lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <BANLkTikJHpSExi=67g1_oK7Pqx-DJ_2Eww@mail.gmail.com>
Date: Mon, 2 May 2011 02:50:03 +0900
From: アドリアンヘンドリック <unixfreaxjp22@...il.com>
To: satyam pujari <satyamhax@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: psnhack - playstation network hack

Mr. Satyam Pujari,

Apology accepted. No hard feelings.

Cheers.

2011/5/2 satyam pujari <satyamhax@...il.com>:
> Hello Hendrik,
>
> Sorry buddy, if I've upset you. I just shared the information
> available. I didn't realize it would hurt someone.
> I'll update it. Thanks for sharing.
>
> Regards,
> Satyamhax
>
> 2011/5/1 アドリアンヘンドリック <unixfreaxjp22@...il.com>:
>> Dear all,
>>
>> Sorry for conveniences.
>> At least I have to reveal the truth here.
>>
>> Since the parts of my translation text is up online in some sites
>> (without my permission at all!) anyway. Looks it was downloaded during
>> my middle editing and fixing the words,
>>
>> As security developer I am very sad if it is used for the bad purpose.
>>
>> I don't think that ps3dev was on it, yet I don't know what anonymous
>> is and I don't care of it.
>> What I cared is so many misinformation happens, and so many people got
>> worried for the privacy got leaked.. I personally got 2 accounts in
>> PSN too, and have some rage in my heart for the incident follow up.
>>
>> But, what was happened in the press conference today was moving my heart.
>> The reporters which many of them are from security professionals was
>> asking sharp questions related to the incident handlings, thumbs up,
>> And for the SONY, they answered it well. And this is the truth. I feel
>> like all sides want to play fair to compensate every damages occurred,
>> which it is good deed, gentlemen. So let's the good stuffs rolling.
>>
>> Herewith I am passing you the attachment of the real translation of
>> Q&A between reporters and them, this is for the above purpose.
>> Actually it was half personal notes for me.. (comments exist), please
>> read the note above the translation text which said that I am not a
>> professional translator, which text was being CUT by any irresponsible
>> guy who upload it.
>> If some of you have the access to the sites who onlined this
>> translations like the below URLs mentioned by Mr. Satyam Pujari
>> below....
>> -------------------------------------------------------------
>> http://esploit.blogspot.com/2011/05/psnhack-sony-q.html
>> http://www.thehackernews.com/2011/05/anonymous-vs-sony-word-by-word-qa-bw.html
>> -------------------------------------------------------------
>> ....please upload the REAL finished and FULL TEXT translation then!
>> Which is the one attached in this email and please NOT ALLOWED TO CUT,
>> MODIFIED or CHANGED it please,
>>
>> Actually I am still pissing off to know this text is up and online in
>> a hacker site too..., but anyway, please help me to upload the truth
>> then.
>>
>> I compared (diff) my text and the uploaded text and found some slight
>> differences too, and somehow the translations was cut/not full in the
>> middle... and cut at the top..., this is really giving me bad name. To
>> proof it below is the diff of it:
>>
>> I am now in Fukushima and visiting my family who got to moved to
>> another place to live now, remote connecting to my desktop, its sad
>> enough for seeing disaster here,
>> is already hard and please don't make it harder.
>>
>> Regards
>> ---
>> Hendrik ADRIAN
>> ZeroDay.JP http://0day.jp
>>
>> /* Begin the diff code to be paste here.... */
>>
>> $ diff -a text1.txt text2.txt
>> 1,5c1,7
>> < Q. The accuracy of approximately 10 million credit flow
>> < A. There is no firm evidence of leakage. Cannot say wether a leak or not. There is no report so far.
>> <
>> < Q. prospect of resuming services.
>> < A. We want to restart the service country/region base. Basically approx within a week schedule. (a week from today?.. previously we heard about same "a week matter..)
>> ---
>>> Q. The accuracy of approximately 10 million credit flow
>>> A. There is no firm evidence of leakage. Cannot say wether a leak or not.
>>> There is no report so far.
>>>
>>> Q. prospect of resuming services.
