Besides reposting the notion that timestamps imply a USB2 file dump, I am seeing only speculation in this article and no "new data on attributing".
I would like to point out that any skilled unix developer can create a script in about an hour that can make any set of files appear to have been transferred using USB2.
Of course. Even more likely is that the timestamps aren't forged, but are merely a result of the attackers copying everything to some sort of local storage a few days before preparing the big dump to release to the public. It's possible that in reality the data was initially copied 3+ months ago. You can't rely on file timestamps as a sole mechanism of when the true "original" version of a file was created or modified. (This is "conclusion 2" from the post.)
This isn't really news at all, and I'm kind of surprised Schneier thought it was worthwhile enough to publish it. Look at how incredibly sensationalistic this article is, which Schneier cites as the primary source: http://www.4thmedia.org/2014/12/breaking-we-can-conclusively...
"BREAKING: We Can Conclusively Confirm North Korea Was NOT BEHIND Sony Hack", seriously?
I understand he just wanted to aggregate all the updates and commentary since his last post, but this is practically nothing and is just about bordering on FUD (I'd say "reverse-FUD" but that's not how it works, just like "reverse-racism" doesn't exist).
So far, no 3rd party has provided any strong evidence showing that North Korea either was or wasn't involved.
I have been faking date/timestamps on files contributed to both github and pause over the past 10 years. To me that information is private and I see no reason to give real dates out for files I put into the open source world.
I messed up once and set the date/times into the future by a bit and got a bug filed against my project when someone tried to merge my software into a mainline linux distro and had problems with the future date/times.
I don't know how many people have used this information for malicious purposes, but I can guarantee that I always think about it in any hacks I've been involved in.
Do note that file creation time in unix requires kernel level access and quite a bit of low level filesystem knowledge to truly forge. The easily changeable date/time is only access and modify times. If you are going to forge this data to remove tracks from real systems you will need to root the machine completely first. It's nontrivial.
Yeah the faked timestamps aren't new to me, it is the potential faking of copy speed that is interesting. To do that you would need to replicate the transfer order of the copy algorithm (cp in linux vs windows 95), and then modify each timestamp based on the prior file size in the ordered list. I've never heard of anybody doing this before.
That is a very good point; in my attempts previously I simply went alphanumerically but windows at the very least does not follow that rule when copying.
I think the easiest method would be to simply generate a bunch of files, do copies, and compare the datetime stamps with the theoretical values they should have. Once you can model the discrepancies generated in real life you can fake them.
You do make a good point that it isn't really mentioned in cybercrime books that I know of, but it seems like an obvious thing. Would be a fun chunk of code to publish on github; I'll look into it.
It really depends on your goals. If your goal is simply to fake the transfer speed in a tarball you leak, the easiest way would be load up a vm of the system you're spoofing - change the clock and somehow rate limit the copy. That wouldn't be nearly as fun though.
It is one of those things that appears obvious after you've been walked through it though. I've never been in a position where I needed to fake transfer speed though, so I'm not sure if I'd have thought about it. If it actually is an attempt to fake an insider attack, it is an impressive trick.
Rate limiting is not effective. Having copied many terabytes of data do/from usb devices, I can tell you that it is not a consistent throughput. The speed of transfer depends on an inverse square of the file size of sorts. ( sensitive to the block size on both devices I'm sure )
Try copying 100gb of 2k-200k files ( all randomly sized ) It's a huge pain in the butt and works terribly on every system I've tried to do this on.
It would be way more awesome to have a utility that can after the fact forge a scenario directly into an existing tarball. Then, you can simply pick a "model to emulate" and click go, and wham you have a forged tarball.
Even if you did use a VM, it would be slower imo than a real transfer due to both the emulated system and the usb passthrough ( which is typically limited to USB 2.0 ) Show me a VM that is capable of USB 3.0 passthrough with reasonable speeds.
Unless you truly forge the dates in a carefully modeled way, it would be possible to tell that it isn't a real transfer.
Speaking of which; who steals data using USB 2.0? That's dumb. Use a modern USB 3.0 external 2.5" SSD. If you must use something small, use a cheapo 256gb USB 3.0 drive. The throughput on those is not bad. If no USB 3.0 ports are available, bring your own PCI Ex USB 3.0 card and open the system and install it. The BIOS may have intrusion detection... so be aware...
