
Re: [Full-disclosure] psnhack - playstation network hack



Dear all,

Sorry for the inconvenience.
At least I have to reveal the truth here.

Since parts of my translation text are up online on some sites
(without my permission at all!) anyway. It looks like it was downloaded
while I was in the middle of editing and fixing the words.

As a security developer I am very sad if it is used for bad purposes.

I don't think that ps3dev was on it, yet I don't know what anonymous
is and I don't care about it.
What I care about is that so much misinformation is happening, and so many
people got worried about their privacy being leaked.. I personally have 2
accounts on PSN too, and have some rage in my heart about the incident follow-up.

But what happened in the press conference today moved my heart.
The reporters, many of whom are security professionals, were
asking sharp questions related to the incident handling; thumbs up.
And as for SONY, they answered it well. And this is the truth. I feel
like all sides want to play fair to compensate every damage that occurred,
which is a good deed, gentlemen. So let's get the good stuff rolling.

Herewith I am passing you the attachment of the real translation of
the Q&A between reporters and them; this is for the above purpose.
Actually it was half personal notes for me.. (comments exist); please
read the note above the translation text, which says that I am not a
professional translator, which text was CUT by whatever irresponsible
guy uploaded it.
If some of you have access to the sites which put these
translations online, like the URLs below mentioned by Mr. Satyam Pujari
below....
-------------------------------------------------------------
http://esploit.blogspot.com/2011/05/psnhack-sony-q.html
http://www.thehackernews.com/2011/05/anonymous-vs-sony-word-by-word-qa-bw.html
-------------------------------------------------------------
....please upload the REAL finished and FULL TEXT translation then!
Which is the one attached in this email, and please, it is NOT ALLOWED TO
be CUT, MODIFIED or CHANGED, please.

Actually I am still pissed off to know this text is up and online on
a hacker site too..., but anyway, please help me to upload the truth
then.

I compared (diff) my text and the uploaded text and found some slight
differences too, and somehow the translation was cut / not full in the
middle... and cut at the top...; this is really giving me a bad name. To
prove it, below is the diff of it:

I am now in Fukushima visiting my family, who have had to move to
another place to live now, remote connecting to my desktop; it's sad
enough seeing the disaster here,
it is already hard, and please don't make it harder.

