Well, That Was Fast: Sony's New PSN System? Hacked!

from the hiccup dept

So, it took a few weeks for Sony to get everything in order after its er... hiccup in exposing the details of everyone on the PlayStation Network. And, now it appears that the Japanese government's worries that Sony hadn't really fixed the problem or made its system secure appear to be coming true. There are reports this morning that the new password reset system has been exploited, such that you could change anyone's password if you have their email and date of birth. You know where you could have gotten that info? From the original hacked data. Right. *Hic*
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hack, psn
Companies: sony


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Hephaestus (profile), 18 May 2011 @ 11:28am

    Dear Sony
    I see you are Having tea with Karma again.
    Sincerely,
    Anonymous

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2011 @ 11:51am

    Dear Anonymous,

    OK WE GIVE UP!! PLEASE STOP!!

    - Sony

    link to this | view in chronology ]

  • icon
    Hephaestus (profile), 18 May 2011 @ 11:52am

    Oh .... better one !

    Dear Sony
    Karma Much??
    Sincerely,
    GeoHot

    link to this | view in chronology ]

  • icon
    Fzzr (profile), 18 May 2011 @ 11:57am

    Company-wide pattern?

    The PS3 crack that kicked off Sony's recent legal campaign against GeoHot and Anonymous' subsequent DDOS attacks was made possible by the PS3 validating all games through a single root key. Bad security practice appears to be endemic at Sony, from DRM to network security.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2011 @ 2:02pm

      Re: Company-wide pattern?

      to their credit the PS3 went uncracked the longest out of any game system, so the DRM wasn't really flawed and they did fix what geohot did pretty fast and remove you from psn if you were using the modified firmware.

      However their network security seems be a one step beyond saying "Just set the password to "secret" who is gonna fuck with us?"

      link to this | view in chronology ]

      • icon
        crade (profile), 18 May 2011 @ 3:13pm

        Re: Re: Company-wide pattern?

        Well, sony also didn't ask to be hacked until pretty recently. There isn't much of a need to jailbreak something that officially supports running custom code. You can't really start the time until they stopped.

        link to this | view in chronology ]

      • icon
        Almost Anonymous (profile), 18 May 2011 @ 3:40pm

        Re: Re: Company-wide pattern?

        """to their credit the PS3 went uncracked the longest out of any game system, so the DRM wasn't really flawed and they did fix what geohot did pretty fast"""

        1. Not to Sony's credit because no one who knew what they were doing was really trying.
        2. Yes, the PS3 went "uncracked the longest", see #1.
        3. The DRM was very very very flawed. Sorry, I'm not going to give a link, but the hackers' who worked on the real crack (after Geohot) have put out a lengthy explanation.
        4. They did not "fix" what Geohot did at all.

        link to this | view in chronology ]

  • icon
    Mr. LemurBoy (profile), 18 May 2011 @ 12:04pm

    *Ahem*

    BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH*wheeze*AHAHAHAHAH

    link to this | view in chronology ]

  • icon
    Hephaestus (profile), 18 May 2011 @ 12:04pm

    One more ....

    Dear Sony
    ha ... No Wait ... HA!!!!!
    Sincerely,
    The Xbox 360 Dev Team

    link to this | view in chronology ]

  • icon
    pixelpusher220 (profile), 18 May 2011 @ 12:21pm

    Not really a hack this time

    This is purely lousy design...

    link to this | view in chronology ]

  • icon
    Jay (profile), 18 May 2011 @ 12:22pm

    My turn!

    Dear Sony,

    You should have done what we did...
    Friend codes are the future!

    Sincerely,
    Nintendo

    link to this | view in chronology ]

  • identicon
    A non-mouse, 18 May 2011 @ 12:28pm

    More hiccups?

    Dear Sony,

    Those hiccups must be just awful, what with your head so far up your ass!

    link to this | view in chronology ]

  • icon
    Chuck Norris' Enemy (deceased) (profile), 18 May 2011 @ 12:34pm

    Sony IT guy

    Sony IT guy - "Okay! Just rebooted the system. Does it work now?"

