Sony hackers: it's not the North Korean government, nor an insider, suggests security expert Bruce Schneier

Private emails from ordinary staff released by Sony hackers show why privacy is so important - Schneier

Cryptographer and security expert Bruce Schneier has suggested that the hackers behind the devastating hack and leak of internal data from Sony Pictures is neither the work of the North Korean government, nor of insiders.

"At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it's not an insider, either). That we live in the world where we aren't sure if any given cyber attack is the work of a foreign government or a couple of guys should be scary to us all," he wrote in a blog post.

Instead, he added, the attack looks like the work of a handful of committed hackers, targeting Sony because of the reputation it has earned in the IT and hacking community over the years.

"Sony is a company that hackers have loved to hate for years now. (Remember their rootkit from 2005?) We've learned previously that putting yourself in this position can be disastrous. (Remember HBGary?) We're learning that again," wrote Schneier in a blog post.

And, he added, the most devastating information that has been released by the hackers isn't the unreleased films or executive communications, but the emails from ordinary staff, including credit-card log-ins and staff emailing each other about private matters.

"These people didn't have anything to hide. They aren't public figures. Their details aren't going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and read this stuff," wrote Schneier. "This is why privacy is so important for everyone."

Back in 2007, in a magazine interview, Sony Pictures' then executive director of security said that it was a "valid business decision to accept the risk of a security breach" if the cost of protecting against such attacks was higher than the probable loss.

However, the latest "guestimate" of the cost of the attack is now in excess of $100m, and could be even more, depending on the losses arising the widespread piracy of content stolen during the attack. "I don't see how Sony launching a DDoS attack against the attackers is going to help at all," added Schneier.