Category: Security

Sony Hack Should Give Us Pause

No matter who or what is behind the hack on Sony Pictures, it’s really bad.  The lead theory, though it begs many questions, is that the North Korean government initiated the attack and subsequent mass data dump of sensitive information along with five unreleased feature films.  The rationale I heard proposed this morning on NPR is that the attack might be retaliation against Sony for the premise of a Seth Rogan vehicle called The Interview, in which a pair of hapless reporters who’ve gained access to Kim Jong-un are asked by the CIA to assassinate the North Korean leader.  Not known for their taste in screwball comedy, the North Koreans issued a statement calling the film itself an act of terrorism, and then Sony got hacked.

Some of the data released by the hacker(s) is of dubious value.  Like the email exchange between Sony Pictures co-chairman Amy Pascal and the CEO Kazuo Hirai of Sony Corporation about the manner in which Kim Jong-un’s head is depicted exploding at the end of the film.  The exchange, thanks to Rogen’s responses, is a little bit funny, though I don’t think Sony Corp weighing in on this one project is a particularly intriguing revelation from the leak.  No doubt, the headline is worth a few thousand clicks, so what the hell.

Other data released by the hacker(s) is not so innocuous.  A lot of it was highly sensitive material, including emails, marketing plans, and payment processing information pertaining to both famous and not-so-famous people who have worked for the studio.  According to multiple reports, sensitive information such as social security numbers may have been compromised for individuals who have worked for the studio anytime in the last ten years, thus creating a bait ball that would be attractive to any sharks out there looking for opportunities to conduct identity theft.  And just in time for holiday shopping!

The Sony hack ought to be disconcerting to, well, anybody who has ever worked for any company either as an employee or a contractor.  If that’s not you, no worries. While this attack may indeed have come from North Korea, it as admittedly hard to say whether that scenario is better or worse than if it were committed by an entity like Wikileaks or just some highly-skilled teenager with a random beef against Sony.  It’s a bit like trying to parse the difference between an act of terrorism in the name of Islamic jihad and an act of terrorism in the name of just being the local sociopath. After all, the digital age has spawned quite a few home-grown anarchists who like to arbitrarily vent their self-righteousness on large corporations. They’re smart enough to encode a major security breech, but too stupid to realize they’re jeopardizing the security of regular folks like freelance contractors who’ve done jobs like build sets or haul cables for Sony projects. If this same kind of hack, for instance, had targeted GM, I suspect it would be the lead story on cable news.

What concerns me about this story is that, whether the perpetrator of a hack like this is a rogue state like North Korea or a lone hacktivist, the real casualty of all this remote-control retaliation might be free speech.  Consider this:  the likelihood that any movie producers, especially major ones, are going to produce any films mocking the prophet Mohammed is actually very low.  I’m not saying we’re in need of such a thing, but I bring it up because the calculus applied in considering a lampoon of Mohammed includes serious consideration that one might incite real violence perpetrated by extremists who’ve proven they posses nothing we call humanity.  And that’s not good for free speech in a pure sense, though such assessments are made all the time with regard to potentially hazardous material.  Still, the Sony attack reveals that in our increasingly interconnected world, we are all potentially vulnerable to forces that would silence one form of criticism or another.  After all, it’s almost de rigueur now that if a woman publicly expresses a feminist thought, she’s going to receive death and rape threats through social media; and some of these incidents have included release of information that has led to real-world stalking and physical assaults.

If the investigation proves that Sony’s attacker really was the government of North Korea in retaliation for the film The Interview, that’s a fairly impressive amount of damage being done by an otherwise largely impotent state.  Will it make producers and executives skittish about green-lighting certain material in the future that might garner a similar attack?  If so, where does that logic lead when some of the most skilled code-writers in the world live right here in the U.S., some of them working in very large, very wealthy corporations?  What if Seth Rogen’s next picture shows Mark Zuckerberg’s head exploding?  (Really, Seth, what if?)  Because my personal gut feel is that this was not the work of North Korea but was more likely someone with a personal gripe or a generalized love of vandalism.  Is it farfetched, therefore, to imagine someone within, say, Zuck’s world exposing Rogen and/or his colleagues to a similar retaliatory assault on their privacy and, by extension, their security?  Maybe.  But a great deal of evidence suggests that the moral barriers which prevent people from committing violence or vandalism or classic forms of extortion appear to break down somewhat when the weapons are a keyboard a few lines of code.

The EFF assumes the worst – of everyone else.

“Speaking of shotguns,” a Chilean idom I learned from an old school friend to describe an abrupt change of subject, I came across this article from NBC News about a new report on the Theft of American Intellectual Property, which covers issues to do with serious cyber-espionage threatening both national security and economic interests of the United States.  Apparently, the report raises the prospect of using certain defenses, including watermarking data, tracking unauthorized access, and even “boobytrapping” likely hackers with malware that locks up their computer systems.  I haven’t read the report and am no expert in any of the technological remedies described, but near as I can tell, the story has very little to do with entertainment media producers and the DMCA.  Nevertheless, Corynne McSherry, Intellectual Property Director of the Electronic Frontier Foundation couldn’t resist the opportunity to change the subject and monger a little fear.

