
Stuxnet was embarrassing, not amazing (2011) - MrXOR
https://rdist.root.org/2011/01/17/stuxnet-is-embarrassing-not-amazing/
======
manigandham
The Wired article on Stuxnet remains one of the best long-form stories I've
ever read: [https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/](https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/)

The criticism here seems to be mostly academic about not using the most
advanced obfuscation while completely ignoring the actual objective and just
how many obstacles were overcome.

The mission used several 0-days and stolen signing keys to get into a secret
foreign air-gapped nuclear arms laboratory under a deadline and ruin the
machinery while it kept reporting everything was fine. I don't see how this is
anything short of amazing.

~~~
kqr2
Kim Zetter's article evolved into the book _Countdown to Zero Day_

[https://smile.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196/](https://smile.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196/)

~~~
emilga
Here's a good documentary about Stuxnet as well:
[https://www.youtube.com/watch?v=TGGxqjpka-U](https://www.youtube.com/watch?v=TGGxqjpka-U)

------
CapitalistCartr
This is juvenile Monday-morning quarterbacking. Stuxnet was the first (as far
as we know). It was revolutionary at the time.

Of course its authors didn't know how aggressive antivirus researchers would
be, aggressive largely because of the fascinating complexity of the code.
Almost all malware gets a cursory glance and is thrown in the bitbucket after
processing.

The first one of anything is always the crudest. Getting away with industrial,
state-sponsored cyber-sabotage is a huge step.

~~~
blotter_paper
> The first one of anything is always the crudest. Getting away with
> industrial, state-sponsored cyber-sabotage is a huge step.

I know the claim is disputed, but if the CIA did cause the Trans-Siberian
pipeline to explode in the '80s then that would count as prior art. Even if
true it was nowhere near as complicated as Stuxnet, of course.

------
petjuh
But Stuxnet did use obfuscation. The last payload was decrypted by
concatenating two environment variables on the host and Symantec never managed
to decrypt that one. Did author not read the Stuxnet report?

------
zokier
One thing that I've grown to understand is that the difference between
enthusiast and professional is not the quality of goods they produce, but the
economy of producing the goods. I feel like that is applicable here.

If we want another example of high-profile security incident that was more
embarrassing than impressive, Wannacry fits the bill.

~~~
mettamage
My English is too limited to be 100% sure about the following:

"economy of producing the goods"

What does this mean? The amount of time it takes to produce another extra
good?

E.g.

Enthusiast: 1 good per 5 hours -- quality level 85%

Professional: 1 good per 0.5 hours -- quality level 80%

Or something else?

~~~
huffmsa
Correct. The professional produces goods which are actually used in real life
conditions, with real life delivery dates.

The enthusiast produces goods which look pretty, but often don't work
correctly, or need a lot more hours of work to surpass the professional.

~~~
wizardforhire
... and the amateur produces goods out of love that end up powering the
internet

------
saagarjha
I mean, why obfuscate at all? Their malware did its job; after that what does
it matter what happens to it? Is not adding additional obfuscation "run-of-the
mill" or "amateur" as the author puts it?

------
ahartmetz
> Stuxnet does not use all advanced malware techniques the author can think of

Why use (and give away) any more capabilities than required to do the job?

~~~
pizza234
In fact, there's no need at all. Some of the most complex malware (viruses, to
be specific) ever written (Zmist, MetaPHOR), which the post author would
"appreciate", never had any wide diffusion; Stuxnet accomplished its task.

All in all, the post author just wanted some attention.

------
Vaslo
They literally found a way to trash an enemy’s weapons of mass destruction
equipment without bombing cities and hurting people, but somehow that’s an
“embarrassment.”

~~~
casefields
Attacking infrastructure is an act of war. In 2011 the Pentagon took this
stance on cyber warfare:

“For the first time, the Pentagon has decided that cyber attacks constitute an
act of war, reports The Wall Street Journal. The U.S. military drafted a
classified 30-page document concluding that the U.S. may respond to cyber
attacks from foreign countries with traditional military force, citing the
growing threat of hackers on U.S. infrastructure such as subways, electrical
grids or nuclear reactors.”

[https://www.theatlantic.com/technology/archive/2011/05/pentagon-cyber-attacks-act-war/351239/](https://www.theatlantic.com/technology/archive/2011/05/pentagon-cyber-attacks-act-war/351239/)

~~~
MaupitiBlue
It delayed nuclear proliferation without harming a single soldier or civilian.
If that’s an act of war, then I guess I’m a war monger.

------
huffmsa
> "But this isn't academically _good_ code."

As others have said, the only real metric of whether or not something is good
is if it works in live production.

