If they want to do that they need to change up their algorithms and...

go for the smallest possible feature size on the silicon. Adding some 'junk DNA' to the mix would be smart too.

Exactly, the law only comes into play when...

the knowledge gained is used, and that depends on how it is used and what it is used for.

They're only going top have redidential power two days out of seven and...

the whole country will have rolling blackouts to compensate for the lack of electricity generated by wind/Solar/pixy dust renewable sources.

Please review the available evidence before opening your mouth.

The fuel rod casings reached high enough temperatures to become flexible and fail - they melted. the Fuel pellets on the other hand did not melt (as far as anyone knows). The evidence that the fuel itself did not melt is actually pretty solid because there has been no measurable release of fuel from any of the reactors, only fission products.

Hold on. The actual fuel did not melt, it was the metal cladding>>>

...the metal cladding on the fuel rods was melted, or heated beyond tolerance and ceased to hold it's shape. Either way, the fuel pellets were released from the fuel rods, but the actual fuel did *not* melt. that's why you have seen no release of fuel material to the environment.

No, it's not Sony, It's Lockheed "Skunk works" Martin...

I can't help wondering why some want to hold Sony to a higher degree of scrutiny than a leading defense contractor. I note that even the article takes a conciliatory tone over the attack.

Good grief, this is a major defense contractor that works on highly classified projects, and yet their network was penetrated and will be down for a period of at least two weeks for remote access users all of whom now have to get new tokens. Should we not expect that if anyone can secure a network against attack it would be a leading defense contractor that is a clear target for foreign sponsored cyber attacks?

Sony treats it's customers as friends

I've been a customer of theirs for decades and so far, I've yet to feel that they do not value my loyalty, in fact I would say that in my experience they do treat their *paying* customers are friends.

Jack - people who disagree with you are not shills...

That kind of paranoid thinking has got fail written all over it. Whether Hotz firmware allowed piracy or not, the keys were released by him along with what amounted to an How To guide. You'll note, if you re-read my post I did not mention the firmware he produced, although I would definitely challenge it's legality on the basis that I don't for a nano-second believe that Hotz penned all 100% of the code he posts as firmware, and in fact he's either modifying Sony's code and/or incorporating their code in his 'custom' firmware.

Jack, if you have a PS3 and have ever played online, or started PSN, you have agreed to many terms, including the license for the firmware. The very nature of your own arguments strongly suggests that you are more than aware of the terms of the license. As to your line about your PROPERTY, you're a damned fool if you believe that. Software is licensed, hardware is sold. You do not own the software.

Zongo, Sony doesn't give a darn what you do to the hardware, as soon as you physically modify the hardware beyond the scope of permitted upgrades they consider the warranty nullified and don't care about your **hardware**. The system software running on that hardware is not part of the hardware, it is stored on the hardware but it is a separate element, and Sony does very much care what you do with that. That's why it's encumbered with license terms.

I honestly can't see what is so hard with the concept that you buy the hardware and license the software. If you break the software license, be aware of the terms is provides in the case of one or other side breaking the license.

Whatever Jack, whatever...

I've been following PS3 and the attempts to hack it since before GeoHot drilled his first hole in a motherboard. I know what happened and when. Facts are facts, and they do not line up with your passionately held opinions. Remember though, no matter how dear you hold your opinion, a single fact can make your opinion irrelevant.

Sony needs to re-think? Are you kidding me?

You know, if you actually go back through the history of Sony, the PS3 and all of this bullcrap that's been going on and look objectively at Sony, the various hackers and others, as well as the Media reactions, it's actually very hard to see where Sony has treated anyone particularly badly.

Sony sued GeoHot et al after the metldr key was published along with information on how to use it to circumvent all copy protection on the PS3. They obtained court orders against one German hacker who was engaged in similar works of publishing protected information about the PS3's security mechanisms. All of these actions were taken in the realm of the legal system in the relevant countries. Sony's attorneys asked for some information pertaining to the locations of people that viewed the information published by GeoHot for the very limited legal purpose of establishing the jurisdiction for the court case n California against GeoHot. That was horribly mis-reported by the world plus dog as if Sony Corporation was seeking personal information on millions of people. That was never the case, nor could it have been. the court did not order that, and the information that was ordered could only go to Sony's attorneys, not Sony. Had Sony obtained additional information and mis-used it as so many alleged they wanted to, Sony would have been near instantly indicted at a high level by government prosecutors. It's ludicrous to make the kinds of claims some do about things like those subpoenas to establish jurisdiction.

