You'd really think Sony would have pulled out all the stops and finally got PSN to at least start looking secure.
Completely and utterly pathetic...
Four days after the PlayStation Network reopened, Sony has taken down login and password recovery pages for the service following reports they contained a serious flaw that was actively exploited to hijack user accounts. The vulnerability, which was first reported by UK-based gaming news site Nyleveia.com, required only that an …
So, knowing the sign in ID, DOB and e-mail address enabled the ability to reset the password. And this makes SONY a bunch of tossers?
Seriously, given that data for almost ANY online service you could change the password. 3D secure for instance, that great level of protection provided to us by the card companies doesn't even need that much info to crack - DOB is all you need. Let's remember PSN is a gaming network at it's heart, not a damn bank.
Bring on the fanboy flames. Sony aren't any worse than everyone else who's got user data when all's said & done.
Be under no illusion that 3D secure is there the help the consumer. It is simply a tool to make it easier for banks to pass the blame to you if your account gets hijacked.
It was *never* designed to make transactions secure; most of the details (sans DOB) needs to be put into the transactions.
But that's not what the banks tell us it is. You are free to assume I'm an idiot, but I would personally prefer you to judge based on what I have said, rather than things I haven't.
I honestly didn't think it would be needed for me to list every service on the web that you can crack if you know the sign in, DOB and e-mail address for an account. I just plucked an example out of my head for which you need just one of the three.
You mean the fucking whole of Asia. I have not been able to log in to my PSN account for over a month now. Apparently they want to have Japan's servers back up first before turning on the Hong Kong/Taiwan server, which will then restore services to the rest of Asia.
Aside from getting that 3.61 firmware update, I've not used my PS3 for anything useful since it went down.
So a PS3 can't be used without a 'net connection? Glad I didn't go through with buying one a month or two ago! I was planning to use it as a Blu-Ray player, maybe to stream content off my home network and to maybe play games.
But it if needs an Internet connection to do that - forget it.
Connecting to the internet works perfectly fine on the PS3. The problem for the last month is the PSN network (a service that runs on the internet). This solely affects services tied to PSN i.e. online gaming, music services like Quirocity, Vidzone.
Obviously you can still play Blurays and access online stuff from them (as it doesn't need PSN) and you can stream stuff on your online network (as that clearly has nothing to do with PSN). Games you can STILL play - just not any online features (as that will be tied to PSN).
So stop moaning.
Yes, a PS3 will work without an internet connection. It can get firmware updates via the game media, and it'll still stream stuff from the likes of PS3 Media Server without any issues (I've got my PS3 attached to my network but configured in such a way that it doesn't get onto the Internet and it works fine, it also works fine with the wireless turned off and the Ethernet cable not connected).
For the SOE network I didnt have to do any workarounds or special methods, I launched a game and was asked to change password on the SOE site, the site presented me with boxes to put my existing username+password in (the info that has been supposedly retrieved). I then put in a new password. That was it!?!
at the very least I would have had it initiate sending a link to my email to present a reset password page to at the very least help verify who I was with a method that requires more than whats already been leaked to change my account info.
...but not everyone on the PSN is as organised as you. A significant number of users are:
1) 10 year olds
2) Lied about their age so they could play COD and forgot what birthday they used and
3) Just set up a now long forgotten Hotmail account to get access
Sony know this. As a result they also know what kind of PR disaster they'd have on their hands if 10 million 10 year olds all lost their rankings, trophies & other "achievements". If you'd tried it on a different console you would have been forced to go through an e-mail confirmation scenario.
Although I wasnt talking about PSN, I said SOE! the other part that got h4x0r3d!
Yes I find it odd have said my suggestion of it being unsecure to just need a username and password to change the details and needs some additional way to secure it and avoid only needing the details that have been retrieved, clearly some people are stupid!
SOE setup only needed a username and password, let me do what I want with it, it seems yes I did get an email to say someone changed those details but I actually missed that, assuming it was spam/ads no doubt.. an after the event warning is not a good process, what if someone has changed their emails since??
I repeat.. pathetic SONY!
