Goosebumps: A Scary Sony Story

Can we bring the discussion of the Sony hack back to earth?

It’s a hack.

Somebody hacked into the Sony Pictures Entertainment computer network in Hollywood, and released to the public a treasure trove of confidential information. Everything from embarrassing emails to forthcoming movie scripts was dumped out in public. This is an embarrassment for an international (Japanese-American) media corporation and a bunch of celebrities. It may be a violation of intellectual property rights, and personal privacy rights, and common courtesy. It may be condemnable on any of those grounds. But it is not “terrorism” or “cyberwar.” It’s a hack.

It is, furthermore, a rather ordinary and foreseeable kind of hack, despite the Sony cybersecurity guy’s insistence that: "This attack is unprecedented in nature. …an unparalleled and well planned crime, carried out by an organized group, for which neither [Sony Pictures Entertainment] nor other companies could have been fully prepared,"[1]  To which one security expert, known as "The Grugq," says: “Bullshit.” Malware for such attacks can be purchased on the Internet.  A similar attack struck 30,000 computers at Aramco in Saudi Arabia and at banks and media companies in South Korea. 

In fact, Sony itself had been hacked in 2011, forced to shut down its Online Entertainment and PlayStation Networks for weeks.[2]  In a previous security audit, Jason Spaltro, Sony’s Executive Director of Information Security, was warned about the company’s cyber vulnerabilities, with an emphasis on its lax password practices (simple nouns, passed around in plaintext documents), with the blunt admonition: “If you were a bank, you’d be out of business.” To which Spaltro replied: “If a bank was a Hollywood studio, it would be out of business.”

Nice comeback line for a sitcom character, Jason.  For a bank, a studio, or any other kind of business, not so much.  Spaltro went on, digging himself further into the hole of classic myopic accountancy: “it’s a valid business decision to accept the risk [of a security breach].…I will not invest $10 million to avoid a possible $1 million loss.”[3]  [No, it’s not a line from a screen play, but it’s gonna be. I can’t make this stuff up.]

So, as one independent security researcher points out, Sony’s goal "is to save face, to their investors, to their employees, to their partners. To protect their image, they need this to be an unpreventable, incredibly sophisticated attack." By way of covering its own ass, it’s in Sony’s interest to make this into the work of an international evil genius­, against whose wiles no mere mortal international media-technology conglomerate could possibly have defended itself. It’s not in our interest to buy this crock.

Now it’s true that, like any other hack, this is an event of cyber consequence. It highlights the vulnerability of all the sensitive information that is now automatically and casually stored in cyberspace. It underlines the need for every organization and individual who wants to protect their private data to take much more seriously the need for a strict security and cryptographic protocols. This is, indeed, a new and permanent problem of the cyber world in which we all live, and on which we all depend. This hack demonstrates that Sony Pictures, like many other businesses, did not take that problem seriously enough. Still, in this regard, there is nothing here that is “unprecedented” or “unparalleled,” and certainly nothing that has anything to do with “national security,” or “terrorism” or “warfare” of any kind. 

It’s extortion. It’s sabotage. It’s extortion and it’s sabotage.

Here’s where the story develops from run-of-the-mill cyber criminality into something more nefarious, of greater public interest, and having really nothing to do with the cybersphere.

These hackers are not whistleblowers motivated by their civic duty to expose important information of political consequence to the public.  Here (from Mashable) is the first email, sent on November 21^st to Amy Pascal, Chairman of Sony Pictures Entertainment Motion Pictures Group, which she apparently neglected to read:

We've got great damage by Sony Pictures.

The compensation for it, monetary compensation we want.

Pay the damage, or Sony Pictures will be bombarded as a whole.

You know us very well.

We never wait long.

You'd better behave wisely.

From God'sApstls

At this point, it seems a relatively simple hold-up: Somebody feels that Sony pictures did them wrong, and they’re going to make the company pay—in money. Someone the company “knows very well.” (“Bombard” does not read as referring to actual explosives.)

Sounds like Sony is about to get hit with a ransomware or blackmail attack like that which forced Nokia to pay millions of euros to protect the source code of its mobile operating system—with the twist that these guys seem to have a personal grudge against Sony.[4]  This would be specifically a cyber-blackmail. But no ransom amount is specified.

