Analysis of some of the IP addresses in the Sony hack (krypt3ia.wordpress.com)
81 points by gokhan on Dec 22, 2014 | hide | past | favorite | 66 comments



I agree with all the points regarding the evidence-less-ness of the IPs used, and I'd even take it further than that. From the article:

> Like I said on Twitter last night, I can see my way to saying that DPRK was behind this. I can use Occam's Razor to apply the logic of who had motive, look at their actions on the face of it, and say “most likely” it is them.

I don't know if my brain is stuck on some self-reinforcing loop with this, and feel free to call me Mr. Pedantic here, but I don't think Occam's Razor can take you that far. The simplest-explanation buck stops at "someone who really wanted to hurt Sony"[1].

Given that tons of groups would have axes to grind with Sony (anti-piracy, losing customer data regularly, general "Goliath" image & behaviour), you'd need to have a reason why the simplest choice is NK in particular. I may have missed something, but I just don't see it.

* Would you have needed super-l33t 0-day APT ninja bullfrogs (that only a state actor could have afforded?) No, the reports make it seem that Sony's networks were (still!) much akin to a merry-go-round[2]. So, from a "capabilities" perspective, I don't see a state actor as a more obvious choice than a disgruntled ex-sysadmin + his friends.

* Would NK have any motive to deny involvement? By my read of their past PR patterns, they'd own it loud and clear ("we own you with nuclear, we own you with cyber! fear us, fear us").

[1] Could still be someone counting on one of the side-effects of this FUD shitstorm. That's what our favourite razor "rejects".

[2] "But it is moving! Nobody will be able to get on or off while it is moving. It have perfect securities."


The utility of Ockham's Razor in an argument is simple: if the best argument you've got to distinguish two or more propositions based on the evidence is Ockham's Razor, you don't have an argument and you aren't using the evidence.

This is because Ockham's Razor says nothing but: "The proposition with the highest prior plausibility has the highest posterior plausibility after updating based on evidence that increases the plausibility of all propositions about equally."

"When you hear hoofbeats think horse not zebra" simply reflects the fact that horses are--all else being equal--more likely than zebras, and hoofbeats are just as good evidence for zebras as horses. They do nothing to differentiate between the possible explanations of the hoofbeats, so you go with the prior.

The "simplest" explanation in Ockhamian terms--if it means anything at all--is just the proposition with the highest Bayesian prior. This doesn't mean it's wrong to use Ockham's Razor, but it also isn't right, and if it's the best argument you've got then you need a better argument.

Your reduction of the Ockhamian "simplest explanation" to "someone really wanted to hurt Sony" is a lovely example of this principle, and makes explicit that the evidence fails to differentiate between the minions of the twit in charge of North Korea and the minions of various other malicious organizations around the world. I was disappointed with the Ockhamian post-script to the article, as the actual analysis is making precisely this point.


I can see that there would be other groups that don't like Sony, and would be interested in hacking them, but why would any of them (other than NK) target "The Interview" in particular? Maybe that was a smoke screen, but that seems elaborate. Unless you're Kim Jong-un, the subject matter is pretty tame. (i.e., not likely to rile up other domestic groups of crazy.)

I agree the evidence is weak, though. Probably not smart of the US government to publicly point fingers at this stage.


The leaks started on November 24.

> On December 1st, NBC News aired a segment reporting that the FBI were investigating the breach and the possibility that North Korea was involved. While this may sound far-fetched at first, North Korea has a clear motive in attacking Sony.

That was the first NK link.

> (December 8) Unlike previous disclosures that were straight-forward, this group of files comes shortly after the appearance of a Pastebin link (now 404) that purports to be from the GOP, and gives a reason for the attacks on Sony Pictures, linking it to the now controversial movie, “The Interview”. There is speculation that the new announcement may not be authentic as it did not get sent out via the previous channels, and suggests an almost afterthought of blaming the movie for their actions.

That was the first time the GoP (if that was them in the first place) mentioned any of this.

Two likely possibilities (imho):

* Someone else did it purporting to be them, and the GoP didn't deny it for the extra lolz (+ it didn't hurt their cause/objectives)

* They did it themselves to reinforce the media frenzy (by that time, the NK link was almost presented as a fact in many media sources)

Think about it this way: If this is an independent group of hackers, completely unrelated with any states (through funding or otherwise), through the NK link they "leveled up": Convincing the World that this was NK, we're in cyberwar, the world is ending (etc) far outweighs "hacked Sony for the nth time".

Quotes from: https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-an...


From what I recall, the hackers first claimed to be going after The Interview well after Sony and most of the press announced it as a possible motive.


I really do hope that the FBI's "secret" evidence was quite a bit more substantial than this. I'd like to know what it was—it's really irrational to accuse someone, especially the North Korean government, and with no one to verify their claim, the FBI does not seem smart. Of course they may have no secret evidence at all and are making this up which is much, much, worse.


As someone who's attended classified FBI infosec briefings in the past (nothing related to this hack), my opinion is that they probably have very substantial evidence.


Well that's good enough for me! Competent government agencies never mislead the public.


Apparently they have weapons of mass destruction too.

/s





Implying no agreement or dissent, can you give another source besides RT? This station is dubious at best...


It's pretty well known that NK is testing nuclear weapons:

http://en.wikipedia.org/wiki/2013_North_Korean_nuclear_test

(Unless I misunderstood your question)


So, so far we've seen 0 actual proof that NK is behind the Sony hack, big allegations from the US government, NK which wants to be included in the investigation and the US which doesn't want NK included in the investigation.

I'm having this strange feeling of déjà vu....


NK isn't the most reliable entity, but it's at least strange that NK would go "come here and see if we did it", and US is like "Uh no, we already know you did it!" when its evidence doesn't look so solid.


Exactly, and that is the reason why I don't trust the US. Why not be 100% transparent in the investigation? What is there to lose?


I of course have no idea what the real answer is, but if you play out the hypothetical this is hardly a paradox.

NK hacks Sony. US uses technique x to attribute the attack to NK. In the course of a shared investigation NK learns what technique x is. NK changes their future operations to counter technique x. The US loses the ability to use technique x to attribute attacks.


[deleted]


It's not that they're not allowed to use the technique. We just wouldn't want to help them do it.


Allowed? By whom?


You have no idea how they obtained whatever evidence they have. The source(s) may very well be classified, in which case they _cannot_ share any of it. NK spies, wiretaps, etc. None of this could be disclosed.

I wish I knew too, and I'm not trying to convince you to blindly trust them (because I don't either), but you have to at least acknowledge the fact that they may very well have "something to lose".

My wife was in the Navy for six years and had a relatively high security clearance for an enlisted member. More than once she knew far more about a situation than was being reported on the news.


With the present level of trust in the U.S. government, especially with respect to "cyber" behaviors, it seems ill-advised to publicly announce an intention to retaliate based on "trust us, we have proof it's them but we won't tell you what it is". It's right up there with "we have proof Iraq's got WMDs but we won't tell you what it is". Whether it's true or not, the point is they don't have the brownie points right now to be able to say that and be believed.


Agreed, but I'm not sure they have much of a choice.

Let's assume that the Fed is telling the truth and that they do in fact have hard evidence. As they have not presented this evidence, we have to conclude that it is classified. So, they cannot present the raw intel, but they also cannot step back and do nothing as this is a hot, national issue which is now about more than a security breach at a movie company.

So, they come forward with the accusation and assure the public that a "proportional and appropriate" response will be dealt.

Of course, this scenario paints the best possible picture of the Fed. It may or may not be the case. However, short of evidence which in no way compromises a classified source, it would be their only option.

I just don't see the motive behind framing NK for this. Given, I/we don't typically have a clue about what actually goes on at this level of international relations, but there is no obvious motive at present time.


I don't disagree with anything you've said, and I don't think I really have any significant difference of opinion on the matter as a whole either. I'm just pointing out what seems to be an unfortunate hole they've dug for themselves by undermining their own trustworthiness - or perhaps a hole some agencies have dug and others are now falling into.

And to be clear, I don't think they've sunk so low that "the FBI is framing NK" is anything but a garden variety conspiracy theory at this point, but "the FBI is rushing a very complex analysis under heavy political pressure" is plausible to me, as is "the FBI has strong evidence that they are not willing to show us".

Ultimately, assuming they do have classified evidence, there's also a cost-benefit consideration to be made - it doesn't have to be a given that they can't release it. I don't think this describes the present situation, but depending on the scale of the response a situation calls for, compromising one or two classified methods or sources in order to get public support for the appropriate action may be the lesser of two evils.


But you don't have to see proof, and it is no one's burden to convince you. The US is not trying to prosecute North Korea in court. This isn't an amendments issue. And despite the ridiculous recurring claims, the US is not using this as a context of war.

"NK which wants to be included in the investigation"

It is incredible that people are actually falling for this. North Korea said "let us in on the investigation or we will attack you". Who is going to say yes to this, even if one were so naive as to think the request were truthful (which it most certainly is not). It amazingly achieved its goal, however.


If this 'event' is used as a pretext for a field test/shakedown of the growing cyber arsenals[sic], I bet we are going to wish we asked for more proof.

It's going to suck if the internet becomes a state sponsored battleground. gods know we fight enough on the grounds of personal preference and loose affiliation.


Why do you decide if I need to see proof? The US is not yet trying to prosecute NK. Of course the US won't prosecute NK for hacking some servers, but it is actively swaying the general opinion on NK. (Not that it was that good anyway)

If anything this is a reason for the US to increase spending by the NSA and make a nation wide firewall. takes off tinfoil hat


The US shouldn't attempt to convince their citizens of anything before attacking another country?

I mean, Obama has straight up said that he plans to attack NK. At least to me that seems a very reasonable interpretation of the fuzzy political language of: "we'll have a response at a time, place and method of our choosing".

I don't dispute that NK comes off loopy. Or that a joint investigation seems unlikely. It doesn't automatically follow that the FBI report is faultless though.


> I mean, Obama has straight up said that he plans to attack NK.

He said absolutely no such thing, and it is rather incredible if people think this. The US has warned that they will respond, which will end up being a complaint in the UN.

Just to be clear, North Korea regularly warns the US of nuclear annihilation, imminent attacks, and so on...and people think the thing that will put the US over the top is a minor Sony hack?


North Korea has a history of only threatening violence, but the United States has the history of following through. The last time the US said it would respond "at a time and place of its choosing", I believe it decided to invade Iraq and Afghanistan, did it not?


What honest person interprets "response" as anything but "attack"? Seriously?

I didn't mean to imply that there'd be a body count attached to the "response" BTW. That's (hopefully) far-fetched. But an attack in the same way that hacking some computers and releasing some embarrassing information is an "attack"? Absolutely.

Isn't that the entire point of the quote? (And yes, I reproduced Obama's words pretty faithfully I believe. They were playing on repeat on the radio.)

I mean, if you don't think "response" means "attack" in a gimmicky "cyber-warfare" way, what does it mean? A strongly worded letter?

If I run over my neighbor's cat, and he says to me: "I'll respond all right. At a time, place and method of my choosing." Any rational person would have to interpret that as an explicit threat of an impending attack.

Just because politically it may be weaseled out of does not mean it's in any way ambiguous in delivery or intended reception to Joe the Plumber.


The analysis is interesting, but I don't understand how it undermines the FBI's claims. He looks at each IP and exclaims, "This could have been used by anyone!" But we already knew that, didn't we? The claim is not that these IPs are used exclusively by North Korea. The claim is that there is a suspicious overlap between the IPs used in this attack, and others used by North Korea in the past. If these were the only bad actor/compromised IPs out there, then maybe this would not be so surprising. But there are many many of them, so it would be coincidental, to say the least, if this attack and prior North Korean attacks just happened to use the same IPs, if North Korea is not involved (or, another possible explanation, if the same tool is not involved as in prior attacks by North Korea).


It is even more than that, the FBI PR quote that this is based on is the following:

"For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack."

Firstly, this isn't a statement of evidence, it is a generalized example of the type of evidence the FBI apparently has. Given the lack of any further clarifications on this statement, I don't see how you can make any presumptions as to what the actual evidence is. There just is not enough data here.

Secondly, the statement is carefully worded to say that the C&C IPs have communicated with known NK infrastructure. This is massively different than saying that the C&C IPs are associated with NK infrastructure. What the FBI is saying is that they have been able to apparently collect evidence that shows NK was communicating with the C&C IPs, presumably while the attacks were going on. With what we know about the state of internet surveillance, is it really that unrealistic to think that US SIGINT is collecting every single packet that transits known NK networks? Seems right in their wheelhouse.

Point is, the FBI ain't telling us squat about what evidence they may or may not really have. Maybe this is because they are making the whole thing up, or maybe it is because they just don't want to tell us how much evidence they've got, and how they got it.


The nature of the Internet is that many resources will be used globally. It should not be surprising that a few well-known open proxies would be used by bad actors of any nationality - the fact that (Nation State X) was accused of using (globally accessible resource Y) in the past does not in any way mean that resource Y is used ONLY by State X, so the use of resource Y is quite, quite unsuitable as a means of identifying anyone.


I think what we would need to know, in order to determine the strength of this evidence, is how many total IPs North Korea is known to have used in previous attacks, and how many total were used in this one. I.e., how closely correlated is prior NK use with an IP's use in this case.

If only a handful were used on both occasions, and the overlap is significant, then we have some fairly interesting evidence. But if, on one or more occasions, NK used hundreds of IPs, and there are a handful in common between those two sets, then there's really nothing to see. I've had the impression it was the former, but perhaps I'm mistaken. Does anyone have an answer?


Have all of those IP addresses published as related to the hack been marked as dirty by Spamhaus et al. before or after the hack? The dates shown in the post are 20 Dec etc., after the hack was published.


This is a very good point. It looks like all of these were only listed after they became public as part of the attack. So it's not like they were known bad IPs before.

As an example, here is the Spamhaus entry for one of the IPs. Notice the references to articles about the Sony hack: http://www.spamhaus.org/sbl/query/SBL242808
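A constructed calculation, added here and not part of the thread or the linked article, that puts numbers on the two questions raised above: how surprising an overlap of a few IPs is given the sizes of the prior and current sets and an assumed pool of abusable proxies, and how many of the shared IPs were blocklisted before the incident went public rather than after it. The addresses (RFC 5737 documentation ranges), the listing dates and the pool size of 10,000 are all assumptions; only the 24 November disclosure date comes from the thread.

```python
from dataclasses import dataclass
from datetime import date
from fractions import Fraction
from math import comb


@dataclass(frozen=True)
class Listing:
    """One blocklist record (constructed; not a real Spamhaus entry)."""
    ip: str
    listed_on: date
    note: str


def overlap_tail_probability(pool_size: int, prior_ips: int, current_ips: int, shared: int) -> float:
    """P(at least `shared` IPs in common) if the current campaign's `current_ips` were
    picked at random from a pool of `pool_size` abusable addresses, of which `prior_ips`
    were used in the earlier campaign.  Exact hypergeometric upper tail, computed with
    integer arithmetic so large set sizes do not overflow a float."""
    upper = min(prior_ips, current_ips)
    if shared > upper:
        return 0.0
    if shared <= 0:
        return 1.0
    favourable = sum(
        comb(prior_ips, i) * comb(pool_size - prior_ips, current_ips - i)
        for i in range(shared, upper + 1)
    )
    return float(Fraction(favourable, comb(pool_size, current_ips)))


def expected_overlap(pool_size: int, prior_ips: int, current_ips: int) -> float:
    """Mean number of shared IPs under the same chance model."""
    return prior_ips * current_ips / pool_size


def known_bad_before(listings, incident_public: date) -> set:
    """IPs whose listing predates public disclosure of the incident.  A listing dated
    after disclosure may simply be the incident's own indicators being republished,
    so it adds nothing to the 'previously known bad' claim."""
    return {entry.ip for entry in listings if entry.listed_on < incident_public}


def assess_overlap(current, prior, listings, incident_public: date, pool_size: int) -> dict:
    """Combine both checks for two concrete IP sets."""
    shared = set(current) & set(prior)
    return {
        "shared": sorted(shared),
        "shared_listed_before_incident": sorted(shared & known_bad_before(listings, incident_public)),
        "expected_by_chance": expected_overlap(pool_size, len(prior), len(current)),
        "p_at_least_this_many": overlap_tail_probability(pool_size, len(prior), len(current), len(shared)),
    }


# Constructed sample data; none of these addresses are real indicators.
INCIDENT_PUBLIC = date(2014, 11, 24)  # day the leaks began, per the thread
CURRENT_CAMPAIGN = {"192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7", "203.0.113.8"}
PRIOR_CAMPAIGN = {"192.0.2.10", "192.0.2.11", "198.51.100.5", "198.51.100.99", "203.0.113.200"}
LISTINGS = [
    Listing("192.0.2.10", date(2014, 6, 1), "open proxy, abused for spam"),
    Listing("192.0.2.11", date(2014, 12, 20), "cited in reports of the Sony incident"),
    Listing("198.51.100.5", date(2014, 12, 20), "cited in reports of the Sony incident"),
]
POOL_SIZE = 10_000  # assumed number of widely abused open proxies in circulation

if __name__ == "__main__":
    for key, value in assess_overlap(CURRENT_CAMPAIGN, PRIOR_CAMPAIGN, LISTINGS,
                                     INCIDENT_PUBLIC, POOL_SIZE).items():
        print(f"{key}: {value}")
    # The same three shared IPs between two campaigns of 300 IPs each are unremarkable:
    print("p for 3 shared out of 300 vs 300:", overlap_tail_probability(POOL_SIZE, 300, 300, 3))
```

Three shared IPs out of five-and-five is a one-in-a-billion coincidence under this model, while three shared out of 300-and-300 is expected roughly nine times over; the model says nothing about a shared toolkit reusing the same proxy list, which is the alternative explanation raised earlier in the thread.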


Everyone seems too focused on source IP address which any solid IT person can tell you can be hijacked. Even the phone home IPs can be obfuscated but it seems awfully suspicious they all belong to net blocks going to NK if I'm understanding things.


But according to this, all the phone home addresses are generic open proxies that have been well publicised across the Internet and already abused for quite some time. None of the proxies listed appear to be in NK, and (to date) no evidence that NK IP addresses were on the other end of those proxies at the time.

It's a bit like saying "the attackers used malware which made DNS queries via the IP address 8.8.8.8, which has been used by NK in the past" - if anyone were really building a case on that key evidence, they should prepare to be laughed at.


Thanks @jamesbrownuhh where did you get that detail about the phone home proxies?


I am fairly certain this will raise the ire of many people, but as I am stuck watching TV news [1/10 do not recommend] I feel it must be discussed. The discussion in the mainstream appears to have moved past the 'if/maybe' stage and plowed directly into the 'wail/punish' stage. I am growing slowly yet certainly more livid as I watch a lawyer for Sony laud the FBI's technical acuity as he states declaratively that this is a de facto assault on the US Gov't., the Economy, and the American way of life. I thought Sony was a Nipponese Corporation. I thought private property was the responsibility of the party that owns it. I am not trying to sound like a Truther loud mouth, but this whole thing just screams False Flag. The way the US Govt is acting, you would think the power grid had been seriously compromised. Who, specifically, has been harmed by this intrusion, and to what extent were they harmed?


> but this whole thing just screams False Flag

When you're a hammer, everything looks like a nail.

Sony is trying to blame others for their security incompetence. The US is posturing with "We don't tolerate this."

Nobody really cares and nobody is going to war because Sony had their emails and some media stolen.


What's the betting that the FBI's "similarities in specific lines of code" is similarly weak and so generic as to be rather less than the smoking gun that they seem to think it is?


If it really was North Korea, wouldn't they need a shedload of help from China?

I mean it is inexpensive to develop an exploit hacking team, but they would need training and the only two obvious sources would be China and South Korea, and I cannot imagine South Korea doing it willingly.

This all reminds me of how in 1993 that TV show SeaQuest was predicting countries assassinating other "elite hacking teams" - seemed crazy then.


> See now all of these IP’s could be used by just about anyone

Doesn't that indicate that they're perfect for (ab)use by anyone, since they're not linked directly to a single entity?

I don't see why it's outside the realms of possibility that e.g. North Korea always uses the same pool of "dirty" servers to launch their attacks.


> For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

The biggest surprise was the IP address traced to NY. Why wouldn't the FBI seize this system?


If some unwitting 3rd party was hacked and used in a crime, you can't just go over to their house or business and "seize" their property.

When the criminals on Cops run through your back yard, do the cops turn the inside of your house into a crime zone? Obviously, no. Even if the bad guy runs inside your garage, they are not confiscating your car, lawn mower, etc.

Contrary to popular belief on HN here, police / FBI don't just seize everything whenever they want. It requires warrants and probable cause. Good luck getting a judge to sign a warrant to seize a victim's computer...not going to happen.


An IP address associated with a cyber attack is more like someone stealing your car and using it to hit a bank than someone running through your backyard to escape the cops.

And if someone went through your backyard or your garage while trying to escape from the police, the cops might want to look in your backyard or garage to see if the 2 Kg of heroin he was supposed to carry or the gun he used to shoot at them while fleeing didn't end up there.


Oh, really? Tell that to Microsoft. /s


Maybe they already did and are using it as a honey pot. Maybe that's part of their secret evidence.


I seem to remember rumours of huge put options placed against airlines shortly before 9/11.

The FBI should be looking at similar events for Sony. Greed is always something that you can count on.


Here are Sony's options on Nov 3, 2014. Open Interest for Puts is in magenta. Note that the $17 Strike for January has an Open Interest of 17.6K: http://i.imgur.com/OmglyLl.png

Here are Sony's Options on Nov 25, 2014, the day after the hack. Note the same $17 put has actually lost a little Open Interest. No conspiracy here. http://i.imgur.com/dCRcvX9.png

Caveats: This was done with the US traded instrument (SNE). I don't have access to the Japanese exchange. Open Interest is reported after the day it is generated and reflects the secondary market of the previous day.


Those rumors were all BS.

http://www.snopes.com/rumors/putcall.asp

Tl;dr -- A US institutional investor bought 95% of the suspect puts at the same time they bought 115,000 shares in a very standard hedging strategy.



I have many fond memories of the BOFH.


[flagged]


"Kennedy personally rejected the Northwoods proposal"

So you've got: 1) something that was proposed but never happened 2) Al-Qaeda attacking the US 3) this ?

How you made a leap from "terrorists attacked the US" to "therefore the US is very corrupt" I have no idea; complete non-sequitur.


A non-sequitur for sure, but the volume of - often declassified - such acts from the U.S. government often makes it hard to dismiss conspiracies out of hand.

Operation Northwoods is often cited because of how impossibly evil it is - that it was dismissed by the president should be noteworthy less for its dismissal and more for the fact that it made it to the president's desk.

There are obviously others, like the Tuskegee syphilis experiment, for example, that demonstrate that large agencies sometimes work outside the boundaries of logical, empathetic human response.


I will not comment on the latter 2, but operation Northwoods is a reasonably scary precedent.

The important fact is not that Kennedy rejected the proposal but rather that it made it through the higher levels of command at all. What happens when the US has a president that is not so averse to carrying out false flag attacks on its own and other neutral actors' citizens?


9/11 was an inside job http://www.ae911truth.org/

9/11 was proposed and happened.

Edit: What about the Iraq wars? Iraq always was like "okay you can look wherever you want". Iraq had nothing to do with so-called Al-Qaeda. Neither with weapons of mass destruction.


> 9/11 was an inside job http://www.ae911truth.org/

A quick glance at that website suggests it's full of inaccuracies, so it's best to avoid it.

> 9/11 was proposed and happened.

9/11 was proposed by Al-Qaeda and done by Al-Qaeda.

You can't just cognitively bias something into existence.

From a few days ago:

http://news.yahoo.com/al-qaeda-bursting-pain-over-pakistan-s...

"The guns that we have taken up against Allah's enemy America and its pet rulers and slave army should not be aimed towards children, women and our Muslim people," he added.

I guess the recently setup south Asian chapter of Al-Qaeda is also the US government as well?

Furthermore, can you explain to me why Al-Qaeda wouldn't want to attack the US?


Many people around the world believe 9/11 was an inside job, and even that Al-Qaeda, as an organization, was essentially manufactured through the CIA through its control of the American media, as a false-flag pretense for war. Presumably, the Sony hack is the beginning of another such false-flag pretense. North Korea is part of the "Axis of Evil," which is essentially nothing more than the US' own kill list for sovereign nations it doesn't like. One must assume that some sort of war with Iran and North Korea is inevitable, so long as the US has the power to do so.

It's only a non-sequitur if you don't believe the CIA has orchestrated, either directly or indirectly, most major political events around the world in the last 20 years, and nearly every, if not every, war since Desert Storm. Otherwise, the connections are obvious, especially after Snowden.


Yet it seems that even you believe such a conspiracy theory to be ridiculous given that you are making this post from a throwaway account.


It may be ridiculous, but given what the world now knows about the way the US operates, it's also plausible.


"Plausible" means "seeming reasonable or probable." I don't think it is plausible at all. I think you meant "possible", but, of course, almost any crackpot theory is "possible".


Is it actually less plausible than the story currently being presented by the FBI and the media?

The US fabricated the case for war against Iraq. There was no yellowcake, there were no WMDs. And it's known that the NSA has programs in play to attempt to influence popular opinion through social media sites, and propaganda. There is at least circumstantial evidence that the US might hack Sony in order to win popular and political support for either a military action against a perceived enemy, or some kind of domestic "security" crackdown, or something which would otherwise be politically unpopular.

The least plausible argument here seems to be the one the US is presenting, and the most plausible is that the US is responsible.


Well, yes, I think it is orders of magnitude less plausible as it is not plausible at all. I am also unaware of any evidence, circumstantial or not, that the US has fabricated the Sony attack. An invented incentive is not motive, which is what I assume you to be referencing as circumstantial evidence.

There has been no talk of military action, nor do I see an upside for the US to undertake any. Basically, your argument is "The US doesn't like NK, so the attack is most likely a conspiracy of the US government." Using that line of reasoning I can list off at least twenty other countries who are equally as likely to have pulled off the attack.

Sure, none of us have proof that it was NK, and I have my doubts as well, but expecting the US to hand over all evidence is naive and shows a lack of understanding as to how such evidence may be obtained.

I'd also like to hear your reasoning for the statement:

"The least plausible argument here seems to be the one the US is presenting"

NK is the _least_ plausible explanation? Really? How so? And then:

"and the most plausible is that the US is responsible"

Again, how so? What is the motive here? You think that the Fed likes the idea of movies being pulled over a vague threat? Honestly, you come off as a complete tin-foil hat wearer and you have yet to provide a compelling argument for such large claims. You obviously don't like the US government, which is fine. They certainly provide enough reason to do so based upon things we _know_ to be true. However, you are making a huge logical leap here and your position is simply intellectually lazy.