>>> A. We want to restart the service country/region base. Basically approx within a week schedule.
>>> (a week from today?.. previously we heard about same "a week matter..)
>> 11c13,14
>> < A. Hacking with the high skill technique was undergoing, was confirmed. But we still dont know data was stolen / taken
>> ---
>>> A. Hacking with the high skill technique was undergoing, was confirmed.
>>> But we still dont know data was stolen / taken
>> 14c17,18
>> < A. The possibility existed, what/when/how was it still under investigation. account numbers is between 7700000 to 7800000 accounts plus there are double accounts.
>> ---
>>> A. The possibility existed, what/when/how was it still under investigation.
>>> account numbers is between 7700000 to 7800000 accounts plus there are double accounts.
>> 17c21,23
>> < A. Basically SNE is business foundation in US, reported to FBI and asked for investigation. It's still under investigation so cannot make more commane on this. (.. this part is the right thing to do..)
>> ---
>>> A. Basically SNE is business foundation in US, reported to FBI and asked for investigation.
>>> It's still under investigation so cannot make more commane on this.
>>> (.. this part is the right thing to do..)
>> 20c26,27
>> < A. There was a well-known vulnerability which we(SNE) did not even know it exists in the system (this could be a web base kinda vulns...)
>> ---
>>> A. There was a well-known vulnerability which we(SNE) did not even know it exists in the system
>>> (this could be a web base kinda vulns...)
>> 22,23c29,31
>> < Q. The attacked server was what kind of server?
>> < A. If we answer it you will questioning us deeper more, so the answer is no comment. (.. politics... politics..)
>> ---
>>> Q. The attacked server was what kind of server?
>>> A. If we answer it you will questioning us deeper more, so the answer is no comment.
>>> (.. politics... politics..)
>> 29c37,40
>> < A. we did the internal hacking announce, shutdown the system, requesting investigation, shutdown was also done in steps,..in order to disclose, firstly the current data need to be analyze, was huge, the time was taken more than expected. (... looks like they don't know where to start..)
>> ---
>>> A. we did the internal hacking announce, shutdown the system, requesting investigation,
>>> shutdown was also done in steps,..in order to disclose, firstly the current data need to be analyze, was huge,
>>> the time was taken more than expected.
>>> (... looks like they don't know where to start..)
>> 41c52,54
>> < A. As a long-term response to this matter, we will fix strategy both short-and-long-term security vision of the network service. NGP and roadmap at the moment is unchanged.
>> ---
>>> A. As a long-term response to this matter,
>>> we will fix strategy both short-and-long-term security vision of the network service.
>>> NGP and roadmap at the moment is unchanged.
>> 46,47c59,62
>> < Q. How about the users which will not/dont/cant change the password for later, you will provide the action from the PSN system?
>> < A. We will announce the request to reset the password for all PSN users. Wether system will perform some action aor not we will confirm it.
>> ---
>>> Q. How about the users which will not/dont/cant change the password for later,
>>> you will provide the action from the PSN system?
>>> A. We will announce the request to reset the password for all PSN users.
>>> Wether system will perform some action aor not we will confirm it.
>> 51c66
>> < We won't forgive the customazation/modification in our product.
>> ---
>>> We won't forgive the customazation/modification in our product.
>> 53c68
>> < Sony: "The password was not encrypted, BUT protected by HASH"
>> ---
>>> (UPDATE)(interrupt) Sony: "The password was not encrypted, BUT protected by HASH"
>> 56,57c71,74
>> < Q. Do you know the risk of the current incident will be happened, but WHY you keep continuing service? What will be your plan?
>> < A. We will keep on continuing protecting the user's privacy. So we took this hard lesson and supprting it accordingly.
>> ---
>>> Q. Do you know the risk of the current incident will be happened,
>>> but WHY you keep continuing service? What will be your plan?
>>> A. We will keep on continuing protecting the user's privacy.
>>> So we took this hard lesson and supprting it accordingly.
>> 59c76,77
>> < Q. Why there is the different time lag regarding to the official blog announce between the international to Japan one?
>> ---
>>> Q. Why there is the different time lag regarding to the official blog announce between the
>>> international to Japan one?
