
Stuxnet is embarrassing, not amazing - r11t
http://rdist.root.org/2011/01/17/stuxnet-is-embarrassing-not-amazing/
======
danilocampos
Real Mossad Operatives Ship.

These guys weren't making a paean to beautiful, hardened software to impress
their hacker friends. They needed to get the simplest, most reliable and
effective code possible out the door in as short a time as possible.

Israel bought itself a few more years of a nuke-free Iran. This is a
successful, amazing, even miraculous outcome. Outside of nerd circles,
software is measured by results, not architecture or complexity. Beautiful
systems that never ship are fine for weekend projects but, uh, we're talking
about stopping a _nuclear weapons program here_. It's a bit like saying that
Apollo 11 was bullshit because the accommodations weren't anywhere near as
nice as flying on Pan Am.

Stuxnet is the Jack Bauer of software. Rough edges but badass and gets the job
done under impossible circumstances.

~~~
gruseom
_we're talking about stopping a nuclear weapons program here._

But the unanimous consensus ("with high confidence") of all 16 US intelligence
agencies remains that Iran does not have a nuclear weapons program. I haven't
seen that mentioned once in any discussion of this subject here. That's just
weird.

I don't follow this stuff closely and obviously have no idea what's going on
behind the scenes, but it seems likely that everything about this business is
stuffed to the gills with propaganda. Is there any credibly objective source
anywhere?

~~~
Confusion

    But the unanimous consensus ("with high confidence") of all 16 US intelligence agencies remains that Iran does not have a nuclear weapons program.

Israel has enough to worry about without Iran developing nuclear weapons. I
sincerely doubt they would keep bringing it up if it obviously wasn't the
case. They really don't need it for their case. So I would like to see the
evidence for your assertion.

~~~
MichaelSalib
I'm not the original poster, but the idea that the US intelligence agencies
have collectively decided that Iran's nuclear weapons program is inactive is
not some crazy conspiracy theory: the most recent NIE really does say that.
[http://www.nytimes.com/2007/12/03/world/middleeast/03cnd-ira...](http://www.nytimes.com/2007/12/03/world/middleeast/03cnd-iran.html)

------
nikcub
Stuxnet worked. Very well. It was out in the wild, by best estimates, for over
two years before it was detected. During that time it caused complete chaos
within the Iranian nuclear program (to the point where some officials were
executed on the suspicion of espionage).

This post and its backhanded compliments are very arrogant in a way that
epitomizes everything that is wrong with the security industry. It is a game
of one-upmanship amongst those who can talk the talk but not walk the walk.
This blog post is basically:

 _Dear most successful team of virus and backdoor writers in history who
completely changed the paradigm for what worms can do, I suggest you read this
book that I probably know nothing about or haven't read and definitely do not
understand. Ps. here are a ton of links to stuff I googled that you didn't do,
pss. isn't it awesome that you are anonymous and can't respond to my
criticism? psss. Did you get the part about me being smart?_

Pathetic. To make it worse, the entire industry is full of such assholes.

~~~
tptacek
Nate Lawson is not trying to one-up anyone in the security industry. He works
on a level above most of the rest of us, spending most of his time on hardware
and cryptosystem projects. To imply that he's part of the Black Hat
vulnerability research bugfinding rat race is to betray a comprehensive lack
of understanding of how our field is structured.

I'd challenge you to find any reputable party in that field to challenge this
summary. There's a whole Twitterverse of security experts that will back me up
on this. Nate's not an egotist, and that's not where this post is coming from.

The place Nate is coming from is one of skepticism. He's challenging the near-
hagiographic conventional wisdom that Stuxnet's sophistication is a clear sign
of its intelligence lab origins. If Stuxnet isn't particularly sophisticated,
that doesn't mean it wasn't set into motion by nation-state actors, or that it
was ineffective, but it does knock down one factor in most of the discussions
about the importance of "cyber warfare". Maybe Iran's nuclear plants were
simply absurdly exposed to IT-based attacks due to sheer incompetence.

~~~
geophile
_He's challenging the near-hagiographic conventional wisdom that Stuxnet's
sophistication is a clear sign of its intelligence lab origins._

I thought this conventional wisdom was based on the success of stuxnet, once
delivered, at having the desired effect on the centrifuge. The article appears
to be based on techniques used in delivery of the payload, not the payload
itself.

