Sony Publishes Q&A to Address More PSN Concerns, Still Unanswered Questions

They're gonna need to be a bit more transparent about how much encryption we're talking about before I even CONSIDER giving them my information again.

People in these forums are some of the biggest fucktards imaginable.

" Nice. E: Wow, actually got it. Anyways, I've been pretty disappointed with how Sony has handled this situation as a whole. The amount of time it has taken them to even attempt to try and answer the public's questions has been somewhat absurd. I understand it's been a difficult situation for them and all, but really Sony when something this big happens you really need to jump on the ball far faster. "

I work at a company that deals with data security... we wish everyone that lost a laptop or left data unencrypted had used our product(s) first. The fact is, NOBODY is impervious to being hacked. It happens all the time to tons of companies. It happens at a much larger scale than the 75M PSN users.

By data breach standards, what Sony has done here is the absolute text book implementation of what to do correctly. They didn't put protocol aside to keep selling PSN content. They didn't put protocol aside to let gamers keep gaming, potentially muddying up the systems being scoured for clues. They didn't try to hide that this happened. They didn't try to analyze it themselves but instead brought in experts.

The people and sites that are faulting Sony on how they've handled this so far are simply, and I mean no disrespect by the use of the very most accurate word I can think of... "ignorant" as to what they're talking about.

If you think Sony should've battened down the hatched and never gotten hacked... talk to the HUNDREDS of other companies/brands/organizations out there that have endured the exact same fate. If you think Sony shouldn't have been storing credit card information (at all or in a certain way) you should know that all there are now are recommendations or guidelines, there are no LAWS yet that force companies to certain degrees of protection and even if they were adequately protected, depending on the extent and nature of the hack, having them protected to PCI DSS guidelines STILL might not prevent people from getting to our credit card information...

That said, Sony said there was no evidence that our credit cards were compromised. They recommended (and to be honest, this was worded well) that "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained." How can they be faulted for that? Would you rather them lie and say "you're safe" or "they were compromised"?

This was a text book reaction to a large scale data breach and unlike MOST companies where we'd simply get an unexpected letter in the mail, we were somewhat kept in the look by the raised awareness that PSN being down leading them to say something. You don't spill details during an investigation and these things take time. Hell, try checking out your computer after you've had a trojan installed and activated... now amplify that work by about a bajillion. Going through that stuff takes time.    

Who knows how long the hacker(s) have been working on breaching PSN.

I understand why Sony is being vague on this issue right now. Why would they go into specifics and give the hacker(s) a hint at what they are doing security wise and help them hack it again? Just keep an eye on your credit card statements and activity.

" @MooseyMcMan said:

" @Rockdalf said:

" @MooseyMcMan said:

" So, top men are on it? Hopefully?  "

"

I want Sony to make an ad with Kevin Butler storming into basements and beating up hackers.  "

fuuuuck, I need this "

" @Hailinel: 

We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.It was necessary to conduct several days of forensic analysis, and it took our expertsuntil yesterday to understand the scope of the breach

Their statement is that they knew someone broke in on the 19th, and closed down the PSN while they investigated. It was during this time they said it'd be back up and running within 2-3 days. They stated didn't know about the loss of personal data until monday(?) night, they then told everyone the next morning. Since then, they've stated that the time till the PSN comes back online has gone to a week, while they continue to research and investigate the matter.

All we have to go on is what they've told us, and this is what they've told us. Everything beyond that is speculation and fear mongering. 

I had my CC info stored on my account dude, don't think I'm not worried. I am not, however, going to start wearing a tinfoil had and claiming some elaborate conspiracy to keep this information from us. I am going to take the time to read what they have to say on the matter, and do what I have to do to protect myself. I am going to take what they have to say right now as truth, since they are the only source that knows what is going on right now. I am going to trust that they are WELL AWARE that fucking with us right now and withholding information from us could result in lawsuits that may very well bring that company to it's knees. That's about all any of us can do right now. 

It's really silly to see everyone else losing their shit on things that no one really has any information on, or worse, have been given information on, and have chosen to gloss over.

"

I wish I had bought Mortal Kombat for 360

" @Hailinel: 
And I will reiterate, for the last time, that they didn't say what was going on, because until Monday, they didn't know what was going on. If you're not getting this, there's not much more I can say to help you here.
"

Weeeeelp. Good thing my credit card is already maxed out!

sony has been into so much crap this gen, i feel kinda bad for the company.
on the other hand, a lot of it was their fault. i doubt any of this would have happened if
they just kept all the ps3 features and listened to failoverflow that their so-called
"sophisticated security system" is full of holes.

Personal information was just in plain text... great. Incoming virus emails.

So anon pulls a publicity stunt while some unknown dude/group takes the network down for weeks, I can't help but smile when I read about this. Sorry for all of you money-spending dudes though.

Sony has been doing well with video game systems for about 17 years now. How this happened is beyond me.

