by zaroth 4195 days ago
Sony CEO Michael Lynton says Sony still wants The Interview to be seen and is considering their options. Those include DVD and Blu-ray home video, YouTube, VOD, and other digital platforms but “there has not been one major VOD distributor, one major e-commerce site that has stepped forward and said they are willing to distribute this movie for us.” [1]

Hackers to Sony: We'll stand down if you never release the movie.... "Now we want you never let the movie released, distributed or leaked in any form of, for instance, DVD or piracy. And we want everything related to the movie, including its trailers, as well as its full version down from any website hosting them immediately." [They] warn the studio executives that, "we still have your private and sensitive data" and claim that they will "ensure the security of your data unless you make additional trouble." [2]

Imagine Sony putting it on BitTorrent with a pre-roll asking viewers to donate money to a charity of their choice through a micro-site they setup to track how much has been given. Or something.... This is actually a moment in history where Sony could truly shine.

But back in reality, whatever is in those held-back stolen docs, they probably need time to prepare for the fallout. If they can stall the remaining doc release by stalling the movie release, they can buy themselves some time. In the meantime, the audience for the film is growing daily, but I think will peak and fall if they wait too long.

[1] - http://deadline.com/2014/12/sony-president-obama-the-intervi...

[2] - http://money.cnn.com/2014/12/19/media/insde-sony-hack-interv...

5 comments

Sony owns several digital release platforms.

If they want this movie out, they could make it happen tomorrow.

This is just PR speak. They might cave and release anyway, but Lynton's statement is deliberately weak and duplicitous, once again attempting to deflect all blame from themselves rather than admit to any mistake on their part.

I'm not sure they are in complete control, although it's a great image of master manipulation to imagine they are. I'm waiting until I really understand the whole story to start assigning any blame.

I'm more interested at this point in figuring out what this means for the future. Do we live in a world now where state-actors will target specific companies and basically try to rip them to shreds and extort them? Now I'm supposed to personally defend my company and my network against state-sponsored targeted persistent threats?

It should be possible to lock down individual machines which aren't ever supposed to be networked. That's hard enough. I'm personally of the belief that any networked device is ultimately hack-able up to the physical constraints of the network. It's all about how much it will cost an attacker to gain access, and how much they can steal once they get it.

If governments start routinely sponsoring these attacks, I'm very concerned the cost-levels we impose today are 5 - 6 orders of magnitude too low, and the network bandwidth 5 - 6 orders of magnitude too high, to deter these types of attack.

The state has targeted lots of private companies for decades, offering the advice to American companies as a competitive advantage.

This is different from states trying to explicitly destroy another company, but the bottom line is the same: you need to include state actors in your list of potentially hostile attackers, same as any black hat.

For probably most nations the "state-actors" part is irrelevant as they have no magic hacking method not afforded to anyone else. The exceptions are nations host to companies that supply hardware and software to be backdoored.

This whole thing has been blown out of proportion.

The thing is that from what I can tell this attack is not even in the same order of magnitude as the state sponsored attacks you are referring to.

I haven't found a good write up on the attack, however my understanding is it was mainly due to Sony's lack of security and not the prowess of the hackers.

This was something like SQL Injection and non password protected excel files with employees social security numbers. The state-sponsored APTs you are talking about are hundreds of millions of dollars worth of custom software engineering.

However I agree with your general premise that another government essentially blackmailing one of our private companies is worrying.

Whatever else there is one thing I'm sure of: we won't let any facts get in the way of Cybergeddon 15.
I'm assuming there's all sorts of dirt in that stolen data. Whoever has it, has Sony by the balls.

I'm not blaming Sony for bad security, because as was stated elsewhere, spear-phishing of IT admins is incredibly hard to protect against. However, depending on how bad the dirt is (and every big corporation probably has a bunch of rather smelly skeletons in the closet), some of that blame may lie with Sony. But if that is so, getting hacked just means they didn't get away with whatever incriminating stuff is in that data.

> "Sony owns several digital release platforms."

Which ones?

PSN for starters.
And Crackle.
I was thinking the same thing. While I don't believe it is well known, Crackle is available to most platforms.
If they released it today on that platform, it would be well known in a matter of hours.
I don't know much about PSN but is it restricted to Playstation owners?
PSN is just the Playstation-targeted wing of their Sony Entertainment Network, which is cross platform: https://en.wikipedia.org/wiki/Sony_Entertainment_Network

They have the means and the platform. Blaming it on others when they have their own internal platforms is blatant blame-shifting and nothing more.

