Tag Archives: society

The Scary Thing About the Sony Incident Isn’t North Korea

By now, almost everyone is familiar with the attack on Sony and the fallout that ensued over the Christmas holidays. The data exfiltrated from Sony’s digital coffers included all sorts of intriguing tidbits to keep drama flowing over the holidays, such as: studio execs’ hatred for Adam Sandler, allegations of abuse on the set of American Hustle, possible racism towards Denzel Washington (who they can continue casting as much as they like as far as I am concerned), and George Clooney not actually being a cyber security expert, but playing one on TV.

With this kind of dirt kicked up in the wake of the Sony attack, it would be easy to think this attack to be the work of an overzealous fan of TMZ rather than that of a hostile nation that enjoys threatening the United States with nuclear holocaust on a semi-regular basis and whose usual work looks more like this. Indeed, it would be tempting to think the Sony attack more along the lines of digital mischief than international espionage, until the apparent motivation of the attack became seemingly clear: stopping the release of the Sony film The Interview.

The Interview, as most know, is a fairly juvenile film sporting lack-luster reviews (53% on Rotten Tomatoes) in which the CIA approaches two reporters to assassinate Kim Jong-un. One can see in the Google search trend graphs that, when compared to other Christmas release films, The Interview was not faring well even after the initial data loss; search interest was flat when compared to interest in Unbroken and in last year’s The Wolf of Wall Street. Thanks to the Sony cyber attack coupled with “terrorist threats” against theaters, release cancellation, and finally a selected release in mostly smaller theaters, The Interview went from a film that seemed to be dead on arrival to a film that not only had a pulse, but in which there was actually a fair amount of interest.

Now, I am not willing to go so far as to suggest that the Sony attack was a planned public relations stunt, as has been suggested by many. Make no mistake, Sony has suffered as a result of the data that has been leaked. Some of that has been in the form of lost or diminished value of intellectual property (specifically related to pre-release films that were stolen and posted online). Other losses cannot be quantified, particularly those with respect to the lost good-will in working relationships that comes with the airing of dirty laundry. Though the PR stunt theory is intriguing, I cannot see Sony going that far simply to save one floundering film; it would be the Hollywood version of cutting off the nose to spite the face.

Nevertheless, this creates a context in which it becomes easy to see potential motive for other parties to be involved, and in which others may have more to gain from Sony’s embarrassment than North Korea. This seems to be bolstered by the fact that many in the security community are seeing evidence that the exfiltration of data may have been an inside job. Bruce Schneier has a good article sifting through some of the various viewpoints, as well as a previous article discussing some of the possible attribution scenarios, for those who are interested in delving further. The technical details of who attacked Sony are really beyond the scope of my concern at the moment.

The primary fact of interest is that despite the FBI’s continued insistence that North Korea is directly responsible for the Sony attack, many very capable members of the information security community are not so convinced (including this shredding of the FBI’s initial statement). Put another way, we have a very big problem with attribution. We think we know that North Korea is responsible, but do we really trust the FBI’s determination, both in light of previous intelligence failures in recent American history and in the face of so much skepticism from within the information security community?

This might not be such a big deal… yet.

President Obama, despite some rather harsh rhetoric, has been pretty emphatic that (assuming you buy the North Korean involvement in the first place) this is not an “act of war,” but instead an act of “cyber-vandalism.” This, I believe, is the most alarming thing about the Sony attack and its attribution to North Korea, whether right or wrong. We are now making judgments about whether or not cyber attacks on corporations constitute acts of war.

Fortunately, the President’s position on this question seems to be reasonable, but there are two things to consider. First, the next attack may not be so easy to dismiss. A major cyber-attack on military systems, some government systems, and possibly some civilian infrastructure (like power generation) could create legitimate pretext to launch military operations in real life. Second, the political environment changes, and the next President of the United States might have a lower threshold for what constitutes an “act of war.”

It may well turn out that North Korea is indeed responsible for the attacks on Sony. Then again, it may turn out that North Korea is a scapegoat and that The Interview has been nothing more than a red herring for garden-variety cyber-punks.

What is certain is that we really don’t know who is responsible, and with the rhetoric swirling around the Sony attack, that is a scary thing. Not so much because the rhetoric is dangerous in this particular case; North Korea and the U.S. are both given to hyperbole when addressing one another. No, what is scary is that we seem to lack the ability to identify cyber-attackers with a high degree of certainty, and eventually this will be a problem when the inevitable day comes that Americans are gearing up for a war that began with a digital Pearl Harbor. When that day comes (and it will), we have a responsibility to be certain we are gearing up for war against the correct guilty party. Proper attribution becomes imperative when the stakes are nothing short of war.

Featured Image: Collage of American and North Korean flags (Wikimedia Commons) and Promotional Artwork for The Interview (Copyright, Sony Pictures; use believed to fall under Fair Use Doctrine).

Twitter Snooping and the Ethics of “Opting”

I was reading an article on Naked Security earlier about updates Twitter is making to its mobile applications, on various platforms, that might be alarming to some people, depending on just how much personal data you’re comfortable having mined by social media companies.

Apparently, Twitter is preparing to roll out “app graph,” their term for what is essentially a list of all of the applications installed on your mobile device. “App graph,” according to Twitter, is intended to provide additional data to “deliver tailored content that you might be interested in.” Reading between the lines, that means refining targeted advertising in Twitter.

One might be tempted to ask why targeted ads are critical to Twitter, and the answer, quite simply, comes down to a matter of cash.

More specifically, it has proven difficult for Twitter to monetize 140-character messages, particularly in the face of less-than-expected user demand. This reality becomes evident in Twitter’s quarterly financial statements, which show large GAAP losses despite increased revenue. For example, in 2014 Twitter has posted losses ($132 million in Q1, $145 million in Q2, and $175 million in Q3) that have sent TWTR south from a 52-week high of $74.73 to a Dec 2 close of $38.91 (that’s nearly a $23 billion loss in market capitalization).

Twitter clearly needs to turn around its losses, and it has two ways to do that. The first option is to increase the size of its user base, and App Graph may be somewhat helpful on that front by improving Twitter’s out-of-the-box experience, but that approach has limits. The second way is to take a page from Google’s playbook and focus on increasing the reliability of its targeted advertising (hence raising its value). App Graph seems to be an attempt at laying the groundwork for option two.

I go to the pains of pointing all of this out to drive home the point that, in the digital world, privacy is intrinsically linked to a company’s financial performance (and this isn’t just true for Twitter), and it can be tempting for corporations to abuse the privileged trust that users bestow upon them.

I’m not saying that’s the case with Twitter. In fairness, Twitter indicates in their support document that App Graph will provide a notification to users when the feature goes active, so it isn’t as if Twitter is completely “putting one over” on its users (at least if the feature works as described).

I do think it is a good time to start asking ourselves about the ethics of the industry’s current “opt-out” model for introducing new features that may potentially share private data. Where is the proverbial line in the sand?