The New York Times is reporting the FBI's director is publicly stating that the bureau has no doubt the North Koreans are behind the Sony hacking attack:
James B. Comey, director of the Federal Bureau of Investigation, said on Wednesday that no one should doubt that the North Korean government was behind the destructive attack on Sony’s computer network last fall.
Mr. Comey said he had “high confidence” in the F.B.I.’s quick determination that North Korea was behind the attack. He said skeptics in the Internet security world who have suggested other theories for who was responsible did not have all the information he does.
The F.B.I. director said national security concerns limited just how far law enforcement officials could go in revealing evidence that points to North Korea. But at a conference on cybersecurity in New York, Mr. Comey offered some of the evidence the F.B.I. had found.
One of the telltale pieces of evidence, he said, were a few I.P., or Internet Protocol, addresses that could be traced directly to North Korea. Mr. Comey said members of the group claiming responsibility for the hacking — Guardians of Peace — did a good job concealing their identities but slipped up in some cases.
“They used proxy servers to disguise” the trail of evidence, Mr. Comey said. “But sometimes they got sloppy.”
Should we believe him? After all, he is the FBI director, not exactly a source of truthful information.
(Score: 4, Funny) by hoochiecoochieman on Thursday January 08 2015, @12:54PM
It can only be true, because they showed some aerial pictures showing aluminium tubes. Isn't the Internet made of tubes? The hackers must be hidden inside the tubes.
I saw the pictures, so it must be true.
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @04:51PM
While it's true that the Internet is made of tubes and what you saw is a picture of tubes from North Korea to Sony with someone using them to hack, what you saw was really a Photoshopped image. What hackers do is they use Photoshop to hack the Internet by redrawing the tubes. Sometimes there is a door within a tube and they simply paint an opening over it and they use those to slip inside the perimeter and take things. Then they use the Photoshop erase feature to start deleting everything at the ends of the tubes.
Photoshop should be responsible for making this all possible.
(Score: 5, Interesting) by bradley13 on Thursday January 08 2015, @01:01PM
IP addresses, they show, nothing else. Obviously, he has never heard of proxies. If someone is good enough to pull off this hack, they aren't going to use easily traceable IP addresses. Meanwhile, any "real" evidence isn't being shown, just possibly because there isn't any.
Native Korean speakers have pointed out that the Korean texts associated with this case read like someone ran a Western language through Google translate. The hack almost certainly required inside knowledge, and there aren't many North Koreans who have worked for Sony.
What's behind the curtain? Why would the FBI want to point their finger at North Korea?
Everyone is somebody else's weirdo.
(Score: 4, Interesting) by zocalo on Thursday January 08 2015, @02:02PM
Ultimately though, the public still only has what the FBI et al are saying they have and no tangible evidence, circumstantial or otherwise, to back that up so we're not really any further along than yesterday in establishing how likely one theory is over another.
UNIX? They're not even circumcised! Savages!
(Score: 3, Insightful) by Anonymous Coward on Thursday January 08 2015, @02:36PM
Which shows you don't know jack shit about Intelligence work, or common sense. Nobody said it came from a "chance random PC." The idea is that if you want to intentionally fuck up North Korea, you'd purchase botnets and have them ping your own honeypot until you get a live one from the NK block (if you're not a state actor running your own botnet)... then utilize that system(s) for the attack as a proxy. Thus the FBI "discovers" "evidence" that the attack "came" from N.K.
*If* that's the level of proof being offered, then the FBI needs to fire whomever actually wrote the conclusion that Director Comey is parroting.
The reality is, though, thanks to George Bush and Colin Powell and their staffs, nothing this government offers as "evidence" should be trusted by anybody, ever. I'm still working out if this was actually a service to humanity or treason against the American public.
At least we know we've been here before, though. The only question, ultimately, is how many lives Barack Obama or his successor will squander on more pointless wars.
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @05:08PM
These wars are not pointless. They clearly reinforce the status quo, people with money make even more from the wars, and patriotism is rising at a disturbing rate. Every wounded or killed military service member is another intentional "hero" martyr in the never-ending war against whichever other the political class is scapegoating. Lives lost are of no concern to them. Those lives are merely a means to the end of retaining the current socioeconomic stratification.
