xnull1guest's comments
xnull1guest | 11 years ago | on: N.S.A. Tapped into North Korean Networks Before Sony Attack, Officials Say
That said, one can apply an Occam's calculus using whatever information and reasoning you do trust. I personally trust that, whoever the #GOP was, they were motivated by SONY's role in developing "the movie of terrorism". This seems to me to be consistent with what the group published and with their 'Christmas surprise' showing collaboration between the State Department and SONY on the development of the movie related to its diplomatic value - something I don't think the NSA or allies would do. So I think the group had NK sympathies in mind. Granted, this doesn't rule out attribution to other states or hacktivists who hold these sympathies.
xnull1guest | 11 years ago | on: “It shall be unlawful for any person to manufacture..encryption products” (1997)
In your haste I'm afraid you may have drafted a response that is not on the topic of its parent, though this is okay since it appears the conversation found a natural and agreeable conclusion.
xnull1guest | 11 years ago | on: N.S.A. Tapped into North Korean Networks Before Sony Attack, Officials Say
Norms are important because they are precursors to law (in this case international law). Norms create ground upon which a country can accuse another, a ground upon which you can achieve consensus among many parties, and norms set expectations of behavior that if loosely followed every country can benefit from.
xnull1guest | 11 years ago | on: N.S.A. Tapped into North Korean Networks Before Sony Attack, Officials Say
An addendum here regarding 'free speech'. There is some question about The Interview being a propaganda effort on behalf of the US State Department (which was given a preview as early as July) since #GOP released emails where CEO Lynton discusses the effects of the ending with RAND Corporation strategist and nuclear deterrence specialist Bruce Bennett and Lynton confirmed analysis of its effectiveness with Senior State Department officials. (It also doesn't help that the script writer was asked specifically to consider changing his character from an anonymous leader of NK to Kim Jong-Un).
xnull1guest | 11 years ago | on: N.S.A. Tapped into North Korean Networks Before Sony Attack, Officials Say
I think the biggest splash this article may have is added narrative supporting the truthiness of USG attribution to NK - something that seems to be held in high doubt by a large percentage of the technical crowd (but that I think seems pretty reasonable).
xnull1guest | 11 years ago | on: N.S.A. Tapped into North Korean Networks Before Sony Attack, Officials Say
Regarding encryption bans I've mostly seen justification referencing the Charlie Hebdo attacks (which are assuredly not a false flag).
Personally I believe that North Korean sympathizers were behind the SONY attacks given a number of pieces of evidence, but most heavily the #GOP leaks of emails detailing SONY collaboration with the US State Department and RAND Corporation that point toward The Interview being a strategic diplomacy product.
xnull1guest | 11 years ago | on: N.S.A. Tapped into North Korean Networks Before Sony Attack, Officials Say
What's interesting is what information the New York Times includes that is not covered in the NSA document, presumably from unidentified officials and former officials.
The document on Der Spiegel speaks primarily about taking copies of intelligence from SK hacking efforts against NK and also taking copies of intelligence from NK hacking efforts that had in turn been hacked by SK (and in turn by NSA - "fifth party collection").
The document mentions the NSA's unwillingness to rely on intelligence filtered through so many third parties and its efforts to establish its own foothold.
Essentially none of the article is backed by the document as a first source and must have come from the unnamed sources.
xnull1guest | 11 years ago | on: “It shall be unlawful for any person to manufacture..encryption products” (1997)
> there is no encryption for there to be escrowed for large or critical parts of the infrastructure
That is to say that TLAs get access to records before encryption is ever applied to them (I would tend to agree with this) thus obviating the need for escrow. Laws requiring key escrow, then, become red herrings to the larger discussion about the legality of access.
I personally would classify 'partnerships' under extralegal pressure. Under this interpretation you do seem to agree with the GP comment - though I would understand if one were to argue that for some important semantic reason I asked the question with the wrong word. I would probably agree that 'partnerships' are only a strict subset and not synonyms for extralegal pressure.
It does appear that there are partnerships with some digital corporations and that PRISM is a program for corporations that resist 'partnered' access to records. Given the history of telecoms and their development of partnerships, current development of partnerships in our industry and known applications of extralegal pressure in our industry, we ought to be especially watchful.
xnull1guest | 11 years ago | on: Don't Make Visitors Make Accounts
* It's a single place for a compromise to occur - the devastation of a serious identity provider hack completely upends the security of huge swaths of the internet in a single shot
* Breaks in fedauth protocols and implementations, similarly, present a large auth crisis for the entire Web
* It's a single place for legal or extralegal pressure for governments to access services and data on behalf of everyone
* It creates market friction. If federated login had been around in large numbers when Myspace was the big social platform we'd still be using Myspace for the sheer reason we need it to vouch for our identity. It makes the big fedauth players 'too important to fail'
One should consider options carefully and determine whether a good user experience can be offered without further centralizing the Web.
xnull1guest | 11 years ago | on: John McAfee: 'I know who hacked Sony Pictures – and it wasn't North Korea'
- The malware used was nearly identical to that used by the Iranian group who attacked the Aramco oil company in Saudi Arabia in 2012.
