> Mr. Jang said that as time went on, the North began diverting high school students with the best math skills into a handful of top universities, including a military school specializing in computer-based warfare called Mirim University, which he attended as a young army officer.
I realize I'm not engaging the core topic being discussed, but stories like this are why I'm surprised people like Will Scott haven't gotten in trouble. (I don't want to single him out, but he's the best example I have at hand.) For the past two years, he's gone to North Korea to volunteer teaching computer science.[1][2] At best, his students' skills will be wasted on some silly Android apps praising the supreme leader. More likely, these students will go on to make software for less-than-ethical purposes: wargame simulation, nuclear explosion modeling, missile guidance systems, or network/server subversion.
I'm not saying this software shouldn't exist, just that the world would be better-off if the DPRK had more difficulty writing it. And I'm surprised the State Department hasn't fined or revoked the passport of any American who has aided the DPRK in this manner.
That is a very scary argument. To deny education because it could be used in ways you may not like is a very unfortunate position to take. Education is likely the only way a system like North Korea's will ever fall short of a militarized take over - another horrible fate to wish on those same people. And were it to fall, an education is all that would permit their survival in the world at large. To deny individuals a modern education is a particularly cruel punishment - maybe more so to punish those who would wish to educate.
I agree that it's a scary argument. That's why I was careful in how I put it forth. The problem is that many skills are dual-use. At some point, a threshold is reached where a student is more likely to use the knowledge to harm than to help. This threshold depends on the skill and the student.
To use a hypothetical: Would you condone someone teaching particle physics in North Korea? How about biology? Chemistry? Turbine engineering? Teaching any of these would probably increase North Korea's ability to threaten and harm its people and the rest of the world. It's sad that this is the case, but it's hard to argue otherwise.
Unfortunately, I seriously doubt education will help free North Korea. If you read the stories of defectors, you'll find that almost everyone in universities is indoctrinated. Also, because of how people are encouraged to report each other, no underground network of dissenters can exist. Even if 90% of North Koreans wanted to overthrow the government, anyone who voiced dissidence to a few friends would likely be reported and thrown in a prison camp (if not outright executed), along with their family. It doesn't take much to control many.
I really wish it was as easy as, "Education is good." But there can be dire consequences to actions, even ones as typically benign as teaching others. It's important to have a finely-tuned sense of ethics, otherwise we risk harming people who we mean to help.
You aren't exhibiting a finely tuned sense of ethics.
Exactly which ethical principle(s) are you following?
This seems like a 5 minutes of thought kind of solution to an incredibly complex problem.
North Korea can buy/steal/grow the knowledge they need. They already have nukes, and are working on missiles. I think the notion that we should sanction education (on top of the existing sanctions) is just playing by the already broken playbook we (the rest of the world) have been to date. We are feeding their propaganda machine on how evil we are.
Just a question, how is the DPRK any MORE evil than other states the US happily does business with? (Pakistan, Saudi Arabia, Israel, China, etc) What in particular makes them evil?
I agree that it is a messed up situation and some horrible shit is going on. But I also have a feeling we are being manipulated by the media.
>I think the notion that we should sanction education (on top of the existing sanctions) is just playing by the already broken playbook we (the rest of the world) have been to date. We are feeding their propaganda machine on how evil we are.
We are not obligated in any way to provide education to North Korea. Saying we are "evil" for not educating another country is quite a stretch.
Which is why we're discussing denying them education, rather than merely not educating them. Denying or obstructing their education is pretty darn evil.
What's scary is the level of your indoctrination. North Korea has been surviving decades in almost complete world isolation, because it opposes capitalism. It's not Mordor, it's a society with a structure that is not compatible with western capitalism. Everything you think you know about has been filtered to hide any positive aspects of such a society and to exacerbate the negatives. This was done to Vietnam, to China, USSR. This was done to Obama during the healthcare "debate".
North Korea has withstood decades of economic isolation, and yet it lives and its people live much better than citizens of Somalia and other great capitalist nations, not that anyone would let you know. You're not freeing North Korea by isolating it and starving it, you are killing it, and the people. You say it doesn't take much to control many, but this applies to the West as much as it does anywhere. You have a set of values, and you are in harmony with enough people, you can work for them, with them. The same applies in North Korea, and USSR (where I'm from). The country is a single company, the CEO might be eccentric, but people do have jobs, work hard, have education, healthcare and believe in communism. What they don't have is Hollywood, McDonald's and Fox News. And this is why you want to "free them". They have nuclear weapons not because they are evil, but because they know what US does to countries people like you believe need to be freed.
Well, the US didn't have much issue with European fascism in Spain, or with supporting fascism in Chile and otherwhere in Lat. Am., not to mention the horrendous state that Saudi Arabia is...
It is foolhardy to defend North Korea so the only option to argue is that America is bad too, but what you are arguing is the way of the world. If the US thought they could play NK against China they certainly would.
North Korea is not a fascist or nationalistic regime. And it's only been turned into a concentration camp by the West through sanctions. It's not even any more antithesis to democracy either. The party members are elected. The institution members are promoted by performance like anywhere else. The 'supreme leader' being some sort of a Sauron is a fantasy. Since you're comparing to Nazi Germany, you should also know that Hitler wasn't some sort of a god who bent everyone to his will. He was a leader of a party and a movement with the fascist ideology. Please don't equate Nazism and Communism.
Unfortunately, every country has prison colonies. USA has more than anyone, including abroad. You choose to believe 'Database Center for North Korean Human Rights' from which this article is sourced, that it seeks to publicize the truth and isn't funded by CIA. I believe otherwise, after comparing activities of human rights organizations in countries all over the world. It makes me quite sad that the human rights cause and genuinely well meaning people are used to further US imperialism.
