BMaker11 said:

A question to those saying that Sony's security is bad or that they were negligent:

Do you know how Sony's security works? How was the hack carried out? Could you have hacked PSN? I mean, Sony just doesn't care about our sensitive information and their security is so weak, right? 

How many of you work in IT and how many of you are just adolescents blabbering whatever you just read on the internet? 

Do I believe that "Sony can do no wrong"? Of course not, but then again, I also don't go around saying things like I know how everything about the topic works. Until someone can tell me how the infrastructure of PSN works and how they (the poster) can hack it, then all of you bashers are just idiots who know nothing. 

Everything electronic in this world is hackable. But you don't see me saying how easy it is to hack a high-level company's infrastructure because they are so negligent, and *I* just so happen to be smart enough to know how to invade their network. If I was the most intelligent person on this planet, and I could hack everything known to man, I wouldn't blame the company that made the product because I knew how to hack it.


I'm a Systems Analyst, with some ties to the Software Engineering department. This is my 12th year.

Your view of "everything is hackable" is indeed correct. However, the ease of breaching security is related to the amount of encryption placed on the data. You could be the smartest person in the world, but it still comes down to taking pot-shots in the dark when it comes to breaking encryption, and as key bitrates rise, the likelihood of success for one of these breaches becomes exponentially lower.

Sony made a few fundamental mistakes, and I'll point them out:

1. Sony stated that passwords may have been stolen. This in itself is a scary concept, considering a good system never actually stores the password in a text format, rather a hash of a digestible encryption format (complexity level 1 in one direction, but complexity level 2 ^ encryption-bitrate to decode). When the user enters a password, that is then digested, and checked against the stored hash. To say that passwords were taken implies that they have been keeping them in text format.

2. Sony was incredibly defensive over the security integrity with its PS3 consoles for a reason. The fact of the matter is that they assumed that since they had the client-side locked down, there was no need to enforce a 2nd level of security on the PSN. It was to cut the costs in order to maintain a free service. Why else would they have a zero-tolerance approach to such consoles, even ones that weren't openly abusing the jailbreak for cheating? They neglected a major fundamental taught to even first year engineering students, and that is to never assume a secure system across a communications medium.

3. This hasn't been 100% confirmed, but there is talk that credit card info was secured using 128-bit encryption. This may have been acceptable in the 1990s, but it's 2011. Even Virtual Private Networks are encrypted with at least 256-bit (plenty in the 2048-bit range). Processing power has climbed to levels that can breach a 128-bit encryption using purely brute-force (i.e., checking every possible combination of 2^128 within the given time of expiration of the encryption). Once again, might just be a rumor floating around.

 

Sony is not 100% to blame, of course not. However, some of these obvious oversights do mean they deserve a good portion of the blame.
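
The storage scheme described in point 1 above, as an added example that is not part of the original post: the server keeps only a salted digest, re-digests each login attempt and compares, and a dump of that table contains no password text, unlike a plaintext table. The choice of PBKDF2-HMAC-SHA256, the iteration count, the helper names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor, not from the post

def make_record(password: str) -> dict:
    """Build the row the server stores: salt, work factor and digest only."""
    salt = os.urandom(16)  # per-user salt so equal passwords give unequal digests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}

def verify(attempt: str, record: dict) -> bool:
    """Digest the login attempt the same way and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    bytes.fromhex(record["salt"]),
                                    record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))

def exposed_in_dump(table: dict, passwords: dict) -> list:
    """Audit helper: users whose password appears verbatim in a stored row."""
    return sorted(user for user, row in table.items()
                  if passwords[user] in str(row))

# Constructed sample accounts (not real data); both users share one password.
SAMPLE = {"alice": "correct horse battery", "bob": "correct horse battery"}

def build_tables():
    """Return the same accounts stored as plaintext and as salted digests."""
    plaintext_table = {u: {"password": p} for u, p in SAMPLE.items()}
    hashed_table = {u: make_record(p) for u, p in SAMPLE.items()}
    return plaintext_table, hashed_table

if __name__ == "__main__":
    plain, hashed = build_tables()
    print("plaintext table exposes:", exposed_in_dump(plain, SAMPLE))
    print("hashed table exposes:   ", exposed_in_dump(hashed, SAMPLE))
    print("correct login:", verify("correct horse battery", hashed["alice"]))
    print("wrong login:  ", verify("wrong guess", hashed["alice"]))
```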