Ranter's Corner: Sony Bastards

 

 From:  Peter (BOUGHTONP)  
 To:  Ken (SHIELDSIT)     
38415.21 In reply to 38415.6 
Well, that bit was semi-sarcastic, you don't need lots, but you do need to have more than one.

It shouldn't be possible to access actual customer databases from the Internet - only via applications that indirectly access it (one record at a time, so users can check/modify their own data).
The database itself, and all the software that does bulk stuff should be behind a completely separate firewall, only accessible from within the company network.

In addition to that, sensitive data should be encrypted.
Perhaps the "may" is because credit card data was actually encrypted (but not securely enough to prevent decryption).
Passwords should have been one-way encrypted with a salted hash, including a secret part which is not part of the database, making it near impossible to decrypt passwords if you've only got the database, and very hard even if you also have the source/secret code.

A company the size of Sony which deals with card payments should be independently audited to make sure of all this. :/
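The salted-and-peppered password storage Peter describes above, written out as an added example for this page (it is not code from the post, from Sony, or from any product named in the thread). It assumes only the Python standard library; the pepper value is a constructed placeholder standing in for a secret loaded from server configuration or a key store, which is the "secret part which is not part of the database".

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret ("pepper"): stands in for a value read from server
# config or a key store. It is never written to the database.
PEPPER = b"constructed-pepper-kept-outside-the-database"
ITERATIONS = 100_000  # deliberately slow so offline guessing is expensive


def _keyed(password: str, pepper: bytes) -> bytes:
    """Bind the password to the secret pepper before salted hashing."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER) -> dict:
    """Return the record the database stores: per-user salt, slow hash, cost.

    The pepper is mixed in but not stored, so a dumped table alone does not
    contain everything needed to recompute candidate hashes.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _keyed(password, pepper),
                                 salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", _keyed(password, pepper),
                                 salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def guess_without_pepper(password_guess: str, record: dict) -> bool:
    """Model the thread's point from the defender's side: holding only the
    database contents (salt and hash, no pepper), a guess cannot be confirmed
    even when it is the right password, because the pepper is missing from
    the computation."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password_guess.encode("utf-8"),
                                 salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("correct password verifies:", verify_password("correct horse battery staple", rec))
    print("wrong password verifies:", verify_password("wrong", rec))
    print("DB-only guess confirms:", guess_without_pepper("correct horse battery staple", rec))
```

Two things the record makes visible: the same password hashed for two users produces different hashes because each gets its own salt, and a correct guess checked with the stored salt but without the pepper still fails, which is why the pepper has to live outside the database.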

 From:  koswix   
 To:  Ken (SHIELDSIT)     
38415.22 In reply to 38415.20 
Does that store your passwords locally or on their servers?


GIVE ME EYERON OR! :@ msg:38140.1

 From:  Matt  
 To:  koswix      
38415.23 In reply to 38415.1 
Presumably, SCEE have PCI DSS compliance in the EU in order to store credit card numbers unencrypted. That means they've fucked up real bad.

doohicky


 From:  koswix   
 To:  Matt     
38415.24 In reply to 38415.23 
You mean they filled in a questionnaire?


GIVE ME EYERON OR! :@ msg:38140.1

 From:  Ken (SHIELDSIT)  
 To:  koswix      
38415.25 In reply to 38415.22 
Just on their servers. LastPass



 From:  Ken (SHIELDSIT)  
 To:  Peter (BOUGHTONP)     
38415.26 In reply to 38415.21 

I know it was sarcastic. I was being dumb.

They should know better and I hope they pay for it!

 From:  Matt  
 To:  koswix      
38415.27 In reply to 38415.19 
Yes, but it doesn't do syncing itself. Syncing by Dropbox is a pretty good solution which I hadn't thought about, previously mentioned security concerns considered.

You can get KeePass (KeePassDroid) and Dropbox clients for Android. I haven't tried creating new passwords in KeePassDroid, I just use it to copy passwords from, and the Dropbox client for Android doesn't do automatic sync as far as I can tell (probably so it doesn't munch your bandwidth), rather you download and upload files manually to it.

doohicky


 From:  koswix   
 To:  Ken (SHIELDSIT)     
38415.28 In reply to 38415.25 
in that case, I don't trust them :C


GIVE ME EYERON OR! :@ msg:38140.1

 From:  Ken (SHIELDSIT)  
 To:  koswix      
38415.29 In reply to 38415.28 

Can't be any worse than Sony! :-&

At least LastPass encrypts my stuff!

 From:  Matt  
 To:  koswix      
38415.30 In reply to 38415.24 
I don't know what is involved, I just know it costs quite a bit if you fail compliance. According to the Evolve Online site, it's €5 per compromised account and €100,000 fine per incident.

So that's at least €100,015 fine of the people in this thread I know have PSN accounts.

doohicky


 From:  patch  
 To:  koswix      
38415.31 In reply to 38415.24 

Self-certification (wrong term, but I can't think of the right one at the moment) can only be done by smaller companies who handle a smaller number of transactions every year. Large companies have to be audited by a certified QSA.

The only problem is that the actual requirements in PCI DSS are a bit vague in places, and what you need to do to achieve compliance depends on the interpretation of the QSA. Sony's lawyers will just end up saying that they were compliant so long as you squint at it from the right angle.

 From:  Drew (X3N0PH0N)  
 To:  ALL
38415.32 
Could someone explain how (in actual use) this keepass thing works? I don't really care much about security, but if it's a thing that can remember and fill in my password/s for me, then I'm interested.


 From:  Ken (SHIELDSIT)  
 To:  Drew (X3N0PH0N)     
38415.33 In reply to 38415.32 
That's what LastPass does. Haven't used KeePass for a long time and I can't remember how it works.



 From:  Drew (X3N0PH0N)  
 To:  Ken (SHIELDSIT)     
38415.34 In reply to 38415.33 
Ok, which is BETTER?


 From:  koswix   
 To:  Drew (X3N0PH0N)     
38415.35 In reply to 38415.34 
Lastpass want you to pay to use their Android app :(


GIVE ME EYERON OR! :@ msg:38140.1

 From:  Ken (SHIELDSIT)  
 To:  Drew (X3N0PH0N)     
38415.36 In reply to 38415.34 
I love lastpass because it is available on all my browsers, work, home, where ever. Of course it's BETTER because I'm using it! I wouldn't use the inferior product man!



 From:  Drew (X3N0PH0N)  
 To:  koswix      
38415.37 In reply to 38415.35 
Well that's fine since I don't have an Android.


 From:  Ken (SHIELDSIT)  
 To:  koswix      
38415.38 In reply to 38415.35 
Yeah, I didn't like that. But it's not that expensive is it?



 From:  koswix   
 To:  Ken (SHIELDSIT)     
38415.39 In reply to 38415.38 
More expensive than a packet of post-it notes :C


GIVE ME EYERON OR! :@ msg:38140.1

 From:  Ken (SHIELDSIT)  
 To:  koswix      
38415.40 In reply to 38415.39 
That's an odd thing to compare it to!



Beehive Forum 1.5.2 |  FAQ |  Docs |  Support |  Donate! ©2002 - 2024 Project Beehive Forum