Sure. My country(Poland) used to be communist for nearly 50 years, and you know what we called ourselves? Democratic Republic of Poland, just like North Korea calls itself democratic. There were elections, party members were elected - but it was all corrupt through and through. The same party would win with 99.9% of the votes, party members were chosen by who gave the largest bribe or who was closest family member. And the secret police didn't make people "disappear" because of any Western sanctions on the East - it's because they were bad people with bad morals. North Korean government is a bad government, where people at the top have everything and people below them have very little to nothing. Just because they are not starving like people in Africa are, doesn't mean that their system "works". It doesn't.
I love how American and European chauvinism continues to conquer reason in the 21st century. Why mention Africa when most of the world's malnourished people are in Asia? With the great variance that can occur on a continent why mention continents at all? If one must it is irresponsible to omit that both continents were forced into producing cash crops for export to Western Europe.
Does that mean that the Western European models of governance work? Duh!
>Why mention Africa when most of the world's malnourished people are in Asia?
Because in the US, at least in my experience, 'starving people in Africa' is kind of a colloquial trope - it is more readily referenced than starving people in Asia, since we don't see charity organizations constantly using Asian faces to advertise their foundations.
>forced into producing cash crops for export to Western Europe
Who exactly went around the countries in Africa and Asia and disallowed them from growing their own food instead of cash crops?
My bet is that these places found economic incentive in growing these crops rather than what they would consume locally - whether the global economy is a net benefit or net loss for a poor country is an entirely different discussion.
Ok, most of world's malnourished people are in Asia, so now I can't say that people are starving in Africa without being accused of European chauvinism. Got it.
Everyone is saying that North Korea is a bloody dictatorship where people are starving to death. Media, scientists, tourists who were there (yes, you can actually go there), geopoliticians, ... There is just some evidence everywhere. There is no conspiracy about North Korea and this has nothing to do with capitalism.
They have giant statues of their leader and a massive painting of him in the most prestigious place of the country. On official articles, the leader is mentioned everywhere. They manufacture 'pins' with the face of the leader on it and everyone is wearing it. There is a painting of the leader in almost every house. (do I need to continue?)
I am pretty sure they were mentioning that in the sense that North Korea has a full blown cult of personality around their leader (who is an unelected life-long dictator).
You'll note that there isn't a giant statue of Obama on the White House lawn and in every town square. In N. Korea this is the case.
Adult Americans are not legally required to wear lapel pins featuring prominent past presidents, nor are they required to have images of those presidents in their homes with nothing else permitted on the wall that hosts those images, while in N. Korea they must.
Americans can freely speak a poor opinion of Obama or the Congress or the SCOTUS and not fear that they and their family will be imprisoned and tortured, unlike N. Korea.
The press can say what they like about Obama/other branches of the government without fear of censorship and imprisonment, unlike N. Korea where there is only state-run media that fawn over their leader.
I think that was what they were trying to get at even if they didn't fully expand it.
They don't have a free press either, and political or social dissent tends to result in people being "disappeared". And they have rather a lot of artillery pointed at Seoul.
Where was the free press in the lead up to the Iraq war? How would you know of all the 'disappeared'? There very well might be, but just by stating that like a fact, you're repeating something you simply heard in the 'free press', helping spread the narrative. I'm sure there is ideological cleansing there, so is there in any society, especially one under ideological attack. And I'm sure there is way more artillery pointed at North Korea than exists in North Korea.
I have no doubt that western media loves to play up the stereotypes of that region, but having read a few personal accounts from people who have escaped North Korea, those defectors' opinions tend to align with a lot of the negative reporting on the DPRK.
North Korean concentration camps, for example, are several orders of magnitude more horrific than the US prison camps you compared them to. And it's significantly easier to end up in an NK concentration camp than it is in prison too.
Families being rounded up and taken away and/or killed is a common theme discussed by the defectors as well.
Now I'm not saying that America (nor any other country for that matter) is perfect. If anything, I happen to agree with you that the US has some hugely hypocritical tendencies. But for all America's faults, the DPRK is still in a whole other league of bad.
Let me guess - you have this Putin guy as a personal hero and the best thing that happened to Russia for decades, right? :)
Black & white world you live in, I think some time outside your home country would do you good.
>To use a hypothetical: Would you condone someone teaching particle physics in North Korea? How about biology? Chemistry? Turbine engineering? Teaching any of these would probably increase North Korea's ability to threaten and harm its people and the rest of the world. It's sad that this is the case, but it's hard to argue otherwise.
How's NK different from the US to that regard?
You know, the one country among those two that actually blasted two civilian cities with atomic bombs, sprayed Agent Orange over Vietnam, and has chronically had leaders who "speak with god"...
Perhaps we should consider that there are some countries where it is not proper for us to be offering such education? I can name very few countries deserving of nothing more than basic food and medical and North Korea is one of them.
Don't throw the guilt on him or others, their fate is already abysmal because of their government and sending them a few teachers is not going to benefit their society and if it's for feels, well they are misdirected and other countries are far more deserving of our time.
I think you've massively devalued an entire people based on the actions of their government...
Let's not forget the great value and results of CS education in the US:
- spying for pretty much everybody, regardless of location
- drone guidance systems to kill people unlawfully
- missile systems for air strikes on countries purported to have WMDs
- millions of $ spent on silly apps that arguably do nothing to improve quality of life, whilst millions suffer and die of starvation
Do you really know enough about North Korea's tech community to say that "More likely, these students will go on to make software for less-than-ethical purposes"?
Given it spends around a third of its GDP on military activities, and is a thoroughly planned economy it seems a relatively straightforward inference to make.
Yes but the discussion was about whether you could assume a DPRK computer science grad would go into military (or associated work). Using military spending as a % of GDP as a rough yardstick does suggest that the number of DPRK citizens involved in military activity is very high.
Especially as each comp sci grad probably has greater potential to contribute to GDP than say your average farm labourer.
I flatter myself that I was a pretty competent computer science student, but I'm certainly not a security researcher. I think you're overestimating how much basic computer science knowledge has any applicability to offensive black hat hacking.
