Sony PSN outage–more details, very little good news

Tyler Hardeman April 27, 2011

In the continuing saga of the PlayStation Network (PSN) outage that is now entering its 8th day, Sony has provided more details on exactly what happened, and the news only gets worse. Beyond the information they provided yesterday, an email went out to PSN users today which provided much of the information that I have already posted. What has come out today gives me an idea of exactly how this attack occurred.

First of all, the news that’s good. All credit card information was encrypted, and Sony does believe that no credit card data has been compromised. While you should still monitor your cards closely for the next while, this is good news, and does make me breath a little easier.
Now, the bad news. Based on wording in a Frequently Asked Question (FAQ) page for this issue, it appears that this was an actual physical attack on Sony’s data center. This means that an individual or group of people obtained physical access to the PSN data center and directly connected to a server and was able to download the personal data. According to Sony, the personal information was held in a database that was unencrypted, and that data was obtained by the intruders.

As a result of this attack, Sony is moving the PSN to a new data center in a “new, more secure location.” I believe that is why the restoration of service is taking so long. Moving a data center which accommodates over 70 million users is no small task, and will of course take some time. There is a sheer scale here that both helps and hinders. I’m sure that Sony is very efficient at adding capacity to the PSN by adding new servers to a cluster in a datacenter. But building a cluster from scratch, and then adding more capacity, is not an easy task. I’m also willing to bet that all personal information will be encrypted from this point forward as well, and it is likely that software engineers not only have to write the software to make that happen, they also have to write software that will let the PSN access that encrypted data, something they likely hadn’t planned for when designing the PSN. I actually feel bad for every employee of Sony who works on the software and hardware for the PSN. I have little doubt that this has probably been the worst week of their lives. The work they are doing to restore the service is enormous, and they will likely never get credit for what will be an amazing feat.

The last bit of news is one that is good for everyone. When the PSN comes back online, there will be be a software update (I assume for both the PS3 and the PSP), that will require users to change the PSN account passwords, since those have been compromised. I will theorize that the update will also include any new encryption pieces that are likely being build into the PSN right now.

I’ve thought about this for a bit, and I’m kind of torn on what to say. When someone gets physical access to a server, it is significantly easier to hack into that server and gather information. This does make me feel better about the robustness of the PSN itself, since the attack came from within. However, the fact that someone was able to get into what should be a secure area is unacceptable, but physical attacks can happen. This is akin to a bank robbery or a theft from a museum. We are appalled at how such a thing can be allowed to happen, and why there wasn’t more security, but the simple fact is that they do happen from time to time.

Because of the type of attack, I honestly don’t know where to start with how my personal information was obtained. It is easy to say that all of that personal information should have been encrypted on the servers, and that it should have been impossible to access, but in reality, I don’t know of too many companies that actually encrypt all data on their servers. To put it simply, encrypting everything is a significant amount of work, and does make recovering from issues more difficult. Data should be safe in a physically secure environment, and sometimes we depend on that to keep that data safe. I will grant that not many networks have data on the scale of Sony, but I also wonder if someone broke into a Google data center; how much personal information could be obtained there? That’s a question I hope we never find an answer to, but it is a valid question.

At the end of the day, the result of the attack is the same. Personal information of tens of millions of people, including myself, has been compromised. Everyone who is on the PSN is more vulnerable to identity theft, phishing attacks, and password attacks than they were two weeks ago. This is fact, and nothing I have said today changes that. I’m not trying to downplay the severity of this breach, because it is bad, among the worst I have ever heard of in the industry That being said, I find it a bit easier to, and this may not be a good word for this, sympathize with Sony on the method of attack; one which is arguably the most difficult to predict and defend against. I’m willing to bet that 90% of workplaces would be in a similar, albeit smaller scale, situation if the same thing happened to them. Would mine? I hope to never find out.

[Read] – Sony PlayStation Blog

[Read] - Joystiq

Sony PlayStation Network has been hacked–you are at risk

Tyler Hardeman April 26, 2011

On April 20^th, the PlayStation Network (PSN) went offline for “maintenance.” Here we are, on April 26^th as I write this, and it is still down. A lot has happened in the last two days regarding information as to what has happened, and the answers we are getting are, to be frank, frightening. To put it bluntly, if you own a PlayStation 3 (PS3) or a PlayStation Portable (PSP), and have created a PSN account to use online features, buy games online, etc, a good majority if your personal information has been compromised. The list of what has been compromised is below:

· Name

· Address

· Billing Address

· Country

· Birthdate

· Email address

· PSN login name and password

· Password security answers

· Purchase history

None of that is good, but the two bolded items are especially scary. I will get to that in a bit.

