Stuxnet is embarrassing, not amazing (root.org)
72 points by r11t on Jan 17, 2011 | hide | past | favorite | 107 comments



Real Mossad Operatives Ship.

These guys weren't making a paean to beautiful, hardened software to impress their hacker friends. They needed to get the simplest, most reliable and effective code possible out the door in as short a time as possible.

Israel bought itself a few more years of a nuke-free Iran. This is a successful, amazing, even miraculous outcome. Outside of nerd circles, software is measured by results, not architecture or complexity. Beautiful systems that never ship are fine for weekend projects but, uh, we're talking about stopping a nuclear weapons program here. It's a bit like saying that Apollo 11 was bullshit because the accommodations weren't anywhere near as nice as flying on Pan Am.

Stuxnet is the Jack Bauer of software. Rough edges but badass and gets the job done under impossible circumstances.


That's a nice-sounding narrative, but no assessment of Stuxnet indicates that it foreclosed on Iran's nuclear capability, and if it actually is an intelligence service attack on a foreign industrial process, the fact that it's been analyzed in the New York Times seems to suggest that it wasn't very competently done.

A big part of Nate's point in this article is that the virus and DRM communities have known for over a decade how to take programs like this and make them hard to analyze. Nate is pointing out that nothing like that seems to have been done here.

Note that Nate was a key contributor to the as-yet-unbroken† Blu-Ray BD+ DRM scheme, which he worked on in his last couple years at Paul Kocher's infamous Cryptography Research. Here he is going out of his way to cite well known, public sources for methods that would have allowed an intelligence agency to carry out this attack without broadcasting to the world "AIR GAP ALL YOUR NUCLEAR FACILITIES IMMEDIATELY OR YOU WILL LOSE YOUR CENTRIFUGES". He's not even suggesting that the authors needed to be world-class content protection experts; only that they would have benefited greatly from a book you can get off the shelf at Barnes and Noble.

The C.W. on Hacker News might be that it makes sense for Iran's enemies to brag about destroying centrifuges without a costly military intervention. But real intelligence services don't brag, if only because they'd like to be able to repeat the same trick against Myanmar or Belarus or Syria or whoever the next proliferation threat is.

BD+ is interesting because it was designed to be broken easily and then renewed easily; there are numerous individual disk breaks, but so far as I know no break against the whole BD+ scheme that would enable a bypass of any studio update. BD+ may be the first such renewable content protection scheme ever deployed.


> real intelligence services don't brag

Not being heads of state, I don't think either of us is qualified to guess on the 8-dimensional chess being played here. Israel, if they are indeed behind this, is home to some of the brightest computer scientists on the planet. They already pulled off an impressive feat. It's pretty obvious that accomplishing the obfuscation described would not be outside their abilities.

So if they didn't bother, I have a hunch they had their reasons. They could be technical, and that would be the simplest explanation. They could just as well be political or otherwise strategic. I don't know, and neither does anyone else outside of the Israeli and US intelligence communities.

But whatever their reasoning, it's cheap, Monday morning quarterbacking to call an unprecedented and successful operation like Stuxnet embarrassing. Its exposure in the Times has nothing to do with technical competence and everything to do with the fast pace of information flow in the 21st century.

We all know about Operations Opera, Spring of Youth or Wrath of God, it's possible to read about them at length and I'm not sure anyone can dispute the competence on display there.


The US is home to more of the world's brightest computer scientists, but they aren't apportioned evenly throughout all the intelligence services and their contractors. Even presuming that this was carried out by "Mossad" --- and despite breathless reporting in the mainstream media and our inherent narrative bias about cyberwarfare stories, that's still a presumption --- that doesn't mean the best & brightest actually worked on this.


I guess the point is that it is simply impossible to distinguish between a mediocre team and a brilliant one that has chosen to disguise its capabilities.


If that was his point then the title of the article shouldn't have been "Stuxnet is embarrassing, not amazing" but rather "Here's how Stuxnet could have been even better".