Are those platforms able to withstand the traffic and interest that an event like this will trigger?
I heard a Sony executive on NPR today say "If and when this movie is released... Let me stop, when this movie is released..." Sony Pictures clearly intends for the film to be seen, but they need a distribution partner.
I'd interpret that exactly to the opposite: They're not sure if they're going to release it, but they want to put on a brave face and say that they will.

In reality, they're probably all scared shitless. If all of their employees' personal info has been compromised as reported, I can understand that they'd be worried about the possibility of someone getting hurt. Even a minor, harmless event could lead to bad press. Of course, no one believes that NK actually has the ability to inflict physical harm outside of their own country, but I can understand the Sony executives' hesitance to put that to the test.

> Of course, no one believes that NK actually has the ability to inflict physical harm outside of their own country

I wish. They're definitely capable of inflicting physical harm outside of NK. Just the first link that comes to my mind that has already been shared here:

http://www.gq.com/news-politics/newsmakers/201306/kim-jong-i...

It's not so unusual for a Korean to be in Japan, and NK can surely provide falsified documents to "prove" their agent is actually from SK (NK and SK, aside from minor differences, even speak the same language, so how would you tell them apart?)

Granted, their ability to move in the US might be severely smaller than their ability to move inside Japan. But you only need a person or two with a handgun to scare the living hell out of the media/country/people who worry about such things.

North Korean and South Korean dialects are very different, but you are correct in that they are adept at sneaking agents into Japan. But they threatened "9/11 style" attacks on movie theaters, of which they are certainly not capable, especially if the movie goes straight to VOD.

I think there's an argument going on between Sony Pictures and Sony Japan over the release, and that right now everyone is sitting on their hands waiting to see how the U.S. government responds. But since there are already screener copies out there, I would put money on the movie seeing the light of day.

Why doesn't 2600 defuse the threat by hacking the hackers? I realize this is just a publicity stunt for them, but if they're serious about demonstrating that not all hackers are evil, as they say, then they could try to substantiate the other group's claim regarding Sony's data. It would be a pretty good stunt à la Sneakers if they did.
Doesn't the assumption that the movie release even matters assume North Korean culpability in the attack (debated in other threads?)

If NK is not responsible, it really doesn't matter whether the movie is released. In this scenario, the hackers could easily leak the movie themselves under someone else's guise, providing an excellent excuse to continue their campaign of pure damage toward Sony Pictures. (Assuming they even bother.)

No, it assumes that the persons behind the attack care whether or not the movie is released.

While you wouldn't think so, the North Korean regime does actually have (a few) supporters outside of North Korea. There is always someone who wants to believe that all the bad stuff is invented by regime opponents, regardless of which regime you're talking about.

I don't think so. There have been explicit threats against the cinemas if it's released. As such, it's pretty much incumbent on the U.S. gov and Sony to assume it's a terrorist threat and act accordingly.

That's somewhat orthogonal to whether or not NK is behind it but the possibility of a nation state being involved must affect their calculations.

If all it takes is anonymous vague threats on the Internet to stifle free speech, then we may as well just give that right up. We no longer deserve it.
It's time we all realize that we are all responsible for where exactly "reality" is at. I'll pay them 1BTC if they let this happen... https://twitter.com/hansent/status/546273749163466753

> "Now we want you never let the movie released, distributed or leaked in any form of, for instance, DVD or piracy. And we want everything related to the movie, including its trailers, as well as its full version down from any website hosting them immediately."

If only we had passed SOPA and CISPA, we'd be so much safer right now.

If anything I think this shows how poorly the US Gov is prepared for cyber-warfare. The last decade was no cake walk, but the next decade will truly be eye opening.

The FBI told Sony they didn't know if the theaters were safe. Seriously, WTF are we paying them for if they can't tell us, with absolute certainty, that our theaters are safe from terrorist attacks on Christmas. That's not very comforting...

So what I'm hearing is, we have no confidence in our national defense, and no ability to prevent, mitigate, or even simply deter these increasingly brutal cyber-attacks... Yeah, actually the last thing I'm worried about right now is CISPA. Like it or not, network defense just became a national security prerogative.

OK, so that's the counter-argument right? So this has been very well played and I don't see how you derail it now.

> The FBI told Sony they didn't know if the theaters were safe. Seriously, WTF are we paying them for if they can't tell us, with absolute certainty, that our theaters are safe from terrorist attacks on Christmas.

Are you kidding me? You expect that if the FBI can't say with absolute certainty that all 40K screens in the US are absolutely safe from terrorist attack on Christmas that they've somehow failed us?

