
Obama Order Sped Up Wave of Cyberattacks Against Iran - joejohnson
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
======
redthrowaway
>The code itself is 50 times as big as the typical computer worm

All else aside, this is a clear pointer to government contractors.

~~~
kamaal
How did they possibly know the code is 50 times that big? Is the code out in
the open?

~~~
c16
"Several layers of masking obscured the zero-day exploit inside, requiring
work to reach it, and the malware was huge — 500k bytes, as opposed to the
usual 10k to 15k." -
[http://www.wired.com/threatlevel/2011/07/how-digital-detecti...](http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1)

This is a great read and very informative!

~~~
ArbitraryLimits
Yes it is, but your parent post was asking how they knew how large the _source
code_ was. This quotation is reporting the size of the final binary.

~~~
schiffern
Where did the article say 'source code'? Machine code is still 'code'.

You have to consider the audience the NY Times is targeting. Just _knowing_
what a compiler is puts one in relatively sparse company.

------
Jach
_Mr. Obama, according to officials in the room, asked a series of questions,
fearful that the code could do damage outside the plant. The answers came back
in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said.
“They went too far.”_

 _In fact, both the Israelis and the Americans had been aiming for a
particular part of the centrifuge plant, a critical area whose loss, they had
concluded, would set the Iranians back considerably. It is unclear who
introduced the programming error._

I guess it's naive to think they might be using git and could resolve this
with a simple `git blame`...

~~~
jonknee
It's a little different when half the goal is to leave no trace of who wrote
the software (and everything is obfuscated to hell).

~~~
Achshar
But the obfuscation must be done immediately _before_ deployment. Obfuscating
while writing code does not make much sense.

~~~
jonknee
I'd imagine two paranoid governments not being able to agree on a DVCS is not
very far off. Everyone involved wants plausible deniability.

------
jcampbell1
This is clearly an approved leak from the administration. The number of
sources and specifics make it very easy to catch whoever leaked this
information. If this wasn't approved, the leaker is going to be sitting next
to Bradley Manning within a week, and there is no moral cause to leak this
information, so it is safe to assume this was an approved leak.

The real question, is why did the administration leak the story, and why now?
Is it politically motivated because Obama wants to seem tough on Iran in an
election year? Is it to trick the Iranians into thinking the program is over?
Maybe versions 2, 3, and 4 are already in place, and it will be demoralizing
to Iran's program if they keep getting set back.

~~~
jsz0
_The real question, is why did the administration leak the story, and why
now?_

The latest round of multi-lateral talks on Iran's nuclear program just
concluded a few days ago in Baghdad. I think they're trying to send the
message to Iran that they will never be able to have a clandestine nuclear
weapons program. The world is going to know about it. So if a nuclear power
option is on the table for Iran this might give them a little extra motivation
to accept all international regulations/inspections as a precondition. What
are they actually going to be able to hide? Not much apparently.

The other goal here is to make Iran's position that they only want nuclear
power, not nuclear weapons, even more difficult to accept. They are enduring
sanctions and refusing to accept all of the regulations/inspections for what
purpose exactly? They could have had nuclear power years ago if they were
willing to accept these conditions. The longer they hide behind 'nuclear power
only' the harder it is to believe. At some crucial point I have no doubt we'll
be leaking detailed information about their weapons program. When that happens
Iran will have to probably admit they _do_ want nuclear weapons and from there
the war question pretty much resolves itself.

~~~
jcampbell1
Great point. After reading the article, I completely forgot that Iran was
still claiming that they didn't have a weapons program. This now proves that
claim is complete nonsense and now that this is public, the US can show the UN
security council an infinite amount of data that shows Iran has a weapons
program.

------
jgrahamc
This shouldn't be a surprise to anyone. The set of { countries that are
capable of creating something like Stuxnet and getting it into the plant }
intersection with the set of { countries fearful of Iran } comes down to { US,
Israel }.

You might add UK in there and UK might have assisted the US in the creation of
Stuxnet if the US had asked.

