Originally Posted by Mac the Geek
That's a bit of a stretch at this point. If someone hits you with their car, is it Henry Ford's fault? Hotz might have shown others how to get all the way into the console, but he's been too busy getting sued to actively work on any of the custom firmware currently circulating. Don't blame the pioneer, blame the people who wrote Rebug.
What you just said with the car is nothing in comparison to what I said.
You also contradict yourself, because assuming that Rebug is the main tool that enabled the hacker to find the exploit in PSN, then the blame IS NOT the people who wrote Rebug either. You wouldn't blame the "pioneer" of CFW, yet you would blame the "pioneer" of Rebug who might not have even had anything to do with this?
The PSN breach was a result of Rebug (assuming this is true, which is likely) which is a direct result of Geo and fail0verflow's CFWs business. And almost all of this hacking business and "down with Sony" stuff to begin with ALSO falls under the fault of Geo specifically which contributes greatly to any of this illegal "let's do Sony harm" stuff.
And again... there's been speculation that Rebug enabled the data theft, but nothing has been proven at this point. I'm skeptical that it was the primary culprit, for one big reason: if "developer access" was all that was required to gain access to personal information, then every PS3 developer - for the life of the PS3 - had the potential to compromise the system. If you're going to tell me that not one programmer tasted forbidden fruit they had easy access to, I'm going to disbelieve you. Bottom line: if Rebug made the data theft possible, then every PS3 user's personal information has been vulnerable for years.
That logic is terrible to use against something like this.
If pretty much everything has an exploit, and there is always an exploit for pretty much everything, then by your logic anything has been vulnerable for all of time.
This isn't an argument you can use against Sony specifically, as it's an argument you can use against anything.
If there are always exploits waiting to be found, then anything has been vulnerable for practically all of time ( or since said anything's existence).
It isn't like the exploit has been known about. It was only just found out. To say "well it's been vulnerable all this time" holds true: but the same could be said about ANY type of exploit situation.
Epsilon or even Gawker for example. Both situations are for all intents and purposes almost EXACTLY the same situation that's going on with Sony. By your logic, Epsilon and Gawker have been vulnerable for years.
BUT the problem being that only just now someone found the exploit just recently and abused it. The exploit existed, it's a true statement that Epsilon and Gawker have been vulnerable this entire time BUT only just recently was that exploit found.
The PS3 had no exploits until all of this stuff came about. For 4-5 years, the Sony PS3 had no known exploits. Turns out, this entire time - yes the PS3 has been vulnerable through OtherOS and later on because the signature keys weren't random at all - the variable was 4. Ok, your statement holds true: the PS3 was vulnerable this entire time. BUT the exploits were only just found.
For those 4-5 years, the PS3 was invulnerable.
Amazon.com recently fixed a security flaw where you could input a password that was CLOSE to the exact password, and it would work (i.e. my password really is: omeganemesis28. You could put in the password omeganemesis and still get in). Only affected some accounts, but it's not like this exploit was really known about. Your statement, again, is true. This entire time for ALL these years: Amazon.com has been vulnerable. But, only until recently has this exploit been known.
I mean, I could go on and on. I'm just giving some recent examples that relate specifically to the PSN case. I could talk about padlocks, and how there are exploits to breaking into them. "Padlocks have been vulnerable this entire time!" Of course, anything is vulnerable. It's a matter of finding the exploit. And even if that exploit gets fixed, there is always another one somewhere.
There is no foolproof system. The PS3 itself is an example of that ironically enough. It's been vulnerable since the day it launched, but it took almost 4 years to find one through OtherOS which Sony was more or less forced to remove to prevent it which only led hackers to find another exploit being the keys. Doesn't change that the PS3 wasn't exploited for those 4 years, it was unknowingly vulnerable.
In the Reddit thread, there's a post with a link to an alleged transcript of hackers chatting about PSN. Towards the end of that transcript, it's noted that Sony ran an authentication server with an outdated version of Apache atop an outdated version of RHEL. That's a security breach waiting to happen, and that's a much more likely source for stolen data than anything that could have been gained by developer-level access to PSN.
True, it's possible that Rebug might not have been the problem. But looking at the timing - it's a highly likely situation. What I stated about Geo being responsible indirectly is just assuming that Rebug was the cause. I could be entirely wrong, and someone breached the network through other non-CFW means. But if Rebug was indeed the cause, the roots reach back to Geo on top of all this "down with Sony."
This isn't like saying the inventor of airplanes caused 9/11 to occur at all, like you would imply with the car hitting me and I'm blaming Ford.
For what it's worth, I agree. But if a corporation wants to be trusted with personal information, they need to be held to a very high standard. We don't yet know just how much effort Sony had put into its security efforts. If the Rebug rumor is true, then Sony was mind-bogglingly negligent (and shady developers could have been committing identity theft undetected for a very long time). If the authentication server was the point of entry, Sony bears a significant amount of blame, as do most companies who neglect their security infrastructure and get burned. It's even possible (though not likely) that everything we've heard thus far has been false information, and Sony's security was top-notch. We can't assess blame until we know facts, and at the moment we don't have any.
I agree that customer information is something that needs to be secured properly and that companies need to be held to a higher standard regarding them. Absolutely. But I feel no information on the internet is safe, and things like these will inevitably happen.
I do think Sony was wrong for not encrypting all the member material.
Again, assuming Rebug is the cause, Sony believing that there could be unauthorized access to the developer network is a bit of a stretch in and of itself. There is a reason why the developer network is the developer network. It isn't exactly something you just happen to get access to. You can't expect Sony to have put the same fine tooth comb for exploits through the developer network like they did on the public network. It doesn't make sense to, even with the eve of CFWs. How could they predict the exact scenario of a CFW being made to make your console into a developer console with access to the developer network and then finding an exploit that Sony doesn't know of to begin with? That's a stretch to put blame on something.
And it's not like developers themselves are going to be finding and using said exploits too - actual developers on the Sony network are given access directly from Sony themselves. Sony was able to catch unauthorized access on their network breaching security, if you think Sony wouldn't be able to catch developers of all people breaching their security and bring the hurt down even more so I would think again. That's the equivalent of the hacker giving his name to Sony and THEN exploiting their security.
Does a company with poor security "deserve" to get hacked? No. But do individual consumers have the right to expect that their private data will be protected to the best of a company's ability? Absolutely. Do some companies neglect their security infrastructure until it's too late? Unfortunately, yes. And that's the real problem; far too many companies look at their IT departments as a cost to be minimized, rather than as the backbone of their customer-relations and -retention efforts.
I agree completely with all of this. I just feel like people are treating Sony as if they are the only ones with the problem here, just for the sake of the whole hacker CFW Geohot fail0verflow OtherOS garbage. This problem is universal, particularly with the Epsilon problem recently. Pretty coincidental too if you ask me.
For the record, you're pretty much the only post I've responded to regarding this whole PSN nonsense without feeling like the other person was off their wagon. Your response was incredibly unbiased and credible in my opinion.