Well, That Was Fast: Sony's New PSN System? Hacked!

(Mis)Uses of Technology

from the hiccup dept

Wed, May 18th 2011 11:46am — Mike Masnick

So, it took a few weeks for Sony to get everything in order after its er... hiccup in exposing the details of everyone on the PlayStation Network. And, now it appears that the Japanese government's worries that Sony hadn't really fixed the problem or made its system secure appear to be coming true. There are reports this morning that the new password reset system has been exploited, such that you could change anyone's password if you have their email and date of birth. You know where you could have gotten that info? From the original hacked data. Right. *Hic*

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hack, psn
Companies: sony

47 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Hephaestus (profile), 18 May 2011 @ 11:28am

Dear Sony
I see you are Having tea with Karma again.
Sincerely,
Anonymous
[ link to this | view in thread ]
Phillip Vector (profile), 18 May 2011 @ 11:49am

Don't taunt hackers... Part Duex
http://www.techdirt.com/articles/20110518/03135114315/sony-ceo-howard-stringer-month-long-hackathon- merely-hiccup.shtml#c27

Just saying. They had it commin.
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 11:51am

Dear Anonymous,

OK WE GIVE UP!! PLEASE STOP!!

- Sony
[ link to this | view in thread ]
Hephaestus (profile), 18 May 2011 @ 11:52am

Oh .... better one !
Dear Sony
Karma Much??
Sincerely,
GeoHot
[ link to this | view in thread ]
Fzzr (profile), 18 May 2011 @ 11:57am

Company-wide pattern?
The PS3 crack that kicked off Sony's recent legal campaign against GeoHot and Anonymous' subsequent DDOS attacks was made possible by the PS3 validating all games through a single root key. Bad security practice appears to be endemic at Sony, from DRM to network security.
[ link to this | view in thread ]
Sony Hacking Spree, 18 May 2011 @ 12:00pm

Re: Don't taunt hackers... Part Duex
What a travesty
[ link to this | view in thread ]
Mr. LemurBoy (profile), 18 May 2011 @ 12:04pm

*Ahem*

BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH*wheeze*AHAHAHAHAH
[ link to this | view in thread ]
Hephaestus (profile), 18 May 2011 @ 12:04pm

One more ....
Dear Sony
ha ... No Wait ... HA!!!!!
Sincerely,
The Xbox 360 Dev Team
[ link to this | view in thread ]
pixelpusher220 (profile), 18 May 2011 @ 12:21pm

Not really a hack this time
This is purely lousy design...
[ link to this | view in thread ]
Jay (profile), 18 May 2011 @ 12:22pm

My turn!
Dear Sony,

You should have done what we did...
Friend codes are the future!

Sincerely,
Nintendo
[ link to this | view in thread ]
Hephaestus (profile), 18 May 2011 @ 12:27pm

Re: My turn! ...
Dear Sony PS3,
I feel your pain.....no kids want to play with me either.
Sincerely,
Michael Jackson
[ link to this | view in thread ]
A non-mouse, 18 May 2011 @ 12:28pm

More hiccups?
Dear Sony,

Those hiccups must be just awful, what with your head so far up your ass!
[ link to this | view in thread ]
Chuck Norris' Enemy (deceased) (profile), 18 May 2011 @ 12:34pm

Sony IT guy
Sony IT guy - "Okay! Just rebooted the system. Does it work now?"
[ link to this | view in thread ]
Chronno S. Trigger (profile), 18 May 2011 @ 12:34pm

Re: More hiccups?
Oh, so that's how you land in the hospital for a month with the hiccups.
[ link to this | view in thread ]
SD (profile), 18 May 2011 @ 12:42pm

Three possible explanations
1. They had the reset password auth key generator key from the previous intrusion, or got in again and stole it
The most likely scenario.

2. They found the auth keys in the confirmation page that shows after submitting an email address & DOB
Very poor design I've seen on some sites before but you'd have to be incompetent or negligent to code something like this.

3. They guessed it or social engineered it
Unlikely...
[ link to this | view in thread ]
The Buzz Saw (profile), 18 May 2011 @ 12:42pm

Sony should work on its fanbase...
Last I checked, having a supportive group of fans is far more effective than any amount of engineering. If the fans are on your side, you can tap into the community and summon its collective power to solve problems. Instead, Sony has built a fortress to defend itself from fans. It stays behind its walls and simply attaches bait (in the form of entertainment) to hooks and fishes for fans from the safety of its castle. Heaven forbid the fishermen have any meaningful interaction with their catch! The fish (or their money) are all that matter!
[ link to this | view in thread ]
A.R.M. (profile), 18 May 2011 @ 12:45pm

It could be worse!
You could receive a service pack on your game console which has a chance to brick your box and it's mandatory to enable additional copyright protection which makes reading retail disks impossible.