I think "teenagers have written tfiles that are markedly more sophisticated than this virus" justifies the title, but this is a difference of opinion and a classic example of an unproductive HN argument. If you think his title sucks, fine.


Israel bought itself a few more years of a nuke-free Iran.

Do we actually know that? Is there any evidence that this delayed the program by "years" rather than a few months?


Seems like they really messed them up.

According to Western intelligence reports, Russian scientists warned the Kremlin that they could be facing "another Chernobyl" if they were forced to comply with Iran's tight deadline to activate the complex this summer.

http://www.telegraph.co.uk/news/worldnews/europe/russia/8262...


This doesn't add up. Russian scientists are extremely concerned about Iran's lax attitude towards nuclear safety issues (note plural). Against this backdrop we're supposed to be able to read tea leaves from a captured virus and determine the level of damage it did to a shoddily-operated highly-secret massively-complicated nuclear plant?


The source on the disruption to the nuclear program wasn't from analyzing the worm, it was from:

Three UN diplomats who were sources to an AP story:

http://news.yahoo.com/s/ap/20101122/ap_on_re_eu/iran_nuclear...

A "former top IAEA official":

http://www.washingtonpost.com/wp-dyn/content/article/2010/11...

Iran stopped all uranium production, according to official IAEA report:

http://www.isis-online.org/uploads/isis-reports/documents/Ir...

IAEA again:

http://au.news.yahoo.com/world/a/-/world/8378260/iran-tempor...

Head of Mossad and Hillary Clinton both announced:

"that they believed Iran’s efforts had been set back by several years."

(from the very NYT article)

And no less than the President of Iran, Mahmoud Ahmadinejad:

"Iran's enemies used computer code to make "limited" problems for centrifuges involved in uranium enrichment at some of its nuclear sites, President Mahmoud Ahmadinejad said on Monday"

http://israelinsider.net/profiles/blogs/ahmadinejad-those-wh...

But he would say 'limited', wouldn't he. After all, two weeks earlier they were vehemently denying that Stuxnet had any effect.


All these stories say the same thing: Natanz suffered a major setback, and various researchers suspect Stuxnet played a role. Here's what I think: Natanz suffered a major setback, and the role Stuxnet played was to provide a smokescreen for the actual sabotage. I have no evidence to support my take, but then, there's not much evidence for the alternative take.

I also think it's plausible that Ahmadinejad (who, remember, is not necessarily a key player in Iranian nuclear politics) or his handlers might play along with a bogus Stuxnet story if it suits the narrative; for instance, if humdrum human sabotage dealt a much greater blow to their plans than has been acknowledged, Iran might prefer the "virus cost us a few months" story to the "we're back to square one" story.


I don't know about your theory, but I agree you do have to notice that Iran wants to be considered a serious threat to increase their global bargaining position. Therefore, they have an incentive to publicize the "sophisticated cyberweapon" angle.


The IAEA report numbers are from two sources:

a) Iran sends periodic letters as updates to the IAEA.
b) The IAEA confirms the reported numbers through on-the-ground inspections.

The reason Iran eventually had to confirm production problems is that the IAEA was reporting centrifuges being replaced and production numbers steadily declining to a halt.

The best report that ties all this together with Stuxnet is this one:

http://isis-online.org/isis-reports/detail/did-stuxnet-take-...


I am really confused. I thought the goal of Stuxnet was to delay the production of Iranian enrichment efforts at Natanz. Not to delay a civilian reactor at Bushehr, which is hundreds of miles away.

Assuming the Telegraph report is correct, I don't see how this tells us anything about how effective Stuxnet was at delaying enrichment efforts.


What evidence would you accept?


I'll accept anything, but I'll give more credence to some sources than others.

But this seems backward. If there is no evidence that Stuxnet was effective at significantly delaying Iranian production, then people should stop saying that there is. My willingness to accept evidence really shouldn't have anything to do with it.


I'm asking because it's unlikely http://presstv.ir is going to host an article saying that Iran's ability to obtain a nuclear bomb has been delayed.

