on 21-02-2011 12:14 AM
on 21-02-2011 12:16 AM
TTDegs wrote:
Pyrofer wrote:
CFW leaves you with MORE risk, OFW still has risk.
Yes, same risk as with ANY online retailer, however anybody sensible encrypts the DATA as well as relying on the SSL transport.
Plus they are required to store it in non-readable format. I doubt they decode it in order to send as clear text and then re-code it at the other end.
So the implication is it's stored BOTH ends in clear text too, THAT is the problem.
Pyrofer.
I'm sorry, but I really do feel the need to pick up on this one, and apologies in advance, as I've not yet read beyond this post.
1) "anybody sensible encrypts the DATA as well as relying on the SSL transport" Can you please back this up with some evidence? And preferably include the method by which said data is encrypted at client side, and then decrypted at server side? Specifically detailing exactly how the encryption key is passed between the two?
I've worked with transmission and usage of credit card data for quite a few years now, at two different well known card acquirers, and - well basically if you can solve that issue without the need for either hardware, or a random key (ie one that the client doesn't know - useful!), then you stand to make some serious money...
2) "Plus they are required to store it in non-readable format. I doubt the decode it in order to send as clear text and then re-code it at the other end."
Erm.... They DO encode it to send - that's what SSL encryption does....
The whole point of an encryption algorithm is that you put plain data in one end, and it comes out encrypted.
At the other end, you put the encrypted data in, and it comes out unencrypted.
And then, for many, many reasons, when you store that data, you encrypt it again - by whatever method you see fit.
This is what PCI-DSS is all about (well, partly anyway, there is a bunch of other stuff too).
3) "So the implication is its stored BOTH ends in clear text too, THAT is the problem."
THAT would be a problem - IF your implication held water.
But it is a MASSIVE 'IF'.
Which neither you, nor I, nor anyone else outside of Sony, can prove or disprove.
And whilst this is a Sony forum, and we are talking about the PS3 specifically, in the interests of fairness, exactly the same thing could be said of any other card acquirer, or payment processing web site.
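TTDegs' description above (TLS protects the card number on the wire, the server decrypts it, and PCI-DSS then requires it to be stored in a non-readable form) as code. This is an added example, not the poster's or Sony's code; the HMAC key, the truncation layout and the sample card numbers are assumptions for the demo.

```python
"""
What "non-readable storage" of a card number can look like once TLS has
been terminated and the application holds the plaintext PAN. PCI-DSS
allows truncation, index tokens and strong keyed hashing as rendering
methods; this models truncation plus a keyed (HMAC-SHA256) token.
"""
import hashlib
import hmac
import re

# Placeholder key for the demo. In production the key lives in an HSM/KMS,
# never in application config or in the database next to the records.
TOKEN_KEY = bytes.fromhex("0f" * 32)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to reject obvious typos before anything is stored."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def render_for_storage(pan: str, key: bytes = TOKEN_KEY) -> dict:
    """Return the only two fields that should be persisted for a PAN:
    a truncated display form (first 6 + last 4) and a keyed token that
    lets records be matched without the PAN itself being stored."""
    pan = re.sub(r"\D", "", pan)
    if not (13 <= len(pan) <= 19) or not luhn_ok(pan):
        raise ValueError("invalid PAN")
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"display": masked, "token": token}


def matches_stored(pan: str, stored: dict, key: bytes = TOKEN_KEY) -> bool:
    """Check a freshly supplied PAN against a stored record in constant time."""
    candidate = render_for_storage(pan, key)["token"]
    return hmac.compare_digest(candidate, stored["token"])
```

The sample numbers in the test are the well-known Luhn-valid test PANs, not real cards.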
Sounds like some interesting points there, I've been following the last few pages or more, quite interested to see the evidence of all this & the whole card details in plain text.
Don't the hackers etc. usually do something called "proof of concept" or something to prove they can do what they say? Like when this all started the fail0verflow group did to prove their work.
How come there's no "proof of concept" or anything even close for all this recent stuff being said by the pro hackers on here? Surely they'd just go away, grab the evidence they needed & show it, or perform what they need to, then come back & show us? (Of course in a way that's not explaining how to do it, isn't that the whole point of proof of concept?)
on 21-02-2011 01:40 AM
Pyrofer wrote:
By the way, if you work in the CC industry, I am totally willing to believe you have that garage
on 21-02-2011 02:14 AM
The-Smoker69 wrote:
[---]Sounds like some interesting points there, I've been following the last few pages or more, quite interested to see the evidence of all this & the whole card details in plain text.
Don't the hackers etc. usually do something called "proof of concept" or something to prove they can do what they say? Like when this all started the fail0verflow group did to prove their work.
Like I've said before, this is pure speculation..
My guess is that the dump being circulated is a proof of concept. It's just been warped into something it really wasn't from the beginning.
It may have started as someone simply being able to find out how to snoop the plain text data prior to encryption. But the point was to show that they could intercept the data in a presentable form; it really does no more than that. It's not any form of attack at all.
Then someone saw the plain text dump, interpreted it as it was being sent exactly like that over the wire, and then went on to post it as a statement of fact, rather than a speculation.
Again, this is speculation on my part. The dump does not seem entirely unbelievable to me. The fact that it would be sent plain text does. And that the person who retrieved the dump from the beginning would have claimed it was sent in plain text does not sound plausible to me. I think someone filtered the original message and added some FUD to it. But without knowing the original source, there's really no way of knowing.
on 21-02-2011 03:18 AM
zinep wrote:
The-Smoker69 wrote:
[---]Sounds like some interesting points there, I've been following the last few pages or more, quite interested to see the evidence of all this & the whole card details in plain text.
Don't the hackers etc. usually do something called "proof of concept" or something to prove they can do what they say? Like when this all started the fail0verflow group did to prove their work.
Like I've said before, this is pure speculation..
My guess is that the dump being circulated is a proof of concept. It's just been warped into something it really wasn't from the beginning.
It may have started as someone simply being able to find out how to snoop the plain text data prior to encryption. But the point was to show that they could intercept the data in a presentable form; it really does no more than that. It's not any form of attack at all.
Then someone saw the plain text dump, interpreted it as it was being sent exactly like that over the wire, and then went on to post it as a statement of fact, rather than a speculation.
Again, this is speculation on my part. The dump does not seem entirely unbelievable to me. The fact that it would be sent plain text does. And that the person who retrieved the dump from the beginning would have claimed it was sent in plain text does not sound plausible to me. I think someone filtered the original message and added some FUD to it. But without knowing the original source, there's really no way of knowing.
Update: I may have found the article from where these rumors originated. And it does indeed explicitly state that credit card information is transferred unencrypted. Though another (much more reliable) news site reports the same thing, but with an update/correction which stipulates that the hackers have written a document in which they clarified that it was in fact encrypted with SSL.
My gut feeling may have been pretty much spot on (well, provided the whole thing isn't completely made up): The original hackers didn't claim it was sent unencrypted; they just showed a dump of the unencrypted data, and some people (read: journalists) either misunderstood or willfully misinterpreted it and spread FUD.
21-02-2011 05:31 AM - edited 21-02-2011 05:34 AM
zinep wrote:
zinep wrote:
The-Smoker69 wrote:
[---]Sounds like some interesting points there, I've been following the last few pages or more, quite interested to see the evidence of all this & the whole card details in plain text.
Don't the hackers etc. usually do something called "proof of concept" or something to prove they can do what they say? Like when this all started the fail0verflow group did to prove their work.
Like I've said before, this is pure speculation..
My guess is that the dump being circulated is a proof of concept. It's just been warped into something it really wasn't from the beginning.
It may have started as someone simply being able to find out how to snoop the plain text data prior to encryption. But the point was to show that they could intercept the data in a presentable form; it really does no more than that. It's not any form of attack at all.
Then someone saw the plain text dump, interpreted it as it was being sent exactly like that over the wire, and then went on to post it as a statement of fact, rather than a speculation.
Again, this is speculation on my part. The dump does not seem entirely unbelievable to me. The fact that it would be sent plain text does. And that the person who retrieved the dump from the beginning would have claimed it was sent in plain text does not sound plausible to me. I think someone filtered the original message and added some FUD to it. But without knowing the original source, there's really no way of knowing.
Update: I may have found the article from where these rumors originated. And it does indeed explicitly state that credit card information is transferred unencrypted. Though another (much more reliable) news site reports the same thing, but with an update/correction which stipulates that the hackers have written a document in which they clarified that it was in fact encrypted with SSL.
My gut feeling may have been pretty much spot on (well, provided the whole thing isn't completely made up): The original hackers didn't claim it was sent unencrypted; they just showed a dump of the unencrypted data, and some people (read: journalists) either misunderstood or willfully misinterpreted it and spread FUD.
Well, your last 2 posts certainly cleared things up for me, & from what I've read you could well be right about when it originated; the person never claimed this info was sent in plain text, although it's hard finding reliable info from Google sometimes lol. Thanks for a well-thought-out & respectable post(s).
on 21-02-2011 07:52 AM
Firefox2000 wrote:
Pyrofer wrote:
I love the assumption that because I can't prove it its not true.
Can somebody who has been the victim of card fraud tell me exactly where and how their card got copied?
No?
That's because the criminals prefer you not to know, so you don't you know, stop them?
How the frack can I prove where a stolen card number comes from?
My point about the GeoHot thing, doesn't matter if he is right or wrong, if it gets settled without even going to court because he doesn't have the money to defend himself, that is bad. Getting your day in court shouldn't depend on how rich you are.
Well as I said already, if he was so smart he would never have gotten himself into this position in the first place and would never have needed a day in court......he has only one person to blame now for his predicament........himself.
What will be funny will be the utter and total lack of support he will get from the very freetards who have rubbed his ego and played him like a puppet for the last 4 years in an effort to get their freetards' dream of a hacked PS3....they must be ***** themselves laughing now this brain dead ***** has been left holding the bag.
Not really, from all accounts he's been getting a lot, and I mean a lot, of money to help him fight this case.
Again, not defending him, just saying he is indeed getting the support from the hackers and from their pockets.
on 21-02-2011 08:46 AM
Pyrofer wrote:
TTDegs, Thanks for your input.
I will of course bow to your knowledge on this one as you obviously have access to a lot more info than me here!
My point rests on this bit,
"3) "So the implication is its stored BOTH ends in clear text too, THAT is the problem."
THAT would be a problem - IF your implication held water.
But it is a MASSIVE 'IF'.
Which neither you, nor I, nor anyone else outside of Sony, can prove or disprove."
The evidence given so far by the hackers suggests it's true. Lots of people here will try to discredit them with whatever, but the fact is, when it comes to CC details, that tiny 'if' is enough to make me keep mine off the PS3 from now on.
What evidence?
on 21-02-2011 08:50 AM
Egohot will get all the money he needs for this, not just from hackers but also from people who believe that what Sony is doing is wrong. When a global corporation takes on 1 guy for doing what he wants with a machine he paid for, and he specifically stated and enforced that it would not enable piracy with his method, it doesn't sit well with a lot of people.
on 21-02-2011 08:53 AM
It's beginning to get tiring, seeing the "lone crusader" act being drawn out for so many pages without anything substantial other than mere speculation and personal input. Without naming names a single individual is completely derailing the thread all in the name of saving face.
While I don't think reporting is the solution (it is only an alternative view if a stupid one), is anyone up for a FULL recap of the events in a single post complete with quotes, sources and images? I would happily give up an hour or two making that if it meant people either side of the fence would start to bring more sense to the table!!!
What do you think, guys?