lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BANLkTin29d3smxqtA2RLnVwyViJWgSgV4g@mail.gmail.com>
Date: Sun, 1 May 2011 23:28:31 +0530
From: satyam pujari <satyamhax@...il.com>
To: アドリアンヘンドリック
	<unixfreaxjp22@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: psnhack - playstation network hack

Thanks Buddy.

Updated my blog.Hope others will updated soon.

http://esploit.blogspot.com/2011/05/psnhack-sony-q.html

Cheers :)
Satyamhax


2011/5/1 アドリアンヘンドリック <unixfreaxjp22@...il.com>:
> Mr. Satyam Pujari,
>
> Applology accepted. No hard feeling.
>
> Cheers.
>
> 2011/5/2 satyam pujari <satyamhax@...il.com>:
>> Hello Hendrik,
>>
>> Sorry buddy , If I've upset you. I just shared the information
>> available. I didn't realize it would hurt someone.
>> I'll update it.Thanks for sharing.
>>
>> Regards,
>> Satyamhax
>>
>> 2011/5/1 アドリアンヘンドリック <unixfreaxjp22@...il.com>:
>>> Dear all,
>>>
>>> Sorry for conveniences.
>>> At least I have to reveal the truth here.
>>>
>>> Since the parts of my translation text is up online in some sites
>>> (without my permission at all!) anyway.Looks it was downloaded during
>>> my middle editing and fixing the words,
>>>
>>> As security developer I am very sad if it is used for the bad purpose.
>>>
>>> I don't think that ps3dev was on it, yet I don't know what anonymous
>>> is and I don't care of  it.
>>> What I cared is so many misinformation happens, and so many people got
>>> worried for the privacy got leaked.. I personally got 2 accounts in
>>> PSN too, and have some rage in my heart for the incident follow up.
>>>
>>> But, what was happened in the press conference today was moving my heart .
>>> The reporters which many of them are from security professionals was
>>> asking sharp questions related to the incident handlings , thumbs up,
>>> And for the SONY, they answered it well. And this is the truth. I feel
>>> like all sides want to play fair to compensate every damages occured,
>>> which it is good deed, gentlemen. So let's the good stuffs rolling.
>>>
>>> Herewith I am passing you the attachment of the real translation of
>>> Q&A between reporters and them, this is for the above purpose.
>>> Actually it was half personal notes for me..(comments exist), please
>>> read the note above the translation text which said that I am not a
>>> professional translator, which text was being CUT by any irresponsible
>>> guy who uoload it.
>>> I
>>> f  some of you have the access to the sites who onlined this
>>> translations like the below URLs mentioned by Mr.satyam pujari
>>> below....
>>> -------------------------------------------------------------
>>> http://esploit.blogspot.com/2011/05/psnhack-sony-q.html
>>> http://www.thehackernews.com/2011/05/anonymous-vs-sony-word-by-word-qa-bw.html
>>> -------------------------------------------------------------
>>> ....please upload the REAL finished and FULL TEXT translation then!
>>> Which is the one attached in this email and please NOT ALLOWED TO CUT,
>>> MODIFIED or CHANGED it please,
>>>
>>> Actually I am still pissing off to know this text is up and online in
>>> a hacker site too..., but anyway, please help me to upload the truth
>>> then.
>>>
>>> I compared (diff) my text and the uploaded text and found some slight
>>> differences too, and somehow the translations was cut/ not full in the
>>> middle... and cut at the top..., this is really giving me bad name. To
>>> proof  it  below is the diff of it:
>>>
>>> I am now in fukushima and visiting my family who got to moved to
>>> another place to live now, remote connecting to my desktop , its sad
>>> enough for seeing disaster here,
>>> is already hard and please don't make it harder.
>>>
>>> Regards
>>> ---
>>> Hendrik ADRIAN
>>> ZeroDay.JP http://0day.jp
>>>
>>> /*Begin the diff code to be paste here....*/
>>>
>>> $ diff -a text1.txt text2.txt
>>> 1,5c1,7
>>> < Q. The accuracy of approximately 10 million credit flow
>>> < A. There is no firm evidence of leakage. Cannot say wether a leak or
>>> not. There is no report so far.
>>> <
>>> < Q. prospect of resuming services.
>>> < A. We want to restart the service country/region base. Basically
>>> approx within a week schedule. (a week from today?.. previously we
>>> heard about same "a week matter..)
>>> ---
>>>> Q. The accuracy of approximately 10 million credit flow
>>>> A. There is no firm evidence of leakage. Cannot say wether a leak or not.
>>>>    There is no report so far.