Your argument is close to "Nobody should teach basic chemistry in the middle east, because hey, terrorists might use that knowledge to make bombs."
Learning and knowledge are _good_things_, for people anywhere, including NK. If enough people are educated, it is feasible to expect they would push for regime change and more freedoms for themselves. I expect this will eventually happen in China as well where the cat is out of the bag and more and more people have an expectation of individual liberty, leading them to desire political freedom as well.
Do you really think Will Scott gave the DPRK the breakthroughs it needed in any of those areas? I think you would be delusional to think he set them up to significantly improve in these areas. The only thing holding the DPRK back is the fact the socio-economic situation in the country is in complete shambles. Not the lack of American Computer Science teachers.
Plus, more than likely he (and others like him) are providing intel or participating in espionage on behalf of Western Governments.
Yes, and that same argument can be made for pretty much any other country... why teach computer science to US, as they have shown they can't be trusted - they will probably end up in the NSA!
Are you seriously comparing the NSA to North Korea? This is a country that starves and kills millions of its own people. They imprison, torture, and execute their citizens for being related to someone who watched South Korean television. It is quite likely the most harmful regime on the planet. Read some stories from North Korean defectors. Then let me know just how content you are with people contributing to the DPRK's education system.
But to respond to your real argument: It's a matter of probabilities. The chance that an American programmer will work on software harmful to humanity is quite small. The chance that a North Korean programmer will do so is massive. Even if the person doesn't want to work on missile guidance or centrifuge control software, they can be ordered to, and their family can be held hostage. There is no such thing as a conscientious objector in North Korea.
>The chance that an American programmer will work on software harmful to humanity is quite small. The chance that a North Korean programmer will do so is massive.
Spoken like a true patriot.
In actual life, most of the world hates the US interventions (too numerous to mention, including toppling legitimate leaders and installing friendly to the US dictators) and invasions (from Philippines back in the day, to Korea and Vietnam and on to Bush's wars).
Besides South Korea, and if that, nobody has much to fear from North Korea, an insignificant provincial state that 99% of the time deals with its own issues.
Compare that to a hypocritical world "cop", dealing BS "democracy" all around the globe (e.g. mostly ruining previously stable countries to get rid of dictators it doesn't like, while doing business with or helping install dictators it does like elsewhere) to serve its interests.
"The chance that an American programmer will work on software harmful to humanity is quite small. The chance that a North Korean programmer will do so is massive."
It is the same argument made by nuclear non-proliferation countries. Only responsible countries should own the nuclear weapons. Well, guess how that argument turned out. The only country to use a nuclear weapon is the one that calls itself the responsible one.
Along the lines of your argument, DPRK citizens shouldn't be learning physics, chemistry, mathematics, aerospace engineering, mechanical engineering, civil engineering and medical or any subject because they all can be used as "weapon" for nefarious purposes.
Keeping the population of a country uneducated because you don't agree with the government running the country is discriminatory and racist. No person irrespective of race or belief or country of citizenship should be denied education.
Your line about nuclear proliferation is a total non-sequitur. The US of 1945 is not the US of today. Our ethics and standards have risen significantly in the past 65 years. You might as well call the US hypocritical for backing UN resolutions against racism because of segregation up to the 60's.
> Along the lines of your argument, DPRK citizens shouldn't be learning physics, chemistry, mathematics, aerospace engineering, mechanical engineering, civil engineering and medical or any subject because they all can be used as "weapon" for nefarious purposes.
Except for medicine, probably yes. See my other comment for why I think that is the case.[1]
> Keeping the population of a country uneducated because you don't agree with the government running the country is discriminatory and racist. No person irrespective of race or belief or country of citizenship should be denied education.
How is it racist? I have no ethical issues with South Koreans or North Korean defectors learning these things. I'm simply pointing out a concrete example of how, in some cases, education can be harmful on net. Simplifying it to, "Education is good." won't steer you wrong often. But when it does, the consequences can be horrific.
And to say one doesn't agree with the DPRK is putting it far too mildly. Read Nothing to Envy: Ordinary Lives in North Korea.[2] The stories will make you thankful to be in whatever country you live in. For many people, North Korea truly is hell on earth. It's far worse than anything Orwell wrote about.
If the leaders of the DPRK could get away with it, they would rain fire on South Korea and the US tomorrow. The only thing stopping them is lack of ability. Educating their citizens helps them gain technology that will most likely be used to achieve the goals of the DPRK's leaders. That will almost certainly lead to more harm than good.
> Your line about nuclear proliferation is a total non-sequitur. The US of 1945 is not the US of today. Our ethics and standards have risen significantly in the past 65 years. You might as well call the US hypocritical for backing UN resolutions against racism because of segregation up to the 60's.
Has it though?
Between now and WWII you've still had several -arguably illegal- wars such as Iraq and Vietnam (and not to mention the cold war with Russia and tensions with Cuba and China). You've had a president assassinated. You've had more than 2 decades of racial segregation; and yet more assassinations (this time of figureheads who campaigned for equality such as Martin Luther King). You have gun laws that most of the rest of the developed world considers right wing. You have your own breed of religious fanatics - which is so rife that election candidates have to prove they believe in God just to stand a chance at becoming president. Then there's the NSA leaks - a whole essay could be written just referencing that organisation alone. And don't get me started on the xenophobic beliefs that the likes of Fox News spreads.
From an outsider's perspective looking in, America hasn't looked too respectful to either its own nationals nor other countries in the decades following the second world war. So it really doesn't surprise me that many outside of the west might consider the US (and Europe) as bloodthirsty.
> The US of 1945 is not the US of today. Our ethics and standards have risen significantly in the past 65 years.
This is true, but what is also true is that most of the world outside the US and EU views the West (which is something like 12% of the world's population) as an extremely bloodthirsty and cruel culture/society (regarding external behaviour) that is the greatest threat humanity faces today.