Mossad is saying that Iran doesn't possess the capability to build a nuclear bomb before 2015 and it says attacking Iran would be unwise [1]. Can you think of any reason why they would be saying this unless they believed it to be true?

[1. http://www.alarabiya.net/articles/2011/01/07/132525.html]


I'm asking because it's unlikely http://presstv.ir is going to host an article saying that Iran's ability to obtain a nuclear bomb has been delayed.

True, but that doesn't mean we should accept every claim as true.

Can you think of any reason why they would be saying this unless they believed it to be true?

What? This doesn't tell us anything about the effectiveness of Stuxnet. Even if they did, intelligence services have a nasty habit of exaggerating their own effectiveness, so I'd find it more credible if that assessment came from another Israeli government organization or another nation's intelligence service altogether.


Even if they did, intelligence services have a nasty habit of exaggerating their own effectiveness

This is where we disagree (I also don't know where this perception comes from). In no way is it in Israel's best interest to do an about-face on their assessment of the time frame for a nuclear Iran unless they had good evidence that indeed Iran's capability to obtain nuclear weapons was severely diminished. Israel has been trying to convince the international community that Iran has been on the cusp of nuclear weapons for the past two years.

You're arguing that the organization Mossad is acting irrationally. What benefit does Mossad exaggerating their effectiveness bring Israel?


You're arguing that the organization Mossad is acting irrationally.

No, I'm arguing that Mossad's claims about when Iran will have a weapon tell us nothing about the effectiveness of Stuxnet. This is a matter of logic.

I also don't know where this perception comes from

Reading books about intelligence services...like Legacy of Ashes http://www.amazon.com/Legacy-Ashes-History-Tim-Weiner/dp/038...

Beyond that, this is really basic systems theory. Intelligence service oversight, at least in the US, is very lax. The people doing oversight know a lot less about operations than the people being overseen. So when they screw up, they can spin their nominal bosses so that no one gets fired or goes to jail. It is really hard to keep secret and highly compartmentalized organizations honest. The principal agent problem is a big deal.


> This is a matter of logic.

Which brings me to my question above: what evidence would you accept? I agree there is no concrete link (just as there is no concrete link between Israel and Stuxnet), but Iran is not going to a) announce their nuclear weapons program and b) detail how far Stuxnet has set them back.

> So when they screw up, they can spin their nominal bosses so that no one gets fired or goes to jail. It is really hard to keep secret and highly compartmentalized organizations honest.

I guess we just disagree on the reasons Mossad is making these statements. It makes no sense to me why Mossad would subject Israel to threat of annihilation in order to make Mossad leaders look good.

Let's assume Mossad isn't behaving pettily. Why would they make these statements unless they believed them to be true?


At the very least, to make a Mossad claim plausible, you'd need to have:

(1) a statement by Mossad issued before Stuxnet was released forecasting that Iran would have a weapon by time T_0

(2) a statement by Mossad issued after Stuxnet was released forecasting that Iran would have a weapon by time T_1

(3) T_1 larger than T_0 by at least a year

(4) a statement by Mossad claiming that there were no significant impediments to progress besides Stuxnet

Again, this all assumes that Mossad is not lying. These are the requirements just as a matter of logic. If you don't have all these elements, you can't claim that Mossad's statements prove that Stuxnet was effective at significantly delaying Iran. At best, you have (2), but without (1), (3), and (4), that proves nothing.


To add another source, John Bolton said last August that Israel had 'a week' to attack Iran as the nuclear fuel would be ready to load at that point:

http://www.foxnews.com/politics/2010/08/17/israel-weeks-end-...

That timeframe has now been extended from 'a week' to 2014+ (according to the NYT quoting both Mossad chief and Clinton)

What happened between these two statements to shift the timeframe estimates so dramatically? Stuxnet.


