About That PSN hack

Let's just get this out there right now: If you hack the PlayStation 3, figure out how to disable its significant copyright security mechanisms, and publish your information on how to do so, they will sue you. If Sony, through their negligence and extremely insecure data security, causes your personal information, including your billing address, credit card information, PSN login and password, email address, birthday, etc., to be disclosed, they will "regret the inconvenience."

There's simply no excuse for what happened. Storing CC data in plaintext should never be done. In fact, storing it encrypted isn't even necessary, as their payment gateway(s) should provide them with a reusable ID token once the CC is authorized. Storing user data in plaintext is bad, but a common mistake. Passwords, though... where did they get these programmers from?!? Password hashing is security 101. It gets more sophisticated depending on your paranoia level, but if they stored passwords in plaintext like it appears they did, then the people responsible deserve to be fired. Immediately.

It's been speculated that the data was found outside of the database in HTTP logs, since the data exchange between the PS3 and PSN has this data in a GET string. This is probably wrong, unless the PS3 has the CC data stored and is transmitting it to PSN on a regular basis (another unbelievable security screwup, if that's the case). Many long-time users have reported CC fraud since the initial break-in, which is at odds with the HTTP-log-GET-string explanation.

It's an interesting situation to watch, both the PS3 firmware exploitation (and the resulting lawsuit and blowback) and the PSN hacking. 70 million accounts! If there was complete disclosure of everything, this might be one of the largest security breaches in history, both in size and impact. Sony has been an extremely poor corporate citizen so far this year and I wouldn't be surprised if people start showing their displeasure by spending their dollars elsewhere.