It is much more likely than direct system transfer that data is leaked slowly through an un-monitored network channel ( DNS tunneling... email... etc ) Hence the need to make things appear to be local; to distract from looking for the real method of transfer.
When you get to the point where you are emulating the actual hardware in the spoof (seek time, etc), I think you've already fallen below the noise floor. It would be like a side channel attack on string comparison during hash checks, you would need a huge number of trials to tease out the signal. I wouldn't think it would be that difficult to fake a media speed constraint though - just pay attention to the clock and sleep when you're ahead of the target bitrate. You don't care if the speed is under, you just don't want it any higher than the max theoretical limit.
USB 3.0 shouldn't be a problem for VMs, just grant the guest PCI passthrough access to the USB controller. So you'd have to use something like Xen instead of Virtualbox.
My workstation doesn't have USB 3.0, so if I were to steal company data - it would be at USB 2.0 speed. Also, if I were already inside - I'd much rather do that than trying to be clever about getting it out over the network (which would be much slower and more likely to be logged).
"Do note that file creation time in unix requires kernel level access and quite a bit of low level filesystem knowledge to truly forge."
Timestamps are a mess on unix. POSIX doesn't support creation time but instead has ctime (change time). Newer filesystems add crtime but common utilities don't ever display crtime. Also partitions sometimes are mounted to not update atime for performance reasons.
crtime (and ctime) can be modified with root privileges without kernel access with debugfs.
Or you can go the ugly hackish way:
date -s $forgedate && touch tmp && date -s $realdate && cat original >> tmp && mv tmp original
Neither are elegant, but certainly not hard.
What's really hard to forensically cover up is the order of inodes on a filesystem. That file with forged timestamps to 2012 will still have an inode that looks much more recent.
It is the inode trail that I am referring to; not the simple forging of the dates ( which you could obviously do by just changing the date and duplicating the file as you've described ). Messing with the inodes is much more difficult.
These featured files presented as dated 2003 even though internal evidence (including references to software and fonts) showed that they could only have been created much later.
Faked timestamps are not uncommon, but I've never heard of somebody faking a transfer speed using fake timestamps. If anybody could point to a prior example, I'd certainly appreciate it. I wonder what other data can be extracted from that as well: like the file copy algorithm used for the transfer (the the files copied alphabetically, shallow, deep, etc)?
The bigger issue is that even if you accept the USB2 transfer, you can't make any real conclusions. Was the USB transfer from victim machine to external storage or from attacker machine to external storage.
There will be distinctly different patterns for the dates transferring in different ways. Suppose the source is a shared network drive. From share to external USB thumbdrive will have a different fingerprint than from external USB thumbdrive to single local SATA.
Also, you can likely detect what OS was used ( well Linux or Windows ) due to differences in copy order as well as speed.
In theory such analysis can be done on the Sony data and tell us something more interesting than is known so far.
I don't think there are any existing tools that analyze date stamps and determine anything quite on this level... Purely because it is rare to have such a huge such of files.
All I can think of is the FBI statement about how they in consultation with other federal agencies have conclusive evidence that the "hack" emanated from NK. I seriously hope that is rubbed in everyone's face if this turns out to be an insider action that almost and possibly even caused a cyber attack by the USA on a sovereign nation, no matter how much we have been trained not to like NK.
I think people should really consider that there was nothing but the intent to assist in the Sony PR campaign in the first place. The US Government is a corporation first and foremost, both on paper, and in action. They want to see all of their subsidiaries do well.
The way I see it, they're bending over backwards for the sake of profit and consumerism, as that boat is currently sinking.
> no matter how much we have been trained not to like NK.
I get that you're skeptical of the U.S. government. For good reason. But nobody needs to be trained to dislike NK (except, perhaps, North Koreans). Is your implication that NK isn't really so bad, and it's only a brainwashed reflex to think that it is? I, personally, really wish that were the case, for the sake of everyone who lives in NK. But it isn't.
There are things much worse than the U.S. government.
