The FBI told their story about North Korea attacking Sony. Before we retaliate, read what they didn’t tell you.
20 DECEMBER 2014
Summary: The government blames North Korea of the Axis of Evil for the attack on Sony, a claim quite like the bogus claims of the past we so credulously believed. No matter how often they lie to us, Americans believe what the government tells us. They lie, we believe, their lies are exposed — rinse, repeat. It makes us easy to govern, incapable of self-government, and quite different than our skeptical unruly forebearers. We can do better. This is a great day to begin. Read this and decide for yourself.
This is the most complete collection of information I’ve found on this story. I’ll update as new articles appear. Second post in this series; see links to the others at the end.
Contents
- Articles questioning the FBI’s story
- About the attack
- Dissenting voices to the official story
- Remember this before you believe
- Major media see the story
- For More Information
(1) Articles questioning the FBI’s story
.
While most journalists report official government statements, and cite only approving voices, there are a few who quote dissenters. We should pay attention to these few, considering the long list of government lies attributing evil deeds to designated foes. Learning from experience is the beginning of strength.
While most journalists report official government statements, and cite only approving voices, there are a few who quote dissenters. We should pay attention to these few, considering the long list of government lies attributing evil deeds to designated foes. Learning from experience is the beginning of strength.
- “Sony Pictures hackers say they want ‘equality,’ worked with staff to break in“, Jacob Kastrenakes and Russell Brandom, The Verge, 25 November 2014 — An interview with the hackers. Ignored by journalists; blockbuster news if true.
- “Sony Hack: Studio Security Points to Inside Job“, The Hollywood Report, 3 December 2014
- “North Korea Almost Certainly Did Not Hack Sony“, Kim Zetter, Wired, 17 December 2014
- “Reaction to the Sony Hack Is ‘Beyond the Realm of Stupid’“, Jason Koebler, Motherboard, 17 December 2014
- “Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony“, Jeffrey Carr (cybersecurity expert, CEO of Taia Global, Wikipedia bio), Digital Dao, 17 December 2014 — Excellent background on the cyber-intel agencies and their vendors, and the dubious past of cyber-attack attribution.
- “Why the Sony hack is unlikely to be the work of North Korea“, Marc Rogers (of web-traffic optimizer CloudFlare), 18 December 2014 — 1st of 2.
- “US reportedly blaming North Korea for Sony Pictures hack. But why?“, Graham Cluley, 18 December 2014 — Repeats points made elsewhere.
- “Sony, the DPRK, and the Thailand – Pyongyang Connection“, Jeffrey Carr, Digital Dao, 19 December 2014 — The story becomes more complex.
- “North Korea Hacked Sony? Don’t Believe It, Experts Say“, Paul Wagenseil, Tom’s Guide, 19 December 2014
- “Sony hack was the work of SPECTRE“, By Robert Graham (CEO), Errata Security, 19 December 2014 — A logical alternative analysis shows the weakness of the FBI’s case.
- “How the FBI says it connected North Korea to the Sony hack — and why some experts are still skeptical“, Christina Warren, Mashable, 20 December 2014
- “Lets blame our perennial adversary!“, the grugq (bio here; his website), undated — The attacker has strong media skills.
- Update: “Fauxtribution ?” at Krypt3ia (pseudonomeous hacker), 20 December 2014
- Update: Comment by Marcus Ranum, e-security expert (bio here) & on the FM website’s team of authors, posted at Free Thought Blogs, 21 December 2014
- Update: “Why I *still* dont think it’s likely that North Korea hacked Sony.“, Marc Rogers (of web-traffic optimizer CloudFlare), 21 December 2014 — 2nd of 2, with more detail.
- Update: “Sony hacker language“, Language Log, 21 December 2014 — Linguistic analysis of the hackers’ writing.
I sifted through these articles, each linking to other sources, and assembled the this summary. I believe it shreds the FBI story; at the very least it destroys the certainty about the attackers’ identity. Read and decide for yourself.
(2) About the attack
.
Hewett Packard posted an excellent summary of the attack and North Korea’s capabilities and possible role. See their August 2014 report about North Korea’s cyber capabilities. They discuss the Chongryon, a group of North Koreans in Japan who run its some of its most important cyber and intelligence programs.
Also see the detailed analysis posted by Risk Based Security.
Why does the government tell us so little of the evidence? Some speculate that the NSA provided much of the evidence, but they’re keeping this SIGINT secret (e.g., Nicholas Weaver at Mashable). That’s logical. The pseudonymous but well-known information security expert going by the handle “the gugq” agrees: “I’ll accept the Feeb’s answer, I just don’t believe they’ve shown their work. Mostly because it’s not their work, they just copied from NSA.” As you see below, after more thought he became more skeptical. So should you.
