by dsteinweg 5525 days ago
They seemed to be concerned about the lack of security they were witnessing, and they also alluded to "this could be bad in the hands of a spammer".

If this log is real, is it truly the conversation of those that took the data?


I'm with you on all points; however, what I find interesting is that these guys talk explicitly about the credit card data being available via the path they took. If these are the same people--or if perhaps it was someone lurking in the channel--the suggestion is that the technique used would have exposed the credit card data of these users--despite Sony claiming that they felt it was unlikely.

I'm not sure there's a lot of "news" to this post; my feeling is that if Sony, "isn't ruling out the possibility" that my credit card information was stolen, I'm working under the assumption that it was. I'd encourage everyone else who was subscribed to PSN to do the same.

They only talk about the unencrypted credit card data available to the console, not to PSN. This chat happened weeks before whoever it was gained access to PSN's network. Basically the same thing as pointing out the flaws in someone storing their passwords in a plain text file on their desktop. It isn't secure, but you'd have to get access to the single machine before you could get anywhere else.

I agree. This isn't much for "news".

I am, however, curious about the repercussions of the current hack for other services tied to the PSN network, like Netflix, that aren't directly gaming related. Do you think it will make companies give pause to developing dedicated clients for 3rd party services on game consoles that rely on the manufacturer of the console to maintain a network outside of the 3rd party's control?

Right, so what changed in mid-April then to prompt Sony to pull their own plug?

All I can figure is either Sony saw evidence that someone was sniffing their decrypted SSL traffic, or Sony is exaggerating a little (or passive-aggressively erring on the side of it) to bring the heat of financial crimes down on the console/PSN hackers. The latter seems like a really expensive and painful way to combat a few console hackers.

I glanced at some PSN domains and noticed that their certs were fairly old and not revoked, and they were being served by some kind of 3rd party DDoS mitigation service. They're likely using some form of SSL offload hardware, which might provide more opportunity for the unencrypted (now plain HTTP) traffic to pass in view of a compromised node.

Looks to me like guys trying to get banned PS3s back on the game network, not steal user info and credit card numbers.

[user12] know this, sony in realtime, monitors all messages over psn
[user12] I verified that, its part of my privacy threats thing I am doing
[user5] ok too bad id like the psn messenger on pc
[user12] the realtime monitoring is a bit bothersome to me

It seems plausible though that people were using this info to do things which violated Sony's security model and that their security model also didn't effectively separate credit card info from the game data.

For example, there were claims a few weeks ago (Wired or Ars, I think) that they were all mixed together in the same SSL stream.