Whether the defensive tools mentioned in the article are sound remedies or not for protecting data like military or trade secrets from mostly Chinese hackers seems of little interest to McSherry who prefers to vilify copyright holders and the DMCA.  “The potential for abuse is extraordinary” McSherry says. “The long and shameful history of the Digital Millennium Copyright Act file takedown abuse teaches us that intellectual property owners cannot be trusted with the enforcement tools they already have  we should hardly be giving them new ones.”  The “long and shameful” true history of the DMCA is how utterly useless the mechanism is for rights holders to protect their works.  Many creators have demonstrated over and over again that the DMCA notice and takedown procedure is spitting in the wind for even very large, well-funded producers, and completely hopeless for independent and smaller rights holders.  Meanwhile, it is the industry that funds the EFF, who have made sure that DMCA remains a fly swatter in a storm of raptors.  And that’s bad enough, but to add insult to injury, McSherry sticks this fact in a paper bag and lights in on fire on our doorstep when she says the DMCA has a “history of abuse” by rights holders.  And one reason we can know she’s full of it, is the flimsiness of the cases her own organization chooses to take on as exemplary of this so-called abuse.

As described in this post and in the supporting post from Copyhype, the EFF stands on very shaky ground in its attempt to position a typical DMCA error as willful abuse in the case of Lenz v UMG.  To paraphrase Terry Hart, if there is such rampant abuse, why is this the best case the EFF can produce?  Is it perhaps because the headline “Prince sues grandmother” is too good a rabble-rousing opportunity to pass up?  And while McSherry carelessly lumps all rights holders into a single group and accuses them a priori of abusing tools most of them, like me, have never heard of, the total number of infringements against rights holders at this moment remains in tens of billions per day.

Publicly promoting the assertion that if rights holders had better tools to protect their intellectual property that abuse will naturally increase is insulting, irresponsible, and naive.  For one thing, most rights holders are in the business of doing something like making movies or building new energy systems; and the cost of protecting against attack is just that — a cost and a distraction from the core enterprise. In other words any business from a TV network to a shoe manufacturer wants to spend as little time and money on counter-theft as possible.  It would make just as much sense for McSherry to say that because Macy’s has video cameras throughout the store, false accusations of shoplifting are going to be out of control.

Interestingly enough, there is an omnipresent video case a bit like this in the UK, in which an innocent man, Eoin McKeogh, would like a video removed from YouTube that defames him as a cab fare deadbeat and resulted in the kind of cyber-bullying mob that is SOP at this point. I can’t say I’m surprised that defendants Google & Facebook haven’t voluntarily helped this young man clear his name, and it looks like they will only do so if ordered by the court. It’s almost as though we could say these tech companies’ absolutist defense of their technologies is, I don’t know, like an abuse of this young man’s civil rights or something.  But of course, these are tools, right?

It is the nature of even the best-meaning organizations to occasionally identify somewhat thin evidence of the general problem they’re committed to solving.  But in the relatively short time I have paid attention to the EFF, I find them usually unbalanced and often hysterical. It’s more than okay to raise a yellow flag and ask whether or not a security measure or legal remedy might adversely affect civil liberties? But it is rare that I read anything coming from this organization that has even a hint of the humble inquisitive or an acknowledgment that indeed creative rights holders, let alone other enterprises, have any problems worthy of concern in the digital age. As such, I find McSherry’s ham-handed, opportunistic attack on rights holders more or less business as usual.  The EFF claims to protect our rights in the digital age, but who protects our rights from the digital age?

Sunday Thought Exercise – M.A.D.ness or no?

18th Century German illustration of Moloch.

I know it’s a day to relax, enjoy a late-morning cup of coffee, and perhaps forget about the troubles of the world, so I hope you’ll forgive me for asking you to think about nuclear weapons.  This article from 2009 has stuck with me ever since I first read it.  Not only is it an interesting analysis of global stability vis a vis nuclear proliferation, but it raises a sociological or philosophical question or two.

In short, the fact remains that, while we view atomic weapons as terrible things, no two nuclear-armed countries have ever gone to war, not even conventional war, since the bombings of Hiroshima and Nagasaki. In grade school, we learned the somewhat counter-intuitive concept of Mutually Assured Destruction with regard to the U.S. and the Soviet Union, but as Jonathan Tepperman points out in his article, the principle has worked globally for over sixty years. Rather than support or criticize Tepperman’s article, I find myself asking the science fiction writer’s question.  Assuming we take the oft-used premise of an alien civilization analyzing the human race as a whole, what does this global, atomic stalemate say about us?  Does it imply that we must invent machines that supersede own humanity, even to the extent that we must hold a gun to our own heads to make ourselves behave?  

Why do I ask on this particular blog?  Because the relationship between Man and his machines is part of examining the “digital utopia.” For those who don’t follow these issues, the ideas, politics, and sensibilities of many leaders in Silicon Valley extend way beyond the matter of how to get more gadgets and apps into our hands. As we experience a period of upheaval in many political, economic, and social systems, there is an unmistakably technocratic drumbeat out there to which the next generation is plugged in  and tapping its feet.  This is a subject that will be examined in detail in future posts, but for now I invite your responses to the above question.