• Rumor has it that the PSN database that was stolen from Sony has now hit underground forums and is for sale. The database contains 2.2 million Credit Card Numbers with the much-needed CVV2 code. Some underground “financial” trading forums make note of the database for sale.

    The database was also offered to Sony to buy back but Sony didn’t wanted to pay money to get back what belonged to them. Thiefs don’t buy things back from other thiefs, that is not how it works. Criminals go after you if you steal something from them.

    Rumors are also that a very big part of the German database is stolen, which makes some people point to Graf because he is also German. Personally I think Graf has problems enough already and has nothing to with it, but maybe someone wants to make some money to pay for the “criminal” 1.000.000 euro claim

    Kevin Stevens, Security Researcher tweets that this indeed is NOT a rumor and it IS for sale (but nothing to confirm if database is legitimate or not).

    Discussion about #psnhack and possible speculation about the hackers being from Europe Logs - efnet - #ps3dev - 2011-04-26

    trixter, people I know had a shell on the psn servers

    did you know that sony didn’t disable the function that sets the psn server under maintenance ?

    The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credits cards with CVVs #psnhack

    Sony was supposedly offered a chance to buy the DB back but didn’t #psnhack

    @mikkohypponen That is what is going around on some underground forums. The DB contains pretty much everything

    @the_pc_doc That is what I thought but the guys selling it say that they have CVV2 numbers

    @RiquezJP Well not properly securing your server breaks compliance as far as I know.

    @RangerRick Yeah, this information about the CVV2 numbers could be bogus. The guys selling the DB could just be making it up.

    Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date

    No, I have not seen the DB so I can not verify that it is true

    Here are some interesting screenshots of the so called “underground” forums and snippets of convo taking place.  Remember PS3Hax.net does not support this activity and we ask all links related to this forum to not be linked here.

    What do you guys think, bogus - or the real deal? Are these guys really hurting Sony or are they hurting the consumer (YOU)?

    [VIA PSX-Scene]

    Tags: ,

    Discuss in Forums (78)


  • 78 Comments

    1. hoosier_d
      04-28-2011
      05:02 PM
      1

      More of the same Ol' blah, blah, blah

    2. Thelostdeathknight
      04-28-2011
      05:09 PM
      2

      somebody should buy it and send some hookers to the heads of SCE as a thank you for psn being such a security fail

    3. Sidewinder_2011
      04-28-2011
      07:54 PM
      3

      ive read somewhere that sony did not store the CVV2 or the cv2 number on there server. so i dont know how the thieving dichhead hacker can say he got them

    4. jivex5k
      04-28-2011
      08:07 PM
      4

      Sony could be lying as well.

    5. Sidewinder_2011
      04-28-2011
      08:19 PM
      5

      if the did store the cv2 number they would be the 1st company i know off that does that

    6. Pirate
      04-28-2011
      08:40 PM
      6

      Moved to front page.

    7. blackmath
      04-28-2011
      08:52 PM
      7

      Glad I called my CC company yesterday and had a new card number issued. I'll never be buying from Sony again. Just on principle.

      This hurts Sony. Most customers can cancel a card and be done with it. It's tough to repair a bad reputation.

    8. $n!pR
      04-28-2011
      08:59 PM
      8

      I call BS. Sony don't store the CV2.

    9. nonenone123
      04-28-2011
      09:04 PM
      9

      F*ck psn I switch to 360 two day ago im not waiting for this retards just to go back in to the same bull again..... send some b*tches to sony's COE as a reward for his security

    10. Sidewinder_2011
      04-28-2011
      09:06 PM
      10

      Originally Posted by $n!pR
      I call BS. Sony don't store the CV2.
      thats what i think too

    11. Hanjin
      04-28-2011
      10:20 PM
      11

      I smell bs but I've already given up on Sony and have sold my PS3 since.

    12. downdog3702
      04-28-2011
      10:49 PM
      12

      i think it does hold this information cause i'm near sure wen i use to go and purchase something i didnt even need to input my 3 digit code from back of card :S. i could be wrong but new card for me has been issued too and this has just stopped me altogether bothering with anything belonging with sony

    13. iR0b1n
      04-28-2011
      11:10 PM
      13

      Sony really are useless !!! If indeed this is confirmed to be true, I will as well sell all my sony stuff. :@

    14. tryp
      04-28-2011
      11:40 PM
      14

      Damn. I was worried there for a minute. My brother (who was there when I set up my PSN account) reminded me I used false information. That's a relief. And the only CC I ever tried with them wouldn't work on PSN for some reason, so I always bought prepaid PSN funds from gamestop.com..(Now that I think about it, maybe it was because of the false information I used?) Damn.

      Well, anyway, they need to hurry up and get PSN back online, I just finished the Mortal Kombat arcade ladder on expert without losing a round, and I finished the story mode, I need to see if I can find some better competition than the computer...well I guess I did finish story mode on normal difficulty..I could try expert.. but I don't know how the hell I'm gonna beat Shao Kahn with Raiden on expert.. it was hard enough on normal.

    15. Sidewinder_2011
      04-28-2011
      11:42 PM
      15

      if they did store cv2 numbers then sony fuked cos it direct breach of PCI compliancy rules if they do . any companies can only use the cv2 number for immediate authorisation for payment thats it .

    16. MastaOfEvil
      04-29-2011
      01:22 AM
      16

      I think they do store the expiration date and 3 digit security number, If I remember correctly, when you recover a PSN account that has a credit card it asks you to confirm the 3 digit security number and the expiration date or delete the credit card info.

    17. bboyeff3ct
      04-29-2011
      01:31 AM
      17

      http://www.gamepro.com/article/featu...g-psn-debacle/

      go here for real answers this is all a bunch of f****** rumors and bull****
      hackers didnt obtain the cvv2 code the data was encrypted.

    18. Thelostdeathknight
      04-29-2011
      01:54 AM
      18

      Originally Posted by bboyeff3ct
      http://www.gamepro.com/article/featu...g-psn-debacle/

      go here for real answers this is all a bunch of f****** rumors and bull****
      hackers didnt obtain the cvv2 code the data was encrypted.
      I bet you believe everything sony tells the media to pull the wool over the eyes of sheepies. Sony will say anything at this point to try and cover their burnt rear ends in this psn fiasco

    19. pbanj
      04-29-2011
      01:58 AM
      19

      sony didnt encrypt anything, hell it was sent over your network threw http not https just plain old http

      made me lol

    20. pimpspter
      04-29-2011
      03:21 AM
      20

      Originally Posted by bboyeff3ct
      http://www.gamepro.com/article/featu...g-psn-debacle/

      go here for real answers this is all a bunch of f****** rumors and bull****
      hackers didnt obtain the cvv2 code the data was encrypted.


      I can't comment on whether the cvv2s were obtained but what I can tell you is that the network traffic at the very least was not encrypted.

      Look back at the front paged post on this very site that showed that sony's information passes in plain text. All this came soon after the discovery of the certificates on the console that lead to f*ck psn. Indeed it was probably this exposé that showed the hackers the door. Back then it was pointed out that credit card info was floating around in free text.....

    21. DaveOMac
      04-29-2011
      03:56 AM
      21

      I'm calling pastey faced mama boys here just trying to earn some extra "street-cred" .. No one in their right mind will pay for it without some kind of proof if that this is indeed the dreaded list. Also i am pretty sure if you were going to sell something like this you wouldn't put it on a known underground website forum like this... That is the most retarded thing I have ever heard.. looks at sony! do they work for you by any chance?

      What I find more worrying is that it appears that people had been running their own shells on the PSN servers for some time! Mathieulh even tweeted he knew some guys who had one on there but then again we all know Math can jump on the band-wagon and to claim sh1t that aint true. But in the remotest chance he did know I once again I demand to know where the hell was Sonys Internal Security experts and analysers?!

      EPIC LOL EDIT: I just did a search on the PSN news and found this, the people who are trying to sell the list are trying to sell it back to Sony :-S WTF?! am deffo calling BS on this! If was true then these people deserve everything coming to them and are retarded to boot.