Regards
---
Hendrik ADRIAN
ZeroDay.JP http://0day.jp

/* Begin the diff code to be pasted here.... */

$ diff -a text1.txt text2.txt
1,5c1,7
< Q. The accuracy of approximately 10 million credit flow
< A. There is no firm evidence of leakage. Cannot say wether a leak or
not. There is no report so far.
<
< Q. prospect of resuming services.
< A. We want to restart the service country/region base. Basically
approx within a week schedule. (a week from today?.. previously we
heard about same "a week matter..)
---
> Q. The accuracy of approximately 10 million credit flow
> A. There is no firm evidence of leakage. Cannot say wether a leak or not.
>    There is no report so far.
>
> Q. prospect of resuming services.
> A. We want to restart the service country/region base. Basically approx 
> within a week schedule.
> (a week from today?.. previously we heard about same "a week matter..)
11c13,14
< A. Hacking with the high skill technique was undergoing, was
confirmed. But we still dont know data was stolen / taken
---
> A. Hacking with the high skill technique was undergoing, was confirmed.
>    But we still dont know data was stolen / taken
14c17,18
< A. The possibility existed, what/when/how was it still under
investigation. account numbers is between 7700000 to 7800000 accounts
plus there are double accounts.
---
> A. The possibility existed, what/when/how was it still under investigation.
>    account numbers is between 7700000 to 7800000 accounts plus there are 
> double accounts.
17c21,23
< A. Basically SNE is business foundation in US, reported to FBI and
asked for investigation. It's still under investigation so cannot make
more commane on this. (.. this part is the right thing to do..)
---
> A. Basically SNE is business foundation in US, reported to FBI and asked for 
> investigation.
>   It's still under investigation so cannot make more commane on this.
> (.. this part is the right thing to do..)
20c26,27
< A. There was a well-known vulnerability which we(SNE) did not even
know it exists in the system (this could be a web base kinda vulns...)
---
> A. There was a well-known vulnerability which we(SNE) did not even know it 
> exists in the system
> (this could be a web base kinda vulns...)
22,23c29,31
< Q. The attacked server was what kind of server?
< A. If we answer it you will questioning us deeper more, so the
answer is no comment. (.. politics... politics..)
---
> Q. The attacked server was what kind of server?
> A. If we answer it you will questioning us deeper more, so the answer is no 
> comment.
> (.. politics... politics..)
29c37,40
< A. we did the internal hacking announce, shutdown the system,
requesting investigation, shutdown was also done in steps,..in order
to disclose, firstly the current data need to be analyze, was huge,
the time was taken more than expected. (... looks like they don't know
where to start..)
---
> A. we did the internal hacking announce, shutdown the system, requesting 
> investigation,
> shutdown was also done in steps,..in order to disclose, firstly the current 
> data need to be analyze, was huge,
> the time was taken more than expected.
> (... looks like they don't know where to start..)
41c52,54
< A. As a long-term response to this matter, we will fix strategy both
short-and-long-term security vision of the network service. NGP and
roadmap at the moment is unchanged.
---
> A. As a long-term response to this matter,
>    we will fix strategy both short-and-long-term security vision of the 
> network service.
>    NGP and roadmap at the moment is unchanged.
46,47c59,62
< Q. How about the users which will not/dont/cant change the password
for later, you will provide the action from the PSN system?
< A. We will announce the request to reset the password for all PSN
users. Wether system will perform some action aor not we will confirm
it.
---
> Q. How about the users which will not/dont/cant change the password for later,
>    you will provide the action from the PSN system?
> A. We will announce the request to reset the password for all PSN users.
>    Wether system will perform some action aor not we will confirm it.
51c66
< We won't forgive the customazation/modification in our product.
---
>    We won't forgive the customazation/modification in our product.
53c68
< Sony: "The password was not encrypted, BUT protected by HASH"
---
> (UPDATE)(interrupt) Sony: "The password was not encrypted, BUT protected by 
> HASH"
56,57c71,74
< Q. Do you know the risk of the current incident will be happened,
but WHY you keep continuing service? What will be your plan?
< A. We will keep on continuing protecting the user's privacy. So we
took this hard lesson and supprting it accordingly.
---
> Q. Do you know the risk of the current incident will be happened,
>    but WHY you keep continuing service? What will be your plan?
> A. We will keep on continuing protecting the user's privacy.
>    So we took this hard lesson and supprting it accordingly.
59c76,77
< Q. Why there is the different time lag regarding to the official
blog announce between the international to Japan one?
---
> Q. Why there is the different time lag regarding to the official blog 
> announce between the
>    international to Japan one?
65,66c83,87
< Q. For the compensation you said you will consider to launch free
download contents campaign, But what about the FINANCIAL GUARANTEE for
the compensation?
< A. We guarantee the privacy of the credit card users, we also
guarantee for the loss related to the service shutdown, if there is
loss related to the card being used then we will guarantee and support
it case by case.
---
> Q. For the compensation you said you will consider to launch free download 
> contents campaign,
>    But what about the FINANCIAL GUARANTEE for the compensation?
> A. We guarantee the privacy of the credit card users,
>    we also guarantee for the loss related to the service shutdown,
>    if there is loss related to the card being used then we will guarantee and 
> support it case by case.
72,73c93,96
< Q. You explained before that you protecting systems with the best,
but in the end why you can get hacked?
< A. We did the best we think for the security system. You may say
that we were weak, but we WILL improve it.
---
> Q. You explained before that you protecting systems with the best,
>    but in the end why you can get hacked?
> A. We did the best we think for the security system.
>    You may say that we were weak, but we WILL improve it.
79,80c102,106
< A. Due to the after-intrussion we were busy focusing the monitoring.
The vulnerability was discovered at the same time too.. Can not
support efforts to accelerate the cycle for everything at the same
time, as soon as we sure than we announce.
< (...in a very diplomatic way to say.. this part needs my energy to
make english corrent nuanse ..)
---
> A. Due to the after-intrussion we were busy focusing the monitoring.
>    The vulnerability was discovered at the same time too..
>    Can not support efforts to accelerate the cycle for everything at the same 
> time,
>    as soon as we sure than we announce.
>   (...in a very diplomatic way to say.. this part needs my energy to make 
> english corrent nuanse ..)
85,86c111,116
< Q. While you released the information about the priacy stolen on
27th, why you DID NOT make the press conference at that time??
< A. The privacy leak possibility existance was clarified on 27th we
made the announce of it in - the same day by blogs, we are doing the
press release today as per scheduled in the internal roadmap.
---
> /* (UPDATE) there was the announce of the numbers of users and product 
> sales.. but it was so mumbling.. cannot hear it well */
>
> Q. While you released the information about the priacy stolen on 27th,
>    why you DID NOT make the press conference at that time??
> A. The privacy leak possibility existance was clarified on 27th we made the 
> announce of it in -
>    the same day by blogs, we are doing the press release today as per 
> scheduled in the internal roadmap.
89c119,120
< A. Firewall couldn't detect it as intrusion, it looks as the normal
data-transaction, looks like it was the regular commands process
between clients-servers.
---
> A. Firewall couldn't detect it as intrusion, it looks as the normal 
> data-transaction,
>    looks like it was the regular commands process between clients-servers.
92c123,125
< A. It is currently under investigation, we have nothing to inform at
the time being. regarding to the result it will bring possibilities
which will effect the time line. So ..No comment for now.
---
> A. It is currently under investigation, we have nothing to inform at the time 
> being.
>    regarding to the result it will bring possibilities which will effect the 
> time line.
>    So ..No comment for now.
95c128
< A. There was not anything like this. for this kind of intrusion this
is the first time.
---
> A. There was not anything like this. for this kind of "intrusion" this is the 
> first time.
97,98c130,131
< Q. How about the firmware the current security?
< A. We will improve it.
---
> Q. How about the PS3 firmware's current security condition related to this 
> incident?
> A. We will improve it.
101,104c134,135
< A. No such hard evidence for the privacy leak even until now, so we
cannot response to your question, however if there is any financial
damage occurred we will handle it case by case.
<
< Q. It was detected that the user agreement rules has be changed in
28th, why was it?
< A. The system itself is not user's base registration system like
software does, so basically there's no such of user's agreement scheme
that you assume. But we are-considering the procedure for cancelling
the user registration for the current special case.
---
> A. No such hard evidence for the privacy leak even until now, so we cannot 
> response to your
>    question, however if there is any financial damage occured we will handle 
> it case by case.
106,107c137,164
< Q. Is not the matter of the Credit Card got stolen, above it, what
do you plan for your PRIVACY LEAK incident?
< A. If THERE IS ANY DAMAGE reported about this, we will start to deal
with it, so far there is no report no claim come to us about this
leaking matter.
---
> Q. It was detected that the user agreement rules has be changed in 28th, 
> specially regarding to
>    the cancellation of registration terms by users or system due to 
> incident,why was it?
> A. The PSN system itself is not user's base registration system like software 
> does,
>    so basically there's no such of user's agreement scheme that you assume. 
> But we are-
>    considering the procedure for cancelling the user registration for the 
> current special case only.
>
> Q. You always said about credit card matters. It is not the matter of the 
> Credit Card got stolen only,
>    above it, what do you plan for your PRIVACY LEAK incident?? (angry voice 
> of a reporter)
> A. If THERE IS ANY DAMAGE reported about this, we will start to deal with it,
>    deeply sorry about the privacy matter, but -
>    so far there is no report no claim come to us about this leaking matter 
> (from japan at least it's what he meant)
>
> Q. How soon the PSN will be up?
> A. Cannot online or up soon. Approcimately in a max a week. The security 
> assessment still ongoing.
>    The security syste, will be fix to be better, now there's so many things 
> that has to be done.
>
> Q. How about Anomymous group who said responsible to the attack?
> A. It is only the mass media communication matters and irrelevant to the 
> current incident,
>    could not find the connection of it.
>
> Press conference was over, they bows and went away...
>
> (end)
>
> -----
> Translated by @unixfreaxjp/twitter
> Please do not misuse this information and this is my private log only
> http://0day.jp
$
/* End of the diff code */


