[PATV] Tuesday, August 30, 2011 - Extra Credits Season 2, Ep. 18: NOT a Security Episode

Dog Registered User, Administrator, Vanilla Staff admin
edited May 2012 in The Penny Arcade Hub
Now that the whole PSN mess is (mostly) wrapped up, we discuss the changing relationship between corporation and consumer, and the trust that relationship is going to require.

Posts

  • gheller Registered User new member
    Just had a few things to say related to some of what you said about security in this episode.

    1. I think it's perfectly reasonable to blame Sony for getting hacked, though I'm not sure it's entirely their fault so much as the entire IT industry's fault. Just ask yourself, "Why are there companies that make anti-virus software?" Nowadays this seems to be just "the way things are" but there was a time when viruses first started showing up and the need for anti-virus software first became evident, and at that time, the big players like Microsoft, Sony, etcetera, could have bought out the companies that wrote that software and integrated it into their software, making anti-virus software part of what you bought when you bought a box. And if consumers had gotten used to anti-virus software being part of their PC experience, they would have demanded it be part of their console experience as well. The reason this never happened is that the big players never did and still don't take cyber security seriously enough, perhaps because it isn't THEIR information that is at risk, it is their customers' information, and in a continually expanding industry, getting NEW customers was always more important than keeping old ones. This is also a result of specifically the gaming industry's mistaken assumption that all its consumers are 13 years old. If you only have to keep them around a couple years, who cares if some of their info gets stolen? There will be a new crop of 13-year-olds next year who haven't been burned yet. Microsoft's entrance into the console market made this worse, because it has historically spent so little money and resources on information security and got away with it, its competitors felt they couldn't risk spending more if they were going to make competitive profits. So it's really a systemic problem, that just happened to bite Sony in the butt first and hardest. But they certainly COULD have done a number of things that would have prevented it. 
    They would just have had to turn around more than a decade of industry apathy about customer information security to do it.

    2. There is definitely a way for personal information not to be stored on PSN's servers. It could be stored on the console, and sent to PSN upon request. So long as Sony doesn't skimp on encryption making these transmissions easy to intercept, and can manage to do the right thing and actually delete the data after every transaction, well then, problem solved. Sure, if someone steals your console, they might be able to steal your information off of it, but they're not going to steal everyone's consoles all at once, and if they steal yours, you know there's a potential problem and can call your bank. The only reason Sony didn't go with this solution is that your information is worth more money to them than it is to you, mostly because you don't know how much it is worth.

    Almost everything else you said in this episode I agree with, though, so good work! I think the main problem is that if you're going to make a "not-a-security" episode because you don't actually know that much about security, you can't really claim to know how much security is reasonable to expect, nor where information can reasonably be stored.

  • JHTriune Registered User new member
    @Gheller If there is anything I've learned being an IT student, it's that NOTHING IS PERFECT EVER. No matter how great your IT staff, the highest quality of your AV software or even encryption, it will be hacked at some point. On your first point...

    1. I HIGHLY doubt any company has the frame of mind to not care about their current customers. Video games, as it has been said, are a niche market. They have become more and more generalized (my aunt plays Farmville, I have friends that don't own a console, but love Angry Birds) but for 360, PS3, and the Wii, it is technically still a niche market. Yes there will always be new customers, but wouldn't it be a better business model to keep those customers around as long as possible to make the most profit? Now that sounds more like what PSN did, not say "Oh well, we got hacked, we don't care, so we're going to do something else to try and get OTHER customers." If they had done that, we would be talking about the console wars between 360 and Wii. We as consumers would have thrown a fit, and Sony would have lost possibly billions trying to save their imagery. Instead, they did the best they could (even if it wasn't enough), and promised compensation, information on what happened, and so forth.

