Hacking to some real experts at it means a good thing of creativity, but to most people hacking is a malicious security breech.

The website for Deus Ex: Human Revolution from developer Eidos has been compromised and all details stolen. For a while some epeen (ego) was on display which is reproduced below:

“Owned by Chippy1337”. I shudder at the leetspeak I really do, even if it is a front. It would appear Anonymous is not that united and I have seen this kind of politics played out before.

What hackers have done with all this activity is expose just how weak some corporations security defences are. Millions trust these companies with details and it would appear many companies are not worthy of that trust.

It looks like the long PlayStation Network (PSN) outage is starting to affect retail. Naturally sales of point cards are down, this is to be expected. But the shift seems to be deeper. Cancelling PlayStation 3 (PS3) game preorders and trading in PS3 consoles for Xbox 360s or nothing.

Amazing. Who would have thought hackers would end up supporting Microsoft?

Looks like the First Person Shooter (FPS) crowd who like to play online are leading the move to dump their PS3 consoles for the XBox which makes sense.

Security is never guaranteed but that doesn’t mean there’s no difference between security. Two ongoing problems in security are the system weaknesses and password failure. System weaknesses are ongoing and why you are encouraged to keep your software up to date especially if it’s exposed. System weaknesses are always being fixed as they are discovered.

Passwords are a more static problem. We are encouraged to use strong passwords with numbers, letters and characters as well as upper and lower case. Avoid the more obvious words and things like birthdays. Use a separate password for each account. Keep them long and renew them from time to time.

There are two major problems with passwords which means I see a day where they are inadequate to security. One is that there are so many. So very many that people are slowed down retrieving or remembering them. Many people use some form of password store or write them down somewhere which is a security issue in itself. The other problem is that brute force style attacks are getting stronger and may one day overwhelm us with needing 128 bit passwords which really enters the realm of silly.

So what security will replace passwords?

Thanks to: RPS and GamesonNet

The PlayStation Network (PSN) which provides online and multiplayer services for Playstation console users has been down for over a week which is remarkable in itself.

The problem has been due to an illegal intrusion onto their systems commonly referred to as hacking. This happened between April 17 and April 19, 2011. One might leap to the idea that Anonymous is responsible but they have denied involvement. The real perpetrators are as yet unknown but may be brought to light by the security experts.

Sony just released information on just what kind of details were compromised. These include:

• Name
• Address (city, state, zip)
• Country
• Email address
• Birthdate
• PlayStation Network/Qriocity password and login
• Handle/PSN online ID

It is also possible that the following has been compromised:

• Profile data, including purchase history and billing address (city, state, zip)
• PlayStation Network/Qriocity password security answers
• Credit card details

It’s quite a lot of detail and if you are a victim of this I would strongly suggest you look to your own security especially if you use your PSN password elsewhere. Be aware of scams that might crop up and if you’re worried about your credit card take action on it.

This is a very long outage with potentially serious consequences for their customers so I don’t think this is going to do Sony’s image any favours. It seems Sony have done what they can to deal with it but that of course doesn’t remove what happened. They claim some services may be restored in a week, so this is going to be a long haul.

Update 28 April 2011:  Didn’t take long for a class action lawsuit to pop up.  Looks like Sony are taking advantage of the downtime to rebuilt their network for better security too.

The games digital download site Steam has just pushed through their new security feature; Steam Guard

In a nutshell, Steam Guard prohibits your Steam account and therefore your Steam Games from use on computers other than your usual one(s). For many Steam gamers who only use the same systems, this can be a useful security feature so long as your email account is not compromised as well. Steam Guard can be overridden via email or deactivated for those who roam too much for this to be workable.

It does not use Intel’s identity protection.

I looked but haven’t spotted any serious drawbacks to this feature. For most Steam users the feature will work automatically.

I’m sure I’m not the only one struggling with the maintenance of an enormous internal database of passwords. Well… enormous by human standards.

I don’t know about you but I have passwords for a gaggle of online games, passwords for even more social networking sites like Twitter and Facebook. Some for Linux and Windows Admin. There’s forums, emails, the ISP, my host, MSN, Google Everything, the banks, wikis, everywhere you turn they want your details and a login.

As they say; “Please sir, may I be excused? My brain is full.”

Of course, the main reason for passwords is to provide a barrier to the hoi polloi which they have oh so graciously allowed you to get past. More and more often, especially nowadays, it is an excuse to grab your details for marketing.

Have you come across this scene before? Upon revisiting a website you joined oh a few months ago.. or something.. to check up, you have to enter your username and password… and you stare. Now whatwasitagain? Something with a ‘t’? Did it begin with an ‘s’? Oh I can’t even remember the username…..

It is here you go for the backup plan. Maybe, god forbid, you shared the password with actual humans and ask them whatiswasagain. Perhaps you trawl through an army of emails, a little black book of supa sekrit passwords. Failing that there’s always the dreaded ‘forgot your password’ link.

I’m sure most readers here know the importance of relatively long complex passwords. Which means upper and lower case, numbers, as well as avoiding common words, girlfriend’s names and your date of birth.

There are solutions to this dilemma of course. All of them half baked.

1. You can use one of the plethora of software password (and often form) automaters. Kubuntu has one builtin called kWallet. Meh. Many internet toolbars also have one.

Of course the problem with this is you often need a master password, though one is better than many, need to very much trust the software, and toolbars are often not high on the trustworthy scale. There’s also the possibility that you might loose access to it for some reason and there goes all your access to everything else.

2. Most browsers have a password storage system similar to the above which is probably not terribly secure from any perspective but I suspect used heavily, especially for passwords which aren’t too important.

3. Some people use a ditty. It can be as silly as you like as long as it results in a complex password. Let’s see if I can make one up on the fly.

‘we All 8 more icecream when 3.’ which would go as wA8micw3. Which is probably ok. Don’t use this example. Really.

The extended problem is that instead of passwords cramming up our internal database we’d have a plethora of ditties instead. It’d be enough to turn you into Patsy Biscoe.

4. A fairly new and very hopeful idea of OpenID. Basically this involves registering yourself under OpenID standards. Much like a software password automater, you then have a master password to access it. You then get your OpenID which is effectively a website address. To use it you simply pop the OpenID into the login for your desired website and it then talks to the OpenID where you give it access to the details you want

There are quite a few benefits. You’re less likely to loose access to your OpenID, you don’t have to enter a username and password, just the OpenID. OpenID can give your details with your permission to an enabled website during a registration which makes for fast and easy signups.

The other interesting thing is that you may already have an OpenID if you use one of the many social networking sites such as Myspace, Google, Blogger or Flickr. For OpenID is a standard usable by anyone and you can even host your own OpenID if you know a bit about webhosting.

The main problem is that not all websites with passwords are OpenID enabled.

So there’s no easy way out but there are things that can help. There’s also a silver lining to all this technochange, we’ve had a significant reprieve from the telephone number database required in the past thanks to phone memory. Of course, then loosing the phone can mean social disaster.