Can You Make Even the Slightest Sense Out of the Sony Hackers Story?
As you may have guessed from the headline, I sure can’t.
I mean, obviously, some very sophisticated hackers at work. Obviously, a complex operation. Not hard to see why someone might think it would be amusing, useful, or highly lucrative to hack that target.
But the idea that the North Koreans are behind this — and the point of this is to get Sony to pull a movie that sounds like a dumb-but-standard-fare Hollywood treatment of North Korea — does that make the slightest bit of sense to you?
I know I’ve offered to be your guide to all things foreign policy, but I can make no sense of this. Even if what I’m reading does seem to add up to “That could even, possibly, conceivably, be what’s going on.”
I mean, say you’re a North Korean lunatic. Wouldn’t you be just slightly more concerned at this point by the unlikely rise to power of Ashton Carter, America’s all-but-for-the-formalities Secretary of Defense? Of whom the most notable thing that may be said or — at least — the only interesting thing he’s ever said, is:
Therefore, if North Korea persists in its launch preparations, the United States should immediately make clear its intention to strike and destroy the North Korean Taepodong missile before it can be launched. This could be accomplished, for example, by a cruise missile launched from a submarine carrying a high-explosive warhead. The blast would be similar to the one that killed terrorist leader Abu Musab al-Zarqawi in Iraq. But the effect on the Taepodong would be devastating. The multi-story, thin-skinned missile filled with high-energy fuel is itself explosive — the U.S. airstrike would puncture the missile and probably cause it to explode. The carefully engineered test bed for North Korea’s nascent nuclear missile force would be destroyed, and its attempt to retrogress to Cold War threats thwarted.
I’m just trying to put myself in those shoes. I’m trying to figure out why the new Secretary of Defense of the United States — a country that can, actually, do precisely this — is not my bigger concern than making sure The Interview gets cancelled.
Can’t seem to do it.
The only thing I might conclude is that North Korean lunatics are, truly, lunatics and that no game theory — however conceived — applies here, as all such theories assume at least some degree of rationality in the actors involved. If so, Ash Carter is quite right about launching a preemptive strike.
Yesterday would have been better, for sure, but today is still better than tomorrow. Because if this is really what we’re dealing with, “not one second more” is the only conclusion I can logically reach.
Published in Foreign Policy, General
One more thing . . . one more reason I think this is a domestic affair is the choice of GOP as the hacker name. Granted, the hacker claims it stands for “Guardians of Peace”–a group no one’s ever heard of before. (Uh, what kind of Peace are you Guarding hacking an entertainment company?) But we all know who else is the GOP, right? I have to believe this is some kind of insider, nerdy, ironic, funny-to-the-hacker-community joke. A joke that I don’t think would have much meaning to a hacker outside the USA. Does the average North Korean know the Republican Party is called the GOP? I don’t think so.
Furthermore, there seems to be a lot of over-compensating in the hacker’s message. “Guardians”–plural. “If you don’t obey US (plural), WE’LL (plural) release data shown below to the world.” I should also say: “shown” is a unique word in the English language. I think most people who speak English would write that sentence, leaving it out by putting a “the” before “data”. Using “shown” sounds to me like somebody who’s trying to sound intellectual and official because “shown” isn’t a word you’d usually put in a threatening email.
This seems like a singular person who is trying to seem bigger than he is. I should add: The above message is kind of tame, considering it may have come from North Korea, isn’t it? I would expect a message from the Norks to be something like, “If you don’t obey us and give all praise to our Dear Leader by destroying your propaganda films, a thousand dragon strikes from the sky will rain down on your decadent capitalistic pig nation.”
The whole thing sounds like an American individual who’s trying to make it sound like the hack was committed by a sophisticated network from somewhere else. By the way, the Hollywood Reporter by interviewing security experts has come to the same conclusion.
Forgive me, but, no: the hacker community has an unbelievably robust reputation economy. See Masters of Deception (1995!) for more info.
Unbelievable.
The code has Sony internal server names and user credentials. This all but rules out a single actor or even a small independent team (infiltrating Sony wouldn’t be cheap), unless the single actor were internal and, crucially, had access to the credentials in question.
The “experts” interviewed by the Hollywood Reporter need to turn in their shingles.
Let me speculate on the differences. I think you’re right, that a difficult project like building a nuclear bomb, which North Korea has accomplished, is very different from a difficult (but cf. Gödel’s Ghost) project like hacking into Sony.
I think the difference is that the hacker subculture is largely individualistic. Hackers certainly do collaborate sometimes, but I get the impression that a lot of the work is solo. While the difficult jobs require skill, that skill can be learned in one’s spare time, as a hobby. You don’t need to get a graduate degree in computer engineering for this. Furthermore, it’s a high-risk, high-reward activity, and the reward is also to the individual—usually the glory and bragging rights.
