December 15, 2014

Over the weekend I received a nice holiday letter from lawyers representing Sony Pictures Entertainment, demanding that I cease publishing detailed stories about the company’s recent hacking and delete any company data collected in the process of reporting on the breach. While I have not been the most prolific writer about this incident to date, rest assured such threats will not deter this reporter from covering important news and facts related to the breach.

A letter from Sony's lawyers.

A letter from Sony’s lawyers.

“SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen information, and to request your cooperation in destroying the Stolen Information,” wrote SPE’s lawyers, who hail from the law firm of Boies, Schiller & Flexner.

This letter reminds me of one that I received several years back from the lawyers of Igor Gusev, one of the main characters in my book, Spam Nation. Mr. Gusev’s attorneys insisted that I was publishing stolen information — pictures of him, financial records from his spam empire “SpamIt” — and that I remove all offending items and publish an apology. My lawyer in that instance called Gusev’s threat a “blivit,” a term coined by the late, great author Kurt Vonnegut, who defined it as “two pounds of shit in a one-pound bag.”

For a more nuanced and scholarly look at whether reporters and bloggers who write about Sony’s hacking should be concerned after receiving this letter, I turn to an analysis by UCLA law professor Eugene Volokh, who posits that Sony “probably” does not have a legal leg to stand on here in demanding that reporters refrain from writing about the extent of SPE’s hacking in great detail. But Volokh includes some useful caveats to this conclusion (and exceptions to those exceptions), notably:

“Some particular publications of specific information in the Sony material might lead to a successful lawsuit,” Volokh writes. “First, disclosure of facts about particular people that are seen as highly private (e.g., medical or sexual information) and not newsworthy might be actionable under the ‘disclosure of private facts’ tort.”

Volokh observes that if a publication were to publish huge troves of data stolen from Sony, doing so might be seen as copyright infringement. “The bottom line is that publication of short quotes, or disclosure of the facts from e-mails without the use of the precise phrasing from the e-mail, would likely not be infringement — it would either be fair use or the lawful use of facts rather than of creative expression,” he writes.

Volokh concludes that Sony is unlikely to prevail — “either by eventually winning in court, or by scaring off prospective publishers — especially against the well-counseled, relatively deep-pocketed, and insured media organizations that it’s threatening,” he writes. “Maybe the law ought to be otherwise (or maybe not). But in any event this is my sense of the precedents as they actually are.”

This is actually the second time this month I’ve received threatening missives from entities representing Sony Pictures. On Dec. 5, I got an email from a company called Entura, which requested that I remove a link from my story that the firm said “allowed for the transmission and/or downloading of the Stolen Files.” That link was in fact not even a Sony document; it was a derivative work — a lengthy text file listing the directory tree of all the files stolen and leaked (at the time) from SPE. Needless to say, I did not remove that link or file.

Here is the full letter from SPE’s lawyers (PDF).


129 thoughts on “In Damage Control, Sony Targets Reporters

  1. Sam H

    Sony has long ignored negative comments from customers and I’d be willing to bet that this hack is the result of long standing frustration with that attitude, plus the unwarranted and unreasonable actions of organizations like the MPAA. It’s been pointed out in several articles that this intrusion was against Sony Pictures, rather than Sony Corporation, but since one controls the other, they are one and the same and the policies of the corporation influence and control the entertainment arm. Personally I gave up on buying Sony products years ago because of their lousy customer service. Having said all that, I would be willing to bet that the single biggest factor that allowed this intrusion is BYOD. As someone who works in (the security group of) an industry where BYOD is allowed, I am both horrified and (slightly) delighted to see things like this happen. It provides a huge boost to our funding, but at the same time, senior management continues to insist that we allow them to use their personal iPad/iPhone, etc. on the company network.

    1. Tek_Inv

      “senior management continues to insist that we allow them to use their personal iPad/iPhone, etc. on the company network.”

      That’s all good as long as they are willing to accede to IT policies and requests regarding device and network security.

    2. Khürt Williams

      There is nothing inherently wrong about BYOD programs. BYOD promises lowered cost — employees buy own equipment — and improved productivity — work from any device at any time. Unless you get on-board with the program you will be sidelined. Find a way to give the business — the one generating profits — what it needs/wants in as secure a manner as possible.

      http://gcn.com/blogs/cybereye/2014/01/byod-security.aspx

      1. Frank Blank

        “find a way to give the business what they want….” That’s merely what everyone does and is why our cybersecurity is so porous. Security is inconvenient and high security is highly inconvenient. Not fun for even low level executives. Therefore things are as they are.