~~~
excuse-me
Although a Billion quid government IT project which was then abandoned 5 years
later without ever delivering anything would probably be noticed.

~~~
gcb
Or not. That's why they have national security and classified information. So
they don't have to tell you where your tax is going.

------
lunchbox
I'm very curious who gets hired to write the code for a project like this.
What caliber are they, what kinds of backgrounds do they come from, and how
are they recruited to these positions? Is this more likely to be done by a
government agency or a defense contractor?

I have always assumed that the world's most talented hackers work in places
like Silicon Valley and Wall Street, but Stuxnet was clearly the work of some
brilliant minds, so I'm curious.

~~~
brigade
I think there are defense contractors that develop and weaponize exploits,
rootkits, and so on for the government and while I'm sure some of that work
was used in Stuxnet, I think anything specific to Stuxnet was handled by
actual governmental agencies. The article names the NSA and an Israeli unit.

As for recruiting, you wouldn't ever get recruited directly to such a project
- you'd already need a TS/SCI clearance and to have proven yourself within the
NSA. As for recruiting into the general field of classified cybersecurity,
it's not too much different from any other field; they post job ads, scour
college campuses, probably advertise at defcon, etc. Generally if you're
getting hired without a clearance it's not for a specific position - it takes
upwards of half a year before you get cleared and can start, at which point
they figure out which project to put you in.

As for the most talented hackers, keep in mind the subject area: Wall Street
has very little demand for security researchers, and Silicon Valley's demand
for them is minuscule compared to the government's.

~~~
juuso
For example this one seems fairly direct to me:
[http://www.clearancejobs.com/jobs/1536410/cyber-software-eng...](http://www.clearancejobs.com/jobs/1536410/cyber-software-engineer-2)

~~~
narcissus
Can someone explain to me how Google Earth is considered a 'security research'
tool (as mentioned in 'Preferred Qualifications')?

I'm woefully clueless when it comes to this realm of software, so I'd love for
some insight.

------
pbrook
Holy shit. Stuxnet was just confirmed as being developed by the US and Israel.

~~~
josteink
This really makes you wonder at what point do you go from calling something
"some digital nudging about between nations" to "war".

To me this seems to qualify as terrorism and sabotage on all accounts. I'm
pretty sure I know how the US would react if _they_ had been on the receiving
end of this sort of attack.

~~~
briandear
The difference is that the US doesn't threaten to wipe countries off the map.
Iran is an evil theocracy and can't be trusted with nuclear weapons. Drawing
moral equivalencies between the US and a totalitarian terrorist state is
ridiculous. It's like comparing North Korea with Belgium.

~~~
ttt_
>> _Iran is an evil theocracy and can't be trusted with nuclear weapons._

As per history, I believe the US is the only nation that cannot be trusted
with nuclear weapons.

~~~
mseebach
Yup. That _totally_ extrapolates infinitely. No reason to worry.

~~~
ttt_
I find it does seriously put in question their self-appointed authority to be
the global nuclear police.

~~~
mseebach
Using your own logic, they _have_ been 100% successful.

------
yaix
“It turns out there is always an idiot around who doesn’t think much about the
thumb drive in their hand.”

Good quote. And there seems to always be a Windows PC around that auto-runs
anything you stick into it.

~~~
adimitrov
The actual exploit stuxnet used to get onto Windows PCs didn't require the
computer to have autorun turned on. The exploit runs on all newer versions of
Windows (XP-7) and it triggers by _browsing_ the device's contents with
Explorer. (Specifically, it exploits a method Explorer uses to show icons on
.lnk (Windows' sym-links) files.)

[http://www.geek.com/articles/news/new-stuxnet-usb-exploit-th...](http://www.geek.com/articles/news/new-stuxnet-usb-exploit-threatens-windows-users-20100719/)

~~~
morsch
You're corroborating the grand-parent's point that Windows PCs autorun
everything you stick into them. Granted, in this case it's not by design, but
still...

~~~
adimitrov
That's kinda the point: blaming autorun will make people who are "smart"
enough to switch off autorun feel secure.

But they aren't. There are vulnerabilities far more insidious than autorun.

------
chubot
Is this a purposeful leak to take credit for a national security win before
the election? Seems like they kept it under wraps pretty well until now.

There was a TED talk by Ralph Langner in which he was asked if he thought the
Mossad was behind Stuxnet, as that was the common belief. His response was
that it must be the only cyber superpower -- the US.

