PSN outage info - PS3ers - must read!

[Art Blade]

I meant to quote you earlier on this:

Osama shouldn't have written his real address on his PSN account.    :)

which was hilarious  ^+-+ :-X

[spaceboy]

I can't take credit, someone else shared that with me.  I thought it was quite funny though, yeah.

[Art Blade]

It was meant to be read as "thank you for sharing that quote with us, it was hilarious" :)

[mmosu]

anyways, it was Superman III apparently....

They did the same thing in the movie Office Space, except they got caught because one of the programmers misplaced a decimal point in the code, and instead of the intended result, they had siphoned off millions in a couple of days!  When they were going over their plan, someone kept saying it sounded familiar.  Later, the same guy that messed up the program admitted he got the idea from Superman 3  ^+-+

[spaceboy]

lol Art - I should have known you don't miss a thing!

I think I did see Office Space but I don't remember much about it.  Is that the one where the guy pushes over his cubicle wall?

[Art Blade]

:) I didn't quote the whole thing, which would have made it clearer, because I usually only quote the single bit that I want to refer to.

Unlike some quotes I keep seeing that include half the forum even if the reply to that quote is only the post following the one quoted.. as if it was impossible to go back one post to read it in order to see the reference to the following reply. Just saying.. hehe  :-D 8-X

[mandru]

Is this a good time to buy a PS3?   ????

I noticed all day long yesterday one of the major network's subsidiary cable shopping channel was offering a PS3 Move Bundle for $600 but as far as I could tell there was no mention of the PS3 site closure that is the topic of this thread.

It really looked like Sony was making an effort to move a whole lot of product as quickly as possible.   ::)

I was wondering about the procedure required to register and use a new game or for that matter a new PS3.  Do you have to first register online to be able to play it as required by so many of the PC games?

By selling who knows how many multiples of thousands of new PS3 bundles is there going to be a whole new wave of frustrated PS3 owners?

[spaceboy]

It's always a good time to buy a PS3!!  lol

Actually mandru, you're in the US aren't you?  Where are you seeing $600!!  that's nuts.  You can get a 320GB system with the Move bundle for $399 and a lot of places quite often offer $50 gift cards upon purchase.

Since PSN is down still, you should have no problem turning it on and playing.  No need to register.  I did buy a new game recently and it found and downloaded the updates.  But if you never enter your internet info into it it won't even do that.  So no need to register upfront to play.

Eventually once you set up your 'net connection it'll want to do updates (which admittedly are slow).

Seriously though, $600 is not the going price in the US, but perhaps I forget where you live.

EDIT - yep I just saw your location says Utah - so definitely don't pay $600.  You can even get a lower GB model for cheaper - I definitely saw a 160GB model for $299 with a $50 gift card back,  that'll be enough for awhile - and upgrading is easy.  I put in a 500GB drive that cost me $55 last year.  Separate Move bundles can also be seen for deals.

the PSN hacking fiasco will be behind us soon enough and everyone can get back to online gaming.  As for me, I've been enjoying offline gaming so no real problem there.

[mandru]

It was admittedly a sizable bundle including:

# Playstation Move
# PlayStation 3 320 GB system
# DualShock 3 wireless controller
# PlayStation Move motion controller (wireless)
# PlayStation Eye camera
# Sports Champions Blu-ray game
# PlayStation Move game demos disc
# AC power cord, AV cable, USB cable
# Blu-Ray Remote Controller
# Horizontal Slim Console Stand
# Two Silicon Skins for Dual Shock Controllers
# HDMI Cable
# System Messenger Bag
# Archery Bow Attachment for Move
# Sword and Shield Attachments for Move
# Table Tennis Paddle 2 Pack for Move
# Two Silicon Skins for Move
# Two Wrist Straps
# Bocce, Volleyball & Disc Golf Attachments for Move

I was just wondering if Sony was scrambling to turn some quick liquid cash flow for the PS3 corporate division.  It is good to know that they are not pulling something underhanded and that the units can be used without the site connection.

It's funny, after discussing the hacking situation with my wife she's become interested in the ongoing news coverage and reports back to me when she gets home each day the things she's heard on the car radio about it as she's traveling between site locations for her job.   ^+-+

[spaceboy]

better to go a la cart for this stuff.  I wouldn't recommend any attachments for Move or any silicon skins for controllers.  You can get inexpensive HDMI cables too of course.  If it's giving you a 2nd dual shock and a 2nd Move controller that's probably about a $100 value though. 

I'd seen discounts prior to the outage and like this they are store discounts like gift cards back, not official Sony price drops.  These unofficial bundles have nothing to do with Sony really.