Nuclear engineering is much more of a group activity, and it requires years of advanced, time-consuming education. The payoff is to the group—the nation—not to the individual (although in a Western culture, you’d still get some bragging rights, money, and fame). It is a coordinated activity that depends on the guided work of a group of skilled engineers. It’s the kind of thing that Communist societies at least think they excel in. (I don’t believe their management skills are as good as ours, but group activities are one category of the few things they can pull off at all.) Furthermore, while a Communist society has little reward for individual creativity, I think that even nuclear engineering problems can be solved by less creative people, given a longer amount of time.*
Gödel—I think you mean to cite K.C. in comment #32, not me.
I somehow suspected you’d know the answer to that or at least be able fully to convince me you did.
Yes, if “team of a half a dozen people” could do it, and if it’s really not that hard to do–and I reckon you’re almost certainly right about the general attitude toward software security; I mean, that would conform to my “lived experience” as they say–then at least the idea’s plausible.
By the way, I’ve noted that the people who take this stuff seriously and know a great deal about it are exactly the sorts of people who would think, “I prefer to be a bit anonymous, at least. The people running this show seem to think they can ensure that, but quite obviously they’re totally incompetent, so I’ll fix this problem.” And the way they “fix it” could sometimes result in some technical anomalies of the variety I note in your posts. But that might be a bit conspiratorial–hey, a decade in Turkey will do that to you–and besides, you’re blown; I reckon I know full well who you are.
It’s an odd sort of hiding when I link to some of my public work.
The embarrassing truth is I used to be here under my real name, found myself in a thread with a few participants that got out of hand (which I judged by asking myself “How would I feel if Peter Robinson read this?” and came up with “ashamed”), and changed my handle in a fit of that embarrassment. Time has mellowed its sting somewhat.
If you want confirmation, follow the links. I’m the guy in the videos. :-)
GG,
I am inclined to look at it your way. Also, I found the “Operation Mincemeat” article very informative. This was definitely high stakes game theory. The Germans once stung stayed bluffed. I would think too much “following orders and loyalty to the Fuhrer” and not enough independent analytical thinking. Certainly cyber-warfare would also be a perfect candidate for a game theoretic approach.
What concerns me though is the ‘Snowden’ factor. Young cyber-punks may think of themselves as sophisticated because they can hack but international politics at the governmental security level is not for fools. Snowden didn’t like Putin so much once he got to know him. I suspect that a cyber-punk stupid enough to get involved with the North Koreans wouldn’t like Kim very much once he got to know him either. That’s assuming he was still alive after he got to know him.
Regards,
Jim
Forgive me, but yes – just because some hackers solicit attention doesn’t mean they all do. And considering the subterfuge undertaken by military hackers, I’d say the more serious damage is inflicted by people who wish to remain hidden.
Yeah, I needed no confirmation. I’d love to be able to say I figured that out by means of a home-made, whipped-up, neat-o hardcore LFG-method-based distributional-semantic modelling tool that allowed me to make testable predictions based on your prose and then confirm them with properly gathered empirical data, but I actually did it with the old “That sounds like something [REDACTED] might say,” method. (Point in favor of Chomsky? Maybe) Then I was confirmed when you, you know, linked to your work.
Doesn’t mean you guys don’t like to do freaky things to be sure you’re precisely as anonymous as you wish to be at any given time x, or that you’re always rational about this–yes, even you. So even that admittedly, I’ve been excessively Turkified, my asking myself that question still makes sense.
I’m afraid it is, actually. At least that’s what my study of the Senate report thus far is causing me to conclude.
Touché, and my apologies for the unwarranted snark. I know what at least one New Year’s resolution will be.
You say “tomato;” I say “tomato.”
I’m quite flattered you have any idea, distinct from my shamelessly plugging my own work, who Paul Snively (let’s not be coy, shall we?) is.
The OSS took enormous advantage of the German penchant for formality, protocol, seals and stamps, etc. One enterprising agent in a bind behind enemy lines falsified a counterfeit document by rolling a hard-boiled egg over the stamp on a legitimate one, then rolling the egg over the counterfeit, transferring enough ink to be successful. When the Germans weren’t suspicious enough, they weren’t nearly suspicious enough. When they were suspicious, they were paranoid. Thank G-d.
All warfare is information warfare. Now contemplate what that means when we have the equivalent of a five-six-year-old supercomputer on our desk—heck, on our lap on an airplane or at a café in Sri Lanka—and a fully current supercomputer cluster anytime we have an internet connection and are willing to pay instance spot prices.
