Unoffical empeg BBS

#344517 - 26/04/2011 18:36 PSN Hack
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
The news has gotten worse.

Quote:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
...
While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.


Not good.
_________________________
- Tony C
my empeg stuff

#344521 - 26/04/2011 20:00 Re: PSN Hack [Re: tonyc]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
I wonder if Sony will ever release more details on how it happened. One rumor out there is that a cracked firmware was circulating that somehow modified dev kit code to grant retail PS3s free access to the store. I didn't really buy that as the only reason, since it should have been trivial to just shut down the store instead of the entire network.

Really bad timing too, considering the PS3 release of Portal 2. Been wanting to play co-op with a friend Mac<->PS3.

#344526 - 26/04/2011 22:27 Re: PSN Hack [Re: drakino]
msaeger
carpal tunnel

Registered: 23/09/2000
Posts: 3608
Loc: Minnetonka, MN
I have already had a card number stolen due to PSN. Someone figured out my PSN password and bought a bunch of crap from PSN with a card that was stored on the account. I didn't even realize they were storing the card info.

These online stores just need to stop keeping your card number on file.
_________________________

Matt

#344527 - 26/04/2011 22:36 Re: PSN Hack [Re: drakino]
g_attrill
old hand

Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
I guess it's possible that the dev firmware could exploit (or highlight) a flaw in the PSN code to allow somebody to cycle through the records, maybe some unused developer-only procedures or something?

Otherwise it could have been anything, from the compromised employee's machine, a server hack, or some other intrusion.

I'm sure we will get quite a bit more detail at some stage, if it is an exploit of the user-side then I'm sure it will be explained in detail by an outsider, anything else and it will probably be a high level explanation.

#344529 - 27/04/2011 03:45 Re: PSN Hack [Re: g_attrill]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Senator Blumenthal is concerned over the breach and lack of quick response.

New statement from Sony about the slow notification, and a FAQ.

#344533 - 27/04/2011 09:58 Re: PSN Hack [Re: drakino]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
"We knew the attack was serious enough to completely shut down our service, but not serious enough to warn people of a potential identity theft situation."

Um, yeah. Not buying it. The real answer is that they suspected as much as soon as they brought the service down, but were hoping they could prove that it wasn't true. Now that they've been getting bad press they come out and say that it's possible. Nothing but a PR-related decision.
_________________________
Bitt Faulk

#344535 - 27/04/2011 13:24 Re: PSN Hack [Re: wfaulk]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Originally Posted By: wfaulk
"We knew the attack was serious enough to completely shut down our service, but not serious enough to warn people of a potential identity theft situation."

Yeah, that part has me agreeing more with your side than what Sony is saying, especially when you factor in the SOE outage. SOE's systems aren't even tied to anything PSN related with the exception of DCUO and FreeRealms PS3 versions. Everything else goes through a separate Station.com account. Something major happened, and they knew it, but weren't willing to share any info. Initially it was called "emergency maintenance", and many just passed it off as more DDOS attacks.

So far I haven't seen an e-mail from Sony about this as promised, but I did go back and look at what they had sent me to see what card they had. I found this message sent March 24, 2011:

Quote:
On April 1, 2011, Sony Computer Entertainment America LLC ("SCEA") will transfer its online services operations, including your wallet and the funds in it, to Sony Network Entertainment America Inc. ("SNEA"). The first time you sign in to your Sony Online Services account on or after April 1, you will be asked to enter into a new Terms of Service and User Agreement with SNEA. If you do not wish to enter into a contract with SNEA, you may decline the terms of service and we will close your account(s) and return your funds. You can preview the new Terms of Service and User Agreement with SNEA at: (phishing looking URL removed, pointed to playstation dot innovyx dot net)

Beyond the odd url in the message, it also came from innovyx.net instead of a Sony controlled domain.

#344543 - 27/04/2011 15:15 Re: PSN Hack [Re: drakino]
andym
carpal tunnel

Registered: 17/01/2002
Posts: 3995
Loc: Manchester UK
Originally Posted By: drakino
Really bad timing too, considering the PS3 release of Portal 2. Been wanting to play co-op with a friend Mac<->PS3.