(Score: 2) by zocalo on Thursday January 08 2015, @05:28PM
As to your other point, why not think about how flimsy your scenario's circumstantial evidence is? For that to work, all of the following would have to be true, and more besides:
A PC in DPRK got infected with a RAT.
That RAT was able to bypass the DPRK's firewalls and any other systems they might have designed to control & monitor Internet access.
The RAT was able to phone home and establish a connection with the botnet's C&C servers.
The C&C servers were able to send commands to the RAT, again circumventing the DPRK's firewalls etc.
That botnet operator was contacted by someone looking to shaft DPRK for the actions of the GoP.
The RAT is able to act as a proxy for connections to Sony's systems, a company that the DPRK presumably does not want any of their general populace dealing with right now (based on Comey's comments "connect" is all that is required, it can then drop the connection).
That seems even less likely to me than DPRK based hackers messing up their proxy configuration and connecting directly by mistake, but it's definitely possible and really needs to be something that the actual evidence the FBI has (whatever that may or may not consist of) can definitively rule out before they can be sure they actually have their man.
UNIX? They're not even circumcised! Savages!
(Score: 2, Interesting) by Synonymous Homonym on Friday January 09 2015, @07:41AM
Read this:
https://nknetobserver.github.io/?utm_content=10739531 [github.io]
NP has RedHat servers running Apache with OpenSSL reachable at public, assigned IPv4 addresses.
No circumventing of any firewalls necessary here. Or even traversing NATs.
(Score: 1) by fleg on Friday January 09 2015, @10:07AM
+1 interesting
(Score: 2) by zocalo on Friday January 09 2015, @10:38AM
You're still missing my point though, which is that the FBI's supposed evidence is *still* entirely unsubstantiated and what they are now claiming they have is also *circumstantial* - e.g. not something that can be considered as a fact for a conviction in a criminal court of law, no matter how accepting people are of the new "data". That doesn't necessarily mean it's entirely bunk though; there's one very obvious scenario that would absolutely allow the FBI to pin the blame on the DPRK in the timeframe they had and also provide hard evidence in the form of IP address logs; the NSA has pwned the routers via which all the DPRK's traffic (it's such a small allocation that the number of routes the traffic must initially take is low enough to make this possible) or has compromised systems within the DPRK's internal networks. If they can see all the inbound and outbound traffic, and can show that the connections were initiated from DPRK IP space without any corresponding botnet/proxy traffic inbound (e.g. be 100% certain they know the originating IP of the actual human operator), then the FBI's claims would actually be truthful, shocking as that might be.
Assuming this isn't just a false flag to justify more sanctions (or worse) then I suspect something along those lines is probably what's actually gone on here. Since that's obviously into sources and methods territory there's no way they are going to be able to make that data public - assuming it exists, of course, so we're probably just going to have to accept that the DPRK has been judged and sentenced by a Star Chamber on this one. Still, just because it's a Star Chamber doesn't necessarily mean that the evidence isn't valid, the accused guilty and the punishment permissible within the accepted and applicable legal frameworks - it just means that those outside the chamber don't get to know for sure.
UNIX? They're not even circumcised! Savages!
(Score: 1) by Synonymous Homonym on Tuesday January 13 2015, @12:25PM
> You do realise that there is almost certainly a difference between crossing a firewall inbound and outbound though, right?
Yes. Outbound is usually easier, and often the only way.
> You're still missing my point though, which is that the FBI's supposed evidence is *still* entirely unsubstantiated
No, I'm with you on that.
And I would be very surprised if the network infrastructure of North Korea wasn't at least partially undermined by the NSA.
Which would make a convincing false flag very easy.
(Score: 5, Insightful) by RamiK on Thursday January 08 2015, @02:46PM
The China–North Korea border is 1400km long with cell phone reception extending 10km into North Korea and individuals smuggling smart-phones and TVs all the time.
Fact is, there's no reason for NK to use any known IP for such activities when they can just as easily buy IPs from a Chinese carrier without the carrier even knowing who's the customers.
compiling...
