The GOP hack: making Kim answer for Sony’s 10-year online war


***

Sony Pictures, the White House and the FBI should get a medal for the greatest political marketing triumph of 2014.

After the horror show following the November 24 hack of Sony Pictures by the Guardians of Peace (GOP), America rallied behind Washington’s theory that Sony was the hapless victim of a Cold War cyberattack. Kim is certainly an easy guy to dislike and no friend of the Americans – no friend of anybody but Kim for that matter. (He comes by it legitimately. His dad and predecessor once had an actor hired to play grandpa Kim Il-sung in a movie role, for which the actor underwent plastic surgery to more closely resemble a Kim; once the shoot was over, the actor was shipped off to a concentration camp.)

The triumph of Cold War marketing over any hint of Sony’s bad behavior is all the more remarkable given the nasty quarrels that have embroiled US stakeholders, press and critics of all stripes. Not to mention the fact that as recently as New Year’s Eve, cryptographer Bruce Schneier and others were still casting doubt on the official claim that the hack was carried out by the Kim regime.

_____________________________________________________________________________

Lining up for The Interview as an exercise in patriotism

“The fact that they’re showing this movie shows that America still has a backbone regardless of the critics,” said Jay Killion, a golf pro who caught a screening at Tower City Cinemas in Cleveland.

Once they got tired of being told the studio heads and their A-listers are a bunch of backstabbing egomaniacs, the American public rallied in droves to Washington’s anti-Korean jingoism. By Christmas Day, The Interview could be seen at over 300 US locations and from several online distributors. According to the NY Times, many of the folks who came out for a look were motivated by more than a one-month buildup of curiosity. In fact, whether The Interview was even moderately entertaining was often beside the point:

“As moviegoers lined up at the 331 scrappy, independently owned theaters that played The Interview on Christmas, it was obvious that many, like Ms. Paredes, 28, were there to make a political stand. They turned out in red, white and blue attire. At one theater in California, a ticket taker dressed up as ‘Uncle Sam-ty Claus.’ A manager at Cinema Village in Manhattan introduced the film by reciting ‘America,’ also known as ‘My Country ’Tis of Thee’.”

Whatever you may think of the real movie, it’s hard to imagine even Rogen and Franco concocting a comedy of errors as lurid as what we’ve seen in the past month – not just from Sony Pictures Entertainment (SPE), but the White House, the FBI, the other Hollywood majors, the MPAA, America’s cultural elite and, of course, the media. The narrative threads that have developed in the wake of the attack would make an even more outrageous movie, complete with salacious gossip, moral cowardice, grandstanding, geopolitical tensions, hopeful redemption and sheer stupidity. 


Sony’s network security was laughably incompetent

But for all the rich dialog that has come out of the hack, one thread has been conspicuous by its absence: the role played by Sony’s own behavior in both the November hack and in the long series of battles the company has waged with hackers that began a decade ago. Let’s start by dispensing with any idea that Sony was a hapless victim in the November attack…

“For days the episode was viewed inside Sony as little more than a colossal annoyance.” —NY Times, Dec. 30

It may look all too easy to blame the victim here, especially when there’s so much schadenfreude to be had from the gossipy stories about the punk-ass rich and famous. But from a technical perspective, Sony was very much the author of its own misery. As Bruce Schneier wrote in a blog post on Christmas Eve (Did North Korea Really Attack Sony?):

“The attackers seem to have been good, but no more than that. Sony made its situation worse by having substandard security. [Moreover,] Sony’s reaction has all the markings of a company without any sort of coherent plan. Near as I can tell, every Sony executive is in full panic mode.”

