Further Evidence Pointing to North Korea as Sony Hacker

The FBI has provided more evidence:

Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has "very high confidence" in the FBI's attribution of the attack to North Korea. And he named several of the sources of his evidence, including a "behavioral analysis unit" of FBI experts trained to psychologically analyze foes based on their writings and actions. He also said that the FBI compared the Sony attack with their own "red team" simulations to determine how the attack could have occurred. And perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.

"In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy," Comey said. "Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using...were exclusively used by the North Koreans."

"They shut it off very quickly once they saw the mistake," he added. "But not before we saw where it was coming from."

Here's the full text of the FBI director's remarks. More news stories. Commentary from Just Security. Slashdot thread. Hacker News thread.

EDITED TO ADD (1/10): Marc Rogers responds. Here's a piece:

First, they are saying that these guys, who were so careful to route themselves through multiple public proxies in order to hide their connections, got sloppy and connected directly. It's a rookie mistake that every hacker dreads. Many of us "hackers" even set up our systems to make this sort of slip-up impossible. So, while it's definitely plausible, it feels very unlikely for professional or state-sponsored hackers in my books. Hackers who take this much care when hiding their connections have usually developed a methodology based around using these kinds of connections to hide their origin. It becomes such common practice that it's almost a reflex. Why? Because their freedom depends on it.

However, even if we take that to one side and accept that these emails came from North Korean IP addresses, what are those addresses? If they are addresses in the North Korean IP ranges then why don't they share them? If they are North Korean servers, then say so! What about the possibility that this attacker who has shown ability and willingness to bounce their connections all over the world is simply bouncing their messages off of North Korean infrastructure?

Finally, how do they even know these emails came from the attackers? From what I saw, the messages with actual incriminating content were dumped to pastebin and not sent via email. Perhaps there are messages with incriminating content -- and by this I mean links to things only the attackers had access to -- which they haven't shared with us? Because from where I am sitting, it's highly possible that someone other than the attacker could have joined in the fun by sending threatening messages as GOP, as we have already seen happen once in this case.

EDITED TO ADD (1/12): The NSA admits involvement.

Posted on January 9, 2015 at 6:24 AM • 58 Comments

Comments

mb • January 9, 2015 7:06 AM

Why couldn't the "Guardians of Peace" use a proxy in North Korea to cast suspicion on the North Koreans? That would seem easy enough.

Jean Meslier • January 9, 2015 7:45 AM

@mb

The answer according to the Just Security article Bruce linked is that North Korea has very few web connections, and most of them are under government control, so it would be difficult to hijack them.

I'm not in a position to comment on the technical merits of this explanation. My layman's interpretation is that the internet in North Korea is so limited that external traffic of the requisite scale through North Korea would have had to raise alarm bells. In this case, either 1) they knew what was happening and chose not to stop it or 2) they had no idea what was happening, and would have panicked and "flipped the switch" a la Egypt.

NineFiveOne • January 9, 2015 7:56 AM

@Meslier, read carefully.

"The hackers slipped up and failed to cover their tracks with proxy servers when sending threatening e-mails to Sony employees. The IP addresses of the alleged members of the Guardians of Peace, which claimed responsibility for the hack, traced directly back to ones “exclusively used by North Koreans.”"

What they claim is that the group that claimed responsibility for the hack has used North Korean IPs.

They did not:
- Claim that the hack originated from NK IPs.
- Claim that the Guardians of Peace and the hacking entity is the same group.

Meee • January 9, 2015 7:59 AM

Unfortunately the FBI lost all its reputation and it is well known for making evidence up and lying just to have a case against someone/country. So I don't trust them even if they say they have captured IP addresses from North Korea! That is the price you pay when you lied once!

Archon • January 9, 2015 8:02 AM

From Just Security: 'That’s a sober reminder. Assuming the validity of Mr. Comey explanation, the perpetrators of the Sony Hack, and perhaps others like them, are less likely to be “sloppy” in the same way again.'

Yeah, it's unfortunate that there's not some quantity, built up by past integrity and forthrightness, that a government or government agency could lean on when it needs people to accept something on inadequate evidence. Because if that existed, I'm sure the FBI would be all over it.

Anwar al-Awlaki in paradise with 72 fat cop fake hookers • January 9, 2015 8:15 AM

Whoops, looks like somebody got under Comey's skin, which is already inflamed by furious application of his Opus Dei whippy thing for bullshitting Baby Jesus and the Pope and getting caught. Check out stereotypical dumbshit-cop persona Mike Chase trying to push Bruce around.

