by bcrescimanno 5525 days ago
I'm with you on all points; however, what I find interesting is that these guys talk explicitly about the credit card data being available via the path they took. If these are the same people--or if perhaps it was someone lurking in the channel--the suggestion is that the technique used would have exposed the credit card data of these users--despite Sony claiming that they felt it was unlikely.

I'm not sure there's a lot of "news" to this post; my feeling is that if Sony, "isn't ruling out the possibility" that my credit card information was stolen, I'm working under the assumption that it was. I'd encourage everyone else who was subscribed to PSN to do the same.


They only talk about the unencrypted credit card data available to the console, not to PSN. This chat happened weeks before whoever gained access into PSN's network. Basically the same thing as pointing out the flaws in someone storing their passwords in a plain text file on their desktop. It isn't secure, but you'd have to get access to the single machine before you could get anywhere else.

I agree. This isn't much for "news".

I am, however, curious about the repercussions of the current hack for other services tied to the PSN network, like Netflix, that aren't directly gaming related. Do you think it will make companies give pause to developing dedicated clients for 3rd party services on game consoles that rely on the manufacturer of the console to maintain a network outside of the 3rd party's control?

Right, so what changed in mid-April then to prompt Sony to pull their own plug?

All I can figure is either Sony saw evidence that someone was sniffing their decrypted SSL traffic, or Sony is exaggerating a little (or passive-aggressively erring on the side of it) to bring the heat of financial crimes down on the console/PSN hackers. The latter seems like a reeely expensive and painful way to combat a few console hackers.

I glanced at some PSN domains and noticed that their certs were fairly old and not revoked, and they were being served by some kind of 3rd party DDoS mitigation service. They're likely using some form of SSL offload hardware, which might provide more opportunity for the unencrypted (now plain HTTP) traffic to pass in view of a compromised node.