You want to believe that the US is ethical and good because you probably live there and like your country and people, which I can understand very well.
Not at all. In the US, we computer scientists have a wealth of opportunities to which we can apply our knowledge and education. Presumably in NK, you are limited to doing their government's bidding.
I disagree. I believe education is an excellent way to free the North Korean people from the brainwashing machine that is the DPRK.
More DPRK people with the hacker mindset (e.g. not just accepting answers but asking questions, a hunger for knowledge, etc) would in the long term be a really great thing for everyone but the leaders of DPRK.
I used to think that way, that education would inevitably lead people to more egalitarian belief structures. Then I spent a few years at school in the US. I met many very educated people (ie well beyond undergrad) that scared the heck out of me. It is very possible to have an advanced CS degree and still believe in a rigid class system.
Yeah. I used to believe technical education will give you a particular outlook at the world, will make you a more careful thinker, etc. I don't believe that anymore. Here are some other things that I've seen going along with a CS degree:
- you can have a CS degree and be a total and utter asshole (for some reason I thought education makes people more polite)
- you can have a CS degree and be an antivaxxer who sees vaccines as Illuminati's conspiracy (not joking here)
- you can have a CS degree and not have an ounce of rational thinking in you
- you can have a CS degree and not be able to code your way out of a paper bag
> or network/server subversion.
>
> I'm not saying this software shouldn't exist...
The world would be a better place if subversion didn't exist. As long as the North Koreans keep using it they won't get very far. Maybe Will Scott is funded by the CIA if he's promoting that over git...
Right, in US, the government will never force anyone to perform unethical work. That's an interesting assumption.
What if a skilled programmer in North Korea volunteers to perform unethical work?
What if a skilled programmer in US volunteers to perform unethical work?
What if "ethics" simply depends on your country of origin?
To be honest, what you and the grandparent post should be saying is that North Korea is the enemy, and to help the enemy in any way is "bad". Why pretend that you're helping the people of North Korea by not helping the people of North Korea so they can't help their country?
NK is not an enemy in the same way Iran might be. NK is a Stalinist regime in 2015.
>Right, in US, the government will never force anyone to perform unethical work. That's an interesting assumption.
I think it's a reasonable assumption. You can't be forced to join the military (unless there's a draft) or an intelligence agency, and if you work for one, you can't be forced to do something you don't want to do; you can just quit. They can threaten you with prosecution if you leak anything, but they can't make you do something you don't want to.
In NK you can both be forced to work for an organization and you can be forced to do specific tasks you may not want to do, at risk of torture or death.
>What if "ethics" simply depends on your country of origin?
That is true of course. And no doubt there are going to be NK programmers who are ethical and do nothing but help their populace. Obviously many US programmers are performing unethical tasks daily as well. But again, in the US these will almost always be voluntary actions.
I think educating NK citizens is a perfectly good idea, just there are certain topics that perhaps they should not be taught, due to their oppressive and Machiavellian regime.
It's honestly sad that you picked Stuxnet, an attack that did no appreciable harm to human lives, as opposed to the entire arsenal of munitions available to the Joint Armed Forces.
We have invented, but more importantly manufactured, a lot of pretty fucking effective weaponry.
"I'm surprised people like Will Scott haven't gotten in trouble. (I don't want to single him out,"
You are still doing it by writing that, and actually you aren't suggesting that the trouble to him would come from DPRK, but you are "nicely" suggesting he should get "in trouble" in the US just for lecturing in DPRK. Basically claiming, without writing the words that you are "surprised" he isn't considered a "traitor":
> General Clapper praised the food; his hosts later presented him with a bill for his share of the meal.
Not only are they evil, but they're cheap too.
But the fact is that the hosts would have billed for the meal because the U.S. government asked to be billed.
The USG requires that officials traveling on business not accept gratuities, gifts, dinners, or anything above a certain value (which is about US$100 -- it gets adjusted for inflation, so it might be higher today).[1]
There is an exemption to allow acceptance of gifts of travel expenses of more than $100 when officials travel outside the United States on business, but only if "such acceptance is appropriate, consistent with the interests of the United States, and permitted by the employing agency".[1]
In this case, General Clapper and his staff probably didn't want to deal with the question of whether it was "appropriate" or deal with reporting requirements, so they just asked for the bill. Or, their North Korean hosts, knowing U.S. policy, were proactive in making up a bill.
Either way, the NYT article should have mentioned the USG policy. If they can't get that little thing right, it makes me wonder about the accuracy of the rest of the article.
It's customary for foreign governments to give gifts to US officials when there's a diplomatic trip, and it's customary for US officials to accept those gifts (under the exception you cited) given that refusal to do so would embarrass both parties. You can see the list of such gifts here: https://www.federalregister.gov/articles/2013/04/26/2013-099...
Given that presenting one's guest with a bill (or demanding a bill) would seem to violate social norms and cause embarrassment, I would imagine that meals are typically treated the same way.
If a 1000-word article had 50 misspelled words, would you then say that it was pretty accurate because it was 95% correctly spelled?
No, you'd be horrified. Things like spelling, grammar, and basic facts (the capital of a country, USG policy on gifts, etc.) should be close to 100% correct. That's a lower bound to be taken seriously.
Not quite. When reading an article I want nearly all facts to be correct. Otherwise it won't do me any good.
Now if I sample two facts and one is true, the other is false, it makes it unlikely that the article is mostly true.
Sure, it is also unlikely that nearly every fact is false, but that's still not very comforting.
If I find that the brakes are working only on one side of a car, I don't consider the fact that some of the brakes are working, to be an indicator that the car is probably in good condition.
"We realized there was another actor [South Korea] that was also going against them [North Korea] and having great success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win."
