The average US citizen was outraged that some other government would have the audacity to hack anything in the US. This article's goal seems to be to point out that the US Government is hacking all other nation's governments, including NK. (pot calling the kettle black)

- The North Koreans attempted to impose a heckler's veto on speech by private citizens of the United States.

- The Sony hack had direct and very visible consequences for Americans (economic consequences, release of personal data like salaries and health information, embarrassment of people by releasing private communications).

It's entirely possible to take the position that countries are going to engage in espionage, but that there should be norms about how intelligence services behave. Right now we're all trying to figure out what those norms are.

An addendum here regarding 'free speech'. There is some question about The Interview being a propaganda effort on behalf of the US State Department (which was given a preview as early as July) since #GOP released emails where CEO Lynton discusses the effects of the ending with RAND Corporation strategist and nuclear deterrence specialist Bruce Bennett and Lynton confirmed analysis of its effectiveness with Senior State Department officials. (It also doesn't help that the script writer was asked specifically to consider changing his character from an anonymous leader of NK to Kim Jong-Un).

"Norms" don't necessarily make things objectively or even subjectively better. They just make them standard. Asking for norms will get you absolutely nothing, even if you get what you ask for: They'll just establish what they're already doing as normal, and continue to not tell you about the new things they start doing. Because that's what intelligence is; if they told people what they were doing, for better or worse, people would make it harder for them to do.

Norms are important because they are precursors to law (in this case international law). Norms create ground upon which a country can accuse another, a ground upon which you can achieve consensus among many parties, and norms set expectations of behavior that if loosely followed every country can benefit from.

I have to take issue with "norms" for intelligence services as well. These are groups with no morals or ethics, what makes you think they would ever adhere to any sort of "norm." These are criminals and criminals do not adhere to norms imposed from anyone other than themselves.

I have a hard time blaming the victim of a cyber attack that would have been practically impossible to prevent. I agree that SONY made bad decisions with regard to its hording of unnecessary data, but also recognize that this is hardly unique to SONY and not standard advice given by security professionals (it should be).

Norms are important so that you can accuse 'groups with no morals or ethics' of doing something wrong. Norms may only discourage and not prevent behavior but without norms its difficult to find common ground for behavior that may otherwise be chalked up to 'culture' or 'tradition' or 'nature'.

You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.

That's something I'd expect to see at some small business with no professional IT on staff... certainly not from a multi-billion dollar company with thousands of employees and a full-time professional IT staff.

Sure, the attackers may very well have spearphised their way inside, but once inside, they didn't have to go through any of the normal hassles of island-hopping with more exploits, etc. They just logged in like they belonged.

Motivated attacker or script-kiddy, once inside, Sony made it awfully easy.

FWIW this is my experience with multi-billion dollar companies with thousands of employees and full time professional IT staff.

Perhaps we can get other security professionals to chime in.

Once you get a foothold in a corporate environment, it is the unfortunate truth (I'm sure others will back me up here) that it is very easy to move around without 'island hopping with exploits'. For the most part, pivoting by passing-the-hash will work for 99% of networks.

It is also my understanding that the malware that was purchased for this compromise had the capability to persist across the network, to exfiltrate data, and to sabotage computers.

I'd challenge that assertion. Employee's are often the first line of defense for any company, be it seeing something suspicious or knowing when to alert the right people. Investing in phising attack training can be very worth-while. Or at least adopt a strict company policy that helps ward off the basic forms of this attack.

It's not uncommon to have a company-wide policy that users are not allowed to open attachments in any email from anyone without IT's approval. It's inconvenient, sure, but it protects against multiple email-based attacks (everything from simple viruses to more advanced phishing attacks).

There's even phishing attack training specifically targeted at large enterprise (they send phishing attack emails to your targeted employees and when they fall for it, they get a quick lesson and explanation). [1]

[1] http://threatsim.com/how-it-works/

Then again, this is only from two studies done at one large corporation.

I looked around but could not find any studies or data about the long term effectiveness of phishing awareness campaigns (only PR junk), nor could I find evidence that SONY did not engage employees with these sorts of policies and training. Do you know of any such studies?

Do you believe that #GOP would not have gotten in if there were more strict policies and more frequent training?

Investment can make spearphishing much harder. Defense is not always absolute, but about raising the cost for the attacker.

I have trouble thinking of a cost-effective way that SONY could have prevented #GOP from getting in.

IMO SONY had two failures:

1.) The hording of data. Again I don't think that this is uncommon. I would expect to see this at pretty much any company of their size.

2.) The lack of an ability to respond to the APT once it was discovered. This is extremely tricky business, but a critical piece of security. It is common now for businesses to assume that they have been compromised and to build out the capability to recover and isolate issues as quickly as possible. Unfortunately for SONY, all of their data had been exfiltrated out of the network by the time they knew there was a problem.

The context of the discussion is that SONY, even if it 'increased spending on defense' would have been compromised because it was targeted in an attack rather than an attack of opportunity.

Amazon and Google also get hacked. So does Adobe and Microsoft. So does the DoD and Whitehouse. So does JPMorgan and Wallstreet.

The difference between Sony and the other companies you listed is the effort they put into security/technology-defense.

Yes, anyone might be hacked. That doesn't mean you just throw your arms up and let it happen. Sony effectively threw their arms up.

I think the biggest splash this article may have is added narrative supporting the truthiness of USG attribution to NK - something that seems to be held in high doubt by a large percentage of the technical crowd (but that I think seems pretty reasonable).

I would disagree that this opinion is fine; this is only fine if one selfishly considers oneself more important than the 7000000000+ other people on the planet.

Considering that the majority of Earth's people and natural resources lie outside the US, the long-term best move for the US is to promote global stability and equality. It's not a matter of weakness vs. strength, but short-term vs. long-term thinking.

There are plenty of people more important than me, but I wouldn't sacrifice myself for any of them.

Personally, I think humanity as a whole is pretty important. I wouldn't sacrifice myself for one other person without a really good reason, but I'm more than happy to accept a small short term decrease in local living standards in exchange for the long term stability and prosperity that would come from raising global living standards.

Specifically with regards to surveillance, the NSA is weakening the long-term position of US companies by leaving their systems and software vulnerable to known exploits, and by their actions, encouraging other countries to do the same. It's a negative sum game.

  Searching all directions
  with your awareness,
  you find no one dearer
  	than yourself.
  In the same way, others
  are thickly dear to themselves.
  So you shouldn't hurt others
  	if you love yourself.

That said one can apply an Occam's calculus using whatever information and reasoning you do trust. I personally trust that, whomever the #GOP was, they were motivated by SONY's role in developing "the movie of terrorism". This seems to me to be consistent with what the group published and with their 'Christmas surprise' showing collaboration between the State Department and SONY on the development of the movie related to its diplomatic value - something I don't think the NSA or allies would do. So I think the group had NK sympathies in mind. Granted, this doesn't rule out attribution to other states or hacktivists who hold these sympathies.