
FBI Director: Sony’s ‘Sloppy’ North Korean Hackers Revealed Their IP Addresses - headcanon
http://www.wired.com/2015/01/fbi-director-says-north-korean-hackers-sometimes-failed-use-proxies-sony-hack/
======
SwellJoe
I want to believe. But, there's such a history of deceit from our government,
when there is a political motivation. I honestly don't understand why they'd
be lying in this case...but, well, Iraq and years of torture at Guantanamo
didn't really make sense to me, either. I don't _think_ there is anyone
gunning for war with North Korea (well, Northrop Grumman and Halliburton
probably are, but I don't believe our state is entirely owned by the defense
industry anymore, as it was during the Bush years). So, what's the motivation,
if the FBI _is_ misleading people?

The thing is, I'm entirely willing to believe North Korea would _like_ to have
this kind of capability, and if they do have this kind of capability (which
they might), I'm entirely willing to believe that they would use it broadly
and aggressively. North Korea is led by angry, crazy, people. But, the early
communication about the attack does not match that of a nation state, and
there's no reason for them to have tried to pretend to be a random blackmail
organization that I can imagine.

In short, an IP is not a smoking gun. I worry that the FBI is taking advantage
of people's lack of understanding of technology in order to push a story that
is politically convenient, but factually shaky. I mean, I hope they aren't
intentionally misleading people, I just don't necessarily trust that they
wouldn't if there were motivation to do otherwise.

~~~
Rooster61
I don't think the motive would be to start a war with DPRK. What I am afraid
of is the use of this incident as "evidence" that our nation needs more
"cybersecurity". This could help pass legislation previously blocked by
congress due to insufficient evidence. There isn't much of a leap from
declaring war on terrorism to declaring war on cyberterrorism, and we all know
how that went.

I know my tin foil hat is showing, but it's a creepy possibility nonetheless,
and is in no way distant from Washington's past antics.

~~~
shillster
Tin foil hat or wool over your eyes... It's one or the other.

~~~
knd775
Eh, not really.

------
ddod
Could someone explain how they would know that the IP "used exclusively" by NK
wasn't a proxied IP but in fact the "real" source IP?

Personally, I think just mentioning that part of the evidence came from the
Behavioral Analysis Unit proves that NK's ties to this are definitely shaky.

~~~
drzaiusapelord
Funny, when the IP addresses weren't NKorea, as earlier highly voted HN
articles have told us, it was proof that it wasn't NKorea. Now that they do,
it's somehow further proof that it wasn't N Korea.

I understand knee-jerk anti-US comments are karma gold here, but I don't think
you guys realize how ridiculous you sound to the rest of us. I think it's
pretty difficult to arm-chair analyze this stuff and come out with a
definitive answer, especially considering a lot of this stuff will never be
declassified, but the Alex Jones-like conspiracy thinking here really brings
the discourse down to a reddit-like level.

Purely from an Occam's razor perspective, the country that attacked this film
and warned of consequences if released (consequences that actually happened)
is probably at fault here. This analysis of how it must have been anyone but
NKorea, especially considering NKorea's reputation, is highly questionable to
the unbiased observer.

~~~
politician
First, mentioning Occam's Razor isn't really helpful in realpolitik
discussions and certainly not helpful in discussions involving DPRK since they
are well-known irrational actors. Occam's Razor only states that the scenario
with the fewest assumptions is likely correct. That isn't really useful when
your scenario involves an unpredictable state actor.

Second, if you need to set up a fall guy, then implicating a nation state as
historically secretive, aggressive, and isolated as the North Koreans is
actually a pretty good idea.

"Do something bad and blame the weird kid" isn't a new idea.

I don't know who did it, but both arguments seem plausible.

~~~
woodman
The assumption that the DPRK is an irrational actor would actually be handled
just fine under Occam's Razor, it is simply an additional variable in the
hypotheses.

------
rilita
"They revealed their IP address"

How many technical experts do we need to explain that IP address is not proof,
especially when many random IPs and proxies are involved.

Suppose I am a hacker who wants it to seem like NK did it. I use a bunch of
random proxies, and I use a couple of machines IN NK that I previously hacked
into (adding time delays to all commands I send to these). I do stuff
through these machines a bunch, making sure to connect to them and set up all
the seeming commands ahead of time, and I let it happen. -wham- "proof" that
I'm from NK and am an idiot suddenly realizing I forgot to use the proxy.

I agree with the hackers. FBI are idiots. (Not the first time I've noticed
they are idiots either; they also were very stupid when dealing with myself as
a hacker, imo.)

~~~
cpeterso
Exactly. How does the FBI distinguish between a hacker in NK and a hacker
going through a proxy in NK?

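The question above, what separates an origin from a mere hop, can only be answered with data from the far side of the suspect machine: the victim's logs show the last hop and nothing else. As an added illustration (not code from this thread, and not anyone's disclosed method), the Python below correlates constructed NetFlow-style records as they would be collected on a hypothetical relay host or its upstream router. An inbound connection that is followed shortly by an outbound connection to the target, with byte counts that agree in both directions, marks the box as a relay rather than the origin. The addresses (RFC 5737 documentation ranges), the relay/victim/operator roles, the timings and the byte counts are all assumptions.

```python
"""Flow correlation at a suspected relay host.

Added example, not code from the thread or from any investigator. It assumes
you hold NetFlow-style records taken on the suspect box itself (or at its
upstream router): only then can the inbound hop be matched against the
outbound hop to the victim. Addresses are RFC 5737 documentation ranges and
every record below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    start: float      # connection start, seconds on a constructed clock
    src: str
    dst: str
    fwd_bytes: int    # bytes src -> dst
    rev_bytes: int    # bytes dst -> src


RELAY = "192.0.2.10"          # hypothetical address of the suspect host
VICTIM = "203.0.113.7"        # hypothetical target
OPERATOR = "198.51.100.23"    # hypothetical upstream hop (the real origin)

# Constructed records, as the relay's own collector would see them.
SAMPLE_FLOWS: List[Flow] = [
    Flow(1000.0, OPERATOR, RELAY, 4200, 900),    # operator -> relay
    Flow(1000.4, RELAY, VICTIM, 4100, 880),      # relay -> victim, 0.4 s later
    Flow(1500.0, "192.0.2.55", RELAY, 120, 90),  # unrelated traffic to the relay
    Flow(2000.0, RELAY, VICTIM, 3000, 600),      # no inbound twin at all
    Flow(2600.0, OPERATOR, RELAY, 9000, 1500),   # operator -> relay ...
    Flow(2660.0, RELAY, VICTIM, 8900, 1450),     # ... forwarded after a 60 s delay
]


def _similar(a: int, b: int, tolerance: float) -> bool:
    """True when two byte counts agree within a relative tolerance."""
    return abs(a - b) <= tolerance * max(a, b, 1)


def correlate(flows: List[Flow], relay: str, window: float,
              tolerance: float = 0.10) -> Dict[Flow, Optional[Flow]]:
    """Map each outbound flow from `relay` to the inbound flow it most likely
    forwards, or None when nothing inbound matches.

    A match needs: the inbound flow ended at the relay, it started at most
    `window` seconds before the outbound flow, it did not come from the
    outbound destination, and both byte counts agree within `tolerance`.
    The closest inbound flow in time wins.
    """
    inbound = [f for f in flows if f.dst == relay]
    result: Dict[Flow, Optional[Flow]] = {}
    for out in flows:
        if out.src != relay:
            continue
        best: Optional[Flow] = None
        for inn in inbound:
            lag = out.start - inn.start
            if lag < 0 or lag > window or inn.src == out.dst:
                continue
            if not (_similar(inn.fwd_bytes, out.fwd_bytes, tolerance)
                    and _similar(inn.rev_bytes, out.rev_bytes, tolerance)):
                continue
            if best is None or lag < out.start - best.start:
                best = inn
        result[out] = best
    return result


def classify(flows: List[Flow], relay: str, victim: str,
             window: float) -> List[str]:
    """Label every relay -> victim flow as relayed (naming the upstream
    source) or as having no inbound twin, as far as these records show."""
    labels = []
    for out, upstream in correlate(flows, relay, window).items():
        if out.dst != victim:
            continue
        if upstream is None:
            labels.append(f"{out.start:.1f}: no inbound twin within {window:g}s")
        else:
            labels.append(f"{out.start:.1f}: relayed from {upstream.src}")
    return labels


if __name__ == "__main__":
    # A 5 s window catches the prompt relay but misses the delayed one ...
    print("\n".join(classify(SAMPLE_FLOWS, RELAY, VICTIM, window=5)))
    # ... while a 120 s window catches both.
    print("\n".join(classify(SAMPLE_FLOWS, RELAY, VICTIM, window=120)))
```

Widening the window to catch the deliberately delayed relay also widens the pool of coincidental matches, so byte-volume agreement has to carry more of the weight. The converse does not hold either: an outbound flow with no inbound twin is not evidence that the box is the origin, because commands staged on the machine in advance, as the comment above describes, leave no inbound twin at all. Without records from the suspect host or its upstream, none of this is possible and the victim-side log shows only the last hop.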
------
roywiggins
I assume they're this confident because the NSA is snaffling up every 1 and 0
that comes in and out of NK. It would explain both their confidence and
reticence to explain why.

~~~
esmi
There are also nontechnical ways to attribute the attack to North Korea. For
example a human informant inside North Korea which they did not want to reveal
could provide quite solid information.

But it appears we will never know the source of their confidence.

------
AlyssaRowan
I've said my piece about attribution already. There's no new evidence I've
seen (and there is not likely to be). I remain sceptical: Comey and especially
Clapper aren't exactly what I'd call reliable sources. But they seem to have
made their minds up, and that argument just goes round in circles. (The amused
may wish to check out [http://sony.attributed.to/](http://sony.attributed.to/)
and reload the page a few times.)

I'm concerned about where this rhetoric is heading, for several reasons. One
reason is that I _know_ this evidence absolutely can be faked: one
particularly good tool to fake it is called QUANTUMSQUIRREL. They aren't the
only people who can build tools like that: doesn't even take a high budget.
And the same people who built QSQRL, have built other systems which
automatically respond with high-budget malware when they think they're being
attacked.

I think we all know what happens in that endgame: the only winning move is not
to play. But numerous countries, and non-state actors, are already playing it
- if the FBI is to be believed, even psychotic despotic ones with relatively
small budgets.

I want to get off Mr Comey's wild ride; but how? Technically, we can build
stronger network protocols, write bug-free software... every bit as hard as it
sounds, but we can try our best.

What can we do politically? Given how incredibly dangerous this could get,
perhaps a treaty banning 'cyberwar' or 'cyberespionage' would be a good idea.
(While we're at it, can we ban the use of 'cyber'? It sounds utterly
ridiculous.) But the intelligence and law enforcement agencies already doing
this would get very pouty at the prospect of their toys being taken away.

It's all very disappointing. Anyone got any bright ideas?

~~~
tmzt
There have been discussions of treaties banning "cyberwar" already. It seems
counterproductive. I assume it would be preferable to someone in Seoul that
they were attacked through digital means than with conventional weapons. They
might lose access to their bank accounts for a while, but they won't have
their homes destroyed or family killed.

Asymmetric warfare of all kinds has two sides to it, it's part of the
definition of asymmetric. The low capability party has to attack
asymmetrically, but the high capability party can respond with much greater
and effective force. In most cases, we are the high capability party.

This "new" concept of cyber-warfare is really a way of saying conflict through
the use of digital networks, but in a way that is distinguishable from
network-centric or electronic warfare which are two different things. It is
also asymmetric in the sense that it enables a low capability party to attack
a high capability party with a much smaller investment than a strategic attack
through other means would require. (Leaving out "terrorist-style" attacks
using small arms or devices for the moment, which are not usually strategic.)
It also means that a high capability party may not have an adequate defense
against this type of attack, no matter how much they might invest in
passive/defensive security. One weakness in enough systems is enough to
massively increase the effectiveness of the overall attack.

To respond to your second point, the overuse of "cyber-" is nauseating, and I
personally restrict it to the use I mentioned earlier, which is a means of
differentiating it from network-centric or electronic warfare.

A financial institution issuing press releases talking up their "cyber-
security" means as little as their marketing copy mentioning their use of
"industry-grade SSL encryption." A proper disclosure would get into password
policies for internal systems as well as customer accounts, what hashing
algorithm they use to protect customer account passwords in their system, and
other details that would give testimony to their capabilities in securing
their own systems.

This is somewhere where Google and Chrome can do a lot of good, giving us more
than EV certificates and use of higher bit and stronger hash algorithms on CA
certs as feedback in the browser. The next step could be a (cryptographically)
signed affidavit of the internal security measures in place, which could be
scored and used as a part of the determination of what feedback to show in the
browser UI.

It might also make sense for Chrome to conduct a rudimentary scan of the home
router for these kind of obvious issues, or maybe for Google or someone else
to offer an inexpensive secure router, though too many of these are provided
by the ISPs now.

Anyway, I'll leave it the cyberexperts to share their cyberknowledge about
cyberwarfare and cybersecurity about how to prevent cyberviruses and other
malware to those of us who are less cybersavvy, or, in the words of more than
one newscaster, barely know how to turn on their computer.

------
tokenadult
I thought about prior plausibility of the statement that actors for the North
Korean regime would lack technical chops, and then I remembered the first
North Korean nuclear weapon test.[1] A source I remember looking up after
reading a Hacker News comment a year or two ago points out that the explosive
yield from that test was very small, and I see that the Wikipedia article on
the topic[2] reports the issue that way. Sometimes the North Korean regime
intends to do something skillfully but screws up. I sure wouldn't want to be a
smart person living under that regime, and there may be either intentional
sabotage of some of their efforts (this has happened in plenty of other
dictatorships before, by deeds of dissenters) or the best people they can find
to carry out their hacks are not very 1337 hax0rs.

[1] [http://www.nti.org/country-profiles/north-korea/](http://www.nti.org/country-profiles/north-korea/)

[http://www.nytimes.com/2006/10/09/world/asia/09korea.html](http://www.nytimes.com/2006/10/09/world/asia/09korea.html)

[http://www.theguardian.com/world/2006/oct/09/northkorea](http://www.theguardian.com/world/2006/oct/09/northkorea)

[2]
[https://en.wikipedia.org/wiki/2006_North_Korean_nuclear_test](https://en.wikipedia.org/wiki/2006_North_Korean_nuclear_test)

------
xnull1guest
Regardless of whether FBI is lying (I believe they are telling the truth in
broad strokes) here are reasons to implicate NK (when both Russian and Iranian
signatures were present in the malware):

- Instability in NK means instability in China

- NK is a nuclear power and rapidly rising as a country on the world stage
(according to CIA director Panetta)

- Russia's sharing of hypersonic missile technology with North Korea
heightens already mounting global nuclear tensions

- Temporary division of Korea was set up by US and allies as a result of WWII
- it was slotted for reintegration within a few years but Cold War tensions
blocked cooperation between the nations required to achieve this; meaning:

a.) North Korea has never been recognized by the US as a 'legitimate' state to
begin with

b.) The Korean War was fought for and activity in the area continues to be of
proxy interest to greater geopolitical goals

- Cooperation between SONY, RAND corporation and the State Department on the
development of "The Interview" (and the gutting of the Smith-Mundt Act at the
time this cooperation began) lends favor to the narrative that the film is a
"Diplomacy Product" of the US State Department and that North Korea was the
target to begin with

- The United States is engaging in a mammoth amount of effort to establish
international norms for cyberattacks and needs to show proactivity in this
area

~~~
tmzt
I'm not sure whether that statement came from DCI Panetta or the illustrious
KCNA, but "rising on the world stage" sure sounds closer to the latter.

------
timebomb
The FBI has already made it quite clear that they're trying to use these
accusations as evidence that the US needs to be afraid of cyber attacks.

I've seen a lot of people wonder this, but they flat out state it in an
official statement on their website:

"Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of
the gravest national security dangers to the United States."

[http://www.fbi.gov/news/pressrel/press-releases/update-on-so...](http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation)

Second to last paragraph, second sentence.

------
kjs3
"Terrorist attack" straw-man used to justify attacking an unrelated state
target we happen not to like. Government officials appearing on complacent
media outlets to beat the drums and persuade the populace that "they have
conclusive evidence" and "retaliation is required to protect the country".

This ended so well last time we did it.

~~~
wyager
Yes, it's funny how it's a "terrorist attack" when a country we don't like
does the same things we do. The most prominent recent example of the US (and
Israel) carrying out an attack like this is Stuxnet.

~~~
mason240
One targeted a civilian organization, the other targeted a government
installation (one could even make the case it was a military target). It's not
hard to understand why some people would give one a "terrorist" label but not
the other.

~~~
xnull1guest
Haven't private corporations been hacked by the US also (Brazilian PETROBRAS)?

[https://firstlook.org/theintercept/2014/09/05/us-governments...](https://firstlook.org/theintercept/2014/09/05/us-governments-plans-use-economic-espionage-benefit-american-corporations/)

Given the first Geneva article placing private targets within international
convention if they are of military interest (including media and broadcast
services), and SONY's cooperation with the State Department in producing "The
Interview", might SONY then qualify under international law?

[http://en.wikipedia.org/wiki/Legitimate_military_target](http://en.wikipedia.org/wiki/Legitimate_military_target)

~~~
csandreasen
Petrobras is hardly a private corporation - the Brazilian government is the
majority shareholder[1]. What was done to Sony is entirely different as well -
this was a clear effort to cause damage to them, not a means to gather
intelligence.

Per your own link, broadcast services are only legitimate targets for attack
under the Geneva Conventions if they are of fundamental military importance.

[1]
[http://peakenergystrategist.com/archives/tag/petrobras/](http://peakenergystrategist.com/archives/tag/petrobras/)

~~~
xnull2guest
Petrobras is very close to 50% owned by the public, but okay. There's plenty
of other examples including the IT systems of various private firms around the
world, Stellar, Cetel, IABG, Huawei, Deutsche Telekom, even some multinational
companies based in the US.

> What was done to Sony is entirely different as well - this was a clear
> effort to cause damage to them, not a means to gather intelligence.

100% agree. It is very different and establishing boundaries here is an
important keystone to US cyberwarfare norm efforts. Unlike other posters I
would separate sabotage from 'corporate doxxing' - Stuxnet then is very
different.

> broadcast services are only legitimate targets for attack under the Geneva
> Conventions if they are of fundamental military importance

Which depends on the perspective - as the State Department was involved with
SONY in the development of "The Interview" and the US is well known for
international propaganda, I could well understand if another nation state
considered the private company partners to be an extension of fundamental
military importance (and certainly the US considers it a keystone of
international efforts and calls it "Psychological Warfare").

------
jdalgetty
Do we believe this?

------
Zigurd
Well that would make it a slam dunk.