At any rate, there is not a word in here about The Interview or any other movie, no hint of a demand beyond money, and absolutely nothing to suggest this has anything to do with North Korea or its government.  Indeed, the hackers’ self-identification as “God'sApstls” argues quite strongly against any such connection.

Here’s the hackers’ next message, which popped up on Sony computer screens on November 24^th:  

Hacked By #GOP

Warning:

We’ve already warned you, and this is just a beginning.

We continue till our request be met.

We’ve obtained all your Internal data, Including your secrets and top secret [clip]

If you don’t obey us, we’ll release data shown below to the world.

Determine what will you do till November the 24th, 11:00 PM (GMT).

At this point, the hackers have changed their name from God'sApstls to Guardians of Peace (GOP). They’ve also pasted their message over a graphic that’s the cover art of a children’s book by the very popular American author, R. L. Stine, who’s known as the ”Stephen King of children's literature," and whose best known series is called “Goosebumps.”[5] Still, not a word about The Interview or North Korea.

They continue to refer to unmet demands that have never been specified, but they have already started to post sensitive Sony information. They seem to be moving very quickly into full sabotage mode against Sony, and in the next few weeks they make no serious attempt to arrange a monetary ransom. If they were playing for money, they had the goods, and could have worked, and made out like, the Nokia cyber bandits. Now, however, “Lena,” a self-identified spokesperson for the GOP, contacted the tech press, saying: "I'll tell you this. We don't want money. We want equality. Sony left their doors unlocked, and it bit them. They don't do physical security anymore."

So, they are now the GOP, focusing on “equality,” and indicating they “had physical access to the network in order to accomplish their aims”—as many tech experts suspect.[6]

With all the shifting discourse, still no Interview or North Korea.

At this point, as they rolled out more and more embarrassing Sony documents, the GOP was still in the realm of cyber-extortion/sabotage against a private company. As the plot thickened, of course, they did change the target to The Interview.

As security expert Marc Rogers points out (echoing the observations of Kim Zetter in Wired, among others)[7]:

The attackers only latched onto “The Interview” after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK [North Korea] “might be linked” that suddenly it became linked.

That much is indisputable. Rogers goes on to speculate:

I think the attackers both saw this as an opportunity for “lulz” and as a way to misdirect everyone into thinking it was a nation state. After all, if everyone believes it’s a nation state, then the criminal investigation will likely die.

In fact, someone claiming to represent the GOP contacted Salted Hash, another cyber-security organization, to insist that the GOP is “an international organization …not under direction of any state,” and that:

Our aim is not at the film The Interview as Sony Pictures suggests. But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money.[8]

So The Interview is not the target, it just represents everything that’s wrong (“harming the regional peace and security…for money”) with the target (Sony Pictures), or something like that.

It’s not as if any purported statement or representative of the GOP can be taken at face value. There’s a lot of confusion, or perhaps misdirection, here, and certainly no concern for the hobgoblin of consistency. Because then the GOP, or someone claiming to be the GOP, directly targeted The Interview, making ominous-sounding threats about the “bitter fate” awaiting everyone who sees the movie:

We will clearly show it to you…how bitter fate those who seek fun in terror should be doomed to.
Soon all the world will see what an awful movie Sony Pictures Entertainment has made.
The world will be full of fear.
Remember the 11th of September 2001.
We recommend you to keep yourself distant from the places at that time.
(If your house is nearby, you’d better leave.)[9]

Kind of cagy, this discourse. Can they really not write in coherent English? Is the “bitter fate” for those “who seek fun in terror” (not the GOP) to “see what an awful movie Sony Pictures Entertainment has made,” a movie that will fill the world with fear? Or is the reminder of 9/11, and the warning to keep one’s distance, really an implied threat to blow up theaters? If it’s a joke, it’s a bad one. It would be hard for theater owners to ignore the implied, murderous, threat.

Whoever they are, whatever their intentions, and however shrewd their discourse, with this intervention the hackers did, indeed, move from sabotaging a private media company to sabotaging the public realm of cultural expression. No matter how stupid and objectionable a movie may be, no one should be threatened with physical harm for seeing it. Not funny, not cool, not “lulz.”

