This week marked an "Hour of Code," a not-for-profit effort that backers believe will teach up to 100 million people to be computer programmers. The code.org website claims over 3.8 billion lines of code have been written by students and even President Obama got into the act by typing in a single line of JavaScript. Maybe next year, backers can talk about hackers with 5 minutes to discuss computer security—a much neglected field.
While the President was typing in his one-liner, Sony's film division is being publicly humiliated due to a major computer security breech. A group of unknown—but widely assumed to be North Korean-sponsored—hackers broke into Sony Pictures Entertainment network. The "Guardians of Peace" (GOP) group scooped up a vast amount of information, including employee social security numbers, company passwords, upcoming movies, sensitive email discussing Hollywood negotiations and decision-making, and how much people are getting paid.
GOP says they have sucked down nearly 100 terabytes of Sony corporate data and will continue to release company information unless "The Interview," a comedy about a plot to assassinate North Korean leader Kim Jong-un, is canceled. Financial information documenting corporate relationships and how much money the company has actual made on pictures could be damaging.
You can't make this up. One hopes Sony has the movie rights to its own turmoil.
Critics say that Sony's internal cybersecurity practices have been poor, while new reports claim the company has launched a distributed Denial of Service (DDoS) counterattack on GOP servers distributing Sony's dirty laundry. Back in 2005, Sony Pictures was raked over the coals for security weaknesses by an outside auditor.
Others note Sony BMG ended up distributing its own form of spyware back in 2005 through 22 million CDs as a measure to protecting its music. The Sony software deeply embedded itself into the operating system, infringed on copyright of open-source code, and was designed not to be easily uninstalled. Hackers used security holes created by the Sony code for their own purposes, causing further problems. A series of class action lawsuits forced Sony to withdraw CDs with the code and pay damages.
While one might be justified in a bit of schadenfreude at Sony's current circumstances—Hollywood is gleefully feasting upon every information disclosure—we should be more circumspect. The FBI isn't willing to point at North Korea, but the country's leader has motive, means, and opportunity. Is this a purely criminal matter or an act of state-sponsored terrorism?
If it is "terrorism," that would open the door for involvement beyond the FBI to include the National Security Agency (NSA) and the Department of Defense's U.S. Cyber Command. Given the "victim" is a single company without a threat to national infrastructure or resources, the U.S. military may be content to simply observe and monitor than get involved.
How do you punish a cyberattack of this nature? More importantly, how do you prevent attacks like this in the future?
There are no easy answers at the moment, only ironies. "Blackhat," a Michael Mann film about a convicted hacker released from jail to shut down a cybercrime network, arrives in theatres next month. The Sony-North Korea conflict over "The Interview" doesn't have the high-voltage intensity of a Michael Mann film, but it isn't unreasonable to start thinking about five minutes of security for every hour we start talking about code.
Edited by
Maurice Nagle
