imaprettyhotguy said:
rocketpig said:
Is that this security breach was a server-side flaw. "Hacking" a PS3 shouldn't give anyone access to critical PSN information any more than hacking a computer or install of Firefox would give you access to Amazon's customer database.
The tools to defend against this type of attack have been available for years. I can build a secure e-commerce store in a matter of hours and get it locked down to prevent this type of information breach using off-the-shelf software. Why can't Sony do the same on their PROPRIETARY system?
No matter whether you think Sony was in the right over the Geohotz fiasco, they royally screwed the pooch on this one.
And that is no one's fault but their own. They deserve every bit of bad press they're going to get over this.
|
Can you do it on a massive amount of worldwide servers that were built half a decade ago? Didn't think so, and I'm pretty sure whoever got into psn could easily get past whatever defences you can make
|
Assuming a remote client as secure and giving it high privileges just based on some special IDs was an unforgivable security design flaw even when computer networks were born. Even in the oldest networks, if properly set up, a compromised client owned and used by people that shouldn't have any high privileges on the servers can't compromise them. The world is full of infected PCs, they can be gathered in botnets and do DDoS attack, to send spam and phishing mails, to spread furtherly the viruses they are infected with, but they cannot enter correctly secured servers and networks, this is true on a worlwide scale, it should be even more true on proprietary networks that give remote users a lot less freedom than internet. Obviously also servers can have and actually have unknown bugs and holes waiting to be discovered and exploited, if malicious hackers find them before honest ones, but it's a totally different thing from a badly designed network security that lets the malicious hackers pierce it just comfortably hacking their remote clients, without the need to study the servers and find a hole in them, as the hole is actually the aforementioned design flaw that wasn't corrected until the disaster had already happened.
To sum it up: error and bugs happen, design flaws are worse than them, and design flaws made ignoring an easy and fundamental security rule that is taught even in the most basic engineering courses on these matters are the worst of all, really unforgivable. Actually Sony should have hoped that honest hackers found this hole a lot earlier, maybe they could have prevented the disaster. That takes us to two other basic rules: first, security by obscurity never works, it's just a disaster waiting to happen, second, don't sue honest hackers, let them do their work or hobby and just ask them to tell you first about the holes they found in your SW, networks and servers, if they arrive before malicious ones, they'll maybe allow you to thwart the attacks and to preserve the security of your honest users too.
Edit: just to make things clear, Sony isn't alone in doing unforgivable design errors, other users cited many disasters made by banks and credit card companies, but security design flaws of even bigger proportion have been made by MS too, for example until a few years ago, Internet Explorer, even if set up to never memorize passwords, credit card numbers and other sensible data, it nevertheless stealthily memorized them in the file index.dat, that wasn't even encripted, but just obfuscated, and waiting to be stolen (as default file sharing rules and permissions were extremely lax too in old versions of Windows, before the final, and finally decent, Service Packs of Win2000 and XP, if even available at all, 9x versions didn't offer file permissions at all). We are talking about several hundreds million Windows users that for a long period had their personal data at risk, without MS doing anything to protect them, instead having made this gross security hole on purpose, to spy them.