A bitterly amusing anecdote: I remember well reading the handwringing over the Total Information Awareness program, which hoped to be an intelligence analysis tool offering decision support to government anti-terror stakeholders. It was to be based on a database of publicly-available information, six terabytes in size! The horror! I remember thinking: “A quick trip to the Apple Store with my credit card and a few months of evenings and weekends with Managing Gigabytes and Artificial Intelligence: A Modern Approach would get me well within the 80/20 rule for these kinds of projects.” Most people—political journalists in particular—really have absolutely no idea what the threat profile actually is.
Snowden’s romanticizing of non-US regimes will indeed be his undoing, as it was The Falcon and the Snowman’s. The attack on Sony shows no signs of such romanticism, but rather shows a solidly prosaic understanding of the entertainment industry economy and the effectiveness of digital warfare in disrupting it. Nary a “ZOMG! The government does bad [non-CoC-compliant]!” to be found.
The cyber-punk(s) in question didn’t “get involved with the North Koreans.” It’s likely they are State-sponsored—whatever the alternative would even mean in North Korea.
FTFY.
GG,
Interesting. Are you sure that they didn’t recruit somebody inside Sony? Maybe an entertainment industry oriented cyber-punk. Never underestimate the stupidity of the young.
Regards,
Jim
Well, I’d hardly wish you to fail to be flattered. But what the hell do you think’s gonna happen when “Claire Berlinski” spots “a possibly interesting thing” in some “distant part of her cognitive field” when she’s “on a deadline” and should be “working on something else?”
I mean, if it flatters you to be the object of thorough study, and I do mean thorough, just figure out when I’ve got something important due. Drop, say, a yellow handkerchief on my doormat. I promise you: “Why yellow? What does that mean? Whose is it? What precisely led to this happening? What were his motivations? What might the local Préfecture de Police know about the history of yellow-handkerchief dropping in this neighborhood? Might they let me see their archives?” will become questions so much more interesting to me than what I’m supposed to be working on that I will truly convince myself that yes, I need to solve this mystery before I can write another word. And then, of course, I’ll solve it (obviously I will; if I put as much energy into working as I do into avoiding work I’d have solved the problem of cold fusion by now). Then I’ll pitch the story of how I solved it to some editor who will love the idea; then I’ll find myself stuck in just the same place, because now I’m supposed to be writing about that cursed yellow handkerchief–but somehow that’s the last thing I care about anymore. All I want to know is who hacked Sony and why.
All that said, I like to think I would have been curious (and that I would have figured it out just as quickly) even were I not lazy and neurotic, so do feel free to be flattered.
Claire,
One incredible stupidity that makes the Senate Report look especially foolish is the incident with bin Laden’s courier. The Senate Report claims that this wasn’t due to the interrogations but that the name was already in the files. However, as Mr. Yoo points out, there were thousands of names in the file. The information that specified this to the point of catching bin Laden was obtained by the interrogation.
Either the committee is totally incompetent or it lies like Gruber.
Regards,
Jim
Sure, no. But my assessment is that the person in question would understand that if they’re working for Sony Pictures in Culver City, they’ve made the big time, and engaging in this espionage is the professional equivalent of slitting your wrists.
So I’m just a distraction, a plaything, to you?
I’m fine with that.
Jim #48 – I go for incompetent, as lying takes real skill. Note that Gruber DIDN’T lie, which is exactly why he got in trouble.
…hmmmmm…..What’s it all about?
Ahhh, the old standards never get old.
Regards,
Jim
Dev,
I stand corrected. Actually, I’m sitting. What I think he did was tell the truth about how he lied and pulled the wool over the American People’s eyes.
We should refer to this as a Gruber Canard. You know the way Ponzi is forever linked to Ponzi Scheme.
Regards,
Jim
Did I kill this thread by being impertinent? I hope not. If so, I must apologize.
It’s worse than that, GG. Much worse.
I just didn’t see your response.
However, I think this may safely be blamed on the oddities of the “alert” function here, not my lack of amusement and interest. Or at least, may be rendered reasonably ego-syntonic.
Just a question of when.
He was candid when he gleefully rejoiced in getting away with lies (a triumphant exercise of that “real skill” you note).
This shows a common leftist academic mindset. The next time you see a giddy leftist, consider whether s/he is rejoicing in getting away with a lie.
Late-breaking (to me, anyway) news on the actual subject matter of this thread.
I’m going to have to seriously reconsider my “yeah, the Norks did it” stance, although not, I should note, my sincere belief they’re perfectly capable of it (they do, in fact, have a military dept. committed to cyberwarfare, and the whole “they just don’t have the technical capability” cant is so unbelievably naïve it renders me literally speechless).
One thing from the link that deserves quoting in full. It’s point #9.
Keep this in mind every time you hear anything about “this was a sophisticated attack.” It may indeed have been a sophisticated attack—but it need not have been. I’m usually leery of “blame the victim” reporting, but this is an instance in which the victim got down on their knees, bent over, and begged for it. [Possible non-CoC compliant imagery; editors, do your thing.]