drive, and keep a few (infected) sectors hidden, ready to infect the next computer you use it on.

          Can you even trust the hardware? Someone could have inserted a rootkit into the design for your HD, allowing certain aspects of the OS to be silently altered, disabling critical security features after the 37th boot, and adding code that would announce the computer to a remote site.

          The only way to be safe is to design and build your computer from the ground up, no trusting *anything* made by someone else or on someone else’s equipment (no, you cannot trust the IC manufacturer, their factory may have been compromised in a way that subtly alters your design before creating it), and even then you cannot assume that your system is invulnerable to all attacks the instant you plug it into the internet.

          Thankfully, you don’t need a complete guarentee that your system is safe, just that it’s significantly safer than that guy over there, who will hopefully be targeted first.

          • Miral says:

            I know I’m late to the party, but this reminded me of that story of the guy who was porting UNIX to a new type of machine, and decided to include a backdoor in the login program. But since everything was open-source, what he actually did was to put a special routine into the C compiler which would automatically insert the backdoor when compiling the login program, *and* automatically insert the backdoor-creator when recompiling itself. It went unnoticed for quite a long time.

        • Scott (Duneyrr) says:

          Man, I remember getting monkey.b back in the early ’90s. Man, that one was a pain to get rid of… at least is was a pain for an 8 year old me!

        • Mari says:

          Well thank you very much for bringing back all the trauma and angst of losing my favorite (pirated) aquarium screen saver (for MS DOS!!!) to the Monkey virus thanks to an infected disk I snagged from a friend who was toying with how to make something more virulent than Monkey.

        • Winter says:

          USB drive is the new best attack vector. If you’re trying to hit a corporate target, especially, it is very effective because often those will have externally facing firewalls that also act as antivirus… but… as soon as you breach it, the entire internal network is one big soft, vulnerable underbelly.

          (Ask me how i know…)

          • scowdich says:

            It’s actually a fairly common method in penetration-testing circles. The tester will leave a handful of thumb drives around the building – ashtrays, sidewalks, vestibules, whatever. Someone gets curious, plugs in the flash drive, boom, company’s infected without any internet penetration.

      • David says:

        My favorite quote from the book Daemon is the one by the cryptographer Robert Morris, “The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.”

  3. Lalaland says:

    Yeah I’ve been stung by this too. I’m very angry as the presumed failure to hash passwords is just inexplicable to me. I was taught not to do that on a Red Hat course 8 years ago and yet the administrators/designers of the PSN didn’t know this?
    I can almost here the cries of ‘use more username/password combos’ but there are years of research available to anyone willing to look that forcing users to remember more than a handful of these combos is just asking for trouble. If as a designer you decide ‘sod human nature, they will conform to my system’ then you’ve just failed Human Factors 101.

    Soooo angry right now, I’ve even gone and complained to our Data Protection Commissioner here in Ireland in the hope of getting fuller answers out of Sony

    • Alexander The 1st says:

      So…when the passwords are hashed…would having the hashed passwords still count as retrieving password information? No one’s published the information yet as far as I can tell, so it’s likely that they could’ve just gotten the secured passwords, and are alerting the public because hashes CAN BE HACKED, given enough time.

      At least they can be honest about it, instead of “Sure, you credit card number was retrieved from our database, BUT IT WAS HASHED! DON’T WORRY! THEY’LL NEVER CRACK IT! Move along!”

      • Lalaland says:

        You are correct even hashed passwords are vulnerable for example using precomputed hashes for common passwords, called rainbow tables) you can compare and discover weak passwords that way but rarely more complex passwords. Further up the page ‘Phill’ and ‘Nathon’ discusses techniques for further obfuscating your hashed passwords by using ‘salted’ hashes (Wikipedia) and there are other techniques too.

        I take your point that they may be acting out of an abundance of caution but there’s been no attempt to clarify that the passwords were hashed, encrypted or otherwise secured so I remain doubtful they did anything at all.

        • Alexander The 1st says:

          How would you clarify it in a way that still informs people that they need to act?

          “User information has been compromised, but we suspect you won’t feel any effects while said hackers decrypt the salted passwords.”?

          Keep in mind, they shut it down 6-7 days ago, right? They don’t know how strong decryption tactics the hackers have, nor how long they’ve had – if, as Peter H. Coffin mentioned, they noticed un-authorised payments via the accounts, and THEN they disable the service – they just don’t know at this point. I imagine they aren’t even sure how long it has been since the hack happened – they just know that it did. It could have been a year ago, and the hacker only just cracked enough passwords to be able to use them, and it got flagged just now.

          Though hopefully they do a forced password reset…wait. The hacker’s might have the e-mail password as it is, so you can’t send it there. Security Question? They likely have the real names, and a check on Facebook beats that. Captcha? They stopped working. Oops. It’s honestly starting to sound like you’ll have to bring the device into an authorised Sony dealer (Or, like Future Shop, for example), to verify your account has been created and noted on that specific Sony product…oh wait. You’d need photo ID or something to verify your account.

  4. DanMan says:

    Well it depends on how exactly PSN stores passwords as to if that has really been leaked. If you’re doing it right, passwords stored in databases should not be human-readable. Unless they also got the decrypt key, the hackers shouldn’t have passwords as well.

    Not saying it didn’t happen, just saying a network leak doesn’t necessarily mean a password leak

    • Nathon says:

      Passwords should be stored in databases as hashes. Unfortunately, a password hash isn’t unbreakable. Rainbow tables and brute force methods combine to make it pretty easy to crack most (particularly bad) passwords in a reasonable amount of time. Furthermore, they stored names, addresses, and credit card data. Who needs your password when they can have your credit card number?

      • Phill says:

        Passwords should be stored in tables of salted hashes, which are all but immune to rainbow attacks. Throw in a long (say 128 char) salt randomly generated for each user, and even if the hacker does get the password file, there is precious little they can do with it (disclaimers as always apply that with enough time and effort, you can probably break any system).

        How to beat rainbow attacks is one of those things that has been known since the 70s, when slated hashing was first appearing. But people do insist on re-inventing the wheel, and making the same mistakes all over again precisely because those mistakes are really not obvious until your system has been broken.

        You’d *hope* that Sony would have the sense to stor credit card and password information securely enough that the hacker accessing the files wouldn’t actually pose much threat. And my guess is that they do, but since the files have been accessed, they have to at least warn people that the information is potentially compromised, even if in practive it might be effectively safe. But I say this without knowing what PSN actually did to protect information internally.

        • Nathon says:

          That’s mostly true about salted hashes, and it would prevent everyone who used “password” from being outed immediately, but the salts have to be in the database and brute-forcing passwords is not all that hard. Here is a good breakdown.

          • Phill says:

            Yeah, the salt it stored along with the hashed password, and if you are only after one particular account it doesn’t help much, but it does mean that you have to brute force each password in turn, as opposed to one brute force attack giving you every password for an unsalted hash.

            If you stick to 8 character minimum password that include non-alphanumeric characters (which I do for anything remotely important) and add a 4 byte salt to that, then it is still 80+ days to break each account in a class F attack (per Nathan’s link) – that is secure enough in practical terms. Realistically, you would still break a high percentage of password just using a dictionary salt-hash attack if you had access to the salt, and call that a good enough return on investment and not bother with the harder passwords…

            • Alexander The 1st says:

              “If you stick to 8 character minimum password that include non-alphanumeric characters”

              Password is “1PasswordO.”*

              I even added more security there than required – the period and the cap P and O, this must be SUPER SECURE.

              *Not my password. Just saying.

              Also, even if it took 80+ days to break, you still broke the password. If it hasn’t changed – or hasn’t changed much (The above additional password would be “2PasswordI.”, for example – don’t tell me you don’t know people who would do this.), that’s still hackable.

    • Volatar says:

      They screwed up. The passwords are human readable.

      Change your passwords.

    • Shamus says:

      It’s true, and I hope you’re right. But they’re saying “all your account info” was stolen. Along with credit cards. I am almost prepared to believe they stored the passwords in plaintext.

      • Ringwraith says:

        They did indeed store the credit card info in plaintext.

        Yes, they are that stupid.

        • Patrick the Unwashed says:

          I am appalled. Being hacked or sold-out by a disgruntled employee can happen to ANYONE, and I would be willing to overlook a one-time occurance.

          This is just laziness….pure and simple…

        • BenD says:

          That is probably illegal, at least for accounts that haven’t been used within a certain period of time.

          • Winter says:

            It is a violation of US federal law to store credit card info without encryption, so yeah. They had better have done so or they will probably be facing some pretty serious lawsuits.

