
N.S.A. Tapped into North Korean Networks Before Sony Attack, Officials Say - sciurus
http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html
======
chroma
> Mr. Jang said that as time went on, the North began diverting high school
> students with the best math skills into a handful of top universities,
> including a military school specializing in computer-based warfare called
> Mirim University, which he attended as a young army officer.

I realize I'm not engaging the core topic being discussed, but stories like
this are why I'm surprised people like Will Scott haven't gotten in trouble.
(I don't want to single him out, but he's the best example I have at hand.)
For the past two years, he's gone to North Korea to volunteer teaching
computer science.[1][2] At best, his students' skills will be wasted on some
silly Android apps praising the supreme leader. More likely, these students
will go on to make software for less-than-ethical purposes: wargame
simulation, nuclear explosion modeling, missile guidance systems, or
network/server subversion.

I'm not saying this software shouldn't exist, just that the world would be
better-off if the DPRK had more difficulty writing it. And I'm surprised the
State Department hasn't fined or revoked the passport of any American who has
aided the DPRK in this manner.

1\. [https://news.ycombinator.com/item?id=8869265](https://news.ycombinator.com/item?id=8869265)

2\. [https://news.ycombinator.com/item?id=6829558](https://news.ycombinator.com/item?id=6829558)

~~~
toufka
That is a very scary argument. To deny education because it could be used in
ways you may not like is a very unfortunate position to take. Education is
likely the only way a system like North Korea's will ever fall short of a
militarized take over - another horrible fate to wish on those same people.
And were it to fall, an education is all that would permit their survival in
the world at large. To deny individuals a modern education is a particularly
cruel punishment - maybe more so to punish those who would wish to educate.

~~~
chroma
I agree that it's a scary argument. That's why I was careful in how I put it
forth. The problem is that many skills are dual-use. At some point, a
threshold is reached where a student is more likely to use the knowledge to
harm than to help. This threshold depends on the skill and the student.

To use a hypothetical: Would you condone someone teaching particle physics in
North Korea? How about biology? Chemistry? Turbine engineering? Teaching any
of these would probably increase North Korea's ability to threaten and harm
its people and the rest of the world. It's sad that this is the case, but it's
hard to argue otherwise.

Unfortunately, I seriously doubt education will help free North Korea. If you
read the stories of defectors, you'll find that almost everyone in
universities is indoctrinated. Also, because of how people are encouraged to
report each other, no underground network of dissenters can exist. Even if 90%
of North Koreans wanted to overthrow the government, anyone who voiced
dissidence to a few friends would likely be reported and thrown in a prison
camp (if not outright executed), along with their family. It doesn't take much
to control many.

I really wish it was as easy as, "Education is good." But there can be dire
consequences to actions, even ones as typically benign as teaching others.
It's important to have a finely-tuned sense of ethics, otherwise we risk
harming people who we mean to help.

~~~
kimjonsegfault
What's scary is the level of your indoctrination. North Korea has been
surviving decades in almost complete world isolation, because it opposes
capitalism. It's not Mordor, it's a society with a structure that is not
compatible with western capitalism. Everything you think you know about has
been filtered to hide any positive aspects of such a society and to exacerbate
the negatives. This was done to Vietnam, to China, USSR. This was done to
Obama during the healthcare "debate".

North Korea has withstood decades of economic isolation, and yet it lives and
its people live much better than citizens of Somalia and other great
capitalist nations, not that anyone would let you know. You're not freeing
North Korea by isolating it and starving it, you are killing it, and the
people. You say it doesn't take much to control many, but this applies to the
West as much as it does anywhere. You have a set of values, and you are in
harmony with enough people, you can work for them, with them. The same applies
in North Korea, and USSR (where I'm from). The country is a single company,
the CEO might be eccentric, but people do have jobs, work hard, have
education, healthcare and believe in communism. What they don't have is
Hollywood, McDonald's and Fox News. And this is why you want to "free them".
They have nuclear weapons not because they are evil, but because they know
what US does to countries people like you believe need to be freed.