1) According to the Wikileaks cables, Israel's spy agency Mossad's latest claims foreshadowed that Iran would be nuclear armed by 2011.

http://www.presstv.ir/detail/159244.html

2) Iran not able to build nuclear bomb before 2015

http://www.alarabiya.net/articles/2011/01/07/132525.html

3) 2015 > 2011

4) Israel refuses to take credit for Stuxnet. So this is impossible.


Real Mossad Operatives Ship

Someone needs to do that t-shirt, with the Stuxnet code on the back. I'd get one... although I'd probably be too afraid to wear it :-)


Just pointing out that you would be wearing a t-shirt of an agency that doesn't mind assassinating and torturing people.


It reminds me of the Israeli treatment of the humanitarian supply ships that tried to help Gaza.


Afraid of whom?

I've never heard of someone afraid to be pro-Israel/Mossad, only the opposite.


That statement is extremely location-dependent.


Exactly! The fact that the anti-Mossad regime is so secret is what makes it even scarier. The less proof we can find, the more compelling it becomes!


we're talking about stopping a nuclear weapons program here.

But the unanimous consensus ("with high confidence") of all 16 US intelligence agencies remains that Iran does not have a nuclear weapons program. I haven't seen that mentioned once in any discussion of this subject here. That's just weird.

I don't follow this stuff closely and obviously have no idea what's going on behind the scenes, but it seems likely that everything about this business is stuffed to the gills with propaganda. Is there any credibly objective source anywhere?


But the unanimous consensus ("with high confidence") of all 16 US intelligence agencies remains that Iran does not have a nuclear weapons program.

Israel has enough to worry about without Iran developing nuclear weapons. I sincerely doubt they would keep bringing it up if it obviously wasn't the case. They really don't need it for their case. So I would like to see the evidence for your assertion.


I'm not the original poster, but the idea that the US intelligence agencies have collectively decided that Iran's nuclear weapons program is inactive is not some crazy conspiracy theory: the most recent NIE really does say that. http://www.nytimes.com/2007/12/03/world/middleeast/03cnd-ira...


Today is the 50th anniversary of President Eisenhower's historic speech criticising the rise of the American military industrial complex. So if you're wondering why Israel would make up a nuclear program that doesn't exist in Iran, check it out. http://content.usatoday.com/communities/theoval/post/2011/01...

Here is a good debate concerning the issue of trusting Iran that they have no nuclear program. http://www.youtube.com/watch?v=RVZGREqdfZ8

I also invite you to read this document. Specifically section 4.5 starting on page 30: "Despite pressure from the US, successive reports by the IAEA have found no evidence of an Iranian nuclear weapons programme, past or present." http://www.transcend.org/tri/downloads/The_Iran_Threat.pdf


Source please.


I didn't include a link because I don't have time to vet any particular source. But you can take your pick of countless ones: http://www.google.com/search?q=iran+nie.


Yet. The unanimous consensus was that Iran does not yet have a nuclear weapons program, but that it was attempting to establish one.

The purpose of Stuxnet was to push back Iran's progress by a few years.


The purpose of Stuxnet was to push back Iran's progress by a few years.

Ah, but why bother? Iran's nuclear weapons are always just a few years away, in the future: http://www.cato-at-liberty.org/bad-intelligence-but-in-which...

“Late 1991: In congressional reports and CIA assessments, the United States estimates that there is a ‘high degree of certainty that the government of Iran has acquired all or virtually all of the components required for the construction of two to three nuclear weapons.’ A February 1992 report by the U.S. House of Representatives suggests that these two or three nuclear weapons will be operational between February and April 1992.”

“February 24, 1993: CIA director James Woolsey says that Iran is still 8 to 10 years away from being able to produce its own nuclear weapon, but with assistance from abroad it could become a nuclear power earlier.”

“January 1995: The director of the U.S. Arms Control and Disarmament Agency, John Holum, testifies that Iran could have the bomb by 2003.”

“January 5, 1995: U.S. Defense Secretary William Perry says that Iran may be less than five years from building an atomic bomb, although ‘how soon…depends how they go about getting it.’”

