Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

December 17, 2014

Sony Breach Result of Self Abuse

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:52 pm

In Sony Pictures Demands That News Agencies Delete ‘Stolen’ Data I wrote in part:

The bitching and catching by Sony are sure signs that something went terribly wrong internally. The current circus is an attempt to distract the public from that failure. Probably a member of management with highly inappropriate security clearance because “…they are important!”

Inappropriate security clearances for management to networks is a sign of poor systems administration. I wonder when that shoe is going to drop? (emphasis added)

The other shoe dropping did not take long! Later that same day, Sony employees filed a suit largely to the same effect: Sony employees file lawsuit, blame company over hacked data by Jeff John Roberts.

Jeff writes in part:

They accuse Sony of negligence for failing to secure its network, and not taking adequate steps to protect employees once the company knew the information was compromised.

The complaint also cites various security and news reports to say that Sony lost the cryptographic “keys to the kingdom,” which allowed the hackers to root around in its system undetected for as long as a year.

That is the other reason for the obsession with secrecy in the computer security business. The management that signs the checks for security contractors is the same management that is responsible for the security breaches.

Honest security reporting (which does happen) bites the hand that feeds it.


Just so you know, before I signed off for the day, the following appeared in the New York Times: U.S. Links North Korea to Sony Hacking by David E. Sanger and Nicole Perlroth.

There is one tiny problem with the story:

It is not clear how the United States came to its determination that the North Korean regime played a central role in the Sony attacks.

Buried about half-way down in the story.

Sanger and Perlroth report no independent confirmation that what was told to them by unnamed sources is true. Unnamed sources from an administration that has repeatedly demonstrated its willingness to lie, cheat, even murder, in the pursuit of some secret agenda.

Broadcasting re-edited broadsides from a group of known liars without independent verification of the claims is a disservice to the reading public. With the U.S. government, I would require two independent sources of confirmation before reporting their claims at all and then with a caution about the government’s reliability.


Update: In Sony hack: White House views attack as security issue, the BBC reports the White House refuses to confirm if North Korea is responsible for the attack on Sony. Private FUD and public denial?

At least the BBC offers these options under Four possible suspects in the Sony hack:

  • A nation state, most likely North Korea
  • Supporters of North Korean regime, based in China
  • Hackers with a money-making motive
  • Hackers or a lone individual with another motive, such as revenge

Whatever the “factual” outcome, the North Korean 9/11 on Sony has already passed into folklore for computer security discussions, at least at the policy level. What failing policies will result, like those following 9/11, such as useless operations in Afghanistan and Iraq, remains to be seen.

Update:

Jody Westby’s Instead Of A Real Response, Perennially Hacked Sony Is Acting Like A Spoiled Teenager is as instructive for potential hacking victims as it is amusing. A joyful read for the holidays and counter to the gloom and doom folks selling less than stellar cybersecurity services.