~~~
chongli
Yes, and European fascism was okay because the trains were always on time.

~~~
kimjonsegfault
North Korea is not a fascist or nationalistic regime. And it's only been
turned into a concentration camp by the West through sanctions. It's not even
any more antithesis to democracy either. The party members are elected. The
institution members are promoted by performance like anywhere else. The
'supreme leader' being some sort of a Sauron is a fantasy. Since you're
comparing to Nazi Germany, you should also know that Hitler wasn't some sort
of a god who bent everyone to his will. He was a leader of a party and a
movement with the fascist ideology. Please don't equate Nazism and Communism.

~~~
iliis
You know that North Korea has actual concentration camps, right?
[http://en.wikipedia.org/wiki/Hoeryong_concentration_camp](http://en.wikipedia.org/wiki/Hoeryong_concentration_camp)

~~~
kimjonsegfault
Unfortunately, every country has prison colonies. USA has more than anyone,
including abroad. You choose to believe 'Database Center for North Korean
Human Rights' from which this article is sourced, that it seeks to publicize
the truth and isn't funded by CIA. I believe otherwise, after comparing
activities of human rights organizations in countries all over the world. It
makes me quite sad that the human rights cause and genuinely well meaning
people are used to further US imperialism.

~~~
unprepare
> after comparing activities of human rights organizations in countries all
> over the world.

Is this comparison available for us to view?

------
shutupalready
> General Clapper praised the food; his hosts later presented him with a bill
> for his share of the meal.

Not only are they evil, but they're _cheap_ too.

But the fact is that the hosts would have billed for the meal because the U.S.
government _asked_ to be billed.

The USG requires that officials traveling on business not accept gratuities,
gifts, dinners, or anything above a certain value (which is about US$100 -- it
gets adjusted for inflation, so it might be higher today).[1]

There is an exemption to allow acceptance of gifts of travel expenses of more
than $100 when officials travel outside the United States on business, but only if
"such acceptance is appropriate, consistent with the interests of the United
States, and permitted by the employing agency".[1]

In this case, General Clapper and his staff probably didn't want to deal with
the question of whether it was "appropriate" or deal with reporting
requirements, so they just asked for the bill. Or, their North Korean hosts,
knowing U.S. policy, were proactive in making up a bill.

Either way, the NYT article should have mentioned the USG policy. If they
can't get that little thing right, it makes me wonder about the accuracy of
the rest of the article.

[1] [http://www.gpo.gov/fdsys/pkg/USCODE-2010-title5/html/USCODE-...](http://www.gpo.gov/fdsys/pkg/USCODE-2010-title5/html/USCODE-2010-title5-partIII-subpartF-chap73.htm)

~~~
donohoe

> they can't get that little thing right, it makes
> me wonder about the accuracy of the rest of the article.

Given they got a small detail correct like the persons present was Gen.
Clapper inclined me to trust the accuracy of the rest of the article.

Same logic?

~~~
shutupalready
No it's not the same logic.

If a 1000-word article had 50 misspelled words, would you then say that it was
pretty accurate because it was 95% correctly spelled?

No, you'd be horrified. Things like spelling, grammar, and basic facts (the
capital of a country, USG policy on gifts, etc.) should be close to 100%
correct. That's a lower bound to be taken seriously.

------
sandworm
Anyone else notice this:

"We realized there was another actor [South Korea] that was also going against
them [North Korea] and having great success because of a 0 day they wrote. We
got the 0 day out of passive and were able to re-purpose it. Big win."

