That's not to say that I'm not fascinated by issues around security and cryptology. It's just that I know that I have no aptitude for it--particularly what you'd call "thinking like a hacker." And hacking-post mortems are like candy for me.
Which, in the wake of last week's Sony mega-hack, basically makes me a rubbernecker. (In my defence, I don't rubberneck in real life; gawping at disasters online doesn't slow down the traffic or hinder first responders.)
Oh, and is this ever a train-wreck. Partly, it's the sheer scope. Thirty-eight million files stolen--some of those files whole databases.
- Movies leaked to torrent sites before their release date
- Scripts for movies not even in production yet
- Source code--presumably for games
- Legal assets like contracts, non-disclosure agreements, etc.
- Salaries, including highly embarrassing discrepancies in executive level pay
- Human resources data, including social security numbers, addresses, birthdays, phone numbers, etc.
- Sales and financial data going back years.
- I/T infrastructure maps, complete with security credentials
Also, though, there was the initial blank-wall response, and now the possibility of fingering the wrong wrongdoer. North Korea was the prime suspect from the get-go. That assessment has been disputed and even criticised by the infosec. community, but that's Sony's story and they're sticking to it. You have to admit, being targeted by a rogue government makes for better security theatre than falling victim to an inside job carried out by pissed-off plebeians.
Oh, and passwords weren't encrypted and the hackers managed to nab SSL root certificates that won't expire for years? #headdesk
It's impossible not to look, right? There are just so many flavours of "screwed" involved here--for the short-, medium-, and long-term:
- Revenue lost to piracy
- Further revenue loss if said pirated content sucks and no one wants to pay to see it
- A pretty-much-unquantifiable loss in competitive advantage to its competitors in the entertainment and gaming industries
- Equipment and staffing costs for scanning, then scrubbing or replacing every single computer currently on possibly touched the network
- Nothing short of an identity theft nightmare for thousands of employees and contractors: Sony footing the bill for any reasonable amount of credit-monitoring and remediation will easily run into the millions of dollars
- The productivity-killing morale-buster for employees now freaking about their current job or their future credit rating
- Possible (probable?) massive class-action lawsuits, particularly if North Korea doesn't turn out to be the villain after all
- The inevitable stock price bobbles, particularly as the after-shocks play out
If it sounds like I'm blaming the victim, I am--but only sorta-kinda. Yes, it's tempting to see this as karma for a company that had no problem infecting paying customers with malware--basically using them as conscripts in their battle against piracy--thus leaving them open to other hackers. And, honestly, Sony's response when the news broke might just be the douchiest thing you'll read all day...assuming you're not following Timothy Loehmann / Daniel Pantaleo apologists on Twitter, of course:
NPR was one of the first to report on the scandal on November 4, 2005. Thomas Hesse, Sony BMG's Global Digital Business President, told reporter Neda Ulaby, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Obviously, I don't work for or at the company, so please don't think I'm speaking with any evidence-based authority here. But the circumstantial evidence points to a management mindset in which security was viewed as an expense to be minimised, rather than an asset to be built and leveraged as a competitive advantage.
If true, investors and other stakeholders should take that cavalier attitude--toward their own crown jewels as well as the personal data of others--as a sign-post on the road to extinction.
Because ultimately, Sony lives in a fully digital world. Movies no longer exist as spools of celluloid. Except for audiophiles, 21st century music is not served up on fragile black vinyl platters. Most games do not play out with wooden/plastic/metal markers on cardboard these days. The upside of that world is that copies of intellectual property can be made for mere fractions of pennies. The downside of that world is that copies can be made for mere fractions of pennies.
Playwright GB Shaw claimed that because the "reasonable man" adapts himself to his environment while the "unreasonable man" adapts his environment to suit himself, all progress must therefore be driven by the unreasonable man. But that assumes two finite ends of a continuum--a continuum that ignores the possibility of unreasonability shading into delusion.
Further back in time, the earliest tragedy tracked the ruin of the great, often precipitated by the hubris with which they met forces or events beyond their control. You'd think that an entertainment company would take that wisdom to heart. The warnings of Euripides and Sophocles ring true even today. But companies like Sony bear no resemblance to the travelling companies of players in centuries past. They're little more than accounting machines, slicing revenues into royalties and residuals.
But you're smart enough to actually listen to your security folks, am I right, Gentle Reader? Please tell me I'm right. Because as much as I do enjoy a good hacking post-mortem (in the same way some people enjoy a good murder mystery), I'd really rather not be rubbernecking at the hacking of someone I know. Thanks.