It’s bad enough the studio blew off warnings from its own consultants about vulnerabilities in their firewalls and other devices several months before the November attack. But that wasn’t the half of it. Where did the geniuses running Sony’s network store thousands of the studio’s administrative and personal passwords? In a folder labelled… “Password”! As Buzzfeed reported, the passwords not only had signs pointing to them, in case a hacker was having trouble finding them; the passwords themselves were also an object lesson in how not to mount a good IT defence.


~~~

Valuable lessons about security swallowed by political noise

Whoever was behind the attack, we know the hackers proceeded in two distinct, well-conceived stages. First they busted into Sony’s network and stole 100 terabytes of data (100,000 gigabytes, roughly all the contents of 100 desktop computers). They then did something that showed even more evil genius. The hackers put all those terabytes up on Pastebin and left it to the US news media to do the really dirty work: publishing Sony’s most sensitive, embarrassing information all over the Web.

Instead of questioning whether Sony management had been derelict in exposing so much confidential information, the FBI and the White House went to a great deal of trouble to argue that the perps were sponsored by North Korea. They couldn’t seem to decide whether the hack should be labelled an act of cybervandalism, cyberwar or cyberterrorism, which left President Obama struggling to position the affair in a way that would sway the public’s attention. Yet by December 24, even the NY Times was reporting doubts about the origins of the attack: New Study May Add to Skepticism Among Security Experts That North Korea Was Behind Sony Hack.

Meanwhile, after a few days of hand-wringing over the immediate turmoil, the interested parties couldn’t wait to rip out each other’s throats.

Sony was attacked for withdrawing its movie from circulation by a lot of different parties, including President Obama, who said at his December 19 press conference that Sony had “made a mistake.” Obama blamed Sony not for its negligence over how the hack happened, but for its betrayal of patriotic free expression. The reaction around Hollywood was famously unpleasant, as was the outside commentary. In an unusually acerbic column in the NY Times, media columnist David Carr denounced Sony and the media for their bad behavior, saving his worst for the other studios and the MPAA:

“If you are looking for courage on the lots of Hollywood, probably best to pack a lunch. Other studios were content to watch Sony dangle, saying nothing for fear that they, too, would end up on the Guardians of Peace’s naughty list. The Motion Picture Association of America, which represents the film industry, went into witness protection when the crisis erupted, with a spokeswoman telling Deadline, a trade website, on Dec. 11, ‘We have no comment at this time. We are not involved.’ ”

(I note in passing that the GOP helped confirm an even more obnoxious piece of news about the MPAA, which thinks taking control of the Web and suspending due process would be just fine if that helped in its battle against piracy. I’m referring to the Hollywood plot in the works for over a year to pound an insufficiently deferential Google into legal submission and revive the worst features of the Stop Online Piracy Act at the state level.)

The origins of Sony’s war with the hacking community: the 2005 rootkit scandal

To get a sense of why Sony was to a large degree the author of its own misery, we have to go back to 2005, when Sony’s music business was still run in partnership with BMG.

Sometime in early 2005, Sony Music did something truly outrageous to millions of the CDs on which its own recording artists were distributed. That was the heyday of DRM (digital rights management), when the four major music labels (now three: Sony, Warner and Universal) still thought they could defeat piracy if they put enough kids and grannies in jail.


The rootkit Sony put in millions of CDs was hidden from users and devices, just like the malware used by criminal hackers who steal money and identities

Some sociopath at Sony decided it would be a good idea to infect their CDs with what’s known as a “rootkit.” In plain English, that’s an undisclosed and almost untraceable kind of malware that Sony deliberately intended to load into its customers’ playback devices, including end-user computers. Sony’s engineers designed this rootkit to defeat all attempts to identify and remove it, without any regard for their customers’ welfare – much like the ransomware, keylogging and malvertising software that criminal hackers use to steal money and identities.

Why would one of the big-four music labels do such a thing? Because their executives felt consumers should be required to pay any price in order to save the company’s IP from copying and piracy. The rootkit itself was in fact a kind of wrapper for the DRM software Sony wanted to deploy around the world (known as Extended Copy Protection), but without any public discussion, compromise or reckoning of the third-party costs.

If that sounds a lot like what the MPAA is doing right now in Los Angeles and in statehouses across the US, well, it is. Ruin your computer? Ruin your Internet? Ruin you in court? Sony Music and Sony Pictures belong to the selfsame school of business strategy, in which everybody but them gets to make sacrifices (as the recent hack confirmed, Sony Pictures is working with the MPAA and the other majors on the next secret assault on the open Internet).

