Hacker News

As far as I can tell, there are (EDIT: at least) three scenarios:

1. The NSA is competent, and has verified that NK is responsible.

2. The NSA is competent, and is lying about whether NK is responsible.

3. The NSA is incompetent, and erroneously concluded that NK is responsible.

Since we know that the NSA is filled with highly competent people (based on the quality of the people who periodically join the commercial world after a stint at the NSA) we can probably consider 1 or 2 the most likely explanation.

Which do you believe, and why? Unless there is strong evidence, 1 seems the most likely. It's also the simplest explanation.

Also, the reason I'm talking about the NSA even though the article is talking about the FBI is because this surely falls under their umbrella, and the NSA has the most powerful tools for verifying what happened. Other agencies would seek answers from them, and the NSA's input would matter. For example, one sentence starts, "As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, ..."

EDIT: Could we focus on the question? Which do you believe, and why? Please feel free to add additional scenarios, but at least mention whether you believe them and why they're likely.




The FBI and NSA are two very different entities. The investigation goes to the FBI because it is essentially an "in the USA crime". While FBI and NSA may both be looking into it, they don't share all of their data.

Also, from my experience, the FBI is quite incompetent. The 'evidence' so far is, as others are pointing out, that people in NK wrote similar malware and some of the components used. Trend Micro says that the malware used is available on the black market. This points to my previous conclusion that this is being paid for.

Whether the NK government is involved in funding this particular hack is the real question. I don't think NK has direct control over the hackers at this time, because as others have pointed out, it is not in NK's best interest for this to continue.

It is easy to pin the blame on NK, and I think that is exactly what the hackers want to happen. Personally I think Sony simply pissed off too many people and this is the inevitable result.


> The 'evidence' so far is, as others are pointing out, that people in NK wrote similar malware and some of the components used.

I had written a lengthy post pointing out the many pieces of evidence you're ignoring, but I think the FBI release does the job just as well. I find the infrastructure evidence as interesting, if not more interesting than the similar code:

> Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

> The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

> Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

This also does not mention that some of the code was compiled on a machine configured with Korean language settings. This doesn't establish definitively that North Korea was behind this, but it is consistent with that conclusion.

There is also classified evidence. You may choose to ignore it, but I find the claim deserving of some (though not decisive) weight, and certainly worthy of mention.
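The FBI statement quoted above leans on IP addresses hardcoded into the wiper and on their overlap with "known North Korean infrastructure". As an added illustration, not code from the FBI release or from anyone in this thread, here is the first-pass triage an analyst does before treating such an overlap as evidence: pull dotted-quad literals out of a binary, discard the ones that cannot be remote endpoints, and intersect what is left with a watchlist. The blob and the watchlist are constructed for the example (RFC 5737 documentation addresses stand in for real infrastructure), and the function names are the example's own.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Dotted quads embedded as ASCII. Octet range is validated below, so the pattern
# only needs to isolate candidates that are not part of a longer dotted sequence.
_IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that cannot be a remote endpoint on the public Internet. Deliberately
# narrower than ipaddress's is_private, which would also hide the RFC 5737
# documentation ranges used as stand-ins for real infrastructure in the sample.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def extract_ipv4(blob: bytes) -> List[str]:
    """Distinct, syntactically valid IPv4 literals in blob, in order of first appearance.
    Packed 4-byte addresses are not covered; those need a different scan."""
    seen: Set[str] = set()
    found: List[str] = []
    for m in _IPV4_RE.finditer(blob):
        text = m.group(1).decode("ascii")
        try:
            ipaddress.IPv4Address(text)      # rejects octets above 255
        except ValueError:
            continue
        if text not in seen:
            seen.add(text)
            found.append(text)
    return found


def is_routable(addr: str) -> bool:
    """False for addresses that can only mean 'this host' or 'this LAN'."""
    ip = ipaddress.IPv4Address(addr)
    return not any(ip in net for net in _NON_ROUTABLE)


def infrastructure_overlap(blob: bytes, watchlist: Set[str]) -> Dict[str, List[str]]:
    """Split the hardcoded addresses into routable candidates, local noise, and watchlist hits."""
    found = extract_ipv4(blob)
    routable = [a for a in found if is_routable(a)]
    return {
        "all": found,
        "routable": routable,
        "non_routable": [a for a in found if not is_routable(a)],
        "watchlist_hits": [a for a in routable if a in watchlist],
    }


# Constructed sample: a fake config blob. 203.0.113.7 and 198.51.100.22 are RFC 5737
# documentation addresses standing in for C&C endpoints; "2.1.0.7" is a version string
# the scan cannot tell apart from an address; 999.1.1.1 is syntactically invalid.
SAMPLE_BLOB = (
    b"\x00\x00cfg\x00http://203.0.113.7/up.php\x00"
    b"backup=198.51.100.22:443\x00v=2.1.0.7\x00"
    b"listen=127.0.0.1\x00lan=192.168.1.10\x00bad=999.1.1.1\x00"
)

# Constructed watchlist standing in for "IP addresses associated with known infrastructure".
SAMPLE_WATCHLIST = {"203.0.113.7", "203.0.113.99"}

if __name__ == "__main__":
    for key, addrs in infrastructure_overlap(SAMPLE_BLOB, SAMPLE_WATCHLIST).items():
        print(f"{key:15s} {addrs}")
```

Two things the output shows that the statement itself does not: a version string such as 2.1.0.7 is indistinguishable from an address at this level, so a naive scan inflates the candidate list, and a watchlist hit only says that the sample knows that address. Whether the address is dedicated, shared hosting, or a publicly circulating C&C (the objection raised elsewhere in this thread) has to be established separately before the overlap carries any weight.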


Sure there are things pointing to NK; but I believe this is intentional. Using an IP in NK, or one "associated with NK actors" doesn't prove it is NK. Consider all the discussion for piracy. IP doesn't prove anything.

I don't think the action was directed clearly by high level NK officials.

Consider; what if the hackers had said "We are NK, war on USA" from the very start. Would that change anything? Nope. Just because something appears to be something doesn't mean it is.

Also; why is the evidence classified? The public already has the leaked data in immense amounts... many groups already have the malware itself that was used... How about they actually show the evidence instead of just pointing fingers.

Anyone can go "yeah it's NK; they do this sort of thing".


> The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden. This is one of the key things that has made communication with North Korean refugees difficult. I would find the presence of Chinese far more plausible.

http://marcrogers.org/2014/12/18/why-the-sony-hack-is-unlike...


That's an uninformed, confused argument. That blogger's links about "traditional" Korean are about a few differences in vocabulary that have developed between North and South. Nothing that would suggest that there are any differences in the characters used to type on a computer. That's because the languages and characters are the same.

BTW, the original investigation on the locale concluded that the UTF-8 character could be decoded with Korean or Chinese locales.

The fact that the hackers were using a Korean (or Chinese) locale doesn't prove that the hackers were Korean, but it also doesn't prove that the hackers were NOT Korean, as this blogger tries to do.


I don't find that argument very persuasive. First, while there are dialect differences I think this argument significantly overstates them - I think the last answer in this Quora discussion sums it up well, saying that it's like the differences in American and British English - significant, but hardly a serious barrier: http://www.quora.com/Korean-language-1/How-different-is-the-...

It's not like North Korea's government just picks random proles and tells them to start writing malware if they want to keep receiving gruel; anyone engaged in cyber-espionage is going to have a very high security clearance and be well educated by North Korean standards. You wouldn't be surprised by the idea of a KGB officer (or FSB these days) who spoke perfect English, would you? Why is the idea that North Korean spies would be fluent in the dialect/idiom of their own language so hard to swallow? I would imagine that any North Koreans engaged in cyber espionage/security have spent at least some time infiltrating South Korean social networks, to gather intelligence, disseminate subtle propaganda (as opposed to the chest-beating type put out by the official news agencies) and so forth.

I don't know if the Sony attack was carried out by NK or not, but the idea that it could not have been rests on the notion that North Koreans are incapable of social engineering, acquiring language skills beyond their own, or impersonating anyone else for espionage purposes - a modern version of the trope that Russian spies could be quickly detected by the poor cut of their suits.


What OSs have "North Korean" locale and language settings? The Windows 7 PC I'm on now sure doesn't have one (though it does have "Korean"). And if there is no "North Korean" setting available, wouldn't it make sense for them to use Korean, seeing as it's the only other language that uses their system of writing?
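Several comments above turn on what "compiled on a machine configured with Korean language settings" could concretely mean, and on whether raw bytes can be decoded under a Korean or a Chinese locale. One place such a signal lives in a Windows executable is the language ID attached to every leaf of the .rsrc section's resource tree (type / name / language). The following is an added example, not code from this thread or from any investigation of the Sony intrusion: it walks a hand-built .rsrc blob (constructed here with the layout a linker emits, offsets relative to the section start), tallies the LANGIDs it finds, and separately tries a two-byte sequence against several East Asian codepages. The LANGID and resource-type tables are partial, and the sample blob and function names are the example's own.

```python
import struct
from typing import Dict, List, NamedTuple, Tuple, Union

SUBDIR_FLAG = 0x80000000      # high bit of OffsetToData: entry points at a sub-directory
NAME_IS_STRING = 0x80000000   # high bit of Name: entry carries a string name, not an ID

RESOURCE_TYPES = {3: "RT_ICON", 14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST"}

# Partial LANGID table (primary language | sublanguage << 10). Windows defines a single
# Korean identifier, 0x0412 (ko-KR); there is no DPRK-specific value to look for.
LANGID_NAMES = {0x0409: "en-US", 0x0411: "ja-JP", 0x0412: "ko-KR",
                0x0804: "zh-CN", 0x0404: "zh-TW"}


class Resource(NamedTuple):
    rtype: Union[int, str]
    name: Union[int, str]
    langid: int
    rva: int
    size: int
    codepage: int


def _entry_name(rsrc: bytes, field: int) -> Union[int, str]:
    """Resolve a directory entry's Name field: numeric ID, or length-prefixed UTF-16LE string."""
    if field & NAME_IS_STRING:
        off = field & 0x7FFFFFFF
        (length,) = struct.unpack_from("<H", rsrc, off)
        return rsrc[off + 2: off + 2 + 2 * length].decode("utf-16-le")
    return field


def _walk(rsrc: bytes, dir_off: int, path: Tuple, out: List) -> None:
    """Depth-first walk of the IMAGE_RESOURCE_DIRECTORY at dir_off, collecting leaves."""
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", rsrc, dir_off)
    pos = dir_off + 16
    for _ in range(n_named + n_id):
        name_field, off = struct.unpack_from("<II", rsrc, pos)     # IMAGE_RESOURCE_DIRECTORY_ENTRY
        pos += 8
        label = _entry_name(rsrc, name_field)
        if off & SUBDIR_FLAG:
            _walk(rsrc, off & 0x7FFFFFFF, path + (label,), out)
        else:                                                       # IMAGE_RESOURCE_DATA_ENTRY
            rva, size, codepage, _ = struct.unpack_from("<IIII", rsrc, off)
            out.append((path + (label,), rva, size, codepage))


def parse_resources(rsrc: bytes) -> List[Resource]:
    """Every resource in a .rsrc section with its type, name and language ID."""
    leaves: List = []
    _walk(rsrc, 0, (), leaves)
    result = []
    for path, rva, size, codepage in leaves:
        if len(path) != 3:
            raise ValueError(f"unexpected resource tree depth {len(path)}")
        rtype, name, langid = path
        result.append(Resource(RESOURCE_TYPES.get(rtype, rtype), name, langid, rva, size, codepage))
    return result


def language_summary(resources: List[Resource]) -> Dict[str, int]:
    """Count resources per language, naming the LANGIDs the table above knows."""
    counts: Dict[str, int] = {}
    for r in resources:
        key = LANGID_NAMES.get(r.langid, f"0x{r.langid:04x}")
        counts[key] = counts.get(key, 0) + 1
    return counts


def decode_candidates(raw: bytes, codecs=("cp949", "gbk", "big5", "cp932")) -> Dict[str, str]:
    """Which East Asian codepages accept raw as a complete string (not which one is 'right')."""
    out: Dict[str, str] = {}
    for codec in codecs:
        try:
            out[codec] = raw.decode(codec)
        except UnicodeDecodeError:
            pass
    return out


# --- constructed sample .rsrc section (not taken from any real binary) ----------------
def _dir(n_id: int) -> bytes:                               # IMAGE_RESOURCE_DIRECTORY
    return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n_id)


def _entry(ident: int, off: int, subdir: bool) -> bytes:   # IMAGE_RESOURCE_DIRECTORY_ENTRY
    return struct.pack("<II", ident, off | (SUBDIR_FLAG if subdir else 0))


def _data(rva: int, size: int) -> bytes:                    # IMAGE_RESOURCE_DATA_ENTRY
    return struct.pack("<IIII", rva, size, 0, 0)


# RT_VERSION "1" in ko-KR and en-US, RT_MANIFEST "1" in en-US; offsets are section-relative.
SAMPLE_RSRC = b"".join([
    _dir(2), _entry(16, 0x20, True), _entry(24, 0x38, True),            # 0x00 types
    _dir(1), _entry(1, 0x50, True),                                     # 0x20 names under RT_VERSION
    _dir(1), _entry(1, 0x70, True),                                     # 0x38 names under RT_MANIFEST
    _dir(2), _entry(0x0412, 0x88, False), _entry(0x0409, 0x98, False),  # 0x50 languages of VERSION/1
    _dir(1), _entry(0x0409, 0xA8, False),                               # 0x70 languages of MANIFEST/1
    _data(0x3000, 0x100), _data(0x3100, 0x100), _data(0x3200, 0x200),  # 0x88, 0x98, 0xA8
])
assert len(SAMPLE_RSRC) == 0xB8

if __name__ == "__main__":
    res = parse_resources(SAMPLE_RSRC)
    for r in res:
        print(r)
    print(language_summary(res))
    print(decode_candidates(b"\xb0\xa1"))
```

The LANGID comes from the LANGUAGE statement in the resource script or from the resource compiler's default, so it records how the build was configured rather than who sat at the keyboard, and it can be set to anything. Windows also has only the one Korean identifier, so even a genuine value cannot separate North from South, which is the point the comment about OS locale settings makes. The codepage check shows the other ambiguity mentioned above: the bytes 0xB0A1 are a valid character in cp949 and in GBK alike, so a stray string is not evidence of either locale on its own.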


>>> While FBI and NSA may both be looking into it, they don't share all of their data.

The irony of this statement is that this is one of the primary reasons the Department of Homeland Security was established, so sharing of information between these very offices would enable them to be more on top of stuff like this.


> The irony of this statement is that this is one of the primary reasons the Department of Homeland Security was established, so sharing of information between these very offices would enable them to be more on top of stuff like this.

No, it wasn't. Which is evidenced by the fact that neither of these entities was among those moved from other Departments into the new Department of Homeland Security.

Improved information sharing among the parts of the intelligence community that were not consolidated into the DHS is the reason that various changes were made to the laws governing information sharing in the IC, and that the office of the Director of National Intelligence was created to separate the head of the IC from the Director of a particular agency (the CIA) in that community.


4. The NSA is incompetent, and correctly concluded that NK is responsible using erroneous reasoning.


Haha! Good catch. I've seen people unwittingly leverage this basic pattern into entire executive careers :(


It's basically a specialization of the base rate fallacy. If, say, idiots can still be right by chance 10% of the time, and experts are right 90% of the time, but only 10% of the population are experts, then lucky idiots will make up fully half of the population of people who are right.


10% is pretty generous for most of the work experts actually do, though.

Experts do many things, one of which is to occasionally make predictions, where 10% might be more reasonable.

But, for work like imagining how a given goal can be realized, I would guess an "idiot" could compose an achievable plan less than a fraction of a percent of the time.


I'm not sure. Computer experts? Yes, hard to get lucky there. Business experts? Luck seems much more significant.


It's all about having enough variables in the system so you can point to something else as the cause when there is failure, and yourself as the cause when there is success. With willful ignorance of reality, idiots can have a success rate much higher than 10%. :)


5. This is an FBI statement. As the Sony movie studio's network is not a classified US Government network, it isn't the NSA's job to defend it.

So, they may not have even been consulted on this - or (far more likely) their contributions, if relatively inconclusive, may have been cherry-picked for only those specific points which supported a politically-convenient, face-saving conclusion. (Which, as we all know, has happened before on a few infamous occasions.)

When you have a big hammer, sometimes everything looks like a nail. When you have a database of every IP address which sends packets transiting a collection point to every other IP address suspected of being a C&C (and the NSA & GCHQ do have exactly that), everything looks like a potential controller. There is a remarkably strong bias towards false-positive confirmation caused by (amongst other things) P2P networks and UDP packets with forged IP addresses. A bias the NSA (and/or GCHQ) would warn about: a warning that, alas, law enforcement tend to not always take to heart - which is (anecdotally) partly why GCHQ rather dislike working with the plod (and quite probably the same feelings persist in the NSA towards the FBI).

I still think the links to DPRK are very weak, if they even point that way at all - not that the North Korean government aren't vile dictators (they are) but because everything I've seen makes it look more like low-rent organised crime - indeed, I gather the payload and C&Cs used, which the FBI have (IMO) erroneously used in their attribution, are publicly available (though no, I will not link to them)!

What I've seen even (albeit weakly) indicates at least two actors with different names, one of whom asked for a monetary ransom, and the latter mentioned the movie after the media did and thanked the other (for giving them access?).

It may be (but there is no strong evidence either way) that the latter is actually the DPRK - in which case their "cyber-army" looks like low-rent organised criminals, which I admit would not be implausible, but speaks volumes about Sony's stunningly negligent incompetence!

The one thing I feel absolutely confident saying is this: Sony Pictures were an extraordinarily soft target, and this was not a display of any high degree of technical competence on the part of the attackers. It could've been anyone from North Korea to a disgruntled ex-employee (of which they have no recent shortage) to some random 14-year-old angry kid, or anyone in between. My sodding cat could have hacked them. ¬_¬



I suspect they know who did it, and they have data that would expose just how much they know and do not want to disclose that information. They possibly know because they've compromised an ally's system to do so, and providing that information would expose this vector and compromise relations. These guys aren't incompetent, full stop. Saying so may make you feel better, but we have all the proof in the world about their capabilities.


Shouldn't "NSA" be replaced with "FBI" in all three scenarios (and all additional scenarios)? After all, the news release from the FBI indicates that the conclusion is the FBI's, not the NSA's.

Further, the equation of "competent" and "correct" in the scenarios is ill-founded; competent people can reach incorrect conclusions and vice versa.

> Since we know that the NSA is filled with highly competent people (based on the quality of the people who periodically join the commercial world after a stint at the NSA) we can probably consider 1 or 2 the most likely explanation.

Perhaps, but even if so, #1 and #2 need to be expanded to:

1a. The FBI is competent, and has correctly determined that NK is responsible, and is accurately reporting its correct determination.

1b. The FBI is competent, but has nevertheless incorrectly assessed that NK is responsible, and is accurately reporting its incorrect determination.

2a. The FBI is competent, and has correctly determined that NK is not responsible, and is misrepresenting its correct determination.

2b. The FBI is competent, but has nevertheless incorrectly determined that NK is not responsible, and is misrepresenting its incorrect determination.


What I want to know is how a broad assessment of any agency's "competence" is at all relevant here.


In pure logical terms, why is "competent, and erroneously concluded that NK is responsible" not an option? Leaving that out seems based purely on opinion and not in any reported or historical facts.

Smart people make mistakes, too.

In fact, I'm not sure why competence or incompetence affects the second half of your scenarios at all.


Reply to EDIT: Your logical estimation was based on the wholesale elimination of several options, of which, I think "competent but wrong" has the largest possibility.

I don't think which I believe and why matters much here, but this is a "false choice" fallacy that seems to be based on personal opinion and doesn't accurately set up the question for others to answer. I think that should be called out.


I accept that the NSA is competent in their intelligence-gathering capacity; an organization does not get away with what they did for years and keep it secret for any period of time by being incompetent. That said, AFAIK the NSA has not stood behind this information, the FBI has.

If the NSA were able to identify with some certainty who the attackers were and it was another nation, and they forewent actually using this as an example of a real tangible good that comes from the intelligence gathering apparatus they've put in place after all the flak they've gotten, to me that colors the information somewhat. If they don't want to stand behind the assessment, it could be entirely political (none of the controversial programs helped, so don't fuel the fire of people asserting they aren't worthwhile) or it could be operational, as in they aren't as confident as the FBI is professing. I'm sure there are many other possible reasons as well, but I don't think it simply boils to competence or incompetence.


For the sake of completeness, there's also a fourth:

4. The NSA is incompetent, but correctly concluded that NK is responsible anyway.

I agree that the "incompetent" ones are pretty unlikely. As for choosing between the first two, the big question to me is motive. I've seen plenty of people proposing 2, but I've not yet seen anybody articulate why they would do so. The only reasoning I've seen consists of references to similar false attributions in the past, which certainly has happened, but there are always reasons for it.

So what would the motivation be to lie about it? The Iraq WMD lie was used to justify war, but hacking a movie company won't move the dial on national support for war against North Korea, and there are many better ways to drum up popular support for such a thing. Increased cybersecurity funding? Again, I don't think people will care too much about a movie company as the target. Maybe someone in the US government hated the movie and wanted to sink it, and NK is just a convenient scapegoat? Pretty far fetched. Some other group carried out the hack, but this can't be disclosed somehow? Doesn't make much sense to me.

Unless there's some sort of reasonable proposal for why the US would lie about NK being the source of the hack, it doesn't seem too useful to discuss that angle beyond a basic "and yes, they might be lying for some unknown reason."


How about, if the people behind the hack are trying to make it seem like it is NK, then investigators may go publicly with that theory while trying to track a culprit, as to announce otherwise may make finding who it is more difficult.


Is there any particular reason we haven't included the "incompetent, erroneously concluded that NK is not responsible, and is lying about it" quadrant? It's always nice to fill out the last box of the square.


Or perhaps something without such stark, binary conclusions:

The NSA has much competence, but not omniscience. There's indirect evidence of overlap with NK hacking activities.

Maybe the evidence means NK was the prime mover. Or maybe it means NK got invited in later, during the many months of likely compromise. Or maybe it means NK was intentionally implicated ("framed") by others. Or maybe it's a coincidence of many teams working the same tools/pathways/compromised servers.

Certain agencies and people gain politically – in budget or prestige or minimization-of-embarrassment – by leaning towards the "finger NK" call. There's enough murky evidence it's defensible, whether true or not, and in any case hand-waving about confidential "sources and methods" makes the call low-risk. Who else are people going to believe?

So the NK call goes out, and no one's competence or veracity is really on the line.


Agreed that #1 is most likely. In fact, it seems probable that if this hack were indeed carried out by NK, the NSA is likely to have known about it during the planning or execution stages. Certainly they have eyes and ears on NK officials. While they wouldn't step in to prevent the attack (not their job), certainly they are active with the FBI to make decisions on the source and technical nature of the attack.

I wouldn't expect the FBI to do a thorough job on matters of digital security or cryptography, but I certainly would expect that of NSA. And therefore it seems unlikely we will be told all the evidence that they have collected in order to conclude NK is responsible.

Edit: This assumes they are telling the truth, which they might not be. But if they do honestly think NK is behind this, they certainly have a wealth of secret evidence supporting that decision.


Your list is a false dichotomy. There are more than 3 possible situations, including that the NSA is not involved.


> Your list is a false dichotomy.

Pedantically, wouldn't it have to be a false trichotomy since there were three presented options?


I think a trichotomy would be 3 categorical bins.

This looks like OP cherry picked 3 options from a 2x2x2 choice matrix with NSA competency, NSA honesty, and the truth as its axes.


> I think a trichotomy would be 3 categorical bins.

That's what was presented.

> This looks like OP cherry picked 3 options from a 2x2x2 choice matrix with NSA competency, NSA honesty, and the truth as its axes.

That sounds about right, which would mean there ought to be (assuming each of the implicit dichotomies was valid, and that they covered the problem space), 8 categorical bins, which is why the presented trichotomy would be a false one.


My comment was a prompt. It was to inspire interesting discussion and debate. It wasn't meant to persuade. It also wasn't meant to be an exhaustive list.

I'm just happy some interesting discussion came of it.

That 2x2x2 table isn't complete, by the way. For example, "The NSA came to a different conclusion other than the most politically desirable one" falls nowhere within it.

That's why I didn't try to enumerate all possible scenarios, especially the less plausible ones. That would be uncharitable to readers, as well as talking down to them.


>Unless there is strong evidence, 1 seems the most likely.

IMO strong evidence is lacking to make 1 the current scenario.


Strong evidence is lacking to make any conclusion, including that NK is responsible.

There are incentives to falsely place blame on NK and there is a wealth of history demonstrating that type of behavior. In particular the US may have wanted to attack NK for some time but lacked a way to galvanize the public's support. Opportunities to get backing for war are rare, and so there is good reason to think that the government would try to capitalize on them. The fact that the government isn't releasing evidence suggests that it is weak or non-existent.

There is also good reason to believe that NK did do the hack.


Assuming 1, NK has opportunity (but, given the Internet and the time frame, about half the world has), means (but, apparently, the method of break-in is for sale, so many parties will have the means), and, apparently (I haven't seen the movie), motive.

I do not see a huge motive, though. Also, I think we can assume that the NK is above average competent, too. Why would the NK find this so important to spend time and effort on? Did they buy options on shares in movie companies to make a lot of money? Is this a small operation by some NK agent or department head who wants to make an impression to his superiors, or intends to blackmail Sony Pictures (if that is the case, the villain should already have asked for money. We don't know whether he did).


How about:

4. The NSA is competent, and has good reason to carry out a false-flag operation.

As far as I can gather, only the CIA and FBI have published statements pointing to North Korea. I believe the NSA to be competent, but I have seen members of the US government lie repeatedly in the recent past.

Regarding Iraq, we know now that the US government lied and/or misrepresented facts regarding chemical weapons, biological weapons, and uranium enrichment programs. We know from recent revelations that the CIA considered, planned, and approved of false-flag operations in Cuba in the 1960s. Given this history, we should not rule out the possibility that the US intelligence agencies are misleading the American public intentionally to achieve their own goals, independent of the facts.


It's a bit unnecessary to invent three scenarios and choose which is the most likely.

There is no reason to believe the NSA is involved. The article does not mention it and there is no other official reason to think they are. The FBI have their own cybercrime unit.

But if the FBI investigation actually did conclusively show that NK was involved, what could they possibly have to gain by putting out a press release? To let the hackers know that we're on to them?

The only possible reason for a press release at this time is to widely circulate this piece of information, which must be valuable to the FBI for some reason. There's no need to complicate the issue further.


Ah, didn't see this comment before I commented above.

Agree that the "other"-other choice should be "come to whatever conclusion but not publish findings."


The FBI always publishes stuff like this. For example, they did it after the Silk Road was taken down. It makes people appreciate the FBI.


4. NSA concluded one thing but another answer was more politically desirable

In just one week we've gotten over the fact the USA tortured people to death only a few years ago, or at least the "news" has.


A statement that almost perfectly captures this effect:

http://en.wikipedia.org/wiki/Fundamental_attribution_error


I don't believe in any of the provided options. My only decision making guide is definitive evidence and not some emotion-based public interpretation as to what might have happened.


I guess I'd have to favor #2. I think the NK connection is dubious at best, but it probably best serves political interests to point the finger that way at this time in history.


NSA and FBI have a strong history of lying to the public. I would say that makes #2 more possible.

It's also in their interest to position the threat as a national security issue because that's where they derive their power to regularly break the law through spying and other tactics as well as their over-inflated budgets. If the threat is coming from a hostile nation it helps their narrative better than a disgruntled employee or someone doing it for lulz.


If the FBI is involved and there was significant uncertainty in their conclusion, wouldn't they be slightly biased against concluding it is an international actor, since that takes it out of their jurisdiction?

If the above is true should that cause us Bayesians to slightly believe their conclusion more? Or are they so influenced by governmental interests (who may want cyber warfare) that it really isn't a factor?


Number 2 seems most likely, so then the question is: Why would they lie?

2a. They're lying for political reasons. (This seems to be the most common explanation in this discussion and others.)

2b. They're lying to make the real hackers feel safe and potentially make a security mistake.

Some other reason?


4. The goal is to keep the US population in fear, so now they have a new "enemy".


There have now been 239 years since the Declaration of Independence, and you honestly believe that the simplest explanation is 1) the government is competent and 2) the government is honest.

One week after the torture report, you simply can't make this up. Then of course, you did make this up, because nobody has even mentioned the NSA.


or,

4. the NSA has nothing to do with this and the FBI are incompetent


> Since we know that the NSA is filled with highly competent people (based on the quality of the people who periodically join the commercial world after a stint at the NSA) we can probably consider 1 or 2 the most likely explanation.

Since we know that the NSA is a government agency, we can probably rule out the possibility of it being competent, no matter how competent the people hired there are.

A mob that consists of intelligent and competent individuals is still a mob.



