So this PSN/Sony Hacker Drama...

mrd
Posts: 4289
Joined: Sat Mar 25, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by mrd »

A third attack planned: http://news.cnet.com/friday-poll-hacker ... 444-1.html
The next blow, should it happen, could prove to be one of the worst public relations disasters to ever strike a consumer electronics company. Hackers say they have access to some of Sony's servers and plan to publicize all or some of the information they can copy from those servers. This may include consumers' credit card details. (A source tells CNET that this group of hackers claims to have access to Sony's servers, which are different from the servers already hacked to expose more than 77 million user accounts.)

Such private information would undoubtedly travel quickly around the world through torrents and download sites. Sadly, the vessel for this material would most likely be a simple text file, perhaps only 10MB-20MB in size. That may not sound like a large file, but in terms of pure text, it's a bible's worth of names and numbers. Countless credit/debit cards would have to be replaced, and identities would have to be protected (for free, courtesy of Sony). Trust would be lost, perhaps never to be gained again.
Transient
Posts: 11357
Joined: Fri Feb 09, 2001 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Transient »

That's just peachy. :disgust:
[quote="YourGrandpa"]I'm satisfied with voicing my opinion and moving on.[/quote]
Tsakali
Posts: 7175
Joined: Thu Mar 02, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Tsakali »

ouch. being that i don't know shit about high level security and hacking, not sure how much of this was their own fault, and not sure that if someone with the right know-how targets you if there is really anything realistic you can do to prevent it.
mrd
Posts: 4289
Joined: Sat Mar 25, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by mrd »

I'm honestly surprised that Sony didn't take their entire company's network off the internet when they discovered the first breach. Obviously this is a huge step to take but when your entire global reputation is on the line, huge steps have to be taken. I think it was pretty naive of them to think that if their PSN got fucked over that something else was not in the pipe or already in the process of happening. The timing of all these events together is problematic for Sony, what with Anonymous claiming to have their own on-going operation in the midst of all this other hacking and distribution of their data.

It's the same old story, and you hit it on the head Tsakali, if there is a will, there is a way. The problem with network security is that breaches of this scale are so uncommon that they are essentially a black swan. Network ops get complacent because they just see the same bullshit all day, every day in the logs. From their perspective, a well planned attack is virtually impossible to predict or prepare for and indeed, a well planned attack would get through anyway, as this one did. I think as this progresses people are going to start realizing that nothing is sacred and nothing is safe, because it isn't. I personally don't have much pity for any of the people who lost their shit nor do I have pity for Sony. Be more diligent with who you give your fucking personal information to, especially when it's a multi-billion dollar corporation who likes to do shit like store all data collected from every user, ever, in a large server farm.

This could get interesting in the next few days...
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Re: So this PSN/Sony Hacker Drama...

Post by Foo »