The rootkit and copy protection software weren’t all you got if you bought a Sony BMG title (remember this attack was launched against their own paying customers, not pirates). The package also contained a proprietary media player that nobody had asked for. And on top of all that, the rootkit was programmed to contact Sony’s servers with information from the customer’s computer – private data about the customer’s listening habits. Sony’s hacking adventure exposed millions of computers to resource-hoggery and various kinds of online malice.

It’s important to understand that what Sony did was unlawful in many international jurisdictions, including the United States. The company committed a computer crime that put it in good company with the outlaw hackers the world is currently condemning for the November hack. In other words, Sony’s little trick caused damage, not just inconvenience. As one commentator put it in the wake of the recent Sony hack:

“[T]he whole debacle managed to piss off the hacker community. The rootkit scandal is arguably the Big Bang moment for Sony’s cybersecurity troubles. Because once you piss off the hackers, they tend to stay pissed off.”


The rootkit scandal hasn’t slowed down Sony’s stupid behavior

In the decade since the rootkit scandal, Sony has done a very poor job on two fronts: one is developing adequate network security, the other is playing smart with hackers rather than pissing them off.

Sony’s next brawl with the hackers emerged in 2010, when hacking star George “Geohot” Hotz decided to jailbreak Sony’s Playstation 3 platform. The jailbreaking of devices like phones and game consoles is not in itself a malicious act – unlike, say, loading a damaging rootkit surreptitiously into your computer. Jailbreaking is designed to do away with limitations built into an operating system, one of which is to allow DRM to run without interference. Hackers have many different motives for carrying out this kind of reverse engineering, which include getting pissed off when their friends are under attack, as well as reminding content providers that users should be free to use content that is bought and paid for as they see fit.

__________________________________________________________________________

In one 6-month period in 2011, Sony sites and networks were hacked 21 times.

Sony’s legal response to the Geohot Playstation hack, and the related Playstation hacks that followed, was ruthless. In its retaliation, Sony’s lawyers even got a presiding judge to agree that the plaintiff should be given the numeric IP addresses not just of accomplices, but of everyone who had visited Geohot’s website – a piece of punitive overreach that once again kicked up the cycle of hack and counter-attack. It might be nice if those mischievous teenage coders like Geohot just went away. But since they won’t, big corporate targets like Sony have to learn how to deal with them in ways that are not inflammatory or destructive, especially to people who place their trust in them, like retail customers.

Let’s be clear on two things. The first is that Sony has been leaving its worldwide operations exposed for years, with a carefree arrogance that’s hard to understand even from movie and music executives. And second, in doing so, it has exposed many other people to harm and embarrassment in addition to Malibu-dwelling, Maserati-driving media moguls. That number includes millions of subscribers to the Playstation Network, which was hacked again over Christmas, and any other regular citizen who has flipped Sony her credit card information.


It’s difficult to confirm how many times Sony has been hacked in the last 10 years, let alone how many people have suffered because of the company’s ineptness. Sony Pictures and many other divisions have customer-facing websites and retail businesses which store sensitive customer information along with corporate data. SPE, for example, has a public site devoted to its studio tour, which features a series of cheerful vignettes about the studio’s storied past. I assume many curious visitors will now think twice before handing over their deets to Sony so they can see where Dorothy followed the Yellow Brick Road and Spider-Man battled bad guys.

History keeps repeating itself

A LulzSec hack that took place in June 2011 exposed not just login credentials and credit card information, but dates of birth and home addresses as well. It also included important administrative data with passwords. The target of that hack was… Sony Pictures no less! The hack was so easy that LulzSec, out of a twisted sense of trying to get Sony to raise its security standards, left the following message:

“Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

Network security is not a popular topic with anybody outside the security community, whether it’s devising strong personal passwords or hardening protections for thousands of employees on an intranet. Good security is hard work, nerdy and expensive – plus it’s an abstraction no one can see or visualize, like a barbed wire fence. For most people most of the time, it’s a lot more convenient to assume nothing bad will ever happen to them on any network, open or closed. While that may be excusable for individual onliners, not giving a shit is entirely inappropriate behavior for what is currently the world’s highest grossing movie studio.

I hope the class-action suits currently being mooted will lead to some justice for individual employees whose lives have been thrown into turmoil by the reckless behavior of their own Supreme Leaders.

D.E.