Chaos theory takes root in aftermath of Sony Pictures hack

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

by Bob Sul­li­van, ThirdCertainy

Four years ago hack­ers call­ing them­selves mem­bers of the Anony­mous group hacked HB Gary servers, stole the well-con­nect­ed consultancy’s email, then made it pub­lic for all the world to see. Days of embar­rass­ment and night­mar­ish news fol­lowed, from expo­sure of a less-than-com­fort­able rela­tion­ship with Bank of Amer­i­ca to incred­i­bly uncom­fort­able per­son­al emails from workers.

At the time, the smartest geeks on the plan­et were ter­ri­fied over the news. These folks weren’t afraid of hack­ers hell-bent on steal­ing their intel­lec­tu­al prop­er­ty or their finan­cial infor­ma­tion. Most of them had fought off those attacks for decades.

What they feared was chaos.

The HB Gary hack­ers weren’t after mon­ey. They want­ed revenge. And com­put­er crim­i­nals who sim­ply want to destroy things are the most fright­en­ing. Pub­lish­ing entire email spools stolen from com­pa­ny servers gains hack­ers almost noth­ing. But it expos­es every­one inside a com­pa­ny, and every­one who ever com­mu­ni­cat­ed with any of those work­ers, to tremen­dous embar­rass­ment, or worse. It cre­ates chaos.

Four years ago, Anony­mous real­ized email servers are often neglect­ed. And they real­ized just how much chaos they could cause by pub­lish­ing — and index­ing for easy dis­cov­ery — HB Gary’s email.

Back then, every con­fi­dent secu­ri­ty pro­fes­sion­al I knew had two burn­ing ques­tions in mind. One: was I in HB Gary’s email? And two: What about my email serv­er? What would hap­pen if some­one pub­lished my all company’s email?

How many ‘secret’ job search­es, sex­ist or racist jokes or illic­it affairs might be exposed with an email dump?

Now, the worst has hap­pened to Sony. Hol­ly­wood execs have been forced to apol­o­gize to Pres­i­dent Oba­ma for racist com­ments dis­closed in their hacked emails.

Sony has lawyers run­ning around threat­en­ing jour­nal­ists not to pub­lish bits and piece of upcom­ing movie scripts. Jour­nal­ists have been exposed for too-cozy chats with sources. Heck, Aaron Sorkin is actu­al­ly attack­ing — not the hack­ers — but those who even looked at what was hacked.

Revenge. Chaos. A cri­sis that seems with­out end. Mis­sion Accomplished.

Bob Sullivan
Bob Sul­li­van

Per­haps, these hack­ers ulti­mate­ly have mon­ey in mind. Per­haps they are state-spon­sored. Per­haps the attack is pure­ly polit­i­cal­ly moti­vat­ed. We’ll prob­a­bly nev­er know, though most cer­tain­ly, some­one in the mid­dle of this sim­ply wants money.

But clear­ly, the crim­i­nals here were out to wreak hav­oc. Folks who just want to break things are pret­ty hard to stop. And now the play­book, first estab­lished four years ago, has been darn near perfected.

Out folks’ pri­vate com­mu­ni­ca­tions, let curi­ous onlook­ers go to town, and you have a full-fledged tech­no-dis­as­ter on your hands. The point can’t be over­stat­ed: In both HB Gary and Sony, hack­ers exposed their tar­get com­pa­nies and poten­tial­ly any­one who had ever emailed with their employees.

Pub­lish the email of a big enough com­pa­ny, and you might very well expose a major­i­ty of Amer­i­cans in one hack.

Steal­ing secrets and dump­ing them online is the hate­ful prac­tice of “doxxing” — expos­ing pri­vate parts of vic­tims’ lives online, such as their home address, with the intent to invite harass­ment — writ large.

It’s pret­ty hard to stop doxxing. You should all just hope no one ever finds a rea­son to do it to you.

What’s the les­son here? I’ve said for­ev­er that any time you type any­thing into any kind of key­board, you should be pre­pared for the world to see it one day, even if you think your com­mu­ni­ca­tion is private.

That’s good advice, but it has its lim­its. For starters, we all use chat tools, texts, and even email as casu­al­ly as we talk now. It’s pret­ty hard to remem­ber that you are always one co-worker’s stu­pid click away from your chat­ter being exposed to the world.

A pri­vate note with one com­ment that could be described as racist, sex­ist, even elit­ist — said to one per­son — could seri­ous­ly tar­nish your career or lega­cy. In that world, being 99.9 per­cent care­ful just isn’t good enough.

But the prob­lem is scari­er than that. Stan­dards change all the time, but servers are for­ev­er. Imag­ine if we could read long email chats between polit­i­cal or cor­po­rate fig­ures from 25 or 50 years ago. They’d all sound awful.

It’s real­ly, real­ly hard to pre­dict what some­thing you say today might sound like 10 or 20 years in the future. The old “out of con­text” expla­na­tion doesn’t work any more.

This is why the world of pack-rat pro­gram­ming alarms me. Com­pa­nies (in the U.S.) reflex­ive­ly save every piece of data for as long as pos­si­ble. It will be the radioac­tive fall­out of our time. We haven’t even begun to digest the impli­ca­tions of that.

Sony is a pret­ty good hint, how­ev­er. Be very, very care­ful what you type.


Posted in Cybersecurity, Data Breach, Guest Essays