Monday, December 22, 2014

Goosebumps: A Scary Sony Story


Can we bring the discussion of the Sony hack back to earth?

It’s a hack.

Somebody hacked into the Sony Pictures Entertainment computer network in Hollywood, and released to the public a treasure trove of confidential information. Everything from embarrassing emails to forthcoming movie scripts was dumped out in public. This is an embarrassment for an international (Japanese-American) media corporation and a bunch of celebrities. It may be a violation of intellectual property rights, and personal privacy rights, and common courtesy. It may be condemnable on any of those grounds. But it is not “terrorism” or “cyberwar.” It’s a hack.

It is, furthermore, a rather ordinary and foreseeable kind of hack, despite the Sony cybersecurity guy’s insistence that: "This attack is unprecedented in nature. …an unparalleled and well planned crime, carried out by an organized group, for which neither [Sony Pictures Entertainment] nor other companies could have been fully prepared."[1] To which one security expert, known as "The Grugq," says: “Bullshit.” Malware for such attacks can be purchased on the Internet. A similar attack struck 30,000 computers at Aramco in Saudi Arabia and at banks and media companies in South Korea.

In fact, Sony itself had been hacked in 2011 and forced to shut down its Online Entertainment and PlayStation Networks for weeks.[2] In a previous security audit, Jason Spaltro, Sony’s Executive Director of Information Security, was warned about the company’s cyber vulnerabilities, with an emphasis on its lax password practices (simple nouns, passed around in plaintext documents), with the blunt admonition: “If you were a bank, you’d be out of business.” To which Spaltro replied: “If a bank was a Hollywood studio, it would be out of business.”