History suggests skepticism about these stories, given the history of US government and its corporate allies exaggerating the power of designated US foes. The Soviet Union was ominous superpower until it collapsed after years of internal rot (unnoticed by our lavishly funded intel agencies). Brian Honan (info security expert; bio here) reminds us of the 1998 “Solar Sunrise” attack by Iraq on US Army websites? US Deputy Defense Secretary John Hamre said it was “the most organized and systematic attack to date” on US military systems. A massive multi-agency task force eventually arrested 4 teenage boys. See the details here.
(3) Dissenting voices to the official story
(a) The best summary I’ve seen in rebuttal to the FBI’s story — Excerpt from Marc Rogers’s article (red emphasis added):
- (1) The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in “Konglish”. i.e it reads to me like an English speaker pretending to be bad at writing English.
- (2) The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden. {details and cites follow}
- (3) It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. … Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.
- (4) Whoever did this is in it for revenge. The info and access they had could have easily been used to cash out, yet, instead, they are making every effort to burn Sony down. {explanation follows}
- (5) The attackers only latched onto “The Interview” after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK “might be linked” that suddenly it became linked. I think the attackers both saw this as an opportunity for “lulz” and as a way to misdirect everyone into thinking it was a nation state. After all, if everyone believes it’s a nation state, then the criminal investigation will likely die. …
- (6) Whoever is doing this is VERY net and social media savvy. That, and the sophistication of the operation, do not match with the profile of DPRK up until now.
- (7) {B}laming North Korea is the easy way out for a number of folks, including the security vendors and Sony management who are under the microscope for this. …
- (8) It probably also suits a number of political agendas to have something that justifies sabre-rattling at North Korea …
- (9) It’s clear from the leaked data that Sony has a culture which doesn’t take security very seriously. …
- (10) Who do I think is behind this? My money is on a disgruntled (possibly ex) employee of Sony.
Rogers’ follow-up post provides more detail, and with analysis even more critical of the FBI story. His conclusion:
We don’t have any solid evidence that implicates North Korea, while at the same time we don’t have enough evidence to rule North Korea out. … calling out a foreign nation over a cybercrime of this magnitude – something serious enough to go to war over – should not be taken lightly.
(b) From the Mashable article (links added):
Jeffrey Carr, cybersecurity expert {see Wikipedia} and CEO of Taia Global, is one of the skeptics. He told Mashable that “one of the biggest mistakes is that because an attack can be traced to the North Korean Internet that somehow means it’s the North Korean government. That’s a false assumption, because the North Korean Internet is basically provided by outside companies, in this case a Thai company. Nothing presented excludes alternate scenarios, so why jump to the most serious one?”Carr notes that it appears the FBI is getting most of its intelligence from private security companies, without vetting or verifying that information. He added: “The White House is now getting ready to take some kind of action, as if it’s a sure thing that the North Korean government is involved. Meanwhile you have the hackers who actually are responsible laughing because this is the most epic false flag ever.”
(c) More from Jeffrey Carr, from his Digital Dao articles:
Is North Korea responsible for the Sony breach? I can’t imagine a more unlikely scenario than that one, and for many of the same reasons that Kim Zetter detailed in her excellent article for Wired. {December 17}
There is a common misconception that North Korea’s ITC is a closed system therefore anything in or out must be evidence of a government run campaign. In fact, the DPRK has contracts with foreign companies to supply and sustain its networks. … For the DPRK, that’s Loxley, based in Bangkok. The geolocation of the first leak of the Sony data on December 2 at 12:25am was traced to the St. Regis hotel in Bangkok, an approximately 13 minute drive from Loxley offices.This morning, Trend Micro announced that the hackers probably spent months collecting passwords and mapping Sony’s network. That in addition to the fact that the attackers never mentioned the movie until after the media did pretty much rules out “The Interview” as Pyongyang’s alleged reason for retaliation. If one or more of the hackers involved in this attack gained trusted access to Loxley Pacific’s network as an employee, a vendor, or simply compromised it as an attacker, they would have unfettered access to launch attacks from the DPRK’s network against any target that they wish. Every attack would, of course, point back to the hated Pyongyang government.Under international law, “the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State” (Rule 8, The Tallinn Manual). (December 19}
(d) From the grugq’s post (bio here; his website):
This is a media blitz campaign by a group that is steeped in Internet culture and knows how to play to it. They can manipulate it to maximum effect. This is definitely far more sophisticated than the usual rhetoric from North Korea. … To handle this sophisticated media / Internet campaign so well would require a handler with strong English skills, deep knowledge of the Internet and western culture. This would be someone quite senior and skilled. That is, I can’t see DPRK putting this sort of valuable resource onto what is essentially a petty attack against a company that has no strategic value for DPRK.