    2. Local storage of sensitive information is a terrible idea. Think about it, you have to send your private info over a non-secure line to reach a secured place. When you make a purchase on...say Amazon, it's secure because they have VeriSign and the site itself is encrypted (httpS). Yes, it can still be hacked but it is MUCH harder to accomplish. However, 360 and PS3 on your local device, and especially your lines in a house are not. A hacker then could wait until you make a purchase and intercept that data. Not to mention if it's on your local device and stolen, they now have access to all of your private and sensitive information. I personally would rather they take my 360 and I just lose that. It's not just about the money they might steal, it's other information like my address, my age, and my banking info that scares me. That can lead to fraud, and it's a terrible thing to experience. I'd rather let Microsoft or Sony keep my data, even if it means it might get hacked because it is not as hard to hack my 360 versus the guys that build them.

    Yes, they could create a secure line, an encrypted tunnel, to your house, but that is insanely expensive to do and might not follow laws or regulations in state/city/country.

  • lordshell Registered User regular
    You should check out a book by David Brin called "The Transparent Society". It's from 1998 but a lot of what you're seeing now is contained therein. http://www.amazon.com/gp/product/0738201448/ref=as_li_tf_tl?ie=UTF8&tag=f0cd4-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=0738201448

  • .Zephyr. Registered User regular
    I think it's really a general problem with something completely new - huge databases with zero mass processing cost. With a paper database, maintaining that huge amount of data is really hard, and any attempt to process it costs a huge amount of time and money.

    With a huge base in computer-based storage (PC/cluster/cloud/whatever) you can transfer/alter/query an incomprehensible amount of data in no time. With such possibilities security becomes a key issue. And with that at stake, the complication of IT systems and the possibility of anyone being a hacker due to the Internet's communication and education boost create a huge Pandora's box. It's a really tough topic, but the current state is appalling, I think, with no easy security solutions developed yet.

    The verification needed to write this post shows how undeveloped our current solutions are. A unique id and password generated by the user for every site... this is so bad... both from a user experience perspective and security - with that many id/pass you have to be a genius or do weak passwords or repeat id/pass or store them somewhere. All of the above are not really secure.

    I'm actually a bit glad Sony's incident happened, as it highlights very strongly what is to come. It's a completely new problem for humanity, so mistakes are expected to happen.

    More technical notes:
    Using IP for anything other than convenience is not really a good idea as it's not even designed to be secure. You can bounce off any proxy server that will say you are him to fool it.

    Interface issues are not security issues - you can keep data locally without the need for reentering them, you can connect a token with personal data to the console etc, so centralization and storing all data in one place is not the only way to do it in a convenient way. Security of all those solutions is a completely different matter. I think more local storage is actually better, as it makes large scale attacks harder. But with IT's ease of automatisation (write a script to attack many individuals) this might not really help. On the other hand it can lead to a variety of protective measures... this is an interesting topic but I guess it's for security specialists to discuss, especially as new technologies can make the situation completely different.

  • NocturnoCulto Registered User new member
    edited February 2013
    As .Zephyr. hinted, the only reason for databases of user data to exist at all is to allow the collecting corporation to use the data as they please. To protect both parties would need to use encoded data on both ends, with the user data stored locally, and accessed via a secure (some variation of asymmetric trusted keys comes to mind) connection.

    But any and all machines connected over TCP/IP (the Internet) suffer from the basic "fault." It's not secure, because it's like the postal service. You can send a postcard with everything about you. Or you can put a cryptogram of your message in an envelope to increase security.

    There is a cryptographic method to ensure that only a certain receiver can read a message sent from your machine, and that only your machine can read a message received from the other machine, over any medium, be it the Internet or international mail, or you shouting it out over a stadium full of people keen on knowing what you are telling.

    If they had used a secure client-server system, and not gathered it into a database that can be breached over the internet (would you make your business accounts available over all the Internet, instead of company intranet? IRS could get into your system!) this might have never happened. But they were sloppy.

  • TimeDagar Registered User new member
    I'm really late to this party, only just found "Extra Credits" and I'm running through the archives.

    For your question: why doesn't Sony just use the IP Address to determine location rather than gathering and storing it from the user...
    I don't see an answer in the comments, and I have no idea if anyone emailed it to you, so here is mine in all its humble opinioness.

