The IT Nerd

As you likely know by now, Sony Pictures has pulled the plug on a Christmas Day release of “The Interview” because of the rather epic hack and threats directed towards anyone who dares to show the film. According to some, the hack was carried out by North Korea, but that is almost secondary to the fact that Sony has decided to pull the plug on this film. In my view, this is a severe over reaction for the two reasons.

First, Sony got hacked because their network security was substandard and they ignored signs that they were a target as I pointed out here. In fact, I found this article that shows that Sony as an organization has been getting “pwned” by hackers since 2005. Thus, I submit that this is not the act of some super sophisticated group of hackers. Instead, it was likely a group of people with moderate amounts of skill who were able to walk in the metaphorical front door, seeing as it was wide open, and cause havoc. So while I feel sorry for Sony, they should of seen this coming and protected themselves against it. Related to this, Sony calls this hack “cyber-terrorism.” I have a problem with that term as these hackers simply embarrassed Sony by leaking some caustic e-mails and a script for the next James Bond movie among other things. They didn’t cause planes to crash nor did they shut down the power grid or anything like that as those are the sorts of things that I would associate with “cyber-terrorism.” So calling  this hack “cyber-terrorism” seems to be an over the top attempt by Sony to play the victim card.

Second, whomever “The Guardians Of Peace” are, they have shown no sign that they are capable of carrying out the “9/11” style threats that they leveled against anyone who showed this film. Now I get that Sony was likely afraid of something similar to what happened when The Dark Knight Rises opened in Colorado. But that movie wasn’t cancelled when that incident took place. In fact, I would argue that Sony has set a very dangerous precedent by caving to this group who until very recently nobody has heard of as it will only embolden groups like it to do the same thing in the future, thus making others less safe.

What really needs to happen here is that “The Interview” needs to come out. People then need to see it so that Sony can send a collective “f**k you” to the people who did this. Why? Just take a look at the response to the Parliament Hill shootings not too long ago. As soon as it was practical, everyone from politicians to everyday people went to Parliament Hill to send this message to anyone who wanted to do something like that: We will not be intimidated, we will not bend, we will not break and we are not afraid. By over reacting, Sony has sent the opposite message by saying that they will be intimidated, they will bend, they will break and that they are afraid. I guarantee, this will come back to haunt us, all of us. Because there will be a next time, and it will be worse now that the evil doers out there who do things like this know exactly what buttons to push to get us to cave.

This just keeps getting better and better…. Unless you’re working for Sony Pictures. Apparently, they were hacked before and didn’t tell anyone about it. Here’s the details from Forbes:

An email from Courtney Schaberg, VP of legal compliance at Sony Pictures, to general counsel Leah Weil, dated 16 January 2014, reported a compromise of the Sonypictures.de site. The website was swiftly taken down after it emerged the site had been hacked to serve up malware to visitors. Schaberg also expressed concern that email addresses and birthdates for 47,740 individuals who signed up to the site’s newsletter had been accessed by the attacker.

On Friday 17 January 2014, Schaberg told Weil that it was unclear whether personal information had been taken as an investigation by a third party would not start until the following Monday, but it was unlikely Sony would disclose the breach publicly. “At this point, if PI [personal information] was accessed, it does not look like there would be a breach notification obligation to inform individuals. We should, however, inform our data protection officer in Germany, with whom we work on a regular basis. We will likely inform him of the incident tomorrow and will plan to work with him to develop an investigation strategy for next week,” the email read.

In the same email, Schaberg talks about the PR response of Sony. The strategy was simple: don’t talk about the attack. One user, who was likely warned about malware on the site by their browser, made a comment about the issue on the local Facebook page, Schaberg noted. “The strategy at this point is not to remove the comment and not to comment ourselves,” she added. Forbes could not find such a comment on the Sony Pictures Germany page.