Sony has stated that this information was obtained during an “illegal and unauthorized intrusion into our network” that occurred between April 17^th and 19^th. Sony also states that while there is no evidence any Credit Card numbers or information has been compromised, they cannot rule out that possibility.

I’m not usually one to blow on a trumpet and say “this is scary” for a hack into a corporate network, it happens a lot more often than people realize. But this particular attack is frightening, for several reasons.

The first is that the attackers were able to obtain the actual user passwords. Anyone who has any knowledge of computer security whatsoever knows that one of the most basic principles of security is that passwords are stored in what is called a hash, which is a type of storage which is useless to anyone looking at it. A password would be stored as a series of random letters and numbers which cannot be reverse engineered to what the actual password is, as each hash is unique. To put it simply, if Sony had put the passwords in any secure matter whatsoever there would be no chance at all that they could have been compromised.

If you are a person who uses the same password for every account, this means that you should, right now, go and change your password for every other online service you use. I’m not kidding here. I’ll even wait for you to do it before I continue this post…….

Ok, now that that’s done, the second item, which could actually be worse, is that password security answers have been compromised. Those are the answers to the questions that you have to answer when you forget your password, the questions like “what is your mother’s maiden name?” or “what was your first pet’s name.” Having the answers to these questions doesn’t’ affect your PSN account, since they have your password anyway, but this means that even if you change it they have the answers to the questions that would let them change it again. And again, if you have used the same questions and answers to any other service, the potential exists for the attackers to compromise your passwords on other accounts, and again, even if you change the passwords, they can use these answers to get the new password.

Changing your security questions is likely harder than changing your password, but in the case of this breach, it is as important, if not more important than, changing those as well.

Again, Sony does say that there is no evidence that actual Credit Card numbers have been compromised, but that possibility does exist. I wouldn’t say you need to cancel your credit card associated with your PSN account right now, I’m not, but I will be watching it like a hawk for the foreseeable future.

Where does that leave us? Well this is a pretty significant breach, and one of those events that really should make everyone take a step back and think about their online presence, and how they protect themselves. The attackers in this case have more than enough information to steal a person’s identity, and potentially the ability to compromise every online account you have, possibly even an online bank account login. There’s really no way to sugar coat that, they have the info, it’s possible.

Now, honestly, the part I’m least worried about here is the possibility of identity theft. That may seem odd, but to be totally honest, if someone really wanted to get the information needed to steal my identity, it’s probably all on the internet anyway. Sure, this packages it up nicely for the attackers, but I’m 100% sure that I have, at least once, posted every bit of information needed. Does that scare me? When I write it out like I just did and really realize it, it kind of does. Do I worry? A bit, but not as much as I thought I would. It’s no different than if I, say, lost my wallet, or if someone intercepted my mail. If someone really wants to steal my identity, they’re going to do it, regardless of any safeguards I take.

What really worries me is the fact that Sony was apparently so careless with user passwords. I am simply at a loss for words as to how this attack could have compromised actual user passwords. At my workplace, I have administrative access to every computer, server, and bit of information in the entire company. But there is physically no way for me to tell what someone’s actual password is. Sure, I can create a new password for someone when they forget theirs, but there is physically no way for me to find out what their current password is. The fact that the PSN is apparently not set up in the same matter is one of the most careless security practices I have ever heard of.

I have personally changed my password on every service I remember I’ve signed up for that may use that password. A few services, like my banking website and my primary email address, use completely different passwords that cannot be obtained through any part of this attack, should be safe, but I’m still a bit worried about them. But what about “random online service” that I signed up for 2 years ago that I absolutely cannot remember? If it used the same password that was on my PSN account, that account is compromised, and it’s possible that I could have personal information on those accounts that may be able to compromise me further. This attack has made me realize that I need to write down every online service I’m signed up for, not the passwords, maybe not even the usernames, but just the service so I know where I have accounts that have the potential to be compromised, because I am at risk here, and the fault is Sony’s.

As I’ve said above, I’m not usually one to panic when I hear about a company getting attacked and some information getting compromised, because most of that information is likely somewhere to be stolen anyway. But the severity of this attack is alarming, and has eroded almost all of the trust I had in Sony has a company. Am I going to throw my PS3 out? No. but I’m going to think long and hard about ever giving my Credit Card information to that company ever again. Sony had my trust, and they have now lost it. I’m not sure if they will ever be able to get it back.

Below are links to the articles I used in my post, including the official statement from Sony on the PlayStation Blog

[read] – Sony

[read] – This is my next…

[read] – Engadget

New Camera!

