Not only does this pdf contain zero information, there is no reason for it to be in PDF format.
I have to imagine that the few people who voted it up thus far did so while avoiding actually loading a PDF, but assuming that it has some substance: I mean...it's a PDF. Surely it must be full of rich graphics and charts, right? Nope, several paragraphs of text.
This is standard for cryptome. Honestly I don't know why they do it that way. I do not think there is a good reason. It might be because they don't want content crawled or something (does that reason even make sense - probably not...)
The PDF however, contains a bunch of information. I would read what it links to.
As peeters said, most organizations rely upon the historical volume of emails to operate effectively. This isn't a simple solution.
Add that a narrative around this story is that the hackers "spear phished" an IT admin. This is incredibly difficult to defend against for any organization (seriously -- for all of the browbeating against Sony on here -- it's all so simple -- I would argue that there are zero organizations that would withstand a concerted, targeted attack. Most would fall in a day). Not only did they purportedly co-opt a privileged account, they then sat on it for months.
Over months they could have changed policies, retrieved backups, and on and on.
When blaming Sony, everyone needs to remember that Snowden, a Dell contractor working at the NSA with limited access, took the King's Ransom from what is assumed to be the pinnacle of computer security and awareness.
...who are pandering to a crowd, and based upon essentially no information at all, but just the same sort of "I think" gut feeling notions that we see on HN. While there should always be questions about government honesty, it's rather incredible how far people will reach to find to clutch onto something that backs whatever their initial knee-jerk opinion was, seen throughout the comments here.
Quite a few comments are among the "they're making this up to go to war", which is simply incredible: Are people so far out of the loop on world players or current events? The US in no universe will launch a military action against a rogue, shells-pointed-at-Seoul, nuclear armed nation because they hacked Sony. That premise alone is simply absurd.
Is the US trying to isolate North Korea? They're already completely isolated. I mean...do people understand the situation North Korea is in, and the complete lack of tools to deal with this? The US gains literally nothing pointing the finger at North Korea.
It wins a few more points in the "you need to give up more of your privacy so we can protect you" campaign when we could be talking about "nation-state cyber-war" rather than a "Target-like hack" by hackers nobody knows or cares about. North Korea is an "iconic enemy" people can rally against.
They gain HEAPS pointing at North Korea. They can say that it shows the threat that the US has from other countries on a hacking front, and that they need more funding around a cyber defense initiative. IT can't be - oh anonymous (or some group like them) since no one will take it as seriously.
They want to point at a country that will say "damn straight we did it" even if they didn't (North Korea is perfect!)
No matter what you believe, some group just caused massive damage to Sony. If the US was looking to justify "cyber defense" spending, how would a rogue group not be a bigger threat? A rogue group better fits the terrorism narrative that has justified much of the last decade's military and intelligence spending. You're reaching.
China is busy providing all that justification, which is why Cybersecurity is getting massive military investment already. Sony being hacked is nothing, in terms of national security, compared to what China is getting up to.
They can say that it shows the threat that the US has from other countries on a hacking front
There have been attacks on the US government IT infrastructure. Stolen designs and files from military contractors. Attacks on energy and distribution systems. Attacks on the banking system.
On the grand hierarchy of attacks, this is really, really low. I mean, given the severity and regularity of attacks against things that really, really matter, no the US certainly didn't need this to justify anything. The concern is very real, and significantly more important than some Sony Entertainment emails or movie leaks.
The US in no universe will launch a military action against a rogue, shells-pointed-at-Seoul, nuclear armed nation because they hacked Sony. That premise alone is simply absurd.
I agree that it is absurd, but Washington seems to be talking up that premise.
Obama Vows a Response To Cyberattack on Sony
WASHINGTON — President Obama said on Friday that the United States “will respond proportionally” against North Korea for its destructive cyberattacks on Sony Pictures, but he criticized the Hollywood studio for giving in to intimidation when it withdrew “The Interview,” the satirical movie that provoked the attacks, before it opened.
