Cathode Tan - Games, Media and Geek Stuff

Friday, April 29, 2011

More on the PSN Fail

I really don't want to keep blogging about this; I would think the message should be pretty clear by now: change your passwords and watch your accounts. However, I'm almost mystified by the two extreme reactions on the net right now. The first is pure impatience that PSN is down ... which is totally understandable, I've got some Portal 2 co-op to play after all ... but it really seems to miss the proportions of the breach in general. This thing was huge, and I can't imagine what all is going on over at Sony right now ... but I'm sure some engineers aren't getting much sleep in the process.

Then we have this:

Meanwhile, the New York Times reports -- citing security researchers -- that discussions on forums have popped up from hackers claiming they snagged credit card numbers from PSN users.

An excerpt from the article:

"Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company."

The New York Times also says they could not prove this list exists. On Thursday, Sony revealed credit card data was encrypted and there was no evidence that numbers had been swiped.
-- PlayStation Network roundup: Impact on Sony, compensation, more

So here's what happened. Some guys on IRC were talking about the hack, and they were talking about rumors that the DB was up for sale. On his Twitter account, security researcher Kevin Stevens mentioned the chatter, which media sources somehow took as proof that the whole thing was on like Donkey Kong, and started reporting that millions of credit card numbers are now up for sale and that Sony turned down an offer to buy them back.

Whoa. Let's slow the fsck down. The IRC log isn't even from anyone claiming to have seen the database, just people talking about rumors they've heard. They certainly seem familiar with the details and the security implications, but these aren't the actual hackers discussing how they'll cash in on the data. It's actually a pretty fascinating conversation, especially one key bit I'll get to below, but it's no smoking gun. And that Kevin Stevens tweeted about it doesn't mean he was vouching for the authenticity of the rumors. It's all hearsay. But media outlets are now treating Stevens as if he intended to add credibility to the claims, which he makes clear in a later tweet he wasn't: it was, as he puts it, "seeing a post on a forum and tweeting about it." It's one thing to tweet about it, but if you're a major news source and the bit you're running ends with "we have no proof about any of this" ... maybe don't run it at all.

Probably the biggest problem with the rumor is the claim that the CVV2 (the card verification value; CVC2, CID and CVVN are the same idea under other brands' names, and I can never remember which is which) is part of the data. That's the three- or four-digit number on the back of the card (on the front for Amex) which you enter for phone and online purchases these days. It was pushed hard several years ago as a way to prove you were physically holding the card you claimed to be using, and most online retailers require it now.

And for that reason it should never be stored anywhere after the purchase is authorized; the card brands' rules (PCI DSS) forbid merchants from keeping it, because storing it completely destroys the reason for its existence. So I'm willing to believe Sony wasn't storing them, and I don't recall ever giving it to Sony in the first place (Sony's own notice says the security code is excluded from what may have been taken). So unless there was another massive breach somewhere, I don't see how that could be up for sale.

Unless, of course, the whole thing is fake and there's just a bunch of people trying to con buyers with a phony database. Which is probably the most likely scenario, and the New York Times and USA Today just gave them free advertising. Bang-up job there, real journalists.

So database up for sale? I call shenanigans on that one.

However, there's one bit from this whole sordid tale which still has me on edge. In their first Q&A, Sony revealed that the personal data was unencrypted. Which, OK, obviously I wish it was encrypted but I can imagine a lot of companies don't encrypt information like billing address, first name, etc.

But my password?

My fscking password?

Please, someone from Sony, please, clarify this bit and tell us that the wording of the current PR blitz just wasn't specific. Because when I first read that the passwords were certainly breached, I did, as anyone should, assume that meant a hacker would eventually be able to read them.

But to think that my username and password were both sitting in a datatable within Sony's network with only "a very sophisticated security system" between it and prying eyes ... I ... I.

OK, look, I'm not a security expert. I did a stint as a Data Security Analyst for a major insurance company many, many, many years ago. I've got friends in the hacker community whom I don't really keep in touch with that much. And yet, data security 101 will tell you never to store passwords in readable form at any time: you store a one-way hash of the password, check logins by hashing what the user typed and comparing, and never keep the original. It's just too sensitive. The only person on this planet who should be able to see their own password is the user. It's a fundamental concept of data security. That password is the key piece of evidence that you are you. If anyone can read it? Then anyone can be you. Everything you do after that is simply a fail. You have lost the game.

I called PlayStation support to clarify. They could not (not too surprising, and I don't envy their job right now so I didn't hassle them on it). Sony's blog hasn't clarified. Then I read this in the log from Kevin's tweet:

[21:54:45] I doubt sony stored passwords in plaintext on the server
...
[21:55:04] kkk: they either did that or they hash em cause they are sent plaintext
...
[21:55:49] kkk: unsalted hashes wouldn't be too far from plaintext anyway :D
-- #ps3dev log

So a hash is not quite encryption: it's a one-way function, so the site stores the hash, checks a login by hashing what you typed and comparing, and never has to keep (or be able to recover) the original. "Unsalted" means every user's password is hashed exactly the same way, so an attacker can precompute a table of hashes for millions of common passwords once (a rainbow table is a compressed form of this) and then just look each stolen hash up in it. A salt is a random value stored next to each hash and mixed into it, which makes those precomputed tables useless and forces the attacker to start over for every single user. Salting alone doesn't stop someone from guessing common passwords against a fast hash like MD5 or SHA-1, which is why the better practice is a deliberately slow password hash (bcrypt, scrypt, PBKDF2), but unsalted fast hashes really are, as the log says, not far from plaintext.
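To make the "unsalted hashes wouldn't be too far from plaintext" line concrete, here is an added example (my own illustration, not anything from Sony or from the #ps3dev log) that plays both sides: the site storing passwords three different ways, and the attacker trying to crack each. The wordlist is a constructed stand-in for the real dictionaries and precomputed tables attackers keep offline; the hash choices (SHA-1, SHA-256, PBKDF2-HMAC-SHA256) are assumptions for the demo, not a claim about what Sony used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the wordlists / precomputed ("rainbow") tables an
# attacker keeps offline. Real ones hold billions of candidates; the logic is
# identical.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Portal2", "donkeykong"]


def unsalted_hash(password: str) -> str:
    """Naive storage: one fast, unsalted SHA-1 of the password.

    Every site using this scheme produces the *same* hash for the same
    password, so one precomputed table cracks all of them, everywhere.
    """
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored_hashes):
    """Attacker side: build the table once, then every stolen hash is a dict lookup."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    return {h: table.get(h) for h in stored_hashes}


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted storage: a random per-user salt is mixed in and stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def crack_salted(records):
    """Attacker side: no shared table is possible; the dictionary is re-hashed per salt.

    Returns the recovered passwords and how many hash computations it took.
    """
    found, attempts = {}, 0
    for rec in records:
        salt_hex, digest = rec.split("$")
        salt = bytes.fromhex(salt_hex)
        for word in WORDLIST:
            attempts += 1
            if hashlib.sha256(salt + word.encode()).hexdigest() == digest:
                found[rec] = word
                break
    return found, attempts


def kdf_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """What a site should do: salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here).

    The iteration count is stored so it can be raised later; bcrypt/scrypt are
    the same idea with better resistance to GPU cracking.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Login check: recompute with the stored salt/iterations, compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users who picked the same weak password.
    naive = [unsalted_hash("password"), unsalted_hash("password")]
    print("unsalted: identical hashes?", naive[0] == naive[1], crack_unsalted(naive))
    salted = [salted_hash("password"), salted_hash("password")]
    print("salted: identical hashes?", salted[0] == salted[1], crack_salted(salted))
    rec = kdf_hash("password")
    print("kdf verify:", kdf_verify("password", rec), kdf_verify("Password", rec))
```

Run it and you'll see the unsalted hashes for both users are identical and fall to a single table lookup; the salted ones differ and each costs the attacker a fresh pass over the dictionary; the PBKDF2 record makes every one of those passes 200,000 times more expensive, which is the whole point of a slow KDF.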

But you know what? I'd at least like confirmation that Sony encrypted the damn things in any way. I'd prefer it to be a decent enough way that the hackers would at least have to break a sweat to get it. I don't need, or even want, to know the exact methods Sony used to encrypt my password.

I'd just like to know they bothered to do so. It doesn't mean I can ignore the fact that they're out there in the wild.

But at least I could assume Sony's data security wasn't being run like this.

Have a good weekend, people.

Game Play: Sword and Sworcery


My interest for Sword and Sworcery started just by seeing the screenshots. It's a game that's quite unique in several ways, and hence actually becomes somewhat difficult to review. The experience is designed from the ground up for someone who really has very little knowledge about the game's story, mechanics, characters and ... heck, even style. I was rather surprised by some of the tone of the narration - even though everything from the writing style to the mechanics corresponds quite nicely to create a rich gaming experience.

Without getting too specific, the impressive thing about Sword and Sworcery is its ability to play up old-school gameplay from the days of King's Quest while rolling in modern concepts like social media. It is also a game which is neatly, I guess, "metasmart" for lack of a better term. It's probably the least clichéd use of the player as a "god's finger" that I can think of, and it also neatly explains why you can point a direction for the hero and rustle bushes as well.

I wish I had access to the iPad version, but the iPhone version seems well suited to the smaller screen real estate. It is an absolute must to play this game with headphones (or really good speakers, I suppose). Not only is the music part of the rich experience the Superbrothers are weaving together, but there are a few spots which use audio cues in critical moments as well.

I'm in the third session, and as an aside I enjoy the fact that the game actually insists on a bit of an intermission (it's part of that "metasmart" portion of the design). I've been using S&S as something of a night time read - and it feels in some way like an interactive story right for bedtime that you can simply put a bookmark in and pick up later.

My only complaint so far is that a few of the moments where they clearly want you to explore as opposed to explain get somewhat confusing, and I actually found some of the mechanics of the first boss battle a bit annoying (like holding down the shield to heal, which seems like a silly warm-up exercise at best). But these are really small things compared to the game as a whole, which I highly recommend.

Tuesday, April 26, 2011

PSN #FAIL: Yes, it is probably time to change some passwords


That the PlayStation Network has been down isn't exactly earth shattering news, but Sony just released the first real information on the outage, which started on April 20th.

It's not good. Recently, rumors came about that the outage was done to build a defense around a custom firmware hack called "Rebug", which allowed normal consoles to be identified as debug consoles, which apparently gives them all manner of access on the network, including downloading free versions of games. Sony has yet to confirm whether that was the original cause, but they have confirmed a successful intrusion into the network, which as a result has...

obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
-- Update on PlayStation Network and Qriocity

Everyone who has a PSN account should probably take the time to read that again. It's pretty significant, even if the intrusion did not successfully gain any credit card numbers. Consider this:

Many online systems now accept a valid email address as your username
Most users reuse the same password across multiple websites
Most users reuse the same security question information, when possible

And that's not adding on the truckload of personal information now open for social engineering.

It's a pretty big deal. And while I'm sympathetic to Sony that the event happened in the first place, I think waiting a whole week to notify users of the potential danger is a bit absurd. Did it take a week for Sony to realize the extent of the data theft? Or just a week to write the above update? Either way is a pretty massive fail.

If you're a person who falls under the behavior listed above, I'd recommend visiting your more sensitive online sites (banking, bill pay, mortgages, etc.) and updating the password to something new, and ideally something unique to each site, since reuse is exactly what turns one breach into many. In this day and age, a good password should:

1) Not be based on personal data like birthdate, children's names, home addresses or your PSN handle. All of that was potentially just scooped up in this theft, and it's the first thing anyone holding the data will try.

2) Be longer than the minimum the site allows. Many websites still accept five or six characters; eight or more is a much better floor, and length does more for you than any other rule on this list.

3) Include at least one number, and at least one other non-alpha character like a "!", "#", etc.

4) Use a mixture of caps and non-caps.
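Here is an added example (my own, not anything Sony publishes) that turns the four rules above into a checker. The interesting part is rule 1: given the fields the Sony notice says were taken, it derives the tokens an attacker would try (name parts, birth year and date formats, zip, email local part, handle) and rejects passwords that contain them, even with common letter-for-digit swaps. The profile is constructed sample data; the eight-character floor and the leet substitutions are assumptions for the demo.

```python
import re
from datetime import date

# Constructed sample profile: the kinds of fields the Sony notice says were taken.
PROFILE = {
    "name": "Jane Player",
    "birthdate": date(1980, 7, 4),
    "zip": "60614",
    "email": "jane.player@example.com",
    "handle": "CathodeTan",
}

# Common "leet" substitutions attackers undo when matching: J4n3! -> janei
LEET = str.maketrans("0134@$!", "oieaasi")


def personal_tokens(profile) -> set:
    """Substrings derivable from leaked profile data that should never appear in a password."""
    tokens = set()
    tokens.update(p.lower() for p in re.split(r"\W+", profile["name"]))
    bd = profile["birthdate"]
    tokens.update({
        str(bd.year),
        bd.strftime("%m%d"), bd.strftime("%d%m"),
        bd.strftime("%m%d%y"), bd.strftime("%m%d%Y"),
    })
    tokens.add(profile["zip"])
    tokens.update(p.lower() for p in re.split(r"\W+", profile["email"].split("@")[0]))
    tokens.add(profile["handle"].lower())
    # Very short tokens (e.g. "80") would match almost anything; drop them.
    return {t for t in tokens if len(t) >= 3}


def check_password(pw: str, profile, min_len: int = 8) -> list:
    """Return a list of problems; an empty list means the password passes all four rules."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no non-alphanumeric character")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("no mix of upper and lower case")
    lowered = pw.lower()
    normalized = lowered.translate(LEET)
    for tok in sorted(personal_tokens(profile)):
        if tok in lowered or tok in normalized:
            problems.append(f"contains personal data '{tok}'")
    return problems


if __name__ == "__main__":
    for candidate in ["Jane1980!", "J4n3!pl4y3r", "Tr0ub4dor&3", "abc"]:
        print(candidate, "->", check_password(candidate, PROFILE) or "OK")
```

"Jane1980!" satisfies every character-class rule and still fails, because the name and birth year are now in an attacker's hands; that's the case the rules about digits and caps can't catch on their own.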

I'm a pretty security-aware kind of guy, and I'm honestly pretty annoyed at Sony right now. I don't entirely fall into the mold of someone who uses "password" or "12345" everywhere, but this amount of data kinda spooks me. There's certainly a level of due diligence that Sony is doing here, so I don't think we need to brace ourselves for some coming credit apocalypse ... but at the very least, changing your passwords to something more secure is like calling your mother: it's always a good time to do it anyway.

Image lifted from Addicted Gamer

Monday, April 25, 2011

Nintendo Rumors: Revolution versus Cafe


There's something about Nintendo which sparks rumors to an extent greater than most companies. I'm not entirely sure what it is - it's not just because of how much of a game changer the Wii turned out to be, though those rumors certainly hit a high watermark. Now we're faced with the successor of the insanely popular Wii, now confirmed by the big N, and the rumor mill is churning at full speed.

One of the big ones? That the controller will have a large, probably touchscreen, LCD display jammed into the middle of it. Something like the picture to the left ... which was actually a rumored leaked image circulated for the Wii (or Revolution, as it was called before being branded). Other rumors? That the Revolution would have a large hard drive, that it would have graphics comparable to the Xbox, and even that it would sport a 3D interface. I think someone even did a mockup of Revolution with a big holographic display in the middle, à la the Star Wars chess game.

The new controller rumors have decent weight behind them - and it may fit well into Nintendo trying to think out of the box. Of course, I'm an old Dreamcast guy ... so I don't find the idea overly revolutionary - but I do think Nintendo could make it work much better than the old white box did.

Otherwise, the rumors for Cafe are fairly reserved. That Nintendo would want to surpass the current generation of consoles is a bit of a no-brainer - when the Wii first faced off with the 360 and PS3, the HD generation was still expanding into critical mass. Now, HD sets are cheap and easily available - and Sony is even moving on to push 3D on the people. How much muscle Nintendo will throw down is an interesting question - since they're getting out of the gate earlier than Sony and Microsoft - they may be attempting a 360 strategy where their graphics will be good enough that they could soak up the early adopter marketshare. To make that work, they'll certainly need to bite the hard drive bullet - which given how cheap hard drive space is these days, seems a certainty.

On a geeky side, I have to wonder what Nintendo will use as a disc format. This could almost be the first console to not use a disc format, but that seems a stretch even for Nintendo. It wouldn't be a bad idea for Nintendo to embrace Blu-Ray, but Blu-Ray is probably not enough of a dominant HD format to justify licensing it from a competitor.

In fact, I'm not even all that interested in the Cafe hardware. Where Nintendo really needs to compete is on software. Both PSN and XBLA are excellent gamer networks, and if Nintendo was incapable of generating at least a worthy clone - the Cafe is going to have trouble out of the gate.

And the other thing Nintendo needs to fix, which I think has been mentioned in most of the previews up till now, is third-party support. I'm not going to buy another piece of Nintendo hardware just to play the next Zelda or Metroid game. They're great franchises, sure, but they don't bring anything new to the table in the same way that, say, Little Big Planet or even Gears of War does. Nintendo needs to join the Call of Duty crowd for this generation, because while the old Nintendo mascots may have some of the most loyal followings in the world, I don't see their numbers increasing drastically in 2012.