NSA learned of a 0-day exploit being used by South Korea (not five eyes) and re-purposed it. They had knowledge of an exploit in the wild. Did they share this with anyone in order to close this security flaw? They exploited it. This is not a case of the NSA developing an exploit in house. They took this from the wild. This would seem to confirm suspicions that NSA is/was willing to allow active 0-days to fester, leaving the general public exposed.
Well, it depends on how the exploit was being used and who was being targeted.
If SK was only using it to target, say, Iran and NK, then it would not be in the NSA's interest to disclose the exploit to anyone. Only if they had reason to believe it could be targeting Five Eyes governments or corporations would they feel any need to.
Are you suggesting the NSA should be a government funded QA department for large corps and open source?
For commercial software the companies who are not finding these bugs on their own are to blame. For open source, the cheapskates who mooch free software without contributing are to blame.
Yes and no. They are tasked with protecting national security assets within the US, most of which rely on commercial systems. When they find a dangerous flaw in those systems, especially one loose in the wild, they are to help fix it. To not fix it is to leave US systems at risk.
"in almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection" (quote from the 2013 panel report, not wired.)
NSA, no. But a non-NSA influenced USG, or some other new agency that should be in charge of cyber-security and not cyber-war (like NSA is) should be responsible for that. Developing strong security policies, finding about loopholes, and then nagging companies and government about fixing those loopholes and implementing those strong security policies (such as: "Go enable HTTPS for your site already god damn it, EPA!!"). NSA doesn't do anything like that right now, yet they keep yelling from the rooftops about "cyber security".
The NSA should have absolutely no relationship with this agency. If NSA finds out about some "catastrophic" loophole, then they should disclose it to multiple agencies at the same time, including this new cybersecurity agency, and should have no "special" relationship with it.
Also this new agency should be a civil agency, not a military or a spy one. NSA is and has always been a "war-time" agency, even if it has been used for non-war purposes (in my opinion wrongfully). Security is in most cases not about war. So why do we let a war-time agency try to militarize the Internet and treat it as a battleground, with everyone's computers as collateral damage, even if there's no immediate danger of "war"?
We know that the NSA tapped into computer systems and the backbone of essentially every country on Earth - I don't see how NK would have somehow been excluded.
What's interesting is what information the New York Times includes that is not covered in the NSA document, presumably from unidentified officials and former officials.
The document on Der Spiegel speaks primarily about taking copies of intelligence from SK hacking efforts against NK and also taking copies of intelligence from NK hacking efforts that had in turn been hacked by SK (and in turn by NSA - "fifth party collection").
The document mentions the NSA's unwillingness to rely on intelligence filtered through so many third parties and made efforts to establish its own foothold.
Essentially none of the article is backed by the document as a first source and must have come from the unnamed sources.
I believe the reason this is "a big deal" is due to how the average US citizen reacted over the recent Sony Breach and the US Government's blame of NK (I might add with no supporting evidence, most industry professionals in high doubt, and even some security companies providing evidence to the contrary of statements by the government).
The average US citizen was outraged that some other government would have the audacity to hack anything in the US. This article's goal seems to be to point out that the US Government is hacking all other nations' governments, including NK. (pot calling the kettle black)
To be fair, there were other issues involved in the Sony hack that are not present in NSA spying.
- The North Koreans attempted to impose a heckler's veto on speech by private citizens of the United States.
- The Sony hack had direct and very visible consequences for Americans (economic consequences, release of personal data like salaries and health information, embarrassment of people by releasing private communications).
It's entirely possible to take the position that countries are going to engage in espionage, but that there should be norms about how intelligence services behave. Right now we're all trying to figure out what those norms are.
Thank you for mentioning international cyber operation norms. This is the center of US international cyberpolicy efforts. Ontologies describing categories of cyber operations often place destructive attacks like the one against SONY into a category of its own and these are usually considered fair only in very particular scenarios of provocation.
An addendum here regarding 'free speech'. There is some question about The Interview being a propaganda effort on behalf of the US State Department (which was given a preview as early as July) since #GOP released emails where CEO Lynton discusses the effects of the ending with RAND Corporation strategist and nuclear deterrence specialist Bruce Bennett and Lynton confirmed analysis of its effectiveness with Senior State Department officials. (It also doesn't help that the script writer was asked specifically to consider changing his character from an anonymous leader of NK to Kim Jong-Un).
"To be fair," there are norms about how intelligence services behave. That we, the proletariat, aren't aware of them doesn't make them any less real. That they've either changed or that we've only just discovered what they are doesn't say anything about what they are or used to be.
"Norms" don't necessarily make things objectively or even subjectively better. They just make them standard. Asking for norms will get you absolutely nothing, even if you get what you ask for: They'll just establish what they're already doing as normal, and continue to not tell you about the new things they start doing. Because that's what intelligence is; if they told people what they were doing, for better or worse, people would make it harder for them to do.
The norms in question are those of cyber attacks. This includes but is not limited to intelligence operations. The SONY attack, for example, was not an intelligence operation. The downing of the Syrian airforce was not an intelligence operation. Nor was Stuxnet or the Georgia cyberattack.
Norms are important because they are precursors to law (in this case international law). Norms create ground upon which a country can accuse another, a ground upon which you can achieve consensus among many parties, and norms set expectations of behavior that if loosely followed every country can benefit from.
I hold Sony primarily responsible for the release of private data, due to their ignoring basic security practices. Why are health records stored on Sony Pictures servers along with everything else? Why were data silos and graduated access not in place? I never see any of these corporate officers held to account for their decisions to not spend resources for security. The only people I have any measure of sympathy for are the rank-and-file employees caught in the middle of decisions made by well-compensated executives who never have to face the consequences of their disregard for anything other than themselves and their own compensation.
I have to take issue with "norms" for intelligence services as well. These are groups with no morals or ethics, what makes you think they would ever adhere to any sort of "norm." These are criminals and criminals do not adhere to norms imposed from anyone other than themselves.
