
Sony Got Hacked Hard: What We Know and Don't Know So Far - SoftwareMaven
http://www.wired.com/2014/12/sony-hack-what-we-know/
======
doctorpangloss
Many people suggest that startups not over-optimize on issues like security
and performance when it's not their core business.

The same could be said of Sony: empathize a little with them. Sony Pictures
pays a lot of creative people. Maybe they should have seen the hack coming,
but like the PSN outage this story will be maybe a paragraph in a Wikipedia
article years from now. Even one great film could be watched by people a
century from now, and I respect that their priorities are around figuring out
economically viable filmmaking, not I.T.

The film industry regards Sony Pictures as the major studio that still takes
risks on edgy comedies and dramas. They are known to respect directors more
than the other majors.

Gawker will surface their ridiculous PowerPoints which truthfully exist
everywhere. Or journalists will scandalize the executive pay and severances,
nevermind that Nick Denton's and Anna Wintour's paychecks and perks are
probably far more offensive.

But I don't mean to engage in whataboutism. In fact I mean the opposite: Just
because some tech companies care a lot about security doesn't mean everyone
should.

~~~
akshatpradhan
Sony Pictures has an operating income (revenue minus expenses) of $501 million
per year. They can afford to pay creatives, but they can't afford to pay for a
few more security engineers?

Look, I get the creative field costs a lot of money. But Sony Pictures was
paying $454,224,070
[http://fusion.net/story/30850/](http://fusion.net/story/30850/) in total
salaries as of May.

Even hiring 5 more security engineers would have gone a long way. That's $1
million if we assume a $200k salary for good security engineers. A drop in the
bucket for Sony Pictures.

I personally could do a lot with 5 security engineers.

~~~
basch
You are talking about human problems. People clicking links. People typing
their passwords into foreign web forms.

Software engineers won't magically fix executives handing over credentials to
hackers.

If you were designing a network and interface to access your files, maybe you
could design it without resorting to passwords, but that wasn't practical in
Sony's case.

Maybe they could have designed their network to notice the data leaving, but
again, the hackers could always find a way to win. (Physical infiltration of
the company and a Verizon hotspot?)

~~~
SixSigma
> software engineers wont magically fix executives handing over credentials to
> hackers

and all those important files were just lying around

You can't _project_ a film without a _dedicated digital link_ to Sony's
servers in London authorising it. For some movies they send personnel to
_your_ cinema to record the audience with IR cameras. For some movies you are
_not allowed_ to let the staff watch the film for free.

~~~
dredmorbius
How much of that is really security vs. exercising power and control over a
market?

~~~
SixSigma
If they can find the money and staff to implement securing third party cinemas
to prevent copyright infringement by members of the public, perhaps they
should spend a few dollars to secure their own premises.

~~~
dredmorbius
People in cinemas with cameras are physically detectable.

Network attacks on infrastructure and/or exfiltration by rogue (or rouge)
elements within your own workforce are vastly more difficult to detect. Not
impossible, but they involve both violations of trust and allegiance, and
plausible cover under other activities.

Though, once you're aware of / suspect such exfiltration, there are generally
a limited number of places to look for suspects / points of access.

~~~
SixSigma
I should have made more of the fact that to screen the movie on your own
projector you have to have a dedicated ISDN line to Sony in London which
authenticates your machine with an online DRM system.

You also have to give them a share of your ticket sales, provide sales figures
and you cannot offer discounted tickets for concessions or special offers.

~~~
dredmorbius
I understand.

Much of that is effectively exercising control over the market venue though.
The studio gets to specify which facilities do or don't meet the standards
required to show their content. To that extent, the technical restrictions are
less about keeping the content from being pirated (there are plenty of other
leak channels, typically pre-release review copies, which have their own copy
controls, yes), and far more about keeping cinemas beholden to the studio
vassal lords.

