Good Article on the Sony Attack

Fortune has a three-part article on the Sony attack by North Korea. There's not a lot of tech here; it's mostly about Sony's internal politics regarding the movie and IT security before the attack, and some about their reaction afterwards.

Despite what I wrote at the time, I now believe that North Korea was responsible for the attack. This is the article that convinced me. It's about the US government's reaction to the attack.

Posted on September 28, 2015 at 6:22 AM • 42 Comments

Comments

Paul RenaultSeptember 28, 2015 8:12 AM

Uh, can you really trust what's printed in the New York Times?

They have been co-opted by the US government before, lots of times. And have repeatedly been chastised about it, and have repeatedly promised to never do it again... And yet we have, quoting from the linked-to NYT article: "... according to the officials and experts, who spoke on the condition of anonymity about the classified N.S.A. operation."

Chastisements:
https://theintercept.com/2015/07/21/spirit-judy-miller-alive-well-nyt-great-damage/
http://www.nytimes.com/2013/10/13/opinion/sunday/the-public-editor-the-disconnect-on-anonymous-sources.html
http://publiceditor.blogs.nytimes.com/2013/10/03/an-unacceptable-headline-atop-a-questionable-article/

NYT mea culpa:
http://www.nytimes.com/2004/05/26/international/middleeast/26FTE_NOTE.html

It's as if the editors and most/all of the reporters at the NYT have the memory retention of a killer wasp (as mentioned in 'The Selfish Gene').


GreenSquirrelSeptember 28, 2015 8:27 AM

I still remain very, very sceptical about the attribution of the Sony hack to the Evil North Korean Ninja Cyber Warriors....

To much of it seems "wrong" and the claims are, largely, sort of self-contradicting. Even if we take everything the government has said here at face value, it is weak evidence and implies that not only are the NorKs not able to counter this (or use non attributable devices) but that the NSA were aware but allowed the attack to happen.

Given the state of Sony's security and its general approach to spending on security, it is just as likely that a 15 year old bedroom hacker breached the network and everything else we see is just smoke and mirrors to save face.

SJSeptember 28, 2015 10:30 AM

I find one detail of the article odd.

There's more than a little discussion about a film depicting assassination of a national leader (both in the Fortune article and in their reporting of intra-Sony-Pictures emails).

Somehow a film from 2006, entitled Death of a President, is entirely forgotten.

It's apparently not mentioned intra-Sony before the release of The Interview, and it's not been mentioned yet in the Fortune article.

Harry FergusonSeptember 28, 2015 10:50 AM

Would agree with @Paul Renault.

Two words: Judith Miller.

Perhaps our fearless tech luminary forgot how then Director of the CIA spokes of intelligence "slam dunks" regarding Iraq or how former Secretary of State Colin Powell dished out those ridiculous photos of mobile weapon labs.

To express faith in anything anonymous govt. officials tell us is not the hallmark of a critical thinker.

"The department does ***not*** engage in economic espionage in any domain, including cyber."

https://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html

I rest my case. Really Bruce, this is disappointing...

d33tSeptember 28, 2015 11:04 AM

Hmm, when you get words like NSA, Obama, Clapper, Comey, New York Times et al in the same article, Lies, Lies and more Lies is really all I'm reading.

Also: "Mr. Obama is cautious in drawing stark conclusions from intelligence, aides say."

When has Barack Obama ever been cautious about his speech, especially when presented an opportunity to tell more lies? (or "drawing stark conclusions") I will admit, that all of the statements I have heard him utter going back to well before he was elected president, are carefully engineered to mislead (cautious?).

Also, I don't consider Sony an American (US) target. A foreign target on US soil maybe. They are also a very well hated company. Hated by legions of many. North Korea is also widely despised by many. The United States is also hated by many throughout the galaxy these days. (thanks to several of the Bush ilk, NSA and CIA .. I know redundant)

The way things went down in this operation, it appears to have been a well planned setup to get several targets at one time (or get them to get each other). China and North Korea in some part depend on food that comes from the US. Specifically Hollywood (California). If the US is the target, where is the strategy in attacking your picnic basket? Sort of like a "false flag lite" maneuver.

This cover story rehash, looks like an attempt to use a scandal that has moved out of public attention to justify future moves against both China and North Korea. Maybe they'll figure out some way to incorporate blame directed at strong encryption, narcotics and handguns too? Sony does feature all 3 often in violent, espionage packed block busters.

None of these people (agencies, countries, corporations) has a shred of credibility now. All just my opinions, and they were quite different 34 years ago. The truth has set the bull free.

Clive RobinsonSeptember 28, 2015 1:12 PM

@ Bruce,

There has been no evidence presented that is in any way credible or for that mater meets the minimum requirment of evidence at any level that it was North Korea.

Further it has been shown how easy it would be to fake much better evidence against North Korea.

For a country that lacks anything in the way of operating systems and applications similar to those used by SPE you would have to ask where the North Korean's got the "expertise" from.

South Korea has been known to blaim every high tech attack on North Korea, including sophisticated and artfull attacks against GPS.

Something does not add up, either North Korea has a sophisticated cyber team trained to very high levels or they do not.

If they do then they would have easily been able to attack in a way that would have caused even more harm and considerably more embarrassment to SPE to the point they could have put them out of business, all without any traceability.

The level of attack and the way things became released still is a much stronger pointer that it was an insider or recent insider, settling score against rather obnoxious, arrogant and not overly bright senior Managment. SPE had been hacked several times and failed to take any real increase in security measures prior to this attack. Since it and the senior managment became a laughing stock they have taken action to try and shut the stable door. From an insider security perspective, this attack achieve the start of what needed to be done.

Thus without credible evidence to the contrary --which the NYT does not give-- my penny is still on an insider or recent insider directly or indirectly, to settle scores.

Further the attack also turned a film that was reputed to be a compleate rotting turkey into rather more of a box office taker than it would otherwise have been. The fact that the story about NK and this festering mess only happened some time after the original attack and appeared to start with US Journos not the attackers leaves a big big question mark hanging in the air.