~~~
nyellin
This is an excerpt from a soon-to-be-published book, so some of the quotes
might be much older.

------
fluxon
I'm a little disappointed by the lack of named sources and/or documents. Most
assertions are anonymous paraphrases or quotes. That seems thin, and makes the
book seem rushed and exploitative.

------
c16
What amazes me, and please excuse my naïvety, is that the congressmen are
constantly pushing for more control online, whether that be monitoring Skype,
access to our Facebook, or what have you. Basically taking our freedom in the
name of 'Cyber Security'. However, on the other hand, they're the ones who are
creating these viruses, exploiting systems and posing cyber threats.

What has the world come to?

------
hughw
It appears they "acquired" Realtek's code signing certificate. Can Realtek
bring action against the U.S. for stealing the certificate?

Edit: For stealing the private key, I mean.

------
derrida
HB Gary was passed the source in 2010:
[http://crowdleaks.org/hbgary-wanted-to-suppress-stuxnet-rese...](http://crowdleaks.org/hbgary-wanted-to-suppress-stuxnet-research/)
Anonymous scooped the NYTimes.

~~~
derrida
To defend myself against the downvoters who may not have made the same
connections: Aaron Barr talks to Defence Intelligence Agency and DoD about
StuxNet in 2010, they had a copy given to them in 2009 that they claim was a
US produced binary. Keep in mind stuxnet was 'discovered' in 2010.

First reference to Stuxnet being U.S. government produced?

They had a binary they believed was US produced. It was Stuxnet. It was 2009.

------
sethbannon
How ironic that one of the first major forays into cyber warfare be codenamed
"Olympic Games".

------
brainless
So now countries will fight cyber war, then what? Cyber defense systems. So
humans will never learn lessons, will they? How far is Skynet?

~~~
saraid216
It's okay. We'll just add this line of code in: <http://xkcd.com/534/>

------
strags
Meanwhile, the US continues to attempt to extradite Garry McKinnon from the UK
- without a trace of irony.

~~~
tptacek
This is like saying that because the US mistakenly invaded Iraq, it no longer
has the moral authority to prosecute drive-by shootings. The syllogism holds
on a message board but is useless in reality.

------
majmun
Are there any clues, how many people worked on stuxnet and flame, coding style,
methodology, how this project was managed etc.? (I'm still not convinced that
this is from government)

~~~
petegrif
Symantec has done several detailed analyses of Stuxnet. They are in no doubt
this was an extremely well resourced project that was state financed.

~~~
majmun
Yeah I read that, but nobody seems to mention what coding and project
management practices were used in development of this software.

If this software is really done by military then its development process was
following some strict military standards and regulation, and should be similar
to existing other software.

Regulations like: How is software partitioned to modules? What interfaces it
is using? Are these novel or existing techniques? And things like that.

~~~
Achshar
The code was (obviously) obfuscated and encrypted in every way possible so
that its origin or any details about its inception cannot be read if someone
catches the code. To expect a readme file saying "managed by git on mac" in
stuxnet's root directory is laughable.

------
goggles99
Obama will do anything to avoid a conflict right now. If gasoline prices go up
any more, his opposition will be running ads replaying the video of him saying
he believes that gasoline should be in the $5-$7 range so alternative energy
will become more adopted. (everyone knows this so it makes him very weak
internationally)

So this should surprise no one. He used technology to get elected, and he will
use technology to try and stop Iran without a physical military conflict.

