"It is arrogant to think we are always going to come back. See ya next week!" I know, those two statements are made in two totally different contexts. I found it funny though.
Well, I do have a security background, work at a rather large CERT, so maybe I'm qualified to answer the questions presented. First of all, identifying the location of an IP address is of course possible. With some minor errors, sometimes, but in nearly all cases it's usually accurate. Though it is far from certain that this IP address identifies the location of a customer. It is fairly trivial for anyone with at least a passing knowledge of networking to configure a system in such a way to act as a proxy and hence make them appear to come from wherever this computer is located. Since it's also rather easy to rent a box in a server farm somewhere on this globe, this would allow someone to hail from wherever they want to. And that in turn might create a legal problem with local laws, where such a setup would allow people to buy games that were banned by their local government, which in turn could mean bad press or even a sales ban for the company involved if it gets out. The core of the matter is that if YOU identify your user by his IP address, YOU are responsible if it is wrong (even despite your user deliberately and with ill intent "displaced" himself to another country). If HE makes a false claim when choosing his country from your list, HE lied to you and you're in a legally far better position. So the "why don't you use my IP to see where I come from" question is more a legal than a technical one. This said, there is still no reason for Sony or any other company to store all that information. Every modern console has a built in mass storage system, either in the form of a HD or memory cards. The data in question is hardly large and would take up trivial amounts of storage space. So there is no need to enter it every single time you wish to use it, your console could store that information and transmit it if needed.
+Christen Edmundson I have to admit I don't exactly know which of two possible scenarios you are referring to now, either the physical theft of the console or the storage medium, or hacking a console as it is online. I will try to answer both. As for the hack of a console (i.e. hacking the consoles rather than the storage center): It is likely that this would be easier. It is likely that the console does not have the same level of security in place that a data center has that has to conform to the PCI-DSS requirements (and storing CC data, they have to conform to that). So yes, hacking a console and getting the data from that console is probably a far easier scenario for a potential attacker. But in such a scenario he only gets one single point of data, one CC info along with the personal data of one person. A mass hack, i.e. executing a hack on multiple IP addresses in the hope to catch a PS connected to it, will likely yield far fewer personal data records than the server hack, because it will only affect systems (and hence users) that happen to be connected to the internet at the very moment of the hack. Anyone offline or not playing at this time would not be affected, and it is likely that such a hack will not go unnoticed by Sony and security researchers (I cannot go into detail here, but mass hacks are terribly noisy). You would simply get a lot less data by hacking consoles. As for the physical theft of the devices or the storage media, it is even worse for the thief, effort-wise. By stealing a PS or the SD card/USB drive, he would get a single unit of data. To achieve the same amount of damage where thousands of customer data records have been compromised, he would have to steal thousands of consoles. And we didn't even touch the subject of encryption and password-to-unlock-info. 
Which can be implemented sensibly on a console, too, if you make the "password" simply a sequence of controller commands, similar to old-fashioned cheat codes (I guess everyone remembers up up down down left right left right B A start).
***** The point is that by hacking a console, I get ONE set of information. By hacking the server, I get MANY. The effort necessary to harvest identities from different consoles is simply way higher, presenting a much higher obstacle to a potential attacker. Such an attack could only be pulled sensibly with an automated attack that abuses some security hole in the general setup of the console, which depends on people actually being online in the time frame between the exploit being found by the attacker and the security hole being patched by the console maker. In a nutshell, any attack that has to target consoles rather than a controlling server will net the attacker much fewer data sets.
+0x777 I don't think the burden of hacking individual devices is as onerous as you are making it out to be. More difficult, yes, but only trivially so. Currently we have: Step 1: Hack the Network Step 2: Profit. In your scenario, that would become Step 1: Hack a Console Step 2: Hack the Network Step 3: Traverse the network and use the method from Step 1 to hack any consoles connected to that network Step 4: Profit. As others have said, you don't make it easy by storing that information in plain text like Sony did, but if the information is going to be stored, the location really doesn't matter from a hacker's PoV.
Ed Harris There are a few things that would mitigate and limit the efficiency of such an attack against consoles vs. an attack against a server. 1) Only online consoles at the time of the attack would be affected. Whereas data in a server is (or rather, pretty much has to be for sensible operation) online 24/7, the data on your console is only available to anyone trying to attack you while your console is online. This is usually only during the times people are actually using them and playing games, which would limit the amount of affected people by such an attack. 2) The data on the console can be stored in encrypted form and require you to enter a "pass phrase" with your controller (think old time cheat codes) before it can be transmitted, or it could be stored on an external thumb drive altogether that you have to plug in physically to enable the transmit of the data. This would actually limit the attack window to the few moments when you actually wish to use your credit card to buy something.
Which assumes that the attack can only happen once or that all machines need to be compromised simultaneously. In a distributed scenario, a hacker could as easily design their attack such that data retrieval is delayed until a critical mass of machines was infected. If the data storage method is bad, the location doesn't matter. Security through obfuscation is no security at all.
A better statement: "PSN shouldn't store _some_ of my data." On Wii U, I always chose the option to _not_ store my card number. This because I wanted it to be more annoying to buy things, to limit how much I purchase online. I hope Nintendo now haven't stored my card number anyway, so it isn't available to be leaked out.
The reason why the PSN can't track you through IP address is because IP addresses aren't always right in terms of location. For example, my IP address will tell you that I live in Spokane, WA, when I really live about 200 miles away from Spokane.
Main reason, people can route their IPs through VPNs and other techniques in order to hide their real location. But when you request a proof of the address you reduce the chances of someone giving an incorrect address.
AWFULLY SUSPICIOUS KNOWING ABOUT VPNs GUYS! ... and that's exactly why the professional scene has yet to integrate a solution to this well. Even in 2018 only some websites actually bother to circumvent VPNs themselves... ... point is, there will always be a way and until the majority of people understand this... AAA is doomed.
I know I'm a year late to this conversation but that's not true (And your comment has 50 likes). IP addresses are very accurate in terms of location if you have the correct technology (Or you just contact the ISP). I'm sure that if you use some website for tracking an IP the most you could get that would be reliable is the country, but if you know what you're doing someone could easily get your info from an IP.
4:10 "Services we desire" I do believe I saw the Internet Explorer logo tucked in there, and feel deeply hurt that you would think any of us might actually willingly use it :(
We use Internet Explorer to download a better browser, and then forget it exists. We only use it again when we need to redownload said other browser if it does anything really bad/BSOD-inducing.
+Darel Halgarth not agreeing or disagreeing but businesses and schools use it simply because it is guaranteed to work with programs designed for windows, which they all use, and it is unlikely to cause any problems with other programs. The fact that EVERY other browser works 300x better in every way 99.99% of the time is not really enough. At least that's the rationale I've always heard :/
Omega Xicor After some research I also discovered that apparently it's easier to control what students can see and block specific sites with internet explorer. I would've thought you could do that with other browsers too, but supposedly not to a large enough extent?
You know what the best solution is? Saving your personal info should be possible, but it shouldn't be mandatory. IF a lazy person trusts PSN, they should be able to say "store my data for the next purchase", and a paranoid person should say "never store any of this data".
napstrike except psn really can't work without it. If you said payment information then I would say yeah ok but still doesn't excuse it but there is a lot that doesn't work without it. They have to know what country you're in cause of legal and licensing issues, they need to know some information for identifying identity when contacting them and lots of other.
Other online services do work without it. Steam does. Many online retailers I can also choose to have this information saved to my profile for ease of use or to have to enter it every time. PSN just...didn't.
well yes, some do most definitely and the reason for that is cause in the UK collecting personal information for people under 13 years of age is illegal and every UK citizen can legally have their information deleted by a company. it is much simpler to just not require it for everyone than to have multiple systems in place. the reasons a lot of companies require is for web security, if you send an email you must be able to prove who you are so they ask you questions like name, address and date of birth but they can't ask it if they don't know themselves. so by making this optional, it makes it so much harder to keep things secure. on top of that, no company is allowed to let minors view adult content without asking for at least your age in any country, as a result, you can't buy say GTA off steam or even look at their forums without at least giving your date of birth. so as I said there are a lot of things that don't work without it.
NiteOwl what legal reasons a company is bound by is another topic for another day. PSN was not the first data breach. Nor were they the first to be shown they store intimate data in plain text. They did and did not offer the user an ability not to have it stored which is just malicious and ignorant.
You shouldn't track location by IP. I live in Northern Ireland, but my IP tells sites I'm anywhere from the Isle of Man to Liverpool to Dublin, I've never seen an IP tracker that has gotten my location right.
ElNamano I have to disagree with you there. I do realize that there are people in your predicament. However, these are very rare and platforms should at least have a default+a bit of insurance to make sure your location seems legit.
Am I remembering this correctly: once the security was bypassed, the customer data was all stored as plain text, completely unencrypted? Was that this incident? That is what the security folks call "failing badly". A system that "fails well" contains the damage when it fails: they got in the door, but each room is also locked, and valuables are locked up and hidden. If anybody who can defeat the front door gets all the goodies in the house, your security was designed by someone who was overpaid.
I think we should have a choice on if we want our data stored. I want to be able to choose between convenience and safety. I keep GPS turned off on my phone and tablet and I can't think of any rational reason other than "people can find me when I don't want to be found," but it should still be my choice.
TL;DR: I laughed when EC said "we're not dumb". Collectively "we" are dumb. Long: Yeah, unfortunately, the Extra Credit guys got a few things wrong this episode. They mention "TRUST" but you see Appl getting away scot-free (and EC even defends them without the full picture): There's one thing with downloading a collection of access points that's in the area you're in -- Reporting in 24/7 for ads, making available to all apps (this was a bug, but a bug that existed for over 4 years), and having an opt-out that was completely off the device (on a webpage) without informing anyone is not building "TRUST". More egs: Render a full desktop webpage downloaded over a 3G connection on a 250MHz processor in 4 seconds without a "speed not real"? Learn a guitar by having a voice assistant that was already available on the store that worked even with the original iPhone but magically now only the 4? Wanna sell US-only band LTE tablets in UK? (I could go on with outright lies, not just withholding info like Sony did) Just google "no reasonable person would believe our commercials" - that's right, you can find what I mean without specifying a company! This is exactly why Sony did what they did - and you know what? The two aforementioned companies still sell like crazy because nobody actually cares enough to inconvenience themselves or worse, doesn't know about it or is misinformed about it - the effect on their bottom lines for people outraged is a rounding error to them.
Sadly, that's not the case. You can be as paranoid / proactive all you want, but how can you tell if an app author is sending telemetry anywhere? For example, websites you visit likely contain tracking services (install Ghostery and see who's watching your habits). With websites, you can analyze the code pretty easy as it comes through HTML and strip things out - but once you get into Executable territory, it becomes 10x harder - especially if the platform doesn't normally allow access to the binary.
What I was referring to are the tracking cookies. By default, you have no idea you are being tracked by a 3rd party. Logging in to ANY service that has that cookie even once can attach your personal info to your browsing habits... ... all without your knowledge, because the website authors placed said ad services on their website.
You can use a proxy/VPN/TOR to route your traffic via a computer on the other side of the world. And IPs aren't completely precise when it comes to locations.
For physical connections you can find the country it belongs to with publicly available information. Have a search for country IP blocks. After that it becomes a lot more variable. The next point you could get it down to is ISP as the country blocks are divided among them. I don't know if you could get that information, but I think I recall being able to. After that you'll need information the ISP can't share. They'll have the address for whoever used the address at a specific point in time.
What you didn't mention about that private data is that companies that collect our data mostly also sell our data, which leads to us not being the customer, but the product.
The reason your location via IP address isn't figured out is because most people have a dynamic IP (It changes every x amount of days). If you put your IP into a database, and tried to log back in a few months later. Chances are, you aren't going to have the same IP. Plus, it's fairly easy to spoof your IP address.
It dynamically changes through a range of IP's that belong to your ISP. EG (not actual stuff): 1-5 is Aus, 6-15 is USA, 16-20 is Canada. Your IP may change between 6 and 15 every time you log on, but it's still a USA IP address.
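Added example, not part of any comment in this thread: a country lookup over allocation blocks, showing that a dynamic address which moves within an ISP's ranges keeps resolving to the same country, while an address from a block allocated elsewhere (such as the VPN endpoints other comments mention) produces a mismatch with the declared country. The prefixes are RFC 5737 documentation ranges, and the country and holder assignments, `CountryTable`, `countries_seen` and `compare_declared` are all constructed for illustration.

```python
import bisect
import ipaddress

# Constructed allocation table. The prefixes are RFC 5737 documentation
# ranges and the country/holder assignments are invented for illustration;
# real data would come from the regional registries' published allocations.
ALLOCATIONS = [
    ("192.0.2.0/25", "AU", "ExampleNet-AU"),
    ("192.0.2.128/25", "US", "ExampleNet-US"),
    ("198.51.100.0/24", "US", "ExampleNet-US"),
    ("203.0.113.0/24", "CA", "ExampleHosting-CA"),
]


class CountryTable:
    """Maps an IPv4 address to the country its block was allocated to."""

    def __init__(self, rows):
        parsed = []
        for cidr, country, holder in rows:
            net = ipaddress.ip_network(cidr, strict=True)
            parsed.append((int(net.network_address),
                           int(net.broadcast_address), country, holder))
        parsed.sort()
        # Overlapping blocks would make the answer depend on row order.
        for prev, cur in zip(parsed, parsed[1:]):
            if cur[0] <= prev[1]:
                raise ValueError("overlapping allocations")
        self._rows = parsed
        self._starts = [row[0] for row in parsed]

    def lookup(self, ip):
        """Return (country, holder), or None if no block covers the address."""
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return None
        value = int(addr)
        # Find the last block that starts at or before the address.
        i = bisect.bisect_right(self._starts, value) - 1
        if i < 0:
            return None
        start, end, country, holder = self._rows[i]
        return (country, holder) if value <= end else None


def countries_seen(table, addresses):
    """Countries observed across a series of (dynamic) addresses."""
    found = set()
    for ip in addresses:
        hit = table.lookup(ip)
        found.add(hit[0] if hit else "unknown")
    return found


def compare_declared(table, declared_country, observed_ip):
    """Compare a user-declared country with the country of the block.

    The result describes the network the traffic arrived from. It is a
    signal for review, not proof of where the person is sitting.
    """
    hit = table.lookup(observed_ip)
    if hit is None:
        return "unknown"
    return "consistent" if hit[0] == declared_country else "mismatch"


TABLE = CountryTable(ALLOCATIONS)

# Constructed lease history: the subscriber's address changes on reconnect
# but stays inside blocks allocated to the same country.
LEASES = ["192.0.2.130", "192.0.2.201", "198.51.100.7"]

if __name__ == "__main__":
    print(countries_seen(TABLE, LEASES))
    print(compare_declared(TABLE, "US", "203.0.113.9"))
```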
Rewatching this just reinforces the fact that Sony hasn't improved all that much in how they handle change and the honesty needed when they work with their customer/user base. The ps4 recently got an update which has changed/caused a problem with the way the profile system functions. I discovered this while attempting to transfer save data from one ps4 to another via thumb drive. On one ps4 I had a profile set up with a psn account all ready to go, but no data. On the one with data, I had a profile, but no psn account connection. I figured it wouldn't be that hard to take the time to slowly type in all necessary info using the on screen keyboard, dual shock, and patience to be able to transfer the data. I thought it was silly that I needed to be logged in for data transfer via a USB drive, instead of the paid for service, but I was willing to put up with it anyway. Lo and behold, when I tried to log in, it *insisted* that I had to make a new account entirely. What? When was this? Why is this? After accidentally blowing away my data (no realization it was attached that heavily to the profile itself) and doing some digging, this is what the latest system update did, and no, they didn't tell anyone about it.
Why couldn't the console have stored that information? Keep it securely locked up in some part of the hard drive (taking up barely any space) and transmit it to the network when it's requested.
I'm not sure if there are any legal restrictions to using IP info, but I do know a few things: First, the IP the internet sees is designated to your modem by your ISP, or in some cases based on a server your ISP routes all your traffic through; depending on how that is set up it could mean it reports another zip code or even another state because of cost-saving shortcuts. Some ISPs are better or worse about this than others, but the point is unless you connect to the internet via a privately maintained server this could easily confuse matters. Secondly, it is pretty easy to fake an IP address via proxy servers, VPN's, and probably a few more methods where you basically bounce the internet off another server, making it look like that's where you are. When regional laws are involved, I think this could become a pretty big problem.
It would be awesome if you added in the video description when this episode was first aired. It would give us an idea of where to look for it in PATV to look for discussions, outro song or previous and next episodes.
We use IP location lookup on our website to show your closest store and I'd say it's right about 80% of the time and that's in Canada where every person has their own internet side IP. In countries that were later to get internet they don't have enough IP addresses to do that. Add in that those address pools shift between ISPs (even across countries) as they buy and sell address blocks and it makes it not reliable enough for legal reasons even before you have people actively working around it.
And that is why I don't use facebook. The service doesn't justify the privacy loss. If I ever get a comment on that, I'll forward them to this video. Thanks a lot for making all of your videos, keep up the good work!
Something funny I know is that PSN can't find your house through postal codes in Canada (or the US I think) but in Japan it knows exactly where you are and has a button that you click and it fills it in for you.
That would only work if their router was wireless. Although it's possible to get the location of where a person may have been based on their public IP address simply because that IP address is usually unique to the rest of the internet (or at least for that household in most cases) and that information has to be kept with the internet service provider in order for the internet service provider to route traffic you request to your house (and then to your computer). But then there are VPN's.
I don't know if it is the same thing but VPN programs can be used to fake your location based on the location set in the program, that's a reason to not trust on the information given by the network.
Microsoft did the same promotion thing with the red ring of death problem, sending you free gold subscription but if you had already had gold when it happened it only made up for the time lost while it was being repaired.
the reason why IP address validation wouldn't work is that an IP address can't tell you much with certainty. if you look at my address, it will tell you I'm in San Francisco. I'm not, that's just where my VPN server is, for example. there is a loose correlation between IP addresses and their users, but it's not quite enough. it's evolving legal case law that an IP address isn't enough information to tie activity to a subscriber in many copyright infringement cases.
Heh, I just found it slightly ironic that the last two sentences of this video were: "It's arrogant to think we're always going to come back" "See you next week!" Ohhh, so you're thinking we're gonna come back, eh? Haha, just teasing. I'll be back of course. In fact, I'm going to watch it now.
Here is something humorous, before the PSN hack happened, my mom had her info saved on the PS3. I bought a substantial amount of DLC for a game. My mom found out and deleted her saved info. When the event of the hack occurred (which was a few days after the release of Portal 2), I had coincidentally saved my mom's bank account thanks to me buying some games without her permission.
A good deal of this data can be held locally, and that which can't can be remotely encrypted with a private key, so they can't read the data. There is really very little data that companies actually need to hold on to in readable form.
Thinking about this now. Why can't those details be stored locally (credit card info, address etc.) and we choose to hand them to Sony and then they can run the card and give the goods. To us it's already inputted, Sony doesn't have to store it locally because the card doesn't belong to them. Of course you'll have to input everything if you clear the cookies or local data, but that's normal.
As much as "Don't put anything on the internet that you don't want the world to know,'' was hammered in to me when they started teaching me about using computers back around the late 90s; and how much networks run similar messages in their advice-for-kids plugs during commercial breaks I've got to ask: Where the hell did some of these people learn about the internet?
This all happened long enough ago that I might be mis-remembering details, but as I recall this wasn't the first time Sony got hacked. Their corporate computers had been hacked several times, each time getting valuable booty, and the security flaws in the PSN were well known to them. IF the above is true, ... well, it isn't quite leaving the key in the door, but it is a case of choosing not to have adequate security because it would cut profits.
As someone who uses PSN cards to add funds to my account, I don't think I was affected much. And yes, Sony should've offered its users maybe 10 free games, to be selected at the users' discretion, whether the game was a 10 dollar PS1 classic or 100 dollar deluxe or complete edition of a game (with all DLC included); that would've won over a whole lot of customers.
"Arrogance to think that we'll always come back". This got me thinking, I really do know people who will come back regardless of what Sony does. Fully functional adults who have been on the receiving end of this breach, but will still excuse and DEFEND Sony's actions. I'm interested in seeing a future topic on the mindsets of gamers of a particular console, to be specific, if this breach had occurred on XBL, what could possibly be the reaction from gamers and Microsoft? Imagine if it was Nintendo?
Well, if they want to come back, then they should. I mean, when someone does something bad, some people will be inclined to believe them, and others won't. People have unique motivators and priorities. Expecting all people to have the same reaction to ANY given event is madness. The good news is, you don't need everyone to agree, and honestly, it seems unnecessary. When companies mess up it affects their profits, people get fired, and all sorts of messiness ensues. Trust me, companies do not intentionally screw over their customers, at least the smart ones don't. As the video mentions, the really successful companies are the ones which establish a positive relationship with their customers, and better fit their needs. I mean, that is why we go to companies, to have our needs satisfied. Whichever does that best is the one that gets the $. What is happening is people are learning that there are factors besides the quality of the games and hardware that contribute to if you do business with companies, and a good number of customers have decided that privacy is a factor. But, on the other hand, some people don't mind. It is perfectly acceptable for people to decide what level of privacy they want for themselves. The reason you don't like people defending Sony is because you feel like other people are fine with the way they treated you personally. The best way to get rid of the rage factor, is to realize that people can only excuse themselves. Nothing a fanboy says changes the fact that you have not forgiven Sony for any way they have wronged you, and if your expectation is that everyone do the same, take my word for it, that is madness.
LunaLuckyLight Personal Opinion: Sony can do stuff, but won't do stuff for the simple fact that OTHERS haven't proven it an effective avenue yet- thus won't take the risk. They are a game company in the "me too" factor. It's not worth it, day after day customers will have to sacrifice more for less in return. (sure there are "comforts", you may love your ps4, but why?) Nintendo pulled their own trick with one of their recent releases. "Mario and luigi dream team" was toxic (opinion) and no one should buy it new, if at all so they can get a chance at a refund. (Watch the extra credits on tutorials) The game's a chore wrapped up in an insult. "People will be held responsible so let it go"? Your business is your business- where you put your money is your concern and if you "let it go" just because a company "sorta reacted" or even "overreacted" to a failure and the end result isn't satisfying- where does that leave you? In regards to luckylunalight: I'm not talking about "people" here, that's vague to assume what "most people" want. (skinner box effect exists after all) So let's talk about our own experiences here, since that's what we have true authority over. What muck are you willing to wade through to get the experience you want? For the record, the reason I don't like anyone defending companies. In Sony's case, they held sensitive info and blotched it up trying to cut corners. That's just one of the many things Playstation users are willing to overlook, interestingly enough, if one of Sony's other customers- let's say camera users don't like their propaganda there are results: suddenly all DSLR cameras opt out for SD card support instead of memory sticks, maybe the Vita will...oh nevermind then. Things like the "Wii U" (as it is) and the Vita memory card are just testaments to "excusable" actions and if gamers don't like it "they should just grow up" eh?
Wolfgang Amadeus The Wii U is a short term solution to one of the problems of the Wii, and that is piracy, I think they forgot they needed games and thought 3rd party would help them out if they had an HD console. Smash bros will save them and then it's that same bleakness that plagued the Wii.
1:56 OMG That is definitely a reference to StarCraft BroodWar, where Narud is a Terran who has his allegiance with The Swarm, backstabbing his fellow terrans and plunging the Korpulu sector into one of their darkest wars. And Narud isn't done with The Swarm either...
I'm pretty sure it's due to the relative ease of using proxies to mask IPs and cause false flags to show up. I mean, granted, it'd be REALLY difficult and expensive to get a console to get a proxy'd IP, but it's theoretically possible so a lot of lawyers get stingy.
IP addresses often don't have the right location. Usually the location of an IP address is the location of the ISP you are using. In my case on the other side of the country. It does work however for mobile phones in a lot of cases.
Extra Credits 3:11 They're not reliable enough. For example: if you use a proxy*, then the location would be wrong. *I'm not entirely sure if it is possible to connect your PS3 via proxy.
Locating a physical position using IP is not possible most of the time due to the IP that is seen on one end might not correspond with the actual network that the other end is on. For example, the user could be connected through one or more proxy servers. Might be connected to a WAN which can be huge. The address might even be divided into subnetworks. Even if it was a direct connection the exact position would have to be checked with the internet provider which have personal info as well.
While I do agree that it would be annoying to have to rekey in all of my information over and over again, I do feel as if we should at least be able to choose whether or not our personal information is shown. For myself, I'm extremely paranoid and it always is a bit of a reassurance when my private information is safe, as if someone does access some of it, then I could have real physical threats to my safety.
Sony's used game policy for the PS4 is the same as Microsoft's: The publisher or developer get to decide whether you can trade games..which means, in order for the PS4 to sustain that kind of system, it too will likely have an internet requirement.
In fact IP's are just misleading because they have literally nothing to do with physical location. There is just some overlapping between who owns those addresses and where they put them on the world. or simple: Things IP's have to do with: -legal stuff (mostly ownership) -network stuff (mostly "arbitrary" technical stuff) Things they don't have anything to do with: -locations -actual physical devices
In some countries, you don't have a permanent IP address. Why? I don't know, the best I could figure out, is they might be resetting servers or whatnot. Every day at the same time, I get disconnected from the internet for a second, and then I have a new IP address when it's back on. Now, I'm in no way an expert on the subject, but that might be the reason.
The fact that your IP refreshes every time you re-connect doesn't matter because your ISP's IP address is static...ish. It's a rather complicated system but in the end your ISP is given a range of numbers by the IANA (Internet Assigned Numbers Authority) which is an international governing body that allocates IP addresses from the pool of unallocated addresses. Your IP is likely a sub-net IP given to you by your ISP. The only real reason I could see why not using IP addresses to geo locate someone is because it's relatively easy to circumvent the geo-location system using an IP proxy or tunnel. That routes all your traffic through a third party and makes the destination server believe you are located at the same place as your proxy server. Most of these services allow you to pick what country you would like to be hosted from, England, the USA, Canada, Germany, Sweden, Switzerland, China. It's a common means to bypassing regional locked content on many sites.
Sedsibi It's also possible to get an IP address from an ISP in another country. Don't ask me the technical details, but a friend of mine was playing games with me seemingly connecting from Turkey - while sitting in Germany.
Yea, that's via a proxy or tunnel. Your computer sees his "IP" as wherever the proxy is located and saying he is playing from. I use them whenever I have to travel to countries with high levels of internet censorship.
Being someone who graduated in electrical engineering and specialized in computers and networks I do know the reason regarding your issue of checking who you are by your IP address. There happen to be a few of them so let me list them off:
1) Each country is allotted a certain range of IP addresses for ISPs in that country to use (Presuming we are talking the current popular standard IPV4 and not IPV6 which is mentioned later). While this isn't really an issue since it helps narrow down to which content they are in, it doesn't tell you EXACTLY which Province/state they are in.
2) Once you know where in the world it is, you then have to track it through various routing paths and junctions to find out which ISP it belongs to.
3) The other issue is that once you manage to find where they are and which ISP they are with, your problem becomes finding out the IP address of that person as the ISPs have a User Confidentiality Agreement with their clients that they cannot disclose who they are, what they do with the internet or what their current address is. This is usually why higher level of government officials usually come in as to pressure and persuade them to divulge the information they need.
4) Lastly on a restart, power failure or on a timer, your modem's IP address from the ISP will change. This also means that unless you have a paid arrangement with your ISP for a static (aka: not changing) IP address then you cannot expect to rely on it to be a constant marker like a house address.
However, this is also changing with our evolving needs and technology. With the world's internet using up almost all of the allocated IPV4 addresses (Asia's already used theirs completely), the need for a new IP addressing scheme which we will not run out of in human existence came into creation: IPV6 (340 undecillion addresses, and yes that is a real number in the magnitude of 10 to the power 36).
It is one which has easier ways of telling which ISP the address belongs to and which user it will belong to, as the internet on IPV6 will essentially be one big single network with ways of sub networking and protecting it so that people don't have access to where they shouldn't be. It also makes it so that the IP address of a device wouldn't need to change as often as it does or even at all.
Honestly, I think the attack was a good thing overall. Not in the sense it's "DOWN WITH THE MAN!", but in customer relations since. Other companies have been hacked ever since, and they've been more up front to their customers of when they've been hacked. Valve with Steam and Cryptic/Perfect World are some examples.
there's an easier solution to the lack of security at sony. i have a ps3. there's zero personally identifiable information on my sony account (except perhaps my external ip address, if they store it without telling you). got a disposable email address just for that. i buy those money cards with cash, so not even that transaction can be traced. so no credit card info either. and i can buy my games electronically. when they hacked into sony's poorly defended servers, i was not worried. i was just slightly amused at the lack of security.
sabin97 He also pointed out phone GPS. I actually have it turned off and have refused to install more than a couple apps *because* they have demanded my location info. They don't need this, and I don't need GPS enough to warrant Powers That Be knowing my every move. Heck, I turn off mobile data because some apps like Facebook love to point out where I am through that - which is privileged info, far as I'm concerned. There are benefits to interconnectivity, but there are simple steps that are on the *user* for risk mitigation. Next time you go to the gas station, go inside and pay credit with the cashier instead of at the pump - that kills one of the biggest risks of credit card fraud by spending one minute and a little human interaction.
Righteous001 yeah i'm paranoid about that too....if i'm installing an app and i see any permission that it doesn't really need, i don't install it...fuck them!
As a person who frequently plays online games on my consoles, I've learned a few 'tricks' that I probably can't discuss here. Though in my adventures I've learned that it is possible to mask your IP addresses on consoles, as well as computers. Though in that sense, IP addresses are often unreliable in nature. You can easily track down an IP to a city, but often times if the person lives in a small town their IP addresses will point to a major city within the same state or province the individual lives in, making the location of the individual unknown. By asking the player for their information they are basically tracking you by your own will, unless you were to falsify that information, which will lead to a ban if your account is ever looked into. It's not about the fact that they can or can't track people through their IP, it's the fact that in some situations, it's more reliable to just ask the player. At least that's what I figure is the reason.
3:11 They want you to confirm that you are where your IP says you are, using a proxy I could easily give another IP address and the company that assumed that was my actual location would be the one breaking the law, not me. If I confirm that I do indeed live there, then at least the company has done "due diligence" in ensuring that the law wasn't broken.
IP address to localisation accuracy is terribly inaccurate unless you're using ipv6. plus with the heavy use of VPNs and proxies it would cause too many issues with localisation accuracy.
In South Africa you have to give permission to banks, phone companies and other institutions to pass on your info to third parties. That still does not stop many of them from doing so.
Actually, they don't have to store that information. There is such a thing as password hashes, and they could very easily be applied to this situation. It allows for them to check if your login credentials are valid, without them knowing it. Most major companies use these, and if Sony wasn't, then they didn't use because of convenience to the consumer. They did it to keep information on you. Look password hashes up. Although governments wanting that information is a little more difficult to get around the company.
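What the comment above describes, as an added example that is not part of any comment in the thread: a service can check a login against a salted, slow hash without ever keeping the password itself. PBKDF2-HMAC-SHA256, the iteration count and the record layout are assumptions chosen for the sketch, and the accounts are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the row a service stores at sign-up: salt and hash, no password."""
    salt = os.urandom(16)  # fresh per account, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash from the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def exposed_passwords(store: dict) -> list:
    """Passwords readable directly by anyone holding a copy of the store."""
    return [row["password"] for row in store.values() if "password" in row]


# Constructed account data: the same user stored both ways.
PLAINTEXT_STORE = {"alice": {"password": "correct horse battery staple"}}
HASHED_STORE = {"alice": make_record("correct horse battery staple")}

if __name__ == "__main__":
    print("login ok:", verify("correct horse battery staple", HASHED_STORE["alice"]))
    print("wrong password:", verify("wrong guess", HASHED_STORE["alice"]))
    print("readable from plaintext copy:", exposed_passwords(PLAINTEXT_STORE))
    print("readable from hashed copy:", exposed_passwords(HASHED_STORE))
```

This only covers credentials; data the service must read back, such as an address, cannot be hashed this way.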
With the Internet Protocol (IP) Address thing, they would have to triangulate your location using the radio waves coming off of your router (not computer/console) which we, right now, do not have that kind of technology to start using on anything but government business if we even have it, so until then we would have a ~20 meters(?feet?) diameter around the angle at which the "waves" hit the satellite. (gravity bends space, fyi, & a wave is a particle without mass, specifically a photon)
ip address locationing is very flawed. my ip in my home wifi network actually seems to change my location based on where i sit down with my laptop. it is generally somewhere at least halfway across the state, but it's never even in the same city on opposite ends of my house. the closest I've seen it come to finding my location would put me in a city about 30 miles or so from the small town that i live 15 minutes away from.
You can't check your location via IP address because VPNs exist. If i want to make it look like I'm playing in Russia today, Brazil tomorrow, and Mexico on Thursday, I am completely capable of doing that from my studio apartment in Chicago. It's not hard either. I'm a lawyer, like most lawyers, I know very little about how most technology actually works. There's not really a legal reason they can't use IP addresses, except for the practical one that it's very easy to circumvent any regional laws if you choose to verify that way.
if i had to guess i'd say the risk with verifying by ip is that it would be easy to VPN a fake IP. for example as a canadian i used to get american netflix by signing in with my xbox using a US vpn, then they started verifying location with credit cards, meaning you could no longer just hook up a VPN and get american netflix, netflix realised people were doing this, meaning they were breaking very strict canadian broadcasting laws and knew they were at risk for the legal trouble because it's easier to sue a single corporation than 200 000 users.
They can't track you by ip because of the fact that there are so many devices connected to the Internet now that permanent ip addresses are only reserved for businesses. Most houses use subnetting to preserve a constant, reliable connection to the internet. Also, dhcp is also available, meaning that ip addresses are assigned to each device electronically, and can change. All of this ends with ip addresses not being a very reliable way to track an individual device.
While this year's attack is very different from the 2012 attack I hope Sony handles this one better. It's not their fault. It will always be easier to break things than to build them. But many of their customers are quite angry at their lack of cyber security.
Multiple reasons you cannot use IP address to track location.
1. It can be spoofed. This is often what VPN & Proxy service providers will do.
2. Location via IP isn't reliable, as you can have multiple computers run using the same IP. See NAT. www.openbsd.org/faq/pf/nat.html
As a whole it is not unprecedented the amount of change civilization goes through in such a short time now. But as individuals we all go through massive amounts of change our whole lives no matter when we were born. If it was not for each person being born, growing up, raising a family, growing old, and dying then we probably wouldn't even see the amount of change civilization goes through because a world full of 500 year olds wouldn't put up with it.
Ok after further research it is just saying that third parties can pull a sim city or project 10 dollar. the PS4 will not phone home so no the console will not be online necessary however some games may.
Why can't they get your location from your IP: the IP only gives you the ISP or Proxy location, unlike satellites which use a triangulation system to figure out your location, so they are rather different systems, You can get the ISP to give you their location but it is a lot of hassle and a lot of ISPs won't give out the information without a warrant.
There are online services that can easily track the IP for free, and they're completely legal. Sometimes the information is screwy, but if you get a warrant on that IP (which after this happened, you should be able to do easily) you can find out exactly who purchased the IP.
The free month subscription wasn't an upsell it was a direct reimbursement due to the length of down time of the network had age up their subscription period and people prepay for the time.
Wow, I was rather blind to most of this. All I remember is saying, "no way, a free game!" and enjoying Infamous for the next month. Ignorance is bliss! :P
basing someone's location might not work too well considering one could use a VPN to change their IP address although I suppose this could be done with the current system as well to bypass the legal issues in your location.
About the location based on IP, well Dan, because IP is not fixed. IPs can change and if you need to keep track of where which IP address is given out at a certain moment, that would be a hassle. Also, VPNs exist, that mask your IP to an IP on another location. There are various reasons why it can't work 100% of the time. IP Addresses aren't like house addresses. It's highly unlikely when 192.168.0.1 is my IP, my neighbor has 192.168.0.2. Also, different ISPs have different addressing blocks and other rules about privacy and protection of their servers... It would create a big headache to make everything work.
What Sony SHOULD have done from the start of this is simply BE HONEST about what happened… I don’t want a company storing my data if they aren’t going to be honest with me if they get hacked…. I do blame Sony for the bad PR that their unwillingness to tell customers what happened caused, but I don’t blame them for getting hacked…
I remember receiving in my mailbox a free magazine with a demo CD from sony without having asked anything. That was in... wait... 1996? 1997? And then... there was a shift, and their PR got worse and worse. I guess the 2big2fail virus hits them all at some point.
Especially in the wake of Target and other company systems being hacked and credit card information being compromised, we have to realize that these systems will get hacked every once in a while. While it is up to the companies to try and minimize these occurrences, customers have to accept this will occasionally happen, and deal with the temporary setback maturely. You run the risk of your car being stolen anytime you aren't in it, the only way to not have your car stolen, is to not have one. It is the same with credit cards and personal information like this. You run the risk of it being stolen by simply having it.
I don't think private is the right word for it. For everything online, nothing is private because, as it says in the video, everything about you is stored. I believe the right word for it is security. Think of Facebook or any social media site; they store everything you post - even if it's "private" - and everything you stay with. You only believe that posts are "private" because they are secure and no AVERAGE user can view them. My second uncle has a great view on the internet which is kinda appropriate, which is "Don't do anything on the internet that you don't want your mum to look at.", but apart from mum, you replace it with people or large companies and say they're inescapable. That would have to be security, not privacy.
Old video and old issue, but why don't you store the data (encrypted of course) on the device itself and have the service pull from whatever information you have saved on the device?
Sweet Cal Lightman (Tim Roth) Lie to me* has his picture show up in this episode along with some of the science of the show, Happy fanboy is happy. Other than that great episode as always guys, but I have one question that has always been bugging me is all the content strictly James' work or does Daniel and Allison chip in some thoughts.
It's not just a matter of being hacked. How the data was got is important. Notice that the data, including passwords, were not encrypted. They were stored as plaintext.
Interesting, i haven't switched on the PS3 since the PSN hack. bought games for it, but never got over how long it took to recover, or saw a reason to play console games, or buy the PS4.
"YOU DIDN'T EVEN GIVE ME _FINGERS!"_
I lost it at that point.
I had to pause... rewind... and said: "that is *_SO_* meta"... then continued watching without another word.
@youtoober2013 same man, same
What time?
"It is arrogant to think we are always going to come back. See ya next week!"
I know, those two statements are made in two totally different contexts. I found it funny though.
Well, I do have a security background, work at a rather large CERT, so maybe I'm qualified to answer the questions presented.
First of all, identifying the location of an IP address is of course possible. With some minor errors, sometimes, but in nearly all cases it's usually accurate. Though it is far from certain that this IP address identifies the location of a customer. It is fairly trivial for anyone with at least a passing knowledge of networking to configure a system in such a way to act as a proxy and hence make them appear to come from wherever this computer is located. Since it's also rather easy to rent a box in a server farm somewhere on this globe, this would allow someone to hail from wherever they want to. And that in turn might create a legal problem with local laws, where such a setup would allow people to buy games that were banned by their local government, which in turn could mean bad press or even a sales ban for the company involved if it gets out. The core of the matter is that if YOU identify your user by his IP address, YOU are responsible if it is wrong (even despite your user deliberately and with ill intent "displaced" himself to another country). If HE makes a false claim when choosing his country from your list, HE lied to you and you're in a legally far better position.
So the "why don't you use my IP to see where I come from" question is more a legal than a technical one.
This said, there is still no reason for Sony or any other company to store all that information. Every modern console has a built in mass storage system, either in the form of a HD or memory cards. The data in question is hardly large and would take up trivial amounts of storage space. So there is no need to enter it every single time you wish to use it, your console could store that information and transmit it if needed.
+Christen Edmundson I have to admit I don't exactly know which of two possible scenarios you are referring to now, either the physical theft of the console or the storage medium, or hacking a console as it is online. I will try to answer both.
As for the hack of a console (i.e. hacking the consoles rather than the storage center): It is likely that this would be easier. It is likely that the console does not have the same level of security in place that a data center has that has to conform to the PCI-DSS requirements (and storing CC data, they have to conform to that). So yes, hacking a console and getting the data from that console is probably a far easier scenario for a potential attacker. But in such a scenario he only gets one single point of data, one CC info along with the personal data of one person. A mass hack, i.e. executing a hack on multiple IP addresses in the hope to catch a PS connected to it, will likely yield far fewer personal data records than the server hack, because it will only affect systems (and hence users) that happen to be connected to the internet at the very moment of the hack. Anyone offline or not playing at this time would not be affected, and it is likely that such a hack will not go unnoticed by Sony and security researchers (I cannot go into detail here, but mass hacks are terribly noisy). You would simply get a lot less data by hacking consoles.
As for the physical theft of the devices or the storage media, it is even worse for the thief, effort-wise. By stealing a PS or the SD card/USB drive, he would get a single unit of data. To achieve the same amount of damage where thousands of customer data records have been compromised, he would have to steal thousands of consoles.
And we didn't even touch the subject of encryption and password-to-unlock-info. Which can be implemented sensibly on a console, too, if you make the "password" simply a sequence of controller commands, similar to old fashion cheat codes (I guess everyone remembers up up down down left right left right B A start).
***** The point is that by hacking a console, I get ONE set of information. By hacking the server, I get MANY.
The effort necessary to harvest identities from different consoles is simply way higher, presenting a much higher obstacle to a potential attacker. Such an attack could only be pulled sensibly with an automated attack that abuses some security hole in the general setup of the console, which depends on people actually being online in the time frame between the exploit being found by the attacker and the security hole being patched by the console maker.
In a nutshell, any attack that has to target consoles rather than a controlling server will net the attacker much fewer data sets.
+0x777 I don't think the burden of hacking individual devices is as onerous as you are making it out to be. More difficult, yes, but only trivially so. Currently we have: Step 1: Hack the Network Step 2: Profit. In your scenario, that would become Step 1: Hack a Console Step 2: Hack the Network Step 3: Traverse the network and use the method from Step 1 to hack any consoles connected to that network Step 4: Profit. As others have said, you don't make it easy by storing that information in plain text like Sony did, but if the information is going to be stored, the location really doesn't matter from a hacker's PoV.
Ed Harris There are a few things that would mitigate and limit the efficiency of such an attack against consoles vs. an attack against a server.
1) Only online consoles at the time of the attack would be affected. Whereas data in a server is (or rather, pretty much has to be for sensible operation) online 24/7, the data on your console is only available to anyone trying to attack you while your console is online. This is usually only during the times people are actually using them and playing games, which would limit the amount of affected people by such an attack.
2) The data on the console can be stored in encrypted form and require you to enter a "pass phrase" with your controller (think old time cheat codes) before it can be transmitted, or it could be stored on an external thumb drive altogether that you have to plug in physically to enable the transmit of the data. This would actually limit the attack window to the few moments when you actually wish to use your credit card to buy something.
Which assumes that attack can only happen once or that all machines need to be compromised simultaneously. In a distributed scenario, a hacker could as easily design their attack such that data retrieval is delayed until a critical mass of machines was infected. If the data storage method is bad, the location doesn't matter. Security through obfuscation is no security at all.
3:48 "Where do we draw the line? When isn't the service good enough for the privacy we lose?" - Facebook, Facebook is that line.
No no, Facebook has crossed that line a long time ago. They are way beyond the line.
@thereal_morxy49 Facebook roared over the line on a motorbike and are headed to the getaway ship at full speed.
"Now that the whole PSN mess is (mostly) wrapped up" he said, in 2012... :)
A better statement: "PSN shouldn't store _some_ of my data."
On Wii U, I always chose the option to _not_ store my card number. This because I wanted it to be more annoying to buy things, to limit how much I purchase online. I hope Nintendo now haven't stored my card number anyway, so it isn't available to be leaked out.
The reason why the PSN can't track you through IP address is because IP addresses aren't always right in terms of location. For example, my IP address will tell you that I live in Spokane, WA, when I really live about 200 miles away from Spokane.
also vpns could be factored in making the ip inaccurate
Main reason, people can route their IPs, through VPNs, and other techniques in order to hide their real location. But when you request a proof of the address you reduce the chances of someone giving an incorrect address.
AWFULLY SUSPICIOUS KNOWING ABOUT VPNs GUYS!
... and that's exactly why the professional scene has yet to integrate a solution to this well.
Even in 2018 only some websites actually bother to circumvent VPNs themselves...
... point is, there will always be a way and until the majority of people understand this... AAA is doomed.
I know I'm a year late to this conversation but that's not true (And your comment has 50 likes). IP addresses are very accurate in terms of location if you have the correct technology (Or you just contact the ISP). I'm sure that if you use some website for tracking an IP the most you could get that would be reliable is the country, but if you know what you're doing someone could easily get your info from an IP.
4:10
"Services we desire"
I do believe I saw the Internet Explorer logo tucked in there, and feel deeply hurt that you would think any of us might actually willingly use it :(
We use Internet Explorer to download a better browser, and then forget it exists. We only use it again when we need to redownload said other browser if it does anything really bad/BSOD-inducing.
And schools willingly use it for some uncanny reason.
+Darel Halgarth not agreeing or disagreeing but businesses and schools use it simply because it is guaranteed to work with programs designed for windows, which they all use, and it is unlikely to cause any problems with other programs. The fact that EVERY other browser works 300x better in every way 99.99% of the time is not really enough. At least that's the rationale I've always heard :/
Omega Xicor After some research I also discovered that apparently it's easier to control what students can see and block specific sites with internet explorer. I would've thought you could do that with other browsers too, but supposedly not to a large enough extent?
+Darel Halgarth
Not even, my schools all had Chrome or Firefox. Fuck IE.
I like the artist's depiction of his lawyer friends.
well boo hoo
@loganbuckeye11 What?
You know what the best solution is? Saving your personal info should be possible, but it shouldn't be mandatory. IF a lazy person trusts PSN, they should be able to say "store my data for the next purchase", and a paranoid person should say "never store any of this data".
napstrike except psn really can't work without it. If you said payment information then i would say yeah ok but still doesn't excuse it but there is a lot that doesn't work without it. They have to know what country you're in cause of legal and licensing issues, they need to know some information for identifying identify when contacting them and lots of other.
other online services do work without it. Steam does. Many online retailers I can also choose to have this information saved to my profile for ease of use or to have to enter it every time.
PSN just...didnt.
well yes, some do most definitely and the reason for that is cause in the UK collecting personal information for people under 13 years of age is illegal and every UK citizen can legally have their information deleted by a company. it is much simpler to just not require it for everyone than to have multiple systems in place. the reasons a lot of companies require is for web security, if you send an email you must be able to prove who you are so they ask you questions like name, address and date of birth but they can't ask it if they don't know themselves. so by making this optional, it makes it so much harder to keep things secure. on top of that, no company is allowed to let minors view adult content without asking for at least your age in any country, as a result, you can't buy say GTA off steam or even look at their forums without at least giving your date of birth. so as I said there are a lot of things that don't work without it.
NiteOwl what legal reasons a company is bound by is another topic for another day.
PSN was not the first data breach. Nor were they the first to be shown they store intimate data in plain text. They did and did not offer the user an ability not to have it stored which is just malicious and ignorant.
But they have to remember that you chose the latter choice.
You shouldn't track location by IP. I live in Northern Ireland, but my IP tells sites I'm anywhere from the isle of Man to Liverpool to Dublin, I've never seen an IP tracker that has gotten my location right.
glitchsmasher to add to that. If a person is skilled enough, they can reroute their IP so it looks like it came from somewhere else.
glitchsmasher also ip addresses change often
Zombakia2 Yes, if you don't have business-grade internet you probably have a dynamic IP.
ElNamano I have to disagree with you there. I do realize that there are people in your predicament. However, these are very rare and platforms should at least have a default+a bit of insurance to make sure your location seems legit.
Am I remembering this correctly: once the security was bypassed, the customer data was all stored as plain text, completely unencrypted? Was that this incident?
That is what the security folks call "failing badly". A system that "fails well" contains the damage when it fails: they got in the door, but each room is also locked, and valuables are locked up and hidden. If anybody who can defeat the front door gets all the goodies in the house, your security was designed by someone who was overpaid.
Those lawyer friends are awesome. A man, a cat in a suit (Sparrow?), and a Beholder with a tie? Epic!
I think we should have a choice on if we want our data stored. I want to be able to choose between convenience and safety. I keep GPS turned off on my phone and tablet and I can't think of any rational reason other than "people can find me when I don't want to be found," but it should still be my choice.
I can't change that post anymore, but I do have 2 android devices, so I do have a choice and I'm happy with that.
TL;DR: I laughed when EC said "we're not dumb". Collectively "we" are dumb.
Long:
Yeah, unfortunately, the Extra Credit guys got a few things wrong this episode.
They mention "TRUST" but you see Appl getting away scott free (and EC even defends them without the full picture): There's one thing with downloading a collection of access points that's in the area you're in -- Reporting in 24/7 for ads, making available to all apps (this was a bug, but a bug that existed for over 4 years), and having an opt-out that was completely off the device (on a webpage) without informing anyone is not building "TRUST".
More egs: Render a full desktop webpage downloaded over a 3G connection on a 250MHz processor in 4 seconds without a "speed not real"? Learn a guitar by having a voice assistant that was already available on the store that worked even with the original i Phone but magically now only the the 4? Wanna sell US-only band LTE tablets in UK? (I could go on with outright lies, not just withholding info like Sony did) Just google "no reasonable person would believe our commercials" - that's right, you can find what I mean without specifying a company!
This is exactly why Sony did what they did - and you know what? The two aforementioned companies still sell like crazy because nobody actually cares enough to inconvenience themselves or worse, doesn't know about it or is misinformed about it - the effect on their bottom lines for people outraged is a rounding error to them.
If you don't want to store your information on some server then don't use that service. Little bit harsh but I guess that will be used in future.
Sadly, that's not the case. You can be as paranoid / proactive all you want, but how can you tell if an app author is sending telemetry anywhere?
For example, websites you visit likely contain tracking services (install Ghostery and see who's watching your habits). With websites, you can analyze the code pretty easy as it comes through HTML and strip things out - but once you get into Executable territory, it becomes 10x harder - especially if the platform doesn't normally allow access to the binary.
What I was referring to are the tracking cookies. By default, you have no idea you are being tracked by a 3rd party. Logging in to ANY service that has that cookie even once can attach your personal info to your browsing habits...
... all without your knowledge, because the website authors placed said ad services on their website.
You can use a proxy/VPN/TOR to route your traffic via a computer on the other side of the world. And IPs aren't completely precise when it comes to locations.
For physical connections you can find the country it belongs to with publicly available information. Have a search for country IP blocks.
After that it becomes a lot more variable. The next point you could get it down to is ISP as the country blocks are divided among them. I don't know if you could get that information, but I think I recall being able to.
After that you'll need information the ISP can't share. They'll have the address for whoever used the address at a specific point in time.
I'm sorry, I know there are actual matters here, but "YOU DIDNT EVEN GIVE ME FINGERS" just got me
Your IP address can be changed to really anything you want. For a while my computer appeared to be in Antarctica.
Were you tho?
What you didn't mention about that private data is that companies that collect our data mostly also sell our data, which leads to us not being the customer, but the product.
The reason your location via IP address isn't figured out is because most people have a dynamic IP (it changes every x amount of days). If you put your IP into a database and tried to log back in a few months later, chances are you aren't going to have the same IP. Plus, it's fairly easy to spoof your IP address.
It dynamically changes through a range of IP's that belong to your ISP.
EG (not actual stuff)
1-5 is Aus
6-15 is USA
16-20 is Canada
Your IP may change between 6 and 15 every time you log on, but it's still a USA IP address.
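The range-to-country idea in the comment above, written out as an added example (not part of any comment in this thread). The prefixes are documentation ranges and the country and holder labels are constructed; the `assess` policy and its result names are assumptions made for illustration.

```python
import ipaddress

# Constructed allocation table. The prefixes are documentation ranges
# (RFC 5737), not real allocations; countries and kinds are made up.
ALLOCATIONS = [
    ("198.51.100.0/24", "US", "isp-dynamic-pool"),
    ("203.0.113.0/24", "CA", "isp-dynamic-pool"),
    ("192.0.2.0/24", "NL", "hosting"),    # rented servers, proxy/VPN exits
    ("192.0.2.128/25", "DE", "hosting"),  # more specific block, sold on later
]
TABLE = [(ipaddress.ip_network(p), c, k) for p, c, k in ALLOCATIONS]

# Home-network addresses such as 192.168.0.1 are reused in every household
# and never reach the server, so they carry no location at all.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(addr):
    """Return the most specific allocation covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return None
    matches = [(net, c, k) for net, c, k in TABLE if ip in net]
    if not matches:
        return None
    # Longest prefix wins: a block resold to another holder overrides
    # the larger block it was carved out of.
    net, country, kind = max(matches, key=lambda m: m[0].prefixlen)
    return {"block": str(net), "country": country, "kind": kind}


def assess(declared_country, source_ip):
    """Compare the country a user declared with what the source IP suggests.

    The server only ever sees the last hop, so the result is a hint for
    review, never proof of where the person is sitting.
    """
    hit = lookup(source_ip)
    if hit is None:
        return "no-location"
    if hit["kind"] == "hosting":
        # Traffic from a data centre block is more likely a relay than a home.
        return "relay-suspected"
    return "consistent" if hit["country"] == declared_country else "mismatch"


if __name__ == "__main__":
    # Constructed sessions: same user, new DHCP lease, then a relay, then a LAN address.
    for ip in ("198.51.100.7", "198.51.100.201", "192.0.2.5", "192.168.0.1"):
        print(ip, lookup(ip), assess("US", ip))
```

A new lease inside the same pool keeps the same country, while a relay in a hosting block replaces it entirely, which is why the declared country and the lookup result are kept as separate signals.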
Rewatching this just reinforces the fact that Sony hasn't improved all that much in how they handle change and the honesty needed when they work with their customer/user base. The ps4 recently got an update which has changed/caused a problem with the way the profile system functions. I discovered this while attempting to transfer save data from one ps4 to another via thumb drive. On one ps4 I had a profile set up with a psn account all ready to go, but no data. On the one with data, I had a profile, but no psn account connection. I figured it wouldn't be that hard to take the time to slowly type in all necessary info using the on screen keyboard, dual shock, and patience to be able to transfer the data. I thought it was silly that I needed to be logged in for data transfer via a USB drive, instead of the paid for service, but I was willing to put up with it anyway. Lo and behold, when I tried to log in, it *insisted* that I had to make a new account entirely. What? When was this? Why is this? After accidentally blowing away my data (no realization it was attached that heavily to the profile itself) and doing some digging, this is what the latest system update did, and no, they didn't tell anyone about it.
Why couldn't the console have stored that information? Keep it securely locked up in some part of the hard drive (taking up barely any space) and transmit it to the network when it's requested.
+SlightlyNotorious When your console breaks down or you use another console...
you get screwed
+Lance Lindle Lee I don't see how that's true at all. Simply put it on removable storage.
+Schmelon But then what if that storage drive fails?
+Nat Varmac what if Sony get hacked into?
+SlightlyNotorious As the PS is connected to some network, it is possible to hack it.
I'm not sure if there are any legal restrictions to using IP info, but I do know a few things:
First, the IP the internet sees is designated to your modem by your ISP, or in some cases based on a server your ISP routes all your traffic through; depending on how that is set up it could mean it reports another zip code or even another state because of cost-saving shortcuts. Some ISPs are better or worse about this than others, but the point is unless you connect to the internet via a privately maintained server this could easily confuse matters.
Secondly, it is pretty easy to fake an IP address via proxy servers, VPN's, and probably a few more methods where you basically bounce the internet off another server, making it look like that's where you are. When regional laws are involved, I think this could become a pretty big problem.
It would be awesome if you added in the video description when this episode was first aired. It would give us an idea of where to look for it in PATV to look for discussions, outro song or previous and next episodes.
"You didn't even give me fingers!" lol
We use IP location lookup on our website to show your closest store and I'd say it's right about 80% of the time and that's in Canada where every person has their own internet side IP. In countries that were later to get internet they don't have enough IP addresses to do that.
Add in that those address pools shift between ISPs (even across countries) as they buy and sell address blocks and it makes it not reliable enough for legal reasons even before you have people actively working around it.
And that is why I don't use facebook. The service doesn't justify the privacy loss.
If I ever get a comment on that, I'll forward them to this video.
Thanks a lot for making all of your videos, keep up the good work!
Something funny I know is that PSN can't find your house through postal codes in Canada (or the US I think) but in Japan it knows exactly where you are and has a button that you click and it fills it in for you.
That would only work if their router was wireless.
Although it's possible to get the location of where a person may have been based on their public IP address simply because that IP address is usually unique to the rest of the internet (or at least for that household in most cases) and that information has to be kept with the internet service provider in order for the internet service provider to route traffic you request to your house (and then to your computer). But then there are VPN's.
I don't know if it is the same thing but VPN programs can be used to fake your location based on the location set in the program, that's a reason to not trust the information given by the network.
Microsoft did the same promotion thing with the red ring of death problem, sending you free gold subscription but if you had already had gold when it happened it only made up for the time lost while it was being repaired.
the reason why IP address validation wouldn't work is that an IP address can't tell you much with certainty. if you look at my address, it will tell you I'm in San Francisco. I'm not, that's just where my VPN server is, for example. there is a loose correlation between IP addresses and their users, but it's not quite enough. it's evolving legal case law that an IP address isn't enough information to tie activity to a subscriber in many copyright infringement cases.
Heh, I just found it slightly ironic that the last two sentences of this video were:
"It's arrogant to think we're always going to come back"
"See you next week!"
Ohhh, so you're thinking we're gonna come back, eh?
Haha, just teasing. I'll be back of course. In fact, I'm going to watch it now.
I can't stop watching these videos
Here is something humorous, before the PSN hack happened, my mom had her info saved on the PS3. I bought a substantial amount of DLC for a game. My mom found out and deleted her saved info. When the event of the hack occurred (which was a few days after the release of Portal 2), I had coincidentally saved my mom's bank account thanks to me buying some games without her permission.
A good deal of this data can be held locally, and that which can't can be remotely encrypted with a private key, so they can't read the data. There is really very little data that companies actually need to hold on to in readable form.
Thinking about this now. Why can't those details be stored locally (credit card info, address etc.) and we choose to hand them to Sony and then they can run the card and give the goods. To us it's already inputted, Sony doesn't have to store it locally because the card doesn't belong to them. Of course you'll have to input everything if you clear the cookies or local data, but that's normal.
As much as "Don't put anything on the internet that you don't want the world to know,'' was hammered in to me when they started teaching me about using computers back around the late 90s; and how much networks run similar messages in their advice-for-kids plugs during commercial breaks I've got to ask:
Where the hell did some of these people learn about the internet?
This all happened long enough ago that I might be mis-remembering details, but as I recall this wasn't the first time Sony got hacked. Their corporate computers had been hacked several times, each time getting valuable booty, and the security flaws in the PSN were well known to them.
IF the above is true, ... well, it isn't quite leaving the key in the door, but it is a case of choosing not to have adequate security because it would cut profits.
You cannot locate someone by their IP, there are plenty of services that can change your ip and/or even MAC-address
for example: proxies, VPNs etc.
As someone who uses PSN cards to add funds to my account, I don't think I was affected much.
And yes, Sony should've offered its users maybe 10 free games, to be selected at the users' discretion, whether the game was a 10 dollar PS1 classic or 100 dollar deluxe or complete edition of a game (with all DLC included); that would've won over a whole lot of customers.
"Arrogance to think that we'll always come back". This got me thinking, I really do know people who will come back regardless of what Sony does. Fully functional adults who have been on the receiving end of this breach, but will still excuse and DEFEND Sony's actions. I'm interested in seeing a future topic on the mindsets of gamers of a particular console, to be specific, if this breach had occurred on XBL, what could possibly be the reaction from gamers and Microsoft? Imagine if it was Nintendo?
i imagine it would be roughly the same (you can't reason with a fanboy, after all)
Chris Combs
The sales of the Wii U say otherwise, though smash bros might change that.
Well, if they want to come back, then they should. I mean, when someone does something bad, some people will be inclined to believe them, and others won't. People have unique motivators and priorities. Expecting all people to have the same reaction to ANY given event is madness. The good news is, you don't need everyone to agree, and honestly, it seems unnecessary. When companies mess up it affects their profits, people get fired, and all sorts of messiness ensues. Trust me, companies do not intentionally screw over their customers, at least the smart ones don't. As the video mentions, the really successful companies are the ones which establish a positive relationship with their customers, and better fit their needs. I mean, that is why we go to companies, to have our needs satisfied. Whichever does that best is the one that gets the $. What is happening is people are learning that there are factors besides the quality of the games and hardware that contribute to if you do business with companies, and a good number of customers have decided that privacy is a factor. But, on the other hand, some people don't mind. It is perfectly acceptable for people to decide what level of privacy they want for themselves. The reason you don't like people defending Sony is because you feel like other people are fine with the way they treated you personally. The best way to get rid of the rage factor, is to realize that people can only excuse themselves. Nothing a fanboy says changes the fact that you have not forgiven Sony for any way they have wronged you, and if your expectation is that everyone do the same, take my word for it, that is madness.
LunaLuckyLight
Personal Opinion: Sony can do stuff, but won't do stuff for the simple fact that OTHERS haven't proven it an effective avenue yet- thus won't take the risk. They are a game company in the "me too" factor. It's not worth it, day after day customers will have to sacrifice more for less in return. (sure there are "comforts", you may love your ps4, but why?)
Nintendo pulled their own trick with one of their recent releases. "Mario and luigi dream team" was toxic (opinion) and no one should buy it new, if at all so they can get a chance at a refund. (Watch the extra credits on tutorials) The game's a chore wrapped up in an insult.
"People will be held responsible so let it go"? Your business is your business- where you put your money is your concern and if you "let it go" just because a company "sorta reacted" or even "overreacted" to a failure and the end result isn't satisfying- where does that leave you?
In regards to luckylunalight: I'm not talking about "people" here, that's vague to assume what "most people" want. (skinner box effect exists after all) So let's talk about our own experiences here, since that's what we have true authority over. What muck are you willing to wade through to get the experience you want?
For the record, the reason I don't like anyone defending companies. In Sony's case, they held sensitive info and botched it up trying to cut corners. That's just one of the many things Playstation users are willing to overlook, interestingly enough, if one of Sony's other customers- let's say camera users don't like their propaganda there are results: suddenly all DSLR cameras opt out for SD card support instead of memory sticks, maybe the Vita will...oh nevermind then. Things like the "Wii U" (as it is) and the Vita memory card are just testaments to "excusable" actions and if gamers don't like it "they should just grow up" eh?
Wolfgang Amadeus
The Wii U is a short term solution to one of the problems of the Wii, and that is piracy, I think they forgot they needed games and thought 3rd party would help them out if they had an HD console. Smash bros will save them and then it's that same bleakness that plagued the Wii.
1:56
OMG That is definitely a reference to StarCraft BroodWar, where Narud is a Terran who has his allegiance with The Swarm, backstabbing his fellow terrans and plunging the Koprulu sector into one of their darkest wars.
And Narud isn't done with The Swarm either...
IP is fairly general in area showing, it most commonly can only show town to get any speed so that it doesn't spend minutes pinging the area.
they were also not storing the data correctly.
from a few articles i've read it was unencrypted data in a text file.
I'm pretty sure it's due to the relative ease of using proxies to mask IPs and cause false flags to show up. I mean, granted, it'd be REALLY difficult and expensive to get a console to get a proxy'd IP, but it's theoretically possible so a lot of lawyers get stingy.
IP addresses often don't have the right location. Usually the location of an IP address is the location of the ISP you are using. In my case on the other side of the country. It does work however for mobile phones in a lot of cases.
Extra Credits 3:11 They're not reliable enough. For example: if you use a proxy*, then the location would be wrong.
*I'm not entirely sure if it is possible to connect your PS3 via proxy.
What is the name of the Star Trek device you compared to the smartphone?
Locating a physical position using IP is not possible most of the time due to the IP that is seen on one end might not correspond with the actual network that the other end is on.
For example,
The user could be connected through one or more proxy servers.
Might be connected to a WAN which can be huge.
The address might even be divided into subnetworks.
Even if it was a direct connection the exact position would have to be checked with the internet provider which has personal info as well.
While I do agree that it would be annoying to have to rekey in all of my information over and over again, I do feel as if we should at least be able to choose whether or not our personal information is shown. For myself, I'm extremely paranoid and it always is a bit of a reassurance when my private information is safe, as if someone does access some of it, then I could have real physical threats to my safety.
Sony's used game policy for the PS4 is the same as Microsoft's: The publisher or developer get to decide whether you can trade games..which means, in order for the PS4 to sustain that kind of system, it too will likely have an internet requirement.
In fact IP's are just misleading because they have literally nothing to do with physical location.
There is just some overlapping between who owns those addresses and where they put them on the world.
or simple:
Things IP's have to do with:
- legal stuff (mostly ownership)
- network stuff (mostly "arbitrary" technical stuff)
Things they don't have anything to do with:
- locations
- actual physical devices
In some countries, you don't have a permanent IP address. Why? I don't know, the best I could figure out, is they might be resetting servers or whatnot. Every day at the same time, I get disconnected from the internet for a second, and then I have a new IP address when it's back on. Now, I'm in no way an expert on the subject, but that might be the reason.
If that were the case in major markets like Europe, Russia, Brazil, or any major part of Asia that could be EXACTLY why.
Sui Suington From Europe: yup.
The fact that your IP refreshes every time you re-connect doesn't matter because your ISP's IP address is static...ish.
It's a rather complicated system but in the end your ISP is given a range of numbers by the IANA (Internet Assigned Numbers Authority) which is an international governing body that allocates IP addresses from the pool of unallocated addresses. Your IP is likely a sub-net IP given to you by your ISP.
The only real reason I could see why not using IP addresses to geo locate someone is because it's relatively easy to circumvent the geo-location system using an IP proxy or tunnel. That routes all your traffic through a third party and makes the destination server believe you are located at the same place as your proxy server. Most of these services allow you to pick what country you would like to be hosted from, England, the USA, Canada, Germany, Sweden, Switzerland, China. It's a common means to bypassing regional locked content on many sites.
Sedsibi
It's also possible to get an IP address from an ISP in another country.
Don't ask me the technical details, but a friend of mine was playing games with me seemingly connecting from Turkey - while sitting in Germany.
Yea, that's via a proxy or tunnel. Your computer sees his "IP" as wherever the proxy is located and saying he is playing from. I use them whenever I have to travel to countries with high levels of internet censorship.
Data:“hur hur hur“ 🤣😂😆
Being someone who graduated in electrical engineering and specialized in computers and networks I do know the reason regarding your issue of checking who you are by your IP address.
There happen to be a few of them so let me list them off:
1) Each country is allotted a certain range of IP addresses for ISP's in that country to use (Presuming we are talking the current popular standard IPV4 and not IPV6 which is mentioned later). While this isn't really an issue since it helps narrow down to which continent they are in, it doesn't tell you EXACTLY which Province/state they are in.
2) Once you know where in the world it is, you then have to track it through various routing paths and junctions to find out which ISP it belongs to.
3) The other issue is that once you manage to find where they are and which ISP they are with, your problem becomes finding out the IP address of that person as the ISP's have a User Confidentiality Agreement with their clients that they cannot disclose who they are, what they do with the internet or what their current address is. This is usually why higher level of government officials usually come in as to pressure and persuade them to divulge the information they need.
4) Lastly on a restart, power failure or on a timer, your modem's IP address from the ISP will change. This also means that unless you have a paid arrangement with your ISP for a static (aka: not changing) IP address then you cannot expect to rely on it to be a constant marker like a house address.
However, this is also changing with our evolving needs and technology. With the world's internet using up almost all of the allocated IPV4 addresses (Asia's already used theirs completely), the need for a new IP addressing scheme which we will not run out of in human existence came into creation IPV6 (340 undecillion addresses, and yes that is a real number in the magnitude of 10 to the power 36). It is one which has easier ways of telling which ISP the address belongs to and which user it will belong to, as the internet on IPV6 will essentially be one big single network with ways of sub networking and protecting it so that people don't have access to where they shouldn't be. It also makes it so that the IP address of a device wouldn't need to change as often as it does or even at all.
Honestly, I think the attack was a good thing overall. Not in the sense it's "DOWN WITH THE MAN!", but in customer relations since. Other companies have been hacked ever since, and they've been more up front to their customers of when they've been hacked. Valve with Steam and Cryptic/Perfect World are some examples.
there's an easier solution to the lack of security at sony.
i have a ps3.
there's zero personally identifiable information on my sony account (except perhaps my external ip address, if they store it without telling you). got a disposable email address just for that. i buy those money cards with cash, so not even that transaction can be traced. so no credit card info either. and i can buy my games electronically.
when they hacked into sony's poorly defended servers, i was not worried. i was just slightly amused at the lack of security.
You are wise.
Phhase
some might say paranoid....but i feel better if you use wise :)
It's what I'd do if Steam's security was so bad
¯\_(ツ)_/¯.
sabin97 He also pointed out phone GPS. I actually have it turned off and have refused to install more than a couple apps *because* they have demanded my location info. They don't need this, and I don't need GPS enough to warrant Powers That Be knowing my every move. Heck, I turn off mobile data because some apps like Facebook love to point out where I am through that - which is privileged info, far as I'm concerned. There are benefits to interconnectivity, but there are simple steps that are on the *user* for risk mitigation. Next time you go to the gas station, go inside and pay credit with the cashier instead of at the pump - that kills one of the biggest risks of credit card fraud by spending one minute and a little human interaction.
Righteous001
yeah i'm paranoid about that too....if i'm installing an app and i see any permission that it doesn't really need, i don't install it...fuck them!
I see your point. I completely agree with you. I got to learn to not take these things seriously. Thank you.
I love this show so much.
3:24 IP address is easily spoofed using a proxy service.
As a person who frequently plays online games on my consoles, I've learned a few 'tricks' that I probably can't discuss here. Though in my adventures I've learned that it is possible to mask your IP addresses on consoles, as well as computers. Though in that sense, IP addresses are often unreliable in nature. You can easily track down an IP to a city, but often times if the person lives in a small town their IP addresses will point to a major city within the same state or province the individual lives in, making the location of the individual unknown. By asking the player for their information they are basically tracking you by your own will, unless you were to falsify that information, which will lead to a ban if your account is ever looked into. It's not about the fact that they can or can't track people through their IP, it's the fact that in some situations, it's more reliable to just ask the player. At least that's what I figure is the reason.
3:11
They want you to confirm that you are where your IP says you are, using a proxy I could easily give another IP address and the company that assumed that was my actual location would be the one breaking the law, not me. If I confirm that I do indeed live there, then at least the company has done "due diligence" in ensuring that the law wasn't broken.
IP address to localisation accuracy is terribly inaccurate unless you're using IPv6. plus with the heavy use of VPN's and proxies it would cause too many issues with localisation accuracy.
In South Africa you have to give permission to banks, phone companies and other institutions to pass on your info to third parties. That still does not stop many of them from doing so.
Actually, they don't have to store that information. There is such a thing as password hashes, and they could very easily be applied to this situation. It allows for them to check if your login credentials are valid, without them knowing it. Most major companies use these, and if Sony wasn't, then they didn't use because of convenience to the consumer. They did it to keep information on you. Look password hashes up. Although governments wanting that information is a little more difficult to get around the company.
With the Internet Protocol (IP) Address thing, they would have to triangulate your location using the radio waves coming off of your router (not computer/console) which we, right now, do not have that kind of technology to start using on anything but government business if we even have it, so until then we would have a ~20 meters(?feet?) diameter around the angle at which the "waves" hit the satellite. (gravity bends space, fyi, & a wave is a particle without mass, specifically a photon)
ip address locationing is very flawed. my ip in my home wifi network actually seems to change my location based on where i sit down with my laptop. it is generally somewhere at least halfway across the state, but its never even in the same city on opposite ends of my house. the closest ive seen it come to finding my location would put me in a city about 30 miles or so from the small town that i live 15 minutes away from.
You can't check your location via IP address because VPNs exist. If i want to make it look like I'm playing in Russia today, Brazil tomorrow, and Mexico on Thursday, I am completely capable of doing that from my studio apartment in Chicago. It's not hard either. I'm a lawyer, like most lawyers, I know very little about how most technology actually works. There's not really a legal reason they can't use IP addresses, except for the practical one that it's very easy to circumvent any regional laws if you choose to verify that way.
if i had to guess i'd say the risk with verifying by ip is that it would be easy to VPN a fake IP. for example as a canadian i used to get american netflix by signing in with my xbox using a US vpn, then they started verifying location with credit cards, meaning you could no longer just hook up a VPN and get american netflix, netflix realised people were doing this, meaning they were breaking very strict canadian broadcasting laws and knew they were at risk for the legal trouble because it's easier to sue a single corporation than 200 000 users.
About IP... You can use a proxy server or send fill in forms through controlling a different computer remotely, which is located somewhere else.
They can't track you by ip because of the fact that there are so many devices connected to the Internet now that permanent ip addresses are only reserved for businesses. Most houses use subnetting to preserve a constant, reliable connection to the internet.
Also, dhcp is also available, meaning that ip addresses are assigned to each device electronically, and can change. All of this ends with ip addresses not being a very reliable way to track an individual device.
What Ghibli movie did they use a picture from?
While this year's attack is very different from the 2012 attack I hope Sony handles this one better. It's not their fault. It will always be easier to break things than to build them. But many of their customers are quite angry at their lack of cyber security.
Multiple reasons you cannot use Ip address to track location.
1. It can be spoofed. This is often what VPN & Proxy service providers will do.
2. Location via IP isn't reliable, as you can have multiple computers run using the same ip. See NAT. www.openbsd.org/faq/pf/nat.html
how about the console's hard disk stores the data
was one of your lawyer friends a "beholder (on the drawing)" or did my eyes trick me?
As a whole it is not unprecedented the amount of change civilization goes through in such a short time now. But as individuals we all go through massive amounts of change our whole lives no matter when we were born. If it was not for each person being born, growing up, raising a family, growing old, and dying then we probably wouldn't even see the amount of change civilization goes through because a world full of 500 year olds wouldn't put up with it.
Vendors like Steam give you the option to not store the credit card information, which is the way to go.
In Steam it is an option to not store credit card info. I prefer to input it myself every time. It seems that on GOG.com CC information is not stored either.
Happy to help. I worked with an internet provider for a while.
Ok after further research it is just saying that third parties can pull a sim city or project 10 dollar. the PS4 will not phone home so no the console will not be online necessary however some games may.
Why can't they get your location from your IP: the IP only gives you the ISP or Proxy location, unlike satellites which use a triangulation system to figure out your location, so they are rather different systems.
You can get the ISP to give you their location but it is a lot of hassle and a lot of ISPs won't give out the information without a warrant.
There are online services that can easily track the IP for free, and they're completely legal. Sometimes the information is screwy, but if you get a warrant on that IP (which after this happened, you should be able to do easily) you can find out exactly who purchased the IP.
The free month subscription wasn't an upsell it was a direct reimbursement due to the length of down time of the network had age up their subscription period and people prepay for the time.
Wow, I was rather blind to most of this. All I remember is saying, "no way, a free game!" and enjoying Infamous for the next month. Ignorance is bliss! :P
basing someone's location might not work too well considering one could use a VPN to change their IP address although I suppose this could be done with the current system as well to bypass the legal issues in your location.
About the location based on IP, well Dan, because IP is not fixed. IPs can change, and if you need to keep track of where which IP address is given out at a certain moment, that would be a hassle. Also, VPNs exist, that mask your IP to an IP on another location. There are various reasons why it can't work 100% of the time.
IP Addresses aren't like house addresses. It's highly unlikely when 192.168.0.1 is my IP, my neighbor has 192.168.0.2.
Also, different ISPs have different addressing blocks and other rules about privacy and protection of their servers... It would create a big headache to make everything work.
It’s to prevent people using a VPN to circumvent geoblocking.
What Sony SHOULD have done from the start of this is simply BE HONEST about what happened… I don’t want a company storing my data if they aren’t going to be honest with me if they get hacked…. I do blame Sony for the bad PR that their unwillingness to tell customers what happened caused, but I don’t blame them for getting hacked…
I remember receiving in my mailbox a free magazine with a demo CD from sony without having asked anything. That was in... wait... 1996? 1997? And then... there was a shift, and their PR got worse and worse.
I guess the 2big2fail virus hits them all at some point.
Sony knows it isn't "too big to fail" because they are slowly downsizing so they don't fail.
What is the Exact Name of the credits theme because it took me to a song list of like 50 songs
+MystPlayesGames It's written in the end credits on the actual video. "Smooth Criminals" by the Vagrance.
*****
Thx I was looking everywhere
YOU DIDN'T EVEN GIVE ME *FINGERS!!!!*
Oh my gosh xD
Especially in the wake of Target and other company systems being hacked and credit card information being compromised, we have to realize that these systems will get hacked every once in a while. While it is up to the companies to try and minimize these occurrences, customers have to accept this will occasionally happen, and deal with the temporary setback maturely. You run the risk of your car being stolen anytime you aren't in it, the only way to not have your car stolen, is to not have one. It is the same with credit cards and personal information like this. You run the risk of it being stolen by simply having it.
I don't think private is the right word for it. For everything online, nothing is private because, as it says in the video, everything about you is stored. I believe the right word for it is security. Think of Facebook or any social media site; they store everything you post - even if it's "private" - and everything you stay with. You only believe that posts are "private" because they are secure and no AVERAGE user can view them. My second uncle has a great view on the internet which is kinda appropriate, which is "Don't do anything on the internet that you don't want your mum to look at.", but apart from mum, you replace it with people or large companies and say they're inescapable. That would have to be security, not privacy.
Old video and old issue, but why don't you store the data (encrypted of course) on the device itself and have the service pull from whatever information you have saved on the device?
Sweet Cal Lightman (Tim Roth) Lie to me* has his picture show up in this episode along with some of the science of the show, Happy fanboy is happy. Other than that great episode as always guys, but I have one question that has always been bugging me is all the content strictly James' work or does Daniel and Allison chip in some thoughts.
It's not just a matter of being hacked. How the data was got is important.
Notice that the data, including passwords, were not encrypted. They were stored as plaintext.
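The difference between the plaintext storage this comment describes and the password hashing suggested earlier in the thread, as an added example (not part of any comment, and not any company's actual code). The user names, passwords and table layout are constructed, and PBKDF2 from Python's standard library is one choice of slow, salted hash assumed for the sketch.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this sketch, to be
# tuned so that one verification is slow for an attacker but fine per login.
ITERATIONS = 600_000


def make_record(password, salt=None):
    """Build what the service stores: salt and derived hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(password, record):
    """Recompute the hash from the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def readable_passwords(user_table):
    """What a stolen copy of the table reveals with no further work."""
    return {user: rec["password"] for user, rec in user_table.items()
            if "password" in rec}


# Constructed sample data: the same two accounts stored both ways.
PLAINTEXT_TABLE = {
    "alice": {"password": "correct horse battery"},
    "bob": {"password": "correct horse battery"},
}
HASHED_TABLE = {user: make_record(rec["password"])
                for user, rec in PLAINTEXT_TABLE.items()}

if __name__ == "__main__":
    print("plaintext table leaks:", readable_passwords(PLAINTEXT_TABLE))
    print("hashed table leaks:   ", readable_passwords(HASHED_TABLE))
    print("login still works:    ", verify("correct horse battery", HASHED_TABLE["alice"]))
```

The per-user salt means two accounts with the same password get different stored hashes, so one cracked entry does not reveal the other. This covers passwords only; data the service must read back, such as an address, needs encryption instead.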
Interesting, i haven't switched on the PS3 since the PSN hack. bought games for it, but never got over how long it took to recover, or saw a reason to play console games, or buy the PS4.
do u have any idea how to dim down the brightness of my computer, it's giving me a headache. i have a hp laptop.
They can't track your ip perfectly because there are more devices than individual ip addresses so sometimes it won't be perfect