Regarding the whole OtherOS, Sony was in the end vindicated in their removal of OtherOS in response to GeoHots original hacking of the hypervisor - yes children, Sony reacted to defend their platform against hacking. the hacking predated the removal of OtherOS, not that anyone bothers to mention that little factoid anywhere. It would not be necessary for anyone to 'restore' otherOS had the little moron GeoHot not indulged in his little egofest of publicly proclaiming he had 'pwned' the PS3. Oh, but, I guess we should forget that it's HIS own fricking fault that OtherOS was removed, otherwise we can't cast the little guttersnipe as a freedom fighter trying to restore what the greedy corporation took.

Oh, I guess we should also point out that for those so married to their OtherOS that they'd rather break the law, cost companies millions of dollars and adversely affect millions of consumers than give it up, you didn't have to give up OtherOS. If you were so bloody keen on it, you simply didn't need to install the firmware upgrade that disabled it. Yeah, I know you would lose access to PSN then, well, so what? PSN is a free service and you have to meet it's requirements to use it. But is that minor inconvenience really a justification for all that has happened? Really? I mean, really? You couldn't just have put up with a minor inconvenience rather than have all that has occurred since?

Oh, and while we're at it, since GeoHot was the reason for OtherOS getting the boot, why are you blaming Sony again since it was not them that attacked the system?

Actually, when you look at it all, Sony has not been the one mistreating anyone. But I know I'll get downvoted for saying so. The media, the hackers, the anonymous, the freetard gamer population who bear no consequences for their words, these people have been treating Sony like public enemy number one. Hell, I've seen more vitriol aimed at Sony than Osama Bin Laden. That's plain stupid, but it's truly the case.

As for dictatorial actions, did you read GeoHot's terms for settlement with Sony when their action first started in court? That was dictatorial. The ultimate settlement that had GeoHot all but grovel in apology is a far cry from his demands earlier. That should tell you something about the merits of his case. Perhaps that should tell you something about the merits of this entire thing.

Ah well, I know none of this will change your mind, but perhaps someone reading it might take a moment or two to stop and actually think...

They sued not after people tried to restore Linux to old PS3...

The sued after some a$$hat called GeoHot decided to publish the Metldr key that was not required to restore OtherOS, but which effectively allowed hackers to ignore any semblence of copy protection on games - resulting in the ability to load pirated copies of games on custom firmware systems. Get your facts straight at least.

Sorry what? Rootkitting everyone's PCs?

Are you still blathering on about the BMG CD rootkit fiasco of more than 6 years ago as if it was current and universal? Holy crap, can we apply just a modeerate amount of perspective and stop talking like there is a current issue - which there is not? Well, not unless you count the millions of malware attacks a day that attempt to root kit your PC that have nothing to do with Sony.

Funnily enough, I thought that taking legal action to protect legally protected information and systems was...well...legal. Seems to me, that you have a chip on your shoulder about something and have elected to blame Sony for it regardless of cause.

Oh, so every instance of web page defacing means....

...means that root access to OS and Database services was attained? Oh really? Where' did you get that computer science degree son, the box of cereal you opened this morning?

That's just a ridiculous thing to say. Website defacing has been going on since the web started and does not require or imply root level access, or much elevated access at all.

You are not ignoring the law, you are electing to accept the consequence.

If I break a law, I am aware of that, and prepared to accept the consequence. that is the gist of what you are saying.

Well, OK then. That's nice. However the hacktivists here, and the hackers cracking the PS3 do not accept the consequence of their illegal acts. In fact they believe that they have done nothing wrong because they believe that the laws are wrong, and therefore do not apply.

Even if you decide to break a law, knowing what it is and what the consequences are, you are still paying attention to it, you are still respecting it because you are aware your actions carry consequences. If you were simply ignoring the law, you would not accept that there are consequences, and would do as many in this hacktivist scene have.