The following day, Schaberg noted Sony had slightly changed tack on to whom it would divulge information on the breach. “When we have more facts, we will evaluate how to notify the German DPO, which we determined not to do today given (i) that we do not yet know if there was PI involved, (ii) the limited types of PI potentially involved, and (iii) the fact that the PI was stored on a server separate from the infected server.  With additional facts, we will also determine whether to notify individuals and/or the Berlin DPA,” her email read.

Well. That does not inspire confidence. Neither does this:

But the leaks continue to reveal breaches of Sony’s defences. Previously reported leaks have already uncovered a hack from February that exposed data of 749 “individuals associated with theaters in Brazil”, which Sony also decided not to disclose, as well as some notable gaps in Sony Pictures’ security that meant it was blind to the status of 17 per cent of devices on one of its networks.

So in other words, Sony Pictures was just asking for something like this to happen to them. If I had any sort of business relationship with Sony Pictures, I’d be very, very concerned. Clearly, this is one of these situations where someone in government needs to hit Sony Pictures hard from a legal standpoint as they clearly need to be taught a lesson.

The hits keep on coming for Sony, and not in a good way. I woke up to the news that the PlayStation Network was possibly hacked this morning. Global News was reporting that it was down for two hours but is now up and running. An investigation is ongoing. This is hot on the heels of the Sony Pictures hack which also had threats e-mailed to Sony Pictures employees. To add to the fun, speculation abounds that North Korea who allegedly has an army of hackers at its disposal was behind the hack because of their displeasure over the upcoming comedy film “The Interview” which is being put out by Sony and spoofs the North Korean regime. But over the weekend, they denied that they were. However they did call it a “righteous deed.”

Take it from me. There’s more to this story to come.

Some disturbing news just got my attention and it underlines why this was the worst hack ever. Here’s what news.com is reporting:

Threatening email have been sent to Sony Pictures employees and their families after a massive breach of Sony’s computer network, the FBI confirmed late Friday.

While the FBI confirmed it is investigating threatening emails sent to Sony Pictures employees, it declined to elaborate. “We’re not confirming the details of the threat,” the FBI said in a statement.

The emailed threats say in part: “Many things beyond imagination will happen at many places of the world… Please sign your name to object the false of the company at the email address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.” The text of the email was first reported by Variety.

Sony declined to comment on the emails.

Well. This is a plot twist that I wasn’t expecting. Still, when someone steals all sorts of personal information, you can expect that something really bad will be done with it. And this qualifies as really bad. I don’t think I have ever heard of anything like this before and it’s clearly a new low by these hackers who call themselves “The Guardians Of Peace.”

It does not sound like any peace I want to be a part of. That’s for sure.

The title sounds overblown, but it isn’t. You might have heard that hackers broke into Sony Pictures and stole digital copies of a number of upcoming movies. But that may be only the tip of the iceberg according to Gizmodo:

Sony Pictures suffered a pretty devastating hack last week. In fact, according to documents recently leaked on the web, it looks like Sony Pictures might’ve just suffered one of the worst corporate hacks in history. Salary numbers, layoff strategies, personal details of laid off staffers, and some 3,800 Social Security numbers are now out in the open.

That’s really, really bad. Fusion’s Kevin Roose just published the details of 26 archives linked to in a Pastebin file purportedly from the attack. Therein is a trove of highly sensitive information about 6,000-plus Sony Pictures employees, details as specific as names, birthdays, and salaries. There are also a number of HR-related charts and spreadsheets that reveal how much it costs Sony Pictures to layoff workers as well as a division-by-division breakdown of salary numbers, including those of senior executives. And those Social Security numbers. There are those, too.

Well, I’d hate to be a past or present employee of Sony Pictures right about now.

Clearly, Sony did an absolutely craptastic job of securing their data. This is another example of why you need to have governments force companies to secure their data, and really really punish them to the fullest extent of the law when they don’t. Otherwise, these hacks will simply get worse in terms of scale and what gets stolen.