------
mintplant
An article on _The Hollywood Reporter_ has some more information on this,
including perspectives from sources elsewhere within the industry:
[http://www.hollywoodreporter.com/news/sony-hack-studio-secur...](http://www.hollywoodreporter.com/news/sony-hack-studio-security-points-753509)

_"It's changing our business," says one producer of its impact on Hollywood.
"From now on, money and time will be allocated by studios to deal with this
full-time."_

...as it should have been already, given how big and how valuable a target
these companies are.

~~~
msantos
> _"It's changing our business," says one producer of its impact on
> Hollywood. "From now on, money and time will be allocated by studios to deal
> with this full-time."_

Shame that most of Sony's Finance and HR are blaming the IT department - so
bloody typical!

_"Everyone’s looking to the IT department to say, ‘How did you let this
happen?'" said one employee in Sony Pictures’ finance department._
[http://fusion.net/story/31116/inside-sony-pictures-employees...](http://fusion.net/story/31116/inside-sony-pictures-employees-are-panicking-about-their-hacked-personal-data/)

~~~
gadders
I work in an IT department. Pretty sure IT Security would be the
responsibility of somebody here.

~~~
sarciszewski
I worked in an IT department for a communications company that worked with
AT&T where, at least once a month, I would find a different way to suggest to
a different team lead to check out EMET in case we ever got targeted.

It got ignored.

If they ever get hacked, I won't be surprised.

------
secfirstmd
Even though I am a massive supporter and advocate of whistle-blowing and
leaking (in the public interest), the state of a lot of the journalism around
this is appalling - esp the Gawker article. (Though the Wired one is pretty
responsible in fairness.)

Unless Sony has shown to be doing something malicious (which I don't think it
has - other than some horrific Adam Sandler movies recently), then the angle
of mining the data just to create click-bait headlines is particularly
infuriating.

Yes, it is right to report such a large cyber intrusion in the public
interest, especially if people's data has been taken (and Sony already had
this problem occur before - so it is worth pointing out that they had a chance
to tighten up security) but trawling through the internal data of an innocent
private company and exposing it online, just to gossip, is particularly poor
journalism. Having worked with a lot of media, you can be sure they rightly
wouldn't be too happy if people did that to them - just for kicks.

~~~
serve_yay
During/after the recent leak of celebrities' private photos, the condemnation
was swift and serious. People can see how that directly applies to their own
life, they wouldn't want their photos out there like that.

But when it's a company -- it's apparently OK to just look through all their
shit. It's already publicly available anyway, so what's the big deal?

------
DAddYE
Opening an article these days with:

> Who knew that Sony’s top brass, a line-up of mostly white male executives,
> earn $1 million and more a year?

is just taking advantage of a difficult moment and increasing the `hate`.

I don't get why this could happen in a magazine like Wired...

Reading the comments on the article, it seems that statement is pretty unfair.

I didn't check myself because I think reading that information is as bad as the
hack itself; however, the author who did that can also feel free to judge
others.

~~~
rsingel
Oh, no! Pointing out that a corporate power structure is overwhelmingly white
and male is so unfair to those that are white and male.

I used to be this author's editor and that lede is very Wired.

Sad to see this "tone policing" comment is the top-voted comment on this
thread.

~~~
lkbm
I definitely think that it's useful to point out the over-representation of
white and male voices in powerful positions (which seems particularly relevant
in big media corporations, since it's such a cultural driver), but in this
case it's kind of stuck in there without any follow-up or relevant thesis.

But, yeah, it's definitely silly that the top comment is just complaining
about that sentence.

~~~
patronagezero
Yes, because privileged white guys, right? Would you feel the same if it was a
minority instead? Would it even be noteworthy? Could we even have this
conversation if it was a cabal of religiously exclusive peoples? That's right,
only white guys are privileged, not minorities who have actual legislative
privileges. One is evil, the other is supposed to be socially rewarding, but
guess what, many see it for what it is; inconsistent dogma for the over-socialized.

------
Danieru
"Or that the company spent half a million this year in severance costs to
terminate employees?"

That's not much. Is Wired trying to make me think that is a lot? Or are they
trying to play it against the salary figures? Considering they spent valuable
words in the first sentence to make it clear that the top brass is "mostly"
white males I get the impression the comparison was supposed to mean
something.

~~~
foldor
Actually the "mostly white males" comment struck me as an interesting side
note. Sony is a Japanese company, so for it to be run by "mostly white males"
is something that seems noteworthy in itself. Though I doubt that's what they
were going for when they wrote that.

~~~
RaptorJ
Not Sony but Sony Pictures Entertainment, which is an American subsidiary.

------
ck2
Not knowing anything about it did not stop every damn "news" channel from
saying "oh North Korea did it" then added at the end "but there is no proof".

How can "news" call themselves news if all they do is speculate. Granted it
wouldn't be entertaining if all they said was "Sony got hacked and we don't
have any details" but that is why news is called news.

