BruceTonge.Info

I have just tonight received the email I have been waiting for from Sony in regard to there PSN “Outage”. As you are all probably aware the PSN has been down for a week now and looks like it will be down for at least another week. It would appear that Sony have managed to loose there entire user database to an intruder. the only think they seem to have protected is the security code for credit cards though they are not finished investigating the breach so there is time yet…

The one thing that has struck me is that they have lost all the users passwords… Now this is quite alarming in a number of ways. Firstly let me note the two options I see there being for the loss of passwords as described by Sony (which is vague at best):

1. The passwords were stored in the clear (not protected by a hash) and were in the same databases that have been taken. Or.

2.The passwords were stored in a database that was compromised but they were hashed password.

Now if option 2 is the case I can only guess that there is some worry that the hashing method used is not very strong I.E. a known algorithm with no salt. This would be bad but excusable.

I fear however that Sony have kept the passwords in the clear. This is inexcusable. IF this turns out to be the case I dare say the protection of the credit card security codes will be as equally poor.

I will await the full disclosure of this incident before I decide weather to leave the PlayStation platform for good.

I have had a number of new regisers to my wp site in the last few days all with .pl domains the latest had the word spam in ther email address. I am a little worried a wp hack might be coming down the pipe. I think I am going to start dropping a few inactive and dubois users this week. If you want to stay post a comment.

Last year I joined the security knoladge transfer network (KTN). I attended there meeting in Manchester where they set out ther plans to help raise IT security knolage to uk companies and government. It would spear from looking at there site that there grand design has been raines in a lot. Bad news for everyone and no substitute in sight.

The live feed for the MacWorld keynote from MacRumours was hacked today. This hack also took down there regular site. From the text that was in replacement to the keynote info (provided by thoes that had hacked the site) it seems that access to the server controle pannel was hacked allowing access to the hole system. It also apeared that more than one hacker had had ago at the system as conversations emerged in the streem. At one point it seemed that other users of the site were also able to contribute as requests to stop were also included in the streem as well as info from other streem providers. Not a good day for MacRumours.

I have ordered my key now will be with me in two weeks so I can have a proper play then. But I have been thinking. This device doesn’t work if you can just buy one anonymously and create an identity with it and use it for authentication. All it is really good for a single user is for adding to existing accounts on systems and using the key as a single authentication device through the central auth system (openID). Other than that the key needs to be issued by a party and tied to there system and issued in a way so that it is securely placed into the hands of the correct owner for multi factor authentication. in this method for each system you need authentication to you would need a separate key ie for access to a bank account with one firm and access to a credit card held by another firm. One key will not do all. What this system needs is a central authentication system that can be trusted to some level. A bit like Thawte did with ssl certs all those years ago.