Deliberately avoiding specific discussion of what kind of steps he was planning against the reclusive nuclear-armed state, Mr. Obama said that the response would come “in a place and time and manner that we choose.” Speaking at a White House news conference before leaving for Hawaii for a two-week vacation, he said American officials “have been working up a range of options” that he said have not yet been presented to him.
One thing I would like to know, is if this whole thing was perpetrated by the North Korean state because of the potential offence to North Korea from showing their leader being killed, why has the scene of their leader being killed been leaked by the hackers and is now posted all over reddit? That really makes very little sense.
Military action is not the only form of proportionate response. The US has been involved in sanctions based diplomacy against NK for years now around the nuclear programme. The State Department aren't idiots, any form of military action against the North runs the risk of full scale war breaking out.
It conditions the population against North Korea. Not saying that that's what's happening right now, but it's kind of our MO. We target a specific place for ulterior motives, generate public animosity among our population of morons who couldn't find X country on a map if their lives depended on it, then we put on the squeeze in order to illicit a reaction, and then when a certain action happens we can manufacture into an excuse for military action, we take military action. And then we proclaim how innocent and unwillingly we were dragged into something we had been gunning for even before the last war we were engaged in was over.
What would the ulterior motive be for taking on the cost of a war against NK? They have little to no oil or other super-valuable commodities as far as I know, so there's little financial motive. They're a risk to their neighbors but are not a credible global threat, and they're less likely to attack the U.S. than more dangerous and ideologically fervent enemies like ISIS.
They're more of an annoyance than anything else. The strategy so far seems to have been to wait it out and hope their crazy cult-regime finally collapses. I don't see any reason anyone would want to expedite this unless they thought there was a clear and present danger of NK escalating in both belligerence and power in the near future. I can imagine the former, but not the latter.
The value of NK isn't anything internally intrinsic; the main reason it has "survived" with its current and past leadership is that it is a buffer between the "West" and China. And previously it was seen as a buffer between Japan (and also the US) and Russia; Stalin was the one who authorised the Soviet invasion of Manchuria in the very last days of WWII. Russia's leadership at the time remembered Russia loss of face (and territory) to Japan in 1905; remind you of current day invasions and annexations with ruminations of nationalism?
The Korean War was in many ways similar to a "more power" version of Ukraine today.
NK may be a sideshow as far as a lot of interested parties are concerned. The benefit (if you can call it that) is that the presently-tapering security contractor gravy train gets a new shot in the arm, the Feds have a chance to set up "partnership" agreements with any number of tech firms that they just alienated during the NSA fiasco, and a much higher level of generalized network surveillance becomes a thing that plenty of companies start thinking they want.
I obviously don't know the story behind this. The point is, there are plenty of opportunistic and self-serving domestic interests who probably don't either but can nevertheless turn this hack into a very beneficial event, regardless of who did it. From their perspective, NK being the source is actually the best-case scenario.
Punishing defiance can be an ulterior motive. When the mafia send someone in to break the shopkeepers fingers they often risk their guy getting arrested, etc. losing more than the shopkeeper is worth. They still go through with it because that shop isn't the only thing in the balance, it's about keeping all the other shops scared and maintaining "credibility." You can hear war mongering politicians talk about "credibility" and "credible threat of force" all the time.
It would drain China's resources and focus, Russia's for that matter too. But, again, I said that I don't think that's what's happening with NK. NK is even too much of a pandora's box of crazy that I think will only be set off as a last ditch effort against, mainly, China. I see it as kind of a bomb that is surgically attached to China, which we can somewhat easily figure out how to set off if we so desire.
Drug running, counterfeit currency production, kidnapping foreign citizens, nuclear testing and producing nuclear capable missiles and testing them in provocative ways.
Plus their prison camp system, internal mass famines, brutal authoritarian dictatorship.
If they are wrong, then they take a hit to their credibility. The Republican Party would pounce on this and never let up. It would not look good in the public eye if the government's cybersecurity apparatus – which the president just spent the past year and a half defending – fingered the wrong country behind an attack.