Edit: You might also want to reflect on why it is that you're so willing to doubt NK's responsibility for the attack on Sony, but apparently pretty eager to believe that the U.S. is behind the attack on NK. Is the evidence for the latter claim somehow stronger than the evidence for the former? I would have thought the opposite was true.
You do realize the US is doing or has done all of those inhumane actions attributed to NK? The proof is a simple Google search away. You might, instead, ask why you are so willing to immediately engage in such defensive argumentation in support of the US? Is it, perhaps, that you have been trained in a variety of ways to connote certain negative emotions with NK that you, however, do not connote with the US?
I'm sorry, but this lacks all perspective. We have, on occassion, done some of the same kind of things as NK, but not typically to the same extent, with the same level of brutality and control, let alone all at the same time, today.
When, for example, have we done this?
> The government practices collective punishment, sending to forced labor camps not only the offender but also their parents, spouse, children, and even grandchildren. These camps are notorious for horrific living conditions and abuse, including induced starvation, little or no medical care, lack of proper housing and clothes, continuous mistreatment and torture by guards, and executions. Forced labor at the kwan-li-so often involves difficult physical labor such as mining, logging, and agricultural work, all done with rudimentary tools in often dangerous and harsh conditions. Death rates in these camps are reportedly extremely high.
Or this?
> All media and publications are state controlled, and unauthorized access to non-state radio or TV broadcasts is punished. North Koreans are punished if found with mobile media such as DVDs or computer ‘flash drives’ containing unauthorized TV programs, such as South Korean drama and entertainment shows.
Or this?
> North Korea criminalizes leaving the country without state permission.
Or this?
> people arrested in North Korea are routinely tortured by officials seeking confessions, bribes, and obedience. Common forms of torture include sleep deprivation, beatings with iron rods or sticks, kicking and slapping, and enforced sitting or standing for hours. Guards also sexually abuse female detainees.
(Yes, I realize we have done some of these things to CIA detainees overseas, which is truly terrible. But we're talking here about all arrest in NK.)
Or this?
> Forced labor is essentially the norm in the country, and workers are systematically denied freedom of association and the right to organize and collectively bargain.
Well there was the cop that extorted an arrested woman into giving him nudes, seizing the houses of the parents of people arrested for minor drug crimes, using children as leverage in civil asset forfeiture, solitary confinement, tacit approval of prison rape as reformatory, prison labor and private prisons, and the murders of union organizers...
Yeah. All that is bad. The U.S. needs some work. We agree on that. But read that NK human rights report again... I'm not sure you'll see anything in there about, for example, the behavior of a single cop. What's going on in NK is on an entirely different scale.
Faulty intel about nation-state actions as a precursor to intervention has been proven to be an unsuccessful long-term strategy. Examples are left as an exercise to the reader. Questioning assertions should be commended, for the truth doesn't fear investigation.
First, what evidence? Second, the USG has demonstrated the fact that it cannot be trusted to tell the truth. That has been the funniest thing about the whole Snowden story, the cycle of lies and spin when the lie is exposed by an additional leak the following day. Third, Obama publicly threatened retaliation - so a hasty cyberattack by the USG isn't far fetched at all.
You are jumping to conclusions. Don't get me wrong, I am very greatful for what my government (USA) contributes to the world and does. I think it's just that I have very high expectations and am a principled person that believes in honesty with oneself and the world around us.
I know that NK is bad, but I also know that there are worse places, worse places even right on our door step and even within our own house that really demand and should be getting far more attention than some hermit kingdom that is rather inconsequential on a practical level.
I am "so quick" to doubt that NK has anything to do with it not based on some irrational assumption, but rather that the whole damn thing sounded and felt rather fishy from the get-go and there has just been more and more support and substantiated doubts that it was a NK originated attack.
That it might have emanated from NK, and been an insider job, are not mutually exclusive concepts. For example an North Korea operative could have paid someone in Sony to open the right door.
This is the correct response to this meme. The hacks are far too damaging to be viral marketing.
That said, there can be no denying that Sony turned lemons into lemonade, and milked this attack for all the awareness it could possibly get.
I saw "MPAA cyberterrorism experts" on CNN, I saw CNN commentators say that in the interest of free speech, it was every American's patriotic duty to see this film.