“April 29, 1996: Israeli prime minister Shimon Peres says ‘he believes that in four years, they [Iran] may reach nuclear weapons.’”

“October 21, 1998: General Anthony Zinni, head of U.S. Central Command, says Iran could have the capacity to deliver nuclear weapons within five years. ‘If I were a betting man,’ he said, ‘I would say they are on track within five years, they would have the capability.’”

“January 17, 2000: A new CIA assessment on Iran’s nuclear capabilities says that the CIA cannot rule out the possibility that Iran may possess nuclear weapons. The assessment is based on the CIA’s admission that it cannot monitor Iran’s nuclear activities with any precision and hence cannot exclude the prospect that Iran may have nuclear weapons.”

You'd think that after consistently making false predictions for decades, people might be a little more careful about this, but no....


The people making these predictions have great interest in making them false. It's quite possible the ETA keeps getting pushed back exactly because of things like Stuxnet.


That's a remarkably charitable view of intelligence service/government statements given what we now know of Iraq's capabilities.


It's not charitable, it's realistic. I think sometimes they succeed and sometimes they fail, like any organization. I don't assume they're completely incompetent when they fail, nor that they are perfect when they succeed.

A project like Iran's would have its own setbacks even in ideal environment. When there are organizations working against it, it's likely to have even more setbacks.


It is also possible that these people are simply irrational or paranoid. Intelligence is always fragmentary and uncertain, but people who are intent on believing that Iran is a deadly enemy about to acquire a vast nuclear arsenal can interpret arbitrary data to justify that belief.


I don't think it's in dispute that Iran has nuclear aspirations, or that it's an enemy of Sunnis and Jews in the Middle East.

Whether they would actually manage to build a bomb and whether they'd actually use it are different questions - but given the Middle East's practices and history, not ones people would tend to ponder too long over.


Unfortunately this sort of success results in publicly perceived failure. For more examples, see y2k.


Maybe the predictions were true, until somebody made them false?


"Halted in 2003" is how I remember it. How can you push back the progress of something that was halted in 2003 (if it was)? Anyway, (a) I haven't read the report; (b) an objective discussion of this matter seems impossible; (c) I already regret contributing to something that probably shouldn't be on HN; (d) I think I'll stop here.


But the unanimous consensus ("with high confidence") of all 16 US intelligence agencies remains that Iran does not have a nuclear weapons program _anymore thanks to stuxnet_

FTFY


I think it is quite inconclusive that Israel is the source.

If it is, it's likelier that Stuxnet is the creation of Unit 8200 rather than the Mossad.

Reference: http://en.wikipedia.org/wiki/Unit_8200


> Real Mossad Operatives Ship.

How do you know that?


I suspect your question is "how do you know that they're behind stuxnet" for which none of us probably have the answer - or if one of our loyal HN readers does, they're not really likely to divulge it.

The statement quoted in general, though, seems pretty true. That particular agency has a track record for being rather active rather than just quietly/passively gathering intel.


> ... none of us probably have the answer - or if one of our loyal HN readers does, they're not really likely to divulge it.

Exactly, if he works for them and boasts about how efficient they are, it sort of makes them look unprofessional. If he doesn't then how can he say that they are "shipping"? Maybe they waste lots of taxpayers money on projects that never make it out of the door.

From what I know their general policy is to never confirm or deny _anything_.


Stuxnet worked. Very well. It was out in the wild, by best estimates, for over two years before it was detected. During that time it caused complete chaos within the Iranian nuclear program (to the point where some officials were executed on the suspicion of espionage).

This post and its backhanded compliments are very arrogant in a way that epitomizes everything that is wrong with the security industry. It is a game of one-upmanship amongst those who can talk the talk but not walk the walk. This blog post is basically:

Dear most successful team of virus and backdoor writers in history who completely changed the paradigm for what worms can do, I suggest you read this book that I probably know nothing about or haven't read and definitely do not understand. Ps. here are a ton of links to stuff I googled that you didn't do, pss. isn't it awesome that you are anonymous and can't respond to my criticism? psss. Did you get the part about me being smart?