~~~
logn
WSJ has some reasons to suspect North Korea:

[http://online.wsj.com/articles/more-signs-north-korea-may-be...](http://online.wsj.com/articles/more-signs-north-korea-may-be-behind-hacking-of-sony-pictures-1417467267)

But I think most of the media pretty much just reads the news, press releases,
and their social media feeds to write their articles.

------
nostromo
The North Korean theory seems silly. In fact, it's exactly what I might say
publicly if I were Sony and I wanted to try and turn lemons (being hacked)
into lemonade (free buzz about an upcoming movie). _The movie Kim Jong-un
doesn't want you to see!_

In the end, I doubt there was any hacking involved at all: a disgruntled
employee leaked documents. Perhaps Sony forgot to disable someone's password
after giving them the axe.

~~~
higherpurpose
If they did it on purpose it's even sillier. They may think that it would be
cool to say they "got hacked by a state" especially if it's related to an
upcoming movie about it, but to me it seems like amateur hour at Sony if they
got hacked by _North Korea_ , a country not exactly known for its advanced
technology and high computer usage.

~~~
dagw
North Korea as a country might be behind the technological curve, but several
reports indicate the North Korean Army cyber warfare division is pretty
well funded and advanced. There is a huge divide between the day-to-day
realities of the average NK citizen and the realities of the upper echelons.

~~~
deciplex
Who makes up the cyber-warfare division? If I traveled in time back to 1850
with a billion dollars worth of gold bullion, I couldn't hire a single black
hat with it. So a few kids of the party elite get to go to nice schools abroad
- where are the rest coming from?

Or does the DPRK have a shit-hot education system in spite of literally every
other thing about the country being godawful and totally backwards? If so, it's
the first I've heard of that.

~~~
leoc
Apparently North Korea has fairly substantial IT (and animation) outsourcing
businesses: this paywalled ACM article
[http://cacm.acm.org/magazines/2012/8/153816-inside-the-hermi...](http://cacm.acm.org/magazines/2012/8/153816-inside-the-hermit-kingdom/fulltext)
claims 10,000 workers in IT outsourcing. The great majority
of the population may be living as peasants, but that's not the case
universally.

~~~
dagw
Just found a link to the other article I read on the subject.
[http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-so...](http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/388/2/HPSR%20SecurityBriefing_Episode16_NorthKorea.pdf)

It focuses more on cyber warfare, but does cover quite a bit about CS
education in North Korea.

~~~
leoc
Very interesting, thanks.

------
johngd
Anecdotally, I knew some guys who worked at (or with?) the global security
division at Sony US HQ.

The story went that each of the Sony subsidiaries[1] had their own security
division that was largely autonomous for reasons of politics and budget, of
course. Each part of the company had different vendors, different policies and
procedures, and different philosophies on how security should be implemented.

When they would all send their representatives to have a global security pow
wow, however often it happened, it ended up like an episode of Game of
Thrones.

[1]
[http://en.wikipedia.org/wiki/Sony_Corporation_shareholders_a...](http://en.wikipedia.org/wiki/Sony_Corporation_shareholders_and_subsidiaries)

~~~
drivingmenuts
> The story went that each of the Sony subsidiaries[1] had their own security
> division that was largely autonomous for reasons of politics and budget, of
> course. Each part of the company had different vendors, different policies
> and procedures, and different philosophies on how security should be
> implemented.

And they could centralize all of that and ... it still wouldn't solve the
problem. You'd have a single point of failure that might still leave them with
their pants down at the end of the day.

Some days, you just can't win. You can have the smartest people (they probably
didn't), the best hardware and software (ditto) and you're still gonna get
punched in the junk.

~~~
johngd
Absolutely. I think it is a very difficult problem to solve as companies grow
larger and larger and rise to behemoth proportions all while trying to tackle
something that is relatively new (the security concerns of today, as opposed
to say the '80s, '90s, 2000s when Sony didn't have to be as competitive in the
products that they offered) and typically expensive (for a company Sony's
size) where funding for these things seem to be viewed in terms of $ now,
instead of potential $ later.

------
dbcooper
Re/code is claiming that Sony will officially name North Korea as the source
of the attack:

[http://recode.net/2014/12/03/sony-to-officially-name-north-k...](http://recode.net/2014/12/03/sony-to-officially-name-north-korea-as-source-of-hack-attack/)

Sony Pictures will officially name North Korea as the source of a hacking
attack that has exposed sensitive files and brought down its corporate network
last week, two sources close to the investigation tell Re/code. An
announcement could come as soon as today.