2011/5/1 アドリアンヘンドリック <unixfreaxjp22@xxxxxxxxx>:
> Dear operators of Full disclosure,
>
> Please do not let the below message go up on the mailing list.
> The link which contains the translation text is currently being used by
> what is so called anonymous, and they put it on their site.
> I am really angry and frustrated about it, and am erasing the text file
> from my server now.
> Sorry for the inconvenience.
>
> On Sun, May 1, 2011 at 9:22 PM, ZeroDay.JP <unixfreaxjp22@xxxxxxxxx> wrote:
>> Just have some additional info to share regarding this. Sorry for the interruption.
>>
>> In Japan people were very patient waiting for an announcement from Sony, while
>> in their hearts worried so much.
>> It was the 27th, just a day before the summer holiday here, when the announcement came ..
>> I had to hold the phone for 3 hours to get through to cancel all cards.
>>
>> Today I was watching the whole Sony news conference and writing it in text
>> word by word, then took time to translate it to English. The reporters here were
>> presenting the users' feelings very well, and I really respect them a lot;
>> they cleverly cornered Mr. Hirai's team with very logical questions.
>> Access to the Q&A text is here... http://0day.jp/data/PSN.txt
>>
>> I hope this list allows this message to pass through, for I have a strong
>> sense that maybe I cannot keep the text up for too long.
>>
>> Best regards,
>> ---
>> Hendrik ADRIAN
>> ZeroDay Japan http://0day.jp
>> Twit: @unixfreaxjp, blog: "ZeroDay.JP" http://unixfreaxjp.blogspot.com
>>
>> Sent to you by ZeroDay.JP via Google Reader:
>>
>> Re: psnhack - playstation network hack
>>
>> via Full Disclosure on 5/1/11
>>
>> Posted by Peter Osterberg on May 01
>>
>> In Sweden they did that 14 days after they got hacked, and at the same
>> time informed us that we should pay attention to weird things happening
>> on our bank accounts...
>>
>> LOL, it's fucking lame to come out with that warning 14 days after it
>> happened... Quite obvious that they wanted to bury the whole thing...
>>
>> Thor (Hammer of God) skrev 2011-04-30 19:13:
>>
>
/* ...I am not a professional translator, so this is my personal translation
only...,
...since I got 2 credit cards registered in the PSN system, gotta understand this
well....
.. I got the report that one of the credit cards was having an international transaction
bill..
...so maybe I will need this data later for legal matters....the bracket parts
are my comments...
..wrote this in a rush too, so for mistyping.. sorry... */