~~~
eternalban
No, that's a metric for "something is working".

Ease of maintaining, extending, or fixing bugs in the same software are not
informed by that metric.

~~~
chris_wot
Except in this case, where it was a one-shot, very specific objective. Once
this thing was released, it could not have been easily updated.

~~~
huffmsa
It's a classic misunderstanding between "academically viable" and
"operationally viable".

The military doesn't need to get an A+. It needs to win. Anything else is a
bonus.

Which is why the A-10 is a better plane than the F-35. One shows up and BRRRTs
the opposition into a fine red mist when you need it to. The other makes its
pilot motion sick as soon as they put the helmet on.

~~~
GhostVII
The A-10 and F-35 are completely different planes for completely different
purposes. The F-35 attempts to be able to perform most of the things the A-10
does, but you can't just say one is better than the other overall. The A-10 is
probably better at shooting ground targets at close range. The F-35 is better
at bombing them from 5 miles away.

~~~
huffmsa
That's the problem though. The F-35 tries to be good at too many things. It
has the latest sensors and stealth and armaments.

But it's taking forever and a day to get the damn thing out the door because
it's too academically excellent.

------
upofadown
It's hard to be good when you work in complete secrecy. A typical malware
creator can talk to anyone in the world. If they talk to white hats they just
pretend to be on the side of good. The job of a government spook is much
harder because of that lack of communication. You are always on the outside
looking in...

------
hn_throwaway_99
Random question for HN: How do articles like this get upvoted so much?
Virtually all the top comments talk about how this is an amateurish, Monday-
morning quarterbacking effort. Is it just spam upvoters?

~~~
oxide
No, it's just the people who vote and the people who comment are very
different.

------
nathanvanfleet
This reeks of "I could have done it better", but if they accomplished it with
what they had, what can you really say? Nice to know there were a myriad of
other "better" ways to do this. But it's not an embarrassment.

------
onetimemanytime
> Stuxnet was embarrassing, not amazing (2011)

Stuxnet worked. Deal with it. Of course, for obvious reasons, it would be
traced back to US/Israel and not to a kid in his mom's basement.

------
Bendingo
It's OK if USA/Israel does it, otherwise it's an act of war. More hypocrisy
from the "good guys".

------
dblotsky
We often forget, but even the world’s top professionals get tired, cut
corners, and make mistakes.

But also, what substantial gains would have come from adopting the techniques
in this article?

------
voldacar
I've seen bits and pieces of disassembled stuxnet code around the web, does
anyone here know where I could get my hands on the original binaries?

------
heavenlyblue
There are so many system configuration parameters you can collect to encrypt
the payload. If you did so, it should not be too hard to enumerate all of
them.

Moreover, the virtual machine-based code obfuscation is being regularly pwned
by software cracking teams so I can imagine that obfuscation would only
postpone the publication of the tool’s code for a week max.

------
paulie_a
Yet it worked.

Just like the NSA Cisco exploit chain. According to armchair programmers it
was ugly. But it worked; it could take over every Cisco router. It doesn't
have to always be pretty if it gets the job done.

------
tobbe2064
The book recommendation at the end, Surreptitious Software, seems interesting.
Does anyone know if it is still relevant, or there are newer more relevant
books on the market with the same goal?

------
gzer0
I will suggest another alternative.

The authors weighed the risk of not being successful vs the risk of someone
analyzing the worm. The latter was inevitable but the former would have been
disastrous. Those protections would have only slowed down malware analysts. If
this was normal malware that would be the goal, exist for as long as possible
without being detected. ‘Normal’ malware has a high tolerance for failure.

In this case the goal appears to be ‘break some sensitive equipment before a
particular deadline hits’, with a razor thin margin for error. But your points
are not lost, good post.

~~~
allworknoplay
Did you really just copy/paste the top reply from the article, without
attribution or comment?

------
heelix
While some hiding is required to get past the virus scanners... Once it
trashed the centrifuges, there is huge value in letting the target know they
were pwned. There had to be a huge internal "who's the internal spy/saboteur
that planted it" hunt, even if it was accidental, and the weapons-grade
targeting of the microcontroller let them know it was no accident.

~~~
DuskStar
I'd think a witch hunt is exactly what you'd want if there were no internal
saboteurs, though. Getting the enemy to waste time, effort and loyalty like
that would be the perfect cherry on top of the physical disruption.

------
arpa
What did Bulgarian teenagers do in the early 90s? All links to the story are
dead.

