[Cryptography] North Korea and Sony

ianG iang at iang.org
Wed Dec 10 11:41:25 EST 2014


On 10/12/2014 15:49 pm, John Ioannidis wrote:
>
>
> On Tue, Dec 9, 2014 at 2:55 PM, <dan at geer.org> wrote:
>
>     "Banks Dreading Computer Hacks Call for Cyber War Council"
>     Bloomberg, July 8, 2014
>
>     www.bloomberg.com/news/print/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html
>
>
> Are these people that clueless (which makes me even more worried about
> the vulnerability of our financial systems), or are they trying to
> accomplish something else?


This is a real development.  Large IT companies (I'm referring to the
banks here, who by majority vote are IT orgs at this stage in their
evolution) are unable to secure themselves.  This is a gathering trend.

The number of large groups that find themselves unable to deal with the 
increasing number of serious attacks is an indication on the security 
industry.

E.g., Did we not predict this?  Did we not prepare?  Did we not know how 
to prepare?  Was it considered an acceptable risk?

It's probably OK to say, we got the risk wrong, now we'll just do some 
re-work, add some stuff and get back to business.  That will just cost 
hard money, no hard thing for banks at least.

But that might not be what is happening.  If these orgs are demanding 
state representation, that looks awfully like going to the USG and 
saying we need NSA help.  Google and others have also in the past cut 
deals with the NSA to get their help, before backing off in realisation 
that the NSA isn't exactly going to help them.

The point here is if Google can make this choice, even for a short time,
what hope Sony?

Does the security industry actually know enough to deal with this?

The implications of this question are pretty severe.  If the security 
industry has the smarts to deal with it, then there are institutions 
(NSA, companies, etc) that can do the Sony makeover and turn the story 
into one that will sell.

If not, then not.  What does the world look like when no-one can save 
Sony?  Or the banks?  Or...



iang



ps; long-term readers will know that what is being tested today is the
hypothesis that security is a market in lemons, or the alternate, a
market in silver bullets.