Pathetic. To make it worse, the entire industry is full of such assholes.


Nate Lawson is not trying to one-up anyone in the security industry. He works on a level above most of the rest of us, spending most of his time on hardware and cryptosystem projects. To imply that he's part of the Black Hat vulnerability research bugfinding rat race is to betray a comprehensive lack of understanding of how our field is structured.

I'd challenge you to find any reputable party in that field to challenge this summary. There's a whole Twitterverse of security experts that will back me up on this. Nate's not an egotist, and that's not where this post is coming from.

The place Nate is coming from is one of skepticism. He's challenging the near-hagiographic conventional wisdom that Stuxnet's sophistication is a clear sign of its intelligence lab origins. If Stuxnet isn't particularly sophisticated, that doesn't mean it wasn't set into motion by nation-state actors, or that it was ineffective, but it does knock down one factor in most of the discussions about the importance of "cyber warfare". Maybe Iran's nuclear plants were simply absurdly exposed to IT-based attacks due to sheer incompetence.


He's challenging the near-hagiographic conventional wisdom that Stuxnet's sophistication is a clear sign of its intelligence lab origins.

I thought this conventional wisdom was based on the success of stuxnet, once delivered, at having the desired effect on the centrifuge. The article appears to be based on techniques used in delivery of the payload, not the payload itself.


An expertly constructed industrial sabotage malware might have taken more steps to obscure itself simply so that it could leave the same avenue of attack open to itself in the future, perhaps at a different target. That alone seems to argue against this being the handiwork of the "best & brightest" in the US intelligence community.


That alone seems to argue against this being the handiwork of the "best & brightest" in the US intelligence community.

Noob question: is it widely believed in the security community that the US intelligence community has lots of 'the best and the brightest' when it comes to malware construction?

I only ask because I recall a bit of Jane Mayer's book that explained that post-9/11, the CIA didn't have any professional interrogators on staff because they weren't in the business of holding prisoners in custody to interrogate. Just curious if a similar phenomenon might be at work.


NSA is a hiring pipeline for software security. Some very, very talented exploit developers have come out of NSA.


I'd challenge you

I don't understand, what are you challenging me to? That was the entire point of my rant.


You inferred Nate's motives from his post and judged him an asshole for writing it. You are comprehensively wrong. I wouldn't be the only person in the industry to say that you're wrong almost on the face of the matter just by implying that Nate's part of the vulnerability research "community"; he isn't.


I don't see how it could be interpreted in any other way. He referred to what is probably the most successful hack in history as 'embarrassing' without any real argument to back up his claim.

If Stuxnet fizzled out quickly, didn't work and exposed who was behind it, then I imagine it being an 'embarrassment' (in the way that the Dubai assassination could be referred to as an embarrassment). That situation could have called for a post outlining 'they did this part wrong, they could have tried this' (in the same way Schneier wrote about Dubai)

But the fact that Stuxnet was a blazing success, took years (unheard of) to be captured, months to be analyzed and totally broke new ground that everybody (except the author of the post) didn't understand five months ago, nullifies all of the 20-20 hindsight theoretical feature improvement arguments made in the post.


The part I'm calling embarrassing is the lack of sophistication. If I were in the NSA and we had implemented this, I would be embarrassed.

What would make me proud is year upon year of subtle equipment failure that could not be attributed to any particular cause. When it was discovered years later, it would appear to be an innocent software bug. That's an overwhelming success.


When confronted with facts, you editorialize based on unsourced or anonymously sourced narrative journalism accounts in the mainstream press. Meanwhile, the points you make aren't even incompatible with his analysis.

Did you actually read the article, or are you too upset by the suggestion that Stuxnet was inexpertly constructed?


I don't happen to share Nate's opinion that Stuxnet is embarrassing, but I think your characterization of him based on his blog post is pretty off-base.


