Monday, January 05, 2015
He's So Ronery
"Data made flesh in the mazes of the black market."
~ William Gibson, Neuromancer
Sometime last September, to add to what was already a fairly stressful month, I received a text message from my bank inquiring about some charges that had been made to my credit card. Once I got on the phone with a representative, I was asked if I had spent a few thousand dollars the previous evening at a nightclub in Sofia, Bulgaria. I told them that I hadn't, and that I was furthermore upset that I hadn't even been invited. Two large dropped in a dump like Sofia – it must have been quite the party. The bank made me whole again, but I was left to wonder, like so many other people these days, about the inscrutable question of how my card had been procured and deployed with all the instantaneity allowed by today's global flow of money and data – concepts that are becoming increasingly interchangeable or even undifferentiated. In all likelihood, neither I nor the bank will ever know what happened, and the event was written off simply as a cost of doing business.
This event reproduced itself more recently on a much larger scale. What has become known as the "Sony Hack" is continuing to reverberate across several worlds: computer security, entertainment and even foreign policy, to name a few. Much of the conversation seems to be concerned with the whodunit aspect of things: Who could possibly have had the skills and chutzpah required to not only spirit away approximately 100 terabytes of information of every stripe from underneath the multinational's nose, but then also proceeded to wipe much of the data from the network itself? Even though the breach was noticed on November 24th, it's a good bet that Sony itself still hasn't assessed the full extent of the damage. While things are nowhere near to shaking out, let's consider some of the consequences that have so far followed the smashing of this particular piñata.
Fast forward about, umm, fifteen minutes after November 24th, and we already had our culprit, which could be no one other than North Korea (I guess Iran got a bye because we need them right now in order to fight Islamic State). I find it challenging to believe North Korea was involved. Eleven years ago, Kim père didn't seem quite so phased the last time a Hollywood satire "took him out" – is it possible that Kim fils is such a thin-skinned grasshopper?
Seriously, though, a good reason to be wary of the whodunit parlor game is the sheer paucity of real information. As with Edward Snowden's NSA leaks, we only know what has been released so far, the odd communications of the hackers responsible, and, to a much lesser degree, what has been divulged by those directly affected (for a fairly disinterested view, check out Bruce Schneier's postings, especially here and here; the mark of a true authority is the ability to remain undecided). Without a doubt, it's been a feast for anyone interested in anything that Sony Pictures produces, or the position that it generally occupies in our culture. For one thing, the leaks have provided a delightful opportunity for tut-tutting the casual racism, sexism, ageism and general backstabbing that still seems to constitute the lingua franca of the entertainment industry – and probably many other industries, were their kimonos to be opened as well. And however the hack was conducted, corporate infosec has yet again been revealed as the emperor with no clothes. Given the breaches we have experienced in the past few years (for example, 70 million credit cards stolen from Target almost precisely a year earlier), this comes as no real surprise, either.
What's more interesting are the consequences for US and North Korean gameplay. This event has provided exactly the right fuel for the brinksmanship that both sides have excelled at for decades. Even if the DPRK had little or no hand in the hack, the US gets to tighten the screws with additional sanctions, this time attempting to target the country's (admittedly very real) cyberwarfare capabilities. For its part, the North Korean propaganda machine will scale fresh heights of shrillness and maybe fire another missile or two into the sea, giving it a higher ledge from which the international community will eventually have to talk it down with concessions. Kim Jong-Un now has even more and better reasons to consolidate power. Also, the DPRK's offer of a joint investigation into the actual culprits, which the US was bound to turn down, was pretty clever. Everyone gets to pull a few treats from the piñata once it's been cracked. It's easy to imagine Kim Jong-Un popping up a fresh batch of popcorn in his underground lair and kicking back to the movie that's now unfolding.
Which brings us to the elephant in the room, also known as "The Interview". We, or at least some of us, have been put in the awfully strange position of striking a blow for freedom by watching a Seth Rogen movie. As is well known, the Guardians of Peace (the group taking responsibility for the hack, not to be confused with the Burundian militia of the same name, although that would set a new bar for globalization) made enough threats that the film was initially pulled from theaters. The ensuing "free speech" backlash saw criticism from President Obama all the way to feel-good author and astute businessman Paolo Coelho, who bizarrely offered to buy the distribution rights for $100,000. The film was subsequently set up for online distribution, then gingerly released through a few independents and small chains. This led to the next unanticipated consequence: we suddenly had a real-world case study for digital distribution of first-run films.
As Paul Tassi correctly noted, this was far from a perfect case, since the release was, to put it mildly, chaotic. Nevertheless, marketers will be reading these tea leaves carefully. 2014 ended with box office receipt down 5.3% from the previous year, and studios will be redoubling their efforts to make sense of the continuing fragmentation of the distribution and payment landscape. If "The Interview" is the canary in the coal mine, the outlook isn't good. Budgeted at $44m, as of Tassi's December 29th article it had only take in $15m in online revenue, and by January 4th it had taken in almost $5m in physical box office sales.