        • It’s even worse. They transmit your credit card information as plaintext as well, if this is to be believed.

          The worst part is that article is over a month old, and obviously no one from Sony made any effort to correct that deficiency, hence everything being stored as plaintext and leeched one time.

        • Zukhramm says:

          Why? Why? Why? Why? Why?

          Sorry but seriously, why? I just see no reason to this. Is this something all companies do or is it justk Sony messing up? I mean, does Valve have my card number stored up somewhere? Because I do not see why it’s needed at any other time then right as they are requesting the money from my bank.

          After that it should be deleted, at least twice.

          • krellen says:

            For a brief time at my work, we had a database where we stored CC#s in plain text. But we realised what a horrible idea this was, and took the database down while we re-worked it.

  5. Bubble181 says:

    A billion dollar *problem*. I’m not convinced there’s been a really big mistake on the part of Sony (cad PR and stuff is another issue – I mean technically, the whole getting-hacked-and-stuff-stolen).
    I mean, yes, of course, in hindsight, their security should’ve been stronger. They should’ve had better back-up systems in place. They should’ve (etc.).

    But how much of this is Sony’s fault, and how much of it is bad luck? Could they’ve done the exact same thing with Games for Windows Live, or Steam, or the Xbox Arcade?

    Hackers/crackers/scipt kiddies have been hacking supposedly impregnable servers and networks since the dawn of the internet. How often have people succeeded in breaking some government network? Putting fake messages on the Pentagon site?

    This reinforces the need for good and up-to-date security, both on the side of the server, and on the part of the end user. Doesn’t mean much else, I think. Had it been the MSN servers, everybody’d say “just typically Microsoft”.

    • Erik says:

      Their biggest mistake is that they (apparently) store passwords as plain text. It’s very easy and therefor inexcusable not to encrypt passwords. Yes, they can still be decrypted given enough time, but only one at a time.

      • Bubble181 says:

        Well, yes, if they did that, there’s an utter moron working somewhere within the PSN administration. Most probably some management committee somewhere decided that it wasn’t necessary to use safety precaution X because they were already using safety precaution Y, even though the two were unrelated….I can just imagine the meeting now.

        No matter ho it came about, if they did store the passwords in plain text or easily decryptable, that IS an enormous, glaring error.

        • Klay F. says:

          Plus, the fact that this was done apparently right under Sony’s nose, with them reacting literally like a Slowbro. It took them THIS long to figure out private data might have been stolen. Hackers usually leave a trail, at least if it was an external attack.

          Sony reaction to this mess is really all the evidence I need to know that their security was almost criminally subpar.

    • Patrick the Unwashed says:

      Doesn’t really matter whether it’s bad luck or incompetence, PSN is liable. In the same way a homeowner is liable for injuries that occur on his property even if it was a freak accident that couldn’t have been avoidable. Sony could have had the most cryptic, unbreakable and locked-down security possible and if an escape of information occured they would STILL be liable. And if it was an inside job, which it probably was at some level, then NO AMOUNT of security would have sufficed.
      Contents of any object/building/database has a lock.
      Every lock has a key.
      Every key is capable of being stolen.
      So the contents are only as secure as the key.

    • ehlijen says:

      It was a mistake in that they grossly underestimated the threat and still decided to get that many people to put all their valuable info into the one place.

      The very fact that hackers have been doing this since the dawn of the internet should have been a clear sign that maybe building such a network wasn’t that great an idea to begin with. Sure, it’s convenient, but convenience has always been the number one enemy of security.

      It’s like building a wooden bank vault next to a free dynamite stand and putting the entire town’s savings in it. You can use oak and make the walls as thick as you want, you still have strangers with dynamite just a few meters to the left.

  6. kodra says:

    So what is the right answer to this?

    Do companies running these digital distros need to go to trusted third parties like paypal for financial transactions? Or does the onus get put on the financial organizations (banks, credit cards) to provide secure tools a distro to use so they don’t hold on to CC info.

    And what is the right answer to shared PWs? Are we going to start seeing better online identity management tools on the internet to prevent this from happening?

    It seems to me that there is a short term market for Security as a Service models, but that demand will go away the moment this hack is out of people’s mind. Unless the content providers start pushing SECaaS models onto their users, I think the status quo will remain.

    • Bubble181 says:

      “trusted third parties” aren’t invulnerable either…

      Anyway, if I want to buy something from Steam or GoG, I go to their site, click buy….Get taken to a PayPall site, log in there, click OK…..Get taken to a site of my bank, which asks me to put my credit card in an off line reader and type in a bunch of numbers and my PIN, and give back another string of numbers, to finalize the transaction. It’s bloody annoying and cumbersome. I don’t see how adding more layers is going to make it any safer. If they can hack my bank, they can take my money no matter what. If they hack Steam (or GOG, or amazon,…), they’ve got pretty much nothing interesting. If they hack PayPall, they have my credit card number and such, but they *shouldn’t* be able to make big withdrawals off of them.

      • Nathon says:

        It’s true; just look what happened to Comodo.

      • kodra says:

        Valve isn’t a security company. Whoever should be handling the financial transactions SHOULD be a security company, with a very security minded infrastructure.

        Personally I’d like to see a company with a business model that manages your online accounts/financial transactions from a single point, but requires you to use two factor authentication and has a company infrastructure so tightly locked down it takes executive approval to make any non-breakfix changes to infrastructure.

    • Sumanai says:

      Some online stores (or rather, some online payment methods) send me off to my bank’s site for confirmation. This means in my case inputting my client number (not the correct name for it, but it’s secret, only used on the bank’s website and the bank account number is separate) and a one-time password. Even with a keylogger it should only grab my client number and a, now useless, password.

      Unfortunately, most places don’t use the system, so I’m forced to use my debit card like a credit card (enabled a setting that it can be used without a confirmation trip to the bank’s website).
      Luckily it’s my secondary bank account, so I can’t lose all of my money and it doesn’t have any credit so I can’t (or shouldn’t be able to) go in debt.

    • Patrick the Unwashed says:

      I dont know if there is a RIGHT answer. My arguement all along is that you should stick with what you know, and deviation from a companies comfort zone is problematic. Costs can be cut and profits can be made by eliminating middleman or assuming the role of a third party support vendor ( which is what Sony did, rather than trust security to a third party who specializes in network security) may seem like a great cost cutting move, but only if worst-case scenarios are accurately laid out with probablility for that occuring.

      Sure McDonalds could start making pizza in an effort to a greater market share ( and I’m sure they have looked into it) but we can all admit that would be a colossal failure.
      Time warner thought it was a great idea getting into the internizzle industry when it bought AOL.
      Mercedes thought it was a great idea buying an american car company when it bought Chrysler.
      Ford thought it was capable of designing a car with its own engineers, rather than using a marketing firm. It came up with the Edsel.
      Sometimes YOU NEED THE MIDDLEMAN.
      This is why Ebay uses Paypal, a seperate entity who specializes in monetary transactions. If for no toher reason than SEPERATION OF LIABILITY.
      eh…what do i know…

      • Jeff #3 says:

        Regarding McPizza: They did and it was.

        • Patrick the Unwashed says:

          Seriously?!?! WTF….

          • SolkaTruesilver says:

            I am one of the few people who actually liked their pizza…

            But it was in the early/mid-90s..

          • SiliconScout says:

            Yeah but it wasn’t that bad.

            $10 for 2 large peperoni pizzas, they weren’t the best but they weren’t as bad as $5 each should have made them.

            I missed them when they took it away.

          • False Prophet says:

            It’s true. Some people really liked it but it was slow to make compared to the rest of the menu and the general public just didn’t accept McDonald’s as a pizza joint.

            On the other hand, their latest attempt to grab a piece of the coffee market here in Canada has resulted in some pretty good coffee.

  7. Almoturg says:

    One aspect of this that I haven’t seen mentioned is the fact that it should be impossible for the account passwords to be stolen if Sony handled this correctly. You should only store hashes of passwords never the cleartext. Of course that wouldn’t have prevented credit card information from being stolen.

    • DanMan says:

      Well credit card numbers are required to be stored encrypted. I worked on a project a few years ago where we would store credit card numbers and I was told it is a US Federal law that the actual numbers are stored in at minimum 256-bit encryption.

      Could have just been my boss BSing me, but we stored them encrypted. Doesn’t mean they were well encrypted or that they encryption key wasn’t also stolen.

      The problem with encryption is that the legit system needs to be able to unecrypt the data. That key is stored in really stupid places sometimes.