>> 65,66c83,87
>> < Q. For the compensation you said you will consider to launch free download contents campaign, But what about the FINANCIAL GUARANTEE for the compensation?
>> < A. We guarantee the privacy of the credit card users, we also guarantee for the loss related to the service shutdown, if there is loss related to the card being used then we will guarantee and support it case by case.
>> ---
>>> Q. For the compensation you said you will consider to launch free download contents campaign,
>>> But what about the FINANCIAL GUARANTEE for the compensation?
>>> A. We guarantee the privacy of the credit card users,
>>> we also guarantee for the loss related to the service shutdown,
>>> if there is loss related to the card being used then we will guarantee and support it case by case.
>> 72,73c93,96
>> < Q. You explained before that you protecting systems with the best, but in the end why you can get hacked?
>> < A. We did the best we think for the security system. You may say that we were weak, but we WILL improve it.
>> ---
>>> Q. You explained before that you protecting systems with the best,
>>> but in the end why you can get hacked?
>>> A. We did the best we think for the security system.
>>> You may say that we were weak, but we WILL improve it.
>> 79,80c102,106
>> < A. Due to the after-intrussion we were busy focusing the monitoring. The vulnerability was discovered at the same time too.. Can not support efforts to accelerate the cycle for everything at the same time, as soon as we sure than we announce.
>> < (...in a very diplomatic way to say.. this part needs my energy to make english corrent nuanse ..)
>> ---
>>> A. Due to the after-intrussion we were busy focusing the monitoring.
>>> The vulnerability was discovered at the same time too..
>>> Can not support efforts to accelerate the cycle for everything at the same time,
>>> as soon as we sure than we announce.
>>> (...in a very diplomatic way to say.. this part needs my energy to make english corrent nuanse ..)
>> 85,86c111,116
>> < Q. While you released the information about the priacy stolen on 27th, why you DID NOT make the press conference at that time??
>> < A. The privacy leak possibility existance was clarified on 27th we made the announce of it in - the same day by blogs, we are doing the press release today as per scheduled in the internal roadmap.
>> ---
>>> /* (UPDATE) there was the announce of the numbers of users and product sales.. but it was so mumbling.. cannot hear it well */
>>>
>>> Q. While you released the information about the priacy stolen on 27th,
>>> why you DID NOT make the press conference at that time??
>>> A. The privacy leak possibility existance was clarified on 27th we made the announce of it in -
>>> the same day by blogs, we are doing the press release today as per scheduled in the internal roadmap.
>> 89c119,120
>> < A. Firewall couldn't detect it as intrusion, it looks as the normal data-transaction, looks like it was the regular commands process between clients-servers.
>> ---
>>> A. Firewall couldn't detect it as intrusion, it looks as the normal data-transaction,
>>> looks like it was the regular commands process between clients-servers.
>> 92c123,125
>> < A. It is currently under investigation, we have nothing to inform at the time being. regarding to the result it will bring possibilities which will effect the time line. So ..No comment for now.
>> ---
>>> A. It is currently under investigation, we have nothing to inform at the time being.
>>> regarding to the result it will bring possibilities which will effect the time line.
>>> So ..No comment for now.
>> 95c128
>> < A. There was not anything like this. for this kind of intrusion this is the first time.
>> ---
>>> A. There was not anything like this. for this kind of "intrusion" this is the first time.
>> 97,98c130,131
>> < Q. How about the firmware the current security?
>> < A. We will improve it.
>> ---
>>> Q. How about the PS3 firmware's current security condition related to this incident?
>>> A. We will improve it.
>> 101,104c134,135
>> < A. No such hard evidence for the privacy leak even until now, so we cannot response to your question, however if there is any financial damage occurred we will handle it case by case.
>> <
>> < Q. It was detected that the user agreement rules has be changed in 28th, why was it?
>> < A. The system itself is not user's base registration system like software does, so basically there's no such of user's agreement scheme that you assume. But we are-considering the procedure for cancelling the user registration for the current special case.
>> ---
>>> A. No such hard evidence for the privacy leak even until now, so we cannot response to your
>>> question, however if there is any financial damage occured we will handle it case by case.
