First of all let me be clear: it was an EPIC FAIL, anybody saying otherwise is pretty much deluded. On the other hand, even though I’m one of those users who have enough rights to be upset with Sony (I just renewed my Plus subscription a couple of weeks ago), I don’t feel like this is all like people pretend it to be. A lot of the sentiment you see out there seems to come from people who aren’t in that database at all, and who are just trying to take a shot at Sony, either because they hate all corporations alike, or because they still feel they should have kept Linux an option on the PS3s, or even more likely because they would like for Sony to invest more in developing consoles but pretend not to pay for games.

Am I being cynical? Probably. But I also read enough posts over the last year or so that seem to pretend that each and every PS3 owner should have felt robbed of the opportunity of running Linux on their systems… and as a PS3 owner myself, I don’t really see what’s the point. Sure there were a couple of things that as a Linux enthusiast and hacker I would have liked to be able to do, but with the exception of the clustering efforts to crunch numbers (which seem to be a field nowadays in the hands of high-end graphics cards), the most useful thing I have seen done with Linux on a PlayStation 3 has been testing BluRay movies with Linux, like Steve “beandog” posted on Planet Gentoo a long time ago.

But my take is more interested in putting into perspective what the EPIC FAIL was about. Definitely I don’t count a general intrusion an EPIC FAIL by itself: most systems out there are going one way or another to fail… of course, we don’t expect them to fail as badly as putting at risk this many users. But then again, my main reason to think that Sony misdesigned their whole network is a simple one: the intruders gathered the users’ passwords.

Given that I expect most people commenting or reading about this are non-technical gamers (and people who don’t play but, as I said above, want to feel smug about it), I don’t expect most of them to put this into context: “Obviously Sony knows my password! I tell it to them every time I connect!” - which for anybody who ever worked on securing web applications is a very naïve statement.

When you design a secure login system you do not store the password, but rather a function (hash) of it; when the login request comes in, you take the received string, apply the same function to it, and compare the result with the one you stored. Bonus points for salting such hash so that the same password, on two different users’ records, would be saved differently. Which is why on good systems you have “Reset password” options, and not “Recover password” ones (and why I loathe those systems which do send me back my password).

The fact that Sony declared passwords and (interestingly) security questions as compromised makes it apparently likely that they didn’t store the hashes, but rather the cleartext passwords. I’m not sure about this myself to be honest: it sounds very stupid for them to make such a puny mistake, but Occam’s Razor calls for the most obvious explanation and that is definitely it. A more complex (but still feasible) explanation is that the intrusion was a long-term one, and that the intruders were able to snoop the passwords between the user and the authentication chain, during the time they are left in cleartext, from the application’s point of view.

I’ll leave a point for discussion for those who have had to deal with credit card handling: I know that there are security protocols that need to be followed to be given access to processing credit cards; is the “hash the passwords” one missing? If so it might be as much the fault of the credit card companies as it is of Sony.

Speaking about long-term, I’m still not sure why everybody assumes that the (apparent) DoS on Sony’s infrastructure was related to the intrusion. Most complainers seem also to ignore Sony’s statement about finding out only later on that the database was compromised up to this point. By experience, it sounds like oversimplifying the situation. Until further pointers, it cannot be entirely ruled out that the intrusion was an inside job, maybe happening for months or more by now, and that the DoS only served unintentionally as a method to catch the auditing guys’ eyes. Personally I’d believe that on the count that Sony is not telling you that your currently listed credit card is compromised, but that any credit card you used is compromised.
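The hash-and-compare login design the post describes (store a salted one-way function of the password, recompute it at login, never keep the cleartext), as an added example that is not code from the post; the user table, the PBKDF2 work factor and the sample passwords are constructed for illustration:

```python
import hashlib
import hmac
import os

# Constructed for this example: a PBKDF2 work factor and an in-memory
# "user table" standing in for the database the post talks about.
ITERATIONS = 200_000
USERS = {}  # username -> {"salt": bytes, "hash": bytes}; no password is ever stored


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way function of (salt, password): what gets stored instead of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    # A fresh random salt per user, so the same password on two records hashes differently.
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(username: str, password: str) -> bool:
    # The login path: recompute the function over the received string and compare.
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work so timing does not reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(candidate, record["hash"])


def same_password_stored_differently(user_a: str, user_b: str) -> bool:
    # What the "bonus points for salting" buys: two users sharing a password leave
    # no equal hashes in the table, and a dumped table alone cannot be "recovered".
    return USERS[user_a]["hash"] != USERS[user_b]["hash"]


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")  # same password, different record
    print(verify_login("alice", "correct horse battery staple"))  # True
    print(verify_login("alice", "wrong password"))                # False
    print(same_password_stored_differently("alice", "bob"))       # True
```

There is deliberately no function that returns a user's password: with only the stored salt and hash, the best the system can offer is a reset, which is the "Reset password" versus "Recover password" distinction the post makes.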