Sony Blames 'External Intrusion' For Lengthy PSN Outage

Several readers have noted that outages on Sony's PlayStation Network have prevented online play for the past few days. The company has now blamed an 'external intrusion' for the trouble, saying they took down the network to "conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward." Some suspect an attack by Anonymous, who declared war on Sony earlier this month, but Anonymous has disavowed knowledge of such an attack. Meanwhile, others are asking whether Sony should compensate users for the inability to play PS3 multiplayer modes, and even single-player modes on a few downloadable games.

Re:Anonymous

[Anonymous Coward]

Just because Anons and the ill-informed continue to proclaim this doesn't make it entirely true. They organize, they're a group, they coordinate. No leader doesn't mean parts of the group don't take it upon themselves to declare and such. Anon even sent out a press release once during this debacle. Don't pretend they aren't organized and don't have people that do the talking, they do, no matter how much they want to pretend they don't.

This is why I don't like online

[Psychotria]

I guess it's great for the content providers and their DRM, but when I can't play a single player game because either their servers are down, or I don't happen to have a connection at the time is annoying and stupid. (I don't have a Playstation, but several single player games on Steam behave in the same, or similar, way; e.g. f1-2010 I can't save progress without the internet because apart from steam, which launches the game just fine, there is the crazy Live-Games for Windows (or whatever it's called). Why I can't save progress is beyond me as the save games appear to be local files, but that's just how it is.

Humans are the vulnerability

[elucido]

It doesn't work like that. Assuming both sides are highly competent, securing something is a fundamentally harder problem than breaking in. To break in, you only need to figure out one vulnerability. To secure something, you need to make sure every component - as big as a data center and as small as every single instruction sent to the CPUs - in your system, is invulnerable. Hiring hackers would only help if the engineering team is highly incompetent to start with (like, they aren't even aware of basic things like why strcpy() to a fixed buffer can be a very bad idea).

You are underestimating the power of social engineers. If you have someones dox, if you have their social security number for example, and this someone happens to be either an employee for a rival corporation, within your own corporation, or anywhere else, it's very easy to build an intelligence file to find all their human vulnerabilities. Now if you want to see how vulnerable an entire corporation is, who is in charge of protecting the secret information or passwords or whatever? How psychologically stable as those people? If you have an intelligence file on every important employee within an organization, and you know which ones happen to be psychologically unstable, vulnerable to certain kinds of social engineering, etc, then you can probe the network for human weaknesses.

Which ones are most likely to write their passwords down and throw them in the trash? Which ones are most likely to go to an online dating service and meet a girl or guy? Knowing who is single, knowing who has what psychological disorder, knowing who cheats on their wife or husband, knowing anything which can be leveraged to compromise them. It's no different than in politics where politicians get targeted and corrupted over time, when enough eyes are on an employee then its only a matter of time before the employee does something which can put them in a compromised blackmailable position.

Once in that position then they have to choose between losing their wife/husband or losing their job. Once again blackmail, extortion, or outright social engineering where they think the boss told them to give the password, is usually all that is required to hack human networks. If you are trying to always hack it by technical means then yeah you'll have to hope there is some bug in the system but if you want to guarantee success you have to hack through all means, technical and social.

Personal Data?

[thecombatwombat]

What blows my mind is that people are asking whether or not they should be compensated, when will the service will be back up, and who's responsible, but not so much "is my credit card that the PSN stores secure?" How is this not the first thing Sony gives an update on when they officially say this is due to an attack?

I've been looking at the comments on every post I see about this. At first I was hoping for an answer, and now I'm mostly just curious. This seems to be the very least of everyone's concerns.

Re:Wow

[cgenman]

The system is not still down for forensic or investigational issues, its down because they haven't figured out how to bring it back up.

Generally, the worst attacks are the ones when you can't figure out how much access people still have, what they did while they were there, and whether or not it is safe to bring the system back online. If someone got root on Sony's update servers, you'd better believe those are staying offline. A problem there could leave Sony on the hook for the cost of 50 million very expensive plastic bricks. Similarly, someone with deep PSN access might be able to leverage that into accessing Sony's other internal systems, which could include things like VAIO firmware, manufacturing robots, sony picture entertainment, and baseball fields full of money.

Keep 'em down for a few days to do your security homework, or suffer a bigger break later.

Re:Right...

[_Sprocket_]

I would advise getting some world travel under your belt first - and not just the pre-packaged European holiday route.

Re:Right...

[tjhart85]

They took away a piece of functionality that it was advertised as having. If I had a PS3, I'd want them to take the whole thing back & credit me the full retail price (if I liked it, I'd pick up a used one ... at least then Sony wouldn't directly get my money).

I know there are a lot of analogies floating around out there, but to me the fact of the matter is it doesn't matter how big the functionality was, it was an advertised feature. What if it was blueray playing functionality that they decided to yank out? Not a big deal, right? I mean you can pick up a new blueray player for $80 or so, less if you find it on sale, hardly a real reason to be upset.

Re:Right...

[Anonymous Coward]

This is why liberals have mostly been in charge since the 1960s.

Yeah, don't let a little thing like 30 years of Republican presidents vs 15 years of Democrats since 1960 get in the way of your "facts".

Scapegoat

[JavaBear]

Anonymous is fast becoming the preferred scapegoat when a large corporation have an outage.

--
Maybe I should have posted this as "Anonymous Coward"?

Re:Scapegoat

[tomstockmail]

When said corporation is said to be the target for a few weeks prior, I think it's more than scapegoating. It's a confirmation.