      Source: http://bits.blogs.nytimes.com/2011/0...ers-card-data/

      Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.
      EDIT2:

      Sony have responded to the LOL edit report, to quote:

      ”To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list,” SCEA PR boss Patrick Seybold told the paper.
      Source: http://www.mcvuk.com/news/44131/PSN-...ls-up-for-sale

    22. loukas77
      04-29-2011
      04:15 AM
      22

      Finally i got saved for never using real sign up info... And thank Nathan Drake (well I didn't wanna say god :P not to offend anyone) that my CC is a prepaid one that now has 5 bucks in it hmm i should buy something quickly so i save my 5$! XD

      Sony really f'd up this time... Oh and btw if this true, ****... :P

    23. DaveOMac
      04-29-2011
      04:26 AM
      23

      Oh F*ck this sh1t just got real, a well respected and non-BS peddler user sabin1981 over at PSX-SCENE, wrote the following:

      source: http://psx-scene.com/forums/807424-post171.html

      Well I can sadly confirm my details HAVE been compromised. I checked my bank last night, since I'm in the middle of a dispute with an online site, and there was a Ł100 deposit. Less than an hour later, it was gone, and now my account is Ł0.00. Luckily for me I don't have overdraft facilities, so basically they can't get any more. I'm going to call my bank today, have them cancel my card and send a new one, I'll get a family member to send it from England to here.

      Awesome. Absolutely awesome.
      By the looks of the other reports, it is mainly EU PSN users are getting shafted! Great calling mastercard now.

      encrypted my arse sony! Oh no wait thats right it was but you dumb ****s left the f*ckin keys on the same server to unlock them.

    24. marty370
      04-29-2011
      04:28 AM
      24

      This is Bull, as the CC don't have either the expiry dates or 3 digit sercurity code, so this CC info is pretty useless other than names and addresses.

      http://n4g.com/news/753700/major-us-...it-information

    25. advocatusdiaboli
      04-29-2011
      04:30 AM
      25

      Originally Posted by carldenning
      ive read somewhere that sony did not store the CVV2 or the cv2 number on there server. so i dont know how the thieving dichhead hacker can say he got them
      Now, that’s just Sony trying to cover their buttockses.

    26. Chris9191
      04-29-2011
      04:43 AM
      26

      its a good job my details have changed

    27. king.of.dark
      04-29-2011
      04:43 AM
      27

      hey!!!! i need one

    28. KillerBug
      04-29-2011
      04:46 AM
      28

      Originally Posted by pbanj
      sony didnt encrypt anything, hell it was sent over your network threw http not https just plain old http

      made me lol
      [/URL]
      Yeah...people were even complaining about it (on account of it transmitting without permission or reason on every login)...but the $ony fanboys said there was nothing to worry about.

      Originally Posted by marty370
      This is Bull, as the CC don't have either the expiry dates or 3 digit sercurity code, so this CC info is pretty useless other than names and addresses.
      I can't say for certain what the hackers got, but I can say 100% for certain that this information is saved on the PSN servers...if hackers got everything from the PSN servers, then they have every detail of every CC currently linked to an account, and they probably have every detail of every CC ever used with the PSN.

    29. DaveOMac
      04-29-2011
      04:49 AM
      29

      Originally Posted by marty370
      This is Bull, as the CC don't have either the expiry dates or 3 digit sercurity code, so this CC info is pretty useless other than names and addresses.

      http://n4g.com/news/753700/major-us-...it-information
      yeah thats good and all but if you check the results of people saying that their accounts have been compromised you'll find the majority if not all are from the UK and EU states.

      Also don't believe all the media outlets, trust in real people with this real problem. Sony like most corporations own the media. Who do the papers trust more the businesses with deep pockets & a large legal team ready to sue or the average Jo blogs. Now with what I wrote earlier about sabin i do hope its not related to this story, I am hoping it is just a coincidence but this guy don't make sh1t up and aint an attension seeking wh0re like some other people I care not to mention.

    30. marty370
      04-29-2011
      05:16 AM
      30

      Yeh but Sony said that they never keep expiry dates or the 3 digit code on ther servers. So how could any hacker have complete CC info.

    31. DaveOMac
      04-29-2011
      05:18 AM
      31

      Yeah but Sony also said their system was unhackable and look where that got them. as my dad would say "Don't let your mouth write cheques, your arse can't cash".

    32. Wolfie708
      04-29-2011
      05:23 AM
      32

      Does that mean you sh1t money Dave?

    33. DaveOMac
      04-29-2011
      05:25 AM
      33

      lol Wolfie, shove a lump of coal up there & within 2 weeks you'll get a diamond!

      Thats my scottish side for you, being tight is written in my DNA.

    34. xxxRoccoSiffredixxx
      04-29-2011
      05:30 AM
      34

      last news from sony australian psn :
      Yesterday, we addressed a number of your questions< relating to the malicious intrusion into our network. You can find that FAQ here. As we get closer to restoration of service, here are more answers to your questions, many of which are more gaming related:

      Q: Will our download history/friends list/settings be affected by the PSN downtime?
      A: No, they will not.

      Q: Will trophies that were earned in single-player offline games during the outage be intact when the service resumes?
      A: These trophies are intact and will be re-synched when the network is once again operational.

      Q: Will my PS+ cloud saves be retrievable?
      A: Yes, once PSN is restored.

      Q: What if we have a subscription to PS3 MMOs DC Universe Online or Free Realms? Will we get compensation for that?
      A: From Sony Online Entertainment: “We apologize for any inconvenience players may have experienced as a result of the recent service interruption. As a global leader in online gaming, SOE is committed to delivering stable and entertaining games for players of all ages. To thank players for their patience, we will be hosting special events across our game portfolio. We are also working on a “make good” plan for players of the PS3 versions of DC Universe Online and Free Realms. Details will be available soon on the individual game websites and forums.”

      Q: Will there be a goodwill gesture for the time we haven’t been able to utilize PSN/Qriocity?
      A: We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.

      Thank you for your continued feedback.

    35. Wolfie708
      04-29-2011
      05:33 AM
      35

      Ahhhhhhh...... The Scottish gene, or more commonly known as 'tight as a ducks arse' lol

      I'm up in bonny Scotland this weekend as it goes, Glasgow.

    36. DaveOMac
      04-29-2011
      05:34 AM
      36

      Originally Posted by xxxRoccoSiffredixxx
      Q: Will there be a goodwill gesture for the time we haven’t been able to utilize PSN/Qriocity?
      A: We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.
      Goodwill gesture... hmmm thanks Sony make mine a new XBOX 360 please!

    37. xxxRoccoSiffredixxx
      04-29-2011
      05:41 AM
      37

      Q: When will the PlayStation Network and Qriocity be back online?

      A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.

    38. steve30x
      04-29-2011
      05:46 AM
      38

      They can buy the Visa number I used three years ago because I use a debit card that uses Visa numbers that expire after 30 days and I can only spend however much I top up the card to.

    39. jorg
      04-29-2011
      06:47 AM
      39

      Well if therumor about pan being hacked in February are true then they could of just waited for people to enter the code it and swipe it right out of memory

    40. tcmkenny
      04-29-2011
      07:02 AM
      40

      well if this is true and gets into the wrong hands then sony is as good as dead, so many people will be sueing and rightfully so.

    41. URETROID
      04-29-2011
      07:02 AM
      41

      Real scums, $ony said that they not hold the entire cc number, false. And the best is at the end of their mail, Sony make believe...

    42. blitz7287
      04-29-2011
      07:11 AM
      42

      Just to be on the safe side ive blocked both my bank card and my credit card and getting new ones sent out.

    43. Sidewinder_2011
      04-29-2011
      07:24 AM
      43

      Originally Posted by advocatusdiaboli
      Now, that’s just Sony trying to cover their buttockses.
      yeah but like i said earlyer if they did store the cv2 numbers their be more fuked cos the in breach of some cc law thing which mean we will be able to sue cos 1) no details was encypted which fall under some data act and 2) they store the cv2 number when they cant not do that .

      another thing have any one thought the whole subject is bs , that no cc info been hacked this is why is could be bs 1) it would help the court case sony v jailbreak on there side 2) they want to shut the psn down anyway to rebuild it properly to keep jailbroken ps3 off psn and devs psn so with this bs less ppl will complain etc and they making out its for our safety cos cc when propely infact it just all for them so they invented this bs

    44. ps3haxter
      04-29-2011
      07:41 AM
      44

      JUst a FYI, Graf Is NOT German

    45. OoZic
      04-29-2011
      08:06 AM
      45

      Originally Posted by ps3haxter
      JUst a FYI, Graf Is NOT German
      His family-name (Egorenkov, Alexander) doesn't sound real German, more like a family-name from Poland or Russia, but he lives in Germany and was raided by the German police and has to go to German court for something he legit did and will be defended by German lawyers..... so what makes you think he has no German pasport?

      Edit: graf makes note on his blog he is back Back from a few days off I think because he didn't add anything to his blog lately

    46. Wolfie708
      04-29-2011
      08:09 AM
      46

      Originally Posted by carldenning
      another thing have any one thought the whole subject is bs , that no cc info been hacked this is why is could be bs 1) it would help the court case sony v jailbreak on there side 2) they want to shut the psn down anyway to rebuild it properly to keep jailbroken ps3 off psn and devs psn so with this bs less ppl will complain etc and they making out its for our safety cos cc when propely infact it just all for them so they invented this bs
      I doubt it's Sony faking it as the amount of bad PR for them far outweighs bad PR for hackers etc. Most Sony fans and courts think hackers are scum anyways, and Sony did need a kick to actually admit it too.