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2011 @ 1:12pm

      Re: Sony IT guy

      What IT guy? It's probably some lawyer that knows how to reinstall windows and thus he thinks he can fix a server. After all sony's workforce is 99% lawyers

      link to this | view in chronology ]

      • icon
        testcore (profile), 18 May 2011 @ 8:57pm

        Re: Re: Sony IT guy

        You'd be surprised at how true this really is. I used to be a game tester for them back in the PS2 days testing games for platform compliance. We were theoretically supposed to be finding bugs before a game went gold. Reality tho was that we would have to write up any and all game issues which could create a liability for Sony. 80+ Game Testers writing up "bugs" about trademarks appearing in other publishers' titles. We worked for the Legal Dept.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2011 @ 1:20pm

      Re: Sony IT guy

      I have to say it...this is getting well into TJX territory.

      link to this | view in chronology ]

      • identicon
        pclanguy, 18 May 2011 @ 2:50pm

        Re: Re: Sony IT guy

        TJX territory? They passed TJX territory at the first hiccup.

        Sony needs to redesign their console with a ring of status lights and a LCD display. This way they can red ring of death their consoles while scrolling your personal and credit card information in the LCD.

        That's considered notification that your personal information has been leaked isn't it? As an added bonus, you won't have to wait 7 days to find out.

        link to this | view in chronology ]

  • icon
    SD (profile), 18 May 2011 @ 12:42pm

    Three possible explanations

    1. They had the reset password auth key generator key from the previous intrusion, or got in again and stole it
    The most likely scenario.

    2. They found the auth keys in the confirmation page that shows after submitting an email address & DOB
    Very poor design I've seen on some sites before but you'd have to be incompetent or negligent to code something like this.

    3. They guessed it or social engineered it
    Unlikely...

    link to this | view in chronology ]

    • identicon
      DCX2, 18 May 2011 @ 2:20pm

      Re: Three possible explanations

      4. The seed for the auth key generator is the same seed for all the PS3 keys.

      link to this | view in chronology ]

      • icon
        SD (profile), 18 May 2011 @ 6:11pm

        Re: Re: Three possible explanations

        ALWP dude. I think that would fall under option 3 though, as well as brute-forcing.

        link to this | view in chronology ]

    • icon
      Josh in CharlotteNC (profile), 18 May 2011 @ 2:35pm

      Re: Three possible explanations

      Read the article.

      When logging back into the PSN, Sony is forcing everyone to reset their passwords.

      To verify a user, since the old passwords were stolen, they needed to use some other piece of information to confirm users.

      So instead they decided to use the email and DOB. The same information that was stolen along with the passwords.

      This kind of oversight is epic Picard level facepalm.

      link to this | view in chronology ]

      • icon
        SD (profile), 18 May 2011 @ 5:36pm

        Re: Re: Three possible explanations

        I read the article and my list of possible explanations are correct.

        Resetting passwords by email address alone(no DOB) is a standard way of starting a two-phase authorization.

        If you read the forum thread that Kotaku linked to, you can see that someone received an initial email that said something along the lines of "Click this link to reset your password".

        Normally that's where a fraudulent password reset request would end unless someone had access to a user's email account, however seconds later they received another email saying the request was completed.

        Sony just stated on their blog that this was a "URL exploit", so now I present two other explanations which I forgot to list.

        4. Sony set their script to automatically bypass the second phase so people wouldn't have to check their email account.
        Heads should roll if this is true, but I doubt it. Why even make a two-phase auth system if they're going to bypass it themselves?

        5. Sony let blank auth keys reset passwords (the official explanation?)
        Maybe the programmer accidentally put something like a = instead of == for matching... But the structure of the links make me call bull on this.

        link to this | view in chronology ]

        • icon
          SD (profile), 18 May 2011 @ 5:58pm

          Re: Re: Re: Three possible explanations

          Now I think I know what really happened. Check out update #3 on Kotaku article.

          The script set a cookie when someone reset a password. Then it let blank auth keys go through, and figured out what account you wanted to reset based on the cookie they set earlier.

          link to this | view in chronology ]

  • icon
    The Buzz Saw (profile), 18 May 2011 @ 12:42pm

    Sony should work on its fanbase...

    Last I checked, having a supportive group of fans is far more effective than any amount of engineering. If the fans are on your side, you can tap into the community and summon its collective power to solve problems. Instead, Sony has built a fortress to defend itself from fans. It stays behind its walls and simply attaches bait (in the form of entertainment) to hooks and fishes for fans from the safety of its castle. Heaven forbid the fishermen have any meaningful interaction with their catch! The fish (or their money) are all that matter!

    link to this | view in chronology ]

  • icon
    A.R.M. (profile), 18 May 2011 @ 12:45pm

    It could be worse!

