Well, That Was Fast: Sony's New PSN System? Hacked!

from the hiccup dept

So, it took a few weeks for Sony to get everything in order after its er... hiccup in exposing the details of everyone on the PlayStation Network. And now the Japanese government's worry that Sony hadn't really fixed the problem or made its system secure appears to be coming true. There are reports this morning that the new password reset system has been exploited, such that you could change anyone's password if you have their email and date of birth. You know where you could have gotten that info? From the original hacked data. Right. *Hic*


Reader Comments

  1. Hephaestus (profile), May 18th, 2011 @ 11:28am

    Dear Sony
    I see you are Having tea with Karma again.
    Sincerely,
    Anonymous

  2. Anonymous Coward, May 18th, 2011 @ 11:51am

    Dear Anonymous,

    OK WE GIVE UP!! PLEASE STOP!!

    - Sony

  3. Hephaestus (profile), May 18th, 2011 @ 11:52am

    Oh.... better one!

    Dear Sony
    Karma Much??
    Sincerely,
    GeoHot

  4. Fzzr (profile), May 18th, 2011 @ 11:57am

    Company-wide pattern?

    The PS3 crack that kicked off Sony's recent legal campaign against GeoHot and Anonymous' subsequent DDoS attacks was made possible by the PS3 validating all games through a single root key. Bad security practice appears to be endemic at Sony, from DRM to network security.

  5. Sony Hacking Spree, May 18th, 2011 @ 12:00pm

    Re: Don't taunt hackers... Part Deux

    What a travesty

  6. Mr. LemurBoy (profile), May 18th, 2011 @ 12:04pm

    *Ahem*

    BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH*wheeze*AHAHAHAHAH

  7. Hephaestus (profile), May 18th, 2011 @ 12:04pm

    One more....

    Dear Sony
    ha... No Wait... HA!!!!!
    Sincerely,
    The Xbox 360 Dev Team

  8. pixelpusher220 (profile), May 18th, 2011 @ 12:21pm

    Not really a hack this time

    This is purely lousy design...

  9. Jay (profile), May 18th, 2011 @ 12:22pm

    My turn!

    Dear Sony,

    You should have done what we did...
    Friend codes are the future!

    Sincerely,
    Nintendo

  10. Hephaestus (profile), May 18th, 2011 @ 12:27pm

    Re: My turn!...

    Dear Sony PS3,
    I feel your pain..... no kids want to play with me either.
    Sincerely,
    Michael Jackson

  11. A non-mouse, May 18th, 2011 @ 12:28pm

    More hiccups?

    Dear Sony,

    Those hiccups must be just awful, what with your head so far up your ass!

  12. Chuck Norris' Enemy (deceased) (profile), May 18th, 2011 @ 12:34pm

    Sony IT guy

    Sony IT guy - "Okay! Just rebooted the system. Does it work now?"

  13. Chronno S. Trigger (profile), May 18th, 2011 @ 12:34pm

    Re: More hiccups?

    Oh, so that's how you land in the hospital for a month with the hiccups.

  14. SD (profile), May 18th, 2011 @ 12:42pm

    Three possible explanations

    1. They had the reset password auth key generator key from the previous intrusion, or got in again and stole it.
    The most likely scenario.

    2. They found the auth keys in the confirmation page that shows after submitting an email address & DOB.
    Very poor design I've seen on some sites before, but you'd have to be incompetent or negligent to code something like this.

    3. They guessed it or social engineered it.
    Unlikely...

  15. The Buzz Saw (profile), May 18th, 2011 @ 12:42pm

    Sony should work on its fanbase...

    Last I checked, having a supportive group of fans is far more effective than any amount of engineering. If the fans are on your side, you can tap into the community and summon its collective power to solve problems. Instead, Sony has built a fortress to defend itself from fans. It stays behind its walls and simply attaches bait (in the form of entertainment) to hooks and fishes for fans from the safety of its castle. Heaven forbid the fishermen have any meaningful interaction with their catch! The fish (or their money) are all that matter!

  16. A.R.M. (profile), May 18th, 2011 @ 12:45pm

    It could be worse!

    You could receive a service pack on your game console which has a chance to brick your box, and it's mandatory to enable additional copyright protection which makes reading retail disks impossible.

    Though, you'll be blessed with a free console, at least two weeks of no games, and one year of Xbox Live free of charge for the "trouble" of preventing your legally purchased products from working.

    Thank goodness I own a Wii! Since developers shunned this piece of crap, I've nothing to worry about.
    :|


  18. Greevar (profile), May 18th, 2011 @ 1:01pm

    And thus was the beginning of the end for the PS3.

    Maybe they will learn that any security that can be unlocked can be broken? There are enough people with the will and skill to do it out there. And they love a good challenge as much as they love wiping the smug grins from Sony's face.

  19. Anonymous Coward, May 18th, 2011 @ 1:07pm

    Obvious fail is obvious. Couldn't happen to a nicer company. bwahahahahahahaha. Eat it Sony!

  20. harbingerofdoom (profile), May 18th, 2011 @ 1:07pm

    wow, the fanbois are going to be having a fit of apoplexy over this.

    okay... that's +1 for the use of fanboys, +.5 for the alternate spelling, +3 for big archaic word used correctly and it's on a triple word space... +70.5 for me.

  21. Anonymous Coward, May 18th, 2011 @ 1:10pm

    If this is a hiccup, god forbid they get the flu.

  22. DaveL (profile), May 18th, 2011 @ 1:12pm

    haiku (so maybe Sony will understand)

    My dearest Sony,
    Obvious fail on this one,
    Karma is a bitch...

    *giggle*

  23. Anonymous Coward, May 18th, 2011 @ 1:12pm

    Re: Sony IT guy

    What IT guy? It's probably some lawyer that knows how to reinstall Windows and thus he thinks he can fix a server. After all, Sony's workforce is 99% lawyers.

  24. Gh0st, May 18th, 2011 @ 1:13pm

    Well, sucks to be them.

  25. Anonymous Coward, May 18th, 2011 @ 1:20pm

    Re: Sony IT guy

    I have to say it... this is getting well into TJX territory.

  26. Greevar (profile), May 18th, 2011 @ 1:24pm

    Re:

    Yahtzee!

  27. Anonymous Coward, May 18th, 2011 @ 2:02pm

    Re: Company-wide pattern?

    To their credit, the PS3 went uncracked the longest out of any game system, so the DRM wasn't really flawed, and they did fix what GeoHot did pretty fast and remove you from PSN if you were using the modified firmware.

    However, their network security seems to be one step beyond saying "Just set the password to "secret", who is gonna fuck with us?"

  28. Anonymous Coward, May 18th, 2011 @ 2:05pm

    Re: It could be worse!

    Brand new free system, freebies valued at $70, two weeks 'ish' downtime. Not sure how it's worse....

    Although it's definitely shitty, yeah, console-breaking DRM.

  29. DCX2, May 18th, 2011 @ 2:20pm

    Re: Three possible explanations

    4. The seed for the auth key generator is the same seed for all the PS3 keys.

  30. Jon B. (profile), May 18th, 2011 @ 2:22pm

    Whatever profit Sony was supposedly "losing" to piracy and jailbreaking has been immensely surpassed by the ongoing degree of fuckupitude.

  31. Josh in CharlotteNC (profile), May 18th, 2011 @ 2:35pm

    Re: Three possible explanations

    Read the article.

    When logging back into the PSN, Sony is forcing everyone to reset their passwords.

    To verify a user, since the old passwords were stolen, they needed to use some other piece of information to confirm users.

    So instead they decided to use the email and DOB. The same information that was stolen along with the passwords.

    This kind of oversight is epic Picard-level facepalm.

  32. pclanguy, May 18th, 2011 @ 2:50pm

    Re: Re: Sony IT guy

    TJX territory? They passed TJX territory at the first hiccup.

    Sony needs to redesign their console with a ring of status lights and an LCD display. This way they can red-ring-of-death their consoles while scrolling your personal and credit card information on the LCD.

    That's considered notification that your personal information has been leaked, isn't it? As an added bonus, you won't have to wait 7 days to find out.

  33. crade (profile), May 18th, 2011 @ 3:13pm

    Re: Re: Company-wide pattern?

    Well, Sony also didn't ask to be hacked until pretty recently. There isn't much of a need to jailbreak something that officially supports running custom code. You can't really start the timer until they stopped.

  34. Falindraun (profile), May 18th, 2011 @ 3:16pm

    Re: Re: My turn!...

    ouch!

  35. Anonymous Coward, May 18th, 2011 @ 3:28pm

    A Sony representative claims that these "Security breaches are a very rare exception to the rule, a once in a lifetime event," at the same time that his servers are being hacked.

  36. Almost Anonymous (profile), May 18th, 2011 @ 3:40pm

    Re: Re: Company-wide pattern?

    "to their credit the PS3 went uncracked the longest out of any game system, so the DRM wasn't really flawed and they did fix what geohot did pretty fast"

    1. Not to Sony's credit, because no one who knew what they were doing was really trying.
    2. Yes, the PS3 went "uncracked the longest", see #1.
    3. The DRM was very very very flawed. Sorry, I'm not going to give a link, but the hackers who worked on the real crack (after GeoHot) have put out a lengthy explanation.
    4. They did not "fix" what GeoHot did at all.

  37. Chris in Utah (profile), May 18th, 2011 @ 3:59pm

    I think I mentioned this yesterday. Somebody needs to start a PR team in Anonymous to start getting Kickstarter pools together for future projects.

    Spitball caption on ad:
    Brought to you by the same folks that brought you Climate-Gate. The same folks that filled the need in "Waste 60 bucks on a game I can't demo? FTS" & Sony hacks brings you....

    The thing of it is, the entertainment value is huge. Think about Hackers (the movie) like competitions on destroying senators that go against the public interest. I distinctly remember if the government fears the people....

  38. Anonymous Coward, May 18th, 2011 @ 4:03pm

    Re: haiku (so maybe Sony will understand)

    Whilst claiming that these security holes have been fixed, the servers are being hacked as the rep speaks.

  39. Bas (profile), May 18th, 2011 @ 4:53pm

    "if you have their email and date of birth"

    or even Facebook, or most social networks.

  40. SD (profile), May 18th, 2011 @ 5:36pm

    Re: Re: Three possible explanations

    I read the article and my list of possible explanations is correct.

    Resetting passwords by email address alone (no DOB) is a standard way of starting a two-phase authorization.

    If you read the forum thread that Kotaku linked to, you can see that someone received an initial email that said something along the lines of "Click this link to reset your password".

    Normally that's where a fraudulent password reset request would end unless someone had access to a user's email account; however, seconds later they received another email saying the request was completed.

    Sony just stated on their blog that this was a "URL exploit", so now I present two other explanations which I forgot to list.

    4. Sony set their script to automatically bypass the second phase so people wouldn't have to check their email account.
    Heads should roll if this is true, but I doubt it. Why even make a two-phase auth system if they're going to bypass it themselves?

    5. Sony let blank auth keys reset passwords (the official explanation?)
    Maybe the programmer accidentally put something like a = instead of == for matching... But the structure of the links makes me call bull on this.

  41. SD (profile), May 18th, 2011 @ 5:58pm

    Re: Re: Re: Three possible explanations

    Now I think I know what really happened. Check out update #3 on the Kotaku article.

    The script set a cookie when someone reset a password. Then it let blank auth keys go through, and figured out what account you wanted to reset based on the cookie they set earlier.
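The failure mode SD describes above (account taken from a cookie, blank auth key waved through), sketched as an added Python example beside a completion step that binds the account to the key itself. This is illustrative code written for this page, not Sony's; the in-memory stores, function names and sample account are constructed.

```python
import hashlib
import secrets

# Constructed in-memory stores for this example; no real service behind them.
USERS = {"alice@example.com": {"password": "old-pass"}}
PENDING = {}     # vulnerable flow: email -> expected key
PENDING_H = {}   # hardened flow: sha256(key) -> email


def issue_reset(email):
    """Step one of the reset: mint a random key and record it for the account.
    Both completion flows below share this step; only their checks differ."""
    key = secrets.token_urlsafe(32)
    PENDING[email] = key
    PENDING_H[hashlib.sha256(key.encode()).hexdigest()] = email
    return key


def vulnerable_complete_reset(params, cookies, new_password):
    """The pattern the thread describes: the account to reset is read from a
    cookie set in step one, and an empty key never reaches the comparison,
    so a request carrying no key at all completes the reset."""
    email = cookies.get("reset_account")
    key = params.get("key", "")
    if email not in USERS:
        return False
    if key and key != PENDING.get(email):   # empty key skips the '!=' check
        return False
    USERS[email]["password"] = new_password
    return True


def hardened_complete_reset(params, new_password):
    """Identity is derived from the key itself, never from a cookie or any
    client-controlled parameter; empty keys are rejected; keys are one-use."""
    key = params.get("key", "")
    if not key:
        return False
    digest = hashlib.sha256(key.encode()).hexdigest()
    email = PENDING_H.pop(digest, None)      # pop enforces single use
    if email is None:
        return False
    PENDING.pop(email, None)
    USERS[email]["password"] = new_password
    return True
```

The vulnerable path accepts an empty key because the check is only evaluated when a key is present; the hardened path has no cookie to consult, so the only way to name an account is to hold its unused key.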

  42. SD (profile), May 18th, 2011 @ 6:11pm

    Re: Re: Three possible explanations

    ALWP dude. I think that would fall under option 3 though, as well as brute-forcing.

  43. testcore (profile), May 18th, 2011 @ 8:57pm

    Re: Re: Sony IT guy

    You'd be surprised at how true this really is. I used to be a game tester for them back in the PS2 days, testing games for platform compliance. We were theoretically supposed to be finding bugs before a game went gold. Reality, though, was that we would have to write up any and all game issues which could create a liability for Sony. 80+ game testers writing up "bugs" about trademarks appearing in other publishers' titles. We worked for the Legal Dept.

  44. Richard (profile), May 19th, 2011 @ 2:43pm

    Why they got hacked

    Sony removed Other OS.

    Who uses Other OS? People who make supercomputers from lots of PS3s. What do they use them for?

    Security research.

    "On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash.[7] The researchers used a cluster of Sony Playstation 3s at the EPFL in Lausanne, Switzerland"

    Irony of ironies: were Sony hacked by their own hardware?