(Score: 2) by zocalo on Thursday January 08 2015, @03:36PM
UNIX? They're not even circumcised! Savages!
(Score: 2) by ikanreed on Thursday January 08 2015, @02:54PM
It's hard to say IP addresses are poor evidence.
North Korea isn't exactly a Utopia for anonymous proxies, and IP blocks are, broadly speaking, allocated to countries.
Sure, it's hypothetically possible to say some other nation used North Korean resources to launch an attack that happened to be focused on NK's "interests". But an IP alone has been enough to convict people of file sharing in the past.
(Score: 1, Insightful) by Anonymous Coward on Thursday January 08 2015, @03:34PM
Of course the biggest issue is whether the presented evidence is real evidence, or was manufactured. I mean, it's easy to take a log, change IP addresses, and present the changed log as "evidence". It's certainly easier than to fake evidence of WMD. After all, it's just digital data, and logs are usually not cryptographically signed (and even if they were, with only parts of it shown, the public couldn't verify anyway).
(Score: 2) by ikanreed on Thursday January 08 2015, @03:38PM
I think if you're broadly willing to consider the FBI as manufacturing evidence, the problems in your hypothetical universe probably ought not to focus on some random hacking.
In this hypothetical universe, you ought to consider bombing federal prisons to free the millions of falsely imprisoned.
(Score: 2) by tonyPick on Friday January 09 2015, @07:15AM
> I think if you're broadly willing to consider the FBI as manufacturing evidence, the problems in your hypothetical universe probably ought not to focus on some random hacking
I would remind you of the (apparently widely accepted) US law enforcement technique of Parallel Construction [reuters.com], which is pretty much manufacturing evidence for cases where they "know" someone to be guilty, and concealing the actual investigation.
(Score: 2) by ikanreed on Friday January 09 2015, @03:13PM
It's not inventing evidence, it's dodging constitutional guards against improper evidence collection.
Those are not the same, and while both ideas form around the core notion that the government is doing something wrong, you actually have to prove the claim that you made.
(Score: 2) by urza9814 on Friday January 09 2015, @04:44PM
Who says the *hackers* didn't alter the evidence? I mean come on, you've got some disgruntled employee or Anon/Lulzsec type, or one of the millions of other people with plenty of motivation to want to take Sony down. Then you see North Korea making this speech to the UN screaming about Sony's new movie. Easier to change the evidence than conceal it -- if you try to just be careful and hide the evidence, you might miss something and they'll keep looking until they find it. If on the other hand you inject evidence pointing towards someone who they already suspect and who they already consider the enemy, then they're going to find that evidence and stop looking. If they wanted to frame someone for this hack, North Korea would certainly be the obvious and ideal choice.
(Score: 2) by tonyPick on Saturday January 10 2015, @09:59AM
> It's not inventing evidence,
From the linked article
> In a Florida drug case he was handling, the prosecutor said, a DEA agent told him the investigation of a U.S. citizen began with a tip from an informant. When the prosecutor pressed for more information, he said, a DEA supervisor intervened and revealed that the tip had actually come through the SOD and from an NSA intercept.
I'd agree that the objective point of the fabrications in these examples is to introduce additional evidence, and conceal the source of other information, into the formal chain they submit to a court due to the context they're using it in.
However inventing an informant is pretty clearly fabrication in my book, regardless of where the subsequent chain goes. Once you go down this line I'm not seeing a big step to inventing a log.
(and as an aside, I'm not the GP)
(Score: 0) by Anonymous Coward on Friday January 09 2015, @07:32AM
Out of curiosity: How much does JTRIG pay you?
(Score: 1, Funny) by Anonymous Coward on Thursday January 08 2015, @06:14PM
> IP addresses, they show, nothing else.
In related news the MPAA has issued subpoenas for multiple Duck Doe Johns charging them with illegal uploading of copyrighted material. The MPAA estimates that the losses related to this illegal upload at $25 billion, which is slightly more than twice the GDP of North Korea.
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @08:45PM
There probably is additional evidence... gleaned from secret NSA programs that may not have been leaked by Edward Snowden. At least we are not planning on invading North Korea.
