2014-12-24

What have we learned this week?

The Sony/N Korea spat is fascinating in its implications

Ape of ninetree

  1. Never make an enemy of a nation state
  2. Any sufficiently large organisation is probably vulnerable to attack. I even worry about the attack surface of two adults and child, and I don't know who is the greater risk: the other adult or the child. The latter I am teaching foundational infosec to, primarily as he learns to break household security to boostrap access to infrastructure facilities to which he is denied access (e.g. the password to the 5GHz wifi network that doesn't go off at 21:00).
  3. Always encrypt HDDs with per-user keys. Any IT keys need to be locked down extra-hard.
  4. Never store passwords in plaintext files. At the very least, encrypt your word documents.
  5. Never email passwords to others. That goes for wifi passwords, incidentally, as children may come across unattended gmail inboxes and search for the words "wifi password"
  6. Never write anything in an email that you would be embarrassed to see public. Not confidential, simply unprofessional stuff that would make you look bad.
  7. The US considers a breach of security of a global organisation possibly by a nation state an act of terrorism.
The final one is something to call out. Nobody died here. It's cost money and has restricted the right of people round the world to watch something mediocre, but no lives were lost. Furthermore, and is salient, *it was not an attack on any government or national infrastructure*. This was not an attack on the US itself.

In comparison, the Olympic Games/Stuxnet attack on the Iranian nuclear enrichment facility was a deliberate, superbly executed attack on the Iranian government, to their "peaceful enrichment project"/stage 1 nuclear weapons program. That was a significantly more strategic asset than emails criticising Adam Sandler (*).

By inference, if an information-leak attack on a corporate entity is terrorism, mechanical sabotage of a nation's nuclear program must be viewed as an act of war.

That doesn't mean it wasn't justified, any less than the Israeli bombing of a Syrian facility a few years back. And at least here the government(s) in question did actually target a state building WMDs rather than invade one that didn't, leave it in a state of near-civil-war and so help create the mess we get today (**).

Yet what -someone- did, was commit an act of war of war against an other country, during "peacetime". And got away with it.

Which is profound. Whether it is an attack or Iranian nuclear infrastructure, or a data grab and dump at Sony, over-internet-warfare is something that is taking place today, in peacetime. It's the internet's equivalent of UAV attacks: small scale operations with no risk to the lives of your own-side, hence politically acceptable. Add in deniability and it is even better. Just as the suspects of the Olympic Games actions, apparently the US & Israel, deny that project while being happy with the outcome, so here can N. Korea say "we laud their actions even though we didn't do it"

Well, the US govt. probably set the precendet in Operation Olympic Games. It can't now look at what happened to Sony and say "this isn't fair" or "this is an act of war". As if it is, we are already at war with Iran -and before long, likely to be at war with other countries.

(*) Please can Team Netflix add a taste-preferences option that asks about specific actors, so i can say "never recommend anything by Adam Sandler" without having to 1-* everyone they throw up and so let it learn indirectly that I despise his work?

(**) On that topic, why is Tony Blair still a middle east peace envoy?