Max Kelly’s business card doesn’t say much: It has an email address, and a trade-marked black masking box where the name of his computer security company, [redacted], ought to be. He is deeply interested in North Korean affairs. But don’t ask him, for instance, whether the U.S. had a hand in the recent Korean rocket launch failures. He wouldn’t tell you, even if he knew.
Still, Kelly, darkly bearded with razor-sharp wit and an independent streak (he once ran for California’s State Assembly in the 41st District as a Libertarian candidate and picked up 4,136 votes, 3.6% of the electorate), is finally willing to share some new details, if not secrets, of an effort that just more than two years ago helped Sony Pictures to release its Seth Rogen-Evan Goldberg political farce The Interview. That happened in the face of violent threats, and of a cyber-attack that U. S. officials said involved the government of North Korean strongman Kim Jong-un. (North Korea denied involvement.)
In late 2014, when Sony was first attacked by hackers in what was later said to be North Korean retaliation for the film, Kelly—a former Facebook security chief—was an employee of the National Security Agency, detailed to the United States Cyber Command. Over drinks recently at a Santa Monica hotel and in subsequent conversations, both he and David Harvilicz, a fellow player in the Sony hacking drama, described a portion of the dealings that allowed Sony to release The Interview both in independent and small-chain theaters and via video-on-demand after major exhibition chains and companies as powerful as Amazon and Apple stood back, at least partly from fear of attracting a cyber-attack on themselves or their customers.
In the end, as described by Harvilicz and Kelly, an effort by smaller companies that acted quickly, somewhat bravely, and often in response to the personal conviction of principals who were offended by the notion that North Korea might actually curtail free expression in the U.S. overcame reluctance by some larger players to act in Sony’s defense. “This was the market versus free speech,” Harvilicz said. “There was a failure.”
Sony Hack: A Timeline
At a time when Kim Jong-un has been striking back with threats and some “entertainment” of his own—a recent North Korean propaganda video showed the country’s forces destroying a U.S. bomber and the aircraft carrier USS Carl Vinson—the Harvilicz-Kelly recollections carry a reminder that the Sony hack was indeed about more than the fate of a Seth Rogen comedy. In that case, said Harvilicz, things turned out well thanks to “American ingenuity and entrepreneurship,” and a stubborn refusal to be intimidated by threats. In his words: “Liberty is strong.”
In the North Korean worldview, there isn’t a strong line between a film and government policy. When Rogen and James Franco, a couple of media buffoons, killed Kim Jong-un in The Interview, they were seen to be committing a U.S.-sanctioned hostile act—so, as outlandish as the notion of a Korean attack on Sony seemed at the time, it was, in fact, consistent with a pattern of events that have kept North Korea and the U.S. at war or on the brink since the early 1950s.
Kelly became involved in the Sony episode through Harvilicz, a boyish enthusiast who looks enough like the cartoon character Tin Tin to include his image on emails (“I also have a dog,” he notes). The co-founder and chief executive of a small, digitally based fan maintenance company called Kernel—several of whose core workers have now joined him in a similar venture at much larger Fandango—Harvilicz had been pitching Sony a proposal to generate fan-oriented events, products and interest in advance of a film, The 5th Wave, to be based on a popular young adult book by author Rick Yancey.
But on Wednesday, December 17, Sony’s needs suddenly changed. The day before, hackers who had already crippled the studio’s digital operations had threatened physical attacks against theaters that dared to show The Interview. Within a day, the major theater chains said they wouldn’t play the movie, and Sony was forced to cancel its planned Christmas Day release. The studio immediately began searching for an alternative release plan, including the possibility of a VOD release, but was thwarted by general wariness among needed corporate partners, who controlled needed server capacity, about sharing the risk.
Harvilicz was within hours of boarding a flight for Malaysia when Andrew Gumpert, Sony’s business affairs president, called him that Wednesday with a proposition: Could Kernel build and arrange to host a portal for the film, to be ready by December 24?
The request wasn’t entirely unrealistic. Kernel, though small, included tech specialists who had worked with Hulu, and so were familiar with the business of hosting mass entertainment. While the tech team immediately tackled the architectural challenge of building a portal almost overnight, Harvilicz, eager to make a name for his young company, began hunting for servers that could accommodate an anticipated 5 million viewings over three days, beginning on Christmas Eve.