This was happening in the context of Project Goliath, and threatened legal action against twitter and individual users for posting the leaks.
No, he also posted the timecodes from the torrent, which imply the data was transferred at USB 2.0 speeds. This data can indeed be verified with the torrent.
I agree with your criticism of naming former executives. But Schneier also expresses his skepticism towards this viewpoint, and merely states that the data transfer speeds do seem to support the "inside job" argument.
He continues to say that he still doesn't buy the "inside job" theory.
I deleted my last post which came out snarkier than I meant it.
The point I meant to get at was that the timecode analysis which was featured is not just claimed by Charles Johnson, but rather is in the torrents released by GOP.
I don't have any problem with Schneier referencing this article.
The most important data on attributing the Sony attack might be out-of-band data: data that has been collected and analyzed totally separately from the data involved in the attack itself.
There's no question that the U.S. and allies are heavily invested in surveilling and analyzing everything that the North Korean government does, so they would have a lot of opportunity to collect such data. And if they did, it's not likely that they would publish one bit of it.
I think the firmness of the U.S. statement that it was North Korea, combined with the waffling on the execution details (maybe they outsourced some of the hacking, maybe not) points pretty clearly to out-of-band data. They would know who to blame, but not necessarily every detail of how the attack was conducted.
For everyone else out here in non-classified land, trying to analyze the attack using only the data that the attackers themselves leaked is going to be tough, because the attackers have total control about what data we see. They can redact and obfuscate to their hearts' content before releasing it.
> the very same day that Sony Pictures' head of corporate communications, [... name removed by rbobby ...], publicly resigned from a $600,000 job. This could be a coincidence but it seems unlikely.
So Schneier is repeating GotNews' (Charles C. Johnson) accusation that this fellow is connected to a serious set of crimes. All on the basis that a portion of these crimes appear to have happened on the same day the alleged conspirator resigned from his job.
Pretty outrageous behavior. Especially since the FBI has has identified NK as responsible. It's worth noting that the FBI had access to _ALL_ the available data and has presumably investigated any employees known to have left recently on bad terms (i.e. the FBI did a professional job of investigation).
All the bullshit speculation as to why the FBI is wrong has been based solely on crumbs of publicly available data/information. The underlying premise is that the FBI is utterly incompetent and unable to investigate a crime of this nature. That doesn't pass Occam's Razor let alone any kind of smell test.
> That doesn't pass Occam's Razor let alone any kind of smell test.
Really? So North Korea launching a cyber attack in order to prevent the release of a stupid movie seems like a plausible story to you? Of course the story is a moving target, as they are now hedging with the whole foreign contracted hacker angle... Do you think they conducted a "professional job of investigation" before blaming North Korea? Do you think that they'd change their position on the matter even after discovering evidence that they were wrong? Keep in mind, Obama quickly restated their claims and threatened retaliation.
> The underlying premise is that the FBI is utterly incompetent and unable to investigate a crime of this nature.
No, there's lots of different things that could be happening. The FBI could have said it was North Korea to save face. As @thegrugq (who, by the way, is one of three security researchers who I can find who believes it was North Korea) suggests, the NSA could have investigated, discovered the culprit was DPRK, and then just informed the FBI. The FBI could also be incompetent.
But lets bear in mind that this is the same organization that blackmailed MLK and told him to kill himself, launched the COINTELPRO program, started fires at Waco, spied on Elvis Presley, Frank Sinatra, John Denver, John Lennon, Jane Fonda, Groucho Marx, Charlie Chaplin, MC5, Lou Costello, Sonny Bono, Bob Dylan, Michael Jackson, and Mickey Mantle, and three years ago used a chainsaw to break into a house before realizing that it was the wrong house.
So you'll forgive me if I'm skeptical of the organization's claims.
PS. If you have any other 3rd party security researchers who believe the FBI's claims, I'd be happy to add them to my list.
The list could go on for quite a while, but this reminds me more of their handling of the anthrax attacks. Pinning the attacks on Bruce Ivins after driving him to suicide. It is pretty difficult finding anybody who actually agrees with the FBI on that one.