  8. HerrSunk says:

    To spare everyone else I have to say the following to get it out of the system for the silly dimduggers that seems to live to “argue” the Console vs PC… thing;

    Lul Console n00b haxxed – buy PC Iz Betterest!

    I feel less of a man for saying that, sorry. And it needn’t be said here, to be honest. But… you just know the humpernickles are using this event to fuel even more pointless bickering – drawing away from the massive repercussions this event will have. Wonder if Sony can salvage this AND save face in any possible way.

    Free top hat for every settled lawsuit?

    • StranaMente says:

      I know why you said that, and I hope you’ll understand why I have to say:
      Steam haz all of your passwordz!

      Infact, if, or when, steam will have a similar problem many people will go reeeaaal crazy (me included).

  9. Irridium says:

    This is why I have 5 set passwords that I remember. That being said, I’m still going to have to change some passwords…

    Damn shame this happened. Thankfully I don’t use credit cards, but I’m pretty sure my step dad has his credit card info on there. Needless to say, he’s pretty pissed about this.

    • Mari says:

      I wish I only had to remember 5. My bank alone (paranoid small-town entity that it is) requires me to change passwords monthly and no password can be reused in a 12-month period. Each password for them has to be a minimum of 8 characters and must include a lower case letter, an upper case letter, a number, and a special character and it can not match any word in their “dictionary” software. I can’t tell you how often I’ve had to call or e-mail the bank’s tech support because I’ve gotten locked out of my account because I forgot what I changed the password to last week. In the end, I’ve taken to actually writing it down. Yep, I violate the basic #1 rule of password security just trying to circumvent their password security.

      Want to hear the even better part? Not only is a log-in name and the ridiculous password required to log into that account, you must also do a certificate exchange every time you log in PLUS an image identification captcha (picture of an animal and you have to type the animal into the box). All for a bank account with a debit card that has a $150 daily spending limit on it and a requirement that all electronic transactions be pre-approved in writing before they occur.

      • krellen says:

        My bank’s most recent security overhaul included changing all their client’s usernames and default passwords to be their SSNs. When I called them on this, they claimed the SSN was not “Wallet Info”, so it was okay.

      • Zak McKracken says:

        I guess someone believes that inconvienience for the customer is directly proportional to level of security …
        The good news: Writing down paswords is ok, as long as the place where it’s written down is safe (like, protected by a stronger password). Also there are nice methods for generating new passwords in your head. You memorize one horribly complex password and think about some non-obvious way to modify it, according to the current month -> voila, a new password for every month of the year. Then work in the name of the forum/store/wherever you’re using the password, also in a non-obvious way (not just append it, for example, maybe not use the name directly but something connected to it), and you have a really strong password for every occasion.
        My bank gave me a key generator that fits in a pocket. For checking my account, I just need username and password, for money transfers I need to type in the account number the money goes to, and it gives me a hash that’s valid for 30 seconds or so, only for transfers to the account I entered. Pretty unabuseable (at least until someone cracks the hash and manages to generate their own, or steals the device).

        • Mari says:

          I’m not sure how I would make it work for my bank but the “single rule” thing appeals. Unfortunately using the same 3 characters in a row constitutes “the same password” according to the bank. So, for instance, if my password this month is Ebz22$st then no password for the next year can contain any three of those characters in that order again. So no Ebz33$st or anything of the sort.

          It’s all ridiculous but there’re literally 2 banks in a 60 mile radius of our home, both of them are small-town single-branch institutions. One doesn’t yet offer online banking. The other started offering it in 2010. The bank presidents are both in their 80s and fear this new-fangled technology stuff (including fire, I sometimes think). On the bright side, they’re both willing to do what no CitiMegaBOACorp would dare to do: make agriculture notes. None of that fancy mortgage or car loan stuff, but you can walk into the bank in February and say, “I’ve got 2000 acres lined up this year. Here’s how I plan to farm them. Here’s how much that’ll cost. Here’s how much I expect to make in January from the sales of the crops.” and the bank will loan you the money to farm the land until January. And if the freeze is late and one of your hands quits in the middle of harvest and you can’t sell the crop until February, a 5 minute chat with the bank president nets you an extra month or two to pay it off. I guess life is trade-offs.

      • Bubble181 says:

        Don’t worry. At my job (in security, of all things…*sigh*), we have to change passwords every month. That’s not too bad. We’re forced to use the same password on Windows, Outlook, and our own software, though, which have three different rules about what a password can and can’t be. It’s minimum 8 letters, maximum 10. There has to be at least one capital and one small letter, but special characters aren’t allowed. No letter -in the same spot- can be the same as that of your last 3 passwords (so “snuggleS” in january and “Mcundips” in april is out – both have a u as a third character). No password can be the same as one used in the last 24 months. And they’re checked against a dictionary in 5 languages.

        However, one thing they don’t make impossible is just repeating a letter. This has the great side effect that my passwords in the beginning were quite strong, but now my passwords are, just like those of most of my colleagues, “Aaaaaaaaa” one month, “bBbbbbbbb” the next, “Cccccccc”,….and so on. Great security, that.

        • Alexander The 1st says:

          “And they’re checked against a dictionary in 5 languages.”

          Sounds like a great opportunity to learn some new languages.

          • Bubble181 says:

            Belgium. We’ve got 3 official languages (Dutch, French, German), for my job we all have to be fluent in English, and since the corporation is Swedish, some consultants/external managers are always passing by who speak that. So they check against all five of those. I *have* accidentally chosen Swedish words in the past :-P

            • Alexander The 1st says:

              “Pardon my Swedish”.

              But…wow. I live in Canada, and like…if you didn’t take French Immersion education, it’s pretty much implied you don’t speak French fluently. You can speak it partially, and write it relatively well, if formal (Like Avatar users :p), but can’t stand toe to toe with a native French speaker.

              And we only have to learn two languages; I am impressed by the fact that I know native Cantonese, Mandarin, Philipean, Arabic, and/or Japanese because…I only know key words in Latin, and only because of Chemistry 12.

  10. Rosseloh says:

    I’m like you, Shamus: can’t remember passwords well. Unfortunately, like you, the PSN password was my most secure one, and hell if I’ll be able to come up with another one like it (that’s as easy to remember for me).

    Fortunately I don’t think I ever used my credit card on the network, just logged in.

    • krellen says:

      No one can remember the range of passwords modern society “expects” us to. Two or three is the upper limit for anyone, and even that is pushing it.

      The systems we use at the University where I work require every single user to have at least three – and sometimes up to six – separate login credentials. No one can remember that many different passwords. I suggest to my users that they use similar passwords for as many of those as possible, but there are still a lot of people around here who write their passwords down – and then store those notes at their desk.

      This isn’t their failure. Whomever designed our systems clearly never got training on security, because when you get trained on security (as I have: I’m Security+ certified) you learn that the most important lesson is balancing security and usability, to protect your system from user-based points of failure.

      Honestly, the PSN network sounds like it was designed by another non-trained individual, though in this case they erred too much on the side of usability.

      • Rosseloh says:

        If I can have a minute to get on my soapbox: the part I hate most about the current systems for security on (say) websites, is that I COULD come up with a systematic password scheme that was easy to remember but difficult to guess.

        And yet, I can’t count the number of times that I’ve registered for something and gotten an “invalid character” message when I’m trying to put in a “~” or a “$”. BLIZZARD of all companies prevented me from using the tilde.

        Sorry, only marginally related, but it gets on my nerves.

      • Soylent Dave says:

        the most important lesson is balancing security and usability

        So very true.

        This is why most anti-virus software irritates me; it ends up slowing down or otherwise hobbling the system to the point that I may as well have just infected it with a virus in the first place…

      • Zak McKracken says:

        This is a wise remark. And I have the feeling that lots of recent technological trends would not have gone as they have if people had not sacrificed all for usability. See the Apple iPhone tracking problem, Android doing a similar thing, and what have you. Even the Credit Card system itself is pretty unsecure. Anyone who remembers what’s written on my card has access to my money … is that not completely weird? Using debit cards and bank transfers (at least in Europe) is much more secure, but somehow you can’t really get through without a credit card these days.
        I’m not sure whether there is a general lack of awarenes of privacy/data protection everywhere. Maybe it just looks like that to me since I’ve started reading up on these things … maybe everyone else should also read up a little.

    • some random dood says:

      Who cares if you have to change your password on PSN. The important question is: did you use that password anywhere else (bank account, e-mail,etc.). Apologies for shouting, but – THOSE ARE THE ONES YOU NEED TO CHANGE. Now. Stop reading, and go to those sites and change the passwords. Now. Really. Now! I mean it!

