
Forums - Sony Discussion - What people blaming Geohotz and the "hackers" seem to be missing...

BMaker11 said:

Banks have some high end security. Infrared lighting, cameras, thick security walls, etc. They still get robbed. Is it the bank's fault that someone knew what to do to get the money of the many customers the bank holds? That's what you're basically saying right now. I'd say cameras (to see who enters the bank), thick walled vaults (so they can't easily be broken into), and infrared lights (so if the robbery happens at night, it'll trigger an alarm) is preparing for the 'worst case scenario' (the worst case scenario for any bank is being robbed)......but robberies STILL happen.

It's not a BS analogy. It's the same situation. You're placing blame on the victim for what someone else does. And it's not ok. Just like when women get raped and someone says she "deserved" it because she was dressing a certain way. No....she was raped because she was raped. And Sony got hacked because Sony got hacked, not because they told someone to do it.


The analogy is imperfect. You need to take it a step further. That is, the bank is robbed and then the bank waits a week before informing anyone of a potential problem. Sony can't be blamed for the hack. They can be blamed for lack of informing those affected, and failing to properly encrypt some data*. You can't stop in the middle of what happened. Sony being hacked is the smallest portion of the problem here. Their method of handling it was the biggest. Storing all the info the way they did is somewhere in the middle dependent on specifics we will likely never know.

*I admit I am mostly up about the passwords not being encrypted. That is the sloppiest thing you can do. I am stunned a company the size of Sony would let it happen. While I continue to hear stories of companies storing passwords in plain text I continue to rail on them for being stupid too. Unbelievable every time at every level.



Starcraft 2 ID: Gnizmo 229

Gnizmo said:
imaprettyhotguy said:

And the whole thing you're basing it on is a rumor not even confirmed so you might even be wrong about the hole so yeah people really need to lay off Sony since there are so many other examples of companies doing so much worse and not one of one doing better


I can name a thousand companies right now that are doing better. They haven't been hacked or had significant portions of data compromised. That automatically puts Sony behind them on the scale you are using. What gets me is everyone seems to assume these other companies got a pass on the same problem. You link news articles slamming the companies over the problem and yet tell people not to do the same with Sony? Why shouldn't they be held to the same standard? Sony also failed in one major one those other companies almost universally didn't. They told their users  the second it appeared the data could have been compromised. There is no excuse for sitting on that information for a week. None at all.

I damn near changed banks after an issue with a data leak that was far less serious. The only reason I stopped is they knew precisely who was potentially affected, informed me immediately and then took steps to make sure none of it came back to me. That is, any charges I contested would be instantly assumed fraudulent unless proven otherwise (not the status quo for debit cards by the by) and I would have no liability for anything potentially related to the mishap.

Nope you can have no defenses and still not get hacked if people don't try, and what standard are you talking about, Sony is getting worse PR than all those other ones and they lost less and no they didn't tell users right away one guy in this thread pointed out that other ones told weeks to months for people to be told with actual CC information stolen so yeah, you are wrong



BMaker11 said:
yo_john117 said:

[...] I don't wanna hear any bullshit analogies.

Banks have some high end security.

Perhaps Sony Online Network could learn from banks.



WHERE IS MY KORORINPA 3

imaprettyhotguy said:
fordy said:
BMaker11 said:

A question to those saying that Sony's security is bad or that they were negligent:

Do you know how Sony's security works? How was the hack carried out? Could you have hacked PSN? I mean, Sony just doesn't care about our sensitive information and their security is so weak, right? 

How many of you work in IT and how many of you are just adolescents blabbering whatever you just read on the internet? 

Do I believe that "Sony can do no wrong"? Of course not, but then again, I also don't go around saying things like I know how everything about the topic works. Until someone can tell me how the infrastructure of PSN works and how they (the poster) can hack it, then all of you bashers are just idiots who know nothing. 

Everything electronic in this world is hackable. But you don't see me saying how easy it is to hack high level company's infrastructure because they are so negligent, and *I* just so happen to be smart enough to know how to invade their network. If I was the most intelligent person on this planet, and I could hack everything known to man, I wouldn't blame the company that made the product because I knew how to hack it.


I'm a Systems Analyst, with some ties to the Software Engineering department. This is my 12th year.

Your view of "everything is hackable" is indeed correct. However, the ease of breaching security is related to the amount of encryption placed on the data. You could be the smartest person in the world, but it still comes down to taking pot-shots in the dark when it comes to breaking encryption, and as key bitrates rise, the likelihood of success for one of these breaches becomes exponentially lower.

Sony made a few fundamental mistakes, and I'll point them out:

1. Sony stated that passwords may have been stolen. This in itself is a scary concept, considering a good system never actually stores the password in a text format, rather a hash of a digestible encryption format (complexity level 1 in one direction, but complexity level 2 ^ encryption-bitrate to decode). When the user enters a password, that is then digested, and checked against the stored hash. To say that passwords were taken implies that they have been keeping them in text format.

2. Sony was incredibly defensive over the security integrity with its PS3 consoles for a reason. The fact of the matter is that they assumed that since they had the client-side locked down, there was no need to enforce a 2nd level of security on the PSN. It was to cut the costs in order to maintain a free service. Why else would they have a zero-tolerance approach to such consoles, even ones that weren't openly abusing the jailbreak for cheating. They neglected a major fundamental taught to even first year engineering students, and that is to never assume a secure system across a communications medium.

3. This hasn't been 100% confirmed, but there is talk that Credit card info was secured using 128bit encryption. This may have been acceptable in the 1990s, but it's 2011. Even Virtual Private Networks are encrypted with at least 256bit (plenty in the 2048bit range). Processing power has climbed to levels that can breach a 128bit encryption using purely brute-force (i.e., checking every possible combination of 2^128 within the given time of expiration of the encryption). Once again, might just be a rumor floating around.

 

Sony is not 100% to blame, of course not. However, some of these obvious oversights do mean they deserve a good portion of the blame.

For 1 isn't it possible that the hacker took the passwords in their encrypted form? and basing an oversight over a rumor isn't very smart, so that leaves you with one oversight, pretty much everything has at least one major oversight if you care to look

Taking encrypted passwords is like taking a "map" that contains merely two dots on it and nothing more. Completely useless and chances are, Sony wouldn't have mentioned it if they had.




Or check out my new webcomic: http://selfcentent.com/
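
An added example, not part of any post in this thread: the store-a-digest-and-compare flow that fordy's point 1 describes, written with salted PBKDF2-HMAC-SHA256 from Python's standard library. The record format, the iteration count and the sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; stored per record
SALT_LEN = 16


def _digest(password: str, salt: bytes, iterations: int) -> bytes:
    # One-way derivation: cheap once per login, costly for every offline guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> str:
    """Return what goes in the account table: scheme, cost, salt and digest only."""
    salt = os.urandom(SALT_LEN)  # fresh random salt for every account
    digest = _digest(password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-digest the submitted password with the stored salt, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    return hmac.compare_digest(_digest(password, salt, iterations), expected)


def demo() -> dict:
    # Constructed sample accounts; both users picked the same password.
    table = {user: make_record(pw)
             for user, pw in [("alice", "hunter2"), ("bob", "hunter2")]}
    return {
        "login_ok": verify("hunter2", table["alice"]),
        "login_bad": verify("hunter3", table["alice"]),
        # Per-account salts keep identical passwords from producing identical rows.
        "same_password_same_record": table["alice"] == table["bob"],
        # A copy of the table contains no password text.
        "plaintext_in_dump": any("hunter2" in rec for rec in table.values()),
    }


if __name__ == "__main__":
    print(demo())
```
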

rocketpig said:
imaprettyhotguy said:
fordy said:
BMaker11 said:

A question to those saying that Sony's security is bad or that they were negligent:

Do you know how Sony's security works? How was the hack carried out? Could you have hacked PSN? I mean, Sony just doesn't care about our sensitive information and their security is so weak, right? 

How many of you work in IT and how many of you are just adolescents blabbering whatever you just read on the internet? 

Do I believe that "Sony can do no wrong"? Of course not, but then again, I also don't go around saying things like I know how everything about the topic works. Until someone can tell me how the infrastructure of PSN works and how they (the poster) can hack it, then all of you bashers are just idiots who know nothing. 

Everything electronic in this world is hackable. But you don't see me saying how easy it is to hack high level company's infrastructure because they are so negligent, and *I* just so happen to be smart enough to know how to invade their network. If I was the most intelligent person on this planet, and I could hack everything known to man, I wouldn't blame the company that made the product because I knew how to hack it.


I'm a Systems Analyst, with some ties to the Software Engineering department. This is my 12th year.

Your view of "everything is hackable" is indeed correct. However, the ease of breaching security is related to the amount of encryption placed on the data. You could be the smartest person in the world, but it still comes down to taking pot-shots in the dark when it comes to breaking encryption, and as key bitrates rise, the likelihood of success for one of these breaches becomes exponentially lower.

Sony made a few fundamental mistakes, and I'll point them out:

1. Sony stated that passwords may have been stolen. This in itself is a scary concept, considering a good system never actually stores the password in a text format, rather a hash of a digestible encryption format (complexity level 1 in one direction, but complexity level 2 ^ encryption-bitrate to decode). When the user enters a password, that is then digested, and checked against the stored hash. To say that passwords were taken implies that they have been keeping them in text format.

2. Sony was incredibly defensive over the security integrity with its PS3 consoles for a reason. The fact of the matter is that they assumed that since they had the client-side locked down, there was no need to enforce a 2nd level of security on the PSN. It was to cut the costs in order to maintain a free service. Why else would they have a zero-tolerance approach to such consoles, even ones that weren't openly abusing the jailbreak for cheating. They neglected a major fundamental taught to even first year engineering students, and that is to never assume a secure system across a communications medium.

3. This hasn't been 100% confirmed, but there is talk that Credit card info was secured using 128bit encryption. This may have been acceptable in the 1990s, but it's 2011. Even Virtual Private Networks are encrypted with at least 256bit (plenty in the 2048bit range). Processing power has climbed to levels that can breach a 128bit encryption using purely brute-force (i.e., checking every possible combination of 2^128 within the given time of expiration of the encryption). Once again, might just be a rumor floating around.

 

Sony is not 100% to blame, of course not. However, some of these obvious oversights do mean they deserve a good portion of the blame.

For 1 isn't it possible that the hacker took the passwords in their encrypted form? and basing an oversight over a rumor isn't very smart, so that leaves you with one oversight, pretty much everything has at least one major oversight if you care to look

Taking encrypted passwords is like taking a "map" that contains merely two dots on it and nothing more. Completely useless and chances are, Sony wouldn't have mentioned it if they had.

Yes they would, encryptions can be broken they have no way of knowing if the hacker has the ability or the tools or the will to break it 



imaprettyhotguy said:

Nope you can have no defenses and still not get hacked if people don't try, and what standard are you talking about, Sony is getting worse PR than all those other ones and they lost less and no they didn't tell users right away one guy in this thread pointed out that other ones told weeks to months for people to be told with actual CC information stolen so yeah, you are wrong


Security through obscurity is still security. They are still ahead. How can you cite news articles and then say they didn't get bad press over it? You are using the bad press to prove your point! You are proving yourself wrong with your own damned evidence!

Also you might want to read my statements. I never said other companies always told people up front. I made a specific point not to claim that. Many other companies delayed informing people. Most don't. Those that do should be slammed for failing to mention it, because they fucked up.



Starcraft 2 ID: Gnizmo 229

imaprettyhotguy said:

Yes they would, encryptions can be broken they have no way of knowing if the hacker has the ability or the tools or the will to break it 


By the time the encryption is broken the password is changed, and your work is null and void. There is no point in taking encrypted passwords. That's why you encrypt the passwords. Also, it is known now that the data was unencrypted. Sony has admitted as much.



Starcraft 2 ID: Gnizmo 229

imaprettyhotguy said:
Yes they would, encryptions can be broken they have no way of knowing if the hacker has the ability or the tools or the will to break it 

You don't really understand how encryption works. You need the key. The key changes.




Or check out my new webcomic: http://selfcentent.com/

Ail said:

A lot of people are acting like this is the biggest hack ever.

It isn't like I posted earlier in this thread.

There have been bigger hacks in the last 5 years that stole more sensitive information (like 100 million confirmed credit card accounts, some of them with SSN and personal information). This is just the one with the most publicity....

And in every previous case it took weeks if not months for the breach to be discovered and notified to people affected...

The biggest known case is Heartland which affected up to 100 million credit cards and they are even sure when the breach started to occur...

Heck while you guys are all focusing on this, another huge breach happened less than a month ago at another company.

http://www.reuters.com/article/2011/04/03/us-citi-capitalone-data-idUSTRE7321PI20110403

 

For those interested (and especially Squilliam, who seems not very well informed), here are the 11 largest data breaches in recent history:

http://wikibon.org/blog/the-11-largest-data-breaches-in-recent-history/


Two important bits here. You can't cite a news source and then say it didn't get coverage. Doesn't compute. Secondly, just because you are hearing more about it does not mean it wasn't covered. Major news outlets have not given this a ton of coverage from what I have seen. They have barely given it any at all until the Senator filed a suit. The gaming news is covering it more. Give you 3 guesses as to why that is.

You also kill another of your points. You try to claim there was a lack of response similar to Sony's, but then go on to state the hack wasn't discovered. Do you see the link there? You can't report a data leak you don't know about. Unless it is discovered there is no way to inform the public. The fact that it wasn't discovered in other cases is big news on its own, but linked to the other info as you have it all it does is invalidate more of your response.



Starcraft 2 ID: Gnizmo 229

Gnizmo said:
imaprettyhotguy said:

Yes they would, encryptions can be broken they have no way of knowing if the hacker has the ability or the tools or the will to break it 


By the time the encryption is broken the password is changed, and your work is null and void. There is no point in taking encrypted passwords. That's why you encrypt the passwords. Also, it is known now that the data was unencrypted. Sony has admitted as much.

They admitted that passwords were unencrypted?

Jesus Christ.

FUCKING WORDPRESS USES ENCRYPTION FOR COMMENTING.

Fuck off, Sony. Seriously. Just retarded.




Or check out my new webcomic: http://selfcentent.com/