Though, you'll be blessed with a free console, at least two weeks of no games, and one year of XBox Live free of charge for the "trouble" of preventing your legally purchased products from working.

Thank goodness I own a Wii! Since developers shunned this piece of crap, I've nothing to worry about.
:|
[ link to this | view in thread ]
A.R.M. (profile), 18 May 2011 @ 12:46pm

It could be worse!
You could receive a service pack on your game console which has a chance to brick your box and it's mandatory to enable additional copyright protection which makes reading retail disks impossible.

Though, you'll be blessed with a free console, at least two weeks of no games, and one year of XBox Live free of charge for the "trouble" of preventing your legally purchased products from working.

Thank goodness I own a Wii! Since developers shunned this piece of crap, I've nothing to worry about.
:|
[ link to this | view in thread ]
Greevar (profile), 18 May 2011 @ 1:01pm

And thus was the beginning of the end for the PS3.
Maybe they will learn that any security that can be unlocked, can be broken? There are enough people with the will and skill to do it out there. And they love a good challenge as much as they love wiping the smug grins from Sony's face.
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 1:07pm

Obvious fail is obvious. Couldn't happen to a nicer company. bwahahahahahahaha. Eat it Sony!
[ link to this | view in thread ]
harbingerofdoom (profile), 18 May 2011 @ 1:07pm

wow, the fanbois are going to be having a fit of apoplexy over this.

okay... thats +1 for the use of fanboys, +.5 for the alternate spelling, +3 for big archaic word used correctly and its on a triple word space... +70.5 for me.
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 1:10pm

If this is a hiccup god forbid they get the flu.
[ link to this | view in thread ]
DaveL (profile), 18 May 2011 @ 1:12pm

haiku (so maybe Sony will understand)
My dearest Sony,
Obvious fail on this one,
Karma is a bitch...

*giggle*
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 1:12pm

Re: Sony IT guy
What IT guy? It's probably some lawyer that knows how to reinstall windows and thus he thinks he can fix a server. After all sony's workforce is 99% lawyers
[ link to this | view in thread ]
Gh0st, 18 May 2011 @ 1:13pm

Well sucks to be them.
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 1:20pm

Re: Sony IT guy
I have to say it...this is getting well into TJX territory.
[ link to this | view in thread ]
Greevar (profile), 18 May 2011 @ 1:24pm

Re:
Yahtzee!
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 2:02pm

Re: Company-wide pattern?
to their credit the PS3 went uncracked the longest out of any game system, so the DRM wasn't really flawed and they did fix what geohot did pretty fast and remove you from psn if you were using the modified firmware.

However their network security seems be a one step beyond saying "Just set the password to "secret" who is gonna fuck with us?"
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 2:05pm

Re: It could be worse!
brand new free system, freebies valued at 70$, two weeks 'ish' downtime. Not sure how its worse....

although its definitely shitty, yeah console breaking drm
[ link to this | view in thread ]
DCX2, 18 May 2011 @ 2:20pm

Re: Three possible explanations
4. The seed for the auth key generator is the same seed for all the PS3 keys.
[ link to this | view in thread ]
Jon B. (profile), 18 May 2011 @ 2:22pm

Whatever profit Sony was supposedly "losing" to piracy and jailbreaking has been immensely surpassed by the ongoing degree of fuckupitude.
[ link to this | view in thread ]
Josh in CharlotteNC (profile), 18 May 2011 @ 2:35pm

Re: Three possible explanations
Read the article.

When logging back into the PSN, Sony is forcing everyone to reset their passwords.

To verify a user, since the old passwords were stolen, they needed to use some other piece of information to confirm users.

So instead they decided to use the email and DOB. The same information that was stolen along with the passwords.

This kind of oversight is epic Picard level facepalm.
[ link to this | view in thread ]
pclanguy, 18 May 2011 @ 2:50pm

Re: Re: Sony IT guy
TJX territory? They passed TJX territory at the first hiccup.

Sony needs to redesign their console with a ring of status lights and a LCD display. This way they can red ring of death their consoles while scrolling your personal and credit card information in the LCD.