Something smells distinctly fishy, and it's not the smell of Squid in a NK processing plant...

So untill firmer evidence comes to light, I'm going to stick to the "follow the money" technique and that lands me back at SPE's door which ever way you follow it...

I'm sure others will disagree --as is their right-- but they need to present a much better argument than "I've been told by some government blowhard who is not prepared to provide facts or face up honestly to what they allegedly claimed".

It seriously worries me just how far the US Newspapers have fallen in standards, they publish nonsense and pretend it's news...

Further I would take a serious look at those in senior positions in the NYT especialy the back ground of a UK ex-pat, and also the actuall origins of that "stay afloat" Mexican money...

Who?September 28, 2015 1:29 PM

From the New York Times:

according to the officials and experts, who spoke on the condition of anonymity about the classified N.S.A. operation.

Staff of one of the most secretive agencies in the world talking to a newspaper about a yet-classified operation? Without taking extra-paranoid opsec measures? Without leaving the country forever? Without even hidden the fact they are officials and experts?

Sorry, I do not buy it either.

It looks more like the NSA attacking Sony while saying "look, it is happening! the bad guys are here. we need more legal powers, our budget must increase."

albertSeptember 28, 2015 2:37 PM

Good comments so far...

I'll summarize a few problems with this:

1. It's the NYT, proven by its recent history to be a media outpost of the State Dept.

2. "...largest destructive attack against an American target...". It's a freakin' MOVIE COMPANY!. AshleyMadison ruined more lives, and the OPM incident was much more serious, and Sony probably made more money because of it.

3. DPRK must always be seen as the primary bogeyman.

4. Proof by proclamation is no proof at all. It's propaganda, masquerading as security theatre, masquerading as news.

I'd be very surprised if NK did this. Surely they know about the Streisand Effect. I think someone hacked Sony (not renowned for their security), and the IC decided to take advantage of the situation. It's also a dumb move the attribute any attack to anyone, other than anonymous hackers. How many corporations do nothing about their computer security, then piss and moan when they get hacked? Telling a state actor, 'we know you did it', informs him of your attribution skills, but reveals your lack of security protections. What is the end game? Warn 'em, then bomb 'em? A devastating computer infrastructure attack would be much more destructive to us, than to NK.

It's so much BS. Somebody explain to me why this is so earth-shaking, because it you think it's something, you ain't seen nothin' yet.

Excuse me while I don't believe anything the IC, the POTUS, or the USDoS says*.

................
* refer to the fable of The Boy Who Cried Wolf

. .. . .. _ _ _

ErikSeptember 28, 2015 3:27 PM

Sadly, I have to agree with most of the comments above. The NSA has shown on multiple occasions that it's willing to put out bald-faced lies for political purposes, and the New York Times has an inglorious history of printing stuff that's just rank propaganda. Neither source has so much as an ounce of credibility with me anymore, and I used to be one of the True Believers...

albertSeptember 28, 2015 6:18 PM

@Erik,
The MSM is run by the Corporate Elite, in a symbiotic relationship with the military/government complex. It's like a dog with two tails and no head; either tail can wag the dog.

The 56920,32€ question is: Where can you get the facts? The US/EU MSM is out. It takes years of research to read reports and evaluate their accuracy based on unfolding history. Then you get a list of sources who seem to be reliable. For example, IIRC, Knight-Ridder was the alone in the US MSM to actually question the reasons for invading Iraq. The problem is, you don't know until it's too late. Best keep your super-sceptic hat on, and a box of Mortons by your side:).

. .. . .. _ _ _

Sancho_PSeptember 28, 2015 6:23 PM


I stand with Bruce.
Some points that convinced me NK must be the attacker:

1. The have a motive:
Following the “American Dream” Sony strived hard to please NK’s supreme leader, Kim Jong-un, by their decorous, pleasing and tactful masterpiece.
Yet this blockhead didn’t understand and took it as offense.

2. National security’s impotence:
They were vetting NK’s evildoers since years and there were warnings, but they slept behind the wheel. Anyway, they couldn’t have done anything because unfortunately they had to riddle IT security for the sake of global surveillance.
Don’t blame them for inactivity, defense is impossible nowadays.

3. NK’s superior cyber expertise:
NK has invented Windows and the Internet, US only have second hand knowledge.
NK has better public education, clearly they have more and better experts.
Because of their flourishing economy they have more budget at hand than the US.
Sure NK can fly below the US radar.
(please, more taxpayer money for the ODNI’s intelligence, hint - hint)

4. The NYT, the American gov mouthpiece, the APravda, wrote it:
They cited anonymous officials, speaking in anonymity about classified evidence they have heard of by top secret *classified* speaking in anonymity about *classified* cyber *classified* unofficially *classified* very hard facts.


5. The POTUS is convinced, too:
For sure he knows, he’s got all their intelligence - he doesn’t fail - Bush!
However, ”I guarantee you we will win if we have to.”
(me, now standing, plays the national anthem, the right hand up …
- No, at the temple, of course!)

***
There’s only one sour point to the story:
I have a friend who heard about a senior intelligence official, who was speaking on condition of anonymity because he was not authorised to discuss the matter publicly, and confirmed that during the dinner Gen. Clapper had in Pyongyang with his counterpart some USB flash drives disappeared from his hotel suite.
Allegedly the drives contained Sony access pwds and were intended to “lubricate” Clapper’s negotiations with NK.
- But I Am Skeptical.
Just saying what was said …

a simple planSeptember 28, 2015 7:25 PM

Before I sully my mind with "the facts," I'll float the idea that the whole reason for the idiotic film was to provide a pretext for a false- or non-flag attack for which North Korea could plausibly be blamed. Who knows what's still being played out in the shadow regions.

Now, to read the article!

Dirk PraetSeptember 28, 2015 7:54 PM

@ Clive, @ Bruce

There has been no evidence presented that is in any way credible or for that matter meets the minimum requirement of evidence at any level that it was North Korea.