I seem to be in the minority on Hacker News, but as someone in the professional computer security field I know that any company or state/department/organization can be hacked by a motivated attacker. In the case of SONY, the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent. The malware similarly could not have been detected, as signatures for this specific compilation were not known.
I have a hard time blaming the victim of a cyber attack that would have been practically impossible to prevent. I agree that SONY made bad decisions with regard to its hoarding of unnecessary data, but also recognize that this is hardly unique to SONY and not standard advice given by security professionals (it should be).
Norms are important so that you can accuse 'groups with no morals or ethics' of doing something wrong. Norms may only discourage and not prevent behavior but without norms it's difficult to find common ground for behavior that may otherwise be chalked up to 'culture' or 'tradition' or 'nature'.
> but as someone in the professional computer security field I know that any company or state/department/organization can be hacked by a motivated attacker.
You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.
That's something I'd expect to see at some small business with no professional IT on staff... certainly not from a multi-billion dollar company with thousands of employees and a full-time professional IT staff.
Sure, the attackers may very well have spearphished their way inside, but once inside, they didn't have to go through any of the normal hassles of island-hopping with more exploits, etc. They just logged in like they belonged.
Motivated attacker or script-kiddy, once inside, Sony made it awfully easy.
> You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.
FWIW this is my experience with multi-billion dollar companies with thousands of employees and full time professional IT staff.
Perhaps we can get other security professionals to chime in.
Once you get a foothold in a corporate environment, it is the unfortunate truth (I'm sure others will back me up here) that it is very easy to move around without 'island hopping with exploits'. For the most part, pivoting by passing-the-hash will work for 99% of networks.
It is also my understanding that the malware that was purchased for this compromise had the capability to persist across the network, to exfiltrate data, and to sabotage computers.
> the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent
I'd challenge that assertion. Employees are often the first line of defense for any company, be it seeing something suspicious or knowing when to alert the right people. Investing in phishing attack training can be very worthwhile. Or at least adopt a strict company policy that helps ward off the basic forms of this attack.
It's not uncommon to have a company-wide policy that users are not allowed to open attachments in any email from anyone without IT's approval. It's inconvenient, sure, but it protects against multiple email-based attacks (everything from simple viruses to more advanced phishing attacks).
There's even phishing attack training specifically targeted at large enterprise (they send phishing attack emails to your targeted employees and when they fall for it, they get a quick lesson and explanation). [1]
I have never seen corporate policy with regard to attachments and link following effectively thwart a spearphishing campaign and have been privy to studies done at large corporations before and after phishing-awareness training. The short of these studies is that after approximately a week employees mostly reverted to regular habits and that during the week of high alert many employees fell to the internal audit anyway.
Then again, this is only from two studies done at one large corporation.
I looked around but could not find any studies or data about the long term effectiveness of phishing awareness campaigns (only PR junk), nor could I find evidence that SONY did not engage employees with these sorts of policies and training. Do you know of any such studies?
Do you believe that #GOP would not have gotten in if there were more strict policies and more frequent training?
> In the case of SONY, the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent.
Investment can make spearphishing much harder. Defense is not always absolute, but about raising the cost for the attacker.
I agree that all security is a cost-benefit tradeoff. This is of course folklore wisdom. The importance with regard to the SONY case is that SONY was not the victim of an opportunistic attack but was targeted specifically. In this case, it is highly likely that SONY did invest in training its employees in corporate policy and security awareness (at least as much as any other corporation).
I have trouble thinking of a cost-effective way that SONY could have prevented #GOP from getting in.
IMO SONY had two failures:
1.) The hoarding of data. Again I don't think that this is uncommon. I would expect to see this at pretty much any company of their size.
2.) The lack of an ability to respond to the APT once it was discovered. This is extremely tricky business, but a critical piece of security. It is common now for businesses to assume that they have been compromised and to build out the capability to recover and isolate issues as quickly as possible. Unfortunately for SONY, all of their data had been exfiltrated out of the network by the time they knew there was a problem.
Nothing is different if they are also targeted specifically.
The context of the discussion is that SONY, even if it 'increased spending on defense' would have been compromised because it was targeted in an attack rather than an attack of opportunity.
Amazon and Google also get hacked. So does Adobe and Microsoft. So does the DoD and Whitehouse. So does JPMorgan and Wallstreet.
Ditto keep in mind that so-called "hacking" isn't just digital. Social engineering in many instances is involved in hacks. Boil it down to not only discovering vulnerabilities in code, but people as well.
I agree about lack of basic security, and that's the reason we have security compliance programs. Security Awareness Training, classification of health records as sensitive, and properly segmenting those sensitive health records from the rest of the environment are all appropriate controls that security compliance prescribes. It took me 6 months to decipher PCI and 3 months to implement. To others, compliance may seem like a joke, but I felt very confident that at least I had done 100% my due diligence in protecting our customers and employees. I think that's all they can ask and all we can give, 100% honest due diligence.
Interesting. I had thought it was common knowledge at this point that the US regularly hacks and is hacked by other nations.
I think the biggest splash this article may have is added narrative supporting the truthiness of USG attribution to NK - something that seems to be held in high doubt by a large percentage of the technical crowd (but that I think seems pretty reasonable).
It's perfectly fine to be OK with your government hacking other countries while also being mad when those other countries do the same thing (though it's foolish to be shocked when it happens).
> It's perfectly fine to be OK with your government hacking other countries while also being mad when those other countries do the same thing (though it's foolish to be shocked when it happens).
I would disagree that this opinion is fine; this is only fine if one selfishly considers oneself more important than the 7000000000+ other people on the planet.
Do you really not consider yourself and family more important than most of the 7000000000+ other people on the planet? There are plenty of people more important than me, but I wouldn't sacrifice myself for any of them. In the same vein, it would be foolish for me, a US citizen, to say that my government should intentionally weaken itself for the benefit of the citizenry of other countries.
> ...government should intentionally weaken itself for the benefit of the citizenry of other countries.