    3. C eye Oh!

      You’ve gotta be kidding me. Sony PE went down for one reason only – the wide variety of eminently hackable Windows and Enterprise systems on their networks.

      Witness the article on TechCrunch today that cites the only productive groups at Sony Pictures are the Mac and iOS-using people. Everyone else has been reduced to scorched-earth office equipment. Hauling out the Selectrics.

  2. one_percent

    I went picking through the folder tree that was posted on this site a while back. One thing I did find interesting is that there were several documents with the word “terminated” or “termination” in the title and an indivual’s name. I’m going to guess that was their termination letter or details surrounding their termination.
    It seems like such metadata might pass the test of infomation being declared “highly private”; perhaps not so much for Sony, but for the individuals. In either case, I don’t see the value in posting the directory structure when any enterprising individual can just go find it on their own. Seems like a risk not worth taking and though it may not be a successful attempt at legal action, any legal action gets expensive mighty fast.
    However, what’s the fun of making the money if you can’t enjoy spending it?

  3. Rajesh

    It seems more like the executives wanting the problem to go away by asking their attorneys to do “something” about it.

    The attorneys happily send these letters out (read billable hours).

    Still, can’t believe David Boies et al and his firm being a party to this blivit … I am starting to like the word.

    Remember that Boies was the guy who destroyed Microsoft. He is a pretty tech savvy guy.

    1. Joe

      Boies also represented the two-bit company SCO which sued IBM for a couple billions over some bogus claims about the ownership of Unix and Linux.
      Of course, SCO lost and ended up in Chapter 7 bankruptcy: https://en.wikipedia.org/wiki/SCO_Group
      Because of that, Boies nowadays lacks any reputation in the tech world.

  4. JC

    Got a message for Sony-

    Back off.

    If you encrypted your internal data, all this press would be a non issue.

    Nuff said.

    1. TK

      To JC, Brian and all the bloggers

      What were major management and technical gaffs in Sony’s security that caused this? Just simple summaries please…I want peoples view points.

  5. JJ

    Not really, JC. For one thing they obviously had access to running systems as well as large number of passwords and digital certificates. Even if Sony had encrypted almost everything, which I can guarantee that 99.9999% of companies do not do, they undoubtedly would have lost the decryption keys. It’s not difficult at all to pull decryption keys off running systems.

    And yes, you can be sure that the decryption keys would have been left lying around somewhere as well, maybe some admin’s Aol email account or something.

    Encryption is generally only a good control for “data at rest” like backup tapes that get lost in transit. It’s a weak control for all others due to the common implementation errors. The ONLY reason you are starting to see US companies use it is that it gives them a “Get out of jail free” card from most state notification laws. Why? Because the laws never have enough specificity to require reasonably strong implementation. As long as the stolen data was not plain text, they can claim safe harbor.

    It’s pretty much impossible for a very large, global corporation like Sony or JP Morgan to adequately secure everything. There are too many people involved, any one of which could be the key to unlocking everything. But you do not have to leave the doors and windows unlocked when you’re away on vacation after getting all of the neighbors mad at you either.

  6. JJ

    And as far as Mandiant’s “unprecedented” statement about Sony, Bloomberg has proven them wrong: http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas

    And Mandiant is now in the same league as Dell: “Similarly, Dell SecureWorks submitted an incident brief to Sands stating that the “attack was in response to CEO comments regarding Iran.” Sands executives made their displeasure known, and the next internal report from Dell, about a month later, omitted that page. Dell spokeswoman Elizabeth Clarke declined to comment.”

    1. Brian Cummings

      Paid service providers simply trying to provide high cover for their clients. Much like in a court of law, the truth about hacks needs to be dragged into the open, kicking and screaming.

    2. Eaglewerks

      I read in full (all 5 pages) of the above Bloomberg article. I found it both confirming and interesting. I wish it had more about the Sony Hack, but as we all know, that saga is still unfolding.

    3. Brian Cummings

      Is a cyber attack against a casino entity a good idea? Those organizations have “enforcers” who operate according to a different book of rules than law enforcement. The aftermath of the Sands attack may get very interesting, indeed.

