Lessons from the Sony Hack

Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment's computer systems and began revealing many of the Hollywood studio's best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama's presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of "The Interview," a satire targeting that country's dictator, after the hackers made some ridiculous threats about terrorist violence.

Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company (though it is still amazing that Sony made it so easy).

To understand any given episode of hacking, you need to understand who your adversary is. I've spent decades dealing with Internet hackers (as I do now at my current firm), and I've learned to separate opportunistic attacks from targeted ones.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus -- people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.

High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered "zero-day" vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you've heard about in the past year or so.

But even scarier are the high-skill, high-focus attacks -- the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using such spying tools as Regin and Flame, which many in the IT world suspect were created by the U.S.; Turla, a piece of malware that many blame on the Russian government; and a huge snooping effort called GhostNet, which spied on the Dalai Lama and Asian governments, leading many of my colleagues to blame China. (We're mostly guessing about the origins of these attacks; governments refuse to comment on such issues.) China has also been accused of trying to hack into the New York Times in 2010, and in May, Attorney General Eric Holder announced the indictment of five Chinese military officials for cyberattacks against U.S. corporations.

This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple's iCloud and posted them. If you've heard the IT-security buzz phrase "advanced persistent threat," this is it.

There is a key difference among these kinds of hacking. In the first two categories, the attacker is an opportunist. The hackers who penetrated Home Depot's networks didn't seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do.

But a skilled, determined attacker wants to attack a specific victim. The reasons may be political: to hurt a government or leader enmeshed in a geopolitical battle. Or ethical: to punish an industry that the hacker abhors, like big oil or big pharma. Or maybe the victim is just a company that hackers love to hate. (Sony falls into this category: It has been infuriating hackers since 2005, when the company put malicious software on its CDs in a failed attempt to prevent copying.)

Low-focus attacks are easier to defend against: If Home Depot's systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company's security is superior to the attacker's skills, not just to the security measures of other companies. Often, it isn't. We're much better at such relative security than we are at absolute security.

That is why security experts aren't surprised by the Sony story. We know people who do penetration testing for a living -- real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker -- and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren't sufficiently skilled, good security may protect you completely.

It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won't end up posted online somewhere, but Sony clearly failed here. Its security turned out to be subpar. It didn't have to leave so much information exposed. And it didn't have to be so slow to detect the breach, giving the attackers free rein to wander about and take so much stuff.

For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

The time to start is before the attack hits: Sony would have fared much better if its executives simply hadn't made racist jokes about Mr. Obama or insulted its stars -- or if their response systems had been agile enough to kick the hackers out before they grabbed everything.

My second piece of advice is for individuals. The worst invasion of privacy from the Sony hack didn't happen to the executives or the stars; it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.

This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.

So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn't something markets can fix.

This essay previously appeared on the Wall Street Journal CIO Journal.

EDITED TO ADD (12/21): Slashdot thread.

EDITED TO ADD (1/14): Sony has had more than 50 security breaches in the past fifteen years.

Posted on December 19, 2014 at 12:44 PM • 86 Comments


John Navas • December 19, 2014 1:10 PM

Shame on you, Bruce. This was a cyber-attack, not a "hack". You of all people should know the difference. That the media often misuse the term "hack" doesn't make it right.

David Penfold • December 19, 2014 1:25 PM

"This was a cyber-attack, not a 'hack'."

If penetration tests are part of ethical hacking, I guess targeted attacks can be considered hacking too. I'm not sure the distinction is as defined as you say.

Chris Gomez • December 19, 2014 1:56 PM

I have no problem believing this attack was sophisticated and targeted. Some entity was determined and they wanted it bad. But since it doesn't really require a government level of funding or expertise to be determined, I am going to remain skeptical that this should be referred to as an act of war or some mastery of cyberwarfare by a government. There are plenty of actors who have the expertise and just need the determination, and they would be able to accomplish this kind of attack on most corporations. Corporations have a hard time understanding the problems or the risks, and have a hard time understanding that they don't need to ascertain they are a target. They are a target.

As more information becomes available, I would expect Mr. Schneier to caution the media and the world to take an "evil bogeyman" approach that would lead people to believe they are safe because they wouldn't rile some nation to attack them. There will be plenty of attacks by curious and reckless teenagers in their homes.

John Cem • December 19, 2014 2:00 PM

The highly biased media would have more credibility if they didn't pretend that any joke being made about Obama is automatically racist, or any criticism against a woman is automatically feminist, because behind this dishonest tactic lies the aim to censor legit criticism. In the long run, this only makes the problem much worse as it doesn't get corrected, and makes opponents take more extreme positions.

Then again, we're talking here about corrupt and self-righteous people wondering why they got attacked by hackers.

Bob S. • December 19, 2014 2:05 PM

I find it difficult to give Sony much sympathy, a multi-national company, based in Japan, that gave us the corporate rootkit in 2005 over a bunch of songs.


Yet, the President is preparing a "proportionate" response as if .gov itself was the target. But, it wasn't. If this is "cyberwar" apparently we are all for it because we are ready to join the fight even though we weren't the target. Seems to me, this is Japan's fight.

Oh well, any war is a good war for the USA military-corporate megalith.

Also, American feigned outrage doesn't work on the rest of the world I'm sure, because our NSA has done and continues to do the same or worse daily.

I see the internet, the "good" internet we all knew for a while, self-destructing before our very eyes. I would not be surprised if people speak of the net in the past tense in a very few short years.

How many of you listen to AM radio anymore? Why?

Timm Murray • December 19, 2014 2:09 PM

I'm guessing that whatever upgrades they made in response to the PlayStation attacks were focused on that particular division. All large companies have a great deal of internal segmentation, and Sony has long been a particularly notable example.

Janet Merner • December 19, 2014 2:25 PM

I have never seen a computer system that has no vulnerabilities. Software is written by humans; computers and electronics are designed by humans. Humans make mistakes; even if the system was designed by a computer and software, a human designed the original system.

Mistakes are how computer black hats are able to get in. If a computer is attached to a public network it is vulnerable. The only way to protect a system is to have one point of access and use a combination of Intrusion Detection Systems and a human operator babysitting the system.

Even then someone could still get in.

Toby • December 19, 2014 2:25 PM

As far as the Sony example is concerned, this doesn't sound right: "We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on."

For this we do have a choice and a good one: Don't use your company network for private communications. That's what smartphones are for. Of course those accounts are vulnerable, too, but much less likely to be the target of a focused attack.

MarketsCantFix • December 19, 2014 2:28 PM

To suggest that markets cannot fix this issue is ludicrous. Information is not property and therefore the usual approach to "theft" does not work - only cryptography works and you know it. The fact is that governments are making the market not work by inventing things like "cyber-crime" and "cyber-fraud". If companies had to fend for themselves and not rely on the government to make it all go away then maybe they find that suddenly real security makes sense.

JCC • December 19, 2014 2:29 PM

With Sony in particular, it's important to remember that Sony itself is a huge mega-conglomerate, with diverse systems and security policies, corporate IT management, and so forth. Sony Pictures has little to do with Sony Music, except name and the fact that employees might get discounts on CDs. SOE and the PlayStation Network were more connected, by virtue of the fact that SOE used to *run* the PlayStation Network before there was a divestiture into a separate unit.

Still, the lessons for the internet are:

1) stop blaming "Sony" generally for what one music unit did 10 years ago
2) SMSS/SNEI and SOE have learned quite a few lessons from the PSN incident; but customer billing data (PCI) and HR / corporate email are very different, even within the same company
3) Sony Pictures was not prepared for this kind of advanced threat (obviously) -- I'm not sure any of the studios would have been
4) A major company with thousands of employees' personal/intimate lives at stake (a major internal factor, believe me) is effectively being extorted by a thinly-veiled operation of a major foreign power.

WRT #4, the "hack" is just the method. Cyber-extortion or blackmail might be one way of categorizing it, but with the more recent threat of violence (and given the scale of the impact -- this isn't a single person being attacked here), I see no reason not to refer to it as cyber-terrorism. Cyber-terrorism doesn't have to mean it's a shut-down-the-infrastructure style of attack.

/former SOE employee

Roger A. Grimes • December 19, 2014 2:29 PM

Let's not get hung up on technical terms. Hack is pretty inclusive. Calling the cyber maliciousness done to Sony part of a hack is technically true. Plus Bruce is writing to a general audience where hacking is more generally understood. We really don't know enough details to classify this attack as a particular type of attack. We don't even know if the original group, which asked for money and didn't mention the film issue, is even responsible for the later releases or what their original intent was. But we do know hacking was involved.

Green Squirrel • December 19, 2014 2:30 PM

Hmm. I like this article but I am still intrigued by the automatic acceptance of the idea that the Sony hack "had to be a nation state, therefore North Korea."

Look at all the published information: Sony's security was shockingly bad. It hovers around the type of systems you would expect to see about 15 years ago. Their patching appears to have been intermittent, with ineffective change control and nothing resembling incident detection or response tooling.

While this would have been SuperNinjaCIANSAGCHQ attack standards two decades ago, times have moved on.

Teenagers with Kali, Metasploit and a bit of spare time can walk through this sort of setup - and frequently do.

While it might be good damage limitation (and insurance compliance) for Sony to keep crying that the hackers had god-like abilities and could never have been stopped, I really don't believe it based on anything I've seen published around this.

However, if Sony was subjected to high skill attackers then they really need to do the rest of the world a favour and explain how they got so comprehensively pwned so everyone else can learn from their pain.

But, as I said, I haven't seen this yet.

ned_flanders • December 19, 2014 2:30 PM

C'mon Bruce, we have many options outside Google and Apple services. Get a static IP address, NAT/FW with pfSense and then your personal stuff stays a little more personal.

I run services for extended family and myself on an eeebox and it's never busy enough to warrant going to more powerful hardware. The firewall actually consumes more power than the eeebox.

Separately, you'll notice we haven't heard a single word about Sony's IT vendors and all of their 'secure' enterprise software. Lots of Big-IT people reviewing their contracts and running for cover!

ned_flanders • December 19, 2014 2:49 PM

Give me a break JCC.

Even if we were to believe Sony's wacky story blaming North Korea, their infrastructure was a joke to the point it takes days to move terabytes of data and apparently no one had any awareness at all.

The "Please! Think of the innocent employees!" routine is a fail. Entertainment is a distribution/copyright cartel and the high school antics exposed by the hack prove it. Sony is already on the litigation offensive again.

Are there some innocent employees? Sure. Lots. But the corporation's officers/C-level folks have earned everything that has happened to the Corp.

Anura • December 19, 2014 2:53 PM

@Green Squirrel

The situation appears to be that the attackers have blackmailed Sony Pictures into cancelling "The Interview" - there is no other reason why the attackers would have cared about that film had it not been because it depicted the death of Kim Jong-un. It was either one of two things: North Korea, or people pretending to be from North Korea.

Bruce L. • December 19, 2014 2:56 PM

"...We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on..."

"...And we have little choice but to use cloud services such as iCloud and Google Docs..."

Bruce, I beg to differ. You might have done better to qualify both statements with 'For those not running their own servers.' After all, such concerns are a big part of the reason we have things like ownCloud, phpBB and others.

I'd never try to claim that self-hosting (essentially, you run all your own servers and become your own ISP) is a cure-all for this (or any other) type of security woe. It requires considerable knowledge of computers, networking and non-Windows OSes to properly implement. It also requires (usually) a business-class connection, with static IPs, from your upstream provider.

However, I will say I feel a lot better knowing I have 'root' in terms of what's running on my mail server, what's going out of my web server and what my DNS boxes are doing.

And no, I've chosen not to do Facebook, Twitter or any other kind of social networking. I want to hang on to whatever bits of privacy I can still manage, thank you (and I don't give a flying overripe banana what Larry Page thinks).

Keep the peace(es).

bitstrong • December 19, 2014 2:59 PM

And don't forget the opportunistic "experts" who always know AFTER the attack that security was subpar. Given the benefit of others' analysis, sitting in my little office, I can declare after the fact there was something, anything, that could have been done better. Then I look like a genius and everyone but me is an idiot. That's journalism.
As far as I'm concerned, if you can't exactly predict an attack then you don't know anything.

ned_flanders • December 19, 2014 3:06 PM

Bruce L,

Running your own services doesn't require a business class network connection. I do just fine with 256k up/1.5 down. To be clear, I'm hosting email, owncloud, some ssh and some personal http stuff. No, I can't stream movies from my house, but that's not my expectation.

Keep in mind an eeebox is doing all of the server stuff, and there's plenty of resource overhead for 6 users.

Anura • December 19, 2014 3:14 PM

Storing passwords in plaintext is an egregious violation of everything we have known for decades. This is a lesson that has been learned and relearned so many times that there is no excuse. As someone who has worked in IT, my experience is that it's easy to find weaknesses in security, but it's difficult to get the resources dedicated to fixing them. Being secure costs more, and most companies do not put a high priority on security.

MarkH • December 19, 2014 3:15 PM

For me, the big take-home message is on economics.

Famously, organizations are usually reluctant to spend money on security; the return on investment is impossible to quantify with any accuracy. If the vault door were 40% thinner, how many more dollars would the bank lose in the next ten years?

Now, private industry has had its infosec counterpart to a nuclear power plant core meltdown.

Probably, Sony is losing something on the order of 100 million USD on "The Interview".

Considering the damage to prospective and in-process projects consequent to the disclosure of internal information (what in my kind of business would be called trade secrets), the associated financial losses might be in the tens of millions, or even hundreds of millions.

Now that Sony has set the horrible precedent of pulling its movie in reaction to a vague anonymous threat of violence, the movie industry in general will be looking over its shoulder and vetting all sorts of projects for years to come.

I invite you to take a few minutes, to consider how many recent US movies might plausibly be interpreted as offensive to:

• North Korea
• Islamist movement in general
• Iran
• [insert favorite "scary" ethnicity here]
• Russian Federation
• Christian religious extremists
• Islam in general
• white supremacist movements or parties
• other far-right extremist groups
• People's Republic of China

However we might assess the probability that any of these "offended" entities would use the threat of terrorism as a tool of censorship (semi-deniably, like the Sony attack) ...

... the decision makers in the entertainment industry would probably judge that at least some of them have a realistic potential to carry out actual violence.

I can't imagine any way to calculate the economic (and much more importantly, cultural) cost of terror-induced self-censorship. But I think it likely to be enormous.

So now, when decisions must be made about "how much to spend on security?" ... we have a large-loss example to use as a benchmark.

Riley • December 19, 2014 3:17 PM

Bruce - excellent piece, and I couldn't agree more that Sony made it too easy, which shouldn't be the case after 3 other major breaches suffered in the last 4 years.

We learned a lot from the Target breach, they were upfront & took responsibility (although crucified by the media, to the point that no other company will take that path now). Target vowed to make the changes to combat a repeat occurrence - and they didn't take any shortcuts on this path, with removing a number of Leaders, adding the CISO & many other talented experts and allocating a very significant budget across the board for cyber security, privacy, and information protection. Sony seems to be more focused on being offensive, deflecting the attention...and waiting for breach #5.

MarkH • December 19, 2014 3:31 PM

@bitstrong, who wrote "if you can't exactly predict an attack then you don't know anything."

Let me explain why this shows a fundamental misunderstanding of security.

In order to "exactly predict an attack," it is necessary to know every potential attacker, and the capabilities, intentions and detailed plans of each potential attacker. In general, it is infeasible to acquire such complete knowledge.

If the staff of an armored car company (valuables transport firm) habitually leaves its vehicles unattended at insecure locations while loaded with cash, I can predict that its losses are likely to be greater than an armored car company that adheres to standard security protocols. This is not an exact prediction of attack, but it is security knowledge: sound and useful in practice.

To give an example from history, the Army and Navy commanders at Pearl Harbor in December 1941 didn't know the specific intentions, plans and dispositions of Japan's Navy. However, they did know that British carrier-launched planes had devastated Italy's Navy at anchor at the Taranto naval base a little more than a year previous. Historians have long suggested that these US commanders could have taken better precautions against attack from the air, based on this knowledge ... without exact prediction of an attack.

It isn't necessary to know everything, in order to know something.

AlanS • December 19, 2014 3:44 PM

"For me, the big take-home message is on economics."


"Being secure costs more, and most companies do not put a high priority on security."

Agreed. I took that to be one of the points of the author in the first link I posted above, that discusses the drawbacks of Sony making their new CISO (back in 2011) subservient to the CIO.

Anura • December 19, 2014 3:50 PM

A little anecdote about how seriously some places take security:

A company I was with a couple of years back was doing a webex with the CTO (IIRC) of a company that was doing a presentation on their software. Several times during the presentation, the CTO switched to an Excel spreadsheet that listed all of their logins and passwords for various internal and external websites and services. If one shady person was on our team, they could have taken a screenshot and done serious damage with it.

Many companies just don't take security seriously, and it's a scary and depressing state of affairs. This would have been solved by something as low cost and simple as a utility like Password Safe or KeePass.

Gweihir • December 19, 2014 4:15 PM

Hi Bruce,

how do you know these were "high-skill" attackers? To me it seems that grabbing terabytes of data is something strictly reserved for medium-to-low skilled attackers, as the risks of detection are very high. With the reputedly abysmal state of IT security at Sony, even lower-skilled people who would blunder about by grabbing everything they can get their hands on would have a good chance of success. Maybe your journalist background ran away with you there and this is an over-dramatization?

Unless this was indeed NC, I am not even sure this was very targeted. Got any details that show this? It would not be the first time that medium-skilled non-targeted attackers made off with the crown jewels of some company that really messed up its IT security and then later made it appear as if they were really kings of the net. Remember Lulzsec? They attacked a bunch of companies, would fail in most cases and get in in some. Then they claimed they did targeted attacks against exactly those where they had been successful. This is just a plain-old, well-known self-aggrandizement strategy.

As to the claims by the FBI, my take would be that the FBI is clueless and helpless and is trying to project an aura of competence and skill by selecting the one thing everybody is thinking and which has the added benefit that NC is not going to be able to do a credible refutation. Of course, now they have to make sure they do not catch the actual perpetrators, unless they can be sure this was indeed NC behind it or at least they can "parallel-construct" a credible connection.

Whit • December 19, 2014 4:38 PM

The skill level of the hackers is known because they left their toolkit behind. An extensive analysis of its methods, capabilities and signatures has been released. One would expect Bruce has been looking through that toolkit well before the public release of the analysis.

Godel • December 19, 2014 4:51 PM

@Anura " there is no other reason why the attackers would have cared about that film had it not been because it depicted the death of Kim Jong-un. It was either one of two things: North Korea, or people pretending to be from North Korea."

Those two categories could encompass everyone on the planet. The initial demands from the hackers were all about money. Nothing about the movie or anything political was mentioned until after it all blew up.

To me it looks like Anonymous-style Hacktivists coupled with a breathtaking bunch of incompetents and surrender monkeys at Sony Pictures.

Chris S • December 19, 2014 5:14 PM

@Whit - my reading is that the toolkit left behind was just some framework and the wiper that clobbered desktops and servers. This was apparently well-targeted malware, demonstrating good knowledge of the network.

It is much less clear how the initial intrusion happened, how the attackers gathered their network knowledge, or how that many terabytes of data headed out of a network without the network owners realizing something was going on. That alone allows at least some inference of skill level.

tom sawyer • December 19, 2014 5:19 PM

To respond to John Navas' comment, you are over the top for splitting atoms when saying hack and cyber attack should be used in the correct description. What exactly occurred? They gained unauthorized access to the network and made off with data. Does it really matter if a script kiddie, skilled hacker or criminal organization got the data and caused the public embarrassment? I don't know too many C-level who care who did it or if they came in with a 0-day exploit WHEN IT FIRST HAPPENS. This is still new, changes will come and at that point they want more details so the problem does not occur again. Criticizing anyone for using hack as opposed to cyber attack is completely unnecessary. The end of the book does not change: they got data they should not have and caused public embarrassment.

Bruce, the post was very insightful and gave details on the incident. The organization I am responsible for protecting I'm sure will have some questions; I will be referring back to this to back up my points.

Robert T Eachus • December 19, 2014 5:33 PM

I have to strongly disagree with any concept that the response should be left up only to Sony & Japan. There are a few factors that require a United States Government response. First, the servers were located in the US. Second, the acts were done with blatant disregard for the safety, health and privacy of American citizens. Third, the terrorist threats referencing 9/11 type attacks. Fourth, the US government is responsible for providing economic protection of the US economy. Fifth, a blatant disregard for US and international law. Sixth, it was a foreign government behind the attacks. A lack of a strong response would invite future attacks of the same style. I say cruise missiles... and investigate Sony for possible charges. You didn't think I was a Sony fan did you? I just like being American, free... and protected from terrorist attacks (threats).

Anura • December 19, 2014 5:41 PM

Feel free to educate us, otherwise you are not really contributing anything to the discussion.

jaycee331 • December 19, 2014 6:06 PM

Excellent article. Except two statements that are troubling me. In my mind they encourage this popular defeatist attitude that the cloud is here and we can't avoid it. This simply isn't true.

"We have no choice but to entrust companies with our intimate conversations: on email, on Facebook"
Of course we do. Don't use Facebook. I don't and never will. Email? A local POP3 client is far safer than a webmail service because POP3 doesn't leave mail on the server once it's collected. OK, it's vulnerable whilst passing through, but that's a world apart from keeping years of email history in a webmail account.

"And we have little choice but to use cloud services such as iCloud and Google Docs"
Why is this little choice? I don't use either.

In fact I go to great lengths to avoid anything cloudy like the plague, because I have no reason to trust a free unwarranted service. Seems everyone is trying to give me free cloud storage nowadays. My ISP, Symantec, Microsoft Onedrive, man even the latest Cyberlink PowerDVD, Google Drive, Dropbox. It's getting ridiculous. My data would be spread all over the planet if I was stupid enough to use half of these things. BUT THERE IS ALWAYS A CHOICE NOT TO. The more this is widely understood the better IMHO.

Clive Robinson • December 19, 2014 6:33 PM

I suspect the people behind it are not state level attackers, plain and simple, and that the unspecified threats are more likely to be misdirection than North Korea. If it is state level it would be more likely to be a state other than N. Korea running a "red flag" op, from which South Korea, the US or possibly China would gain benefit.

My guess is there is a disgruntaled employee involved, possibly one who knows the internal system rather well, but may now be an outsider due to being laid off etc.

The releasing of the internal petty emails has little or nothing to do with "stopping the film" but every thing to do with revenge. Further an insider or recent insider would know that shifting the vast quantities of data would not trigger an alarm, something a real outsider would probably not know.

Oh and those that think Sony are going to lose money on not releasing the film, think again... Not only is it likely to be insured against as a risk, it's also tax deductable, and from what has been said about it the film is not realy time sensitive, so like the "clockwork orange" it could sit on the store room shelf for a while and eventually be released with much greater box office pull than it would have had. This "hack" is giving the film advertising that money alone could not buy...

As somebody above noted the FBI is the fly in the ointment, they have made or been a party to a number of realy ill advised comments that are not supportable based on what is now publicaly known. Thus the FBI may not catch the actual attackers for "political reasons" which leaves the film in limbo.

Thus I'm going to wait in a very relaxed way to see what happens.

Skeptical • December 19, 2014 6:47 PM

Very thoughtful essay.

It is worth noting that while this attack damaged Sony far more dramatically than might quieter cases of commercial espionage, those quieter cases constitute in sum damages many, many times what Sony suffered here.

But this case will likely invite a different type of US response because of two distinguishing features: (1) it attacked Sony to silence an act of expression, and (2) having made the attack in the cyber-domain, it then threatened further violence in the form of a physical attack.

Freedom of expression is at the core of America's civic religion. It is the most protected American freedom, and it intertwines with many other values, with many other traditions and ways of life, to in part constitute and define our national identity.

It is something, therefore, which is close to the heart of what American national security policy is meant to protect and defend. While this was an unusual attack upon a single company tied to a single movie, and not indicative of a serious threat to the core interests described above, it does nonetheless implicate and damage that interest, and a response must be undertaken.

How to respond in a way that advances US national security interests is a difficult question. The response should be proportional - the attack was not upon all speech, but upon a single company due to the nature of a particular movie - and ultimately Sony did not have to acquiesce to cancelling the film (I'm puzzled that they did so, given that the damage was already done). Likewise the response should not force the other side to escalate further.

With those considerations in mind, the US should adopt a two-pronged response.

First, to the extent it can do so without compromising sources or methods, it should pursue this as a criminal case, indicting those who played a role. The matter should be used to further develop a rule-governed US response to state-sponsored attacks on private entities, whether for the purpose of commercial espionage or for political intimidation.

Second, it should pursue a proportional, covert response. It should occur in a manner that will allow North Korea to keep the matter quiet, but enough news of the result should be leaked by the US to allow the rest of the world to surmise that the US undertook the response. The intention is to walk a fine line between the desire to avoid forcing North Korea to escalate and the need to signal to other nations, and to domestic companies, that the US will exact a price for any such attacks.

Buck • December 19, 2014 7:48 PM

@Bruce et al.

Has there ever actually been an idealistic assault against a pharmaceutical company, or is this simply a hypothetical example?

Doug • December 19, 2014 9:27 PM

Which villain do we put the tag on?
My guess is all of them.

@ Clive

I don't think Sony will make any money out of this either. Any large impact on Sony will also send a ripple effect through the entire Japanese financials. This is more like a state-sponsored assault on another nation.

Nick P • December 19, 2014 9:37 PM

@ Bruce

Great essay and analysis. I'm with others critiquing the 'no choice' part. Even lay people have many choices of services, products, or strategies to use with varying risk. That they might not have the qualification to evaluate them would be a legitimate issue. Plus the general insecurity of the market, especially so called IT Security market. You can reduce risk, though, with the simplest route using end-to-end protected tech (or text messages at the least) for conversations, sandboxing/HIPS on endpoints, disk encryption, air gapping, and so on. Definitely network monitoring by professionals if it's a business we're talking about.

I'm also glad you reiterated the point I often make that markets can't fix it. This should be reiterated by every TV figure in INFOSEC, with examples when challenged. The economics straight up cause the insecurity at the technical level. It would take another Computer Security Initiative with government subsidization of reusable core technologies and protocols that shift burden away from developers. Not there yet.

@ Sebastian

Great catch! Those people have plenty motive and opportunity. Yet, The Guardian reported some good evidence that the attackers were Korean and probably North Korean. Could be South Korean activists along the lines of Anonymous or North Korean state hackers. Insiders you mention might have even worked with them and wouldn't necessarily know they were dealing with North Korea.

@ Timm Murray

That's true that they are different divisions. However, every company with assets to protect should've been doing so by now. The reason being there's a new breach in the news about every... week? Month? Sony Pictures had money, secret arrangements, legal schemes, and I.P. in their possession. A simple question of "do we want this stuff in hackers' hands?" should've given all the motivation needed for a solid security practice. Instead, they had management to technicians at about 5 to 3 at one point. Another time (per Sebastian's link) they cut out about their whole IT function to squeeze more profit out of their operation ($200-300 mil).

That they wouldn't spend even $500k a year to protect hundreds of millions says what we need to know about their risk management tradeoffs. Or lack thereof.

@ Green Squirrel

Exactly. Another Sony group, PSN, was running a massive online service with no firewalls and hadn't patched for six months. They just don't care. That's why the damage was so severe compared to others.

@ bitstrong

"And don't forget the opportunistic "experts" who always know AFTER the attack that security was subpar."

And don't forget the quarter earnings-driven executives who ignore advice of security experts over and over leading up to the breaches. And lay off their IT people for the same reason. And get breached massively.

@ Buck

"Has there ever actually been an idealistic assault against a pharmaceutical company, or is this simply a hypothetical example?"

Among others, Kevin Trudeau's Natural Cures social engineering attack against their customer base and revenue stream? ;)

I'm not sure of ideological. The most serious attack I've heard of was the infiltration of the warehouses at several cities with alarms bypassed and millions of dollars in lost merchandise. Maybe ten times that much but I don't have the link anymore.

Em • December 19, 2014 10:38 PM

Firstly, film companies have long histories of being threatened with attack due to unpleasant films, but to my knowledge they have never pulled a film due to this ongoing reality. Secondly, to pull a film can only do horrendous damage to the already tarnished brand, not the smartest "publicity stunt" as some would believe. So why "pull" this film over a data breach - big companies are and will be frequently attacked?? It can only encourage more attacks. Well, here's my latest conspiracy theory. This whole thing is a smokescreen. In reality when the robbers got the loot, they got lucky. Emails detailing the relationship between Sony and government agencies, and how their technology, most likely the Xbox is being (mis)used in collusion with these agencies. It sounds like Sony execs are stupid enough to leave paper trails. A massive media distraction like this locks down the discussion to a freedom of speech issue. From a fiscal perspective it's better for Sony to be humiliated as cowards than be confirmed as another branch of the NSA. Now if Wikileaks gets their hands on the emails first, the government can say they were fabricated by NK, and of course NK must be guilty because of the movie, right? I doubt this breach was US based though. The chances of any extant domestic radicals being able to do any real damage is a thing of the past. IMO Anonymous are ancient history and currently being operated by the FBI as a way to press-gang would be hackers into a nice little government salary. This is either coming from Eastern European, African or Middle Eastern entrepreneurs. The BRIC coalition may be funding them to some degree, but if they're smart they're keeping them at arms length and just paying for the intel. Putin seems particularly smug this week, given the recent destabilization of his currency (the gift of Soros past no doubt) now seems abated. 
We'll see what that other coded Greek gift to Putin, this time from Cameron, means in the near future perhaps - unless it was a Trojan Horse of course, of course. Wonder if he'll regift it to Cuba. It's all obviously been enough to freak out the Sauds, who traditionally blame Iran for everything, but that tribe has never understood archeology or geology for that matter. Oh what a tangled web.

Figureitout • December 19, 2014 11:38 PM

Bruce RE: "no choice but to use cloud services and facebook"
--Like jaycee331 has said and many others will too, that's bull. One still "has" to use them but can separate the comms they really care about from the comms they don't care about as much. If no one in the communication is willing to bring up the "awkward moment" of suggesting they move to more secure comms, then it's on par with unsafe sex. Conversing w/ "sluts" that don't take precautions puts you at risk, not to mention the "STDs" they bring w/ them, i.e. the malware in their computer. And again this goes back to basic OPSEC and a mindset of physically separating data streams, and even personalities... I'll keep repeating that some basic OPSEC by a lot of people could go a real long way to making malware work harder: wiping disks, reflashing firmware, swapping computers and using unconventional comms that work. In a sense people need to have multiple roles that are ready to overtake and undertake actions of "digital mitosis" (importantly, offline and using stone-stepped measures to build new media to continue bouncing around).

As always, the choice is theirs. And "securing the network" has become so out of control and untrustworthy you almost have to assume every file has a malware and operate that risk out if you want confidential comms.

Nick P
glad you reiterated the point I often make that markets can't fix it
--Yeah except the market hasn't had a fair shot as the gov't intrudes in it way too much. How many people and existing and nonexisting businesses has the gov't destroyed (even when essentially working for their benefit developing secure tech). Not to mention that the market for secure tech still isn't there so businesses don't push for it. Blaming that on businesses being cheap is bull b/c customers still aren't demanding it; gov't is doing the same thing using contractors on the cheap and even going COTS and pushing all this money to China, it's the same idiots at the top making these decisions, not small/medium size business owners. What we need is gov't and all the lazy legalistic attackers and analysts to go do something productive and use their own brain besides merely watching people's porno habits and stealing others' work.

Note I'm not one of those guys that says markets can do no evil, nor that an unregulated market is where we need to go. Never, in fact it can be argued there has almost always never been a truly "free market", there's always been either a gov't or mafia shaking people down for taxes and telling what we can and cannot sell.

I also say that I worry a lot about where I'm working at now, given we've had physical attacks (the contractors get a key to the building and get to "really know the place" well..), suspected malware, worse which I won't talk about, and even a lightning strike recently. An attack revealing coworkers email gossip wouldn't matter but attacking certain computers would hurt the business severely. As a newbie dev I feel out of my place trying to enforce some basic OPSEC in development and removing wifi and making sure people keep their internet PC's and dev PC's physically isolated at least. It's probably going to take a disaster until that changes though.

But bringing in the same gov't that exists now, w/ all its abuses made public and those we can only imagine exist yet they "took care of the victim", the same people, and expecting them to push secure tech. people can trust is laughable in its own right.

Open source by small groups and individuals linked by common goals and the internet, scattered all over the world, w/ its imperfections, is the main hope I hold onto. And in some respects, it's working...

Target Em • December 20, 2014 2:09 AM

@ Em

Great post.

"So why "pull" this film over a data breach - big companies are and will be frequently attacked?? It can only encourage more attacks."

Weeks ago if anybody told me this film was going to make north of $100M, I'd say they were smoking something hot. Putting out something funny about NK's top man is also not high on the priority list of Sony's top brass. Why risk losing good money after bad? Pulling the film was a no-brainer.

Brian Bartlett • December 20, 2014 2:38 AM

The evidence that the FBI is citing is of known quality, and by this I mean that since these were used in prior attacks, it does not necessarily mean that the North Koreans are the ones using them now. While my skills are rather rusty, one of the things that anyone that works either side of the cyber-security world would want is prior art. I wouldn't be surprised if there were trading of these tools; it's just good sense no matter who you are or where you practice.

Roger A. Grimes covered the other observation that I had which is that it need not be one coherent group acting here. The long term APT "hack" could have been performed by the initial team which also exfiltrated terabytes of information which was followed later on by some hacktivists who may or may not have been armed by the initial group. This would have the advantage of masking, if not obliterating, the evidence of the first group.

Ole • December 20, 2014 2:40 AM

"And "securing the network" has become so out of control and untrustworthy you almost have to assume every file has a malware and operate that risk out if you want confidential comms."

Internet was never designed to ensure complete privacy and security. It was designed to be open and resilient, without anonymity.

Prinz Wilhelm Gotha Saxe Coburg • December 20, 2014 3:37 AM

I got a shock reading the Slashdot post relating to this: for a moment I thought it read "Hackers Used Navy "SMB Worm" Attack Against Sony".

Which kinda raised a question that's been hovering (hoovering?) around my mind for the last few days: What is the possibility that some of the tools used in the attack were actually TLA-sourced? I mean, we know some things about the NSA, for example: that they have actively developed network penetration tools and equally actively, bought them Off-The-Shelf; we know they have also actively worked to compromise network security; we know their OpSec is what Rube Goldberg and Heath Robinson's love-child would look like.

The likelihood that other TLAs' network penetration tools have likewise wound up in third-party hands? Extremely likely.

I also smell an Ems Telegram in the US govt's facile assumption of North Korean guilt without proof or argument. I am NOT in favour of Star Chamber verdicts, let alone Star Chambers. We know what the Star Chamber verdict against Iraq led to: I think we know what the current Star Chamber verdict against North Korea is likely to lead to.

Ivo • December 20, 2014 5:03 AM

One thing I don't understand in this context is how it was possible to download umpteen TB of data, and that unseen?
Even over very fast lines, this needs a lot of time in my opinion.
On my computers I look at the network monitors, and the few viruses that I've found in the last 15 years I found through observation of the network monitor, because I noticed strange downloads/uploads.
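
A worked example of the outbound-volume check Ivo describes (and of the alarm Clive Robinson suggests an insider would know how to avoid), added here by the editor; it is not part of the blog post or of any comment. It sums each host's daily outbound bytes from flow summaries and flags a day that is far above that host's own median of earlier days. The flow records, host names, dates, byte counts and threshold values are all constructed for the example.

```python
"""Flag hosts whose daily outbound byte volume spikes far above their own baseline.

Added example, not code from the blog or its commenters. All records below
are constructed: the hosts, dates and byte counts are made up.
"""
from collections import defaultdict
from statistics import median

# Constructed per-flow summaries: (day, host, direction, bytes).
# "ws-042" is a workstation that sends ~2 GB/day, then 900 GB on one day;
# "file-srv" is a file server that legitimately sends ~400 GB every day.
SAMPLE_FLOWS = [
    ("2014-11-17", "ws-042", "out", 2_100_000_000),
    ("2014-11-18", "ws-042", "out", 1_800_000_000),
    ("2014-11-19", "ws-042", "out", 2_400_000_000),
    ("2014-11-20", "ws-042", "out", 2_000_000_000),
    ("2014-11-21", "ws-042", "out", 1_900_000_000),
    ("2014-11-22", "ws-042", "out", 900_000_000_000),
    ("2014-11-22", "ws-042", "in", 50_000_000_000),   # inbound is ignored
    ("2014-11-17", "file-srv", "out", 400_000_000_000),
    ("2014-11-18", "file-srv", "out", 380_000_000_000),
    ("2014-11-19", "file-srv", "out", 420_000_000_000),
    ("2014-11-20", "file-srv", "out", 410_000_000_000),
    ("2014-11-21", "file-srv", "out", 450_000_000_000),
    ("2014-11-21", "ws-017", "out", 1_500_000_000),   # too little history
    ("2014-11-22", "ws-017", "out", 1_600_000_000),
]


def daily_outbound(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, direction, nbytes in flows:
        if direction == "out":
            totals[host][day] += nbytes
    return totals


def flag_outbound_spikes(flows, ratio=5.0, floor_bytes=10 * 10**9, min_history=3):
    """Return [(host, day, bytes, baseline)] for each day whose outbound volume
    exceeds `ratio` times the host's own median over earlier days AND the
    absolute `floor_bytes`. The floor keeps tiny hosts (1 MB -> 10 MB) quiet;
    the per-host baseline keeps busy file servers from alerting every day.
    The thresholds are made-up defaults, not recommended values."""
    alerts = []
    for host, per_day in daily_outbound(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough earlier days to form a baseline
            baseline = median(history)
            volume = per_day[day]
            if volume > floor_bytes and volume > ratio * baseline:
                alerts.append((host, day, volume, baseline))
    return alerts


def format_alert(alert):
    """Render one alert tuple as a single log-style line."""
    host, day, volume, baseline = alert
    return (f"{day} {host}: {volume / 1e9:.1f} GB outbound, "
            f"baseline {baseline / 1e9:.1f} GB/day")


if __name__ == "__main__":
    for alert in flag_outbound_spikes(SAMPLE_FLOWS):
        print(format_alert(alert))
```

Run as-is it reports only the workstation's 900 GB day; the file server's 450 GB day stays quiet because it is compared with that server's own history rather than a global threshold, which is the point of sizing the baseline per host. `ratio`, `floor_bytes` and `min_history` are knobs to tune against real flow data.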

Gabriel • December 20, 2014 7:46 AM

Thanks Bruce for this insightful essay, as usual.

In a classical investigation, the "follow the money" approach often works out. Since the FBI has some convenient "clues" North Korea is behind the attack, nobody will try to push the investigation further: in whose interest is it?

An analysis on what North Korea's government opinion could be:
- The release of "The Interview" serves its own propaganda, as it confirms the message officials spread internally: the USA are trying to tame North Korea, to kill its leaders, etc. The release could help the regime to stay in place as it is the only one able to stand up to the USA.
- On the other hand, taking credit for the hack could be seen as geopolitical / diplomatic victory.

From the perspective of a so-called "security solutions company":
- Such a hype means big business in the months to come. A large company being hacked, getting lots of attention and releasing gossip-prone information is the perfect advertisement to sell new security products, reports, organizing symposiums, getting state funding etc.
- Combining this with ghosts from the cold war is also a nice occasion to pass some new cyber-security laws, to create some further military cyber-warfare units and to equip them with the latest toys, etc.

There are lots of young people pissed off by the actual neo-liberal world, and Soviet communism can appeal to them as they never lived it. Groups of such people, spread around the world, are likely to launch an attack seemingly in North Korean interests. The malware used, as far as I understood it, is not comparable at all with government-grade stuff. It is not modular, uses hard-coded target names, does not use the now usual container architecture, is not encrypted, etc. As Bruce wrote, this level of sophistication is not necessary at all to tear down a huge company, as security is a hard thing. As North Korea denies being responsible for the hack, I am sure they would have obfuscated the sources at least a little better.

Nick P • December 20, 2014 8:22 AM

@ Figureitout

Why markets are to blame for these hacks

The markets have had plenty of opportunities. They occasionally try. Burroughs had superior security architecture early on. IBM tried with System/38. Intel tried with 432, BiiN, and recently Itanium. KeyKOS did on IBM's own hardware. There were numerous machines in the 70's and 80's. The 90's gave rise to VAX VMM, LOCK, Boeing SNS, XTS-400, Trusted Xenix, Diamondtek LAN, and GEMSOS. More recently, we have the EAL6+ separation kernels with associated software, Sentinel's HYDRA web server/firewall, Secure64's SourceT on Itanium, and so on. How many of these products have you even heard of past my posts on this blog?

The vast majority of companies didn't even try to make something secure. A number of them were happy to lie to customers to generate revenues with a false sense of security. (IBM and Apple come to mind.) The few that produced better things ran into a market that wanted cheap, fast, backward compatible machines. Result: market kills off the better product. Intel deserves credit for repeatedly trying with varying levels of compatibility: epic loss on 432 APX, around a billion dollars lost on BiiN, and hundreds of millions invested in Itanium's superior architecture. And Itanium is being ignored by the market because other chips are as fast and have reliability features. Wait, what about its security features? Nobody cares except Secure64 that builds on them.

So, I always blamed consumers and businesses on demand side for the problem. They don't spend extra on quality in most cases. Sometimes, it doesn't cost anything extra but they'll still avoid it to keep doing whatever they've been doing. The businesses are so focused on maximizing profit that many won't even give a dollar to projects like Linux or Apache their profits depend on. Much less spend hundreds of thousands extra for secure machines. With demand side like this, the suppliers had no choice but to cut security to deliver the kinds of insecure crap that people wanted. This also had features, cost, and time to market benefits over secure development processes.

Note: Only semi-exception I know is IBM i series. The System/38 was commercially successful. However, market trends forced IBM to switch from capability secure hardware to a POWER processor without that security level. Then integrate with open standards (often insecure & inefficient). So, System/38 is still around in IBM i but it barely counts given the changes.

Lennon • December 20, 2014 10:45 AM

@Gabriel, "In a classical investigation, the "follow the money" approach often works out. Since the FBI has some convenient "clues" North Korea is behind the attack, nobody will try to push the investigation further: in whose interest is it?"

Money is a logical conclusion here because the attack was neither for fame nor did it push an ideal. If NK really wanted to take revenge for production of the film, they could have had the two actors assassinated in some way instead, which would have been the stronger message. As far as NK sympathizers, sorry, but why would anyone tired of pseudo-democratic dictatorship opt for true full-blown dictatorship? That makes no sense at all.

Michael Brady • December 20, 2014 11:29 AM

My favorite Tweet on the subject:

"Zach Holman @holman · Dec 17
Really wanted to see The Interview. Bummer. Now it’s going to be locked away in Sony’s impenetrable data centers forever."

Daniel • December 20, 2014 2:13 PM

There is an aspect of this situation that Bruce and others are overlooking. That is the habit of media companies of releasing creative content early under the guise of being hacked. Madonna is the latest so-called victim, and there is a lot of speculation that hers too is a fake hack.

Now, given the scale of what happened here I am not suggesting that Sony faked their hack. What I am suggesting is that media companies have a vested interest in less than ideal security because "getting hacked" is an effective means of product placement.

So I think that Sony bears a much greater burden than some other big companies do. When you play with fire, don't complain when your fingers are burned.

Green Squirrel • December 20, 2014 2:30 PM

Two more issues spring to mind on this:

1) On the economics front: If the US Government is prepared to "respond" on behalf of a private company (in this case a US subsidiary of a Japanese company) then you have pretty much undermined any incentive to pay for actual security. Much cheaper to sit back, get hacked, claim on insurance and let the Gov't deal with it.

2) The FBI appear to have settled the investigation as being UberSecretSuperH4xOrs from North Korea on the basis of some very basic mistakes. This lacks internal consistency and, from personal experience, the FBI appear to struggle to identify the country of origin when it comes to very basic, low-skill attacks. The idea that super-skilled hackers are so slapdash that they leave a big arrow pointing back to Pyongyang seems a bit difficult to swallow.

Obviously it is possible that there is some secret knowledge underlying this, but without it, the claim seems weak.

It is also interesting that NK has decided to "assist with the investigation."

albert • December 20, 2014 3:56 PM

Generally thoughtful comments by mostly all.

I always have feelings of doubt whenever I read stuff like this. Even Bruce's well-written blogs. (Bruce, your readers don't cut you a lot of slack, but I think you appreciate that.)
We never seem to have enough trustworthy information. On anything. The FBI said? Seriously? Sony said? C'mon. Does anyone think we're going to get accurate information from the US gov't on North Korea? The same question can be asked regarding Sony Pictures (the rootkit came from them). BTW, Sony's problems seem to be concentrated in their media divisions.
Get your salt shakers ready.
I consider these possible but unprovable scenarios, in no particular order:
1. Someone in the USGOV decided the film's release would not be appropriate at this time, and Sony disagreed.
2. North Korea decided to try to block the release, for whatever reason.
3. A Sony competitor orchestrated it.
4. Sony orchestrated it.
5. Sony-hating hackers did it.
The most that can be hoped for is a probability assessment. Logic and reason have left the room.
I gotta go...

Nick P • December 20, 2014 4:31 PM

@ Daniel

There's good press, bad press, and some in between. Companies like Sony don't like bad press. That their operation was shredded by hackers is very bad press that does more than embarrass: it can affect the firm's bottom line in a big way. It also can decrease trust for those doing business with Sony given their breach was much worse. So, I don't think they or any Sony-friendly media partners want this in the news.

However, thinking along your lines, it would benefit them to hype up the North Korea part in the press. Shifting the situation from "we were reckless" to "it was a nation throwing everything they got at us" might get them less judgment from the masses. They might think that any company can cave if a whole country and their hackers were after them. I rarely watch U.S. media so I can't test my theory to see if the reports focus more on the source of hacking than the hack.

Note: One thing that throws noise into the data is that the U.S. govt organizations would be hyping it up as well for their own benefit. News would be more likely to focus on the North Korea angle for them. So, my theory might not be testable at all in this case given there's already a source of the same behavior.

65535 • December 20, 2014 5:48 PM

“My guess is there is a disgruntaled employee involved, possibly one who knows the internal system rather well, but may now be an outsider due to being laid off etc.” –Clive

That is my thought also. Such an employee would have the means [hacking tools] the motive and opportunity to damage Sony if laid-off.

Further, North Korea has a fairly large animation industry that could be hurt by US firms canceling contracts and moving to South Korea. If North Korea was caught and sanctioned by US companies there would be considerable financial damage. That’s not to say North Korea would decline credit for the attack – NK may actually enjoy taking credit for it.

“The art of Korean Animation, or Han-guk Manhwa Aenimeisyeon (한국 만화 애니메이션), has gone from hand-held flip books in early times to studios that produce most of the work for major American animation companies and collaboration/minor contribution contract for Japanese animation companies… While it is mostly firms in South Korea that contract with Western studios, some of the work is reported to be subcontracted to North Korea as well… As far as OEM is concerned, the likes of Rough Draft Korea (RDK) keep on landing new contracts which have seen Rough Draft perform the manual work on over 45 popular "Western" cartoon titles over the last 16 years...” Wikipedia

Attani • December 20, 2014 6:10 PM

Interesting comments. More so than Twitter babble. Since we are throwing around all sorts of theories, how about this one - the MPAA has been trying to get certain laws passed but keep coming up against powerful public and Silicon Valley resistance. They have someone hack Sony in a big way so that they can gain sympathy towards their anti-piracy laws. Little do they know that Sony has in their system powerful information against the MPAA.

Personally I think some kid did it cause, what the hell, it's Sony, everyone's favorite hack.

Attendee • December 20, 2014 6:48 PM

@ 65535, "That is my thought also. Such an employee would have the means [hacking tools] the motive and opportunity to damage Sony if laid-off."

How hard is it to track down disgruntled ex-employees? there are only so many of them. If it were such a person who committed this, HSAs of the free world would have him burning on a stick by now.

@ Attani, "Since we are throwing around all sorts of theories, how about this one - the MPAA has been trying to get certain laws passed but keep coming up against powerful public and Silicon Valley resistance."

Apparently all theories fly, but I suspect HSAs are reading with a grin as they have circumstantial evidence pointing to possible culprits. Of these corps SPE certainly fit the bill because although it claims to be an American victim, in reality its financial mishaps are probably felt on foreign soil.

@ albert, "We never seem to have enough trustworthy information. On anything. The FBI said? Seriously? Sony said? C'mon. Does anyone think we're going to get accurate information from the US gov't on North Korea? "

Don't see any reason to trust any comments about an on-going investigation, especially as there is no proof presented despite the Commander-in-Chief's rally talk. The entertainment divisions of Sony seem to be fairly autonomous from their parent Japanese conglomerate. Until we see leaked designs of Sony's products surfacing on the net, I don't think it's fair to call Sony out on being security inept. It's more like the fault of a single division.

Figureitout • December 20, 2014 8:16 PM

Nick P
--Nope, that's just your perspective, I have mine. The market doesn't exist in a vacuum. Actions by gov't do have an impact and most importantly the "chilling effect" which stops others considering secure product development from even starting. Weakening of standards, actually attacking our own companies, etc. Disgusting traitors leaving its citizens vulnerable for Intel that can be made to garbage easy.

Agree to disagree, and I won't touch any product backdoored by them.

Nick P • December 20, 2014 9:14 PM

@ Figureitout

The government certainly has an effect. They've dictated higher assurance a few times: Ada language mandate, Computer Security Initiative, SKPP, DO-178B, etc. For voluntary stuff, the market always responded by producing the opposite of what the government demanded: insecure, cheap, good looking, mass market garbage. Under CSI, only around 7 secure products were produced despite government giving financial incentive to all and subsidization to others. About 7 out of hundreds to thousands of software vendors. The DO-178B mandate, on the other hand, got all kinds of software analyzed, tested, and certified. Because it was forced and for very specific criteria.

So, only a handful in an entire market will produce a highly secure offering even if the government is promoting high security, giving out tools to build it, and promising money in return. If the government isn't, such companies stay rare with often unevaluated black boxes and most just go out of business over time. Far as mandates, there's not going to be an EAL6 mandate for COTS software unless someone invents tools that do all the heavy lifting for about any real world app.

So, market can't be relied on. They didn't do it with all the financial and technical help in the world from the government. They didn't reinvigorate high assurance as a response to Snowden leaks: just added features to regular products on low assurance platforms. Market overall is still doing what it's always done. So, we've had time to test my theory and so far market has failed the test. It will take some very clever business or marketing innovation to get a secure product to succeed in the market. I'm betting on appliances as being easiest route.

Note: Doesn't stop those rare few from trying. Rockwell Collins' recent paper on their new whole-system EAL7 development process claimed verification activities were only 5% of the project's cost. If EAL7 is at 5%, then EAL5-6 should be a lot easier to justify as far as financial arguments go.

Anura • December 20, 2014 10:36 PM

@Nick P

Are you familiar with the project management triangle? The gist is that you can do it fast, do it cheap, or do it right, and you can pick 2 out of 3. Most companies I work with choose cheap and fast. So while the actual costs for EAL7 verification might not be high, the development that is required to put out a good enough product to pass validation is more than most businesses want to spend.

I've never been through any high assurance development process, but even the basic stuff can go a long way and is often neglected. Just code review, unit tests, and documenting requirements/changes for the sake of QA would have greatly improved the quality of some of the projects I have worked on, but they decided to run things as light as possible in the name of speed and cost cutting.

MikeA • December 20, 2014 10:36 PM

Has there been any explanation of the "evidence" against NK (not NC, BTW, as one commenter wrote. I know they are still miffed about the War of Northern Aggression, but really?), specifically why badly translated Korean points to them, or particularly the bit about "software that only runs on Korean computers"? Say what? I know there was a long-ago web-server exploit that used a quirk of the Bulgarian Windows code-page to pervert sanitizing in CGI calls, but never heard of similar stuff for Korean. Also, what stops me from simply picking Korean as my default language on any system (other than I can't read or write it)?

Brings to mind the American cigarette butts and wrappers scattered around the Nazi automated weather station in the Canadian Maritimes. "Yeah, had to be Yanks, just look at those fags".

Clive Robinson • December 20, 2014 11:47 PM

@ Nick P, Figureitout,

I have said --as have others-- for quite some time that an unregulated market is a "race for the bottom". This is based on what we see happen in practice not the theory so beloved by libertarians that originates from economists who get funded by such people.

Whilst this did not really matter half a century ago as governments used regulation to keep foreign manufacturing out, it started to fail as a policy forty years ago when the vastly reduced costs of electronics made meeting different countries' specs in one product cheaper than manufacturing a different product for each country.

This now has the unfortunate side effect that if the US mandates a "back door" in a class of product then all countries get the backdoor. This is most usually achieved by calling it a "safety feature" and perhaps the best example is GPS trackers in mobile phones, which the likes of Google and Co have leapt upon to gather as much data as possible about people using their services.

It can be seen from this that regulation can be both good and bad, and as such the libertarian argument that "ALL regulation is bad" is wrong. It's not the regulation that is bad, because as with technology it is agnostic; it's not even the intent of the regulation that is the determinant, but the use to which the results of the regulation are put.

Unfortunately when new regulation is imposed it almost always introduces an initial cost, and this is usually seen as being a handicap and thus gets fairly vigorously opposed. However it has often been found that the initial cost is much smaller and shorter than portrayed by the naysayers and shortly thereafter profitability is actually increased because of the increase in utility the regulation has caused.

Thus one indicator of whether a regulation is going to be of benefit is its effect on the utility of the product. If it increases utility then it will almost certainly increase overall profitability (and thus tax base). Thus although putting a GPS in every smart phone is bad for security it did increase the utility of the product and thus increase profitability via new markets.

So utility alone is not going to be a measure for regulation to increase security. And this is where the problem is: security does not increase profit in an easy to see way, it's easier to see how it might stop losses in a particular set of circumstances. Thus it is seen by those of a short term nature to be an attack on today's profit for something that's not going to happen today...

Historically the solution to this is via insurance: you pass regulations to make it mandatory to trade. Unfortunately this is usually a very expensive solution and tends to badly distort the market as it becomes an overly expensive secondary tax, not an incentiviser to innovation (it's why the US has about the highest health care costs per head of any western nation).

Thus another method of market regulation is via liability legislation: if "your aircraft falls out of the air you get sued out of existence". As has been seen with the likes of petrol tanks in cars this can be a very slow and expensive way to effect change, and can currently be avoided altogether by "licencing T&Cs".

In the physical safety and security markets one solution that has some effect is "ratings" by independent test houses. Whilst these can be gamed by manufacturers they do have the general effect of raising standards by giving consumers more information by which they can make "informed choice".

Thus regulations that mandate more information by which consumers can make informed choice might be the first step in the right direction for security. This would enable insurance companies to set minimum standards which in time would improve the markets by market forces. The problem is the speed of change and complexity of ICT components is currently faster than any suitable standards test cycle can keep up with...

LiLi • December 21, 2014 12:21 AM

People. Wake up, they are liars.
It is not the Koreans hacking and I can prove it.
Listen here, these guys are frauds, the Feds, BILDERBERGS, G 8, dragons white and red, Bush, Clintons, Anonymous hackers and all the ones I named all along are big liars.

Let me tell you the truth about SONY HACKING STORY

since they rob all my transactions, clients, commissions all I do, as I informed you many times.
my computer was new and because they broke my wifi light and I was not able to connect it, I sent the computer to Sony to be fixed! I was in Florida and sent it to Sony California To be fixed and when Sony opened my computer on their premises, they got infected.

My computer is the P SERIES and all can be verified with Sony and obviously my hard drive which recorded all of their moves

Sony did not want to hear when I told them that they are the ones and stole trillions and trillions from me and trillions and trillions from other brokers.
It was too much for them and now they come out with this movie.

What happened? The hackers bought Sony? And they again are trying to pull a dirty misleading trick by accusing the Koreans?????

Are you surprised?

They need to be jailed

We had enough of the liar thieves

Investigator of investigators, judges, the ones that will help us to do something about this fraud so we can have a decent life

My number. 1 438 939 4380

God has His plan and has His anointed that will bring us deliverance from this atrocious abuse on us and our children.

I allow you all to put this worldwide, TRUTH MUST BE SPOKEN

Why should we be trampled and lied to by a bunch of good for nothing losers that can succeed by hacking and robbing the hard work of single moms.

Don't you all agree, it takes low life losers to do such a thing and you know they deserve the guillotine.

We had enough of the mean detestable terrorists because they are the terror
Of terrors, imagine how gross their actions are

They made so much from robbing us they have millions of servers where they host our bank accounts, phones, computers, tvs and are pushing for more control so they are not tried in a court of law.

They should be tried and given the guillotine


Cory • December 21, 2014 3:59 AM

@ Clive "an unregulated market is a "race for the bottom""

Would you consider a monopoly as an unregulated market? I suppose one can make an argument that monopolies are regulated markets because the monopoly itself regulates it, thus adhering to the race for the bottom statement.

Clive Robinson • December 21, 2014 9:15 AM

@ Cory,

It depends more on how you define regulation.

The usual meaning is something external that acts as a governor to provide control or stability to a system. So the thermostat on your home heating is a governor that regulates the boiler / furnace to provide a stable temperature in your house that you and the other occupants agree is comfortable / economic. Without such a device the boiler / furnace would run at maximum or actually run away into meltdown, because few systems are actually "self regulating".

If you think of a market, the first order aim of a supplier is to provide as little as possible for the highest price they can get, thus having maximum profit.

However in the 1700's the nature of the term "manufacture" started to change because of "Pin Makers". The original meaning is "made by hand" and that is exactly what pin makers did; they originally produced as few as a hundred pins a day each, thus pins were very expensive but of vital importance to most women, which is why the "house keeping" money reserved for the work of a wife was called "Pin Money". However one "workshop master" realised that by dividing his workers to do different parts of the job he could increase the number of pins made significantly. Various figures have been quoted, but by also developing tools the number of pins per worker went up to 60,000 a day, thus the cost of pins dropped dramatically. The use of such specialised tools that did the bulk of the work became known as machines and the meaning of "manufacture" changed to mean "machine made".

However as Adam Smith noted the price of a "good" eventually falls due to supply exceeding demand at any given price point. This however is tempered by two other mechanisms, firstly "total demand" and secondly "zero profit cost of manufacture"; whichever is --nearly-- reached first sets the ultimate cost of a good.

These pieces of information can be used to plot a graph with two curves on it which form a "fish eye" and profit is only made inside the eye, and is maximum when the two curves are furthest apart.

Thus it's in a manufacturer's interest to limit production to keep at the most profitable part of the curve. However this does not happen in a truly open market, for several reasons. Firstly, and usually ignored by economists, is the "distance cost" metric; it's why iron production originally congregated around where the richest ore was and the lighter charcoal or coal was shipped in. But it also applies to finished goods, which become less profitable with distance to market. Thus two manufacturers geographically separated actually have less effect on each other and in essence form individual markets. The lower the cost of an item at market, generally the smaller the area of any given market. However markets are also variable, not constant with time, and excess production in one area will either cause a local market price drop, or the manufacturer can ship it to another market and lower the price there. The result of such action is a "race to the bottom", which is perceived as good for the customer even though it actually is not as the end of the eye approaches.

Thus manufacturers can and have organised themselves such that they do not poach on each other's markets and thus artificially keep the price high.

This cartel behaviour works until something affects either the market or the manufacturing of a good. These days we talk of "disruptive innovation" and similar; the original "division of labour" in pin making was one such.

The interesting thing about disruptive innovation is it "kills competition" and if managed correctly gives a "natural monopoly" in any given area, tempered only by the distance cost metric or by new competition using the same disruptive innovation.

One way to stop new competition is by Patent, which gives you exclusive rights for a period of time, and this is what older and slower and less market responsive organisations do to prevent more agile competition entering the market.

However primary patents usually don't earn money or affect the market because they are most often "ahead of their time", and secondary patents, which are where the money is, usually need to use other secondary patents and thus are subject to cross licencing. This is usually a cartel or monopoly maintaining practice, where organisations with large patent portfolios allow each other to use their patents without charge, whilst raising a prohibitive licencing fee to new entrants in a market that do not have patent portfolios.

However the patent game is starting to come to an end, because of the likes of patent trolls, which will eventually cause a regulatory change by patent legislation modification. Hopefully in a way that will require more openness on licencing which will reduce the effects of patent portfolio cartels and monopolies.

The thing is that profit and quality usually don't go hand in hand and it's one of the things missing from the eye graph. As was once observed, "whilst a ten dollar pair of boots may look good, their cardboard thin soles will last only a year, however a fifty dollar pair of boots will last you a lifetime". Quality costs not just because it requires more exacting work and better materials but also because it lowers demand in any given time frame due to the increased longevity of the good produced.

The flip side of this is the less quality that there is in a good the more profit there will be longterm due to the increased demand as goods fail earlier than customers might like.

As I have pointed out in the past "Security is a Quality Process", so security is one of the first sacrifices on the "profit altar".

Back in the 1960's through 80's the only limit on the degrading of quality was "warranty legislation", which caused defective goods to be returned to manufacturers for repair at the manufacturer's expense. This had two effects: firstly it caused a significant loss of profit and secondly it caused a landfill issue. The cost of a "return for repair" gets badly bitten by the distance cost metric, and as little as 5% returns can remove all profit from the manufacturing. This gave rise to a policy where defective goods were replaced not repaired and the failed items, which were often toxic, consigned to landfill.

Initially the problem was addressed by the various British manufacturing associations with the British Standards Institute. They realised that slightly higher front end costs on quality assurance processes significantly cut the tail end cost of defect rectification, not just on warranty repairs but also on production line rework costs. By the 1990's the BSI standards had gone global as what we now call ISO9000. It was also found that such quality processes also worked in other non manufacturing environments.

Sadly the last hold outs on proper quality processes are the software industry, who have a very very small distance cost metric as there are no returns; hence we have "patch Tuesday" etc., the cost of which is covered by the much reduced "product to market" times and passing the transportation costs off directly onto the customers. Because of this there is no profit penalty for releasing shoddy goods to customers, and "licencing" side steps most of the consumer protection legislation (so far).

Thus market forces will not provide an increase of quality unless profit can be linked to it. The market itself will out of "collective self interest" --not cartel or monopoly effects-- fight any such link due to initial loss of profit, even though it has been shown over and over again that it is actually beneficial for the market and long term profits. Thus without effective external regulation all markets are doomed to a "race for the bottom" and fairly quick extermination.

This leaves the question of what "effective external regulation" is, and as I have indicated earlier the view of government is often not aligned with what the market actually needs and consumers can bear, and as can be seen with the US Health Care system, it can become excessively expensive compared to just about any other method.

Nick P • December 21, 2014 2:21 PM

@ Anura

I forgot about that as it's been so long since I said it in consulting meetings. ;) It's generally true. However, I recall arguing that it is only partly true for the development *process*. Investing some extra dollars and rigor into the process itself can provide a several fold increase in effectiveness. That effectiveness benefits every individual project that leverages such a process. Initial pilots on a manageable project are a good way to convey this and try to sell it on management.

I agree that you can get a lot out of even just a few things. Code review a la Fagan Inspection Process and tool-supported testing (esp fuzz testing) by themselves significantly improve quality in the lifecycle. Together they do even more. DEC essentially did this in their method: build as many features with acceptance tests as possible during one week; tests run in batches during weekend; fix as many problems (by priority) as possible next week; batch of tests run to confirm quality of fixes; repeat. OpenVMS's reliability and performance confirm the process works despite being pretty simple.

Note: I'll add choice of language, libraries, and platform can prevent a ton of problems with little developer effort.

@ Clive Robinson

I agree mandates against specific ratings are the best route. Orange Book worked at least for defense in that products appeared that met criteria. FAA's DO-178B (now C) initiative has been working. Common Criteria worked at least in terms of getting market to add the right features and standardizing evaluation via Protection Profiles for categories of functionality.

I think the first step would be to start with a mandate of things with low cost and high ROI for quality in general. Anura and I were discussing a few. Here's a stab at a mandate that's barely disruptive to market:

1. All included functionality is specified in documentation. (Ex: If the firewall has internal FTP running, this will be mentioned.)

2. There are acceptance tests for every feature and common error condition.

3. Fuzz testing is applied and results in fail-safe.

4. A minimum amount of code review using standardized defect hunting guides.

5. Recovery mechanism for event of failures.

6. Tool to extract internal data to vendor neutral format.

That's for the market in general. This by itself should reduce defects, lock-in, hidden extra features, and all sorts of problems. The security critical market would have extra requirements that start at EAL6 at a minimum and apply to the whole system. If something doesn't exist, government funds its development by academia with practical focus or private sector that intends to sell/upgrade it. The hardware, OS's, libraries, tools, etc. will materialize over time as we saw with Orange Book and DO-178B.

One issue, though, is legacy systems. There's a bunch and such a mandate would have to include an exemption for them to avoid losing most of what runs business and government. The private sector would squeeze as much wiggle room as they can out of that. A potential solution might be to impose a penalty where profits on such solutions are taxed highly until they meet the mandate. However, a tax writeoff is allowed for work that re-engineers those systems to meet the mandate. Over time, they come into compliance, have legacy functionality, are probably more maintainable, and go back to high profit.

Legacy issue is tricky but I'm sure there's some financial incentive that can solve it. Will take regulation, though. That can go in bad directions. So, I'm keeping the requirements incredibly simple for the first iteration. During that iteration, research can also be conducted into methodologies and techniques that improve on it again with very reasonable cost and consideration for legacy. Legacy might even be treated with separate regs with a cutoff point that says all new software uses new standard and old software uses different standard.

Ed • December 21, 2014 5:24 PM

"We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs."

DO we have little choice? Seems like kind of a dumb broad statement. Don't post intimate anything on the net. Try cash next time. And screw the "Cloud".

Hmmm sounds like choices to me.

Cory • December 21, 2014 7:20 PM

@ Clive

Thanks, it all makes sense to me I think. I want to make the argument that the "pull" in a race for the bottom situation must account for monolicity of product. If there is little discernible difference in various runs of a product, for example gold, oil, currency, or corn, then the market must rely on heavy government regulation or cartels to maintain stability. Another argument is that the discernible difference is as much in the manufacturing process as it is perceived.

Take for example wintel laptops. There is very little discernible difference between those sold by various vendors, so the pull is strong. However, products from vendors like Apple in the laptop market defy monolicity. More choice is available for the end user. Thus, market forces are allowed to respond because consumers can discern the difference between Apple and wintel laptops much better than the difference between two wintels.

The perception of difference is where companies are willing to spend on advertising (to educate consumers), branding, quality control, and other bottom line raising expenditures, because they believe that staying away from monolicity is good for the long run in the fight against race for the bottom. The market needs more products to choose from in order to make the case, but governments often seek to limit that thru regulations or standards bodies. Though governments mostly do that for the better of the good, one cannot discount the symbiotic relationship between market and government. An external regulation is most ideal but often they are not entirely separated, as technology and expertise serve as the barrier to entry.

I think in reality it is circular as the market can assert some influence in its own governance via lobbying. Thus, we can never achieve true external regulation.

Figureitout • December 22, 2014 1:55 AM

Nick P
--You're not catching my drift, which doesn't really matter as market will continue on regardless. Shut down US companies, Chinese and Russian ones will pop up; overtaking the market share.

Note I never said anything against academia, if that's where gov't will push funds to (w/ minimal strings attached..). They usually take funds away from research and back to funding worthless congressmen/women salaries and "market research" or whatever other worthless thing.

And you're nitpicking certain cases and still holding onto grudges which will harm you worse than they already are. It's the f*cking consumers that have to demand security, companies are giving consumers what they buy. Simple as that. So "blame the user" like you always do instead of working w/ them and convincing them why what they want sucks ass and will bring them in harm's way.

Ever look at what computers lots of gov't offices use? It's worse than companies. And they're buying from the companies too now. So they're becoming the "consumers" that still aren't demanding security.

Companies can't just arbitrarily raise taxes on the population like gov't so yeah they need to make some money some way. That's more ethical in my view, don't buy the f*cking product then and cry. And if there's a monopoly, it's an unfair market and that's where gov't steps in (which they fail miserably today, especially in cable/ISP market, letting comcast and NBC hook up; fail all the way to the banks which they bailed out). My state is giving away public services to private companies now like water, parking meters and chunks of road. Back when anti-trust used to be enforced and gov't worked for people, it's when the market worked better. Back when companies were starting to become monopolies and now they are in each market, they essentially become gov't entities or heavy contractors. Feds are giving up war contracts to private war fighters too, yay! Gov't will sell out anyway to someone else, doesn't matter.

Gov't won't sell to everyday consumers, they'll reserve it "for themselves" and to hell w/ everyone else. Also companies have to make their products deliberately weak for gov't or they send people to jail by the butt of a gun; or attack them in their worthless mission. But now the market is going towards consumers like my poor generation and companies are starting to embrace open source, and the engineers working there too.

Clive Robinson
--Never said we don't need regulations, of course we do. Practically never really enforced; check our food supply for examples, and enjoy that "good night" glass of milk w/ antibiotics and udder pus from cows.

I say a new phrase needs to be made, how about a "backdoor to the bottom"? "A race to the backdoor"? "A backdoor to the race"? "A backdoored race to the backdoored bottom"?--Yeah that one. Backdoor standards, backdoor laws, backdoor everything. Why should companies trust gov't to push regulations that could very well be backdoors into their products, putting their customers at risk and making them look bad when it's gov't's fault?

No trust. Middle finger.

FastLeanSmart • December 22, 2014 10:18 AM

Fantastic piece, I couldn't agree more that Sony made it too easy, which shouldn't be the case after 3 other major breaches suffered in the last 4 years.

Sancho_P • December 23, 2014 5:44 PM


Um, I do not feel really comfortable with part of your statement.
The “consumers” do not “have to demand security”; in particular they never will demand security because they neither need it (my mom chatting with my sister) nor do they know (and do not want to know) the difference from insecurity, and you couldn’t explain it to them either.

Instead they can easily tell you what THEY DO NOT WANT
(sorry for shouting, I guess you have a sister / brother, it’s not an issue of sex):
Anything that is complicated or needs knowledge.

Do not wait for the masses to fight the situation.
Business is your partner.
They need security and confidentiality, they have knowledge (now Sony) and money.
They didn’t really know before, though (in America, I think).

Figureitout • December 24, 2014 12:08 AM

--That's OK to disagree w/ me, but your argument didn't change my opinion. Another way to "learn the hard way" is to get their card stolen or internet facing PCs bricked (I have reasons to believe there exist attacks on the SATA controller on motherboards which will take many people offline due to reliance on a hard drive, yet I'm writing this on a PC w/ a bad SATA controller lol; will keep using til it dies haha).

Brian Krebs, the journalist who mostly gets his intel from FBI sources, got interested in security when he got hacked. He's made a name for himself in the security field.

My start was pretty weird...can't really pin down when exactly, but once I got Bruce's AC2 book and found this blog it's been downhill since...

Also, if attacks continue like BadUSB, which reverse so much convenience of transferring files, and malware keeps getting into computer manufacturers like HP, Dell, Intel, etc., the devs and engineers will (hopefully) realize enough's enough and start locking down their environment even better and pushing that out to consumers. At the end of the day, "they're on their own"; I guess if they're ok running a botnet thru their PC (framing them in crimes), it's on them. Many times I bet it's b/c they're dealing w/ sh*t like...survival and don't have time and are weakened. We all have points of weakness which can be found w/ a little observation, so attackers likewise can be feeding on one end and getting eaten on the other.

Your last bit, on me waiting for someone else. Preaching to the choir buddy; that train's left the station. I'm not waiting on anyone, that would be Nick P always ALWAYS blaming the public or "the users" he has such disdain for, for not doing things he won't do (telling them to put themselves at risk). I draw parallels to drug cartels making "money mules" & "pushers" take the risk, they're being totally used and abused in the most disgusting ways. That's my beef w/ him. Then kind of writing off as "he's done his part" or even worse taking credit for things he hasn't done. That's where I get pissed.

Horacio • December 24, 2014 1:27 AM

Sancho_P:"Instead they can easily tell you what THEY DO NOT WANT"

'fraid you're giving general mom'n'pops consumers too much stock. Most consumers won't return satisfaction surveys unless there were candies or some type of sweet tooth involved, or you can bug them so badly they say here have it.

They'll just stop buying, if given better alternatives. You find out when accounting comes knocking, as office politics seem to be your thang, or hear it from the top brass himself. Either way, it's a rude awakening for those not strategically planned.

REW • December 27, 2014 8:33 AM

jaycee331 wrote:

My girlfriend thinks an "always on" cellphone is a choice. She has decided: no. I arrive 10 minutes early at our rendezvous, SMS her I've arrived. Five minutes later she arrives. 15 minutes later she calls me to ask where I'm at. She's standing outside in the cold, and didn't see me when she looked inside.... And she only turned on her phone at the moment she decided to call me.

Many people nowadays will find her choice an odd one. Me included (I'm hoping she's learned something from the 15 minutes in the cold, but I'm not holding my breath....).

Similarly, others will have grown to depend on services like Google Docs where you can look at and edit your documents whether you're at work, at home, behind your tablet or on the road with your smartphone....

Those will consider your choice not to use such services "odd".

You can choose not to use technology. Plow the fields with horses and oxen.

There is a choice to ignore technology, but in the end you'll be the one that still lives in the stone age.

FYI: I'm also without Facebook and almost without Google Docs.....