I don't see any compelling evidence either, just a James Bond scenario.

Sam WitwickySeptember 28, 2015 8:27 PM

I keep telling you guys it wasn't North Korea!
You act like you don't know anything about the Decepticons.

KarlSeptember 29, 2015 12:48 AM

I never believed N. Korea was behind the Sony hack, and I still don't believe it. My gut feeling about this hack being about the LuLz is as good as any other so-called evidence I've seen.

Honestly. I'm sure N. Korea has bigger fish to fry than Sony Pictures. What a waste of national resources!

SchneierOwnedSeptember 29, 2015 2:28 AM

You all here seem to miss the point. Except @Wyatt.

We should rather discuss whether Bruce has just shown his blackmail/warrant canari or not. And try to guess who might be the culprit.

65535September 29, 2015 3:10 AM

+1 Paul Renault

The NYT cannot be trusted.

@ d33t

“…when you get words like NSA, Obama, Clapper, Comey, New York Times et al in the same article, Lies, Lies and more Lies is really all I'm reading.”

Yes, that is the way if feel.

Now, I really don’t know who pull-off the Sony attack. But, my hunch is that it was an insider - or a group of disgruntled insiders who did the actual dirty work.

Could NK have influenced those insiders? Yes. Could another group who were in competition with Sony influence said insiders? Yes.

In fact, I sense Sony has made a list of enemies that would trail sparks like a wheel with no rubber.

PeterSeptember 29, 2015 5:19 AM

Talking about whether or not the Sony hack was North Korea is like talking about whether it was a red fox or a grey fox or a brown fox after all your chickens are gone. It's interesting and academic but ultimately doesn't change what we have to do: secure our vulnerable chickens against *all* foxes (even though some of the foxes are helping design the chicken coop).

HenrikSeptember 29, 2015 5:48 AM

I'm not convinced, because nothing that I've seen has changed. The best I heard was the FBI said it was NK, and, although there may have been new developments, I've heard little of them (nor have I looked for them). That said, I think looking at it critically as Bruce did was the best way of dealing with it.

Patrick G.September 29, 2015 8:25 AM

For me it's totally unclear if it was a false-flag operation (US? South Korea? Rogue Hackers? Spectre?) or a hack by North Korea. Since it's all part of the global spy & propaganda game for the parties involved, why should we assume anything said or written is the truth or even close?

P.S.: The more they talk, the less likely it is they tell the truth.
Or so someone said, and it strikes me as odd that the US government agencies were so quick to comment, are so vocal in this case and media contacts got fed so much "insider info" without any agency protesting.
That alone should spark some doubts in my opinion.

IanLBSeptember 29, 2015 8:42 AM

So I attended a security conference earlier this summer, and there was this one very interesting presenter who used to work for Mandiant. At one point, he mentioned the Sony attack (which Mandiant investigated) and how NK was behind it. Without any hint of doubts.

I don’t think my professional network is especially extensive. I’ve worked in the industry for a little more than 15 years now, so I think I’ve been around. And I heard over the last months confirmations of NK involvement from various people I have absolutely no reason to distrust, nor do I believe they are compromising their integrity for the benefit of the US government grand strategy.

Looking at all (well, close to all) the answers here, I see a massive number of people calling shenanigans. There seem to be a general mistrust of anything related to the government; if they have been shown to lie in the past, than somehow it follows that this is a lie too, and we’re all such a bunch of fools to believe otherwise (Bruce Schneier being first in line as it appears). What especially surprises me is how widely accepted this conspiracy narrative seems to be entrenched, not only with a few random commentators, but pretty much everyone. It almost feels like anything related to information security should be politicized nowadays.

Maybe I’m a fool. Maybe I should mistrust my colleagues and instead trust the Internet which seems to have the answers for everything.

Or then, maybe most people around here simply don’t really know what they are talking about, putting instead their trust on a few internet commentators who may not be more knowledgeable, but who are so very happy to fuel the FUD train.

I honestly don’t know what else to say. I think there’s a big cultural issue with how the information security field is being commented, and that the whole question of NK and Sony is only scratching the surface of the problem. And I think we’re doing ourselves a huge disservice that ignoring this cultural issue any longer.

Kim Jong-unSeptember 29, 2015 8:44 AM

It was me already. I'm still pissed at Sony for making it impossible to boot Red Star OS on Playstations.

SchneierOwnedSeptember 29, 2015 9:59 AM

@IanLB "Maybe I should mistrust my colleagues and instead trust the Internet"

You got that point wrong. Maybe Bruce should have quoted people from his professional network, instead of quoting the NYTimes.

Gord WaitSeptember 29, 2015 10:57 AM

Doesn't infiltrating a country's intelligence service computers constitute a cyber attack?
Don't get me wrong, North Korea is in a truly awful state, but it seems a bit hypocritical to get all bent out of shape about their computer hacks when they were victims of a US computer attack..

John BSeptember 29, 2015 12:06 PM

You're still relying on the US government to give you the truth.
Why would NK bother with Sony? Why waste resources on something like this?

albertSeptember 29, 2015 12:33 PM

@Patrick G.,
It was KAOS.
.
@IanLB,
You want something to believe in. You pays yer money and you takes yer chances. With the exception of actual disinformation agents, 'the Internet' is mostly BS and opinions, some true, some not. The IC has wide and deep connections everywhere, and you seldom get accurate information from them; you get what they want you to get and so do your colleagues.
...................
I can't blame anyone for their distrust of the mil/gov/ complex. The old joke about how to tell if a politician is lying, may be true for the IC apparatchiks. I'll say it again: It's a FREAKIN' MOVIE COMPANY! It's not the end of the world.
.
I hate to say this, but it's not the ICs job to 'protect' us from 'cyber' attacks. The military can protect us from physical attacks; that's what they are set up for. Neither they, nor the IC, can protect us from terrorist attacks (which should be viewed as police responsibilities). Computer security begins at home.
.
I believe our infrastructure is much more susceptible to a hack attack than even Sony was, and that it won't take a state actor with millions of won to do it.
.
Personally, I don't give a RSA about Sony or AshleyMadison. They are the canaries in the coal mine.
.
. .. . .. _ _ _

Nick PSeptember 29, 2015 1:53 PM

@ IanLB

Sony shows recurring pattern: Government makes claims, backlash happens, and what should people think of this?