Criminal investigations are tough enough, but when you are trying to catch somebody who is intelligent and doesn't want to be caught - it is pretty close to impossible. Couple that with political pressure and you get the present state, where it is much easier either create a boogieman (giving phony detonators to unstable people) or just piling more blame on those that can't defend themselves (dead men, hermit kingdoms).
Also, I'm surprised that the Secret Service isn't mentioned in all this - they've traditionally been much better equipped to handle computer related crime. This is an area that the FBI has always really sucked at.
43 comments
[ 3.9 ms ] story [ 95.7 ms ] threadI would like to point out that any skilled unix developer can create a script in about an hour that can make any set of files appear to have been transferred using USB2.
This isn't really news at all, and I'm kind of surprised Schneier thought it was worthwhile enough to publish it. Look at how incredibly sensationalistic this article is, which Schneier cites as the primary source: http://www.4thmedia.org/2014/12/breaking-we-can-conclusively...
"BREAKING: We Can Conclusively Confirm North Korea Was NOT BEHIND Sony Hack", seriously?
I understand he just wanted to aggregate all the updates and commentary since his last post, but this is practically nothing and is just about bordering on FUD (I'd say "reverse-FUD" but that's not how it works, just like "reverse-racism" doesn't exist).
So far, no 3rd party has provided any strong evidence showing that North Korea either was or wasn't involved.
I messed up once and set the date/times into the future by a bit and got a bug filed against my project when someone tried to merge my software into a mainline linux distro and had problems with the future date/times.
I don't know how many people have used this information for malicious purposes, but I can guarantee that I always think about it in any hacks I've been involved in.
Do note that file creation time in unix requires kernel level access and quite a bit of low level filesystem knowledge to truly forge. The easily changeable date/time is only access and modify times. If you are going to forge this data to remove tracks from real systems you will need to root the machine completely first. It's nontrivial.
I think the easiest method would be to simply generate a bunch of files, do copies, and compare the datetime stamps with the theoretical values they should have. Once you can model the discrepancies generated in real life you can fake them.
You do make a good point that it isn't really mentioned in cybercrime books that I know of, but it seems like an obvious thing. Would be a fun chunk of code to publish on github; I'll look into it.
It is one of those things that appears obvious after you've been walked through it though. I've never been in a position where I needed to fake transfer speed though, so I'm not sure if I'd have thought about it. If it actually is an attempt to fake an insider attack, it is an impressive trick.
Try copying 100gb of 2k-200k files ( all randomly sized ) It's a huge pain in the butt and works terribly on every system I've tried to do this on.
It would be way more awesome to have a utility that can after the fact forge a scenario directly into an existing tarball. Then, you can simply pick a "model to emulate" and click go, and wham you have a forged tarball.
Even if you did use a VM, it would be slower imo than a real transfer due to both the emulated system and the usb passthrough ( which is typically limited to USB 2.0 ) Show me a VM that is capable of USB 3.0 passthrough with reasonable speeds.
Unless you truly forge the dates in a carefully modeled way, it would be possible to tell that it isn't a real transfer.
Speaking of which; who steals data using USB 2.0? That's dumb. Use a modern USB 3.0 external 2.5" SSD. If you must use something small, use a cheapo 256gb USB 3.0 drive. The throughput on those is not bad. If no USB 3.0 ports are available, bring your own PCI Ex USB 3.0 card and open the system and install it. The BIOS may have intrusion detection... so be aware...
It is much more likely than direct system transfer that data is leaked slowly through an un-monitored network channel ( DNS tunneling... email... etc ) Hence the need to make things appear to be local; to distract from looking for the real method of transfer.
USB 3.0 shouldn't be a problem for VMs, just grant the guest PCI passthrough access to the USB controller. So you'd have to use something like Xen instead of Virtualbox.
My workstation doesn't have USB 3.0, so if I were to steal company data - it would be at USB 2.0 speed. Also, if I were already inside - I'd much rather do that than trying to be clever about getting it out over the network (which would be much slower and more likely to be logged).
