Many people suggest that startups not over-optimize on issues like security and performance when it's not their core business.
The same could be said of Sony: empathize a little with them. Sony Pictures pays a lot of creative people. Maybe they should have seen the hack coming, but like the PSN outage this story will be maybe a paragraph in a Wikipedia article years from now. Even one great film could be watched by people a century from now, and I respect that their priorities are around figuring out economically viable filmmaking, not I.T.
The film industry regards Sony Pictures as the major studio that still takes risks on edgy comedies and dramas. They are known to respect directors more than the other majors.
Gawker will surface their ridiculous PowerPoints which truthfully exist everywhere. Or journalists will scandalize the executive pay and severances, nevermind that Nick Denton's and Anna Wintour's paychecks and perks are probably far more offensive.
But I don't mean to engage in whataboutism. In fact I mean the opposite: Just because some tech companies care a lot about security doesn't mean everyone should.
Sony Pictures has an operating income (revenue minus expenses) of $501 million per year. They can afford to pay creatives, but they can't afford to pay for a few more security engineers?
Look, I get the creative field costs a lot of money. But Sony Pictures was paying $454,224,070 (http://fusion.net/story/30850/) in total salaries as of May.
Even hiring 5 more security engineers would have gone a long way. That's $1 million if we assume a $200k salary for good security engineers. A drop in the bucket for Sony Pictures.
I personally could do a lot with 5 security engineers.
Exactly. Let's not engage in this faux polemic about art-v-practicality. Sony are not mumblecore aesthetes from Bushwick. They are a megalith that should have their security locked down hard. Sorry you got owned, but seriously get with consensual reality: hackerfolk tend to hate owners of Big Content like you. Should have seen this coming ...
> They can afford to pay creatives, but they can't afford to pay for a few more security engineers?
So how do you measure their risk and the probability of being damaged? Serious security experts are STILL trying to figure out how to calculate these things. Insurance companies still have trouble "properly" pricing cyber insurance. The insurance companies are doing it, but they are way behind their ability to price for other forms of disasters.
So how much should they spend towards cyber security? How far off are they from that amount? We don't know. (Well, maybe we'll know from the leaked documents.)
You do that through a Security Risk Assessment. There are plenty of models (e.g. OCTAVE) out there to help a security engineer conduct a risk assessment on an organization's infrastructure. Moreover, a Security Risk Assessment is very strongly suggested by any security compliance program that deals with sensitive information.
This dump clearly shows personally identifiable information, something that would be easily classified as sensitive (e.g. SSNs). I'm very sure Sony Pictures classified their leaked movies as sensitive since it would cause massive financial loss (which happened) if it was stolen.
If anybody was doing a Risk Assessment, protecting this critical part of the infrastructure would have been number 1 on the list.
Hackers are even claiming that a physical door with access to the sensitive environment was left unlocked. That's security 101!
Sony has a culture problem: if it is not a Japanese initiative, it doesn't happen. Unfortunately, the Japanese web executives are at least 10 years behind Silicon Valley on knowledge and vision. For as long as there isn't a Japanese security expert, born in Japan and groomed at Sony, Sony will continue taking these types of blows.
You are talking about human problems. People clicking links. People typing their passwords into foreign web forms.
Software engineers won't magically fix executives handing over credentials to hackers.
If you were designing a network and interface to access your files, maybe you could design it without resorting to passwords, but that wasn't practical in Sony's case.
Maybe they could have designed their network to notice the data leaving, but again, the hackers could always find a way to win. (Physical infiltration of the company and a Verizon hotspot?)
> software engineers wont magically fix executives handing over credentials to hackers
and all those important files were just lying around
You can't project a film without a dedicated digital link to Sony's servers in London authorising it. For some movies they send personnel to your cinema to record the audience with IR cameras. For some movies you are not allowed to let the staff watch the film for free.
> and all those important files were just lying around
That's it. Whether a designer was compromised through a phishing attack or a physical door with access to the sensitive environment was left unlocked, there were clearly no controls in place to manage all the files just lying around like money under a mattress.
If they can find the money and staff to implement securing third party cinemas to prevent copyright infringement by members of the public, perhaps they should spend a few dollars to secure their own premises.
People in cinemas with cameras are physically detectable.
Network attacks on infrastructure and/or exfiltration by rogue (or rouge) elements within your own workforce are vastly more difficult to detect. Not impossible, but they involve both violations of trust and allegiance, and plausible cover under other activities.
Though, once you're aware of / suspect such exfiltration, there are generally a limited number of places to look for suspects / points of access.
I should have made more of the fact that to screen the movie on your own projector you have to have a dedicated ISDN line to Sony in London which authenticates your machine with an online DRM system.
You also have to give them a share of your ticket sales, provide sales figures and you cannot offer discounted tickets for concessions or special offers.
Much of that is effectively exercising control over the market venue though. The studio gets to specify which facilities do or don't meet the standards required to show their content. To that extent, the technical restrictions are less about keeping the content from being pirated (there are plenty of other leak channels, typically pre-release review copies, which have their own copy controls, yes), and far more about keeping cinemas beholden to the studio vassal lords.
Security is multiple layers. A phishing attack (as you described) should only get you 1 layer deep; it shouldn't give you access to everything. You still need to bypass the rest of the controls to get the delicious sensitive data. With a leak like this (100 TB of sensitive SSNs, salaries, and movies leaked), there clearly weren't very many controls, if any.
I think you're thinking too much about UX, Passwords, and phishing links when you're forgetting all the other layers that a usable security environment can provide without the needs of passwords (e.g. authorization control, segmented file servers for each department). A security engineer can definitely create a very safe and secure environment WITHOUT negatively impacting the usability, experience, or workflow of the creatives working on their designs and art.
Let me rephrase the question here: we could either spend $1m on some gobbledegook that those fast-talking nerds say we need, or we could get bigger bonuses. We worked hard and bonuses would be tangible; when asked how we will know if a $1m expenditure a year is working, the fast-talking nerds talk even quicker about something that amounts to 'nothing bad will happen'.
We are arguing here from a position of knowledge that the guys who make these decisions likely do not have. Should they have it? Probably not, but they definitely should listen to someone who knows and who can present a solid risk/cost/benefit analysis that they can understand.
I completely agree with you that they should know what they are doing and make robust decisions. But when you are at the top, and you tell the board what is going on, and you define what it means to be a professional, the line blurs. It is very easy to omit certain tail risks by simply not knowing and not taking the time to know about them.
The most recent Google hack [1] wasn't actually a Google hack. It was just a combined list of various email/password dumps of various hacked web services over the years that all ended in @gmail.com.
My account was included yet my password was 18 months out of date.
Google was hacked quite as hard? You mean, where all their employee SSNs were posted online, along with their technology roadmap? No, sorry, I don't remember that.
> Many people suggest that startups not over-optimize on issues like security and performance when it's not their core business.
And that's a fucking stupid thing to say in those cases, so it's a fucking stupid thing to say here.
Things like security and performance should be given. This is akin to arguing that small restaurants shouldn't care about food safety, or that small construction firms shouldn't worry about building codes. If you ignore these things, you'll fuck it up and people will get hurt.
Did Sony fail to meet a competent standard? The fact that they got hacked is not sufficient proof they failed that standard. "Competent" does not mean invulnerable.
The exfiltration of 100TB of data from systems across their entire organization suggests so.
On a 100Mbit/s pipe that would take something like 3 months of full saturation to get that amount of data out. Realistically, we're probably talking about a hack spanning nearly every one of their systems for upwards of a year.
> Things like security and performance should be given. This is akin to arguing that small restaurants shouldn't care about food safety, or that small construction firms shouldn't worry about building codes.
No, it's completely different. Food safety and building codes are akin to good software engineering; on the other hand, security against hacks is more like a restaurant protecting you from a third party poisoning your food, or a building withstanding planes crashing into it. Most buildings and most restaurants don't offer such protection.
If we're talking about security and a small restaurant, it would be more like the restaurant never bothering to lock its doors after hours, having no security cameras, and not bothering to put its money in a safe place, leaving it out in the open to be stolen.
This entire thread of conversations is a joke. Do you know more about this breach than what was written in the article? Because they clearly state they don't know exactly what happened. Which isn't to say that Sony doesn't know more, but from the details released, how can you know anything about what Sony does or doesn't do security-wise that they should have been?
Like literally the first rule of security is that as the person trying to defend, protect, secure something you are always at a disadvantage. Of course Sony has money to hire top notch security engineers to protect their interests and I'm sure they do, but like anyone else they can be beat.
This is all not even accounting for the security black hole that is user idiocy, or the fact that the article makes several references to potential inside help.
In short Sony's past exploits don't give them a ton of credit but it's also a bit ridiculous to go from they could have done better to where this whole thread went.
*Of course Sony has money to hire top notch Security Engineers to protect their interests and I'm sure they do but like anyone else they can be beat.*
Maybe they do; I don't know. That's not really relevant to the point which I'm making, which is more along the lines of:
"Disregarding security as a startup because it's not a 'core competency' is ill-advised. History suggests that you're likely to be compromised, and it causes harm not only to your business, but also to your users, and is absolutely irresponsible."
Secondly - did you see the words over-optimize? There is certainly such a thing as too much optimization in terms of security. Would you hire policemen to patrol your kid's lemonade stand startup? No.
Yeah, but this was clearly UNDER-optimized for the security of 100 TB of SSNs, salaries, and movies leaked. All of which is classified as sensitive (i.e. anything that can be considered a financial loss to the business).
2) The bandwidth required to move all of that before Sony noticed
This [likely] wasn't some script kiddie that exploited some obvious security hole. Of course their security was under optimized. Every single theft in the history of time has been a result of "under optimized" security.
Figure a hacking group is a dozen people. That's ~8.3T per person to stash. I know plenty of folks with that kind of storage lying around, it doesn't seem insane that folks deep in infosec might have even more idle capacity.
Alternatively the first newegg hit for a 6T hard drive is $300 even. That's 17 of them so $5k plus shipping. Either add in a chassis with enough slots or enough smaller machines to distribute it so say double to $10k or less than $1k per person.
Or even lazier, to store all 100T on S3 for a month and pull it back out is ~$12k, again maybe plus a bit for an EC2 instance to do the shuffling. Again, ~$1k per person.
And of course if you're a hacking group the chances that you've got root on some small business servers scattered around the world are probably a bit better than zero.
When it comes to start-ups it's not stupid - it's wise. The food safety analogy is inappropriate. Security is about risk management. Low risks do not justify high expenses.
When it comes to a company with hundreds of millions in revenues, however, they have clearly underestimated the risks and have been irresponsible.
I would say even the food safety analogy is appropriate. Sure, food safety is important; that doesn't mean you have to spend hundreds of millions of pounds in "food safety researchers" who will conduct rigorous scientific experiments to find out the best ways to limit the spread of germs and implement them, an in-house doctor with medical supplies who will treat customers that get food poisoning, etc.
It just means there's a minimum, a bar, that they shouldn't go below. Everyone has a different bar, but most people generally agree on things like don't pick up food off the floor, don't leave things open or out, put things in the right places, make sure you wash your hands, etc. (I am not a food safety expert).
Of course, for a startup, it depends on the product or service they're offering. A startup payment processor should be very security conscious, as the stakes are high. A movie logger should have the bare minimum that all startups should have, i.e. strong encryption, basic security protocols, etc.
> I would say even the food safety analogy is appropriate.
I think it's NOT appropriate. Of course, in the end, it's a matter of value: do you value your health equally with your digital privacy, your money, etc.? If 'yes' then the analogy holds; if 'no' then it doesn't. I don't, so, to me, it doesn't.
At my previous job, I made $25k less per year than the idiot who nearly exposed us to RFI risks before I looked over his code.
Developers are developers. If you're going out of your way to hire extremely untalented people, because they're cheap, you're going to get owned.
If you're hiring people who understand their own craft, you can get a junior developer for under $70k and a senior for under $100k. Unless you're in SF in which case multiply everything by 2 or 3.
A startup is like a restaurant with 2 doors into the kitchen. 1 door from the outside, 1 door for servers to enter/exit.
In a restaurant the workers can easily spot problems. And if someone walks in usually you kick them out, or lose a batch of food. The cost is much smaller than hiring 2 full-time bouncers.
If, however, you now have a giant catering hall with 50 entrances to the kitchen and hundreds of people there, security / bouncers are necessary.
The problem is how to go from one to the other, and not realize you need security when it is too late.
I empathize with them not at all. I know how much Sony pays their high level security folks, it's a laughable amount and there is no possible way they could retain anyone even remotely qualified for those roles. If you do your best and get hacked, I'll empathize. If you deprioritize security to an extreme degree and get hacked I won't feel sorry for you.
I think fraction of their executive bonuses would be quite enough to fully fund a fairly decent security effort. If security were designed into their processes, it would probably cost much less.
If the 100 TB figure is correct, this has been going on for some time - it takes time to steal that much data in a way that does not raise a bunch of red flags. If the red flags weren't there to be raised or they were and were ignored, well... at least their executives got their bonuses.
Also, in the interest of fairness, while this malware attack seemed to be directed to Windows machines, a dedicated enough intruder would have developed attack strategies for any platform.
A "fraction" of a bonus. Let's assume their bonus is a paltry 100k. A good infosec pro expects on average to be making at least 200k, so you have already blown out your budget. You can take a swing at hiring a consultant, but that gets you 5 weeks at around 70k, so you are eating a huge chunk of your fractional bonus budget.
Consultants don't really work for systemic problems like this though. Sony has cancer. They need empowered specialists to come in and tear out and then replace. These are both technical and managerial problems that exceed the capabilities of your average defcon attendee.
I disagree with both the approach you have taken here in invoking executive pay envy, as well as the substance. Security is hard. Practicing good security is expensive. You don't get to throw a couple of hundred grand around once and call it good. It is an ongoing and expensive investment.
> A "fraction" of a bonus. Let's assume their bonus is a paltry 100k. A good infosec pro expects on average to be making at least 200k, so you have already blown out your budget.
I agree with your overall point, but the first page of the leaked salary list alone has something like $35M worth of bonuses. Say the high-level execs are the only ones sacrificing their pay, and the 'fraction' of bonuses was 20%, you'd have $7M annually to spend on infosec -- in addition to all of the money they're already spending (and apparently wasting). This would pay the salaries of ~30 top-notch security people.
Ostensibly, executive bonuses in publicly traded companies are tied to actions that are a proxy for increasing shareholder value. Massive damaging hacks are not good for shareholder value.
In any case, it was just a comparative point, they clearly have the cash flows to hire competent security staff without impacting others' pay if they so desire.
In any case, thanks to the leaked information, it should be easy to tell exactly how much Sony paid the people who are responsible for this mess.
Security is hard, but this looks like a lot of low hanging fruit being picked effortlessly. My bet is that just a tiny bit of effort would have made the intruders work much harder.
100TB? Seems more likely nobody noticed a team carrying out some thirty-five 3TB external drives. If their network was able to maintain operations while somebody sucked out 100TB of data through their gateway, I'm impressed.
Any serious operation dealing with the amount of media (images, videos, various editing files, etc) that Sony was is going to have very fat pipes. They probably moved upwards of a few TBs a day.
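To put the thread's numbers side by side (the "about 3 months at 100 Mbit/s" estimate earlier in the thread and the "few TBs a day" of normal traffic here), below is an added Python example, written for this page and not taken from any commenter or from Sony's systems. The per-host egress figures are constructed; the example shows that a steady 100 TB/year drain is under 10% of aggregate daily volume, so a network-wide throughput alarm would not notice it, while a per-host baseline comparison does.

```python
"""Exfiltration volume arithmetic and a per-host egress baseline check.

Added illustration for this discussion; the daily egress figures below are
constructed sample data, not measurements from any real network.
"""
from statistics import median

TB = 10**12  # decimal terabyte, matching the "100 TB" figure in the thread


def transfer_days(bytes_total: float, link_bits_per_s: float) -> float:
    """Days needed to push bytes_total through a fully saturated link."""
    return bytes_total * 8 / link_bits_per_s / 86400


def share_of_daily_traffic(bytes_total: float, days: float,
                           normal_bytes_per_day: float) -> float:
    """Fraction a steady drain adds on top of normal daily outbound volume."""
    return (bytes_total / days) / normal_bytes_per_day


# Constructed per-host outbound GB per day over 14 days. From day index 7 on,
# hr-db-02 carries an extra ~280 GB/day, roughly the 100 TB/year rate.
DAILY_EGRESS_GB = {
    "fileserver-01": [1900, 2100, 2000, 1950, 2050, 2000, 1980,
                      2020, 1990, 2010, 2000, 1970, 2030, 2000],
    "editbay-07":    [1000, 950, 1050, 1000, 980, 1020, 1000,
                      990, 1010, 1000, 1000, 960, 1040, 1000],
    "hr-db-02":      [2, 3, 2, 2, 3, 2, 2,
                      282, 283, 282, 282, 283, 282, 282],
}


def aggregate_ratio(daily_egress_gb: dict, baseline_days: int = 7) -> float:
    """Mean aggregate egress after the baseline window divided by the mean
    during it. This is what a single network-wide volume alarm would see."""
    days = len(next(iter(daily_egress_gb.values())))
    totals = [sum(s[i] for s in daily_egress_gb.values()) for i in range(days)]
    before = sum(totals[:baseline_days]) / baseline_days
    after = sum(totals[baseline_days:]) / (days - baseline_days)
    return after / before


def flag_hosts(daily_egress_gb: dict, baseline_days: int = 7,
               factor: float = 5.0, floor_gb: float = 50.0) -> dict:
    """Per-host check: flag days where a host's egress exceeds factor times
    its own baseline median AND an absolute floor (so a quiet host going
    from 1 GB to 6 GB does not page anyone). Returns {host: [day indices]}."""
    alerts = {}
    for host, series in daily_egress_gb.items():
        base = median(series[:baseline_days])
        threshold = max(factor * base, floor_gb)
        bad = [i for i, v in enumerate(series)
               if i >= baseline_days and v > threshold]
        if bad:
            alerts[host] = bad
    return alerts


if __name__ == "__main__":
    for rate in (100e6, 1e9, 10e9):
        print(f"100 TB at {rate/1e6:.0f} Mbit/s: "
              f"{transfer_days(100 * TB, rate):.1f} days saturated")
    print(f"100 TB spread over a year vs 3 TB/day of normal traffic: "
          f"{share_of_daily_traffic(100 * TB, 365, 3 * TB):.1%} extra")
    print(f"aggregate egress after/before: {aggregate_ratio(DAILY_EGRESS_GB):.2f}x")
    print("per-host alerts:", flag_hosts(DAILY_EGRESS_GB))
```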
> Many people suggest that startups not over-optimize on issues like security and performance when it's not their core business.
> The same could be said of Sony:
How so? The whole point of saying it about startups is that they are startups. They have severely limited capital and resources and need to optimize for growth/revenue/continuing to exist.
This does not apply to Sony. If you are storing medical records and SSNs and you are a multi-billion-dollar company, there is no viable excuse that looks anything like, "uhh.. yeah well we are really just an entertainment company."
No one suggests that startups not over-optimize on security or performance because these are not their core business. They suggest that they don't optimize for them because they have extremely limited resources compared to big corporations like Sony.
It doesn't matter how much time a startup spends on security and performance if they never find product-market fit and get to the explosive growth phase. Once they do however, this is when they need to raise real money and start addressing these "non-core" issues as well.
Sony is not a startup, is not resource constrained, etc. There's absolutely no reason to empathize with them.
> The film industry regards Sony Pictures as the major studio that still takes risks on edgy comedies and dramas. They are known to respect directors more than the other majors.
I'm not in touch with the film industry, so could you link me to a discussion about this somewhere? I find the idea of Sony taking risks hard to reconcile with the mess that was "The Amazing Spider-Man 2", but as I only know the comic book fan side of things I could use some extra background.
Thing about that is, the movie business is all about risk deference sometimes: making a dumb obvious move now, so you can afford to take the bigger risk later.
And remember too that while the sequels of both SM film series have been largely crap, the originals were big risks in some respect. The first Spider-Man gave a massive budget to a director largely known only for low-budget schlock, and the ASM reboot meant deciding only a few scant years after the last one to completely dump and start over a franchise that was circling the drain.
I once asked a lock pick artist what lock I should get for my house. They pointed out that if you have something valuable in your house, do you want to protect it with a 50 dollar lock or a 250 dollar lock? Basically they should have had better security; and I can bet they will spend the money for proper security now that they got owned so well.
It's a great time to be working in the security field today.
Yep. And it misses the simpler solution of not having things in your house that are worth stealing. Sure, TVs, laptops, etc., but those can be stolen anywhere. Eliminating cash and jewelry from your home can make that $50 lock the right trade-off.
> do you want to protect it with a 50 dollar lock or a 250 dollar lock
It's not obvious to me that the $250 lock actually performs better in any relevant way. You might trust the guy, but when I'm hearing an anecdote second-hand I want to hear something more convincing than "trust the price".
Which is very much the problem -- it's quite hard for security non-experts to distinguish between good security and security theatre.
"It's changing our business," says one producer of its impact on Hollywood. "From now on, money and time will be allocated by studios to deal with this full-time."
...as it should have been already, given how big and how valuable a target these companies are.
> "It's changing our business," says one producer of its impact on Hollywood. "From now on, money and time will be allocated by studios to deal with this full-time."
Shame that most of Sony's Finance and HR are blaming the IT department - so bloody typical!
I worked in an IT department for a communications company that worked with AT&T where, at least once a month, I would find a different way to suggest to a different team lead to check out EMET in case we ever got targeted.
Even though I am a massive supporter and advocate of whistle-blowing and leaking (in the public interest), the state of a lot of the journalism around this is appalling - esp the Gawker article. (Though the Wired one is pretty responsible in fairness.)
Unless Sony has shown to be doing something malicious (which I don't think it has - other than some horrific Adam Sandler movies recently), then the angle of mining the data just to create click-bait headlines is particularly infuriating.
Yes, it is right to report such a large cyber intrusion in the public interest, especially if people's data has been taken (and Sony already had this problem occur before - so it is worth pointing out that they had a chance to tighten up security) but trawling through the internal data of an innocent private company and exposing it online, just to gossip, is particularly poor journalism. Having worked with a lot of media, you can be sure they rightly wouldn't be too happy if people did that to them - just for kicks.
During/after the recent leak of celebrities' private photos, the condemnation was swift and serious. People can see how that directly applies to their own life, they wouldn't want their photos out there like that.
But when it's a company -- it's apparently OK to just look through all their shit. It's already publicly available anyway, so what's the big deal?
> Who knew that Sony’s top brass, a line-up of mostly white male executives, earn $1 million and more a year?
is just taking advantage of a difficult moment and increasing the 'hate'.
I don't get why this could happen in a magazine like Wired...
Reading the comments on the article, it seems that statement is pretty unfair.
I didn't check myself because I think reading that information is as bad as the hack itself; however, the author who did that can also feel free to judge others.
I definitely think that it's useful to point out the over-representation of white and male voices in powerful positions (which seems particularly relevant in big media corporations, since it's such a cultural driver), but in this case it's kind of stuck in there without any follow-up or relevant thesis.
But, yeah, it's definitely silly that the top comment is just complaining about that sentence.
Yes, because privileged white guys, right? Would you feel the same if it was a minority instead? Would it even be noteworthy? Could we even have this conversation if it was a cabal of religiously exclusive peoples? That's right, only white guys are privileged, not minorities who have actual legislative privileges. One is evil, the other is supposed to be socially rewarding, but guess what, many see it for what it is; inconsistent dogma for the over-socialized.
To be frank, it's a stupid lede anyway. It's not like people would be surprised that the CxOs for an entrenched, major company like Sony would be highly-paid and white males. It's basically the default assumption for that demographic.
This is the sort of trite, self congratulatory "socially conscious" type of comment that is appearing all over the place. What does it have to do with Sony getting hacked? Nothing really. It does reveal the personal sentiments of the author somewhat, and also your own. Did the comment help anybody? I doubt it. Other than stoking resentment what possible purpose could stating that the executives were "overwhelmingly white males" possibly have?
I was under the impression that identifying the inequality among upper management at Sony Pictures was at least part of the reason for the early release of that specific document. i.e. that point was the point and should probably be in the opening of any reporting. Call it a low blow, call it whatever you like, I just don't think any female / non-white guy would appreciate how belittling your comments are.
But then I am kind of biased since the whole ghotz debacle. Suck fony and all that. (Yes, I know this is Sony Pictures, not Sony.)
> It's the typical diatribe from this demographic that wants to add this to every conversation whether it's relevant or not.
One difficulty is that people who are not affected by it do not notice it and they don't think it's a big deal. It doesn't register that the star of almost every movie is a white male.
It's human nature to be lost in our own perspectives; it's why it's so important to make an effort to imagine walking around in other people's shoes: If you are a minority or a woman, you are faced with this discrimination everywhere. Every time you turn on the TV, walk down the street, at work, in social situations, dating, at the restaurant; when you read a history book, in the news (e.g., recent police discrimination issues), when you look at our government, when the camera at the football game picks out the young hot white women in the crowd, etc.
If bringing it up all the time makes you uncomfortable, maybe that's a good thing. If it seems like the issue comes up a lot, maybe that speaks to the enormity of the problem.
> It doesn't register that the star of almost every movie is a white male.
> If bringing it up all the time makes you uncomfortable, maybe that's a good thing.
It doesn't make me uncomfortable. I know it's an attack on a perceived villain, but in a "subtle" way. It's not subtle, it's completely transparent.
It's all about dollars. The industry thinks it'll make more money pushing white male/female stars. The racists are the movie going crowd voting with their dollar bills, and not the industry.
It doesn't make me uncomfortable that the majority of popular music is geared towards teenage white girls, because that's the market they want to capture. That's where the money is. Is that racist or ageist? No. It's marketing.
Often times these folks in charge are not only white males, but Jewish white males, which makes them a minority group as well. But that's not always pointed out.
"White" has been used as a common term for a race longer than anyone living has been alive, so, no, I don't think anyone alive could miss the days when "white" wasn't a race.
People can, I suppose, miss the days when "white", as a term for a race, had almost exclusively positive connotations when used by anyone with any influence in society and pine for the days when white privilege was so strong as to be virtually unquestioned, but you shouldn't mistake missing that for missing "white" not being a race.
In a history of American cities, I read that the Polish, Irish, Italian, German, etc. identities shifted to 'white' around the 1930s or 1940s (my memory is a little hazy).
It's true that before then, Polish, Irish, Italian (German not so much, AFAIK, but possibly) were ethnic identities often viewed as distinct from -- and frequently discriminated against by -- the dominant white-identifying group (in the same way whites of Hispanic origin have continued to be since), but white racial identity existed before then.
"Or that the company spent half a million this year in severance costs to terminate employees?"
That's not much. Is Wired trying to make me think that is a lot? Or are they trying to play it against the salary figures? Considering they spent valuable words in the first sentence to make it clear that the top brass is "mostly" white males I get the impression the comparison was supposed to mean something.
From another article I saw [1] it appeared that there was half a million spent in severance for a single employee. Others were listed as well, in 100k range, and the article author left out the names of the employees.
Actually the "mostly white males" comment struck me as an interesting side note. Sony is a Japanese company, so for it to be run by "mostly white males" is something that seems noteworthy in itself. Though I doubt that's what they were going for when they wrote that.
Not knowing anything about it did not stop every damn "news" channel from saying "oh North Korea did it" then added at the end "but there is no proof".
How can "news" call themselves news if all they do is speculate. Granted it wouldn't be entertaining if all they said was "Sony got hacked and we don't have any details" but that is why news is called news.
The North Korean theory seems silly. In fact, it's exactly what I might say publicly if I were Sony and I wanted to try and turn lemons (being hacked) into lemonade (free buzz about an upcoming movie). The movie Kim Jong-un doesn't want you to see!
In the end, I doubt there was any hacking involved at all: a disgruntled employee leaked documents. Perhaps Sony forgot to disable someone's password after giving them the axe.
Except for the part where a flaming skull abruptly appeared on the screens of all the employees, forcing everyone to go home? How much more "hack" can you get?
I doubt that Sony has ruled out the possibility of it being an inside job, or done with the help of someone who has knowledge of their network and systems, but it's still very possible this was the work of outsiders.
Unfortunately we'll probably be left guessing as to how this hack happened and how long it went on, since Sony is not likely to ever release that information even if they figure out the cause.
If they did it on purpose it's even sillier. They may think that it would be cool to say they "got hacked by a state" especially if it's related to an upcoming movie about it, but to me it seems like amateur hour at Sony if they got hacked by North Korea, a country not exactly known for its advanced technology and high computer usage.
North Korea as a country might be behind the technological curve, but several reports indicate that the North Korean Army cyber warfare division is pretty well funded and advanced. There is a huge divide between the day to day realities of the average NK citizen and the realities of the upper echelons.
Who makes up the cyber-warfare division? If I traveled in time back to 1850 with a billion dollars worth of gold bullion, I couldn't hire a single black hat with it. So a few kids of the party elite get to go to nice schools abroad - where are the rest coming from?
Or does DPRK have a shit-hot education system in spite of literally every other thing about the country being godawful and totally backwards? If so it's the first I've heard of it.
If you think about it, DPRK can afford to send hacker-to-be's to top engineering programs in Europe and the United States, and then bring them back to NK as blackhat hackers.
The current leader went to boarding school in Europe - and enjoyed the privileges awarded in that social circle. Corruption doesn't always make logical sense, nor is it limited by morality!
A very simple idea. Find bright kids. Send them overseas to the US primary education system. Their parents stay behind in NK and are bound to the society in NK - the kids need to perform well in school in order for the government to keep giving the parents a reasonable life.
Upon graduation from primary and secondary school in say, California, the kids enroll and try as hard as they can to get into Stanford. Graduate from the CS department, get a phd doing original work in encryption algorithms, and then when they are adults, they return to NK knowing that their parents had a good life b/c of their hard work.
Now you get some nice black hat hackers!
Basically this is how Kim Jong Il created a new young dictator willing to threaten nuclear war. I don't doubt their cyberwarfare division is run in a similar way.
North Korea is nothing like the 1850s. The elites have access to all the technology you and I have, as well as all the latest textbooks and scientific publications, mainly via imports from China. Even people outside the power structure are exposed to computers in school and many can buy computers and radios on the black market.
North Korea, like South Korea and many of its neighbors, has a tradition of putting a lot of weight on basic education, and kids there compete for top grades and positions in special advanced schools.
As to the cyber warfare divisions. According to reports, kids as young as 12 who show aptitude for mathematics are selected for rigorous advanced computer schools. Those that pass go on to study computer science at special universities. The top graduates each year then get selected for a 5 year intense military training course, which includes studies in Russia or China. Getting selected for the cyber warfare unit is apparently one of the most prestigious military postings in NK and comes with lots of perks, so the competition to get in is fierce.
Apparently North Korea has fairly substantial IT (and animation) outsourcing businesses: this paywalled ACM article http://cacm.acm.org/magazines/2012/8/153816-inside-the-hermi... claims 10,000 workers in IT outsourcing. The great majority of the population may be living as peasants, but that's not the case universally.
Doubtful. Several still-in-theater or unreleased movies are apparently up on torrent sites from this hack. I don't think that they would do this just to promote another film...
The "state sponsored" line was about a form of data recovery sabotage used. Seems an insider would have a similar desire to hide tracks. Blaming "mysterious outside forces" is always the knee-jerk, though.
Anecdotally, I knew some guys who worked at (or with?) the global security division at Sony US HQ.
The story went that each of the Sony subsidiaries[1] had their own security division that was largely autonomous for reasons of politics and budget, of course. Each part of the company had different vendors, different policies and procedures, and different philosophies on how security should be implemented.
When they would all send their representatives to have a global security pow wow, however often it happened, it ended up like an episode of Game of Thrones.
> The story went that each of the Sony subsidiaries[1] had their own security division that was largely autonomous for reasons of politics and budget, of course. Each part of the company had different vendors, different policies and procedures, and different philosophies on how security should be implemented.
And they could centralize all of that and ... it still wouldn't solve the problem. You'd have a single point of failure that might still leave them with their pants down at the end of the day.
Some days, you just can't win. You can have the smartest people (they probably didn't), the best hardware and software (ditto) and you're still gonna get punched in the junk.
Absolutely. I think it is a very difficult problem to solve as companies grow larger and larger and rise to behemoth proportions all while trying to tackle something that is relatively new (the security concerns of today, as opposed to say the 80's,90's,2000's when Sony didn't have to be as competitive in the products that they offered) and typically expensive (for a company Sony's size) where funding for these things seem to be viewed in terms of $ now, instead of potential $ later.
Sony Pictures will officially name North Korea as the source of a hacking attack that has exposed sensitive files and brought down its corporate network last week, two sources close to the investigation tell Re/code. An announcement could come as soon as today.
Details of what Sony and the security firm Mandiant will announce are still being finalized. But the sources confirm that North Korea will be named as the source of the attack.
A Sony spokeswoman declined to comment on the timing or the news, but said “The investigation continues into this very sophisticated cyber attack.”
"Harming the regional peace and security and violating human rights for money". Interesting. The focus on this film and these supposed ideals make it sound very regional. I'm not saying it's North Korea, but it's someone in the region. Assuming the "purported hacker" actually had something to do with it.
None of the "leaked" data is that interesting. Some executive pay info is in SEC filings. Talent pay is usually known in Hollywood. Leaking the script of Annie? That's a remake; we know how it comes out.
The real question is, what did the attackers change? Did they add some phony businesses to accounts payable, or initiate financial transactions?
There's a lot to be said for making backups to write-once media.
"Pastebin—the unofficial cloud repository of hackers everywhere"
Are they referring to "http://pastebin.com/"? If so, is it really "the unofficial cloud repository of hackers everywhere"? Is it really used often by hackers?
I thought reddit and 4chan are the more popular places to dump illegally gained information.
Every password dump, claim of responsibility for a hack, etc. I have ever seen has been on pastebin.
I suspect this is just because it's a highly-visible, non-sketchy domain name that provides free, scalable hosting of text that can be used anonymously without much effort.
I am not a sysadmin or network security guy, so I have to ask: how could hackers siphon as much as 100 terabytes of data from Sony's network without being noticed? Shouldn't they have indicators to see their bandwidth was running dry? If so, did the GOP do it slowly to avoid drawing attention?
Although it's possible to monitor bandwidth use pretty closely, none of the companies I've worked for ever did that unless we were having problems.
All the "hackers" have to do is copy the data in a manner that does not cause obvious problems. For example, as you said, do it slowly, or do it at night when "nobody's" using the network anyway.
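The two comments above describe the two ways bulk exfiltration hides: off-hours bursts and slow drips. The script below is an added example, not code from the thread or from Sony, showing what a minimal detector for each looks like when run over outbound flow records. The flow lines, hosts, addresses and the "700 MiB per night" pattern are all constructed; the log format (timestamp, internal source, external destination, bytes out) and the thresholds are assumptions to adapt to a real NetFlow or proxy export. It also works the arithmetic the question implies: at drip rates the 100 TB figure would take hundreds of thousands of nights, while moving it in a month needs a sustained link rate that any bandwidth graph would show.

```python
"""Flag bulk outbound transfers that hide in off-hours bursts or slow drips.

Constructed example, not Sony's logs or tooling. Flow records are invented:
one line per outbound flow with timestamp, internal source, external
destination (ip:port) and bytes sent. Thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime

MiB = 1024 ** 2
GiB = 1024 ** 3
TiB = 1024 ** 4

# Constructed sample: 10.1.4.40 does ordinary daytime traffic; 10.1.4.22
# pushes 700 MiB to the same external host every night at about 02:00.
SAMPLE_FLOWS = """\
2014-11-17T10:05:00 10.1.4.40 203.0.113.50:443 52428800
2014-11-17T14:30:00 10.1.4.40 203.0.113.51:443 31457280
2014-11-17T02:15:00 10.1.4.22 198.51.100.7:443 734003200
2014-11-18T02:20:00 10.1.4.22 198.51.100.7:443 734003200
2014-11-18T11:00:00 10.1.4.40 203.0.113.50:443 41943040
2014-11-19T02:10:00 10.1.4.22 198.51.100.7:443 734003200
2014-11-19T09:45:00 10.1.4.22 203.0.113.50:443 10485760
2014-11-20T02:05:00 10.1.4.22 198.51.100.7:443 734003200
"""

BUSINESS_HOURS = range(8, 19)   # assumed 08:00-18:59 local time; site-specific


def parse_flows(text):
    """Parse 'timestamp src dst bytes' lines into (datetime, src, dst, int)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(nbytes)))
    return flows


def off_hours_alerts(flows, min_bytes=100 * MiB):
    """Individual flows outside business hours that move at least min_bytes."""
    return [f for f in flows if f[0].hour not in BUSINESS_HOURS and f[3] >= min_bytes]


def slow_drip_alerts(flows, limit_bytes=2 * GiB):
    """(src, dst) pairs whose cumulative outbound volume over the whole window
    reaches limit_bytes, however small each individual flow was."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= limit_bytes}


def nights_needed(target_bytes, bytes_per_night):
    """Nightly transfers of bytes_per_night needed to move target_bytes (ceiling)."""
    return (target_bytes + bytes_per_night - 1) // bytes_per_night


def sustained_mbps(target_bytes, days):
    """Average link rate in Mbit/s needed to move target_bytes within `days`."""
    return target_bytes * 8 / (days * 86400) / 1e6


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ts, src, dst, n in off_hours_alerts(flows):
        print(f"off-hours: {ts} {src} -> {dst} {n / MiB:.0f} MiB")
    for (src, dst), total in slow_drip_alerts(flows).items():
        print(f"slow drip: {src} -> {dst} {total / GiB:.2f} GiB over window")
    print("nights to move 100 TiB at 700 MiB/night:", nights_needed(100 * TiB, 700 * MiB))
    print("Mbit/s to move 100 TiB in 30 days: %.0f" % sustained_mbps(100 * TiB, 30))
```

The off-hours rule catches the night-time bursts; the per-pair cumulative rule is what catches a drip that stays under any single-flow threshold, which is why the two belong together. The rate functions are the sanity check on the "100 terabytes" figure: a slow drip cannot move that much in any useful timeframe, so a transfer of that size would have to run at hundreds of Mbit/s for weeks, which is exactly the kind of signal that nobody was looking at.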
So. Sony America suffered an outage on the Playstation Network due to a hack in 2011 causing 171 million in damages (that's the official figure, who knows how much the lost goodwill cost them ongoing). After that if they did not make cybersecurity priority number 1 then they deserve what they've gotten. Fool me once, shame on you; fool me twice, shame on me.
Effectively, Sony Computer Entertainment and Sony Pictures Entertainment are about as related as Virgin Airlines and Virgin Mobile. Think of Sony (and any conglomerate in general) not as a parent company per se, but more like a VC firm or a majority-shareholder mutual fund; the executives of the Sony conglomerate don't really have any more insight into the component companies than those companies' other shareholders do. The only way business-process insight is going to be spread between the component companies is if the executives of one happen to read the trade press of the other.
Eh, if I am a majority shareholder then I will read the riot act to the company I hold a majority in after they lose $171M on shitty security. Also, http://www.sony.com/SCA/who-we-are/our-businesses.shtml lists all these so there is some cohesion. AFAIK there's no such Virgin supercompany.
Richard Branson is Virgin's sole-proprietor supercompany. :)
But yes, that's true—the investors would be mad at SCE. But would that, in turn, make them think of pulling aside SPE to give them the same talk? SPE isn't even doing anything involving running a public-facing web service; why would the investors presume they'd be at risk? It'd be like YCombinator calling in all their current batch of startups to give them a lesson on finances because one of them screwed up their bookkeeping.
>It'd be like YCombinator calling in all their current batch of startups to give them a lesson on finances because one of them screwed up their bookkeeping. //
If the "screw up" was criminally negligent and had a cost of the order of $100s of millions I could certainly see YC doing that, couldn't you?
Virgin Group Ltd. is the "supercompany", but you are right that there's a big difference: Virgin Group owns the brand, and holds positions in many Virgin companies, and majority positions in some, but many others have been divested entirely and use the brand solely under license.
Security means security against the state actor threat. We got a foretaste of it because North Korea's head of state has strange priorities, but there's no reason a hack like this wouldn't be launched in a trade conflict, for example.
We created a security environment that prioritizes surveillance over security, especially in creating a market for zero-day exploits. That's a market that might exist without the US as a buyer, but the size and value of that market is dominated by US spending.
We would not tolerate the development and auctioning of weaponized disease microbes. But we funded a similar market that threatens our technology infrastructure.
It's Sony Pictures Entertainment that got hacked, not Sony. They're completely separate companies, yet the media fails to recognize that. Very annoying and confusing; it's almost deliberate.
> It's Sony Pictures Entertainment that got hacked, not Sony. They're completely separate companies, yet the media fails to recognize that.
Sony is a very large conglomerate: while it would be incorrect to say that, say, Sony Computer Entertainment (the subsidiary that runs Sony's video games operations) got hacked, Sony Pictures Entertainment is a wholly-owned subsidiary of Sony Entertainment, Inc., which is itself a wholly-owned subsidiary of Sony Corporation.[1] It's as much "Sony" as any of its other subsidiaries.
BS. We heard the same lame excuse when the Sony-BMG rootkit debacle took place. You want to use the name "Sony" for positive publicity and goodwill? Then you take the negative publicity along with it.
A bunch of Amazon EC2 machines that were also running web sites seemingly part of the Sony Playstation network were seeding the torrent for a day or so after the leak:
"Completely separate companies" is overstating it a bit. Operationally separate business units of the same company might be closer to the mark. Their "About" page doesn't even try to describe them independently, saying only that "Sony Pictures Entertainment (SPE) is a subsidiary of Sony Entertainment Inc., a subsidiary of Tokyo-based Sony Corporation." And the footer links directly to sony.com.
There was a resource file included with Korean language strings. That either got there because the developers were Korean or as a false flag since malware doesn't otherwise need multilingual support.
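The observation above (Korean-language strings in a resource file) is the kind of thing an analyst gets from pulling the UTF-16LE strings out of a Windows binary and looking at which script they are in. The sample below is an added example, not the thread's or anyone's analysis of the actual malware, which is not on the page; the byte blob is constructed, and the helper assumes resource strings are 2-byte aligned, as they are in PE resource sections. It extracts wide strings and reports which ones contain Hangul, and the commenter's caveat applies in full: a string table is the cheapest artifact there is to plant, so this is a lead, not attribution.

```python
"""Pull UTF-16LE strings from a binary blob and flag the Hangul ones.

Added example with a constructed input; not code from the thread and not
derived from any real sample. Assumes 2-byte aligned UTF-16LE strings,
which holds for PE resource string tables and message tables.
"""

# Unicode blocks that make up Korean script (Hangul Jamo, Compatibility Jamo,
# Jamo Extended-A, Hangul Syllables, Jamo Extended-B).
HANGUL_RANGES = ((0x1100, 0x11FF), (0x3130, 0x318F), (0xA960, 0xA97F),
                 (0xAC00, 0xD7AF), (0xD7B0, 0xD7FF))

KOREAN_SAMPLE = "파일을 열 수 없습니다"   # constructed: "cannot open the file"

# Constructed blob: a fake header, an English message, a Korean message,
# two control code units as filler, and a DLL name, each NUL-terminated.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "Error opening file".encode("utf-16-le") + b"\x00\x00"
    + KOREAN_SAMPLE.encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x00\x02\x00"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
)


def is_hangul(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in HANGUL_RANGES)


def _printable(cp):
    """Printable BMP code unit: no C0/C1 controls, no DEL, no surrogates."""
    if cp == 0x7F or 0x80 <= cp < 0xA0:
        return False
    return 0x20 <= cp < 0xD800 or 0xE000 <= cp <= 0xFFFD


def extract_wide_strings(blob, min_len=4):
    """Return runs of at least min_len printable UTF-16LE code units,
    scanning at 2-byte alignment from offset 0 (like `strings -el`)."""
    found, run = [], []
    for i in range(0, len(blob) - 1, 2):
        cp = blob[i] | (blob[i + 1] << 8)
        if _printable(cp):
            run.append(chr(cp))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def classify(s):
    """'hangul' if any Korean code point, 'ascii' if all ASCII, else 'other'."""
    if any(is_hangul(ch) for ch in s):
        return "hangul"
    if all(ord(ch) < 0x80 for ch in s):
        return "ascii"
    return "other"


def scan_for_script(blob, min_len=4):
    return [(s, classify(s)) for s in extract_wide_strings(blob, min_len)]


def hangul_strings(blob, min_len=4):
    return [s for s, kind in scan_for_script(blob, min_len) if kind == "hangul"]


if __name__ == "__main__":
    for s, kind in scan_for_script(SAMPLE_BLOB):
        print(f"{kind:6s} {s!r}")
```

Run against a real file, this is the step that turns "there is a resource file with Korean strings" into a list you can inspect; whether those strings are a compiler's locale artifact, a developer's error messages, or a decoy is a separate question that string contents alone cannot answer.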
There are some comments over at reddit suggesting this is a huge deal internally. There are teams that are just not showing up for work because all the systems are down.
My friend got doxxed from this. SSN, passport, hiring agreements, everything. This hack basically dumped every single document Sony had out on the web.
Or you never pay for it and no one ever hears about it and everyone is sleeping like babies. Or you pay for it now and later, because you know, security is hard and crackers have the upper hand. The possibilities are endless and nuanced!
You'd think they would've learned a thing or two after they were made the hackers' pinata the last time around. Sony continues to come up as the poster-boy company for weak security.
The only difference between Sony and any of a dozen different financial services companies is that Sony has better name recognition and so is a bigger target.
Your title to that post was bad, you misspelled Sony and editorialized the title: "Sonny just got hacked!". And whether a post is successful or not can be a bit random.
> Now we all do, since about 40 gigabytes of sensitive company data from computers belonging to Sony Pictures Entertainment were stolen and posted online.