Not true. Can you imagine the economic impact if this stands as a case study on how lax security standards could be at large, trusted private institutions? That all it takes is one pissed-off employee with a cursory background in computer security to cause billions of dollars in damages and rampant fear?
It's much easier to address public fears with an easy scapegoat than to owe up to the overall frailty of network-driven industry. Could you imagine the cost of creating "the TSA of networks belonging to important private entities?"
Part of me does wonder whether we're headed in that direction. See: Rainbow's End, by Vernor Vinge.
What is the equilibrium in a world where state funded actors can anonymously attack major companies / infrastructure components? I am not convinced that is possible for a Sony to secure itself to such a level that it will not be vulnerable to attacks by state actors.
That's exactly the issue. There are lots of people who can imagine that. They can also imagine corporate boards having a much harder time saying no to them in an environment that the Feds have described as dangerous. If nothing else, not (literally) buying into the scare opens companies to even more expensive liability.
oh if it were Russia I am quite sure the current Administration would waste no time exposing them. The level of disrespect shown towards with both official and unofficial comments borders on undiplomatic by most counts.
It matters little because the big issue here is that a group of cyber terrorists have effectively shut down a major corporation and most western countries are just standing by. if that is not green lighting future copy catting nothing I don't know what is.
The President should screen the film at the White House and allow it to be distributed to the armed forces
...who are pandering to a crowd, and based upon essentially no information at all
References?
What I remember is a well-argued article pointing to many parts of the hack that would seem to disqualify North Korea - for example the use of a (South) Korean language locale which North Koreans would in fact not normally be able or likely to use, broken English with little relation to how North Koreans would speak, etc.
Now, North Korean could be making a careful effort to impersonate Western hackers making a crude effort to impersonate North Koreans. But that's kind of reaching and there's a bit more than no evidence.
"What I remember is a well-argued article pointing to many parts of the hack that would seem to disqualify North Korea"
That article was a classic case of "assume the end result, and then make everything you've heard...including indirect, second-hand rumors, fit the mold you've set". You probably saw that "analysis" on here, and it was quite soundly destroyed as being largely ignorant.
Further the whole "that bad English doesn't fit how I think bad English should look" is...well it's preposterous. The article also uses a ridiculous email exchange which could be anyone as proof -- again, fitting the mold.
There is literally nothing in that, beyond some person's subjective take on how a person might mangle English (this is one of those classic claims that assumes some grand conspiracy...but that the conspirators were too dumb to get the basic stuff right), that is based upon legitimate analysis.
We're gradually seeing HN comments on world events veer into conspiro/4chan /pol/ territory. It's sad but I think inevitable with anonymous discussions.
Most posters on hackers news, it seems, rejected the idea that the Sony hack was done by North Korea or any easily determined actor.
The US government now has an official conspiracy, that the attack was the work of the government of North Korea. Just because that is conspiracy theory doesn't make it wrong but I and many people still doubt it.
You are replying to an attack on the common dubiousness of many hn posters to the North Korea theory. The attack seems to involve the idea that doubting the US government conspiracy theory has to be, itself, some other kind of more dubious conspiracy theory, when it is actually the belief that there's no evidence in that direction and plenty of evidence away from that direction.
literally nobody has said that, all that most people have said is that if you're going to accuse another nation of an act of "cyberwar" at least provide proof. Is that too much to ask?
"Opportunities to get backing for war are rare, and so there is good reason to think that the government would try to capitalize on them."..."USS Maine, anyone?"..."Queue an invasion of North Korea."
Literally quite literally doesn't mean what you apparently think it means.
And the general conspiratorial narrative is that the US is trying to blame a blameless North Korea to achieve...something. Not sure what.
"And the general conspiratorial narrative is that the US is trying to blame a blameless North Korea to achieve...something. Not sure what."
To assume the US Government's PR team won't use anything/everything to reinforce, reiterate or bolster it's own agenda is just idiocy. There are far too many examples throughout history where it has.
