April 29, 2011

UNCONFIRMED - Early Versions of PSN May Have Sent User Information In Cleartext Over HTTP [UPDATED]

This is in no way confirmed to be legitimate, but if true it is rather unbelievable.  A couple of days ago, lo-ping.org reported that they've found what appear to be chat logs from a group of PSN hackers.  Reading through them, they seem to be pretty legit, but obviously, again, there is no way to confirm this.  Among the most interesting things in the transcript is the following exchange:

<user5>  yeah if you go public with your info they either remove the store or psn all together
<user5>  as an update
<user6>  I doubt it :P
<user7>  from all the actions they've taken the past years, we can only deduce that Sony don't care about their customers
<user2>  impossible
<user7>  :)
<user2>  they won't update their whole psn lol
<user6>  but this should really get out there, but I guess it's on psx-scene.com in a matter of minutes already ;)
<user5>  3.60 removal of psn
<user2>  i know a few guys who worked @ sony's psn backend. just when the ps3 was released we talked bout the first psn, at this time ALL was http and unencrypted. so you could see userpass etc plain. i asked em why is it that way. lame answer was "we thought it was addressed." - lol
<user2>  sony qa --> trainees

If true, for an unknown amount of time Sony was knowingly committing a pretty grievous security error.  An error that may even be illegal, as they'd have been knowingly sending unencrypted credit card numbers over the Internet back to their servers.  In any case, if true, this shows exactly how seriously they valued the protection of their users' personal data.  I've reached out to Sony for comment on this, and will report more if I receive a response.  However, I realize I'm a minuscule fish in a big ocean of press and companies wanting their attention, especially given their VERY recent PR history, so I'm not holding my breath.

UPDATED 4/29/11 3:12 EST - Added information that these don't appear to be *THE* PSN hackers, but rather a group of hackers that work on hacks for the PS3/PSN.

April 27, 2011

Sony Slapped With Class Action Lawsuit For PSN Data Theft

IGN has reported that Sony now faces a class action lawsuit related to the data theft from the PSN.  Quoting the article:

"We brought this lawsuit on behalf of consumers to learn the full extent of Sony PlayStation Network data security practices and the data loss and to seek a remedy for consumers. We are hopeful that Sony will take this opportunity to learn from the network vulnerabilities, provide a remedy to consumers who entrusted their sensitive data to Sony, and lead the way in data security best practices going forward," said Ira P. Rothken, an attorney who filed the class action complaint.

Expect emails some time in the future to claim your piece of the pie, whatever that may end up being.

Hulu Responds to PSN Outage With Credit to Users

I haven't yet confirmed that this is going out to all users, and have reached out to Hulu for additional comment.  What I can confirm is that I just received a legitimate email from Hulu offering a $2.00 (one week) credit to Hulu Plus users that have a PS3 registered on their Hulu Plus account.  Kudos to Hulu for reaching out to their community when this outage was in no way related to them, and their service can still be accessed via other means.  This is the type of customer support Sony should have shown from the beginning of the PSN outage.  A copy of this email is shown below:

UPDATE: I received an email from a source familiar with the offer. They stated that any user that accessed Hulu Plus content from a PS3 recently should have received the offer. In addition, if a user has their PS3 registered to Hulu Plus, but simply hadn't used it in a while, they can request the same credit with a reasonable expectation of receiving it.

April 26, 2011

Sony Drops Megaton - All Your Information Potentially Stolen

Via the PlayStation Blog, Sony announced after nearly a week of silence that they believe essentially every piece of personally identifiable information they obtained through the PSN registration process may have been compromised.  In addition, they have no evidence as to whether credit cards stored on the PSN have also been compromised, but have nonetheless advised that this information may have been obtained.  Below is the quote from the post:

"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

Further information has been given in the post regarding preventative measures to take against identity theft.  Sony plans to distribute this information by email to every PSN subscriber.

The post also mentions that they expect to restore some PSN services "within a week".  No word yet on whether any compensation will be offered to PlayStation Plus subscribers, or to subscribers that are unable to use the PSN with other services they've purchased, such as Hulu+, Netflix or DC Universe Online to name a few.

