They're gonna need to be a bit more transparent about how much encryption we're talking about before I even CONSIDER giving them my information again.
Sony Publishes Q&A to Address More PSN Concerns, Still Unanswered Questions
Quoted from Sarcastic Gamer user rothbart (OP: http://forums.sarcasticgamer.com/showpost.php?p=645846&postcount=734)" Nice. E: Wow, actually got it. Anyways, I've been pretty disappointed with how Sony has handled this situation as a whole. The amount of time it has taken them to even attempt to try and answer the public's questions has been somewhat absurd. I understand it's been a difficult situation for them and all, but really Sony when something this big happens you really need to jump on the ball far faster. "
I work at a company that deals with data security... we wish everyone that lost a laptop or left data unencrypted had used our product(s) first. The fact is, NOBODY is impervious to being hacked. It happens all the time to tons of companies. It happens at a much larger scale than the 75M PSN users.
By data breach standards, what Sony has done here is the absolute text book implementation of what to do correctly. They didn't put protocol aside to keep selling PSN content. They didn't put protocol aside to let gamers keep gaming, potentially muddying up the systems being scoured for clues. They didn't try to hide that this happened. They didn't try to analyze it themselves but instead brought in experts.
The people and sites that are faulting Sony on how they've handled this so far are simply, and I mean no disrespect by the use of the very most accurate word I can think of... "ignorant" as to what they're talking about.
If you think Sony should've battened down the hatches and never gotten hacked... talk to the HUNDREDS of other companies/brands/organizations out there that have endured the exact same fate. If you think Sony shouldn't have been storing credit card information (at all or in a certain way) you should know that all there are now are recommendations or guidelines, there are no LAWS yet that force companies to certain degrees of protection and even if they were adequately protected, depending on the extent and nature of the hack, having them protected to PCI DSS guidelines STILL might not prevent people from getting to our credit card information...
That said, Sony said there was no evidence that our credit cards were compromised. They recommended (and to be honest, this was worded well) that "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained." How can they be faulted for that? Would you rather them lie and say "you're safe" or "they were compromised"?
This was a text book reaction to a large scale data breach and unlike MOST companies where we'd simply get an unexpected letter in the mail, we were somewhat kept in the loop by the raised awareness that PSN being down leading them to say something. You don't spill details during an investigation and these things take time. Hell, try checking out your computer after you've had a trojan installed and activated... now amplify that work by about a bajillion. Going through that stuff takes time.
Their statement is that they knew someone broke in on the 19th, and closed down the PSN while they investigated. It was during this time they said it'd be back up and running within 2-3 days. They stated they didn't know about the loss of personal data until Monday(?) night, they then told everyone the next morning. Since then, they've stated that the time till the PSN comes back online has gone to a week, while they continue to research and investigate the matter. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach
Who knows how long the hacker(s) have been working on breaching PSN.
I understand why Sony is being vague on this issue right now. Why would they go into specifics and give the hacker(s) a hint at what they are doing security wise and help them hack it again? Just keep an eye on your credit card statements and activity.
" @Hailinel: It is not a tinfoil hat conspiracy to wonder what the fuck Sony was doing for the past week in not informing their customers on what was going on. Their statement is that they knew someone broke in on the 19th, and closed down the PSN while they investigated. It was during this time they said it'd be back up and running within 2-3 days. They stated they didn't know about the loss of personal data until Monday(?) night, they then told everyone the next morning. Since then, they've stated that the time till the PSN comes back online has gone to a week, while they continue to research and investigate the matter. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach
All we have to go on is what they've told us, and this is what they've told us. Everything beyond that is speculation and fear mongering. I had my CC info stored on my account dude, don't think I'm not worried. I am not, however, going to start wearing a tinfoil hat and claiming some elaborate conspiracy to keep this information from us. I am going to take the time to read what they have to say on the matter, and do what I have to do to protect myself. I am going to take what they have to say right now as truth, since they are the only source that knows what is going on right now. I am going to trust that they are WELL AWARE that fucking with us right now and withholding information from us could result in lawsuits that may very well bring that company to its knees. That's about all any of us can do right now. It's really silly to see everyone else losing their shit on things that no one really has any information on, or worse, have been given information on, and have chosen to gloss over."
Even if they didn't know, they could have done more to inform users that there was a suspected breach in security and that time was necessary to determine its extent, thus giving everyone a very solid explanation of why they couldn't play their games online and also provide advance warning that bad news might be coming." @Hailinel:
And I will reiterate, for the last time, that they didn't say what was going on, because until Monday, they didn't know what was going on. If you're not getting this, there's not much more I can say to help you here.
"
sony has been into so much crap this gen, i feel kinda bad for the company. on the other hand, a lot of it was their fault. i doubt any of this would have happened if they just kept all the ps3 features and listened to fail0verflow that their so-called "sophisticated security system" is full of holes.
Uggh, just realized I made a PSN account to manually update my PSP in 2006. Fuck. (no credit card information shared with them though.)
I would have liked a press release to the tune of "hacking happened, PSN down, standby" the day, or maybe day after they took the network offline, but that didn't happen. It seemed kinda stupid of them not to at least give everyone a one or two paragraph press release stating it was down due to an intrusion on their system, but you know what? I'll live. And to again go back to your original complaint, who in their right minds would email 75 million users and say "all your information might have been stolen, just a heads up", 6 days before their teams had even discovered that was the case? The PSN encompasses more than just our personal data, you know. There are games, save files, profiles, trophy lists, movies, ads, etc, etc, etc. that are all part of this network. Is it really so hard to fathom that a system so large would take time to comb through to find out the information they presented us with on Tuesday? They're still not even sure if the CC information was taken, but here they are telling us, as a precaution, because they now know our information was accessed. Why did it take them a week to tell users that their personal data might have been compromised and leave everyone in the dark in the meantime?
This isn't going to change my sticking to Sony. I'm a PC gamer first, but I still like Sony's system for consoles. Meh!
" @Rockdalf said:It would actually be a good cop / bad cop act with Butler cracking jokes while Jack Tretton punches hackers in the face." @MooseyMcMan said:I want Sony to make an ad with Kevin Butler storming into basements and beating up hackers. "" So, top men are on it? Hopefully? "
"
" @MooseyMcMan said:Only if Kaz Hirai is watching from the shadows smiling menacingly." @Rockdalf said:It would actually be a good cop / bad cop act with Butler cracking jokes while Jack Tretton punches hackers in the face. "" @MooseyMcMan said:I want Sony to make an ad with Kevin Butler storming into basements and beating up hackers. "" So, top men are on it? Hopefully? "
"
It's a small price for Sony to pay to ease people's concerns, even if it turns out to be a much smaller problem.
I don't care about my credit card info at all. If shit happens, I will report it and get a new card and all my money back. I JUST WANT TO PLAY MORTAL KOMBAT... this whole thing makes me really sad...
"Mad Quotes" Cool. So security breaches happen all the time. Your point?
No matter how often it happens customers have every right to be pissed when a company they've trusted personal information to loses it. Whether it is a direct result of a company fuck up or something that just happened because it happened is irrelevant. In the end Sony is at the middle of one hell of a mess and they have done a pretty poor job of answering their customers' questions.
You also need to keep in mind that Sony isn't a bank or something similar where the customers really don't know about the data breach until something goes wrong or the company notifies them. The fact that the PSN is down has been staring us in the face for days and we certainly knew it was due to an intrusion for a while now. Give the public those two pieces of info and they'll connect the dots. The fact that Sony is only now addressing these concerns just doesn't sit well with me. Going to use the "they didn't even know for themselves until now" argument? I don't care. If my personal information, including credit card info, is at risk I want to know immediately. That's a reasonable expectation for any customer to have when they trust a company with their information.
I don't care what anyone has to say I went up to the bank today to cancel my card. Better safe than sorry especially when you're as tight on money as I am.
This is a terrible thing for Sony and its customers. It's the sort of thing they may never be able to recover from. I consider the PS3 to be a superior product but now that their infrastructure has been compromised I am really unsure if I will ever buy from them again. I don't hold any grudges but I also don't want to take any chances.
" I just got my ps3 too ;( "While I hate the shit that I have to go through due to some company's incompetence, I still have to say that getting the PS3 around now is probably the best thing you can do. Sony, fearing the possibility of having this happen to them again, will probably beef up their security. I view it like a shuttle launch: When is it the best time to go into space? Right after a huge catastrophe, because everyone will be on guard to ensure that it won't happen again.
" @Dandy said:Normally I would agree with you but NASA just blew up their past two attempts at launching a new satellite..." I just got my ps3 too ;( "While I hate the shit that I have to go through due to some company's incompetence, I still have to say that getting the PS3 around now is probably the best thing you can do. Sony, fearing the possibility of having this happen to them again, will probably beef up their security. I view it like a shuttle launch: When is it the best time to go into space? Right after a huge catastrophe, because everyone will be on guard to ensure that it won't happen again. "
From my point of view, this only means that their third attempt has tremendous odds of being successful." @Andorski said:
" @Dandy said:Normally I would agree with you but NASA just blew up their past two attempts at launching a new satellite... "" I just got my ps3 too ;( "While I hate the shit that I have to go through due to some company's incompetence, I still have to say that getting the PS3 around now is probably the best thing you can do. Sony, fearing the possibility of having this happen to them again, will probably beef up their security. I view it like a shuttle launch: When is it the best time to go into space? Right after a huge catastrophe, because everyone will be on guard to ensure that it won't happen again. "
Now excuse me while I keep doubling my bet after a ten hand losing streak of blackjack.
There seems to be some small confusion over encrypted data. Note that TRANSMITTING data over the air encrypted (SSL) and STORING data in a database in an encrypted form are two different things.
Using SSL to transmit the data from your PS3 to Sony's servers just means someone can't snoop on your traffic and easily access your credentials. If it were not also STORED in an encrypted (and salted -- this is important!) manner, then anyone able to access the database itself would have all of the information they needed, whether it was transferred via SSL or not.
In this case, they confirmed that the credit card information - as stored in the database table - was encrypted.
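The stored-versus-transmitted point from the post above, as an added example that is not part of the original thread: it applies the "salted" remark to passwords at rest and shows what a copy of the account table reveals with and without a per-user salt. The account names, passwords and the PBKDF2 parameters are constructed assumptions; the page does not say what scheme Sony used.

```python
import hashlib
import hmac
import os

# Assumption for this example: PBKDF2-HMAC-SHA256 with this iteration count.
ITERATIONS = 600_000

def unsalted_record(password: str) -> bytes:
    """Weak at-rest form: a bare digest, identical for identical passwords."""
    return hashlib.sha256(password.encode()).digest()

def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation; the salt is stored next to the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def salted_record(password: str) -> tuple:
    """New record with a fresh 16-byte random salt: (salt, derived_key)."""
    salt = os.urandom(16)
    return salt, derive(password, salt)

def verify(password: str, record: tuple) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)

def shared_value_groups(table: dict) -> list:
    """What anyone holding a copy of the table sees without cracking anything:
    which accounts have byte-identical stored values."""
    by_value = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)

# Constructed sample accounts; alice and carol picked the same password.
ACCOUNTS = {"alice": "hunter2", "bob": "correct horse", "carol": "hunter2"}

def build_tables():
    """Return the same accounts stored both ways: (unsalted, salted)."""
    unsalted = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, shared values:", shared_value_groups(unsalted))
    print("salted, shared values:  ", shared_value_groups(salted))
    print("alice logs in:", verify("hunter2", salted["alice"]))
```

Transport encryption does not appear anywhere in this code: whichever form is written to the table is what a database copy exposes, regardless of how the password travelled to the server.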
I hope they're telling the truth about that credit card encryption. It's a shame this happened, but I hope it acts as a wake up call for Sony to get their crap together on the software/internet side of things. They make pretty neat kit, but the software they run is kinda junky at times.
" I really wish people would shut up and calm down about this. Once this is resolved in a few days everything will be back to normal and no harm will be done. Bunch of trigger happy, paranoid idiots. " nail on the fucking head. People love making waves and sensationalizing everything. Fucking morons.
In the email I received to the address I use on my console:
"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID."
So in other words, they do have our passwords. Wouldn't it have been better just to tell us that straight off the bat?
" @Hailinel said:What? No. Don't go out of your way to defend companies that fucked up like Sony did. I don't know how you interpreted what I said the way you apparently did." @boylie: Word of advice: Don't accuse others of wearing tinfoil hats when you're the one defending the actions of a company that has all but admitted to fucking up. "Wait, so companies shouldn't admit to fucking up? Cover ups are better? "
"We are working on a new system software update that will require all users to change their password once PlayStation Network is restored."
Will this update include OtherOS, or are they now shooting themselves in the foot in their argument that nothing stops you from staying on the old firmware version, and therefore no one has a legal standing to complain about its removal? Now you have to choose between your password (and by extension, everything protected by it) and your OtherOS?
I had assumed you can change your password through the PSN website, but this FAQ entry sort of implies that you can't?
" "We are working on a new system software update that will require all users to change their password once PlayStation Network is restored." Will this update include OtherOS, or are they now shooting themselves in the foot in their argument that nothing stops you from staying on the old firmware version, and therefore no one has a legal standing to complain about its removal? Now you have to choose between your password (and by extension, everything protected by it) and your OtherOS? I had assumed you can change your password through the PSN website, but this FAQ entry sort of implies that you can't? " This isn't extortion. This is an update keyed to the new security measures of PSN. If you've been keeping your firmware up to date through legitimate means at all, then you already lost OtherOS functionality a long time ago.