I found some arguments against NK being responsible.
http://touch.latimes.com/#section/-1/article/p2p-82344233/
...it may be wise to stay cautious; some cybersecurity experts who were skeptical of the North Korean connection are still skeptical.
The North Korea/"Interview" narrative is comforting in several ways. It feeds into the tendency to attribute almost God-like capabilities to an adversary, especially a secretive one; that's very much a scenario favored by Hollywood. (Think of the all-time definitive James Bond movie line, from "Dr. No": "World domination--same old dream.") And it helps Sony executives deflect blame -- how could anyone expect them to defend against an attack by such a sinister, all-powerful enemy? You can expect to see more coverage, like
this piece from CNN, about North Korea's shadowy "Bureau 121," purportedly its Cyberattack Central.
There are great dangers in mistaken attribution -- it shifts attention from the real perpetrators, for one thing. A counterattack against North Korea could needlessly provoke the regime, wrecking the few diplomatic initiatives taking place.
Here's a rundown of the counter-narrative.
--"Whitehat" hacker and security expert
Marc W. Rogers argues that the pattern of the attack implies that the attackers "had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time ... Occam’s razor suggests the simpler explanation of an insider," perhaps one out for workplace revenge. (N.B. "Occam's razor" is the principle that the simplest explanation for something is often the best.)
--The assertion that the attack was uniquely sophisticated, which is an element of the accusation against North Korea, is both untrue and incompatible with the North Korea narrative. It presupposes that a nation-state without a native computer infrastructure could launch an unprecedented assault. More to the point, very similar hacking technology has been used in earlier hacks in Saudi Arabia and elsewhere. The
consulting firm Risk Based Security has a discussion of these and other aspects of the Sony affair.
It's worth noting that Risk Based Security's team isn't entirely convinced by the FBI statement. In
an update to their commentary Friday, they observed that the agency has "not released any evidence to back these claims." They add: "While the FBI certainly has many skilled investigators, they are not infallible. Remember, this agency represents the same government that firmly stated that Iraq had weapons of mass destruction, leading the U.S. into a more than ten year conflict, which was later disproven.
--Attribution of responsibility for attacks is much harder than laypersons believe.
Kim Zetter of Wired observes, "Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail." Evidence pointing to North Korea, Zetter writes, is also consistent with attacks by "hacktivists," who attack institutions for political motives of their own.
For more skepticism, see these posts by hacker
Grugq and
Jericho.
It is one thing for us to so generously sacrifice Sony employee personal identities, social security numbers, credit card and banking passwords, intimate health and HR records, all on the altar of free speech. But what if all Americans had to pay the very same price - for the free speech of a Japanese entertainment company? What if even higher sacrifices had to be made if it should come to cyber attacks on infrastructure, including powergrids, dams and nuke plants? When you are playing for the highest stakes, you don't go turning the cube on every roll of the dice.
