Redditor does the research behind the Sony Pictures hacking scandal.
December 21, 2014 5:55 PM

Redditor CSMastermind composes an epic timeline of the Sony information breach. Well sourced, and in layman's terms.

"George Clooney is apparently the only person working with or for Sony that understands information security"
posted by butterstick (94 comments total) 49 users marked this as a favorite
 
I've heard that much of this information was available because an IT director was compromised; apparently he had no background in IT and was actually a marketing exec who reached the position (and thus higher salary) through corporate politics. You can see, for example, he was good at naming files.
Wow, just wow..
posted by fullerine at 6:03 PM on December 21, 2014 [47 favorites]


Metafilter: and for those of you listening in…i’m the son of a news man…everything will be double sourced…so come on with your lawsuits…fuckers…
posted by michaelh at 6:06 PM on December 21, 2014 [8 favorites]


well, you don't just attract an internationally acclaimed human rights lawyer who's worked for the UN with just your good looks you know.
posted by cendawanita at 6:24 PM on December 21, 2014 [11 favorites]


I've actually been following along with this much more epic and less biased one (IMHO) by security guys over at Risk Based Security.

They point out, for instance, that there's no indication that the "passwords" folder was actually a single folder at Sony. It's entirely possible, for instance, that the hackers did a text search for "password" and put all the resulting files in one place for easy consultation. We know they've reorganized the folders and files to some extent.
posted by BlackLeotardFront at 6:44 PM on December 21, 2014 [26 favorites]


Thanks for the second source, BlackLeotardFront. Both are excellent summaries. Makes you wonder what official journalists are doing. I fear the mainstream press is too busy going on about North Korea and Movie Freedom and the security press is so underfunded it can't do this level of synthesis.
posted by Nelson at 6:46 PM on December 21, 2014 [1 favorite]


I was kind of hoping Sony was hacked through holes opened up with the Sony rootkit.
posted by Poldo at 6:51 PM on December 21, 2014 [19 favorites]


Poldo: "I was kind of hoping Sony was hacked through holes opened up with the Sony rootkit."

That would have been epic!
posted by InsertNiftyNameHere at 6:56 PM on December 21, 2014 [1 favorite]


Long term I think three things are going to come out of this event.
  1. Companies are increasingly realizing how dangerous bad security is. This attack is close to the "cyber Pearl Harbor" people have been going on about for years. Even worse, Sony has been a victim of this kind of attack for years now; see previous hacks against PSN, etc.
  2. Sony is going to suffer a lot from the leaks. The emails that have come out are very bad for them.
  3. Cyberwarfare. Fuck if I know whether North Korea is actually involved or not. It's possible but it seems unlikely to me. But I'm no expert. FBI has come out pretty strong claiming the link, including characterizing the evidence they have. Add this on top of known China espionage and sabotage and the general escalation of conflict between nations in the commercial + online sphere is terrifying. Particularly since the US has no credible cyberdefense agency. (Shame about NSA hacking American companies, isn't it?)
The bit about some movie release being delayed or cancelled is a sideshow. Giant multinationals being dismantled from the inside is big, bad news. Doubly so if it's a state-sponsored attack.
posted by Nelson at 6:57 PM on December 21, 2014 [3 favorites]


I wish the president would have stayed out of armchair consulting for Sony. It's beneath the dignity of the position.

In other words it stuns me that no one even bothers to pretend any more that there is any separation between government and corporations. Apparently the former will always be there for the latter with a helping hand when it can be politicized as an "us vs. the baddies" thing (or alternately an "us vs. impending doom" thing).
posted by sylvanshine at 7:21 PM on December 21, 2014 [6 favorites]


They also quietly cancel "Pyongyang", another comedy starring Steve Carell. Produced by company New Regency and directed by Gore Verbinski, the story is based on a graphic novel and follows a Westerner that is accused of espionage in North Korea.

What?!? This is the first I heard that they were making a movie adaptation of Pyongyang. Who knows if it would have been good or not, especially considering that the blurb is not really what it's about, but a great book and something I would have definitely watched.
posted by thecjm at 7:41 PM on December 21, 2014 [3 favorites]


Knowing how badly large organisations do internal anything, the Sony story has not to date produced anything that's surprised me. It could have been the North Koreans, it could have been an ex-employee with a grudge and some friends, it could have been the people in the flat above me. Until there's a really solid piece of evidence that implicates a group unambiguously, we're deep in circumstantial mud - and I can't really use the strength of the FBI's statements as much of a lead. Security services do confident and wrong for all sorts of reasons.

You can lock down your large IT structure, if you do it in a quasi-Stasi way with very active groups looking for trouble and corporate paranoia making sure all your teams do not know what each other is up to. It worked for Bletchley Park; it works for Apple. It certainly hasn't been the case for a few places I have knowledge of, where the malevolent insider or the hapless spear-phished dupe can get access to all manner of things just by asking the right electronic question. (One case in point - a corporate fax gateway sat on a print queue sending and receiving PDF attachments. The queue was public, and got cleared out once or twice a day by a cron job. If you sat there and looked at the queue every few minutes, you found out that nearly every accounts department in the corporates with which your corporate did business didn't trust email, but did trust faxes. Or another, where the internal email system was so crippled by inbox size limitations that an ad-hoc FTP system put in place by an exasperated department had been adopted by just about everyone. It was the only way to make workflow flow, and the IT department knew that trying to shut it down or rein it in would incur instant wrath and stop a lot of things from working. Trying to adopt sane IT security in such situations is extremely difficult and costly, but you don't need to be a state actor to spot and exploit this sort of insanity...)
posted by Devonian at 7:45 PM on December 21, 2014 [7 favorites]


Is Sony backing down because of fears of terrorism, or because of fears of more leaks? The narrative, I know, is terrorism. My suspicion is they didn't want any more emails about Leo or Angelina to come out. Losing one film, no big loss. Losing all of their senior management and producers could put a real crimp in their business model.
posted by karst at 7:46 PM on December 21, 2014 [2 favorites]


sylvanshine: "In other words it stuns me that no one even bothers to pretend any more that there is any separation between government and corporations."

A foreign government (apparently) doxxed thousands of US citizens and threatened to kill US citizens if Sony took a particular course of action. To pretend that this is an issue that only affects corporations is, itself, stunning.
posted by Bugbread at 7:48 PM on December 21, 2014 [18 favorites]


Is Sony backing down because of fears of terrorism, or because of fears of more leaks?

If it's fear of more leaks, they're morons. There is no way the filched information isn't going to be made public eventually. All they can do by negotiating is to delay it. Whoever the 'hackers' are, that is all the leverage they have over Sony. They aren't going to give it up.
posted by Kadin2048 at 8:01 PM on December 21, 2014 [1 favorite]


This really irks me for some reason, so I might as well lay it out here.

The company that's recently been hacked is Sony Pictures Entertainment, formerly Columbia Pictures Entertainment until its purchase in 1989 and renaming in 1991. It is a subsidiary of Sony Corporation of America (SCA), itself a subsidiary of the Japanese Sony Corporation.

The Sony rootkit (circa 2005-2007) was an ill-considered DRM attempt introduced by Sony BMG Music Entertainment, a joint venture 50% owned by Sony Music Entertainment (formerly CBS Records until their purchase in 1989 by SCA and renaming in 1991).

The Playstation Network, breached in 2011, was built and operated by the Japanese company Sony Computer Entertainment.

These are separate companies. They do not share staff. They do not share executives. They do not have their roots in a common corporate culture. They do not have a single IT department serving all of them. They share a name and a parent company, which is apparently quite content to let them run their businesses without much direct intervention.

Trying to construct a narrative through-line with previous events from other companies named "Sony", as some have done, is difficult to support. Suggesting that the SPE hack is some sort of karmic balancing for previous internet-related fiascos from separate companies is ill-informed sneering.
posted by figurant at 8:14 PM on December 21, 2014 [54 favorites]


If it's fear of more leaks, they're morons. There is no way the filched information isn't going to be made public eventually. All they can do by negotiating is to delay it. Whoever the 'hackers' are, that is all the leverage they have over Sony. They aren't going to give it up.

Why would they? If you have what it takes to make the monkey dance, then why not make it dance until it passes out?

The really sad thing about this is that Sony has so screwed people over in the past that no one has the least shred of pity for them.

(And I am writing this on a PC connected to a 31" Bravia for a monitor...)
posted by Samizdata at 8:16 PM on December 21, 2014 [1 favorite]


Both of the timelines linked in this post are shit because they're leaving out essential information, namely that the hackers tried to extort Sony for money on November 21, 3 days before the first publicly acknowledged attack.
posted by clockworkjoe at 8:20 PM on December 21, 2014 [2 favorites]


This is completely off topic but I wanted to mention that through these emails we learned that George Clooney is apparently the only person working with or for Sony that understands information security.

can anyone explain what this means?
posted by Bookhouse at 8:25 PM on December 21, 2014 [3 favorites]


That's exactly what I was about to ask.
posted by ocherdraco at 8:26 PM on December 21, 2014


A foreign government (apparently) doxxed thousands of US citizens and threatened to kill US citizens if Sony took a particular course of action. To pretend that this is an issue that only affects corporations is, itself, stunning.

The entertainment industry is also a pretty big segment of the US economy.

Obama and the Democrats would also lose a lot of face and goodwill amongst the talking heads and campaign financier crowd if he didn't indicate he had a major industry member's back. And considering the industry member owns television channels that host political ads...
posted by sebastienbailard at 8:46 PM on December 21, 2014


Am I taking crazy pills or is it not completely obvious that the whole reason American authorities will refuse to refer to this and just about any other incident as "cyber warfare", but will instead insist on discussing vandalism and terrorism, is because stuxnet is a much more serious case of cyber warfare and they do not in any way want to establish any precedents concerning how a nation can legitimately respond to a military attack of this sort?

I'm just kinda surprised that I haven't seen anyone mentioning that in the course of the media coverage. We're the ones who have actually destroyed another country's military assets via a cyberattack. We're going to continue exploiting the Unfrozen Caveman Lawyer "computer-based attacks are a frightening and confusing, novel and unfamiliar circumstance which can't be evaluated in any normal context of aggression or warfare!" reaction as cover and as a way to maintain a degree of latitude, and Republicans and friends are going to keep milking the ability to publicly claim that Obama and his party are soft on Iran and soft on defense, knowing the administration can't advertise the fact that the U.S. has committed an act of war against Iran, just as the Romney campaign claimed during the 2012 Presidential election.
posted by XMLicious at 8:50 PM on December 21, 2014 [23 favorites]


XMLicious - for real, what did you say there?
posted by ashbury at 8:58 PM on December 21, 2014


can anyone explain what this means?

Well, it's what one hopes for when considering reasonable standards for those self-selected to receive mefi membership.

That, and $5, same as in town.
posted by mwhybark at 9:05 PM on December 21, 2014


There have been numerous state sponsored attacks against US corporations that would fall under digital warfare. Notably, Boeing got hacked, but otherwise there have been targeted attacks against financial, energy, defense, etc sectors, as well as the government itself. So I don't see the US avoiding it because the sword of Stuxnet is hanging over their heads.

Inside the professional community there is considerable skepticism that North Korea is actually behind the attack. I don't have any experience with attribution or forensics so I don't have a personal opinion on the matter, but the general consensus is the FBI "could not properly attribute who made their Egg McMuffins in the morning" as someone put it on Twitter. From friends who work there, as well as recent press releases about reforming their hiring practices, I gather their drug policies (7 years from last use) compared to everyone else in the sector (2 years) have given them a real lack of talent. Additionally, pretty much everyone in the business hates the FBI because they throw 0days at media pirates, which people view as in very poor taste.

This timeline was missing a few things, notably a link to the presumed US CERT report about it. The entire situation is kinda weird to be honest. You have groups like the Russian Business Network -- Do they do things on the behest of the Russian Govnt? Sure. Are they part of the Russian Govnt? ehhhh? If the RBN hacked Sony, would we attribute it to the Russian Govnt? I honestly don't know. Furthermore, can we really expect organizations like the New York Times to have good enough security to resist the Chinese Govnt? These are all questions that kinda need answers to be hammered out for them, and all this is made dramatically more complicated by the fact that no one trusts the FBI at all.

One last comment on the whole situation -- if the attacks originated inside NK (as in, they were launched from inside NK proper as opposed to the North Koreans contracting out the Russians or Chinese) then attribution becomes dramatically easier. There is literally zero chance that every packet that goes in or out of North Korea doesn't have people looking at it. However, this would be a different group than the FBI, so who knows?

Basically there are a lot of questions and not a lot of answers currently. It would be wise of everyone involved to let things settle a bit before trying to figure out what actually happened. I think this is a bit of where the vandalism vs hackattack comments are coming from.
posted by yeahwhatever at 9:10 PM on December 21, 2014 [7 favorites]


The Clooney reference for those asking.
posted by butterstick at 9:10 PM on December 21, 2014 [8 favorites]


The bit about some movie release being delayed or cancelled is a sideshow. Giant multinationals being dismantled from the inside is big, bad news. Doubly so if it's a state-sponsored attack.

THIS.

Imagine instead of a ransom demand and a "HEY LOOK WHAT WE DID!!?!" leak, someone gained this level of access somewhere like Sony and stayed quiet about it. Covered their tracks. Then lurked for months or years doing damage to the company.

- A few delayed or missed emails here and there to scuttle a major deal.
- An occasional leak that doesn't give away the hack (i.e. email from an employee) at a time to do serious damage, like when a big movie release is happening or a big stock movement.
- A few strategic leaks sold under the table to competitors.
- Access to private emails with other companies leading to hacks at other companies.
- Access to company-owned media like Facebook and Twitter, to post things that cause PR disasters. Forge a few emails to make them look like the work of a misguided employee.
- Using insider information to get good employees to leave the company -- or to recruit them for a competitor.
- Using insider information gained from the hack to invest and make a profit on the company's stock or related stocks.

I'd be absolutely amazed if this isn't already happening somewhere, and it should be the big story.
posted by mmoncur at 9:59 PM on December 21, 2014 [10 favorites]


XMLicious - for real, what did you say there?

In 2010 a sophisticated computer worm we call Stuxnet rendered nonfunctional one-fifth of all of the nuclear centrifuges in Iran, devices that are used to refine uranium. News sources today attribute the attack to be the result of cooperation between the U.S. and Israel.

My knowledge of diplomacy and international law is limited but I don't think the U.S. and Israel have faced the same repercussions they would have if they'd used conventional military methods to destroy the same government assets in Iran - it seems as though accomplishing the same thing through bombing or physically infiltrating and sabotaging would've resulted in a need to defuse a war.

And just in general, given our precocious intelligence services you'd kind of expect that whatever set of actions may count as "cyber warfare", the U.S. has probably been doing it longer and more intensively than other countries.

So I am saying that I think our government probably wants "cyber warfare" to remain a vague and ill-defined concept for as long as possible, and thereby would want to avoid naming anything done to the U.S. as an act of "cyber warfare" lest our response establish precedent for what we'd regard as a valid retaliation for an attack. When "cyber warfare" becomes a recognized and defined aspect of war and fits into the other conventions of war, we may be held to account for past actions and our options for future use of cyberattacks may become constrained.

Then again, we and other nations have appeared to get away with doing things like shooting down the civilian airliners of opposing nations and all sorts of other stuff, so maybe the repercussions of attacks that only damage and destroy materiel are less severe than I'm expecting, no matter how provocative those attacks look.
posted by XMLicious at 10:06 PM on December 21, 2014 [20 favorites]


XMLicious - thanks. The first one sounded like tinfoilhatism but this one was much more cogent and makes far more sense to me now. That's an interesting theory that seems like a valid piece of the crazy puzzle of domestic and world politics.
posted by ashbury at 10:20 PM on December 21, 2014


There have been numerous state sponsored attacks against US corporations that would fall under digital warfare. Notably, Boeing got hacked, but otherwise there have been targeted attacks against financial, energy, defense, etc sectors, as well as the government itself. So I don't see the US avoiding it because the sword of Stuxnet is hanging over their heads.

Yeah, but in any of those cases has the U.S. government formally identified the attack as an act of war against the U.S. and claimed that hence it serves as justification for a retaliatory use of force? That's how some people (including some Congresscritters) are calling for the SPE hacks to be treated.
posted by XMLicious at 10:21 PM on December 21, 2014 [2 favorites]


It's probably a good thing that the USA is not defining this as a casus belli, an act of war. We don't actually want any more wars at present, thankyouverymuch.
posted by Joe in Australia at 10:34 PM on December 21, 2014 [2 favorites]


yeahwhatever: "I gather their drug policies (7 years from last use) compared to everyone else in the sector (2 years) have given them a real lack of talent"

I'd say having a drug policy of > 1 hour would cause a significant lack of talent.
posted by wcfields at 11:02 PM on December 21, 2014 [2 favorites]


Right. XMLicious, why exactly do you think this should be tagged "[any sort of] warfare"? What is the upside, exactly? Let's strip out the "cyber-" aspects and the North Korea angle for a moment and hypothesize that, say, Mercedes stole some data from Cadillac. Released internal correspondence, torpedoed next year's model, the whole bit. Certainly that would be corporate espionage, definitely a crime, but why would you (or any of us) be motivated to label it as "warfare," cyber or otherwise? Are we really gearing up to initiate a military attack against Germany, or against Mercedes specifically, over that sort of thing? Really?

I consider the present situation to be on par with that. I don't agree with it, I think it's terrible and criminal (and I hope The Interview is released, even if it ends up being a shitty movie), but I think comparing it to "warfare" or "an act of war" is hyperbolic, irresponsible, and not supported by the facts.
posted by Joey Buttafoucault at 11:08 PM on December 21, 2014 [1 favorite]


It's probably a good thing that the USA is not defining this as a casus belli, an act of war. We don't actually want any more wars at present, thankyouverymuch.

Wait until Abbott Credlin has a word in Obama's shell-like.

Australia has always had, in the words of Phillip Adams, "the greatest enthusiasm" for the United States' wars. And I can just see the Opposition cutting a war Government a lot more slack than Abbott's has had recently.

hyperbolic, irresponsible, and not supported by the facts

Didn't stop W/Cheney/Rumsfeld. I hope it stops Jeb.
posted by flabdablet at 11:28 PM on December 21, 2014


IT Security Questions for PRISM? Is that the NSA backdoor?
posted by crapmatic at 11:39 PM on December 21, 2014


I don't really have particular opinions on those questions, JB; I think probably between the history of the 20th century, computer security and vulnerability, and drones we probably should junk our entire vocabulary for aggression, use of force, and conflict—which are currently basically "Great Powers" era stuff from the 19th century—and start over, anyways.

Above I was just expressing thoughts on causes for some of the word choices coming from the White House on this SPE hacks issue, rather than recommending any particular nomenclature. It just seems relevant when the news shows are flipping back and forth between some people talking about vandalism and terrorism and some people talking about war.
posted by XMLicious at 11:43 PM on December 21, 2014


I still have internet PTSD when I see the words "reddit" and "research" in the same sentence from the Boston bomber thing. ugh.

IT Security Questions for PRISM? Is that the NSA backdoor?

Yea, there's nothing else I can think of. wtf?
posted by emptythought at 12:10 AM on December 22, 2014 [1 favorite]


The Risk Based Security timeline is excellent, although it loses several points for using the dread term 'reached out'.
posted by GallonOfAlan at 1:41 AM on December 22, 2014 [1 favorite]


This was excellent. Thanks for posting it.
posted by Tell Me No Lies at 2:21 AM on December 22, 2014


The compensation for it, monetary compensation we want.

So Sony was hacked by Yoda?
posted by chavenet at 2:58 AM on December 22, 2014 [4 favorites]


Has anyone linked to this port scan of North Korea's network yet?
posted by Catblack at 4:30 AM on December 22, 2014 [3 favorites]


Sony leaks reveal Hollywood is trying to break DNS, the backbone of the internet

DNS is a weak point in the internet. It will be replaced in time, and the time will be sooner rather than later. Centralized services are too tempting a target for bad actors, and that includes governments and multi-nats.
posted by Slap*Happy at 5:41 AM on December 22, 2014


The entertainment industry is also a pretty big segment of the US economy.

Its cultural mass far exceeds the actual economic impact of the industry. The film industry itself is only about 90 billion dollars worldwide.

Apple, Intel, and Google together made more last year than the entire film industry is worth.

Google could buy studios to get the MPAA to leave it alone - MGM for example, is only worth about 2.5 billion - Google made 33 billion in gross income in 2013.
posted by Pogo_Fuzzybutt at 6:25 AM on December 22, 2014 [3 favorites]


> That screenshot alone. Holy God.

At least I had the sense to name mine pwd.txt. (The sticky note under my keyboard has no name.)
posted by jfuller at 6:53 AM on December 22, 2014


The film industry itself is only about 90 billion dollars world wide.

And US broadcasting revenue is over 120 billion a year, and growing, perhaps totaling over 200 billion combined.
posted by Brian B. at 7:28 AM on December 22, 2014


Suggesting that the SPE hack is some sort of karmic balancing for previous internet-related fiascos from separate companies is ill-informed sneering.

Ill-informed sneering being, of course, something the dickheads responsible for the SPE breach would never dream of indulging in.
posted by flabdablet at 7:40 AM on December 22, 2014


I'm just thrilled that the Sony leaks revealed that Hollywood is trying to break DNS again, giving Google the standing to attack the Mississippi Attorney General directly for conspiring with the MPAA. It's even funnier if it's North Korea accidentally defending the internet. lol
posted by jeffburdges at 8:08 AM on December 22, 2014 [2 favorites]


At least I had the sense to name mine pwd.txt.

Surely this will be enough to nudge people toward KeePass and similar software?

Perhaps not.
posted by flabdablet at 8:15 AM on December 22, 2014 [1 favorite]


KeePass and similar "encrypted password store" tools are a good idea. I use them and would encourage others to consider doing so. (I specifically like KeePassX.) They make it simple and convenient to use strong passwords, and to use a different password for every network resource that requires one.

But remember they are another line of defense, not complete safety. If you run KeePass on a compromised machine, an attacker could (for instance) capture your master password with a keylogger, or pull decrypted cleartext out of the memory of the running KeePass process.

Had everyone at Sony been using such a tool (and using it according to best practices), I think the attackers would have gotten less than they did, and gotten it more slowly. But given that the attackers were apparently able to execute arbitrary code on a lot of machines, I do not think they would have been stopped by it.

Please practice defense in depth.
posted by sourcequench at 9:06 AM on December 22, 2014 [1 favorite]


It seems to me human vulnerabilities are just as likely to be exploited as network vulnerabilities. Couldn't a foreign intelligence agency pretty easily place someone inside an IT dept. and just have them dump a whole bunch of stuff onto USB drives a la Snowden?

If the US is fully confident that N Korea is responsible, the best response would be to just put more effort into exposing and prosecuting their internal human rights violations, and finding more ways to get North Koreans access to outside information and media.

North Korea's internet appears to be under mass cyber attack
posted by Golden Eternity at 9:10 AM on December 22, 2014 [2 favorites]


@AmbassadorPower: "Historic mtg of #UNSC on #DPRK human rights abuses reflects growing consensus that actions pose a threat to international peace&security"
posted by Golden Eternity at 12:22 PM on December 22, 2014


These are separate companies. They do not share staff. They do not share executives. They do not have their roots in a common corporate culture. They do not have a single IT department serving all of them. They share a name and a parent company, which is apparently quite content to let them run their businesses without much direct intervention.

Sure, but it's not like hacker groups care. Somebody who wants to be able to brag that they helped "hack Sony" isn't going to give a shit about the fact that SPE doesn't share an IT department with the same Sony that brought us the rootkit. They just want to fuck some shit up that has the Sony name on it. If SPE happens to be the softest target with that name, they're the ones who get hurt.

Sony might want to reconsider its "brand the universe" philosophy. If they had Playstation Inc., separate from Columbia Pictures, separate from CBS Records, then it'd be a lot harder for someone to play connect-the-dots from the rootkit to the gaming DDOSes to the SPE information theft. And shitty things that one subsidiary does wouldn't reflect as poorly on other companies.

Conglomerates that take the Berkshire Hathaway approach (toss the new name in the small print under the old name) don't run the same risk that Sony does.
posted by Kadin2048 at 12:57 PM on December 22, 2014 [1 favorite]


If NK is really behind this whole thing, and I still feel a bit skeptical about that being the case, then I would be proud and impressed if that cyberattack was orchestrated by us.

Perfectly proportional response, shows we are capable of playing that game as well or better than the hackers, despite the relative stupidity of Sony's security practices.

More importantly, no young person had to go spend months away from their families and get shot at or suffer a traumatic brain injury in a military response. That would just be another exercise in, sorry to be so blunt, dick-measuring bluster at the expense of innocent people's lives.
posted by misha at 1:04 PM on December 22, 2014


It's kind of dumb to do now. NK and China may find a way around the attack, nullifying its use if/when there is a more real threat.
posted by Golden Eternity at 1:32 PM on December 22, 2014


Kadin2048: "Sure, but it's not like hacker groups care."

Figurant's comment was directed at the MeFites in this thread conflating the two companies. Whether or not hacker groups care is only pertinent if your position is that the hackers are MeFites reading this thread.
posted by Bugbread at 2:35 PM on December 22, 2014


How do you figure that's a proportional response? The original target was a corporate entity, the retaliation target is an entire country.

Without endorsing any response for this particular attack, especially since the connection to NK is still a bit nebulous, it's pretty well-understood that attacks on corporate entities can hurt nation states economically. I don't think Sony being embarrassed and losing some revenue for a mediocre film falls into the category of massive economic loss that could hurt America, but certainly if a foreign country were orchestrating larger attacks on U.S. companies and hurting those companies' positions relative to foreign competitors, one could make a case that the government has a duty to protect its own economic interests.
posted by tonycpsu at 3:33 PM on December 22, 2014 [2 favorites]


South Korea's Nuclear Plant Operator Has Been Hacked
In a particularly ominous message on a hacking site, Lim told CNN that the group responsible for targeting the nuclear operator said, "if they don't stop the operation of the nuclear power plant, they will destroy it." 

According to Lim, the attack on the nuclear operator could indicate a pattern. First, North Korea carries out an attack on South Korea, before staging a more refined attack abroad against the US. 
posted by Golden Eternity at 10:36 PM on December 22, 2014


There is an article On The Security of Password Manager Database Formats by Paolo Gasti and Kasper Rasmussen that analyzes what bits of the header each password database stores unencrypted; apparently they all leak too much data except Password Safe.
posted by jeffburdges at 12:10 AM on December 23, 2014 [6 favorites]


what the fuck kind of nuclear plant can you even hack like that?

no, i mean, i've worked at a freaking coffee roasteria and even if you broke into the network it's not like you could connect to the computers that controlled the roasters... because they were airgapped.

the only things you should be able to hack a nuclear power plant and access are the phone records and the boss's Spotify offline cache. if that isn't just a bunch of posturing and flexin, something is seriously wrong at a base level here. I've seen many much less critical setups, where if the computer running C&C software/with access to the PLCs/etc got rooted it could cause serious damage... well, that was an offline machine. There would be a second online machine (or third, or whatever) on that desk and you had a human acting as a meat firewall between the two.

If nuclear power plants don't work this way, i want to move to a country that doesn't have them.
posted by emptythought at 4:10 AM on December 23, 2014


despite many glaring typos, this is a decent rundown of some skepticism about the Korea explanation

While I am not convinced either way right now, I think that calling people who question the Korea hypothesis "truthers" is somewhat insulting and uncalled-for, and given the nature of this crime, any explanation is by definition a theory about a conspiracy.
posted by idiopath at 11:37 AM on December 23, 2014


emptythought: Stuxnet was sophisticated, and did not spread just by Internet. It infected non-networked machines.

Unless you have no USB ports, or your USB ports were disabled by filling them with epoxy, you would likely have been vulnerable.
posted by idiopath at 11:49 AM on December 23, 2014


Well, here's another item for the timeline:

Sony Pictures moves to release 'The Interview' in about-face
posted by tonycpsu at 2:10 PM on December 23, 2014 [2 favorites]


So Alamo Drafthouse theaters will be showing "The Interview". I'll bet they had to sign a 300-page Release of Liability document for Sony...
posted by oneswellfoop at 2:14 PM on December 23, 2014 [1 favorite]


Sony Pictures moves to release 'The Interview' in about-face

Fanfare post
posted by Jacqueline at 9:50 PM on December 24, 2014


evidence the data was likely copied directly to a hard drive via USB

That would mean a disgruntled employee.
posted by idiopath at 8:51 AM on December 26, 2014 [1 favorite]


odinsdream: yeah, that was sloppy on my part, sorry about that. I should have made it clear that while this information was part of the Sony hack, it wasn't referring to The Interview.
posted by homunculus at 12:04 PM on December 26, 2014


That would mean a disgruntled employee.

the following is a friend of a friend on Facebook:

"In spring of this year, Sony laid off hundreds of their IT specialists. Sony's IT security has been the laughing stock of the cyber security world for years (E.g. this guy at the top stored company employee passwords in plaintext in a folder called "Passwords"), and even after the huge Sony security breach in 2011 costing them $170M to clean up, they didn't learn. Every major cyber security analyst has come out saying there's no way this is North Korea and that it's probably someone with inside info considering the ways in which the servers were specifically targeted as if they knew where everything was kept.

If we play the game of Who Has The Most To Lose/Gain, it pretty much rules out Sony and North Korea. As Jeff writes earlier, Hollywood is not known for taking risks with investor dollars. The winner would seem to point to the CIA who knew the torture report was coming out near the end of the year and learned from experience that the best way to distract the American public is through the juicy Hollywood stuff and threats to their vague sense of freedom and liberty.

Maybe the CIA contacted one of these disgruntled employees and hired her (the major theory points to a Sony insider they're calling 'Lena'), or more likely, the disgruntled employee had already begun a disruptive hack, the CIA tracked her down, and then threatened her with jail if she didn't do their bidding with the information retrieved.

If you look at the timing of the release of the 525-page torture report on Dec. 9th, you'll see a flurry of weird information release that makes you scratch your head as to why anyone would go to all this trouble just to embarrass Sony's silly little movie. The CIA has often used Hollywood to cover their tracks; I think this is another case of that."

TLDR: disgruntled laid off Sony IT specialist either works with (or is coerced by) the CIA to perpetrate the hack and make it look like the work of North Korea. Why would the CIA do this? To distract us from the torture stuff.
posted by philip-random at 12:44 PM on December 26, 2014 [1 favorite]


As some people have pointed out in the comments of that Gotnews piece, using timestamps to conclude that a specific medium was used for the initial exfiltration from Sony is fraught with peril. The authoritative "Gotnews can confirm..." presentation is way overstated -- all we kinda-sorta know is that someone may have at some point transferred the files across a link of similar bandwidth to a USB 2.0 cable. Beyond that, the piece adds nothing.
posted by tonycpsu at 12:57 PM on December 26, 2014 [1 favorite]
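The timestamp-to-bandwidth reasoning tonycpsu is criticising, as an added example that is not from the thread or the Gotnews piece: given constructed file metadata (sizes and modification times), it computes the transfer rate a copy batch implies and lists every medium whose typical sustained rate overlaps it. The throughput ranges are rough rules of thumb made up for the example, and the overlap between them is exactly why a rate alone does not single out USB.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rough sustained-throughput ranges in MB/s. Constructed rules of thumb
# for this example, not measurements; the overlap between them is the point.
MEDIA_RATES_MBPS = {
    "USB 2.0 external drive": (20.0, 35.0),
    "100 Mbit Ethernet": (8.0, 12.0),
    "Gigabit Ethernet (single TCP stream)": (30.0, 110.0),
    "802.11n Wi-Fi": (5.0, 30.0),
}

@dataclass
class FileRecord:
    path: str
    size_bytes: int
    mtime: datetime  # modification time as found on the leaked copy

def implied_rate_mbps(records, gap=timedelta(minutes=5)):
    """Group files into copy batches (mtimes within `gap` of each other),
    take the largest batch by bytes, and return (MB/s, bytes, seconds).
    A file's mtime marks the end of its write, so the bytes moved between
    the first and last mtime exclude the first file. Only meaningful if the
    copy tool stamped mtimes at copy time instead of preserving originals."""
    recs = sorted(records, key=lambda r: r.mtime)
    if not recs:
        return None
    batches, cur = [], recs[:1]
    for r in recs[1:]:
        if r.mtime - cur[-1].mtime <= gap:
            cur.append(r)
        else:
            batches.append(cur)
            cur = [r]
    batches.append(cur)
    best = max(batches, key=lambda b: sum(r.size_bytes for r in b))
    seconds = (best[-1].mtime - best[0].mtime).total_seconds()
    if len(best) < 2 or seconds <= 0:
        return None
    moved = sum(r.size_bytes for r in best[1:])
    return moved / seconds / 1e6, moved, seconds

def candidate_media(rate_mbps):
    """Every medium whose typical range contains the implied rate."""
    return sorted(n for n, (lo, hi) in MEDIA_RATES_MBPS.items() if lo <= rate_mbps <= hi)

def sample_records():
    """Constructed metadata: four 900 MB archives written 30 s apart, plus
    an unrelated small file a day earlier that must not join the batch."""
    t0 = datetime(2014, 11, 20, 2, 0, 0)
    big = [FileRecord(f"archive{i}.7z", 900_000_000, t0 + timedelta(seconds=30 * i)) for i in range(4)]
    return big + [FileRecord("notes.txt", 5_000, t0 - timedelta(days=1))]

if __name__ == "__main__":
    rate, moved, secs = implied_rate_mbps(sample_records())
    print(f"{moved} bytes in {secs:.0f} s = {rate:.1f} MB/s; fits: {candidate_media(rate)}")
```

With the constructed batch the implied rate is 30 MB/s, which three of the four media can plausibly sustain.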


Quite so. It's only slightly more convincing than the FBI's reasoning about IP addresses.
posted by flabdablet at 3:57 PM on December 26, 2014


Sure. There's nothing at all difficult about believing that nobody knows what the fuck they're talking about.
posted by tonycpsu at 3:59 PM on December 26, 2014 [1 favorite]


Wait wait wait wait wait - I'm entirely open to discussion about who did it. Was it a disgruntled employee? Was it North Korea? Was it random hackers? Was it a combination of all three or the unknown unknown we aren't considering?

But "The CIA has often used Hollywood to cover their tracks; I think this is another case of that." is tinfoil hat tomfoolery.

OK, I'm going to go back to watching ARGO now.
posted by incessant at 10:15 PM on December 26, 2014 [6 favorites]


FBI briefed on alternate Sony hack theory

FBI agents investigating the Sony Pictures hack were briefed Monday by a security firm that says its research points to laid-off Sony staff, not North Korea, as the perpetrator — another example of the continuing whodunit blame game around the devastating attack.

posted by chavenet at 3:10 AM on December 30, 2014


More ill-informed sneering
posted by flabdablet at 3:34 AM on December 30, 2014 [2 favorites]


If the FBI, NSA and DoD all say it was the North Koreans, it was the North Koreans. Scratch the polished surface of a "security research firm" and you'll find a black-hat flim-flam man.
posted by Slap*Happy at 8:09 PM on December 30, 2014


A North Korea Watcher Watches “The Interview”

("A so-called "expert" on North Korea watches the Interview" would be a better title.)
posted by Golden Eternity at 8:35 AM on January 2, 2015 [1 favorite]


Slap*Happy: If the FBI, NSA and DoD all say it was the North Koreans, it was the North Koreans. Scratch the polished surface of a "security research firm" and you'll find a black-hat flim-flam man.

You are bizarrely optimistic about security agencies. It's certainly a good idea to be doubtful of the security firm too, since they have their own motivations, but I cannot imagine why you would naively assume that a bunch of agencies with long histories of being wrong or lying are unimpeachable.
posted by tavella at 11:34 AM on January 2, 2015 [1 favorite]


Coincidentally I read 'Nothing To Envy', a compilation of stories of North Korean escapees, a couple of weeks ago (by the author of the above mentioned article). It was absolutely fascinating.
posted by bq at 1:31 PM on January 2, 2015 [1 favorite]


Obama Authorizes New Sanctions On North Korea Over Sony Hack. The NPR radio report I heard also noted that something in the White House statement today suggested that the US was not behind recent outages of North Korean Internet.

I'm still not convinced North Korea is the primary agent responsible for the attack on Sony Pictures, and do not share Slap*Happy's faith in FBI, NSA, or DoD. (Also, did NSA make a statement? All I've seen was FBI.) But it's clear the Executive Branch believes it enough to say it repeatedly and act on the belief. One of the troubling things about cyberwarfare is it's really hard to attribute attacks to their source.
posted by Nelson at 1:33 PM on January 2, 2015


Glenn Greenwald: North Korea / Sony Story Shows How Eagerly US Media Still Regurgitate Government Claims. Righteous takedown of various newspapers reporting the North Korea connection only on the basis of anonymous government sources. Greenwald reminds the reader that the press is supposed to be a skeptical investigator.
posted by Nelson at 7:40 PM on January 2, 2015 [1 favorite]


You are bizarrely optimistic about security agencies. It's certainly a good idea to be doubtful of the security firm too, since they have their own motivations, but I cannot imagine why you would naively assume that a bunch of agencies with long histories of being wrong or lying are unimpeachable.

Because the government's operations are better funded, their investigators more experienced and better trained and they have a much longer and more consistent track record than private security firms. Privatization is a right-wing myth, especially when it comes to law enforcement and military matters. The infosec industry has a long and sad history of publicity stunts and contrarian headline-grabbing. None of them have the same gravitas or depth of involvement as, say, UNSCOM or the IAEA. If a credible international or allied military infosec outfit were blowing the whistle, I'd take it more seriously.
posted by Slap*Happy at 7:53 AM on January 5, 2015


The Risk Based Security page that BlackLeotardFront linked to has a new entry today summarizing everything since Christmas.
posted by XMLicious at 9:20 AM on January 5, 2015 [1 favorite]


NSA Played Key Role Linking North Korea to Sony Hack. "This is the first time the agency has made any public statements about its involvement in the Sony hack investigation."
posted by Nelson at 7:39 AM on January 10, 2015 [2 favorites]


I'm keeping an eye on the media for stories originating from the Sony Breach Attribution Generator.
posted by flabdablet at 2:45 AM on January 16, 2015 [2 favorites]


Flabdablet You Bastard. I clicked on your link, and by the time I got to actually reading it I had forgotten the context. "Huh," I thought, "seems reasonable."
posted by Joe in Australia at 11:14 AM on January 16, 2015


If you have any acquaintances who work for the Murdoch press, draw their attention to it and see if anything happens :-)
posted by flabdablet at 5:54 PM on January 16, 2015


N.S.A. Tapped Into North Korean Networks Before Sony Attack, Officials Say. "The evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack".

I don't know how much I trust the NYT, they've been used so many times by government agencies trying to create some false case for action. OTOH it's interesting that NSA is allowing this stuff to be attributed to them.
posted by Nelson at 6:16 PM on January 18, 2015