/* Additional.. just got the notification to delete this.. please copy it to
somewhere..
 ...if this document link will not be up again, terribly sorry.. */

//(Announcer words)...Hirai-san apologized to the public..  bows...
//(Announcer words)...As an apology present, games and music will be
freely downloadable on PSN!

BELOW IS THE Q & A BETWEEN REPORTERS AND SONY:

Q. The accuracy of approximately 10 million credit flow 
A. There is no firm evidence of leakage. Cannot say wether a leak or not. 
   There is no report so far. 

Q. prospect of resuming services. 
A. We want to restart the service country/region base. Basically approx within 
a week schedule.
(a week from today?.. previously we heard about same "a week matter..)

Q. How was it the effect to the business so far?
A. Cannot tell it yet, many things to handle one at the time.

Q. What was the condition when you firstly sense the trouble?
A. Hacking with the high skill technique was undergoing, was confirmed.
   But we still dont know data was stolen / taken

Q. Why did you announce privacy data was stolen then?
A. The possibility existed, what/when/how was it still under investigation.
   account numbers is between 7700000 to 7800000 accounts plus there are double 
accounts.

Q. What was your damage report and what is the legal actionyou took?
A. Basically SNE is business foundation in US, reported to FBI and asked for 
investigation.
  It's still under investigation so cannot make more commane on this.
(.. this part is the right thing to do..)

Q. Was there any security vulnerability was used as the attack vector?
A. There was a well-known vulnerability which we(SNE) did not even know it 
exists in the system
(this could be a web base kinda vulns...)

Q. The attacked server was what kind of server? 
A. If we answer it you will questioning us deeper more, so the answer is no 
comment.
(.. politics... politics..)

Q. You guaranteed the credit card reissue procedures for each account?
A. Privacy Protection Law is differed in each region, so it depends on area.

Q. Information Disclosure for this incident was very slow, do you recognize it?
A. we did the internal hacking announce, shutdown the system, requesting 
investigation, 
shutdown was also done in steps,..in order to disclose, firstly the current 
data need to be analyze, was huge, 
the time was taken more than expected.
(... looks like they don't know where to start..)

Q. Any relation with the previous hacking incident with the current one.
A. Currently we are not in the condition to decide it yet..

Q. Do you know what is the target of the current intrusion incident?
A. Whe have no idea why they attack our network, and what is the purpose/target 
of it.

Q. Are the passwords encrypted?
A. We made the intrusion prevention system as security therefore the password 
was not encrypted.

Q. How about the current damage in network strategy?
A. As a long-term response to this matter, 
   we will fix strategy both short-and-long-term security vision of the network 
service.
   NGP and roadmap at the moment is unchanged.

Q. The currently registered account which needed to be deleted by users, how 
will you follow?
A. We will follow it right. One by one.

Q. How about the users which will not/dont/cant change the password for later, 
   you will provide the action from the PSN system?
A. We will announce the request to reset the password for all PSN users.
   Wether system will perform some action aor not we will confirm it.

Q. How about the future hacking and cracking things?
A. We will provide PSN with much better platform which including the 3rd party 
collaboration for the future.
   We won't forgive the customazation/modification in our product. 

(UPDATE)(interrupt) Sony: "The password was not encrypted, BUT protected by 
HASH"
(...hashes... my password only protected by hashes.....good lord..)