[Art Blade]

# Two Silicon Skins for Dual Shock Controllers

any silicon skins

Boys.. I believe you're talking about that soft stuff used for breast implants. If so, then you may be wondering if a certain Silicon Valley got its name because it looks like an inverted breast, like a giant foundry mould for massive implants.

Or if silicon is the stuff your CPUs are made of and Silicon Valley got its name after the many computer companies located there. In that case you're probably talking about Silicone..

Geez.. I just couldn't resist :-D

[spaceboy]

lol Art - you don't miss a thing!

Regarding the PSN issue:  important info!!

Sony to pay for 12 months free credit monitoring.  below is info for US customers, other region info to follow

http://blog.us.playstation.com/2011/05/05/sony-offering-free-allclear-id-plus-identity-theft-protection-in-the-united-states-through-debix-inc/

info on Debix/AllClearID
http://www2.debix.com/index.php

https://www.allclearid.com/sony

http://www.identitytheftlabs.com/loudsiren-review/

[mmosu]

I must have been reading some of those as you were typing this space, good w@&k staying up on this  :-X
Imagine my surprise this morning to find the network is still down!  As far as I new (because I hadn't heard anything to the contrary) things went back up as planned on Wednesday.  Looks like they still have a few bugs to w@&k out.  Oh well, at this point it's like a new game that gets delayed - it doesn't really matter how long it takes, as long as the extra time actually goes in to making it better.

[spaceboy]

yeah, that's how I feel, I'd much rather wait longer than have them rush to get it up.  Rumors of another attack on the way are circulating too which maybe they want to prep for.  Plenty of fun offline of course, but for their sake I hope it gets up soon as the bad press isn't good.  (been enjoying Motorstorm Apocalypse this week  ;D - I'll have to post about it when I get the chance)

[mandru]

Not sure if this was mentioned here or how factual it is but a week or so back I'd heard something on TV news along the lines that this whole thing had occurred because one person had discovered the hack and published it on a user group page then Sony went after him and in retaliation other members of the group exploited the information they had been given.

This could be completely wrong or misreported as often happens.  Has anyone heard something to verify or knock this down?   ????

[spaceboy]

that is essentially true - here's the quick version

1. hacker geohot (George Hotz) "jailbreaks" the PS3 itself and publishes the root key or whatever
2. Sony sues him and iritates hackers
3. hacker group Anonymous (not related to geohot)  threatens Sony and performs denial of service attacks on Sony sites, stages events at stores, etc. - They claim they won't mess with the PSN which would hurt gamers ability to play online.
4. PSN network is hacked, Anonymous says it ain't them, but Sony finds a file called Anonymous in their servers with some wording that they use "We are Legion" or something like that
5. Sony is working with the FBI and security specialists

Maybe it was Anonymous or maybe another hacker or group did the big network hack knowing that Anonymous was going to be the easily blamed culprit.

[mandru]

Thanks for the verification and clarification spaceboy.   :)  :-X

[Art Blade]

mandru, I read about that issue and memorise it as follows: An employee of Sony realises that certain data is hosted on machines running old software (unpatched) and lacking a firewall, too. So he posts that on a forum (I think accessible to Sony only) and nothing happens for a few months. Time enough for anyone with enough knowledge to make use of that post (either for performing a hack themselves or leaking out crucial info). The hack takes place and someone leaves a note pointing to Anonymous. Anonymous states that it hadn't been them but that they'd have done the same thing, leaving a false trail to distract pursuers.

[spaceboy]

latest blog post - a letter to users: It's nicely written I think.

http://blog.us.playstation.com/2011/05/05/a-letter-from-howard-stringer/

[spaceboy]

PSN is back up!   :)

There is a mandatory system update and you have to change your password.  Not sure if all regions are up, but we are here. 

[Art Blade]

 :) :-X

Keep an eye out for special free offers now. They wanted to offer two free games and one month of free use regarding their music/media services.

[spaceboy]

yeah I think detail on that will come once the Store portion is up and running, which it isn't yet.  First step is the actual online gaming part.   Subsequently I was also able to officially create my Steam account now that PSN can verify me.

[Art Blade]

I hope you PSN guys will be able to play without further issues. And that Sony learned their lesson and subsequently help those affected.

[JRD]

FYI

WARNING

From Nyleveia

I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe.
A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account's email and date of birth.

It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.

I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account's email is one that cannot be affiliated with or otherwise traced to you.

While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used.

Roughly a minute later they requested that we try to login with the password we used for the account (which they did not know at any point), and sure enough, we were presented with an invalid username and/or password prompt.

