I put 3D Dot Game Heroes in, and there was an update for it. I downloaded it, and now I can play as Sackboy! Neato! I didn't realize I could download an update without psn.
PSN isn't down because of server failures. The ability to access it is just shut off. Update servers are all still running and delivering content.
The update servers are unrelated to the PSN.
SmokeStacks on
TetraNitroCubane | The Djinnerator | At the bottom of a bottle | Registered User regular
I'm not trying to spread paranoia. I'm just trying to share best practices, from my perspective.
I guess it's just in my nature to sound paranoid, though. I believe it was Synthesis who once compared me to Dustin Hoffman in Outbreak, but with computers instead of monkeys. I cannot find fault in that comparison.
Sony should have acted. It was only a matter of time until there would be a big data breach.
It kind of makes you wonder who the heck anyone was being paid for such a shoddy job. Microsoft, Google, Apple, Amazon etc haven't been victims of data breaches at this scale.
SpaceKobura on
Stuck on a videogame or looking for cheat codes and tips? TipNinjas is a gaming question and answer site run by gamers.
Why do I trust Amazon over Sony? Because Amazon secures my password in SHA-2 salted hashes. Not in cleartext files. I assume they use similar or higher encryption for the more sensitive of my data.
Sony admits the server vulnerability was a known exploit. Again, they were incompetent in keeping their server software and security up to date.
While you can get your info stolen anywhere, it's a more sound decision to trust the companies which have shown an ability to perform simple security measures vs a company that thinks it's okay to leave my login password unhashed. Or to store my CC# in probably unsalted hash. Hell, I expect to hear they use md5. Just to add insult to injury.
Wait, what? Did Sony actually announce that they haven't been hashing at all? In the last thread this was all lols, but you seem a lot more certain all of a sudden.
I've missed out on the last few days of this thread. Are there any confirmed cases of hijacked cards yet?
Movitz on
The Anonymous | Uh, uh, uhhhhhh... | Uh, uh. | Registered User regular
edited May 2011
There have been a few reports on this very forum about credit card hijinks (all PSN users to boot), but none of us know for certain because of how vague Sony is being.
In regards to PSN passwords, and all your user info, Sony has said that none of it was encrypted. The only thing they said was encrypted was the CC info, which was on a different part of the server.
We're not going to get confirmed cases of cards being hijacked from PSN: in any individual case, the breach could potentially have happened anywhere, and we're only going to get anecdotal evidence here. Lack of confirmed cases means nothing: whether it's happening or not, anecdotal is all we'll get, so it would be imprudent to act only on confirmed reports.
Seol on
MichaelLC | In what furnace was thy brain? | Chicago | Registered User regular
edited May 2011
Yeah, it's very likely PSN related, but until someone says they had a PSN-only card that they used for nothing else and keep in a block of ice in their freezer, it's just assumptions.
Since I personally was dumb and used my debit, I decided the risk was too high. Had it been a regular CC, it may have been different.
Sony has taken all SOE games down with the message:
We have had to take the SOE service down temporarily. In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately. We will provide an update later today (Monday).
Sony should definitely publish a list of all the compromised CC information, so we can match the stolen information against those who have had fraudulent activity on their cards.
Hmmm...give Sony the benefit of the doubt and assume they took down all the SoE stuff to update its security, or assume fuckmuppetry and that it took Sony two weeks to realize all the Everquest users' credit cards were compromised as well?
Lars on
TetraNitroCubane | The Djinnerator | At the bottom of a bottle | Registered User regular
edited May 2011
In the wake of the PSN attack, SOE did claim that all of their customer data was perfectly safe.
We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons.
There's a possibility that they found an urgent issue they needed to patch, it couldn't wait, and they brought the system down to fix it before another attack occurred. Then again, I suppose they could've been mistaken when they first made that statement, or an actual second attack has transpired. Only time will tell, unfortunately.
Overwhelmed as one would be, placed in my position
Such a heavy burden now to be the one
Born to bare and read to all the details of our ending
To write it down for all the world to see
But I forgot my pen...
sony said that passwords weren't encrypted, they were HASHED.....encryption can be reversed, hashing cannot (although you can still brute force hashing)
On Tuesday, April 26 we shared that some information that was compromised in connection with an illegal and unauthorized intrusion into our network. Once again, we’d like to apologize to the many users who were inconvenienced and worried about this situation.
We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list.
One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.
To reiterate a few other security measures for your information: Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
We continue to work with law enforcement and forensic experts to identify the criminals behind the attack. Once again, we apologize for causing users concern over this matter.
Our objective is to increase security so our customers can safely and confidently play games and use our network and media services. We will continue to provide updates as we have them.
Take that however you want.
edit: No mention of which hash function was used, but I'd imagine Sony regard that as a security issue and would never disclose it.
Hashing can be useless if you're using an outdated hash. If it was DES or MD5, then your passwords may have just as well been in clear text.
Additionally, why the hell weren't they salting the hashes? That's standard practice.
nobody said they weren't salted
as for what urahonky said, no they can't be reverse engineered...you can have a huge database of results that a person can test against, but if your password is even slightly complicated there's no chance it will be in the database....all this "cracker" is doing is a search on passwords they have md5'd and put in their database
Yes, but if you have the hash list, and the hash algorithm you can brute force against the hash list, rather than pinging the nonexistent auth servers. I think that ability would speed up the brute forcing substantially, especially once you start getting a pre-hashed dictionary built up. But that's assuming that the hash algorithm was acquired before everything fell apart too. Anyone remember if there was a character limit for the passwords? Looks like no upper limit, min was 8 characters. Letters and numbers only, so that gives 62 possibilities per character, minimum of 8 characters, no repeated characters beyond 2 in sequence. "Average" people will go with the minimum requirement of 8 characters so that gives about 2.18340106 × 10^14 possible hashes. That is a massive number, but combine standard pass cracking dictionaries to the hash algorithm and you will probably unlock a good 30-50% of the "low hanging fruit".
So, possible that they can get de-hashed, but if you're smart about your password, not really all that probable.
I need to stay off of forums when I have bouts of insomnia!
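The posts above contrast lookups against precomputed digests with salted hashing. As an added example (not part of the thread, and not Sony's or Amazon's code), this Python block stores the same constructed passwords both ways and checks what each store reveals. The account names, passwords and PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for this example, not from the thread

# Constructed sample accounts: two users chose the same password.
SAMPLE_USERS = {"alice": "Sackboy2011", "bob": "Sackboy2011", "carol": "x9Qv72Lm"}


def unsalted_md5(password):
    """The weak scheme the thread worries about: fast and unsalted."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_record(password, salt)[1], digest)


def shared_digests(store):
    """Group accounts whose stored value is identical (visible password reuse)."""
    groups = defaultdict(list)
    for user, value in store.items():
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def keyspace(alphabet=62, length=8):
    """Candidates of exactly `length` characters, using the thread's figures."""
    return alphabet ** length


def demo():
    md5_store = {u: unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    kdf_store = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    # One precomputed entry for a common password matches every account using it.
    table = {unsalted_md5("Sackboy2011"): "Sackboy2011"}
    return {
        "md5_shared": shared_digests(md5_store),
        "kdf_shared": shared_digests({u: r[1] for u, r in kdf_store.items()}),
        "exposed_by_table": sorted(u for u, h in md5_store.items() if h in table),
        "kdf_verifies": verify("Sackboy2011", kdf_store["alice"]),
        "kdf_rejects": not verify("sackboy2011", kdf_store["alice"]),
    }


if __name__ == "__main__":
    print(keyspace(), demo())
```

With a per-user salt, identical passwords no longer produce identical stored values, so a table computed once cannot be reused across accounts, and the slow KDF raises the cost of every individual guess.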
Nikkei.com on Monday reported that an online Sony gaming network has once again fallen victim to a cyberattack. This time, the attack may have exposed the credit card numbers of thousands of Sony customers from around the world. According to the report, over 12,700 customer credit card numbers were stolen during a breach of Sony’s online gaming network, Sony Online Entertainment. According to Nikkei.com, Sony discovered the possible attack on Sunday. Sony recently suffered a similar attack on its PlayStation Network, which was offline for days as a result of the breach. Though Sony has yet to confirm this new incident publicly, the Sony Online Entertainment portal has been taken offline while Sony investigates the matter.
Lolsony?
Edit: Can't tell if it is accurate because I don't have a Nikkei account.
Couscous on
Triple B | Bastard of the North | MA | Registered User regular
http://www.eurogamer.net/articles/digitalfoundry-ps3-security-in-tatters
http://www.tipninjas.com
Zeboyd Games Development Blog
Steam ID : rwb36, Twitter : Werezompire, Facebook : Zeboyd Games
There is going to also be some sort of software gift though, right? PSP owners will probably get that, right?
That explains why the console was open to running pirated games, but it doesn't say anything about Sony having insecure servers.
I got this message when trying to access Free Realms, and the main EQ2 site gives the same.
Link: http://maintenance.station.sony.com/
Does anyone know what's going on with this?
What in the hell is going on over there?
Ha ha you pretend there's a choice. Yer funny.
e: depending on the hash, of course, but stuff like: http://www.tmto.org/pages/passwordtools/hashcracker/ exists.
I just got really hungry and started thinking about how to serve it with eggs.
I imagine this was also Sony's reaction.
Good lord. I just saw SOE was taken down too. This should be fun. /sigh
They'd better pray not, or else it's going to make them look downright incompetent. Especially since they swore SOE was in the clear earlier.
why would you put more salt on it