Sony's Private Key Files

texastoby
Community Member

Maybe a discussion for the Agile blog, to talk about what we can do to be safe(r) with situations like the one Sony has found itself in. As far as I've read, they haven't revoked the certificates of their potentially compromised key files, possibly opening up users of their software to attack. With so much of our lives dependent on how others take care of our data (Apple, Google, Amazon) it almost seems dauntingly hopeless to stay ahead of trouble these days, secure passwords or not.

Comments

  • RichardPayne
    Community Member

    It's generally best to include a link to what you're talking about to avoid confusion.
    Are you talking about the incident from 3 years ago or is this something new?

  • texastoby
    Community Member

    Sorry I didn't add any links. Here's one and here's another.

    I don't know anything about Sony three years ago.

    Maybe it's all overblown, I don't know.

  • RichardPayne
    Community Member

    If I've read it correctly then there's really not a lot we can do in situations like this other than avoid using Sony services until they've revoked and re-issued keys.

  • prime
    Community Member

    So is there anything I can reason about these certificates? I really don't understand this part at all. Is it something like a certificate that lets my computer know it's a trusted program to download? So if these hackers have the ones that Sony has, people will download stuff they think is from Sony and it can be malware?

  • RichardPayne
    Community Member

    @prime, possibly, although the linked article didn't seem to mention code signing keys. It appeared to be mostly remote access authentication keys controlling access to Sony's business systems. Let's just hope that their SSL keys weren't compromised.
    Hard to rule anything out though without more info.

  • Without knowing exactly what was stolen it is difficult to speculate what possible damage there could be in the fallout of this attack. There are already reports that Sony's stolen certificates are being used to validate malware:

    That said, if you don't use Sony software, or software claiming to be from Sony, I haven't seen reports of other difficulties for end users. Difficulties for Sony? Yes. Difficulties for you and I? Not as likely.

  • RichardPayne
    Community Member

    That said, if you don't use Sony software, or software claiming to be from Sony, I haven't seen reports of other difficulties for end users. Difficulties for Sony? Yes. Difficulties for you and I? Not as likely.

    Remember there's also the potential that malware could be distributed via the PlayStation Network so it's not necessarily just Sony software, although granted, it is a Sony platform.

  • Excellent point. :)

This discussion has been closed.