Sunday, December 21, 2014

Sony: Bad Security and Stupidity

For months now, I have been receiving email statements from Sony Entertainment showing my recent purchases and activities. The email address belongs to me, but the Sony user ID, payment method, and activities do not. These mails were coming about once a week and were starting to become quite annoying. 


After some quick investigation, I determined that this was not spam, or identity theft (at least not mine), but a case of stupidity where someone had registered my email address with their Sony account.

Due to Sony not verifying email addresses before allowing customers to continue registration and purchases, I have been receiving months of unwanted and unwarranted mail from them. 

For months, I have been trying to remove my email address from this account. I tried contacting Sony support, but this seemed to only be available to logged-in users. I tried emailing support@, spam@, and abuse@ to report this as abuse of my email address, but received bounces.

Finally, fed up with all of this annoying spam, I decided to see if I could just log in and try to remove myself from this account.

I went to the login screen, but I didn't know the password. So, I decided to try resetting the password. Since my email address is the one on file, I should theoretically be able to use this page to submit for a password reset and receive a password reset link.



It worked! Sony sent the password reset link to my email address.

I clicked the link, which took me to a password reset page. However, before getting to the form to reset the password, I was challenged with a birthdate verification check. This was good, but maybe not as foolproof a security method as one would think.

That said, it did have me stumped and quite frustrated. I thought I might just give up on the password reset and just live with the onslaught of spam. I didn't really have any options other than to start marking them as spam or creating a filter to bounce them back to Sony. This would probably just create an endless loop of bounced email messages and not really solve the problem.

So I tried entering in some random dates. All failed. Then I thought, maybe if I repeatedly enter wrong dates, it would trigger something and lock the account. That would be good because at least someone would take notice and maybe do something with the account. So I went about entering random dates, hoping this slow and manual dictionary attack would set off some alarms. It didn't. I must have tried 20 or 30 variations, but nothing triggered. It just kept prompting me for more tries.

Then I was looking at the user ID... (example only) sonyuser1225. Hmm... 1225... That kind of looks like December 25th. But who would be stupid enough to use their birthdate in their user ID?! Well, unfortunately, this is not uncommon and given that this user was oblivious enough to register someone else's email address and continue to use it blindly for months, chances seemed high that this was *the* birthdate.

So I tried Month: 12 Day: 25. But then what to enter for a Year? Well, considering he's using a PlayStation to stream media and play games and that he is clearly... Let's call this 'naive' to put it very mildly... I made the assumption that he was born between 2001 and 1995.

So I just worked backwards until I hit the right number and... Bingo! I was presented with the password reset form. I quickly entered something snarky as the new password and hit submit. After submitting the form, I was redirected to the Sony account home screen.


And from there, I had easy access to anything in the account. Full name, billing address, and billing name. Credit card was not fully visible, which is good practice, but with the credit card registered, it would be very easy to go on a little shopping spree on his behalf. But as annoyed as I was about some idiot using my account and Sony's belligerence with account management, I would never stoop that low. I was in for one purpose only - to remove my email address and end this abuse of my email address.



But back to the job at hand. I moseyed over to find the profile where I could edit and remove my email address. But before I did, I stumbled upon this notice:



Great, so at least Sony is aware that the email address has never been verified. But how could they continue to let this person use an unverified account? That is ridiculous! They should lock the account until verified to prevent these kinds of issues due to accidental, malicious, or just plain stupid misuse of email addresses.

Anyway, mission accomplished within just a few minutes and I was out. No need to linger or abuse my temporary access privileges. The only damage caused is that the user is now effectively locked out - and rightly so. They and/or Sony needed to take notice of the account anyway. I was the victim and my email address and inbox were being abused. My account is now out of the picture, and the user has a chance to clean up their debacled account and register an email they legitimately own. 

Well, this experience highlights a few important lessons:
- Users should never use identifiable or easy-to-guess information in their username
- Providers should have checks in place to prevent this in their forms
- Users should never register an email address that isn't theirs (It's really not that hard to get this right)
- Providers should request the email twice as confirmation in their forms to rule out typos
- Providers should email users a verification link and require they click on it before enabling services on an account
- Providers should always provide a way for users to easily contact them, report abuse, or report misuse of accounts or other personal information
- Providers should detect when a user authentication fails continuously and either lock out the user or prompt for a 2-factor auth method
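As an added illustration of the provider-side lessons above (my own example, not Sony's code; the names and the five-attempt limit are assumptions), here is a minimal reset flow that refuses to send a reset link to an unverified address, locks the birthdate check after repeated wrong answers, and flags user IDs that embed the birthdate they are supposed to protect:

```python
from dataclasses import dataclass
from datetime import date

MAX_ATTEMPTS = 5  # assumed lockout threshold for the knowledge check


@dataclass
class Account:
    user_id: str
    email: str
    email_verified: bool
    birthdate: date
    failed_checks: int = 0
    locked: bool = False


def make_account(user_id, email, email_verified, year, month, day):
    """Constructed sample account; avoids callers having to build date objects."""
    return Account(user_id, email, email_verified, date(year, month, day))


def username_leaks_birthdate(user_id: str, birthdate: date) -> bool:
    """Flag a user ID whose digits contain the birthdate in common layouts."""
    digits = "".join(c for c in user_id if c.isdigit())
    patterns = {
        f"{birthdate.month:02d}{birthdate.day:02d}",   # MMDD, e.g. 1225
        f"{birthdate.day:02d}{birthdate.month:02d}",   # DDMM
        str(birthdate.year),                            # YYYY
        f"{birthdate.year:04d}{birthdate.month:02d}{birthdate.day:02d}",
    }
    return any(p in digits for p in patterns)


def request_reset(acct: Account) -> str:
    """Only a verified address may receive a reset link."""
    if acct.locked:
        return "denied: account locked"
    if not acct.email_verified:
        return "denied: email address not verified"
    return "reset link sent"


def verify_birthdate(acct: Account, year: int, month: int, day: int) -> str:
    """Knowledge check behind the reset link; locks after MAX_ATTEMPTS failures."""
    if acct.locked:
        return "denied: account locked"
    try:
        correct = date(year, month, day) == acct.birthdate
    except ValueError:          # impossible date counts as a wrong answer
        correct = False
    if correct:
        acct.failed_checks = 0
        return "ok: show reset form"
    acct.failed_checks += 1
    if acct.failed_checks >= MAX_ATTEMPTS:
        acct.locked = True
        return "denied: account locked after repeated failures"
    return "wrong: try again"
```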

Sony currently has a lot of security problems to fix, many of which are far more serious than this. But proper email and account management should definitely be added to their list.

And while I felt slightly shady about having to go about it in this way, I felt that I was left with no choice given that I couldn't contact anyone at Sony and couldn't be fully certain that this account wasn't somehow mine until I logged in and verified the details. So I've documented this here to leave as an example and offered these lessons learned to help others improve their practices, both for users and for service providers.

Note: You should also be slightly impressed that this whole process and the writing of this article were done on a mobile device.

Wednesday, June 27, 2012

Album Review: Smashing Pumpkins - Oceania

Before I get into this, I must point out that I am a huuuge Smashing Pumpkins fan. So with that comes a highly critical opinion.

Smashing Pumpkins' newest album, Oceania, is a mishmash of classic Pumpkin sounds put to meaningless lyrics and forgettable tunes. There is hardly a single identifiable melody on the entire album, making it only passable as background noise. The opening track, Quasar, sounds like a desperate attempt at bringing back the Smashing Pumpkins sound, but the result is rushed and crammed with noise.

The songs are choppy and unbalanced. Many of them sound as if they were recorded in isolation, with different instruments played at different times, and the vocals added well after. Unfortunately, the nostalgic sounds of Billy Corgan's voice are lost into what feels like bad karaoke.

While there are a few redeemable songs, nearly all of them lack commitment. There are too many switches in melody, mood, tempo, volume, and even instrumental effects. Not the kind of classic Pumpkins music that people will be rushing to imitate or cover. Still, somehow the album has its place on the great Pumpkin mantle.

I was surprised to see that many of the early reviews on iTunes were highly enthusiastic, with people giving five stars and stellar comments. Many claimed that the new album signaled a long-awaited return of the Pumpkins and that the original Smashing Pumpkins sound was back. One reviewer went so far as to point out how 'it wasn't the train wreck that Zeitgeist was'. This couldn't be more opposite the truth in my opinion. In many ways Zeitgeist was one of their best albums ever, and what it had going for it was that it actually had real melodies and memorable tracks - songs that people will remember and want to emulate. Oceania, sadly, is mostly forgettable.

Still, as a die hard Pumpkins fan, I bought it and will continue to give it a chance, but mostly in support of the band and everything they've ever done. I hope other Pumpkin fans will do the same.

Friday, February 17, 2012

Skate Sharpening

If you already know all about skate sharpening, you can probably stop reading now. If not, read on for some advice.

Where to Sharpen Skates
The most convenient place to have skates sharpened is right inside the Pro Shop of our home ice, Sharks Ice. But there are plenty of options around the Bay Area:
- Sharks Ice San Jose
- East West Skate Sharpening (Across the street from Sharks Ice)
- Power Play Hockey
- Other ice rinks:
- Sharks Ice Fremont
- Oakland Ice Center
- Ice Center Cupertino
- Ice Center San Mateo
- Nazareth Ice Oasis Redwood City
- Belmont Iceland
- Yerba Buena San Francisco
- Dublin Iceland

When to Sharpen Skates
It's not always easy to know when and how often to sharpen skates, but here are some general rules of thumb:
- When skates have rust spots
- When there are obvious chips, dents, or other damage to the blade
- If the blade edges clearly look uneven or rounded

Here's what a sharp skate should look like: [link]

- The 'Fingernail Test':

This classic test is to carefully and lightly run the edge of your fingernail across different parts of the blade. If it scrapes off, it's probably plenty sharp. If it doesn't, it's definitely time for a sharpening.

- Lastly, just ask your little hockey player how their skates feel

I hope this helps.

Wednesday, August 31, 2011

A message on iOS Security

Important message for iPad/iPhone/iPod touch users:
- Update your device's software
- Don't open PDFs on your device unless you absolutely trust the author
- Be mindful of the web sites you visit

Apple iOS contains some pretty serious vulnerabilities that can be exploited by malicious code crafted into PDFs as well as web pages. The exact extent of the damage made possible by these holes is not widely known, but I have read that devices can be jailbroken through the browser and have witnessed first hand an attacker taking full remote control of an iPad running iOS 4.3.3.

The latest updates try to patch these holes, but others are often quickly discovered. Stay on top of updates and be smart.

Note the article below is not the latest software update, but has relevance to this type of attack.

http://support.apple.com/kb/dl1358

Tuesday, March 15, 2011

Radiation Rising

NHK just announced that radiation levels around the Fukushima facility have reached dangerous levels. People living within 20~30 kilometers have been asked to stay indoors and follow radiation exposure safety precautions.

They have also said that Tokyo, Saitama, Chiba, and Ibaraki have all detected higher than normal radiation levels in the air. They say it is not immediately dangerous to humans, citing that it is around the same level as found during the Cold War, when radiation levels rose in Japan due to US and USSR nuclear weapons tests, which did not pose immediate harm at the time.

Monday, November 15, 2010

Moving on

Dear family, friends, colleagues, teammates, fans, and others,

As many of you know, my family and I have decided to leave Japan to start the next chapter (and the next decade) of our lives in the US. My last day in Japan will be one month from today, December 15.

I'd like to say thank you to Japan, Asia, and everyone that has made an impact on me over the last 11 years. Japan and Asia have become home for me, and even more so for my family who were all born here. It has been a tremendous pleasure and I will be forever grateful. To all of you, until we meet again...

a||en

Sunday, March 28, 2010

iPad Wi-Fi + 3G: What exactly will 'unlocked' mean for roaming consumers?

According to Engadget and a variety of sources reporting on the matter, the iPad Wi-Fi + 3G model will come completely unlocked, giving consumers the ability to choose the data provider of their liking.

In the US, this means an AT&T pre-paid non-contract service, for now. Hopefully, others will follow.

Meanwhile, what does this mean for other markets? Japan, for example, has always strictly held to a stance of locking consumers into their devices for multi-year contracts. Will Softbank, who currently operates the iPhone, or NTT Docomo, Japan's largest provider, which is rumored to be eyeing this iPad opportunity, follow AT&T's lead and allow a pay-as-you-go non-contract, or at least non-locking, plan for the iPad?

The latest rumors in Japan, more focused on general mobile phone use and unrelated to the iPad, shockingly point to yes. Rumors are that the major Japanese carriers are considering changing the business model to include unlocked phones allowing consumers to compete for their services, rather than the phones they provide. Though one Japanese article mentioned that these companies are feeling pressure from lost business as traditional users are attracted away toward the iPhone, which currently means only Softbank.

Now back to the iPad. What I'd really like to know is, as an international traveler, will I be able to buy my iPad Wi-Fi+3G in the US and use it in Japan with a 3G data plan? Or conversely, can I buy my iPad in Japan and use it with a plan from AT&T? Since I'm not really willing to be the guinea pig, I guess only time will tell.

Though ultimately, in my opinion, the best option would simply be to allow tethering with the iPhone. Why pay for two plans that do roughly the same thing?