"..........required only that an attacker know the date of birth and email address associated with a targeted user's account..............."
Actually the words that came to my mind were "shagging contest" and "brothel". All I can say other than that is *unfuckingbelievable*.
I'm beginning to wonder if Sony has anybody on the staff with even half a clue about RealWorld[tm] security.
I'm also beginning to wonder about the sanity of the fanbois flocking to get back into Sony's insecure network ... what are they thinking? And then I realize they are probably also running software written in Redmond or Cupertino, and I realize that they aren't.
This is why my company avoids open-source crap, they are afraid of being associated with all the crazies. That and the management is really starting to hate this whole "Open Source vs. Proprietary" war, event though the two aren't mutually exclusive, but the fanbois on both sides make it seem like they are.
I run Windows, OSX and Linux - and I'm not a fan of either but I find myself using OSX the most. However, somehow I don't have this compelling need to immediately bitch about anyone else's approach to computing.
You see, I don't need technology to have a degree of self worth. I only insult people because it amuses me :-)
... That is just such a schoolboy error. I know let's do a password reset...
Ok, we need a unique code that is sent to the account holders email address and that is all, we must store the code securely on our servers, the code should be a one shot affair and time out.
So send the code to the client browser too? No no no, just to the account holders email address otherwise it defeats the fricken point!
From the wisdom of Scott Adams, author of Dilbert.
Consultant is derived from two common english terms:
Con - (ruse, to persuade by deception). You need my services because I am an independant third party with some sort of industry certification that is deemed more essential than practical experience by marketing drones and I am cheaper since I require no medical, vacation, severance or other expenses. Since the IT team is a hodge podge of revolving door rent-a-techs documentation is available...somewhere...in bits and pieces....but probably not.
Insult - what is charged for services.
Consultants are there to con and insult you. However the Powerpoint presentation always bedazzles, contract gets signed!
Hopefully we get to know the name of what vendor they outsourced the maintenance of PSN to. Doesn't say they outsourced but c'mon, do we really need to connect the dots? 3 weeks and still hackable by simple means?
PS I am a consultant. Over 3 years here, used to have a really good team of engineers, all left for greener pastures and I now manage a group of revolving door rent-a-techs!! woohoo!!
If they are so deeply deficient you have an absolute mountain of a job to get it anywhere near secure, because it has all the decaying reek of a security retrofit (the "oops, we better add some" at the END of a development cycle).
I personally wouldn't want to get near a position which places you at the receiving end of pressure to go live as soon as possible by the clowns who commissioned the original cockup and who are now massively losing face, and the demands of a proper redesign where security is actually an integral part. Whatever happens, you get blamed. Having said that, if they pay a LOT I may reconsider, but here past record seems to suggest they will go for the cheapest bidder (again).
So no thanks. I'll step back a bit, get some popcorn and watch the fire instead.
At least in Firefox, even if i reset cookies, the fb page would just reset and say something about username or password error. Logging in under mobile, or/then switching to touch would allow me to then use my desktop page. Weird. Maybe my browser is jacked?
The Xbox360 team is laughing their heads off!
Say what you want about microsoft, eveny they would be hard pushed to create this kind of cockup. When people are paying for your service and it is a major revenue generator , you actually put effort into building the system and making sure it is secure!
As someone said, it's like watching a trainwreck in slo-mo.
How anyone would even consider going back on the PSN beggar's belief. Hell, I wouldnt even plug a sony telly into my network, not that i;d ever own a Sony product other than the 20yr old PLII pre-amp that sits under my monitor.
Paris cause she is obviously in charge of security at the struggling multi-national
This post has been deleted by a moderator
I got an email from Sony informing me that I had successfully changed my password, more than 12 hours BEFORE I actually managed to finally log on again after the PSN down-time and eventually change my password (not so curiously, the Sony PSN servers were very busy last Sunday!) from my PS3.
Whoever it was that logged into my account, it wasn't me... and curiously, they didn't bother to actually change my password, despite the Sony email.
(Paris because I can't think of anyone I'd more like to send into the future (or past))
Biting the hand that feeds IT © 1998–2021