If this keeps up the FBI goons will have to extort some double-secret evidence out of a corny Korean informant!

http://whowhatwhy.com/2013/06/23/was-tamerlan-tsarnaev-a-double-agent-recruited-by-the-fbi/

So, 씹덕, watch out for fat ugly hookers, it might be Patrice Comey trying to save her man's career with awkward clumsy 작업!


wiredog • January 9, 2015 8:24 AM

I wonder how many people reading this blog accept the USGs insinuations that an Islamic group called Al Qaeda was responsible for the 9-11 attacks. Or even truly believe those attacks happened. Maybe it was all faked. A false flag operation.

YouuJanuary 9, 2015 8:33 AM

"Unfortunately the FBI lost all its reputation and I is a well known for for making evidence up and lying just to have a case against some one/country"

(1) Too bad you don't bother to provide any specifics beyond that vague assertion.

(2) Therefore you will never, ever believe any reports form the FBI, ever? How silly.

obladee • January 9, 2015 8:42 AM

This isn't classified sigint. It's an obvious part of the attack. If they had this IP information, they should have released it right away. This does not look like a good faith effort to be transparent with the security community. This is not communicating with the public. The second their case was challenged, they should have produced this information. Hell, they should've produced it publicly with their first report on the attack. You don't publicly accuse a nation state of an attack without giving solid evidence.

This kind of incompetence and arrogance is unacceptable from a group we taxpayers spend so much on and entrust with the most important responsibilities of government.

Tim • January 9, 2015 9:13 AM

Comey lamented elsewhere that we are very cynical post-Snowden, but really that only applies to teenagers. Anyone older has been cynical since the dodgy dossier in the runup to GW2 or since Irangate, or since Watergate (those are only the highlights, and perhaps people older than me can extend the list further back). With that in mind, any public statement by a government agency is sure to be subjected to baloney-shaving.

For example WRT IP addresses, does "exclusively used by the North Koreans." mean the same as "North Korean" (i.e. addresses subject to NoKo governmental control), and "exclusively available to the North Koreans"?

Of course in a public statement Comey can't stand there rattling off what amounts to a court filing, but since he's stated his awareness that his remarks will fall on cynical ears, a little extra i-dotting and t-crossing might blunt my baloney shears.

Carlo Graziani • January 9, 2015 9:32 AM

The phrasing on IP addresses is strangely circumspect: "IP addresses that tied them to North Koreans," and "the IPs they were using...were exclusively used by the North Koreans." Not, mind you "IP addresses on networks located in North Korea."

Comey appears to be saying the IP addresses involved correspond to machines known to be under NK control, but not on NK territory. Compromised? Bulletproof hosting? In any event, this phrasing begs the question, even positing that the Norks have used those IPs, how do we know that only the Norks use them?

My take: As an eminent former DCI once said, "It's a slam dunk" (not).

Meee • January 9, 2015 9:37 AM

@Youuu

""Unfortunately the FBI lost all its reputation and it is well known for making evidence up and lying just to have a case against someone/country"

(1) Too bad you don't bother to provide any specifics beyond that vague assertion.

(2) Therefore you will never, ever believe any reports from the FBI, ever? How silly."

Use Google for 1)! If you look up false evidence on Wikipedia, they have an extra paragraph for one case called "The FBI Scandal", in which "the FBI forged evidence". Here, only for you, Sir:
https://en.wikipedia.org/wiki/False_evidence
If you want more, try google.com

On 2) I will believe in reports in which there is actual evidence! Real evidence and not somebody telling me they have evidence! Saying that you have an IP address is no evidence! I can say that there is a god and here the Bible is my evidence. And don't call me silly, show some respect!

keiner • January 9, 2015 9:47 AM

Uuuuh, here we have it, the smoking gun, let's smoke 'em out! The only end of the world where the US has NOT yet started World War III; now it's high time to get some cruise missiles in the air!

Go for it, the economy will grow for another 6 months or so!

Clyde Tolson's tender ruby orb • January 9, 2015 10:04 AM

FBI's medium-term problem is recruitment. For years they've been scraping the bottom of the barrel for lawyers too slow to chase an ambulance and accountants who can't get real jobs. They got a brief boost from cyber-hype and the dotcom bust, as a safe way for creeps to feel like big shots. But technically competent IT people are telling them to pound salt. No one with options will work for a Stasi staffed with losers, blackmailing people to act out fake crimes. So when something complicated happens, they have to send some helpless chump to beg CIA for help. CIA rubs their hands with glee and feeds the poor sap a crock of ridiculous career-ending war propaganda. He gets canned in disgrace, but not before CIA gets extra budget and headcount to meet the deadly threat. It's a grand American tradition: sacrificial virgins Tom Thurman, Spike Bowman, Aaron McFarlane, and now, Comey.

