" Nice. E: Wow, actually got it. Anyways, I've been pretty disappointed with how Sony has handled this situation as a whole. The amount of time it has taken them to even attempt to try and answer the public's questions has been somewhat absurd. I understand it's been a difficult situation for them and all, but really Sony when something this big happens you really need to jump on the ball far faster. "
I work at a company that deals with data security... we wish everyone that lost a laptop or left data unencrypted had used our product(s) first. The fact is, NOBODY is impervious to being hacked. It happens all the time to tons of companies. It happens at a much larger scale than the 75M PSN users.
By data breach standards, what Sony has done here is the absolute text book implementation of what to do correctly. They didn't put protocol aside to keep selling PSN content. They didn't put protocol aside to let gamers keep gaming, potentially muddying up the systems being scoured for clues. They didn't try to hide that this happened. They didn't try to analyze it themselves but instead brought in experts.
The people and sites that are faulting Sony on how they've handled this so far are simply, and I mean no disrespect by the use of the very most accurate word I can think of... "ignorant" as to what they're talking about.
If you think Sony should've battened down the hatched and never gotten hacked... talk to the HUNDREDS of other companies/brands/organizations out there that have endured the exact same fate. If you think Sony shouldn't have been storing credit card information (at all or in a certain way) you should know that all there are now are recommendations or guidelines, there are no LAWS yet that force companies to certain degrees of protection and even if they were adequately protected, depending on the extent and nature of the hack, having them protected to PCI DSS guidelines STILL might not prevent people from getting to our credit card information...
That said, Sony said there was no evidence that our credit cards were compromised. They recommended (and to be honest, this was worded well) that "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained." How can they be faulted for that? Would you rather them lie and say "you're safe" or "they were compromised"?
This was a text book reaction to a large scale data breach and unlike MOST companies where we'd simply get an unexpected letter in the mail, we were somewhat kept in the look by the raised awareness that PSN being down leading them to say something. You don't spill details during an investigation and these things take time. Hell, try checking out your computer after you've had a trojan installed and activated... now amplify that work by about a bajillion. Going through that stuff takes time.
We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.It was necessary to conduct several days of forensic analysis, and it took our expertsuntil yesterday to understand the scope of the breach
Their statement is that they knew someone broke in on the 19th, and closed down the PSN while they investigated. It was during this time they said it'd be back up and running within 2-3 days. They stated didn't know about the loss of personal data until monday(?) night, they then told everyone the next morning. Since then, they've stated that the time till the PSN comes back online has gone to a week, while they continue to research and investigate the matter.
All we have to go on is what they've told us, and this is what they've told us. Everything beyond that is speculation and fear mongering.
I had my CC info stored on my account dude, don't think I'm not worried. I am not, however, going to start wearing a tinfoil had and claiming some elaborate conspiracy to keep this information from us. I am going to take the time to read what they have to say on the matter, and do what I have to do to protect myself. I am going to take what they have to say right now as truth, since they are the only source that knows what is going on right now. I am going to trust that they are WELL AWARE that fucking with us right now and withholding information from us could result in lawsuits that may very well bring that company to it's knees. That's about all any of us can do right now.
It's really silly to see everyone else losing their shit on things that no one really has any information on, or worse, have been given information on, and have chosen to gloss over.
Who knows how long the hacker(s) have been working on breaching PSN.
I understand why Sony is being vague on this issue right now. Why would they go into specifics and give the hacker(s) a hint at what they are doing security wise and help them hack it again? Just keep an eye on your credit card statements and activity.
We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.It was necessary to conduct several days of forensic analysis, and it took our expertsuntil yesterday to understand the scope of the breach
Their statement is that they knew someone broke in on the 19th, and closed down the PSN while they investigated. It was during this time they said it'd be back up and running within 2-3 days. They stated didn't know about the loss of personal data until monday(?) night, they then told everyone the next morning. Since then, they've stated that the time till the PSN comes back online has gone to a week, while they continue to research and investigate the matter.
All we have to go on is what they've told us, and this is what they've told us. Everything beyond that is speculation and fear mongering.
I had my CC info stored on my account dude, don't think I'm not worried. I am not, however, going to start wearing a tinfoil had and claiming some elaborate conspiracy to keep this information from us. I am going to take the time to read what they have to say on the matter, and do what I have to do to protect myself. I am going to take what they have to say right now as truth, since they are the only source that knows what is going on right now. I am going to trust that they are WELL AWARE that fucking with us right now and withholding information from us could result in lawsuits that may very well bring that company to it's knees. That's about all any of us can do right now.
It's really silly to see everyone else losing their shit on things that no one really has any information on, or worse, have been given information on, and have chosen to gloss over.
"
It is not a tinfoil hat conspiracy to wonder what the fuck Sony was doing for the past week in not informing their customers on what was going on.
And I will reiterate, for the last time, that they didn't say what was going on, because until Monday, they didn't know what was going on. If you're not getting this, there's not much more I can say to help you here.