Whether or not that means that this investigation is a farce, is another question.
My hangup here is that the DPRK historically provides absolutely no shortage of excuses for the US to grandstand, but with the occasional exception of them shelling some South Korean island or kidnappings a tourist, they are usually (publically) ignored. Niche news websites about North Korea will talk about the crap they do or say weekly, but you usually only see US government officials and mainsteam US media piping up once or twice a year.
Its not like the US has to manufacturer an excuse to complain about them. There is an abundance of genuine North Korean antics to choose from if they want to.
> The US gains literally nothing pointing the finger at North Korea.
The US gains quite a lot by pointing fingers at a bad guy. This bad guy happens to be North Korea. Anything just to keep the public distracted and the media happy to report something else but CIA torture.
"The US in no universe will launch a military action against a rogue, shells-pointed-at-Seoul, nuclear armed nation because they hacked Sony."
Is that your gut feeling? :p I understand it's backed by strong arguments but so were (some) security professionals opinion. They might give updates after the FBI's communiqué and are aware of the limitations of their argumentation. That being said I do share your opinion on the matter...
EDIT: elaborating...
EDIT 2: Not sure why I'm getting downvoted. No matter how much I believe US won't go to war there is always a possibility I could be proven wrong. I don't think security professionals analysis was based on "no information at all" (think things we know about North Korea), no more than the analysis we have about US not going to war.
(I guess to add on to yours and the previous posters' comments...)
Even if it wasn't North Korea, the U.S. still gains nothing from this except for maybe making NK look even worse.
And the U.S. might make some stupid political decisions, but there's a difference "ill advised" decision and a flat-out stupid decision. Going to war with NK would mean South Korea getting attacked by NK. Would the U.S. risk that?
I honestly do not think so, because it'd signal the end of the U.S.' diminishing credibility in the global sphere. Nobody wants to be friends with a country who'd willingly throw a friend under the bus simply because another country (which has very few friends) hacked into one of millions of corporations in said country.
If the U.S. and USSR could go years without nuking each other, I believe the U.S. has enough restraint to not launch (enough of) an attack on NK that would provoke a NK response towards their southern neighbors.
In fact, if anything, the following quote indicates an insider is just as likely to be the source
The common narrative in discounting any involvement of North Korea is that they're too famished and uneducated to perform such an operation. Your angle is that the attack isn't sophisticated enough?
The evolving story is that a single IT worker with significant right grants was targeted by the group, and once that single user was exploited, their privileges were used to compromise the network. If you have the privileges of a superuser, your attack doesn't need to be sophisticated.
And ultimately this is exactly how I would expect these sort of attacks to go, especially when hitting targets in free and open nations. Why go through the trouble and effort of trying to winnow in from the outside when you can just exploit the kink or vulnerabilities of individual people -- who you can now discover via LinkedIn -- and then work your magic from the "inside". Sending out a group policy to disable all security software is a couple of lines. This "virus" seemed to be a simple efficiency measure, as with those rights they could do pretty much everything, though mass malice would probably be too labor intensive minus some helpful tools.
The defense against this is of course that even admins should have limits on their access and flags on their activities. Of course, the admins are the ones who normally implement this, so...
Most people I've seen question the North Korea angle absolutely acknowledge that they have the capability to do things like this. They usually argue that this does not fit the style and MO of a state sponsored attack, that The Interview was never mentioned by the hackers until after the media starting running with the story, and that there simply isn't enough public evidence to justifiably attribute it yet, among other things.
More importantly, who else could the USG blame? China are somewhat too important a "partner". Venezuela, well Chavez "happened to die". Cuba, friends again. Iran, bringing them slowly in from the cold. Russia, well...
It would have been more convenient for the USG to blame ISIS but nobody would believe that.
I still don't buy the N.Korea angle. They would just love the propaganda. They are quite happy to provoke the US with missile tests publicly, you don't think a hack like this they are going to want to keep quiet?
