PSN Outage Continues, Console Hack Claimed To Be Responsible

Over the weekend, we discussed news that the PlayStation Network had been down for days, with Sony saying little other than that it was caused by an "external intrusion" and that they were "rebuilding their network." Many of you have written to point out that the outage continues, with Sony saying they "don't have an update or timeframe to share at this point." One theory about the cause behind the network's downtime was recently espoused on Reddit by 'chesh,' a moderator at PlayStation-modding enthusiast site PSX-Scene.com. According to him, recently released custom firmware called Rebug allowed people to essentially turn their PS3s into dev consoles, though some features were missing. A different group supposedly used this firmware to get on PSN through the developer networks, and also found that fake credit card numbers were not being validated for game purchases, leading to what chesh called "extreme piracy." He acknowledges that this theory is speculation. Sony's handling of this outage is starting to draw attention from the government. Update: 04/26 20:47 GMT by S : Sony just posted more details, saying that a massive data breach occurred: An "unauthorized person" has PSN users' "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID." Billing address, password questions, and credit card info may also have been taken.

Speculation

[Sonny Yatsen]

I understand that the slashdot community might be anxious to see the PSN come back up, but do we seriously have to start publishing nothing more substantial than speculation?

Also, I've met Dick Blumenthal. He's a very nice man. However, he is, by no means, "the government", nor does a single letter from a freshman senator constitute "attention from the government".

Re:There's some karma for you, Mikey

[tripleevenfall]

A one-week outage does not make Xbox live better.

Re:government?

[tripleevenfall]

Is there anything that isn't government business anymore?

Re:government?

[kevinNCSU]

why is the PSN outage any of the (US?) government's business?

Because Senators are suppose to represent their constituents and the issues they care about (lets leave the vote pandering cynicism discussion as off-topic for now) and his constituents are worried their personal/financial details were compromised in the attack so it makes sense that he would ask Sony whether or not this is the case as he has a better chance of being responded to because he wields more power.

Re:There's some karma for you, Mikey

[Anonymous Coward]

It makes just about anything else better, for a week.

Re:There's some karma for you, Mikey

[Bobfrankly1]

A one-week outage does not make Xbox live better.

Yeah, it's not the outage that makes Xbox live better, it's the external intrusion. Nothing quite like an external intrusion into a company that holds your credit/debit card data to make you wish you could pay for better service.

Re:There's some karma for you, Mikey

[omnichad]

When one is free and one is paid? That certainly makes uptime LESS of a factor, though I suppose doesn't eliminate it.

Re:There's some karma for you, Mikey

[nschubach]

Even if Sony offered a pay service, the same would have likely happened. I don't see the validity in your complaint.

Re:There's some karma for you, Mikey

[smelch]

There's the whole fact that it is, you know, actually better. Xbox Live is just about fucking perfect. You can bitch all you want about paying less than a WoW subscription to play all of your console games online, but that doesn't make the PSN even close to XBox Live. PSN always makes me feel like I'm playing multiplayer in 1998. I mean that literally not as a slam. I enjoy games from 1998 still. This may have more to do with the fact that Halo has amazing multiplayer if you are in to the game, and there is a lot of consistency between titles with good matchmaking. As far as I can tell each game has to roll their own for PSN.

Re:And everyone was saying hacking their ps3 was o

[Chyeld]

Or we are seeing what happens when a company become so arrogant that they don't bother actually locking down this info despite the fact that it would be inevitable that someone would come along and find a backdoor.

Seriously, a 'hacked PS3' being able to do this is pretty much the definition of "Security Design Failure".

Re:why put up with this? Get a Gaming PC

[interkin3tic]

Spend hundreds of dollars at least to get a gaming PC, ignore the sunken cost of their PS3s, all to play portal 2 a few days sooner?

I've said it before and I'll say it again: PC fanboys really are the worst.

Disclaimer: I am a PC gamer, and do not have a PS3.

Cultural effect?

[vlm]

Lets look at two problems with a Japanese company. PSN down and TEPCO's reactor. Both had similar reactions.

Silence, followed by small admissions, followed by admissions its much worse that it appears, followed by more silence, followed by admissions that some members of the public may have been harmed, repeat. No timetables, no estimates.

Is this possibly a Japanese cultural thing?