      • Rosseloh says:

        That’s what I’m talking about.

        We can’t even change our PSN password while the network is down. But I used this password on (for example), my LotRO account (just changed it). Fortunately I haven’t used it for any banking.

      • Alexander The 1st says:

        Actually, it was my weakest password.

        Good luck hacker. Have fun on invisionfree and GameFAQs. :p

  11. Annikai says:

    I was oddly lucky when this happened. The only credit card info that PSN had for me was a card that expired this month and when I was going around updating my passwords for everything else online I forgot to update my psn. Hopefully nothing bad happens with some of my linked accounts but I’m not too worried. I just hope that they get this fixed and make sure that it can’t happen again.

    • Chuck says:

      I’m in a similar boat. I never bought anything using PSN, so they don’t have bank account info. Yet. Considering how long ago this took place, some password changes should be sufficient to prevent anything worse. Although not remembering which password I used for PSN, and not having it recorded, is a bit disconcerting for me. Of course I’m always checking my bank info in case I get a worm or something.

      Really glad I didn’t buy Dead Money for New Vegas now :)

  12. Tango says:

    I’ve heard/seen several people comment on the amount of relief and schadenfreude the folks at XBox Live must be feeling over this issue. I have no doubt both are being felt, but I suspect the overwhelming sentiment is: “Could this happen to us? Is our information secure? What else can we do to protect it?”

    • Raygereio says:

      “Is our information secure?”
      The answer to that simple enough: no. The only real thing you can do hope you’re never important enough to have your information stolen, or attempt to make the act of stealing it too bothersome. The latter generally works pretty well.

      Heck even if you the finest security imaginable, there will always be holes in because at the end of the day people work with it.
      True story: a friend of mine works as a security consultant and is called in when companies want to test just how secure their network is. At one company she got access to the entire system and all data it contained without even touching a computer. How? By walking up to a techgeek who worked at the place and bribing him.
      Now you may think you can avoid situations like that by paying your employees enough, but you see that company did that and bribing sir geek with money didn’t work. Bribing him with the promise of my friend showying him her boobs however…

      • Josh R says:

        are there really people that desperate for boobs?

        • Bubble181 says:

          What do you qualify as “that desperate”? Perhaps he didn’t understand the importance of what he gave out, perhaps she asked something relatively-innocent-sounding which she then used to circumvent a bunch of other securities.
          Also, you don’t know how hot she was :-P

        • krellen says:

          I would have held out for more than boobs. Of course, accessing the information on the system I run is more than just corporate secrets – it’s federal law. We’ve got patient information here, so we fall under HIPAA.

        • Shamus says:

          I wrote about that a while back: (About halfway down.)

          http://www.shamusyoung.com/twentysidedtale/?p=1547

      • Bobby Archer says:

        This is known as the “Gaius Baltar” system vulnerability.

      • DirigibleHate says:

        I’ve heard of worse. I know someone who works at that kind of job, he went to the front desk, told them he had to perform maintenance on a server. He got given a guest passkey, went to the server room, unplugged a server, took it out and walked out the front door with it. No questions asked.

        • krellen says:

          The doors on each of our floors are locked here because – before my time – someone once came in and walked off with one of our servers, in broad daylight, because he acted like he belonged there.

        • Klay F. says:

          I know this is wrong, but just the image of someone walking out the front door with an entire server, and nobody notices, just makes me giggle uncontrollably.

          • Mari says:

            And yet it really does happen. One of the employees at the ISP where my husband worked when we met ended up arrested and jailed because he walked out with three of their servers (three separate occasions) which he turned around and sold for enough to fuel his coke habit for a couple of weeks. Basically his strategy was “wait until the boss leaves early then take another server home.” Seriously.

      • Viktor says:

        I prefer XKCD’s method of cracking security(and skulls).
        http://xkcd.com/538/

      • asterismW says:

        It’s well known that the weakest link in security is people. You can’t blackmail a computer, bribe a server, appeal to the basest desires of a domain controller, or smooth talk your way past a logon screen. And yet, humans MUST be able to administer computers, and so there will always be someone with easy access to sensitive information. You don’t need to spend a million years cracking a hash. You just need to figure out how to crack a person.

        • Mari says:

          Too true, too true. Once upon a time a couple of friends and I took over our ISP’s G-com BBS and attached systems including the DNS gateways and the payment server. For anyone who remembers Galacticomm back in the mid-90s knows it wasn’t exactly a major demonstration of prowess. The thing had more holes in it than my mother’s 65 year old colander. The impressive part (for us) was that we managed without exploiting any of the holes. I babysat for the admin and knew his dog’s name which also happened to be the password for admin privileges. After three days he managed to boot us out and changed the password – to his vanity license plate. It took nearly a month before he learned how to use real passwords.

          • Soylent Dave says:

            Along similar lines, I managed to give myself admin-level access at my college by realising that the head of IT wore Snoopy shirts every single day of the week, and that she was probably just as imaginative when it came to passwords.

            She noticed eventually, mostly because I amused myself by farting around with other user accounts when I got bored… but it wasn’t hard to figure out that her next password was small and yellow*.

            *I was free to do it again because I hadn’t been caught in the first place, thanks to being devious enough to give another – non-IT – student admin access, and using his account to do all the naughty stuff. (In my defence I was a teenager, and the worst I did was change passwords into appropriate and rude insults for people who annoyed me. A bit.)

            • Mari says:

              Yeah, that was me, too. We took it all over (as teens) just because we could. We farted around, locked out people we didn’t like, posted taunts to the administration team, and sent a few naughty e-mails in the admin’s name. Despite having access to a couple of hundred unencrypted credit card numbers, none of them were used or saved by us (well, there was another incident about a year later with ONE person who had been in on it with us, but it was a whole separate thing that the other 4 of us had no part in) and we left the DNS gateways running. More than anything back then it was just the sheer joy of doing something “clever” that we shouldn’t. I don’t get the script kiddies today. They’re just mean.

              • Alexander The 1st says:

                Sounds like they’re doing why you did it: Because they can.

                It just so happens that nobody’s impressed anymore that you can change their desktop image.

                “You made HOW much money buy selling private information over the weekend?” <- Much more impressive for script kids.

            • Zukhramm says:

              While never giving myself admin rights I’ve certainly been poking around I places I should not on a school network. That, and while every student had a small storage space on the servers I managed to have them give me some two gigabyte, so I changed the access rights to share it with a couple of friends and put some games on there.

  13. confanity says:

    Just wanted to note that I have a physical notepad where I keep all my accounts, logins, and passwords. The ones that are really important I remember because I use them commonly; the rest are unimportant enough that losing the pad won’t be an earth-shattering event; and the notes are cryptic enough that someone else getting their hands on it won’t make a difference. Et voila, separate passwords for everyone despite the limits of human memory. 8^P

  14. Ghalidrim says:

    Maybe I’m missing it, but I don’t see anywhere in the Sony email that it says they will pay for anything. It doesn’t sound like the Sony I know to actually pay to cover for their mistakes.

    • Patrick the Unwashed says:

      They said they paid for it the minute they admitted fault/error. Anyone who can prove damages in relation to this security breach would be entitled to free bags of money.
      I cant find the article but while employed at another company we had a training video about informaton security. The meat of the video revolved around a retail cashier who threw away the unwanted receipts from customers in a garbage can, the receipts were stolen and used for fraud. one receipt belonged to a woman who was in the midst of buying a house. Her credit was lowered and she lost financing at the last minute. Since she has sold her old home, she was now homeless. She succesfully sued the theif AND the retail company for the cost of living in a hotel for a year, storage for her belongings for a year, the extra cost of gas in commute, and a ridiculous amount of pain and suffering that was later reduced. The thief had no money, the retail chain did.

  15. Factoid says:

    What really infuriates me is that Sony can’t even make my account information available to me right now. I don’t know which credit card I have tied to that account. I’d rather not cancel all of them, it’s a huge PITA.

    I got an email yesterday morning before I heard the news about the data theft. It was a forwarded email that was sent to everyone on my gmail contact list with some spam in it. I freaked out and started changing all my passwords immediately, starting with bank and paypal and the email account you could use to reset those passwords (don’t over look that, your email account should have your STRONGEST password on it)

    I’m glad I got a head start on it, but I really need to find out what card was taken so I can get it cancelled as well.

    edit: Some searching on my bank revealed the card in question. I may have dodged a bullet. That card expired since the last time I used it, so anyone trying to use it would fail. Hopefully they don’t try experimenting with new expiration dates.