It's a weird situation. I still don't have a fully-formed opinion on it: just different points that I keep in mind in these discussions. I think it's a good, default position for people to be extra-skeptical of pronouncements that call for action on U.S. government's, public agenda. Particularly if it involves the military or their cyber capabilities. The reason is not that they "have been shown to lie in the past." It's that they and the media systematically, consistently deceive the public on certain topics to promote an impression and (they hope) results that the public wouldn't otherwise support.

The Iraq situation was a good example of this. Here's a few things we saw:

1. The U.S. government using forged intelligence data, imagery, and media to support their claims about WMD's. Many of these were easy to spot. People should be tried for treason when media reports it all.

2. Most of the U.S. media, with occasional exceptions, pushed the false information as truth and often cited anonymous sources to further back it. So much for trials. That obvious BS even amateurs debunked was pushed by most media outlets is the worst part and worth remembering: only could've been done on purpose for whatever benefits the organizations received from cooperation.

3. The U.S. mainstream media un-objectively embedded journalists with U.S. troops and largely presented the government's side of what was going on. Foreign media painted a different picture. One notable case, Dora Farms, had most U.S. media reporting on a 100% leadership strike on a palace. BBC sent cameras there to check to find the palace still standing, holes in ground nowhere near it, and lots of dead and/or traumatized children. I can only recall two outlets here contradicting the claims. Such events showed majority were propaganda outlets at least for some topics.

4. In the fall-out, the media covered failures but refused to dig into hard questions that could've led to arrests, terminations, etc. It's almost as if, just as in No2 and No3, they were aiding the activities of the corrupt politicians and military.

These should've already given Americans reason to stop trusting... anything those media outlets say on topics involving U.S. military and politicians. You can't even do "trust, but verify" on sources that unreliable or complicit: must be "distrust, then optionally verify." Latter part is because the rate of false claims in mainstream media on that topic was so high that few have time to separate wheat from the chaff. So, it was rational and sensible to dismiss such organizations entirely until they clean up their act. I did that to Fox during Bush/Cheney administration. Seeing them argue in a trial for right to lie to their viewers cemented that.

So, fast forward a bit to post-Iraq. The media's new bad guy is The Evil Hackers, esp China and North Korea. They're talking cyber-attacks, cyber-defense, cyber-walls, cyber-9/11's... more use of word cyber than any information security (INFOSEC) type I know. Anyway, INFOSEC pro's know that preventative measures, monitoring, & recovery procedures are the main solution to hacker threat. All one can do aside from using paper and memory for secrets. ;) U.S. government knows this, too. So, they should be pouring billions into INFOSEC improvements and training to get a good baseline deployed as wideley as possible.

Instead, we see U.S. government promoting widespread surveillance of Americans, backdoors into all our systems, less rights for us, less accountability for them, cyber-armies, Internet kill switches, and so on. Most media outlets repeat this endlessly and have "experts" to suggest need for same stuff despite it contradicting decades of wisdom in proven methods to reduce hacking risk (i.e. apply INFOSEC). Contractors like Booz that stand to make billions in "cyber" contracts also pushed that nonsense and still do. One hack after another occurs, almost always due to poor INFOSEC, with U.S. government and obedient media pushing surveillance and cyber weapons as the solution rather than INFOSEC. Same pattern as Iraq on a new topic where key players benefit financially and politically on a path that's bad for our country while ignoring real solutions.

The same situation happens with NSA surveillance pre- and post-Snowden. That time the leaks made more obvious the lies of both U.S. government and media. That foreign media would publish many of the capabilities forced U.S. media to cover them more specifically than they might have. They still seemed to do damage control by avoiding efforts to convey just how much risk there was (eg J Edgar Hoover comparison) and avoiding hard questions. Relevant here was NSA via BULLRUN program, etc spending $100-200 mil a year to secretly weaken American security products and standards across the board for surveillance purposes despite this increasing damage foreign attackers can do across the board. If INFOSEC was the right solution, is U.S. government's secret war on it the cause or a major factor in devastating attacks like Sony's? They and Cyber Command were also shown to be covertly attacking China, North Korea, etc. Might our covert cops on these foreign countries cause blowback where their hackers hit us hard and should we stop doing that? These are obvious questions for anyone whose read the Snowden leaks but the mainstream media did little to nothing in that area. Still don't.

So, now we get to the Sony hacks. We see Sony get smashed in a way that looks like when Anonymous hit HBGary Federal except on overdrive. Poor INFOSEC is the cause again with insider risk due to lay-offs and vicious management. Consensus theory is external attack with possible inside help. We see U.S. government instantly claim guilt for NK along with need for cyber-military action. This supports their anti-NK and pro-cyber-attack agendas, which have had much disinformation in past. The media and everyone jumps on bandwagon without any fact-checking or real journalism just like they did with Iraq and cyber-everything. The main source is secret, the corroborators are all anonymous, and nobody should ask any questions. Journalism at its finest...

So, there's a clear pattern of deception for political/military/financial agendas and media cooperation with that deception going back decades. It got stronger in past decade. The Sony/NK situation contains all key elements of this pattern. So, the rational approach is to distrust by default the mainstream position, dismiss any secret/anonymous evidence, see stories like this (or Norse) that provide data on each side, carefully make an opinion, and revise it if necessary as new data comes in. And factor that into both your media outlets of choice and your vote if political corruption is involved.