Uncle Scrooge • January 9, 2015 10:49 AM

The conference Bruce mentions is the ISSC 2015 conference. I heard the FBI director's (James Comey) speech in person. In addition, over the course of 3 days, I heard the Director of National Intelligence (James Clapper) and the NSA/Cyber Command leader (Admiral Michael Rogers) echo the message: The North Koreans did it. The government is presenting a very united front on this answer. I predict the North Koreans will be much more clever and hire someone to carry out the attacks for them. Attribution will only get harder in the future.

Sachtleben, FBI! Drop the Pants! • January 9, 2015 11:32 AM

Thanks for the inside dope, Uncle Scrooge! What fun, now they're making Rogers burn some cred! They haven't really made him lie through his teeth yet. Clapper's got no cred left, after lying to congress and totally getting away with it, he's officially full of shit to the hairline, so to speak, so it's no skin off his nose. Operation BOZOHONKHONK is proceeding according to plan! After the climactic intelligence failure gets revealed, it will all be back under the CIA Director just like in the good old days! Then the spooks can all quit and go to Booz Allen and make 10 million a year on MIPRs.

vas pup • January 9, 2015 11:48 AM

@Tim:"[most of] the public statement[s] by a government [LEA/Intel] agency is sure to be subjected to baloney-shaving." Tim, I added something inside as I see it.
See, when your day-by-day job is using as a tool lie to the suspect, defendant; entrapment - you name it, your personality is changing as well. Personality spreads through all your social roles including outside direct work responsibilities. That is objective trend. Trust but verify should be used in reverse order: Verify first, then trust.

JustReading • January 9, 2015 12:08 PM

If they are so sure, why did they not stop it? Why do Americans pay taxes to fund these ridiculously expensive spy programs if they can not stop that which afterwards they are "so sure" about? After this bluff the credibility will definitely be tainted.

And on another note, what shall Iran do? Germany? Brazil? The whole Globe to "retaliate" on millions of compromised devices by the State is now retaliating?

Gerard van Vooren • January 9, 2015 12:33 PM

@ JustReading

And on another note, what shall Iran do? Germany? Brazil? The whole Globe to "retaliate" on millions of compromised devices by the State is now retaliating?

That remark reminds me of the 1982 Siberian pipeline sabotage [1].

Revenge for that, ... I should say ... "Proportional Actions", what would that look like?

[1] http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

nonsense • January 9, 2015 1:00 PM

"I heard the Director of National Intelligence (James Clapper) and the NSA/Cyber Command leader (Admiral Michael Rogers) echo the message: The North Koreans did it."

You don't say. All together. Acting as one. Hmm.... yeah.

There's enough documented American history with all three agencies misleading voters for some geo-political goal. Their words don't make NK more or less likely. It also fails to explain the scale of the data transferred.

Sounds like they want a war. In lieu of a war, more sanctions.

Matt • January 9, 2015 1:04 PM

On the flip side, maybe it was the North Koreans all the time. The FBI KNOWS this because the FBI / CIA / NSA has been watching this attack traffic for months. Unfortunately they are not allowed to say this because doing so would indicate they were spying on US companies on US networks within the US (though everyone knows they do this already).

They also can't say that they saw this in progress because they would be liable for not notifying Sony that an attack was occurring.

If this IP address is really one used by the North Koreans, don't you think the NSA would have been monitoring it all the time, looking at all the network traffic, not only that from Sony?

The NSA probably knew about the attack once it started. If not, what good is it to tap the entire Internet all over the globe?

Stephanie E. Bor • January 9, 2015 3:07 PM

I appreciate reading this commentary on the evolving North Korea/Sony hacker security situation. Bruce, I am curious about your thoughts on how this story is influencing Americans' trust and perceptions of international relations. I know you have spoken about this topic before (https://www.schneier.com/news/archives/2012/04/cybersecurity_scient.html) and it would be great to hear your opinion concerning this topic.

JonKnowsNothing • January 9, 2015 4:01 PM

Even if the FBI could prove how many angels dance on the head of a pin, I wouldn't believe them. If you haven't lived long enough to know now, you will soon enough.

Their motto:
If it didn't happen - make it up. If it happened - cover it up.

You can see the 3Letter Guys working over time between the NKorea IPs and the Charlie Hebdo (Paris) shootings. The blood isn't even dry yet from horrendous incidents in Paris (Charlie Hebdo) and the agencies are already beefing up "The Story".

