PSN is still down (as it was this morning when I wrote the exact same words in this post) because hackers broke in and Sony discovered the breach a few weeks ago.
How long ago? This boards.ie thread links to this pastebin log which is apparently an IRC conversation between a few guys discussing the security problems Sony had.
The hostname updptl.de.np.community.playstation.net is mentioned and a week or two ago I fired off a “lynx -head -dump” request to find out what it’s running and it was definitely running an old version of Apache at that time. I tried this morning and the request was forbidden so thankfully Sony are tightening up things.
The forum thread also links here, a post written back in February. Unfortunately that site is down but I found the meat of that post here.
A well known hacker i don’t want to reveal here had all the Sony PlayStation Network functions 100% decrypted as well as providing some nice info about how Sony dealing with PSN members privacy in their online servers.
Apparently, Sony server gathered everything they can from the PSN connected PS3 console. When i said everything, i meant it. Here, i make all the list of what they squeezed from the IRC chat logs conversation between the hackers.
Sony monitors all messages over PSN.
All connected devices return values sent to Sony server returns TV, Firmware version, Firmware type, Console model
They also collects data in your USB attached device.
Credit card sent as plain text, example:
Code:
creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345
The best part of all, the list is stored online and updated when u login PSN and random.
But, that’s not all, with the PSN functions fully decrypted, this hacker can use the function to get all games, DLC, you name it, from PSN store without paying anything.Wow, i am just speechless! We can really sue Sony for monitoring ALL data including our credit card info providing that we are connected to PSN, of course. Man, that is really big fail, as well as the PSN fail oh and the PS3 fail. Everything just FAIL, Sony!
You can read the IRC chat logs at the link below. We censored the names just to be safe.
This IRC log seems to be the source for this ARS article from back then in February. Despite what the report above says, the data was sent over SSL however. The main problem then was for people using custom firmware because the credit card details were stored on the machine too.
As a final note to finish, the replies on this thread on playstation.com are I think unfortunate.
Heh, I am happy that the article has eased any fears that you may of had surrounding your card details.
I would still ‘watch this space’ in case all of this goes horribly wrong and it turns out that we are in danger, but judging from the information and the articles, I think we our security is very much safe. Some sites generally like to jump on the band-wagon too early and cause a racket even if their information has not even been sourced.
Here’s hoping PSN comes back soon.