They'd have failed us if they could state that with certainty, IMO. Because either they don't know what certainty means, or they'd have frivolously wasted such a massive amount of money securing a soft and nearly useless target. What's next? Food courts? Mall parking lots?

Society simply cannot afford to provide absolute certainty, nor would I want to live in a world where that was the goal. Imagine the surveillance effort and intrusion into your personal life that would be needed to prevent you from carrying out an attack at a time and place of your choosing that the media would call terrorism. Now multiply that by 300 million people. You'd likely need over half of the population to be trusted and in law enforcement and you still wouldn't have certainty...

You're right. The bit about 'absolute certainty' was hyperbolic on my part. How about this, though:

You think it's too much to ask for the FBI to be able to stand up and say that this particular threat of violence, which feels like little more than chest-pounding script kiddies, is not credible?

My initial reaction was the physical threat was little more than a joke. The FBI and Homeland Security do need to be able to give proper guidance on credible and non-credible threats, and I think in this case in particular, it's a good example of something which I really would have hoped they could have explicitly labeled as non-credible.

Or to state it another way, if the accepted reaction is that we actually have to treat threats like this as credible, if attackers start spamming these threats are we just supposed to shut it all down?

What companies are looking for is a liability shield, and a public reassurance that they can use as a backstop for disregarding the threat. Otherwise they have no choice but to cave-in. So I think we depend on the FBI in specifically these cases to provide that level of assurance.

DHS has stated that they do not believe these to be "credible threats."
I somewhat feel for many of the theater owners in this case. After the Dark Knight, some tried to sue the theater because they "didn't prevent it" from happening, or something like that. The theater's defense was that they had no prior knowledge. With our litigious nature here in the US, having a vague threat that the theater might be attacked, they could lose that defense.

I agree with your premise though: there is no possible way for society to have absolute certainty of the validity of something so vague as the threats issued. To cave to those demands is absurd.

(full disclosure: I work for a company that owns a large number of theater screens, though not within that department. These are my personal views.)

> "...what are we paying them for..."

This is an argument that frustrates me. I don't mean to directly imply that parent feels this way, but there is this idea that our government can provide true assurances of our safety. But in a free society (or any) that's just not true.

This idea isn't helped at all by the government pushing that they can, if we just hand over one more freedom, or give up one more bit of privacy.

There is nothing that can guarantee safety from violence. Nothing. The FBI, NSA, etc., when not spying on us for no reason, do seem to keep us safer than we might be without a degree of diligence. Police forces do seem to, in general, care for public safety. But of course the FBI can't guarantee that tens of thousands of theaters are completely safe from violence - and to think otherwise is to be permanently afraid, and to always be looking to Big Brother to assuage your fear.

http://www.vice.com/read/fearing-fear-itself-666

I agree, I went too far with 'absolute certainty'. I think a better way to reason about what are we paying them for is my response to @sokoloff above.
Ehhh I'm not sure I agree. I think Cyber-warfare could be called "silent War", or at least "War with a lag". It's certainly possible, given what we know re Snowden about the capabilities of the NSA et al, that we've responded already and we haven't (or won't) see the results, at least not in the near term and probably not as spectacular as a successful Drone strike on a military compound.

Having spent time deployed, I think a lot of Americans might be conditioned to seeing immediate(ish) responses to threats via Drones, SEAL team 6, Ranger Regiment, whatever. The nature, and future, of Cyberwar is something that's fundamentally different from what we've seen broadcast on CNN over the last 13 (soon to be 14...15...) years. A response to North Korea (though I'm not truly convinced that they're the lone perpetrators) might not be something that pops up in The Situation Room with Wolf Blitzer or trends on Twitter.

"Administration officials said President Obama’s national security team is considering a range of options to retaliate against those responsible for the cyberattack on the movie studio" [1]

I agree it's very early days. I think what I'm fixating on is that we now live in a world where the US government needs to formulate a response to a business hacking. I mean, not a civil but actual military response.

I think this is a reality that even the Top 1% of commercial networks are simply not prepared for. There won't be any lag when more crucial services come under attack.

White House homeland security and counterterrorism adviser Lisa Monaco: As the volume, frequency and intensity of cyberthreats increase, Monaco’s biggest fear is intrusive threats turning destructive. She called cyber “one of the gravest national and economic security threats we face.” [2]

[1] - http://www.washingtontimes.com/news/2014/dec/18/white-house-...

[2] - http://www.fedtechmagazine.com/article/2014/12/white-house-w...