~~~
tptacek
An expertly constructed industrial sabotage malware might have taken more
steps to obscure itself simply so that it could leave the same avenue of
attack open to itself in the future, perhaps at a different target. That alone
seems to argue against this being the handiwork of the "best & brightest" in the
US intelligence community.

~~~
MichaelSalib
_That alone seems to argue against this being the handiwork of the "best &
brightest" in the US intelligence community._

Noob question: is it widely believed in the security community that the US
intelligence community has lots of 'the best and the brightest' when it comes
to malware construction?

I only ask because I recall a bit of Jane Mayer's book that explained that
post-9/11, the CIA didn't have any professional interrogators on staff because
they weren't in the business of holding prisoners in custody to interrogate.
Just curious if a similar phenomenon might be at work.

~~~
tptacek
NSA is a hiring pipeline for software security. Some very, very talented
exploit developers have come out of NSA.

------
geophile
I know nothing about malware, but I know a lot about shipping production
software.

- Simpler is better than complicated. As pointed out in one of the comments
on the article, increasing complexity increases risk of failure.

- Proven techniques are, uhh, proven. Newer techniques are inherently
riskier.

- Really speculating here, but maybe impenetrable obfuscation was actually
undesirable? I wonder if the authors (seems to be Israel and/or US) wanted
Iran to figure out who was behind it. A successful cyber-attack means that
future attacks of the same sort are possible, and adds a bargaining chip to
the Israeli/US side. This can lead to Iranian concessions down the road.
Without a proven success, a similar negotiation tactic would have to be much
more difficult.

~~~
viraptor
Alternatively, maybe they just thought it is not that important? They were
attacking important infrastructure. They were actually going against a
country... which had access to the destination machines. As long as they go
through usual AVs and don't do extensive dynamic updates of the malware, how
much time would they gain? How many experienced people were _really_ looking
at that thing? Since their attack wasn't really done the day after the malware
was released, even hiding the payload for a month or more wouldn't make much
difference in reality, would it?

------
raganwald
_No wireless. Less space than a nomad. Lame._

Substitute any of a thousand critiques of <any language except Lisp|Haskell>,
Windows, Linux, you name it that is out in the world getting its job done.

~~~
tptacek
Uncharacteristically facile. The subtext of Nate's post is that while Stuxnet
clearly didn't foreclose on Iran's nuclear ambitions, its careless design may
have foreclosed on an otherwise viable nonviolent method of shutting down the
harmful industrial processes of other rogue states.

Nate is saying, take exactly one step back and look at Stuxnet and you see
that it has _two_ jobs: one†, to retard the Iranian nuclear program, and two,
to do so at a minimal cost to future intelligence activities. At that second
objective it seems to have demonstrably failed; there are teenagers who have
done better jobs of concealing the payloads of malware.

† _If you believe all the Stuxnet press_.

~~~
raganwald
I like your thinking, but the tone of the post doesn't communicate that point
as well as your comment.

Now as to point two, I read elsewhere in these comments that one possible
advantage of Stuxnet's simplicity is that whoever launched this attack can
launch another one with a higher level of stealth.

You are the expert, not I. I only know that in Sports this is often a good
strategy. Hold off on your strongest plays until the opposition has proven
they can stop your average plays.

~~~
NateLawson
The problem with that approach is the game is over once your infection route
is revealed. You don't get to play your stronger plays. No one will attach a
USB flash drive to any Iranian or North Korean industrial computer now.

Why burn a perfectly good vector when you don't have to?

------
jessriedel
Most of the comments here seem to be of the form "Well, maybe Stuxnet isn't
that elegant, but it got the job done and that's what matters", but is it
really that bad of software? All the technical people I've heard discuss the
software in person gush over how advanced and clever it is. Can anyone point
me toward a more technical discussion of Stuxnet which could confirm/dispute
the OP's view?

~~~
NateLawson
Well, you can compare the Symantec analysis for Stuxnet to other malware (say,
Conficker, the previous media darling).

[http://www.symantec.com/content/en/us/enterprise/media/secur...](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf)

<http://www.malwareinfo.org/files/W32.DownadupThreat.pdf>

You'll notice that most of the gushing has devolved to focusing on the payload
and not the infection mechanism. That's because the worm itself is
surprisingly average.

------
ig1
Stuxnet is a hugely complex piece of code already, and it's something that
needed to be as bug free as possible, and that means avoiding unnecessary
complexity.

A key part of being a software developer is knowing when to make trade-offs
rather than striving for "perfection".

The virus did its complex job successfully. Building a piece of software of
this complexity that has to work in an unknown environment first time is
amazing.