mrd wrote:I'm honestly surprised that Sony didn't take their entire company's network off the internet when they discovered the first breach.
That just wouldn't happen. Corporations are big beasts and there's no way there's a single IT faction responsible for the entire infrastructure. They're separate business units and lots of isolated silos. If your website gets hacked you don't shut down your company's internal domain controllers, but that's essentially the kind of thinking you'd need to take a company with multiple online presences 'off the grid'. There'd be no logic in doing that.
mrd wrote:Obviously this is a huge step to take but when your entire global reputation is on the line, huge steps have to be taken.
I think they did take a huge step. Downing the entire PSN is a huge step.
mrd wrote:I think it was pretty naive of them to think that if their PSN got fucked over that something else was not in the pipe or already in the process of happening.
Absolutely. Though this is a classic IT problem - You run day-to-day with a particular number of operatives, and as soon as a big problem hits, you divert many of them into fixing that problem. If a second problem comes your way at that same time, most of your operatives are distracted with the first problem. Sony did the only logical thing which was engaging with an outside specialist to bulk up the number of operatives they had. The problem with this of course is that outside parties aren't intimate with your systems. You still have to take some people away from the front line and divert them to the issue. So you still weaken your overall IT operations ability whenever you're responding to a crisis.
mrd wrote:The problem with network security is that breaches of this scale are so uncommon that they are essentially a black swan.
I disagree. They're certainly a big scary unknown to your day-to-day sysadmin (myself included), but there are security specialists that deal with this kind of thing every day in other fields such as banking and stocks, and there's a big body of knowledge building up around the subject that has been accumulating for decades. Of course, this knowledge tends to be concentrated around a few specialist consulting outfits, but I don't think it's reasonable to say that this kind of attack is a 'black swan'.
mrd wrote:Network ops get complacent because they just see the same bullshit all day, every day in the logs. From their perspective, a well planned attack is virtually impossible to predict or prepare for and indeed, a well planned attack would get through anyway, as this one did.
True. Or more accurately, it's very rare that management dedicates sufficient man hours to what is perceived as a low-likelihood risk, especially if your business isn't one of the classic targets (banking, politics). The answer to this is adopting and applying appropriate strategies and principles, such as Defense in depth. Of course, if you're a network admin in a team of 5 that would need a team of 10 to have the time just to implement those things, stuff just isn't going to get done.

Ultimately I think the Sony breaches are a direct consequence of this - Sony had x number of IT staff and those staff implemented these systems, but didn't choose to spend or weren't permitted to spend sufficient time implementing security into those systems. Or they didn't have sufficient knowledge/training to know that they should even be doing it. Stuff like hashing and salting passwords stored in a database are fundamental web programming basics, but personally I've seen it demonstrated time and time again that many (perfectly intelligent and otherwise capable) developers simply never got taught this, and other very important concepts.

There are also still wide gulfs of misunderstanding between developers and operations, and there's a necessary symbiotic relationship between them that simply isn't present in most organizations. This results in devs releasing insecure systems and ops implementing them while each side will rely on being able to blame the other. This is the 'not my problem' culture that I reckon probably got Sony into this doo-doo.


Edit: LOL WALL OF TEXT
mrd
Posts: 4289
Joined: Sat Mar 25, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by mrd »

Aye, good points. I guess it's easy for me to say "Sony should have done this and done that" after everything has happened and as a third-party observer. I suppose when you're in the thick of it and your multi-billion dollar company is getting fucked by random dude #742 on the internet, it's a bit unnerving. But... what you said about the not-my-problem culture is essentially what it boils down to. Maybe they should start teaching more network admins to get into network programming and developing their own applications, etc. instead of relying on third party software? Or is that generally what happens at the moment?

ps - I love walls of text
Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

Re: So this PSN/Sony Hacker Drama...

Post by Foo »

mrd wrote:Maybe they should start teaching more network admins to get into network programming and developing their own applications, etc. instead of relying on third party software? Or is that generally what happens at the moment?
Tricky. Each is its own dedicated role nowadays, as each takes someone concentrating at it full-time for years to develop necessary skills and a body of knowledge.

2 things apparently went wrong on a fundamental level over at Sony:

1. Someone breached the network perimeter - Sysadmin issue
2. The data that was obtained during the breach was able to be read - Developer issue

I'm hoping more info becomes available over the next couple of months (I'd love it if there were an HBGary-style email leak as well) as this appears to be a great case study for how to do things wrong.
Eraser
Posts: 19175
Joined: Fri Dec 01, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Eraser »

mrd wrote:Be more diligent with who you give your fucking personal information to, especially when it's a multi-billion dollar corporation who likes to do shit like store all data collected from every user, ever, in a large server farm.
That's a Utopian ideology. These days, you cannot do anything that involves computers without divulging personal information. One could say that you simply shouldn't give up personal info like your name or address, but then you're opting out of so many services the Internet provides that I don't think it's realistic to not give up some portion of your private info.