>>>>
>>>> Q. prospect of resuming services.
>>>> A. We want to restart the service country/region base. Basically approx within a week schedule.
>>>> (a week from today?.. previously we heard about same "a week matter..)
>>> 11c13,14
>>> < A. Hacking with the high skill technique was undergoing, was
>>> confirmed. But we still dont know data was stolen / taken
>>> ---
>>>> A. Hacking with the high skill technique was undergoing, was confirmed.
>>>>    But we still dont know data was stolen / taken
>>> 14c17,18
>>> < A. The possibility existed, what/when/how was it still under
>>> investigation. account numbers is between 7700000 to 7800000 accounts
>>> plus there are double accounts.
>>> ---
>>>> A. The possibility existed, what/when/how was it still under investigation.
>>>>    account numbers is between 7700000 to 7800000 accounts plus there are double accounts.
>>> 17c21,23
>>> < A. Basically SNE is business foundation in US, reported to FBI and
>>> asked for investigation. It's still under investigation so cannot make
>>> more commane on this. (.. this part is the right thing to do..)
>>> ---
>>>> A. Basically SNE is business foundation in US, reported to FBI and asked for investigation.
>>>>   It's still under investigation so cannot make more commane on this.
>>>> (.. this part is the right thing to do..)
>>> 20c26,27
>>> < A. There was a well-known vulnerability which we(SNE) did not even
>>> know it exists in the system (this could be a web base kinda vulns...)
>>> ---
>>>> A. There was a well-known vulnerability which we(SNE) did not even know it exists in the system
>>>> (this could be a web base kinda vulns...)
>>> 22,23c29,31
>>> < Q. The attacked server was what kind of server?
>>> < A. If we answer it you will questioning us deeper more, so the
>>> answer is no comment. (.. politics... politics..)
>>> ---
>>>> Q. The attacked server was what kind of server?
>>>> A. If we answer it you will questioning us deeper more, so the answer is no comment.
>>>> (.. politics... politics..)
>>> 29c37,40
>>> < A. we did the internal hacking announce, shutdown the system,
>>> requesting investigation, shutdown was also done in steps,..in order
>>> to disclose, firstly the current data need to be analyze, was huge,
>>> the time was taken more than expected. (... looks like they don't know
>>> where to start..)
>>> ---
>>>> A. we did the internal hacking announce, shutdown the system, requesting investigation,
>>>> shutdown was also done in steps,..in order to disclose, firstly the current data need to be analyze, was huge,
>>>> the time was taken more than expected.
>>>> (... looks like they don't know where to start..)
>>> 41c52,54
>>> < A. As a long-term response to this matter, we will fix strategy both
>>> short-and-long-term security vision of the network service. NGP and
>>> roadmap at the moment is unchanged.
>>> ---
>>>> A. As a long-term response to this matter,
>>>>    we will fix strategy both short-and-long-term security vision of the network service.
>>>>    NGP and roadmap at the moment is unchanged.
>>> 46,47c59,62
>>> < Q. How about the users which will not/dont/cant change the password
>>> for later, you will provide the action from the PSN system?
>>> < A. We will announce the request to reset the password for all PSN
>>> users. Wether system will perform some action aor not we will confirm
>>> it.
>>> ---
>>>> Q. How about the users which will not/dont/cant change the password for later,
>>>>    you will provide the action from the PSN system?
>>>> A. We will announce the request to reset the password for all PSN users.
>>>>    Wether system will perform some action aor not we will confirm it.
>>> 51c66
>>> < We won't forgive the customazation/modification in our product.
>>> ---
>>>>    We won't forgive the customazation/modification in our product.
>>> 53c68
>>> < Sony: "The password was not encrypted, BUT protected by HASH"
>>> ---
>>>> (UPDATE)(interrupt) Sony: "The password was not encrypted, BUT protected by HASH"
>>> 56,57c71,74
>>> < Q. Do you know the risk of the current incident will be happened,
>>> but WHY you keep continuing service? What will be your plan?
>>> < A. We will keep on continuing protecting the user's privacy. So we
>>> took this hard lesson and supprting it accordingly.
>>> ---
>>>> Q. Do you know the risk of the current incident will be happened,
>>>>    but WHY you keep continuing service? What will be your plan?
>>>> A. We will keep on continuing protecting the user's privacy.
>>>>    So we took this hard lesson and supprting it accordingly.
>>> 59c76,77
>>> < Q. Why there is the different time lag regarding to the official
>>> blog announce between the international to Japan one?
>>> ---
>>>> Q. Why there is the different time lag regarding to the official blog announce between the
>>>>    international to Japan one?
