Anonymous vs Sony: Word-by-Word Q/A between Reporters and Sony during the Conference
Q. The accuracy of approximately 10 million credit flow
A. There is no firm evidence of leakage. Cannot say whether there was a leak or not. There is no report so far.
Q. Prospect of resuming services.
A. We want to restart the service on a country/region basis. Basically on a schedule of approximately a week. (a week from today?.. previously we heard about the same "a week" matter..)
Q. What has the effect on the business been so far?
A. Cannot tell yet, there are many things to handle, one at a time.
Q. What was the condition when you first sensed the trouble?
A. It was confirmed that hacking with a highly skilled technique was underway. But we still don't know whether data was stolen / taken.
Q. Why did you announce privacy data was stolen then?
A. The possibility existed; what/when/how is still under investigation. The number of accounts is between 7700000 and 7800000, plus there are double accounts.
Q. What was your damage report and what is the legal action you took?
A. Basically SNE's business foundation is in the US; we reported to the FBI and asked for an investigation. It's still under investigation so we cannot comment more on this. (.. this part is the right thing to do..)
Q. Was any security vulnerability used as the attack vector?
A. There was a well-known vulnerability which we (SNE) did not even know existed in the system (this could be a web-based kind of vuln...)
Q. What kind of server was the attacked server?
A. If we answer that you will question us more deeply, so the answer is no comment. (.. politics... politics..)
Q. You guaranteed the credit card reissue procedures for each account?
A. Privacy protection law differs in each region, so it depends on the area.
Q. Information disclosure for this incident was very slow, do you recognize it?
A. We made the internal hacking announcement, shut down the system, and requested an investigation; the shutdown was also done in steps.. In order to disclose, the current data first needed to be analyzed; it was huge, and it took more time than expected. (... looks like they don't know where to start..)
Q. Is there any relation between the previous hacking incident and the current one?
A. Currently we are not in a condition to decide that yet..
Q. Do you know what the target of the current intrusion incident is?
A. We have no idea why they attacked our network, or what the purpose/target of it is.
Q. Are the passwords encrypted?
A. We made the intrusion prevention system as security therefore the password was not encrypted.
Q. How about the current damage in network strategy?
A. As a long-term response to this matter, we will fix the strategy for both the short- and long-term security vision of the network service. The NGP and the roadmap are unchanged at the moment.
Q. The currently registered accounts which need to be deleted by users, how will you follow up?
A. We will follow it right. One by one.
Q. How about the users who will not/don't/can't change the password later, will you provide an action from the PSN system?
A. We will announce the request to reset the password for all PSN users. Whether the system will perform some action or not, we will confirm.
Q. How about future hacking and cracking?
A. We will provide PSN with a much better platform, including 3rd-party collaboration, for the future.
We won't forgive the customization/modification of our product.
Sony: "The password was not encrypted, BUT protected by HASH"
(...hashes... my password only protected by hashes.....good lord..)
Q. Do you know the risk that the current incident will happen, but WHY do you keep continuing service? What will be your plan?
A. We will keep on protecting the user's privacy. So we took this hard lesson and are supporting it accordingly.
Q. Why is there a time lag in the official blog announcement between the international one and the Japan one?
A. The way of announcement/communication differs between areas/countries, that was why.
Q. About the PS3 Root Key Cracking
A. For security purposes we cannot comment much now, but basically we will deal with it on a business (or it can be assumed as legal) basis.
Q. For the compensation you said you will consider launching a free download contents campaign, but what about the FINANCIAL GUARANTEE for the compensation?
A. We guarantee the privacy of the credit card users, we also guarantee for the loss related to the service shutdown, and if there is a loss related to the card being used then we will guarantee and support it case by case.
Q. What about your Risk Management responsibility?
A. The first thing that has to be done is to bring back the market's trust in the SONY product/service.
(...which will be the hard part to do I guess....)
Q. You explained before that you were protecting systems with the best, but in the end why could you get hacked?
A. We did the best we think for the security system. You may say that we were weak, but we WILL improve it.
Q. SONY has a Japan office too, why did you not even call the Japanese Police about this incident??
A. There is no matter of prejudice in it; the request for investigation was made to many countries' authorities, not only to Japan.
Q. Until the 20th there was no such announcement from your side! Why? In the future what will you do about this miss?
A. After the intrusion we were busy focusing on the monitoring. The vulnerability was discovered at the same time too.. We cannot support efforts to accelerate the cycle for everything at the same time; as soon as we are sure, then we announce.
(...a very diplomatic way to say it.. this part needs my energy to make the English nuance correct ..)
Q. Currently, what is the PS2 and PS3 market share? How many users actually exist now?
A. We don't have the latest data yet, we will reconfirm and inform later.
Q. While you released the information about the stolen privacy data on the 27th, why did you NOT hold the press conference at that time??
A. The existence of the privacy leak possibility was clarified on the 27th and we made the announcement of it on the same day by blogs; we are doing the press release today as scheduled in the internal roadmap.
Q. You have FW and IPS yet the attack bypassed them, how? And why?
A. The firewall couldn't detect it as an intrusion; it looked like a normal data transaction, like regular command processing between clients and servers.
Q. How about the disclosure of the logs?
A. It is currently under investigation, we have nothing to inform for the time being. Regarding the result, it will bring possibilities which will affect the timeline. So.. no comment for now.
Q. Until now, was there any kind of similar intrusion before?
A. There was not anything like this. For this kind of intrusion this is the first time.
Q. How about the current security of the firmware?
A. We will improve it.
Q. Back to the incident compensation matter, how much do you plan to pay to every user?
A. There is no hard evidence of the privacy leak even now, so we cannot respond to your question; however, if any financial damage has occurred we will handle it case by case.
Q. It was detected that the user agreement rules were changed on the 28th, why was that?
A. The system itself is not a user-based registration system like software is, so basically there's no such user agreement scheme as you assume. But we are considering the procedure for cancelling the user registration for the current special case.
Q. It is not just a matter of the credit card being stolen; above that, what do you plan for your PRIVACY LEAK incident?
A. If THERE IS ANY DAMAGE reported about this, we will start to deal with it; so far no report or claim has come to us about this leaking matter.