    You could receive a service pack on your game console which has a chance to brick your box and it's mandatory to enable additional copyright protection which makes reading retail disks impossible.

    Though, you'll be blessed with a free console, at least two weeks of no games, and one year of XBox Live free of charge for the "trouble" of preventing your legally purchased products from working.

    Thank goodness I own a Wii! Since developers shunned this piece of crap, I've nothing to worry about.
    :|

    link to this | view in chronology ]

  • icon
    A.R.M. (profile), 18 May 2011 @ 12:46pm

    It could be worse!

    You could receive a service pack on your game console which has a chance to brick your box and it's mandatory to enable additional copyright protection which makes reading retail disks impossible.

    Though, you'll be blessed with a free console, at least two weeks of no games, and one year of XBox Live free of charge for the "trouble" of preventing your legally purchased products from working.

    Thank goodness I own a Wii! Since developers shunned this piece of crap, I've nothing to worry about.
    :|

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2011 @ 2:05pm

      Re: It could be worse!

      brand new free system, freebies valued at 70$, two weeks 'ish' downtime. Not sure how its worse....

      although its definitely shitty, yeah console breaking drm

      link to this | view in chronology ]

  • icon
    Greevar (profile), 18 May 2011 @ 1:01pm

    And thus was the beginning of the end for the PS3.

    Maybe they will learn that any security that can be unlocked, can be broken? There are enough people with the will and skill to do it out there. And they love a good challenge as much as they love wiping the smug grins from Sony's face.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2011 @ 1:07pm

    Obvious fail is obvious. Couldn't happen to a nicer company. bwahahahahahahaha. Eat it Sony!

    link to this | view in chronology ]

  • icon
    harbingerofdoom (profile), 18 May 2011 @ 1:07pm

    wow, the fanbois are going to be having a fit of apoplexy over this.


    okay... thats +1 for the use of fanboys, +.5 for the alternate spelling, +3 for big archaic word used correctly and its on a triple word space... +70.5 for me.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2011 @ 1:10pm

    If this is a hiccup god forbid they get the flu.

    link to this | view in chronology ]

  • icon
    DaveL (profile), 18 May 2011 @ 1:12pm

    haiku (so maybe Sony will understand)

    My dearest Sony,
    Obvious fail on this one,
    Karma is a bitch...

    *giggle*

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2011 @ 4:03pm

      Re: haiku (so maybe Sony will understand)

      Whilst claiming that these security holes have been fixed, the servers are being hacked as the rep speaks.

      link to this | view in chronology ]

  • identicon
    Gh0st, 18 May 2011 @ 1:13pm

    Well sucks to be them.

    link to this | view in chronology ]

  • icon
    Jon B. (profile), 18 May 2011 @ 2:22pm

    Whatever profit Sony was supposedly "losing" to piracy and jailbreaking has been immensely surpassed by the ongoing degree of fuckupitude.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2011 @ 3:28pm

    A Sony Representative claims that these "Security breaches are a very rare exception to the rule, a once in a lifetime event," at the same time that his servers are being hacked.

    link to this | view in chronology ]

  • icon
    Chris in Utah (profile), 18 May 2011 @ 3:59pm

    I think I mentioned this yesterday. Somebody needs to start a PR team in Anonymous to start getting kickstarter pools together for future projects.

    Spitball caption on ad:
    Brought to you by the same folks that braught you Climate-Gate. The same folks that filled the need in "Waste 60 bucks on a game I cant demo? FTS" & Sony hacks brings you....

    The thing of it is the entertainment value is huge. Think about Hacker(the movie) like competitions on destroying senators that go against he public interest. I distinctly remember if the government fears the people....

    link to this | view in chronology ]

  • icon
    Bas (profile), 18 May 2011 @ 4:53pm

    "if you have their email and date of birth"

    or even Facebook, or most social networks.

    link to this | view in chronology ]

  • icon
    Richard (profile), 19 May 2011 @ 2:43pm

    Why they got hacked

    Sony remove Other OS

    Who uses Other OS? - people who make supercomputers from lots of PS3's - what do they use them for?

    security research

    "On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash.[7] The researchers used a cluster of Sony Playstation 3s at the EPFL in Lausanne, Switzerland"

    Irony of ironies - were Sony hacked by their own hardware?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 May 2011 @ 10:23am

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 May 2011 @ 11:09am

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.