MI5 wants MORE powers - they have everything they want now - hard to imagine what else they "need" but "you can never have enough security" it seems.

ht tp://www.theguardian.com/uk-news/2015/jan/08/mi5-chief-charlie-hebdo-attack-paris-andrew-parker
(url fractured to prevent auto-run. remove the space from the header)

They also want to make sure that encryption doesn't get a toehold on anything. That there's only 1 unbroken version of encryption left seems to be a sore point.

ht tp://www.theregister.co.uk/2015/01/09/mi5_boss_surveillance/
ht tp://en.wikipedia.org/wiki/Alan_Turing
(url fractured to prevent auto-run. remove the space from the header)

MI5 is just livid over the Snowden Effect and you will notice a very distinct lack of coverage of such issues in British papers - including the Guardian, which has gone dead silent. The UK has loads of brand-new anti-privacy and surveillance powers specifically to prevent the publication of "un-approved news" regardless of the source, country of origin or documentation. Australia passed the same legislation for 2015. Based on USA legislation but without the, now-defunct, aspects of the US Constitution to worry about.

Joe Hill • January 9, 2015 4:06 PM

"Unfortunately the FBI lost all its reputation and it is well known for making evidence up and lying just to have a case against someone/country"
(1) Too bad you don't bother to provide any specifics beyond that vague assertion.

Why what's this? A story right out of yesterday's paper ...

Convicted ‘eco-terrorist’ freed amid claims FBI hid evidence

http://www.sacbee.com/news/local/crime/article5641188.html

Sancho_P • January 9, 2015 6:45 PM

So Russian spies found the thumb-drives Clapper lost at the garage and attached them to the hotel’s network?
Nice.

65535 • January 10, 2015 6:53 AM

@ JonKnowsNothing

'MI5 wants MORE powers - they have everything they want now - hard to imagine what else they "need" but "you can never have enough security" it seems… They also want to make sure the encryption doesn't get a toe hold on anything. That there's only 1 unbroken version of encryption left seems to be a sore point.’ - JonKnowsNothing

Yes, it looks like a well choreographed excuse to expand spying and defeat encryption.

We are now hearing calls to instate CISPA [which shields companies from liabilities while handing over customer data in bulk to the government]. This is a huge expansion of State Surveillance and should not be allowed.

‘The Sony hack, however, was severe enough for the Obama administration to consider it a "serious national security issue" on Thursday.’ –zdnet

http://www.zdnet.com/article/white-house-wants-congress-to-revisit-controversial-cispa-style-cybersecurity-laws-after-sony-attack/

[Pushed by Admiral Michael Rogers and Dutch Ruppersberger D-M.D.]

"I believe to be successful, we ultimately have to provide the corporate partners that we would share information with some level of liability protection." — Vice Admiral Michael Rogers, March 2014

http://www.zdnet.com/article/congress-nudged-by-nsa-nominee-to-revive-cispa-as-intelligence-reforms-take-shape/

“…perhaps Ruppersberger could explain how CISPA would have prevented the Sony Hack? Of course, he can't, because it wouldn't have helped.” – Techdirt

https://www.techdirt.com/articles/20150108/16595129639/hey-everyone-cispa-is-back.shtml

BlueLightMemory • January 10, 2015 6:03 PM

Comey said. "Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using...were exclusively used by the North Koreans."

In this case regarding the North Koreans, I really don't believe Comey's simplistic explanation of how the FBI determined it was the North Koreans doing the hack on Sony. Comey, I'm calling you a liar. You're a disgrace.

GreenSquirrel • January 10, 2015 7:04 PM

I am confused.

People who make a living out of security appear to be taking these comments as actual evidence. The US has some of the best security people in the world yet....

And he named several of the sources of his evidence, including a "behavioral analysis unit" of FBI experts trained to psychologically analyze foes based on their writings and actions.

This really isn't evidence. Criminal Minds is a great TV show, but on the whole this is snake oil.

He also said that the FBI compared the Sony attack with their own "red team" simulations to determine how the attack could have occurred.

Also, not evidence. This is dangerously close to "circular reporting" in that the red team do what you think the enemy will do, so if you think the enemy is the enemy you think it is, your red team will do what happened. This is a dangerous mistake for intelligence and security professionals to make.

And perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.

Close to evidence but not actually believable.

This would work for me if:

  • It had been announced early on without being draped over the snake oil crap first.