NSA learned of a 0-day exploit being used by South Korea (not five eyes) and
re-purposed it. They had knowledge of an exploit in the wild. Did they share
this with anyone in order to close this security flaw? They exploited it. This
is not a case of the NSA developing an exploit in house. They took this from
the wild. This would seem to confirm suspicions that NSA is/was willing to
allow active 0-days to fester, leaving the general public exposed.

~~~
redstripe
Are you suggesting the NSA should be a government funded QA department for
large corps and open source?

For commercial software the companies who are not finding these bugs on their
own are to blame. For open source, the cheapskates who mooch free software
without contributing are to blame.

~~~
sandworm
Yes and no. They are tasked with protecting national security assets within
the US, most of which rely on commercial systems. When they find a dangerous
flaw in those systems, especially one loose in the wild, they are to help fix
it. To not fix it is to leave US systems at risk.

"in almost all instances, for widely used code, it is in the national interest
to eliminate software vulnerabilities rather than to use them for US
intelligence collection" (quote from the 2013 panel report, not wired.)

[http://www.wired.com/wp-content/uploads/2014/04/White-House-...](http://www.wired.com/wp-content/uploads/2014/04/White-House-NSA-Panel-Report-2013.pdf)

~~~
csandreasen
Not all 0-days affect national security assets. Heck, I'm sure there's plenty
of software out in the world that isn't even used in the US at all.

------
xnull1guest
We know that the NSA tapped into computer systems and the backbone of
essentially every country on Earth - I don't see how NK would have somehow
been excluded.

What's interesting is what information the New York Times includes that is not
covered in the NSA document, presumably from unidentified officials and former
officials.

The document on Der Spiegel speaks primarily about taking copies of
intelligence from SK hacking efforts against NK and also taking copies of
intelligence from NK hacking efforts that had in turn been hacked by SK (and
in turn by NSA - "fifth party collection").

The document mentions the NSA's unwillingness to rely on intelligence filtered
through so many third parties and made efforts to establish its own foothold.

Essentially none of the article is backed by the document as a first source
and must have come from the unnamed sources.

~~~
Alupis
I believe the reason this is "a big deal" is due to how the average US citizen
reacted over the recent Sony Breach and the US Government's blame of NK (I
might add with no supporting evidence, most industry professionals in high
doubt, and even some security companies providing evidence to the contrary of
statements by the government).

The average US citizen was outraged that some other government would have the
audacity to hack anything in the US. This article's goal seems to be to point
out that the US Government is hacking _all_ other nations' governments,
including NK. (pot calling the kettle black)

~~~
GabrielF00
To be fair, there were other issues involved in the Sony hack that are not
present in NSA spying.

- The North Koreans attempted to impose a heckler's veto on speech by private
citizens of the United States.

- The Sony hack had direct and very visible consequences for Americans
(economic consequences, release of personal data like salaries and health
information, embarrassment of people by releasing private communications).

It's entirely possible to take the position that countries are going to engage
in espionage, but that there should be norms about how intelligence services
behave. Right now we're all trying to figure out what those norms are.

~~~
wavefunction
I hold Sony primarily responsible for the release of private data, due to
their ignoring basic security practices. Why are health records stored on Sony
Pictures servers along with everything else? Why were data silos and graduated
access not in place? I never see any of these corporate officers held to
account for their decisions to not spend resources for security. The only
people I have any measure of sympathy for are the rank-and-file employees
caught in the middle of decisions made by well-compensated executives who
never have to face the consequences of their disregard for anything other than
themselves and their own compensation.

I have to take issue with "norms" for intelligence services as well. These are
groups with no morals or ethics, what makes you think they would ever adhere
to any sort of "norm." These are criminals and criminals do not adhere to
norms imposed from anyone other than themselves.

~~~
xnull1guest
I seem to be in the minority on Hacker News, but as someone in the
professional computer security field I know that any company or
state/department/organization can be hacked by a motivated attacker. In the
case of SONY, the attackers were able to enter the network through
spearphishing emails - something that essentially no investment in security is
going to prevent. The malware similarly could not have been detected, as
signatures for this specific compilation were not known.

I have a hard time blaming the victim of a cyber attack that would have been
practically impossible to prevent. I agree that SONY made bad decisions with
regard to its hoarding of unnecessary data, but also recognize that this is
hardly unique to SONY and not standard advice given by security professionals
(it should be).

Norms are important so that you can accuse 'groups with no morals or ethics'
of doing something wrong. Norms may only discourage and not prevent behavior
but without norms it's difficult to find common ground for behavior that may
otherwise be chalked up to 'culture' or 'tradition' or 'nature'.