(e) Robert Graham (CEO of Errata Security) provides another perspective at their website. Here are two excerpts.
While there may be more things we don’t know, on its face {the FBI press release is} complete nonsense. It sounds like they decided on a conclusion and are trying to make the evidence fit. They don’t use straight forward language, but confusing weasel words, like saying “North Korea actors” instead of simply “North Korea”. They don’t give details.The reason it’s nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop it’s own malware from scratch. (19 December 2014)
My story … better explains the evidence in the Sony case than the FBI’s story of a nation-state attack. In both cases, there are fingerprints leading to North Korea. In my story, North Korea is a customer. In the FBI’s story, North Korea is in charge. However, my story better explains how everything is in English, how there are also Iranian fingerprints, and how the threats over The Interview came more than a week after the attack. The FBI’s story is weak and full of holes, my story is rock solid.I scan the Internet. I find compromised machines all over the place. Hackers have crappy opsec, so that often leads me to their private lairs (i.e. their servers and private IRC chat rooms). There are a lot of SPECTRE-like organizations throughout the world, in Eastern Europe, South America, the Islamic world, and Asia. At the bottom, we see idiot kids defacing websites. The talented move toward the top of the organization, which has nebulous funding likely from intelligence operations or Al Qaeda, though virtually none of their activities are related to intelligence/cyberwar/cyberterror (usually, stealing credit cards for porn sites).My point is this. Our government has created a single story of “nation state hacking”. When that’s the only analogy that’s available, all the evidence seems to point in that direction. But hacking is more complex than that. In this post, I present a different analogy, one that better accounts for all the evidence, but one in which North Korea is no longer the perpetrator. (19 December 2014)
(f) From the Tom’s Guide article:
“There’s no evidence pointing to North Korea, not even the barest of hints,” Robert Graham, CEO of Atlanta-based Errata Security, told Tom’s Guide. “Some bit of code was compiled in Korea — but that’s South Korean (banned in North Korea, [which] uses Chinese settings). Sure, they used threats to cancel The Interview — but after the FBI said they might.”
(g) Update: Comment by Marcus Ranum, cyber-security expert (bio here) and on the FM website’s team of authors.
The movie angle only cropped up 3 days into the attack, at which point the attackers latched onto it like a bunch of gamergaters who’d found another excuse for misogyny. Prior to the movie angle, there was no North Korea evidence, then it starts popping up.The malware used is not specifically North Korean. It’s run of the mill stuff using techniques that were notoriously used in the ‘shamoon’ attack against Saudi Aramco (does that make it Israeli?). The “common elements” the FBI boneheads are talking about is the disk wipe module, which is the most popular scriptable disk wipe; I’ve used it myself. Please, nobody point the finger at me for this attack in spite of the “common elements”This bears all the hallmarks of a bunch of sociopathic American hackers; more like something from the former “anti-sec” crew than anything state-sponsored. I’m guessing the FBI doesn’t want to talk about those “common elements” because anti-sec was being run by the FBI when they attacked Brazilian police and oil exploration assets.If we ever find out who’s behind it, my money is on some badly adjusted American nihilists in the 20-30 year old unemployed trouble-maker or “security consultant” demographic. These attacks are not sophisticated; what makes them so bad is that they got a very deep foothold in Sony before they started causing trouble, and Sony’s infrastructure was deeply compromised. Most American companies, attacked in a focused manner, would fall just like Sony has.
Marcus sent me a follow-up note:
The attacks almost certainly (in my mind) are the work of some American sociopaths, probably guys pretty much like the antisec crew (which was led by an FBI informant). The tools in use are irrelevant; it would be like saying “the attacker used a gun, which points at Germany because it was an H&K” or “the attacker used a gun, which point to the US because Americans are gun nuts”.The Korean in the malware comments appears to have been planted there as a deliberate red herring; it’s google translate quality. It would be like saying that”это фигня” shows I’m a KGB agent.
(h) Others experts have expressed skepticism, but with no details. Such Brett Thomas (CTO of internet services provider Vindicia; his bio):
.
Another cautionary note, by Sean Sullivan (security advisor to Finnish internet security firm F-Secure):
Another cautionary note, by Sean Sullivan (security advisor to Finnish internet security firm F-Secure):
Update: Robert M. Lee (Co-Founder at Dragos Security LLC , First Lieutenant USAF – cyberspace Operations Officer; bio here):
(4) Remember this before you believe
.
