[Cryptography] North Korea and Sony

John Ioannidis ji at tla.org
Wed Dec 10 12:35:43 EST 2014


On Wed, Dec 10, 2014 at 11:41 AM, ianG <iang at iang.org> wrote:

> On 10/12/2014 15:49 pm, John Ioannidis wrote:
>
>>
>>
>> On Tue, Dec 9, 2014 at 2:55 PM, <dan at geer.org> wrote:
>>
>>     "Banks Dreading Computer Hacks Call for Cyber War Council"
>>     Bloomberg, July 8, 2014
>>
>>     <http://www.bloomberg.com/news/print/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html>
>>
>>
>> Are these people that clueless (which makes me even more worried about
>> the vulnerability of our financial systems), or are they trying to
>> accomplish something else?
>>
>
>
> This is a real development.  Large IT companies (I'm referring to the
> banks here, who by majority vote are IT orgs at this stage in their
> evolution) are unable to secure themselves.  This is a gathering trend.
>
> The number of large groups that find themselves unable to deal with the
> increasing number of serious attacks is an indication on the security
> industry.
>
> E.g., Did we not predict this?  Did we not prepare?  Did we not know how
> to prepare?  Was it considered an acceptable risk?
>
> It's probably OK to say, we got the risk wrong, now we'll just do some
> re-work, add some stuff and get back to business.  That will just cost hard
> money, no hard thing for banks at least.
>
> But that might not be what is happening.  If these orgs are demanding
> state representation, that looks awfully like going to the USG and saying
> we need NSA help.  Google and others have also in the past cut deals with
> the NSA to get their help, before backing off in realisation that the NSA
> isn't exactly going to help them.
>
> The point here is if Google can make this choice, even for a short time,
> what hope Sony?
>

I am not aware of any deal between Google and the NSA. Quite the contrary.
What are you referring to?

/ji


>
> Does the security industry actually know enough to deal with this?
>
> The implications of this question are pretty severe.  If the security
> industry has the smarts to deal with it, then there are institutions (NSA,
> companies, etc) that can do the Sony makeover and turn the story into one
> that will sell.
>
> If not, then not.  What does the world look like when no-one can save
> Sony?  Or the banks?  Or...
>
>
>
> iang
>
>
>
> ps; long term readers will know that what is being tested today is the
> hypothesis that security is a market in lemons, or the alternate, a market
> in silver bullets.
>