    47. DaveOMac
      04-29-2011
      08:21 AM
      47

      Well on the bright side, when all the Sony data shows up on BitTorrent, I'll finally be able to recover my lost PSN password.
      Found this on twitter & LOL'd.

    48. ps3haxter
      04-29-2011
      08:27 AM
      48

      Originally Posted by OoZic
      His family-name (Egorenkov, Alexander) doesn't sound real German, more like a family-name from Poland or Russia, but he lives in Germany and was raided by the German police and has to go to German court for something he legit did and will be defended by German lawyers..... so what makes you think he has no German pasport?

      Edit: graf makes note on his blog he is back Back from a few days off I think because he didn't add anything to his blog lately

      True..He's Russian , he told me... He's good guy,

    49. BobbyBlunt
      04-29-2011
      08:32 AM
      49

      We talked about that quite a bit. I've been loyal to the Playstation brand for 14 years. They have just made themselves look like total ********. You don't do dumb **** like that. No ssl or anything....really? Basic community college network security has taught me better than that, but they have certified engineers....lmao. If Sony did indeed store that number they are so screwed by everyone. Thanks I know what I'm buying next generation.

    50. vp5665900
      04-29-2011
      08:40 AM
      50

      Sounds like they won't be makeing a ps4 lol think sony should just make there electronics shut up and leave the system game alone everyone keep your fingers crossed for a new atari LMAO

    51. DaveOMac
      04-29-2011
      08:41 AM
      51

      oopa has another theory on what happened and I think it is absolutely brilliant. The post is here: http://psx-scene.com/forums/807063-post61.html

      Could be plausible on why Sony is moving the servers to a more "secure location" either way great read, love the bulldozer part.

    52. Sidewinder_2011
      04-29-2011
      10:07 AM
      52

      Originally Posted by BobbyBlunt
      Thanks I know what I'm buying next generation.
      this is why i hate games that only made for one console eg socom is a ps3 consloe game only and i love all the socom games . so i still buy a sony ps4 buy it will be 2nd hand and what ever socom that is out then that be 2nd hand , looks like im stuck with sony till socom stops bein made

    53. Da ToxicFox
      04-29-2011
      10:59 AM
      53

      The person who did this has done a lot of damage to Sony and to people who have a PSN account. From the looks of things even if you deleted your card info it could of still been stolen cause Sony didn't delete it. This thief is bad for everyone and I don't think anyone should support what they have done.

      If you had your card on PSN get a new card and block the old one before it can be used cause cleaning it up after its been used is far from easy. My brother had his card jacked and it was a mess.

    54. Wolfie708
      04-29-2011
      11:12 AM
      54

      Personally I'd be hoping my account was compromised and things were being bought on my card (I never signed up with my details). Yes, it causes a lot of hassle and even heartache, but at end of the day this is covered by law. The company who has lost your details is the one who has to sort it all out and being told to change your card etc is not an acceptable way as what about all the other bills you pay with that card?

      Just inform your card supplier and tell them what has happened (state the first possible date, February if I remember correctly?) and you may be at risk (I did say this back when the first wee tiny hint was announced). After that it is between your card supplier and Sony. If your card supplier cancels your card for you and supplies you with another you just bump it back to Sony and ask for compensation for your time and any subsequent distress they have caused you regardless of whether you lose money or not.

      It does work this way, you just have to stand your ground and push for it.

    55. Da ToxicFox
      04-29-2011
      11:49 AM
      55

      Originally Posted by Wolfie708
      Personally I'd be hoping my account was compromised and things were being bought on my card (I never signed up with my details). Yes, it causes a lot of hassle and even heartache, but at end of the day this is covered by law. The company who has lost your details is the one who has to sort it all out and being told to change your card etc is not an acceptable way as what about all the other bills you pay with that card?

      Just inform your card supplier and tell them what has happened (state the first possible date, February if I remember correctly?) and you may be at risk (I did say this back when the first wee tiny hint was announced). After that it is between your card supplier and Sony. If your card supplier cancels your card for you and supplies you with another you just bump it back to Sony and ask for compensation for your time and any subsequent distress they have caused you regardless of whether you lose money or not.

      It does work this way, you just have to stand your ground and push for it.
      If your card got stolen use another card for your other bills and ask for a new card. If you try and get Sony to pay for damages after it gets used you'd be locked in a court case where you'll lose more money. Your credit card company won't fight for you if you tell them what happen odds are they'll ask if you want a new card. If you say no they aren't going to fight Sony when bad charges start popping up. They will probably lock your card and you'll have to call them to unlock it or get a new card. Taking care of the card is really your job not your card company's they just lend a hand with things. They protect you by locking your card when a questionable charge pops up and offer new cards to people who have lost or had their card stolen.

      If you have sex with someone who has a STD and doesn't tell you its not just his fault you got the STD its yours for not protecting yourself.

    56. jojobanin
      04-29-2011
      11:55 AM
      56

    57. Mystt
      04-29-2011
      11:56 AM
      57

      Also to follow up on wolf's comment; if you were smart and bought Credit Card insurance, they'll replace any used portions of your credit in question, without asking any questions. That's how it is with both my Mastercards any how.

      Still Sony will eventually be found liable to some degree throughout the courts. In the meantime I really hope most people had insurance on their cards.

    58. Prince Valiant
      04-29-2011
      12:01 PM
      58

      Originally Posted by Da ToxicFox
      If your card got stolen use another card for your other bills and ask for a new card. If you try and get Sony to pay for damages after it gets used you'd be locked in a court case where you'll lose more money. Your credit card company won't fight for you if you tell them what happen odds are they'll ask if you want a new card. If you say no they aren't going to fight Sony when bad charges start popping up. They will probably lock your card and you'll have to call them to unlock it or get a new card. Taking care of the card is really your job not your card company's they just lend a hand with things. They protect you by locking your card when a questionable charge pops up and offer new cards to people who have lost or had their card stolen.

      If you have sex with someone who has a STD and doesn't tell you its not just his fault you got the STD its yours for not protecting yourself.
      Indeed.

      Who would be stupid enough to sell a list of millions of credit card numbers?

    59. Wolfie708
      04-29-2011
      12:14 PM
      59

      Which part of 'After that it is between your card supplier and Sony' do some people struggle with understanding?

      And as to the STD comment, that is stupid as to all intents and purposes Sony Did ensure safety as they Have to follow the same online sale and purchase rules as everyone else.

      It is attidtudes like this and the 'oh well, it may have happened so I will bend over backwards to help them' that let big companies get away with it so easily.

      My cards are covered by the same guarentees as anyone elses (UK at least) and whether you believe it or not, you Do actually have some power, all you have to do is stand up and use it instead of rolling on the floor like a pet puppy.

      Sorry if that sounds insulting, but this will sound worse... Grow a spine and stand up for yourself. If you were served a meal in a restaurant that was riddled with maggots would you just not eat it and pay for a new meal? That's is MY ridiculous comparison btw, but at least mine makes sense.

    60. Da ToxicFox
      04-29-2011
      12:15 PM
      60

      Originally Posted by Prince Valiant
      Indeed.

      Who would be stupid enough to sell a list of millions of credit card numbers?
      A fool cause odds are the FBI or some other government agencies will be buying it and will track the data transfers. If not that then they'll grab them when they get handed a HDD.

      I believe the thief who did it either gave the data base to the person selling or sold it to them. I personally wouldn't try selling it openly and would never use one of the cards far too risky. Then again I'm smart enough to see stealing credit cards as foolish. They can be tracked easy and all the cops have to do is get the address is where a ordered item was shipped.

      Edited to not double post.

      Originally Posted by Wolfie708
      Which part of 'After that it is between your card supplier and Sony' do some people struggle with understanding?

      And as to the STD comment, that is stupid as to all intents and purposes Sony Did ensure safety as they Have to follow the same online sale and purchase rules as everyone else.

      It is attidtudes like this and the 'oh well, it may have happened so I will bend over backwards to help them' that let big companies get away with it so easily.

      My cards are covered by the same guarentees as anyone elses (UK at least) and whether you believe it or not, you Do actually have some power, all you have to do is stand up and use it instead of rolling on the floor like a pet puppy.