>>> 65,66c83,87
>>> < Q. For the compensation you said you will consider to launch free
>>> download contents campaign, But what about the FINANCIAL GUARANTEE for
>>> the compensation?
>>> < A. We guarantee the privacy of the credit card users, we also
>>> guarantee for the loss related to the service shutdown, if there is
>>> loss related to the card being used then we will guarantee and support
>>> it case by case.
>>> ---
>>>> Q. For the compensation you said you will consider to launch free download contents campaign,
>>>>    But what about the FINANCIAL GUARANTEE for the compensation?
>>>> A. We guarantee the privacy of the credit card users,
>>>>    we also guarantee for the loss related to the service shutdown,
>>>>    if there is loss related to the card being used then we will guarantee and support it case by case.
>>> 72,73c93,96
>>> < Q. You explained before that you protecting systems with the best,
>>> but in the end why you can get hacked?
>>> < A. We did the best we think for the security system. You may say
>>> that we were weak, but we WILL improve it.
>>> ---
>>>> Q. You explained before that you protecting systems with the best,
>>>>    but in the end why you can get hacked?
>>>> A. We did the best we think for the security system.
>>>>    You may say that we were weak, but we WILL improve it.
>>> 79,80c102,106
>>> < A. Due to the after-intrussion we were busy focusing the monitoring.
>>> The vulnerability was discovered at the same time too.. Can not
>>> support efforts to accelerate the cycle for everything at the same
>>> time, as soon as we sure than we announce.
>>> < (...in a very diplomatic way to say.. this part needs my energy to
>>> make english corrent nuanse ..)
>>> ---
>>>> A. Due to the after-intrussion we were busy focusing the monitoring.
>>>>    The vulnerability was discovered at the same time too..
>>>>    Can not support efforts to accelerate the cycle for everything at the same time,
>>>>    as soon as we sure than we announce.
>>>>   (...in a very diplomatic way to say.. this part needs my energy to make english corrent nuanse ..)
>>> 85,86c111,116
>>> < Q. While you released the information about the priacy stolen on
>>> 27th, why you DID NOT make the press conference at that time??
>>> < A. The privacy leak possibility existance was clarified on 27th we
>>> made the announce of it in - the same day by blogs, we are doing the
>>> press release today as per scheduled in the internal roadmap.
>>> ---
>>>> /* (UPDATE) there was the announce of the numbers of users and product sales.. but it was so mumbling.. cannot hear it well */
>>>>
>>>> Q. While you released the information about the priacy stolen on 27th,
>>>>    why you DID NOT make the press conference at that time??
>>>> A. The privacy leak possibility existance was clarified on 27th we made the announce of it in -
>>>>    the same day by blogs, we are doing the press release today as per scheduled in the internal roadmap.
>>> 89c119,120
>>> < A. Firewall couldn't detect it as intrusion, it looks as the normal
>>> data-transaction, looks like it was the regular commands process
>>> between clients-servers.
>>> ---
>>>> A. Firewall couldn't detect it as intrusion, it looks as the normal data-transaction,
>>>>    looks like it was the regular commands process between clients-servers.
>>> 92c123,125
>>> < A. It is currently under investigation, we have nothing to inform at
>>> the time being. regarding to the result it will bring possibilities
>>> which will effect the time line. So ..No comment for now.
>>> ---
>>>> A. It is currently under investigation, we have nothing to inform at the time being.
>>>>    regarding to the result it will bring possibilities which will effect the time line.
>>>>    So ..No comment for now.
>>> 95c128
>>> < A. There was not anything like this. for this kind of intrusion this
>>> is the first time.
>>> ---
>>>> A. There was not anything like this. for this kind of "intrusion" this is the first time.
>>> 97,98c130,131
>>> < Q. How about the firmware the current security?
>>> < A. We will improve it.
>>> ---
>>>> Q. How about the PS3 firmware's current security condition related to this incident?
>>>> A. We will improve it.
>>> 101,104c134,135
>>> < A. No such hard evidence for the privacy leak even until now, so we
>>> cannot response to your question, however if there is any financial
>>> damage occurred we will handle it case by case.
>>> <
>>> < Q. It was detected that the user agreement rules has be changed in
>>> 28th, why was it?
>>> < A. The system itself is not user's base registration system like
>>> software does, so basically there's no such of user's agreement scheme
>>> that you assume. But we are-considering the procedure for cancelling
>>> the user registration for the current special case.
>>> ---
>>>> A. No such hard evidence for the privacy leak even until now, so we cannot response to your
>>>>    question, however if there is any financial damage occured we will handle it case by case.