Timestamps are a mess on unix. POSIX doesn't support creation time but instead has ctime (change time). Newer filesystems add crtime but common utilities don't ever display crtime. Also partitions sometimes are mounted to not update atime for performance reasons.
crtime (and ctime) can be modified with root privileges without kernel access with debugfs.
Or you can go the ugly hackish way: date -s $forgedate && touch tmp && date -s $realdate && cat original >> tmp && mv tmp original
Neither are elegant, but certainly not hard.
What's really hard to forensically cover up is the order of inodes on a filesystem. That file with forged timestamps to 2012 will still have an inode that looks much more recent.
http://balyozdavasivegercekler.com/2012/10/04/dani-rodrik-di...
These featured files presented as dated 2003 even though internal evidence (including references to software and fonts) showed that they could only have been created much later.
Also, you can likely detect what OS was used ( well Linux or Windows ) due to differences in copy order as well as speed.
In theory such analysis can be done on the Sony data and tell us something more interesting than is known so far.
I don't think there are any existing tools that analyze date stamps and determine anything quite on this level... Purely because it is rare to have such a huge such of files.
The way I see it, they're bending over backwards for the sake of profit and consumerism, as that boat is currently sinking.
I get that you're skeptical of the U.S. government. For good reason. But nobody needs to be trained to dislike NK (except, perhaps, North Koreans). Is your implication that NK isn't really so bad, and it's only a brainwashed reflex to think that it is? I, personally, really wish that were the case, for the sake of everyone who lives in NK. But it isn't.
There are things much worse than the U.S. government.
http://www.hrw.org/world-report/2014/country-chapters/north-...
Edit: You might also want to reflect on why it is that you're so willing to doubt NK's responsibility for the attack on Sony, but apparently pretty eager to believe that the U.S. is behind the attack on NK. Is the evidence for the latter claim somehow stronger than the evidence for the former? I would have thought the opposite was true.
When, for example, have we done this?
> The government practices collective punishment, sending to forced labor camps not only the offender but also their parents, spouse, children, and even grandchildren. These camps are notorious for horrific living conditions and abuse, including induced starvation, little or no medical care, lack of proper housing and clothes, continuous mistreatment and torture by guards, and executions. Forced labor at the kwan-li-so often involves difficult physical labor such as mining, logging, and agricultural work, all done with rudimentary tools in often dangerous and harsh conditions. Death rates in these camps are reportedly extremely high.
Or this?
> All media and publications are state controlled, and unauthorized access to non-state radio or TV broadcasts is punished. North Koreans are punished if found with mobile media such as DVDs or computer ‘flash drives’ containing unauthorized TV programs, such as South Korean drama and entertainment shows.
Or this?
> North Korea criminalizes leaving the country without state permission.
Or this?
> people arrested in North Korea are routinely tortured by officials seeking confessions, bribes, and obedience. Common forms of torture include sleep deprivation, beatings with iron rods or sticks, kicking and slapping, and enforced sitting or standing for hours. Guards also sexually abuse female detainees.
(Yes, I realize we have done some of these things to CIA detainees overseas, which is truly terrible. But we're talking here about all arrest in NK.)
Or this?
> Forced labor is essentially the norm in the country, and workers are systematically denied freedom of association and the right to organize and collectively bargain.
First, what evidence? Second, the USG has demonstrated the fact that it cannot be trusted to tell the truth. That has been the funniest thing about the whole Snowden story, the cycle of lies and spin when the lie is exposed by an additional leak the following day. Third, Obama publicly threatened retaliation - so a hasty cyberattack by the USG isn't far fetched at all.
I know that NK is bad, but I also know that there are worse places, worse places even right on our door step and even within our own house that really demand and should be getting far more attention than some hermit kingdom that is rather inconsequential on a practical level.
I am "so quick" to doubt that NK has anything to do with it not based on some irrational assumption, but rather that the whole damn thing sounded and felt rather fishy from the get-go and there has just been more and more support and substantiated doubts that it was a NK originated attack.
That said, there can be no denying that Sony turned lemons into lemonade, and milked this attack for all the awareness it could possibly get.
I saw "MPAA cyberterrorism experts" on CNN, I saw CNN commentators say that in the interest of free speech, it was every American's patriotic duty to see this film.