      Sorry if that sounds insulting, but this will sound worse... Grow a spine and stand up for yourself. If you were served a meal in a restaurant that was riddled with maggots would you just not eat it and pay for a new meal? That's is MY ridiculous comparison btw, but at least mine makes sense.


      Well this is more then just a fight with Sony about home brew this is about protecting ourselves against fraud. I would rather protect myself and lose a little ground against Sony then have to spend weeks calling people to get the charges fixed. I'm merely saying people should error on the side of caution here cause if they don't they could be risking a lot more then just a chance to take a swing at Sony. Sony will still have to pay for this but you should protect yourself from what could happen since they screwed up. Protecting yourself isn't rolling over like a puppy its being safe so you don't get your bone stolen.

      The maggots made me laugh. I would call the health department and leave unless I order maggots that is. My point is don't risk your safety just to take a swing at Sony its not worth it. Even if you have means to protect yourself like insurance its still a risk and a hassle.

    61. Wolfie708
      04-29-2011
      12:43 PM
      61

      I actually used to warm up maggots under my tongue when I went fishing lol.

      Yes, of course we should take as many precautions as we should, and not just online. We should never let a waiter etc walk away with our card if we pay with it, he should swipe it at the table or we pay at the counter.

      I am just saying that all it takes is a call to notify your bank etc and they Do have a legal right to persue your report and cover any and all problems which may ensue from it.

      I honestly think that is the main reason Sony held out as long as they could with telling everyone (They did need an official kick) as they know once they admit it, they become bound by the law to pay in full for anything that results from their inadequate security. They have gone past the point where they can argue the toss lol

    62. Da ToxicFox
      04-29-2011
      12:50 PM
      62

      Originally Posted by Wolfie708
      I actually used to warm up maggots under my tongue when I went fishing lol.

      Yes, of course we should take as many precautions as we should, and not just online. We should never let a waiter etc walk away with our card if we pay with it, he should swipe it at the table or we pay at the counter.

      I am just saying that all it takes is a call to notify your bank etc and they Do have a legal right to persue your report and cover any and all problems which may ensue from it.

      I honestly think that is the main reason Sony held out as long as they could with telling everyone (They did need an official kick) as they know once they admit it, they become bound by the law to pay in full for anything that results from their inadequate security. They have gone past the point where they can argue the toss lol
      They tried to cover it up as long as they could and are in a lot of trouble. What actions governments take cause of this will be interesting and punishment for Sony will be painful I'm sure.

    63. Jerk McD0uchebag
      04-29-2011
      01:47 PM
      63

      19.99? lol

    64. yiyopr
      04-29-2011
      02:11 PM
      64

      Ummm if the website is so secret and undeground why can I clearly see the URL in the sig of "sutekh"????

    65. Da ToxicFox
      04-29-2011
      02:39 PM
      65

      Originally Posted by yiyopr
      Ummm if the website is so secret and undeground why can I clearly see the URL in the sig of "sutekh"????
      Shhhhh That's a secret...

    66. tryp
      04-29-2011
      03:28 PM
      66

      Well, if it weren't for "hackers" and "Homebrewers" this vulnerability would have never been discovered, and Sony would be the only ones currently robbing us.

      Sure, some might argue that the information wouldn't be out there right now, but the way I see it, the vulnerability would still be there for somebody to hack later, and Sony would still be keeping quiet about it. Only for us all to be robbed NEXT year (both by Sony and the DB thief).

    67. pizza
      04-29-2011
      07:26 PM
      67

      Here is the complete IRC Chat for those of you who are interested in:

      [SPOILER]
      user1] xxx: I don’t think there are many people involved in circumventing PSN access in /this/ channel [ "application/x-i-5-ticket" reason=40 > PSN error 80710101 ]
      [user2] talk about network stuff?
      [user2] nice
      [user2] i just finished decrypting 100% of all psn functions
      [user3]
      [user2] you can forget all the history wiper and log remove apps
      [user2] theres a independant check
      [user2] which transfers all games and their playtime
      [user2] every time you login
      [user2] you can modify it like the firmware version tho
      [user2] it looks like:
      [user2]
      [user2] aswell they can detect backups this way
      [user1] hash is eboot.bin to check for version?
      [user2] if you use a backup it will look like this:
      [user2] [user4] user2, is that in data sent to a0.[CC].np.communication.playstation.net
      [user2] sec lemme check
      [user4] im still collecting all the data
      [user2] updptl.de.np.community.playstation.net/
      [user2] thats the server
      [user3] user2: what about Blu-ray Master Disc/BD Emulator ?
      [user3] since, i use those features legitimately
      [user2] on debug or retail?
      [user2] i didnt check all on debug unit yet
      [user2] so no clue if it sends discid for bdemu
      [user2] but sony is the biggest spy ever lol
      [user2] they collect so much data
      [user1] true
      [user2] all connected devices return values sent to sony server
      [user2] example:
      [user3] user2: Debug models of course
      [user2] >32” TFT-TVOEMreleasecex
      [user4] i cannot find my PS3 connect to host with ‘updptl’ in the name
      [user2] returns tv, fw version, fw type, console model
      [user2] also i found data it collects when i had usb device attached etc etc
      [user2] so if they ever sue someone for psn stuff, they will be sued themselves as most of the data they collect is just not legal
      [user4] user2, at what time does it connect to that host?
      [user4] during the PSN logon?
      [user2] sec i check
      [user5] user2 how can you modify that data?
      [user6] user2: do you now know enough to wipe all traces so that people who never had their consoles on the internet can avoid sending this information now?
      [user4] no DNS request for a host with ‘updptl’ in the name in my packet captures :-
      [user2] @user5: it sents directly after user profile load and sometimes; - it seams random, just when u play a game or anything
      [user4] ohh
      [user2] @xxxx: we could modify the data via proxy between the tunnels, like delete all data between the xml tags or somehow
      [user5] oh so its not on the ps3 hdd itself?
      [user6] user2: aha, so this information is actually encrypted?
      [user2] ya
      [user2] the list is stored online
      [user2] and updated when u login psn and random
      [user5] damn
      [user6] but where is it stored before that? I have never been online with my ps3…
      [user6] so it must be somewhere
      [user5] was hoping it would be on the ps3 hdd
      [user5] then lock it or so
      [user1] the only avoidance is block all *.playstation.net
      [user2] MAYBE - i rly dont know - it doesnt save it at all on hdd
      [user2] so only transfers the games and stuff in one ps3 session when you go online
      [user2] so if u have ps3 offline and play a game, then shutdown and turn on again
      [user2] it MAY not transfer update
      [user2] cuz i didnt find any info for that list on hdd
      [user2] it could be that its used for online playtime or psn logged in playtime
      [user2] aswell you should never ever install a CFW from someone unknown
      [user2] cuz its way too easy todo scamming at this point
      [user2] for example:
      [user2] [redacted plain text code, includes false credit card number]
      [user2] sent as plaintext
      [user3] uh
      [user3] did you censor that card?
      [user2] ya its fake
      [user3] good
      [user1] wow, plaintext :S
      [user5] plaintext wow
      [user3] im never putting in my details like that
      [user2] ya is all fake lol
      [user2] i never used cc on ps3
      [user2] normally you ATLEAST enccrypt the securtity code, even if its ssl
      [user5] id hope sony would do such in a safe manner
      [user5] psn cards probably plain text to then
      [user2] fake certs are known since years as vuln so companies encrypt such data twice normally
      [user2] but hey its sony -> its a feature
      [user5] lol
      [user7] lol
      [user5] yeah if you go public with your info they either remove the store or psn all together
      [user5] as an update
      [user6] I doubt it
      [user7] from all the actions they’ve taken the past years, we can only deduce that Sony don’t care about their customers
      [user2] impossible
      [user7]
      [user2] they wont update their whole psn lol
      [user6] but this should really get out there, but I guess it’s on psx-scene.com in a matter of minutes already
      [user5] 3.60 removal of psn
      [user2] i know a few guys who worked @ sony’s psn backend. just when the ps3 was released we talked bout the first psn, at this time ALL was http and unencrypted. so you could see userpass etc plain. i asked em why is it that way. lame answer was “we thought it was adressed.” - lol
      [user2] sony qa -> trainees
      [user8] that fits nicely into the “#define rand() 4″ mentality.
      [user2] yep
      [user3] or more of
      [user3] ECDSA_PRIVATE_KEY privateKey;
      [user2] lol
      [user3] and PrivateKey is in a header file
      [user3] and it’s static
      [user2] xD
      [user3] and ECDSA_RANDOM in a header file
      [user3] and so on
      [user2] another funny function i found is regarding psn downloads
      [user2] its when a pkg game is requested from the store
      [user2] in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
      [user3] ..
      [user2] is like
      [user8]
      [user3] my god
      [user2] drm:off
      [user5] lol
      [user2] lol
      [user1] :facepalm:
      [user8] well, that’s one way to offload the server.
      [user2] still wondering when the big ban wave arrives
      [user1] if they ban everyone, even using backups legally in their country (but in their opinion a TOS violation), it will be a huge tsunami, not a wave
      [user10] ask ur friends
      [user2] prolly they take it like it is now, unstoppable anyways
      [user2] new firmware to ban all further actions and done
      [user4] an open psn would be nice
      [user4] even if it was just a player matching service
      [user2] ya
      a PSN host by the community
      [user3] that actually could be perhaps possible
      [user3] if you can get auth working
      [user3] and all
      [user3] a new np environment
      [user2] the friend list management is easiest
      [user2] simple jabber server
      [user11] don’t some games use their own servers?
      [user1] some use p2p
      [user11] which check from the official psn servers whether you’re logged in and who you are
      [user2] imagine the traffic load
      [user2] whod pay this xD
      [user11] yes, but even p2p games do use publisher or sony provided servers for matchmaking
      [user3] NpCommerce2
      [user12] I am getting behind everything on doing my security analysis
      [user12] started a couple months ago monitoring SSL stuff, and theen got distracted with blackops and havent pursed it, seems a lot of people are starting to take interest in it now
      [user2] and regarding matchmaking and lobby systems
      [user2] the functions built in firmware and/or game
      [user2] how would you answer them
      [user2] the server side code we dont know of
      [user12] some stuff appears to be in lv2 and not in sprx for network stuff
      [user2] so we can not create proper answers
      [user12] you can try to analyze the protocol and say “if X then Y” type responses the problems come up when you get something you haveent seen before
      [user12] that was done with counterstrike for example so that people could cheat
      [user12] so its not entirely impossible although it is time consuming
      [user12] sometimes its happy accidents, reason code 21 means bad cipher, 51 bad firmware version - for x-i-5 tickets for example
      [user11] wasn’t cs/hl server software available for anyone to download even back then?
      [user6] anyone found a way to change DVD region on ps3 yet, btw?
      [user11] for psn you can’t even get binaries for the server side
      [user5] user2 i remember some months ago you made a psntool with a psn messenger in it but not yet functional is that still being worked on?
      [user12] but for stuff like that the ticket has to exist on the psn side of things because if I send my ticket to a vendor server they will validate it against psn and if its not there it will fail
      [user1] xxx: wasn’t syscall 0×363 0×19004 3rd byte usefull for that?
      [user2] @xxxx: at this time i could finish the tool yes but im not sure if it is useful at all
      [user12] xxxx: no but you can monitor traffic, even send some “bad” things and watch the responses… I discovered x-i-5 reason code 21 by accident, I did not force my proxy to mirror the cipher that the ps3 presented
      [user2] i mean why would someone want to chat with a someone on ps3
      [user2] while any1 anyway have msn/icq/aol
      [user12] know this, sony in realtime, monitors all messages over psn
      [user12] I verified that, its part of my privacy threats thing I am doing
      [user5] ok too bad id like the psn messenger on pc
      [user12] the realtime monitoring is a bit bothersome to me
      [user6] user1: such information is quite useless to me, as I’m not that into the technical stuff was more hoping someone had an easy way to do it.. like a DVD region changer or something.
      [user2] @user12: the realtime jabber monitoring as most likely for realtime censor of messages
      [user12] they appear to have at the very least keywords they look for, not sure just how invasive the whole thing is, but …
      [user12] well they have osme odd things in there
      [user11] yeah they have that dumb automatic word filter
      [user4] the censor word-list is ridiculous
      [user13] psn messenger would be helpful, just yesterday was killed 2 times when typing response on the message + its so slow loading
      [user12] a psn code that is not really valid if you sent that via email it becomes valid but you cant add funds to your wallet. The fact that emailing that code to someone makes it valid for you is odd … why monitor that code?
      [user11] which makes it much more difficult to have a sensible conversation in languages other than english
      [user12] why change its state on sending it?
      [user12] the censor words in home is on your system, it downloads a dict list of words
      [user12] an empty file resolves that
      [user2] tryin to find my jabber logs… >.< [user12] so it only censors on receipt not on transmission [user12] dunno how the other stuff does it [user12] mostly because I have yet to look [user12] now you have me curious I am gonna go redo my network a little bit to start monitoring again [user2] btw aswell a reason AGAINST pc to ps3 messenger is spam [user2] cuz there actually is an easy way to get userlists [user2] would **** psn pretty hard if some skiddy releases a spam app [user2] the highscore and matchmaking lobbies you can request per game id and get user mails for psn [user13] ugh, yeah [user2] huge list + spam app == sux [user3] argghhhh [user3] why do my trophies never sync to np [user2] anyway sony just would have to open a port on the jabber server, so you could login with icq [user5] lol [user2] and we all know what happens if cool homebrew arrives, remember open remote play [user2] sony just releases an official tool lol [user12] thing is the more people do things and discuss what they do and explain how to do it the more likely sony will lock down psn in the future [user2] psn is a core feature of ps3 [user12] making it harder and harder to do anything, like using older firmwares to log in, that will probably be the first to go away [user2] they would be sued like with otheros [user5] yeah but they also blocked open remote play [user11] user12: that already went away, didn’t it [user12] if you are not running current firmware you do not have a right to psn [user11] user12: even for debug users [user12] not really, not yet anyway [user12] 3.56 did not break it but the next release might [user12] especially because it stops people running backups and other stuff on psn [user11] well i mean 3.41 [user2] ya would be all possible for them [user12] not sure what, if anything, changed with 3.41 [user11] you used to be able to sign in on debug 3.41 until someone released that psn enabler hack [user2] one way more difficult than the other so i think they first will go on with backup ban on psn [user11] even though 3.42 and 3.50 had already been released [user2] via playlists and stuff i meantioned before [user2] a secure way to fix it would require firmware and server update tho [user2] wondering what prevents em of this way [user12] I just got a new ps3 yesterday, has 3.40, gonna put 3.55 on it and do my work [user12] I *might* try with 3.40 and see if I can do enough of my work, that would make it somewhat harder though [user1] banwave possibly, new FW + plus they still need to fix that 3.56-1st/2nd harddrive exchange bug in the next version [user12] because my work is specialized and very limited in scopee [user2] the psn has 45 environments all working independant [user2] prolly that is the reason [user2] we could just change to another environment [user2] and they also need to have an eye to the official developers which use environments too [user2] and the qa [user2] which needs to work with older firmware sometimes [user2] so they cant update all environments and block all [user4] probably so much ITIL process management so they can’t fart without a work request [user2] hehe [user12] the way that people are getting on now is to change the user agent in the login request, well x-platform-version specifically. but if the x-platform-passphrase changes in how its constructed then its easy to detect people trying to use an older firmware [user2] they can even without the xi [user2] as the firmware version is in a lot more requests than the auth [user4] version is sent to the getprof servers also [user2] ppl change only the xi one atm [user4] and ena. [user2] but its in netstart, xi, game starts [user12] I understand that part of it, I was just talking about x-i-5 auth stuff [user2] many many functions send the real fw version [user2] but only xi5 is checked [user12] I realize that many functions send the fw version, anything that uses libhttp.sprx does [user2] ya [user12] remember I have been donig this for a couple months [user12] even wrote software that lets me do the ssl parts on the fly instead of to a fixed server, mirroring the CN of the real server [user4] what is the data in xi5 at 0xC0 ->EOF ? some crypto/salt ?
      [user4] luckily they use CN=*.*.np.community.playstation.net which saves a bit of hassle, just calling openssl from your app user12 ?
      [user12] openssl libs
      [user12] not the app itself
      [user12] and I do it for *ALL* ssl connections in realtime
      [user12] so even if you use the webbrowser it will generate certs for that too
      [user4] nice tool you made
      [user12] it is similar in function to “sslsniff” but mine works with the ps3 and logs correctly
      [user2] for the first i think ppl should use a replace of all 3.5.5 and 355 strings but regarding to the user agent, else psn wont load
      [user2] user12 which certs u use?
      [user2] only 05 i guess ?
      [user2] CA i mean sorry
      [user12] user2: I use them all
      [user12] there is a place that the firmware version is in lv2 that is not a “string”
      [user12] its ‘decimal’ “035500″ not sure if its 32 or 64 bit in size though,
      [user2] btw u know the login url for auth is like:
      [user12] but that is not the ascii 3 its the decimal value
      [user2] &serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID
      [user12] I have complete logs for the auth stuff
      [user2] did u already change the “first” param?
      [user2] i wonder what it does
      [user12] first=true is only there if you had not previously loggged into psn
      [user2] ah ok
      [user12] its missing if you were previously logged in but you need a new ticet
      [user12] ticket
      [user14] hi
      [user14] please not connect
      [user14] to external dns ip
      [user14] with your ps3
      [user14] your passwords and email and other data is revealed on the external side
      [user12] which you need for each service id that you need one for, meaning if you sync trophies you get 1 ticket, when you play a game you get a 2nd ticket, when you watch netflix you get a 3rd
      [user14] spam people can use this info
      [user12] most likely if they are mapping that host
      [user12] if its just the firmware check then no, because there is nothing private sent in that http (cleartext) request
      [user12] so it depends on what hosts they are looking at
      [user14] to start a spamming attack
      [user2] hm didnt check that ticket stuff yet
      [user2] as when i used a ticket
      [user2] for a test POST
      [user2] i worked with 1 only
      [user2] and always worked
      [user2] prolly many to identify the service
      [user12] the ticket is sent to say a game, netflix, etc. anythibng that uses psn. That way you do not send credentials to anyone but sony
      [user2] if its like u say then this is another vuln lol
      [user2] cuz as i tested if always first ticket works
      [user2] you could hijack a session
      [user2] the ticket and session i used didnt timeout
      [user2] and if it always creates a new ticket as u say
      [user2] there would be many sessions
      [user12] I also haave yet to monitor how long the tickets are valid for, I know that the ps3 does not reuse them between apps but that could just be the way its coded (they might be valid even though a normal ps3 will never reuse)
      [user2] for one user open
      [user12] it may invalidate old ones on issuance of a new, I never looked
      [user12] I just know that I saw it getting one at app launch
      [user2] hm wierd with the tickets
      [user2] i know the ticket is build outta few params
      [user2] the serial
      [user2] the userid
      [user2] issueddare
      [user2] service id
      [user2] online id
      [user2] many many
      [user12] I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
      [user12] if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
      [user2] its not old version, they just didnt update the banner
      [user12] I consider apache 2.2.15 old
      [user2] which server
      [user12] it also has known vulnerabilities
      [user12] auth.np.ac.playstation.net
      [user2] ya the displayed version u see via banner is not the real version
      [user12] unless they updated it in the last couple weeks
      [user12] I doubt that since its not trivial to change that
      [user12] its a bit more invasive than just setting it to Prod like they do on their other servers
      [user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
      [user2] its just backported security patches
      [user11] i did remove all my info after downloading the games though
      [user12] that is just psn not the store
      [user12] they are running linux 2.6.9-2.6.24 on that box too
      [user12] that too is old
      [user2] lol @ buying on store
      [user11] yes, but their general attitude towards security just seems…ugh
      [user2] sony wont misuse the info i bet xD
      [user2] but just prevent using cfw’s of unknown ppl
      [user2] even better from ALL ppl
      [user2] make ur own lol
      [user12] so I doubt that they are spoofing the network stack on that box as well
      [user12] my guess is that it really is undermaintained “it works why change anything”
      [user2] could be
      [user12] sony really should update that stuff to something more current
      [user2] ya
      [user2] but imagine
      [user2] psn == 45 environments
      [user2] and for example
      [user2] every env has 50 subdomains
      [user2] to external machines
      [user2] its rly rly huge
      [user2] who wants to do this xD
      [user2] ppl r lazy
      [user2] wont change
      [/SPOILER]