If Woody had gone straight to the police...

[tekrat]

If Sony had never removed "other OS" feature, they would never have encountered the focused rage of the entire enthusiast community.

Now, it's possible that the Playstation Network, and possibly the entire PS3 platform, is finished.

You reap what you sow, Sony....

Re:Take note

[cbhacking]

*passwords* (haven't they heard of a f'ing hash!)

This is the company that used a constant instead of a random value to feed a critical encryption algorithm in their flagship product. You really think they understand password security? Even if they hashed the passwords, what do you figure the odds are that they salted, much less peppered, them? Apply rainbow tables and go home happy, since i can't imagine many of the users would have bothered with a particularly secure password.

Evils of DRM

[tekrat]

Yeah, can't you wait until your Blu-Ray player stops working too, every time you want to watch a movie? This is why you can't have "server" verification. Because there's no guarantee the server will be there.

Tell your friend to return the game. It's broken. Get his money back. It's designed to fail.

Re:I am not a security expert

[tao]

They almost certainly had that info on separate systems. Why else the "Billing address, password questions, and credit card info may also have been taken." disclaimer. If the information had been on the same system they would have been sure. However rather than assume that the information is safe just because it was on a separate server, they're saying that "at the moment we don't know. Please be vigilant until we can give a definite answer".

Re:There's some karma for you, Mikey

[Bobfrankly1]

Bottom line: This can CERTAINLY happen to XBOX Live (or any system hosted on a public network). The fact that it's taking so long to correct is a little disconcerting, but I'd rather they fully correct it then bring a vulnerable system back online.

I'd be surprised if (evil) Microsoft didn't have a much more elaborate and robust system for countering "external intrusions". I'd chalk up their unwillingness to tie into many outside networks (Steam for one) as proof of their caution. With as much money as Live makes for them, they'd be foolish not to protect their cash cow.
(eviler) Sony, on the otherhand, has shown the opposite. With the rootkit on audio CDs, and now this. As well, Sony LOSES money [push-start.co.uk] on the playstation network. Their focus is likely on how to make it profitable, not secure.
If you'd rather trust your personal data (including credit/debit card) to the company with a record of security failure, have at it.

Re:There's some karma for you, Mikey

[Bobfrankly1]

Even if Sony offered a pay service, the same would have likely happened. I don't see the validity in your complaint.

Yet, if the same thing happened with XBOX live, Microsoft would have communicated the outage, and an expected uptime. If the downtime was significant, Microsoft would have comped paying subscribers with a free xbox live game. The risk of alienating paying subscribers is a motivating force for communication and haste.

Sony doesn't have this motivation, and what little they've communicated so far comes across as "It'll be done when it's done, and not before. Now leave us alone so we can get this done".

Re:Cultural effect?

[manaway]

Lets look at every problem with any company. (E.g. BP Oil spill, Three Mile Island, TEPCO's reactor, Sony's rootkit, Exxon Valdez, Apple's antenna, Microsoft's uhhh everything, various company's spinach, peanuts, milk, salmonella in meat, etc.) They all have similar reactions.

Silence, followed by small admissions, followed by admissions it's much worse that it appears, followed by more silence, followed by admissions that some members of the public may have been harmed, repeat. No timetables, no estimates.

Is this possibly a corporate thing?

Answer: yes

Re:There's some karma for you, Mikey

[mug funky]

face-saving talk...

if they say "may have been", they mean "definitely has been".

if they say "working around the clock to fix it", they mean "shitting in our pants and yelling at our techies but not authorizing overtime for them".

the mere mention of CC details, and the advice to avoid scammers is basically confirmation.

they're using the same language that TEPCO has been using the last month (not just Japanese).

Re:Cultural effect?

[doctor_no]

Sorry, but this is plain racist.

We've had industrial accidents in West as well, as systems that have been hacked into. BP is the most recent example, and Union Carbine's Bhopal disaster is another (which killed 3,700 people and inured close to half a million). Cover ups, slow-response, not very unique to one country or company.

None of it is "cultural thing". In fact, Sony isn't very Japanese these days, its run by a British-born American, and Western executives pull a lot of sway, especially in the music division, movie studios and Playstation division where a lot of its is centered in the US. Their phone division is split with Ericsson, their music division with Germany's BMG.