

Stuxnet Authors Made Several Basic Errors - Garbage
https://threatpost.com/en_us/blogs/stuxnet-authors-made-several-basic-errors-011811

======
acabal
I'm so confused about Stuxnet--some people were saying it was among the most
brilliant viruses ever, (from memory) using several 0-day exploits and doing
things like recording normal activity to play back to machine operators while
it did its damage. That alone sounds pretty impressive to me. Then on the
other hand I've seen a few articles in the past few days calling it "nothing
special after all." Which is it?

~~~
Helianthus16
Whatever people say about the theoretically optimal nature of the virus, the
fact is that it's practically the only example we have of governmental-level
sabotage through black-hat arts.

This is direct action. It isn't script kiddies, it isn't Anonymous, it isn't a
random 1337_h4xr pulling off some minor corporate sting. It's the real deal,
it's programmers putting their lifeblood into an endeavor that changed the
fate of nations.

So whatever flaws that happened to exist don't change the inherent absolute
confidence of the maneuver, nor does it change the precision you praise in
your post.

But it also means that it can't be perfect. Anything that's so grounded in
reality will not be perfect. That's the rules of playing the big games--you
can't please everyone, you can't perform to the theoretical maximum that the
weak articles that call it "nothing special after all" espouse.

Because that theoretical maximum was out of the reach of stuxnet's writers
from the beginning, and they fucking dealt with it. People writing articles
now have had nothing to do with crippling Iran's nuclear capability, if even
for a moment, and the hogwash in the blogosphere that exists is so much
shallow posturing.

~~~
tptacek
You clearly believe the press Stuxnet is getting. I don't. Neither, to some
extent, does this analysis in Forbes:
[http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/](http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/)

~~~
mukyu
He does not exactly make a cogent argument. Paraphrasing part of it, "Stuxnet
was made in China because Realtek and JMicron are Taiwanese, which is
basically China."

~~~
tptacek
I may have read the article less carefully than you, but I remember one
sentence about China, referring to some other article the guy wrote.

------
bugsy
> "Whoever did this needed to know WinCC programming, Step 7, they needed
> platform process knowledge, the ability to reverse engineer a number of file
> formats, kernel rootkit development and exploit development. That's a broad
> set of skills. Does anyone here think they could do all of that?"

Sure, I could do that and I am nobody special. That's absolutely nothing
compared to the "minimum requirements" stated in most job ads for jobs that
pay crap.

~~~
nitrogen
One must be careful about admitting to possessing skills that could be used in
the creation of digital "weapons..." But yes, it's not all that uncommon to
meet career generalists that have gathered both the breadth and depth of
knowledge necessary to write something like Stuxnet.

~~~
bugsy
I'm not admitting to any special skills whatsoever; that's the whole point.

Programming logic controllers is very simple. They are designed to be like
Excel, something that non-programmers can program.

The hard part of this operation was getting the information about the Iranian
labs, which was surely beyond top secret. There were probably dozens of
special ops guys involved in that part. But that's nothing to do with the
programming.

As far as zero day exploits, they are widely for sale to the highest bidder,
one only needs money not skills. But if one has no money, that's not a problem
either. It's not like there's a shortage of them, I've made plenty of
vulnerability reports myself to various vendors. So have most people who are
even moderately competent. There are thousands of vulnerabilities to choose
from. I don't find it hard to believe there are people holding some back. If
you're a government agency monitoring all the hacking boards though you
already know about a bunch of unpublicized vulnerabilities.

------
Helianthus16
>Parker wrote a tool that analyzed similarities between the Stuxnet code and
the code of some other well-known worms and applications and found that the
code was fairly low quality.

well isn't that hand-wavy.

>For example, the command-and-control mechanism is poorly done and sends its
traffic in the clear and the worm ended up propagating on the Internet, which
was likely not the intent.

this is part speculative and part, in my subjective mind, stupid. propagating
on the Internet seems a highly reasonable method to me. what do you expect it
to use, facebook? maybe the constraint is that it has to express itself on the
internet and therefore 'in the clear?'

>"This was probably not a western state. There were too many mistakes made.
There's a lot that went wrong,"

Is that really so western-centric? this guy is seriously just reaching for
criticism in order to grab headlines.

>Lawson concludes that whoever wrote Stuxnet likely was constrained by time
and didn't think there was enough of a return to justify the investment of
more time in advanced cloaking techniques.

That's at least reasonable, because in all honesty maybe there wasn't enough
of a return. Lawson seems a better analyst than this Parker fellow.

~~~
tptacek
No, it is the opposite of hand-wavy. It is a guy getting up on stage and
performing an actual technical analysis in front of his peers, rather than
posting an anonymous message board post insulting someone they presumably
don't know.

~~~
khafra
If he wrote a tool that broke up the decompiled stuxnet binary into n-grams
and did principal component analysis, then used a boosting classifier to put
it in clusters of similarly machine-analysed code deemed by some group of
experts to be "high," "medium," or "low" quality, that's an actual technical
analysis. Its merits could be debatable, but it's technical.

If all we know is that he wrote a tool that found the code to be of fairly low
quality, he got up on stage in front of his peers and waved his hands.

------
perlgeek
As far as I can tell, Stuxnet did what it was supposed to do, and left no
provable trace to its authors.

Seriously, what more could the authors want? Additional sophistication, just
to keep some random bloggers happy?

I'm pretty sure their mission was "destroy some Uranium centrifuges" and not
"create the perfect stealth cyber weapon". They succeeded at the former, so it
doesn't matter that they "failed" at the latter.

~~~
tptacek
How about "not disclosing the manner in which it disrupted the target, thus
leaving precisely the same avenue of attack open at multiple sites in the
future"? The fact that this is plastered all over the newspaper would, were
this a professional intelligence operation, be a major flaw in the operation.
So much so that I don't think that's what it is.

------
icarus_drowning
What? A state-funded program that appears to have been somewhat hampered by
bureaucracy?

Say it ain't so! ;)

------
nutjob123
I wonder how much making this virus cost taxpayers.
[http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet...](http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=1)

------
napierzaza
I guess the author was not an early adopter. He'll like Stuxnet 2.0 I'm sure.