    68. RoxasDe
      04-30-2011
      12:19 AM
      68

      Originally Posted by pizza
      Here is the complete IRC Chat for those of you who are interested in:

      [SPOILER]
      user1] xxx: I don’t think there are many people involved in circumventing PSN access in /this/ channel [ "application/x-i-5-ticket" reason=40 > PSN error 80710101 ]
      [user2] talk about network stuff?
      [user2] nice
      [user2] i just finished decrypting 100% of all psn functions
      [user3]
      [user2] you can forget all the history wiper and log remove apps
      [user2] theres a independant check
      [user2] which transfers all games and their playtime
      [user2] every time you login
      [user2] you can modify it like the firmware version tho
      [user2] it looks like:
      [user2]
      [user2] aswell they can detect backups this way
      [user1] hash is eboot.bin to check for version?
      [user2] if you use a backup it will look like this:
      [user2] [user4] user2, is that in data sent to a0.[CC].np.communication.playstation.net
      [user2] sec lemme check
      [user4] im still collecting all the data
      [user2] updptl.de.np.community.playstation.net/
      [user2] thats the server
      [user3] user2: what about Blu-ray Master Disc/BD Emulator ?
      [user3] since, i use those features legitimately
      [user2] on debug or retail?
      [user2] i didnt check all on debug unit yet
      [user2] so no clue if it sends discid for bdemu
      [user2] but sony is the biggest spy ever lol
      [user2] they collect so much data
      [user1] true
      [user2] all connected devices return values sent to sony server
      [user2] example:
      [user3] user2: Debug models of course
      [user2] >32” TFT-TVOEMreleasecex
      [user4] i cannot find my PS3 connect to host with ‘updptl’ in the name
      [user2] returns tv, fw version, fw type, console model
      [user2] also i found data it collects when i had usb device attached etc etc
      [user2] so if they ever sue someone for psn stuff, they will be sued themselves as most of the data they collect is just not legal
      [user4] user2, at what time does it connect to that host?
      [user4] during the PSN logon?
      [user2] sec i check
      [user5] user2 how can you modify that data?
      [user6] user2: do you now know enough to wipe all traces so that people who never had their consoles on the internet can avoid sending this information now?
      [user4] no DNS request for a host with ‘updptl’ in the name in my packet captures :-
      [user2] @user5: it sents directly after user profile load and sometimes; – it seams random, just when u play a game or anything
      [user4] ohh
      [user2] @xxxx: we could modify the data via proxy between the tunnels, like delete all data between the xml tags or somehow
      [user5] oh so its not on the ps3 hdd itself?
      [user6] user2: aha, so this information is actually encrypted?
      [user2] ya
      [user2] the list is stored online
      [user2] and updated when u login psn and random
      [user5] damn
      [user6] but where is it stored before that? I have never been online with my ps3…
      [user6] so it must be somewhere
      [user5] was hoping it would be on the ps3 hdd
      [user5] then lock it or so
      [user1] the only avoidance is block all *.playstation.net
      [user2] MAYBE – i rly dont know – it doesnt save it at all on hdd
      [user2] so only transfers the games and stuff in one ps3 session when you go online
      [user2] so if u have ps3 offline and play a game, then shutdown and turn on again
      [user2] it MAY not transfer update
      [user2] cuz i didnt find any info for that list on hdd
      [user2] it could be that its used for online playtime or psn logged in playtime
      [user2] aswell you should never ever install a CFW from someone unknown
      [user2] cuz its way too easy todo scamming at this point
      [user2] for example:
      [user2] [redacted plain text code, includes false credit card number]
      [user2] sent as plaintext
      [user3] uh
      [user3] did you censor that card?
      [user2] ya its fake
      [user3] good
      [user1] wow, plaintext :S
      [user5] plaintext wow
      [user3] im never putting in my details like that
      [user2] ya is all fake lol
      [user2] i never used cc on ps3
      [user2] normally you ATLEAST enccrypt the securtity code, even if its ssl
      [user5] id hope sony would do such in a safe manner
      [user5] psn cards probably plain text to then
      [user2] fake certs are known since years as vuln so companies encrypt such data twice normally
      [user2] but hey its sony –> its a feature
      [user5] lol
      [user7] lol
      [user5] yeah if you go public with your info they either remove the store or psn all together
      [user5] as an update
      [user6] I doubt it
      [user7] from all the actions they’ve taken the past years, we can only deduce that Sony don’t care about their customers
      [user2] impossible
      [user7]
      [user2] they wont update their whole psn lol
      [user6] but this should really get out there, but I guess it’s on psx-scene.com in a matter of minutes already
      [user5] 3.60 removal of psn
      [user2] i know a few guys who worked @ sony’s psn backend. just when the ps3 was released we talked bout the first psn, at this time ALL was http and unencrypted. so you could see userpass etc plain. i asked em why is it that way. lame answer was “we thought it was adressed.” – lol
      [user2] sony qa –> trainees
      [user8] that fits nicely into the “#define rand() 4″ mentality.
      [user2] yep
      [user3] or more of
      [user3] ECDSA_PRIVATE_KEY privateKey;
      [user2] lol
      [user3] and PrivateKey is in a header file
      [user3] and it’s static
      [user2] xD
      [user3] and ECDSA_RANDOM in a header file
      [user3] and so on
      [user2] another funny function i found is regarding psn downloads
      [user2] its when a pkg game is requested from the store
      [user2] in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
      [user3] ..
      [user2] is like
      [user8]
      [user3] my god
      [user2] drm:off
      [user5] lol
      [user2] lol
      [user1] :facepalm:
      [user8] well, that’s one way to offload the server.
      [user2] still wondering when the big ban wave arrives
      [user1] if they ban everyone, even using backups legally in their country (but in their opinion a TOS violation), it will be a huge tsunami, not a wave
      [user10] ask ur friends
      [user2] prolly they take it like it is now, unstoppable anyways
      [user2] new firmware to ban all further actions and done
      [user4] an open psn would be nice
      [user4] even if it was just a player matching service
      [user2] ya
      a PSN host by the community
      [user3] that actually could be perhaps possible
      [user3] if you can get auth working
      [user3] and all
      [user3] a new np environment
      [user2] the friend list management is easiest
      [user2] simple jabber server
      [user11] don’t some games use their own servers?
      [user1] some use p2p
      [user11] which check from the official psn servers whether you’re logged in and who you are
      [user2] imagine the traffic load
      [user2] whod pay this xD
      [user11] yes, but even p2p games do use publisher or sony provided servers for matchmaking
      [user3] NpCommerce2
      [user12] I am getting behind everything on doing my security analysis
      [user12] started a couple months ago monitoring SSL stuff, and theen got distracted with blackops and havent pursed it, seems a lot of people are starting to take interest in it now
      [user2] and regarding matchmaking and lobby systems
      [user2] the functions built in firmware and/or game
      [user2] how would you answer them
      [user2] the server side code we dont know of
      [user12] some stuff appears to be in lv2 and not in sprx for network stuff
      [user2] so we can not create proper answers
      [user12] you can try to analyze the protocol and say “if X then Y” type responses the problems come up when you get something you haveent seen before
      [user12] that was done with counterstrike for example so that people could cheat
      [user12] so its not entirely impossible although it is time consuming
      [user12] sometimes its happy accidents, reason code 21 means bad cipher, 51 bad firmware version – for x-i-5 tickets for example
      [user11] wasn’t cs/hl server software available for anyone to download even back then?
      [user6] anyone found a way to change DVD region on ps3 yet, btw?
      [user11] for psn you can’t even get binaries for the server side
      [user5] user2 i remember some months ago you made a psntool with a psn messenger in it but not yet functional is that still being worked on?
      [user12] but for stuff like that the ticket has to exist on the psn side of things because if I send my ticket to a vendor server they will validate it against psn and if its not there it will fail
      [user1] xxx: wasn’t syscall 0×363 0×19004 3rd byte usefull for that?
      [user2] @xxxx: at this time i could finish the tool yes but im not sure if it is useful at all
      [user12] xxxx: no but you can monitor traffic, even send some “bad” things and watch the responses… I discovered x-i-5 reason code 21 by accident, I did not force my proxy to mirror the cipher that the ps3 presented
      [user2] i mean why would someone want to chat with a someone on ps3
      [user2] while any1 anyway have msn/icq/aol
      [user12] know this, sony in realtime, monitors all messages over psn
      [user12] I verified that, its part of my privacy threats thing I am doing
      [user5] ok too bad id like the psn messenger on pc
      [user12] the realtime monitoring is a bit bothersome to me
      [user6] user1: such information is quite useless to me, as I’m not that into the technical stuff was more hoping someone had an easy way to do it.. like a DVD region changer or something.
      [user2] @user12: the realtime jabber monitoring as most likely for realtime censor of messages
      [user12] they appear to have at the very least keywords they look for, not sure just how invasive the whole thing is, but …
      [user12] well they have osme odd things in there
      [user11] yeah they have that dumb automatic word filter
      [user4] the censor word-list is ridiculous