- Linguistic analysis of the communications by #GOP suggests a native Russian author.
- SONY had given the US State Department a preview of The Interview in July 2014 (after the Mundt-Smith anti-propaganda law was immolated) and SONY was contracting with RAND Corporation specialist Bruce Bennett, a specialist on nuclear deterrence (NK is a nuclear state) and North Korea.
- Leaked emails with Bennett have him discussing the effectiveness of the movie to cause instability in North Korea.
Now McAfee is claiming the group had anti-trust motivations?
The SONY hack gets more and more interesting.
xnull1guest | 11 years ago | on: Obama Sides with Cameron in Encryption Fight
Oh he knows. Lip service to the public about terrorism is just that.
> Is anyone going to attempt to argue that encryption facilitates more fraud than it prevents?
No idea.
Keeping things on topic, financial fraud, insider trading, etc. is an example where strong encryption does complicate the state's ability to enforce and investigate illegal activity. The purpose here is to draw from a well of motivation other than the oft-cited but never-seen use of encryption in 'terrorism'.
The government's fear is that ubiquitous access to these tools will deprecate the executive branch. All tools from nuclear enrichment to hammers to animal husbandry have noble and malicious potential. Encryption is no different. The executive branch's job is to allow the noble purposes and to discourage, prevent, investigate and indict the malicious.
From the perspective of the executive, encryption presents a serious hurdle to the pursuit of the malicious.
Yet disagreements between the public and the executive about the scope and breadth of executive practices, along with the US incarceration rate, legal exceptionality of the rich and powerful, and general unease with current power structure coupled with traditional mythical US values means that the public would like guarantees about their ability to communicate without being searched.
The US public wants its cake and to eat it too. Secure and private communication for the masses that can not be intercepted. But it wants the executive branch to be able to enforce the law and to investigate broadly.
The executive branch has made many proposals to this middle ground: the clipper chip and key escrow, proliferation of weak cryptography and the use of third party doctrine as a buffer zone mechanism all represent compromises the executive branch has made.
What it comes down to is that the US public does not trust the executive branch not to abuse a middle ground - it points to historical and current examples of extralegal abuse - and in general feels that its government represents their interests but only after compromises with other 'more important' interests (international and domestic elite).
That is to say that the current state of "front door" encryption is a compromise made by the executive but one that the public does not trust.
Yet the public still wants law enforcement to be able to investigate insider trading.
So the government is in a bind. The government is justified to the people by its ability to enforce the laws of the land - if it can't, even for technical reasons - it will have difficulty seeming justified. The government's solution is to invoke the boogieman. 'Terrorists' will get you if we don't compromise. 'Pedophiles' will get your kids if we don't compromise.
But no, it's not about terrorism - it's that the government does not know how it will be able to stand up to proper strong cryptography in the case of true and perceived malicious use.
Freedom is like a dove, yadda yadda.
Encryption is like osteoporosis.
> Right. I find it hard to believe that Obama and Cameron are going to take away our encryption and someone convince our adversaries to abide by those rules.
Entirely. Historically this has been achieved by subversion of cryptographic methods, consumer products and standards and misinformation about security margins. It has made legitimate strong cryptography hard to come by but not specifically illegal. It is likely to become more and more difficult to perform this sort of influence now that the cat is out of the bag.
xnull1guest | 11 years ago | on: New Snowden Docs Indicate Scope of NSA Preparations for Cyber Battle
I would guess that it is a combination of:
- A deemphasis of poetry and literary studies in the concept of being educated and cultured
- The rise of writing staff and PR professionals in the practice of engaging with the public
- The relative lack of importance writing has today compared to newer picture and video delivery (media is message, etc)
- Inherited nostalgia for forms associated with 'classic' art styles
xnull1guest | 11 years ago | on: Obama Sides with Cameron in Encryption Fight
Remember that Julius Caesar famously sought to make pen and paper illegal because he saw such low barriers to fast potentially secret communication a threat to Rome's security.
I know of no case reasonably called terrorism where encryption played a role in thwarting intelligence efforts.
> I suppose if we make it illegal, the terrorists will just have to make do with weak encryption.
When encryption is outlawed, only outlaws will have encryption.
xnull1guest | 11 years ago | on: New Revelations U.S. Tracked Americans’ Calls for Over a Decade
https://en.wikipedia.org/wiki/United_States_and_state-sponso...
xnull1guest | 11 years ago | on: People Can Be Convinced They Committed a Crime That Never Happened
I have a hard time blaming the victim of a cyber attack that would have been practically impossible to prevent. I agree that SONY made bad decisions with regard to its hoarding of unnecessary data, but also recognize that this is hardly unique to SONY and not standard advice given by security professionals (it should be).
Norms are important so that you can accuse 'groups with no morals or ethics' of doing something wrong. Norms may only discourage and not prevent behavior but without norms it's difficult to find common ground for behavior that may otherwise be chalked up to 'culture' or 'tradition' or 'nature'.