Considering that the majority of Earth's people and natural resources lie outside the US, the long-term best move for the US is to promote global stability and equality. It's not a matter of weakness vs. strength, but short-term vs. long-term thinking.
> There are plenty of people more important than me, but I wouldn't sacrifice myself for any of them.
Personally, I think humanity as a whole is pretty important. I wouldn't sacrifice myself for one other person without a really good reason, but I'm more than happy to accept a small short term decrease in local living standards in exchange for the long term stability and prosperity that would come from raising global living standards.
Specifically with regards to surveillance, the NSA is weakening the long-term position of US companies by leaving their systems and software vulnerable to known exploits, and by their actions, encouraging other countries to do the same. It's a negative sum game.
Searching all directions
with your awareness,
you find no one dearer
than yourself.
In the same way, others
are thickly dear to themselves.
So you shouldn't hurt others
if you love yourself.
And another thing from Spiegel's article. NSA routinely attacks targets and then makes it look as if someone else did it:
> But the loot isn't delivered directly to ROC's IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators.
So how do we really know it was North Korea, and not just NSA planting that evidence that NK hacked Sony in those two months? I mean other than "trusting NSA"?
We can't really know. There is no way to be perfectly certain.
That said one can apply an Occam's calculus using whatever information and reasoning you do trust. I personally trust that, whomever the #GOP was, they were motivated by SONY's role in developing "the movie of terrorism". This seems to me to be consistent with what the group published and with their 'Christmas surprise' showing collaboration between the State Department and SONY on the development of the movie related to its diplomatic value - something I don't think the NSA or allies would do. So I think the group had NK sympathies in mind. Granted, this doesn't rule out attribution to other states or hacktivists who hold these sympathies.
This post is another example of a trend in this thread to down vote the on-topic posts. Am I the only one that noticed that the highest voted comment in this thread is about Clapper splitting the bill? Why aren't we discussing the rest of the article?
This is the second NYTimes article I've seen that has suggested that the NSA was collecting information on a group while that group was planning an attack, but that the collection or the analysis was not sufficient to stop the attack. (The other article was on the Mumbai terrorist attack).
This is interesting and you could look at it a number of different ways:
- Collecting data is one thing, but understanding what it means is incredibly challenging and the NSA might not be doing a great job.
- Even when they can't prevent an attack, there is still value in having this data so that they can attribute the attack and understand something about the motives and methods of the attackers.
- Or "national security" doesn't mean what normal English-speaking humans think it means. The hack was no threat to the reigning industrial/government structure or the dollar.
Might be me, but I'd be surprised if they hadn't. They hacked so many countries including China[1], Mexico[1], Belgium[1], Syria[3], Iran[4], etc. (after saying that a digital attack is an act of war[2]). I don't remember each and every leak and I don't feel like looking up everything, but they seem to have targeted loads of people in various countries. I doubt North Korea (which is not even an ally) is the exception.
I don't believe that the US has ever said that "a digital attack is an act of war". The quote that you linked to says that the United States reserves the right to respond militarily to "hostile acts in cyberspace" if it exhausts all other options and judges the costs of action to be greater than the costs of inaction.
The statement is not saying that any cyberattack is an act of war, it is saying that the United States might treat certain attacks as the cost of doing business but that other attacks might require a military response, depending on the specifics of the incident.
Typical for the NYT to bury the strong countervailing evidence against the official war-mongering story in a couple of paragraphs 2/3rds of the way through the article.
> Still, the sophistication of the Sony hack was such that many experts say they are skeptical that North Korea was the culprit, or the lone culprit. They have suggested it was an insider, a disgruntled Sony ex-employee or an outside group cleverly mimicking North Korean hackers. Many remain unconvinced by the efforts of the F.B.I. director, James B. Comey, to answer critics by disclosing some of the American evidence.
> ... it would not be that difficult for hackers who wanted to appear to be North Korean to fake their whereabouts.
The sophistication of the attack is pretty questionable IMO. The malware used can be purchased by anyone on the black market and had been used before by Iranian hackers in 2012. Furthermore, spearphishing emails were used to get inside the network. Furthermore, how would sophistication be evidence against a State actor with (a reported) 7,000 personnel?
There is absolutely differing levels of sophistication in cyber attacks. The presence of new exploits, clever persistence mechanisms, evidence of a staged attack involving multiple targets (i.e. attacking a company through a compromised vendor, using a certificate from a prior breach), ability to break out of security boundaries like hypervisors, custom malware, jumping of air gaps, handling of multi-factor authentication, clever use and depth of reconnaissance, ability to change tactics in response to detection, specialization across multiple security contexts, highly scoped and pre-planned operations; these are some things that suggest higher levels of sophistication.
Unfortunately the term is thrown around pretty loosely, limiting the usefulness of the term.
Typical for Hacker News posters (in general) to dislike the United States government so much that, despite having complained and worried and speculated about the sophistication of the NSA's online snooping for the last year and a half, they assume that the government couldn't possibly have obtained any evidence they didn't want to release to the public, instead trusting the high certainty of experts who have decided that it couldn't have been North Korea because the Korean region setting is for the South Korean dialect or the writing didn't have the right 'Korglish' errors or other such trivialities (those are both actual points that have been made).
It's not as if the claims in this article that the U.S. has successfully penetrated North Korean networks (to the extent they exist, anyway) should be any surprise; it would be highly surprising if they hadn't. One might imagine that while the North Koreans are not super advanced, they know enough about how to analyze and remove malware that it might be better to stay vague, even at the cost of appearing less credible, rather than disclose specifics of what communications you're able to intercept. Yet surely, just because the finger is pointing at one of the usual enemies, it must just be warmongering rather than reflecting reality.
(Yes, yes, WMDs in Iraq. It is certainly possible that the U.S. really is that incompetent and/or hawkish. I just don't think it's very likely.)