There is no MO regarding an attack from a country like North Korea. That country says bombastic things with regularity, and has seemingly little concern for blowback. How a country like Israel or the United States might do an attack like this has no relevance to what North Korea might do, whether directly or through a hired proxy.
The Interview was never mentioned by the hackers until after the media starting running with the story
Now again, North Korea's words are kind of cheap, but they were talking about as big as you can get before this hack, and then specifically warned Sony to "obey" them. We have absolutely no idea what communications happened between the group and Sony and then law enforcement, so the whole what the media reported angle seems rather spurious. Sony/Law Enforcement, people who know more than us, seem to believe it was related to the movie.
There is no MO regarding an attack from a country like North Korea.
Actually, there is. They tend to huff and puff about American military exercises that occur in cooperation with the Japanese or the South Koreans, or to complain to the UN about various things (e.g.: the CIA torturing people). But their MO, such as it is, is to complain and threaten, almost exclusively. Occasionally they will perform a missile test that causes concern, but those missiles land in the Sea of Japan or some other body of water, not anywhere that causes actual harm.
No, this goes against the DPRK's MO up until now. If they are responsible then it is a shift in their tactics from "loud and threatening, but basically harmless to other nations", to "actively and publicly committing acts of economic espionage." That would be quite a departure for them.
North Korea is suspected in a number of similar attacks. Because really, what is anyone going to do? Attack them? They have nukes. Isolate them? They can't possible be more isolated. Sanction them?
As an aside, the regular threat of using nuclear weapons is an act of extreme violence, and I doubt North Korea's neighbors treat it so flippantly. The threat is unlikely, but extremely real.
Except when wine tasters can't distinguish between red wine and white wine with food coloring
This oft referenced study took oenology students and asked them to use adjectives to describe the odors of the wine. The only wines tested were white...and white with food coloring. It is unfortunate that red wine wasn't actually tested, as it would provide an interesting contrast, nor was taste actually tested at all. So as is all that you can go on is that given what appears to be a red wine, students who presumably have motives other than being entirely straightforward use red wine-type terminology.
It is an interesting study, but is not quite the trump card that so many think it is.
Further, it's a little silly how people are taking products with minor taste differences (most beers, wines, ryes, etc, are made with almost identical processes, yielding close to identical results), and then presuming to claim that the same applies to things that are dramatically different. That someone couldn't tell the expensive wine from the table wine does not prove that someone can't tell a beef burger from a veggie burger.
I don't personally get the RDS value proposition, but how does it lead to vendor lock-in, much less severe vendor lock-in? I don't believe there is really any lock-in whatsoever -- backup your database and move it wherever you want, whether you're running the pgsql, Mysql, or SQL Server variants of RDS.
While of course you're correct, it's a bit like saying "you can just pack up your code and run it somewhere else". If the entire architecture and workflow are based around proprietary AWS tools (Elastic Beanstalk, Elastic load balancers, RDS, Cloud Formation, autoscaling, etc) even if your code is technically portable, you're still suffering from vendor lock-in. Arguably worse than the bad old days of the Microsoft monopoly.
RDS is just a database though. All the standard tools work with it. Unless you start dipping into more exotic services, it's pretty hard to become locked in. EC2+ELB+RDS are fairly independent. Even autoscaling doesn't lock you in.
That said, CloudFormation, SQS, Kinesis, DynamoDB, etc. are all very sticky services.
Where you see 'vendor lock-in', I see the opportunity to leverage somebody else's engineering talent to solve commodity problems that our customers don't pay for.
That's a bit of an extrapolation though, isn't it? Many people simply run VMs that connects to some arbitrary pgsql instance, which might happen to be on RDS if they want to simplify the management of that.
Those VMs can absolutely run almost anywhere, and they can connect to just about any instance of pgsql. I heavily use many services on AWS, but can quite literally move the entirety of it to my own servers, Google, Azure, or elsewhere in very short notice. People can choose to use some of the more unique services, but that is not related to RDS.
This is a pandering article where someone acts outraged to pander to an audience.