Large blocs of server capacity controlled by Amazon, Microsoft, Google, and Apple for the moment were out—the big tech companies, though not all categorically opposed to cooperating, were nonetheless wary of the hack, and needed time to investigate the security implications of hosting the film. Lynton would tell CNN on Friday, December 19, “there has not been one major VOD distributor or e-commerce site” that agreed to handle the film. Google was generally willing, and had strong security in place, but needed time to mobilize. BitTorrent, a file-sharing service treated gingerly by studios suspicious of pirates using technology of the same name, said it was interested; but Sony didn’t take up the offer. People associated with Apple’s iTunes, Comcast and Netflix told the New York Times they had no immediate plan to adopt the film, and Amazon declined comment. (Amazon did not respond to new query on the point last week.)
Meanwhile, Harvilicz, intent on helping Gumpert and Sony chairman Michael Lynton meet their Christmas deadline, immediately began calling every contact he thought might have access to servers not controlled by the giants. His first glimmer of success came with companies, both on-shore and off-, that controlled servers used for gambling and pornography sites. Some were willing to cooperate; but Lynton, mindful of Sony’s corporate image, scotched that foray “within minutes,” said Harvilicz.
On the night of Thursday, December 18, Harvilicz tried something different: A call to John Brown, a Marine veteran and Harvard graduate whom he knew from mutual work with the U.S. government in previous years. “Give me a minute,” said Brown, by Harvilicz’s recollection. Within an hour, Brown called back to say: “I’ve got a solution.” He directed Harvilicz to call Kelly, though it was already 3 AM on the East Coast. “He’ll help,” assured Brown.
Kelly, who before joining Facebook worked at the FBI, had moved to the NSA in 2010. He does not speak precisely about his role with either agency. By the time Harvilicz called, however, he was sufficiently familiar with Sony’s problems to be interested in joining the response.
It became readily apparent that government resources would not be available. (President Barack Obama publicly declared the attack an act of “cyber-vandalism,” not of war.)
Undeterred, Kelly asked for, and received, a leave of absence in order to work with Sony on the film release. In all, he was away from the government for about 10 days. In that time, he helped Harvilicz to locate a bloc of available servers—they decline to say precisely where– to host a portal that was called SeeTheInterview.com, a name purchased on Friday, December 19, from GoDaddy for $2.99.
With a VOD release now in prospect, Google locked a plan to show the film on its GooglePlay and YouTube services. Vanity Fair later reported that Google had a tech team on the Sony lot by Tuesday, December 23. Similarly, Microsoft opened the door to its Xbox portal.
Alamo Drafthouse and other small chains simultaneously mobilized support for a renewed Christmas theatrical release. But a fresh and even more difficult problem had arisen: How to take payment for the video streams without endangering the customers or companies involved? PayPal told Harvilicz it was willing to support a release, but would need as much as three months to work out security arrangements.
“I went to bed on Friday night thinking we would not be able to do it,” said Harvilicz.
But at 5 AM on Saturday morning, his Kernel co-founder, Andy Martinez, called to say he had a possible answer. Stripe, a new payment service run by the Irish entrepreneur Patrick Collison, was potentially willing to process transactions. But Collison would need approval from a corporate board that included Peter Thiel, Elon Musk, and Max Levchin.
Harvilicz spoke with Collison, who was in Ireland, on Saturday morning. Within 45 minutes, he said, Collison had approval from his board. As it turned out, Lynton had also approached Stripe through another contact, and found that Collison shared his belief that the film’s release was an important free-speech issue. Too, Collison called Max Kelly, who, by coincidence, had shortly before invested in Stripe, and Kelly’s assurances helped to move the board. In a statement on his company’s blog, Collison framed Stripe’s involvement as a matter of Web freedom. “Online freedom isn’t automatic, and it’s only through active effort that the internet will stay an open platform for creativity and innovation,” he wrote. “We take our role seriously.”
The price was set at $5.99, more than a token, but less than a previously unseen, big-star studio film would normally command. The arrangement required Sony’s willingness to forgo the usual digital piracy protection, in order to avoid collecting information that might compromise customers; so the film was widely downloaded by video thieves. But it achieved a commercial release, thanks to the stubborn insistence of individuals who were unwilling to see North Korea set a precedent by bullying an American studio. And, by early January, a large number of retailers, foreign distributors, and digital services, including Netflix and Sony’s Crackle, had struck arrangements to show the movie.
In August 2015, Kelly left his post to found his security company, though he continued to work for the government, in digital services at the White House, through last September. The Sony episode, he said, confirmed his belief that private measures are the best defense against cyber-assaults, whatever their source.
“The government is unwilling or unable to do what needs to be done, to protect U. S. companies who are on the front line of cyber-warfare,” he said.
“That’s why I left to start this company.”
Subscribe to Deadline Breaking News Alerts and keep your inbox happy.