Well, That Was Fast: Sony's New PSN System? Hacked!
from the hiccup dept
So, it took a few weeks for Sony to get everything in order after its er... hiccup in exposing the details of everyone on the PlayStation Network. And, now it appears that the Japanese government's worries that Sony hadn't really fixed the problem or made its system secure appear to be coming true. There are reports this morning that the new password reset system has been exploited, such that you could change anyone's password if you have their email and date of birth. You know where you could have gotten that info? From the original hacked data. Right. *Hic*
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
I see you are Having tea with Karma again.
Sincerely,
Anonymous
[ link to this | view in chronology ]
Don't taunt hackers... Part Duex
Just saying. They had it commin.
[ link to this | view in chronology ]
Re: Don't taunt hackers... Part Duex
[ link to this | view in chronology ]
OK WE GIVE UP!! PLEASE STOP!!
- Sony
[ link to this | view in chronology ]
Oh .... better one !
Karma Much??
Sincerely,
GeoHot
[ link to this | view in chronology ]
Company-wide pattern?
[ link to this | view in chronology ]
Re: Company-wide pattern?
However their network security seems be a one step beyond saying "Just set the password to "secret" who is gonna fuck with us?"
[ link to this | view in chronology ]
Re: Re: Company-wide pattern?
[ link to this | view in chronology ]
Re: Re: Company-wide pattern?
1. Not to Sony's credit because no one who knew what they were doing was really trying.
2. Yes, the PS3 went "uncracked the longest", see #1.
3. The DRM was very very very flawed. Sorry, I'm not going to give a link, but the hackers' who worked on the real crack (after Geohot) have put out a lengthy explanation.
4. They did not "fix" what Geohot did at all.
[ link to this | view in chronology ]
BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH*wheeze*AHAHAHAHAH
[ link to this | view in chronology ]
One more ....
ha ... No Wait ... HA!!!!!
Sincerely,
The Xbox 360 Dev Team
[ link to this | view in chronology ]
Not really a hack this time
[ link to this | view in chronology ]
My turn!
You should have done what we did...
Friend codes are the future!
Sincerely,
Nintendo
[ link to this | view in chronology ]
Re: My turn! ...
I feel your pain.....no kids want to play with me either.
Sincerely,
Michael Jackson
[ link to this | view in chronology ]
Re: Re: My turn! ...
[ link to this | view in chronology ]
More hiccups?
Those hiccups must be just awful, what with your head so far up your ass!
[ link to this | view in chronology ]
Re: More hiccups?
[ link to this | view in chronology ]
Sony IT guy
[ link to this | view in chronology ]
Re: Sony IT guy
[ link to this | view in chronology ]
Re: Re: Sony IT guy
[ link to this | view in chronology ]
Re: Sony IT guy
[ link to this | view in chronology ]
Re: Re: Sony IT guy
Sony needs to redesign their console with a ring of status lights and a LCD display. This way they can red ring of death their consoles while scrolling your personal and credit card information in the LCD.
That's considered notification that your personal information has been leaked isn't it? As an added bonus, you won't have to wait 7 days to find out.
[ link to this | view in chronology ]
Three possible explanations
The most likely scenario.
2. They found the auth keys in the confirmation page that shows after submitting an email address & DOB
Very poor design I've seen on some sites before but you'd have to be incompetent or negligent to code something like this.
3. They guessed it or social engineered it
Unlikely...
[ link to this | view in chronology ]
Re: Three possible explanations
[ link to this | view in chronology ]
Re: Re: Three possible explanations
[ link to this | view in chronology ]
Re: Three possible explanations
When logging back into the PSN, Sony is forcing everyone to reset their passwords.
To verify a user, since the old passwords were stolen, they needed to use some other piece of information to confirm users.
So instead they decided to use the email and DOB. The same information that was stolen along with the passwords.
This kind of oversight is epic Picard level facepalm.
[ link to this | view in chronology ]
Re: Re: Three possible explanations
Resetting passwords by email address alone(no DOB) is a standard way of starting a two-phase authorization.
If you read the forum thread that Kotaku linked to, you can see that someone received an initial email that said something along the lines of "Click this link to reset your password".
Normally that's where a fraudulent password reset request would end unless someone had access to a user's email account, however seconds later they received another email saying the request was completed.
Sony just stated on their blog that this was a "URL exploit", so now I present two other explanations which I forgot to list.
4. Sony set their script to automatically bypass the second phase so people wouldn't have to check their email account.
Heads should roll if this is true, but I doubt it. Why even make a two-phase auth system if they're going to bypass it themselves?
5. Sony let blank auth keys reset passwords (the official explanation?)
Maybe the programmer accidentally put something like a = instead of == for matching... But the structure of the links make me call bull on this.
[ link to this | view in chronology ]
Re: Re: Re: Three possible explanations
The script set a cookie when someone reset a password. Then it let blank auth keys go through, and figured out what account you wanted to reset based on the cookie they set earlier.
[ link to this | view in chronology ]
Sony should work on its fanbase...
[ link to this | view in chronology ]
It could be worse!
Though, you'll be blessed with a free console, at least two weeks of no games, and one year of XBox Live free of charge for the "trouble" of preventing your legally purchased products from working.
Thank goodness I own a Wii! Since developers shunned this piece of crap, I've nothing to worry about.
:|
[ link to this | view in chronology ]
It could be worse!
Though, you'll be blessed with a free console, at least two weeks of no games, and one year of XBox Live free of charge for the "trouble" of preventing your legally purchased products from working.
Thank goodness I own a Wii! Since developers shunned this piece of crap, I've nothing to worry about.
:|
[ link to this | view in chronology ]
Re: It could be worse!
although its definitely shitty, yeah console breaking drm
[ link to this | view in chronology ]
And thus was the beginning of the end for the PS3.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
okay... thats +1 for the use of fanboys, +.5 for the alternate spelling, +3 for big archaic word used correctly and its on a triple word space... +70.5 for me.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
haiku (so maybe Sony will understand)
Obvious fail on this one,
Karma is a bitch...
*giggle*
[ link to this | view in chronology ]
Re: haiku (so maybe Sony will understand)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Spitball caption on ad:
Brought to you by the same folks that braught you Climate-Gate. The same folks that filled the need in "Waste 60 bucks on a game I cant demo? FTS" & Sony hacks brings you....
The thing of it is the entertainment value is huge. Think about Hacker(the movie) like competitions on destroying senators that go against he public interest. I distinctly remember if the government fears the people....
[ link to this | view in chronology ]
or even Facebook, or most social networks.
[ link to this | view in chronology ]
Why they got hacked
Who uses Other OS? - people who make supercomputers from lots of PS3's - what do they use them for?
security research
"On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash.[7] The researchers used a cluster of Sony Playstation 3s at the EPFL in Lausanne, Switzerland"
Irony of ironies - were Sony hacked by their own hardware?
[ link to this | view in chronology ]
http://latimesblogs.latimes.com/technology/2011/05/sony-servers-hacked-host-credit-car d-phishing-site.html
[ link to this | view in chronology ]
http://www.foxnews.com/scitech/2011/05/20/sony-hacked-playstation-so-net-isp/
[ link to this | view in chronology ]