The Great 2011 PSN Outage Megathread *Post 1 updated*

SeanQCitizen wrote: »

I don't know much* about web security but it strikes me that if Sony did have Apache and if Apache was such hot sh!t then everyone who runs Apache would be bricking it because that would suggest that Apache didn't stop the hack. Obviously there was something that as yet is specific to Sony's format of security protocals that was weak that enabled this to happen. Or else there is a suggestion that if you are targeted by dedicated hackers all you can do is delay but eventually they will get through even if you stay current with the best(at least considered in the market place) software.

*anything

GothPunk wrote: »

You haven't detailed how you know that Sony's servers were set up in such a dumb ass way? Do you have any proof for example, as the article you linked to advises against, that the servers were being run as root? Perhaps they had their permissions for sharing files a bit too open as the hackers were able to download such a large amount of data from several of their servers, but that's just speculation on my part - I have no proof of that. Do you?

So far in this thread you have come to the discussion with old information that has since simply been shown to be incorrect. For example, certain less than reputable websites that you and others have linked to said that Sony's servers were running an out of date version of Apache - which a Beyond3D user demonstrated is simply false. Sure you could argue that only some of their servers were running the most up-to-date version, but it still paints the websites that were reporting that all the servers were running out of date firmware etc as in a bad light. It seems like they were just capitalising on the situation, spreading FUD and making stuff up.

Secondly, they said that the credit card information was sent in plain text - it has since been confirmed that the credit card information was encrypted, which I'm sure we're all aware is a PCI standard of such large scale businesses are suggested to employ. We also haven't seen a single case of credit card fraud out of this, and seeing as how the passwords were hashed, we also haven't seen anyone's accounts, email etc being hacked. It seems all we've seen so far is an increase in spam for some people. If Sony were truly in breach of PCI requirements, we would be seeing at least some cases of fraud out of this. The report that the credit card details were being sold on the black market was also demonstrated to be false. It's all nonsense!

If you want to posit that Sony are lying, you'll need some facts to back up your claim, instead of just some speculation and FUD posted on some trashy hacker friendly website or blog. The FBI are on board to aid Sony in sorting out this mess - do you really think they're going to lie about this stuff with a federal investigation of their IT infrastructure going on? With US Congress asking for clarification of how consumers were affected?

Do I really need to explain to you that you shouldn't believe everything you read on the internet? That last link you linked to is bullshít, another FUD article - looking at their extrapolation of 77 million accounts to cost Sony $15 billion is just ludicrous! Can't you see that they're just talking out of their ass? They want hits, they don't care about fact checking. Look at their wording 'Certain sources allege...' '...the potential damage...'.

Our survey says: WRONG!

Achilles wrote: »

One simple question: If Sony were running secure servers then how was the data compromised?

Perhaps the following article will clear it up for you or is GeoHot considered too hacker friendly too?!

http://geohotgotsued.blogspot.com/2011/04/recent-news.html

Now until more information is revealed on the technicals, I can only speculate

Sephiroth_dude wrote: »

Any new news?

Achilles wrote: »

The fact remains... if their system was so secure then how did somebody get in? Hrmmm?

Benzino wrote: »

I'm of the believe that any system is hackable. Xbox Live, Amazon, Play.com etc You name it, it can be hacked. All it takes is a group of dedicated hackers.

Why have none of the above been hacked but yet Sony have? Because none of the above have gone and pissed off a group of hackers!

Greeting to you

I know you may feel very surprised to receive my letter at this moment
but i am in deep pains and left with no option and that is why i am
contacting you. My name is Muhammad Arraf, an oil dealer from Libya,
within the past few weeks; I believe you must have heard or seen on
the news regarding the massacre and crisis in my country (Libya). Our
president Muammar Abu Minyar al-Gaddafi who has been ruling our
country for the past 42 years,(
http://en.wikipedia.org/wiki/Muammar_al-Gaddafi )he has refused to
step down and this has led the protectors seeking his resignation just
like it happened in Egypt.
The bad news right now is that more than 6,000 people have been killed
so far and i do not know how many that will die in the next few days.
My wife and my two children were also killed. As i am writing you now,
my life is in danger.

I want to leave this country by any means and run for my life before I
get killed also. I already transferred my business capital $US4.4
Million (Four Million, Four Hundred Thousand Dollars) to Financial
security company in England but we are not authorized to travel to UK
because the UK embassy here has been closed as a result of the crisis.
Other embassies are still open but may close anytime if they receive
instructions. I am so confused right now because i don't know where to
run to. I am writing you because i want to relocate to your country
and start a new life with my capital. I am seeking for your help
because I want to transfer my fund in UK to another country since I
cannot have a UK visa right now. I am not doing anything in this
country where my life is in danger and I have lost the only family
I’ve got.

I believe you can assist me to transfer my capital in UK to your
country while i prepare the documents here to relocate to your country
and start a new life. Please listen to my cry for help, a lot of
people have been killed now and i don't want to die. See the video
clip of the recent killings on youtube.com

I promise to reward you with 10% of my business capital in
appreciation for what you did for me as soon as i arrive your country.
Please help, I am a very rich man here but being rich is not important
to me now, what matters to me right now is my life. I hope to receive
your response and also the details on how i can know much about you.

Thanks and may Allah bless you.

Please be informed that all forms of telephone communications have
been disabled because of the crisis, email will be the only form of
communication for now.

Muhammad Arraf

Achilles wrote: »

Lest I also point out the fact that Sony have repeatedly failed to adhere to PCI Complaince which is a legal requirement of any card handlers that operate in America for instance.

These are the guidelines that they should have been following:
https://www.pcisecuritystandards.org/security_standards/getting_started.php

This article outlines how they have failed PCI compliance:
http://www.merchantprocessingresource.com/apps/blog/show/next?from_id=6874218

Beefy78 wrote: »

If the QSA misses something then what can the company themselves do?

donalg1 wrote: »

Is it back yet?

donalg1 wrote: »

Xbox 360 owner here, i genuinely want to know but cant be bothered going through all these pages.

donalg1 wrote: »

Have Sony said what they are giving each user to say sorry yet?