Tuesday, December 23, 2014

Dear Leader's Lesson in Confirmation Bias

Brian Krebs has a blogpost citing those who claim evidence of North Korea involvement in the massive Sony hack. He uses as an example the similarities between the Sony defacement and a South Korean defacement that was attributed to the North Koreans. He shows these two images side-by-side so that you can see that they are obviously similar.

However, they don't look similar at all. This is generally what all website defacements look like. Specifically, the common components among defacements in are:
  • black background
  • green, red, and white foreground
  • "Hacked by" message
  • WARNING banner
  • Phrack-style headers (like ::: on either side of header)
  • Powerful picture in center, often a skull
  • Message that strokes the ego, often "we are legion" style
In the bottom of this post, I include a gallery of other defacement pictures, so that you can see that this is normal hacker underground culture.

There are certainly some similarities, such as the "we have all your data" message. But that's easily explained by the fact that the South Korean hack was widely popularized in the media, so it's easy to see how they would take this as inspiration. Or, it's just simply that if the goal of your hack is to steal data and extort the victim, this is pretty much always going to be how your phrase it.

At the same time, there are many dissimilar items. One does multiple colors in the same word, the other doesn't. One capitalizes every word, one doesn't. One appears to have copied and pasted from a word processor with broken unicode characters, the other didn't. Stylistically, these point to very different groups.

This is an example of something called confirmation bias, a well known logical fallacy. Once you've decide on the conclusion ("North Korea hackers"), your perception of the evidence changes. Everything you see starts to confirm your conclusion. This is especially true when you are ignorant of the larger perspective. To those of us with perspective, we don't see the evidence that you believe in.

I see the similarities with the underground as disproof of DPRK involvement. North Korean hackers are trained as professional, nation state hackers. They aren't part of the vast world wide underground of hackers, were kids start as teenagers and are mentored by the system. This vast underground shares culture, tools, techniques, and processes. That's why attacks from wildly diverse cultures often appear the same. North Korean may certainly recruit foreign hackers into their teams, or contract out tasks to foreign groups, but it's unlikely their own cybersoldiers would behave in this way.

Here are a bunch of defacements. See for yourself whether the above two are particularly similar.

1 comment:

Anonymous said...

Then you have the Trippin Smurfs who went for a Mondrian look.