So, what to believe? Top theories here are (a) NK w/ inside help or (b) hackers w/ inside help that knew how easy it would be to shift blame to NK. Could go either way. The one thing the data makes clear is that the real reason for the damage was (surprise!) horrific INFOSEC. Good INFOSEC might've caught the leaks early while blocking much of the damage. Great INFOSEC, although inconvenient and costly, might have prevented most of it entirely. The U.S. government's malicious intent or incompetence becomes more clear in the contrast between their response and the obvious solution. Their response was same dragnets, secret programs, and military action. The obvious solution was better INFOSEC. Supporting the damage was that most of private market relies on shoddy INFOSEC and doesn't do better. The resulting combo was a 1-2 punch that made the simple attack devastating rather than a nuisance.

The takeaway: a commercial sector and secret agencies pushing weak INFOSEC hard across the board is the real problem. The U.S. government's and media's schemes to push political and financial agendas everywhere is another problem. The Sony situation illustrates the first perfectly while maybe the latter. Regardless of which theory is true, the solution is to have market and government to put billions into stuff that improves INFOSEC baseline instead of what reduces it. The was the solution in 1970 when the Ware Report demonstrated it clearly, that was the solution after many subsequent breaches, it was the solution for Sony, and it's still the solution now before next one. Everyone should start improving INFOSEC posture on their own with whatever help they can find. Clearly, the U.S. government and media aren't going to be of any help: the opposite is in their best interests it seems.

IanLBSeptember 29, 2015 2:57 PM

@Nick P: your post is too long for me to address all your points, but I’ll still do it for a few of them, if only to express how much your experience is far and away from mine.

“I think it's a good, default position for people to be extra-skeptical of pronouncements that call for action on U.S. government's, public agenda”

What kind of agenda is the US pushing with regard to NK? How was the hack used to push this agenda? The only reason people have been talking about it is because Sony is an highly visible corporation. Nobody believes NK is a major player in the state sponsored attack game. So what’s the big deal? Only the people who are absolutely adamant that it CANNOT be NK sponsored, people who seem to have no relation whatsoever with the investigation, make a huge deal about it. The rest of the security community has moved on a long time ago. All I see is a massive kneejerk reaction, and the only reason I can explain it is the fact that a lot of people here are ready to massively politicize anything because they are so used to.

You mention the Iraq situation: why? How is this relevant? So, because medias mislead the public over something 15 years ago, every time the media speaks again it’s also a lie? Even when it implicates different administrations, different services within the US? Even when the lie has let to no reaction against NK from the US? Why would the US even bother framing NK over something like that when they don’t even bother reacting to much bigger threats from the same country? Why spend so many paragraphs on this? It makes absolutely no sense.

Same thing with the reference to the NSA domestic surveillance programs. Why even mention this? How is this relevant to anything? So, because the NSA lied about it, they automatically are lying about anything else remotely involving information security? What about Mandiant? Are they lying too?

When I see so many people mixing all these issues in some big rants, I don’t see people understanding any of these problems, I see people conflicting their fears and apprehensions over things they don’t fully understand.

If there are such a big and massive conspiracy, a deception “going back decades”... why am I not being involved? I’m a corporate security manager at IT company with a world wide presence, before that I’ve work in the utility and financial industry – why did I never noticed it? I worked with some people from the NSA and other security organisations, some of them are family, why aren’t they involved?

It all goes back to this simple point: why is my experience as security professional, and the experience of every other security professional I have worked with over the years, so different from the experience of people on the Internet? Why do people directly handling this shit during their day job aren’t seeing the huge conspiracy, but somehow the internet commentators make huge links between Iraq, the NSA domestic surveillance, and the Sony hack?

You say that we should “trust but verify” and remain skeptical if we can’t, but that’s not what the people answering Schneier are doing – they are actively calling the whole deal a “false flag”. They are actively saying this story is false BECAUSE of the government or NSA involvement, because a “mainstream media” is reporting it. And anyway, who here is even in a position to “verify” anything regarding the investigation? We can’t. So what’s the point in bringing this standard?

You say:

“They're talking cyber-attacks, cyber-defense, cyber-walls, cyber-9/11's... more use of word cyber than any information security (INFOSEC) type I know. “

I’ve NEVER seen any information security professional being bothered with that word. NEVER. The absolutely only place where this seem to be an issue is on the Internet. So again, I just don’t get it.

Either for some reasons I can’t understand, my professional experience and the professional experience of literally even colleagues I’ve ever worked with has been a big farce and we’re just hopefully naive about information security matters even though we are dealing with these things every single days.

Or

Most people here aren’t really infosec professionals, or vastly overstate their involvement in the field, and are spouting heavily politicized opinions because they truly believe they are right and relevant. And if it’s the case, then it means the information security field as a HUGE communication and education problem, because we can’t afford to have conspiracy-driven opinions being considered as gospel by so many people on a blog like Schneier’s. This is a recipe for disaster.

Anyway... I’m done here.

Clive RobinsonSeptember 29, 2015 4:44 PM

@ Gord Wait,

Don't get me wrong, North Korea is in a truly awful state, but it seems a bit hypocritical to get all bent out of shape about their computer hacks when they were victims of a US computer attack...

Now take the next logical step, even a brain dead defence lawyer would make as argument in either pre-trial or court...

If the US are inside NK systems, and those systems were claimed by the US to make the attack against SPE, what level of independence is there?

That is could the US have,

A, Made the attack themselves.
B, Planted evidence on the systems.

At which point it means any evidence the US produces is "fruit of the poison vine" and thus irrevocably tainted beyond use.

Sancho_PSeptember 29, 2015 5:34 PM


@IanLB

You claim to have “professional experience” (and question it of others).
Now most experienced technicians are very careful to judge on the first apparent “fact”, say an error message, or the memory of an operator what he/she saw caused the issue. Technicians are skeptical due to their experience, investigation and proof is their job.

But in this case there is absolutely no such “fact”, nada, only hearsay.
And the source for that hearsay is not trustworthy (sorry to say) seen from history.

So how is your professional experience helpful to decide in this case?
Because someone knew the IP range of NK?

Honest people usually have a gut feeling for fairness, which translates to our justice system as “innocent until proven guilty”.
It means the accused has a standing, there are facts - and a judge.
This may explain why many simply can’t hear unsound accusations.
They want their leaders to be straight, honest and fair.