Tyler Hardeman July 17, 2010

Up until a few months ago I used, and was very happy with, a Canon Powershot SD870IS camera. I carried it with me pretty much everywhere, and used it quite a bit. Then one day, I pulled it out of my pocket, turned it on, and my LCD was cracked. I was presented with a small circular “hole” in the screen, right in the top center. The camera still works fine, however the crack in the screen is growing, and with no viewfinder having part of the LCD being broken really means that the camera becomes harder to use, eventually becoming impossible. I knew I’d need a replacement eventually.
As I slowly started to stop using the 870 I have been using my Palm Pre more and more for taking pictures. the 3 Megapixel camera in the Pre takes good pictures for the most part, and I have found that I didn’t really miss carrying my 870 with me all the time anymore. I knew I would eventually need a new camera, especially for when I am on holidays this year, but I waited until I absolutely needed it before buying, so I would know what kind of camera I would want, and waiting for new models to come out.
As much as I would love an SLR camera, they are very expensive, and quite frankly, I probably wouldn’t use it as much as I should because of the size. There would be no point to me owning an SLR camera if I’d never take it with me anywhere. So an SLR was out. I had a few features I really wanted in a smaller camera. They were

longer zoom, at least 8x
720p video mode
good low light images (for the type of camera)
some kind of manual controls
Good image stabilization

There were several cameras that met at least those requirements, the last two that I was looking at were the Sony Cybershot DSC-HX5V and the Canon Powershot SX210IS. I won’t break down all the features, but there are a few differences between them. The Canon camera has a longer zoom (14 over 10), more megapixels (again, 14 instead of 10), overall better camera controls, and a slightly better flash than the Sony camera. Where Sony’s camera excels is in it’s manual options, slightly better low light pictures, better video options (capable fo 1080i video, and more options for taking videos) as well as featuring a Compass and GPS for geotagging photos. The rest of the features were similar.
After trying out the cameras, and reading several reviews, I picked the Sony Cybershot over the Canon camera. There were a few reasons why, some of them more important than others. The Sony camera has been regarded as generally having better image quality, especially in lower light conditions. Sony pulls this off because their lens is a little shorter thanks to the smaller zoom and the sensor has a backlight that illuminates when the camera is in a low light situation to improve on the amount of light it can collect. Having fewer megapixels also helps a great deal, as fewer megapixles on the same size sensor means that each pixel will be larger. Because of that, each pixel can collect more detail. I’m very happy that Sony decided that the mexapixel arms race is not as important to them anymore, and kept it to a reasonable 10.2 megapixels in an effort to increase image quality, and it worked.
The better video modes on the Sony camera also really tipped the scales. the Sony Camera is capable of shooting 1080i AVCHD video, with full control of the zoom lens and the ability to focus while a video is shooting. I will likely be shooting in the camera’s 720p H.264 mode, because the file sizes are considerably smaller (60 seconds of recorded 1080i AVCHD video from the camera came out to a whopping 167MB), and H.264 is a format that is easier to manipulate and compatible with more software. Having a point and shoot with HD video, with full zoom and focus control, means that I can put my Flip Mino HD away, and can carry one camera to take images and video.
Having a GPS and compass was a nice little add on that I believe I will really appreciate over time. With that feature I can tag exactly where in the world I was when I took a picture, as well as what direction I was pointing when I took it. That info is built right into the EXIF data in the picture, so it will always be there. I’m looking forward to going into software like iPhoto in a few months and looking at all the different locations I’ve taken pictures, especially when I’m on holidays or on the road for work. My Palm Pre has geotagging on pictures thanks to it’s GPS, and while it doesn’t work 100% of the time thanks to a weak GPS in the phone, I really like looking at the map of the pictures I have taken, even around the city.
The last thing to say about this camera is that I didn’t buy it to take with me everywhere. It is very solid and sturdy and could stand up to that no problem, and when I’m going somewhere and carrying a bag of some sort with me, I’ll probably toss it into the bag. But when I’m just heading out, my Palm Pre does the job just fine. My hope is that the DSC HX5V will be the last “pocket camera” I ever buy, and that by the time I’m looking for a new phone again, the quality of the cameras in them will be almost as good, or nearly as good, as the point and shoots we get now. The iPhone 4 comes very close to this, and I look forward to others catching up. Maybe when that happens I can look at getting an SLR, but until then the Sony Cybershot DSC-HX5V will be my camera of choice, and it does the job well.
I will be taking a ton of pictures with the HX5V on an upcoming trip. Some of them will end up on Flickr while I’m on the trip (though I will mostly be uploading pictures taken with my Pre direct). After I’m back there will be a proper set on Flickr with the pictures taken with the camera.

thewunderbar