The aide {Karl Rove} said that guys like me were ”in what we call the reality-based community,” which he defined as people who ”believe that solutions emerge from your judicious study of discernible reality.” I nodded and murmured something about enlightenment principles and empiricism.He cut me off. ”That’s not the way the world really works anymore,” he continued. ”We’re an empire now, and when we act, we create our own reality. And while you’re studying that reality — judiciously, as you will — we’ll act again, creating other new realities, which you can study too, and that’s how things will sort out. We’re history’s actors . . . and you, all of you, will be left to just study what we do.”— Karl Rove, as quoted in “Faith, Certainty and the Presidency of George W. Bush” by Ron Suskind, New York Times Magazine, 17 October 2004
(5) Some in the major news media see the story
.
Some journalists mix a few skeptical notes to the song played by the government and their journalist supporters. New articles after December 23 appear at this post.
- “Sony Hackers Snooped for Months, Then Planted 10-Minute Time Bomb“, Bloomberg, 18 December 2014 — Focuses on the largest fact inconsistent with the FBI’s story.
- “Think North Korea hacked Sony? Think about this“, PC World, 18 December 2014.
- “What is FBI evidence for North Korea hack attack?“, BBC, 19 December 2014 — They agree with a point Marc Rogers makes above (3.a.7): “{T}he attack being attributed to a nation state rather than an independent hacking group is the one glimmer of good news for Sony.” They quote him: “If it is a nation state people shrug their shoulders and say that they couldn’t have stopped it. It lets a lot of people off the hook.”
- “Security experts: FBI report light on evidence linking North Korea to Sony hack“, Christian Science Monitor, 19 December 2014 — “The FBI statement that linked the Sony hack to North Korea relied on previously released and inconclusive evidence, said many cybersecurity insiders.”
- “These experts still don’t buy the FBI claim that North Korea hacked Sony“, Los Angeles Times, 21 December 2014.
- “Did North Korea Really Attack Sony?“, Bruce Schneier (CTO, security firm CO3), The Atlantic, 22 December 2014 — “It’s too early to take the U.S. government at its word”. The reasoning at the end by Allan Friedman (GW U’s Cyber Security Research Institute) makes zero sense (accusing the wrong party does not “serve as a warning to others that they will get caught if they try something like this.”)
- “Was North Korea behind the Sony hack? Not all experts agree.“, Christian Science Monitor, 22 December 2014 — “Some cyber specialists aren’t convinced that North Korea was the culprit. One critic calls the the FBI’s evidence ‘weak’ and ‘at best, speculation.’ Others back the FBI claims.” Pro-FBI article pretending to be skeptical.
- “These Cybersecurity Experts Still Don’t Think North Korea Hacked Sony“, Buzzfeed, 22 December 2014 — “BuzzFeed News talks to cybersleuths who remain unconvinced of the FBI’s assertion that North Korea was behind the hack.”
This isn’t from a major publication, but still interesting. Good analysis but the title doesn’t match the text: “The Moral of Sony? Stop Doing Attribution“, The Security Ledger, 19 December 2014.
Here’s a fascinating dissection of an early New York Times story about the hack, by the pseudonymous “Jericho”: “Anatomy of a NYT Piece on the Sony Hack and Attribution“, 19 December 2014. It shows the skill journalists use to create the shiny narratives that package information for us.
(6) For More Information
.
(a) Other posts in this series:
- Another day, another campaign of fearmongering in America: North Korea’s cyberattack on Sony., 18 December 2014
- The FBI told their story about North Korea attacking Sony. Before we retaliate, read what they didn’t tell you., 20 December 2014
- Why do we believe, when the government lies to us so often? When we change, the government also will change., 22 December 2014
- See how the news shapes our beliefs about the North Korea hack, 23 December 2014
- Marcus Ranum explains a major challenge of cyberwar: About Attribution (identifying your attacker).
(b) All posts about cyberwar, cybercrime, and cyberterrorism.
(c) Posts about propaganda and information operations run against us. Never forget or forgive, just learn from this history.
- Successful propaganda as a characteristic of 21st century America, 1 February 2010
- A note about practical propaganda, 22 March 2010
- Our leaders have made a discovery of the sort that changes the destiny of nations, 15 September 2010
- The easy way to rule: leading a weak people by feeding them disinformation, 13 April 2011
- Our minds are addled, the result of skillful and expensive propaganda, 28 December 2011
- Understanding our political system: the how-to guide by its builders, 7 October 2012
- We can see our true selves in the propaganda used against us, 14 May 2013
- A nation lit only by propaganda, 3 June 2013
- The secret, simple tool that persuades Americans. That molds our opinions., 24 July 2013
- We live in an age of ignorance, but can decide to fix this – today, 15 April 2014
.
Geen opmerkingen:
Een reactie posten