    • Zak McKracken says:

      Possibly, your account doesn’t matter anyway because whoever has it now has already changed your password. That would be a new round of fun … all those people not getting back in, and Sony having to find a way to verify the real account owners …
      That’s just hypothetically, but still…

  16. Alex says:

    For some reason, I feel bad for Valve right now. Even though it’s the fans who put up with so much of Sony’s nonsense who suffer the most, for some reason it’s that one developer who I think is getting especially screwed here.

    They made a huge deal about how Portal 2 and future games were going to be the -complete- experience on the Playstation 3. Steam on a console system. Cloud states and all that mumbo-jumbo. Even I was finally starting to consider that maybe purchasing a PS3 in this day and age wasn’t a completely ridiculous idea. They were going to do everything they would have done with the Xbox 360, if it weren’t for the draconian guidelines Microsoft placed on developers in regards to free updates and such. The reasons why Team Fortress 2 on the Xbox was received so horribly? That would supposedly never happen here. It sounded like they wanted to bring something closer to the perks their PC audience has over to the console crowd.

    And a couple of days after the launch of a game meant to be played with a friend or online, the testing ground that had the biggest chance to maybe convince the big M to rethink things, what happens? Only the biggest catastrophe imaginable for an online service like PSN.

    I can’t remember a disaster in video games like this since the 80’s crash. And there’s still barely an indication of why it happened, and how it’s going to get better. People are going to be talking about this one for ages.

  17. Josh R says:

    Correlation does not equate to causation… How sure is your brother that it is the psn information used here?

    • Klay F. says:

      It says pretty clearly, that he was contacted by Dell regarding purchases he did not make. Info from Dell being the info Patrick used to sign up for PSN. The connection was pretty easy to see I thought. While it is still not 100% certain, these kinds of things never are.

      • Peter H. Coffin says:

        Because Patrick signs up with different false information on every site and system? That’s clever.

        • Klay F. says:

          Maybe its just me, but I highly doubt this kind of thing would be coincidence, if I end up being wrong, then I will apologize, but until then, the timing seems a little convenient.

          • Peter H. Coffin says:

            There’s hardly any need for an apology. It’s just that credit card fraud happens all the time, and it doesn’t take a major system breach to account for one incident in a week, or even a thousand.

            • Klay F. says:

              Assuming the hacker/s didn’t leave a trail for authorities to follow and this/these person/s stole a large enough number of peoples data, they might never be caught. The sheer number of people who have their info stolen on a regular basis would assure that any cases actually attributable to said hacker/s would pretty much be like spitting in the ocean.

              I say all of this without the slightest clue what actually goes on under an identity theft investigation, so I could be talking out of my ass.

      • Caffiene says:

        Actually, it is not just “not 100% certain”, it is far from it. While I assume Shamus’ brother is a generally intelligent person and his assumption should be given some weight since he knows details we dont, think of it this way:

        Of all the people whose credit card information was obtained, what are the chances that *any* of them would have their credit card details stolen in some other way?

        The chances of Patrick’s details in particular being stolen and it being unrelated to PSN are small if we consider only him, but the chances of it happening to *somebody* in Shamus’ circle of friends and family is lower. The chances of it happening to somebody in Shamus’ circle of friends and family or a poster on his site are lower again.
        The chances of it happening to Shamus, his friends or family, a poster on his site, or the friends or family of a poster on his site… well, you get the idea.

        The chances of we, the readers of this site, hearing 2nd hand about it happening to somebody are really quite high.

  18. Paul Spooner says:

    So, do you think that developers will re-weigh the cost of storing customer data in connection with “modern” DRM, or will DRM only get worse, using the PSN hack as another excuse?

  19. WysiWyg says:

    For passwords; KeePass FTW! I only have to remember ONE password, then I can use totally random passwords for all other things.

    For money; E-cards! You create a new card-number for every transaction, and that “card” is limited both in time (usually only valid one month) and in money (you set the limit to what you are supposed to pay, and then the card will be declined for anything over that). The best? Both are totally free!

    (Disclaimer; E-cards may or may not be available with your bank. I reside in the lovely northern country of Sweden, and not even all the banks here have that service.)

    • Alexander The 1st says:

      E-cards would be nice to have.

      Also, the problem with KeePass – what if we hack KeePass? What now?

      • Topaz Wolf says:

        I have a bio-scanner that does this. One obscenely massive password that I don’t even have to remember. All I need is my fingers. Pretty nifty. If only Firefox 4 supported it so I didn’t have to move passwords around…

        • WysiWyg says:

          Only drawback is then that you have to bring that scanner with you if you want to access your passwords from another computer.

      • WysiWyg says:

        Your password database is stored on your computer, not on some server (although I think they offer that service), so first they need to get into your computer, which shouldn’t be to easy if you know what you’re doing. Even after that they still need to decrypt your password database. So it’s fairly safe, definitely one of the safest I can think of.

    • Zukhramm says:

      I used that before I got the card I have now. It’s nice, but not perfect, first of all some services just do not accept them.

      Secondly, it’s clumsy. I want to buy something? On to the bank’s website, log in with the security password generator that lies somewhere on the floor under my desk, log in, get to the e-card part, enter another password that I had forgotten I have, the card application opens in three new browser windows and then I set the time and money limit and then I have to keep switching back and forth between windows to enter the numbers it gave me.

      Sure, it’s nice to have but it’s so much easier just to reach into my pocket and pull a card out. Yeah, I’m lazy.

      • WysiWyg says:

        *laughing*

        Seems my bank knows what they are doing after all. I open up a link that pops up another window, I then enter my code, and then I press “new card”. Most of the time I only have to enter the amount, everything else is already right.

        Oh, and the best part? You can copy-paste the card number! Now, if only more services could learn to handle spaces in the number, that would be golden!

  20. Nevermind says:

    I am NOT a super-brain, and I can’t keep a unique name & password for every single site I visit.

    That’s why you should ALWAYS use password-keeper software. You can safely lock all your passwords in an encrypted database that YOU control, and only remember ONE password to rule them all. Better make it good password, though (-8

    • Abnaxis says:

      So then what happens when you need to access that password through a console, like the PS3 or PSP?

      • Nevermind says:

        Why would you need to access your passwords through a console? If you need to enter a password on a console, just look it up on your computer/smartphone… you have one of those, don’t you?

    • El Quia says:

      Until that passwords falls in the hands of a hobbit that’s friends with the people that banded together to destroy you!

      :p

      • Mari says:

        I approve this comment.

      • Jarenth says:

        In this analogy, Mount Doom could be replaced with 4chan as the place where secure passwords are tossed to die.

      • Alexander The 1st says:

        I wonder…is it possible to have a password with runes that causes you to immediately turn and face anyone who tries to use the password when it isn’t you?

        I want that service.

  21. Matt K says:

    Well, good thing I only ever used the PSN to redeem a free game when I got my PSP such that I believe all of my information is way out of date (and the CC is most likely long since canceled).

    Oh and MS is having thier own problems as well.

    http://www.escapistmagazine.com/news/view/109592-Latest-XBL-Exploit-Takes-Aim-at-Users-Credit-Cards

  22. Daemian Lucifer says:

    Sony already recovered from one major scandal,so itll probably recover from this one as well.

    However,not just smart crooks can use this to benefit,smart(and devious)customers can also benefit from this.Just tell someone to buy something with your credit card,and then tell sony how your account was violated.

    • Soylent Dave says:

      I’m not sure I’d consider “engaging in credit card fraud” to be particularly smart…

    • Klay F. says:

      If this gets as serious as I think it will get Sony might pull out of the console and videogame…uhh game altogether.

      Seriously, there could be literally endless lawsuits come from this. There is certainly no shortage of opportunistic assholes that would try to make a buck off Sony.

  23. ngthagg says:

    It seems the password problem is pretty common here. No one can remember enough strong, unique passwords for all the different websites that require one, so either the strength or uniqueness (or both) gets compromised.

    Here’s the thing: memorizing passwords is the WRONG way to go about this. The right way is to memorize a rule, a way to take an address and convert it into a password. If you design your rule well, it will generate a strong password from any input. And since every web address is different, you won’t ever repeat a password.

    • Bubble181 says:

      Hmm….Good thinking. Never really considered it. Not worth it for the unimportant thingies, but might help me diversify my more important passwords more.

      • K says:

        Worth even those. Your memorization effort actually decreases, because you only need to remember a single rule instead of multiple passwords.

    • Bobby Archer says:

      I do something fairly similar. I have the same basic password for most uses, but change a few characters of it based on the website/service it’s being used for. I save my brainspace for unique passwords for the few sites its most needed on (e-mail, banking, etc) and no two sites have the same exact password.

