

More from the Sony Pictures hack - rolux
http://fusion.net/story/30850/

======
aaron695
This article isn't great. The data is from Sony. I guess if fusion is a news
site they need to 'confirm'. But it's impossible for the data to be anything
else. I've never seen one faked spreadsheet, let alone millions.

The leaked data so far is in a 35 gig multipart rar. The list of files only (no
directories or metadata) is 400 meg -> 1 gig uncompressed. Both are on PB.

The NK angle seems to be there were Korean comments in the malware. But there's
also a theory it was insiders angry about the restructure.

The hackers were using the Sony PlayStation network to seed these latest
torrents. I.e. they still had some control days later.

This sort of thing is pretty hard to stop. Security kills productivity, you
won't be rewarded for lowering output with no proof you did anything useful,
that's the nature of the issue.

Limits on stolen data in the old days were more about getting it out, not
security. With the huge pipes in and out these days this will become more
common. The only thing stopping people doing this everywhere currently is they
can't be bothered.

[edit] This is also a good lesson on why you should never put anything in
writing you don't want everyone to know.

~~~
nkozyra
> This article isn't great.

Could have stopped there. This is just a list of a couple of key points in the
data with pretty banal reactions. And if it's the most interesting parts of
the data then it's not all that exciting.

Just feels like someone wanted to strike while the iron was hot.

------
kyboren
China, Russia, Iran--now _North Korea_ is the "cyber boogeyman"? Attribution
is an incredibly difficult problem. Color me skeptical. Does anyone know where
the rumors of North Korean direction started?

Any explanation below seems more likely to me than it really was a North
Korean operation (yes, pure rank speculation):

1) it was made up by Sony to make them look somehow less incompetent†,

2) it was made up by some media organization to drive clicks, or

3) the initial investigation revealed suspicious activity from IPs in/linked
to North Korea--which could, among other explanations, just mean the attacker
owned their boxes and launched attacks from there

† ...And boy does their image need improvement! The attackers were supposedly
able to exfiltrate a rumored 100TB of extremely-sensitive corporate data
before anyone noticed?! After the rootkit fiasco, the epic SOE break-in, and
now this--I can't imagine anyone wants their data anywhere _near_ Sony's
networks (nor, perhaps, Sony's software anywhere near _their_ networks).

~~~
smtddr
So, I'm totally with you on all these foreign-boogeyman stories but this one
is a bit different:

[http://www.bbc.com/news/world-asia-30283573](http://www.bbc.com/news/world-asia-30283573)

> _"When asked if it was involved in the attack a spokesman for the North
> Korean government replied: "Wait and see."_

EDIT: To be clear, I am aware NK likes to look tough and can totally be taking
credit for something they did not do. It's just that ominous replies like the one
this spokesman gave make it appear slightly less boogeyman'ish as compared to how
the media loves implicating China & Russia in every cyber-attack story without
bothering to inform the general public about stuff like proxies.

~~~
aaronem
Consider the amount of time, money, and effort North Korea has invested in
presenting the image of a rabid dog to foreign policymakers, in hopes of
improving that nation's ability to maintain its sovereignty against the
threats it perceives from all sides, and particularly from the United States.
Given that, what else would you expect? Honesty?

~~~
dasil003
Yeah, think about it. Who benefits from the idea that North Korea is behind
this? _Literally everyone_.

Hell, they could even have contributed by donating VPN capacity to leave the
tell-tale footprint or whatever without providing any of the actual talent to
pull off this operation.

------
elseless
After what Sony did to Geohot, I must say that I have zero sympathy for them
(as an organization) here. Obviously, the leak of personal data (SSNs, etc.)
is a different story.

~~~
akersten
See also their rootkited CDs [0]. They lost my respect a long time ago.

[0]
[http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...](http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)

~~~
click170
I'm right behind you in boycotting anything Sony.

It raises the question though, what would it take for a company with a
reputation as tarnished as Sony's to earn back your respect and patronage?

For me, the answer to that is not only maintaining a history of not attacking
your customers (rootkit in CDs), but would also require an established track
record of going above and beyond what other companies do to respect customer
privacy.