I think that attacking businesses and commercial services is fundamentally different from attacking, say, the DOD intranet. But these are philosophical discussions that the American public (not to mention, ugh, Congress) hasn't really thought through critically. It's so difficult to articulate what an appropriate "military" response could/should be. Should we simply reinforce our Cyber defensive capabilities and not respond at all offensively? If the North Korean military (I want to deliberately draw the distinction here between the people of North Korea and the North Korean Regime) launched a physical attack against a US commercial interest how would we respond? I doubt it would be a huge investment in star wars missile defense tech.

So I guess to touch back on the parent thread, it's not that we're not capable of responding...it's that we haven't invested the intellectual capital to formulate what an appropriate response should be.

Completely agree. "Hasn't really thought through critically" is quite possibly the kindest way to phrase it.

@logn mentioned rallying around this like we did Apollo. It's a grand idea, but I can't say I have any hope that will be the chosen approach.

A big military response would just escalate this whole issue and probably encourage more of the same. I don't like how everything gets framed as a military problem these days. I hope that this incident only inspires new standards for business and new shared goals for engineering. We could approach this like the Apollo landing or the cure for cancer and hopefully not like the War on Terror.
An attack, a malicious attack by a state actor, is an attack, cyber or otherwise. What if they hacked a hospital and somehow shut down life support systems? There's little moral difference from sending soldiers into the hospital. Whether we like it being framed militarily or not, this IS a military issue (if it's a state actor), as that's the point of the military: to defend life, liberty and property.

However, that being said, this whole situation feels like a false flag to me, so I would suggest a highly considered response. If it is, in fact, NK, then a military response is appropriate -- sanctions haven't done a damned thing ever. I am not suggesting carpet bombing the country, but certainly there must be real consequences -- otherwise what's the disincentive to do it again?

However, I must reiterate, this smells like a wag the dog or a Gulf of Tonkin type situation. So I honestly feel like the best response now is no response until there is more information. Ultimately though, it's potentially a disgruntled employee, in which case it's a criminal matter as opposed to a national security one.
>hopefully not like the War on Terror.

Oh, it's coming. The drumbeat has started and harrowing possibilities are being offered. The media will be in full panic mode and billions of dollars in contracts will be awarded soon enough.

There's too much money to be made to resist treating it like the "War on ____".

The notion that a computer hacking threat and the threat of physical harm are somehow in the same ballpark is completely without merit and absurd. There's not the slightest evidence that the hackers could physically harm someone beyond the capabilities that any person in this world possesses.

Further the actual damage in this case is quite minor. Some of Sony's private business dealings were made public and some employees were embarrassed, but what other harm could you possibly see? Businesses have been online for 10-15 years now and computer security has improved dramatically over that time. We're not in any new era of capability, though with the amount of hysteria over this we may be in a new one mentally.

The only real threat is in our government marching towards totalitarianism by enacting invasive laws and spying on its populace in bulk. Unwarranted fear like yours is what enables that.

I'm sure this will be the argument in Congress for 2015.

I think these attacks could be reduced by holding companies financially responsible. First, insurers shouldn't be allowed to exclude terrorist attacks in their policies. Second, forcing arbitration or excluding class-action should be unenforceable in a contract. Third, we could establish clearer standards for what constitutes negligence in IT.

edit: And this might be a good time to discuss making software engineers actual licensed professionals and forcing companies to use them.

It's hard to grapple with, but our systems--our entire network infrastructure--are simply not designed to withstand these types of attacks. It's very safe to assume that you literally cannot protect yourself from this kind of network intrusion. I know it's fun to rail on Sony, and surely they didn't make the hackers' job particularly difficult, but victim blaming isn't useful.

I think it's likely that the fallout from this breach will cost Sony hundreds of millions of dollars. It's almost an existential crisis, the amount of damage this hack has done. The information disclosure was complete. The hackers took a scorched-earth policy on the way out. They got hit mind-blowingly hard. I do have sympathy with the house of pain they are in, and I don't think they need any more financial incentive than what they are already looking square in the face.

I don't think the story here is about negligence in IT. Even Google has been hacked very badly in its time. There are two kinds of companies, the ones who have been publicly hacked, and the ones that just haven't discovered it yet.

The real story here is we are seeing an escalation in cyber-warfare. This is not "hacking" in any sense. This is extortion, humiliation, and subjugation. It's very sad to watch.

> The FBI told Sony they didn't know if the theaters were safe. Seriously, WTF are we paying them for if they can't tell us, with absolute certainty, that our theaters are safe from terrorist attacks on Christmas. That's not very comforting...

uhhh terrorist attacks and terrorism are, by definition, "not very comforting" and in many ways are impossible to stop, thus the word "terror" that is used so prominently in their constructions.