Details of what Sony and the security firm Mandiant will announce are still
being finalized. But the sources confirm that North Korea will be named as the
source of the attack.

A Sony spokeswoman declined to comment on the timing or the news, but said
“The investigation continues into this very sophisticated cyber attack.”

~~~
rconti
"Harming the regional peace and security and violating human rights for
money". Interesting. The focus on this film and these supposed ideals make it
sound _very_ regional. I'm not saying it's North Korea, but it's someone in
the region. Assuming the "purported hacker" actually had something to do with
it.

------
Animats
Are their backups OK? That's the only real issue.

None of the "leaked" data is that interesting. Some executive pay info is in
SEC filings. Talent pay is usually known in Hollywood. Leaking the script of
_Annie_? That's a remake; we know how it comes out.

The real question is, what did the attackers _change_? Did they add some phony
businesses to accounts payable, or initiate financial transactions?

There's a lot to be said for making backups to write-once media.

------
Illniyar
"Pastebin—the unofficial cloud repository of hackers everywhere"

Are they referring to [http://pastebin.com/](http://pastebin.com/)? If so,
is it really "the unofficial cloud repository of hackers everywhere"? Is it
really used often by hackers?

I thought reddit and 4chan are the more popular places to dump illegally
gained information.

~~~
nostromo
Very common.

[https://www.google.com/search?q=pastebin.com%20email%20and%2...](https://www.google.com/search?q=pastebin.com%20email%20and%20password)

~~~
Illniyar
Don't they have some kind of policy to get rid of these things?

~~~
rjaco31
Why would they?

------
jfmercer
I am not a sysadmin or network security guy, so I have to ask: how could
hackers siphon as much as 100 _terabytes_ of data from Sony's network without
being noticed? Shouldn't they have indicators to see their bandwidth was
running dry? If so, did the GOP do it slowly to avoid drawing attention?

~~~
spacemanmatt
For a network the size of Sony's, it seems like that volume should be
relatively easy to smuggle out. Maybe not all at once, right?

~~~
gizzlon
If my math is right, it would take ~120 days at 10 MB / second.

------
chx
So. Sony America suffered an outage on the Playstation Network due to a hack
in 2011 causing 171 million in damages (that's the official figure, who knows
how much the lost goodwill cost them ongoing). After that if they did not make
cybersecurity priority number 1 then they deserve what they've gotten. Fool me
once, shame on you; fool me twice, shame on me.

~~~
derefr
Effectively, Sony Computer Entertainment and Sony Pictures Entertainment are
about as related as Virgin Airlines and Virgin Mobile. Think of Sony (and any
conglomerate in general) not as a parent company _per se_ , but more like a VC
firm or a majority-shareholder mutual fund; the executives of the Sony
conglomerate don't really have any more insight into the component companies
than those companies' other shareholders do. The only way business-process
insight is going to be spread between the component companies is if the
executives of one happen to read the trade press of the other.

~~~
chx
Eh, if I am a majority shareholder then I will read the riot act to the
company I hold a majority in after they lose $171M on shitty security. Also,
[http://www.sony.com/SCA/who-we-are/our-businesses.shtml](http://www.sony.com/SCA/who-we-are/our-businesses.shtml)
lists all these so there is some cohesion. AFAIK there's no such Virgin
supercompany.

~~~
derefr
Richard Branson is Virgin's sole-proprietor supercompany. :)

But yes, that's true—the investors would be mad at SCE. But would that, in
turn, make them think of pulling aside SPE to give them the same talk? SPE
isn't even doing anything involving running a public-facing web service; why
would the investors presume they'd be at risk? It'd be like YCombinator
calling in all their current batch of startups to give them a lesson on
finances because one of them screwed up their bookkeeping.

~~~
pbhjpbhj
> _It'd be like YCombinator calling in all their current batch of startups to
> give them a lesson on finances because one of them screwed up their
> bookkeeping._ //

If the "screw up" was criminally negligent and had a cost of the order of
$100s of millions I could certainly see YC doing that, couldn't you?

------
venomsnake
I love the fact that salaries have gone public. That should lead to some very
amusing inter company drama.

------
Zigurd
Security means security against the state actor threat. We got a foretaste of
it because North Korea's head of state has strange priorities, but there's no
reason a hack like this wouldn't be launched in a trade conflict, for example.