What they have also done, however, is to move the game out of the realm of cyberjinx. The hack is a cyber-event; the bomb threat isn’t. This threat has nothing to do with “cyber-warfare” or cyber-anything. It is just a plain old bomb threat. Unlike the data dump, it signifies nothing particularly dangerous about computers or cyberspace or the internet or email. Emailing Sony this message, or posting it on the internet, is no different from calling Sony on the phone and reading the message. It poses exactly the same problem. Anybody—via telephone, text, email, or skywriting—can make a bomb threat.

If it was a bunch of hacktivists who did this, even hacktivists with a grudge against Sony, they should recognize that they abandoned anything having to do with cyber talent when they essentially called up the school the morning of the test with a bomb threat.  For the rest of us, let’s, please, not imagine that making a threat via email means there’s some kind of “unprecedented” evil cyber-danger lurking everywhere that requires a whole new apparatus of policing—i.e., government surveillance and control of the internet. Nobody’s going to blow up the movie theater with a “cyber-bomb.” This has to be evaluated and investigated like any other bomb threat.

Starting with questions like, you know: Is there anyone who poses a serious threat to bomb the school this morning? Or, Are there 18,000 North Korean sleeper cells ready to blow up every movie theater in the US? Is there some reason to place the whole damn country, and everyone’s mind, on a war footing?

The GOP has demonstrated its ability to steal documents from computers; they have demonstrated no talent for building or placing bombs. Someone who had planted a stink bomb in one movie theater, or ten, or 18,000, and then called or emailed Sony threatening to really blow them all up next week would have a lot more credibility in that regard than the GOP has by dumping Amy Pascal’s email. And there would be nothing “cyber” about it.

[UPDATE: As if to emphasize their own flakiness, the GOP has now given Sony permission to release the film—with their specified edits!][10]

We don’t know who did it.

Of course, there’s always a reason to place the whole damn country, and everyone’s mind, on a war footing. In fact, placing the whole damn country on a war footing is the reason, in large part, for the media’s existence.

Thus, North Korea did it.

Do not get me wrong. The horrors of the Korean war and American policies therein and thereafter notwithstanding, the North Korean regime is terrible, and Kim Jong-un is probably a narcissistic lunatic. After all, it’s a regime that keeps its population of a constant war footing, invented torture tactics (that other countries have recently come to use), is always threatening to attack other countries, and may someday actually do so (as other countries often do). North Korea’s reputed cyber operations unit, Bureau 21, may be responsible for this hack.  I don’t put anything past them.

Then again, I don’t put anything past anybody. I do not take the word of the North Korean government, and I do not take the word of the United States government.  After the Gulf of Tonkin, Iraqi WMDs, Syrian chemical weapons, Russian BUKs shooting down a Malaysian airplane (to name only the most recent packs of lies), anyone who simply accepts the US government’s assertion that something is true is a stubborn sucker. Unfortunately, the American press and media, across the mainstream spectrum, fall in that category. It is truly amazing how the American regime’s patently mendacious narratives about Syria and Ukraine, for example, are accepted as unquestionable truth, become fixed assumptions, as will, I expect, the now-official story that North Korea is to blame for the Sony hack.

Let’s see: The North Koreans suggest investigating this attack jointly with the United States, and the US government responds that North Korea must first admit its guilt. Verdict first, trial afterwards. And nobody at the media tea party notices.

But, but, the FBI says…  The FBI? You mean the organization that absolutely positively identified the anthrax killer – twice, getting it wrong both times?  That hasn’t been able to solve that crime after 13 years?  The FBI that, by its own admission, has “mishandled, mislabeled, and lost…nearly half the pieces of evidence it reviewed” in “every region of the country”? That FBI?[11] Should I accept that, after a few weeks, this FBI solved the extremely difficult problem of definitively identifying the source of a computer attack designed by very clever hackers using source code that can be bought on the Internet?  Until the FBI has revealed its evidence, and I see analyses by independent computer security specialists, I will not.

