Wednesday, April 27, 2011

Thoughts on the Playstation Network breach



So over the past week, Sony shut the Playstation Network down with no warning or communication to its users. Originally, speculation was that it was a byproduct of the conflict between Sony and the hacker group known as Anonymous over Sony's overreaching legal practices regarding the jailbreak of their PS3 console. Anonymous had previously attacked Sony's DNS servers and brought nearly all of their services down as a result, but in this instance Anonymous claimed they had changed their target to avoid collateral damage to PSN. Soon after, people began putting the puzzle pieces together and, as the service remained down with little to no word from Sony, whispers of a much more troubling picture began to emerge.

Finally, after days of silence, Sony made an announcement this past Tuesday, April 26th. The event was a worst-case scenario: a breach which not only compromised the network but also leaked the data of every user on it, including passwords, email addresses, and potentially even credit card numbers and expiration dates. The network has an estimated 77 million users. Sony has announced that the PSN will be down for the foreseeable future as a result, while they try to plug the massive hole revealed by this attack.

So what happened? Well, let's look over what is known before we begin to speculate about the events that transpired.
- A commenter on Reddit, identifying himself as a PSX-Scene moderator, mentioned Rebug as potentially being related to the intrusion shortly before the Sony announcement. I've quoted the relevant portion below:
Ok, I've seen a bunch of speculation about why people think PSN is down, and I thought I should just post what the community knows in comparison to what Sony is telling everyone. The truth is, there was a new CFW (custom firmware) released known as Rebug ([1] http://rebug.me). It essentially turns a retail console into a dev console (not fully, but it gives you a lot of the same options that usually only devs have access to). Anyway, this new CFW was quickly figured out by 3rd parties (not Rebug) to give CFW users access to the PSN network again via the dev networks. With a little manipulation of the URLs through a proxy server you could get your hacked console back online. Not that big of a deal, right? Well, it also turns out that some people over at NGU found out that you could provide fake CC# info and the authenticity of the information was never checked as you were on Sony's private developer PSN network (essentially a network that Sony trusted). What happened next was extreme piracy of PSN content. Sony, realizing the issue here, shut down the network. Now, before you go freaking out about the latest information posted on Kotaku, no one's personal information was accessible via this hack. Not to say they couldn't get it, but no one is admitting to it being available. Anyway, that's the real reason for the PSN downtime. Sony is now rebuilding all of its PSN servers to be more secure and (hopefully) make sure the CFW users cannot get online anymore.
- It's notable that there were reports that CC info wasn't being checked on the developer network before purchasing, which led to widespread piracy of PSN content. This implies that there was no validation on the dev side of the PSN.

So what does this mean? Well, it provides an attack vector. It's likely that validation didn't exist on the dev network because the dev network is older than the consumer-facing network and was never updated with proper validation. This raises the question of whether it at least validated the credit card and user data fields against SQL injection. I would bet it did not, and this seems a likely avenue for the attack.

Now, in Sony's announcement, they did not specify whether the stolen data was encrypted. But if it were, why wouldn't they say so? Absence of evidence is evidence in this scenario: the PR nightmare would be severely mitigated if the data were all encrypted, so by not stating either way, the implication is that it was not.

User data should, of course, always be encrypted with something like AES-256, using a key that's mathematically mangled by the code. For example, take the sign-up date, convert it to a Unix timestamp, and do some math on it to use it as the key. Maybe use two data sources if you have them, like the user ID. This makes the key unique to each user, easily retrievable, and impossible to decrypt without direct access to the backend server code, which the hackers likely never obtained.

Had Sony done these things, this would be a non-issue. The hackers would have a ton of data, none of which they could use or decrypt without a key they had no access to.
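As an added example (not from the post, and not how Sony's systems worked), here is the per-user encryption idea in Go, with one change a practitioner would insist on: the per-user key is derived with HKDF-Expand from a server-held master secret plus the user ID rather than from the sign-up date alone, because a key computed only from fields that sit in the same database is recoverable by anyone who steals that database. The master secret, user IDs and card number below are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// masterSecret stands in for a key kept only in backend config or an HSM/KMS,
// never in the user database (constructed placeholder value).
var masterSecret = []byte("constructed-master-secret-not-for-production")

// userKey derives one AES-256 key per user: a single HKDF-Expand block (RFC 5869)
// over HMAC-SHA256 keyed by masterSecret, with the user id as context.
func userKey(userID string) []byte {
	mac := hmac.New(sha256.New, masterSecret)
	mac.Write([]byte("psn-user-record-v1:" + userID))
	mac.Write([]byte{0x01}) // HKDF-Expand block counter
	return mac.Sum(nil)     // 32 bytes
}

func gcmFor(userID string) cipher.AEAD {
	block, _ := aes.NewCipher(userKey(userID)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// encryptField seals one record field under the user's key as nonce || ciphertext || tag;
// the user id is bound as associated data, so a value copied into another user's row fails.
func encryptField(userID string, plaintext []byte) ([]byte, error) {
	gcm := gcmFor(userID)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(userID)), nil
}

// decryptField reverses encryptField; wrong user, tampered or truncated input is an error.
func decryptField(userID string, sealed []byte) ([]byte, error) {
	gcm := gcmFor(userID)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed field too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(userID))
}
```

With the database alone an attacker holds every ciphertext and every user ID, but no master secret, so no per-user key; rotating that one secret is also what re-keying the whole table comes down to.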


So who is to blame in all of this? The hackers who may have stolen the data definitely broke the law, but it was Sony's lax security which allowed this to happen in the first place. If you're sitting in a sinking boat, you do not blame the water for rushing in and sinking you. You look to the hole in the hull, because that's the problem you can actually act on and fix.

No matter what industry you're in, hackers will ALWAYS look for and exploit attack vectors in your code, be it for financial gain, notoriety, or even just for laughs. It was the JOB of Sony's devs to anticipate and plan for this. Instead, they left a massive hole in their network in the form of the developer network, which checked the developer status not by comparing it to a registered list, but instead by simply asking the console "Are you a developer?" and therein lies the underlying problem. The first rule of programming server side code: never trust the client sending the data. This is especially true when the client is out there in the wild. It does not matter how secure the client is. If it is your only mode of defense, then you have failed in securing your system.

So yes, I blame Sony. Because if it wasn't the exploitation of the homebrew community's hack, it just would've been someone else's. Someone quieter, someone less vocal, who would've used the hack themselves and stolen this data and Sony would've never known. Blaming hackers is like blaming the wind for knocking over a poorly built house. There are two factors that caused the collapse, and you can only control one of them.

Thursday, February 3, 2011

Facebook, Twitter, and IP Addresses

Some things I have learned:

If your server doesn't have a domain name yet (for example, while working on a production server and website to replace an existing website/server which is currently using the domain name), Twitter and Facebook act weird.

Twitter's share button fails outright saying you didn't pass it a url (even though you did).

And Facebook fails to load the image thumbnail from its share widget, even if you have all of your OpenGraph tags filled out correctly. Note that it will lint it correctly, and post it correctly, but when you hit share, you won't see the thumbnail.

Just felt I should share...

Friday, December 10, 2010

A retrospective

So I stumbled across a little retort I made a year ago online, and felt, given the proximity to the new year, it was appropriate to put it up (why I neglected to put this up last year is beyond me...):

In reply to the following article: Microsoft's Vision For the Future Gives Me Hope For Humanity

rudez90 said:

This video is depressing only because I don't think we will actually see this come to fruition until a lot later than 2019.


My response:
Cin said:

You, sir, lack perspective. This is 10 years from now. Do you remember 1999? 1999 was the year the very first BlackBerry debuted; it was a 2-way pager. Here's a picture.

10 years later, it plays video, surfs the web, has a completely different interface, is in full color, plus much more, and weighs like 1.3 times the first BlackBerry's weight (We found some old ones where I worked, they were pretty bulky).

The first iPod didn't debut until 2001, becoming one of the first mp3 players with mass appeal and adoption. Back in 1999, Apple was struggling to stay afloat with their brand new iMac line (the ones that still had all the fruity colors). Now, 10 years later, Apple has expanded in all directions, dominated the digital music distribution market, and has released a handheld which has far-reaching implications for mobile computing.

1999 to 2009 is the difference between Windows 98 and Windows 7. It is the difference between Linux being primarily used by hobbyists and programmers, to being used in more and more consumer applications and even being sold at retail on desktops and notebooks.

Wikipedia was not founded until 2001, and in 1999 Google had only existed for a year and was finally moving out of a garage in Menlo Park, California to an office in Palo Alto. As recently as May of 2002, there were only 26 million internet subscribers with broadband in the US (there were far fewer in 1999). Today that number is approaching 70 million [Note: It is currently over 75 million, fyi].

When you consider the fact that technology has an exponential growth pattern, and that the internet has increased the dissemination of ideas and information in ways that our forefathers never imagined possible, then yeah, 2019 is going to be very different from our world today, and I for one can't wait.



And finally, I was reminded to put something like this up thanks to this:

Tuesday, November 23, 2010

Wrapping clones

Fun fact: creating a virtual object in jQuery via the clone method makes some functions unable to interact with it.

For example, the following will work as expected, adding the class to the clone and not the original (note that addClass takes the bare class name, without the leading dot):
$('.myClass').clone().addClass('myOtherClass');

The following, however, will NOT work:
$('.myClass').clone().wrap("<div class='container'></div>");

As a result, the clone will remain unchanged. If you want to use wrap, or other functions with this limitation, you'll need to place the clone somewhere in the DOM first, and then manipulate it.

Tuesday, June 8, 2010

On Z-Index

Common issue but one that I often forget and see people asking about:

The z-index CSS property does not work on statically positioned elements (the default positioning). Make the element at least position: relative for z-index to have any effect.

The problem with Mac users finally getting Steam...

Now that everyone on Macs can experience Valve's games, and Portal in particular, I've noticed a bit of a problem on the internet the last few weeks...

Wednesday, June 2, 2010

Calculate the age from a DOB in one line

There are lots of complex ways to calculate someone's age from their DOB via PHP, but here's a simple one:
function getAge($dob) {
    // date_diff counts whole calendar years between the two dates, so leap days
    // and month boundaries are handled. The shortcut of subtracting timestamps and
    // reading the year off the epoch, date("Y", time() - strtotime($dob)) - 1970,
    // is off by one around birthdays because the leap days counted from 1970
    // differ from the leap days in the person's actual lifetime.
    return date_diff(date_create($dob), date_create('today'))->y;
}

echo getAge('1985-03-14'); // sample DOB; prints the age in whole years