Posted June 02, 2011
Ermac.469
Telekinesis
Ermac.469 Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Apr 2009
From Japan
EndlessKnight
Magic Missile!
EndlessKnight Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Mar 2010
From Canada
Posted June 02, 2011
Sony Pictures is run by different people than the company that runs PSN, but yes... They should have wised up when it came to their security.
I think the hackers just don't want Ghostbusters 3 to see release. :-P
I think the hackers just don't want Ghostbusters 3 to see release. :-P
Post edited June 02, 2011 by EndlessKnight
cogadh
Banned? Never.
cogadh Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Oct 2008
From United States
Posted June 02, 2011
Sweet zombie Jesus! Has Sony learned nothing from the past two months? Seriously, what kind of IT morons have they got working there, one guy with a "Computer Servers for Dummies" book? My kid could set a more secure infrastructure than these dumbasses have.
Post edited June 02, 2011 by cogadh
kodeen
New User
kodeen Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: May 2011
From United States
Raptomex
Listen to Slayer
Raptomex Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2009
From United States
Posted June 02, 2011
I bought a PS3 for one game, Twisted Metal. It's like a chore to have the console now. Changing credit card information. I don't think I'll ever trust Sony's security ever again. Luckily, I have a PC, 360, and Wii to keep me covered.
GamezRanker
Disagreement Verboten!
GamezRanker Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Sep 2010
From United States
Posted June 02, 2011
cogadh: Sweet zombie Jesus! Has Sony learned nothing from the past two months? Seriously, what kind of IT morons have they got working there, one guy with a "Computer Servers for Dummies" book? My kid could set a more secure infrastructure than these dumbasses have.
lukipela: Yeah, i mean, we have no idea what their security infrastructure is like, but wtf, havent they read a servers for dummies book? Everyone knows security is easy. Especially for large multinational corporations with multiple server sites. FFS, shut up.
noisegrrrl
Ribbit ribbit
noisegrrrl Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2008
From France
orcishgamer
Mad and Green
orcishgamer Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2010
From United States
Posted June 02, 2011
The NSA assumes they are compromised, they are a high value target, they try to minimize any damage a compromise can do. That's probably the most effective security a big juicy target can have.
Network and server security is actually really hard and even if you do everything correctly some doofus package maintainer upstream can make a mistake that allows some sort of attack through no fault of your own. Big targets like Sony have made mistakes and here's what they really are:
1) Didn't always follow their own best practices or industry best practices (95% is good in most things but in security that will get you owned). They probably need more people and to pay them more.
2) They made themselves a bigger target by pissing on people for years. Earlier this year Extra Credits said, "Sony, you do not want to tangle with the kinds of people who install Linux on their PS3s, you will lose." No, it wasn't the same crowd responsible for these attacks, the point is, know who you're tangling with, it's best not to bully anyone, but if you're going to bully someone best not to bully people who have little to lose or the ability to fight back.
Network and server security is actually really hard and even if you do everything correctly some doofus package maintainer upstream can make a mistake that allows some sort of attack through no fault of your own. Big targets like Sony have made mistakes and here's what they really are:
1) Didn't always follow their own best practices or industry best practices (95% is good in most things but in security that will get you owned). They probably need more people and to pay them more.
2) They made themselves a bigger target by pissing on people for years. Earlier this year Extra Credits said, "Sony, you do not want to tangle with the kinds of people who install Linux on their PS3s, you will lose." No, it wasn't the same crowd responsible for these attacks, the point is, know who you're tangling with, it's best not to bully anyone, but if you're going to bully someone best not to bully people who have little to lose or the ability to fight back.
GamezRanker
Disagreement Verboten!
GamezRanker Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Sep 2010
From United States
Posted June 02, 2011
Angry Sony apologist itt.
noisegrrrl
Ribbit ribbit
noisegrrrl Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2008
From France
Posted June 02, 2011
Emualynk: Uh? No.
Even if it's not easy, that's no reason to stock informations like password or credit card informations in plain text.
At least encrypt that stuff.
lukipela: You have no idea what you are talking about. You have no idea what their security infrastructure is like. I have serious doubts your IT security experience goes beyond windows firewall. Even if it's not easy, that's no reason to stock informations like password or credit card informations in plain text.
At least encrypt that stuff.
I am in engineering school, more precisely I'm learning informatics, that includes making websites, and excuse me, but using MD5 to encrypt data before storing it in a database IS FUCKING EASY.
So shut the fuck up please.
Senteria
GOG Café Admin
Senteria Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: May 2011
From Netherlands
Posted June 02, 2011
So why did the hackers hack. Just to say: Your security sucks?
That's pretty weird.
That's pretty weird.
orcishgamer
Mad and Green
orcishgamer Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2010
From United States
Posted June 02, 2011
lukipela: You have no idea what you are talking about. You have no idea what their security infrastructure is like. I have serious doubts your IT security experience goes beyond windows firewall.
Emualynk: Oh well. You know what? Fuck you. I am in engineering school, more precisely I'm learning informatics, that includes making websites, and excuse me, but using MD5 to encrypt data before storing it in a database IS FUCKING EASY.
So shut the fuck up please.
Oops.
Also, you can't hash a credit card number since you need to use it again, better make sure the criminals can't get the decryption key, that your programs must have access to, after they've owned your servers.
Like I said, good security is hard, people think it's easy.
And like I said, you may or may not know this stuff, however I see comments like yours a lot and the commenters in many cases turn out to not know it.
noisegrrrl
Ribbit ribbit
noisegrrrl Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2008
From France
orcishgamer
Mad and Green
orcishgamer Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2010
From United States
Posted June 02, 2011
orcishgamer: Now you may mean with salts, but that's just it, a lot of people think using a MD5 hash is good enough and call it a day.
Oops.
Also, you can't hash a credit card number since you need to use it again, better make sure the criminals can't get the decryption key, that your programs must have access to, after they've owned your servers.
Like I said, good security is hard, people think it's easy.
And like I said, you may or may not know this stuff, however I see comments like yours a lot and the commenters in many cases turn out to not know it.
Emualynk: The thing is, they weren't even using a MD5 hash. Oops.
Also, you can't hash a credit card number since you need to use it again, better make sure the criminals can't get the decryption key, that your programs must have access to, after they've owned your servers.
Like I said, good security is hard, people think it's easy.
And like I said, you may or may not know this stuff, however I see comments like yours a lot and the commenters in many cases turn out to not know it.
I'm certainly not saying a MD5 would have been enough. But they weren't even using a MD5 hash.
And what the hell with the "security is not easy" talk.
They are a fucking huge company. Don't they have the funds to afford good security?
Also, even if you're perfect: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281595 or the bug where the openssh maintainer forgot to salt the keys from ssh-keygen, oopsie, now timing attacks become possible.
I already said what mistakes I felt Sony made in addition to what steps they needed to take to correct them, feel free to refer to my previous posts. I haven't bothered to read this article, but the previous stories covering the previous attacks certainly didn't manage to agree on whether Sony had hashed or encrypted DB contents or not, so I'm taking claims with a grain of salt.
DarrkPhoenix
A1 Antagonist
DarrkPhoenix Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2008
From United States
Posted June 02, 2011
This is just the latest of several other Sony systems and sites that have also gotten owned over the past month. Basically it's open season on Sony right now, and it looks like their security wasn't even close to being up to the task of minimizing the damage (as if there was any doubt of that after the PSN hack).