~~~
Alupis
> but as someone in the professional computer security field I know that any
> company or state/department/organization can be hacked by a motivated
> attacker.

You seem to give Sony too much credit, and also forget that they had a file
server with open internal access which had a directory called "Passwords"
which contained a plain text file with all the credentials to their internal
servers.

That's something I'd expect to see at some small business with no professional
IT on staff... certainly not from a multi-billion dollar company with
thousands of employees and a full-time professional IT staff.

Sure, the attackers may very well have spearphished their way inside, but once
inside, they didn't have to go through any of the normal hassles of island-
hopping with more exploits, etc. They just logged in like they belonged.

Motivated attacker or script-kiddy, once inside, Sony made it awfully easy.

~~~
xnull2guest
> You seem to give Sony too much credit, and also forget that they had a file
> server with open internal access which had a directory called "Passwords"
> which contained a plain text file with all the credentials to their internal
> servers.

FWIW this is my experience with multi-billion dollar companies with thousands
of employees and full time professional IT staff.

Perhaps we can get other security professionals to chime in.

Once you get a foothold in a corporate environment, it is the unfortunate
truth (I'm sure others will back me up here) that it is very easy to move
around without 'island hopping with exploits'. For the most part, pivoting by
passing-the-hash will work for 99% of networks.

It is also my understanding that the malware that was purchased for this
compromise had the capability to persist across the network, to exfiltrate
data, and to sabotage computers.

------
GabrielF00
This is the second NYTimes article I've seen that has suggested that the NSA
was collecting information on a group while that group was planning an attack,
but that the collection or the analysis was not sufficient to stop the attack.
(The other article was on the Mumbai terrorist attack).

This is interesting and you could look at it a number of different ways:

- Collecting data is one thing, but understanding what it means is incredibly
challenging and the NSA might not be doing a great job.

- Even when they can't prevent an attack, there is still value in having this
data so that they can attribute the attack and understand something about the
motives and methods of the attackers.

~~~
mc808
- Or "national security" doesn't mean what normal English-speaking humans
think it means. The hack was no threat to the reigning industrial/government
structure or the dollar.

------
lucb1e
Might be me, but I'd be surprised if they hadn't. They hacked so many
countries including China[1], Mexico[1], Belgium[1], Syria[3], Iran[4], etc.
(after saying that a digital attack is an act of war[2]). I don't remember
each and every leak and I don't feel like looking up everything, but they seem
to have targeted loads of people in various countries. I doubt North Korea
(which is not even an ally) is the exception.

[1] [https://en.wikipedia.org/wiki/Tailored_Access_Operations#Kno...](https://en.wikipedia.org/wiki/Tailored_Access_Operations#Known_targets_and_collaborations)

[2] [https://en.wikipedia.org/wiki/Cyberwarfare_in_the_United_Sta...](https://en.wikipedia.org/wiki/Cyberwarfare_in_the_United_States#Cyberattack_as_an_act_of_war)

[3] [http://www.theverge.com/2014/8/13/5998237/nsa-responsible-fo...](http://www.theverge.com/2014/8/13/5998237/nsa-responsible-for-2012-syrian-internet-outage-snowden-says)

[4] Stuxnet [http://rt.com/news/snowden-nsa-interview-surveillance-831/](http://rt.com/news/snowden-nsa-interview-surveillance-831/)

~~~
GabrielF00
I don't believe that the US has ever said that "a digital attack is an act of
war". The quote that you linked to says that the United States reserves the
right to respond militarily to "hostile acts in cyberspace" if it exhausts all
other options and judges the costs of action to be greater than the costs of
inaction.

The statement is not saying that any cyberattack is an act of war, it is
saying that the United States might treat certain attacks as the cost of doing
business but that other attacks might require a military response, depending
on the specifics of the incident.