Ditto, plus I can't download the Mac version until I link my Steam and Playstation accounts.
_________________________
Cheers,

Andy M

#344549 - 27/04/2011 18:48 Re: PSN Hack [Re: andym]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
_________________________
- Tony C
my empeg stuff

#344552 - 27/04/2011 20:23 Re: PSN Hack [Re: tonyc]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868

#344553 - 27/04/2011 23:03 Re: PSN Hack [Re: drakino]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Another Q&A from Sony: http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/ , including confirmation there is a criminal investigation occurring. If that makes it all the way to the courts, should be pretty revealing in what actually happened. They also note that credit card data was encrypted, but other personal data wasn't.

And Gamasutra is reporting some developers have already been sent a new SDK for their dev kits with fixed security. Lending more credence to the idea that the initial exploit did involve devkit related materials somehow.

#344562 - 28/04/2011 13:38 Re: PSN Hack [Re: drakino]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Looks like the SOE downtime was more of a precaution, they are stating no customer data was compromised on their side.

One strange part from the Q&A yesterday:
Originally Posted By: Sony
Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Odd that they feel the need to physically relocate where the network is hosted.

#344563 - 28/04/2011 14:02 Re: PSN Hack [Re: drakino]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
_________________________
- Tony C
my empeg stuff

#344697 - 03/05/2011 21:41 Re: PSN Hack [Re: drakino]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Originally Posted By: drakino
Looks like the SOE downtime was more of a precaution, they are stating no customer data was compromised on their side.

About that "no SOE data was compromised" part...
https://www.soe.com/securityupdate/
oops

#344768 - 05/05/2011 19:18 Re: PSN Hack [Re: drakino]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868

#344792 - 06/05/2011 07:42 Re: PSN Hack [Re: drakino]
frog51
pooh-bah

Registered: 09/08/2000
Posts: 2091
Loc: Edinburgh, Scotland
Oh, and plan for more Sony fun this weekend.

Sounds like a 3rd attack is planned....

sigh
_________________________
Rory
MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi
MkII, 240Gb in Mark Lord dock
MkII, 80Gb SSD in dock

#344802 - 06/05/2011 12:33 Re: PSN Hack [Re: frog51]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Sony Offering Free ‘AllClear ID Plus’ Identity Theft Protection in the United States

That's the first thing I've heard that actually sounds like Sony taking a step in the right direction. That said, I'm sure that the "AllClear ID" folks are giving them a huge discount hoping that people will re-up their subscriptions at the end of whatever Sony provides.
_________________________
Bitt Faulk

#344809 - 06/05/2011 13:34 Re: PSN Hack [Re: wfaulk]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Isn't that kind of like buying life insurance after someone dies? Sony should give everyone a full refund back to their original sign-up date, plus no less than 24 additional months for free, along with wiping all personal details from their records and, by court-order never again being allowed to store customer financial details online for any of their business units for a period of no less than 10 years.

Going after the hackers is the wrong thing here. Sony are the ones that need to be punished.


Edited by hybrid8 (06/05/2011 13:37)
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#344814 - 06/05/2011 14:48 Re: PSN Hack [Re: hybrid8]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5682
Loc: London, UK
Originally Posted By: hybrid8
Sony should give everyone a full refund back to their original sign-up date, plus no less than 24 additional months for free


On this, they already have for most PSN users. It's always been free. :)
_________________________
-- roger

#344819 - 06/05/2011 15:10 Re: PSN Hack [Re: Roger]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Why do they have financial information (credit cards) on file for something that's free? Or do you mean you can log in for free, but activities/options cost money?

Sony ranks somewhere way South of Google on my least trusted companies list and they have for a long time. This latest news is just gravy.


Edited by hybrid8 (06/05/2011 15:11)
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#344822 - 06/05/2011 15:24 Re: PSN Hack [Re: hybrid8]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
The base Playstation Network is free, but you have to provide basic info to sign up for it. PSN provides online matchmaking, friends lists, messaging, and voice chat in games for free, along with Playstation Home (a weird second life like environment). As to what info was mandatory, I can't remember now that it's been close to 5 years since I signed up. 77 million accounts existed here, for PSN or Qriocity access.

On top of that is the Playstation Store. It's a digital storefront that people can use to download free demos and videos, along with paid games, extra content for games, and TV/movie shows. It also handles subscription services, such as DC Universe Online, Qore and PSN Plus. 12.3 million accounts had credit card information saved.

