Brian Honan still doesn't buy it.
At a cybersecurity conference at Fordham University on Wednesday, Mr. Comey announced the agency's newest piece of technical evidence: Internet protocol address. The hackers, he said, blundered while sending e-mails and failed to mask the true IP addresses that represent their devices on a network. Those addresses, he said, were "exclusively” used by North Korea.
But that wasn't exactly the smoking gun Honan and other skeptics in the security community needed to convince them that North Korea is the real culprit.
"IPs can be spoofed and computers at IPs can be compromised," says Honan, director of BH Consulting, an Irish security firm. “In my experience, no IPs are every guaranteed to be ‘exclusively’ used by anybody."
Honan wonders why these IP addresses had not been released to researchers for independent review or, at a minimum, to allow network administrators at risk of an attack from North Korea to block that traffic.
"The last time the FBI said IP addresses they found were controlled by North Korea was when the initial statement said they were hardcoded into the malware. Experts agreed they were wrong,” says Rob Graham of Errata Security, an Atlanta cybersecurity firm. "There is little reason to believe them this time."
He's referring to research conducted by Scot Terban, a security expert and popular blogger often known by his Twitter handle ‘Krypt3ia,’ and Sean Sullivan of F-Secure, a Helsinki-based provider of online security products.
According to Mr. Terban, the IPs pointed to an international list of widely used proxy servers and one compromised computer in New York.
While Mr. Sullivan is reserving his judgement on the e-mail IPs until his team can examine them, he still questions some of the vagaries in Comey’s talk this week.
"The FBI didn’t say why they thought the e-mails were actually from the hackers," says Sullivan. "It could just be a separate group of North Koreans saying ‘You guys suck.' "
According to Terban, Comey didn't produce enough evidence to back up his claims about the IP addresses. “If they have a log, produce the log. It’s not like North Korea doesn’t know.”
Meanwhile, analysts that already agreed with the government's North Korean attribution continue to support the FBI's theory.
"I was always certain. I’ve seen what they've seen," says Dmitri Alperovitch, cofounder of CrowdStrike, a California security firm. Soon after the initial FBI report linking the Sony hack to North Korea, CrowdStrike announced it had been tracking the same North Korean hackers for many years.
Mr. Alperovitch says that FBI's announcement this week was more about sending a message to enemy states that the US is capable of quickly attributing cyberattacks and less about convincing loud and dissenting voices in the security community.
"Establishing a precedent for response," said Alperovitch. "That's what they were thinking."