In addition to this, within a few minutes we received an email from Sony stating the following:

    This email confirms that your PlayStation(R)Network password account has been changed successfully.

    If you did not change your password...
    This email has been sent to you because the password for the relevant PlayStation(R)Network account has been changed.
    If you did not change your password, please contact Customer Support at the following address:

    networksupport@uk.playstation.com

    The PlayStation(R)Network Team

While we will not reveal specific details regarding how the exploit is performed for obvious reasons, we can say that the exploit involves a vulnerability in the password reset form currently implemented, not properly verifying tokens.

UPDATE: In the interest of sidestepping the naysayers and getting the warning out there, if someone working for a larger, more well known site (Kotaku, Destructoid, IGN, etc) wants to contact me for a live demonstration that this exploit is the real deal, you can do so at nevada@nyleveia.com.

UPDATE 2: Web based PSN login / Password recovery is now down for maintenance, hopefully as a result of our contact with SCEE. And more importantly, hopefully to fix the security issue.

UPDATE 3: To clarify the situation, we had confirmed ourselves the method used last night, and contacted SCEE, SCEE have acted upon this information, we felt the information previously provided in our tweets and this article may have been a little too revealing to the vulnerability, thus we "dumbed down" the explanation of the security hole. We have provided SCEE with a detailed description of the security hole.
While it's unclear at this time if they will actually patch the flaw while they have the system taken down, I can also confirm that the system went down approximately 15 minutes after I received a response from SCEE on the matter.

We for rather obvious reasons do not want to elaborate further on the exact details of the exploit, on the off chance that when the web based interface for PSN is restored the exploit has not been patched.

UPDATE 4: Last update on the topic most likely, i notice a lot of people are saying that we should not have posted this information and simply contacted Sony, and you're right in thinking this, however we contacted SCEE as soon as we had confirmed that the exploit was in fact real, the problem was that at the time there was a good 8-9 hour stretch where SCEE would not see our messages and given the rate at which the exploit method was spreading in the dark corners of the internet, we felt as though we needed to publicise the exploit advising users to change the emails used for their PSN accounts to secure them until Sony could patch the security hole.

Originally we posted rough details on how the exploit operated, to give further evidence to users that it was a valid reason for them to change their passwords, as with most news like this on the internet, people tend not to believe something until hoards of users have been affected, we posted an article on N4G advising PSN users to switch their email addresses which was promptly reported as spam/lame/fake by several users who refused to believe the news due to our site just being a small news outlet.

All along our main priority and focus has been to assist Sony and PSN users in keeping their accounts safe. If the current downtime for the web based forms results in the exploit being patched then our job is done and the potential thieft of countless user accounts has been nipped in the bud as early as humanly possible.

Thank you to everyone that has taken our warnings seriously and acted upon it, and to SCEE for their swift response to the matter.

UPDATE 5: Okay, due to the email response I felt i should answer some general common questions regarding the topic.

Q. If I already reset my password am I safe?
A. The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to.

Q. What if they don't know my Date of Birth or Email account?
A. Then the average user would not be able to take your account, however due to the database being illegally accessed in April, it's safe to assume that someone, somewhere, has access to a large number of users details, which include date of birth and email addresses, this alone should be reason enough to change your email.

Q. Are you sure this is real?
A. Yes, it was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method, this was additionally confirmed when a twitter user provided us with his data and requested that we change his password as proof.
We have since emailed him his new password, and no other data on his account was changed.

Q. Can Sony fix it?
A. Shortly after containing SCEE, the online forms connected to login and password recovery for the PlayStation and other linked networks was shut down and placed in a maintenance mode, I can only assume this is a direct response to our detailed reports to SCEE, with that said, I assume that when services resume the exploit will be patched and everyone's data once again safe.

Q. If Sony fixes the hole should I worry?
A. I would suggest that everyone, regardless of if they have been affected or not, create a new password and change their account email to one they do not use anywhere else, and will not be sharing with anyone else just for additional security.

Q. Will you give us more details on the exploit?
A. Until we have confirmed that the security hole has been patched we will not release further details on how and why the exploit was possible.

[spaceboy]

Thanks JRD - I really appreciate you posting that.  I saw a small bit of that but not the whole updates there.   Sony's blog says

We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.

Consumers who haven't reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.

hack or URL exploit seems a fine line to me.  since a URL exploit CAN be used as a hack I assume.  It's great that that site verified it and then sent the info to Sony.  Clearly they are admitting some URL exploit (whatever that is) was true.   

I've already changed my password obviously, but now I may go ahead and think of changing my email address, but that is a minor pain in the butt as I hate having mulitple emails to check...