Is the NSA Responsible for N. Korea’s Hack of Sony Pictures?

By Juan Cole | —

In all the discussions of what is alleged to be North Korea’s horrible cyber-vandalism against Sony Pictures, I haven’t seen anyone bring up a key issue: The National Security Agency has been for two decades a powerful behind-the-scenes lobby for weak internet encryption and privacy protocols.

I don’t know enough of the details of how Sony was hacked to be able to prove that specific weaknesses derived from the NSA anti-privacy lobbying and bribing. But it is certainly the case that the US government is implicated in exposing millions of consumers to such invasions of privacy.

Just this year, I wrote of a Reuters story:

Reuters gets the scoop: the National Security Agency gave internet security firm RSA some $10 million to use an NSA encryption formula in its BSafe software. RSA is now a subsidiary of the EMC corporation, and they have urged customers not to use BSafe since the revelations by Edward Snowden made clear that the NSA’s formula in fact allowed the agency access to all the information supposedly encrypted with it.

This story should be a huge scandal, but I fear it won’t be. This is like the FDA paying a pharmaceutical company to carry a drug that does not work and could therefore leave patients open to dying from an untreated illness after taking medication they are assured will cure it. If the NSA could exploit weaknesses in the encryption formula, so could hackers. The NSA subverted the will of millions of customers around the world who used RSA software precisely in a quest to be safe from the prying eyes of government officials and other peeping Toms.

Moreover, the $10 million has to be seen as a bribe (it was a third of that RSA’s income that year). Isn’t it illegal for government officials to bribe private companies? Isn’t it moreover illegal for intelligence officials to give out money like candy to a private company in order to spy on Americans on American soil?

I’d like to know what NSA official or officials were involved in this sting operation on the American people. I’d like to know if Barack Obama knew about it. I’d like to know if the corporate officials who accepted the “contract” with these strings attached knew they were screwing us all over.

This Reuters story makes sense of the allegation emerging from the Snowden leaks three months ago that the NSA had spent $250 million on keeping access to encrypted data by working with firms that provided encryption services. Presumably they have just been ensuring that no one’s encryption formula actually shields things from them.

Increasingly, firms and governments abroad would be crazy to buy encryption products from American companies. Likewise, getting cloud services from US corporations is a way to ensure that the US government can steal your trade secrets.”

And here is Pratap Chatterjee:

“There are three broad ways that these software companies collaborate with the state: a National Security Agency program called “Bullrun” through which that agency is alleged to pay off developers like RSA, a software security firm, to build “backdoors” into our computers; the use of “bounty hunters” like Endgame and Vupen that find exploitable flaws in existing software like Microsoft Office and our smartphones; and finally the use of data brokers like Millennial Media to harvest personal data on everybody on the Internet, especially when they go shopping or play games like Angry Birds, Farmville, or Call of Duty.”

ProPublica has also been reporting on how the NSA systematically and determinedly more or less broke the internet with regard to privacy. Hollywood executives are going back to faxing things instead of emailing them, and that might be a good idea for everyone.

So when Barack Obama urges Sony executives to stand firm, and when Sen. Lindsey Graham (R-SC) rattles sabers at North Korea, we should remember that this “act of war,” as some term Pyongyang’s hacking of Sony, was probably made possible by the baleful effect on the internet of… the US government, because it wants to be able to do to whoever it pleases what North Korea just allegedly did to Sony.

—-

Related video added by Juan Cole:

The National: “North Korea suffers internet outages in wake of Sony hacking attack”

16 Responses

  1. Any technology manager worth anything knows all too well to never use commercial encryption software because the probability that commercial encryption software has been compromised is close to 100%.

    The best encryption software to use is from the Open Source community where the source code is readily available and openly discussed. Any attempt to sneak in a “back door” is quickly discovered and eliminated.

    This is why all the governments on earth hate for non-governmental organizations to use open source encryption (but the governments themselves do use it to ensure their own secrets are kept secret). Once Google discovered that their private fibre links between data centers were being read by the NSA, they put very strict open source encryption in place to keep their data private.

    The best encryption software comes from outside the USA where people have a justifiable fear of their own governments – US companies trust the US government too much.

    • It’s not that US companies trust the US government too much. They work hand in hand with the government. All their protestations are just an act to maintain the appearance of independence. The government has co-opted all the companies. They give the government what it wants because the government portrays it as their patriotic duty–they’re doing it for their country.

  2. Juan – it’s even worse than that. Their (and no doubt my own CSE’s version of) Tailored Access Operations demand a steady supply of zero-day faults, meaning the NSA searches for undiscovered security flaws in software and instead of informing the authors of the problem and then releasing details once a patch is available (i.e. following the standard good-faith approach to these issues), it stores away the details for possible use in its own attacks. That’s probably billions of dollars of smart-person salary spent to *not* fix security flaws.

  3. Truly an upsetting revelation re the poor encryption and the reasons for it , but why the use of the word “responsible” in the header? That makes one believe there was more culpability on the part of the NSA than simply using poor encryption. A thief who robs an ATM user is responsible for the theft, not the bank that constructed the ATM on a street corner.

  4. Professor Cole and with all due respect – North Korea has tenuous connection with the internet, mainly via China. According to cia dot gov , North Korea receives international communications via one Intelsat satellite link and another from a Russian satellite. The latest fiber-optic and microwave connections are made through China, primarily and to a much lesser extent via Russia.