I'm not talking about putting your whole life on Facebook here, but something as simple as placing an online order with your credit card simply requires you to give up name and address info. And still, even the more diligent people would expect a large company like Sony to have their shit together, right? That may be naive, but compared to "www.bobs-second-hand-cars-and-assault-rifles.com" Sony should be a lot more worthy of that trust.
Eraser
Posts: 19175
Joined: Fri Dec 01, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Eraser »

mrd wrote:Maybe they should start teaching more network admins to get into network programming and developing their own applications, etc. instead of relying on third party software? Or is that generally what happens at the moment?
I don't think that's what's happening and I don't think it should either. You see, if everyone will start developing their software for themselves, each and every one will fall into the same traps. One piece of software that's constantly being reviewed by different people and used on thousands of online services has a lot bigger chance of becoming secure than if you have 100 different applications that power one or two websites. All 100 are most likely to share the same faults.

Of course, software being popular in use also means it's a meaty target for hackers. Hack it, and you've got yourself access to countless sites and services, which may not all be as strict in keeping up with the latest software updates as they should be.
Kenrohan
Posts: 14
Joined: Mon May 09, 2011 4:28 pm

Re: So this PSN/Sony Hacker Drama...

Post by Kenrohan »

The Hacker managed to bring down all of Sony, websites, games everything is down. =(
Transient
Posts: 11357
Joined: Fri Feb 09, 2001 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Transient »

Sony Offering Free ‘AllClear ID Plus’ Identity Theft Protection in the United States through Debix, Inc.
http://blog.us.playstation.com/2011/05/ ... debix-inc/
[quote="YourGrandpa"]I'm satisfied with voicing my opinion and moving on.[/quote]
mrd
Posts: 4289
Joined: Sat Mar 25, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by mrd »

Eraser wrote:
mrd wrote:Be more diligent with who you give your fucking personal information to, especially when it's a multi-billion dollar corporation who likes to do shit like store all data collected from every user, ever, in a large server farm.
That's a Utopian ideology. These days, you cannot do anything that involves computers without divulging personal information. One could say that you simply shouldn't give up personal info like your name or address, but then you're opting out of so many services the Internet provides that I don't think it's realistic to not give up some portion of your private info.

I'm not talking about putting your whole life on Facebook here, but something as simple as placing an online order with your credit card simply requires you to give up name and address info. And still, even the more diligent people would expect a large company like Sony to have their shit together, right? That may be naive, but compared to "www.bobs-second-hand-cars-and-assault-rifles.com" Sony should be a lot more worthy of that trust.
I suppose you're right. I try to give only as much info out as is needed to complete whatever the transaction is. I honestly don't trust anyone, especially not a faceless corporation over the internet. I've actually been thinking I should change my credit card number simply because of all this bullshit that's been going on lately. I would agree that Sony should be more trustworthy than bob's rifles.com but it's really hard to say. Sometimes the little guys are the ones who put more work in where it counts. To draw a comparison, take a look at most Linux distros. They're free, open source and developed by countless folk in their spare time. Many people would argue they are better than Windows in almost every aspect, which is expensive, slow, closed-source and developed by a massive bureaucratic process. Obviously it's not the same situation as X-company getting hacked, I'm just trying to draw a correlation between the little guys and a solid product/work ethic.

RE: You make some valid points about the software but I guess my point was driving toward competent software engineers/network administrators who design custom software that is catered specifically to their network architecture and would not be used in any other situation. Obviously this would mean a lot of redundant code being generated and such but... to me, when the alternative is a compromised system, I would rather go the extra mile and instill something unique. And you've already mentioned why this could be a useful tactic... if 10,000 companies all use XYZ program to do their firewalling or whatever, and all the hackers know it... hack one company, you've hacked 10,000. If most sysadmins were also fluent, competent and driven software engineers, my guess is that it would be a lot harder to hack into them. Pair them up with a good electrical engineer or two and design some custom hardware... it'd be nigh on fucking impossible to breach that sort of arrangement. I guess that is sort of Utopian too, but I don't think it should be.
Κracus
Posts: 5972
Joined: Tue Oct 16, 2007 12:38 am

Re: So this PSN/Sony Hacker Drama...