As for your example about marijuana, governments have been considering legalization for decades now, and not one has done it, nor are they likely to.

The law is that which separates civilization from anarchy.

@Jack

Utter bollocks? Yes, keep telling yourself that, one day you'll grow up and realize you buy the hardware to run the software. The software is a separate product, and even if you're allowed to use it for free, that comes under certain terms and conditions that restrict what you can, and cannot do with it.. Firmware is software that you are allowed to use for free, it is, for your convenience, installed on the PS3 you buy, but it is still considered a separate thing and governed by it's own license and terms.

Openly criminal eh?

Care to explain, or are you too full of piss and vinegar about BMG's rootkit fiasco of 6 years ago?

Same Sony that made Trinitron, Playstation and Walkman...yes?

Sony didn't place a rootkit on CDs, BMG did, yes they are owned by Sony. However, Sony, and SCE in particular had nothing to do with that at all. Not to mention the fact that they admitted the wrongdoing and had to make good. Never mind that the music CD fiasco affected a relatively small number of people in fact, let's all just trot it out as an excuse to hate years later shall we?

I don't even know how to begin to address the rest of your post since Sony as a Japanese company has little or nothing to do with politically motivated US Supreme court decisions relating to the insane topic of granting corporations rights as individuals. Personally, I think you are letting your own irrational hatred cloud your judgement with respect to Sony. Though I suspect that we agree on the utter folly of granting corporations individual rights in the US.

No to mention...

four separate security groups (that we know of) working with Sony's own in-house team.

What I find interesting is that URL exploit that was found on the password reset page last week. that looked to me like a day 1 kind of flaw, and yet it was not found until now. The odds are it was never even exploited in anger. But it has taken an unprecedented degree of scrutiny on their network security to find these things. I wonder how many other companies with big networks are aware of how insecure they really are?

Oh really?

Since anonymous has virtually no control of it's 'membership' it's impossible to know whether there is a large number of criminals who operate under the guise of Anonymous. I rather suspect that there are, after all, if some naive group of script kiddies is going to do as they do, why not take advantage of such a perfect smoke screen.

Hacktivism

My problem with this kind of Hacktivism is two-fold.

First is the pompous crap emanating from the hacking community and Anonymous. I mean, seriously, do they honestly believe the stuff they say? Secondly, there is a really simple problem with all of this. the law. The law exists to protect society, and provide a structure by which wrong doing is punished. You can't simply decide which laws you will respect and which you will ignore. Either you have law or you do not.. If we're supposed to accept that it's OK for hackers to ignore intellectual property laws or computer mis-use laws or privacy laws because they are inconvenient or because there is some higher purpose, then does that mean we accept that anyone can decide which laws they will pay attention to because in their mind it's convenient or has a higher purpose?

That's completely ridiculous as most people accept. As soon as you start allowing people to ignore laws they dislike you set a horrible precedent that can open up the possibility of people ignoring all kinds of laws. Does the world really need to give criminals that kind of a break?

The law is the law. Law varies from country to country, but in general most western nations have similar legal systems and laws governing intellectual property and computer mis-use. If you break the law, you pay the price, even if you claim your some kind of virtual freedom fighter trying to restore OtherOS.

Jack, at least research things before casticgating Sony.

The subpoenas from Sony's Attorneys were for sufficient information to establish jurisdiction in the Californian court. The data did not, nor would it ever, go to Sony. Sony is not trying to silence people who talk about the Ps3, or people who modify their hardware. You can turn your Ps3 into a Foreman grill if you like, they don't care. If you start discussing protected information such as encryption methods, or keys or how to circumvent those things, they care. If you put that discussion on the Internet, they care, of you modify your Ps3 with custom firmware that allows the breaking of game copy protection or PSN security - they care.

Sony sued GeoHot in the US civil court. GeoHot was never in any danger of jail time (try telling that to the usual hot heads that bleat about Sony trying to put him away for good). Sony did not in any way act illegally, they use the civil law in the US just like everyone else can.

