Comments on the Sony Hack

I don't have a lot to say about the Sony hack, which seems to still be ongoing. I want to highlight a few points, though.

  1. At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it's not an insider, either.) That we live in the world where we aren't sure if any given cyberattack is the work of a foreign government or a couple of guys should be scary to us all.

  2. Sony is a company that hackers have loved to hate for years now. (Remember their rootkit from 2005?) We've learned previously that putting yourself in this position can be disastrous. (Remember HBGary.) We're learning that again.

  3. I don't see how Sony launching a DDoS attack against the attackers is going to help at all.

  4. The most sensitive information that's being leaked as a result of this attack isn't the unreleased movies, the executive emails, or the celebrity gossip. It's the minutiae from random employees:

    The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It's an email about trying to get pregnant. It's shit-talking coworkers behind their backs, and people's credit card log-ins. It's literally thousands of Social Security numbers laid bare. It's even the harmless, mundane, trivial stuff that makes up any day's email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.

    These people didn't have anything to hide. They aren't public figures. Their details aren't going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and read this stuff.

    These are people who did nothing wrong. They didn't click on phishing links, or use dumb passwords (or even if they did, they didn't cause this). They just showed up. They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn't have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere. For better or worse, we've become inured to small, anonymous violations. What happened to Sony Pictures employees, though, is public. And it is total.

    Gizmodo got this 100% correct. And this is why privacy is so important for everyone.

I'm sure there'll be more information as this continues to unfold.

EDITED TO ADD (12/12): There are two comment threads on this post: Reddit and Hacker News.

Posted on December 11, 2014 at 2:37 PM • 48 Comments

Comments

Jordan Brown • December 11, 2014 3:06 PM

One thing that really bugs me about the coverage of this attack, a problem with coverage of many similar attacks is what is included in the "cost" of the attack:

http://news.yahoo.com/cyber-attack-could-cost-sony-studio-much-100-225410262--finance.html

    Major costs for the attack by unidentified hackers include the investigation into what happened, computer repair or replacement, and steps to prevent a future attack.

Including investigation and repair, sure. But including "steps to prevent a future attack"? If your security is inadequate, that's true whether or not somebody breaks in. The attack just *reveals* the problem. If somebody breaks into your house and steals stuff, I don't think any rational person would include the cost of a new alarm system and new window bars in the "cost" of the burglary.

The costs of an attack should include those costs related to returning you to the state you were in before the attack. Any additional security that you choose to add is your choice. Including the costs to increase security means that the cost of one attack can be inflated to arbitrary levels, because you can always spend more money to defeat a few more potential attacks.

Larry S. • December 11, 2014 3:12 PM

These people didn't have anything to hide. They aren't public figures. Their details aren't going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and read this stuff.

However, we are ok with the governments getting and reading all that... sigh.

Nate J • December 11, 2014 3:18 PM

Quick point of clarification. Specifically it was Sony Pictures that was hacked. There are many Sonys. They don't always get along.

Stefan_NoName • December 11, 2014 3:48 PM

A quote from a Sony CIO interview from 2007 regarding security sums up the problem and assures this type of mess will continue...

"The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he suggests."

http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html

Dan Andrews • December 11, 2014 3:55 PM

Ok, why is everyone missing the obvious!

http://www.justice.gov/usao/iln/pr/chicago/2014/pr0616_01.html

In June of this year the FBI locked up a hacker whose team was associated with the Sony hack of 2012.

http://securecommunication.blogspot.com/2014/12/is-team-ghost-shell-behind-sony-attacks.html

Here are my thoughts. It might be Team Ghost Shell, it might be a new Team Ghost Shell. However, it appears this team is highly sophisticated. While some people think they are trying to make an example of Sony, I think this organization is taunting the FBI. Basically showing the world, you take a hacker, they take a whole corporation.

Again, personally, I have not seen a crew this well organized and disciplined since TGS. That being said, I could see a possible member of the original crew working with the Koreans. Almost an enemy of an enemy is my friend. Remember, the arrest was in June, the letter from North Korea to the President of the US was in July.

It is my belief that whatever hack team plotted the revenge tactic made the decision that if they went under the guise of N Korea patriotism, it would throw off the trail.

Follow me on twitter @knoxcounty

Ken Westin • December 11, 2014 4:08 PM

Just thought I would point out that there is no proof or evidence provided that Sony is initiating a DDoS attack from AWS. That came from a blog post by Re/Code...who were also the folks who perpetuated that North Korea was behind the attack. Their source they say are "people close to the matter" but no evidence has been provided to back up the claims. Amazon has refuted the allegation that AWS services are being used by Sony for DDoS attacks.

NobodySpecial • December 11, 2014 5:24 PM

So don't store this stuff.
Internal email that doesn't flag as need-to-keep, e.g. by cc'ing a specific accounting/HR/FDA archive account, should be wiped regularly. Why do you need 3-year-old chat emails about where you are going for lunch?

Apples • December 11, 2014 5:55 PM

"They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn't have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere."


"the same banal workplace emails you send every day"

Is this blanket assumption as surprising to anyone else as it is to me?

Where has it truly become okay to use employer systems for personal emails such as gossiping about colleagues (HR doubtless would be alerted in some companies), looking for Ritalin (on work computers??), paying credit card bills, and so on. I don't think I know a corporation where employees are not warned not to do this, told that it is misuse of employer resources, and that everything will be screened (not by an IT 'creep') but for such things as accidental or deliberate release of proprietary information, communicating with fired employees about how they're going to set up in business together and steal customers (have actually seen this!), sending corporate information (sales figures) to addresses outside the company, and so on, and that therefore everything should be regarded as indefinitely retained, as non-private and that personal use should therefore be kept to a minimum.

I'm truly amazed. I can't decide whether I've been missing out on something or not.

Godel • December 11, 2014 5:55 PM

According to Ars Technica they had passwords stored in txt and doc files, encrypted files with the passwords included in the file names, unencrypted staff medical reports, and unencrypted files of their five latest big blockbuster movies.

How the hackers got in is mostly irrelevant compared to the obvious incompetence of keeping all this stuff unencrypted, unpartitioned and on a web facing system.

BTW, here's a new wrinkle: 'Tal Klein, vice president of strategy at Adallom, told Ars that starting yesterday, “all of a sudden we saw files matching the SHA1 signatures of the Sony torrents starting to be populated across all the torrent sites.” He said that the files were intelligently designed to have the same signature as the GoP file torrents—unlike earlier opportunistic attempts by malware distributors who packaged malware using the same filenames used by the GoP file dumps.'

It's surmised that the seeder simply lies about the SHA signature rather than faking a complete new file with a hash that matches.

http://arstechnica.com/tech-policy/2014/12/sony-fights-spread-of-stolen-data-by-using-bad-seed-attack-on-torrents/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

Anura • December 11, 2014 6:05 PM

@Apples

I used to work for a SaaS provider for Ecommerce software, and I was surprised to see that the busy days for online ordering were not weekends, but weekdays, and that most of the orders came in during the middle of the day. This indicates that a statistically significant number of people do the bulk of their online shopping while at work.

Nick P • December 11, 2014 7:23 PM

@ Apples

"Where has it truly become okay to use employer systems for personal emails such as gossiping about colleagues (HR doubtless would be alerted in some companies), looking for Ritalin (on work computers??), paying credit card bills, and so on. "

I agree. I caught this immediately and wondered why we're even discussing this? If their personal email accounts were intercepted, then the points are valid. If it's company email, why the hell are they sending stuff through accounts even lay people often know might be monitored? Even most people I've worked with would've told that to their friends face-to-face or a text at worst.

hoodathunkit • December 11, 2014 8:23 PM

The solution for the studio is not cheap, but very clear:
1) dump about $5-$10 million into IT security. Banks' or jewelers' assets are physical and need enhanced and expensive physical safeguards; Sony's products are digital and need extra-special and expensive safeguards.
2) Anonymously release a moderate resolution version of the original version* The Interview into torrent. That will inhibit future hacks like this one. NK does have an extremely competent cyber-squad, and Occam would indicate NK is responsible either directly or by bankroll. If NK did it the loss of face will discourage them from a repeat. On the longer shot that NK did not do this their cyber-folks can pass the appropriate info to NK's other 'assets' to liquidate the possibility of a repeat. Sony has lost enough already that the release of a non-DVD version won't hit the bottom line any more than what has already happened, and it will send ripples through the underground; NK will not take it sitting down.

*Not the toned down post-July version. Sony needs to reach for "outrageous".

Nick P • December 11, 2014 8:44 PM

@ Bruce

re hackers loved to hate

They actually had a love-hate relationship with Sony due to the PS3. The PS3 had the Other OS feature that made Sony uniquely hacker-friendly compared to other console makers. People could get a relatively cheap device with a Cell processor to hack around on. I've seen boards with one Cell processor cost $10,000+. A major Linux distro was also targeted to it. Sony talked about this stuff like it was something they believed in and would keep around.

Then, they canceled it arbitrarily and tried to lock down the platform for profit. This had to be at least as aggravating as the rootkit because Sony gave the middle finger to all the hackers that invested in PS3's success & bragged about their support of hackers. At this point, Sony was saying they'd have to hack them to get the full potential of their boxes. Plenty of effort was directed at PS3 and PSN for this purpose. Both ended up being compromised, with the PSN hack showing Sony didn't care about security at all. (No firewall or patches? huh?)

So, they had a chance to make up for the rootkit scandal and try to do at least the commercial minimum on security (eg firewall, a few patches). They didn't even do that. They got hit. And attackers seeing results that shocking and amazing just gotta do a bit more. It would surprise me if Sony wasn't hit again if only because they're still assholes that put as little effort as possible into protecting their users/customers and now employees. And I say that as a person that was once a huge Sony fan.

heylook the data meters off the chart • December 11, 2014 8:55 PM

Nobody noticed that 100 TB, yes T, of data was moving thru the pipes? Really? My ISP sneezes at 100GB, I'm sure this HUGE spike of data caused someone to sit up. It's not like they got all this in just a few min, or even overnight.

W. Russell • December 11, 2014 9:09 PM

@Dan Andrews

Interesting theory about Team Ghostshell...I had forgotten all about them until I read your blog. They did seem a cut above most of those skiddie groups like anonymous, and it seems like the FBI and media downplayed them quite a bit.

David Robertson • December 11, 2014 9:33 PM

@Jordan Brown
If somebody breaks into your house and steals stuff, I don't think any rational person would include the cost of a new alarm system and new window bars in the "cost" of the burglary.

Welcome to the US Congress! Bend over! :)

Volker • December 11, 2014 9:41 PM


  • More and more human beings have access to your data

  • That's a fact. It doesn't matter if they are allowed to do so or why they do it

  • It only needs one person to publish your data worldwide

  • Imagine being naked. Everyone sees you. This is real. Now.


I am still trying to figure out what this really means for me, my family and the people around me. Scary - as is all unknown.


I also took the liberty to translate your post to German.

Chris Abbott • December 11, 2014 9:52 PM

@Apples:

I agree, you never put stupid shit in writing let alone over work e-mail. But, people still do it.

@heylook the data meters off the chart:

That among other things (ridiculous security fail) is why there's probably some job openings at Sony's IT Dept.

What needs to happen is this:

Everyone needs to use PGP RSA-4096 for all e-mails, period.

Important data like that HAS to be encrypted. If the movies and other things on their network were encrypted and the keys were on an air-gapped machine, they wouldn't have suffered millions in damages.

We live in the Wild West of the Communications/Information Age. Crypto and other infosec measures are the rifle that protects you from bandits and wild animals...

Jeff • December 11, 2014 10:59 PM

@hoodathunkit

I'd say a larger percentage of Banks' assets are digitized compared to Sony Pictures. Don't confuse Banks with jewelers. :)

Ole Juul • December 11, 2014 11:33 PM

As Jordan Brown (comment near top) points out, the claimed costs of fixing security breaches often include the purchase of a lot of extras - e.g. a new upgraded security system. This is similar to house insurance where some people are prone to making hugely inflated claims. In that world it is considered fraud. Why is that not the case here?

dave • December 12, 2014 12:43 AM

"I'm sure there'll be more information as this continues to unfold."

There's a striking irony to all of this.

kruemi • December 12, 2014 1:21 AM

Getting hacked is one thing. There is probably always a way into any network that is not completely isolated.

But that this gave the hackers access to all the data (including the private keys/certs to sign software as Sony Corp.) is really surprising to me.

Is this just raw incompetence by Sony? Or are other companies sloppy like this as well? Especially as Sony has already been hacked and knows that hackers are targeting them!

Security is hard! But a company like Sony should be able to get it right. And it seems that they failed on every level. On every single level!
They did not enforce data protection practice by employees. They had insecure IT, they had unencrypted important data...

Is there anything they could have done wrong that they did not do wrong?

Wael • December 12, 2014 1:29 AM

@Stefan_NoName,

A quote from a sony cio interview [...] "The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he suggests."
What a naïve thing to say! What is the probability of a "possible security breach"?

1- He compared the cost of a single incident to the cost of fixing the root cause. He ignored the cumulative effect[1]. So that's the cost of one incident, and he refused to fix the root cause. He should expect another incident, and another, and... The question becomes: Which is less costly, $∞ or $10 Million?

2- He applied an acceptable cost/risk formula to the wrong business model. It's not a secret that some industries have different risk tolerances; some can tolerate 10% fraud, some can tolerate 20%, while others can't tolerate more than a part per million.

3- Comparing the cost of fixing a problem to a breach is only a first order model. Other factors must be considered in a more refined model such as reputation, business loss, and long term adverse effects in addition to possible domino effects (harmonics, so to speak) :). He ignored that, and used the first term of the series, again, so to speak. Turns out it's unacceptably inaccurate in his case.

[1] So an idiot was taking a lesson in parachuting and was given an altimeter. He was told to open his parachute when the dial reads 400 meters. He jumped off the plane and kept an eye on the device... 1000...700...600 He says to himself: Better prepare now... Altimeter reached 400 meters. He thought nah, it looks a bit too far, I'll wait a bit. 200..100...50... He says hmmm maybe I'll wait a little more. 40...30...10...5...4...1 Now he looks at the Altimeter and thinks: fu**k it, it's just one meter! I'll just jump it off!

Karellen • December 12, 2014 3:42 AM

"Specifically it was Sony Pictures that was hacked. There are many Sonys."

Tough shit. If the many Sonys want to reap the benefits of brand recognition and cross-brand promotion across multiple divisions, they have to take the down sides too. If they don't like that, they can stop calling themselves "Sony".

Clive Robinson • December 12, 2014 4:00 AM

@ Wael,

So an idiot was taking a lesson in parachuting...

This is what most C-level and above execs do -- supposedly -- at the direction of the shareholders, who can sue if they don't.

The part of the joke that's wrong is "I'll just jump it off"; when the altimeter gets to 1000 meters they jump ship with their golden parachute and let the other rats take the fall...

The reality of this jump-before-it-goes-bad policy is that when execs that are not owners or founders don't jump ship half way through, you have to start asking why. If people had done this with Enron or any of the too-big-to-fail organisations a lot less people would have been hurt, and a lot less fraud committed.

GreenSquirrel • December 12, 2014 6:04 AM

Despite some of the comments above, I don't think this is nation-state hacking and I think Occam's razor would support that.

The state of Sony's security is pitiful. We know of examples such as passwords in plain text and given the size of the organisation it is likely that there are countless entry and exit points into the network with almost no monitoring. It will have a large user base with a distributed endpoint client system (and countless "artistic" types who have BYOD something random into the network), so I fail to see any reason for this being a sophisticated attack.

Also, to pick up some of the comments above:

1) most employees in most companies use email to communicate with their coworkers. For decades now, people have used this as an informal tool so even official messages will be surrounded with social discourse pre-amble/post-amble. The days of corporate email being for 100% official information died with the Y2K bug.

2) Likewise, most modernised employers have at least a tacit understanding that employees will use corporate assets to do personal admin tasks. It makes sense for most businesses and it keeps people working for longer because there is no "popping out to the bank" type activity. This isn't tolerated in the factory environment at some organisations, but these are very much a minority now.

3) If the organisation is set up to chuck huge datasets around, 100TB won't be noticed. I've worked in a lot of places which wouldn't blink at this going over its network in the course of a day - the only risk would be if it was a spike on one pipe. If the attackers were slightly patient and hid it amongst other big data splurges, it wouldn't be noticed.

bitstrong • December 12, 2014 6:52 AM

@Godel
That bell doesn't ring anymore. A report from Venafi shows keys and certificates were stolen, so what if some stuff wasn't encrypted. In fact that was why they were told to pull the plug. Hackers were in the network long before the attack surfaced. Once keys are compromised encryption does more harm than good.

wumpus • December 12, 2014 9:14 AM

While the DDoS might be pointless, Sony has also created plenty of false torrents or possibly just false servers for real torrents.

A naive look at the bittorrent spec seems to imply that Sony is simply trying to drown out other clients with the correct data. It appears that correctly written bittorrent clients will simply ignore any data from Sony (because the data doesn't have the hash it claims), but if Sony is buying more servers from Amazon (or elsewhere) than clients are successfully downloading their movies, this will presumably work as pirates get tired of trying to get a download and fall off the network. Of course, any client that isn't sufficiently careful about bad files will make Sony's work much easier.

(There's also the issue about SHA1 being weak. I doubt Sony has the time to create a hash collision, but that would pretty much kill the torrent right there. Would it take a much larger array of Amazon servers to find a collision than to overwhelm a bittorrent swarm?).
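Godel's note above that the seeders "lie about the SHA signature" and wumpus's point that a correctly written client ignores data that "doesn't have the hash it claims" come down to the same protocol check: a torrent's metadata carries a SHA-1 digest for every piece of the file, and a client verifies each downloaded piece against its digest before keeping it, so a peer can advertise whatever hash it likes but cannot make bad bytes pass verification. The following is an added example, not code from the post, its commenters, or any BitTorrent client: a deliberately small Python model (16-byte pieces, a constructed 64-byte "file", and constructed peer functions standing in for one honest seeder and poisoning peers) showing that a verifying client discards every poisoned piece and still completes the file from the honest peer, with the wasted requests counted so the bandwidth-drowning effect wumpus describes is visible.

```python
import hashlib

# Constructed toy parameter: real torrents use pieces of 16 KiB or more and ship
# the per-piece SHA-1 digests concatenated in the info dict's "pieces" field.
PIECE_LENGTH = 16


def split_pieces(data: bytes, piece_length: int = PIECE_LENGTH) -> list[bytes]:
    """Split file content into fixed-size pieces; the last piece may be shorter."""
    return [data[i:i + piece_length] for i in range(0, len(data), piece_length)]


def piece_hashes(data: bytes, piece_length: int = PIECE_LENGTH) -> list[bytes]:
    """Expected SHA-1 digest per piece, computed once from the genuine file by the publisher."""
    return [hashlib.sha1(p).digest() for p in split_pieces(data, piece_length)]


def verify_piece(index: int, piece: bytes, expected: list[bytes]) -> bool:
    """A correct client keeps a piece only if SHA-1(piece) equals the digest for that index.

    What a peer *claims* about the data is irrelevant; only the recomputed digest counts.
    """
    if index < 0 or index >= len(expected):
        return False
    return hashlib.sha1(piece).digest() == expected[index]


def download(expected: list[bytes], peers, max_rounds: int = 10):
    """Fetch every piece from a rotating set of peers, keeping only pieces that verify.

    `peers` is a list of callables piece_index -> bytes (constructed stand-ins for
    remote peers). Returns (file_bytes or None, accepted_count, rejected_count).
    """
    have: dict[int, bytes] = {}
    rejected = 0
    rounds = 0
    while len(have) < len(expected) and rounds < max_rounds:
        rounds += 1
        for idx in range(len(expected)):
            if idx in have:
                continue
            peer = peers[(idx + rounds) % len(peers)]  # rotate through the swarm
            piece = peer(idx)
            if verify_piece(idx, piece, expected):
                have[idx] = piece
            else:
                rejected += 1  # poisoned data: discard it and ask another peer later
    if len(have) < len(expected):
        return None, len(have), rejected  # swarm exhausted before the file completed
    return b"".join(have[i] for i in range(len(expected))), len(have), rejected


# Constructed 64-byte "file" (4 pieces) standing in for the real content.
GENUINE = b"CONSTRUCTED-SAMPLE-FILE:" + bytes(range(40))
EXPECTED = piece_hashes(GENUINE)


def honest_peer(idx: int) -> bytes:
    """Serves the genuine piece."""
    return split_pieces(GENUINE)[idx]


def poisoned_peer(idx: int) -> bytes:
    """Serves a same-length block of zeros under the same infohash; it never verifies."""
    return bytes(PIECE_LENGTH)


def mixed_swarm_result():
    """One honest seeder against two poisoning peers: the file still completes."""
    return download(EXPECTED, [honest_peer, poisoned_peer, poisoned_peer])


def all_poison_result(max_rounds: int = 3):
    """No honest peer at all: nothing verifies, so nothing is ever written to disk."""
    return download(EXPECTED, [poisoned_peer], max_rounds=max_rounds)


if __name__ == "__main__":
    data, ok, bad = mixed_swarm_result()
    print("complete:", data == GENUINE, "accepted:", ok, "rejected:", bad)
    print("all-poison swarm:", all_poison_result())
```

Against a swarm of one honest and two poisoning peers the client accepts 4 pieces and throws away 5, and the reassembled bytes equal the genuine file; with no honest peer it makes `4 * max_rounds` useless requests and stores nothing. That ratio of rejected to accepted pieces is the cost a poisoned swarm imposes on a well-behaved client, and why the attack only works on clients that skip the check or on downloaders who give up.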

Daniel • December 12, 2014 1:16 PM

@wael and others

The problem here is the same problem that has existed in economics for centuries and that's the problem of accounting for externalities--a poster in the Hacker News thread gets this exactly right. What that poster misses, however, is that viewed in a meta way everything in the universe can be seen as an "externality" over some amount of space-time. It then becomes a line drawing exercise as to what data is included in the cost/benefit calculus. The fundamental problem with this line drawing exercise is that it is very easy to skew the criteria so that it produces a predetermined conclusion. On the surface the criteria look neutral but it is not until one begins to closely examine the pattern of what is left in and what is left out of the cost/benefit analysis that the bias becomes apparent.

So my view is that it's dangerous to think about privacy in the way that business and economics thinks about privacy. Privacy is a fundamental right, being in business is not. If a company can't afford to protect privacy then it can't afford to be in business.

Bahh • December 12, 2014 3:28 PM

Maybe next time around employees will start using S/MIME or OpenPGP/PGP to encrypt their stuff on e-mails.

Maybe everyone having their own computer is better and more secure... because diversity makes it a lot more difficult to jump around the whole network! Yes, people will get infected for sure! But if IT people start giving people training and everyone uses different operating systems and security programs, an all-in-one attack will be close to impossible. At least it will make infecting everything close to impossible!

There are for sure other approaches (like white lists and so on), but with so many successful attacks in every single company, it's hard to imagine that there is a one solution wins it all.

Wael • December 12, 2014 4:30 PM

@Clive Robinson,

The part of the joke that's wrong is "I'll just jump it off", when the altimeter gets to 1000 meters thy jump ship with their golden parachute and let the other rats take the fall...
Pretty clever. Nothing wrong with my joke -- yours is a different variation, that's all :) They get the parachute because they know at some point someone will push them off the plane (likely during the REM phase of their sleep.)

Wael • December 12, 2014 5:45 PM

@Daniel,

The fundamental problem with this line drawing exercise is that it is very easy to skew the criteria so that it produces a predetermined conclusion...
Nothing wrong at all with that exercise! Isn’t this how politicians utilize statisticians? Oh, and the mandatory "smiley" so you don't think (god forbid) I "disagree" with you. :)

J.R. • December 12, 2014 5:56 PM

The SONY executive said he couldn't justify the expenditure of $10M to save $1M. Wow.

According to the engadget link, three unreleased films were taken and high quality copies released onto the net. Their total value is assessed as less than $10M? Bet they sue for more damages than that if they identify downloaders. What are the fines for downloading single songs?!

According to the same engadget story, the PSN breach cost > $171M and they just settled a related lawsuit for $15M.

Don't corporate accountants factor in something called "goodwill" in assessing corporate worth? One wonders how they will evaluate the goodwill they just frittered away on their next tax statement or shareholder communique? What about the possible/probable damage to those whose social security numbers just got released? To say nothing of everyone who got dissed in corporate emails...

SONY's f* everybody but us attitude is why I don't want anything to do with any SONY product. Wouldn't touch any SONY stock with a 10 meter pole.

Nick P • December 12, 2014 6:38 PM

@ J.R.

The more retarded thing about that statement: how the hell do you spend $10 million securing a database? Trusted Rubix, a XTS-400 guard, medium assurance application servers with security baked in... all cost around a few hundred grand to $1mil for enterprise workload. Homebrew with something like OpenBSD or SELinux can do it for just the hardware cost (tens of thousands). The guy really sucks at ITSEC procurement or INFOSEC in general if he needed $10 mil to secure a database. I'd love to see what he spent on the firewall or users' computers.

Note: Or he's so good at INFOSEC that he got an estimate for an EAL6+ DBMS and properly considered anything less insecure. Jury is still out but I'm guessing he's an overspending manager with no knowledge of real INFOSEC and probably has never heard of a guard.

Steve • December 12, 2014 6:51 PM

Bottom line: Never put anything in an email (or anywhere else on a computer) that you wouldn't want to see on the front page of the National Enquirer. That goes double for work.

bkd69 • December 13, 2014 12:30 AM

What I'm wondering is, what's taking so long to get reportage on Sony's Legislative/Lobbying/Public Interest activities?

So far The Verge is the only outlet reporting on that front, on the basis that entertainment products, and business dealings, and the bricolage of employees' daily workdays are all, ultimately, newsless.

http://www.theverge.com/2014/12/12/7384871/why-were-reporting-on-sony-leak-hack-ethics-mpaa

http://www.theverge.com/2014/12/12/7382287/project-goliath

Tõnis • December 13, 2014 10:51 AM

Has anyone suspected the NSA? Perhaps Sony pissed off the NSA (or mattered least to it) and it was deemed time to send a message to all big corporations: you're all vulnerable, so don't cross us!

Nick P • December 13, 2014 10:59 AM

@ Tonis

They're buddies so no I wouldn't suspect anything. The only time I'd suspect NSA involvement with Sony is if Sony's copyright detection and takedown rate went through the roof in all parts of the U.S. Something Sony couldn't do on their own.

Nick P • December 13, 2014 11:08 AM

@ Bruce

Found a gem for you in the Hacker News comments: ”documents leaked after the recent attack show the company had just 11 people assigned to its information security team: ‘Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president.’”

Eight management personnel observing three technicians protecting tens of millions in assets. Was I.S. dept intended to protect the assets or provide new opportunities to enrich management? Hmm.

Wayne Lonstein • December 13, 2014 5:04 PM

Hopefully, one of the lessons learned is that which is taught by Bruce:

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

I firmly believe all the money in the world won't stop the next hacker, it may only slow them down. What this incident demonstrates is a total lack of preparedness and response plans on the part of Sony.

Lesson learned.

Steve • December 14, 2014 8:49 AM

@Wayne Lonstein:

I think that epigram could just as well read "If you think technology can solve any of your problems, then you don't understand the problems and you don't understand technology."

uh, Mike • December 15, 2014 1:11 AM

I keep recalling the "Compressible Security" option in Exchange.

Good security will protect us from even the NSA. Bad security is a time bomb if you're a big target.

fajensen • December 15, 2014 6:06 AM

@Clive Robinson:
... and a lot less fraud committed.
The modern economy is based on fraud all the way through leveraging GAAP-rules to "make the numbers" to the more exotic "Level 3 Assets in the OTC market"; fraud is simply a much more efficient business model than the tedious "providing goods and services satisfying customer needs"!

Since fraud is virtually unprovable and the last people punished were from ENRON, fraud is out-competing all other forms of economic activity.

Charles Nicholls • December 15, 2014 4:27 PM

Well, got a few tee shirts in this area, so here's my 0.02. As I'm sure will ring familiar with anyone who's had much to do with corporate IT, security costs money and IT is already the bastard child; and companies by-and-large don't like to spend money on IT, especially something as nebulous as mitigating potential security risks sometime in the future. Is it right? —no. Is it being penny-wise and pound-foolish? -yes.

In any case a lot of the time executives, the group whose data is the most attractive and potentially valuable, don't like to be inconvenienced by the protocols involved in locking down. They like the fact that their password is simple to remember and only 5 letters. After all, what's the risk, they've been using the same password for years. Everywhere. And 2-factor? That's far too intrusive on work flow. Let the peons have to do things like that—if the company really has to blow money on this sort of thing, but they don't have the time to waste. And I'll bet there's more than a few companies with no Disaster Preparedness plan, let alone disaster recovery provisions whatsoever (pesky costs again).

Let's face it: this should never have happened. Heads should roll.

Eric • December 15, 2014 10:57 PM

@fajensen

How do you prove fraud when laws/rules are changed to suit its legality? You can't ever. There are only a few industries that enjoy self regulation.

Nile • December 17, 2014 12:00 PM

I may have said this in the Friday Squid-fishing forum, but actually it's a better fit here... Apologies for the double posting.

The most damaging information that could possibly be extracted from a corporate entity isn't personal data, or unreleased movies, or embarrassing nondisclosure agreements from the legal department. It isn't even critical IP like source code.

It's financial information that allows the compilation of 'country-by-country' tax accounts.

Here's why: the majority of US corporations play a 'shell game' with their profits, trading across borders into whatever offshore jurisdiction offers low or zero tax. As there isn't any obligation to break out the actual country-by-country profitability and the underlying logic of cross-border transfer pricing - let alone reveal the details of 'financing agreements' that pay excessive interest to 'bondholders' that are actually wholly-owned subsidiaries in an offshore tax haven - the companies who do it get away with it.

That wouldn't work if (say) the German tax authorities had all the information they required to reconstruct the underlying profitability of Sony's operations inside Germany, and the beneficiaries of all the payments sent offshore.

This is why 'tax justice' and anti money-laundering campaigners are promoting country-by-country reporting.

A multinational corporation the size of Sony generates hundreds of millions of Euros of operating profits inside Germany; I doubt that they pay tens or even single-digit millions in taxes there.

You can say the same for Microsoft, and Amazon, and Google, and Apple, and probably the major banks.

The American authorities won't take action based on stolen (and therefore inadmissible) information; the United Kingdom and other jurisdictions who seek to profit from tax evasion and money-laundering won't bother; but Germany and other governments in Europe can and will pay serious money for information that allows them to recover unpaid taxes.

Childish and vindictive 'black hats' damage little people by exposing their bank details and medical records: it's futile and fully deserves to be called evil.

I'll believe that there's a serious agenda, and a serious will to hit them where it hurts, when they dig out the financial data and make a corporation pay the tax they actually owe on the profits that they actually make.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.