I work in VFX, and it's a little bittersweet to see Sony Entertainment on its knees.
First, various people like Sony have been forcing VFX houses to go through draconian security changes to stop this kind of threat. (Supposedly because one of us leaked Expendables 3, despite none of us having the complete movie or sound.)
These rules include three separate zones, of which only one has access to the internet. All USB storage is disabled. All internet access must go through a terminal server. (all our phonehome services for disks now don't work)
All data must go through a purgatory like intermediate stage, for the data ops guys to move out to the "outside" zone, for upload to studios.
We then have monitors to look at the data flow, to see if weird stuff is happening.
So if they'd followed the MPAA's own advice none of this would have happened, unless of course it was an inside job. Which in my mind there is little doubt.
I can confirm this is industry wide when dealing with the big movie companies. I work in the big data industry and we have several of those clients under the MPAA and have had to go through multiple security audits just for their business.
What kind of security things do they require? Stuff like using two factor authentication? (Not storing passwords in a spreadsheet would also be good, but they clearly don't require that ;)
Oh no, they require that, but that's difficult to enforce.
Strict AD passwords, account lockouts after n attempts, password rotations every 90 days.
The internet must have an air gap between it and the "production" network. So that means internet in terminal server clients. (we used to be able to get away with VLANs, and just have a clientside VM on a different VLAN)
No automated mechanism to move data between the "production" network and the outside world. Any data that needs transporting must be accounted for (and that's literally terabytes a day.)
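The "must be accounted for" rule in the comment above is easiest to enforce mechanically: every transfer out of the production zone is logged, and the log is reconciled against what data ops actually approved. The script below is an added example, not code from the thread or from any MPAA document; the log format, the ticket manifest, the business-hours window and the spike factor are all assumptions I constructed for illustration.

```python
"""Reconcile a production-to-outside transfer log against the approved
manifest and flag unusual egress. Added example; all data is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one line per transfer out of the production zone.
# Fields: ISO timestamp, transfer host, data-ops ticket id, bytes moved.
TRANSFER_LOG = """\
2014-12-01T09:15:00 xfer01 T-1001 524288000
2014-12-01T10:02:00 xfer01 T-1001 734003200
2014-12-01T14:40:00 xfer02 T-1002 1073741824
2014-12-02T09:05:00 xfer01 T-1003 629145600
2014-12-02T22:30:00 xfer03 NONE 53687091200
2014-12-03T03:10:00 xfer02 T-1004 42949672960
"""

# Constructed manifest: tickets approved by data ops and the size they cover.
APPROVED = {
    "T-1001": 1_300_000_000,
    "T-1002": 1_073_741_824,
    "T-1003": 629_145_600,
    "T-1004": 1_073_741_824,
}

# Assumption: transfers between 08:00 and 18:59 are routine; others are not.
BUSINESS_HOURS = range(8, 19)


def parse_log(text):
    """Turn the whitespace-separated log into a list of transfer records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ticket, size = line.split()
        records.append({
            "when": datetime.fromisoformat(ts),
            "host": host,
            "ticket": ticket,
            "bytes": int(size),
        })
    return records


def audit(records, approved, business_hours=BUSINESS_HOURS, spike_factor=5):
    """Return (kind, subject, detail) findings for transfers that are not
    accounted for, exceed their ticket, run after hours, or spike in volume."""
    findings = []
    by_ticket = defaultdict(int)
    by_host_day = defaultdict(int)

    for r in records:
        by_ticket[r["ticket"]] += r["bytes"]
        by_host_day[(r["host"], r["when"].date())] += r["bytes"]
        # Every transfer must map to a ticket data ops approved.
        if r["ticket"] not in approved:
            findings.append(("unticketed", r["host"], r["ticket"]))
        # Transfers outside the routine window deserve a second look.
        if r["when"].hour not in business_hours:
            findings.append(("after_hours", r["host"], r["when"].isoformat()))

    # A ticket that moves far more than it was approved for is suspicious,
    # even when the ticket itself is legitimate (10% slack for packaging).
    for ticket, total in by_ticket.items():
        if ticket in approved and total > approved[ticket] * 1.1:
            findings.append(("oversize", ticket, total))

    # Per-host daily egress compared with the median across all host-days.
    baseline = median(by_host_day.values())
    for (host, day), total in by_host_day.items():
        if total > baseline * spike_factor:
            findings.append(("volume_spike", host, str(day)))

    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(parse_log(TRANSFER_LOG), APPROVED):
        print(f"{kind:13} {subject:8} {detail}")
```

On the constructed sample this reports one unticketed transfer (xfer03), one oversize ticket (T-1004 moved roughly forty times what was approved), two after-hours transfers and two host-days whose volume is more than five times the median. The median baseline is deliberately simple; a real deployment would keep a rolling per-host history rather than a single batch, but the reconciliation step (no ticket, no transfer) is the part that makes "accounted for" checkable rather than aspirational.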
You are assuming Sony really cared about the MPAA's advice.
My bet is that while Sony was forcing other vendors to follow draconian security measures, they themselves had very lax security. Keeping the SSNs of 3000+ employees in a non-encrypted Excel file?
That alone tells me Sony didn't have tight enough security, hence hack by outside (teenagers or N Korea) is more likely.
Things like this happen all the time, where a big company/org tells vendors to follow some rules while they themselves ignore them. All the time.
Naa, Sony couldn't give a shit about security, it was a cost that they thought wasn't worth bearing. It's the same as any other company.
The problem is that a lot of the first release stuff came from HR. As we all know HR types rarely understand computers, let alone security. Even if they had a password repo that was super secure, it would be easier for them to share a spreadsheet, so they'll do that instead.
For all we know, Sony could have had fairly tight security. From my understanding there were hefty ACLs to stop various sides of the business talking to each other. Yet these were still breached, for a long time and lots of data seeped across.
The way the malware was written, and the actions of the hacker(s), leads me to suggest that this was an inside job. It is very hard to sneak out large amounts of data, and fiddling with change control whilst not being detected is very difficult. Unless you know how to imitate the normal ebb and flow of work life.
The problem SPE have now is that they'll have to throw away everything and start from scratch. All previous data will have to be quarantined, all infrastructure from the servers, switches, printers to the workstations will have to be disposed of. Why? Because there is no way of proving that there isn't any malware still embedded.
This has happened at plenty of places!
Ever worked on a Marvel film? They're insane about security - only certain parts of the studio are actually allowed access to that show's dailies, assets, etc.
We did image processing for movie applications many years ago. The studios sent armed guards with the data tapes. They had instructions to remain with the tapes until the job was done. That often meant 16 hour days. Intimidating but a rather false sense of security. I am sure they are far more sophisticated today.
Whilst I agree that following security best practices is important, I think you miss the point of my post. WE are implementing the rules they drew up. From what I can see they did not.
Your melodramatic announcement of no longer participating in HN discussions directly contradicts your desire for reason to prevail over sensationalism.
This may be true, but #2 and #4 are pretty weak explanations.
#2: There's no such thing as "Traditional Korean" (just South Korean, and North Korean), so saying that they don't speak "Traditional Korean" in NK is pretty severely misunderstanding the language. The Korean locale/encoding is very easily changed as a setting, obviously, but it's also possibly used by NK hackers because it would let North Koreans type in Korean. Saying "North Koreans don't speak the same kind of Korean as spoken in South Korea, and thus wouldn't have a Korean locale set" is kind of like saying "Americans have their own dialect of English as distinct from the British, so they probably will not have any English-language keyboards."
#4. Doesn't the fact that the hack seems to be for retribution and not for personal gain precisely fit the motives of a propaganda-oriented country? Would you expect a dictatorship that works on propaganda and political influence to really negotiate some sort of deal with Sony?
My bet is that it's some mercenary hacking group hired by NK, not necessarily a state-sponsored thing but by a few high-up individuals within NK --- but not by North Korean hackers themselves.
Yeah, the "Traditional Korean" bullshit totally destroys the article's credibility. What's the alternative? Simplified Korean? Somebody's confusing Korean with Chinese here.
The author also suggests that North Korean material is likely to contain Chinese; this is also bullshit. As part of its ultra-nationalistic ideology, North Korea has been trying for decades to purge their language of loan words, including Chinese. On the other hand, (Traditional) Chinese letters are routinely found in many South Korean publications even nowadays.
Besides, no modern operating system even supports the ko_KP locale, so anyone in Pyongyang who wants to use foreign-made programs will have to resort to ko_KR. For all we know, the hacker could have been a South Korean teenager with Japanese citizenship living in Hong Kong or whatever.
#5 is a contradiction of #1. If someone's already pretending that the hack was perpetrated by DPRK then #5 would have been their primary pretend reason.
>Doesn't the fact that the hack seems to be for retribution and not for personal gain precisely fit the motives of a propaganda-oriented country? Would you expect a dictatorship that works on propaganda and political influence to really negotiate some sort of deal with Sony?
So, like US agencies pretending to be North Korea?
At some point, somewhere, someone will posit that "it's all the US' fault!".
This doesn't necessarily mean it's not true, but in certain cases, like the fall of the Roman empire, the evidence is probably kind of weak, unless your alien friends have let you in on the existence of a CIA time machine.
You guys can downvote all you want, but the law is true. Get a big enough discussion on any political topic, and someone will explain how the US is the root cause of whatever problem.
>This doesn't necessarily mean it's not true, but in certain cases, like the fall of the Roman empire, the evidence is probably kind of weak, unless your alien friends have let you in on the existence of a CIA time machine.
The evidence for covert operations is by definition weak.
The historical precedent though of other acts (that have been verified or been unclassified) in the past 60 years, speaks volumes...
Let's put it this way: countries with global reach, and interests in controlling the whole world, especially areas with natural resources, trade ways and such, are not that many. Even fewer have worldwide operations, tons of equipment and expertise, the most well-oiled armies/agencies in the world, and a historical penchant for messing outside their borders (e.g. http://en.wikipedia.org/wiki/Mohammad_Mosaddegh ) and crude propaganda (e.g. http://en.wikipedia.org/wiki/Operation_Mockingbird ). And even fewer believe in things like "Manifest Destiny" or that they are the model country for the world (hardly any European country believes such crap, besides maybe Germany, and that didn't turn out that well for them).
I don't think NK is one of them. It might qualify for some stuff (delusion, crude propaganda, but then again no one outside their borders believes it), but it hardly qualifies for others...
Like North Korea are a bunch of innocent boy scouts? Just because the US does dirty stuff doesn't mean that all dirty stuff is per force carried out by the US.
It seems that you are putting your conclusions ahead of the few known facts.
They are developing a nuclear weapon and have the fifth largest army in the world (even if it is not the most modern). They also have limited support from China. Most of the people may be poor in this country, but I would not consider North Korea a state with limited means.
No, it's just a third world country, with limited means.
The military budget of North Korea is estimated to be around $10 billion USD. It has a million active troops, 6,600 tanks, 700 MLRS, 460 fighters, and so on.
The country is perilously poor. Many people starve. But the means are there for an operation like this, especially if sponsoring foreign groups, if the motivations allow.
And to counter the growing narrative that the NK thing came out of nowhere as a convenient excuse -- the country was very offended by this movie six months+ ago, long before the hack, to the point of threatening military retaliation if it was released. Engaging in or hiring hacking groups to put the pain to Sony seems entirely within the realm of the possible, though threatening actual terrorism is a bridge too far, and overplayed their hands if they were involved with that.
The budget figure is probably BS. Their whole GDP is about 12 billion USD in toto -- and they give around 10-15% of state expenditure to the military budget (the peak was 30%, according to wikipedia, back in the seventies).
But even that figure ($10b) is comparable to places like the Netherlands, Qatar or Poland (hardly forces to be reckoned with), and 1/3 of what South Korea spends:
All military figures are BS. North Korea has 1,000,000 active member troops. Canada has 68,000 active member troops.
North Korea has more of everything than Canada, including aircraft, boats, and even nuclear weapons.
Canada spends $23 billion per year.
And as to forces hardly to be reckoned with, if you're talking about a conventional war with the US or something, sure. To put that into contrast with hacking Sony, though, is utterly ludicrous. The latter could likely be achieved by paying a group less than it costs to operate a single fighter aircraft for a year.
While North Korea does have enough capacity for trouble, your figure of "6,600 tanks" etc. should be taken with a big grain of salt. Those tanks are ancient.
This is how the world works. Everyone pretends that the US only is the problem and says 'well it's the US so we can't do anything' but in reality the entire West acts as one. I mean what are you going to do hate the entire West?
Iceland, the Netherlands, Switzerland and Norway all said they'd consider his asylum request if he made it from their soil, as their laws require.
We don't have to go far to find examples that disprove your "West acts as one" assertion. This is a thread about North Korea, so I give you Hans Brix (or Hans Blix if you prefer), and the failure of the USA to secure a UN resolution in 2003. The USA couldn't even convince France or Germany that the Iraq invasion was justified (let alone wise). If it wasn't for Tony Blair the list of US allies would have been very very thin indeed.
I think that you have a different definition of "acts as one" than most people. Most "Western" countries have extradition treaties. Even if they didn't, it is known that the CIA operates within their borders, even if they don't like it.
Also, there are plenty of non-Western countries where Snowden wouldn't go either. I'm pretty sure that had he remained in China, he wouldn't be in as good of a position as he is now. Is China part of the "West" that "acts as one?" Hardly.
European governments did not say you are welcome to come but the CIA still might get you, they said he is not welcome. The longer Europeans pretend that their governments are not complicit the easier it is to keep the status quo.
Saying "I don't want to deal with this issue" is also different from saying "I am acting in concert with you, we are part of a hive-mind that speaks with a single voice, and 0 dissent," which is what you originally implied (and held up the treatment of Snowden as 'proof' of).
(Except maybe to its own people -- but that's their internal politics, not for foreigners to judge, especially since they are so selective about which countries they judge cough SA cough)
>Except for shelling SK every once in a while, testing nukes, threatening SK with total devastation
They are two countries that used to be one and had a civil war. What do you expect? Flowers and cakes?
How about countries that not only test, but have actually used nukes in wars (2 of them, on civilians), as well as countries that regularly invade other countries, including countries that have nothing to do with them (e.g. Korea itself, Vietnam, etc)...
I don't know, is the death penalty also something to judge?
Even executions of teenagers in places like Texas?
We sure don't have those where I live.
Maybe the greatest incarceration rate in the world?
...that part of it is even run for profit?
...and that's also predominantly for black people?
Or how about segregation (until the sixties !!!! and de facto even now)?
Or abducting people and taking them to a remote non-legal prison -- without a trial or anything? And then torturing them for years.
How about one of the most ruthless and anti-democratic police forces this side of a dictatorship? One that can kill you just because you got out of your car when they stopped you? (!!!)
How about taking the land of Native Americans? To the point that they've been reduced to living in "autonomous" shitholes?
Should some third country have invaded to put an end to those?
(Haven't even mentioned the huge abuses of foreign policy, because this is about internal stuff).
Yes, and I say this as an American who does still love his country, faults and all. Judge away, we have much to improve upon. Now do I have your permission to judge one of the three most violent and rotten regimes in the world?
Anyway, why would you think I'd consider those to be beyond the judgment of foreigners? Or are you just seizing the moment to make a sarcastic comment without regard to people's actual thoughts on the matter?
Kindly refrain from blaming me for the attitudes of my countrymen when I don't share said attitudes. I am an individual, not to be characterized purely by the actions of the nation of my citizenship.
According to your logic all of the black people in South Africa supported Apartheid because the people in power supported it.
Please realize that when you are having a discussion with actual people, railing against things that "the US" thinks is pointless (because most people recognize that countries don't have a singular hive-mind), and you paint yourself as a troll.
So the world should ignore an oppressive and violent regime? The world should ignore a government who threatens pretty much everyone who disagrees with them on an almost daily basis? A country which antagonizes its neighbors via its military and nuclear missile testing?
You're either mad with hate of the US or just legitimately out of your mind.
There is something big that was not pointed out in this article. Whoever did it got paid to do it. This is not a simple case of revenge of a nerd, nor is it a case of "your political movie is offensive."
Someone hates Sony / SPE, and paid for the attack.
How did I come to this conclusion?
1. No matter how mad you are, being angry is not enough fuel to collect 100 TB of data and then leak it out in 25 GB chunks. You need motivation to continue, and money is that motivation.
2. While company security is terrible everywhere, and with enough work anyone can be hacked, it takes a measure of skill and careful planning to pull off a hack like this. This is a not a "we got lucky" hack. It was planned carefully.
3. The amount of data, and the selection of which data gets released when, as well as the difficulty overall of the operation, says to me that multiple people were involved in the hack.
A reason why it isn't North Korea:
If it was (either intentionally or accidentally) it is in NK's best interest to either claim responsibility and embrace it, or to prove they didn't do it. They have done neither. This implies that they can't prove they did or didn't do it, because nobody under NK government control was involved.
A sysadmin could have collected this data over a long period of time and dumped it on some lulz h4xors who are having the time of their life sizing it up in increments and writing trollish press releases.
There's really no need for anyone to get paid in this scenario. I'm not saying it isn't possible, just that it isn't necessary to explain what happened.
The disgruntled employee is really the "husband did it" in murder investigations. It's so common you have to investigate it by routine every time. They probably don't have enough audit data to track the leaker, or they would already have done it.
They have the malware and the malware basically wrecked all of Sony's Entertainment. The reason why everyone keeps saying it was a disgruntled employee is because either someone spent a lot of time gathering information on Sony's IT infrastructure, or they didn't, in which case they would need intimate knowledge of the infrastructure.
The timeline for North Korea doing this or hiring someone to do this is off. They would've had only 3 months to put together the project.
They are split up into categorical sections of what data was released and/or each release serves a purpose (a pst mail dump).
They are all compressed using rar files. Rar releases are a trademark of scene releases. This was done by professional hackers who have been around long enough to stick to using rars...
I don't advocate downloading the releases so I can't really say much about the contents of the files themselves, only regarding the directory structure, since the file listings of some of the releases were publicly released online by infosec pros.
> it is in NK's best interest to either claim responsibility and embrace it, or to prove they didn't do it.
I'm not following. Taking responsibility would mean a massive violation of international and domestic laws and probably more sanctions. It would shame Chinese leadership, yet again, that their vassal state is a reckless danger to the world.
Disproving it's not them is kinda tricky. What data has been shared with them? How could you really disprove anything?
Yes to the degree that they know something about it. If the perpetrators are not in NK or working for them, then I don't see how NK gov. could prove they didn't do it.
That is, the best NK could do to prove they aren't to blame is by outing someone within and claiming it wasn't an operation condoned at higher levels.
It would be a win-win for them then. They can say "yeah we hate the movie and dislike the US. Yes we told some people to try and hack and shame the US. No we didn't know or approve of them accomplishing it by trying to ruin SPE." They could avoid starting a war that way, but still gain "credit". Also they would look good by publicly saying "yeah this was bad; we would never officially approve of what was done".
My question back; if they weren't involved, how could they possibly prove they didn't do it?
Your psychoanalysis makes sense in the world of corporations and individuals. But in the world of geopolitics, personal feelings don't matter.
This is North Korea telling the world "We still matter. We may not be able to fight you directly, but we can still hurt you."
> 1. No matter how mad you are, being angry is not enough fuel to collect 100 TB of data and then leak it out in 25 GB chunks. You need motivation to continue, and money is that motivation.
By leaking the data in a slow trickle, they keep the hack in the news. This attack was designed to get maximum attention in the press, because the more we talk about North Korea, the better for them.
> 2. While company security is terrible everywhere, and with enough work anyone can be hacked, it takes a measure of skill and careful planning to pull off a hack like this. This is a not a "we got lucky" hack. It was planned carefully.
You're right, but think about the kind of hack you could perpetrate if you had a $1 million budget to hack a company. You'd probably buy exploits and malware off the black market, modify them for your purposes, scout the network, then trigger your plan into action. Which is exactly what happened here. It's not like NK are cavemen beating rocks together; they are at least as competent and technically advanced as Russian organized crime syndicates (in fact, my hunch is that NK hired Russian hackers to either train their people or carry out the attacks).
> 3. The amount of data, and the selection of which data gets released when, as well as the difficulty overall of the operation, says to me that multiple people were involved in the hack.
I disagree; the data released was designed to cause maximum embarrassment (and media coverage). The hack itself was not incredibly sophisticated - it's not even as complicated as the Home Depot credit card hacks, and not even remotely in the same league as something created by a skilled state actor like Stuxnet.
> A reason why it isn't North Korea: If it was (either intentionally or accidentally) it is in NK's best interest to either claim responsibility and embrace it, or to prove they didn't do it. They have done neither. This implies that they can't prove they did or didn't do it, because nobody under NK government control was involved.
They can't outright claim they did it; because that would be an act of aggression. They left a trail of breadcrumbs long enough to tie it to them, yet still have enough plausible deniability that countries who want to believe them because they have an ulterior motive against the US can do so. For example, Russia never admitted they shot down an airliner despite damning evidence to the contrary - who you believe simply depends on what side you support for geopolitical reasons. Realpolitik at its finest.
I agree with you in the sense that it could be NK due to the fact that it was clearly a well funded operation.
Also, my final point is rather weak and ignores the possibility that NK wanted to do it and wants to be able to deny they did it also.
I still doubt it is NK for many different reasons. Another one to throw on the pile is due to the threats of violence if the movie is released. Terrorists don't threaten and then back off, they simply commit the actions without giving you a chance to stop. Eg: If it was NK, they would say "In return for creating this movie, we are going to do X". Of what benefit is it to NK to not deliver on their threats?
Is it established at this point in time how the entire attack was accomplished and exactly what was taken? I think not. Avoiding detection for so long while actively exploiting a system is no small thing.
I don't doubt that the attack could have been done by NK, in fact it is likely that it was funded by NK. What I doubt is that it was done (the actual hackers) by anyone who agrees with NK politics. This seems strongly to me like work for hire by digital mercenaries. Whoever did it seems to be just following instructions rather than thinking. Eg: Go steal all their data and dump it to the world.
As others have pointed out, there are many other more selfish things that could have been done with the data than dumping it to the world.
Making threats and backing off of them is NK's entire MO. They threaten to crush the imperialists and reunite Korea on pretty much a monthly basis. In fact, the entire threats and appeasement model is pretty much how they approach international relations. They developed nuclear weapons in order to get more international aid in exchange for halting their nuclear weapons program. They launch missiles over Japan to antagonize the west into thinking they're a big threat.
And the method of attack has been pretty well established: they somehow obtained access to the network (likely by buying stolen credentials off the black market) and used some 0-day exploits (also likely purchased off the black market) to gain access to core IT systems. They then figured out where the data was, hauled it off over a weekend, then pushed out malware over NetBIOS that wiped the PCs.
And it's not about being selfish: it's about North Korea improving their standing in the world political order through a show of force. Realpolitik is the way international politics works: morality and truth go out the window, and it's purely about who has power and the will to wield it. By staying in the news, NK is controlling the US media cycle in the same way that an invasion of Ukraine does. In fact, there's probably been more discussion of this hack than of the Ukraine conflict, so I'd say it accomplished its goal.
Military history doesn't cover cyberwarfare. We're in uncharted territory here, and NK knows it wouldn't last long in a real war. So they want to get as close to war as they possibly can - classic brinksmanship tactics. But if the line is fuzzy and undefined, they're probably right to be cautious.
Sounds more like calculated BS to make a backwards country in the middle of nowhere sound like a credible threat to anything...
Then you have all the movies and TV series, which, without any hint of irony, show "spies" and the like from such countries, operating in the US (and with full teams and equipment), even infiltrating the secret agencies and such.
So you have uneducated people from rural fly-over country who cannot even pin-point Germany on the map, and who believe what they see in those series, not as an actual fact, but as something that could potentially happen or is credible. (Just imagine what the kind of people who think evolution is bad for school curriculum believe about foreign countries).
To convey the BS-detection levels a European feels, consider a report where Inuits are the major threat and Inuit operatives are preparing an attack on the US, hacking networks, and the like... Or maybe Mexico, or Canada... (This BS doesn't work as well when it's about a place you know, that you might have visited and that's close to home, right? Whereas anybody can imagine any kind of BS for some remote third world place with 1/1000 the resources).
(Of course there are people that watch non-ironic action movies where the President bare-handedly fights the bad guys http://en.wikipedia.org/wiki/Air_Force_One_%28film%29#Plot !!! We might watch them for the special fx and action scenes in Europe, but we call them typical Hollywood BS and use huge tons of irony about them).
I've stopped watching shows like Homeland, Person of Interest, 24 (only saw like 3 seasons), etc a while ago. The level of US propaganda in them made them unbearable to watch.
Homeland was pretty subversive in its first season, I mean, up until Brody decided not to blow himself and the rest of the high-ranking officials up in that bunker it was a pretty bleak affair: a decorated US marine, now a politician, who decides to kill the VP of the United States and a couple of other generals, you don't usually get that in block-busters. Afterwards, and especially starting with season 2, it did indeed become a propaganda thingie.
Otherwise you're completely spot on. As a film junkie it really bothers me that our generation doesn't have its "Apocalypse Now", "The Deer Hunter" or "Rambo I - First Blood" (whose director has just been interviewed in the latest Cahiers du Cinema issue), it's all white-washed, depressing propaganda. There are a few exceptions here and there (De Palma's "Redacted", Bigelow's "The Hurt Locker", partially), but otherwise we're treated not as adults, but as kids who need to be told "nice" stories about what's really happening around us.
How is Person of Interest propagandized? The first couple of seasons are about a secret government program designed to spy on everyone in the world, a black ops unit that assassinates American citizens, and a group of corrupt NYPD officers. The later seasons don't have much at all to do with the government.
Except the major theme was if it was a closed system vs. an open one. The machine in the show would probably be constitutional given that it goes to a significant length to protect people's privacy.
Spoilers... you obviously haven't been watching this season of Homeland. The CIA is backing a known Taliban "terrorist" and the US is made to look weak, disjointed, and behind the ball.
Which is still a classic old Hollywood BS distortion.
The US hasn't been "weak" compared to anything since the USSR collapsed, and probably not even when it existed.
The US shown as "weak, disjointed, and behind the ball" is the classic tactic to show that some lame figure is a "credible enemy", so that any pre-emptive attack or move is justified -- since we're talking about "capable enemies" that could really damage the country.
It's akin to putting a gun in the hands of some black kid the police shot, to make him look more threatening than he was.
> Sounds more like calculated BS to make a backwards country in the middle of nowhere sound like a credible threat to anything...
Except it's an established fact that North Korea has considerable cyberwarfare capabilities, nothing that needs to be fabricated either with this hacking or in pop culture.
Who would do this and for what reason? The CIA can be batshit insane, but nobody ever would sign off on making millions in damage to a movie company to make an already evil country look more evil.
Your post is 90% "murricans are dumb" and 10% baseless accusations.
I have a theory that even the movies and shows which don't have rather obvious nationalistic, patriotic, or propaganda agendas have essentially deranged most Americans' minds to a point where they / we make decisions and support things based on a false, delusional set of parameters. Junk in, junk out.
Just earlier today I had a client asking me about the Sony breach, and I laid out all the reasons I didn't think North Korea was actually behind it -- nor did Schneier.
Then just a few hours later the New York Times came out with an article claiming that they have information from some Washington sources that it has been confirmed to be North Korea. I checked the author bylines, because Judith Miller and the NYTimes, and David E Sanger I could see being politically motivated to make a case like that on some pretty flimsy evidence, but Nicole Perlroth has good tech journalist creds.
So, I dunno. Looks like it might be North Korea after all.
At the moment, I figure there are three scenarios, and none of them are really wonderful to think about:
1. It's China, working through or with North Korea. They certainly have the ability (and in some cases, insider information), and they've been waging a network and technology-based conflict around the world for years now. But, in the past, they've been carefully diplomatic about managing relations between North Korea and the rest of the world; it doesn't make sense for them to suddenly paint a huge target on NK's back, and China's past exploits have been kept pretty quiet. I don't understand why they'd want this one to be big and public.
2. It actually is North Korea. We've been led to believe that they exist in a technological dark ages of sorts, with most of their infrastructure relying on technology that would horrify the average HN user. They're certainly belligerent enough, but now suddenly we find that they have not just the technology to pull it off, but also the talent? How does that kind of talent even develop under a strictly regimented government like North Korea's? What kind of ability do they actually have?
3. It's neither North Korea nor China. This is the most disturbing one to think about; now that the NYTimes and Washington are involved, it smells a bit like the kind of political maneuver with propaganda that we saw in the run-up to the Iraq war. At the moment, this is still really feasible, and it makes me wonder what Washington's motives might be.
Only time will tell for sure, I guess. Whoever is actually behind this, they won't be able to stay quiet forever.
> 2. It actually is North Korea. We've been led to believe that they exist in a technological dark ages of sorts, with most of their infrastructure relying on technology that would horrify the average HN user. They're certainly belligerent enough, but now suddenly we find that they have not just the technology to pull it off, but also the talent? How does that kind of talent even develop under a strictly regimented government like North Korea's? What kind of ability do they actually have?
See, this really isn't the case, and why most people believe this is beyond me, when a google search would suffice. I'm not criticizing you, actually, just pointing out that there's an incredible amount of misinformation out there about North Korea. Look at these photographs of a technology trade fair in Pyongyang this summer, for example:
Most telling, IMO, is that a 32G usb is being sold for USD20, where at the time of writing, the same product was nearly USD16 on Amazon US. That's a remarkably low markup for a product, especially for one in North Korea. Also considering that it's a high volume, low price product with so little of a markup makes me think that other technologies must be very available and accessible, and that NK is hardly the technological dark ages that popular discussion has us think it is.
Of course, this all isn't to say that NK performed the hack, but I hardly think that a lack of infrastructure would really be the barrier if North Korea really wanted to train a cadre of hackers.
Indeed. Don't forget the currency is the won, not US dollars. Foreign currency in a communist country is most likely very hard to get (at least in East Germany it was).
> if North Korea really wanted to train a cadre of hackers.
They've done this -- they have an elite military-hacker unit called Bureau 121 of about 1800 people, as described by a defector in a recent Reuters story I quote in my comment above:
Man, they are RIGHT next to China where this stuff is manufactured and available for a lot less USD than the US pays. You want markup, just look at New Zealand.
I always figured at least a little of that was propaganda of sorts, but there was also the occasional "I visited DPRK and took these surreptitious shots of what I saw" article that seemed to substantiate it.
According to the military community, NK/China relations are strained at the moment. In that case I would be surprised if they worked together on such a high-profile hack.
"North Korea is even angrier, and very shaken that a retired Chinese general said publically that China would not come to the aid of the current North Korean government if the government collapses or starts a war. China often makes official announcements via public 'comments' by retired senior government or military officials. This makes it easier to, if need be, back off from the new policy. China has not backed off this one. China is telling North Korea to do what China wants or else.
China wants work on North Korean nuclear weapons stopped. China apparently promised to be useful in the UN if North Korea resumed the six nation talks over North Korean nuclear weapons."
This is an article reporting on government officials' claims that the attack comes from NK. The credentials of the reporters (especially their "tech journalist" credentials) hardly matter. The NYTimes isn't endorsing this position, it's just reporting that government officials say it, and it'd be pretty stupid of the NYTimes to just make it up. I don't understand why you suspect a conspiracy, especially based on such little info.
With regard to point 2, remember that this is the country that built a nuclear weapon and launched an object into orbit (with some dramatic difficulties on the way). If the NK government wants to get something done, especially something militaristic, they do it.
One possibility I've heard aired on Twitter, which I find somewhat disturbing (it's telling of my current distrust of state actors that I even consider this highly paranoid scenario a possibility), is that this will be used as a sort of digital Pearl Harbour to justify hardening laws against hackers, security researchers, etc. Of course, the two aren't really related, and in fact security researchers and hackers increase the security of the US against such things, but that hasn't stopped the lawmakers before.
> > justify hardening laws against hackers
> Seems far fetched as North Korean hackers are about as far away as you can get from US influence and power.
The concern that they'd state would be local hackers working for or with those elsewhere for what-ever reason (payment, disenfranchisement with local policies, ...) or just doing it "for the lols".
The potential knee-jerk hardening of laws in response to this sort of thing is not specific to this case: it could equally happen in response to any other very public exploit. The same for the more insidious "we've been waiting for an excuse to..." hardening of laws, for a more paranoid view.
Why do you think that? I don't see any reason to believe that based on my albeit superficial search so far.. In fact though, I see oddly coincidental and potentially biased 'creds' in her LinkedIn profile, etc. ('Her 2014 Times profile of security blogger Brian Krebs has been optioned by Sony Pictures.' https://www.linkedin.com/in/nicoleperlroth ).
Genuinely curious though if she is unbiased or if maybe she should be checked against.
I wouldn't have been disappointed to see a mention of the business she has with Sony Pictures in the article she wrote about Sony Pictures, in the interests of full disclosure.
Well, I did pretty much the same thing, but ignored LinkedIn -- she did an interview with Krebs, but I also saw a series of other tech-related articles with a security focus. At the least, I didn't see an obvious political bias.
I also try to be careful not to dig too deeply into the backgrounds of people writing articles I disagree with. Seems like a dishonest thing to do.
Looking at a page that was intentionally made public by the author for the purpose of displaying non-sensitive/work related information (linkedin) is in no way "digging too deeply"
"We've been led to believe that they exist in a technological dark ages of sorts"
They have very publicly shown the capability to launch long to medium range ballistic missiles and they have an active nuclear weapons program. I'm not directing this at you entirely, but I'm surprised how many people think they lack the technical capacity for computer warfare.
I don't think anyone believes North Korea lacks the capability to execute on information freely available from the internet, or to launch Russian missiles for that matter.
What they do lack, apparently, is the ability to run a country that's not an oppressive shit hole.
As to point 2, here[1] is a fairly complete report musing on the technological and cyber warfare capabilities of the North Korean Military. Not that I think they did it, but they certainly might be capable.
I just don't buy it. It was a far-fetched scenario in the first place. 99% of the time if they didn't steal money it's just some people doing it for the lulz. Of course they'll pretend to be North Korean. That's the funniest explanation.
Yeah, I can imagine the hackers releasing a torrent of the interview on the date it was supposed to be premiered before Sony got on their knees. With a simple message accompanying the movie: "lulz, trolled u".
But getting hacked by a couple of kids or a disgruntled employee sounds like you may have not taken good care of security, whereas getting hacked by a sophisticated, evil commie cyberarmy is something you could not have avoided. Who cares that, by saying the latter, Sony is fueling the war machine.. I really hope that your scenario turns out to be true.
It's a plausible explanation. However, I wonder if the lulz is really worth the risks they're taking with something of this scale. Even for a reckless person.
At last some sane analysis that doesn't involve "terrorists" or similar bullshit. Though I find 5 ("The attackers only latched onto “The Interview” after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK “might be linked” that suddenly it became linked. ") contradicting to 2 ("<...> the code was written on a PC with Korean locale & language"). Anyway, I would bet my money on the insider too -- the low sophistication level of malware combined with excessive knowledge of internal infrastructure speaks for itself.
What kbart means is; if the DPRK/Korea link came later this flies against the fact that before anything else it was compiled on a PC with Korean locale.
That still doesn't present a contradiction. The post says that they didn't latch on to "The Interview" until after the media linked it. That doesn't mean they weren't doing things to make people think it was coming from Korea.
Could have been an inside job, but I wouldn't dismiss the possibility of some kind of extreme social engineering, where an outsider gained trust and was able to glean a lot of the information you mention through non-technical means.
Reposting from another thread because it's more relevant here:
Here's something I am curious about: if this was NK and it is in response to The Interview, how did they get so deep so quickly? Other state sponsored hacks seem to span multiple years with multiple iterative hacks that get deeper into the target, but The Interview only wrapped shooting a year ago and wasn't really publicly known until mid 2013.
I think he meant that the malware that was used was pretty advanced and the information that was hard-coded would've taken a lot of time to gather. The movie's premise was only publicly announced last June.
Why don't other attacks act as a litmus test here? One person opening an email doesn't open up access to every system and all the data in one fell swoop. Ok an email was opened. And then... It takes time to go from one system to the next, so why did this happen so fast?
It doesn't take time once you get Domain Admin, and there is no indication of how fast it happened. I've seen companies lose DA, and therefore their entire enterprise, in hours. You can then push malware to everyone on the domain.
Hearsay alert: Sony was penetrated by several independent parties, in 2013, and at least one of the penetrating parties used the access for financial gain.
It's hard indeed to believe that anyone raised and living in DPRK would get the skills, technical and social, demonstrated in this hack. But it's not impossible that such a non-Korean person has been funded and helped by DPRK, either before or after they've started gaining privileged access to Sony's network.
So sure, that's not done by North Korean hackers, but it's not excluded that it involves North Korean money.
I guess a strong clue will be to see if Sony's nightmares calm down after they've scrapped the Interview, as allegedly expected by the hacker. I'd rather bet on a bounty hunting follow-up, _a la_ 419Eater, which I confess I'd find extremely entertaining.
Just because 90% of the country is technologically impaired doesn't mean they can't do this. This would be like saying the USSR couldn't go into space because they still did agriculture using horses.
NK has made their own Linux distribution, and they made nuclear bombs. Being able to hack isn't out of the question.
It's more the sociological Internet-savvyness which strikes me as unlikely than the technical feat. Besides, we don't know the relative importance of computer hacking skills vs. social engineering vs. victim incompetence in the breach's success, although we know that all three were required to make this possible.
It's not that far fetched. Even shitty countries can and usually do have programs to train a small subset of the population at the world level if that's necessary to achieve some goals of the rulers.
I remember watching a documentary where they toured North Korea. They went into the computer lab at their university, trying to show off how they were keeping up with technology. All of the people in there were just staring at the screens. I don't think they had internet access or any of them knew how to use a computer, it was just a façade. The one person they spoke to had no idea what he was talking about and looked kind of terrified.
> They went into the computer lab at their university
That's civilian; the military is a whole 'nother story:
From a Reuters story about the Sony hack [0]:
Military hackers are among the most talented, and rewarded, people in North Korea, handpicked and trained from as young as 17, said Jang Se-yul, who studied with them at North Korea's military college for computer science, or the University of Automation, before defecting to the South six years ago.
Speaking to Reuters in Seoul, he said the Bureau 121 unit comprises about 1,800 cyber-warriors, and is considered the elite of the military.
"For them, the strongest weapon is cyber. In North Korea, it’s called the Secret War," Jang said.
One of his friends works in an overseas team of the unit, and is ostensibly an employee of a North Korean trading firm, Jang said. Back home, the friend and his family have been given a large state-allocated apartment in an upscale part of Pyongyang, Jang said.
This is a very naive view of a nation state, do you really think there aren't agents of the state in other countries that fit in so perfectly you wouldn't be able to recognise them?
They have a few theoretical physicists (one that I know of) working on string theory, so I wouldn't be surprised if they had a few computer scientists as well. Hacking into a computer system is not exactly rocket science.
> just how did whatever Data Loss Prevention (DLP) solution that Sony uses miss terabytes of data flying out of their network? How did their sophisticated on-premise perimeter security appliances miss such huge anomalies in network traffic, machine usage or host relationships? How did they miss Sony’s own edge being hijacked and used as public bittorrent servers aiding the exfiltration of their data?
In my experience, nobody takes DLP seriously, except maybe [some] government. It's more of a "At least we know about this issue; nobody feels like dealing with it, so just flag it and continue as normal." In fact, almost all DLP and similar systems I've seen were intended to only record violations so they have evidence to litigate with later.
> It’s clear from the leaked data that Sony has a culture which doesn’t take security very seriously. From plaintext password files, to using “password” as the password in business critical certificates, through to just the sheer volume of aging unclassified yet highly sensitive data left out in the open. This isn’t a simple slip-up or a “weak link in the chain” – this is a serious organization-wide failure to implement anything like a reasonable security architecture.
This is all large organizations. All of them. As one previous manager so eloquently put it: "There are too many security violations for us to fix; all we can do is prioritize and go after the biggest fish." The only places that take security seriously are places that hire BOFH-quality security nazi managers.
> Who do I think is behind this? My money is on a disgruntled (possibly ex) employee of Sony.
I wanted to comment on these exact same things, e.g. "nobody takes DLP seriously" and "this is a serious organization-wide failure". You have done a nice job highlighting them. Unfortunately your comments are buried in the middle of a very long discussion.
In general, in the numerous discussions I've read so far, people are much more focused on this breach itself, not on the root causes nor how to prevent these types of breaches in the future.
North Korea doesn't need amazing elite hackers to pull this off. That debate precludes a simpler explanation that maybe they just paid an insider $500k to install some software and dump some files. If the FBI has found such an insider then maybe that is the evidence of NK involvement.
This all seems too political to me. I suspect the blame on North Korea is really a fishing line to upset the real person's ego to hopefully get some sort of lead.
While I don't doubt North Korea's technical ability I sincerely doubt this is a real motive to attack Sony. Something screams ex-contractor to me and planting evidence to come from NK seems like a plausible avenue to avoid being caught.
Yep, I concur. There is nothing I've seen about this with any particularly strong tie to DPRK at all. Sony has pissed off enough people, internally as well as externally, that it could plausibly be pretty much anyone. And they have I think the worst reaction to it I've ever seen.
If anyone wants to learn anything from this: don't use P@ssword1 as a password. If you've got that down, you're already better than the Sony studio.
Since when does it take more than a month to find the origin of an attack? We've seen the capabilities of the NSA, and I'd bet they've already made grounds infiltrating NK computer networks in the past. If the perpetrator was sloppy (e.g. forgetting to use a VPN once or something), it would make it even easier.
As you said, NSA may have infiltrated NK computer networks, which means NSA and other organizations which had infiltrated NK computer networks can use compromised computers in NK as tools for hacking activities, hiding their real identities. Considering many other possibilities like this, it is hard to trace the real origin of the attacks.
I would place my bet on the individuals with access to the trove from the Playstation Network hack.
It's odd how the epic Sony Playstation Network hack from a few years back doesn't get discussed much in relation to the current hack. A signature of lulzsec strategy from that era was the staging of information gained from one intrusion to go deeper. So the passwords and information found through one intrusion was utilized to span out and find intrusion into other networks, in other companies or institutions. And this fermentation process before the release of hacks was in the order of months or longer. We know from that episode that Sony's network was penetrated deep. It would be foolish to not consider if much of that information didn't remain "in play" for future staging. But it seems everyone (meaning the FBI and Sony, the stakeholders in the prior attack) thought the case was closed when Lulzsec was no more.
If I am right (and it is really not clear that I am), and the data from the Playstation Network hack was at play, then there are two very interesting things to note: 1. the attackers chose to devoid themselves of even the anonymous brand. Action without brand takes intrusion as protest to a whole new level. 2. The FBI's official finger pointing to north korea shows how far behind they are in adapting to the new world and makes me wonder what future trolling still await us.
Didn't North Korea publicly deny their involvement? And America businesses are believing NK is willing to go to war by attacking Americans on America soil because of a movie?
The film and television industry is in the business of suspending disbelief. And they are no more immune to believing their own BS than any other industry.
I have no trouble believing that studios and theater chains think themselves to be so important that nations would go to war over them. As a whole, they are the least closely connected to reality of any business sector that I know about.
If Best Korea didn't retaliate over Team America: World Police, I think The Interview is probably safe.
For a country with a wrong sense of grandeur, constantly showing off their military, it would be much more consistent to claim responsibility as a proof of their power.
> And America businesses are believing NK is willing to go to war by attacking Americans on America soil because of a movie?
North Korea has repeatedly threatened nuclear war over the most banal thing. Of course it is usually treated rather lightly, but the country does have nuclear weapons.
"The truth is, America's commitment to free speech is dwarfed by our commitment to capitalism. Seth Rogen can stand in his house and say anything he wants about Kim Jong-un – but Sony has the choice to fund him, and even if it agrees, AMC can still pull the plug. The corporation, not the individual, has always had the power to decide what movie is a thoughtcrime. We're just only now visibly seeing the suits flex their clout. Despite everything, Pascal at least had the courage to greenlight a comedy about a sitting dictator. Will she be the last studio boss who can make that claim?"
I wouldn't be surprised if it turns out that the hacks or threats weren't conducted by NK, or by NK alone. This movie is in fact a threat to a particular regime in NK, but it's also a blanket threat against all totalitarian regimes (and corporations), and there are plenty that would be upset about that.
I've been scouring Hollywood for movies that appeal to mass social, political, or economic change that don't portray the instigators as crazed violent goonies. There are none in recent memory. The ones that do strike a chord become wild blockbuster hits and their motifs enter our collective consciousness as light-sabres or guy fawkes masks, but they are the rare ones. You don't find much of them in Hollywood because Hollywood does not instigate change.
On that subject, I've been pretty hopeful due to the success of The Hunger Games: it's a blockbuster about fighting the system. Whether the western viewers realize Panem is a great portrait of west superpowers is another question.
A note: just because there aren't brutal violations of human rights in a country it does not mean people aren't fed misinformation and propaganda campaigns. This whole NK ordeal seems like something Goebbels couldn't ever dream of.
At some point Americans will have to accept that they are fed piles of propaganda and they commit brutal violations of human rights.
European countries, too, though to be fair most of their brutal violations of human rights tend to be through aiding the USA in setting up secret torture prisons and ferrying people to them.
2 years after Fight Club's (soap and Meatloaf) story of crazed terrorists destroying towers to reset the economic system, some crazed terrorists did exactly that.
Imagine what would happen if a likable character who isn't a crazed terrorist assassinated a political figure on the big screen and became a hero. Good feels all around, nothing wrong with killing a totalitarian leader, right?
I'm reading cnn report that quotes someone who says we underestimated N Korea's cyber attack ability.
Well, I think that's STUPID to say.
Many are saying it could be some teenagers somewhere in a basement that pulled this off. And guess what? A nation with 300 million is capable of getting people around some computers to hack. They can develop nukes (or claim to have) and develop short range ballistic missiles. If they are capable of it, they are capable of pulling something off that some teens in a basement do all the time.
And N Korea will do anything to protect the image/status of its fat leader.
In a sense, nothing to see, move on. It's only N Korea.
It's only the stupidity of the leadership at Sony that we underestimated, not keeping up security and then laughable response.
Great article, and a common sense approach to it at last. I can't believe this myth NK is behind it is being perpetuated when facts point to someone with insider knowledge and an agenda.
For those critical of the article, have you any doubt that NK is behind these events? If so, what wasn't mentioned, which is more compelling in your mind?
I believe this article was posted before the flurry of news in the last hour from various credible sources claiming "US government officials" have laid blame on North Korea.
After this, gamergate and the 'trader genius schoolboy with $72 million' people are going to have an even harder time distinguishing between reputable news outlets and the unverified junk people share on Facebook.
There are pretty much no "reputable news outlets" in mainstream media. Everyone has either an agenda, an axe to grind or just want to get more pageviews for ad dollars.
I am not sure how gamergate got thrown in with stories about who the source of the hacks at Sony is, or a story which would have been shown to be false if they had actually bothered talking to any financial people
The article has a really weak grasp of the language situation in the Koreas. Setting aside the conclusion of the article, here is my input on the language-related points (the first two), coming from a South Korean.
I have to say I find point 1 borderline offensive, that the English basically isn't bad enough to be authentic "Konglish". It can't have been written by North Koreans unless you see comprehension mistakes! Does the author know that perhaps counterintuitively, English is the most widely taught foreign language in North Korea? Or is he familiar with the barrage of English-language propaganda put out by the North Korean regime?
I wouldn't describe it as "broken English" either. Stilted and unlikely to have been produced by a complete native speaker, yes (e.g. old-fashioned English subjunctive in "our request be met"), but not ungrammatical. I have no particular trouble believing that it is an earnest attempt by a non-native speaker to write correct English.
Point 2 is the weakest. I have no idea where the author got the notion of North Koreans speaking their own dialects and traditional Korean being forbidden. Korean like any language has regional dialects in both North and South Korea, but the language itself was standardized before the division of the peninsula based on the Central dialect region around Seoul. This dialect region is split between the North and South so that for example the speech in Kaesong, North Korea is similar to the speech in Seoul, but Pyongyang falls outside this and falls into a different dialect region. Nevertheless, because Standard Korean was established before the division, the standard speech in North Korea is also based on the Central dialect. The Standard Korean spoken by someone from the North is not as different from what you would hear from someone from the South as one might imagine, as South Koreans may verify by watching a North Korean news broadcast. There are of course differences in orthography and vocabulary similar to what you would find between the UK and US in English (thus the "helicopter" example supplied by the author), but this has more to do with a natural divergence of the language after decades of forced separation than anything.
The closest thing I can think of to the notion of traditional Korean being forbidden is that North Korea banned Chinese characters from official writing right away, while South Korea didn't go as far but still eliminated Chinese characters from texts used in education. Korean has its own alphabet, but Classical Chinese was the traditional literary language, and Sino-Korean vocabulary (words derived from Classical Chinese) were often written in Chinese characters in a "mixed-script" style reminiscent of Japanese. In both Koreas, the end result was that Korean came to be written purely in the Korean alphabet. In South Korea this was gradual as the mixed-script style held on for a few decades, but by now most South Koreans have been educated writing only using the Korean alphabet. At any rate, Koreans wouldn't be using Chinese characters on computers anyway, North or South, so this is an irrelevant historical detail by now.
What does the author mean by saying that "the code was written on a PC with Korean locale & language"? That the actual coding was done in Korean? What kind of programming language used by hackers is in Korean? I am not familiar with the details of the Sony case so I would like to be enlightened on what the author actually means here.
Locale information includes things like encodings to allow a human language to be stored as data.
It is probably the case that the most common encoding is ASCII, with the most common modern encoding being UTF-8. If you're writing code you don't want traced to a particular language, use ASCII.
You would only need a separate encoding if you were going to be writing the code with special characters. In this case a Korean encoding would only be useful for comments and string literals as most computer languages are ASCII based. Since the messages from the malware are apparently in English, this seems superfluous and more like a sign of a false flag operation. In this context, setting a Korean locale is an unnecessary and ill-advised step that would normally force you to go out of your way to get right.
“In the file we had a line with broken characters. Those characters didn’t render right under any encoding, except EUC-CN [Chinese] and EUC-KR [Korean] … In this case, the readme.txt file could be read fine under either EUC-CN and EUC-KR, which means the file was most likely generated from a computer set in either Chinese or Korean – or the hacker deliberately converted the file (which seems unlikely),” Karpeles said.
I should add that EUC-KR is a South Korean legacy character encoding, but the corresponding North Korean encoding (EUC-KP?) is hardly ever supported so in practice North Koreans would be likely to use EUC-KR.
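To make the encoding argument above concrete, here is an added example (not code from the thread, and not Karpeles's own analysis tooling). It takes a byte string, tries to decode it strictly under a handful of candidate codecs, and then checks which script the decoded text actually lands in. Python's codec names are used throughout; "gb2312" is the codec that corresponds to the EUC-CN encoding mentioned above. The sample input is constructed here (a Korean greeting encoded as EUC-KR); everything else, including the list of candidate codecs and the Hangul/Han classification thresholds, is my choice for the illustration.

```python
# Added example, not code from the original thread or from any party to the
# Sony investigation. It shows why "the file decodes under EUC-KR and EUC-CN"
# is weak evidence: both are 2-byte EUC encodings with lead and trail bytes in
# 0xA1..0xFE, so most byte strings valid in one are also valid in the other.
# The sample input is constructed here (a Korean greeting encoded as EUC-KR).

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Python codec names; "gb2312" is the EUC-CN encoding referred to in the thread.
CANDIDATE_CODECS = ["utf-8", "euc_kr", "gb2312", "shift_jis", "cp1252"]


@dataclass
class Verdict:
    codec: str
    text: Optional[str]      # decoded text, or None if strict decoding failed
    hangul: int = 0          # chars in U+AC00..U+D7A3 (Hangul syllables)
    han: int = 0             # chars in U+4E00..U+9FFF (CJK unified ideographs)
    other_nonascii: int = 0  # any other non-ASCII char (typical of mojibake)


def count_scripts(text: str) -> Tuple[int, int, int]:
    """Count Hangul, Han and other non-ASCII characters in decoded text."""
    hangul = han = other = 0
    for ch in text:
        cp = ord(ch)
        if 0xAC00 <= cp <= 0xD7A3:
            hangul += 1
        elif 0x4E00 <= cp <= 0x9FFF:
            han += 1
        elif cp > 0x7F:
            other += 1
    return hangul, han, other


def decode_candidates(data: bytes, codecs=CANDIDATE_CODECS) -> List[Verdict]:
    """Strictly decode `data` under each candidate codec and tally the result."""
    verdicts = []
    for name in codecs:
        try:
            text = data.decode(name, errors="strict")
        except UnicodeDecodeError:
            verdicts.append(Verdict(name, None))
            continue
        hangul, han, other = count_scripts(text)
        verdicts.append(Verdict(name, text, hangul, han, other))
    return verdicts


def plausible_codecs(data: bytes, codecs=CANDIDATE_CODECS) -> List[str]:
    """Codecs that decode without error AND yield only Hangul/Han non-ASCII text.

    A single-byte codec such as cp1252 never raises on bytes >= 0xA0, so
    "it decoded" alone proves nothing; the script check filters that noise.
    """
    return [
        v.codec
        for v in decode_candidates(data, codecs)
        if v.text is not None and v.hangul + v.han > 0 and v.other_nonascii == 0
    ]


SAMPLE = "안녕하세요".encode("euc_kr")  # constructed sample: "hello" in Korean

if __name__ == "__main__":
    for v in decode_candidates(SAMPLE):
        if v.text is None:
            print(f"{v.codec:>10}: strict decode fails")
        else:
            print(f"{v.codec:>10}: {v.text!r} hangul={v.hangul} han={v.han} other={v.other_nonascii}")
    print("plausible:", plausible_codecs(SAMPLE))
```

Running it shows the ambiguity the quoted Karpeles remark describes: UTF-8 and Shift_JIS reject the bytes, cp1252 "decodes" them into Latin punctuation (pure mojibake, which the script check discards), and both EUC-KR and GB2312 decode cleanly, the former to Hangul and the latter to perfectly valid-looking hanzi. The byte structure alone cannot tell a Korean locale from a Chinese one, and it says nothing about who sat at the keyboard.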
But the US is completely unaffected by this attack. If I was a hypothetical Russian, wanting to run a hypothetical false flag operation to piss off the US, I'd probably target something slightly more vital than some random movie studio.
If I were a hypothetical Russian, I would just crack some bank accounts with my zombie network to launder some Gazprom money, fund anti-fracking propaganda, and donate to anti-fracking lobbyists.
Hypothetically, this is occurring right now, and is less traceable, less newsworthy, and more effective than a loud public attack on a major multinational company. Hypothetically, I could probably keep it up for years before anybody noticed.
Upon browsing a few of these threads tonight, I've realized there is no worse reading than a bunch of tech enthusiasts armchairing about geopolitics. I'm out!