Oh, and by the way, regarding the user license agreement that people are so fond of virtually shredding; when you buy hardware, you buy only the hardware, nothing else. The firmware that comes installed on the hardware is *not* yours, it is not part of the hardware and is not part of the purchase price. the firmware is software that you use subject to license terms. that is how Sonftware is sold and distributed. All that free open source software is governed by the GPL, if you break the GPL, you will end up in court, it happens every day. Just because Sony is a large corporation and has their own specific license terms for their software does not alter the fact that the software is licensed to you under the terms of the license. just as access to PSN is granted under certain terms of service. Neither the software license nor the terms of service for PSN are invalidated because someone labels them an EULA and unenforceable. Software licenses have to be enforceable otherwise software will simply not continue to be be a profitable business. Terms of service on networks have to be enforceable to prevent rogue devices on proprietary networks and to prevent unauthorized access. It's their network, if they don't want modded PS3s on it, that's their right. the fact that you have modded your PS3 does not put Sony in the wrong when they perma ban your console and PSN ID.

Last, all the glee at Sony's discomfort comes not at the expense of some disembodied evil corporate entity. It comes at the expense of ordinary working people working for Sony in whatever capacity who no longer have a job thanks to the economic impacts of hacking or piracy. Yeah, that's right, people do lose their jobs when companies lose profits thanks to criminals. So all that 'dancing for joy' crap that people indulge in over the heroic hackers attacking the evil Sony, comes at the expense of ordinary people who have in no way done anyone any harm.

I guess it's easier to think of Sony as a disembodied Sith Lord though since looking at it in a realistic way means you have to recognize that real people can get hurt.

Re Graf. Sony did no door kicking, it was the German police with a German court order

Whatever Graf did, in Germany Sony has sufficient strength of case against him to gain two court orders that involved the police seizing items from Graf. Not Sony, the German police. Sorry, but whatever your personal opinions of the laws, if you break them, there are consequences. Graf seems to think that because 'hacking the PS3 is his life' he should be exempt from German computer mis-use laws, It doesn't work that way BTW, Graf also published a great deal of information about the PS3 firmware's innards, much of which is useful to those attempting to break the platform's security, pirate games and access PSN in unauthorized ways.

@LuMan

Excellent post. This is all targeted at Sony today, and for whatever reason Sony has garnered a great deal of hatred from a certain fraction of the tech community (hatred that is far in excess of any wrong doing that Sony, or BMG could ever have been accused of). However, Next year, tomorrow, whenever it could easily be someone else. there is a bigger picture that goes far beyond the petty hatred for Sony and the glee at their discomfort.

Sorry, what? Are you kidding me?

Sony and others are supposed to just give up and take no action to protect their products and services in case a bunch of cyber-terrorists decide to go after them? What's next? Protection money?

Suggesting that Sony shouldn't have tried to protect the PS3 after people (including Hotz) publicly posted various keys and information that lead directly or piracy and platform insecurity because the hackers threaten revenge is like telling someone to give in to blackmail. You simply can't do that.

It's ridiculous to expect any company to give in to the implied threats of a bunch of malcontents, anarchists and script kiddies if said company tries to protect it's products. There's no way in hell that's sustainable, and no one should expect it to be. I know lots of commenters here have a hatred for Sony that goes so deep as to be irrational, but I would hope that even they can see that if you take Sony out of this discussion and substitute any leading tech company in instead, you cannot expect them to give in to that kind of blackmail or threat. It's just impossible. You cannot do business in a situation where your ability to do business is governed by the whim of a few entitlement minded hackers and their egotistical friends in dark places.

Actually...

...for out of warranty systems, it's about $150 and you can get a refurb of the same model, or you can get s refurb'd slim for about $20 less.

If you sell someone a gun, you have to verify who they are....

It used to be the case that if you sold someone military grade encryption (DES) you had to do checks into who they were and verify them, and even have them obtain a license from the DoD. Considering that Amazon is selling what amounts to supercomputing for hire, one has to wonder why they are not required by law to more carefully check their clients. The same would be true of any cloud vendor offering cloud computing services. I mean, in this case they're saying that the people who did this used fake information and stolen card numbers. I don't know, but it sure seems like those are things that should have prevented the account from being opened in the first place.

Indeed, looks like security will need a new play....