The USG has lied like a rug about the casus belli and operations of most of its major military adventures since WWII.
If they had convincing evidence of NK involvement, they would find a way to share it without further compromising the collection method. Since the Snowden leaks, every non Anglo Saxon government in the world has had to assume the NSA has its hand up the ass of its IT infrastructure.
Does anyone not believe they had similar access to Iraqi systems before either of the wars? The problem with good intelligence is that sometimes it doesn't mesh with your political goals.
"Realizing that mere belief in the gap was an extremely effective funding source, a series of similarly nonexistent Soviet military advances were constructed in a tactic now known as "policy by press release." "
There is no information anywhere exactly on what the attack entailed or how it was carried out. So if it is a 1 on the sophistication scale or a 10 is anyone's guess.
According to the article, NSA noticed the first spear-phishing attacks against Sony in September. Yet they didn't realize admin credentials had been stolen until much later. Nor did they seem to notice terabytes of data being exfiltrated out of Sony. Fishy story.
Why would they notice terabytes leaving Sony? It's a motion picture studio. They surely have piles of film-related data flowing constantly in and out of all sorts of places. And it's not like the hackers sent it directly to Pyongyang.
As a member of the MPAA, probably the most hated organization in the history of the internet, I'm surprised that Sony wasn't under constant phishing attack. Given their total lack of internal security, I would have thought some angry filesharers would have broken in long ago.
Fishy? It seems quite likely that such a thing could be overlooked. The NSA was (as the article says) concentrating their efforts on the DPRK's nuclear weapons program. Some spear phishing attacks aren't exactly a priority in comparison.
If that's true, who's to say our guys didn't launch the attack from their computers? Why would they even admit to being in there? The NSA doesn't say anything unless 1) they have to, or 2) they want to. I don't see why they would make this claim.
Certainly false flag operations are a tactic that has seen reliable and regular use, especially in counterintelligence. But what purpose exactly would a false flag operation against SONY serve? Definitely not as a pretext to take action against North Korea - the US could much more easily justify actions against NK than it has many other nations in its history.
The NSA is arguably having a credibility problem at home in the US. It needs to convince the tech industry that there are enemies abroad who threaten their security, and attacks by nation states (who aren't the US) is something that is real.
North Korea is a great scapegoat. They can deny it all they want, and we don't care about the diplomatic costs, because it can't get any worse. People can't demand sanctions, can't demand recall of ambassadors, the only thing anyone could demand would be going to war with them, but for the most part, we don't care. They're the crazy uncle of the world stage. So basically, the only problem would be if the NSA got caught lying about it.
</ devils advocate>
However, getting caught would probably be the worst possible thing for the NSA (remember, there is likely still a leaker inside); as it would jeopardize the main benefit from doing this in the first place. So I don't think the risk versus reward pans out. That said if North Korea IS behind it, the above motivation for speaking out is still valid.
I similarly don't see the risk (and collateral damage) v. reward pan out. Plus there are so many legitimate cyber attacks against the United States, it would seem like a waste of resources. And it doesn't seem to me like the NSA would so joyously release the Lynton/Bennett/State Department emails. If they wanted to paint NK in a bad light this would seem so counter to that goal.
It's certainly being used as a pretext to lock down legal control of independent computation. The proposed updates to the CFAA and Obama's siding with Cameron on the intolerability of government-opaque communications have more credibility as a result of it. And it lends credibility to the steady reports from "a government official with knowledge of the matter" that US infrastructure is only an exploit away from being disabled by a hostile nation state, and to possible anti-hacker propaganda like the movie "Blackhat."
They could use North Korea "attack" to justify more local measures, you know, banning encryption, tighter regulations, more penalties... more or less what has been happening last weeks.
I absolutely believe that attacks are used as conveniences to justify legislative wishlists, but question whether such things are planned in advance like you are suggesting or are opportunistic responses to actual events.
Regarding encryption bans I've mostly seen justification referencing the Charlie Hebdo attacks (which are assuredly not a false flag).
Personally I believe that North Korean sympathizers were behind the SONY attacks given a number of pieces of evidence, but most heavily the #GOP leaks of emails detailing SONY collaboration with the US State Department and RAND Corporation that point toward The Interview being a strategic diplomacy product.
In 5 years time when this tit for tat results in some massive disruption in the US (power outage or something) people are going to be severely angry and say NK attacked them for no reason, etc. (i.e 9/11)
The US yet again going around the world making enemies, and giving them perfectly valid reasons to retaliate.
In some sense, this has already happened. The US State Department seems to have been involved, at least to some degree, with the development of The Interview as a propaganda effort (see the leaked Lynton emails) and this has upset North Korea, since it knows the movie would get leaked to its people.
The current narrative is that North Korea (or sympathizers) attacked SONY for absolutely no reason - or that they wanted to silence free speech arbitrarily.
The United States is regularly hacked by foreign states and regularly hacks them. Hopefully the development of international norms and increased investment in computer security cools global tensions and prevents the kind of infrastructure sabotage that would result in human casualties from happening.
Something that probably gets overlooked is that Sony is a Japanese Corporation, and that the politics between Japan and Korea are often to be considered.
Does this mean the NSA hacked Sony (from NK)? Would explain both the 'Sony internal' nature of the attack and the FBI's assertion that this was 'from North Korea'.
I've read enough comments about "We already knew that blah blah blah ...", "What's interesting is that blah blah blah ...". Seems that you guys get used to the reality so fast, the only thing you can do is try to dig into some detail about this kind of news and avoid discussing whether this kind of thing is RIGHT or WRONG from the beginning!
I'm planning to watch POI for the second time, may your god bless you Americans, and may there be a real hero like Reese or Carter.
But we all know that most people are just as normal as Lionel, they don't have the courage to face the problem alone. So let's just wait for your bright future. LOL
1. https://news.ycombinator.com/item?id=8869265
2. https://news.ycombinator.com/item?id=6829558