>>> 106,107c137,164
>>> < Q. Is not the matter of the Credit Card got stolen, above it, what
>>> do you plan for your PRIVACY LEAK incident?
>>> < A. If THERE IS ANY DAMAGE reported about this, we will start to deal
>>> with it, so far there is no report no claim come to us about this
>>> leaking matter.
>>> ---
>>>> Q. It was detected that the user agreement rules has be changed in 28th, specially regarding to
>>>>    the cancellation of registration terms by users or system due to incident,why was it?
>>>> A. The PSN system itself is not user's base registration system like software does,
>>>>    so basically there's no such of user's agreement scheme that you assume. But we are-
>>>>    considering the procedure for cancelling the user registration for the current special case only.
>>>>
>>>> Q. You always said about credit card matters. It is not the matter of the Credit Card got stolen only,
>>>>    above it, what do you plan for your PRIVACY LEAK incident?? (angry voice of a reporter)
>>>> A. If THERE IS ANY DAMAGE reported about this, we will start to deal with it,
>>>>    deeply sorry about the privacy matter, but -
>>>>    so far there is no report no claim come to us about this leaking matter (from japan at least it's what he meant)
>>>>
>>>> Q. How soon the PSN will be up?
>>>> A. Cannot online or up soon. Approcimately in a max a week. The security assessment still ongoing.
>>>>    The security syste, will be fix to be better, now there's so many things that has to be done.
>>>>
>>>> Q. How about Anomymous group who said responsible to the attack?
>>>> A. It is only the mass media communication matters and irrelevant to the current incident,
>>>>    could not find the connection of it.
>>>>
>>>> Press conference was over, they bows and went away...
>>>>
>>>> (end)
>>>>
>>>> -----
>>>> Translated by @unixfreaxjp/twitter
>>>> Please do not misuse this information and this is my private log only
>>>> http://0day.jp
>>> $
>>> /* End of  the diff  code */
>>>
>>>
>>> 2011/5/1 アドリアンヘンドリック <unixfreaxjp22@...il.com>:
>>>> Dear operators of Full disclosure,
>>>>
>>>> Please do not make the below message to be up in the maillist.
>>>> The link which contains translation text is currently being used by
>>>> what so called anonymous and they put it in their site.
>>>> I am really angry and frustrated for it, and erasing the text file in
>>>> my server now.
>>>> Sorry for the inconvenience.
>>>>
>>>> On Sun, May 1, 2011 at 9:22 PM, ZeroDay.JP <unixfreaxjp22@...il.com> wrote:
>>>>> Just having some additional info to share regardingly. Sorry for interrupt.
>>>>>
>>>>> In Japan people were very patient to wait for announce from Sony, while in
>>>>> heart worried so much.
>>>>> It was 27th just a day before summer holiday here when the announce came ..
>>>>> I got to hold the phone for 3hours to passed thru to cancell all cards.
>>>>>
>>>>> Today I was watching the whole Sony news conference and writing it in text
>>>>> word by word the took time to translate to english. The reporters here was
>>>>> presenting the user's feelings very well, and I really respect them a lot,
>>>>> they cleverly cornered Mr. Hirai's team with very logical questions.
>>>>> Access for the Q&A text is here... http://0day.jp/data/PSN.txt
>>>>>
>>>>> I hope this list allowed this message to pass through, for I got a strong
>>>>> sense that maybe I cannot hold the the text uptime for too long.
>>>>>
>>>>> Best regards,
>>>>> ---
>>>>> Hendrik ADRIAN
>>>>> ZeroDay Japan http://0day.jp
>>>>> Twit: @unixfreaxjp, blog: "ZeroDay.JP" http://unixfreaxjp.blogspot.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Sent to you by ZeroDay.JP via Google Reader:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Re: psnhack - playstation network hack
>>>>>
>>>>> via Full Disclosure on 5/1/11
>>>>>
>>>>> Posted by Peter Osterberg on May 01
>>>>>
>>>>> In Sweden they did that 14 days after they got hacked, and at the same
>>>>> time informed us that we should pay attention to weird things happening
>>>>> on our bank accounts...
>>>>>
>>>>> LOL, it&apos;s fucking lame to come out with that warning 14 days after it
>>>>> happened... Quite obvious that they wanted to bury the whole thing...
>>>>>
>>>>> Thor (Hammer of God) skrev 2011-04-30 19:13:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Things you can do from here:
>>>>>
>>>>> Subscribe to Full Disclosure using Google Reader
>>>>> Get started using Google Reader to easily keep up with all your favorite
>>>>> sites
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