~~~
marcinw
Being a software developer and being an exploit developer are two entirely
different things. Professional exploit developers DO NOT ship unless it's
perfect. Malware authors will ship even if it's not perfect, because the
target is not technically advanced and can get away with it. If you're
targeting a nation-state, you best not compromise your intent, how you broke
in, nor how long you've been there for.

~~~
NateLawson
Yes, that is the exact point of this article.

------
InclinedPlane
The current interpretation of events is that Stuxnet is a project of the
Israeli government which has been at least partially successful in slowing
Iran's attempts to build nuclear weapons.

Considering that the alternative would be bombing of nuclear facilities
involving perhaps unauthorized overflights of neighboring countries and the
risk of inflaming a hot war in the middle east (through the overflights and
the bombings) I don't think I can rate this operation as anything other than a
huge success.

~~~
kreneskyp
According to leaked cables some middle eastern countries actually encouraged
us to bomb Iran. Otherwise I agree that a non-military solution is at least
initially appealing.

I fear whoever unleashed this has opened a Pandora's box of destructive
malware. We've already seen things like China hacking major corporations and
manipulating its currency. It's not hard to picture a future where malware is
used to hurt the competition's production, at either a corporate or state
level.

~~~
InclinedPlane
From the perspective of just about every other country in the region there is
a hell of a lot of difference between Israel bombing Iran and the US bombing
Iran.

------
redthrowaway
As to the "in a hurry" bit, we know that to be true, or at least we do if we
believe the recent NYT article. Obama was, according to that article, briefed
on Stuxnet before coming into office. As soon as he was in office, he rushed
the program. It may be that he simply removed some bureaucratic hurdles, or he
may have told the team that said they needed 9 months to get it done in 4. I
suspect we'll never know.

------
Tycho
I don't see what the problem is... I thought everyone was in favour of
launching with a minimal viable product these days.

But seriously, maybe the thing was cobbled together from a whole bunch of
government workers/contractors who didn't really know what they were building.
Sort of like that film, Cube. Hence the lack of finesse.

Or, maybe they wanted it to be analysed so other factions would be less wary
of it. I mean, who knows.

------
rbanffy
I think it's safe to assume Iran will no longer control their nuclear
facilities with Windows boxes...

~~~
kenjackson
Nor use OpenBSD ;-)

------
GHFigs
It may be that the authors did not want to telegraph their true capabilities
to other state actors with cyberwarfare units. Although Iran is one such
nation, the outcome suggests they're too far behind to constitute a threat.

More sophisticated states are looking at this and either learning: 1) that
Israeli/US offensive cyberwarfare capability is much weaker than they
previously believed, or 2) nothing, because they already know better.

------
jcl
Or perhaps the software got an accidental "early release"?

------
georgieporgie
I do not understand this criticism at all. Stuxnet worked, right?

~~~
MichaelSalib
Assuming that Stuxnet was designed to delay Iranian nuclear efforts, there are
different degrees of "working". Delaying for a week is better than delaying
for a day, etc. If better cloaking would have allowed Stuxnet to remain hidden
for longer, then it would have delayed Iranian nuclear efforts more.

~~~
eli
Sending a clear message of, "we have the ability to launch effective
cyberattacks against you" may have been a goal as well. Make it too stealthy
and it might be a while before anyone realizes they were attacked.

------
gcb
You don't want to hide your weapons in an arms race.

~~~
nikcub
My own theory is that after watching Iran kill themselves for a year trying to
figure this thing out, they sent out an update of Stuxnet that made it easier
to discover as a way of showing their hand.

By that point, according to most reports, the program had been set back by
three years (as effective as what a military strike would have been, according
to the NYT article).

It was hidden for almost two years, then suddenly discovered - at which point
dozens of security companies around the world deconstructed the worm in a
process that took weeks.

------
fleitz
The simplicity of the design makes it easy to point fingers at non-US /
Israeli sources. Via the simplistic design the US and Israel have plausible
deniability. When a piece of malware looks no different than any other
released last year then it could well have been developed by Bulgarian
teenagers. Bulgarian teenagers will raise fewer international issues than using
advanced techniques that only the highly trained CIA / NSA / Mossad operatives
have.

~~~
mxavier
Most Bulgarian teenagers don't have access to nuclear centrifuge controller
units for the purpose of designing/testing their code.

------
shareme
Consider this:

- Obfuscation is often used to obscure the operative. I submit the conclusion
that Stuxnet was 'dumbed down' on purpose to obscure which country wrote it.
Also, by obfuscation of the virus one can also send a strong message of 'You
do not know who attacked and you will never know'.