>> 106,107c137,164
>> < Q. Is not the matter of the Credit Card got stolen, above it, what do you plan for your PRIVACY LEAK incident?
>> < A. If THERE IS ANY DAMAGE reported about this, we will start to deal with it, so far there is no report no claim come to us about this leaking matter.
>> ---
>>> Q. It was detected that the user agreement rules has be changed in 28th, specially regarding to
>>> the cancellation of registration terms by users or system due to incident,why was it?
>>> A. The PSN system itself is not user's base registration system like software does,
>>> so basically there's no such of user's agreement scheme that you assume. But we are-
>>> considering the procedure for cancelling the user registration for the current special case only.
>>>
>>> Q. You always said about credit card matters. It is not the matter of the Credit Card got stolen only,
>>> above it, what do you plan for your PRIVACY LEAK incident?? (angry voice of a reporter)
>>> A. If THERE IS ANY DAMAGE reported about this, we will start to deal with it,
>>> deeply sorry about the privacy matter, but -
>>> so far there is no report no claim come to us about this leaking matter (from japan at least it's what he meant)
>>>
>>> Q. How soon the PSN will be up?
>>> A. Cannot online or up soon. Approcimately in a max a week. The security assessment still ongoing.
>>> The security syste, will be fix to be better, now there's so many things that has to be done.
>>>
>>> Q. How about Anomymous group who said responsible to the attack?
>>> A. It is only the mass media communication matters and irrelevant to the current incident,
>>> could not find the connection of it.
>>>
>>> Press conference was over, they bows and went away...
>>>
>>> (end)
>>>
>>> -----
>>> Translated by @unixfreaxjp/twitter
>>> Please do not misuse this information and this is my private log only
>>> http://0day.jp
>> $
>> /* End of the diff code */
>>
>>
>> 2011/5/1 アドリアンヘンドリック <unixfreaxjp22@...il.com>:
>>> Dear operators of Full disclosure,
>>>
>>> Please do not make the below message to be up in the maillist.
>>> The link which contains translation text is currently being used by
>>> what so called anonymous and they put it in their site.
>>> I am really angry and frustrated for it, and erasing the text file in
>>> my server now.
>>> Sorry for the inconvenience.
>>>
>>> On Sun, May 1, 2011 at 9:22 PM, ZeroDay.JP <unixfreaxjp22@...il.com> wrote:
>>>> Just having some additional info to share regardingly. Sorry for interrupt.
>>>>
>>>> In Japan people were very patient to wait for announce from Sony, while in
>>>> heart worried so much.
>>>> It was 27th just a day before summer holiday here when the announce came ..
>>>> I got to hold the phone for 3 hours to passed thru to cancel all cards.
>>>>
>>>> Today I was watching the whole Sony news conference and writing it in text
>>>> word by word then took time to translate to english. The reporters here was
>>>> presenting the user's feelings very well, and I really respect them a lot,
>>>> they cleverly cornered Mr. Hirai's team with very logical questions.
>>>> Access for the Q&A text is here... http://0day.jp/data/PSN.txt
>>>>
>>>> I hope this list allowed this message to pass through, for I got a strong
>>>> sense that maybe I cannot hold the text uptime for too long.
>>>>
>>>> Best regards,
>>>> ---
>>>> Hendrik ADRIAN
>>>> ZeroDay Japan http://0day.jp
>>>> Twit: @unixfreaxjp, blog: "ZeroDay.JP" http://unixfreaxjp.blogspot.com
>>>>
>>>>
>>>> Re: psnhack - playstation network hack
>>>>
>>>> via Full Disclosure on 5/1/11
>>>>
>>>> Posted by Peter Osterberg on May 01
>>>>
>>>> In Sweden they did that 14 days after they got hacked, and at the same
>>>> time informed us that we should pay attention to weird things happening
>>>> on our bank accounts...
>>>>
>>>> LOL, it's fucking lame to come out with that warning 14 days after it
>>>> happened... Quite obvious that they wanted to bury the whole thing...
>>>>
>>>> Thor (Hammer of God) wrote 2011-04-30 19:13:
>>>>
>>>
>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/