Purely as a thought experiment, what would it take for you to reevaluate your
stance on Sony?

~~~
akersten
I kind of see two separate questions here, so I'll answer both.

> [The breach] raises the question though, what would it take for a company
> with a reputation as tarnished as Sony's to earn back your respect and
> patronage?

Certainly it's a hard problem for companies to assure users that their privacy
is being respected, their data is safe, and their products are wholesome. The
common response involving phrases like "we are working closely with law
enforcement"[0] might assuage most laypeople, but this canned answer is not
satisfying for the technical crowd who understand how challenging infosec is.

Unfortunately, operational security is a critical aspect of respecting
customer privacy, and the bar is not very high at many companies where the
standard response is anything less than rebuilding from the ground up.
Obviously, most companies do not do that, even after a severe intrusion. That
is not practical unless your infrastructure allows (cold backups, all
workstations are thin clients or easily flashed, etc.), so there's really no
way to go "above and beyond" other companies in that aspect.

So really, what we are left with is: since we can't trust any given company to
have complete omnipotence and control over its network, especially where many
networks may be covertly compromised[1], what is a company to do from a PR
perspective in order to assure users that doing business with them is no more
harmful than doing business with another company?

If I were faced with this question in a vacuum, I would have to concede that I
couldn't fault Sony for having been hacked - it could happen to any company,
respectable or not. But we're not in a vacuum.

> [Sony's past behavior] raises the question though, what would it take for a
> company with a reputation as tarnished as Sony's to earn back your respect
> and patronage?

Sony is actively hostile to the consumer[2][3] and operationally negligent[4].
Full stop. Quite frankly, these behaviors are inexcusable and it would take a
massive organizational change for me to even consider patronizing Sony[5].
Their attitude towards their customers is completely orthogonal to how a
company should behave - at this point, it's not constructive for me to rant,
so I will spare the rest of my opinion. But when a company is inevitably
compromised and realizes it needs to regain the trust of its customers and
partners, its past will precede it, and in this case Sony's past precludes
forgiveness.

[0] [http://www.businessinsider.com/sony-execs-hack-response-empl...](http://www.businessinsider.com/sony-execs-hack-response-employee-memo-2014-12)

[1] [http://arstechnica.com/security/2014/12/critical-networks-in...](http://arstechnica.com/security/2014/12/critical-networks-in-us-15-nations-completely-owned-by-iran-backed-hackers/)

[2]
[http://en.wikipedia.org/wiki/OtherOS](http://en.wikipedia.org/wiki/OtherOS)

[3]
[http://en.wikipedia.org/wiki/Sony_Computer_Entertainment_Ame...](http://en.wikipedia.org/wiki/Sony_Computer_Entertainment_America_v._George_Hotz)

[4]
[http://en.wikipedia.org/wiki/PlayStation_Network_outage#Unen...](http://en.wikipedia.org/wiki/PlayStation_Network_outage#Unencrypted_personal_details)

[5] I feel that your question may be hitting on "what exactly would that
organizational change have to be?" - if this is the case, I couldn't tell
you. I have no idea who calls the shots at Sony, but a good first start would
be to replace them. I'd also like to see more companies active in areas where
they contribute to open-source ecosystems, have bug bounties, encourage
tinkerers to hack on their hardware and developers to modulate their software,
the list goes on. Really, the answer could be the same as the answer to "What
makes Mozilla different from Sony?", but my answer is starting to read more
like a stream-of-consciousness than a coherent response, so I'll stop here.

------
jfmercer
Weak article. I'd like to see a link to a _thorough_ analysis of the leaked
data.

~~~
egypturnash
According to the top comment on this post at the moment, a file that is
nothing more than _a list of all the files in this dump_ is about one gig,
uncompressed.

I think a thorough analysis of this is going to take a while.

------
danso
I couldn't tell from the OP and the previous story it linked to: is the
spreadsheet of salaries and personal data straight from Sony's servers? Or is
it a cracked database file that the hackers took time to convert to XLS for
easier dissemination? I'm guessing the former, since the screenshots show the
kind of spreadsheets that are lovingly hand-formatted and curated by the
people tasked to maintain them.

It's kind of a fascinating look at how data is clumsily handled within
corporations. I mean, how do they keep everything synced between the sheets
that contain salaries/benefits, severance actions, etc.? ( _shudder_ )

~~~
wellsthrowaway
> It's kind of a fascinating look at how data is clumsily handled within
> corporations. I mean, how do they keep everything synced between the sheets
> that contain salaries/benefits, severance actions, etc.? (shudder)

Email, of course!

~~~
CedarMadness
Companies love to use SharePoint for this. There's decent integration with MS
Office, but it's still a huge pain to use. Usually it involves multiple full
time SharePoint "developers" to make it do what you want.

------
sonyh
I wish the private keys used by the PS4 were part of the leak. Would seem only
right after Sony's behavior when it came to Geohot.

------
calbear81
I'm surprised that Sony didn't increase their defenses when North Korea first
warned them months ago as they were promoting the new movie "The Interview".
Given that North Korea can be a credible threat, it would have made a lot of
sense to beef up security or at minimum increase monitoring.

------
hamitron
Out of sheer curiosity, does anyone have the pastebin link for this? I know it
was taken down, but I'm hoping the Barbra Streisand Effect has taken place.

~~~
Buge
Here's the link (down)
[http://pastebin.com/jncFTMJZ](http://pastebin.com/jncFTMJZ)

Here's an archive of it
[https://archive.today/wqbRP](https://archive.today/wqbRP)

------
mark-r
So the _average_ salary was $119K? I'd love to know what the median is; the
average is probably highly skewed by a few big numbers at the top.

~~~
searine
Yeah, and I'd like to see what the average salary for VFX artists is.