      [user13] psn messenger would be helpful, just yesterday was killed 2 times when typing response on the message + its so slow loading
      [user12] a psn code that is not really valid if you sent that via email it becomes valid but you cant add funds to your wallet. The fact that emailing that code to someone makes it valid for you is odd … why monitor that code?
      [user11] which makes it much more difficult to have a sensible conversation in languages other than english
      [user12] why change its state on sending it?
      [user12] the censor words in home is on your system, it downloads a dict list of words
      [user12] an empty file resolves that
      [user2] tryin to find my jabber logs… >.< [user12] so it only censors on receipt not on transmission [user12] dunno how the other stuff does it [user12] mostly because I have yet to look [user12] now you have me curious I am gonna go redo my network a little bit to start monitoring again [user2] btw aswell a reason AGAINST pc to ps3 messenger is spam [user2] cuz there actually is an easy way to get userlists [user2] would **** psn pretty hard if some skiddy releases a spam app [user2] the highscore and matchmaking lobbies you can request per game id and get user mails for psn [user13] ugh, yeah [user2] huge list + spam app == sux [user3] argghhhh [user3] why do my trophies never sync to np [user2] anyway sony just would have to open a port on the jabber server, so you could login with icq [user5] lol [user2] and we all know what happens if cool homebrew arrives, remember open remote play [user2] sony just releases an official tool lol [user12] thing is the more people do things and discuss what they do and explain how to do it the more likely sony will lock down psn in the future [user2] psn is a core feature of ps3 [user12] making it harder and harder to do anything, like using older firmwares to log in, that will probably be the first to go away [user2] they would be sued like with otheros [user5] yeah but they also blocked open remote play [user11] user12: that already went away, didn’t it [user12] if you are not running current firmware you do not have a right to psn [user11] user12: even for debug users [user12] not really, not yet anyway [user12] 3.56 did not break it but the next release might [user12] especially because it stops people running backups and other stuff on psn [user11] well i mean 3.41 [user2] ya would be all possible for them [user12] not sure what, if anything, changed with 3.41 [user11] you used to be able to sign in on debug 3.41 until someone released that psn enabler hack [user2] one way more difficult than the other so i think they first will go on with backup ban on psn [user11] even though 3.42 and 3.50 had already been released [user2] via playlists and stuff i meantioned before [user2] a secure way to fix it would require firmware and server update tho [user2] wondering what prevents em of this way [user12] I just got a new ps3 yesterday, has 3.40, gonna put 3.55 on it and do my work [user12] I *might* try with 3.40 and see if I can do enough of my work, that would make it somewhat harder though [user1] banwave possibly, new FW + plus they still need to fix that 3.56-1st/2nd harddrive exchange bug in the next version [user12] because my work is specialized and very limited in scopee [user2] the psn has 45 environments all working independant [user2] prolly that is the reason [user2] we could just change to another environment [user2] and they also need to have an eye to the official developers which use environments too [user2] and the qa [user2] which needs to work with older firmware sometimes [user2] so they cant update all environments and block all [user4] probably so much ITIL process management so they can’t fart without a work request [user2] hehe [user12] the way that people are getting on now is to change the user agent in the login request, well x-platform-version specifically. but if the x-platform-passphrase changes in how its constructed then its easy to detect people trying to use an older firmware [user2] they can even without the xi [user2] as the firmware version is in a lot more requests than the auth [user4] version is sent to the getprof servers also [user2] ppl change only the xi one atm [user4] and ena. [user2] but its in netstart, xi, game starts [user12] I understand that part of it, I was just talking about x-i-5 auth stuff [user2] many many functions send the real fw version [user2] but only xi5 is checked [user12] I realize that many functions send the fw version, anything that uses libhttp.sprx does [user2] ya [user12] remember I have been donig this for a couple months [user12] even wrote software that lets me do the ssl parts on the fly instead of to a fixed server, mirroring the CN of the real server [user4] what is the data in xi5 at 0xC0 ->EOF ? some crypto/salt ?
      [user4] luckily they use CN=*.*.np.community.playstation.net which saves a bit of hassle, just calling openssl from your app user12 ?
      [user12] openssl libs
      [user12] not the app itself
      [user12] and I do it for *ALL* ssl connections in realtime
      [user12] so even if you use the webbrowser it will generate certs for that too
      [user4] nice tool you made
      [user12] it is similar in function to “sslsniff” but mine works with the ps3 and logs correctly
      [user2] for the first i think ppl should use a replace of all 3.5.5 and 355 strings but regarding to the user agent, else psn wont load
      [user2] user12 which certs u use?
      [user2] only 05 i guess ?
      [user2] CA i mean sorry
      [user12] user2: I use them all
      [user12] there is a place that the firmware version is in lv2 that is not a “string”
      [user12] its ‘decimal’ “035500″ not sure if its 32 or 64 bit in size though,
      [user2] btw u know the login url for auth is like:
      [user12] but that is not the ascii 3 its the decimal value
      [user2] &serviceid=IV0001-NPXS01001_00&loginid=MYMAIL&password=MYPASS&first=true&consoleid=MYID
      [user12] I have complete logs for the auth stuff
      [user2] did u already change the “first” param?
      [user2] i wonder what it does
      [user12] first=true is only there if you had not previously loggged into psn
      [user2] ah ok
      [user12] its missing if you were previously logged in but you need a new ticet
      [user12] ticket
      [user14] hi
      [user14] please not connect
      [user14] to external dns ip
      [user14] with your ps3
      [user14] your passwords and email and other data is revealed on the external side
      [user12] which you need for each service id that you need one for, meaning if you sync trophies you get 1 ticket, when you play a game you get a 2nd ticket, when you watch netflix you get a 3rd
      [user14] spam people can use this info
      [user12] most likely if they are mapping that host
      [user12] if its just the firmware check then no, because there is nothing private sent in that http (cleartext) request
      [user12] so it depends on what hosts they are looking at
      [user14] to start a spamming attack
      [user2] hm didnt check that ticket stuff yet
      [user2] as when i used a ticket
      [user2] for a test POST
      [user2] i worked with 1 only
      [user2] and always worked
      [user2] prolly many to identify the service
      [user12] the ticket is sent to say a game, netflix, etc. anythibng that uses psn. That way you do not send credentials to anyone but sony
      [user2] if its like u say then this is another vuln lol
      [user2] cuz as i tested if always first ticket works
      [user2] you could hijack a session
      [user2] the ticket and session i used didnt timeout
      [user2] and if it always creates a new ticket as u say
      [user2] there would be many sessions
      [user12] I also haave yet to monitor how long the tickets are valid for, I know that the ps3 does not reuse them between apps but that could just be the way its coded (they might be valid even though a normal ps3 will never reuse)
      [user2] for one user open
      [user12] it may invalidate old ones on issuance of a new, I never looked
      [user12] I just know that I saw it getting one at app launch
      [user2] hm wierd with the tickets
      [user2] i know the ticket is build outta few params
      [user2] the serial
      [user2] the userid
      [user2] issueddare
      [user2] service id
      [user2] online id
      [user2] many many
      [user12] I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
      [user12] if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
      [user2] its not old version, they just didnt update the banner
      [user12] I consider apache 2.2.15 old
      [user2] which server
      [user12] it also has known vulnerabilities
      [user12] auth.np.ac.playstation.net
      [user2] ya the displayed version u see via banner is not the real version
      [user12] unless they updated it in the last couple weeks
      [user12] I doubt that since its not trivial to change that
      [user12] its a bit more invasive than just setting it to Prod like they do on their other servers
      [user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
      [user2] its just backported security patches
      [user11] i did remove all my info after downloading the games though
      [user12] that is just psn not the store
      [user12] they are running linux 2.6.9-2.6.24 on that box too
      [user12] that too is old
      [user2] lol @ buying on store
      [user11] yes, but their general attitude towards security just seems…ugh
      [user2] sony wont misuse the info i bet xD
      [user2] but just prevent using cfw’s of unknown ppl
      [user2] even better from ALL ppl
      [user2] make ur own lol
      [user12] so I doubt that they are spoofing the network stack on that box as well
      [user12] my guess is that it really is undermaintained “it works why change anything”
      [user2] could be
      [user12] sony really should update that stuff to something more current
      [user2] ya
      [user2] but imagine
      [user2] psn == 45 environments
      [user2] and for example
      [user2] every env has 50 subdomains
      [user2] to external machines
      [user2] its rly rly huge
      [user2] who wants to do this xD
      [user2] ppl r lazy
      [user2] wont change
      [/SPOILER]
      That was a long spoiler but managed to read it. But I just forgot what I read so here I go again....