Time to add to the internet security playbook. If you run any kind of customer facing network, It's time that your firewalls and monitoring systems had rules for Cloud Computing sources. In fact I'd completely block their addresses on the firewalls and filters, set rules in the firewalls, filters and monitoring systems to check incoming packets for anything suggesting the packet claim from a cloud source, and once again block, quarantine and/or isolate such packets.

@CA

Sadly, such facts fall on purposefully deaf ears here, as elsewhere.

Well, try these two on for size...

health.net - 1.9 million customer details including names, addresses, **social security numbers**, and **credit/debit card details** (not disclosed for months after the attack)

Heartland Payments - 130 million Credit/Debit card records (not disclosed for months after the attack)

TJX - 45 million cardholder details including card numbers (was not disclosed for *years*)

The attackers here got names, email/postal address information, dates of birth and password hashes. They did not get the primary card databases, which were encrypted in any case, and in fact the only confirmed information theft of CC data was 900 active card numbers in a 4 year old backup/development database at SOE. Sony came forward within 2 days of the outage, and 4 days later with only the preliminary analysis complete they warned customers. In a very real sense Sony nearly jumped the gun by informing people so quickly. Typically such attacks and data breaches are not reported publicly for months afterwards because of the time taken to analyze the attack and restore/strengthen systems. Yet despite that, Sony got castigated for being *slow* to respond, when they were in fact abnormally *fast* to respond and advise customers. As much as non-technical gamers wish to decry their response, or people pre-disposed to hate on Sony wish to use this as a stick to beat Sony, the reality is that hacks happen and Sony has responded extremely quickly and strongly to the attack, and they have in reality done far more than any organization I can remember to compensate their customers. Attacks happen, and a determined attacker may be able to break into any network - given time. So, it's not just about the precautions you take, it's about how you respond. Were there flaws in Sony's Security? Sure, of course there were. That said, you could challenge any network of similar size and scope to prove itself free from security flaws. So, blame where blame is due, but let's keep this in perspective. If you accept that attacks are going to happen and no security is perfect, then what matter as much or more is how the victim of the hack responds to protect their customers. If you compare Sony's reaction to those of others, there is a contrast, and Sony doesn't look bad at all.

There's a story at Computer world that talks more about this if you want further reference.

You almost have to ask why the tech media jumped on Sony so strongly, when they soft pedal the coverage of other breaches - Last Pass anyone?

Try this article for some perspective...

http://www.computerworld.com/s/article/9216724/Is_Sony_getting_a_bad_rap_on_its_data_breach_

Sadly many networks, perhaps the majority of them, have...

...have some degree of this kind of thing. It's rare to find a network or organization of any significant size that is so disciplined with it's patching that there are no servers with unpatched vulnerabilities on them. And no, before some smart arse says it, Sony is not some kind of exception to that, and they really were not/are not out of the ordinary. right now there are hundreds of CIOs and thousands of network managers and architects praying that no one looks in their general direction because they know damned well that they would be hacked just as deeply as Sony have been if someone noticed them.

It's very much time though, that not just companies like Sony give this kind of thing the intense focus and attention it deserves. No, it's time that Governments, law enforcement and society in general started looking at the fact that in an economy that is dependent on information systems and the Internet to continue doing business, there is a duty of care on companies to ensure their systems are fully patched - yes, but at the same time there is also a desperate need for laws and regulations designed to foster a greater focus on data security and on creating an environment where cyber crimes are more easily detected, prevented, traced and solved. At the moment, a well executed attack may never yield a perpetrator to the authorities, if that situation continues, than the usefulness of this digital economy and our dependence on it presents a danger to our continued economic well-being.

Facts may help you understand

SOE lost a 12,700 record database of CC details that was around 4 years old. Only 900 (approximately) of those card numbers remained active.

Sony and their investigators have to date found no evidence to suggest that the PSN card database was accessed or taken. They have been able to confirm that the personal information such as names, addresses and usernames were accessed and taken. Considering that they are able to determine that the personal information was transferred off their servers by the hackers, the same logging, audit capability and tracing would allow them to see whether the CC data had also been accessed and taken. Obviously, it's essentially impossible to be 100% certain it was not. However in the absence of evidence from the investigation and auditing being done and with card issuers indicating they have seen no indication of fraud as a result of the hack either, it seems that Sony's statement that the card data was not taken holds a decent amount of water. They took so long to find the SOE hack because they were concentrating on PSN and only switched attention to SOE once their primary work had been completed and they were sweeping the rest of Sony's network in preparation to turn portions of PSN back on.