~~~
lisptime
or they did:

[http://www.nytimes.com/2011/06/01/us/politics/01cyber.html?_...](http://www.nytimes.com/2011/06/01/us/politics/01cyber.html?_r=0)

~~~
GabrielF00
That article is saying the exact same thing that I'm saying.

------
Estragon
Typical for the NYT to bury the strong countervailing evidence against the
official war-mongering story in a couple of paragraphs 2/3rds of the way
through the article.

    
    
> Still, the sophistication of the Sony hack was such that many experts
> say they are skeptical that North Korea was the culprit, or the lone
> culprit. They have suggested it was an insider, a disgruntled Sony
> ex-employee or an outside group cleverly mimicking North Korean
> hackers. Many remain unconvinced by the efforts of the
> F.B.I. director, James B. Comey, to answer critics by disclosing some
> of the American evidence.
>
> ... it would not be that difficult for hackers who wanted to appear to
> be North Korean to fake their whereabouts.

~~~
comex
Typical for Hacker News posters (in general) to dislike the United States
government so much that, despite having complained and worried and speculated
about the sophistication of the NSA's online snooping for the last year and a
half, they assume that the government couldn't possibly have obtained any
evidence they didn't want to release to the public, instead trusting the high
certainty of experts who have decided that it couldn't have been North Korea
because the Korean region setting is for the South Korean dialect or the
writing didn't have the right 'Korglish' errors or other such trivialities
(those are both actual points that have been made).

It's not as if the claims in this article that the U.S. has successfully
penetrated North Korean networks (to the extent they exist, anyway) should be
any surprise; it would be highly surprising if they hadn't. One might imagine
that while the North Koreans are not super advanced, they know enough about
how to analyze and remove malware that it might be better to stay vague, even
at the cost of appearing less credible, rather than disclose specifics of what
communications you're able to intercept. Yet surely, just because the finger
is pointing at one of the usual enemies, it must just be warmongering rather
than reflecting reality.

(Yes, yes, WMDs in Iraq. It is certainly possible that the U.S. really is that
incompetent and/or hawkish. I just don't think it's very likely.)

~~~
Estragon
> Yes, yes, WMDs in Iraq.

The USG has lied like a rug about the casus belli and operations of most of
its major military adventures since WWII.

If they had convincing evidence of NK involvement, they would find a way to
share it without further compromising the collection method. Since the Snowden
leaks, every non Anglo Saxon government in the world has had to assume the NSA
has its hand up the ass of its IT infrastructure.

------
snissn
Gulf of Tonkin. Iraq having WMDs. It's important to hold governments to a very
high standard in matters like these.

------
timmytokyo
According to the article, NSA noticed the first spear-phishing attacks against
Sony in September. Yet they didn't realize admin credentials had been stolen
until much later. Nor did they seem to notice terabytes of data being
exfiltrated out of Sony. Fishy story.

~~~
sandworm
Why would they notice terabytes leaving Sony? It's a motion picture studio.
They surely have piles of film-related data flowing constantly in and out of
all sorts of places. And it's not like the hackers sent it directly to
Pyongyang.

As a member of the MPAA, probably the most hated organization in the history
of the internet, I'm surprised that Sony wasn't under constant phishing
attack. Given their total lack of internal security, I would have thought some
angry filesharers would have broken in long ago.