  • It can be demonstrated that these URLs were not spoofed or evidence of a hop - given that so many other IPs were discounted as this - it's a bit like saying "hey, look, they used 2000 IPs but 10 were French, they must be the ones which weren't spoofed or used to pivot the attack"....

  • We can see that the ONLY way to use those IPs in the manner detected is to be a North Korean Uber Hacker for the Government.

  • These hackers are simultaneously super skilled enough to pwn Sony (following all previous news releases about how skilled they were, how unstoppable etc) but were also script kiddie enough to not mount all attacks via a jump box.

On the positive side, at least we are getting some information now - even if it isn't very comforting.

Sancho_P • January 10, 2015 7:22 PM

@ GreenSquirrel

Let’s assume the reported IP is true ( ! assume, not evidence) because he said it.

But where is the connection to the NK regime’s involvement?

Clapper probably used that very same IP when visiting NK.
Is that any hearsay or even "evidence"? Was it him?

Clive Robinson • January 10, 2015 9:00 PM

@ Greensquirrel,

Whilst it might look like "we are getting some information now", I don't think it's relevant let alone attributable.

Let's put it this way: "words" are just sound waves; they only have power in others' minds if they hear them and comprehend them correctly, otherwise they are just noise. Humans however don't like noise; our brains create patterns from it and act on these invented patterns even though they are not real. Thus what the brain thinks it hears might not have been what was said [1]; it's why over 90% of verbal communication acts like error correction for the 5% or so that is the information to be communicated.

From similar visual effects, it's safe to say that any pile of random bits of information can be put together in the mind's eye so that to that mind it makes sense, even if it's actually garbage.

The problem is if their brain turns it from noise to random words and phrases and writes them down, the next mind in line reads those words and phrases and fills in blanks etc and turns them into sentences, and the next brain puts them together as a communication [2].

Only it's not real information it's made up from people wanting to see something that is either not there or something else entirely. Which falls prey to "confirmation bias" issues. If you look at the phrasing used to present this information you know it's just more word games and probably not reality.

It's why I always try to sanity check any interpretation against raw intel where I can. And although I doubt very much we will get the raw intel, I am still seriously doubtful about what we are being asked to have faith in.

After all, we have to consider the old "one man's meat is another man's poison". That is, 'is it an accidental mistake by the hackers' or 'a deliberate mistake' to cover tracks etc.

The little that has been said of the time line suggests that if it's a single group of hackers, whoever they are, they are opportunistic in nature, grabbing what they can to further their cause or hinder investigators. We might also be dealing with more than one group of hackers with different aims and objectives; if this is the case, as some have suggested, then this new information could be a product of confusion in investigators' minds.

The other thing to consider, is this is by no means the first movie depicting the NK leadership in a bad light for crass humour, how did NK behave before, and in what way is it different...

As presented it's not really information that can be said to be valid; it has too many invalid assumptions behind it, and has all the feeling of an "effect" being badly argued back to an assumed "cause". Which is why I'm sticking with the more likely "insider / ex-insider" seeking retribution for now, simply because there is nothing of sufficient merit to say otherwise, and yes I know you cannot use Occam's razor on humans, but likewise you cannot build castles in the air, made of pink sugar and pixie dust, which is what this information reads like.

[1] The old joke of "Send three and fourpence I'm going to a dance" heard on a field telephone instead of "Send reinforcements I'm going to advance" being just one example.

[2] This is how "Chinese whispers" form.

Bruce Schneier • January 11, 2015 9:39 AM

"I appreciate reading this commentary on the evolving North Korea/Sony hacker security situation. Bruce, I am curious of your thoughts on how this story is influencing American's trust and perceptions of international relations?"

I honestly have no idea. My impression is that most everyone in the US has accepted the FBI's statements at face value. It's only us computer-security people that are skeptical.

SoWhatDidYouExpect • January 11, 2015 10:32 AM

This was also noted elsewhere:

Since the original announcement indicated that "evidence" was a state secret, and now such "state secrets" are being revealed, wouldn't this be considered a crime?

Since the new release of information only occurred AFTER pushback by the community, shouldn't that release just be considered PR in an attempt to keep down the hue and cry?

If in fact the spooks have a solid case, they should reveal EVERYTHING about it. If any retaliation was attempted, they should say NOTHING. What has been said so far (by the powers that be) is generally not in our best interests.

hoodathunkit • January 11, 2015 10:54 AM

"I honestly have no idea. My impression is that most everyone in the US has accepted the FBI's statements at face value. It's only us computer-security people that are skeptical."

