Reflecting on the historic pantsing that some North Korean hackers gave Sony Pictures, I think some could fairly describe it as the best possible thing to happen right now. And by ‘some’ I do not mean Sony’s competition. You can bet their own schadenfreude is heavily tempered by a frantic code brown review of their own data security. Rather I mean experts like Richard Clarke who have been screaming, begging and tearing their hair out about digital security.
When you think about how many ways that a hostile power, or a hostile group of teenagers with a laptop, can screw with us the main question about a digital 9/11 is when and how bad.
As it turns out the answer is now and pretty bad, but importantly not the end of the world. A company lost money and a lot of people got embarrassed. Blackmailers got what they wanted, which will no doubt encourage underpowered states to screw with big powers more in the future. But in the end no one died, even if a few sys admins probably wish they had. Overall I think people will eventually look back and feel very, very lucky that it shook out that way. Let me lay out my thinking.
By now it should be clear that most of our digital infrastructure has shit security. College compsci majors can usually red team their way into our electrical grids. Lockheed might put up a fight (the Chinese get through anyway) but 2014 taught some hard lessons about how most companies neglect their computers. Sony’s admins basically kept an unencrypted folder titled ‘everyone’s password’. Target stepped on a rake and Home Depot protected customer data like your great-aunt protects her AOL account. It is not terribly gratifying when you give up begging her to use something more challenging than ‘password1’ for the eighty-seventh time and the next day she ‘donates’ $42,000 to a teenager in Sevastopol and loses the payment and personal information of every goddamned customer for the last six months.
You could ask, why should the Sony hack do any good? Earlier breaches did not persuade Target to overhaul its security and the Target disaster somehow failed to dislodge Home Depot’s head from its ass. I think it has a lot to do with who got hurt. The earlier breaches embarrassed Target and Home Depot and pissed off shareholders, but aside from sacrificial scapegoats in mid-management the breaches were mostly a customer problem. That let businesses regard these things coolly, from a risk-reward perspective. In broadest terms you could describe the hacks as someone else sneaking in and shearing some more wool off of the sheep.
Sony more or less inverted that story. Some customers got fleeced, for example I might avoid the Playstation Network for now, but that does not begin to describe what happened to Sony. Instead of sneaking in an open barn door and making off with livestock in the dark, North Korea made a public spectacle out of Sony’s humiliation. They screwed with employees’ computer monitors. They released emails, scripts, drafts, planning documents, IT records and anything else they could find on Sony’s hard drives. Nobody likes having their private business written on a banner pulled behind a slow-flying plane, and I imagine it comes as an especially rude shock to corner office executives long used to lavish deference and (limited) untouchability.
When you are humiliated, more than anything else you want the story to fucking please go away already. Sony for example sent some very expensive lawyers on a futile quest to get the press to leave this story alone. Yet the story just. will. not. die. In part this has to do with Sony being an entertainment company. We Americans go embarrassingly gaga for stage managed little news bites about our favorite celebrities and the films they make, so we have no defense against all that stuff shooting unedited out of a fire hose for everyone to consume all at once. What’s wrong with the next Bond movie, what might happen to Spider-Man, what do Sony employees think about Adam Sandler? (not highly.) You have an academic look at one of the larger businesses in entertainment, suddenly rendered completely transparent. You have the national security angle for us policy wonks. Then you have the safety versus freedom angle about releasing the movie, a tough call that I would not necessarily second guess. You never know how much more damaging material they might have held back as a threat. The disaster has an absolute, seemingly bottomless wealth of story hooks.
It all adds up to an astonishing ordeal for Sony: a public humiliation and a financial disaster that just drags on and on, exposes and hampers their long term business plans and then, adding insult to injury, Sony becomes the goat for pulling the movie. Put me in the place of a senior executive at some other business or utility and I will do two things, basically right away. First I will look hard at who I might piss off and how I can avoid it. Like that reaction or not but you better learn to live with it. Power has moved around some since the days when America’s most dangerous neighbors were Canada, Mexico and sharks. Nowadays the walls around your castle are only as secure as a password, and most passwords are shit. Nobody with a corner office and a Bentley wants to sacrifice himself for your principles.
However, I also find it pretty damn self-evident that we have entered a bull market for computer security. Nothing bumps security up the cost-benefit ledger like this seemingly neverending public ruin and humiliation of a company that probably did a better job at securing its networks than you do. After all, you can’t please everyone all the time. Stepping lightly earns some peace of mind but people sleep a lot better when they don’t have to. For that reason I suspect, and by that I mean I desperately hope, that Sony will provide that extra psychological nudge for people who run things from radio stations and online stores to airports and electrical grids to spend a little more resources red teaming their network security. The next time someone puts that kind of effort into attacking a network they could have more in mind than a dumb movie.
***Update***
From the comments.
My day job is network security. Sony is not going to be the wakeup call, because others will simply think they’re different, and it can’t happen to them.
It will take either a major months-long disabling attack on an electrical or water grid, or a major attack on a financial system (you wake up and your bank account, and a few million others, are zeroes) for companies and citizens to finally take this shit seriously.
Hell, even the basic lesson from the Sony hack – that YOUR email can be read by someone/anyone other than the intended recipient – has not gotten through the heads of any users I’ve talked to recently.
Sigh. Gonna start huffing glue early today.
srv
Obama can’t even win a virtual war.
This is what happens when you turn government agencies designed to protect us from foreigners into domestic spying factories.
Gordon, the Big Express Engine
This post made me think of this:
http://m.youtube.com/watch?v=7htBb-w9fNw
CONGRATULATIONS!
My day job is network security. Sony is not going to be the wakeup call, because others will simply think they’re different, and it can’t happen to them.
It will take either a major months-long disabling attack on an electrical or water grid, or a major attack on a financial system (you wake up and your bank account, and a few million others, are zeroes) for companies and citizens to finally take this shit seriously.
Hell, even the basic lesson from the Sony hack – that YOUR email can be read by someone/anyone other than the intended recipient – has not gotten through the heads of any users I’ve talked to recently.
ETA:
@srv: It ain’t Obama. Alone among the digital nations, the United States takes the best and brightest hackers, the ones who smoke dope in their parent’s basements, the guys with proven track records of being able to attack things and defend against counterattacks, and does their best to put them in jail and then bars them from ever working for the government.
So we end up with an all-goody-goody, mostly Mormon government workforce whose main qualification for digital security is forwarding bulletins from other equally clueless government agencies to each other. They’re so shitty nobody even bothers to hack them.
skerry
Quoting Robert Reich:
Belafon
The internet was designed to be open.
No system’s (natural or man-made) perfect, and attackers will always have an advantage – otherwise the flu would not exist – but we’re purposing the internet for something it wasn’t designed to do.
And capitalism was never going to be prepared for this. Paying for security costs profits, and raises the price on TVs and game consoles.
KG
so, this is interesting… Oklahoma and Nebraska have filed a lawsuit, in the Supreme Court, against Colorado over Colorado’s weed legalization. The Supreme Court is a court of original jurisdiction for disputes between states, but they rarely actually act on that jurisdiction. But what’s funny to me is that Nebraska and Oklahoma are invoking the Supremacy Clause, saying that federal laws making weed illegal trumps Colorado’s law. There is irony there, states that have spent the last six years screaming “FEDERALISM” to undermine federal law regarding health insurance are now arguing “SUPREMACY CLAUSE!” to support federal law.
CONGRATULATIONS!
FWIW, FBI protestations notwithstanding, this attack was almost certainly not from North Korea. Just saying.
eemom
Fuck Sony, and its film, and for that matter, fuck this whole cybersecurity sideshow. Read this.
JGabriel
Tim F. @ top:
Thus birthing a new business aphorism: When you’re an entertainment company, beware of becoming the entertainment.
Belafon
@KG: I believe that would be “States’ rights for me, not for thee.”
KG
@skerry: Sony Pictures is actually an American subsidiary of Sony (which is a Japanese corporation), not a division. A “division” is part of the same company, a subsidiary is a separate company where the parent company owns at least a controlling interest of the company. So, Sony Pictures is an American company, and more importantly, the hack can be damaging to the wider economy because it provides a template for later attacks. Not to mention the fact that it sets a bad precedent if the hack was done by another country when it comes to nations seizing or otherwise disrupting the property of citizens in another country.
Belafon
@JGabriel: You would think an entertainment company would understand the Streisand effect.
Edited, wrong word
John Dillinger
@CONGRATULATIONS!: I also question whether NK could do this on its own. The scarier notion is that there are free agents out there who would take money from NK to do this. I also want to see a comparison between money spent at Sony on e-security versus executive bonuses over the years.
joeshabadoo
Nothing is going to change because of this. Unless it is an almost guaranteed threat the money simply won’t go there.
Personal humiliation for the boss won’t mean dick except for potentially more security on their personal shit.
Amir Khalid
@skerry:
If North Korean hackers can attack a Japanese corporation, they can surely attack an American one. It’s not altogether inconceivable they might decide that, say, the F-35 programme isn’t fucked up enough and fuck it up some more for Lockheed Martin.
MattF
I had a problem a few days ago getting a ‘direct access’ connection to a financial account because the password I wanted to use was too long. Just think about that. A bank has implemented a policy of rejecting long passwords. So, no– I don’t think our security problems are anywhere near solution.
gene108
@CONGRATULATIONS!:
My wild, wild guess is they threw some (relatively) big bucks for a hacker in some country, which actually has modern computer infrastructure to do this attack.
@CONGRATULATIONS!:
Don’t know if this is true or urban legend, but I thought those guys got jobs with private companies in internet security, once they got out of jail.
CONGRATULATIONS!
@John Dillinger: I believe that information was released after the attack by the hackers. I do know for certain that Sony’s budget for security is far smaller than it should be for a business whose assets are all digital, and that pleas to increase that money have been met with a resounding “fuck off”.
Probably they needed the money for Adam Sandler’s private jet. Paid for by Sony. Jesus, what a miserable joke of a company.
gene108
@MattF:
I bet there’s a substantial number of folks, who cannot keep track of their long passwords and will be calling customer service for password resets, since they also cannot remember their security questions to reset their passwords on-line.
EDIT: Bank will waste its customer service resources on password resets, rather than on actual bank related matters that might generate revenue.
Gin & Tonic
a company that probably did a better job at securing its networks than you do
Probably not. Sony has been known to be incompetent at best, and bad actors at worst, going way back.
cmorenc
Perhaps the biggest threat to digital security in any organization is the understandable inclination of so many folks to choose easily hackable passwords, because they’re so much easier to choose and remember than longer, more randomized ones. It can be a challenging art to come up with passwords that are both sufficiently random and yet easily memorable.
CONGRATULATIONS!
@gene108: Not with a criminal record.
Gin & Tonic
@MattF: Not that I’m recommending them for this or any other reason, but HSBC uses two-factor authentication for its consumer accounts.
JGabriel
The Atlantic via eemom:
Umm … is that North Korea or the US they’re talking about? While there’s plenty of sheer evil to criticize in North Korea, I’m not sure we Americans are in a position to criticize anyone’s else’s conspicuous consumption while others go hungry. It just looks a little hypocritical. Of course, we’re not in a position to criticize anyone over torture anymore either …
kindness
I loved Spaceballs. Kinda reminds me of what I expected The Interview to be. Stupid and funny.
MattF
@JGabriel: But North Korea has a ruling dynasty! That’s as politically backwards as you can get, right?
Lavocat
@CONGRATULATIONS!: Yeah, I’m not buying North Korea either. Looks more like a false flag operation by the Chinese or the Russians. Shit, at this point, knowing how amoral, unethical, and nihilistic the CIA/NSA/etc. have become, I wouldn’t put this past America’s own various agencies as some sort of sick way to beta-test corporate readiness to defend against hackers, while pointing the finger at The Regular Suspects. It’s all good.
Tree With Water
It’s a crazy world. Seventy years ago during WW2, Sony was (probably) a pillar of Imperial Japan’s war machine. A war machine then in occupation of all Korea. Today, its misfortune is construed by some as being no less than an incipient assault on the vitals of American national security. Banzai!
Villago Delenda Est
I don’t know about Sony worldwide, but Sony’s American operations are run by serious MBA fucktards who frankly have demonstrated that they do nothing but consume oxygen and return nothing.
Villago Delenda Est
@MattF: Well, yes, very politically backwards. See Bush Crime Family for details.
Tommy
Somewhat off topic, but I think both interesting (I hope) and funny at the same time. One of the tech geeks/VCs I follow on Twitter this morning said:
Of course, he was talking about PS3s/PS4s gaming consoles. I am a Sony “guy” and I also have two Sony Blu-ray players hooked up as we speak. You can stream to them as well. Look I bought a lot of Sony “gear” since I got my first Sony CD player around 1985. Parents paid a ton (I think around $900) for it, and it still WORKS. Never had a SINGLE problem with any of their products from CD players to laptops, gaming systems, speakers, receivers. Heck my PS2 is both still hooked up and functional.
I always thought their mid-level stuff, not the lowest of the low (and they are making some pretty cheap shit these days) was like a “poor rich man’s A/V gear.” Not great, but good quality for the money paid.
Outside of the fact their IT infrastructure is crap, I can’t believe they backed down. I mean come on “the communist terrorist have won.” Not sure I will buy much more of their stuff.
My move had started before this. Last laptop. Sony. New laptop Samsung. Last DVD player Sony. Newest Samsung. Samsung via my phone and tablets have shown me they can fill the “void” left by Sony. BYE!!!
MattF
@Villago Delenda Est: Well, they do emit carbon dioxide. That’s something.
Woodrowfan
@kindness: ahah, so YOU’RE THE ONE! :)
Lee
I agree that it takes a large and/or persistent attack to make any company take notice of their network security.
I work for a telecom company that is a subsidiary of a very large, old Japanese company. We have constant attacks from China. Not too long ago we had a department set up an unsecured femtocell. They used that to attack our network and brought everything to a screeching halt. Luckily they were not able to carry out a large amount of data the same way they gained access (not sure why).
I'mNotSureWhoIWantToBeYet
@Lavocat: Meh.
Reuters
It doesn’t take much for a country to be good at cyber, if it wants to be…
Cheers,
Scott.
geg6
@CONGRATULATIONS!:
Please, feel free to tell us all who it almost certainly was then.
Villago Delenda Est
@skerry:
We should protect all Mammon worshiping entities, everywhere on this planet.
JGabriel
@Villago Delenda Est:
That’s not fair. Serious MBA fucktards don’t just consume oxygen. They steal too!
Belafon
@Tommy: Right now, Samsung is eating everyone’s lunch.
Valdivia
lol Obama just totally mocking Politico at the Press Conference.
Love that he is out of fucks to give.
Lee
@Lavocat:
The last rumor I heard was that they had a large layoff of IT people over the summer & one of them left a backdoor operational.
Tommy
@cmorenc: Social engineering is #1, #2, #3 and you could go on and on. Easier to get into a system by that method than by a brute force attack or hacking. Once in, well ….
Now I am not saying stupid passwords are not an issue. Of COURSE they are.
I’ve worked with a few top-level info security firms and they are not afraid of direct attacks. They worry about “social engineering.” That the executive assistant of a senior level person is “gamed” to give out some info. That info is used to move up the ladder.
Then access to the system. Once in, well gosh knows what will happen.
Amir Khalid
@Tree With Water:
Sony was actually not part of the Japanese war machine. Per Wikipedia, it was founded in 1946, and originally made transistor radios and tape recorders.
esc
My husband works in security for a large corporation. It was shocking to me when he started because it is a huge business handling an enormous number of transactions at locations all over, but they have very, very few full time staff of their own. It’s his job to prod the people who have been contracted to do the real work into actually doing what they are being paid tens of millions of dollars to do and to know when they are totally full of shit (which is all the time). It has been enlightening to say the least. He won’t let me use anything but cash at Home Depot even now if we’re together.
srv
@JGabriel:
TIL. How could anyone be against dolphinariums?
JohnC
@Tree With Water:
Sony was founded in 1946, after the war ended.
gene108
@JGabriel:
Going hungry in North Korea is a fucking improvement of orders of magnitude over where they were in the 1990’s, when people fucking STARVED TO DEATH!!!
You know why more people didn’t starve to death? The USA sent in grain shipments and other food stuffs, that were often pilfered by the North Korean Army to be sold on the black market or for their own personal use…WHILE PEOPLE STARVED TO DEATH!!!
The only reason North Korea is even able to feed its people is because of international charity, but they still spend money on launching intermediate range missiles, a nuclear weapons program and other shit that does most folks no good.
The U.S.A. is much better than so many places in the world, which is one reason so many people still want to immigrate here every day of every year.
Sometimes I think there’s a kernel of truth, when right-wingers accuse liberals of being America haters. There’s no fucking way America, warts and all, is even in the same galaxy of reprehensible behavior as North Korea.
drkrick
@joeshabadoo:
I wouldn’t be so sure. I was working at a Federal agency in 2001, and while the list of potential projects, security and non-security related, didn’t change much in mid-September of that year, the ordinals on the priority list sure did. After this, there’s no question of a direct threat.
But it’s also true that Sony Pictures was known to be pretty slipshod about IT security. Although Lockheed Martin has been hacked, not all defense contractors have been. It’s a little like the old story about the bear: unless there’s specific motivation, you often don’t have to be impervious to hacking, you just have to be noticeably harder to crack than other potential targets
Bill Arnold
@cmorenc:
Passphrases are better but are hard to type.
My employer (large corporation) has been tightening the security screws for the last couple of years. In general it’s a good thing, though it can cost time (sometimes easily an hour a day navigating security barriers e.g. when working with a couple of VPNs in a path, etc.). FWIW, the computer/network security people appear to have access to the ears of the top management.
beth
Interesting that all the journalists the President has called on in this press conference have been women. We’ve come a long way baby.
Lavocat
@Lee: Now THAT would be some funny shit that – if made into a movie – I would pay to go see. Of course, that person would probably be looking @ a lifetime inside a Supermax.
However, as and for a working title, let’s call it “The Payback”. Works for me.
tybee
@Tommy:
yup, passwords are much more likely to be given up voluntarily than “guessed” by brute force attacks.
Tommy
@beth: Darn right. You go ladies! Now just let us pay you* the same and get the heck off your bodies and focus on things you might care about. But wait on one thing, that rape thing and the fear to report. We need to correct that yesterday.
*I am 45. Four of my five bosses have been women. And by bosses I mean they owned the company I worked for.
Roger Moore
@Tree With Water:
Don’t say “probably” when it’s easy to look up. A quick check on Wikipedia shows that Sony was founded shortly after WWII.
Villago Delenda Est
@Roger Moore: Mitsubishi, on the other hand, WAS a pillar of the Imperial Japanese war machine.
srv
Why don’t you liberals start a Boycott Regal movement?
Bill Arnold
@Lavocat:
I’m buying North Korea. It’s hard to tell from the details provided in the press but I’m guessing that Sony Pictures was unusually porous due to egos, not spending enough on security, etc, and that the attack was probably not especially sophisticated.
Villago Delenda Est
@gene108: If the 1% of the US thought they could get away with starving people for their personal profit, they would.
Belafon
@srv: That’s pretty easy: The ones near me closed.
Bill Arnold
@esc:
I slipped and used my debit card rather than cash or credit card at a Home Depot, just days before the security breach was announced. Saw the breach announcement on the hacker boards and I went to the bank that day and got a new ATM card/PIN. Very irritating.
D58826
It’s probably going to take a greater level of government/private sector co-operation and regulation. It will also take greater government and private sector spending. All of which are anathema to the GOP/free marketeers so not much will change. Newtie is running his mouth about an act of war but he also wants to reduce the size of government to what can be drowned in a bath tub. You can’t have it both ways even though talking out of both sides of your mouth seems to have no downsides for the GOP.
Cervantes
@gene108:
One of them received tenure at MIT less than twenty years after perpetrating his hack.
eemom
@JGabriel:
um, I’m the last person to be an apologist for the US, but North Korea is really in a class by itself. Read the article, and its links.
Facile comparisons like yours, like that POS film, trivialize the unspeakable horror of that place.
Tommy
@srv: I did (many years ago), of all movie theaters, when I realized if I waited 9-12 months I could OWN the same movie on DVD for less by a few factors than I paid for the ticket, a soda, and popcorn.
I often joked I lived my movie life a few months, or even a year behind. Why I have 500 DVDs in my house and I went to see like three movies in the last two decades. You saw the movie, I own it.
Roger Moore
@Tommy:
The problem for that is that Sony is not at all monolithic as a company. For example, the branch of Sony that makes image sensors has long had a better relationship with Nikon than they have with their own camera division, with Nikon getting customized versions of their sensors that perform better than the ones in Sony cameras. More to the point, there’s been a long-term dispute between Sony’s hardware and entertainment divisions about DRM and other technical attempts to protect copyright. There’s no guarantee that Sony Pictures will want to deal with the Playstation people as part of a content delivery system.
gene108
@Villago Delenda Est:
And yet, we’ve made changes to how we operate as a society that keeps that from happening.
North Korea not so much…
VFX Lurker
The act of pulling films under outside pressure predates Sony.
Cervantes
@Tree With Water:
Well, it was founded after the war ended. One of the founders came from a long line of soy-sauce makers. The other worked for a company that developed film (as in movies). Both founders had served in the Japanese armed forces during the war.
Chris Gerrib
I’m head of the IT department at a community bank, and what bothers me about the Sony hack is nobody is telling me how the hackers got in. I can find out a lot about the malware used to wipe data (it’s off-the-shelf) but the information I need is not available.
What I have seen is that the hackers were in Sony’s network for some time, which also concerns me. Again, I don’t know what signs (if any) Sony’s network people saw to tell them that somebody was snooping around.
Roger Moore
@tybee:
Or recovered through password recovery systems intended to help people who can’t remember 14 characters of random gibberish that has to change every 3 months. Passwords are simply not a good way of protecting information against a motivated attacker; computers are simply better at cracking passwords than people are at generating and remembering them. We really need some kind of two-factor authentication.
NonyNony
@srv:
Don’t need to – the Regal Cinemas around here have shut down because they couldn’t compete with the other chains.
sm*t cl*de
This is what happens when you turn government agencies designed to protect us from foreigners into domestic spying factories.
What srv said in the first comment. What you need is an agency tasked with helping US businesses and govt. departments improve the security of their communications and information storage… providing unbreakable encryption, that sort of thing. You could call it the National Agency for Security or something like that.
Gin & Tonic
@Cervantes: The Morris worm wasn’t really a hack.
Lee
@Chris Gerrib:
I’m not in security, but the security guys sit right around me and we kibitz.
The best things you can do are:
Keep everything patched
Close off all ports that you don’t explicitly need.
Run Anti-virus and anti-malware on every machine (even servers)
Gin & Tonic
@sm*t cl*de: The shame is, they used to do that sort of thing.
tybee
@Roger Moore:
i disagree. a 10 or 12 character password that is changed every 90 days or so combined with account lockouts for 3 to 5 missed password attempts is a damn tough thing to break. do the math on a brute force attack. now add in a lockout for an hour after every 3 wrong guesses. it ain’t gonna get broken in your life time.
unless some idiot gives out not only their password but their account name due to some socially engineered phish.
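The arithmetic tybee points to, worked through as an added example (not code from any commenter): how far a 3-strikes, one-hour lockout throttles online guessing against 10- and 12-character alphanumeric passwords, versus what happens when the attacker has the password hashes offline and the lockout no longer applies. The 62-symbol alphabet, the 90-day rotation, and the offline rate of 1e10 guesses per second are assumptions chosen for illustration.

```python
"""Brute-force budget arithmetic for a password policy with lockouts.

Added worked example; every constant below is an assumption for illustration,
not a figure taken from the discussion above.
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


@dataclass(frozen=True)
class LockoutPolicy:
    """Account locks for lockout_seconds after attempts_before_lockout failures."""
    attempts_before_lockout: int
    lockout_seconds: float


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def max_online_rate(policy: LockoutPolicy) -> float:
    """Upper bound on guesses per second against ONE account under the lockout.

    Assumes the attacker trips the lockout every cycle and waits it out, so the
    rate is (attempts per cycle) / (lockout length); the seconds spent actually
    submitting guesses are ignored, which only favours the attacker.
    """
    return policy.attempts_before_lockout / policy.lockout_seconds


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the space on average."""
    return (space / 2) / guesses_per_second


def success_probability(space: int, guesses_per_second: float, window_seconds: float) -> float:
    """Chance a constant-rate campaign succeeds before the password is rotated."""
    return min(1.0, guesses_per_second * window_seconds / space)


def humanize(seconds: float) -> str:
    """Readable duration for the printed summary."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def compare(length: int, alphabet_size: int, policy: LockoutPolicy,
            rotation_days: float, offline_rate: float) -> dict:
    """Online (lockout-throttled) versus offline (stolen hashes) exposure for one policy."""
    space = search_space(alphabet_size, length)
    online_rate = max_online_rate(policy)
    window = rotation_days * SECONDS_PER_DAY
    return {
        "length": length,
        "space": space,
        "online_expected_years": expected_seconds(space, online_rate) / SECONDS_PER_YEAR,
        "online_p_within_rotation": success_probability(space, online_rate, window),
        # Offline cracking is bounded only by hash speed: lockouts do not apply.
        "offline_expected_years": expected_seconds(space, offline_rate) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    policy = LockoutPolicy(attempts_before_lockout=3, lockout_seconds=SECONDS_PER_HOUR)
    for n in (10, 12):
        r = compare(n, alphabet_size=62, policy=policy, rotation_days=90, offline_rate=1e10)
        print(f"{n} chars: online expected {r['online_expected_years']:.3g} years, "
              f"p(success before rotation) = {r['online_p_within_rotation']:.2e}; "
              f"offline at 1e10/s expected {humanize(r['offline_expected_years'] * SECONDS_PER_YEAR)}")
```

The lockout makes the online case hopeless regardless of length, which is tybee's point; the offline row is the caveat, since a stolen hash database (as in a breach) is attacked at hash speed, where only length and a deliberately slow hash function help.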
Mike in NC
This time of year is, of course, especially bad for identity theft. I’ve twice had a bank account hacked into and a lot of money stolen electronically.
Grumpy Code Monkey
Here’s the problem as I see it:
1. Internet protocols are not secure. They weren’t designed to be. We keep bolting on security at the application and transport layers, but that functionality really needs to be in the network layer, all the way down to the hardware.
2. A lot of Internet infrastructure is built on the C programming language, which doesn’t protect against people looking at or poking memory that doesn’t belong to them; this makes C programs fast (among other benefits), but it also makes them prime targets for malware. Everything from the Morris worm back in ’88 to the Heartbleed bug this past year have exploited the same goddamned weakness in the language.
3. Most network security practices rely on human (specifically end-user) behavior. This is pretty much a recipe for failure. We need to migrate as much of that upstream from the user as possible.
Of course, none of that can be fixed without basically rebuilding the whole internet from the ground up. I know there are experimental networks being used that address some of these concerns, but switching the world over to new networking protocols and applications will be painful.
We need to bake security into the hardware and the tools, not just the applications.
boatboy_srq
@MattF: Too long; uses complex (i.e. non-alphanum) characters; etc etc. We are only as secure as our providers allow us. Banks, utilities, ISPs – all have constraints that keep user passwords far simpler than anyone in security thinks is minimal.
THIS is why every time I hear how The Cloud is the Next Great Thing for IT, I shudder.
Chris Gerrib
@Lee: Which we do.
The problem is, I don’t know if Sony was doing all of that stuff and got beat by really good hackers or if Sony was just half-assing it and got the results you’d expect. In this case, it’s easy to assume that “we (my company) won’t get hacked like that.”
JohnK
Max just called. He wants you to take him and Sammy for playtime in the park where they can chew ears and grab some tail.
Tommy
@Chris Gerrib: I don’t mean this to be rude, but why would they? Not their jobs.
tybee
@boatboy_srq:
amen.
Villago Delenda Est
@gene108: The 1% is working on it. See the brothers Koch, for example.
The evil is there. It’s just held in check…for now.
Chris Gerrib
@Tommy: It may not be their job, but part of getting people to get serious about security is pointing out specific gaps in security coverage.
Bill Arnold
@Roger Moore:
This is true, but people can manage passphrases. Would need to be generated, else people would make a sport of using mangled quotes. I can remember e.g. happyoatmealcamelparty22.
kc
I wish some of these hotshot hackers would go after some of the financial actors who are screwing American citizens into the ground, instead of some inconsequential entertainment assholes, or a bunch of actresses taking selfies.
CONGRATULATIONS!
@geg6: I do not know, as Sony, for some reason, hasn’t been at all forthcoming with their data. The axiom “always look inside first, especially at anyone who has left in the last year” has rarely steered me wrong.
I don’t believe it was North Korea simply because not one piece of evidence has been provided to back the accusation. If it was, they could easily provide such evidence.
Not only that, but it’s an explanation that gets Sony off the hook for a lot of liability.
Howard Beale IV
@CONGRATULATIONS!:
Here’s the scary part: There’s really only two security paradigms: Unix and Windows (I’m ignoring the mainframe as its footprint is very small, and its outer edge is Unix-based anyway.)
Even worse, security was never built-in from the start but was bolted-on.
The lessons of Multics were never learned.
Lavocat
@Bill Arnold: Let’s say that you’re correct. If so, I think the PERFECT proportionate response would be to turn loose upon North Korea some highly-specific malware (read: Stuxnet) to target their various ballistic missile projects, thereby paying them back in full for the cyber-attack by also pro-actively shutting down their other noxious, proto-nuclear program. Kill no one while potentially saving millions of lives down the road. Sort of a thinking-man’s revenge.
I also find it rather chilling that this is what war is now like in the 21st century. And, make no mistake, despite the fact that anyone has yet to be killed or maimed, this looks to me to be war by any other name.
sm*t cl*de
identity theft
I hate that phrase. It generally means that a bank’s money has been stolen and they are trying to re-define the fraud as your problem, and your responsibility to stop it happening again.
Tree With Water
@Cervantes: Thanks for the interesting information. That’s why I wrote ‘probably’, because I knew I didn’t know. The fact it was born and prospered in postwar Japan, which lay absolutely shattered by that war’s end, must be an amazing story in its own right.
Mike J
@Howard Beale IV:
ITS solved one problem Multics had by adding the KILLSYSTEM command. Took all the challenge out of crashing the machine.
Jeffro
Just going to chime in and say that I love, LOVE, Demotivators and have for a long time. The best one is “Sacrifice” – a picture of a Mayan temple at dawn with the phrase, “All that we ask here is that you give us your heart”.
I have “Compromise” in my office, too!
Jeffro
@eemom: Or read “The Orphan Master’s Son”.
Howard Beale IV
@Mike J: At least Multics had a long operational life. Last Multics instance went off line back at Ford in the mid 1990s.
lou
The Senate had the opportunity to force businesses and industry to upgrade their security and guess who put the kibosh on that?
And judging from the headline, the news industry shows its sucky tendency to not understand “filibuster.” I’ll be willing to bet they’ll suddenly have an epiphany once the Republicans are in charge and Dems try to block things.
There would be a wee bit of schadenfreude that Lieberman was screwed over by BFF John McCain, but this could be really dangerous to the nation. The Senate report was pretty frightening.
Mike J
@lou: The EFF was against that bill. That, combined with the fact Lieberman wrote it, means it probably really, really, really sucked.
Mnemosyne (iPhone)
@Bill Arnold:
Also the fact that it was an attack on a Japanese-owned company and not a US-based one. If nothing else, it kills two birds with one stone and embarrasses both the US and Japan in one step.
Tree With Water
@Mnemosyne (iPhone): Which goes to show some Asians are wilier than others, I guess.
D58826
@lou: Staples is reporting a security breach affecting a million or more customers. Of course we would not want to burden corporate America with additional regulations as the GOP stated in the linked article.
Mike in NC
@Jeffro: I also really enjoy those posters, though I’m pretty sure 90% of the managers I ever had would ban them from the workplace.
Mike G
In which case, the vast majority of corporate America is like Swiss cheese.
You can’t teach anything to people who are paid huge amounts of money to uphold the conceit that they know everything and never make mistakes.
Howard Beale IV
@boatboy_srq:
+1
Cervantes
@Tree With Water:
Complicated story — the war cleared the field, in some ways — but yes, certainly impressive.
mclaren
@CONGRATULATIONS!:
Then you’re a scammer and you need to get your ass fired, fast.
There will never be any “months-long disabling hacks” on power grids or any other delusional nightmare scenario dreamed up by con artists like you to squeeze cash out of gullible corporations and government agencies.
The entire cybersecurity field is a 100% scam, right up there with the non-working explosives detectors bought by the TSA and then warehoused when it was shown they didn’t work.
You and con artists like you need to be flushed from American society like waste. You’re the IT equivalent of Wilhelm Reich’s orgone energy or the Dianetics scam.
Ignorant incompetent clowns like the above poster foolishly and cluelessly conflate cyberwarfare (a 100% fraud, no such thing exists, it’s all fantasy and national-security-hype bullshit) and cybersecurity, which basically amounts to avoiding embarrassing info leaks and financial data breaches.
Incidentally, all financial data breaches have very little effect. Banks that get hacked to the tune of “millions of credit card numbers” merely deactivate the numbers and issue new credit cards. It’s a non-issue.
But you’d never know that from the hysterical ridiculous post made by our resident con artists, the “cybersecurity day job” clown.
Source: “The Great Cyber-Warfare Scam”, 20 February 2013.
The only difference this time? Instead of the usual breathless hysteria blaming the People’s Republic of China, this time we get breathless hysteria blaming the North Koreans. The plain fact of the matter is that no one knows who did this hack. Since the FBI said it was the North Koreans, that means that whatever else we can say about this incident, it was certainly not perpetrated by the North Koreans. Probably some 14-year-old kid, but at this point, no one knows.
We now return you to our regularly scheduled idiocy and hysteria designed to turn Americans into pants-wetting babies eager to hand over their tax dollars and all their civil rights to incompetent sociopaths like Dick Cheney who promise to “keep America safe.”
mclaren
@kc:
This never happens because there are no “hotshot hackers.” There is no imaginary legion of North Korean computer geniuses sitting up illuminated by their LCDs late at night feverishly working to destroy America’s infrastructure. They don’t exist. It’s all a bullshit fantasy dreamed up by the cybersecurity industry to extort dollars from gullible corporations in a bad economy.
These hacks are all perpetrated by teenagers and that’s why they always target the same ridiculous targets: actresses’ nude selfies, unproduced scripts from Sony, and other trivia.
Cervantes
@mclaren:
Chinese involvement and Russian involvement have been suggested as well.
Nothing has been confirmed, of course.
Cervantes
@Gin & Tonic:
If you were on the MIT campus on November 2, 1988 and still don’t think what Morris did was a hack, then so be it.
Anyhow, for completeness, note that a jury convicted Morris of violating 18 USC 1030 (a) (5) (A), which statute made it illegal to intentionally access a Federal interest computer without authorization, to alter information in such a computer, and to prevent authorized use of such a computer, thus causing measurable loss to one or more others.
Jeffro
@Mike in NC: True, true. I think at least half of my getting away with it was that most people didn’t get the reference. The other half probably had to do with me being a principal – it was in my office, not the teachers’ lounge, so, a smart principal
mclaren
@Cervantes:
Nothing will ever be confirmed because it’s all horseshit.
What do the experts say about this alleged “North Korean cyberattack”?
“The Evidence That North Korea Hacked Sony Is Flimsy,” Wired magazine, 17 December 2014.
Of course that hasn’t stopped the national security wardheelers and parasites from trumpeting this minor incident as another cyber-9/11:
Source: “Obama Vows U.S. Response to North Korean Hacking Attack on Sony,” Bloomberg News, 19 December 2014.
Yes, Americans have turned to jelly and lost their will to fight global terrorism now that we know Sony executives don’t think much of Adam Sandler’s acting.
U.S. troops will now undoubtedly throw down their weapons and defect to the enemy in Afghanistan, screaming “The Waterboy was a bad film!”
Meanwhile, the president of the United States will surely order stealth B2 bombers to unleash the full fury of American wrath on North Korea by bombarding Pyongyang with millions of DVDs of every single Adam Sandler film ever made.
Holy shit.
Am I the only person on this forum who realizes this is a complete and utter horseshit example of a gigantic mountain being made out of a trivial molehill, a total con job perpetrated by the Washington Beltway Eternal War party (one party with two wings, Democratic and Republican) in order to mooch for more cash for the military-industrial complex and provide a flimsy pretext for bombing yet another helpless innocent third-world country (probably Tierra del Fuego by this time, since we’ve run out of all other real enemies)?
Yes, because revealing all those bad scripts from upcoming Sony films is going to shake American society to its very foundations.
Barricade your windows! Nail your doors shut! Stock up on canned food and water!
There’s going to be pandemonium, people rioting in the streets once they read those bad Sony scripts, I tell you, pandemonium!!!
Gimme a goddamn fucking break.
J R in WV
@KG:
There is also a clause in the constitution that requires all states to give “full faith and credit” to laws and records of the other states:
One way of reading this is to require Nebraska and Oklahoma to respect the right or privilege of Coloradoans to possess and consume marijuana, is it not?!
Enhanced Voting Techniques
@eemom:
and I did
And then the writer goes on to explain that the movie “The Great Dictator” by Charley Chaplin is completely different, because SHUT UP, that’s why. ROFL
That article is so Hipster, it hurts.
There are times when it fills me with rage that the intertubes have turned most of the population into a bunch of reptilian hind-brain-driven louts who would rather die than take a step back and think about anything (I mean seriously, how does someone maintain full-on ‘tard rage while writing a short essay?); other times it’s the best comedy one could ask for.
joeshabadoo
It looks like companies did learn a lesson from the canceled Hollywood projects: don’t make fun of North Korea. Not the lesson you wanted though.
Bill Arnold
@Mike G:
Not a uniquely American problem.
rusty
@mclaren: There will never be any “months-long disabling hacks” on power grids or any other delusional nightmare scenario dreamed up by con artists like you to squeeze cash out of gullible corporations and government agencies. … The entire cybersecurity field is a 100% scam, right up there with the non-working explosives detectors bought by the TSA and then warehoused when it was shown they didn’t work.
I just switched jobs after working 10 years for one of the largest IT companies – oh what the fuck, it was IBM. I’m not going to preface this by listing any credentials in security because I really have none. But what I do have insight on are customers’ approaches to security and the consultant’s suite of products and services to enable those approaches. From my perspective, I agree with most if not all of what @mclaren is stating. I would offer one extended observation and that is the security game that customers and consultants play seems to mainly involve cover your ass actions. IBM sells and customers buy a suite of products, services, procedures and compliance schemes that allow the customers to pass security audits. If anything ever goes wrong, the customer can always point back to these audits and claim that they did everything right.
Bill Arnold
@Lavocat:
I’m rooting for a KJu sex tape. Sony Pictures can help.
Vanya
Even back in the 1990s we had it drummed into our heads by our bosses that you never put anything in an email you wouldn’t want revealed in public.
Enhanced Voting Techniques
@CONGRATULATIONS!:
Allegedly the passwords were on some unprotected file. Something that obvious and basic wasn’t a corporate policy thing, it was the all too typical lazy half-arsed IT guy who was too busy playing World of Warcraft at work thing. And I will bet dollars to doughnuts that same IT guy was sending out a stream of corporate-wide e-mails accusing the rest of the staff at Sony of fucking up on password protecting confidential information.