We created a security environment that prioritizes surveillance over security,
especially in creating a market for zero-day exploits. That's a market that
might exist without the US as a buyer, but the size and value of that market
is dominated by US spending.

We would not tolerate the development and auctioning of weaponized disease
microbes. But we funded a similar market that threatens our technology
infrastructure.

------
yabatopia
It's Sony Pictures Entertainment that got hacked, not Sony. They're completely
separate companies, yet the media fails to recognize that. Very annoying and
confusing; it's almost deliberate.

~~~
itafroma
> It's Sony Pictures Entertainment that got hacked, not Sony. They're
> completely separate companies, yet the media fails to recognize that.

Sony is a very large conglomerate: while it would be incorrect to say that,
say, Sony Computer Entertainment (the subsidiary that runs Sony's video games
operations) got hacked, Sony Pictures Entertainment is a wholly-owned
subsidiary of Sony Entertainment, Inc., which is itself a wholly-owned
subsidiary of Sony Corporation.[1] It's as much "Sony" as any of its other
subsidiaries.

[1]:
[http://www.sonypictures.com/corp/aboutsonypictures.html](http://www.sonypictures.com/corp/aboutsonypictures.html)

------
debuggerpk
[http://www.theverge.com/2014/12/4/7333263/the-malware-that-t...](http://www.theverge.com/2014/12/4/7333263/the-malware-that-took-down-sony-was-written-in-korean)

In the article it says "and the computer that did the compiling was set up to
display its text in Korean characters."

I have a problem digesting this, because as per my experience, the compiler
doesn't leave a trace of the native host's display language, or does it?

What do you people have to say about it?

~~~
kevin_thibedeau
There was a resource file included with Korean language strings. That either
got there because the developers were Korean or as a false flag since malware
doesn't otherwise need multilingual support.

------
mlrtime
There are some comments over at reddit suggesting this is a huge deal
internally. There are teams that are just not showing up for work because all
the systems are down.

------
post_break
My friend got doxxed from this. SSN, passport, hiring agreements, everything.
This hack basically dumped every single document Sony had out on the web.

------
eyeareque
With security you either pay for it now, or you pay for it later. These
companies who make lots of bad mistakes seem to have opted for the latter.

~~~
dasil003
Or you never pay for it and no one ever hears about it and everyone is
sleeping like babies. Or you pay for it now _and_ later, because you know,
security is hard and crackers have the upper hand. The possibilities are
endless and nuanced!

------
higherpurpose
You'd think they would've learned a thing or two after they were made the
hackers' pinata the last time around. Sony continues to come up as the
poster-boy company for weak security.

~~~
Narishma
That was a different Sony company that was hacked. I don't think they share
much in common except the Sony name.

~~~
LLWM
It was twelve different Sony companies. It was clear that no part of Sony had
any interest in information security.

~~~
tptacek
The only difference between Sony and any of a dozen different financial
services companies is that Sony has better name recognition and so is a bigger
target.

~~~
LLWM
Are you implying that's not an enormous difference?

------
bigtunacan
I'm surprised that after the scandal of the 2011 Playstation Network hack that
security isn't a big priority.

------
talmand
"a line-up of mostly white male executives"

What's the point in such a statement?

~~~
forgottenpass
_What's the point in such a statement?_

In-group signalling.

------
lurkylurk
with a hack as big as this why hasn't it affected their stock price?

------
martin1975
Smells like an inside job.

------
cheeze
[http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...](http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)

~~~
dagw
Different Sony.

~~~
CamperBob2
Same name, same (lack of) good will.

------
simi_
The compensation levels shouldn't be confidential in the first place. This
policy is only useful to the wrong people.

This is how we get artificially low market rates for developers and ridiculous
amounts of money paid to incompetent execs.

edit: the downvotes are an indication that you deserve your bullshit
laws/status quo

~~~
maaaats
The down votes may not be because people disagree with open salaries, but
because this has no value in the discussion.

------
elnate
Is this a hack of a division of Sony? Because the executive names I found
don't sound white.
[http://www.sony.net/SonyInfo/CorporateInfo/executive/](http://www.sony.net/SonyInfo/CorporateInfo/executive/)

~~~
lkbm
It's Sony Pictures Entertainment, an American subsidiary:
[http://www.sonypictures.com/corp/management.html](http://www.sonypictures.com/corp/management.html)