Also most “experienced” people (not necessarily experts) have learned that it’s much better to shut up then to utter unprovable allegations.
(read unprovable = classified, top secret, not for the plebs)

They eagerly want their leaders to behave matured, not like kids.
They want them to react properly (e.g. looking for and acknowledging their own faults) and not to blindly retaliate, probably against the wrong one.

So you are right when you feel a psychological motivated (but not your “politicized”) backslash here.

Congratz for the rest of your rant, it easily surpasses @Skeptical’s reasoning.

Nick PSeptember 29, 2015 5:47 PM

@ IanLB

"The rest of the security community has moved on a long time ago. All I see is a massive kneejerk reaction, and the only reason I can explain it is the fact that a lot of people here are ready to massively politicize anything because they are so used to."

Most of the security community doesn't study government disinformation or media complicity. They would've looked up a few trusted sources as your original post suggested, read what they said, look at some data, optionally looked at sources with a dissenting opinion, and made a decision. A more important measure is whether people who had rational, dissenting views based on the data changed their mind. Bruce is in that camp and did. I don't know about the others. My own opinion includes NK scenario and one very similar. If anything, the official story came closer to us with implications of insider help in recent report: most of us here thought disgruntled insiders as culprit or aid were likely.

Far as the skeptical reaction, I explained why. I'll hold off on elaboration as you made more points.

"Even when the lie has let to no reaction against NK from the US?"

Whether a lie or not, the U.S. did deliver a reaction. They did these: public condemnation that might affect future negotiations with NK or others; hit specific organizations and individuals with sanctions; probably behind the network outage given their comments alluding to other responses that wouldn't be public. The U.S. reacted for sure with NK's financial system, defense and intelligence organizations being the target.

"Same thing with the reference to the NSA domestic surveillance programs. Why even mention this? How is this relevant to anything? So, because the NSA lied about it, they automatically are lying about anything else remotely involving information security? What about Mandiant? Are they lying too?"

A source is giving you big information justifying sanctions, putting a country on terrorism list, and possibly a cyberattack. This could create a response from that country. You have to decide if you want to (a) believe that source's claim or (b) support it. The first step is assessing the source's credibility esp on similar matters (eg military, espionage). The examples I gave do that in a way that shows a consistent pattern of deception and media complicity with these same organizations leading up to this year with known-false claims like "going dark" due to encryption and lies about NSA programs' legality. Would the organizations that still mislead us for political or military agendas still do that again in a similar space? High risk there.

Note: You say questioning the integrity of a low-integrity source makes "absolutely no sense." I say it's common sense to think a con artist might lie to you. Anyway, it's also standard procedure for intelligence analysts too. I'm just applying their techniques to their claims. Result is a highly-unreliable source that sometimes gives good information that's currently giving information that has significant chance of being true by fitting specific, data points but competes with similarly good claims by more honest sources. Naturally, I stalled at two potentials (one NK) without more data or sources.

"I’m a corporate security manager at IT company with a world wide presence, before that I’ve work in the utility and financial industry – why did I never noticed it? I worked with some people from the NSA and other security organisations, some of them are family, why aren’t they involved?"

You're not the lead decision-maker of an intelligence or military organization. Data flows up, decisions and their justifications flow down. Long ago, Pentagon Papers showed that the whole Vietnam War ran on lies with the truth being imperalist activities that went back 50 years and resulted in the trouble there. Despite everyone involved, from intelligence people to media to solders, so few people knew the big picture in detail that U.S. investigators narrowed suspects down to 3 people almost immediately after publication. Plenty of insiders, like Karen Kwiatkowski, later informed the public of the efforts to produce and push false intelligence during Bush administration. The leakers under Obama administration showed systematic subversions by NSA with many partners and whatever labor $200+mil buys.

Most people, even in those companies & agencies, were unaware of what was going on via need to know and TS/SCI classification. Just talking about it was a potential felony. Given what's in the leaks, there still had to be be hundreds, maybe thousands, that knew pieces of what was going on from their roles. Yet, only one person published evidence of all of it with maybe a half dozen leaking about a few, specific issues. So, there's your ratio of those who are unaware of the truth to those that keep it secret to those that pubish key details. Ratio is actually similar to Vietnam and Pentagon Papers revelations despite time passed & all the changes since then. There's important lessons to learn there in human nature, willingness of companies + government to deceive, and how easily they do it in normal case with few people whistleblowing.

"Why do people directly handling this shit during their day job aren’t seeing the huge conspiracy, but somehow the internet commentators make huge links between Iraq, the NSA domestic surveillance, and the Sony hack?"

You handle attribution/analysis of NK attacks, offensive cyber-espionage, and decision-making for military commands day to day? You might be uniquely qualified to assess this. Otherwise, your job experience in regular INFOSEC has nothing to do with this situation except maybe the following: you recognized and attributed North Korean attacks on the job with ability to assess current data; evaluating Sony's INFOSEC practices based on available data. You can probably handle the second part, maybe the first. Past that, you're operating on 3rd-party claims with little data to use and little bearing to your INFOSEC job. Just like the rest of us.

"but that’s not what the people answering Schneier are doing – they are actively calling the whole deal a “false flag”."

That's what some people are doing. I'm not in that camp as we'd need evidence to justify that claim and I haven't seen it. The data was a ransom, then an attack typical of hacker gangs when no security exists, the vid/language clues pointing to North Korea, a level of access that might indicate insiders, and then claims from government based on secret evidence. So, the discussion and thinking went along paths including each of these.

That said, there is a subset with a "resist and conspiratorialize anything government does" mindset. They mostly stay on infowars.com etc to get daily doses of nonsense, but some similar comments show up here. I doubt anyone here (outside that crowd) would disagree that they exist, are foolish, and should be ignored. They mostly showed up after Snowden leaks because Bruce was one of the people hosting the slids. Very small percentage of comments before that. I wrote it off as it's an open, security blog on the Internet so you see that stuff too. (shrugs)

"And anyway, who here is even in a position to “verify” anything regarding the investigation? We can’t. So what’s the point in bringing this standard?"

