On the PSN Relaunch Announcement


Totally agree. A lot of people seem to be hating on Sony for this, but they've handled the situation both gracefully and generously. It's difficult to humbly admit to and apologise for our mistakes, and it's hard to imagine how tough it must have been for such a large-scale problem.

They didn't bring out fucking "Kevin Butler", that's good enough for me.

Baldr:
No, they have not fixed the problem. It's all about their lack of network security and it is still horrid. It should have never been that bad to begin with, and now they are a big target.

Working for Sony, you know all their new security systems, and can comment with this kind of confidence.

Otherwise, this comment would be foolish.

Stevepinto3:
They didn't bring out fucking "Kevin Butler", that's good enough for me.

Penny Arcade had a different take on that...

OT: This didn't affect me, though I find it funny that the same people who were raging last week saying they were over with Sony are now back. Like an abusive husband...

cpt blackamar:
well, it's about the only thing they've done right here

"It?" You mean the list? That's a lot of things they've done right, right there.

High praise.

Dexter111:
I saw this on your Blog-thingie :P

Honestly, it rather reminded me of this:

Actually, I kind of see that as almost the opposite. For a while there, BP was taking every opportunity it could to show you how good a job it was doing cleaning up the spill (hell, watch the video that you posted--he brags about how this is the biggest cleanup ever). Sony owned up to the mess, accepted responsibility, and asked for our trust and patience. BP, conversely, said that they're doing an awesome job and that we should be proud of them for saving the day. Whereas Sony used the announcement as a true apology, BP used it to advertise. Maybe you didn't see it that way, but their entire campaign really bothered me (it's kind of like they were expecting a reward for trying to clean up their own mess--which they didn't even do a very good job of).

This thread is painful to read.

OT: I agree, this was about as good as they could get in terms of an apology.

SL33TBL1ND:
This thread is painful to read.

Yeah, the fanboys and anti-fanboys are really out in force here.

Delusibeta:

SL33TBL1ND:
This thread is painful to read.

Yeah, the fanboys and anti-fanboys are really out in force here.

That and the <300 posters with their awful grammar and assumptions.

I personally find the apology acceptable and indeed even admirable. Not only do they admit they had a hand in the problem (an admission that will almost certainly cost hundreds of millions if not billions of dollars) but they don't try and use the fact that they, for a brief moment, had my undivided attention to sell me some product or another. I honestly don't know what people actually expect Sony to do in this case above and beyond what they have already done short of time traveling and preventing the problem in the first place. To all those who remain unsatisfied, what could Sony realistically and reasonably do as a gesture of apology that would satisfy you?

Jumplion:

unwesen:

One group of people had (or might have) the password for everyone else.

This. This should never have happened. It's a n00b mistake to store plaintext passwords; any half-witted security engineer will tell you not to do it. That Sony has somehow done it is unforgivable, in terms of trusting their security solutions.

It wasn't in plaintext/cleartext, though, they've clarified on that.

Alright, I hadn't seen that! That's good news, I think. So far I'd only seen that passwords were stolen, which suggests plaintext, otherwise there's nothing to steal... unless they hashed them without a salt. Unfortunately, they didn't clarify that in the article :(

I'm glad to hear a report/article that I can actually get behind. I don't use my PSN much at all, but reading the reports of what happened and how Sony was responding, I kept thinking, "From their standpoint, could I do much better at this point?" I don't know anything aside from what has come out from Sony and other sources, but it seems to me they are MUCH better than most other companies when it came to owning up to what happened and telling their customers what was going on.

I was reminded of Wizards of the Coast, who essentially stopped supporting a premium service for around 3 months before telling anyone why they were doing it. Sony is showing the appropriate amount of contriteness for me, though apparently there are some who will never be satisfied no matter what Sony says.

unwesen:
-Snip-

Thank you. Mainly your last part is something I'm glad others have taken note of.

No one seems to realize that this "breach" has seriously put people who used a universal password for their online accounts at serious risk.

What if the one company they hired missed something during their investigation and ended up leaving another problem to exploit? If you have three teams combing through your network, you have three sets of eyes scanning the same area that would pick up on different problems. It is not a pointless waste of money, it is called being thorough in your investigation. Have you never looked at say, an essay or assignment and noticed something in it someone else missed, like a typo or just any sort of error that is detrimental to the work as a whole? Same sort of concept, different people find different problems, just as how these three firms are going to find different problems in different areas. It is just naive to think that one group's investigation is going to find everything.

I don't know about any of the rest of you, but I'm patient about the whole thing, they do their work, I have no business in nitpicking it.
Judging by the fact that absolutely everyone else is angry about it, should I be?

My god. People just love to hate. As an affected PS3 owner, I thought the apology and rewards (Well that's debatable, but that's just luck of the draw I suppose) were pretty good. Considering nothing of this scale has happened before (to my knowledge), Sony responded the best they could.

My favorite part about this thread is how people are trying to call Shamus out. Yeah...real classy. Attack his opinion and insult his journalist integrity. That's gonna work out real well.

Scrustle:
This is probably the first real positive reaction I've seen to the return of PSN. So far all I've heard is entitled brats moaning about how 2 weeks without PSN has ruined their lives and how the welcome back bonus doesn't even come anywhere near healing the gaping mental scars of this whole fiasco (which they will probably forget about in a few months). Good to see someone is actually being mature about it.

Ignoring the whiny brats for a second, a lot of people have legitimate complaints about this whole fiasco. For starters, it wasn't down for two weeks. Try tripling that number. When all's said and done it'll have been out for ~40 days. That's huuuuuge. Enough to even make ME, a mega PS3 hater, feel sorry for them.

You have companies who only work on PSN who have been making zilch, and then you have legitimate adults with credit card info, email addresses, etc. stolen. This is well beyond children complaining about not being able to game.

The funny thing about scandals and catastrophes, be they real world or online, is that they generate a lot of negative press. There's a reason Microsoft wasn't getting lots of hugs and high-fives when the RRoD came a calling.

Do you really expect a lot of people to go around with warm and fuzzy feelings when talking about this? "Hey, wow! I'm so excited that I get to order a new credit card because my old one's been compromised! Yippee!"

My only problem with crediting Sony with anything at this point is that it's VERY easy to do the right thing when you don't have a CHOICE. They're on the hook; they're going to say WHATEVER YOU WANT TO HEAR. There are so many entities, corporations, governments, lawyers, etc, breathing down their necks right now, the decision on how to handle this is almost being taken away from them.

Call me if they show this lovely sense of humanity when the chips are in their favor and they have the wiggle room to decide how to handle things. THEN I will give them some credit.

Brian Hendershot:
My favorite part about this thread is how people are trying to call Shamus out. Yeah...real classy. Attack his opinion and insult his journalist integrity. That's gonna work out real well.

I'm networking-illiterate, so I can't speak to the information Shamus mentions in this particular article, but more than just occasionally he's shown a propensity for not ensuring his data/quotes are 100% accurate. Should we just nod and accept what he says instead of correcting him?

Baldr:
No, they have not fixed the problem. It's all about their lack of network security and it is still horrid. It should have never been that bad to begin with, and now they are a big target.

Unless you've got a whole lot of details to share with us about how exactly the PSN network has been changed and not changed, I'm going to have to consider the "it is still horrid" assertion to be in the "bullshit walks" category.

The.Bard:

Brian Hendershot:
My favorite part about this thread is how people are trying to call Shamus out. Yeah...real classy. Attack his opinion and insult his journalist integrity. That's gonna work out real well.

I'm networking-illiterate, so I can't speak to the information Shamus mentions in this particular article, but more than just occasionally he's shown a propensity for not ensuring his data/quotes are 100% accurate. Should we just nod and accept what he says instead of correcting him?

Are you kidding? [sarcasm]. Let's just throw our opinions around like they are facts. And pull facts out of our ass and pretend like they are divine word. Because you see my friend, the first rule of the internet club is that everyone is wrong. Even God.

EDIT: I love how people are super hung up over the fact that SONY hired more than one company to check out the security breach. If 77 million people's information has been stolen, I would hire every damn company in the world, just to make sure nothing gets missed.

You know, I've seen many companies screw up big time. But in my statistically biased observations, I seem to have the impression that Japanese corporations tend to do a better job admitting their mistakes compared to other nations.

Don't know what you guys think about it. But personally I think Toyota did a good job with their recall crisis; the Japanese nuclear crisis was also handled rather nicely with their apologies.

Fact is we all screw up, it's not like the Japanese screw up more often, but I do appreciate their sincerity over other companies like BP. Seriously I really wanted to punch the narrator of their apology video. It came off as super arrogant.

Brian Hendershot:

EDIT: I love how people are super hung up over the fact that SONY hired more than one company to check out the security breach. If 77 million people's information has been stolen, I would hire every damn company in the world, just to make sure nothing gets missed.

Haha, yeah totally agree with you, but so far I've only seen 1 "hubris" fool complaining about hiring 3 companies as an arrogant action. He got totally taken apart by the rest of the forumers lol...

powell86:

Brian Hendershot:

EDIT: I love how people are super hung up over the fact that SONY hired more than one company to check out the security breach. If 77 million people's information has been stolen, I would hire every damn company in the world, just to make sure nothing gets missed.

Haha, yeah totally agree with you, but so far I've only seen 1 "hubris" fool complaining about hiring 3 companies as an arrogant action. He got totally taken apart by the rest of the forumers lol...

Lol I just skimmed over everything I must admit. I just figured it was a bunch of people getting mad, instead of one guy repeating himself or getting quoted a lot.

I kinda stopped caring about the PS3 thing. I only read this article because, well, it's Shamus Young.

I have and still take the view that no-one really knows anything about what went on, positive or negative, Sony or not Sony.

I mean Sony and national security organisations have been on the HUNT and turned up not a whole lot and are pleading for leads and information after a detailed month+analysis on the problem with highly trained professional experts.

And what we've seen in this thread, is the wikipedia problem, of how rumours and blogs get sourced by rumours and blogs which are then posted as fact and people look at this, fit it into their world view and then unavoidably end up posting their rumour-substantiated subjective opinion as fact.

I mean I've ended up doing it in this post and it's not like I meant to.

On the internet anyone can pretend they're a Sony insider and every time a rumour is posted, no matter how much it's debunked, it increases the information because the very fact that it's posted as news makes it seem important in our minds (the Fox News strategy, if you report every wild accusation that Obama is a foreign spy, no matter if you say at the end "this is a rumour that hasn't been substantiated yet" you end up with 61% of your viewership doubting their evidence of Secret Service vetting and multiple birth certificates)

So yeah, nice post by Shamus but this thread (and this post) fails life :D

Brian Hendershot:
Are you kidding? [sarcasm]. Let's just throw our opinions around like they are facts. And pull facts out of our ass and pretend like they are divine word. Because you see my friend, the first rule of the internet club is that everyone is wrong. Even God.

Precisely right. Which is why, when someone like Shamus makes a mistake, it's important to correct him, whether it's so he can update the article with the correct info (which I've seen him do), or to let others know that what he has may not be 100%. I think it's the strength of conviction he puts into his articles that makes people want to call him out when he's wrong. But I'm just guessing.

Any rate, my point is just because we can't achieve perfection doesn't mean we should shrug our shoulders when something is wrong. Especially now that everyone and their mother has a voice out here. Bad info spreads fast.

EDIT: I love how people are super hung up over the fact that SONY hired more than one company to check out the security breach. If 77 million people's information has been stolen, I would hire every damn company in the world, just to make sure nothing gets missed.

Are they? Other than the shock of how long this thing has been going on (I don't own a PS3, so my concern is more like the dude slowing down for the car wreck) I'm way out of the loop on the pulse of this PS3 ordeal. I'd agree with you, though. If I was working for Sony's security branch I'd probably be hiring every security expert available to help clean up the mess.

Sony screwed up. We know it, they know it. This is one part of the story. They should have better security layering than that.

However, I think Sony did handle the debacle quite well. And I share the feelings of the OP about each and every topic. I was sincerely hoping for a Playstation Blog message, some crappy indie games and a sad face emoticon.

To my surprise, they did exactly the opposite. They admitted to the screw-up without any garbled marketish, they gave the playerbase some great choices of games (which, of course, could be more varied, but hey), and they treated their customers as adults. I cannot stress how important the last item is for me, and for many others.

I go back with Sony since Betamax. And I'll continue to support them if they are willing to learn from their mistakes and continue to treat us as non-imbeciles.

Nice read, OP, thanks.

I agree with Shamus completely.
Maybe I'm too much of a good guy, but I was like "hacks happen, nothing is 100% safe" and at Sony's bow I thought "Wow, they are serious about this..."

captcha: basic saysmiti

They handled it OK. Not above expectations, not below them either. Though I'm not entirely sure of how I feel about the "free month of Playstation Plus" compensation. I know it's supposed to compensate for the downtime and not for the whole identity theft mess, but is it really appropriate to use a situation as grave as this one to push what is essentially a free trial of their paid service?

Littaly:
They handled it OK. Not above expectations, not below them either. Though I'm not entirely sure of how I feel about the "free month of Playstation Plus" compensation. I know it's supposed to compensate for the downtime and not for the whole identity theft mess, but is it really appropriate to use a situation as grave as this one to push what is essentially a free trial of their paid service?

Having worked at a few completely unrelated companies, I can say that it seems that companies first response to any problem is something along the lines of, "Let's see what we can do about it, and in the meantime, here's 30 days of some extra service for free."

sunami88:
In fact, I'm proud to say that I haven't bought anything with the name "SONY" on it since about 2006;

You're entitled to the feeling of course, but why would you feel "proud" about that? Because you're better than us poor people that have purchased Sony products? Because you've purchased products from companies with flawless track records? If you've got an Xbox360 I'd daresay the RROD problem is not looked upon fondly by anyone.

Oh wait, you've got a Wii, right? With its robust and well done online component and easily navigable store and endlessly retreaded franchises?

Come on, don't play off your personal opinion of Sony into some sort of superiority complex. No one, and no company, is perfect. You may not like Sony (personally I don't like Microsoft but I was never proud to not own any of its products), but there's nothing to be proud of there.

sunami88:
I don't see why they couldn't just get one team and work with them.

Exactly. You don't and can't see why they might hire three companies and not just one, so where do you get off questioning it?

Pandabearparade:

Scrustle:
So far all I've heard is entitled brats moaning about how 2 weeks without PSN has ruined their lives.

Granted, I don't own a PS3 and don't think I ever will, but isn't PSN something they have to -pay- for? If so, it's a service that they -literally- are entitled to, so they have right to behave accordingly. The same would apply if their cable went out for two weeks, that's a service they paid for and they have a right to demand quality.

Of course, this argument is nulled if the PSN is a free service, I'm too lazy to check.

You know, it would have been way quicker to google whether or not the PSN is free, than it was to type out that mindless comment.

For the record, basic PSN access is free. PSN+ is a paid service.

Sovereignty:

unwesen:
-Snip-

Thank you. Mainly your last part is something I'm glad others have taken note of.

No one seems to realize that this "breach" has seriously put people who used a universal password for their online accounts at serious risk.

Let's be clear here, though - people who use a universal password for their online accounts have been seriously at risk from the moment they started doing that. Sony exposed that password, but they were waiting for the doom to come down upon them. And I suspect that their password has already been compromised at least a few times - hell, the most sophisticated scams I've seen involve people putting up sites that advertise a legit product (or, more cleverer still, a potential product that's desirable), asking people to create an account, and then just running the site while their friends use the user/pass combo everywhere they can think of.

*That's* nasty.

Doesn't excuse Sony in the slightest, to be sure.

unwesen:

Around the three minute mark he did point out the hackers are always hacking things, like they do, but he didn't repeat the meme I've been hearing lately that "no network can ever be secure".

Not so much a meme but simple truth. It's also true that networks can usually be secured just enough for the requirements of the use-case.

Good solution to the PSN password problem.

Debatable.

One group of people had (or might have) the password for everyone else.

This. This should never have happened. It's a n00b mistake to store plaintext passwords; any half-witted security engineer will tell you not to do it. That Sony has somehow done it is unforgivable, in terms of trusting their security solutions.

From their standpoint, how could you ever be sure of anyone's credentials ever again?

They can't. They never could. You can sign up to PSN without any meaningful proof of who you are, so that hasn't actually changed much.

I'm not a security expert, ...

indeed.

... but I think their solution to the password problem is a good one.

It isn't, though.

You have to change your password when you log in again. You can only do so from the machine you've been using.

You think. Sony wants. It's a password-based authentication system, and the authenticity of the person trying to change the password is "proven" based on their old password.

The "machine" part can be faked. It'll take a bit to find out how to fake it; you'd better change your password before someone does that.

This means a hacker with the full list of passwords can't log in and pretend to be any of those people, even though he's got their login.

And that is not the problem. The problem is that most people re-use the same password (or almost the same password) over and over again. I doubt the PSN hackers cared about hacking PSN; I'm fairly sure they cared about obtaining email addresses, user names and passwords. Now they can use that to pay with your paypal account, read your email, harvest more information from your facebook account, etc. That's where the value of having stolen passwords lies.

Having said all the above, I don't think Sony responded particularly badly. They did what you need to do: shut down (ignore the cost of that), and hire someone who knows what they're doing to perform an audit. Engineer a solution for people to regain control over their account. Apologize.

But the damage is already done, and because of a painfully silly oversight. That doesn't really make me feel warm and fuzzy inside about whatever they've replaced their system with.

This.

I'd rather sony say something along the lines of 'well, at least it'll take them an average of a million years to figure out what they stole guys. So change your passwords before then eh? Ha!'

Seriously? Plaintext? Really sony? REALLY?

Zom-B:

You know, it would have been way quicker to google whether or not the PSN is free, than it was to type out that mindless comment.

*shrug* I added a caveat in case I was wrong (which I was), but I was reasonably sure that PSN was a charged feature, like xbox live. Regardless, no need for hostility.

Firehound:

This.

I'd rather sony say something along the lines of 'well, at least it'll take them an average of a million years to figure out what they stole guys. So change your passwords before then eh? Ha!'

Seriously? Plaintext? Really sony? REALLY?

As was pointed out to me, Sony *did* issue a statement that the passwords were not stored in plaintext, but as hashes. Unfortunately, the statement did not include whether or not the hashes were salted.

A bit of an aside for the non-crypto-geeks about hashes and salting:

Hashing means transforming plaintext (like your password) into some other bytes. Given the same plaintext and the same hashing algorithm, the result will always be the same. That means that websites (or PSN) don't have to store your plaintext password to know whether the password you entered is correct: they store the hash, compute the hash of what you've entered, and if they're the same then you got the password right.

Cryptographic hashes have another important property: they look random, which means a tiny change in the plaintext will lead to massively different hashes. That makes them fairly secure for storing passwords, as it's next to impossible to guess what the plaintext password was by looking at the hash.

But attackers can work around that with something called a rainbow table. That's just a big table of plaintext and hashes computed from that plaintext. Just like the server doesn't need to know the plaintext if it knows the hash, neither does the attacker. If they see a hash, and look that hash up in a rainbow table, they can find the plaintext password.

So it's best to "salt" hashes: for that, you concatenate the password with some random gibberish called a salt, e.g. "s3kr1t" + "shfkusg", and compute the hash over that. Then you store the resulting value and the random salt.

When a legitimate user enters a password, you can still compute the hash as you know the salt, and make the same check as before. But when someone tries to compare your hash against a rainbow table, they will fail, because it's infeasible for them to try all possible salts. Even if they *did* know the salt, computing a hash with all possible passwords for that salt would take ages.

My problem with Sony is now a bit different: given that they spoke about passwords being stolen, I must assume one of two things:
a) They did not, in fact, communicate well. If salted hashes of passwords were being stolen, that's not too bad of a problem.
b) The hashes were unsalted, and therefore the theft of those hashes is akin to stealing passwords, and they communicated well. But they still failed at basic cryptography.

Would love to know which it is.
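The hashing and salting described in the post above, as an added worked example (written for this page; it is not Sony's code and not the poster's). The user records, the per-user salts and the attacker's wordlist are all constructed here. The block shows what a precomputed hash-to-plaintext table recovers from an unsalted dump (including which users share a password), why the same table recovers nothing from a salted dump, and that once the salts are known the attacker is pushed back to rehashing the whole wordlist per user. The last function swaps plain SHA-256 for PBKDF2 so that each guess is deliberately expensive, which is what makes that per-user work costly in practice; the iteration count is an assumption for illustration.

```python
"""Unsalted vs. salted password hashes, and what a precomputed table buys an attacker.

Added example for this thread. All data below is constructed; nothing here is PSN data.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

# Constructed attacker wordlist: stands in for the plaintext column of a rainbow table.
WORDLIST = ["123456", "password", "letmein", "s3kr1t", "qwerty", "dragon"]

# Constructed user records (not real accounts). alice and dave share a password.
USERS = {
    "alice": "123456",
    "bob": "s3kr1t",
    "carol": "Tr0ub4dor&3",  # not in the wordlist, so neither attack below finds it
    "dave": "123456",
}

HashFn = Callable[[str, bytes], str]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: the same password always yields the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password, the scheme the post describes."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def hash_slow(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted *and* deliberately slow (PBKDF2-HMAC-SHA256): every guess costs the
    attacker about `iterations` hash computations instead of one. The count is
    an illustrative assumption, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Simplified precomputed table (hash -> plaintext). Built once, it is
    reusable against every unsalted dump that ever leaks."""
    return {hash_unsalted(w): w for w in wordlist}


def store_password(password: str, hash_fn: HashFn = hash_salted) -> Tuple[bytes, str]:
    """Fresh random salt per user; the record is (salt, hash)."""
    salt = os.urandom(16)
    return salt, hash_fn(password, salt)


def verify_password(password: str, record: Tuple[bytes, str], hash_fn: HashFn = hash_salted) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(hash_fn(password, salt), stored)


def crack_with_table(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Unsalted dump (user -> hash) against the precomputed table: one lookup per user."""
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted_with_table(dump: Dict[str, Tuple[bytes, str]], table: Dict[str, str]) -> Dict[str, str]:
    """Same table against a salted dump: the table was computed without the
    salts, so no stored hash matches any table entry."""
    return {user: table[h] for user, (_salt, h) in dump.items() if h in table}


def crack_salted_brute_force(dump: Dict[str, Tuple[bytes, str]], wordlist, hash_fn: HashFn = hash_salted) -> Dict[str, str]:
    """Salts are stored beside the hashes, so the attacker knows them, but must
    now rehash the whole wordlist separately for every user."""
    found: Dict[str, str] = {}
    for user, (salt, stored) in dump.items():
        for guess in wordlist:
            if hash_fn(guess, salt) == stored:
                found[user] = guess
                break
    return found


# Two views of the same constructed user base: one stored unsalted, one salted.
UNSALTED_DUMP = {u: hash_unsalted(p) for u, p in USERS.items()}
SALTED_DUMP = {u: store_password(p) for u, p in USERS.items()}
TABLE = build_lookup_table(WORDLIST)

if __name__ == "__main__":
    print("shared password visible in unsalted dump:", UNSALTED_DUMP["alice"] == UNSALTED_DUMP["dave"])
    print("shared password visible in salted dump:  ", SALTED_DUMP["alice"][1] == SALTED_DUMP["dave"][1])
    print("table vs unsalted dump:       ", crack_with_table(UNSALTED_DUMP, TABLE))
    print("table vs salted dump:         ", crack_salted_with_table(SALTED_DUMP, TABLE))
    print("per-user brute force, salted: ", crack_salted_brute_force(SALTED_DUMP, WORDLIST))
```

Run it as a script and the unsalted dump gives up alice, bob and dave in three dictionary lookups (and shows that alice and dave share a password before any cracking happens), the salted dump gives up nothing to the same table, and the per-user brute force recovers the same three names only by hashing the wordlist four times over. Passing `hash_slow` to `store_password`, `verify_password` and `crack_salted_brute_force` keeps the legitimate check cheap (one PBKDF2 computation per login) while multiplying the attacker's per-guess cost by the iteration count.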