Given that the film had the sort of PR any flack would give a right arm for, why such a poor showing? Let's not forget that while some of us outsmarted the terrorists by streaming the film in our homes, others perhaps took the whole striking-a-blow-for-freedom concept a bit too far, since almost as many people illegally downloaded the film. Had the film gone into wide release on Christmas Day, as was originally intended, Tassi quotes source that believe it would have made its entire budget back in the first weekend. A $7 streaming rental – even less, if split among a roomful of friends – is not going to do a declining industry any favors. The model is clearly in need of further tweaking.
So who should we be listening to as we attempt to disentagle the mess that is the Sony hack? To me, one of the main assumptions that requires unpacking is the idea that there must be a single group behind this, motivated by a single purpose. There is an astonishing menagerie of actors within hacking culture who opportunistically form temporary, anonymous groups for the achievement of some more-or-less identifiable goal. Even Anonymous – perhaps the best-known of these – could not resist getting a piece of the action, as per the below message posted on PasteBin on December 19th:
We know that Mr. Paulo Coelho has offered Sony Entertainment a sum of $100,000 for the rights of the movie; where he shall then be able to upload the movie onto BitTorrent. Obviously, you shall not be responding to his generous offer - so please respond to ours with a public conference, we wish to offer you a deal... Release "The Interview" as planned, or we shall carry out as many hacks as we are capable of to both Sony Entertainment, and yourself. Obviously, this document was only created by a group of 25-30 Anons, but there are more of us on the internet than you can possibly imagine.
What's a poor CEO to do? One group of hackers breaks the piñata open while another demands that you go about your business like an honorable corporation. In an age where we are way past the idea of accountability, there really isn't pleasing everyone, or anyone, any longer. (A further irony is that PasteBin was one of the anonymous sites where the Guardians originally dumped the contents of C-suite mailboxes, payroll lists and other goodies. There is no technology whose blade cuts only one way.)
We have to begin from a different point of view – that of the forces arrayed against the information systems of any organization. These systems are constantly being prodded and jerked around from the outside by anyone with an internet connection and the ability to fill in a website name. And because you have to trust your employees somewhat, these same systems are always already compromised from the inside. A group on the outside may have the expertise but only idle malice in mind, while a disgruntled insider might have the motivation, but lack the tools to do truly widespread damage. Even if the two manage to find one another, the coherence of the act is still disputable. In a very real sense, it is only the act of observing the event that allows for this probabilistic wave function of motivation to collapse into a stable agenda. Given the current lack of information, it is easy to forget that we are just reflecting back to ourselves the narratives that we have already accepted, eg: North Korea is bad; hackers are terrorists; employees cannot be trusted. Whichever one you believe in the most is your explanation to the Sony hack.
I came to this conclusion after reading some analyses performed by infosec firms, Since their bread and butter is protecting corporations like Sony from just these sorts of situations, they have rushed in to make sense of the situation. With the FBI tight-lipped about what they know, these players are one of the only sources of – if not accurate then at least interesting – third-party information concerning the hack. And since their business depends on their credibility, they are perhaps the least incentivized to sensationalism.
Curiously, I cannot find a single infosec firm that pegs North Korea, certainly not directly. These firms' knowledge of hacking tools and culture makes it clear that malware, techniques and virtual points of reference like IP addresses are often and easily traded, imitated or faked. This of course does not completely discount the idea of DPRK involvement, but it makes proving it much more difficult. Hence the argument for an opportunistic alliance. One of them, Norse, has been developing the disgruntled-insider theory:
At the center of Norse's findings is Lena, a woman who had worked for Sony for 10 years in a senior technical position until she was laid off in May during a corporate restructuring. "Lena had the technical knowledge to facilitate the type of attack Sony had, which is why… she remains a person of interest," Norse's Stammberger says. "There are other individuals as well. There's a pretty short list of specific individuals, and we know their names, addresses, and nationalities. They seem to have some connection to this incident."
If accurate, "Lena" might be the closest thing to a smoking gun that anyone will be able to find. Norse briefed the FBI for three hours last week on their findings, but the agency remained mum on what they know. Nevertheless, it is worthwhile to look at the agency's exact words: "The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment." Crucially, this does not mean that they participated in the hacking of the network, from the inside or the outside. In fact, if you were to go to PasteBin and download some Sony executive's emails and then delete them, you could be accused of exactly the same thing.
Could it be that the entire foreign policy kerfuffle is based on an ill-considered or, worse, opportunistic reading of what the FBI said? Or is the agency providing the White House with a face-saving out if it is revealed that the DPRK was hardly involved? These are difficult questions that may never be wholly resolved. But in the meantime, no matter who swung the bat, there's plenty of candy for all the kids, so why ruin a good thing while you've got it?
As for that night club in Sofia where my credit card got taken for a wild ride, I did a little extra research. I found out from friends of friends that it's a small place that, more likely than not, is used as a money-laundering front. It turns out that the party I imagined – sleazy Eastern European gangsters in track suits, snorting coke off of strippers' fake boobs – never happened. How disappointingly appropriate.
Posted by Misha Lepetic at 12:45 AM | Permalink