See, I usually avoid discussing purely theoretical IT issues on this blog. It’s more important to me that I stick to practical matters which actually help people out. The Internet is full of theoretical discourse (to give it a very charitable name) and, especially in the open software community, good practical system administration information is often very hard, if not impossible, to come by.
So my previous post regarding the proportionate response to North Korea assumed, of course, that North Korea is actually involved in the attack against Sony. I, along with the seeming majority of the IT security community, was initially skeptical that such a backwards little nation which is so often full of empty, hyperbolic threats actually struck out at Sony. I realized that this fact isn’t exactly easily discernible to readers of my blog since I hadn’t posted anything on the subject aside from the last post discussing a potential response to NK. Any of my life’s usual interlocutors would have a very different picture of my position on this subject than a reader of my blog, so I thought that probably needs some changing.
Determining North Korea’s involvement in this whole security debacle is (obviously) a hard call to make without knowing the specifics. Sure, North Korea is every bit as laughably backwards a nation as one might expect a little tyrannical despotism to produce, but it’s quite possible that Sony didn’t exactly make it difficult for the hackers (and judging from the quantity of files sitting on their file servers with “password” in the name of the file, it certainly looks, again, downright shameful for Sony’s IT department). On the other hand, North Korea is not exactly a country of action when it comes to its silly political posturing which forms such a crucial portion of its brutal totalitarianism. The message of the hackers has been muddled and strange as well, and the response from North Korea has been inconsistent. It seems no one, the hackers included, knows how to deal with the attention this issue has given to whoever the perpetrators actually are.
This article, by Marc Rogers of CloudFlare, is a little egotistical and a good example of the security community swinging the pendulum back way too forcefully. The title is way too strongly worded, for instance, but the article points out to the discerning reader the central problem with the current issue: we don’t have enough information to make a good decision, and it doesn’t seem incredibly likely that the FBI has enough information either.
Despite the skeptical opinion of our government and its law enforcement agencies which is so in vogue among IT security professionals (and not for terrible reason, I might add), I have been kinda giving the FBI the benefit of the doubt. I hope they have way more evidence than they have brought to light (as they seem to imply) because what they have revealed is every bit as weak as the article by Mr. Rogers claims.
So, I’d like to get back to more important matters, such as dealing with the new Fedora 21 product environment and the AMD Catalyst driver, but I thought that since I opened up this can of worms, however briefly, I’d like to make it clear that I am not simply operating off of a foregone conclusion here, and it is really important that America does not operate off of such a conclusion either. I really hope the FBI knows what it’s doing, ’cause those totalitarian bastards over in NK don’t need any exaggeration of their capabilities on their side.
Of course, even if they didn’t hack Sony, I’d probably still stand by my idea for the proportionate response. It seems a reasonable thing to do to a totalitarian regime of such horror regardless of any recent attacks they may or may not have perpetrated.
Check out this very nice summary of the entire incident over at riskbasedsecurity.com. It makes very clear that Sony’s data security policies are either not being followed, not being enforced, or simply not being. There are huge troves of sensitive information stored in plaintext all over Sony’s systems. Whatever the ultimate reason for this, Sony’s IT department has been shamed by this attack about as severely as is possible. What a travesty. This is perhaps the worst information systems attack any organization has suffered in history.
Check out this story at ZDNet for a little more evidence from the FBI. Sure, someone could’ve proxied through North Korea or something, but given the country’s networking infrastructure…probably not. Hopefully they have even more evidence up their sleeves which they don’t want to reveal that they can obtain, like some chatter among North Korean officials regarding the incident. My guess is that they do.