Old 04-28-2011   #15
Xan
Join Date: May 2006
Location: Slovenia
Posts: 4,587
Sony has thousands of servers for their PSN network, but as far as I hear only a limited support staff.

Security-wise, nothing is unbreakable. Nothing. If it's secure, it can be broken.

The main question here is why didn't Sony deploy any additional countermeasures to secure the network? After digging a bit, it was predicted a long, long time ago that the network was wide open to anybody with malicious intent.

The information on the vulnerabilities (HTTPS being bypassed by self-made certs, proxy inbuilt to CFW used to steal data) can be found by any child with internet access, as well as details on how to secure said exploitable venues.

Sure, it's not Sony's fault for having to deal with custom firmware. But look at PGP encryption:

A single 2048-bit key is unbreakable by any standard. And when generated you have two portions of a key:

1. Public key (Can be shared with anybody, used to encrypt data meant only for the holder of the key)

2. Private key (Can be used to generate/validate the public key, and its main function is to decrypt any information sent by the public key holder).

Without the private key, you cannot in any possible way tell what the encrypted data is. The private key is your 50-foot Adamantium bank vault. As long as this portion is secure, you will never have to worry about anybody reading your transmitted data.

This way, all Sony would have to do is keep the Private Key secure, and you couldn't touch any data being transmitted to them via HTTP or HTTPS.

Yet Sony decided to sit back and take faith that no cybercriminal would take the easy meal.


--

This is my longass comment from the front page. I have no idea if a PGP implementation would have done any good for them, but it's sure better than relying on HTTPS, which is pretty much broken due to proxies etc. being used to man-in-the-middle.

I even found a ps3hax article on this. Some certain people with access to one of the proxies being used to gain access to the PS3Network decided to do a test, and they managed to easily get CC information being sent to Sony via HTTPS.

Ash was right. There were a ton of warning flags being placed in front of Sony but nothing was done about it.