100 million? Not so much...

Of the 77 million PSN accounts, a little under 13 million actually had card information. So, your potential number has dropped rather dramatically with the introduction of a fact or two.

Well both right and wrong...

Janedoe is right in that the information isn't really much more than we give to many other sites online with far less reliable security. It's also true to say that hundreds of millions of people offer up far more information about themselves for free in environments that Facebook that are about as secure as a wet paper bag.

On the other hand, PSN is a closed network, so you do expect that the information remains secure.

In the real world of course, every system is vulnerable to attack in some way or another, it's all about how attractive the target is and how determined the attacker is. In the case of Sony and PSN it appears that a fairly large sense of entitlement and faux righteousness fueled some of the attack, plus PSN represents a fairly juicy target with some 10 million PSN users having card information on their account.

It should also be noted by Mr Anonymous coward that PSN passwords were not stored in plain text, they were hashed - Sony stated this clearly at their big press conference with Kaz Hirai. So, let's please put the stupidity to bed. CC data was encrypted and there's no indication it was stolen. PSN passwords were not stored on PSN, certainly not in plain text, and in fact only the hashes were keep. No word on how robust the hashing/salting was, but if a password hashing algorithm allows a password system to function properly, it's hackable - given enough resources. That is, sadly, one of the fundamental truths of password hashing, it has to be consistently repeatable to work, so it's attackable.

The least excusable element of the entire situation is that known vulnerabilities were allowed to remain on their systems for sufficient time to be exploited in an attack. Of course, that's not particularly unusual in the world today, but it's most definitely not excusable. Network service operators have to take care to patch known vulnerabilities or at least mitigate if there is no patch. It would seem that their internal security procedures need tightening up.

However if there is something I have learned over the last two weeks, it is that there is a crap-load of baseless and irrational hatred for Sony present among a large segment of US/UK techies, gamers and other associated groups. So much so that for two weeks people have wildly claimed that the systems were wide open - they were not. That passwords were stored as plain text - they were not and that cc data was unprotected - it was encrypted, secured and apparently not taken.

Could Sony have done better - sure. But then I could point to about 99 out of 100 organizations with an online presence and say that they could do better without any fear of contradiction.

Sorry, I'm just struggling to see why it is that we should all be so angry or outraged with Sony. Their systems were secure, they employed a variety of measures including firewalls, password hashing and data encryption and other precautions. It's not like they made no effort to protect the systems. None of the wild accusations about plaintext passwords or unencrypted card data are/were true. So, why are people still pushing the outrage and anger button?

Passwords were almost certainly not stored on PSN, only hashes.

PSN exists across many different legal jurisdictions. Just the UK for example with the data protection act has various laws which lay out the duty of care that a company has to protect data held by it. PSN has to accord to all the various laws and guidelines laid out across all the countries it operates in. That means that it is essentially a best case blend of all of the various regulation.

Either way, password hashing is so standard and has been for such a long time that it's completely unthinkable that passwords would not be hashed - at least. It is also noteworthy that with PSN if you forget your password, there is no password recovery option. If the passwords were stored on PSN they would be available for recovery by the use of your security question, but they are not. Instead the standard procedure of answering the security question correctly nets you an email to your registered account with a one time random password that you can use to get back into PSN, but you have to change the password when you log in. That procedure is a strong hint, along with all the other evidence, that passwords are not held by PSN, and that in fact they are hashed.

Now, how strong and salty the hashing is, is anyone's guess. Rainbow tables are easily obtained, and even if Sony really pushed the boat out the very nature of hashing passwords in such a way that they are still useful means that with sufficient time and resource a hacker group could compromise shorter and obvious passwords within a reasonable amount of time.

But the point is that if the password hashes were obtained ( clearly, they were), it's possible for any given user's password to be compromised. Hence the enforced password change when PSN restarts.