" @Hailinel: And I will reiterate, for the last time, that they didn't say what was going on, because until Monday, they didn't know what was going on. If you're not getting this, there's not much more I can say to help you here. "
Even if they didn't know, they could have done more to inform users that there was a suspected breach in security and that time was necessary to determine its extent, thus giving everyone a very solid explanation of why they couldn't play their games online and also provide advance warning that bad news might be coming.
sony has been into so much crap this gen, i feel kinda bad for the company. on the other hand, a lot of it was their fault. i doubt any of this would have happened if they just kept all the ps3 features and listened to failoverflow that their so-called "sophisticated security system" is full of holes.
Sure, they totally could have, though "providing advanced warning that bad news might be coming" implies that they suspected that our information was compromised from day one, which they have stated was not the case. That really doesn't have anything to do with your initial complaint though...
Why did it take them a week to tell users that their personal data might have been compromised and leave everyone in the dark in the meantime?
I would have liked a press release to the tune of "hacking happened, PSN down, standby" the day, or maybe day after they took the network offline, but that didn't happen. It seemed kinda stupid of them not to at least give everyone a one or two paragraph press release stating it was down due to an intrusion on their system, but you know what? I'll live. And to again go back to your original complaint, who in their right minds would email 75 million users and say "all your information might have been stolen, just a heads up", 6 days before their teams had even discovered that was the case? The PSN encompases more then just our personal data, you know. There are games, save files, profiles, trophy lists, movies, ads, etc, etc, etc. that are all part of this network. Is it really so hard to fathom that a system so large would take time to comb through to find out the information they presented us with on Tuesday? They're still not even sure if the CC information was taken, but here they are telling us, as a precaution, because they now know our information was accessed.
Now that they KNOW our information was compromised, they are taking steps to inform us of it and provide us with the tools we need to keep ourselves safe. Asking anymore then that from them right now is silly, and continuing to imply that they had any idea about a loss of personal information a full week before they told us is baseless, and what I was referring to when I mentioned "wearing the tinfoil hat".
So anon pulls a publicity stunt while some unknown dude/group takes the network down for weeks, I can't help but smile when I read about this. Sorry for all of you money-spending dudes though.
@saroorhai: Not a bad idea, all considering. The awful insurance company that I worked for last year had a similar breach that resulted in the company offering ID theft protection services to people who may have been compromised for a year.
It's a small price for Sony to pay to ease people's concerns, even if it turns out to be a much smaller problem.
I don't care about my credit card info at all. If shit happens, I will report it and get a new card and all my money back. I JUST WANT TO PLAY MORTAL KOMBAT... this whole thing makes me really sad...
Cool. So security breeches happen all the time. Your point?
No matter how often it happens customers have every right to be pissed when a company they've trusted personal information too loses it. Whether it is a direct result of a company fuck up or something that just happened because it happened is irrelevant. In the end Sony is at the middle of one hell of a mess and they have done a pretty poor job of answering their customers questions.
You also need to keep in mind that Sony isn't a bank or something similar where the customers really don't know about the data breech until something goes wrong or the company notifies them. The fact that the PSN is down has been staring us in the face for days and we certainly knew it was due to an intrusion for a while now. Give the public those two pieces of info and they'll connect the dots. The fact that Sony is only now addressing these concerns just doesn't sit well with me. Going to use the "they didn't even know for themselves until now" argument? I don't care. If my personal information, including credit card info, is at risk I want to know immediately. That's a reasonable expectation for any customer to have when they trust a company with their information.
@skilled_gamer: Same here man. I have both systems but mainly I'm also a 360 guy as well. Sony had my card as well but I only use my PS3 a few times a month.
I don't care what anyone has to say I went up to the bank today to cancel my card. Better safe than sorry especially when you're as tight on money as I am.
This is a terrible thing for Sony and it's customers. It's the sort of thing they may never be able to recover from. I consider the PS3 to be a superior product but now that their infrastructure has been compromised I am really unsure if I will ever buy from them again. I don't hold any grudges but I also don't want to take any chances.
While I hate the shit that I have to go through due to some company's incompetence, I still have to say that getting the PS3 around now is probably the best thing you can do. Sony, fearing the possibility of having this happen to them again, will probably beef up their security. I view it like a shuttle launch: When is it the best time to go into space? Right after a huge catastrophe, because everyone will be on guard to ensure that it won't happen again.
While I hate the shit that I have to go through due to some company's incompetence, I still have to say that getting the PS3 around now is probably the best thing you can do. Sony, fearing the possibility of having this happen to them again, will probably beef up their security. I view it like a shuttle launch: When is it the best time to go into space? Right after a huge catastrophe, because everyone will be on guard to ensure that it won't happen again. "
Normally I would agree with you but NASA just blew up their past two attempts at launching a new satellite...
While I hate the shit that I have to go through due to some company's incompetence, I still have to say that getting the PS3 around now is probably the best thing you can do. Sony, fearing the possibility of having this happen to them again, will probably beef up their security. I view it like a shuttle launch: When is it the best time to go into space? Right after a huge catastrophe, because everyone will be on guard to ensure that it won't happen again. "
Normally I would agree with you but NASA just blew up their past two attempts at launching a new satellite... "
From my point of view, this only means that their third attempt has tremendous odds of being successful. Now excuse me while I keep doubling my bet after a ten hand losing streak of black jack.