(Score: 5, Insightful) by Nerdfest on Thursday January 08 2015, @01:08PM
The level of trust I assign to statements from the FBI is about the same as I assign to those from North Korea.
(Score: 4, Insightful) by DeathMonkey on Thursday January 08 2015, @06:02PM
> The level of trust I assign to statements from the FBI is about the same as I assign to those from North Korea.
In this case I trust NK more. The hackers managed to completely pwn Sony; but they are too stupid to realize you can be traced by an IP?
(Score: 2, Interesting) by Gallomimia on Thursday January 08 2015, @07:20PM
North Korea has no central bank controlled by the banking cartel of the west, and is therefore inherently more trustworthy.
I have personally met hackers who route their hacks through Iranian IP addresses just for laughs. (The only other country on the planet worthy of the same trust for the same reason)
(Score: 2) by mendax on Thursday January 08 2015, @07:13PM
There is an old joke about lawyers that I apply to the FBI and the other public statements by other Three-Letter-Agencies:
Q. How can you tell when a lawyer is lying?
A. His lips are moving.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 2) by Pav on Friday January 09 2015, @02:02AM
...or, in light of the blanket spying, how much they trust US. They're proven liars - perhaps they're telling the truth, but they've gone so far beyond just crying wolf...
(Score: 1) by CaptainK on Thursday January 08 2015, @01:26PM
is just an oxymoronic word for these three letter acronymed institutions.
Are they not imbued with so much deceit and false morality, that we can make no trust with them whatsoever?
Your imagination is your only limitation to creation.
(Score: 1) by poutine on Friday January 09 2015, @04:07AM
You should pick up a book. Oxymoron doesn't mean what you think it does. It's when you have MULTIPLE words, that seemingly contradict each other, like jumbo shrimp. Educate yourself and don't try and sound smarter than you are.
(Score: 2) by wonkey_monkey on Thursday January 08 2015, @01:35PM
F.B.I. Has No Doubt tWhat North Korea Attacked Sony, says Director
tWhat, no spellcheck?
systemd is Roko's Basilisk
(Score: 1) by Buck Feta on Thursday January 08 2015, @01:37PM
> tWhat North Korea
Also spelled tWat North Korea in some cultures.
- fractious political commentary goes here -
(Score: 2, Interesting) by MichaelDavidCrawford on Thursday January 08 2015, @02:06PM
There are a whole bunch of good reasons for the FBI not to disclose certain kinds of information, such as the identities of informants whose lives would be at risk were their names to be made public.
But for not the President, but the Commander-in-Chief to threaten retaliation, is to threaten an act of war. To actually carry out such retaliation, is actual warfare.
Suppose NK wasn't _really_ behind this, or alternatively, suppose that North Korean people pulled it off, but by working alone, on their own initiative and not on behalf of the government of the DPRK. While North Korean residents would not have the means to pull this off without the government's knowledge, there have been many North Korean citizens who have left the country, whether they defected, got permission to emigrate, are in other countries that trade with the DPRK - it sells missile parts all over the world.
If this wasn't an act of official North Korean government policy, then the US either has, or will carry out a unilateral, unprovoked attack against completely innocent people. The DPRK would be completely within its rights to retaliate. Consider that Seoul is only thirty miles from the DMZ, South Korea is full of US troops and US citizens, and that NK has enough short-range missiles to make a smoking crater of the South Korean capital as well as a whole bunch of American military bases.
If the DPRK really is behind this, then the American public deserves to know why the FBI thinks so. There are all kinds of ways they could demonstrate that without putting human lives at risk.
