
Comments on the Sony Hack - CapitalistCartr
https://www.schneier.com/blog/archives/2014/12/comments_on_the.html
======
steven2012
I wish people would stop calling this a hack. It's not a hack, it was
cyberwarfare. I know someone who was working on the team trying to recover
from this attack, and Sony Pictures is basically fucked. Their IT
infrastructure has been utterly destroyed, meaning they can't even pay their
employees, pay their vendors or take orders from customers. They don't even
want to use computers anymore, people call and text now to avoid any sort of
central infrastructure that can be hacked. They had to switch to all-manual
processes, and it will take months or likely years before their infrastructure
is back within some sort of semblance.

But by then Sony Pictures as an entity may no longer exist. From all of the
emails being released ridiculing their own talent, to their employees having
their privacy destroyed and financial accounts hacked, who could work for this
company again?

The thing this attack does is raise the bar as to what to expect. The worst we
had heard until now was credit cards being stolen for quick gains, maybe some
business secrets being stolen. But in my mind it started with lulzsec a couple
of years ago where the attitude was for anarchy and cyberwar. But if the new
trend is for companies to get destroyed, then cybersecurity will go to the
next level where every company has to assume if they get hacked, they will get
destroyed, so it becomes probably even more critical than other business
processes.

~~~
grecy
> _to their employees having their privacy destroyed_

I'm always shocked at how concerned Americans are about the big bad wolf that
is "identity theft". Is it really as bad as everyone thinks?

In all honesty, when your info gets leaked, don't you just cancel every credit
card and bank account, get a new SSN, change your drivers license number,
change your phone number and a few other numbers and move on with your life?

Is it honestly much different than losing your wallet full of cards? (which
must happen to tens of thousands of people in the developed world daily)

Does anyone have direct experience on what "identity theft" is actually like?

(Honest question, I'm not American and I don't understand why it's such a big
deal)

~~~
steven2012
It is virtually impossible to get a new SSN number. Even if you can prove your
identity is stolen and your SSN is being used frequently, you still can't get
an SSN.

I'm a victim of identity theft, and it really sucks. It completely fucks up
your credit, and the credit agencies really don't care about trying to correct
it. It took me several years (admittedly a few extra years because I gave up
until I bought a house) to get it corrected. And even now, the "identity
verification" services that the 3 credit companies offer are fucking me because
they contain old data from my identity thief, so I can't get some credit even
though my credit is outstanding.

So, no, it is not as simple as cancelling your credit cards.

~~~
grecy
Thanks for the post - I've never had information from someone that it actually
happened to.

So, did you actually have to pay lots of money for the crap the thief bought
on your credit? Or did you just wind up with a crappy credit rating but no
debt?

And are you saying the extent of it is you wind up with bad credit for a
really long time and _that_ is what makes it so bad/scary/life altering?

In all honesty, why are people's lives tied so heavily to some credit score?

~~~
rjaco31
'Murica

------
smacktoward
This is the angle on the Sony hack that I find most interesting/troubling/etc.
(from [http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/05...](http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/05/why-its-so-hard-to-calculate-the-cost-of-the-sony-pictures-hack/)):

 _Jason Spaltro, then executive director of information security at Sony
Pictures, called it a "valid business decision to accept the risk of a
security breach" in a 2007 interview with CIO Magazine, adding he would not
invest "$10 million to avoid a possible $1 million loss."_

So basically their thinking was that getting hacked was just the cost of doing
business. Of course, they are now discovering that the cost of a really
serious hack is much higher than they thought it was.

Which makes me wonder if, at some point, we're going to have to have some kind
of controls on who can legally hold personally identifiable information on
their systems and who cannot. Right now pretty much anybody can, regardless of
whether they're competent enough to protect it. And as a result there's a huge
volume of critical information out there stored on systems that are either
poorly secured or whose admins have decided, like Sony's, that the ROI on real
security is too poor to justify having any, which creates a target-rich
environment for hackers to take advantage of.

Attaching serious liability to holding data on systems that aren't secured, or
requiring proof of competency/minimum-acceptable-effort in order to avoid
such, might shift the ROI calculation on security enough to convince even
idiots that it's worthwhile; or, at least, that it's better to outsource
holding the data to someone who knows what they're doing (and is willing to
back that up by accepting liability) than it is to keep everything in-house on
a dusty Windows NT4 box under someone's desk and just cross their fingers.

We already sort of do this sort of thing for financial information, via PCI;
but the universe of "data that could do serious damage if it got loose" is
much larger than that which PCI covers, as this hack demonstrates. So I wonder
how many of these types of giant hacks people will be willing to accept before
they start calling for some kind of protection.

~~~
debacle
I think the only thing you can take from that is that Jason Spaltro is an
idiot. When you have a billion dollar company, there's no such thing as a
million dollar loss. Even the Sony Exchange address book is probably worth
millions to the right people.

~~~
toomuchtodo
> Jason Spaltro, then executive director of information security at Sony
> Pictures, called it a "valid business decision to accept the risk of a
> security breach" in a 2007 interview with CIO Magazine, adding he would not
> invest "$10 million to avoid a possible $1 million loss."

Who even hires these people?

~~~
AceJohnny2
People who don't know better, whose expertise is in other fields?

~~~
toomuchtodo
This is an exec though! If you're hiring for that position you either:

* know what you're doing with regards to hiring

* don't know what you're doing, and are deferring to someone competent to make that hiring decision for you

I now understand why I'm not a CEO.

~~~
AceJohnny2
Alternate proposed requirements:

* an inflated sense of your own value

* competent enough to make other people believe it

Or, as hga proposed:

* be a useful mark to take the fall when it comes

------
click170
I have no sympathy for Sony, but I feel deeply for the honest people who are
just trying to earn a living working there. More so after reading about how
some of them were openly complaining internally about things they saw as
problems - many of these people were trying to make the company better from
within.

I'm torn. On one hand, I want to see Sony the company suffer, but it still
feels unfair to attack and expose the people who work there - the folks who
are just trying to pay their bills.

I wonder at what point it becomes necessary for a person to judge the risk
that joining a company with a questionable history will have on their privacy
and personal security. I think the sad fact is though, in all likelihood Sony
didn't have especially poor security, they likely had moderate to good
security but failed when facing a persistent threat. I get the impression many
other companies (large to small) would have failed a lot sooner.

Is there _anything_ employees can do to protect themselves from these kinds of
breaches? Is the answer to sue our employers who fail to protect this info?

~~~
VieElm
> I have no sympathy for Sony, but I feel deeply for the honest people who are
> just trying to earn a living working there.

I don't understand this statement. Sony is not a person, it's a company
comprised of the people who are earning a living working there. This is true
from CEO down to the temp workers. Did you mean just the executive team? The
employee roster in any company is a state that is constantly shifting as
people leave and join new places. There has been a lot of change in who works at
Sony since 2005. Do you have no sympathy for the people who did not leave
after 2005? Do you have no sympathy for new executives? Like what are you even
saying? Maybe you just dislike all executives and managers.

~~~
dhm
I suspect what he is saying is that people who probably had no visibility into
the state of Sony's security and certainly had no ability to influence it
are unfortunate victims here. While security is difficult to measure and
therefore difficult to manage and improve, it remains the responsibility of
executives to allocate resources against that problem and it is they who
ultimately bear the majority of the blame when the security posture falls
short.

~~~
click170
This.

IMO the higher up the chain you are, the more responsibility you have to
secure the systems you are responsible for.

I feel like it's a perceived lack of accountability (from the perspective of
the hackers) of the executive team that leads to these kinds of leaks. When
they feel they aren't seeing justice - as defined by them - then I think
they're more motivated to do something about it themselves.

------
scotty79
> That we live in the world where we aren't sure if any given cyberattack is
> the work of a foreign government or a couple of guys should be scary to us
> all.

Actually that's absolutely awesome. Especially in the light of what Assange
recently wrote: [http://www.nytimes.com/2014/12/04/opinion/julian-assange-on-...](http://www.nytimes.com/2014/12/04/opinion/julian-assange-on-living-in-a-surveillance-society.html?_r=0)

 _I am more impressed with another of his oracles: the 1945 essay “You and the
Atomic Bomb,” in which Orwell more or less anticipates the geopolitical shape
of the world for the next half-century. “Ages in which the dominant weapon is
expensive or difficult to make,” he explains, “will tend to be ages of
despotism, whereas when the dominant weapon is cheap and simple, the common
people have a chance ... A complex weapon makes the strong stronger, while a
simple weapon — so long as there is no answer to it — gives claws to the
weak.”_

Hacking is a cheap weapon with no answer to it, which was proven over the
recent years, and therefore it is a democratizing force for good against the
tyranny of the powerful.

~~~
mpyne
> Hacking is a cheap weapon with no answer to it

Hacking _does_ have answers (things like DDoS are harder to defend against
though).

However, those answers tend to require significant resource investment (formal
verification, use of software engineering processes that are cost-prohibitive,
etc.). The evil despots and states are much more likely to be able to bring
these resources to bear if need be than the common people.

After all, think back to when cheap weapons were available to all about
equally and there weren't much better weapons available even to the rich... it
was awful. You couldn't even go from one city to the next without being preyed
on by "highwaymen".

Seeing the same thing happen on the Internet (where skilled hackers and _not_
"common people" are really in charge) doesn't seem to be as uplifting to me as
it seems to be for you.

------
santacluster
> They just showed up. They sent the same banal workplace emails you send
> every day

Yeah, no, I have a bit of a problem with this. There is a lot of stuff coming
out of this hack that should never, ever have been on corporate IT systems in
the first place. Stuff that doesn't come out of regular HR data where people
should have a reasonable expectation of privacy and security, but stuff people
have put there themselves.

And I don't think this should ever be considered normal behavior, to use
corporate IT systems to store such private data.

Yes, these people are victims, but I think it sends the wrong message to say
that their own role in this was completely normal behavior. It should be
possible to be critical of this without drifting into blaming the victim
territory, and I'm kind of missing that from the whole Sony hack discussion.

~~~
cyorir
I had an internship at a company where all email was scanned, labeled, and
encrypted based on the type of content in the email. Access to email was
restricted when not using the corporate network. The information policy was
strictly enforced; no personal emails on the network, except when work is
affected (ex: "my relative is getting married, so I'll miss the meeting"). The
net effect of the company's measures would have protected employees from the
situation Sony Pictures employees find themselves in; unfortunately most
companies are not so stringent, so they are vulnerable like Sony Pictures.

I think that, yes, people should not expect privacy on a corporate network,
and yes, people should distinguish corporate from private email. However, the
employee's attitude is impacted by the corporate attitude, and many companies
are not nearly as strict as they should be with information policy.
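
Added example, not part of cyorir's post or anything the company in question ran: a minimal scan-label-encrypt pipeline of the kind described above, where each message is scanned, given sensitivity labels, and its handling (encrypt at rest, allow access off the corporate network, flag personal use) is derived from the labels rather than from the sender's own judgement. The detector patterns, label names, policy table and sample messages are all constructed for the demo.

```python
"""Added example, not from the thread: a minimal scan-label-encrypt pipeline.
Detector patterns, label names, policy table and sample messages are all
constructed for this demo; a production DLP engine uses far richer detectors
and a reviewed policy."""
import re
from dataclasses import dataclass

# Constructed detectors: label -> regex. Card numbers are additionally
# Luhn-checked so an arbitrary digit run (ticket ids etc.) is not mislabelled.
DETECTORS = {
    "pii-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pii-card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "hr-confidential": re.compile(
        r"\b(salary|termination|performance review|medical leave)\b", re.I),
    "personal": re.compile(
        r"\b(wedding|getting married|my (?:kid|doctor|bank)|vacation photos)\b", re.I),
}


@dataclass(frozen=True)
class Handling:
    encrypt_at_rest: bool      # stored copy must be encrypted
    allow_off_network: bool    # may be read from outside the corporate network
    flag_personal_use: bool    # information-policy reminder to the sender


# Constructed policy table; "general" is the default for unlabelled mail.
POLICY = {
    "pii-ssn": Handling(True, False, False),
    "pii-card": Handling(True, False, False),
    "hr-confidential": Handling(True, False, False),
    "personal": Handling(False, True, True),
    "general": Handling(False, True, False),
}


def luhn_ok(digits):
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of labels found in a message, or {"general"}."""
    labels = set()
    for label, rx in DETECTORS.items():
        for m in rx.finditer(text):
            if label == "pii-card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue
            labels.add(label)
            break
    return labels or {"general"}


@dataclass(frozen=True)
class Decision:
    labels: frozenset
    encrypt_at_rest: bool
    flag_personal_use: bool
    access_allowed: bool


def decide(text, on_corporate_network):
    """Combine the per-label rules: the most restrictive rule wins."""
    labels = classify(text)
    rules = [POLICY[label] for label in labels]
    encrypt = any(r.encrypt_at_rest for r in rules)
    off_network_ok = all(r.allow_off_network for r in rules)
    flag = any(r.flag_personal_use for r in rules)
    return Decision(frozenset(labels), encrypt, flag,
                    on_corporate_network or off_network_ok)


if __name__ == "__main__":
    # Constructed sample messages
    samples = [
        "Reminder: team sync moved to 3pm, room B.",
        "My sister is getting married, so I'll miss Friday's meeting.",
        "Process the salary adjustment for employee 123-45-6789.",
        "Expense card on file: 4111 1111 1111 1111",
        "Ticket 1234 5678 9012 3456 for the lab printer.",
    ]
    for s in samples:
        print(decide(s, on_corporate_network=False))
```

The "wedding excuse" message lands in the personal bucket and is only flagged, not blocked, which is the work-affecting exception cyorir mentions; the payroll message carrying an SSN is both encrypted at rest and refused off-network regardless of what the sender intended. The Luhn check on the last sample is the kind of false-positive guard a real classifier needs, or every ticket number becomes "confidential".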

------
joshstrange
Am I blind or does the article linked in relation to the DDOS attack by Sony
not mention DDOS at all?

I did find this: [http://www.zdnet.com/article/sony-strikes-back-at-data-thiev...](http://www.zdnet.com/article/sony-strikes-back-at-data-thieves-tackles-torrent-downloaders/) and this: [http://www.zdnet.com/article/amazon-denies-sony-counterattac...](http://www.zdnet.com/article/amazon-denies-sony-counterattack/) that mention the DDOS attack.

~~~
jamesbrownuhh
Also, am I blind or can ZDnet honestly not tell the difference between their
headline saying that Amazon denied AWS was being used by Sony in a DDOS, and
Amazon's actual statement saying that such an attack was "not currently
happening"?

I am not currently asleep. That does not mean that I was not sleeping earlier,
or that I have never, ever slept.

~~~
bashinator
"We are not currently tapping Angela Merkel's cell phone, nor will we going
forward."

I think the press takes a pass on the obvious follow-up question because they
want to be invited back in the future.

------
RexRollman
Considering that they spread a Windows rootkit and screwed people over in
regards to PS3/Linux, I consider this corporate karma.

~~~
EpicEng
I'm pretty sure Sony pictures had nothing to do with running Linux on your
PS3, but regardless, many people being hurt here are just regular employees,
not executives who made the decisions you/we don't like.

~~~
throwawayaway
the entertainment arm is dominant. to protect the content, they strongarmed
the hardware arm. they had everything to do with it.

~~~
EpicEng
That's a pretty specific claim. Do you have some sort of citation or insider
information to support it, or are you just making assumptions?

~~~
throwawayaway
PS: the majority of the income comes from the games, because developers must
pay Sony to publish a game on their platform. Sony also develops and sells
their own games and services.

Sony Pictures: part of the same org.

i am just making assumptions that because content is where the money is, they
call the shots.

this is my peeve with the entertainment aspect of sony:

[http://www.scribd.com/doc/22131876/Underground-Resistance-vs...](http://www.scribd.com/doc/22131876/Underground-Resistance-vs-Sony-BMG-tobias-c-van-Veen)

i think they make great hardware, but boy do they know how to alienate people.

------
nostromo
Is it legal to DDOS websites that are hosting your stolen documents?

It seems like vigilantism that sets a bad precedent.

------
influx
What's most surprising to me about this attack, is the journalists who are
digging through this illegally gotten material and then creating stories and
spreading the details even further.

That doesn't strike me as the right thing to do.

~~~
k-mcgrady
It's interesting that this is treated differently than the celebrity photo leak
earlier this year. In both cases personal, private information has been leaked
(photos, emails) but for some reason it's ok to post the emails on legitimate
news websites.

~~~
totony
I would argue that this is a very bad analogy. One is only a photo of yourself
(okay, in a setting you might not like, but still just a picture), while the
other is something someone can use to _fuck you up_: put you in financial
trouble, break your credit, your name (see other posts in this thread). This
is in _no way_ like leaked photos.

I agree both might be troublesome, but the level of this leak is incredibly
worse.

------
pistle
The messages from GOP seem more like desperate attempts to not sound like
English first kids. It's awkward in places where maybe a translator service
would use the wrong word, but with language structure for sentences that would
not come from such a tool.

Someone wouldn't structure sentences as they do AND make word mistakes like
they do. The structure is too "good" to make mistakes on terminology. It's
like a bad Chinese accent in a cartoon.

~~~
justaman
GOP are South Korean hackers.

And I base that on absolutely nothing.

------
Scramblejams
I don't see how this sort of thing can be realistically prevented with today's
software. I just don't. Yes, the damage can be limited through better IT
practices, but at some point everyone needs to have access to their relatively
recent email and access to their files germane to their projects, and that
need won't go away. And as long as our laughably porous networks and operating
systems and application software can be penetrated at will by a targeted
attack, those emails and files will be vulnerable.

We need to start over. From the kernel on up. Until then, all we can hope for
is band-aids like Qubes. And after we get there, we'll mostly have the
hardware to fear. Not sure how addressable that part is, but it would be
better than where we are now.

~~~
perlgeek
> We need to start over. From the kernel on up.

We need to start over. From the language that the kernel is written in, for
starters.

Doing it all in C sounds like a rather stupid idea, because we tried that
already.

I have high hopes that Rust, and the language that it will inspire, will be a
big help here.

(Yes, I know, you probably can't write the whole kernel in a memory-safe
language, but I guess at least 95% of the current Linux kernel could be.
Probably 99% or more).

~~~
Scramblejams
Yes.

There need to be wholesale architectural changes as well. If there's a
convincing argument that a monolithic kernel can be made secure, I haven't
seen it. Device drivers are simply too dangerous to be running in kernel
space, for example, along with much of the rest of what we usually get in the
kernel (filesystems, TCP and UDP stacks, etc).

No binary should ever be run without the kernel imposing an appropriately
restrictive set of policies on what it can do.

And there needs to be more sophistication in approaching how applications
work. For example, a good argument can be made that binaries shouldn't be
allowed to open their own file handles under most conditions. Your word
processor shouldn't be the one putting up an open dialog and opening anything
you point to in your directory tree because that's how it can be talked into
dumping your entire home directory to a foreign server. It should have to ask
the OS to put that dialog up, and then accept the file handle(s) it's handed
by the OS.

And then there are protocols that are broken by design, which we haven't even
touched on.

Everything, from top to bottom, needs to be rewritten with security in mind.
Not sure how that could realistically happen, unfortunately.
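
Added example, not from Scramblejams' post or any real OS: the "ask the OS to put the dialog up, then accept the handle" pattern reduced to two processes. A trusted broker owns the open dialog (a constructed allow-list stands in for the user's choice), opens the file itself and passes only the descriptor to an untrusted worker over a Unix socket; the worker never receives a path and never calls open(). The broker, worker, file names and allow-list are all constructed for the demo; it needs a Unix-like OS and Python 3.9+ for socket.send_fds/recv_fds.

```python
"""Added example, not from the thread: capability-style file access.
A trusted broker opens the file the user chose and hands the untrusted
worker a descriptor; the worker has no path and no open() call.
Unix only, Python 3.9+ (socket.send_fds / socket.recv_fds)."""
import os
import socket
import tempfile


def worker_main(conn):
    """Untrusted side: receive one descriptor, read it, send the bytes back.
    Note there is no path and no open() anywhere in this function."""
    _, fds, _, _ = socket.recv_fds(conn, 1024, 1)
    with os.fdopen(fds[0], "rb") as f:
        data = f.read()
    conn.sendall(data)
    conn.shutdown(socket.SHUT_WR)


def broker_open(path, allowed):
    """Trusted side, i.e. the 'open dialog'. Refuses anything the user did not
    choose (simulated by the allow-list), otherwise opens the file read-only,
    hands the worker the descriptor and returns what the worker produced."""
    if os.path.realpath(path) not in allowed:
        raise PermissionError("not granted: " + path)
    parent, child = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        parent.close()
        try:
            worker_main(child)
        finally:
            os._exit(0)
    child.close()
    fd = os.open(path, os.O_RDONLY)          # opened after fork: only the
    socket.send_fds(parent, [b"file"], [fd])  # passed copy reaches the worker
    os.close(fd)                              # broker drops its own copy
    chunks = []
    while True:
        buf = parent.recv(4096)
        if not buf:
            break
        chunks.append(buf)
    parent.close()
    os.waitpid(pid, 0)
    return b"".join(chunks)


def demo():
    """Constructed inputs: one file the user 'chose', one they did not.
    Returns (bytes the worker read, whether the other file was refused)."""
    d = tempfile.mkdtemp()
    chosen = os.path.join(d, "report.txt")
    other = os.path.join(d, "not-chosen.txt")
    with open(chosen, "w") as f:
        f.write("quarterly numbers\n")
    with open(other, "w") as f:
        f.write("something the worker has no business reading\n")
    allowed = {os.path.realpath(chosen)}
    got = broker_open(chosen, allowed)
    try:
        broker_open(other, allowed)
        denied = False
    except PermissionError:
        denied = True
    return got, denied


if __name__ == "__main__":
    print(demo())
```

What the shape buys you is that the worker's authority is exactly the set of descriptors it was handed, so a compromised worker cannot walk the home directory on its own. The example only demonstrates the handle-passing; it does not stop the worker process from calling open() itself, which in practice is enforced by an OS sandbox around the worker (seccomp filters on Linux, pledge/unveil on OpenBSD, or an MAC profile) that denies path-based opens while leaving read/write on inherited descriptors alone.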

------
spacefight
I really have no idea why they keep unreleased feature films not on an
airgapped network before the release date.

~~~
mprovost
There are a lot of other companies that need access to those films. For
example, the people doing subtitles, or printing the film, or doing digital
distribution. I doubt the systems that stored these movies were hacked
directly, but once the password files leaked out from the main attack they
were simply downloaded from their distribution servers. That's why there
haven't been any leaked work in progress films, because they are being worked
on from airgapped networks. It's only when a film is close to release that it
is put on a system connected to the internet so that it can be distributed to
partner companies.

~~~
waterlesscloud
I wonder. Dailies get passed around to execs, so you'd think those would have
been stolen as well. Maybe Sony has a system for that that's airgapped, but I
kinda doubt it.

------
BillFranklin
Another reason for companies to start using zero-knowledge systems
[http://www.theguardian.com/technology/2014/jul/17/edward-sno...](http://www.theguardian.com/technology/2014/jul/17/edward-snowden-dropbox-privacy-spideroak)

------
eyeareque
I feel bad for the Sony employees that are affected... but I can't help but
think that attacks like this just give me more job security.

------
Michaelbellamy
If companies like Sony would hire seasoned engineers like me, instead of new
young college graduates then they would never be hacked.

------
hisabness
where can one read these emails?

------
debacle
No one should have any expectation of privacy for anything they put on the
Internet. Privacy is something you have to work for, and unless you have those
controls (PGP, encryption at rest) in place, privacy doesn't exist. Even if
you have those things in place, your privacy is only as strong as the privacy
of the people you are communicating with.

We should work towards strong privacy as a default, but the service delivering
targeted ads is not incentivized to protect your privacy.

~~~
click170
What about privacy when applying for a job?

When I apply for a job, I'm not putting my content online. But that's all the
Sony employees have done, and now they're directly in the crossfire.

~~~
freehunter
And a lot of this wasn't even "online", where online is defined as
"internet-facing". Once someone is in your network, it doesn't matter what is
internet-facing anymore.