    The U.S. has formally requested assistance from China in this matter.

    This instance of apparent nationalistic techno vandalism against a multinational corporation most likely was transported via Chinese bandwidth who may be embarrassed by an unwitting part in the ”Sony Hack.” And China is the most capable to greatly diminish North Korea services as is the situation, currently.

    Yes, the NSA is loathe-worthy, brazenly unconstitutional and increasingly funded by every Congress since The infamous Reagan Executive Order but the NSA is primarily interested in listening to AMERICAN CITIZENS. The fact the techno vandalism occurred without NSA scrutiny would indicate it came via assets not readily available to the NSA.

    This speculation is much more likely??

  5. Take 9/11. Didn’t I read that Bilkowski prohibited the FBI from getting the heads up? That’s inter-agency competition that’s counterproductive. Clearing up that problem obviates the need for 99% of the back doors on everyone everywhere. Then too, there’s 5 million gov employees with highest security clearance. Bad odds?

    Spyguy, I’m just a prole and keep trying to understand open source. My idea is that, eg, with open source encryption the keys still stay secret. But, say, Target would have to have trustworthy people at all sender ends and all receiver ends. And I suppose that that means they’re well paid? So, therein lies the problem? Thanks to you and thank you, John.

    Some sources say anonymous is gonna assist release of Interview, and some say they’re disputing that NK did the hack. IMO the whole movie project is insane. There must be a huge contingent of symbolic analysts in Hollywood who don’t comprehend the concept of nukes delivered via ICBMs.

  6. Thank you. I’ve been thinking about the same thing, the lack of reporting about US government efforts to water down security for everybody but themselves. A key part of the story.

    Just read Bruce Schneier, an independent computer security expert, and he is not at all convinced that the North Korean government is behind the hack. I also have my doubts.

    • “Just read Bruce Schneier, an independent computer security expert, and he is not at all convinced that the North Korean government is behind the hack. I also have my doubts.”

      Bingo! This movie and the Sony hack look like the perfect black-flag psy-op. Can the NSA prove they didn’t do it?

      • I doubt it’s a black flag attack – it seems far more of a “round up the usual suspects” blame game.

        Pretty much any hacktivist type could have targeted North Korea using, say, the network time protocol security hole:

        A vulnerability in the “monlist” feature of ntpd can allow remote attackers to cause distributed denial of service attack (DDoS) via forged requests. US-CERT and the Canadian Cyber Incident Response Center (CCIRC) have both observed active use of this attack vector in recent DDoS attacks.
        Source: US-CERT website

        The North Korean government may or may be involved – but the rush to publicly blame them seemed so politically convenient that it raises my suspicions.

        Regardless, perhaps someone should put some money into real Internet security? I realize the NSA loves the ability to snoop through our underwear drawers for tasty secrets, and wants to maintain the ability to attack other nations infrastructure through known security holes. However, it’s a bit too much like spending all one’s defense funding on bombers while blocking research into better air defense systems. One hopes that this era is coming to a close, and that people will start securing their networks.

        • What was that security hole in NTP? I ported NTP to a router years ago and was impressed by its suspicion of time authorities, but also by its near total lack of internal code documentation, as though the author didn’t want anyone to follow the core algorithms very closely. If that was due to a planted bug I would not be surprised.

        • OK, I see your link to the documents. The reflected DOS problem was only on NTP servers.

  7. There has been a lot of talk on TV news about this movie and the hack attack, but what I’ve seen has not been very informative. It verges on propaganda at times. The internet has provided somewhat more information. For example, the Daily Beast reported that at least two government officials screened a rough cut and approved the film (link below), evidently with some hopes that it might incite regime change. If so, perhaps NK’s intense reaction is not entirely surprising. It seems a naive strategy on the part of the U.S. Beyond that, I don’t understand why our government would want to have the CIA portrayed as an agency that tries to arrange the assassination of foreign leaders. I recall when President Ford banned the CIA from more such efforts, after the nation concluded that it was not well served by such a policy. Based on recent revelations, it would seem that we have forgotten what was learned then.

    link to thedailybeast.com

    • The idea that government officials thought a movie could initiate regime change in North Korea sounds more like studio-generated buzz than reality.

      • Google “CIA regime change schemes” before drawing any conclusions about that, maybe? One really big dumb one, that we ordinary people will be paying for forever, was “Operation Iraqi Freedom Fiefdom,” and there’s that concerted sustained attack on Castro’s beard…

  8. Some media re-broadcast the content of private mail and call it ‘revelations’, as if this kind of privacy invasion were journalism. Snowden and wikileaks revealed information about our government that we should know. The content of the Sony hacks ,however, should be ignored. But the media need to feed our boundless hunger for gossip. The millions of consumers of entertainment news are responsible for many invasions of privacy.

    • I understand that the leaks included internal business data. This is something Hollywood might have good reason to hide, because there has long been suspicion of studio corruption and misreporting of earnings. James Garner and Cliff Robertson were two activist actors who took on crooked studio contracts that promised profit shares to actors, but then rigged the books so that there would never be a “profit”. Maybe investors would like to know how much of their money really goes up the noses of brain-damaged studio execs who spend a hundred million $ each on all the awful movies we always complain about. Maybe minorities complaining about their depiction in movies would like to know that Sony execs are racist pigs in private.

Comments are closed.