PSN Hack: Why I blame Sony more than the hackers

Unless you’ve been under a rock for the past few days, you probably know that Sony announced they have been hacked, and our private information (potentially including credit card numbers) has been stolen from the PSN. This potentially impacts 77’000’000 customers.

I’ve received many emails/comments telling me “Wololo, you’re always in favor of CFW, and always on the side of the hackers, so what do you say now?”

Well, clearly I’m not happy that some people did that, I’m not happy that my information got stolen by these people. I want to point out that I never claimed that hacking into a corporation’s network was a good thing. Just like other people who are in favor of hacking and jailbreaking, I think customers should be able to enjoy their hardware the way they want, as long as they do not interfere with other people’s freedom. This makes things very clear: I’m not in favor of piracy, cheating online, identity theft, or anything like that.

This attack is unrelated to jailbreak

I’ve seen various comments on the net that this attack was performed “thanks” to some Custom firmware installed on some PS3s. This triggered new “anti jailbreak” comments from various people, including this guy who, despite making the effort to do some research on the subject (and that’s good, because most people don’t do that), clearly should not be talking about stuff he doesn’t understand. I’m a computer engineer, I don’t talk about fashion. He’s a gamer and shouldn’t talk about security.

So, why do I claim that this has nothing to do with jailbreaks? Well, assuming the hack was performed “thanks” to a hacked PS3, it means Sony’s servers “trust” a PS3 accessing their system to not be hacked or modified. This is crazy, and this is security 101: the server should NEVER trust the client, end of story, NO exception. I trust Sony’s engineers to know this, so I believe this is not what happened. If I’m wrong, and if indeed there was some backdoor in the Sony system that allowed a PS3 to be trusted more than, say, MediaGo running on a PC, then whoever put such a backdoor in place is highly responsible for what happened. And Sony is guilty of believing that security through obscurity works. As I read somewhere, the good thing about open source software is that you can’t start to believe that your “opponent” won’t be able to read your code. So you design your security accordingly.

Now, my opinion is that a Jailbroken PS3 was not involved with this. Why would it be needed? You can connect to the PSN on a PC with MediaGo. It sounds fairly reasonable to me that somebody could investigate the code from that client and find some flaws in there, who knows? So for all we know, PS3 hardware wasn’t even involved in this attack, making an even stronger point that this has nothing to do with jailbreaking a PS3. And if a PS3 was actually involved and you think it means jailbreak is related to this issue, then read the paragraph above.

As customers, Sony is the one responsible for our security, we can’t trust 6 billion people to play nice

Whatever you do, there will be people in the world trying to screw you, people not respecting the law. When these people attack you, you are free to hate them. As I said, I’m not happy some people stole my information, I don’t like these guys, but I know the world is made of people stealing your stuff, and it will always be the case.

Would you give your credit card number to me, or would you enter it on a form in my website? No. Because I’m a nobody, and there is no history of me not being a bad guy. I also have no way to be contacted easily in person. But you give your credit card information to Sony. Because it is a respected company, and you trust them to handle that kind of stuff correctly. By putting your trust in them, you implicitly ask them to be responsible, and by accepting your money and your credit card number, they agree to be responsible for your information’s security, even if their stupid PSN License says they can’t be responsible for a security breach.

Sony stores the account information for 77’000’000 people. With such a big number of customers, I expect them to dedicate time and energy to securing their system. No system is perfect, but I expect them to apply the minimum security rules to their systems. First, the information retrieved by the hackers shouldn’t be usable in any way, because the information they stole should be encrypted, or hashed. Passwords should be hashed. It allows login systems to recognize that your password is correct without really knowing it. How come Sony announced that our passwords were stolen then? How can they even be “unsure” if our credit card information was stolen? Our credit card information shouldn’t even be stored on their system, at worst it should be an encrypted version, and the rest should be 100% handled by Visa or Mastercard.
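What “recognizing that your password is correct without really knowing it” looks like in practice, as an added example that is not from the original post and says nothing about how Sony’s systems actually work. It keeps only a per-user random salt and a scrypt hash; the function names, the in-memory `db` dict, the sample accounts and the cost settings are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# scrypt cost settings: assumed values for this example, tune for your hardware.
PARAMS = {"n": 2**14, "r": 8, "p": 1}


def make_record(password: str) -> dict:
    """Row stored at sign-up: random salt + derived hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex(), **PARAMS}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the login attempt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=record["r"], p=record["p"],
        dklen=len(expected),
    )
    return hmac.compare_digest(digest, expected)


# Checked for unknown usernames so they cost the same work as real ones.
_DUMMY = make_record("constructed-dummy-password")


def register(db: dict, username: str, password: str) -> None:
    db[username] = make_record(password)


def login(db: dict, username: str, password: str) -> bool:
    record = db.get(username)
    if record is None:
        verify(password, _DUMMY)
        return False
    return verify(password, record)


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    db = {}
    register(db, "alice", "hunter2-constructed")
    register(db, "bob", "hunter2-constructed")
    print(login(db, "alice", "hunter2-constructed"))   # correct password
    print(login(db, "alice", "guess"))                 # wrong password
    print(db["alice"]["hash"] == db["bob"]["hash"])    # salts make rows differ
    print(db["alice"])  # what a copy of the table contains: salt, hash, parameters
```

A copy of this table still allows offline guessing one candidate at a time; the per-user salt and the scrypt cost are what make each guess expensive and prevent one guess from being checked against every account at once.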

It is difficult to understand exactly what information was stolen. I completely understand that my birthday, my address, my email, etc… are stored in clear, it’s the only way for the system to be able to re-display them on edit pages, or for Sony to contact me. But password and credit card info? Come on. So was this a wording mistake in the PR? Or a major encryption mistake in their system? Either way this is bad, and Sony will have to explain this to their customers.

So yeah, bad guys screwed up with Sony, but Sony screwed up by playing in League 1 against companies like Google, Amazon, or Apple, without having the necessary software skills (or without investing enough in these skills) to actually play this game. As I mentioned many times, Sony is a great hardware company, but they should definitely outsource their software and their security to companies that have more experience/resources.

This is why I blame them more than the hackers, who have been doing nothing more than what robbers have done for centuries: picking locks.

  1. svanheulen’s avatar

    I also blame Sony for dropping the ball. Again. Although I think them saying everything was compromised is just to cover their asses. It hopefully was encrypted and everything is safe, but I had my bank issue me a new debit card just in case.

    I think the real issue is not that they got hacked but that they waited 10 days to tell people that their credit cards may have been stolen. That’s beyond unacceptable.

    Also it bothers me that even though my account was closed months ago they must have kept my information in their system because I got the warning email.


  2. Jurian’s avatar

    What’s your opinion on what this says?

    http://www.gameinformer.com/b/news/archive/2011/04/25/did-sony-shut-down-psn-to-combat-piracy.aspx

    Even if it was due to a ps3 cfw exploiting things, I still blame sony. And if what that guy in the link above says is true, then they should be drawn and quartered. Developer network or no, it’s idiotic.


  3. Anonymous’s avatar

    Confirmed, no PSN hacking as told above. Just an anti-piracy measure.

    Confirmed, PSN is not really hacked. It is an anti-piracy measure.

    http://psgroove.com/showthread.php?2920-How-to-buy-games-using-Rebug-cfw-and-web-links

    Found similar things like that in other pages.


    1. Angel’s avatar

      So, they were not hacked?? They discredited themselves just for those guys that were buying free games? It’s kind of hard to believe, or I am misunderstanding this


      1. wololo’s avatar

        I’m with Angel on this one. This is too bad for their image to be fake. Some information did get stolen, there’s no question about this to me.


        1. svanheulen’s avatar

          Exactly. No one would willingly admit that 77 million user accounts were possibly compromised if it wasn’t true. That doesn’t mean it couldn’t be both though.


          1. bluesora98’s avatar

            who knows, Sony might be playing with our minds this very moment. it’s possible

    2. equis’s avatar

      Hard to believe coming from a tiny forum with only two replies, taking into account the nature of the theme. Aside there are other unanswered questions, like actions taken previously by Sony, preventing this kind of actions months before, banning accounts, etc. This kind of behaviour, further, is easily detected (I think) by the administrators, so, why disconnect 77 million in favor of some thousand of games easily detectable?


  4. Anonymous’s avatar

    Well it seems like that. As told by wololo there is no possible explanation to get “all your info” at once. And I found several pages with codes to get DLCs and games using the CFW Rebug. 3.55.1, 3.56 and 3.6testbuild. So it may be that it was an anti-piracy measure, but also that could be the beginning of something else using Rebug, but not possible for hackers to get all 77 million data info of CreditCard, Info and PSNUser as told by Sony. So I strongly believe in the anti-piracy measure, fits best for a corp that does not want to lose a single dime. And it costs nothing, almost nothing, for them to close servers; it costs more to users, especially the ones with “OnlineGames”. And all the lost savedatas and DLC that were interrupted but charged.
    Greets.


  5. TMMDI’s avatar

    I’ll bet Sony pretended there was a breach in security to cover up the fact they are stealing people’s money with their credit cards! *ominous music*


  6. bluesora98’s avatar

    I guess this is the situation now:
    -The users blame Sony for being overconfident in their security.
    -Sony blames the hackers for breaching their security.
    -The hackers blame the users for trusting Sony with their information.
    what a cycle hahaha


  7. The_Black_Panther’s avatar

    Ya. I agree with Wololo and Angel. Sony will not announce something like this only to stop buying free games or something like that. Coz, this is already hitting them pretty hard. I believe their security is truly hacked and some information has been stolen. And I don’t understand how come customers’ Credit Card information is stolen (until and unless PSN store them in their database.)???? And that’s not right.. :(


    1. jlo138’s avatar

      You can store a credit or debit card on the site but you can remove those at any time. They remain there for your future purchases so you don’t have to put the info in each time. Whether or not they keep records of those cards even after removal is yet to be known. If they do, then yea that was a bad move on their part.


  8. Raziel’s avatar

    PlayStation store Top 5 Downloads.

    1. Mastercard.xml
    2. Visa.xml
    3. call of duty..
    4. killzone 3…
    5. prince of persia

    LOLLL XD


  9. Wolfdre’s avatar

    There was a statement regarding the Rebug CFW using custom certificates and certain individuals thought it was for that reason that security was breached. This is isnt likely and those that were affected by such a scenario would also have to be running Rebug CFW on their console. So does seem plausible that the use of CFW had very little to do with this security breach.


  10. Wolfdre’s avatar

    ^^^Sry for the spelling errors (This (is) isnt)


  11. 10$man’s avatar

    Mind if I relay a story? (I got this from a possibly accurate source and possible accomplice of the hackers (yes with a “s”))

    Sony computers (located in Sony’s) are hooked up to Sony’s main frame. These computers have DIRECT access to Sony’s main frame. One of the hackers, possibly a Sony employee (probably not), simply walked to one of these computers, plugged in a flash drive that contained an autorun file that booted a program to open some ports of the computer (known to other hackers in the group). These ports were then used to exploit the computer wirelessly. Then the real hacking began. The main system now was in direct view of the hackers, possibly password protected. The hackers bypassed this and gained access to Sony’s main system. The ports must be blocked for the attack to stop (I believe they are but I can’t know for sure)
    The source that I found this out from said that:
    “Indeed members from Anonymous were involved”

    I DO NOT KNOW IF THIS IS ACCURATE. THIS IS JUST WHAT I HEARD.


    1. svanheulen’s avatar

      “Indeed members from Anonymous were involved”

      You say that like Anonymous is a clearly defined group of people. Anyone can say they’re part of Anonymous, that’s the point.


      1. 10$man’s avatar

        Anonymous IS a group of people, I KNOW the members cannot be defined.
        I said nothing that says it is a defined group of people.


  12. Inside Job’s avatar

    It’s probably an inside job / Sony’s drama to win the favor of the people about Geohotz….

    Or to make people hate CFW’s….

    Good work though Sony on the gadgets but not the network….


  13. Anonymous’s avatar

    Anonymous is not involved in any manner.


    1. svanheulen’s avatar

      The hackers aren’t giving out their names are they? Do you know the definition of anonymous? Like I said, that’s the beauty of anonymous, anyone can be anonymous and no one is in charge so you can’t say who is or isn’t anonymous.


  14. jake’s avatar

    As much as I wanna be mad at Sony, I’m not. I mean, imagine how bad this would be if you were the leader of Sony and he built walls to protect the people and crops in their village and some archer breached their walls and overnight the archer burned all their crops with fire arrows and now everybody is mad at their king and not the archer who fucked shit up. I say fuck the archer and let the king fix the walls to be more powerful than before with his own archers on the roof and throw the archer in jail.


  15. Jim’s avatar

    Well, I’m not so sure it’s a result of an Anonymous attack towards Sony as they have compromised PSN users’ accounts and not Sony themselves. Anonymous stated they didn’t want to disrupt PSN services as this affects users more than Sony. But then again, who knows!? Whoever has attacked Sony I am certain it was immigrants, they are to blame for everything these days.


  16. Shinny’s avatar

    i dont care about psn cuz i dont have one… and yeah ill never blame hackers they give freedom to the console


  17. Cloudhunter’s avatar

    Wow, some people really believe that Sony would fake 70 million users information being stolen to cover up that people were downloading games for free?

    Accounts compromised is a way bigger thing than a few users downloading stuff. It would be like saying that they committed murder to cover up a petty crime.


  18. oxenh’s avatar

    this is a total disaster by sony
    they don’t care for the user
    the only thing they care about is how much money they’re gonna lose with this
    i’m more than happy about selling my ps3 and buying with the same money a wii and other stuff XD


  19. dan’s avatar

    sony should have known better
    (i know this is off topic, but can someone please give me a step by step tutorial on how to get cwcheatpops to work on 6.20 pro b-5?, and where do i put the DB for cwcheat/pops? thank you in advance)


  20. Asmith906’s avatar

    Wololo, I didn’t peg you as the kind of guy who defends people who are doing something that is clearly illegal and doesn’t do anything that helps consumers but actually hurts them. While it is bad to defend a company when they screw up, it’s just as bad to defend the criminals that did this because you are anti Sony.


    1. wololo’s avatar

      Uh? Did you actually read the article? Where do I defend the criminals? I said I blame Sony *more* than these hackers, not that I didn’t blame the hackers at all…


    2. Huey’s avatar

      Tsk tsk. See what happens when you skip English class?


  21. cscash241’s avatar

    DID U SAY THE PASSWORDS WERE NOT AT LEAST MD5 HASHED???!!!! and the credit card info wasn’t encrypted???


  22. Norml’s avatar

    Sony’s fault, Consumers get plowed over and over again. It’s a prevalent idea that’s been used widespread throughout companies.


  23. dan’s avatar

    nevermind my last post
    the cwcheatpops part, i got it working
    just not for shadow man :(


  24. dan’s avatar

    (got shadow man working)


  25. Gen. TJ’s avatar

    i read in an article that some that worked for sony is the one that hacked the network and stole the info.
    and that he was fired and will be facing charges times the amount of users info he stole


    1. Gen. TJ’s avatar

      (that some “one” that worked)


  26. jlo138’s avatar

    @wololo, when this is finally solved you can re-do the poll on whether we would buy sony products again. My answer will have changed by then more than likely.


  27. Tesseract’s avatar

    It’s possible and even likely the passwords and cc info are saved in some encrypted format, however if the people who got the info took the encrypted data, Sony would have to consider it potentially compromised as there is always the possibility however remote that someone could decrypt it. (of course even if the encryption were somehow completely unbreakable that still wouldn’t excuse their other security lapses nor their long delay in alerting customers.)


  28. yeahbitches’s avatar

    as long as the network is back on i am totally fine man
    and didn’t you read the guy might have been working at sony so do you think he realized that when he hacked the network


  29. Dongtian86’s avatar

    One would think this is Sony’s mess they had the warnings and chose to ignore (ddos) attacks then did nothing about upping their security on said sites. Most likely this could have been prevented. To blame anonymous is an excuse for their incompetent choices. The knowledge of the attacks was out there someone used this to his/her advantage.


  30. MaxMouseDLL’s avatar

    Quote:
    I also have no way to be contacted easily in person.

    You sure about that? :p


  31. TobeyDemon’s avatar

    alright, im in the process of getting the kingdom hearts birth by sleep iso for my psp 3001. cuz as every 3000 owner, the disc drive sucks. so im using either umd dumper & umd killer to make my iso. someone send me an email saying if this is legal. i do believe it is if you own the disc which i bought from target for $20.


  32. TobeyDemon’s avatar

    rhoadsbrady@gmail.com is my email. im running 6.60 official & lcfw pro b10 6.60, lcfw me 1.8 6.60, & a lite test 6.60 hen.