------
phkahler
If that's true, who's to say our guys didn't launch the attack from their
computers? Why would they even admit to being in there? The NSA doesn't say
anything unless 1) they have to, or 2) they want to. I don't see why they
would make this claim.

~~~
xnull1guest
Certainly false flag operations are a tactic that has seen reliable and
regular use, especially in counterintelligence. But what purpose exactly would
a false flag operation against SONY serve? Definitely not as a pretext to take
action against North Korea - the US could much more easily justify actions
against NK than it has many other nations in its history.

~~~
archgoon
Playing devil's advocate here:

<devils advocate>

The NSA is arguably having a credibility problem at home in the US. It needs
to convince the tech industry that there are enemies abroad who threaten their
security, and attacks by nation states (who aren't the US) is something that
is real.

North Korea is a great scapegoat. They can deny it all they want, and we
don't care about the diplomatic costs, because it can't get any worse. People
can't demand sanctions, can't demand recall of ambassadors, the only thing
anyone could demand would be going to war with them, but for the most part, we
don't care. They're the crazy uncle of the world stage. So basically, the only
problem would be if the NSA got caught lying about it.

</ devils advocate>

However, getting caught would probably be the worst possible thing for the NSA
(remember, there is likely still a leaker inside); as it would jeopardize the
main benefit from doing this in the first place. So I don't think the risk
versus reward pans out. That said if North Korea IS behind it, the above
motivation for speaking out is still valid.

~~~
xnull1guest
I similarly don't see the risk (and collateral damage) v. reward pan out. Plus
there are so many legitimate cyber attacks against the United States, it would
seem like a waste of resources. And it doesn't seem to me like the NSA would
so joyously release the Lynton/Bennett/State Department emails. If they wanted
to paint NK in a bad light this would seem so counter to that goal.

------
finid
So we hacked them first, now we've imposed a sanction on them for hacking one
of our companies.

Unbelievable!

~~~
enlightenedfool
We can have nukes. You can't. We can violate human rights. You can't. We can
kill your people. You can't kill ours. It's an accepted pattern.

~~~
finid
Meanwhile, we're training "moderate islamist" to fight ISIS. Not too long ago,
groups of earlier "moderate islamist" that we trained joined ISIS.

Someday I hope I wake up from this dream.

------
grecy
In 5 years time when this tit for tat results in some massive disruption in
the US (power outage or something) people are going to be severely angry and
say NK attacked them for no reason, etc. (i.e. 9/11)

The US yet again going around the world making enemies, and giving them
perfectly valid reasons to retaliate.

~~~
xnull2guest
In some sense, this has already happened. The US State Department seems to
have been involved, at least to some degree, with the development of The
Interview as a propaganda effort (see the leaked Lynton emails) and this has
upset North Korea, since it knows the movie would get leaked to its people.

The current narrative is that North Korea (or sympathizers) attacked SONY for
absolutely no reason - or that they wanted to silence free speech arbitrarily.

The United States is regularly hacked by foreign states and regularly hacks
them. Hopefully the development of international norms and increased
investment in computer security cools global tensions and prevents the kind of
infrastructure sabotage that would result in human casualties from happening.

------
chippy
Something that probably gets overlooked is that Sony is a Japanese
Corporation, and that the politics between Japan and Korea are often to be
considered.

------
Eye_of_Mordor
Does this mean the NSA hacked Sony (from NK)? Would explain both the 'Sony
internal' nature of the attack and the FBI's assertion that this was 'from
North Korea'.

------
astkaasa
I've read enough comments about "We already knew that blah blah blah ...",
"What's interesting is that blah blah blah ...". Seems that you guys get used
to the reality so fast, the only thing you can do is trying to dig into some
detail about this kind of news and to avoid the discussing about whether this
kind of things is RIGHT or WRONG from the beginning!

I'm planning to watch POI for the second time, may your god bless you American,
and may there be a real-hero like Reese or Carter.

But we all know that most people are just as normal as Lionel, they don't have
the courage to face the problem alone. So let's just wait for your bright
future. LOL

