
Analysis of some of the IP addresses in the Sony hack - gokhan
http://krypt3ia.wordpress.com/2014/12/20/fauxtribution/
======
yourad_io
I agree with all the points regarding the evidence-less-ness of the IPs used,
and I'd even take it further than that. From the article:

> Like I said on Twitter last night, I can see my way to saying that DPRK was
> behind this. I can use Occams Razor to apply the logic of who had motive,
> look at their actions on the face of it, and say “most likely” it is them.

I don't know if my brain is stuck on some self-reinforcing loop with this, and
feel free to call me Mr. Pedantic here, but I don't think Occam's Razor can
take you that far. The simplest-explanation buck stops at "someone who really
wanted to hurt Sony"[1].

Given that tons of groups would have axes to grind with Sony (anti-piracy,
losing customer data regularly, general "Goliath" image & behaviour), you'd
need to have a reason why the simplest choice is NK in particular. I may have
missed something, but I just don't see it.

* Would you have needed super-l33t 0-day APT ninja bullfrogs (that only a state actor could have afforded?) No, the reports make it seem that Sony's networks were (still!) much akin to a merry-go-round[2]. So, from a "capabilities" perspective, I don't see a state actor as a more obvious choice than a disgruntled ex-sysadmin + his friends.

* Would NK have any motive to deny involvement? By my read of their past PR patterns, they'd own it loud and clear ("we own you with nuclear, we own you with cyber! fear us, fear us").

[1] Could still be someone counting on one of the side-effects of this FUD
shitstorm. That's what our favourite razor "rejects".

[2] "But it is moving! Nobody will be able to get on or off while it is
moving. It have perfect securities."

~~~
overgard
I can see that there would be other groups that don't like Sony, and would be
interested in hacking them, but why would any of them (other than NK) target
"The Interview" in particular? Maybe that was a smoke screen, but that seems
elaborate. Unless you're Kim Jong-un, the subject matter is pretty tame (i.e.
not likely to rile up other domestic groups of crazy).

I agree the evidence is weak, though. Probably not smart of the US government
to publicly point fingers at this stage.

~~~
yourad_io
The leaks started on November 24.

> On December 1st, NBC News aired a segment reporting that the FBI were
> investigating the breach and the possibility that North Korea was involved.
> While this may sound far-fetched at first, North Korea has a clear motive in
> attacking Sony.

That was the first NK link.

> (December 8) Unlike previous disclosures that were straight-forward, this
> group of files comes shortly after the appearance of a Pastebin link (now
> 404) that purports to be from the GOP, and gives a reason for the attacks on
> Sony Pictures, linking it to the now controversial movie, “The Interview”.
> There is speculation that the new announcement may not be authentic as it
> did not get sent out via the previous channels, and suggests an almost
> afterthought of blaming the movie for their actions.

That was the first time the GoP (if that was them in the first place)
mentioned any of this.

Two likely possibilities (imho):

* Someone else did it purporting to be them, and the GoP didn't deny it for the extra lolz (+ it didn't hurt their cause/objectives)

* They did it themselves to reinforce the media frenzy (by that time, the NK link was almost presented as a fact in many media sources)

Think about it this way: If this is an independent group of hackers,
completely unrelated to any states (through funding or otherwise), through
the NK link they "leveled up": Convincing the World that this was NK, we're in
cyberwar, the world is ending (etc) _far_ outweighs "hacked Sony for the nth
time".

Quotes from: [https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/](https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/)

------
0942v8653
I really do hope that the FBI's "secret" evidence was quite a bit more
substantial than this. I'd like to know what it was—it's really irrational to
accuse someone, especially the North Korean government, and with no one to
verify their claim, the FBI does not seem smart. Of course they may have no
secret evidence at all and are making this up which is much, much, worse.

~~~
LunaSea
Apparently they have weapons of mass destruction too.

/s

~~~
fpp
said the Kuwaiti nurse
[https://www.youtube.com/watch?v=LmfVs3WaE9Y](https://www.youtube.com/watch?v=LmfVs3WaE9Y)

~~~
brazzy
Um, nope.

[https://www.youtube.com/watch?v=vC4m6BB2gZ4](https://www.youtube.com/watch?v=vC4m6BB2gZ4)

~~~
classicsnoot
Implying no agreement or dissent, can you give another source besides RT? This
station is dubious at best...

~~~
mikeyouse
It's pretty well known that NK is testing nuclear weapons:

[http://en.wikipedia.org/wiki/2013_North_Korean_nuclear_test](http://en.wikipedia.org/wiki/2013_North_Korean_nuclear_test)

(Unless I misunderstood your question)

------
NietTim
So, so far we've seen 0 actual proof that NK is behind the Sony hack, big
allegations from the US government, NK which wants to be included in the
investigation and the US which doesn't want NK included in the investigation.

I'm having this strange feeling of déjà vu....

~~~
personZ
But you don't _have_ to see proof, and it is no one's burden to convince you.
The US is not trying to prosecute North Korea in court. This isn't an
amendments issue. And despite the ridiculous recurring claims, the US is not
using this as a context of war.

"NK which wants to be included in the investigation"

It is incredible that people are actually falling for this. North Korea said
"let us in on the investigation _or we will attack you_ ". Who is going to say
yes to this, even if one were so naive as to think the request were truthful
(which it most certainly is not). It amazingly achieved its goal, however.

~~~
ssmoot
The US shouldn't attempt to convince their citizens of anything before
attacking another country?

I mean, Obama has straight up said that he plans to attack NK. At least to me
that seems a very reasonable interpretation of the fuzzy political language
of: "we'll have a response at a time, place and method of our choosing".

I don't dispute that NK comes off loopy. Or that a joint investigation seems
unlikely. That doesn't automatically follow that the FBI report is faultless
though.

~~~
personZ
_I mean, Obama has straight up said that he plans to attack NK._

He said absolutely no such thing, and it is rather incredible if people think
this. The US has warned that they will respond, which will end up being a
complaint in the UN.

Just to be clear, North Korea regularly warns the US of nuclear annihilation,
imminent attacks, and so on...and people think the thing that will put the US
over the top is a minor Sony hack?

~~~
throwaway751822
North Korea has a history of only threatening violence, but the United States
has the history of following through. The last time the US said it would
respond "at a time and place of its choosing", I believe it decided to invade
Iraq and Afghanistan, did it not?

------
pdabbadabba
The analysis is interesting, but I don't understand how it undermines the
FBI's claims. He looks at each IP and exclaims, "This could have been used by
anyone!" But we already knew that, didn't we? The claim is not that these IPs
are used exclusively by North Korea. The claim is that there is a suspicious
overlap between the IPs used in this attack, and others used by North Korea in
the past. If these were the _only_ bad actor/compromised IPs out there, then
maybe this would not be so surprising. But there are many many of them, so it
would be coincidental, to say the least, if this attack and prior North Korean
attacks just happened to use the same IPs, if North Korea is not involved (or,
another possible explanation, if the same tool is not involved as in prior
attacks by North Korea).

~~~
jamesbrownuhh
The nature of the Internet is that many resources will be used globally. It
should not be surprising that a few well-known open proxies would be used by
bad actors of any nationality - the fact that (Nation State X) was accused of
using (globally accessible resource Y) in the past does not in any way mean
that resource Y is used ONLY by State X, so the use of resource Y is quite,
quite unsuitable as a means of identifying anyone.

~~~
pdabbadabba
I think what we would need to know, in order to determine the strength of this
evidence, is how many total IPs North Korea is known to have used in previous
attacks, and how many total were used in this one. I.e., how closely
correlated is prior NK use with an IPs use in this case.

If only a handful were used on both occasions, and the overlap is significant,
then we have some fairly interesting evidence. But if, on one or more
occasions NK used _hundreds_ of IPs, and there are a handful in common between
those two sets, then there's really nothing to see. I've had the impression it
was the former, but perhaps I'm mistaken. Does anyone have an answer?
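
The question in the post above (how surprising is the overlap, given how many IPs each side used and how many candidate addresses exist) is the kind of thing worth computing rather than eyeballing. The block below is an added example, not code or data from the original thread, the linked analysis or the FBI statement. The address lists are constructed from RFC 5737 documentation ranges, and the "universe" (the number of known open proxies / compromised hosts an attacker could plausibly have picked from) is an assumed parameter that the reader has to supply; the example is written to show how strongly the answer depends on it.

```python
"""Added example (not from the original thread): weigh an IP-address overlap
between "prior attacks attributed to X" and "this attack" as a hypergeometric
coincidence test.

All addresses are constructed (RFC 5737 documentation ranges) and the universe
size is an assumption, not a measured quantity.
"""
import ipaddress
import math

# Constructed indicator lists; they are NOT the addresses from the Sony case.
PRIOR_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.5", "203.0.113.6"]
ATTACK_IPS = ["203.0.113.5", "198.51.100.7", "192.0.2.99", "203.0.113.200", "198.51.100.8"]


def _normalise(ip_strings):
    """Parse a list of IP strings into a set of address objects.
    Malformed entries raise ValueError rather than being silently dropped,
    since a typo in an indicator list would otherwise hide an overlap."""
    return {ipaddress.ip_address(s.strip()) for s in ip_strings}


def shared_addresses(prior_ips, attack_ips):
    """Return the addresses present in both lists, sorted, as strings."""
    common = _normalise(prior_ips) & _normalise(attack_ips)
    return [str(a) for a in sorted(common, key=lambda a: (a.version, int(a)))]


def hypergeom_tail(universe, prior_set, attack_set, overlap):
    """P(|A ∩ B| >= overlap) when A and B are drawn independently and uniformly
    from `universe` candidate addresses with |A| = prior_set and |B| = attack_set
    (upper tail of the hypergeometric distribution). This is the probability of
    seeing at least this much overlap purely by chance, i.e. if the two sets of
    attacks had nothing to do with each other."""
    if universe < max(prior_set, attack_set):
        raise ValueError("universe must be at least as large as either set")
    if overlap <= 0:
        return 1.0
    if overlap > min(prior_set, attack_set):
        return 0.0
    total = math.comb(universe, attack_set)
    tail = sum(
        math.comb(prior_set, k) * math.comb(universe - prior_set, attack_set - k)
        for k in range(overlap, min(prior_set, attack_set) + 1)
    )
    return tail / total


def assess_overlap(prior_ips, attack_ips, universe):
    """Intersect the two indicator lists and report how likely an overlap at
    least this large is by chance for the assumed universe size."""
    prior, attack = _normalise(prior_ips), _normalise(attack_ips)
    common = shared_addresses(prior_ips, attack_ips)
    p = hypergeom_tail(universe, len(prior), len(attack), len(common))
    return {"shared": common, "overlap": len(common), "p_chance": p}


if __name__ == "__main__":
    # Same two lists, different assumptions about how many candidate
    # addresses were out there to choose from.
    for universe in (20, 1000, 100_000):
        r = assess_overlap(PRIOR_IPS, ATTACK_IPS, universe)
        print(f"universe={universe:>7}: overlap={r['overlap']} "
              f"shared={r['shared']} P(chance)={r['p_chance']:.3g}")
    # The "hundreds of IPs on each side, a handful in common" scenario from
    # the post: a 5-address overlap between two 300-address sets drawn from
    # 1000 candidates is essentially guaranteed, so it carries no weight.
    print("300 vs 300 from 1000, >=5 shared:",
          f"{hypergeom_tail(1000, 300, 300, 5):.3g}")
```

The function reports a chance probability, not a probability that a given actor is responsible: it says nothing about whether the addresses are open proxies that anybody can use (the point made elsewhere in the thread), only whether the overlap itself is unusual under the stated universe size. Two readings of the same two lists can therefore swing from "noteworthy" to "expected" simply by changing that one assumption, which is why the universe size is the number one would want the FBI statement to have quantified.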

------
fpp
Have all of those IP addresses published as related to the hack been marked as
dirty by Spamhaus et al. before or after the hack? The dates shown in the post
are 20-Dec etc., i.e. after the hack was published.

~~~
emcrazyone
Everyone seems too focused on source IP address which any solid IT person can
tell you can be hijacked. Even the phone home IPs can be obfuscated but it
seems awfully suspicious they all belong to net blocks going to NK if I'm
understanding things.

~~~
jamesbrownuhh
But according to this, all the phone home addresses are generic open proxies
that have been well publicised across the Internet and already abused for
quite some time. None of the proxies listed appear to be in NK, and (to date)
no evidence that NK IP addresses were on the other end of those proxies at the
time.

It's a bit like saying "the attackers used malware which made DNS queries via
the IP address 8.8.8.8, which has been used by NK in the past" - if anyone
were really building a case on that key evidence, they should prepare to be
laughed at.

~~~
emcrazyone
Thanks @jamesbrownuhh where did you get that detail about the phone home
proxies?

------
classicsnoot
I am fairly certain this will raise the ire of many people, but as I am stuck
watching TV news [1/10 do not recommend] I feel it must be discussed. The
discussion in the mainstream appears to have moved past the 'if/maybe' stage
and plowed directly into the 'wail/punish' stage. I am growing slowly yet
certainly more livid as I watch a lawyer for Sony laud the FBI's technical
acuity as he states declaratively that this is a de facto assault on the US
Gov't., the Economy, and the American way of life. I thought Sony was a
Nipponese Corporation. I thought private property was the responsibility of
the party that owns it. I am not trying to sound like a Truther loud mouth,
but this whole thing just screams False Flag. The way the US Govt is acting,
you would think the power grid had been seriously compromised. Who,
specifically has been harmed by this intrusion, and to what extent were they
harmed?

~~~
hnnewguy
> _but this whole thing just screams False Flag_

When you're a hammer, everything looks like a nail.

Sony is trying to blame others for their security incompetence. The US is
posturing with "We don't tolerate this."

Nobody really cares and nobody is going to war because Sony had their emails
and some media stolen.

------
jamesbrownuhh
What's the betting that the FBI's "similarities in specific lines of code" is
similarly weak and so generic as to be rather less than the smoking gun that
they seem to think it is?

------
ck2
If it really was North Korea, wouldn't they need a shedload of help from
China?

I mean it is inexpensive to develop an exploit hacking team but they would
need training and the only two obvious sources would be China and South Korea
and I cannot imagine South Korea doing it willingly.

This all reminds me of how in 1993 that TV show SeaQuest was predicting
countries assassinating other "elite hacking teams" - seemed crazy then.

------
mootothemax
_See now all of these IP’s could be used by just about anyone_

Doesn't that indicate that they're perfect for (ab)use by anyone, since
they're not linked directly to a single entity?

I don't see why it's outside the realms of possibility that e.g. North Korea
always uses the same pool of "dirty" servers to launch their attacks.

------
nhebb
> For example, the FBI discovered that several Internet protocol (IP)
> addresses associated with known North Korean infrastructure communicated
> with IP addresses that were hardcoded into the data deletion malware used in
> this attack.

The biggest surprise was the IP address traced to NY. Why wouldn't the FBI
seize this system?

~~~
mox1
If some unwitting 3rd party was hacked and used in a crime, you can't just go
over to their house or business and "seize" their property.

When the criminals on cops run through your back yard, do the cops turn the
inside of your house into a crime zone? Obviously, no. Even if the bad guy
runs inside your garage, they are not confiscating your car, lawn mower, etc.

Contrary to popular belief on HN here, police / FBI don't just seize
everything whenever they want. It requires warrants and probable cause. Good
luck getting a judge to sign a warrant to seize a victims computer...not going
to happen.

~~~
palmer_eldritch
An IP address associated with a cyber attack, is more like someone stealing
your car and using it to hit a bank than someone running through your backyard
to escape the cops.

And if someone went through your backyard or your garage while trying to
escape from the police, the cops might want to look in your backyard or garage
to see if the 2 Kg of heroin he was supposed to carry or the gun he used to
shoot at them while fleeing didn't end up there.

------
junto
I seem to remember rumours of huge put options placed against airlines shortly
before 9/11.

The FBI should be looking at similar events for Sony. Greed is always
something that you can count on.

~~~
MichaelRender
Here are Sony's options on Nov 3, 2014. Open Interest for Puts is in magenta.
Note that the $17 Strike for January has an Open Interest of 17.6K:
[http://i.imgur.com/OmglyLl.png](http://i.imgur.com/OmglyLl.png)

Here are Sony's Options on Nov 25, 2014, the day after the hack. Note the same
$17 put has actually lost a little Open Interest. No conspiracy here.
[http://i.imgur.com/dCRcvX9.png](http://i.imgur.com/dCRcvX9.png)

Caveats: This was done with the US traded instrument (SNE). I don't have
access to the Japanese exchange. Open Interest is reported after the day it is
generated and reflects the secondary market of the previous day.

------
scardine
My lame cartoon about this affair:

[https://github.com/scardine/random-writings/blob/master/text3452.png](https://github.com/scardine/random-writings/blob/master/text3452.png)

~~~
thret
I have many fond memories of the BOFH.