Yes I Have No Bananas. [gofundme.com]
(Score: 1) by Rich on Thursday January 08 2015, @02:19PM
When I think of this "6000 strong" NK hacker force, I have to imagine 10% of them being grouped in one big hall, in a slightly derelict building with a depressing, cold, flickering illumination, empty for nothing but 30 rows of benches with 20 hackers in each bench. The hall all in a dirty, somewhat spotty light gray, the hackers all identically dressed in pale olive gray uniforms. There are some windows, with grids, not because the hackers have to be kept locked in, but because no large size sheet glass was available to the builders. On the benches the finest i386 machinery in slightly pre-ATX desktop casing, each with a 14" multi-sync CRT on top, the wires of each of the 600 machines routed in identical fashion. At the front of the room, also in one of the pale olive gray uniforms a woman, significantly larger than the hackers at the benches. Possibly a hammer throwing athlete from the NK olympic team. The woman holds a cushioned stick in each hand, with which she slowly beats a drum in front of her that somewhat resembles the drums known from Japanese rhythm & dance performances. On each beat of the drum, one huge clacking vibration shakes the air, as each of the hackers hits the next key in his work.
And now, these guys creatively come up with that http://blogs-images.forbes.com/thomasbrewster/files/2014/12/Screen-Shot-2014-12-03-at-08.34.38.png [forbes.com] splash screen?
Please.
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @04:11PM
Damn those republican hackers!
(Score: 2) by FatPhil on Thursday January 08 2015, @04:42PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by The Archon V2.0 on Thursday January 08 2015, @02:48PM
> Mr. Comey said he had “high confidence” in the F.B.I.’s quick determination that North Korea was behind the attack.
Well, it's a shame then that no one has any confidence in you, isn't it?
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @03:31PM
Just because you see the IP of one or even a dozen likely ancient bot-netted XP boxes from NK doesn't mean you were hacked by NK.
But they sure are a convenient patsy.
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @04:22PM
... Why would they dump all the info to the world, instead of strategic leaks of small pieces of it?
(Score: 2) by Jeremiah Cornelius on Thursday January 08 2015, @06:22PM
They are a WEAPON of an undeclared, low-level war of aggression by the United States. The truth is an irrelevant quality in information warfare - actually an inconvenience.
The aide said that guys like me were "in what we call the reality-based community," which he defined as people who "believe that solutions emerge from your judicious study of discernible reality." ... "That's not the way the world really works anymore," he continued. "We're an empire now, and when we act, we create our own reality. And while you're studying that reality—judiciously, as you will—we'll act again, creating other new realities, which you can study too, and that's how things will sort out. We're history's actors…and you, all of you, will be left to just study what we do."
N.B. [nytimes.com]
IGNORANCE IS STRENGTH
You're betting on the pantomime horse...
(Score: 1) by Synonymous Homonym on Friday January 09 2015, @07:16AM
Wow, so they have indeed rejected our reality and substituted their own.
(Score: 1) by goody on Friday January 09 2015, @12:01AM
Yea, not exactly a source of truthful information, like that little kid dictator with a small appendage and an inferiority complex who had his uncle and family executed.
(Score: 0) by Anonymous Coward on Friday January 09 2015, @02:36AM
Neither should be trusted. Which leaves the opinions of credible, independent security experts... who all seem to think NK didn't do it.
(Score: 1) by Synonymous Homonym on Friday January 09 2015, @07:10AM
> that little kid dictator with a small appendage and an inferiority complex who had his uncle and family executed.
What has Raja Gyanendra to do with all this?
(Score: 3, Insightful) by urza9814 on Friday January 09 2015, @04:59PM
So hang on a minute. There's one very important question nobody has answered. If this was North Korea, what was their motivation? Why did they do it?
I mean OK, they were pissed about The Interview, right? But they didn't stop the release of the movie. And their attacks didn't seem to focus on that, they dumped a bunch of unrelated info to the internet, tried to shut down Sony offices, but I haven't seen much specific to that movie. If they were trying to stop the movie, they were clearly trying to do so through broad intimidation. A show of force. But you can't do a show of force in secret, that kind of defeats the purpose. They want Sony and the USA to be afraid of their great power, but they claim it's *someone else's* power? And they then offer to help investigate that person? I can understand that they might not be able to directly admit it, since that might be an act of war, but that just means they don't want it to be *provable* that they were behind it. They'd still want people to *believe* they were behind it.
So in what universe does that make sense? These aren't the actions of someone looking to intimidate, these aren't the actions of someone trying to demonstrate their power. These are the actions of someone who just wants to screw with Sony. That's not generally how a military would operate. Even one controlled by a fanatical dictator.