This was happening in the context of Project Goliath, and threatened legal action against twitter and individual users for posting the leaks.
[1] my comment when this "source" was posted to HN (before it was flagged for removal): https://news.ycombinator.com/item?id=8789341
Yes, I know that Chuck Johnson (http://gawker.com/what-is-chuck-johnson-and-why-the-web-s-wo...) is unreliable and worse. But in this case, I thought the data sound enough to republish.
After reading that article.. why would he believe anything from this guy?
For transparency's sake, my post was (from memory):
> The data is publically available on torrents.
>
>You could easily prove Schneier wrong.
I agree with your criticism of naming former executives. But Schneier also expresses his skepticism towards this viewpoint, and merely states that the data transfer speeds do seem to support the "inside job" argument.
He continues to say that he still doesn't buy the "inside job" theory.
The point I meant to get at was that the timecode analysis which was featured is not just claimed by Charles Johnson, but rather is in the torrents released by GOP.
I don't have any problem with Schneier referencing this article.
There's no question that the U.S. and allies are heavily invested in surveilling and analyzing everything that the North Korean government does, so they would have a lot of opportunity to collect such data. And if they did, it's not likely that they would publish one bit of it.
I think the firmness of the U.S. statement that it was North Korea, combined with the waffling on the execution details (maybe they outsourced some of the hacking, maybe not) points pretty clearly to out-of-band data. They would know who to blame, but not necessarily every detail of how the attack was conducted.
For everyone else out here in non-classified land, trying to analyze the attack using only the data that the attackers themselves leaked is going to be tough, because the attackers have total control about what data we see. They can redact and obfuscate to their hearts' content before releasing it.
So Schneier is repeating GotNews' (Charles C. Johnson) accusation that this fellow is connected to a serious set of crimes. All on the basis that a portion of these crimes appear to have happened on the same day the alleged conspirator resigned from his job.
Pretty outrageous behavior. Especially since the FBI has has identified NK as responsible. It's worth noting that the FBI had access to _ALL_ the available data and has presumably investigated any employees known to have left recently on bad terms (i.e. the FBI did a professional job of investigation).
All the bullshit speculation as to why the FBI is wrong has been based solely on crumbs of publicly available data/information. The underlying premise is that the FBI is utterly incompetent and unable to investigate a crime of this nature. That doesn't pass Occam's Razor let alone any kind of smell test.
Really? So North Korea launching a cyber attack in order to prevent the release of a stupid movie seems like a plausible story to you? Of course the story is a moving target, as they are now hedging with the whole foreign contracted hacker angle... Do you think they conducted a "professional job of investigation" before blaming North Korea? Do you think that they'd change their position on the matter even after discovering evidence that they were wrong? Keep in mind, Obama quickly restated their claims and threatened retaliation.
No, there's lots of different things that could be happening. The FBI could have said it was North Korea to save face. As @thegrugq (who, by the way, is one of three security researchers who I can find who believes it was North Korea) suggests, the NSA could have investigated, discovered the culprit was DPRK, and then just informed the FBI. The FBI could also be incompetent.
But lets bear in mind that this is the same organization that blackmailed MLK and told him to kill himself, launched the COINTELPRO program, started fires at Waco, spied on Elvis Presley, Frank Sinatra, John Denver, John Lennon, Jane Fonda, Groucho Marx, Charlie Chaplin, MC5, Lou Costello, Sonny Bono, Bob Dylan, Michael Jackson, and Mickey Mantle, and three years ago used a chainsaw to break into a house before realizing that it was the wrong house.
So you'll forgive me if I'm skeptical of the organization's claims.
PS. If you have any other 3rd party security researchers who believe the FBI's claims, I'd be happy to add them to my list.
Criminal investigations are tough enough, but when you are trying to catch somebody who is intelligent and doesn't want to be caught - it is pretty close to impossible. Couple that with political pressure and you get the present state, where it is much easier either create a boogieman (giving phony detonators to unstable people) or just piling more blame on those that can't defend themselves (dead men, hermit kingdoms).
Also, I'm surprised that the Secret Service isn't mentioned in all this - they've traditionally been much better equipped to handle computer related crime. This is an area that the FBI has always really sucked at.