
The Stuxnet worm may be the most sophisticated software ever written - graposaymaname
https://www.quora.com/What-is-the-most-sophisticated-piece-of-software-code-ever-written/answer/John-Byrd-2
======
perlgeek
I'd argue that Google Search is much more sophisticated than Stuxnet. Windows
is much more sophisticated. Linux is more sophisticated than Stuxnet. The list
goes on.

We tend to ignore the sophistication of things we are familiar with, and hype
those that surprise. But that's not a fair measure of anything.

~~~
11thEarlOfMar
In my view, the sophistication is implied by the breadth of expertise required
to put the whole thing together. Google Search and the OS landscape are for
sure broad and sophisticated. However, their development was accomplished by
computer scientists.

In order for stuxnet to be effective, it was necessary to employ expertise in:

- Uranium enrichment methods and processes

- Capital equipment control systems and their development environments

- Theory of operation of centrifuge machines

- Corporate espionage of some sort

- Organizational management skills that can pull all that together

- _and_ deep understanding of the operating systems referenced above

~~~
eberkund
But do those things really contribute to the sophistication of the software?
For example imagine some code written with no understanding of uranium
enrichment:

    const int CENTRIFUGE_RPM = 500;

And then some other code written with a deep understanding of uranium
enrichment:

    const int CENTRIFUGE_RPM = 1203;

Can you really say that the second bit of code is more "complex"? Same goes
for stolen driver signing keys and some of the other things mentioned in the
post.

Other large software projects like operating systems or Google search involve
much more complex software concepts which I think is the primary thing that
should be measured when discussing the sophistication of _software_.

~~~
coldtea
> _Can you really say that the second bit of code is more "complex"?_

Yes.

Complexity in the sense discussed is related to the domain knowledge
(including CS knowledge) required for the program to be written and work well.

Else even a trivial BS program could be very complex, just sprinkle it with
gotos and unnecessarily convoluted code...

~~~
ordinaryradical
This is such a powerful distinction that I feel it should help us rethink
language paradigms. Complexity is not (just) the complications one can impose
by construct or the involutions required of ones algorithms, it's the overall
real world system your code addresses.

Simple programs which are coded simply may address complex phenomena to
complex ends--perhaps that's even the ideal?

~~~
reitanqild
Something something about simple rules being able to describe complex
behaviour. Example: you can describe a flock of birds in motion around an
object with 2 or 3 rules.

Complex rules yield stupid results. Example: tax codes in most countries.

Must be a quote but I wasn't able to find a source for it.

~~~
snowwrestler
The problem with simple rules is the volume of computation. Theoretically you
could write a tax code using quantum mechanics, but good luck calculating your
tax each year (or before the heat death of the universe).

When systems get too complex to simulate from first principles, we have to
resort to inductive reasoning--observe the system and then create rules as we
see a need.

Yes the resulting rule set is a mess, like our tax code. But the physical
system that the U.S. federal tax code (for example) covers--the United States
of America--is mind-bogglingly complex.

We have trouble computationally simulating more than a certain number of
neurons... there are billions of neurons in each human brain, and there are
hundreds of millions of human brains interacting in the U.S. This does not
even get into other physical phenomena like surface water or mineral
distribution.

The results are stupid because we are too stupid to understand and analyze the
system we're trying to describe and manage.

------
indescions_2018
Stuxnet changed history. Any "game of chicken" style equilibrium is broken if
the probability a nuclear actor's command and control drops below 100%. If
there is even a 1% chance that when a Big Red Button is pushed the missiles
fail to launch the game becomes unwinnable. Simulations of imperfect
information in dynamic brinkmanship where both players are known to have
advanced cyber capabilities result in a single dreaded endgame: general
nuclear exchange.

Thermonuclear Cyberwar

[https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2836208](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2836208)

We have moved into uncharted domains. And herein lie demons. Past Rules of
Engagement universally agreed upon regarding the use of kinetic weapons no
longer apply. For wiser heads to prevail in the current global climate, the
voice for peace must become the loudest one.

Rules of engagement for cyberspace operations: a view from the USA

[https://academic.oup.com/cybersecurity/article/doi/10.1093/c...](https://academic.oup.com/cybersecurity/article/doi/10.1093/cybsec/tyx003/3058505)

~~~
ckocagil
Yes, it has the potential to break the MAD equilibrium. It's very ironic to me
that offensive technologies do not threaten world peace as much as defensive
technologies.

~~~
kbutler
MAD is a local maximum of peace, but only if we define "peace" to include
"tense standoff". It appears to be the best we can do in the presence of
overwhelmingly powerful offensive capabilities.

Imagine the different "peace" if instead we had overwhelmingly powerful
defensive capabilities.

~~~
Sangermaine
But everyone would have to have those, or else the first country to develop
them would have an insurmountable advantage. A country that has both nuclear
weapons and the ability to block all attacks including nuclear would rule the
world, or at least dominate it without opposition.

~~~
komali2
Or, everyone would have to have a strong sense that nuclear launches weren't
possible.

I'm thinking along the lines of grey-hat anarchists constantly attacking
_everyone's_ nuclear capabilities. "If nobody is super, everybody is super."

------
vbsteven
The scary thing about this is: Stuxnet is one of the "most sophisticated"
pieces of malware we _have discovered up until now_.

Who knows what kinds of software are still out there quietly doing their thing
in the shadows.

~~~
nathanm412
We're quickly heading toward the age of the first Virtual WMD. The
implications can be as wide as your imagination, but possibly worse than
existing WMDs.

~~~
Harvey-Specter
I'm having a hard time imagining a virtual WMD that is worse than the instant
obliteration of millions of people.

~~~
steego
You know what's worse than the instant obliteration of millions of people? The
slow obliteration and starving of millions of people.

Imagine Venezuela, but much much worse.

Picture a society that doesn't know how to create institutions, conduct trade
and collaborate with the people around them without the aid of a computers.

Now, I don't know if disabling their computers _would_ result in an incredibly
dysfunctional society that would starve, but it's not unthinkable. If it did,
the suffering could be far beyond the instant obliteration of millions of
people.

~~~
um_ya
Actually, in a capitalist country it might be easier to survive such an
attack. If there is demand for a product or service, people and businesses
will find a way to meet that demand. Millions of people working independently
to satisfy their local market demand. It would probably hurt centralized
socialist or communist countries more since it severs their control,
surveillance, and communication mechanisms.

~~~
steego
I agree that markets tend to buffer the effects significantly.

The problem is in times of crisis, the appreciation of market dynamics and
rule of law tend to wane. Even if those things are intact, the flow of goods
and services can be undermined by well-intentioned but misguided politicians.

My point was simple. Despite the systems of trade, a catastrophic shock in
trade or production systems could literally kill millions in a way that is
more brutal and horrific than instant obliteration.

~~~
bambataa
I’m intrigued - how does that play out in your head? There’s a disaster
causing social collapse but a free market for food remains. Demand outstrips
supply so it becomes too expensive for many to buy. What do people do before
they can go back to the land and sow their own food? What about areas with a
lack of suitable available land (as referenced in a sister post by the potato
famine)?

~~~
steego
I honestly didn't invest too much time playing scenarios out in my head,
rather I was mentally recalling events in modern history where we've simply
allowed millions of people to starve. From a BBC article:

 _The scarcity, Mukherjee writes, was caused by large-scale exports of food
from India for use in the war theatres and consumption in Britain - India
exported more than 70,000 tonnes of rice between January and July 1943, even
as the famine set in. This would have kept nearly 400,000 people alive for a
full year. Mr Churchill turned down fervent pleas to export food to India
citing a shortage of ships - this when shiploads of Australian wheat, for
example, would pass by India to be stored for future consumption in Europe. As
imports dropped, prices shot up and hoarders made a killing._

[http://www.bbc.co.uk/blogs/thereporters/soutikbiswas/2010/10...](http://www.bbc.co.uk/blogs/thereporters/soutikbiswas/2010/10/how_churchill_starved_india.html)

I guess if I was to assume a scenario that could lead to the starvation of
millions, I'd imagine a poorer country making the mistake of relying too much
on some sort of electronic platform to trade and save their money. Let's say
this country/region also relied too much on exporting some agricultural
commodity that was being affected by a change in climate.

A catastrophic attack on their banking platform could theoretically destroy
the local population's confidence in the trading currency as well as scare away
foreign lenders. It may create incentives where it's more advantageous to
hoard food and sell it on the international markets rather than distribute it
to local customers who can't pay.

Free markets tend to create the most value in the long run. In some
situations, hoarding can create incentives to distribute to underserved areas.
In scenarios where the underserved areas do not have a means of payment
(monetary, barter, indentured servitude, etc.), free markets and hoarding can
simply be horrifyingly cruel.

What are your thoughts?

~~~
bambataa
Should there be some catastrophic collapse in society, I would far prefer that
the government requisitioned food and rationed it out. While it’s definitely
open to abuse, I think it would do a better job in the short term of keeping
people alive. A free market response to a national emergency sounds dreadful
to me

~~~
steego
I don't disagree. Most times, I would prefer the decisions of how people get
the things they need are made by a network of people with incentives to
provide and profit rather than central planning. However, if the situation is
dire and the incentives create a deadlock, I think thought-out, extraordinary
measures to help people are warranted.

------
fapjacks
I've been arguing about this for the last three days. Mostly around the reason
that "complexity" is not strictly the same thing as "sophistication" when it
comes to software. Noobs will conflate the two, but experienced programmers
will agree that -- just to illustrate my point -- some code which solves a
complex problem in a very clever way while also being very clean and easy to
maintain will be considered strictly more sophisticated than some other code
solving a similar problem which simply has a higher degree of complexity than
the former. There _is_ a subtle difference when it comes to software, and this
subtlety needs to be considered in this question. Now, I think Stuxnet is a
fantastic suggestion to this question, for a number of reasons:

1) The legal, ethical, technical challenges of creating the software.

2) The ability of the software to remain hidden in (sophisticated)
environments rich with (sophisticated) organizations looking for exactly this
kind of thing.

3) The stealth of the entire research, design, development, and deployment
phases of the project.

4) The highly specialized nature of the target.

5) The scale of the entities involved.

6) All of this sophistication and _we can't even see the source code_
(decompilation doesn't count).

This is frankly some impressively sophisticated software. Also, incidentally,
the Quora poster's company looks like a fun place to work (with good
programmers on the team). Some of his other answers are thoughtful and
interesting to read, too, if you get the chance.

~~~
hedora
On complexity vs sophistication: During the cold war, a US company noticed the
USSR had stolen the plans for a natural gas pipeline system, but not the
software.

In response, the US introduced an integer overflow bug that was uptime
dependent, and took something like 6 months to hit. The bug simultaneously
cranked up the pumps and closed all the valves in the network.

It was known that the Soviet economy would crash in under a year without the
ability to cheaply move natural gas, so they couldn’t test long enough to find
this.

A year or so later, the DoD’s seismographs detected the largest non-nuclear
explosion in human history.

The main impact wasn’t the explosion or the short-term economic damage. The
main impact was that the USSR stopped trusting stolen software, which set them
way further back, economically and militarily.

Arguably, that ~one line of code was infinitely more sophisticated than
stuxnet.

~~~
jespern
Do you have a source for this? I can only find reports from "At the Abyss",
which are uncorroborated.

~~~
gregw2
somewhat described in the book Victory, by Peter Schweizer

------
danielh
If this short read piqued your interest in Stuxnet, I can recommend the book
"Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital
Weapon".

It explains in great detail how Stuxnet worked and, which I found the most
exciting, how it was discovered and reverse engineered.

~~~
purrcat259
I read this book a while ago.

Whilst I enjoyed the multiple viewpoints it provides (some claim that Stuxnet
was actually quite sloppily written, depending on numerous factors), it
happened to be one of those books which wrote 100 pages worth of information
in 400 pages instead and dragged every little point on. YMMV.

~~~
danielh
If you read this book purely for its informational value, I agree with your
assessment.

That being said, I read it mostly for entertainment and I think the author did
a good job of packaging a lot of factual information into a captivating story.

That being said, not all parts are created equal. There are quite a few pages
dedicated to looking at the number of centrifuges Iran was installing and the
amount of gas they enriched, as these were the metrics Stuxnet was affecting.
To me, that was as exciting as reading a company's monthly inventory report.

But I guess that's to be expected in a book that tells a true story instead of
just being based on true story.

------
lol-lol
I would argue that this one was more sophisticated:
[http://pferrie.tripod.com/papers/zmist.pdf](http://pferrie.tripod.com/papers/zmist.pdf)

What I am seeing lately with malware is an increasing decline in
sophistication; today's malware is lame compared to the malware created around
2000. I would think that level of low-level knowledge is rapidly dropping. When
there were still real file infectors, there were some serious nasty
technologies involved (btw, today's ransomware is a very old concept
([http://virus.wikidot.com/onehalf](http://virus.wikidot.com/onehalf)) but it
was used to prevent virus removal instead of making money).

~~~
rollulus
I agree. Mistfall (and z0mbie himself) was years ahead of its time.

For those not aware of Mistfall: typical viruses simply append their code to
the target. To avoid detection, polymorphism was introduced: viruses generate
permutations of decryption logic for the actual static but encrypted virus
body. The next step was metamorphism: the virus body itself got permuted.
Mistfall was one step further: it disassembled the host, merged in its own
permuted body and rebuilt the host. Here is an article by the author himself
[1]. This was in 2000.

In general, before hacking and cybercrime became a commercial activity, there
was a lively virus writing scene, where highly skilled people played the cat
and mouse game with anti virus producers, created magazines with the sources
of their creations and wrote articles.

Too bad that z0mbie disappeared. Sometimes when news about elite Russian
hackers hits the news I wonder if it's him.

[1]:
[http://z0mbie.daemonlab.org/autorev.txt](http://z0mbie.daemonlab.org/autorev.txt)

~~~
lol-lol
Maybe another link for those who love malware history, this site also just
vanished...

[https://web.archive.org/web/20110205151357/http://www.rootki...](https://web.archive.org/web/20110205151357/http://www.rootkit.com/)

> "merged in its own permuted body and rebuilt the host."

Actually it was even more sophisticated: it not only merged its permuted
body into the host, but rather rearranged the host in a way to merge chunks of
its body between the chunks of the host's original code, using jmp
instructions to keep the code flow, where the entry point was inserted at
random. If he had further armored it with additional polymorphism layers for
each chunk this would make it even algorithmically impossible to detect (on
the other side, even now, no one can claim it can detect all the permutations,
while the disinfection is limited to "delete infected files"). This was a work
of art (I was a malware analyst); today's malware is a joke compared to what
z0mbie was doing (even if I could argue that there is a lot to do on Windows,
infecting the MBR and owning Windows by serving them the calls to yourself is
still (maybe I am outdated?) something to be seen). I would really love to
shake his hand even if we were on opposite sides :)
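To make the layout being described concrete, here is an added illustration in Go. It is my code for this page, not z0mbie's and not from Mistfall, and it uses a tiny made-up instruction set in place of x86. Scramble cuts a body into chunks, shuffles them between runs of host code and links them with jmps from a random entry point; Normalize is the detector-side step that undoes this by following control flow instead of scanning bytes. The seed, chunk size, instruction names and the sample body are all assumptions of the example. What it shows is that a byte-pattern fingerprint of the scrambled code never matches, while the fingerprint of the control-flow-normalized body always does, which is why such infectors forced scanners from pattern matching toward flow-following and emulation.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/rand"
)

// Insn is one instruction of a toy ISA (an assumption of this example, used
// instead of x86 so the code is self-contained). Arg is an operand, or the
// target index for "jmp".
type Insn struct {
	Op  string // "add", "xor", "host", "jmp", "ret"
	Arg int
}

// Program is a flat code array plus the entry index of the injected body.
type Program struct {
	Code  []Insn
	Entry int
}

// Scramble models the chunk-interleaving layout: the body is cut into chunks,
// the chunks are shuffled and separated by runs of host code, and every chunk
// but the last ends in a jmp to wherever its successor landed. The seed makes
// the layout reproducible for the test; each seed gives a different layout.
func Scramble(body []Insn, chunkLen int, seed int64) Program {
	if len(body) == 0 || chunkLen < 1 {
		return Program{}
	}
	r := rand.New(rand.NewSource(seed))
	var chunks [][]Insn
	for i := 0; i < len(body); i += chunkLen {
		end := i + chunkLen
		if end > len(body) {
			end = len(body)
		}
		chunks = append(chunks, body[i:end])
	}
	n := len(chunks)
	order := r.Perm(n)

	// Pass 1: fix each chunk's start offset, counting the host filler placed
	// before it and the linking jmp appended after it.
	starts := make([]int, n)
	fillers := make([]int, n)
	pos := 0
	for slot, ci := range order {
		fillers[slot] = 1 + r.Intn(3)
		pos += fillers[slot]
		starts[ci] = pos
		pos += len(chunks[ci])
		if ci != n-1 {
			pos++
		}
	}
	// Pass 2: emit filler, chunk, and the jmp now that targets are known.
	var code []Insn
	for slot, ci := range order {
		for k := 0; k < fillers[slot]; k++ {
			code = append(code, Insn{Op: "host", Arg: r.Intn(100)})
		}
		code = append(code, chunks[ci]...)
		if ci != n-1 {
			code = append(code, Insn{Op: "jmp", Arg: starts[ci+1]})
		}
	}
	return Program{Code: code, Entry: starts[0]}
}

// Normalize recovers the linear body by walking control flow from Entry:
// jmps are followed rather than recorded, host code is never reached, and the
// walk stops at ret. A visited set turns a malformed loop into an error.
func Normalize(p Program) ([]Insn, error) {
	var out []Insn
	seen := make(map[int]bool)
	for pc := p.Entry; ; pc++ {
		if pc < 0 || pc >= len(p.Code) {
			return nil, fmt.Errorf("control flow left the code array at %d", pc)
		}
		if seen[pc] {
			return nil, fmt.Errorf("loop detected at %d", pc)
		}
		seen[pc] = true
		in := p.Code[pc]
		if in.Op == "jmp" {
			pc = in.Arg - 1 // the loop increment lands on the target
			continue
		}
		out = append(out, in)
		if in.Op == "ret" {
			return out, nil
		}
	}
}

// Fingerprint hashes an instruction sequence: a naive signature hashes the raw
// layout, a flow-aware one hashes the normalized body.
func Fingerprint(code []Insn) string {
	h := sha256.New()
	for _, in := range code {
		fmt.Fprintf(h, "%s:%d;", in.Op, in.Arg)
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	body := []Insn{{"xor", 7}, {"add", 3}, {"xor", 9}, {"add", 1}, {"ret", 0}}
	want := Fingerprint(body)
	for seed := int64(1); seed <= 3; seed++ {
		p := Scramble(body, 2, seed)
		norm, _ := Normalize(p)
		fmt.Printf("seed %d: raw matches=%v normalized matches=%v\n",
			seed, Fingerprint(p.Code) == want, Fingerprint(norm) == want)
	}
}
```

The normalizer here is cheap because the toy ISA has no conditional branches or data-dependent targets; adding per-chunk polymorphic decryptors, as the comment above suggests, is exactly what pushes the detector from static flow-following into emulation.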

------
cptskippy
> This driver was digitally signed by Realtek, which means that the authors of
> the worm were somehow able to break into the most secure location in a huge
> Taiwanese company, and steal the most secret key that this company owns,
> without Realtek finding out about it.

> Later, whoever wrote that driver started signing it with secret keys from
> JMicron, another big Taiwanese company. Yet again, the authors had to figure
> out how to break into the most secure location in that company and steal the
> most secure key that that company owns, without JMicron finding out about
> it.

Oh come on... "most secure location"? I'd wager it would be harder to break
into the janitor's closet and steal his toilet paper supply than it would be
to get those signing certs. If this was most companies it was stored on a
public file share used by software engineers or in an open source control
repository. They either got someone hired as a contractor or bribed an
engineer they found on LinkedIn a couple thousand dollars.

~~~
LeonM
That's not how it works. You need the private key to sign the drivers. This is
not a file that developers of those companies have access to.

These keys are usually stored on an HSM. Even if you want to, you wouldn't be
able to access the keys stored inside. This is specifically designed to
protect against rogue/bribed personnel.

So it's highly unlikely that the stuxnet developers had possession of the key.
I'd bet that they somehow had access to the HSM, to have it sign the driver
for them.

Companies of this size are audited regularly, so access to the HSM is expected
to be strictly controlled.

So yes, it is a pretty secure location, and a highly guarded secret. The fact
that they pulled it off to break into not one, but two of those secrets is
extremely impressive on its own.

~~~
titzer
> I'd bet that they somehow had access to the HSM, to have it sign the driver
> for them.

Or were able to duplicate the HSM before it was delivered. You know, like how
the NSA intercepted shipments of internet routers in transit and inserted
backdoors.

~~~
erkkie
You don't ship HSMs with keys (you initialise them on-device yourself) nor
can you read keys out from one (at least in theory).

~~~
Cthulhu_
In theory, theory and practice are the same, in practice they're not.

~~~
ddtaylor
Well, an HSM that doesn't meet those requirements is essentially spoiled milk
and of little value. I agree many HSMs are found vulnerable eventually.
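As an added example for the thread above (my code for this page, not from any vendor's signing pipeline or from Stuxnet), here is the loader side of what cptskippy and LeonM are arguing about, in Go with Ed25519 standing in for the X.509/RSA used by real driver signing. Whether the key was copied from a file share or driven inside an HSM makes no difference to the consumer: the signature is cryptographically perfect, so the only checks that can stop such a driver at load time are the trust store and revocation, not the signature verification itself. The key IDs, error names and driver images are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrUntrustedKey = errors.New("signing key is not in the trust store")
	ErrRevokedKey   = errors.New("signing key has been revoked")
	ErrBadSignature = errors.New("signature does not verify")
)

// SignedDriver stands in for a signed driver image: the bytes, the signature
// over them, and the ID of the key that produced the signature.
type SignedDriver struct {
	Image     []byte
	Signature []byte
	KeyID     string
}

// KeyID is a short fingerprint of a public key, used as the trust-store index
// (a simplification of the certificate thumbprint a real loader would use).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// NewVendorKey models a vendor generating its signing key pair.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDriver is what the vendor's build pipeline does, or whoever else holds
// the key or can make the HSM use it. Nothing in the output records who asked.
func SignDriver(priv ed25519.PrivateKey, image []byte) SignedDriver {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedDriver{Image: image, Signature: ed25519.Sign(priv, image), KeyID: KeyID(pub)}
}

// Loader is the consumer: a trust store of vendor keys plus a revocation list.
type Loader struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewLoader() *Loader {
	return &Loader{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (l *Loader) Trust(pub ed25519.PublicKey) { l.trusted[KeyID(pub)] = pub }
func (l *Loader) Revoke(id string)             { l.revoked[id] = true }

// Check accepts a driver only if its key is trusted, not revoked, and the
// signature verifies. Revocation is consulted before the signature because a
// stolen key produces signatures that are mathematically flawless.
func (l *Loader) Check(d SignedDriver) error {
	pub, ok := l.trusted[d.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if l.revoked[d.KeyID] {
		return ErrRevokedKey
	}
	if !ed25519.Verify(pub, d.Image, d.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := NewVendorKey()
	loader := NewLoader()
	loader.Trust(pub)
	legit := SignDriver(priv, []byte("vendor nic driver"))  // constructed image
	rogue := SignDriver(priv, []byte("rootkit driver"))     // same key, stolen
	fmt.Println("before revocation: legit =", loader.Check(legit), " rogue =", loader.Check(rogue))
	loader.Revoke(KeyID(pub))
	fmt.Println("after revocation:  legit =", loader.Check(legit), " rogue =", loader.Check(rogue))
}
```

The price of revocation is visible in the second line: every legitimate driver signed with that key is rejected too, which is why a vendor has strong incentives to keep a theft quiet and why the consumer cannot rely on the vendor to report it.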

------
ufmace
IMO, the sophistication of the final worm that made it out to security
researchers doesn't have anything on the process that must have been used to
develop it. Take the normal iterative development process, except that:

You don't know anything at all about the design of your targeted system and
networks.

Even getting a little information about it requires writing sophisticated
malware, using various spy capers to get the malware near the target systems,
and somehow exfiltrating data from airgapped systems over the internet, where
the whole mission is blown if anyone detects your data movement.

You may need dozens of iterations of adjusting the software to try and dive a
little bit deeper, getting it snuck into the target systems (hopefully by a
built-in update over the net), gathering information on the network
architecture, then exfiltrating that data back out.

Always a tough balance of spread-happy enough to infect highly protected
airgapped systems in a top-secret facility, but not so spread-happy to get out
on the open net and infect half of the world, where it will inevitably be
discovered eventually. This is probably where they eventually screwed up.

How long to detect that they're using this particular model of PLC with this
particular centrifuge, buy your own copy of them, dig up someone who actually
knows about these things, collaborate with them to figure out a sneaky way to
screw things up just a little bit, build ways to get your virus onto the
target system to do its damage, etc.

I'd assume that there was a team somewhere with a big library of zero-day
exploits and a bunch of ace developers, but no starting knowledge of the
target. Someone gave them the order to figure out a way to hack and screw up
the Iranian nuclear program, maybe with the helper that some other org has a
guy that can deliver any product near the program. They must have spent years
devising ways to get in, slowly gathering info about their target, figuring
out a way to achieve the assigned goal of screwing things up without getting
detected. Now that would be a hell of a project to work on.

~~~
hunterjrj
>You don't know anything at all about the design of your targeted system and
networks.

>They must have spent years devising ways to get in, slowly gathering info
about their target, figuring out a way to achieve the assigned goal of
screwing things up without getting detected.

I'd speculate that given who the intended targets were (Iran, North Korea) and
who would have an interest in disrupting their enrichment operations (Israel,
US), and given the level of intelligence gathering activity that both of these
nations can (and ostensibly do) engage in, that the team tasked with creating
this virus had plenty of information to go on from the start.

Centrifuge models with firmware revision, network topologies, deployed server
configuration, etc were likely known in advance.

------
saagarjha
> This driver was digitally signed by Realtek

> that driver started signing it with secret keys from JMicron

I think this is the scariest part of the worm. Not only do the people writing
it have access to zero-days, they also somehow have (possibly physical) access
to the private keys of two large corporations.

~~~
sneak
Try not to think about how many SREs in the big five are likely receiving a
second secret paycheck from Langley and/or Fort Meade.

~~~
dboreham
Interesting. This is the first time I've seen a public comment anywhere about
a strong suspicion I've held for more than 20 years.

~~~
sneak
It seems obvious to me. Want to illegally snoop on someone’s iMessages? Don’t
compromise Tim Cook’s plausible deniability, just get an asset to climb the
ladder until they can touch the systems that send the list of keys to the
target device. Same goes for signing malware binaries for evil maid against
iOS devices, chromebooks, etc. There are controls you can put in place as an
organization to make this harder, but not impossible; eventually human beings
are going to be handling keys and senior management isn’t always going to be
in the room to make sure NSLs aren’t being handed out.

“Keep this quiet or go to the same jail in which Manning was tortured
basically to death” is a pretty persuasive argument.

The fact that Google was asleep at the wheel so long wrt encryption of
internal network WAN links (I mean, wikipedia has an article about the
double-hull sub that the navy uses to tap intercontinental fibers) suggests to
me that most Googlers (and despite organizational differences, also most Apple
and FB and Amazon staff (outside of govcloud)) simply aren’t thinking about
the illegal lengths to which the military will go to obtain huge amounts of
information about possible threats to their safety, security, or persistence
methods (e.g. whistleblowers).

It’s like the industrial rank and file never read the military-industrial
complex speech, even while hearing their bosses take off from Moffett using
taxpayer jet fuel. [1]

[1] [https://www.wsj.com/articles/google-jet-fleet-loses-a-nasa-f...](https://www.wsj.com/articles/google-jet-fleet-loses-a-nasa-fuel-perk-1379018371)

~~~
xroche
> “Keep this quiet or go to the same jail in which Manning was tortured
> basically to death” is a pretty persuasive argument.

You don't even have to speak about it. Not cooperate, and you'll go to jail.

[https://www.washingtonpost.com/news/the-switch/wp/2013/09/30...](https://www.washingtonpost.com/news/the-switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-feels-vindicated-by-snowden-leaks/)

------
vinayms
I am just your average software dev with zero knowledge of malware creation,
speculating here, and might come across as a fool.

The author sensationalizes the effort of the creators, painting a
Hollywoodesque scenario where they break into every possible software company
to steal keys to misrepresent the software, going undetected by every possible
security company etc. Since this is a Quora post, I can live with him playing
to the gallery.

Given the amount of speculation of involvement of US and Israeli intelligence
agencies, and the task this worm was assigned, the real effort might have been
just about writing a USB worm that identifies specific machines and handing
the USB-0 to a double agent (I stopped watching Homeland after season 5 and am
rusty with the jargon). The rest of it would have been simply asking all the
associated software and hardware companies, politely, to cooperate.

If any of this is true, stuxnet is anything but sophisticated. It's just lots
and lots of specific API calls.

That brings up the question: what is sophistication as applied to software?

~~~
Xophmeister
> The rest of it is all about asking the associated companies, politely, to
> cooperate.

What keeps this cooperation secret? It would only take one weak link at any
one of those companies to reveal -- accidentally or otherwise -- that they
were coerced into providing their signing keys. As soon as that got out,
speculation runs amok: Are all products from said company compromised? This
would be ruinous to a company, so no one in charge would agree to that without
something significant -- which would be even harder to hide from the public --
in return. Then, who asked for the key and why? Could that be traced back to
the (presumably) agency in question? That weak link was weak once, there's
nothing to assume that he/she won't be weak again, etc., etc.

~~~
mykull
I'm not sure that it would be ruinous. Isn't RSA still trusted? People have a
tendency to overlook or even defend broken protocol when it's "the good guys"

~~~
Xophmeister
“Compromised” in the sense of that company’s trustworthiness, not in the
cryptographic sense.

------
bichiliad
The title of this post is a bit misleading (and a bit click-bait-y) — this is
one person's response to a quora question, and it seems like the point of his
answer was more "the Stuxnet worm is a seriously complex piece of history if
you don't know about it" and less "this is the definitive most sophisticated
piece of software ever." I feel like we can agree that the definition of
sophisticated[0] is fairly hard to quantify and rank software objectively
against.

[0]: "(of a machine, system, or technique) developed to a high degree of
complexity", according to google:
[https://www.google.com/search?q=define+sophisticated](https://www.google.com/search?q=define+sophisticated)

------
sneak
Stuxnet was able to be reverse engineered successfully so that we can know
these things.

IIRC, its sequel actually used certain directory listings (registry keys or
filesystem) of a target system as input to a KDF that is used to generate an
AES key that is used to decrypt the next stage payload. That is, if you don’t
have the exact specific system configuration that is being targeted (program
names, versions, etc.) then the primary function of the worm remains entirely
opaque.
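Here is an added Go sketch of the environmental keying sneak describes, written for this page rather than taken from any worm or from the analyses of one. The host fingerprint is a directory listing, the KDF is HMAC-SHA256 under a label I chose, and the payload is sealed with AES-256-GCM so that a wrong host gets a clean authentication failure instead of garbage plaintext. The listing strings and the label are constructed for the example. The analyst-side consequence is the one sneak draws: without the exact listing the ciphertext is all you have, and brute-forcing it means enumerating plausible environments, not keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// ErrWrongHost is returned when the re-derived key does not open the payload,
// i.e. this host's fingerprint differs from the one the payload was keyed to.
var ErrWrongHost = errors.New("payload does not decrypt on this host")

// DeriveKey turns a host fingerprint (here a directory listing) into an
// AES-256 key. The listing is sorted so enumeration order does not matter and
// joined with NUL separators so "ab","c" and "a","bc" differ. The label is an
// arbitrary constant chosen for this example.
func DeriveKey(listing []string) []byte {
	sorted := append([]string(nil), listing...)
	sort.Strings(sorted)
	mac := hmac.New(sha256.New, []byte("example-stage2-kdf-label"))
	mac.Write([]byte(strings.Join(sorted, "\x00")))
	return mac.Sum(nil) // 32 bytes
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForHost encrypts payload under the key derived from listing.
// Output layout: nonce || ciphertext || GCM tag.
func SealForHost(listing []string, payload []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveKey(listing))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// OpenOnHost re-derives the key from this host's listing and tries to open the
// blob. GCM's tag check fails on any key mismatch, so the caller learns only
// that it is on the wrong host, never a partial plaintext.
func OpenOnHost(listing []string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveKey(listing))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, ErrWrongHost
	}
	return pt, nil
}

func main() {
	// Constructed fingerprints; the paths are placeholders, not real products.
	target := []string{`C:\Program Files\VendorTool\v4.1`, `C:\Windows\System32\vendorlib.dll`}
	other := []string{`C:\Program Files\VendorTool\v4.2`, `C:\Windows\System32\vendorlib.dll`}
	blob, err := SealForHost(target, []byte("stage-2 logic"))
	if err != nil {
		panic(err)
	}
	pt, err := OpenOnHost(target, blob)
	fmt.Printf("target host: %q err=%v\n", pt, err)
	pt, err = OpenOnHost(other, blob)
	fmt.Printf("other host:  %q err=%v\n", pt, err)
}
```

Note the fragility this buys the attacker: a single version bump in the listing changes the key, so the fingerprint has to be chosen from whatever on the target is both unique and stable.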

------
tdullien
Sorry, but this article is breathless crazy hyperbole. I am a cybersecurity
expert that actually reverse engineered a nontrivial part of Stuxnet at one
point, and I have reverse engineered other government-built worms and
persistence mechanisms.

Driver signing keys are not nearly as difficult to steal as the answer
implies; not only are they shoddily managed in most hardware vendors, they
could also be purchased on the black market for about $50k at the time. They
are still not very difficult to come by.

Zero-days (e.g. security vulnerabilities and their corresponding exploits) can
be purchased on the grey market, and some are developed by government-internal
teams. These are little marvels of strange engineering, but they are also a
relatively common occurrence. The total market prices of the exploits in
Stuxnet will have amounted to perhaps a few million $ at the time.

The Stuxnet worm’s code showed all the artifacts you would have in a large
software project - including but not limited to “handwriting” where you could
see that a small team of engineers and architects were excellent developers
who delegated the implementation of less-important parts to engineers of
lesser ability.

There have been leaner, more elegant, and similarly powerful / crazy pieces of
malware.

In general, though, these things are not made of magic, and they are not the
most brilliant software ever made. They are usually well-engineered by decent
engineers, built by a motivated team with decent funding. Even then, mistakes
creep in (Stuxnet had an infamously broken mechanism to limit propagation),
multiple versions need to be rolled out, and problems & bugs plague any
software system.

Now, comparing something like Stuxnet — a relatively small, well-engineered
but ultimately not terribly innovative assembly of known methods — to
something like Google’s data center infrastructure
(Borg/Flume/Mapreduce/Bigtable/Spanner), the Windows or Linux Kernel etc. and
concluding Stuxnet is somehow superior or more sophisticated is simply false.

Stuxnet was cool etc., but I can assure you the level of sophistication is
less than the Windows Kernel, the Linux Kernel, or Google’s data processing
infrastructure, by _far_.

This is unsurprising: Stuxnet is a much smaller operation. Building Windows
has probably cost many _billion_ dollars by now. Stuxnet, on the other hand,
was likely running on a shoestring budget in comparison.

Assembling a highly impactful worm is much cheaper and simpler than people
think; most of our IT infrastructure is not very robust.

------
thedancollins
The respect comes with the single-mindedness of this code's approach. You
would think the people doing this would have at least a little bit of The
Joker in them - if they saw an opportunity to cause chaos for chaos' sake they
tend to take it. Whoever did this - didn't. That is impressive focus.

~~~
sneak
[https://en.wikipedia.org/wiki/Operation_Olympic_Games](https://en.wikipedia.org/wiki/Operation_Olympic_Games)

It’s not really a secret anymore.

------
4llan
"Zero Days" documentary is focused on Stuxnet.
[https://www.imdb.com/title/tt5446858/](https://www.imdb.com/title/tt5446858/)

~~~
lossolo
I highly recommend this documentary, it explains step by step how stuxnet was
found, how it was debugged (by people that debugged it) and how it was used.

------
realworldview
_When that USB drive is inserted into a Windows PC, without the user knowing
it, that worm will quietly run itself, and copy itself to that PC._ Truly
magical. Anthropomorphism and personification help continue the myth of
sentient, usually evil, software. Whilst scaring the heebie jeebies out of
everyone.

~~~
Y_Y
>"run itself"

I find that misconception worse!

------
phendrenad2
We have much work to do on
[https://github.com/EnterpriseQualityCoding/FizzBuzzEnterpris...](https://github.com/EnterpriseQualityCoding/FizzBuzzEnterpriseEdition)
if we want to catch up.

------
jquinby
I thoroughly enjoyed this writeup as well: [https://www.langner.com/wp-content/uploads/2017/03/to-kill-a...](https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf)

Appendix C is my favorite part: a look at all the things that can be gleaned
from television footage of the facilities, brief glances at control screens,
etc.

------
zer0gravity
If you come to think at it, this "worm" is really a form of life, with a
certain degree of intelligence, I might add.

Just like a biological virus, it replicates itself, it hijacks a pretty secure
environment, like a cell, and uses it, first to replicate even more, and
second, to alter its behaviour in order to accomplish its "goals", meaning
deeply hidden instructions that only activate, and this is amazing, only in
certain conditions, just how a certain piece of DNA is only activated in
certain conditions in the cell.

The intelligent part, in a more humane understanding of the term, comes when it
is able to act and update in a distributed fashion orchestrated by a central
command and control.

This is not just a sophisticated form of software. This is a sophisticated
form of life, albeit a destructive one.

------
rjplatte
This confuses cleverness for sophistication. Yes, Stuxnet is ingenious, but
mostly in concept/access to secret Windows bugs, not execution. Something like
Pagerank or modern video encoders easily beats Stuxnet in terms of
sophistication/complexity.

------
gigatexal
I don’t have the expertise to understand if this article is hyperbolic but it
was the first article I have read in a while start to finish. The author
should try his hand at fiction.

------
howox
There is no conclusive evidence that stuxnet was successful at all. This
article [https://nypost.com/2013/05/16/stuxnet-virus-might-have-impro...](https://nypost.com/2013/05/16/stuxnet-virus-might-have-improved-irans-nuclear-capabilities-report/) actually claims the opposite. With
cyberwarfare and espionage everything is possible so let's not guess too much
as we have really limited information.

------
stochastic_monk
And to think that a combination of decades of diplomatic work and years of one
of the most sophisticated cyberattacks were entirely thrown away by
capricious, corrupt politicians.

~~~
gadders
The JCPOA?

~~~
stochastic_monk
Exactly.

------
mjw1007
Is it still believed that Stuxnet was never intended to escape and infect
machines worldwide? If so, I think that blunder deserves to be a more
prominent part of the story.

------
veddox
A very nice writeup of Stuxnet, although plainly intended for a lay
audience...

Shame the author didn't mention Flame (or any of the other since-discovered
super-viruses) at the end.

------
srcmap
If someone adds a layer to the OS's file system such that only known-good
whitelisted app, exe, .so, .dll, .sys files with complete crypto-hash signatures
are allowed to run in "lockdown" mode.

Everything else is reported and blocked.

Would it be enough to prevent such a worm?

It would be an interesting exercise to take an old exploitable OS (Win XP, or 10
years old Linux with known issues), add such a layer to it, put it on the
internet as a honeypot and see what other kinds of infections it might get.

~~~
TACIXAT
Depending on the hash, an attacker would look for collisions to get something
running that could then change settings or launch other things. Failing that,
you would look for flaws in the system or vulnerabilities in the OS in order
to bypass it. Going deeper you run into trusted computing issues, of how do
you know the verification firmware hasn't been tampered with?

The simplest approach though is if you're running Chrome, and I exploit
Chrome, I'm now running as Chrome and could persist in memory at least until
you shut down.
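
An added example of the lockdown layer srcmap sketches, with the limits TACIXAT raises noted in the comments. This is not code from any poster; the manifest, file names and file contents are constructed.

```python
"""Default-deny executable allowlist: a file may be loaded only if its SHA-256
matches a manifest taken from a known-good image. Added example; all paths and
file contents below are constructed."""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def sha256_of(path):
    """Stream the file so large binaries (.sys, .dll) need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Snapshot the golden image: absolute path -> SHA-256 of the known-good file.
    In a real deployment the manifest itself must be integrity-protected
    (signed, or kept on read-only media), or an attacker simply edits it."""
    return {os.path.abspath(p): sha256_of(p) for p in paths}


def check_execution(path, manifest, lockdown=True):
    """Gate one load request (exe/dll/so/sys) against the manifest.

    Unknown file: blocked in lockdown mode, reported but allowed in audit mode.
    Listed file whose hash changed: blocked in both modes, since a replaced or
    patched driver is exactly what this layer exists to stop.
    """
    ap = os.path.abspath(path)
    if not os.path.isfile(ap):
        return Verdict(False, "missing")
    expected = manifest.get(ap)
    if expected is None:
        return Verdict(not lockdown, "not in allowlist")
    if hmac.compare_digest(sha256_of(ap), expected):
        return Verdict(True, "hash matches manifest")
    return Verdict(False, "hash mismatch: modified or replaced")


def audit(load_requests, manifest, lockdown=True):
    """Every decision is returned, not only the blocks: the 'everything else is
    reported' half of the proposal is what turns a blocked load into a lead."""
    return {p: check_execution(p, manifest, lockdown) for p in load_requests}


def demo():
    """Constructed scenario: one known-good binary that is later patched in
    place, and one driver dropped onto disk that was never in the image."""
    with tempfile.TemporaryDirectory() as d:
        hmi = os.path.join(d, "hmi.exe")
        with open(hmi, "wb") as f:
            f.write(b"MZ\x90\x00 constructed known-good binary")
        manifest = build_manifest([hmi])
        clean = check_execution(hmi, manifest)

        with open(hmi, "ab") as f:          # attacker patches the listed file
            f.write(b" patched")
        dropped = os.path.join(d, "dropped.sys")
        with open(dropped, "wb") as f:      # attacker drops an unlisted driver
            f.write(b"constructed unlisted driver")

        report = audit([hmi, dropped], manifest, lockdown=True)
        return {
            "clean": clean,
            "tampered": report[hmi],
            "unknown": report[dropped],
            "unknown_audit_mode": check_execution(dropped, manifest, lockdown=False),
        }


# What this layer does not see (TACIXAT's point): code that never touches disk.
# An exploit in an already-allowlisted process runs with that process's identity
# and can persist in memory until reboot; catching that needs runtime controls,
# and trusting the checker at all needs a measured boot chain beneath it.

if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:20s} allowed={v.allowed!s:5s} {v.reason}")
```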

------
EdSharkey
If elaborate/sneaky/surprising real world modeling is the quora answer's mark
of sophistication, (which I agree with personally), then I have another "most
sophisticated in 2018" nominee. And the nominee is ...

Facebook's graph database!

Consider, Facebook has modeled:

* All our PII (face scans, key dates and times in our lives (birth to death), employment history, and on and on)

* All our activities (web, real-world)

* All our relationships/interactions (facebook, web, person-to-person, person-to-business, business-to-business, face recognition over practically all digital photos, chat, audio capture from mobile? what else?)

* Data appropriately tagged and categorized: Geo-location and a million other things

* Place information

* And then, the coup de grâce ... how all that data changes over the time dimension

And it's all searchable! A search of that database must be thrilling. You can
know what's going on at every level of society at any point in time. You could
quantify moods, trends, money, stars and governments currently rising and
falling, etc. Consider the unholy power of that graph database, nothing else
must come close! Sometimes, I want to get a job there as a data researcher
just so I could query it.

------
jokoon
I wonder towards what kind of landscapes the cyber arms race will lead us.

The problem is how civilians will end up being the victims of it. What can be
scary is how data can mess around the links of trust that is making society
work. I hope there are people who are able to think about the problem of
preventing online psy ops and other nasty things that can not cause threat,
but do damage on the "data" of how society operates. As long as this problem
is not fixed and the public is not educated about how computers work, I'm for
limiting the use of computers in sensitive areas of society, would it be
money, finance, the military, electricity and water networks, infrastructure,
computers as a work tool, etc.

Funny that a couple of months ago I received a paper mail written in
Russian. There is no way in hell this was not related to my address getting
leaked online; this must have been related to the internet somehow.

------
Yajirobe
I have a question. Since the worm travels from USB to USB, does that mean that
it infected thousands (or more) of regular people USBs but did nothing, until
it found itself in a purity facility? Or was the worm somehow directly sent
(physically or digitally) to the facility?

~~~
stef25
A usb drive discreetly dropped in the parking lot, labelled cat memes would
probably do the trick

~~~
baud147258
Are cat memes popular in Iran too?

~~~
cptskippy
Cat memes transcend cultural boundaries.

~~~
baud147258
Thank you, I didn't know, I haven't crossed a lot of boundaries.

------
igravious
1: What is sophisticated for a non-state actor may be semi-trivial for a state
actor. Why? State actors demand access to the source code of proprietary
software; state actors circumvent laws that bind mere mortals like ourselves.
If you own the playing field that which is sophisticated for even the most
competent and knowledgeable coders may be semi-trivial for the spooks.

2: In my opinion Stuxnet is an act of war. If Iran doesn't consider itself to
be at war with Israel and the US (even though there has been no formal
declaration of war) then they are not thinking straight.

If I were to enrich uranium I wouldn't let a Windows PC within a mile of the
centrifuges, I'd only use locked down versions of Linux.

~~~
wepple
> State actors demand access to the source code of proprietary software

So, when China or Russia are building windows exploits, they just demand
Microsoft hand over source?

Also, the idea that “locked down” Linux would do any better than windows is
ridiculous. The Linux codebase is enormous and complex and full of bugs. At
least if you’d said some type of high security microkernel, you could put
forward some logical arguments.

~~~
igravious
> So, when China or Russia are building windows exploits, they just demand
> Microsoft hand over source?

Yes in fact they do.
[https://download.microsoft.com/download/B/C/A/BCAFF3F5-5DB5-...](https://download.microsoft.com/download/B/C/A/BCAFF3F5-5DB5-4AB4-9AAB-5CF0814E0948/GovernmentSecurityProgram.pdf)

“Throughout the history of the company, Microsoft has worked with national
governments around the world to help them build and deploy more secure IT
infrastructure and services to protect their citizens and national economies.
In 2003, Microsoft built on these efforts to create the Government Security
Program (GSP). The scope of the program has grown over time, and continues as
a cornerstone of Microsoft’s efforts to help address the unique security
requirements of more than 30 national governments around the world.” (Russia
and China included) [https://www.zdnet.com/article/does-microsofts-sharing-of-sou...](https://www.zdnet.com/article/does-microsofts-sharing-of-source-code-with-china-and-russia-pose-a-security-risk/)

> Also, the idea that “locked down” Linux would do any better than windows is
> ridiculous. The Linux codebase is enormous and complex and full of bugs. At
> least if you’d said some type of high security microkernel, you could put
> forward some logical arguments.

It's not a `logical' argument, it's a _pragmatic_ argument. A sufficiently
tech-savvy admin can dictate the hardware on the network, roll their own
kernel so that USB drivers cannot be loaded, have that image as the boot
image, and use TPM if totally necessary. The reason you wouldn't want to run a
high security microkernel is because those can't run regular desktop software
like LibreOffice and what have you.

------
dandare
The other day I had an argument with a proponent of online voting. As a non-
techie, he could not understand my security concerns. In his laic view, we all
use internet banking every day and nobody stole all the money yet, right?

~~~
stordoff
For me, there is a fairly clear argument that works - online banking, you will
know if there is a problem (the money is gone), online voting, you might not
even _know_ it was compromised (in a close election, skewing a few percent of
the votes could change the results without it being significantly different to
the polls).

------
swarnie_
So.... For people who have followed this story more closely than I have, did
the hostile actor ever get identified? Last I checked it was a toss-up between
the USA, Israel and France; was a conclusion ever drawn?

~~~
stochastic_monk
The current belief is that it was a joint effort between at least Israel and
the USA.

~~~
stirlo
It was leaked to the New York Times (sanctioned leak?) that it was a
collaboration of USA and Israel. Not sure where France comes into it...

------
hfdgiutdryg
I recall an early analyst of Stuxnet writing that it was so complex that it
was almost as if it had been written by an alien intelligence. That really
captured the imagination of Slashdot for awhile.

------
ankurdhama
So sophistication == Exploiting dozens of Windows zero day exploits.

------
synfin80
One thing that was somewhat glossed over in the article is that stuxnet used 4
zero-days... That is it exploited 4 different software vulnerabilities that
were unknown. This is a completely unprecedented level of sophistication in
malware.

[https://www.symantec.com/connect/blogs/stuxnet-using-three-a...](https://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities)

------
bflesch
Would it have been easier or harder to implement Stuxnet if the target
networks were running some sort of linux? Or if it would've been a mac-only
facility?

I'm curious.

~~~
Piskvorrr
Smaller platforms (which Linux and Mac OS are, compared to Windows) draw less
interest (both in exploits _and_ scrutiny against exploits), and fragmented
platforms (Linux) are harder to code for (SystemV? systemd? something else
entirely?). I guess that it would have required more effort - but at this
level of involvement, I would say that the result would have been achieved
regardless.

~~~
wepple
The stuxnet dev team managed to get their hands on the exact same centrifuges
as used in Natanz, so getting replica Linux control systems would’ve been a
walk in the park.

Also, “less interest” is irrelevant when we are talking about nation states
picking a specific target and throwing considerable engineering resource at
exploitation.

------
_bxg1
"most sophisticated software ever written" is a bit of a hyperbole. "most
sophisticated computer worm ever discovered" seems more accurate.

~~~
mkagenius
It's amazing to see people go crazy about this worm -- I mean how can someone
think that that's the "most" sophisticated software. Come on, people.

~~~
_bxg1
It's very cool in a hacker-movie kind of way, and carries a certain mystique
because of the fact that nobody's ever claimed responsibility for it. I think
those facts amplify its media presence.

------
0xb8000
I was waiting for someone to point out IDF (Unit 8200?) and NSA collaboration
being responsible for this to come up. The only proof we have is a smile by an
Israeli Defense leader in response to a question asked on 60 Minutes (or a
similarly named show).

Also the author leaves a few details out, such as the intermittent activation;
for example, it was only activated on day 7 and day 21, and other stuff like
the size of this.

------
autokad
"Realtek, which means that the authors of the worm were somehow able to break
into the most secure location in a huge Taiwanese company"

Err, no. The companies gave the US access. As for all the 'unknown Windows
vulnerabilities' it exploited, I wouldn't be 100% surprised if Microsoft left
the vulnerabilities for whatever security agency made it.

------
mrep
Damn that guy can write! I've read this story 4 times now since it was posted
and it still gives me goose bumps to read it.

------
agumonkey
\- windows security is not Uranium HD Ready /s

\- remember systems evolve, these failures aren't hard to harden, both at the
electromechanical and human level.

\- raw network and electronic activity can be monitored

\- is there a way to render MITM UI (the fake display loop) impossible ? a
feedback loop pc -> devices, and if deltas are too high ALERT ?

ps: is IBM refining radioactive material ? ;)

------
eddywebs
It is worth noting that the Stuxnet worm version that affected Iranian nuclear
facilities only attacked certain industrial control systems built by Siemens;
otherwise the worm stays dormant. The worm allegedly had signed drivers, which
could have been a state-sponsored inside job to get the signing facilitated.

------
chiefalchemist
...ever written...that we, the general public, are aware of.

If Stuxnet's discovery was a "bug" and that hole has since been plugged, then
there's likely plenty we aren't aware of.

Minor, but still important to note (for context).

------
Dolores12
So stuxworm is more sophisticated than the OS it's written for? Sounds
ridiculous.

~~~
trumped
Maybe because sometimes it can be relatively easy to write some software,
but much harder to find its bugs and write exploits for them? Otherwise, why
would bugs even exist?

~~~
Dolores12
>why would bugs even exist

People make mistakes; it is an innate feature of human beings. Bugs exist because
it is not economically effective to find them. Bugs, given an unlimited amount of
resources, are possibly easy to find wherever they are. Google how one guy
hacked the infamous HackingTeam alone. He provided some estimates of how long it
took him. Does it make his software the most sophisticated one on the planet? If
his software is the most sophisticated, can he develop Windows alone?

~~~
trumped
Because something takes a long time to do doesn't necessarily mean that it is
complex...

~~~
Dolores12
Are you talking about finding bugs? That's exactly the case.

~~~
trumped
no, I was talking in general... since you brought up how long it takes to make
stuff.

------
nodesocket
There is a good documentary on STUXnet on Youtube
[https://www.youtube.com/watch?v=TGGxqjpka-U](https://www.youtube.com/watch?v=TGGxqjpka-U).

------
jaclaz
IMHO monitoring/controlling a high-speed centrifuge with Windows (or with any
non-real-time OS for that matters) is actually a huge design flaw; there is
even a warning somewhere in MS documentation about Windows not being suited to
Real Time operation, and RTOS are specifically used/needed for closed-loop
applications (such as monitoring and controlling motors).

References (National Instruments):

[http://www.ni.com/white-paper/3938/en/](http://www.ni.com/white-paper/3938/en/)

[http://www.ni.com/white-paper/14238/en/](http://www.ni.com/white-paper/14238/en/)

~~~
lima
The actual monitoring is done by the embedded controller, Windows is just
there for displaying fancy panels and programming the devices.

~~~
jaclaz
OK, still, seemingly the trick Stuxnet used was looping a good copy of those
fancy panels and (still through Windows) changing (slightly) the operating
parameters of the machine, so in this case Windows (directly or indirectly)
was capable of monitoring the device and changing its operating status.

~~~
kchr
Are you saying that there are no zero-days for platforms other than Windows?
There could just as well have been a Linux computer used as interface to the
embedded system that runs the centrifuges, that could be owned.

~~~
jaclaz
Not really saying that, of course _any_ OS is hackable, Linux also is not
normally an RTOS with the exception of RT Linux, and possibly some other
specific distros.

What I was trying to say is that something that has a more direct connection
to the device is less likely to be prone to this specific kind of attack,
which is AFAICU a sort of MITM (displaying a loop of the recorded display),
and of course with a very "vertical" and "dedicated" operating system there
should be less chances of the "casual" insertion of a USB stick in it (and
possibly even no USB port at all on the actual hardware used).
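
One way to build the feedback loop agumonkey asks about further up the thread ("pc -> devices, and if deltas are too high ALERT") and to catch the replayed-display trick jaclaz describes here. This is an added example, not code from any poster; it assumes a second reading of rotor speed that does not pass through the HMI PC, and every sample stream is constructed.

```python
"""Cross-check the operator screen against a reading that never passes through
the HMI PC, and flag a screen feed that is an exact loop of a recording.
Added example; every sample stream below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Alert:
    index: int
    kind: str     # "delta" or "replay"
    detail: str


def delta_alerts(screen: Sequence[float], sensor: Sequence[float],
                 tolerance: float) -> List[Alert]:
    """The feedback loop: for each poll, compare what the panel shows with the
    out-of-band measurement (e.g. a tachometer wired to a separate logger).
    A disagreement larger than `tolerance` is raised, not averaged away."""
    alerts = []
    for i, (shown, measured) in enumerate(zip(screen, sensor)):
        delta = abs(shown - measured)
        if delta > tolerance:
            alerts.append(Alert(i, "delta",
                                f"screen={shown:.1f} sensor={measured:.1f} delta={delta:.1f}"))
    return alerts


def replay_period(samples: Sequence[float], min_repeats: int = 3) -> Optional[int]:
    """Return the lag at which the stream repeats itself exactly, or None.
    Real process values carry noise; a bit-exact repeat at a fixed lag covering
    at least `min_repeats` cycles is the signature of a recording played back.
    A perfectly flat stream reports lag 1, which for a spinning rotor is just
    as suspicious."""
    n = len(samples)
    for lag in range(1, n // min_repeats + 1):
        if all(samples[i] == samples[i - lag] for i in range(lag, n)):
            return lag
    return None


def monitor(screen, sensor, tolerance):
    """Both checks over one window of samples; returns every alert raised."""
    alerts = delta_alerts(screen, sensor, tolerance)
    period = replay_period(screen)
    if period is not None:
        alerts.append(Alert(len(screen) - 1, "replay",
                            f"screen feed repeats every {period} samples"))
    return alerts


# Constructed streams, one sample per poll, rotor speed in rpm.
# Normal operation: panel and independent sensor agree, and both carry noise.
NORMAL_SCREEN = [1000.4, 1001.1, 999.8, 1000.6, 1002.0, 1001.5, 999.9, 1000.2, 1001.3]
NORMAL_SENSOR = [1000.9, 1001.4, 999.5, 1001.0, 1002.4, 1001.1, 1000.3, 999.8, 1001.7]
# Attack: the panel loops a four-sample recording while the rotor is driven up.
REPLAYED_SCREEN = [1000.4, 1001.1, 999.8, 1000.6] * 3
ATTACK_SENSOR = [1000.9, 1001.4, 999.5, 1001.0,
                 1150.0, 1300.0, 1400.0, 1410.0, 1405.0, 1398.0, 1402.0, 1399.0]
TOLERANCE_RPM = 25.0

# Caveat: the second reading must bypass both the HMI PC and the controller it
# programs. If the only speed value comes from a controller that was itself
# reprogrammed, the "independent" feed is lying too and the delta check is blind.

if __name__ == "__main__":
    print("normal:", monitor(NORMAL_SCREEN, NORMAL_SENSOR, TOLERANCE_RPM))
    for a in monitor(REPLAYED_SCREEN, ATTACK_SENSOR, TOLERANCE_RPM):
        print(f"ALERT[{a.kind}] sample {a.index}: {a.detail}")
```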

------
vazamb
I highly recommend "Avogadro Corp: The Singularity Is Closer Than It Appears"
by William Hertling to anyone interested in some good AI scifi around computer
worms/virus.

------
LargeWu
I wonder how many people have Stuxnet on their devices to this day and have no
idea. It would be interesting to see how this spread, from an epidemiological
standpoint.

------
calabin
I'd recommend Kim Zetter's book on this subject:
[https://amzn.to/2rQUGnq](https://amzn.to/2rQUGnq)

------
j45
Stuxnet might be the most sophisticated worm ever written with the number and
types of layers it drills through.

There is likely far more complex and sophisticated software elsewhere.

------
omribahumi
I wonder how many people worked on this, and for how long

~~~
sametmax
It's probably not a single project, but the insights of many projects for
years, finally merged on one that took a long time as well.

~~~
omribahumi
For the 0days, probably.

But even the integration is impressive.

~~~
kchr
I think devising this plan altogether was a huge investment in time and
patience. Consider the social engineering feats needed to get your hands on
the driver signature certificates, for example. And that's just one step in the
entire sequence of lateral movement.

------
ixtli
Out of curiosity, do we know that the state actors that built stuxnet didn't
simply pay or force those Taiwanese companies to turn over the keys?

------
gibbsnich
See "Zero Day: Stuxnet and the Launch of the World's first Digital Weapon" by
Kim Zetter for many more details about Stuxnet.

------
jerkstate
Weird how the US IC developed and deployed such advanced software while
agreeing that Iran was not developing nuclear weapons.

~~~
tripplethrendo
Do we know it was the US IC? I think it's likely that it was Mossad.

~~~
jerkstate
By most accounts, it was a joint effort. [https://arstechnica.com/tech-policy/2012/06/confirmed-us-isr...](https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/) and
[https://www.washingtonpost.com/world/national-security/stuxn...](https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html)

------
mariusmg
I bet it was a bitch to debug and test it :)

~~~
titzer
VMs :)

~~~
kchr
Imagine the intel needed for setting up the centrifuge lab with the same
environment and behavior as the target...

------
crunchlibrarian
The only really interesting part is finding and keeping OS bugs secret. I
wonder how many more the NSA is sitting on?

------
yoyar
Without a doubt the article is fascinating but without defining what we mean
by sophisticated how can we debate this?

------
trisimix
So what if I run my top secret weapons grade uranium producing plant on a
sanely secure operating system, like linux.

~~~
wepple
I can’t tell if you’re being sarcastic or not, but if not: the idea that Linux
is any more secure against a nation state than windows is ridiculous. There
are no shortage of regular vulns discovered in each part of the Linux OS as
used by stuxnet.

~~~
ishaanbahal
Yeah, I never understood why people think like this. I often read people
saying Linux is most secure or some Unix or Mac, Any operating system can be
equally vulnerable, humans are writing code for it after all. And blaming
Microsoft for the insecure OS seems even worse. Their OS runs on way too many
machines, making it the first target. I love linux, not for the security, but
just for the utilities on the command line I can use. I'd feel equally unsafe
on either OS!

------
chvid
Good that the Americans and or Israelis got what they wanted without bombing
away ...

------
Wheaties466
I'm surprised that everyone keeps referencing the book and not the
documentary/movie

Zero days

[https://www.imdb.com/title/tt5446858/](https://www.imdb.com/title/tt5446858/)

------
INTPenis
How do you define sophisticated? Complex or elegant? Because if it's more
towards the latter then I'd suggest the software that took humans to the moon
and back, several times, is much more sophisticated.

But from reading the article it seems the author is aiming more for complex
than elegant.

~~~
0xTJ
I'd say it's got both. It's extremely complex, but it does what it needs so
cleanly. I'd argue that it's extraordinarily elegant.

~~~
INTPenis
Anything complex that also does what it's supposed to does of course have some
inherent elegance but that doesn't mean I'd call stuxnet elegant.

It would be elegant if they could accomplish what they did with less code,
relying on fewer exploits and perhaps even without the reliance on stolen
private keys from other corporations.

Having stolen private keys from hardware vendors is pretty brute force to me.

------
nihil75
writer has no idea how worms, exploits & antivirus programs work.

------
bitL
* the most sophisticated software reviewers have seen so far

------
santoshalper
Whether he is right or wrong, that was a fantastic writeup.

------
hsnewman
This is pure opinion. I've heard that the code for bitcoin is pretty complex
too. But since this is an opinion, it's all a debate. I kind of think the Linux kernel
or Windows OS might be in the running too.

------
drumttocs8
Why so many upvotes for a pretty typical Quora answer? Stuxnet certainly made
a big impact, but do we really think it's that sophisticated?

------
tony2016
Any links to any of its source code?

------
diminish
TLDR; a team of state-sponsored developers & engineers with access to a huge
list of vulnerabilities across windows, drivers and industrial equipment
designed a worm to malfunction centrifuges used in uranium enriching with
multiple hops of infection and stealth mode of operation.

Don't get me wrong, but "sophisticated" doesn't exactly mean obscure and
stealth which is what stuxnet worm is all about. With access to all those
vulnerabilities, I would call the worm implementation straightforward & stealthy
rather than sophisticated. Most likely the engineers didn't have much choice
other than to proceed in one possible way to be able to make it work. If one of the
vulnerabilities didn't then stux.net wouldn't exist.

------
ssijak
And then people make a fuss about Russia "hacking" the election with some dumb
Facebook ads which cost less than maxed out Ford Mustang.

When on the other hand we have the state-sponsored military grade/purpose
viruses used to attack other nations/regions (Flume attacked a large number of
targets and countries) and nobody blinks an eye.

~~~
beager
Those are indicative of the public’s enduring lack of technology literacy, and
the media’s desire to have facts and eyeballs meet halfway. Media reports
Russian election interference via digital ad spend, astroturfing, and
infiltration attempts on state voting systems accurately, but the views to
that reporting probably pale in comparison to the oversimplified, tweet-size
“Russia hacked the 2016 US election” reporting that gets around more quickly
and sticks in the public conversation.

Stuxnet is considerably more sophisticated and _technologically_ more brazen,
but won’t get the same reporting. But it’s also worth it to consider whether
the lack of awareness/awe over Stuxnet vis a vis Russian election tampering is
simply due to technology illiteracy, or whether media is not considering the
notability of the means, just the effect of the ends.

~~~
baursak
> But it’s also worth it to consider whether the lack of awareness/awe over
> Stuxnet vis a vis Russian election tampering is simply due to technology
> illiteracy, or whether media is not considering the notability of the means,
> just the effect of the ends.

No, it's because the media is ultimately subservient to power regardless of
what they might think of themselves. US attacks on countries designated by
power as enemies -- Iran, Venezuela, Russia, etc., are only to be discussed in
clinical terms, marveling at their technological sophistication, for example,
never in moral terms. Bringing up any introspection of what American reaction
would be if Iran did the same thing to us is virtually career suicide for a
mainstream media professional. Trying to draw parallels between Russia
meddling and Stuxnet, noting that Stuxnet was an attack many times worse, is
cutting it dangerously close.

~~~
beager
That may be the larger factor, but I also believe that if you control for the
media perspective on the perpetrator and targets of separate incidents,
something like Stuxnet and its sophistication will be given less emphasis,
because its sophistication is beyond the public's technology literacy, and
would be considered too "inside baseball".

------
KasianFranks
Wrong. Ask the NGA.

------
daenz
I want to do this.

------
andrelaszlo
What do you think, are the authors of Stuxnet reading Hacker News? I wonder
how tempting it is to comment, and what the repercussions would be.

~~~
askmike
"throwaway account for obvious reasons - I'm a devops for the C&C servers. Our
process is actually quite similar to most other tech companies. We spend half
our time arguing over what programming language to use (node/go/rust) and the
other half arguing over whether we should use microservices."

~~~
Clubber
I assume you spend a lot of time getting the SME to clarify what the hell they
mean by "such and such," as well. :)

------
Lionsion
> The most sophisticated software in history was written by a team of people
> whose names we do not know.

Isn't this hyperbole? I'd grant that Stuxnet is probably the most
sophisticated _malware_ ever written, but calling it the most sophisticated
_software_ is a big stretch.

Stuxnet seems to be the product of a competent, professional, and well-funded
software engineering organization that writes malware and understands the
domain of computer espionage. That was unprecedented in the malware space, but
it's not if you include other domains.

------
jacksmith21006
More sophisticated than self driving car software?

------
olfactory
Considering that we have known about Stuxnet for nearly a decade, why are we
still using OS technology that makes such changes/intrusions/phoning-home so
easy to conceal?

~~~
kchr
Because people keep requiring an interface to the machine...

------
rbosinger
A somewhat crazy guy once told me that he worked on Stuxnet. Obviously I
didn't believe him. But he did seem to know quite a bit about it. How weird
would it be if he wasn't lying. I mean, somebody had to work on this
somewhere.

~~~
the_grue
Do you happen to remember what was the crazy guy's nationality?