Understand that the FBI has not convinced the tech world. (See the links below for details.) Here’s Marc Rogers again, after carefully analyzing the FBI’s statements:

There is NOTHING here that directly implicates the North Koreans [emphasis in original]….

We don’t have any solid evidence that implicates North Korea, while at the same time we don’t have enough evidence to rule North Korea out. However, when you take into consideration the fact that the attackers, GOP, have now released a message saying that Sony can show “the Interview” after all, I find myself returning to my earlier instincts – this is the work of someone or someones with a grudge against Sony and the whole “Interview” angle was just a mixture of opportunity and “lulz”….

The evidence used to attribute a nation state in such a case should be solid enough that it would be both admissible and effective in a court of law. As it stands, I do not believe we are anywhere close to meeting that standard.[12]

So, sure, maybe North Korea did it.  Hey, maybe Bureau 21 was coordinating a sophisticated computer attack with its network of saboteurs and assassins in the United States, with deadly real-world consequences.  You know, like the United States did when it deployed malware that sabotaged nuclear fuel processing plants in Iran (threatening whole regions with radiation poisoning), in coordination with its ally Israel’s campaign of methodically assassinating scientists. Now that’s cyber-, et. al, warfare!

[Is it not astounding that, after that, and after the revelations about US cyber-snooping on China and everyone else, the US government can get all up in high dudgeon about alleged North Korean cyberjinx, not only demanding confessions of guilt from the North Koreans, but asking China to help discipline them?  Is it not astounding that nobody in the media notices the irony?]

Or maybe it was a bunch of wild and crazy kids from Ukraine or Portlandia.  Or the Man from U.N.C.L.E.  Fact is, at this point, nobody knows who hacked Sony Pictures.  And anybody who tells you they do is lying.

Me, I’m thinking Bureau 21 probably wasn’t all into goofing around with “God'sApstls,” the GOP [!], Salted Hash, and the Stephen King of children’s books.  I’m going with Marc Rogers in thinking that the whole Interview/North Korea meme is best understood as a “lulzy” Red Herring—or, more appropriately in the context, a McGuffin.

Let’s recognize what’s going on here: Only North Korea, or some similar villainous enemy of the US, fills the whole frame nicely – absolving Sony of any responsibility for avoidable security lapses and reinforcing the “terrorism” fear-mongering that is now the prime narrative of the US government and media. That’s why the assumption of North Korea guilt will persist. That beast needs to be fed.

It’s just a comedy!

Let’s notice something else that hasn’t been very well publicized: The Interview was a government-vetted cultural production and a tool to promote assassination. The nastiest version of the scene where Kim Jong-un is killed by blowing up his head was explicitly lauded by American intelligence professionals because it might inspire Kim’s actual assassination.

Really. According to a report in the Daily Beast, Sony screened a rough cut of the film for at least two government officials “before moving ahead.” They loved it, seeing it as “useful propaganda against the North Korean regime.”  Beyond that, there was the specific question of the assassination ending.[13]

Some Sony executives were skittish about showing the assassination of a sitting head of state, and they were eager for opinions on that ending. There was even a “creative battle” between the execs and Seth Rogen, who had agreed to compromise his adolescent narcissism creative integrity in the face of pressure from the adults in the room who were concerned about the politico-ethical implications Philistine suits who had no respect for said creativity. Said Seth, in a painful compromise: “We will make it less gory. There are currently four burn marks on his face. We will take out three of them, leaving only one. We reduce the flaming hair by 50%.”

However, when Bruce Bennett, a senior RAND Corporation defense analyst, was shown the cut, he advised Sony CEO Michael Lynton that, since the disappearance of the North Korean regime was the desired outcome, and since:

the assassination of Kim Jong-Un is the most likely path to a collapse of the North Korean government …a story that talks about the removal of the Kim family regime and the creation of a new government …will start some real thinking in South Korea and, I believe, in the North once the DVD leaks into the North (which it almost certainly will). So from a personal perspective, I would personally prefer to leave the ending alone.

Later in the day, Lynton told Bennett that a U.S. government official endorsed his assessment of the film:

“Bruce – Spoke to someone very senior in State (confidentially),” wrote Lynton. “He agreed with everything you have been saying. Everything.”

Ah, the creative process! 