    Fact is a lot of companies already do use the IP Address to determine location and they do so to offer you targeted content and even adjust pricing. Retail Web portals (ex Best Buy) will actually adjust the costs of items based on your location demographics (wealth, education level etc) and even the presence or lack of competing retailers near you.

    But there's a problem with IP Address being the sole method; in that tech savvy customers are able to tunnel and spoof their IP so that it looks like the end point is located elsewhere. This is often used by people who want to access content that is restricted for legal reasons. One example is a Canadian who chooses to tunnel through to US Servers and set up a US based Netflix account because the licensing agreements of some material is only Valid for the US.

    Companies that Deliver content with such restrictions need to do their best to provide services that are compliant with their legal agreements. To solely rely on an IP Address when it is known that this information's validity can not be definitively known (and in most cases is assigned dynamically) would be lacking in due diligence required to uphold the agreement.

    At least, if they have to ask for your location, and vet that information with let's say...a real Credit Card company for example, with 'real' information from the applications the user filed to get said card, then the company can plausibly say "from our end, it all matches up, so if there is any fraud or false information it is definitely the user feeding it to us, so the onus is on them"

    By putting the "burden of proof" onto the end user, the service provider gains a level of plausible deniability. Customers are subject to the terms of service, and I will bet that there are legal provisions that cover this sort of intentional bypass of their security. You know, along the lines of "by Agreeing to these terms, you assert you are of XYZ region". If you are found to violate the terms, then they can take action.

    Them not focusing on automatically gathering your information from your equipment also generates positive outcomes. I like my privacy, and prefer to give my personal information at my discretion. It also makes your Online Enabled, "bought and paid for in America" game accessible elsewhere in the world because the system looks at what market you belong to natively rather than where you are right now.

    And with the advent of digital distribution and a bit of tech skills, one can now get their content free of localized censorship so that the exchange of ideas (for better or worse) becomes even more free. But that's bad to cultures that don't subscribe to our liberties.....like China, whose government does everything they can to control the flow of information to its people.

    TL;DR
    Companies do rely on IP Address Data to both Target and Restrict content based on region, market, demographics etc. However it's not reliable as a sole source of a customer's location as the address presented can be manipulated by the end user to feed false data. Never assume they don't.

  • OsterPenPen Registered User regular
    edited May 2013
    As a student getting a degree in IT Security I am certainly not an expert, but I definitely have more background in how the Internet works than the average lawyer... which is a shame, given that lawyers are trying to regulate it. Different topic.

    Anyway, IP information is notoriously unreliable. There are tools designed to help with this, read the Wikipedia page on IPSec if you want an idea of just how massively deep that rabbit hole goes. Ergh, different topic.

    So, IP information is unreliable. First and foremost, your IP address can and likely does change, regularly. It depends on your ISP. See, there's only 3,706,650,624 IP version 4 addresses available in the world. Last I heard, we were scheduled to run out about nine months ago. IPv6 was deployed to solve the problem, but like always the US has been slow to adopt the new technology, despite being fundamental in inventing it. So ISPs are overbooking their addresses. They'll take a pool of addresses, and only assign them "as needed". Now there are reasons why someone would need a constant IP address, and you can get that. It's called a "Static IP", and your ISP will be happy to tack on a charge for it. Otherwise... well, you never know. I could go on for hours, but that's the short answer to your question.

    And this is assuming people are being honest. There are ways to mask your IP address, or pretend to be someone else. It's not even hard, go to hidemyass.com for a simple, mainstream example.

    If you want to get an idea of just how deep this particular rabbit hole goes, read the Wikipedia page on IPSec. Really understanding the gist of what that particular protocol is for will probably take you an hour, as long as you don't worry too much about "how" and I think your mind will be boggled by just how much time and money is going into things the general public is, by definition, not supposed to ever worry about.

  • Desirsar Registered User new member
    Working my way backwards through the seasons I haven't seen. Very amusing to see this with the statement for the platform holders at the end after the Xbox One PR disasters. The lesson was not learned.