IRC chat log of PSN hackers (pastebin.com)
163 points by ssclafani on April 27, 2011 | hide | past | favorite | 39 comments



This is old. Here is the same pastie, but posted on February 16, 2011 http://pastie.org/private/97oth9v5tspkiztwwdmnga

They aren't talking about the PSN Hack that brought down the network this time, they are going back and forth about how PSN stores the user's CC information in plain text on the console and that a shady/grey custom firmware has the potential to skim that information off the hardware and onto a bad guy's server.

The only slightly frightening thing about this is how they allude to the idea that this plain text CC information and the security codes are transmitted in plain text, but that information is false. All transactions between your PS3 console and the PSN network were done over SSL.


I don't think "user2" is claiming that the credit card information was sent in plaintext:

normally you AT LEAST encrypt the security code, even if it's ssl

That seems to refer to encrypting the CC security code before sending it over SSL using public key encryption, which is good practice if you subscribe to defence in depth. But it's nothing I'd get upset about.


Right, it's just how HTML forms work.


They seemed to be concerned about the lack of security they were witnessing, and they also alluded to "this could be bad in the hands of a spammer".

If this log is real, is it truly the conversation of those that took the data?


I'm with you on all points; however, what I find interesting is that these guys talk explicitly about the credit card data being available via the path they took. If these are the same people--or if perhaps it was someone lurking in the channel--the suggestion is that the technique used would have exposed the credit card data of these users--despite Sony claiming that they felt it was unlikely.

I'm not sure there's a lot of "news" to this post; my feeling is that if Sony, "isn't ruling out the possibility" that my credit card information was stolen, I'm working under the assumption that it was. I'd encourage everyone else who was subscribed to PSN to do the same.


They only talk about the unencrypted credit card data available to the console, not to PSN. This chat happened weeks before whoever gained access into PSN's network. Basically the same thing as pointing out the flaws in someone storing their passwords in a plain text file on their desktop. It isn't secure, but you'd have to get access to the single machine before you could get anywhere else.

I agree. This isn't much for "news".

I am, however, curious on the repercussions of the current hack of other services tied to the PSN network, like Netflix, that aren't directly gaming related. Do you think it will make companies give pause to developing dedicated clients for 3rd party services on game consoles that rely on the manufacturer of the console to maintain a network outside of the 3rd parties control?


Right, so what changed in mid-April then to prompt Sony to pull their own plug?

All I can figure is either Sony saw evidence that someone was sniffing their decrypted SSL traffic, or Sony is exaggerating a little (or passive-aggressively erring on the side of it) to bring the heat of financial crimes down on the console/PSN hackers. The latter seems like a reeely expensive and painful way to combat a few console hackers.

I glanced at some PSN domains and noticed that their certs were fairly old and not revoked, and they were being served by some kind of 3rd party DDoS mitigation service. They're likely using some form of SSL offload hardware, which might provide more opportunity for the unencrypted (now plain HTTP) traffic to pass in view of a compromised node.


Looks to me like guys trying to get banned PS3s back on the game network, not steal user info and credit card numbers.

  [user12] know this, sony in realtime, monitors all messages over psn
  [user12] I verified that, it's part of my privacy threats thing I am doing
  [user5] ok too bad I'd like the psn messenger on pc
  [user12] the realtime monitoring is a bit bothersome to me

It seems plausible though that people were using this info to do things which violated Sony's security model and that their security model also didn't effectively separate credit card info from the game data.

For example, there were claims a few weeks ago (Wired or ARS I think) that they were all mixed together in the same SSL stream.


This is fascinating. As a developer, I enjoy reading such logs and stories. I like the thought that if you make something good, popular or interesting, there will be someone that will admire your work, play with it and try to break it.


Could someone please provide a précis?


Here's an abridged version, let me know if you want something shorter:

[user2] I just finished decrypting 100% of all psn functions, you can forget all the history wiper and log remove apps, there's a independent check which transfers all games and their playtime every time you login. You can modify it like the firmware version tho. Also they can detect backups this way

[user4] user2, is that in data sent to

  a0.[CC].np.communication.PlayStation.net

[user2] Sony is the biggest spy ever, lol. All connected devices return values sent to Sony's server. It returns tv, fw version, fw type, console model. Also I found data it collects when I had a USB device attached etc etc. So if they ever sue someone for PSN stuff, they will be sued themselves, as most of the data they collect is just not legal

[user6] user2: do you now know enough to wipe all traces, so that people who never had their consoles on the internet can avoid sending this information now?

[user2] @xxxx: we could modify the data via proxy between the tunnels, like delete all data between the XML tags or something

[user1] the only avoidance is block all

  *.PlayStation.net

[user2] it could be that it's used for online playtime or PSN logged in playtime. For example: [redacted plain text code, includes false credit card number] sent as plaintext

[user1] wow, plaintext :S

[user5] plaintext wow

[user3] I'm never putting in my details like that

[user2] normally you AT LEAST encrypt the security code, even if it's ssl

[user5] I'd hope Sony would do such in a safe manner, psn cards probably plain text to then

[user2] but hey it's Sony -> it's a feature

[user7] from all the actions they’ve taken the past years, we can only deduce that Sony don’t care about their customers

[user2] I know a few guys who worked @ Sony's PSN backend. Just when the ps3 was released we talked bout the first PSN, at this time ALL was HTTP and unencrypted. So you could see user/pass etc plain. I asked them, why is it that way. Lame answer was “we thought it was addressed.” – lol

[user8] that fits nicely into the “#define rand() 4” mentality.

[user2] another funny function I found is regarding PSN downloads, its when a pkg game is requested from the store, in the URL itself you can define if you get the game free or not. Requires some modification in hashes and so on though. It's like drm:off

[user1] :facepalm:

[user2] still wondering when the big ban wave arrives

[user1] if they ban everyone, even using backups legally in their country (but in their opinion a TOS violation), it will be a huge tsunami, not a wave

[user4] an open PSN would be nice, even if it was just a player matching service

[user2] ya, a PSN host by the community

[user3] that actually could be perhaps possible, if you can get auth working

[user12] you can try to analyze the protocol and say “if X then Y” type responses; the problems come up when you get something you haven't seen before. But for stuff like that the ticket has to exist on the PSN side of things, because if I send my ticket to a vendor server they will validate it against PSN, and if it's not there it will fail. Know this: Sony, in realtime, monitors all messages over PSN. I verified that; it's part of my privacy threats thing I am doing. They appear to have at the very least keywords they look for, not sure just how invasive the whole thing is, but …

[user4] the censor word-list is ridiculous

[user12] the censor words in Home are on your system; it downloads a dict list of words. An empty file resolves that

[user2] There actually is an easy way to get userlists. It would fuck PSN pretty hard if some skiddy releases a spam app. The highscore and matchmaking lobbies you can request per game id and get user mails for PSN. Huge list + spam app == sux. And we all know what happens if cool homebrew arrives, remember open remote play? Sony just releases an official tool lol. The PSN has 45 environments all working independently; we could just change to another environment. And they also need to keep an eye on the official developers, who use environments too, and the QA, which needs to work with older firmware sometimes, so they can't update all environments and block all

[user4] luckily they use

  CN=*.*.np.community.PlayStation.net

which saves a bit of hassle. Just calling openssl from your app, user12?

[user12] openssl libs, not the app itself. And I do it for ALL ssl connections in realtime, so even if you use the web browser it will generate certs for that too. It is similar in function to “sslsniff” but mine works with the ps3 and logs correctly

[user2] btw you know the login url for auth is like:

  &serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID

[user14] please do not connect to an external DNS IP with your ps3. Your passwords and email and other data are revealed on the external side. Spam people can use this info for spamming

[user12] if it's just the firmware check then no, because there is nothing private sent in that http (cleartext) request. So it depends on what hosts they are looking at

[user2] for a test POST i worked with 1 only and always worked. Probably many to identify the service

[user12] the ticket is sent to say a game, Netflix, etc. anything that uses PSN. That way you do not send credentials to anyone but Sony

[user2] if it's like you say then this is another vuln, lol, as I tested: if the first ticket always works you could hijack a session. The ticket and session I used didn't time out, and if it always creates a new ticket as you say there would be many sessions

[user12] I also know that the server that does the x-i-5 tickets is a bit tighter about the ciphers than any other system in sonyland. If Sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and it's the auth server.

  auth.np.ac.PlayStation.net

[user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from PSN using a Visa card

[user12] they are running linux 2.6.9-2.6.24 on that box too. That too is old. My guess is that it really is undermaintained: “it works, why change anything”.

[user12] Sony really should update that stuff to something more current

[user2] but imagine, psn == 45 environments, and for example, every env has 50 subdomains to external machines. It's rly rly huge. Who wants to do this xD ppl r lazy wont change

http://www.psx-sense.nl/46022/chatlog-hackers-credit-card-ge...
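The ticket flow user12 describes above (a game or a service like Netflix receives a ticket instead of the user's credentials and validates it against the issuer) and user2's observation that the ticket and session never timed out are the two halves of one delegated-authentication design. What follows is an added example, not Sony's protocol and not code from the page: a generic HMAC-signed ticket that carries an audience, an expiry and a one-time id, together with the validation a relying service would run. The key, user ids and service names are constructed placeholders, and the JSON-plus-HMAC encoding is one chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key between the ticket issuer and relying services (placeholder, not real).
ISSUER_KEY = b"constructed-example-issuer-key"


def issue_ticket(user_id, service_id, ttl_seconds, now=None, key=ISSUER_KEY):
    """Issue a ticket bound to one service (audience) that expires after ttl_seconds.

    The issuer is the only party that ever saw the user's credentials; the relying
    service only ever sees this ticket.
    """
    now = time.time() if now is None else now
    body = {
        "uid": user_id,
        "svc": service_id,             # audience: which service may accept this ticket
        "iat": now,
        "exp": now + ttl_seconds,      # hard expiry, so a captured ticket has a short life
        "jti": secrets.token_hex(8),   # unique id, lets the service refuse replays
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def validate_ticket(ticket, expected_service, now=None, key=ISSUER_KEY, seen=None):
    """Return (user_id, "ok") or (None, reason). `seen` is the service's replay cache."""
    now = time.time() if now is None else now
    try:
        p64, t64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:                 # binascii.Error is a ValueError subclass
        return None, "malformed"
    # Check the MAC before parsing anything, and in constant time.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad signature"
    body = json.loads(payload)
    if body.get("svc") != expected_service:
        return None, "wrong audience"  # a ticket for game X must not log you into service Y
    if now >= body.get("exp", 0):
        return None, "expired"         # the failure mode of a ticket that never times out
    if seen is not None:
        if body["jti"] in seen:
            return None, "replayed"
        seen.add(body["jti"])
    return body["uid"], "ok"


if __name__ == "__main__":
    t = issue_ticket("player-1", "example-video-service", ttl_seconds=300, now=1000.0)
    cache = set()
    print(validate_ticket(t, "example-video-service", now=1100.0, seen=cache))  # accepted
    print(validate_ticket(t, "example-video-service", now=1100.0, seen=cache))  # replayed
    print(validate_ticket(t, "example-video-service", now=1400.0))              # expired
    print(validate_ticket(t, "example-game-lobby", now=1100.0))                 # wrong audience
```

The replay cache only needs to remember ids until their `exp` passes, which is why the expiry matters twice: it bounds both the life of a stolen ticket and the size of the cache a service has to keep.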


well that's just pretentious.


I'm not sure why I'm being downvoted. It bugs me when people intentionally use relatively obscure words to make themselves sound important.

Also, what happened to the edit option?

Edit: apparently I can edit this comment, but not the other one. Can we not edit comments that have negative karma now?


In my experience, most people who use "relatively obscure words" are doing it to provide a precise nuance, not to "sound important". What's the point of accumulating a large vocabulary through years of reading if you eschew certain words as being "pretentious"?


Can you explain how "a summary" would have failed to convey the same level of precision as "a précis" gives?


You can only edit comments written in the last hour or two.


Sorry, wasn't aware that it was unusual, re:

http://news.ycombinator.com/item?id=2493566


Please, there is no reason to use words that most people here don't know. Plenty of people who frequent HN are non-native speakers of English.

To save others the trouble, calpaterson asked for a resume.


I think I would have gone with "summary" personally. Resume is rarely used (in the US anyway) as describing anything but a summary of credentials and work history for the purposes of applying for employment.

Or, given that this is the internet, perhaps a "tl;dr" would be more appropriate.


Jesus, now that we're done with all the pointless bickering about language, could someone provide a Zusammenfassung? I skimmed it, and saw nichts interessantes.


Here are the important claims made in the logs:

* They have "decrypted all PSN functions."

* Sony spies on basically everything PS-related (hardware plugged in, games played, etc.) and uploads it. There are "independent checks" and history wipers, etc. don't work. This may only happen when the device is networked. They can detect backups, piracy, etc.

* It sends CC data, etc. via SSL, but leaves unencrypted logs on the HD that contain that data in the URLs visited. It may not have used SSL at all at launch.

* You can modify a few things when you download something from the PSN store to tell it that you should be getting the game for free.

* Sony monitors all messages sent over PSN, may be searching that for keywords.

* Has a big list of censor words that lives on your HD. Checks this list on receipt of a message, not sending. Easy to bypass now.

* Various worries about people creating spam apps with this data.

* Comments indicating that Sony is running old Apache servers with known vulnerabilities internally.

Watching this, I'm glad I don't have a PS3.
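The bullet about unencrypted logs holding the data from the URLs visited, read together with the login URL quoted in the log (loginid, password and consoleid as query parameters), is the classic problem of secrets in the query string: whatever is in a URL ends up in request logs, proxy logs and history files. As an added example, not code from the page or from Sony, here is a scrubber that redacts sensitive query parameters before a URL is logged, plus a scanner that finds such leaks in existing log lines. The log lines and hostnames are constructed; the first three parameter names come from the log excerpt, the rest are common additions I assumed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that must never reach a log. The first three appear in the
# login URL quoted in the chat log; the rest are common additions (assumption).
SENSITIVE_PARAMS = {"loginid", "password", "consoleid", "pass", "token", "secret", "session"}


def redact_url(url, sensitive=SENSITIVE_PARAMS):
    """Return `url` with the values of sensitive query parameters replaced by REDACTED."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, "REDACTED" if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


URL_RE = re.compile(r"https?://\S+")


def scan_log_for_leaks(lines, sensitive=SENSITIVE_PARAMS):
    """Return [(line_number, [leaked parameter names])] for lines whose URLs carry secrets."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        leaked = []
        for url in URL_RE.findall(line):
            for k, _v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                if k.lower() in sensitive and k not in leaked:
                    leaked.append(k)
        if leaked:
            findings.append((lineno, leaked))
    return findings


def safe_log_line(method, url):
    """Build a request-log line from a URL without copying the secrets into it."""
    return f"{method} {redact_url(url)}"


# Constructed sample lines in the style of a console or proxy request log (not real traffic).
SAMPLE_LOG = [
    "GET https://auth.example.invalid/check?fw=3.55&first=true",
    "POST https://auth.example.invalid/login?serviceid=IV0001-NPXS01001_00"
    "&loginid=alice%40example.invalid&password=hunter2&first=true&consoleid=DEADBEEF",
    "GET https://store.example.invalid/list?session=abc123",
]

if __name__ == "__main__":
    for lineno, params in scan_log_for_leaks(SAMPLE_LOG):
        print(f"line {lineno}: leaked {params}")
    print(safe_log_line("POST", SAMPLE_LOG[1].split(" ", 1)[1]))
```

The scanner is the audit half (what is already on disk), the scrubber is the prevention half (what gets written from now on); the real fix is to move credentials out of the URL into a request body or header, since a redacted log still proves the secret travelled where it should not have.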


Most of the stuff they are talking about requires you to have CFW in order to steal. Hardware information is probably for statistical purposes, and show me at least one service that doesn't log messages, especially ones that are hosted in the cloud. And they didn't talk about Apache at all; as long as they've got this in the EULA that you accepted, it's fine. Best of all, this log has nothing to do with the current situation; it's normal CFW development talk.


Actually, neither précis nor résumé is native English. They are French, and in French they mean "summary".


"Résumé" does mean summary, but "précis" merely means "precise" in day-to-day French. Using it when you mean "summary" is incredibly old fashioned and a bit pompous; most people wouldn't even understand what you mean.


OK, cool.


Um, no. A précis is a summary. Also, we all have Google to look up words we don't know.


Not quite; I believe calpaterson was asking for a summary.

Also, I understand your point, but it isn't terribly difficult to Google "precis" and figure out the definition -- and once you do, you've added a new word to your vocabulary, which is hardly ever a bad thing.


Desigur.


Actually, I think what he was more accurately asking for was a summary--or "Cliff's Notes Version"


"Précis" is a French word, so wouldn't the fact that many people who frequent HN are non-native speakers of English mean that using a French word increases the number of people who understand?

Of course, I would have gone for tl;dr.


Sorry (and I'm sorry that you've been downvoted, that seems a bit unfair). I didn't realise it was such an unusual word. Schools in the UK often ask children to précis some longer piece of work.

I think you might have done it again though; I am very unfamiliar with the use of the word "resume" to be synonymous with summary, especially when not dealing with a human history.


Actually the fault is mine; I assumed you had used a more obscure word to appear smarter, which is one of the last things we need on Hacker News.

As for the alternative it was one of the things Google suggested.


Which isn't much better. "summary" is clearer.


http://pastebin.com/8YNDuFCw

Line 177 fixed for new lines.


[deleted]


Anyone in the channel could have posted it from their own IRC logs - most IRC programs will allow you to log everything you see. That they've censored the nicknames of the people talking before posting gives me the feeling that it was probably one of the people talking in the channel that posted it.


"#define rand() 4"

Pure genius -- fool the hackers by making your "random" number static, they'll never guess! Now that PSN users are actually seeing money siphoned from their debit accounts, it's only a matter of minutes until the class action lawyers are all over this.


From the context, this appears to be a joke (see http://xkcd.com/221/), not a serious accusation.


It's also a reference to when the PS3 was first cracked, which was possible because they weren't really using random numbers to generate keys.

So yes, it is a serious accusation that points out their consistently lax programming techniques when it comes to security.


No.

The problem was that one of the parameters they used in their ECDSA signatures, k, was the same at least once. This allowed the key to be computed with simple math, but the generation of the key itself was not the issue.
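The comment above names the actual flaw: the ECDSA per-signature value k was repeated, which lets anyone holding two signatures from the same key solve for the private key with modular arithmetic, while key generation itself was fine. The following is an added example, not code from the page or from the console, worked on a tiny textbook curve (y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of prime order 19) so every value can be checked by hand; message hashes are passed in already reduced mod the group order instead of being computed with SHA-256. It shows the signature, the recovery that a repeated k allows, a defender's check for repeated r values in a batch of signatures, and a simplified deterministic nonce (hash of key and message, which is the idea behind RFC 6979 without its HMAC-DRBG construction) that removes the failure mode.

```python
import hashlib

# Toy curve y^2 = x^3 + 2x + 2 over F_17 (a textbook example); G = (5, 1) has prime order 19.
P, A = 17, 2
G = (5, 1)
N = 19


def ec_add(p1, p2):
    """Add two points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                          # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def sign(d, h, k):
    """ECDSA signature of hash h (already reduced mod N) under private key d with nonce k."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("unusable nonce, pick another")   # real ECDSA retries here
    return (r, s)


def verify(pub, h, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(sig1, h1, sig2, h2):
    """Two signatures with the same r (same k) under one key give k, and then d."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N      # s1 - s2 = k^-1 (h1 - h2)
    return (s1 * k - h1) * pow(r1, -1, N) % N     # s1 k = h1 + d r1


def find_reused_nonces(signatures):
    """Defender's check: r values that occur more than once across one key's signatures."""
    seen = {}
    for r, _s in signatures:
        seen[r] = seen.get(r, 0) + 1
    return sorted(r for r, count in seen.items() if count > 1)


def deterministic_nonce(d, h, counter=0):
    """Simplified RFC 6979-style nonce derived from (key, hash); never drawn from a weak RNG."""
    digest = hashlib.sha256(f"{d}:{h}:{counter}".encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (N - 1)   # always in [1, N-1]


def sign_deterministic(d, h):
    for counter in range(64):                 # retry only if r or s happens to be 0
        try:
            return sign(d, h, deterministic_nonce(d, h, counter))
        except ValueError:
            continue
    raise RuntimeError("no usable nonce found")


if __name__ == "__main__":
    d = 7
    pub = ec_mul(d, G)
    sig1, sig2 = sign(d, 7, 3), sign(d, 1, 3)   # same k = 3 for two different hashes
    print("reused r:", find_reused_nonces([sig1, sig2]))       # [10]
    print("recovered d:", recover_private_key(sig1, 7, sig2, 1))  # 7
    print("verifies:", verify(pub, 7, sign_deterministic(d, 7)))  # True
```

On this 19-element group two different hashes can still land on the same derived nonce by chance, which is why the toy only illustrates the idea; on a real curve the derived nonces are effectively unique per (key, message), and signing the same message twice simply yields the same signature, which leaks nothing.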