We can in several ways. First, we look at the data without any official claims best we can to derive likely hypothesis directly from it. Second, we compare the official claims to the data and to our own to spot obvious issues. Third, we look at the reliability of the sources in similar, prior situations to determine weight that should be applied to their claims. Such approaches led to early criticisms of official story and alternative hypothesis with plenty of precedents. Past that, we can't verify anything because it's all corporate and national secrets.

"I’ve NEVER seen any information security professional being bothered with that word. NEVER. The absolutely only place where this seem to be an issue is on the Internet. So again, I just don’t get it."

I've heard plenty. The term itself doesn't bother people so much as how it's typically used: pushing FUD or bullshit proposals. Nice article here. Real-world, security pro's say computers or online services are compromised due to security flaws. They say the solution is (insert good security practices). The U.S. government and media, on other hand, endlessly talk about cyberspace, cyberweapons, cyberattacks, building cyberdefenses, cybercommands, and so on. All of it usually supports the militarization of the Internet, offensive capabilities, surveillance capabilities, legislation that empowers them, etc. instead of what solves the problem (INFOSEC).

Viewers outside the profession might think there's a whole war going on that requires special, cyber-everything and a surveillance state. Reality: it's just hacking with some better hacking that both require good security practices, investments across the board in IT to improve baseline, no cyber-weapons, and local or corporate monitoring rather than mass surveillance. I'm surprised you haven't noticed this trend in government and media presentations. Unless media had an agenda, their reporting on the solution to all of this would consistently match security pro's claims albeit dressed up for lay people. It doesn't.

"Either for some reasons I can’t understand, my professional experience and the professional experience of literally even colleagues I’ve ever worked with has been a big farce and we’re just hopefully naive about information security matters even though we are dealing with these things every single days."

I can't repeat it enough: the skills and background to assess information security matters has nothing to do with secretive organizations making claims based on secret analysis and how media handles it. You and your pals have probably been doing the real thing, seen the real thing, and so on. So, to illustrate the difference, when is the last time you or your collegues suggested the solution to a business's risk was national surveillance, espionage against foreign countries, or developing/deploying "cyber-weapons" against them? Or did you give them the advice security pro's give about protecting their endpoints, consistent patching, monitoring, recovery procedures, crypto, etc? You know, the things that work that real security pro's promote and schemers with an agenda actively disrupt.

Giving you the benefit of the doubt in thinking that you went with second option: better INFOSEC. The option that got the least attention from U.S. government and media outside the part where Sony failed.

" it means the information security field as a HUGE communication and education problem, because we can’t afford to have conspiracy-driven opinions being considered as gospel by so many people on a blog like Schneier’s. This is a recipe for disaster."

That I totally agree with. Good news for you is that: (a) Schneier's blog isn't representative of the norm, sometimes good and bad; (b) the opinions of most experienced people range from the official story to one similarly supported by data with precedents. Also, I brought up their schemes just for source assessment but based two hypotheses on the data. And all of those views were expressed, discussed, peer reviewed, etc right on Schneier's blog in prior entries.

So, that worked in practice. That many ultra-paranoids showed up with unjustified speculation is just an artifact of it being an open, security forum. They're recently a huge chunk of *vocal* readers but I doubt from years reading here that they represent most of the silent ones. Just a informed guess on that, though...

WaelSeptember 29, 2015 5:51 PM

IanLB,

your post is too long for me to address

Yea it is, but for @Nick P it's quite normal. Here is the one minute and 43 second short version

So, because medias mislead the public over something 15 years ago, every time the media speaks again it’s also a lie?

It's a matter of eroded credibility... Time to build some trust.

IanLBSeptember 29, 2015 6:53 PM

@Sancho_P

Fair enough. Reading my post again I don't like my tone. Should have been less callous. My apologies.


@Nick P

Won't answer your entire post, I understand many of your points. Honestly I don't work in incident remediation anymore, but I work with the people who do, so I don't want to misrepresent myself. But I'll only say this, because it may be a cause of our divergence:

From a defensive point of view, the line between state-sponsored attacks and those of criminal groups (for example) has blurred. The same people deals with both, they don't have security clearances, and they have access to commercially-provided intelligence regarding the APT groups involved. APT are close to common now, and all the big IT companies are almost hacked routinely (but we don't hear about the majority of them). What the NSA is saying about the Sony hack isn't different than what the private industry is saying (or at least the people I spoke too). The former has access to more information, but they rarely share it, so it's not like the industry is relying on it.

DanielSeptember 29, 2015 7:11 PM

"From a defensive point of view, the line between state-sponsored attacks and those of criminal groups (for example) has blurred."

This is true but what is important is that we are responding to these blurring of lines by our attackers by blurring our own lines--blurring the distinction between government and corporate interests, blurring the distinction between the military and civil law enforcement, blurring the distinction between state and federal government. We are responding to the blob by becoming a blob ourselves.

That's exceptionally dangerous. First, it is dangerous because it makes the distinction between attacker and defender difficult for the average person who doesn't really care if his data was leaked from Ashely Madison by the NSA, the North Koreans, or the Pope. When it's gone it's gone. Second, it's dangerous because it is our democratic structures that are one of our key moral selling points. We can look an North Korea and say, "we are not like you" but when we blur those lines we begin to look a lot like North Korea or Iran where all those lines are blurred too.

So the underlying problem with your entire thesis is that it boils down to "it's ok when we do it". That resounds very well in arrogance but no where else.

Clive RobinsonSeptember 29, 2015 7:29 PM

@ Nick P,

Clearly, the U.S. government and media aren't going to be of any help: the opposite is in their best interests it seems

Look at it this way, every time it rains chicken little screams "the sky is falling down", everyone panics and runs around demanding that some one should do something... Only they don't, they only demand somebody do something because they read that's what they are supposed to do in a newspaper. The newspaper gets this idea every time chicken little squawks "the sky is falling down", because it sells newspapers and a bigger circulation means more advertising revenue. They proprietor also knows he can do a deal with a politico to print some FUD nonsense that "biggs" the politico up.

