Whose Hack Is It Anyway?

It’s pretty clear that the Sony Pictures hack was neither an act of war or particularly belligerent. As Marc Rogers of CloudFlare and DEF CON notes, finding out who performed a hack, even one as ham-handed as this one, is difficult. Hackers with any sense use proxies and attack soft targets. But once they’ve attacked and dumped their goods, it becomes nearly impossible to follow them back to their dens, whether that is in Atlanta or Pyongyang. Rogers writes:

Digital forensics is nothing like what you see on TV – on so-called cyber-CSI shows, the investigator types in a few magical keystrokes and evidence comes flooding out of the completely unlocked computer. A few more keystrokes and a magical graphical app “backtraces” the perp all the way to his house switching on his webcam and locking his bedroom door.The reality is far less sexy.

In short, no one, not even the FBI, can know who did this.

What do I think happened? I think some lulzsec-style hackers found a way into Sony Pictures. They stole gigabytes of data over a long period of time and decided to embarrass Sony Pictures, presumably because they could. As the chunks came out, Snowden-style, they realized they had a lulz goldmine. The news media was eating this garbage up, ourselves included. What exciting news! Angelina Jolie! Some crappy Candy Land movie remake! Hollywood petulance writ large! Variety probably had it’s biggest traffic month in its history simply based on “reporting” culled from email.

Despite the Snowden-style leaks, these documents aren’t particularly exciting or important. In fact, as we learned from a Sony employee, Sony was all but begging for a penetration test. Their infrastructure was apparently years out of date and any IT department that actively allows all of its email to be sucked out of various servers is an IT department that’s out to lunch. The FBI blaming this on a nefarious enemy far away is excellent Christmas gift for Sony Pictures C-level staff.

After the leaks grew in popularity the ancillary issues suddenly popped up – “911 style” bomb threats, attacks on PSN, and general panic – the need to pin this on a culprit grew greater. The hackers, for lulz, claimed to be North Korean. Many security experts have already debunked that theory. In short, this is a game of “hey guyz, lets hack Sony” gone horribly right. Everything the hackers wanted – fun, attention, and effervescent trolling – came true. It’s like an pyromaniac lighting a pile of leaves on fire and burning down a neighborhood. The glee – and damage – is complete and terrible.

Hacks are rarely as exciting as they appear in Sony Pictures films. There are no multiple-monitored workstations where Hugh Jackman breaks cryptographic codes while being pneumatically serviced. In fact, most hacks are nameless, faceless, and seemingly victimless. They happen in the shadows, performed by folks who want to experiment or steal. That these quiet hackers struck a cultural nerve was sheer dumb luck and they are milking our gullibility all the way to the proverbial bank. If we discover, however, that North Korea does have a hacking arm so culturally savvy as to understand the import of emails between spoiled movie producers then perhaps we’ve considerably underestimated the hermit kingdom. I doubt it.