PSN Down

Started by Jmac, April 26, 2011, 12:53:06 PM

stick d00d


Jmac

#46
Quote
The company will also rollout the PlayStation Network and Qriocity "Welcome Back" program, to be offered worldwide, which will be tailored to specific markets to provide our consumers with a selection of service options and premium content as an expression of the company's appreciation for their patience, support and continued loyalty.

Central components of the "Welcome Back" program will include:

- Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
- All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
- Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.
Heh, they're trying to suck up to us now that they've lost our credit card info. They're jerks, but I'll take it... >:(

Scotty

Quote from: ARTgames on May 01, 2011, 06:52:31 PM
Quote
but I'd guess that if they managed to compromise all the information they did, they were probably also able to snatch the salt as well...
That is fine just as long as they can't use pre-existing Rainbow Tables. Because then it's no different from a normal brute-force attack to make a new Rainbow Table for that salt. Top that with a compute-intensive hash, it becomes not impossible but much less likely to get anything useful out of the data anytime soon.

If there is a salt added to the hash, then any pre-existing rainbow table is useless, and they'd have to process all the passwords adding the salt in, which they'd have to determine not only the salt, but also the pattern at which they incorporate the salt before using any form of encryption (md5, sha-1, etc...). If they can't determine the pattern for how Sony adds in the salt, then they might as well just give up, even more so if the salt is "properly" added in to the password string, and the salt string length is anything more than a couple of characters. I don't care to do the math, but if they had to determine the string length for anything over 20 characters (minimum for a raw binary sha-1 string) up to 40 or more (sha-1's default hexadecimal number length), I can't even begin to imagine the computing power and disk space required to store all possibilities and time it would take to process out one of the trillions of results (if not more). Even if they could "use" any pre-existing salt tables (be it they have a rainbow table that would enable the addition of a salt string), they wouldn't be able to compute the added salt on top of the pre-existing values without extreme amounts of overhead required to add in the salt. Something that could take a day to compute would quickly turn into a year at that rate with today's technology.

ARTgames

Yes, very true. But looking at how Sony does encryption on their PS3 when it got hacked, that would never happen. :P

Scotty

True, if they secure their system with one generic string of characters, I somehow doubt they would bother to get overly complicated with their password storage/encryption.

stick d00d

#50
Sony posted this on their blog today, regarding the passwords:

Quote
One other point to clarify is from this weekend's press conference. While the passwords that were stored were not "encrypted," they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.

Full article here:
http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/

ARTgames

Well, that's a little better. With what has been happening to them I would have believed they would be using clear text. :P But I wonder how well they hashed it?

Scotty

I stand corrected then.  The terms are often used synonymously with each other.  Seems like the hashing function probably isn't the concern, but rather that they properly hashed them (e.g. unique salt values for each password, etc...).
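An added illustration of the salting point discussed in the posts above; it is not code from any poster or from Sony. The accounts, the wordlist and every function name are constructed for the example. It compares unsalted SHA-1 storage, per-user salted SHA-1, and a per-user salted, compute-intensive hash (PBKDF2).

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob share a password on purpose.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "hunter2"]  # constructed stand-in for a precomputed table

def fast_hash(password, salt=b""):
    """Single SHA-1 pass, the weak scheme the thread worries about."""
    return hashlib.sha1(salt + password.encode()).digest()

def slow_hash(password, salt, rounds=100_000):
    """Compute-intensive alternative: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def build_db(users, salted, hasher=fast_hash):
    """Return {user: (salt, digest)}; the salt is empty when salted is False."""
    db = {}
    for user, password in users.items():
        salt = os.urandom(16) if salted else b""
        db[user] = (salt, hasher(password, salt))
    return db

def precomputed_hits(db, wordlist):
    """Users exposed by a table of unsalted digests built before the breach."""
    table = {fast_hash(w) for w in wordlist}
    return sorted(u for u, (_, digest) in db.items() if digest in table)

def distinct_digests(db):
    """Fewer distinct digests than users means shared passwords are visible."""
    return len({digest for _, digest in db.values()})

def verify(db, user, candidate, hasher=fast_hash):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, digest = db[user]
    return hmac.compare_digest(digest, hasher(candidate, salt))

if __name__ == "__main__":
    plain, salted = build_db(USERS, False), build_db(USERS, True)
    print("unsalted table hits:", precomputed_hits(plain, WORDLIST))
    print("salted table hits:  ", precomputed_hits(salted, WORDLIST))
    print("distinct digests:", distinct_digests(plain), "vs", distinct_digests(salted))
    strong = build_db(USERS, True, slow_hash)
    print("pbkdf2 verify:", verify(strong, "carol", "Tr0ub4dor&3", slow_hash))
```

With unique salts the stored salt is not a secret; its job is to force the guessing work to be repeated per account, and the slow hash raises the cost of each guess.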

Scotty


Meiun

Quote from: Scotty on May 02, 2011, 09:05:35 PM
BWAHAHAHA!!!

http://arstechnica.com/gaming/news/2011/05/sony-attacked-again-12700-non-us-cc-numbers-feared-stolen.ars

Wow, PSN is never coming back online at this rate!
Oi, what a nightmare. Although SOE is totally independent of the Playstation though, so it likely won't impact how soon the PSN comes back (let's hope).

Scotty

Way to go Sony, ya bunch of douchecopters. Didn't know your lawyers had their sleeves rolled up while getting dirty in the server rooms, too busy to not attend their hearing. I'd love to hear them complain over how decisions were made without them being present to defend themselves. Oddly enough though, I'm actually rather accepting of their discussions regarding penalties for half-ass security measures. Might encourage people to actually pull their heads out of their rears and realize personal data is not something to be handled light-heartedly.

stick d00d

http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/
Quote
Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named "Anonymous" with the words "We are Legion."
By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
Protecting individuals' personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.

ARTgames

And then Sony became a Synonym for untrustworthy.

Scotty


Scotty

#59
Sony Playstation - Check!
Sony Online Entertainment - Check!
Sony Pictures - Check!

Seriously, what's left?  I'm amazed we haven't seen management resign yet.

EDIT: Forgot - Sony Ericsson - Check!