      Add to that the fact that I use a couple of different logins for reasons separate from security, and I’m reasonably secure.

      I’m still glad I’m too poor to have a PS3, though.

    • Don J says:

      How awesome is it that the first person on this thread to suggest my personal favorite approach is my little brother? And I’m pretty sure I have never talked to him about this subject, either.

      Anyway, mixed case alphanumeric plus symbols 16 character passwords with a unique version for each login in FTW!

      (Except for sites/services that still don’t permit passwords longer than 15 or 12 or 8 characters, and/or don’t allow non-alphanumeric characters. But I have rules to adjust my system for such sites as well, and the exceptions are few enough that they are pretty easy to remember. Plus I keep a coded note in Outlook that tells me what I need to know for specific password variations while remaining useless to anyone else.)

  24. Abnaxis says:

    I’m curious, how often is it the problem that a crack in security on one site propagates across to others? i.e. if a hacker gets my password to PSN, and I use the same password (with perhaps a different or a similar account name) on an e-mail account, how likely are they to put together A and B without personally knowing me?

    • Soylent Dave says:

      If you have an entirely different account name and e-mail address, you’re probably safe(r).

      If you don’t, then all the hacker has to do is google the account info it has, and try that account name in the popular webmail programs… if one of those turns out to be your main ‘safety’ e-mail account, the one you get all (or most) of your internet identities to e-mail passwords to if you ‘forget’ them, then he’s got access to pretty much everywhere you go online, even if you vary your passwords quite a bit.

      If he gets your Facebook out of it – because you’ve made your Facebook profile link the same as one of your account names, say – then he knows your real name. If you have your own webdomain, then he knows your real name and probably address / telephone number.

      And so on…

      (in this case, of course, the hacker has your account name, a password and at least one of your e-mail addresses anyway, so his job is even easier)

      I’d say it was probably pretty common. I mean – how much of the stuff I get from Googling ‘abnaxis’ is you?

      (yes, you can do exactly the same thing for me! I suspect you’ll also find my real name incredibly quickly… [Spoiler : it’s Dave])

    • Jon Ericson says:

      This is, I believe the usual method. Anecdotally, the two serious security breaches my project has suffered occurred because some other system was broken into and someone used the same credentials on our systems. In both cases, the password was also easy to extract from the hash table it was storied in on the other system. (Also both incidents were through the same, high-level individual.)

  25. Grag says:

    I am shocked no-one (especially Shamus) has referenced the Two Worlds II thing.

    http://www.shamusyoung.com/twentysidedtale/?p=11396

    Sony just gave everyone a reason to follow your example on this.

  26. Archaic says:

    ironically the only reason i found out about this psn hack was after two days of trying to get on the psn to install portal 2 on steam, i had to look it up and i must say personally that i fall under the category of just about every password being the same. this being a wake up call for myself to produce better passwords.

    although luckily i dont have any credit card info stored on my account, but my hope is that sony can figure out what’s going on and solve it in the best way possible.( by the way of the least amount of consumer base damage possible). although i wish they would set up a time frame or at least keep us sony customers in the loop since this is a great concern for us as a community.

  27. BenD says:

    I still haven’t received the email that Shamus’ brother has. Where is my email? Has anyone else not received this famous Sony email yet? Grr

    • Soylent Dave says:

      Guy interviewed ITV news (UK) hadn’t received any e-mails from Sony about the hack either, and was complaining about having to get all his information from Sony’s blog…

      Could different Sony regions being better about communication (I’ve had the impression before that Sony are pretty compartmentalised).

  28. I find this both amusing and sad.

    Amusing that people think it’s Anonymous that is behind this, I seriously doubt it. It’s more likely digital crime syndicates behind this, east europe/middle east/somewhere in asia. (no offense to the folks living there obviously).

    Secondly, the “password” and “password answers”, how the heck can that be the issue?
    Didn’t Sony at the very least do the following?…(Shamus knows what I’m talking about, if the password blooper turns out to be true he might explain this in more detail in a follow up article on this mess):

    The solution is simple (md5 or sha or similar hashing algo).

    passwordhash=md5(“userid:password:domainanme”) or similar,
    and the same for the password answer.

    HTTP Digest Authentication has been around for ages, http://en.wikipedia.org/wiki/Http_digest_authentication
    combine this with SSL/HTTPS during the login and users passwords and password answers would have been safe.

    Oh and that’s the sad part. I bet if you did an Audit on all the big companies you would find a horrifying large amount of them storing password and password answers and pass phrases in plaintext.

    I know it sucks for all the users, but maybe this will act as a huge industry wakeup, if nothing else due to the possibly huge classaction lawsuit that Sony might be facing due to this and the backlash in the creditcard/bank industry. (oh and expect card fees etc to rise because of this).

    • Phill says:

      Just to be picky, I’d avoid using MD5 for hashing passwords. Why? Because it is a fast algorithm. Hashing a password isn’t something that is using up a lot of processor time anywhere, so there is no need to use a fast algorithm, and in fact a very good reason to use a slow one: the speed only really matters if you are creating hash tables or brute forcing a password. And from a security point of view, slower is better. If you use a deliberately slow hash algorithm – 100 times slower than MD5 for example – then it takes 100 times as long to crack each password. That won’t make much difference for weak passwords, but does push strong passwords from the “easily do-able” to the “not worth bothering with” realm.

      • MD5 and HTTP Digest Authentication is safe, even with modern computing power.
        The user id for example as I mentioned acts as a unique seed, combine that with a domain/realm and the password can not be cracked.
        in fact it’s easier to instead exploit the underlying services and try and use the hash directly.

        Now I could be wrong and this is indeed what happen at sony (i.e Sony was clever). The hashed password can still be missused but only with PSN,
        the attackers have no idea what the plaintext password is, and using rainbow tables is kinda pointless and not worth the effort.

        I really wish Sony would state whether the passwords and password answers was in plaintext or not. if plaintext then everyone MUST change their passwords on all their services where they use the same password.

        But if they used something like passwordhash=md5(“userid:password:domainanme”) or similar, even if it’s “only” md5, then the actual password is still safe.
        I’d still advise changing it if it’s something really stupidly simple or a dictionary word, but anything complex and rainbow method won’t work.

        There is obviously the birthday paradox, but then again it’s just as easy to use the hash instead. and birthday paradox or the hash if implemented like in my example would only work with PSN anyway.

        One thing is sure, I’m glad I’m not one of the security experts or the top executives responsible, I wouldn’t be surprised if they’ll have various higher ups resign after this.

        • Blake says:

          The other thing to do with passwords is run a hash algorithm on them multiple (say 26) times (or different algorithms for added fun!).
          Unless they know the sequence of transformations done then even passwords such as ‘password’ would be as secure as they could be.

          • Nope! If part of the website code is exposed they might learn that.
            Sure it’ll be computationally expensive but they’ll know.
            passwordhash=md5(“userid:password:domainanme”) is just as easy/difficult as repeated hashing.

            The only reason I’m advocating passwordhash=md5(“userid:password:domainanme”) so much or rather HTTP Digest authentication method to be precise,
            is that if you look at that url/page I linked to earlier then you’ll see that passwordhash=md5(“userid:password:domainanme”) is actually stored like that, and it’s also how the hash is sent (actually it’s passwordhash + nonce etc hashed again) from the browser to the server,
            so even with a normal HTTP connection (rather than HTTPS connection) the act of login in would be relatively safe, even via public WiFi.

            The infuriating thing is that HTTP Digest Authentication has been around for like a decade +, and still pretty much all forums, blogs (even wordpress) do plaintext logins instead *sigh*.

            Even with HTTPS HTTP Digest Authentication makes sense as it helps protect the user’s password by ensuring that the server never gets uses it in raw/plain text form ever, so even if the server is compromised the hash is exposed, but the password is “safe”.

            Sure people can be smarter about picking better passwords, but when the top 500 most common passwords that was linked to here have something like “ou812” which albeit is short, but random looking enough (to me) is still in the top 400 most used passwords.
            Must be some cultural reference I’m missing on that one.

            Oh and you said hashing 26 times, you do realize that this would slow down login massively, you are thinking a single user, but with hundreds or even thousands log in at around the same time, such hashing could bring down a login server rather quickly.

        • Jan says:

          MD5 hashing safe? If you know the salting method, there are programs which can compute 5600M hashes per second on normal consumer hardware. It then takes at most 20 days to crack a fully random, using special symbols etc. password. I wouldn’t call that really safe. Of course, lots of lower hanging fruit there (using only upper and lower case letters and numbers are cracked in 10 hours(!)), MD5 hashing should be considered unsecure for all intents and purposes.

