By Bob Sullivan
Thu | Dec 18, 2014 | 5:35 AM PST

Sony reminds me of the chaos theory in the hacking world. Yes, you should be very afraid of what's happening at Sony right now. Here's why.

Four years ago, I wandered the halls at the giant RSA security conference collecting scuttlebutt. Companies spend thousands, even millions of dollars, to make a splash at the annual geek-fest, but on this day, one company completely stole the spotlight. For free. And no one was jealous, because on that day, no one wanted to be government contractor HB Gary.

Hackers calling themselves members of the Anonymous group had hacked HB Gary servers, stolen the firm's email, then made it public for all the world to see. Days of embarrassment and nightmarish news followed, from exposure of a less-than-comfortable relationship with Bank of America to incredibly uncomfortable personal emails from employees.

At the time, the smartest geeks on the planet were terrified over the news. These folks weren't afraid of hackers hell-bent on stealing their intellectual property or their financial information. Most of them had fought off those attacks for decades. What they feared was chaos. The HB Gary hackers weren't after money; they wanted revenge. And computer criminals who simply want to destroy things are the most frightening. Publishing entire email spools stolen from company servers gains hackers almost nothing. But it exposes everyone inside a company, and everyone who ever communicated with any of those workers, to tremendous embarrassment, or worse. It creates chaos.

It's an unpopular thought, but it's true: there is no absolute security. Spend money and time protecting this, and you will leave that vulnerable. That's how it works at airports, and that's how it works in networks. Folks who protect digital assets for a living are constantly making trade-offs. Email is often one of those trade-offs. Most energy is focused on protecting money. A lot of energy is focused on protecting intellectual property. Four years ago, Anonymous realized email servers are often neglected. And they realized just how much chaos they could cause by publishing, and indexing for easy discovery, HB Gary's email.

Back then, every confident security professional I knew had two burning questions in mind. One, was I in HB Gary's email? And two, what about my email server? What would happen if someone published all my company's email? How many "secret" job searches, sexist or racist jokes, illicit affairs might be exposed with an email dump?

There was a great chill in the entire profession. People imagined the worst.

Now, the worst has happened. Executives have been forced to apologize to President Obama for racist comments. Sony has lawyers running around threatening journalists not to publish bits and pieces of upcoming movie scripts. Journalists have been exposed for too-cozy chats with sources. Heck, Aaron Sorkin is actually attacking not the hackers but those who even looked at what was hacked.

Revenge. Chaos. A crisis that seems without end. Mission accomplished.

Perhaps these hackers ultimately have money in mind. Perhaps they are state-sponsored. Perhaps the attack is purely politically motivated. We'll probably never know, though most certainly someone in the middle of this simply wants money.

But clearly, the criminals here were out to wreak havoc. Folks who just want to break things are pretty hard to stop. And now the playbook, first established four years ago, has been darn near perfected. Out folks' private communications, let curious onlookers go to town, and you have a full-fledged techno disaster on your hands. The point can't be overstated: In both the HB Gary and Sony incidents, hackers exposed their target companies and potentially anyone who had ever emailed with their employees. Publish the email of a big enough company, and you might very well expose a majority of Americans in one hack.

Stealing secrets and dumping them online is the hateful practice of "doxxing"—exposing private parts of victims' lives online, such as their home address, with the intent to invite harassment—writ large. It's pretty hard to stop doxxing. You should all just hope no one ever finds a reason to do it to you. And it's almost as hard to stop doxxing on a massive scale. Yes, shutting down a power plant, or a similar attack on critical infrastructure, could be a horrible disaster. But I think this kind of chaos might ultimately be more damaging to the U.S. It's certainly easier to fashion.

What's the lesson here? I've said forever that any time you type anything into any kind of keyboard, you should be prepared for the world to see it one day, even if you think your communication is private. That's good advice, but it has its limits. For starters, we all use chat tools, texts, and even email as casually as we talk now. It's pretty hard to remember that you are always one co-worker's stupid click away from your chatter being exposed to the world. A private note with one comment that could be described as racist, sexist, even elitist, said to one person, could seriously tarnish your career or legacy. In that world, being 99.9 percent careful just isn't good enough.

But the problem is scarier than that. Standards change all the time, but servers are forever. Imagine if we could read long email chats between political or corporate figures from 25 or 50 years ago. They'd all sound awful. It's really, really hard to predict what something you say today might sound like 10 or 20 years in the future. The old "out of context" explanation doesn't work anymore. This is why the world of pack-rat programming alarms me. Companies (in the U.S.) reflexively save every piece of data for as long as possible. It will be the radioactive fallout of our time. We haven't even begun to digest the implications of that.

Sony is a pretty good hint, however. Be very, very careful what you type.

This article appeared originally here at bobsullivan.net.