Firstly, "cyberterrorism" has forever been defined as attacks on computer resources, not attacks on people. If a nation state crippled a business to coerce their actions, that is pretty much spot on with the definition of cyberterrorism.
Secondly, who ever said that such a theater attack would have to simultaneously hit 18,000 theaters? The threat seemed to be that any theater could be at risk. I mean, is ten theater attacks okay? Five? Two? One? Sony and theaters are not the US military or the government. They're a risk abatement private enterprise.
This is a terribly weak article. He redefines existing terminology and then strikes down absurd strawmen to get the cheering crowd to nod along.
To suggest otherwise is to imply that US oil companies were deliberately holding back on potential profits by not pumping at full production prior to 2011
Most wells don't run at full capacity, and absolutely alter draw speeds to maximize the life and economics of a well. With the drop in prices many large energy companies with the ability to weather these drops in price will of course turn down the taps, reserving the limited holds of their wells for when the price returns. If you have n barrels of oil in your well, and you're certain the price will return to North of $100, might as well save them for then.
new discoveries and technology breakthroughs related to shale and fracking
Fracking is natural gas. On the shale side, it's worth noting that we've known about shale and how to extract it for many, many decades. The only reason it came into the forefront is that the price of oil on the global market finally made it economical -- shale oil is estimated to cost from $25 - $95 per barrel to extract and process. So the paradox is that the collapse of the world price puts a serious wrench in the shale oil production, which purportedly is the reason for the price of oil.
Most wells don't run at full capacity, and absolutely alter draw speeds to maximize the life and economics of a well.
This is correct, but only to a point. Many producers still lease land for limited timeframes (some of them do have "until we are done" clauses, but this is not the norm in Eagle Ford). If your lease has two years left and you don't expect the price to rebound for 18 months, it's still in your interest to produce NOW, since horizontal drilling (far more expensive than the fracking) is a capital cost you've already paid that you need return on.
No, it's just a third world country, with limited means.
The military budget of North Korea is estimated to be around $10 billion USD. It has a million active troops, 6,600 tanks, 700 MLRS, 460 fighters, and so on.
The country is perilously poor. Many people starve. But the means are there for an operation like this, especially if sponsoring foreign groups, if the motivations allow.
And to counter the growing narrative that the NK thing came out of nowhere as a convenient excuse -- the country was very offended by this movie six months+ ago, long before the hack, to the point of threatening military retaliation if it was released. Engaging in or hiring hacking groups to put the pain to Sony seems entirely within the realm of the possible, though threatening actual terrorism is a bridge too far, and overplayed their hands if they were involved with that.
The budget figure is probably BS. Their whole GDP is about 12 billion USD in toto -- and they give around 10-15% of state expenditure to the military budget (the peak was 30%, according to wikipedia, back in the seventies).
But even that figure ($10b) is comparable to places like The Netherlands, Quatar or Poland (hardly forces to be reckoned with), and 1/3 of what South Korea spends:
All military figures are BS. North Korea has 1,000,000 active member troops. Canada has 68,000 active member troops.
North Korea has more of everything than Canada, including aircraft, boats, and even nuclear weapons.
Canada spends $23 billion per year.
And as to forces hardly to be reckoned with, if you're talking in a convention war with the US or something, sure. To put that into contrast with hacking Sony, though, is utterly ludicrous. The latter could likely be achieved paying a group less than it costs to operate a single fighter aircraft for a year.
While North Korea does have enough capacity for trouble, your figure of "6,600 tanks" etc. should be taken with a big grain of salt. Those tanks are ancient.
And America businesses are believing NK is willing to go to war by attacking Americans on America soil because of a movie?
North Korea has repeatedly threatened nuclear war over the most banal thing. Of course it is usually treated rather lightly, but the country does have nuclear weapons.
I have to imagine that the few people who voted it up thus far did so while avoiding actually loading a PDF, but assuming that it has some substance: I mean...it's a PDF. Surely it must be full of rich graphics and charts, right? Nope, several paragraphs of text.