  29. K says:

    People not having unique passwords annoy me to no end. It’s so incredibly easy to use a one way function!

    Example time:

    “Use the first three letters of the service, and append ‘house15’ to all of them.”

    Gmail: gmahouse15
    Hotmail: hothouse15
    Steam: stehouse15
    WoW: worhouse15

    It’s incredibly simple, and utterly unbreakable without sophisticated pattern matching, which means you need more than a single of those passwords, plus a human brain looking at them. That is about as safe as you can get.

    You can make this a bit more complicated, such as not using “house15” as a static string (because it’s a dictionary word and therefore bad), use “lkao389.sikql” instead, and then don’t go for “3 letters from the beginning”, because that can sometimes be spotted, but rather “every second letter, up to 4”. That example results in perfect passwords, no questions asked. And you can remember them all easily. You can even convert your current passwords cheaply. Just use your current one, and add a rule to it related to the service name.

    If you don’t do this, I hope you get hacked so you can learn your lesson (and stop sending me spam from your involuntary botnet membership)! It’s like leaving the keys dangling on the outside of your car.

    • Soylent Dave says:

      It’s like leaving the keys dangling on the outside of your car.

      It’s more like using the same key for your house, car and office. Which would be incredibly convenient (and also very convenient for anyone who steals your key, obviously).

      If you don’t do this, I hope you get hacked so you can learn your lesson

      Let’s not create even a hypothetical world where victims are responsible for the actions of criminals – it’s never your fault if you’re the victim of a crime.

      You can do things to minimise being a target, or to minimise the impact if you are victimised – but that doesn’t make it your fault when and if you are.

      It’s still the guy nicking your stuff who’s the arsehole.

      • Kdansky says:

        Let me put it this way: If he steals from you, he’s a criminal. No matter how easy you made it for him to steal from you. I strongly feel he should go to prison (or whatever is appropriate).

        But if you practically asked for it and gave your money freely, then you are an idiot, and do not deserve any sympathy, respect or pity. You still deserve justice. Which is exactly what I say: I have no respect for people who dangle their keys in front of a gang of thugs at midnight in a dark alley, insulting them and telling them where they live. And offering to drive them there, in the case of using “password”.

        • Soylent Dave says:

          I wouldn’t agree that someone using the same password in several – supposedly secure – locations really equates to your example, though.

          It’s definitely an ‘all your eggs in one basket’ approach (especially if you use the same username as well) – but people do that all the time.

          If someone breaks into my house and steals my stuff (or there’s a fire), I’ll lose nearly everything I own – because I don’t store my belongings in multiple locations to minimise the impact (the optimal solution). I don’t think it makes me an idiot; it makes me someone who wants convenient access to his stuff.

          Similarly someone who uses the same password for everything isn’t a moron, he’s just enjoying the convenience of only needing to remember one password.

          (for the record, I’m not that guy. But I am sometimes the guy who has to make 3 or 4 different login attempts because he’s forgotten which password he uses where… I can’t say I feel too intelligent or smug when that happens!)

          • Kdansky says:

            It is not a “all eggs in one basket” approach. There is a huge difference! If you use Keepass, then you are playing egg/basket. Because if keepass is hacked, you are majorly screwed. You can’t even change your other passwords any more, because you cannot log in. Ouch! But as long as Keepass holds, you’re fine.

            But having the same pw everywhere is far worse. It doesn’t matter which company is hacked. You’ve got the same liability, but multiple times! Every single service you ever used can be compromised. Hell, there are sites that want you to make an account, just so they can sell the user/pass combination! If all services hold, except for your account at Gawker (they got hacked just recently), then you lose your mail, your facebook, your ebay, your amazon, your dell and your steam account. Isn’t that brilliant?

            Are you really going to argue that giving everyone you do business with a key to your house isn’t moronic? It may be convenient, but that doesn’t make it any less retarded.

    • Peter H. Coffin says:

      Next you have more than one account with an organization, for a legitimate reason. Like you have an Amazon account, and an Amazon Developer account, and an Amazon Web Services account. Then your worhouse15 WoW password overlaps with your “World of Cheese” password, at least until World of Cheese changes their name and becomes “eCheese Unlimited!”. Next, you find that little sister shoulder-surfed your password for PornTown and “porhouse15” needs to be something else. Do you remember “prnhouse15”? or “ptwhouse15”? Goddamit! This next site requires 12 character passwords, and that one needs at least one non-alphanumeric character!

      • Bobby Archer says:

        It still makes for more unique passwords than most people’s default of the couple they can remember, and more usability than trying to remember a different, unique password for every site. It’s better than most systems of similar time/effort invested.

      • What annoys me to no end is the password requirements some sites have.

        Some have the must be 3 to 8 letters and you must use letters and numbers.

        Why oh why is there a limit?
        I’d like to see “Enter a passphrase from 1 to 255 characters long, use letters or numbers or any UTF8 character as you see fit!”

        That is the dictionary/rainbow attack nightmare, and store that with a hash method similar to what I advised earlier above, a stolen database with passphrases like that would be of no use outside the service that was attacked.

        Passphrases are also a lot easier to remember, and easier to vary from site to site.

        • Klay F. says:

          How many passphrases then would a hacker catch just by using “May The Force Be With You.” or some other nerd motto?

        • Kdansky says:

          I forgot to add: Having silly long sentences is also a decent way to create passwords, but you still have the problem with uniqueness. You can combine both approaches though:

          “I forgot my password for Google 17 times.”
          “I forgot my password for Ebay 17 times.”

          Such passphrases are (for all practical purposes) impossible to break. If they are leaked in plain text however, a human brain would spot the function immediately.

      • Kdansky says:

        A: Your passwords may overlap. That happens. I’m using a really weak version of this technique, and I have one collision. Is that a problem? No. Because the alternative would be to have dozens of collisions, or the need to remember hundreds of passwords. So a hash function gives you the best middle ground.

        B: Namechanges of services. That happens. There are always these “reset my password” links on all sites. You just use that whenever you run into issues. It’s not very common that Amazon changes their name, so I can live with this tiny inconvenience.

        C: Your sister saw your password? Well d’uh, now you have to replace them all, exactly as you had to when you used the same one everywhere. Except that in the old case, you would have to replace all your passwords, no matter which one she spotted. In this case, you only need to replace them if you care about her opening that one site. And that is assuming you are such a slow typist and have such a short password that she could spot it, which I find unlikely and dumb respectively.

        D: Some sites require silly password restrictions. I’ve run into one which asked for my password to be no longer (!!!) than 8 characters. You know what you do with those? Use the password request function every time you forget the variation you used. And try to use a function which includes a Caps letter, a number, a letter, and at least 10 characters. That covers 99.9% of all pages, or more.

        E: Multiple accounts. Just use the same password. There is zero disadvantage to this, because hackers cannot try every password leaked with every username leaked on every possible site. Completely irrelevant.

        Conclusion: There is no free lunch, and every method has its limitations, this one is no different. But can you honestly say that these four very minor niggles are equal to losing every single account of yours if one of them is compromised?

        • Peachfuzz says:

          What about systems that require you to change your password every so often? I’m guessing you just do house16, house17, etc.?

          I’m not trying to play gotcha, I’m actually genuinely curious. This seems like a really neat solution, with a little tweaking.

          • Kdansky says:

            Those are incredibly inconvenient and very unsafe by definition. If you force your users to change their passes all the time, most will write them down on post-its, usually under the keyboard. I would recommend to use a completely different and unique password for them, and then append the current year. That way, change is easy to remember. If you use your usual hash function, you will probably have a hard time remembering the function, since it is wrong so often. There is no decent solution, because the problem is engineered to be resistant to all good password choices.

            • Mayhem says:

              Best trick for those is to append a month or year to the password.
              So use a common base like say worhouse17 and add the current month as 01 or 05 to the end each time you change it.

              If they really get picky and block more than previous 12 (which is bad enough but hey) just sit down one day and start repeatedly changing your password till you exceed the limit, then start again with your routine.

              Password reuse is a bad thing, but enforcing changes more than six times a year and blocking reuse past around 3-4 passwords is practically demanding your users do something even less secure. Most common practice in offices I support is to write them in a notebook and put it in their desk drawer. Not exactly secure.

              • Bubble181 says:

                Like I said earlier on – it’s every month, for 24 months here. I don’t know what nitwit came up with that, but he’s single-handedly responsible for making our entire network easier to break than an average egg. I think 90%+ of people here have repeats of a letter as a password (Aaaaaaa and the likes).