That's because (generally) the FBI has real-world, real people experience and what you call computer security people have only desktop experience. It's fine and dandy to nitpick and armchair quarterback, but boots-on-the-ground beats hindsight every time.

In crime, like ANY break-in, robbery, or murder case, there is seldom certainty; the US standard for its own citizens is the extremely liberal 'beyond a reasonable doubt'.

For international relations the world's standard has always been more toward 'preponderance of the evidence'; i.e. more than 50% probability, if that. The naysayers can always show some doubt, but none have shown a coherent alternative to the US government's conclusions.

Nick P • January 11, 2015 11:18 AM

@ SoWhatDidYouExpect

Publishing the full data might tip off the opponents on their sources and methods. Neither intelligence agencies nor law enforcement will typically do that. That's why I'm pushing for a trusted third party to vet the evidence at the least.

@ hoodathunkit

I think the "revenge by laid off employee" alternative is actually a strong alternative. It explains many of the facts of the case. Layoffs included IT staff, and were made by management that bragged about how they skimped on security for profit. This scenario has precedents. A variant of it has one or more insiders working with Korean hackers in it for the lulz. Probably met them surfing hacker forums for revenge opportunities. Hackers already hate Sony in general and would jump at an opportunity to teach it a lesson given the employee's new information. This scenario has plenty of precedents.

So, we have the government narrative based on secret evidence plus two reasonable alternatives based on published evidence. I only act on evidence I can evaluate, so I'm going with the latter until the government allows their evidence to be vetted somehow. Plus, they're stoking cyberwarfare with this as an example and we have a lot more to lose if that gets popular.

GreenSquirrel • January 11, 2015 1:12 PM

@Bruce

I honestly have no idea. My impression is that most everyone in the US has accepted the FBI's statements at face value. It's only us computer-security people that are skeptical.

I think you've hit the nail on the head here.

It appears that the vast majority of the population of the world have taken the FBI's comments at face value, but the vast majority of people who work in technical security roles haven't.

This is interesting on so many levels.

If nothing else, it highlights the fact that the information being provided is being provided for a specific purpose, and impressing security types isn't that purpose.

However, on a lighter note, if I was ever hiring US security professionals, I can now be reasonably sure that if they have FBI on the resume/CV, then I'd have to doubt their abilities....

GreenSquirrel • January 11, 2015 1:21 PM

@hoodathunkit

That's because (generally) the FBI has real-world, real people experience and what you call computer security people have only desktop experience. It's fine and dandy to nitpick and armchair quarterback, but boots-on-the-ground beats hindsight every time.

Erm, what?

Did I misread this?

There is a reasonable chance that at least half the people involved in discussions on this blog have significantly more "real-world" experience of dealing with computer attacks, hacking attempts and other remote-access mischief carried out by a whole range of threat actors from stereotypical snotty teenagers with metasploit to criminal groups so well funded they put most governments in the shade.

The attribution problem with internet based attacks is not addressed by having experience in talking down a bank robber holding the teller hostage.

The reality is that people with experience in this sort of activity are the ones saying they doubt the FBI claims. The people with no experience other than watching police procedural shows on cable TV have accepted it at face value.

For three months now, the FBI has been part of the "manhunt" into the people who hacked the celebrity iTunes accounts and leaked personal photos. There is no indication that they have been able to even hint at which country the attack came from and this is very much a script kiddie type assault on a system with some excellent logging.

Funny how quickly they can track down UberSkilled Nation State hackers but failed to get anywhere with the 4Chan script kiddies...........

GreenSquirrel • January 11, 2015 2:46 PM

@Clive

That is 'is it an accidental mistake by the hackers' or 'a deliberate mistake' to cover tracks etc.

I think this is one of the more interesting bits I'd like to know more about. What is there that made the FBI decide this/these IPs were the real ones and all the rest just smoke and mirrors?

The cynic inside me says they don't.....

I know you cannot use Occam's razor on humans

I still try though.....

:-)

uh, Mike • January 11, 2015 4:47 PM

On a lighter note, you know how you can push crayfish around in the dark with a flashlight? Someone is doing that with the spooks.

BlueLightMemory • January 11, 2015 6:03 PM

"That's because (generally) the FBI has real-world, real people experience and what you call computer security people have only desktop experience. It's fine and dandy to nitpick and armchair quarterback, but boots-on-the-ground beats hindsight every time."

Hoodathunkit, you sound like an FBI employee, are you?

