I must be brief because my plate, today, is full. Earlier today, NPR broadcast a supremely irritating round table discussion on the alleged North Korean attack on Sony pictures. "Annoying" because every participant presumed as a given that NK was, in fact, the culprit -- and when asked how we can be sure of NK's guilt, one participant said, in essence, 'Because the government says so.'
North Korea isn't the only country in which the infallibility of Dear Leader is a given.
Now, it seems as though the United States has retaliated against the entire North Korean internet. It seems that NK has been hit with a massive distributed denial of service attack -- which will do exactly nothing to hurt most North Koreans, since so few have internet access.
this U.S. retaliation? See here
While many minds will immediately jump to the idea of retaliation by the United States, it’s worth noting that the international hacker’s group Anonymous has threatened action against North Korea for its actions against Sony. Additionally, as noted, the collapse that is being reported could be due to North Korea’s own efforts to disconnect its Internet connections in anticipation of retaliation from the outside world.
An interesting scenario, this. What if the cyber-war -- in both directions -- is being directed by non-state actors? What if outsiders are staging a North Korea/US war?
Talk about lulz!
Despite the presumptions of those smug panelists on NPR, many people still think that North Korea did not stage the Great Sony Hack. See here.
The Gawker piece at the other end of that link points to this post by security expert Marc Rogers, an analysis which we looked at in a previous post here on Cannonfire. Marc offers an updated viewpoint here.
The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

What the FBI is essentially saying here is that some of the IP addresses found while analyzing the malware samples and the logs of the attack have been used in the past by North Korea. To me, this piece of evidence is perhaps the least convincing of all. IP addresses are often quite nebulous things. They are addresses of machines connected to the Internet. They are neither good, nor bad.
The IP address is never what is interesting. It’s what’s running on the system that has that IP address that is interesting. Furthermore, to imply that some addresses are permanent fixtures used by North Korean hackers implies a fundamental misunderstanding of how the internet works and in particular how hackers operate.
For starters, hackers – at least the ones that want to stay out of jail – do NOT use their own machines or websites as staging points for operations. Instead, they hijack other vulnerable systems and route their traffic through them – and often many others – as a way to hide their origin. You know, IP addresses such as those belonging to hotels in Thailand, for example.
of the IP addresses shows that the trail does not point to NK. Here are the IP numbers:
220.127.116.11 – Thailand
18.104.22.168 – Poland
22.214.171.124 – Italy
126.96.36.199 – Bolivia
188.8.131.52 – Singapore
184.108.40.206 – Cyprus
220.127.116.11 – USA
These are all known proxies. Anyone can use a proxy.
At the end of the day, if these are all the IPs that the US is using as evidence that DPRK carried out this attack, I think it is pretty weak as evidence goes. The majority of these systems are proxies and known to be such, and the others are weak systems that have likely been compromised for use in this attack and maybe others, because hackers share a lot of these C&C boxes. They do so to muddy the waters, so to speak: the more groups using them, the more confusion can be sown.
The machine in NY is interesting in that it is still online. I would have thought that the authorities would want to take that into evidence but there it is, still online. Maybe they are still getting round to that...
Back to Marc:
So in conclusion, there is NOTHING here that directly implicates the North Koreans. In fact, what we have is one single set of evidence that has been stretched out into 3 separate sections, each section being cited as evidence that the other section is clear proof of North Korean involvement. As soon as you discredit one of these pieces of evidence, the whole house of cards will come tumbling down.
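To make the two objections above concrete (shared-use addresses say little about who used them, and several "pieces" of evidence that cite the same addresses are really one piece), here is a small evidence-scoring routine added for this post; it is not code from Marc Rogers, the FBI or anyone quoted here. The IPs and countries are the ones listed above; the "kind" labels, the per-kind weights and the three evidence items are constructed assumptions for the illustration.

```python
# Indicator catalogue: IP -> (country, kind). IPs and countries are from the
# post; the "kind" labels are constructed (the post calls these addresses
# known proxies or likely compromised hosts). The post lists 220.127.116.11
# twice (Thailand and USA); only one entry per address is kept here.
CATALOGUE = {
    "220.127.116.11": ("Thailand", "open_proxy"),
    "18.104.22.168": ("Poland", "open_proxy"),
    "22.214.171.124": ("Italy", "open_proxy"),
    "126.96.36.199": ("Bolivia", "compromised_host"),
    "188.8.131.52": ("Singapore", "open_proxy"),
    "184.108.40.206": ("Cyprus", "compromised_host"),
}

# Assumed weight per kind: how likely the address is used only by the suspected
# actor. Infrastructure anyone can use scores near zero; unknown stays low.
KIND_WEIGHT = {"open_proxy": 0.05, "compromised_host": 0.20,
               "unknown": 0.10, "dedicated": 0.60}


def distinct_indicators(evidence: dict[str, set[str]]) -> set[str]:
    """Collapse named evidence items to the underlying indicators.
    Three sections that all cite the same addresses count once."""
    return set().union(*evidence.values())


def redundancy(evidence: dict[str, set[str]]) -> float:
    """Citations per distinct indicator; 1.0 means no double counting."""
    cited = sum(len(v) for v in evidence.values())
    distinct = distinct_indicators(evidence)
    return cited / len(distinct) if distinct else 0.0


def confidence(ips: set[str]) -> float:
    """Noisy-OR over per-indicator weights: the chance that at least one
    address is genuinely exclusive to the suspected actor."""
    miss = 1.0
    for ip in ips:
        kind = CATALOGUE.get(ip, ("?", "unknown"))[1]
        miss *= 1.0 - KIND_WEIGHT[kind]
    return 1.0 - miss


if __name__ == "__main__":
    # Constructed evidence items mirroring the argument: each "section" of the
    # attribution rests on the same handful of proxy addresses.
    evidence = {
        "hardcoded_in_wiper": {"220.127.116.11", "18.104.22.168", "22.214.171.124"},
        "overlap_with_past_activity": {"220.127.116.11", "18.104.22.168"},
        "linked_to_dprk_infrastructure": {"18.104.22.168", "22.214.171.124"},
    }
    ips = distinct_indicators(evidence)
    print(f"{len(ips)} distinct addresses behind {sum(map(len, evidence.values()))} citations")
    print(f"redundancy {redundancy(evidence):.2f}, confidence {confidence(ips):.3f}")
```

Swapping even one address for a host no one else uses raises the score far more than adding more proxies does, which is the point: the number of corroborating sections matters less than how many independent, non-shared indicators sit underneath them.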
There's more. Here's a great round-up of the views offered by skeptics.
It isn’t that anyone is saying that North Korea didn’t do it. It is just that the information we have thus far doesn’t indicate that they did. Instead, it looks like the US government just wants it to be North Korea and the perpetrators want it to appear as though it is North Korea, and so everyone assumes it is North Korea. But other than that, there really is nothing.
What else can I add? After the Iraq war/WMD debacle, the "Uncle Sam says it, I believe it, and that settles it" argument doesn't have much power to persuade.