To fund the store, Sony allows people to enter their credit card details to put money into a "Playstation Wallet". This wallet could also be funded via cards bought in retail stores, and I think possibly via PayPal and some other more direct debit services. This database containing the payment details was encrypted, but it's unknown if the hackers actually gained access to any information here. Sony still claims that they have not seen any reports from the credit card companies indicating fraud from this specific hack.


Edited by drakino (06/05/2011 15:27)
Edit Reason: added numbers

#344844 - 06/05/2011 18:24 Re: PSN Hack [Re: drakino]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
There's also a "Playstation Plus" service, which along with Qriocity (terrible name), are the two services all PSN users will get a free month of when everything's back up! Yay! How generous of Sony to offer a brief free sample of their paid services. They really know how to treat their users.

Some are saying this won't hurt Sony in the long run. I tend to think it will. Not an enormous amount, but I think it'll have more of a consumer impact than when everyone forgot about the rootkit.
_________________________
Matt

#344860 - 07/05/2011 00:08 Re: PSN Hack [Re: Dignan]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
Playstation Plus where the games you download only work whilst you have an active subscription! Sounds like an amazing deal.

#344946 - 09/05/2011 11:06 Re: PSN Hack [Re: Dignan]
Tim
veteran

Registered: 25/04/2000
Posts: 1522
Loc: Arizona
Originally Posted By: Dignan
There's also a "Playstation Plus" service, which along with Qriocity (terrible name), are the two services all PSN users will get a free month of when everything's back up! Yay! How generous of Sony to offer a brief free sample of their paid services. They really know how to treat their users.


Some friends told me SOE is giving away a free month and then an extra day for every day the game is down for EQ2 subscribers. I imagine they are doing something similar for the rest of the subscription games they have. At least short term, this is going to have a decent impact on their revenue. Not to mention everybody jonesing for a game that go and find a new one to play.

#344950 - 09/05/2011 11:19 Re: PSN Hack [Re: Tim]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Originally Posted By: Tim
Originally Posted By: Dignan
There's also a "Playstation Plus" service, which along with Qriocity (terrible name), are the two services all PSN users will get a free month of when everything's back up! Yay! How generous of Sony to offer a brief free sample of their paid services. They really know how to treat their users.

Some friends told me SOE is giving away a free month and then an extra day for every day the game is down for EQ2 subscribers. I imagine they are doing something similar for the rest of the subscription games they have. At least short term, this is going to have a decent impact on their revenue. Not to mention everybody jonesing for a game that go and find a new one to play.

I'm sure they won't make the money, but it's not like they're losing it. These services are so much profit it's ridiculous. I'm sure they could afford to give a little more than a single month and a handful of days for exposing 77 million people to possible identity theft.
_________________________
Matt

#344957 - 09/05/2011 12:29 Re: PSN Hack [Re: Dignan]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Originally Posted By: Dignan
I'm sure they won't make the money, but it's not like they're losing it. These services are so much profit it's ridiculous.

Keep in mind Sony Online Entertainment (SOE) is a separate standalone company from Sony Network Entertainment (SNE). SNE is the Playstation Network where the 77 million came from (with ~12 million credit cards on file). SOE had a separate database with ~24 million accounts.

Giving away a free month is going to hurt SOE badly. DC Universe just launched a few months ago, so that right there will be a huge impact since they haven't gotten many subscription cycles yet. And the company just finished another round of layoffs, the 3rd such event in the past 3 years, this time closing 3 studios and impacting the remaining 2, including Austin where Caleb works.

People here tend to see Sony as one large faceless corporation. It's more properly a group of affiliated companies, with some of them like SOE running pretty independently with their own financials, leadership structure and so on. SOE is an LLC, one that reports currently into SCE (Sony Computer Entertainment, the Playstation group). In the past, they were under SPE (Sony Pictures Entertainment, the movie group).

#344958 - 09/05/2011 12:36 Re: PSN Hack [Re: drakino]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Sorry, I forgot this was SOE and not Sony.
_________________________
Matt

#345135 - 15/05/2011 04:08 Re: PSN Hack [Re: Dignan]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
PSN is coming back online now, with a state by state restoration. SOE games are also showing back online now. No current ETA on the return of the PSN store.
