Sony PlayStation (Games) Security

PSN Up, And Then Down Again 282

Posted by CmdrTaco
from the go-go-magic-yo-yo dept.
RdeCourtney writes "The PlayStation Network is down again. Sony had originally enabled passwords to be reset onscreen simply by entering an email address and date of birth. Whoever has the data from Sony, could, in theory, then reset any of the captured users accounts simply by entering the details they stole."
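The reset flow the submission describes is knowledge-based: the "secret" that authorises a password change (email address plus date of birth) is exactly the data that was exfiltrated, so anyone holding a stolen record can take over the account. The usual fix is to send a random, single-use, short-lived token to the address already on file, so that possession of the leaked record is not enough; the attacker also needs the victim's mailbox. The following is an added example in Python, not Sony's code or anything from the original page; the account record, the in-memory store, the stolen-record sample and the outbox that stands in for mail delivery are all constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed stand-in for one leaked account record (assumption: the dump
# carried at least the email address and date of birth, as the story says).
STOLEN_RECORD = {"email": "player@example.com", "dob": "1985-03-14"}

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


class AccountStore:
    """Minimal in-memory account database for the demo."""

    def __init__(self):
        self.accounts = {
            "player@example.com": {"dob": "1985-03-14", "password": "old-secret"},
        }
        # sha256(token) -> (email, expiry). Only the hash is stored, so a
        # second dump of this table does not hand out live reset tokens.
        self.reset_tokens = {}
        # email -> [tokens]; stands in for real mail delivery. Only someone
        # who can read that mailbox ever sees the token.
        self.outbox = {}


def reset_with_stolen_data(store, email, dob, new_password):
    """The flawed reset as described: knowing email + DOB is enough.

    Anyone holding a leaked record passes this check, so it provides no
    protection at all after the breach.
    """
    acct = store.accounts.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    acct["password"] = new_password
    return True


def request_reset(store, email, now=None):
    """Token-based reset, step 1: mint a token and send it to the address on file.

    The caller never supplies the destination; it comes from the account
    record. Unknown addresses get the same (silent) response as known ones so
    the endpoint cannot be used to enumerate accounts.
    """
    now = time.time() if now is None else now
    if email not in store.accounts:
        return
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    digest = hashlib.sha256(token.encode()).hexdigest()
    store.reset_tokens[digest] = (email, now + TOKEN_TTL)
    store.outbox.setdefault(email, []).append(token)


def redeem_reset(store, token, new_password, now=None):
    """Token-based reset, step 2: the token is single-use and expires.

    The entry is removed on first presentation whether or not it is still
    valid, so a token can never be replayed.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.reset_tokens.pop(digest, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    store.accounts[email]["password"] = new_password
    return True


if __name__ == "__main__":
    store = AccountStore()
    # Attacker with the leaked record succeeds against the knowledge-based reset.
    print("stolen-data reset:", reset_with_stolen_data(store, **STOLEN_RECORD, new_password="pwned"))
    # Against the token flow the same attacker has nothing to present.
    store = AccountStore()
    request_reset(store, STOLEN_RECORD["email"])
    print("guessed token:", redeem_reset(store, "not-the-token", "pwned"))
    token = store.outbox[STOLEN_RECORD["email"]][0]  # only the mailbox owner has this
    print("real token:", redeem_reset(store, token, "new-secret"))
    print("replayed token:", redeem_reset(store, token, "again"))
```

The token flow only moves the trust anchor to the mailbox; as several posters below point out, it collapses again for users who reused their PSN password on their email account, which is why the reset mail should tell them to change that password too, and why a second factor such as the console the account was last used from is worth requiring where it is available. Tokens should also be invalidated whenever the password changes by any other route, and a real implementation would rate-limit both endpoints.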
  • by elrous0 (869638) * on Wednesday May 18, 2011 @11:30AM (#36166554)

    I've never been a particularly big fan of Sony, mind you. But even I am shocked by the level of security incompetence they've shown over this whole thing. This is a major corporation, for fuck's sake! Do they even *have* a full-time security staff in their online division? Their press releases make it sound like they only stumbled on the whole PSN hack by accident and had to run out and contract for a bunch of security people. Surely to god they had SOMEONE monitoring security, right?

    As one of the affected users, I'm just glad I never gave them my credit card number (fortunately, I never bought anything on PSN). Now, I wouldn't give them a credit card number on a *dare*. Hell, I won't even give them my real *name* ever again. No online system is secure, but theirs looks like a complete joke.

    Meanwhile, you have the CEO of the company dismissing this whole thing as a "hiccup," [bloomberg.com] which pretty aptly demonstrates just how seriously Sony apparently takes its security. No way I want my CC number or private info involved in their next "hiccup."

    • Re: (Score:2, Insightful)

      by Moryath (553296)

      Be careful.

      Last time I pointed out how bad this was, a bunch of Sony Fanbois downmodded me.

      They seem to spend far more money on faked astroturf ad campaigns than they do on security, anyways. Remember the PSP incidents [dvorak.org]?

      The Sony Fanbois today are pretty much a standing example of FanDumb [tvtropes.org]... not surprising since anyone with any sense jumped ship from Sony a long while ago.

      • Re: (Score:2, Insightful)

        by elrous0 (869638) *

        It would take a pretty damned die-hard fanboy to be defending them at this point. About the best anyone can say is "Well, at least we got some free games out of it." Hell, everyone should get a free copy of L.A. Noire at this point, instead of just some old games. I think we're beyond the "Sorry about that, here's a free coupon" stage of fuckup.

      • by SimonTheSoundMan (1012395) on Wednesday May 18, 2011 @12:18PM (#36167286) Homepage

        You're supposed to say "I'm going to get modded to oblivion for this". You'll end up getting +5.

        I think I'll get modded to oblivion for this reply now.

      • by bonch (38532) * on Wednesday May 18, 2011 @12:35PM (#36167508)

        Speaking of dumb, PSN isn't down. This story's headline is completely inaccurate. What's been taken down is several website login pages that use PSN accounts, such as Qrocity.com.

        All that ranting about "fanbois," and you didn't even have all the facts. You said that last time you pointed out how bad things were, you were modded down, but your last post was actually a false claim that PS3 users weren't able to play their games during the PSN outage [slashdot.org], and others corrected you.

        • Re: (Score:2, Insightful)

          by Moryath (553296)

          Oh do shut up.

          PS3 users weren't able to play any game requiring an online component. When the vast majority of them are PO'ed because they haven't been able to get on the various Call of Duty servers, that's no small problem.

        • by cpu6502 (1960974) on Wednesday May 18, 2011 @02:43PM (#36169210)

          I boycotted Sony (or more correctly: PS3) when I found out they removed the ability to play my old PS1/2 games on the new unit. All incentive to upgrade disappeared.

          Then there was the whole "We installed software from your CD to your computer w/o telling you" bullshit. As far as I am concerned, that act should have been a jailable offense. The United States DOJ and European Commission should find the upper-level managers responsible for making that decision, prosecute them under US and EU Law for hacking, and then throw away the key.

      • Be careful. Last time I pointed out how bad this was, a bunch of Sony Fanbois downmodded me.

        Fanboys will find you no matter what. If all other fanboys fail to get you, there's going to be a PC fanboy who mods you down for discussing console gaming.

      • You're trolling really hard right now, how can you expect to not be modded down?

        There's even a classification for it.

      • Re: (Score:2, Insightful)

        by overlordofmu (1422163)
        Jumped ship to what? Not the Wii.

        What is the other option, as the Wii is not a current generation system?

        The choices are PS3, PC Gaming or an Xbox2? Let me rephrase that. The choices are Sony, Microsoft or Microsoft.

        I pick Sony. You pick Microsoft. Both companies do some evil shit. We are both sleeping with the devil.

        Possibility: Neither of us is gaming with a moral company with top notch security practices.

        Do you agree with that possibility?
    • by stanlyb (1839382)
      It is simple: they simply don't have the competent (and found guilty) SF sysadmin who actually did his job, no matter the consequences... As simple as that.
    • by h4rr4r (612664) on Wednesday May 18, 2011 @11:48AM (#36166810)

      But even I am shocked by the level of security incompetence they've shown over this whole thing. This is a major corporation, for fuck's sake!

      The reason they are like this is because they are a major corporation. Anything smaller could not survive such a fiasco. Security costs money, it is the first thing out the window in a major corporation.

      • by cobrausn (1915176) on Wednesday May 18, 2011 @12:19PM (#36167294)

        The reason they are like this is because they are a major corporation. Anything smaller could not survive such a fiasco. Security costs money, it is the first thing out the window in a major corporation.

        This logic fails to pass the smell test. Amazon is a major corporation, and they have proven to be quite secure. And if security costs money, why do only small companies (who don't have the capital to spare) have security? Surely they would try to save some money here and there and possibly consider cutting security measures.

        Big corporations can be guilty of many things, but this seems more like anti-corporate ranting than an 'Insightful' analysis of the situation.

        • by h4rr4r (612664)

          Stop applying logic to the actions of business school product.

          Amazon is online only, they have to do this. Good security is not capital intensive, it is within the reach of many small companies. Good design is step one, staying current with updates is step 2. Sony failed at step 1. Credit card data should never have been available to the PSN in anyway. It should come in via some other method and be only usable by the payment processing service that the games network has only one way communication with. Then

        • Amazon came of age in the internet era. Sony is a has been from the past era of 'we own you and do what we want'.
          • by cobrausn (1915176)

            Amazon came of age in the internet era. Sony is a has been from the past era of 'we own you and do what we want'.

            So less because they are a 'Big' corporation and more because they are an 'Old' corporation? I tend to think it's just more because they are, apparently, an 'Inept' corporation.

      • by tlhIngan (30335)

        Funny thing is, I think Sony really did manage to get away without a real security division. And Nintendo's probably next.

        Microsoft, being Microsoft, would probably be attacked so often there's an alarm that goes off when the number of detected attacks falls. After all, every script kiddie and hacker wants to go after Microsoft and its insecure software. So they're probably spending tons of time and money on security - things like defense in depth (firewalls, machines that can only access data it needs, etc

        • by Rydia (556444)

          That would be an interesting move, to try to crack Nintendo's network, seeing as Nintendo ... doesn't have a network. Or store CC info. Or really any personal info in general.

        • by DarkOx (621550)

          Nintendo is probably ok because by all indications they don't store CC numbers. You have to enter it every time you want to buy WiiPoints.

          The other thing Nintendo has going for them is they don't ask for your name, except when you use a CC, which makes me think that again they are not keeping the data. It seems like most of the time as far as Nintendo is concerned you are WiiNumber and nothing more. I could be wrong, they could be keeping CC information attached to all that transaction data; but the bi

          Hard to say on Nintendo, they have very little to offer hackers, as you mentioned they probably don't keep much of that information. They also haven't intentionally stuck their junk into a hornets' nest by directly attacking the individual hackers and fighting with lawsuits; they took down the homebrew channel, they attempt to secure their systems, but generally when the security is bypassed they shrug their shoulders and say ok it's broken oh well, rather than waging a full on war against majorly ticked off
    • Meanwhile, you have the CEO of the company dismissing this whole thing as a "hiccup," [bloomberg.com] which pretty aptly demonstrates just how seriously Sony apparently takes its security. No way I want my CC number or private info involved in their next "hiccup."

      And also saying he can't promise you security after this attack [smh.com.au]. "It's the beginning, unfortunately, or the shape of things to come. It's not a brave new world — it's a bad new world" is what he said exactly. So is he preparing us for an endless number of "hiccups"?

      • To be fair, though, if he promised no more security breaches everyone would laugh since every system is vulnerable at some point. He really can't win no matter what he says.

        • by h4rr4r (612664)

          He could have promised that if it happens again they might offer games that are not either cheap crap or so old anyone who wanted them already has them.

      • by h4rr4r (612664)

        This is pathetic, playing it off like they're not at fault. Sure you got hacked, but this is like having a bank that stores the money out back in a dumpster and then blaming the thieves for your inability to secure deposits. At least try you assholes.

      • by Machtyn (759119)
        Perhaps he is referring to the state of computer and social security (not the gov't savings plan). It is entirely possible that XBox Live or the Nintendo network could be hit in the same way. Perhaps maybe not XBox, because Microsoft has had to deal with this type of thing for a very long time. Getting attacked, for them, is SOP on a daily basis.

        In any case, any sufficiently motivated person will eventually find the weak link in the system and exploit it. The trick is to minimize the depth of any part
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Here is the video I think that everyone is thinking right now:

      http://www.youtube.com/watch?v=wjLgekyOZA0#t=0m58s

    • by bonch (38532) * on Wednesday May 18, 2011 @12:23PM (#36167356)

      Speaking of police work, Slashdot editors should try actually verifying their stories. PSN isn't down. It's up right now I type this. Apparently, what's down is the email reset page.

      As for your credit card number, there is no evidence credit card data was obtained in the PSN breach. Credit card companies would have noticed an increase in fraud and alerted their customers. The alarmism on forums is ridiculous, and most of it is driven from Sony hatred rather than facts. This is the website on which a commenter to a story on the Japan earthquake delaying the Sony NGP [slashdot.org] justified the lethal disaster by saying, "Anything that hurts Sony is good for the consumer." [slashdot.org] It got +3 Funny.

  • by digitaldc (879047) * on Wednesday May 18, 2011 @11:34AM (#36166600)
    Did Sony's security team even THINK about testing and verifying that what they were doing was indeed secure when they brought the system back up again?

    Sounds like the corporate culture over at Sony is horrible. First the DRM scandal, then the PSN hack and now this.
    • Apparently not. Surely it makes more sense to send out e-mails to each user with account-specific tokens in order to reactivate the accounts? It's not perfect, but provides a bit more security. There are probably other suitable ways, so if you know of any let me know.

      • by digitaldc (879047) *
        The other suitable way is to visit each PSN network member personally in their homes and verify through a series of extremely intrusive questions, birth-certificate verification, and DNA tests that they indeed are who they say they are.
      • It'd make sense. Sucks for the guy who signed up for PSN with my e-mail address instead of his, but I tried twice to get Sony to fix it and they didn't care.
      • by Machtyn (759119)
        I am curious. This would likely work except that users are probably using the same password for their email accounts. What is the likelihood that the attackers have setup a script to analyze email address/password combinations for any hits? (High, I would say.)
    • The most likely scenario involves the sales side seeing their stream of Yen dry up and demanding the restoration of service from their engineering group. Rinse, repeat hourly since the geeks pulled the plug with an ever increasingly rabid sales department demanding their blood.
  • Its just sony (Score:5, Interesting)

    by unity100 (970058) on Wednesday May 18, 2011 @11:34AM (#36166604) Homepage Journal
    they are the company who shut down japanese swg servers suddenly one morning to the face of at least 4000 players without warning. they decided the servers were not profitable, and they decided to shut them off to their customers' faces without a word. if you played a char for 2-3 years and had memories etc, you couldn't even take a screenshot.

    that is TOTALLY leaving aside how they screwed their customers en large in star wars galaxies, at the cost of screwing up the game. they had the habit of routinely changing skill properties in order to force people to drop entire skill trees and level others so that they would keep paying - spent 2 months of your play time building up a character ? well - come next patch, you had to ditch on average 30% of your character and level another tree to remain viable. as long as you kept paying, it was all ok by soe.

    sony deserves whatever is shoved up their ass.
    • by kazade84 (1078337)

      Someone really needs to consolidate all the bad stuff Sony has done onto one web page. That way next time someone questions my adversity to all things Sony, I can just point at it.

    • by Xelios (822510)
      It's such a shame that SOE owns the Planetside IP. The first 6 months of that game were incredibly fun, one of the best online games I'd ever played. You could log in at any time, jump into a big battle, play for an hour and then log off again. No real grinding, no excessive travel times, no waiting for things to happen, it was great for people who wanted the unique kind of fun an MMO brings without spending ages to get it. Then slowly but surely they ran it into the ground. It should have been a great succ
  • Maybe they can use my SSN, or hmmm my old password, or how many fingers I'm holding up. Sony can't reset my password with data they never had and if the hackers stole all the data Sony had on me; Sony doesn't have much recourse than to use that data. The question now is balancing the pain of the process with the security of the process.
    • In addition to the email suggestions above, shouldn't they be able to use some sort of hardware ID? I don't think PSN accounts are tied to your machine, but they should have records of which machines you have used with PSN recently. Just require that you reactivate your account from a machine which you regularly used prior to the intrusion. If they can't even verify that, then what good is their DRM at all?

    • I'm about 99% certain that Sony required you to reactivate your account from the PS3 it was activated on.

      This is an absolute non-issue /multiple PS3 owner

  • Hackers stole everything Sony knows about their users, so it's no surprise that re-verifying accounts is going to be a painful process.
    • by sycorob (180615)

      Couldn't they have used the email address on the account to send a security token, something like that?

      "An email has been sent to ********@yahoo.com with your confirmation code. Please check your email and enter this code to continue."

      Overall, wow - using the stolen information to re-register your account? Why bother making people change their password then? Heaping spoonful of FAIL.

      • by h4rr4r (612664)

        No, because for 90% of those users the PSN password and the email password are going to be the same.

        The only solution is new accounts and import trophies from the old one, but not anything sensitive.

        • by xaxa (988988)

          "An email has been sent to ********@yahoo.com with your confirmation code. Please check your email and enter this code to continue."

          "Important: if you use the same password for the Playstation Network and your email address, change your email password immediately."

          Problem solved? Making a new PSN account doesn't stop the crackers accessing email accounts -- they have those details.

        • by nschubach (922175)

          Eh... if you try to log in, they can send the email at that time. Anyone trying to hack all the accounts would be hard pressed to log in to that many accounts to activate and reset the passwords for any moment in the day. Now, if they sent out the activation codes in batches and let the users log in at any time, sure... I can see where that may be a bad idea, but having the activation code sent at the time of initial attempt would not be as exploitable.

          Now, a smart user would not use the same password for

        • by msauve (701917)
          Whoosh.

          Sending an email ensures that the unique info necessary to re-register gets to the correct person (unless their email account has _already_ been hacked, which they should already know about and have taken care of). And of course, anyone who was on the PSN and hasn't already changed their other passwords (assuming they reused their PSN one) is a fool.
          • by h4rr4r (612664)

            Most customers cannot be trusted to do that. Nor should they be. The level of complacency you are advocating is what got Sony into this mess to begin with.

  • Duh. (Score:3, Insightful)

    by jdkramar (803337) on Wednesday May 18, 2011 @11:43AM (#36166742)
    One way to verify who you are is to either require you reset your password from the console you last connected to the PSN with or just send an email to the email address they have stored... Because, theoretically neither of those items are accessible to the hackers.
  • That is the whole point isn't it? The bad guys stole all the info Sony knew about you so there is no reasonable way of Sony differentiating the correct user 'X' from the bad guys. What are you people really expecting? magic security fairy dust?

    Its the same as people complaining about the lack of encryption on Apple's iPhone location cache, come on now, the phone needs to read and write that data, guess what that means? Even if it were encrypted the keys would need to be on the device too and the 'attack

    • by LanMan04 (790429)

      The bad guys stole all the info Sony knew about you so there is no reasonable way of Sony differentiating the correct user 'X' from the bad guys.

      Send me a letter (yes, snail-mail) that contains a one-time-use code that I can use to reset my password online. If you have my credit card info, you have my billing address...

      Problem solved. But oh wait, that costs MONEY to do!

      • by nschubach (922175)

        But if you put in your postal address into the PSN then the person will know where to steal your activation code!

        Any system can be explained away. Snail mail theft is a bit extreme, but so is sending everyone a snail mail code to re-activate. An email validation code should be good enough and if you're dumb enough to use the same password for PSN as your email and you haven't changed it yet, you deserve the long boring hold time while trying to get your password reset over the phone.

    • by Tridus (79566)

      They could start by sending the token that lets me change my password to my email account instead of simply throwing it up to whoever happens to hit the website with the data that was already stolen. They don't even need my old password to do this FFS.

      Bothering to have people change their passwords at all with security that weak is just theatre.

  • After all the publicity, the best they come up with is to use a system that still lets you use your old credentials to get new ones? What exactly were they doing when they pulled the system down to fix the hack? If hackers really took everything Sony knows about its users, validating users accounts is going to be tough ... but will it be impossible?

    Julie
  • by tekrat (242117) on Wednesday May 18, 2011 @11:49AM (#36166828) Homepage Journal

    It seems to me that the 13-yr olds that run FARK have a far better security system in place than Sony does. Their people have no plan, no concept, no big picture at all, of what to do.

    They are grasping at straws, throwing stuff at the wall to see what sticks, or whatever tired car analogy you wish to entertain. Point is: I think it's time they gave up and went home.

    If they are lucky, they will shut down for 8 months and rebuild from scratch. If they are stupid (most likely scenario), they will continue to prop up a house of cards with a few pieces of sticky tape, and it will come down again and again, until no one is left and they've wasted a great deal of money only to arrive at the conclusion that they should have done the rebuild from scratch in the first place.

    Of course by then, management will look at the numbers and get out of the game business entirely, leaving MS and Nintendo.

    • by Anrego (830717) *

      If they are lucky, they will shut down for 8 months and rebuild from scratch.

      This is what they need to do, but no way will the horde of angry gamers wait that long (and really you can't blame them).

      As you said, nothing they can do in a few weeks is going to amount to anything more than duct tape and positive thought. Their system is obviously broken at a fundamental infrastructure level. The foundation of the house is crumbling and they are working feverishly to tilt the windows so no one notices.

      The only thing I can think of is for them to strip out credit processing. Require pe

  • by wbav (223901) <Guardian.Bob+Slashdot@gmail.com> on Wednesday May 18, 2011 @11:49AM (#36166836) Homepage Journal
    But I've heard reports that the e-mail reset page is down.

    The e-mail included a key to keep this from happening, but someone must have broken that key generation scheme.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Pretty much this. The key generation scheme was cracked so people were getting confirmation emails to change their passwords and then getting mails notifying them that the password was changed successfully. These were on non-compromised emails.

  • by RogueyWon (735973) * on Wednesday May 18, 2011 @11:49AM (#36166844) Journal

    At the time I type this, the PSN is actually up and running. Or at least, its online gaming components are. The Store and other features that require payments are still offline, as they have been since the initial shutdown several weeks ago. But you can, should you feel so inclined, log in and play games online at present. Whether this may change over the next few hours is open to question - while it wouldn't completely surprise me, I suspect that Sony will try to keep the network itself up this time.

    What's just been taken offline is web-interface for changing passwords. Now, that's still pretty bad - in fact, given how stupid the mistake in this case is, it's verging on the awful - but I dare say that a lot of PSN users may not actually notice until Sony tells them. Furthermore, just to add a little perspective, stupid though Sony's mistake here is (and it is very stupid indeed and then some), no additional personal information or credit card details beyond what has already been leaked will have been compromised as a result of this - not least because you can't, so far as I know, actually input new credit card details into the PSN yet.

    So it's a further embarrassment for Sony and will further undermine confidence in them (do you really, really want to trust them with your credit card details ever again?). But unless I'm reading things wrong - and if I am then happy to be corrected - there's not been any actual additional harm done to users this time.

    • by Verunks (1000826)
      yeah as usual slashdot editors don't check what they post
    • there's not been any actual additional harm done to users this time

      You say that all that's lost is the ability to change one's password.

      Didn't Sony's user database just get stolen? Wouldn't people thus want to change their password, so attackers can't vandalize their game info/account?

      I honestly don't know how PSN works, so maybe I'm missing a piece of the puzzle, but that's the first thing that occurs to me.

  • by not already in use (972294) on Wednesday May 18, 2011 @11:52AM (#36166874)
    I'm sorry for all those who I've inconvenienced. This time it was my fault. I created a new username for security purposes. Apparently, PSN didn't take too kindly to the username "; drop table Users; --"
    • Bobby Tables; you're such an asshole
    • by TheCarp (96830)

      rotfl

      Brings back memories of the time I was hunting down a bug in the password change CGI for our old mail system at a previous job.... and found several instances of things like `grep $username /path/to/file` in the code (originally written for PERL4)

      I went from debugging 1 bad error code, to re-writing the whole thing (and making snide remarks about the original author) as soon as I saw that.

      -Steve

    • by amaupin (721551)
      As buggy as the latest incarnation of Slashdot is, I'm surprised your comment didn't take it down as well.
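The two bugs in this subthread, the `'; drop table Users; --` username and the `grep $username` backtick, are the same mistake in two interpreters: untrusted text is spliced into a string that a parser (SQL engine or /bin/sh) then reads as syntax. The cure is the same in both cases, too: hand the data to the interpreter out of band, as a bound parameter or an argv element, so it can never be read as code. The following is an added example in Python, not code from the page or from any of the posters; the users table, the file contents and the payloads are constructed for the demo.

```python
import os
import sqlite3
import subprocess
import tempfile


# --- SQL: the "Bobby Tables" class of bug -----------------------------------

def make_db():
    """Constructed in-memory table. Plaintext passwords only to keep the demo short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    con.commit()
    return con


def login_vulnerable(con, name, password):
    """Input spliced into the SQL text, so the input can rewrite the WHERE clause."""
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return con.execute(sql).fetchone()[0] > 0


def login_safe(con, name, password):
    """Placeholders: the driver passes the values separately from the SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone()[0] > 0


# --- Shell: the backtick-grep bug -------------------------------------------

def grep_vulnerable(pattern, path):
    """Equivalent of Perl's `grep $pattern $path`: the whole string goes through /bin/sh."""
    r = subprocess.run(f"grep {pattern} {path}", shell=True,
                       capture_output=True, text=True)
    return r.stdout


def grep_safe(pattern, path):
    """argv list, no shell. '--' stops a pattern starting with '-' being read as an option."""
    r = subprocess.run(["grep", "--", pattern, path],
                       capture_output=True, text=True)
    return r.stdout


def shell_demo():
    """Run both greps against a constructed file and return what each printed."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write("alice:1000\nbob:1001\n")
    # Terminates the grep command, runs a second command, comments out the path.
    payload = "alice /dev/null; echo INJECTED #"
    try:
        return {
            "vuln_honest": grep_vulnerable("alice", path),
            "vuln_payload": grep_vulnerable(payload, path),
            "safe_honest": grep_safe("alice", path),
            "safe_payload": grep_safe(payload, path),  # literal pattern, no match
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    con = make_db()
    bypass = "x' OR '1'='1"
    print("vulnerable login with bypass string:", login_vulnerable(con, "alice", bypass))
    print("safe login with bypass string:     ", login_safe(con, "alice", bypass))
    for k, v in shell_demo().items():
        print(f"{k:13}: {v!r}")
```

Python's sqlite3 `execute()` refuses more than one statement per call, which is why the SQL half uses the `' OR '1'='1` bypass rather than a stacked `DROP TABLE`; in drivers that accept stacked queries the original Bobby Tables string does exactly what the joke says. Note that with `shell=True` even a pattern containing only spaces changes what grep is asked to do, so quoting the argument is not a fix; only removing the shell from the path is.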
  • by Paul Pierce (739303) on Wednesday May 18, 2011 @11:52AM (#36166884) Homepage
    Give Microsoft credit - xbox live is setup/run extremely well. They had to compete with xbconnect, Xlink Kai, and other freebies back in the day; they stepped up and created a better alternative. Everyone was willing to pay for a service - as long as it was worth it. It was and still is.

    The revenue has allowed them to build a better network and keep it up. I'm not claiming they too couldn't be hacked, just highly doubt it would be to this level.
    • by Nemyst (1383049)

      Microsoft is a software company.

      Sony is a hardware company.

      One gets catastrophic failure rates on hardware, the other gets dismal software security. Anybody surprised?

      • Please mod up, because that is exactly a concise summary.

        Interestingly enough, Apple is both a hardware and software company.

      • by DeadCatX2 (950953)

        A-ha! Sony and MS should get together on a merger and then they could solve each other's problems. And you know the FCC would approve it too!

  • by haapi (16700) on Wednesday May 18, 2011 @11:53AM (#36166894)

    ... it's not just for a day.
    -- B. D.

  • PSN up, up again, then down, down. Then Left, right, left, right, B, A, start.

  • If they have an email address, they can mail a password reset to it, but simply allowing users to enter it as if it were a password is a bit much.

    Of course, the problem is that if they have an email address and a password for their own system, for a large number of accounts, that password will be the password for the email system as well.

  • Anyone can make an omelet with eggs. The trick is to make one with none. Sony has learned this trick.
    I've heard that shame is a powerful motivator in the East.
    Apparently Sony has no shame.

    • are you quoting the bottom of the page, or did some /. admin read your post, and put your quote on the bottom?

      'cuz that'd be awesome.

  • and the shocking bad security for their actual paying Customers. Tells me all I need to know about who they are worried about taking care of. I will never buy a sony product again.
  • In the context where hackers/criminals have access to all the information Sony knows about its clients, there is no information that Sony can use to validate the identity of its clients. I wonder how this comes as a surprise now.

    The only safe way to check is through physical verification. For example, through PS or other registered device serial numbers. If you log in with the PS3 that has the same serial number as the one that was used to create the account (assuming they have that info), you can relative

When in doubt, mumble; when in trouble, delegate; when in charge, ponder. -- James H. Boren
