[Cryptography] North Korea and Sony

ianG iang at iang.org
Fri Dec 12 08:29:31 EST 2014

On 11/12/2014 15:04 pm, dan at geer.org wrote:
>   | > "Banks Dreading Computer Hacks Call for Cyber War Council"
>   | > Bloomberg, July 8, 2014
>   | >
>   | Are these people that clueless (which makes me even more worried about the
>   | vulnerability of our financial systems), or are they trying to accomplish
>   | something else?
> I do not believe that a private company can sustainably deny
> penetration by a committed state-level actor.

If it is the bank's own state, then commitment means courts means open 

But, I think it is a different thing when we are talking about say BoA 
and China, or a Swiss bank and NSA.  Although they may not be able to 
deny every attack, I think they should be able to put up a pretty good 

Spooks don't use rocket science, except in the rarest of cases, and much 
of the stuff they do use routinely is similar to that which any criminal 
gang could specialise in over time if it works. E.g., credit card 
forgery, SQL injection, phishing of employees, perversion of insiders.

I think the biggest reason why a big bank can easily be attacked by a 
serious attacker is because it doesn't even try to defend itself.

> That then begs the
> question of whether any particular sector or particular company
> sees itself as a target of state-level actors.  It does not strike
> me as nutty for any one of the world's twenty largest banks, taking
> the current example, to think that it is now or could soon be a
> target for state-level aggression.

Well, given the SWIFT scandal of around 2008, we have the luxury of 
knowing more.  At the time (hearsay has it) there were no less than 3 US 
agencies hacking into SWIFT through various means.

> As such, for a bank to request
> state-level protections is not nutty, even if such protections are
> likely to come with significant strings attached.
> Or am I missing your point/question?

As you cast it, sure, I'd agree that it is quite rational for the 
bankers to ask for state-level protections.

But look a little deeper.  They aren't asking for FBI protection, which 
is also "state-level protection" to which they are entitled, one 
suspects.  They are asking for the NSA, in effect.

Which also in effect says that the FBI -- who have their secret/illegal 
backchannel to the NSA -- aren't helping either.

They are also asking for a subsidy.  That might say they are just used 
to asking for subsidies for everything, as they also outsource any 
tricky problem to someone who can be paid to provide a fig leaf.

Or it might be a reflection on their view that the current security 
suppliers / knowledge is inadequate at their budget levels.  I'm 
inclined to the former because their budget is huge and they can afford 
to take the long view -- if they care.

Given all that, it would also be in a sensible regulator's interests to 
refuse such a request.  I can't see any upside to the request, it all 
looks like downside to me.  Sadly, I doubt the regulator will even blink 
at such a request.