That's considered notification that your personal information has been leaked isn't it? As an added bonus, you won't have to wait 7 days to find out.
[ link to this | view in thread ]
crade (profile), 18 May 2011 @ 3:13pm

Re: Re: Company-wide pattern?
Well, sony also didn't ask to be hacked until pretty recently. There isn't much of a need to jailbreak something that officially supports running custom code. You can't really start the time until they stopped.
[ link to this | view in thread ]
Falindraun (profile), 18 May 2011 @ 3:16pm

Re: Re: My turn! ...
ouch!
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 3:28pm

A Sony Representative claims that these "Security breaches are a very rare exception to the rule, a once in a lifetime event," at the same time that his servers are being hacked.
[ link to this | view in thread ]
Almost Anonymous (profile), 18 May 2011 @ 3:40pm

Re: Re: Company-wide pattern?
"""to their credit the PS3 went uncracked the longest out of any game system, so the DRM wasn't really flawed and they did fix what geohot did pretty fast"""

1. Not to Sony's credit because no one who knew what they were doing was really trying.
2. Yes, the PS3 went "uncracked the longest", see #1.
3. The DRM was very very very flawed. Sorry, I'm not going to give a link, but the hackers' who worked on the real crack (after Geohot) have put out a lengthy explanation.
4. They did not "fix" what Geohot did at all.
[ link to this | view in thread ]
Chris in Utah (profile), 18 May 2011 @ 3:59pm

I think I mentioned this yesterday. Somebody needs to start a PR team in Anonymous to start getting kickstarter pools together for future projects.

Spitball caption on ad:
Brought to you by the same folks that braught you Climate-Gate. The same folks that filled the need in "Waste 60 bucks on a game I cant demo? FTS" & Sony hacks brings you....

The thing of it is the entertainment value is huge. Think about Hacker(the movie) like competitions on destroying senators that go against he public interest. I distinctly remember if the government fears the people....
[ link to this | view in thread ]
Anonymous Coward, 18 May 2011 @ 4:03pm

Re: haiku (so maybe Sony will understand)
Whilst claiming that these security holes have been fixed, the servers are being hacked as the rep speaks.
[ link to this | view in thread ]
Bas (profile), 18 May 2011 @ 4:53pm

"if you have their email and date of birth"

or even Facebook, or most social networks.
[ link to this | view in thread ]
SD (profile), 18 May 2011 @ 5:36pm

Re: Re: Three possible explanations
I read the article and my list of possible explanations are correct.

Resetting passwords by email address alone(no DOB) is a standard way of starting a two-phase authorization.

If you read the forum thread that Kotaku linked to, you can see that someone received an initial email that said something along the lines of "Click this link to reset your password".

Normally that's where a fraudulent password reset request would end unless someone had access to a user's email account, however seconds later they received another email saying the request was completed.

Sony just stated on their blog that this was a "URL exploit", so now I present two other explanations which I forgot to list.

4. Sony set their script to automatically bypass the second phase so people wouldn't have to check their email account.
Heads should roll if this is true, but I doubt it. Why even make a two-phase auth system if they're going to bypass it themselves?

5. Sony let blank auth keys reset passwords (the official explanation?)
Maybe the programmer accidentally put something like a = instead of == for matching... But the structure of the links make me call bull on this.
[ link to this | view in thread ]
SD (profile), 18 May 2011 @ 5:58pm

Re: Re: Re: Three possible explanations
Now I think I know what really happened. Check out update #3 on Kotaku article.

The script set a cookie when someone reset a password. Then it let blank auth keys go through, and figured out what account you wanted to reset based on the cookie they set earlier.
[ link to this | view in thread ]
SD (profile), 18 May 2011 @ 6:11pm

Re: Re: Three possible explanations
ALWP dude. I think that would fall under option 3 though, as well as brute-forcing.
[ link to this | view in thread ]
testcore (profile), 18 May 2011 @ 8:57pm

Re: Re: Sony IT guy
You'd be surprised at how true this really is. I used to be a game tester for them back in the PS2 days testing games for platform compliance. We were theoretically supposed to be finding bugs before a game went gold. Reality tho was that we would have to write up any and all game issues which could create a liability for Sony. 80+ Game Testers writing up "bugs" about trademarks appearing in other publishers' titles. We worked for the Legal Dept.
[ link to this | view in thread ]
Richard (profile), 19 May 2011 @ 2:43pm

Why they got hacked
Sony remove Other OS

Who uses Other OS? - people who make supercomputers from lots of PS3's - what do they use them for?

security research

"On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash.[7] The researchers used a cluster of Sony Playstation 3s at the EPFL in Lausanne, Switzerland"

Irony of ironies - were Sony hacked by their own hardware?
[ link to this | view in thread ]
Anonymous Coward, 20 May 2011 @ 10:23am

And now a phishing site found on one of their servers...

http://latimesblogs.latimes.com/technology/2011/05/sony-servers-hacked-host-credit-car d-phishing-site.html
[ link to this | view in thread ]
Anonymous Coward, 20 May 2011 @ 11:09am

And it just keeps getting worse for Sony:

http://www.foxnews.com/scitech/2011/05/20/sony-hacked-playstation-so-net-isp/
[ link to this | view in thread ]