  7. Brian Cummings

    Has anyone pointed out how unusual it is for a “living” person to be named in a film? Films usually have that disclaimer that says “…any relation to any person living or dead is purely coincidental.” The Sony CEO characterized the hack as an IT matter, trying to downplay it. However, seems like a business decision was made to do something out of norm with The Interview. Would the hack have happened if they had had a fictitious country and its leader, no matter how close the correlation might be to North Korea. Oops!

    1. Eaglewerks

      Movies, television programs, and most especially print have a history of discussing or exposing heads of state, dignitaries and sometimes royals in negative, positive, and even comedic renditions, sometimes factual sometimes fictitious.

      1. Brian Cummings

        Yes. The disclaimer is very much a “best practice” in the movie-making industry.

  8. Dave

    All the more reason to charge them triple on the movie rights to the book!

  9. NS

    Sony is the victim – that should not be lost in all of this. Bad people did bad things to them. Third parties should not exploit or profit from the terrorist acts of others.

    1. Kazoo

      That article was pretty good.

      Unfortunately, most people forget as quickly as they can. They keep on forgetting until the lesson(s) becomes overwhelmingly stark. Even then, a good percentage will try to forget a few more times.

  10. Bob

    Aside from the fact that Sony is an injured party, I have noticed over the years that their approach to many problems is to take a very arrogant stance.

    Remember years ago when music CDs from Sony contained a rootkit that could harm your computer simply by you listening to the music on the computer instead of a stereo system?

    When I was an independent IT contractor, I worked on some Sony computers. Their design deliberately made the laptops difficult to work on, so that only people trained and certified by them could readily work on them.

    I’m sure that there are many other examples out there of their level of arrogance.

    Their stance in this issue reflects the same sort of arrogance. I’m buying as few Sony products myself as feasible.

  11. Brian Cummings

    Sony Hack – Scary Implications: It occurred to me, maybe in a worst nightmare, that the Sony hack was based on some sleeper cyber-bomb already planted in their system and ready to trigger. Then the scarier thought occurred: What if such an exploit had already been planted in many other companies…hence the “Doomsday Christmas” warnings from the hackers. I don’t think the rest of us should take that warning lightly.

  12. Dan

    North Korea did it!
    The U.S. is getting ready to blame N.Korea for the mega hack on Sony Pictures as the studio said Wednesday it would cancel next week’s planned release of its controversial comedy “The Interview.”

    U.S. investigators say an announcement pinning the blame on hackers working for the Pyongyang regime could come as soon as Thursday.
    http://money.cnn.com/2014/12/17/media/the-interview-sony-theater-owners/index.html?hpt=hp_t2

    U.S. officials determine North Korea is behind the Sony hack
    http://www.washingtonpost.com/business/economy/top-movie-theater-chains-cancel-premiere-showings-of-the-interview/2014/12/17/dd1bdb2a-8608-11e4-9534-f79a23c40e6c_story.html

  13. Aztech

    It is funny that Sony is now making more threats around the world regarding this than the North Koreans.

    1. Tim A

      That’s the trailer for American Sniper, hence the “trailer-american-sniper” in the URL. And I can find any Sony story by Jayne W. Orenstein.

  14. Richard Bartel

    It looks like a large share of the Sony attacks were coordinated from a convention center in Singapore, and Thammasat University in Thailand.

  15. Wlad Spany

    You’ve gotta be kidding me. Sony PE went down for one reason only – the wide variety of eminently hackable Windows and Enterprise systems on their networks.

    Witness the article on TechCrunch today that cites the only productive groups at Sony Pictures are the Mac and iOS-using people. Everyone else has been reduced to scorched-earth office equipment. Hauling out the Selectrics http://tinyurl.com/qjgd49f

  16. DarthDiggler

    I support Sony using legal measures to get news outlets from not publishing private emails. If Sony was responsible for some wrong-doing and these emails were evidence they would be news-worthy. Given that these emails are not any evidence of wrong doing there is no reason for them to be published by a news entity.

    Just as Mr. Krebs has stated in his book, the security industry is far behind the capabilities of cyber-criminals. It recently affected Sony and I am sure if it affected your company your opinion of the news-worthiness of private emails would be different if it was your emails exposed.

Comments are closed.