    69. soplox2
      04-30-2011
      08:42 AM
      69

      Before the PSN went down I bought a $50 PSN Card and added the money to my PSN account and didn't use a single cent waiting for SSFIV AE so my question when PSN come back will my money be there?

    70. Vhayes1992
      04-30-2011
      09:27 AM
      70

      Originally Posted by soplox2
      Before the PSN went down I bought a $50 PSN Card and added the money to my PSN account and didn't use a single cent waiting for SSFIV AE so my question when PSN come back will my money be there?
      We'll if they are rebuilding their PSN from scratch,... All I have to say is good luck.

    71. soplox2
      04-30-2011
      09:51 AM
      71

      Originally Posted by Vhayes1992
      We'll if they are rebuilding their PSN from scratch,... All I have to say is good luck.
      SONY already said they wont do that I asked cuz the hackers could have used my account's money

    72. mooodey
      05-02-2011
      02:49 AM
      72

      XBox 360 FTW... and for member who lost track of the story here's a complete summary

    73. Law_Sayer
      05-08-2011
      07:51 AM
      73

      Damb this whole thing stinks of Fish.
      Whilst Sony wallows in its own stinking pool of poo Microsoft are lapping it up.
      There's one for the Conspiricy Theorists.

      Best defence to all this consol madness :----- Go back to the games machine thats best..........a PC ! least there we know where we stand.

      I cancelled my CC the day after the attack and it seems rightly so as Dear Sony stated "12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain".
      I know of 2 people in the UK who have had thier bank accounts fleeced since the attack so looks like Sony may be holding back on info regarding the areas covered by the details stolen.
      As for Sony holding CV2 numbers....of course they do , I have made several purchases on PSN and i have only ever entered my details once , LOL check out the option that lets you disable automatic rebilling!!!!!!! How can you have automatic rebilling for services if Sony dont hold the CV2 numbers.....simple you cant cause if they didnt have the numbers the auto-bill would fail.
      As for Sony offering all PSN users one year’s free access to an identity protection scheme i think it should be free and built in to the network period.
      Although on the flip side if Sony are offering a service of this nature then they are pretty certain that this will happen again and they wont be able to stop it. Hence the need for ID protection scheme.

      Shame though PS3 is an awsome system ( I'm a Nvidia FanBoy LOL ).

      Oh well back to WoW

    74. RoxasDe
      05-08-2011
      08:38 PM
      74

      Originally Posted by mooodey
      XBox 360 FTW... and for member who lost track of the story here's a complete summary
      The Xbox 360 is just a expensive block used to play halo and gears. Indeed it rules *Sarcasm*

    75. Thelostdeathknight
      05-08-2011
      11:47 PM
      75

      Originally Posted by RoxasDe
      The Xbox 360 is just a expensive block used to play halo and gears. Indeed it rules *Sarcasm*
      The PS3 is just a expensive block used to play uncharted and killzone. Indeed it rules *Sarcasm* <- see what i did there

      my ps3 is a gigantic dust magnet. the only action my ps3 see is the occasional homebrew or blu-ray movie, maybe a ps3 exclusive. The ps3 may be more powerful but the xbox does so many more things the right way. cross game chat, in-game music, XBL, built in back-up support(not as nice as the ps3 HOMEBREW BM's) i mean really how hard is it for sony to implement the little things and not try to rape each and every customer

      But having said that i would sell all 3 consoles i own (wii, ps3, Xbox360) before i would even consider parting with my gaming PC. IMO, pc gaming is where it's at

      p.s. all three of those consoles collect so much dust it's not even funny

    76. OoZic
      05-09-2011
      05:33 AM
      76

      Came accross this funny pic, had to post it


      (source: gamepro)

    77. RoxasDe
      05-09-2011
      09:41 PM
      77

      Originally Posted by Thelostdeathknight
      The PS3 is just a expensive block used to play uncharted and killzone. Indeed it rules *Sarcasm* <- see what i did there

      my ps3 is a gigantic dust magnet. the only action my ps3 see is the occasional homebrew or blu-ray movie, maybe a ps3 exclusive. The ps3 may be more powerful but the xbox does so many more things the right way. cross game chat, in-game music, XBL, built in back-up support(not as nice as the ps3 HOMEBREW BM's) i mean really how hard is it for sony to implement the little things and not try to rape each and every customer

      But having said that i would sell all 3 consoles i own (wii, ps3, Xbox360) before i would even consider parting with my gaming PC. IMO, pc gaming is where it's at

      p.s. all three of those consoles collect so much dust it's not even funny
      There all a peice of **** *sarcasm* I play them all I own 2 wiis 2 ps3s and a xbox 360 slim that I had to send to microsoft after playing Halo Reach. Great stuff *sarcasm* can't wait to play halo and gears and all those other games that's I already have for ps3. I might as well pay for xbox live as its totally worth it *sarcasm* nah ill stick with pc as well.

    78. Law_Sayer
      05-12-2011
      07:25 PM
      78

      PC 3 votes :P