Splicer
Registered: 10/31/2013
Offline
52 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

Apr 17, 2014

Thanks for letting us know. :smileyhappy:

Message 21 of 34 (530 Views)
Reply
0 Likes
Treasure Hunter
Registered: 11/20/2006
Offline
4382 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

Apr 17, 2014

TwinDad wrote:

The-Sarge wrote:

Thanks for letting us know so quickly.  :smileymad:

 

I mean, after all, the exploit was made public a week ago.  Some have only been trying to get information from Sony customer support since the 8th.  Other major companies have only let people know their security status since that same date.

 

What the hell is wrong with Sony?  Do you not think that your customers deserve to know the security status of their private information that they have entrusted to you?

The exploit may not have been your fault, but the way you handle informing customers of the situation is.

I tell you, some laws need to start being passed regarding these types of things.  Companies should be, by law, issuing a security status statement to their customers within 24 hours of such a vulnerability being made public, with the current status of the security and ETA of patch completion.

One week of saying nothing, especially when you have been asked repeatedly, is ridiculous.

 


I agree to a point. 24 hours isn't enough time to find all the systems that would be vulnerable to that patch, and to find out a way to patch them. Could they have posted "we are aware"? Sure, they could have. Is the time from the 8th to the 15th acceptable? No, but in the past they would never have communicated with us about this, so small victories.

Also, and more important, when you have enemies, and I think based on the PSN outage they have them, you never, never, never tell your enemy if you are vulnerable and when you plan on patching it.

BTW security patches are released daily/monthly, why not just put a post on the web that states "we are aware of the security risk, and are working on patching it. Thank you."


24 hours was enough time for Google, Yahoo, and a slew of other companies, including my own.  24 hours was enough time for the Canadian government to shut down all their web sites to help protect against problems until they were sure.

 

And warning us would have given us the ability to make the choice of whether we wanted to continue logging into, and purchasing from, the PSN, as your information was safe unless it was actively being transferred over OpenSSL, such as logging in or submitting CC information.

Letting people know if they were vulnerable would not have invited any more hackers to try to hack them than announcing that the vulnerability existed.  As soon as the existence of Heartbleed was announced, hackers were trying to use it against any large company or website.  They didn't need confirmation from the company as to whether it was affected or not before they started probing.

All that would have happened, if Sony let us know the state of their security, is that we could have made informed decisions as to the risks we wanted to take in our dealings with their web sites.  Plain and simple.

And being able to make such an informed decision is a right that every consumer should have in this day and age.

Sony just didn't want people to stop using their cash-generating web sites during this time, and they were willing to put our personal information at risk in order to satisfy this greedy objective.

So yes, laws need to be passed for these types of things.  If companies are going to be caretakers of people's personal information, then they have a minimum standard of care that is required.  And immediately informing their customers as to the state in which their personal information is secured, especially when such a universal issue arises that draws that state of security into question, should be part of that standard of care.

And it should definitely be communicated to the customer when the customer specifically asks that question of the company, using the only channel the company has given the customer to ask such questions.

Be One With The Game.

Message 22 of 34 (487 Views)
Reply
0 Likes
Treasure Hunter
Registered: 03/14/2007
Online
8582 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

Apr 17, 2014

The-Sarge wrote:

TwinDad wrote:

The-Sarge wrote:

Thanks for letting us know so quickly.  :smileymad:

 

I mean, after all, the exploit was made public a week ago.  Some have only been trying to get information from Sony customer support since the 8th.  Other major companies have only let people know their security status since that same date.

 

What the hell is wrong with Sony?  Do you not think that your customers deserve to know the security status of their private information that they have entrusted to you?

The exploit may not have been your fault, but the way you handle informing customers of the situation is.

I tell you, some laws need to start being passed regarding these types of things.  Companies should be, by law, issuing a security status statement to their customers within 24 hours of such a vulnerability being made public, with the current status of the security and ETA of patch completion.

One week of saying nothing, especially when you have been asked repeatedly, is ridiculous.

 


I agree to a point. 24 hours isn't enough time to find all the systems that would be vulnerable to that patch, and to find out a way to patch them. Could they have posted "we are aware"? Sure, they could have. Is the time from the 8th to the 15th acceptable? No, but in the past they would never have communicated with us about this, so small victories.

Also, and more important, when you have enemies, and I think based on the PSN outage they have them, you never, never, never tell your enemy if you are vulnerable and when you plan on patching it.

BTW security patches are released daily/monthly, why not just put a post on the web that states "we are aware of the security risk, and are working on patching it. Thank you."


24 hours was enough time for Google, Yahoo, and a slew of other companies, including my own.  24 hours was enough time for the Canadian government to shut down all their web sites to help protect against problems until they were sure.

 

And warning us would have given us the ability to make the choice of whether we wanted to continue logging into, and purchasing from, the PSN, as your information was safe unless it was actively being transferred over OpenSSL, such as logging in or submitting CC information.

Letting people know if they were vulnerable would not have invited any more hackers to try to hack them than announcing that the vulnerability existed.  As soon as the existence of Heartbleed was announced, hackers were trying to use it against any large company or website.  They didn't need confirmation from the company as to whether it was affected or not before they started probing.

All that would have happened, if Sony let us know the state of their security, is that we could have made informed decisions as to the risks we wanted to take in our dealings with their web sites.  Plain and simple.

And being able to make such an informed decision is a right that every consumer should have in this day and age.

Sony just didn't want people to stop using their cash-generating web sites during this time, and they were willing to put our personal information at risk in order to satisfy this greedy objective.

So yes, laws need to be passed for these types of things.  If companies are going to be caretakers of people's personal information, then they have a minimum standard of care that is required.  And immediately informing their customers as to the state in which their personal information is secured, especially when such a universal issue arises that draws that state of security into question, should be part of that standard of care.

And it should definitely be communicated to the customer when the customer specifically asks that question of the company, using the only channel the company has given the customer to ask such questions.

 


Point well made. I had not thought about the fact that they would indeed be working on checking every site for Heartbleed regardless of a company announcement. I see and agree with your point. In the case of where I work we did as Google and the others did. We did what we had to do to protect in 24 hours. However we didn't notify other parties until after. So as a consumer I think we do need to work on better laws for consumers and for that protection and notification in terms of information and leaks.

Message 23 of 34 (475 Views)
Reply
0 Likes
PlayStation MVP
Registered: 11/09/2013
Offline
45 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

Apr 17, 2014

Yes, thx for the news, 1st I've heard of this.

Message 24 of 34 (451 Views)
Reply
0 Likes
Welcoming Committee
Registered: 06/18/2011
Offline
2725 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

Apr 18, 2014

Edward Snowden basically informed us that nothing on the internet is safe. If you will recall, he said that the NSA required "backdoors" in all the security and encryption software. Perhaps when this vulnerability in SSL was found, the security analysts just found that NSA backdoor. After all, it is 2 years old.

Sony is a potential victim as are all of us. The public announcement of Heartbleed was our warning. No, actually, Snowden was our warning.

 
Message 25 of 34 (407 Views)
Reply
0 Likes
Umbrella Scientist
Registered: 05/27/2009
Online
12148 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

Apr 19, 2014

The-Sarge wrote:

Thanks for letting us know so quickly.  :smileymad:

 

I mean, after all, the exploit was made public a week ago.  Some have only been trying to get information from Sony customer support since the 8th.  Other major companies have only let people know their security status since that same date.

 

What the hell is wrong with Sony?  Do you not think that your customers deserve to know the security status of their private information that they have entrusted to you?

The exploit may not have been your fault, but the way you handle informing customers of the situation is.

I tell you, some laws need to start being passed regarding these types of things.  Companies should be, by law, issuing a security status statement to their customers within 24 hours of such a vulnerability being made public, with the current status of the security and ETA of patch completion.

One week of saying nothing, especially when you have been asked repeatedly, is ridiculous.

 


Sorry for the bump. Sony isn't the only one here that warned us late.

Gearbox Software and Ustream warned us late. Even I was warned but ignored it until I found it a week late.

Message 26 of 34 (370 Views)
Reply
0 Likes
MVP Support
Registered: 12/18/2002
Online
18731 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

[ Edited ]
Apr 23, 2014

Blazeking wrote:

Adding my IT knowledge into this:

 

The whole situation was handled correctly. If the IT techs had announced the bug too early, a mass amount of people would have changed their passwords before the fix was completely implemented. That involved getting new private keys for SSL certs, which takes a little bit of time considering the mass amounts of admins who had to scramble for them. It would have made the chance of somebody out there still trying to hack even more successful. Announcing the complete fix and a notice to change passwords at the same time was the way to go. If you changed your password before the fix, a hacker could have still gotten your new password while you think changing the password saved you.

I had to scramble and repair stuff at my job as we have a lot of sensitive info on the servers. We could not afford to make anybody accidentally expose themselves. This was a dangerous bug that couldn't be played around with. You simply could not alert the world to your servers being vulnerable until you had that bug fixed. It's like waving a giant "Come hack me" flag to the general public of the internet.

 @Blazeking 


Agree, but did you ever get a notice from SONY stating that we have nothing to worry about because their current OpenSSL library is not affected, OR letting us know that they have updated their OpenSSL library, thus making it safe for us to securely update our SEN account passwords? I never got any such notice from SONY.

We know which libraries are affected and which are not.  OpenSSL 1.0.1g gets rid of the ping/HeartBleed issue. OpenSSL releases 1.0.1, 1.0.1f & 1.0.2-beta are affected. It has been over 2 weeks; by now we should have received an official follow-up letting us know what's up.

 

----------

I know we are not a community of SysAdmins nor computer engineers but we surely are a community of gamers formed by well educated individuals who live in an internet connected world. I expect the company I trust to keep me [us] informed. Trust is a 2-way path.

---------

7FXb|Thunderstorm Summer[Twitter] @SevenFactors Welcoming Committee 2.0 MVP
Message 27 of 34 (232 Views)
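The version claim in the post above can be turned into a small check. What follows is an added example, not code from this thread, from Sony, or from the OpenSSL project: it parses an `openssl version` string and flags the 1.0.1 through 1.0.1f releases and 1.0.2-beta1 as affected (the post names only the endpoints; the full range is covered here), and it reads the `built on:` line from `openssl version -a` as a hint that a distribution may have backported the fix into an old-looking version string. The `FIX_RELEASE_DATE` heuristic and the sample version strings are my own assumptions; the package changelog or the vendor's advisory remains the authoritative answer.

```python
"""Added example: classify an OpenSSL version string against the Heartbleed
affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1).  Not code from the
thread or from Sony; the backport heuristic below is an assumption."""
import re
from datetime import date, datetime

# OpenSSL 1.0.1g (the fixed release) shipped on 7 April 2014.  A vulnerable-
# looking version string built on or after that date may be a distribution
# backport of the fix, so the version string alone is not conclusive.
FIX_RELEASE_DATE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta|pre)(\d*))?", re.I)


def parse_version(text):
    """'OpenSSL 1.0.1f 6 Jan 2014' -> (1, 0, 1, 'f', None);
    '1.0.2-beta1' -> (1, 0, 2, '', 'beta1')."""
    text = text.strip()
    if text.lower().startswith("openssl "):
        text = text.split(None, 2)[1]          # drop the 'OpenSSL' prefix
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, patch, letter, pre, prenum = m.groups()
    return (int(major), int(minor), int(patch), letter.lower(),
            (pre.lower() + prenum) if pre else None)


def parse_built_on(line):
    """Parse the 'built on:' line printed by `openssl version -a`; None if
    the format is not recognised (newer builds print no date at all)."""
    text = line.split("built on:", 1)[-1].strip()
    text = " ".join(text.split())              # 'Apr  7' -> 'Apr 7'
    for fmt in ("%a %b %d %H:%M:%S %Z %Y", "%a %b %d %Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def classify(version_line, built_on=None):
    """Return 'affected', 'not affected' or 'possibly patched (backport)'."""
    major, minor, patch, letter, pre = parse_version(version_line)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) up to and including 1.0.1f are affected;
        # 1.0.1g and later carry the fix.
        vulnerable = (len(letter), letter) <= (1, "f")
    elif (major, minor, patch) == (1, 0, 2):
        vulnerable = pre == "beta1"            # only the first 1.0.2 beta
    else:
        vulnerable = False                     # 1.0.0 and 0.9.8 never had the heartbeat code
    if not vulnerable:
        return "not affected"
    if built_on is not None:
        built = parse_built_on(built_on)
        if built is not None and built >= FIX_RELEASE_DATE:
            return "possibly patched (backport)"
    return "affected"


# Constructed sample inputs, shaped like `openssl version -a` output.
SAMPLES = [
    ("OpenSSL 1.0.1f 6 Jan 2014", None),
    ("OpenSSL 1.0.1g 7 Apr 2014", None),
    ("OpenSSL 1.0.0l 6 Jan 2014", None),
    ("OpenSSL 1.0.2-beta1 24 Feb 2014", None),
    ("OpenSSL 1.0.1e 11 Feb 2013", "built on: Tue Feb 11 15:11:52 UTC 2014"),
    ("OpenSSL 1.0.1e 11 Feb 2013", "built on: Mon Apr  7 20:33:29 UTC 2014"),
]

if __name__ == "__main__":
    for version_line, built_on in SAMPLES:
        print("%-32s %s" % (version_line, classify(version_line, built_on)))
```

The last two samples are the interesting pair: the same `1.0.1e` string is reported as affected or as possibly patched depending only on the build date, which is exactly why the version number on its own was never enough to answer "are we affected?".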
MVP Support
Registered: 12/18/2002
Online
18731 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

Apr 23, 2014

Aureilia wrote:

The-Sarge wrote:

Thanks for letting us know so quickly.  :smileymad:

 

I mean, after all, the exploit was made public a week ago.  Some have only been trying to get information from Sony customer support since the 8th.  Other major companies have only let people know their security status since that same date.

 

What the hell is wrong with Sony?  Do you not think that your customers deserve to know the security status of their private information that they have entrusted to you?

The exploit may not have been your fault, but the way you handle informing customers of the situation is.

I tell you, some laws need to start being passed regarding these types of things.  Companies should be, by law, issuing a security status statement to their customers within 24 hours of such a vulnerability being made public, with the current status of the security and ETA of patch completion.

One week of saying nothing, especially when you have been asked repeatedly, is ridiculous.

 


You probably know me, I don't usually defend Sony even in the slightest. But to be fair, if they had warned you, what would you have done?

 

Changed your passwords? Only to find out they hadn't secured everything yet? It wouldn't have accomplished anything to tell anyone until the job was done.

 

Plus by telling people before doing it in this case they would just get bombarded with mail when they could just be working on it.

 

They handled this one correctly. The last issue with PSN.. Not so well handled. Now that deserved a riot.

If their OpenSSL library was not affected by HeartBleed then they should have sent an official notice out to their users letting them know we have nothing to worry about.

If they were affected then they needed to get to work and update their OpenSSL library to get rid of HeartBleed & then send a notice to us letting us know we have nothing to worry about and to please update our passwords.

 

2+ weeks in and nada.

7FXb|Thunderstorm Summer[Twitter] @SevenFactors Welcoming Committee 2.0 MVP
Message 28 of 34 (231 Views)
Welcoming Committee
Registered: 05/22/2013
Offline
9443 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

Apr 23, 2014

Definitely. I haven't been getting on as much due to this issue. Been running into some suspicious IPs at times as well.

Message 29 of 34 (226 Views)
Reply
0 Likes
MVP Support
Registered: 12/18/2002
Online
18731 posts
 

Re: Regarding "Heartbleed" and PSN - SEN - PS.com

[ Edited ]
Apr 23, 2014

Box9Missingo wrote:

Definitely. I haven't been getting on as much due to this issue. Been running into some suspicious IPs at times as well.


 

The internet is packed with suspicious IPs. These are bots scanning for open ports and vulnerable routers/servers. Many of these IPs are from Asia & Europe.  This is the, if not a, major reason why you want to have a router between your internet-connected devices and the open internet. If your router firewall is turned on, these pings/packets, unexpected by the router, should be automatically blocked/ignored.

7FXb|Thunderstorm Summer[Twitter] @SevenFactors Welcoming Committee 2.0 MVP
Message 30 of 34 (220 Views)
Reply
0 Likes
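As an added illustration of the point in the post above (not code from this thread or from any router vendor), here is a toy connection-tracking filter in Python. All of the traffic is constructed, with addresses taken from the documentation ranges, and the behaviour is the one the post describes: a reply to a flow that a device inside opened is let through, while inbound packets nobody asked for, port probes included, are dropped and can be counted per source so that the "suspicious IPs" become a summary rather than a worry.

```python
"""Added example: a toy connection-tracking filter showing why a home router
drops the scanner traffic described in the post.  Constructed packets only;
not real router code and not from the thread."""
from collections import Counter, namedtuple

# direction is 'out' (LAN -> internet) or 'in' (internet -> LAN)
Packet = namedtuple("Packet", "direction src sport dst dport")


class StatefulFilter:
    """Allow inbound traffic only when it answers a flow a LAN device opened."""

    def __init__(self):
        self.flows = set()      # (lan_ip, lan_port, remote_ip, remote_port)
        self.dropped = []

    def handle(self, pkt):
        if pkt.direction == "out":
            # A device inside started this flow: remember it so replies get in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: the full 4-tuple must match a flow we opened.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"      # reply to something we asked for
        self.dropped.append(pkt)   # unsolicited: a probe, scan, or stray packet
        return "drop"

    def probe_sources(self):
        """Count dropped packets per remote source, most active first."""
        return Counter(p.src for p in self.dropped).most_common()


# Constructed traffic: a console talking to an update server, interleaved
# with port probes from two unrelated hosts (documentation address ranges).
SAMPLE_TRAFFIC = [
    Packet("out", "192.168.1.20", 50001, "203.0.113.10", 443),
    Packet("in", "203.0.113.10", 443, "192.168.1.20", 50001),
    Packet("in", "198.51.100.77", 40000, "192.168.1.20", 22),
    Packet("in", "198.51.100.77", 40001, "192.168.1.20", 23),
    Packet("in", "198.51.100.77", 40002, "192.168.1.20", 80),
    Packet("in", "203.0.113.99", 443, "192.168.1.20", 50001),  # right port, wrong peer
    Packet("in", "203.0.113.10", 443, "192.168.1.20", 50001),
]


def run(traffic=SAMPLE_TRAFFIC):
    """Return the per-packet decisions and the probe-source summary."""
    fw = StatefulFilter()
    decisions = [fw.handle(p) for p in traffic]
    return decisions, fw.probe_sources()


if __name__ == "__main__":
    decisions, sources = run()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, decisions):
        print("%-4s %s:%d -> %s:%d  %s" % (pkt.direction, pkt.src, pkt.sport,
                                          pkt.dst, pkt.dport, verdict))
    print("dropped by source:", sources)
```

The sixth packet is the one worth noticing: it arrives on the same LAN port as the legitimate reply but from a different peer, so a filter that only checked the destination port would have let it in; matching the whole 4-tuple is what makes the state table useful.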