What chicken little the newspaper and politico don't want to draw attention to is horace the horse. Because he's seen it rain so often he knows the sky is not going to fall in, further after observing things for years he knows that nice grass grows after it rains, where as no grass grows when it does not rain. Thus horace knows not only is the sky not going to fall in but it's actual good for everyone.

But as has been noted before "it's bad news that sells most often" and politicos don't say "how nice it is that everything is good in the world" because "good news makes them look pointless".

@ IanLB,

The are two take aways from the SPE attack,

The first is SPE had a bad record not just for InfoSec but just about everything they touched.

The second is that nobody should expect their accusations to be taken seriously unless they can provide evidence not supposition.

So far it's all supposition and accusations and no evidence, let alone credible evidence.

Thus you have to ask why the US President is making world wide public accusations without evidence, that is "What is in it for him?"...

After all without real evidence he is going to look kind of silly to third party countries. If he knew he could not present the evidence then he would be better to say nothing publicaly.

And that's the rub, he's made a public accusation and declined to back it up. Thus you might think he was briefed with "hear-say, presented as facts" and later was told "the facts are suppositions or worse not true".

The argument put forward that "presenting evidence would reveal capabilities" is rather silly because the initial accusation did a huge chunk of that, so that horse has bolted on capabilities.

So as far as it goes, the US President has made a prat of himself over it and many people in third party countries know it.

The fact that many US people believe the NK did it without a shread of real evidence speaks volumes about their belief systems... and does not bode well for future international relations, especially with the war hawks wanting to "take it kinetic...".

Dirk PraetSeptember 29, 2015 7:31 PM

@ IanLB

So, because medias mislead the public over something 15 years ago, every time the media speaks again it’s also a lie?

It was actually the US and UK governments lying and most mainstream media blindly parroting that lie. And they're still doing it on a daily basis. The real question you need to ask yourself here, Ian, is to which extent you are willing to question what your government and media are telling you.

You probably don't read Xinhua, Russia Today or Russia Insider. Besides offering a completely different view on what's happening in the world - which sometimes is interesting and refreshing - they are also pretty biased and in essence parroting the party line of their respective governments. What you need to understand is that Fox and other Murdoch media in the West are doing exactly the same thing.

That's not conspiracy theory, that's just the way it is. As to the SPE attack, I can only repeat what others have said: none of the evidence presented sofar either by the USG or Mandiant would hold up in a court of law, unless of course it would be a secret court with non-adversarial procedures. Which does not inspire a lot of trust or confidence, especially when the accused is a nation state known to be on your governments sh*t list of countries requiring regime change.

Nick PSeptember 29, 2015 8:35 PM

@ IanLB

Now that part of your position makes more sense. The risk at that point becomes whether (a) the initial determination of North Korea for an attack profile is correct, (b) the tracking remains so, (c) nobody else knows about it, and (d) that one was used against Sony. If all were true or done right, then NSA or any commercial vendor could have a strong attribution to NK. If (c) isn't true, then the attribution becomes weaker as misdirection is common and some groups would know how to do it. There's risk in (a), (b), and (d) as well.

So, the real question is "How reliable is attribution in a situation like this if the attackers are sharing tools and maybe hackers? And how reliable is that if even pirate sites scapegoat NK enough to halfway trick news agencies?" Well, odds are good enough that main theory is one of my two top ones. Enough error, esp with scapegoaters, that another party was the attacker. I think these attributions will only get harder as we see more mercenary action in this field and possibly with release of Hacking Team's tools as well.

@ Wael

Haha. I don't follow most politicians but few have said it so well. Great example.

@ Dirk

Another nice summary of key points. A talent I'm long overdue for developing although I thought this one could use some specific details.

@ Clive Robinson

Well-put. Yes, the sensationalism factors into the incentives. The more negative or just eye-catching stuff always gets higher ratings. So, a selection bias occurs to go for plenty of that and even invent it where necessary. Fox built an empire on that trick and others. Then, other mainstream media companies started copying its methods in their own style. Reliability is down so far that we have to work to avoid deception even in routine articles.

Btw, aside from that link, I wonder if anyone has compiled a full list of media tricks on all sides with examples. My old list of disinformation tactics had some, Manufacturing Consent mixes some with lots of theoretical stuff (unnecessary), the above has some... would be nice to have them all in one place.

name.withheld.for.obvious.reasonsSeptember 29, 2015 11:38 PM

@ Nick P

I believe your Occam's Razor statement is right on, let me summarize:

1.) InfoSEC; Use of robust design methods and practices to produce reliable and predictable computational and data-based products. Securing bounded networks and systems to defeat overt attacks and rapid recovery and reaction support.

2.) U.S Cyber Policy; The covert use of cyber-domain codes/methods in order to subvert existing platforms for complete USG surveillance, posture responsive behavior to support hardware up into the meat-space, targeting (including lethal force) and compromising suspected villains/perps.

Item one defines a more engineered approach while the second is a more militaristic model. I see a lot more people victimized by the latter approach. The former approach would require a mature and educated populace, the latter--not so much.

I am not making a qualitative statement, just an observation.

name.withheld.for.obvious.reasonsSeptember 30, 2015 12:21 AM

@ IanLB


Most people here aren’t really infosec professionals, or vastly overstate their involvement in the field, and are spouting heavily politicized opinions because they truly believe they are right and relevant...

I suggest that under your compliance model(s) (assuming your shop is certified ISO-15408/27000) a mirror may be employed to ascertain the subjective nature of your comments.

Sancho_PSeptember 30, 2015 6:09 AM

@IanLB

No problem. I got so many wounds because of being impulsive but still can’t control myself ;-)

TõnisSeptember 30, 2015 6:55 PM

That anyone still believes "official" versions of events or anything else the US fedgov says just makes me tired.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.