It's quite depressing how many tech journalists and site have made total arses of themselves by making lots of wild assumptions and accusations about the security of PSN, the security of CC data, and the security of passwords. Due to the international and national laws that Sony has to obey, and the card processing industry's own guidelines and practices, it's always been the case that there is a near certainty that passwords are not stored on PSN, only the hash values, and that CC data was properly encrypted and held separately from other user information. I mean, good god, even the crappy $150 e-commerce solutions consumers can buy to run their own T-shirt shop online can handle both of those requirements.

I guess it's just so fashionable to attack Sony that many people who know better simply cannot help taking leave of their senses.

Well...

To answer your first question, they didn't say this from the start because they didn't know the full extent at the start. It took several days for the security firm engaged to investigate to do the forensic data analysis and determine the scope of the attack.

To answer some of your other points

1. The original warning stated that there was no evidence of the credit card numbers being obtained, but out of an abundance of caution they suggested some precautionary measures. That's a very prudent step to take in the circumstances. A pity that so many people took it as a sign of the apocalypse instead of a precautionary warning.

3. They don't way what kind of encryption because you don't want to give attackers more information than they already have. Besides which, at this point it is rather moot.

Random twitter post is news?

The twitter twit says that the information includes the card verification number, something that Sony doesn't have, and has never requested from users. So, I'm gonna go out on a limb and suggest that the report you quoted is "full of it".

Read their statement. It took them this long because....

The third party security firm engaged to perform the forensic analysis only informed Sony on Monday afternoon of the extent of the hack and potential data compromise, so Sony informed all the appropriate people inside Sony, emailed PSN users and put out a public statement the very next day. It's not like they were sitting on this information.

But, why do I even bother pointing this out, no one will listen, their minds are already made up.

Apart from wild Internet speculation and BAD journalism, who said it was unprotected?

Seriously, I am getting extremely tired of this constant ignorance.

No one anywhere has stated, indicated, admitted or revealed that passwords and CC detailed were stored in an unencrypted format. Not one single time has anyone said that. Yet I read story after story where the journalist essentially states it as fact, it is not fact.

Passwords are stored as hashes and CC numbers are encrypted. If someone manages to penetrate a online commerce system and gains access to user and CC information, that doesn't mean it was stored in plain text. It means they got the information as it is stored - in hashes and encrypted formats. Yes usernames and such may be in plain text, but the CC details and password are not.

That said, if someone has the capability and sophistication to breech PSN to that degree, it's likely they also have the ability to reverse weak passwords and possibly decrypt the CC details. Either way, It's true to say that the attackers may have had access to the CC information, but that doesn't mean they have it in a decrypted format. Just as it's true to say that if password data was accessed along with user information, it's possible that some passwords could be revealed after some work by the attackers to reverse the weaker passwords. Even with the best encryption and hashing techniques, the very fact that a password can be verified by comparing it to the hashed value means that the hash can be calculated to perform a match, and so it's possible for an attacker to obtain the password using a brute force attack on the password hashes. The same is true for the CC data. Even if it was stored in a strongly encrypted format, the fact that it can be used for transactions means that it has to be possible to decrypt the CC number and other information. Once again, that means it's possible - however unlikely - that an attacker could obtain CC details from the encrypted data with the correct attack and sufficient time.

Since these things *are* possible and it's essentially impossible to 100% guarantee the security of a password or CC number, what Sony have said is perfectly correct. The data has been accessed, and perhaps some or all of it has been copied. But, that does *not* mean that the data has been decrypted and used by anyone at this time, nor does it mean that it will be easy for the attackers to do so.

But come on, with stories like this in The Register and all over the net right now basically claiming that Sony stored these things in an unprotected manner, what will people believe? the truth - as boring and inexact as it is, or the simple accusation that Sony didn't protect the data properly? At this point it wouldn't matter if Sony had used the best available methods for password hashing and cc encryption or not, people will still believe that Sony failed to protect their data.

Of course it's also fashionable in tech circles to hate on Sony and yet another feeding frenzy is in progress right now. So this will fall on deaf ears, as people with some inherent bias take out their personal frustrations in life on Sony.

I prepare to accept the collected downvotes of the Eye of Moron now. After all, I not only used fact, reason and sense, but even suggested Sony is not to blame. Shocking.