April 23, 2011

PSN Still Down, No End In Sight

Yes folks, this is what still greets you when trying to sign in to the PSN.  Today marks the fourth consecutive day that the network has been down, and while Sony admitted last night on its official US blog that an "external intrusion" was the cause of the outage, we've yet to hear any details of the intrusion.  Nothing has been said about whether credit card information was obtained, user information leaked, or accounts compromised.  On top of this, there's no end in sight either.  No ETA for restoration of service has been given.  Not even a nebulous "we'll have it back up this weekend".  The utter lack of communication here has been extremely troubling.  The fact that their own statement has them voluntarily keeping their own network down says a lot about the severity of what has occurred.  You would think (HOPE!) that they would see the value in informing their customers as to what exactly has happened, rather than continuing to allow rampant speculation to go on unabated.  So I'll do what any good blogger would do in this situation.  Let's piss some gasoline on the fire!  Here are my theories as to what's happened, in order of most to least scandalous, each with a likelihood factor on a scale of 1 (least) to 10 (definite).  I'm not limiting myself to only one of them being on the money... more than one could explain the delay.

Anonymous Succeeded In "Making Information Free" - Likelihood 2/10

Given that part of the group Anonymous's point was that the information Geohot made public should be free, and that anyone should be able to do what they like with their own system, imagine this scenario.  Geohot provides all the information he has on the PS3 to Anonymous despite it breaking the rules of his settlement, or he'd already provided this information to the group beforehand as an ace in the hole to cause Sony anguish if things went south in the legal department.  Anonymous finds a way to jailbreak *ALL* PS3s simply by logging on to the PSN.  Sony is then forced to keep the network down until they're able to ensure no PS3s end up jailbroken once they hit the PSN.  In addition to being a pretty spectacular feat, it would likely provide more "lulz" than the group has probably ever had at anyone's expense.  Combine that with the fact that, again, Sony voluntarily has the network down and won't say why, and this is *almost* plausible.

Hackers Have Crippled the PSN, Sony Themselves Can't Get It Working Again - Likelihood 1/10

I put this likelihood at one out of ten, and yet part of me thinks this is more plausible than I'm giving it credit for.  The geek in me realizes we live in an age of change control, constant backups, offsite disaster recovery sites and the like.  The other side of me can't help but wonder whether, since the PSN is free to all, Sony skimped on these types of protections and is now really and truly in a world of hurt.

User Accounts Have Been Compromised - Likelihood 7/10

This is way more likely than I'd like to actually admit.  But like a broken record, I keep coming back to the fact that Sony is the one keeping the network down at this time.  A good reason to do this would be if account information was compromised that would allow the hacker group to log in as any of these accounts.  Sony would want to notify these users (maybe?!?) and let them change their password, to prevent the theft of any of their information or credit card numbers assigned to the account, before turning the network back on.  If this one is true, we will certainly be notified.  Much like the emails that went out detailing the failings of the email provider for several major corporations earlier this month, we will be notified if any of our information has been thieved.

Sony's Intrusion Detection Alerted Them To An Issue, But They're Still Investigating If Any Damage Actually Occurred - Likelihood 9/10

My money is personally on a red alert going up from Sony's intrusion detection systems, serious enough to warrant investigation.  Rather than risk any potential for harm to the users, they've shut everything down until they're certain that there's nothing now hiding in the system that could bite users (and them) in the tuckus later.

Sony PR Has No Way to Spin This Positively, Kevin Butler Is Firing People At Will - Likelihood 10/10

At this point, Sony pretty much has its pants around its ankles.  They have a lot of explaining to do, and three statements with next to no information to the public in four days of outage aren't going to quell the rage of a consumer base that just bought Portal 2 or Mortal Kombat on Tuesday and now cannot play them online as they'd planned.  On top of that, the 4/22 statement that they themselves took the network down makes their statements on 4/20 and 4/21 outright lies.  Which is it, guys?  You don't know why it's down, or you took it down?  I really hope a journalist with more clout than my tiny little blog will take them to task for their lack of (and conflicting) information.  PR's only move at this point can be damage control, and it will be very interesting to see what track they take.  Will it be free stuff to the masses?  Will it be a giant middle finger and "Thanks for your patience during our downtime"?  Only time will give us that answer.

April 19, 2011

Another Amazon Video Game Lightning Deal Day!

Wow, so it seems this is all I have time to post lately, but here's the rundown for today and my guesses in parentheses.  The Deal of the Day is Starcraft II: Wings of Liberty for $39.99.  This is available all day as usual.  The Lightning Deal games will be revealed as each time arrives, along with what the deal is:

(All times EST)
9:00am - World of Warcraft Battle Chest
11:00am - Dragon Age 2
1:00pm - Killzone 3 Helghast Edition
3:00pm - Bulletstorm
5:00pm - Final Fantasy XIII
7:00pm - The Sims Medieval
9:00pm - Kingdom Hearts Birth by Sleep
11:00pm - Major League Baseball 2K11