This isn't going to change my sticking to Sony. I'm a PC gamer first, but I still like Sony's system for consoles. Meh!

" @Rockdalf said:

" @MooseyMcMan said:

" So, top men are on it? Hopefully?  "

"

I want Sony to make an ad with Kevin Butler storming into basements and beating up hackers.  "

" @MooseyMcMan said:

" @Rockdalf said:

" @MooseyMcMan said:

" So, top men are on it? Hopefully?  "

"

I want Sony to make an ad with Kevin Butler storming into basements and beating up hackers.  "

It would actually be a good cop / bad cop act with Butler cracking jokes while Jack Tretton punches hackers in the face. "

I wanna play MK online. I'm almost done totally unlocking the krypt and still haven't even played online yet.

I don't care about my credit card info at all. If shit happens, I will report it and get a new card and all my money back. I JUST WANT TO PLAY MORTAL KOMBAT... this whole thing makes me really sad...

"Mad Quotes"

I don't care what anyone has to say I went up to the bank today to cancel my card. Better safe than sorry especially when you're as tight on money as I am.

...I can't believe personal info wasn't encrypted.

I just got my ps3 too ;(

This is a terrible thing for Sony and it's customers. It's the sort of thing they may never be able to recover from. I consider the PS3 to be a superior product but  now that their infrastructure has been compromised I am really unsure if I will ever buy from them again. I don't hold any grudges but I also don't want to take any chances.

" I just got my ps3 too ;( "

" @Dandy said:

" I just got my ps3 too ;( "

While I hate the shit that I have to go through due to some company's incompetence, I still have to say that getting the PS3 around now is probably the best thing you can do.  Sony, fearing the possibility of having this happen to them again, will probably beef up their security.  I view it like a shuttle launch: When is it the best time to go into space?  Right after a huge catastrophe, because everyone will be on guard to ensure that it won't happen again. "

" @Andorski said:

" @Dandy said:

" I just got my ps3 too ;( "

While I hate the shit that I have to go through due to some company's incompetence, I still have to say that getting the PS3 around now is probably the best thing you can do.  Sony, fearing the possibility of having this happen to them again, will probably beef up their security.  I view it like a shuttle launch: When is it the best time to go into space?  Right after a huge catastrophe, because everyone will be on guard to ensure that it won't happen again. "

Normally I would agree with you but NASA just blew up their past two attempts at launching a new satellite... "

There seems to be some small confusion over encrypted data. Note that TRANSMITTING data over the air encrypted (SSL) and STORING data in a database in an encrypted form are two different things.

Using SSL to transmit the data from your PS3 to Sony's servers just means someone can't snoop on your traffic and easily access your credentials. If it were not also STORED in an encrypted (and salted -- this is important!) manner, then anyone able to access the database itself would have all of the information they needed, whether it was transferred via SSL or not.

In this case, they confirmed that the credit card information - as stored in the database table - was encrypted.

I hope they're telling the truth about that credit card encryption. It's a shame this happened, but I hope it acts as a wake up call for Sony to get their crap together on the software/internet side of things. They make pretty neat kit, but the software they run is kinda junky at times.

" I really wish people would shut up and calm down about this. Once this is resolved in a few days everything will be back to normal and no harm will be done.Bunch of trigger happy, paranoid idiots. "

*gasp*

In the email I received to the address I use on my console:

"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID."

So in other words, they do have our passwords. Wouldn't have been better just to tell us that straight off the bat?

There was some Norwegian dude who allegedly had his credit card stolen an used for multiple PSN purchases. Not sure how that would happen if that data was encrypted.

The bast part about this has been watching German news hosts struggle to pronounce Qriocity.

" @boylie:  Word of advice: Don't accuse others of wearing tinfoil hats when you're the one defending the actions of a company that has all but admitted to fucking up. "

" @Hailinel said:

" @boylie:  Word of advice: Don't accuse others of wearing tinfoil hats when you're the one defending the actions of a company that has all but admitted to fucking up. "

Wait, so companies shouldn't admit to fucking up? Cover ups are better? "

Any chance that this has anything to do with Will Smith's potato battery?  Think about the timeline.  That's all I'm sayin.

"We are working on a new system software update that will require all users to change their password once PlayStation Network is restored."

Will this update include OtherOS, or are they now shooting themselves in the foot in their argument that nothing stops you from staying on the old firmware version, and therefore no one has a legal standing to complain about its removal? Now you have to chose between your password (and by extension, everything protected by it) and your OtherOS?

I had assumed you can change your password through the PSN website, but this FAQ entry sort of imply that you can't?

" "We are working on a new system software update that will require all users to change their password once PlayStation Network is restored."Will this update include OtherOS, or are they now shooting themselves in the foot in their argument that nothing stops you from staying on the old firmware version, and therefore no one has a legal standing to complain about its removal? Now you have to chose between your password (and by extension, everything protected by it) and your OtherOS?I had assumed you can change your password through the PSN website, but this FAQ entry sort of imply that you can't? "