It really doesn't matter if you are or not because your comment made me laugh. The first thing that came to my mind when I read your paragraph was that the real world experience of the FBI is lying and trying to cover up the extent that the FBI spies unconstitutionally on American citizens' internet activity. I also can't help but be amazed at the real world experience of the FBI in letting Fast and Furious, contempt of Congress Holder continue to get away with his crimes.

SoWhatDidYouExpect • January 11, 2015 6:19 PM

@NickP:

Your comment implies the recent spook revelations are simply PR to hoodwink the populace. We need to consider that the spooks DON'T have full data to push and it is all politicized PR. After all, we shouldn't be publicly involved, since it can be considered a Sony of Japan issue. If we stay silent, they don't know what we know and are unable to judge our abilities or react intelligently. We want them to talk but we shouldn't.

Kurt • January 11, 2015 6:19 PM

GreenSquirrel,
"It appears that the vast majority of the population of the world have taken the FBI's comments at face value, but the vast majority of people who work in technical security roles haven't."

I think it's safer to say most of the population of the world doesn't give a f*ck or they are way too accustomed to typical bullsh*t stories from above (ex. Ferguson as a bad example). This type of stuff also becomes memes and it grows (cumulative?).

ConsiderIT • January 11, 2015 6:27 PM

I don't have time to read through all these comments, but what I see so far, from many of you, does not bode well.

Some of these comments lead me to believe that a portion of our infosec community is filled with conspiracy theorists. That scares me. Those are not the kind of people that industry and government need in charge of the increasingly vital interconnected infrastructure that powers huge portions of our daily lives. Take a step back, remove yourself from the situation, and evaluate it without bias, considering only what you can verify. It would help if you had a modicum of understanding concerning international relations & geopolitics. I am not a specialist, and would never claim to be an expert.

What I do know: there are 17 organizations that make up the US Intelligence community. Most of you are probably only familiar with three. Seventeen, each responsible for their own respective field. Details are rightfully classified, but the disclosed budget accounts for salaries of 100,000 people. This is a very low number, when we recognize the vital nature that contractors play. The US Intelligence machine is an unstoppable force when it gets rolling. The FBI is a vital member of that community, and their statement is:

"An intelligence-driven and a threat-focused national security organization with both intelligence and law enforcement responsibilities, the mission of the FBI is to protect and defend the United States against terrorist and foreign intelligence threats, to uphold and enforce the criminal laws of the United States of America." Being well known and operating primarily on US soil, their presence is more visible. They make more public statements, and are responsible for gathering evidence for criminal prosecutions. They are highly effective on their own.

The point of this post though, is to remind all that the FBI is not alone in this investigation. The entire intelligence community is involved, and specialists from the private sector. Intelligence fusion and cooperation between agencies, as well as help from allied counterparts in foreign countries, have improved our intel capabilities exponentially.

If the FBI is making this accusation, it is NOT without merit. Technical analysis of the attack will be combined and cross checked with human intelligence gathered by the CIA overseas, signals intelligence by the NSA, etc.

There is a lot at play. Have your opinion, but respect the intelligence community, here and abroad.

Bottom line: You simply don't have the access to form a valid conclusion. All the technical ability doesn't mean shit versus global intelligence. End of story. I respect opinions, hey that's why people do what they do; to protect your rights. You repay them by blasting their loyalty, skill, and credibility on the internet. Ungrateful pricks.
This is only directed at the offensive & uneducated people whose posts did nothing to contribute to the conversation and everything to remind us that many of you don't deserve the rights and lives you have. Show some respect.

Had to get that off my chest.

Nick P • January 11, 2015 7:09 PM

@ ConsiderIT

It's actually worth considering that they might be full of it or simply misled by hackers because it's happened before. Those hackers were barely trying, too. All of your post about them working hard to protect us and being trustworthy was disproven by the Snowden leaks among other things. In fact, they were working closely with NSA in secret to insert weaknesses in our entire infrastructure and poison security solutions while publicly telling us they were trying to protect us from adversarial hackers. In English, they said they were doing one thing for one reason and were secretly using their LEO power to do the opposite for slightly different reasons. Far from conspiracy theory, this is a fact in documents the U.S. government acknowledged as authentic.

So, they're not the kind of organization you speak of at all. They're an organization led by deceitful politicians whose agents are a mix of people protecting us from real threats, people prosecuting harmless people breaking rules, and people who protect their political agendas. I appreciate the portion of the FBI personnel who protect us from criminals. Unfortunately, I don't know if they're the source of this information or if it's from the others. Additionally, their prior screwups in similar situations plus an agenda promoting cyberwar mentality makes me concerned for potential bias.