Post by Κracus »

I hacked PSN. It was fun.
Eraser
Posts: 19175
Joined: Fri Dec 01, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Eraser »

Hacked it with a lead pipe I bet
r0n1n
Posts: 190
Joined: Thu Dec 19, 2002 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by r0n1n »

Looks like PSN is back up. You'll have to change your password once you try and log in though. Hard to believe that was 24 days or so of down time.
o'dium
Posts: 11712
Joined: Sun Mar 25, 2001 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by o'dium »

What's the free stuff games wise? ATM I'm still on the fence about upgrading because I never bothered to stick a USB HDD on it to play backup games anyway, but if there's some half decent free shit (that isn't Resistance) then I may just upgrade for a larf...
brisk
Posts: 3801
Joined: Sun May 07, 2000 7:00 am

Re: So this PSN/Sony Hacker Drama...

Post by brisk »

I'm not upgrading. Showtime is the killer homebrew app everyone wanted for the PS3 and there's no way I'm gonna lose it. Sony should just sign it for them and make it an official downloadable app. Or better yet, give proper MKV support to the actual PS3 video player :up:
MKJ
Posts: 32582
Joined: Fri Nov 24, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by MKJ »

let's see how long it takes for it to be hacked again
Don Carlos
Posts: 17509
Joined: Thu Jan 01, 1970 12:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Don Carlos »

Won't be long...
o'dium
Posts: 11712
Joined: Sun Mar 25, 2001 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by o'dium »

Was reading DCEmu forums earlier and there's already talk of an exploit found... That doesn't mean that NETWORK is hacked again, but it does mean there's a possible backdoor to getting homebrew back...

The same thing happened with PSP ages ago. They kept making the system harder and harder to crack and then one day decided to re-write huge chunks to make it impossible for hackers, but actually ended up adding more holes that could be exploited.
brisk
Posts: 3801
Joined: Sun May 07, 2000 7:00 am

Re: So this PSN/Sony Hacker Drama...

Post by brisk »

Shame the devs who work on the PS3 scene are egotistical, shivering little pricks who refuse to release anything for the most part. Especially that french mong Math. I don't give a shit about piracy, I just want to be able to keep showtime, keep my emulators/FTP support and play the latest games.

Oh and not have all my personal info stolen. That'd be grand :up:
tnf
Posts: 13010
Joined: Tue Mar 13, 2001 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by tnf »

With the resources Sony has to throw at this, are the odds good that they will catch those involved you think?

I haven't followed the story beyond the basic headlines, but are they thinking this was an organized group of people or just one kid in his parents' basement?
mrd
Posts: 4289
Joined: Sat Mar 25, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by mrd »

They're blaming the hacktivist group Anonymous for doing it, as they found a file called 'Anonymous' on their server containing the text 'We are legion' which apparently is Anonymous' slogan. However, Anonymous wrote back and claimed it wasn't them as they have never and would never encourage a breach for the sole purpose of netting CC data and other personal information. Kind of makes sense too, because if you look at all their other attacks (for lack of a better word), they are all on things like servers for governments that are doing shitty things to their people (Middle Eastern countries) and that sort of thing. I don't think they have ever done something as simple as hacking a giant corporation just to steal data. They are usually doing it to push a human-rights or freedom of speech message. Sony has nothing to do with either of those, so my guess is that Sony just painted Anonymous red because they actually have no fucking idea who did it :olo:
Also, doubt it was one person but it is possible.
Don Carlos
Posts: 17509
Joined: Thu Jan 01, 1970 12:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Don Carlos »

'Anonymous' have been saying for weeks they are nothing to do with it...

Eraser
Posts: 19175
Joined: Fri Dec 01, 2000 8:00 am

Re: So this PSN/Sony Hacker Drama...

Post by Eraser »

Last week there was talk of the people doing this actually being related to Anonymous but the hack wasn't set up by anonymous as a whole.