            • Mari says:

              LOL My post-it is behind my monitor. Of course, it’s in my house, not an office. And you either have to break in while I’m not here for that whopping hour and a half a day (max) that I’m out of the house or you have to break in while I’m here and fully armed.

              And yeah, like I said above. Monthly password changes, no reuse of previous 12 passwords, and any 3 characters in same order constitutes same password (ie no “STBhouse*01” “STBhouse*02” etc). And I dislike having to do a password reset every time because they require a photocopy of my driver’s license and Social Security card be faxed/e-mailed every time they reset the password which strikes me as way less secure than my post-it.

              With the exception of my bank, though, my password use is really quite secure. I’m not the complete idiot that my bank password makes me look. Like Shamus, I have access tiers. My World of Cheese log-in is the same as my Porn Town (same userid and completely moronic password like “password”) because neither of them have any information about me on file that would do any hacker any good anyway, just a web mail address registered in the same fake name as the WoC and PT accounts are in. Facebook is different because it has access to my real name so it’s a higher tier of information; accounts with real info get medium-security passwords according to a rule like the one above, but the information gleaned from such a site would still require you to gain access to a lot of other sites to be useful. Amazon is higher tier because it has access to bank information and thus requires an actual unique password.

  30. Blake says:

    “The cost of any games that might get pushed back. After all, you don’t want to release a PSN game with a multiplayer component if PSN is down.”

    Our game was released Thursday (release date was broken by most of a week), the online portion was a significant part of the game, if this badly affects sales it means bad things for the company =/

  31. Zaghadka says:

    I haven’t used my PSN login in a couple of years, but that is one place I would have trusted with one of my good passwords. I mean, Sony, right? Multi-billion dollar company. This isn’t some shady blog or forum or Facebook app. This is a major corporation.

    I would offer an alternative analysis, in which the size of the target makes this kind of thing more likely. Certainly the size of the installed Windows base has made it a cesspool of viruses, not because it’s any easier to break into, but because if you manage it, you break into 90% of the world’s computers.

    Steam, Blizzard, Sony, Microsoft are all primary targets, every day, 24/7. Big, long client lists are assured. As you aptly noted, MS is glad it’s happening to Sony, but it could have happened to any of them.

    As a result, I often feel more comfortable with the smaller companies. Who’s going to hack a mom-and-pop operation? Why? The only really big thing you have to worry about is if a fly-by-night operation doesn’t hash your password, and therefore might sell your credentials when times become hard. But I’m not worried about my credit card data being stolen at such a place, any more than I am worried that my waiter has eidetic memory and is storing away my credentials.

    The security community needs to do something about this “big target” problem. Cloud solutions only seem to consolidate the problem. This data needs to be stored in a way that a network compromise doesn’t net the entire customer database. Critical data should be encrypted, decoupled, and stay that way until it is needed, then hashed away again when it isn’t.

    • Deadpool says:

      Inconvenient as it is, I’m starting to appreciate Nintendo’s set up. No log ins, no passwords, no emails and they don’t keep your credit card information. The best anyone could hope to do to you when hacking THEIR network is use your saved Wii Points to buy games you don’t want…

      Amusing that through all their failures, Nintendo continues to provide costumers with things they want, even though they don’t ask for it, and often complain about it when they get it…

  32. HeadHunter says:

    Not that I’m indulging in schadenfreude, but suddenly I feel a lot better about paying for my XBox LIVE Gold subscription.

    I wonder if all the people who called me a fool for paying when their PSN was “free” still feel the same way.

    Folks may vilify Microsoft but they’ve never really done me wrong. Sony, on the other hand, is just a notch or two behind Verizon on my shitlist. Funny how I never seem to regret not doing business with those companies any longer…

  33. Amarsir says:

    It does sound like Sony made a number of dumb mistakes. Then again, all mistakes are dumb in hindsight. While I by no means want to cover for their sloppiness, I’m also mindful that security means covering every possible angle while critics have the luxury of waiting to see what happened then pointing out the fault.

    To-wit: dev access from consoles does seem like a weakness but I’m not sure I’d have closed that loophole were I in charge. These things don’t always flag themselves until afterward. (No defense of plaintext storage though.)

    • A piece of hardware should never have a builtin password/certificate/account, if that is what happen then this is Sony’s fault.

      If however a dev “account” leaked out then that is a different matter and Sony is not entirely at fault (still, if a dev account can access that much info then something is wrong still, as only account/tech support should have access to that info).

      And still the plaintext password and plaintext password answers is a huge red flag in and of itself that security is questionable with PSN.

  34. Zak McKracken says:

    I’ve just gone and deleted all my bank account information from my amazon account.
    I think one thing to learn from this is to not store that type of thing on the net, just for convenience.
    I hope they’re not still storing it elsewhere …

  35. LB says:

    That’s not even the worst part. I rented Portal 2 on Thursday and didn’t get to play the co-op at all!

    • Yeah, and that’s the thing that makes DRM haters (I dare say so) like me and Shamus both laugh and cringe and the same time,
      as PSN being down makes not only co-op and multiplayer not work.

      But patching a game (some games require that you patch up to the latest firmware during install, right?)
      Thus with PSN down you will probably be unable to play your single player game as well. (any reports coming in on this yet anywhere?)

  36. Simplex says:

    “Thus with PSN down you will probably be unable to play your single player game as well. (any reports coming in on this yet anywhere?)

    You cant play two Crapcom (no typo here) games released on PSN, because of their dumb DRM – single player game requires you to be signed into PSN! Ubisoft much?
    Amazingly, this DRM is not present in the XBLA version of their games.

    http://mmntech.blogspot.com/2011/04/psn-outage-exposed-capcom-drm-flaw.html

    What flaw? It was designed that way from the start ;)

  37. Arcanys says:

    Yeah right, a pretty billion dollar mistake it is. But to force our email providers to change passwords would be just like crossing the boundary. Its not likable regarding the outage time frame, their running out of choice. I do hope Sony will go live soon cause I’m foreseeing of lawsuit complaints. outsourcing company

  38. Zaxares says:

    This intrusion was actually reported on the mainstream news channel over here in Australia. That makes it BIG indeed, if it warranted airtime for a general public that usually doesn’t give two clicks about games and gamers.

    I sympathise with any PSN users out there, but I suggest using this as a wake-up call. After my Guild Wars account got hacked two years ago, I wisened up and started using a multi-tier system of passwords like Shamus does. And even then, passwords within the same tier are not exactly the same as each other.

  39. wootage says:

    Don’t forget the costs of the auditors to redo their compliance audits. This impacts Sony’s revenue, and as a publicly-owned corporation, they absolutely have been conducting and reporting audits that say “yup, everything is ok, there’s no reasonable way the flow of money can be impacted more than a couple of percent due to technology failures, including haxing”. SEC rules, y’know.

    So there’s some red faces in the C-level grounds and consequent carpet-calling going on with internal audit and their consultants right now, you betcha.

  40. Mephane says:

    Think about how many people use the same name / password pair everywhere.

    That would be a major failure on Sony’s side. If stored as salted hashes, especially with dynamic salt, even with the actual user database at hand, one would have to make a full-blown brute-force attack on every single user account. And the attacker wouldn’t even know which way the salt is applied exactly. So he doesn’t know the exact algorithm, has to try out a couple of variations, and all that for each and every user out there, just to find out the password that fits to the stored hash. Which means they’d be busy for months, if not years, which also gave people time to change their passwords in other places if they have the same one as in the compromised place.

    But I get your point. I wouldn’t be surprised if Sony stored password in plain text, but it would be stupid any way. The PSN hack is exactly the scenario why passwords should never be stored in clear text or in any recoverrable way.

  41. Dys says:

    *breach

    Hah. :P

  42. nehumanuscrede says:

    Old news by now, but Sony has taken their other gaming systems offline as well for the time being to determine if the damage extends to those systems as well. ( being Sony Online Entertainment )

    Everquest / Everquest II and all the other online MMORPG’s that SOE handles. IF the breach extends into these systems as well, the sheer amount of personal data exposed is staggering.

  43. Steve C says:

    Shamus said: This could be a billion dollar mistake.

    Yup. That’s exactly the figure someone else thinks too.
    Ontario woman suing Sony over PlayStation breach; seeks $1B in class action

  44. Severbus.eu says:

    Nice post. I was checking constantly this blog and I’m
    impressed! Extremely helpful info specially the last part
    :) I care foor such information a lot. I was looking forr this certain info for a lokng
    time. Thank you and good luck.