That is, prior government review to get advice about how best to tailor a film to the US government’s foreign policy objective of promoting the “collapse” of the North Korea regime, and the assassination of the North Korean head of state as the best way to engender that collapse. Every self-regarded “independent, creative artist” in America—including every one associated with The Interview—would, I suggest, not hesitate to call such a production, coming from a disfavored country, “government propaganda.”

Substitute the United States for North Korea and Obama for Kim, and tell me how crazy the North Korean reaction to this film is. Tell me how crazy the GOP is for saying Sony is “harming the regional peace and security…for money.” I don’t think Americans are in a position to make too many high-handed judgments about who’s crazy and who’s not.

The Interview is not “just” anything. It’s a complicated cultural production, part adolescent comedy, part government propaganda, all potential profit. As with any other film, everything about it involves complicated political and economic calculation. As former Sony executive Mitch Singer remarked: “There’s all kinds of censorship that goes on all the time.  China being the number two box office country in the world now, I guarantee you big mega-hits are not going to be critical of China because they economically need that market.”[14]

Indeed, we won’t see Li Keqiang’s head exploding anytime soon, no matter how repressive his regime is or how funny Seth Rogen thinks the shot would be. Nor would Seth Rogen or Amy Pascal, who both signed on in support of the Israeli slaughter in Gaza last summer, ever think Benjamin Netanyahu’s exploding head would make for good, clean American fun.

The Interview is also another example of close Hollywood-intelligence-government cooperation in film production, the likes of which we have seen recently in Zero Dark Thirty and Argo—“just” entertainment that just happens to reinforce, through accidentally-on-purpose cooperation, the dominant US government narrative about who’s crazy and what’s funny.

Of course, The Interview isn’t going to change any regime. In my book the great crime of the GOP hackers is that they’ve turned what’s probably stupid, adolescent trash into a focus of cultural discussion—because it is important that people not be threatened for seeing movies. It’s only withholding the movie that makes it seem an object of cultural importance, and keeps us talking about it.

Call me irresponsible, but considering everything soberly, and accepting the fears of the theater owners, I think, for all our sakes, that Ms. Pascal should make her wager and post the damn movie online, where everyone can properly ignore it—as god, if s/he existed, would surely intend.

---

[1] Don’t believe the hype: Sony hack not ‘unprecedented,’ experts say

[2] Sony pays high price for ignoring its past - LA Times

[3] Your Guide To Good-Enough Compliance | CIO

[4] BBC News - Nokia ‘paid blackmail hackers millions’

[5] R.L. Stine: “I love killing teenagers” - Salon.com

cool to know that RL Stine's cover illustrator is still getting work from Hacked By #GOP. pic.twitter.com/gHUGvOMmyr
— Keaton Savage (@keatonsavage) November 24, 2014

[6] Hackers suggest they had physical access during attack on Sony Pictures | CSO Online

Why the Sony hack is unlikely to be the work of North Korea. | Marc’s Security Ramblings

A Breakdown and Analysis of the December, 2014 Sony Hack

Here’s Caroline Baylon, a British cyber security expert, at

North Korea probably not behind Sony Pictures hack, says cyber security expert - video | Technology | The Guardian

[7] Why the Sony hack is unlikely to be the work of North Korea. | Marc's Security Ramblings

The Evidence That North Korea Hacked Sony Is Flimsy | WIRED

Paste #6875 | Zeropaste

[8] FBI memo warns of malware possibly linked to hack at Sony Pictures | CSO Online

[9] Sony hackers threaten terror attacks against people who see The Interview in theaters | The Verge

[10] Hackers tell Sony “The Interview may release now”—with edits | Ars Technica

[11] FBI’s genetic tests didn’t nail anthrax killer, GAO says | National Security & Defense | McClatchy DC

FBI evidence often mishandled, inquiry finds - Nation - The Boston Globe

[12] Why I *still* dont think it’s likely that North Korea hacked Sony. | Marc’s Security Ramblings

[13] Exclusive: Sony Emails Say State Department Blessed Kim Jong-Un Assassination in ‘The Interview’ - The Daily Beast 

[14] Former Sony executive responds to Obama criticism | MSNBC