There seems to be some small confusion over encrypted data. Note that TRANSMITTING data over the air encrypted (SSL) and STORING data in a database in an encrypted form are two different things.
Using SSL to transmit the data from your PS3 to Sony's servers just means someone can't snoop on your traffic and easily access your credentials. If it were not also STORED in an encrypted (and salted -- this is important!) manner, then anyone able to access the database itself would have all of the information they needed, whether it was transferred via SSL or not.
In this case, they confirmed that the credit card information - as stored in the database table - was encrypted.
I hope they're telling the truth about that credit card encryption. It's a shame this happened, but I hope it acts as a wake up call for Sony to get their crap together on the software/internet side of things. They make pretty neat kit, but the software they run is kinda junky at times.
" I really wish people would shut up and calm down about this. Once this is resolved in a few days everything will be back to normal and no harm will be done.Bunch of trigger happy, paranoid idiots. "
nail on the fucking head. People love making waves and sensationalizing everything. Fucking morons.
In the email I received to the address I use on my console:
"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID."
So in other words, they do have our passwords. Wouldn't have been better just to tell us that straight off the bat?
@boylie: Word of advice: Don't accuse others of wearing tinfoil hats when you're the one defending the actions of a company that has all but admitted to fucking up.
There was some Norwegian dude who allegedly had his credit card stolen an used for multiple PSN purchases. Not sure how that would happen if that data was encrypted.
@kalmis: You're not sure how someone on the internet would have their credit card details compromised and used to buy stuff on the internets? That's never happened before!
Word of advice: Listen to what people are telling you instead of making up "us vs. them" scenarios. I am advising level headedness, noting more. You would have to be a SUPREME asshat to think, after I've already told you my own personal CC details along with everything else on their servers have been compromised, that I'm acting as Sony's personal PR troll. I have re-stated what has been told to us, which at this point, is all we have to go on.
You, on the other hand, are accusing them of having had knowledge of compromised account information a full week before they decided to say anything, based on nothing but what they have told us (despite this being the EXACT OPPOSITE of what they told us), and your apparent pre-disposition to getting really deep into conspiracy theories.
I don't know how to be any more clear with you without resorting to drawing stick figures here. We're right in the middle of an ongoing investigation, and details are sparse. All we know is what they've told us. What they've told us is they had no idea that our personal information had been obtained until Monday night, and informed us on Tuesday. I'm more then allowed to be pissed my information was stolen without being so blind as to ignore what little facts that we have to go on. The more you argue this VERY SIMPLE concept, the more inept you look.
Now, if any of that sunk in, great. If not, I submit that we agree to disagree, as I have no particular desire to find new and interesting ways to tell you that making baseless accusations during a period of ongoing investigation during which facts are still trickling in makes only serves to make you look uninformed and ignorant.
" @boylie: Word of advice: Don't accuse others of wearing tinfoil hats when you're the one defending the actions of a company that has all but admitted to fucking up. "
Wait, so companies shouldn't admit to fucking up? Cover ups are better?
" @boylie: Word of advice: Don't accuse others of wearing tinfoil hats when you're the one defending the actions of a company that has all but admitted to fucking up. "
Wait, so companies shouldn't admit to fucking up? Cover ups are better? "
What? No. Don't go out of your way to defend companies that fucked up like Sony did. I don't know how you interpreted what I said the way you apparently did.
"We are working on a new system software update that will require all users to change their password once PlayStation Network is restored."
Will this update include OtherOS, or are they now shooting themselves in the foot in their argument that nothing stops you from staying on the old firmware version, and therefore no one has a legal standing to complain about its removal? Now you have to chose between your password (and by extension, everything protected by it) and your OtherOS?
I had assumed you can change your password through the PSN website, but this FAQ entry sort of imply that you can't?
" "We are working on a new system software update that will require all users to change their password once PlayStation Network is restored."Will this update include OtherOS, or are they now shooting themselves in the foot in their argument that nothing stops you from staying on the old firmware version, and therefore no one has a legal standing to complain about its removal? Now you have to chose between your password (and by extension, everything protected by it) and your OtherOS?I had assumed you can change your password through the PSN website, but this FAQ entry sort of imply that you can't? "
This isn't extortion. This is an update keyed to the new security measures of PSN. If you've been keeping your firmware up to date through legitimate means at all, then you already lost OtherOS functionality a long time ago.
@vividnova: Well of course. I am just saying that if the credit card data on Sony's servers is encrypted how could it be used like this Norwegian guy claims.
This edit will also create new pages on Giant Bomb for:
Beware, you are proposing to add brand new pages to the wiki along
with your edits. Make sure this is what you intended. This will likely
increase the time it takes for your changes to go live.
Comment and Save
Until you earn 1000 points all your submissions need to be vetted by other
Giant Bomb users. This process takes no more than a few hours and we'll
send you an email once approved.
Log in to comment