I'd be satisfied if they showed their evidence (under NDA) to GAO or an independent group of INFOSEC experts that each side favors. The reviewers would also have a list of potential concerns (esp common attribution errors). If reviewers agreed with FBI's analysis, I'd call it proven beyond a reasonable doubt and go with it. Otherwise, they might be supporting the militarization of the Internet with more dubious claims like they've done in the past.

Wael • January 11, 2015 7:26 PM

@ConsiderIT,

"You simply don't have the access to form a valid conclusion."

It's all speculation. I don't remember anyone saying "This is what happened". And that's to be expected when facts are not available.

"a portion of our infosec community is filled with conspiracy theorists. That scares me."

That's jUst Freakin' nOt true! Boogie boogie.

Taken • January 11, 2015 8:28 PM

Doesn't Sony have a log of what was downloaded, when, and at what speed that can conclusively determine if it was an insider or a hacker?

Actually Skeptical • January 12, 2015 12:35 AM

@Nick P

Thank you for the excellent response to ConsiderIT. I would only emphasize your point about the nature of this quasi-anonymous forum.

Based on what we now know post-Snowden, we must all take anything coming from - even a multitude of commenters - as quite possibly a state funded miseducation campaign. It seems an easy and obvious enough technique to "shape the human terrain" to throw a few contractors at the task of, as best they can, eloquently and insightfully taking the best positions of their political and philosophical opponents, and then mixing in some inflammatory trolling. I'm pretty sure that much of cybersecurity in the years prior to Snowden's whistleblowing was basically the result of a bunch of sockpuppet accounts ensuring that any accurate public forum discussions on cybersecurity were directed in ways that would maximize their overall tactical advantages. Even Corbet over at LWN is publicly lamenting 'sockpuppet' commenters these days. Look at how little journalistic investigation has gone forward - even if just getting on-the-record non-denial denials - relating to the NSA's 'deconfliction units' tasked with ensuring that government actors in public forums didn't accidentally troll one another, instead of non-government targets.

Seriously ConsiderIT, if you are not just a sockpuppet, can you not see how Nick P's answer, and the parts I've highlighted specifically, are not valid reasons for you to realize your rant was perhaps misguided and/or misplaced?

Wesley Parish • January 12, 2015 12:46 AM

Not good when a government relies on the credulity of its populace rather than its own credibility.

"They told me I was gullible, and I believed them!"

Nick P • January 12, 2015 11:43 AM

@ Actually Skeptical

You're welcome. The other angle is something we should consider. However, we can't know for sure who's a sockpuppet and who's giving their individual opinion. The media problems mean a lot of people genuinely believe the programs are necessary, the government is behaving well enough, corruption is at a minimum, and so on. Just look at the polls on various issues: the other side is far from single digit percentage.

ConsiderIT's post indicates he or she fully supports the law enforcement and intelligence community. This might indicate right-wing politics, being employed by them (not as a sockpuppet), having friends/family in those fields, believing what they see on crime/intelligence-related TV shows, being a sockpuppet, and more. Many inspirations are possible for such a post. Declaring it a sockpuppet, talking about psy ops, etc serves no purpose in convincing that commenter or like-minded readers.

So, instead, I look at the points made. I try to understand them and their underlying assumptions. Then, I challenge both with hard evidence that attempts to show the commenter the reality of the situation. I might leverage that to justify different view points other commenters and I are pushing. This has led to success in cases where the person wasn't a diehard believer in what they promoted. Those people are now more cautious about claims based on secrets by scheming organizations.

So, that's why I do it this way and that's why you'll rarely see me accuse someone of sockpuppetry if NSA/FBI/CIA are the issue. I was more likely to do that when Bruce doghoused a company for BS security. The sockpuppets came flowing in to troll him in such an obvious way you were almost guaranteed to be right if you made an accusation. Plus, the Moderator would point out the fools often used the same IPs. Lol.

Rain, Rain • January 12, 2015 3:31 PM

I wonder if Sony stands to benefit by having this classified as an attack by a state. I seem to recall that President Bush first referred to the 9/11 attacks as an "act of war," but then backpedaled, at least in part because insurance coverage for the Twin Towers explicitly excluded damage caused by acts of war. It seems likely Sony didn't have much if any applicable insurance coverage. Would an "act of war" designation, even if not a formal declaration, be useful to Sony in defending against employee or shareholder lawsuits?

Jarda • January 16, 2015 6:08 PM

And where is the line between a badly masked and a well spoofed IP address?

Americans, please, take to the streets and force the government to dissolve the FBI. They are a bunch of expensive and useless bumpkins.