Q. Do you know the risk of the current incident will be happened, 
   but WHY you keep continuing service? What will be your plan?
A. We will keep on continuing protecting the user's privacy. 
   So we took this hard lesson and supprting it accordingly.

Q. Why there is the different time lag regarding to the official blog announce 
between the 
   international to Japan one?
A. Between area/country the announce/communication way is differences, that was 
why.

Q. About the PS3 Root Key Cracking
A. For the security purpose we cannot comment much now, but, basically we will 
deal with it in business(or can be asumed as legal) basis.

Q. For the compensation you said you will consider to launch free download 
contents campaign, 
   But what about the FINANCIAL GUARANTEE for the compensation?
A. We guarantee the privacy of the credit card users, 
   we also guarantee for the loss related to the service shutdown,
   if there is loss related to the card being used then we will guarantee and 
support it case by case.

Q. What about your Risk Management responsibility?
A. First thing that has ot be done is to bring back the market trust to the 
SONY product/service.
(...which that'll be he hard part to do I guess....)

Q. You explained before that you protecting systems with the best, 
   but in the end why you can get hacked?
A. We did the best we think for the security system. 
   You may say that we were weak, but we WILL improve it.

Q. SONY is Japan office too, why you did not eve cal to Japanese Police due to 
this incident??
A. There is no prejudice matter in it, the request for investigation was 
conducted to many countries authorities, not only to Japan.

Q. Until 20th there is no such announce from your side! Why? In the future what 
will you do about this miss?
A. Due to the after-intrussion we were busy focusing the monitoring. 
   The vulnerability was discovered at the same time too.. 
   Can not support efforts to accelerate the cycle for everything at the same 
time, 
   as soon as we sure than we announce.
  (...in a very diplomatic way to say.. this part needs my energy to make 
english corrent nuanse ..)

Q. Currently, how many PS2 and PS3 market share? How many users is actually 
exist now?
A. We don't have the latest data yet, we will reconfirm and inform later.

/* (UPDATE) there was the announce of the numbers of users and product sales.. 
but it was so mumbling.. cannot hear it well */

Q. While you released the information about the priacy stolen on 27th, 
   why you DID NOT make the press conference at that time??
A. The privacy leak possibility existance was clarified on 27th we made the 
announce of it in -
   the same day by blogs, we are doing the press release today as per scheduled 
in the internal roadmap.

Q. You have FW and IPS yet the attack bypassed it, how? and why?
A. Firewall couldn't detect it as intrusion, it looks as the normal 
data-transaction, 
   looks like it was the regular commands process between clients-servers.

Q. How about the disclosure of the logs?
A. It is currently under investigation, we have nothing to inform at the time 
being. 
   regarding to the result it will bring possibilities which will effect the 
time line. 
   So ..No comment for now.

Q. Until now was there any kind of similar intrussion before?
A. There was not anything like this. for this kind of "intrusion" this is the 
first time.

Q. How about the PS3 firmware's current security condition related to this 
incident?
A. We will improve it. 

Q. Back to the incident compensation matter, how much do you plan to pay to 
every users?
A. No such hard evidence for the privacy leak even until now, so we cannot 
response to your 
   question, however if there is any financial damage occured we will handle it 
case by case.

Q. It was detected that the user agreement rules has be changed in 28th, 
specially regarding to
   the cancellation of registration terms by users or system due to 
incident,why was it?
A. The PSN system itself is not user's base registration system like software 
does, 
   so basically there's no such of user's agreement scheme that you assume. But 
we are-
   considering the procedure for cancelling the user registration for the 
current special case only.

Q. You always said about credit card matters. It is not the matter of the 
Credit Card got stolen only, 
   above it, what do you plan for your PRIVACY LEAK incident?? (angry voice of 
a reporter)
A. If THERE IS ANY DAMAGE reported about this, we will start to deal with it, 
   deeply sorry about the privacy matter, but -
   so far there is no report no claim come to us about this leaking matter 
(from japan at least it's what he meant)

Q. How soon the PSN will be up?
A. Cannot online or up soon. Approcimately in a max a week. The security 
assessment still ongoing. 
   The security syste, will be fix to be better, now there's so many things 
that has to be done.
   
Q. How about Anomymous group who said responsible to the attack?
A. It is only the mass media communication matters and irrelevant to the 
current incident, 
   could not find the connection of it.

Press conference was over, they bows and went away...

(end)

-----
Translated by @unixfreaxjp/twitter
Please do not misuse this information and this is my private log only
http://0day.jp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/