It wasn't a specific characterization of Nate, but rather a generalized, overly sarcastic and sweeping view of the security industry as a whole.

Many in security are just far too condescending, as this post was (not just wrong, but smug to boot).

For some reason there is a constant, tense competition between netsec bloggers and personalities for absolutely no reason. It is ridiculous.


You said "This blog post is basically:", which I took to mean that you were referring to him specifically (as he is the author of the blog post). I apologize if you weren't targeting him specifically.

Many in security are indeed condescending, although I don't find it to be more true than in the computer community at large; especially amongst programmers (who seem to feel an almost intrinsic need to disparage someone else's opinion about a language or design choice).

It might just be that we travel in different circles, but I actually am constantly impressed with how helpful and non-condescending most folks in the security community are. I frequently ask questions of people on Twitter who are among the best in the industry and I generally get really helpful replies (as helpful as you can be in 140 characters).

And I don't know Nate personally (I only refer to him by his first name because "Mr. Lawson" has a bit too much of an "Agent Smith" vibe to it), but I've never gotten the impression from anything he's written that he's smug or especially competitive about the infosec industry.


I got into tech via the security industry, so all my experience dates back to 10+ years ago when I left it. Since then I have only kept up with the more mainstream stories and the odd blog post.

I did make a sweeping generalization, and if it seems like I am holding a grudge it is probably because I am. I went through a lot of bad issues and arguments through the process of publishing articles, advisories, exploits etc. Enough to turn me (and many others) off for good.

I don't doubt that there are very good people out there in the netsec space, it just seems that every time a story floats up onto my radar it reminds me of the same issues we dealt with all that time ago (ie. pointless arguments, point-counter-point, one-upmanship, eliteness etc.). I recognized the template of that post pretty quickly, and it simply isn't constructive.

For all I know Nate could be awesome, but as somebody who only knows of him through the paragraphs I just read he fits the old stereotype that I am familiar with pretty well. But outside of the first line, the rest of what I wrote was more about that old template of how subjects, even as big and awesome as Stuxnet, are dealt with and written off by some in the sec industry.


You picked a uniquely bad person to use as an example of the excesses of the security industry. It's too bad, because I probably could have agreed with most of your issues, but now I think you're a crank.

I opted out of software security ~10+ years ago too (I went from software vulnerability research to streaming media and multicast and then ISP operations software and then marketing). Coincidentally, that was about the same time Nate stopped being one of the world's better software vulnerability researchers and moved headlong into cryptography and hardware. He's a friend and I don't speak for him, but I'm guessing his move was made for similar reasons as yours.


I would hope the takeaway from my post is not "hey, this guy is so smart" but instead "hey, this hype about this malware sample is definitely overblown because he is citing really old work here".


I'm sorry you think it's arrogant. If I were to talk to the authors, I'm sure they'd say either: "yeah, it wasn't our cleanest work but we had a tight deadline" or "thanks for the tip, we never heard of secure triggers."

Any high-end agency would never say the latter, so either there were severe time pressures or this was Team B. The narrative that this is highly polished work of a high-end agency (4! I mean 3 0-days!) is not supported by evidence.


> Stuxnet worked. Very well. It was out in the wild, by best estimates, for over two years before it was detected.

How long it was out in the wild doesn't matter though: what matters is how long it infected the target machines.

> During that time it caused complete chaos within the Iranian nuclear program (to the point where some officials were executed on the suspicion of espionage).

How do we know that the people being executed were innocent as opposed to people committing espionage? I mean, if Stuxnet caused Iranian counterintelligence to discover an Israeli operative, then I'm not sure that's a win: delaying the program by an unspecified amount of time at the cost of lots of dollars and the loss of some operatives doesn't seem like a win to me. But this is all very speculative, so who knows.

Is there a good source justifying the "complete chaos" claim? Or the executions?


"I mean, if Stuxnet caused Iranian counterintelligence to discover an Israeli operative, then I'm not sure that's a win"

I should have clarified. The Iranians, according to reports, resorted to firing, jailing and executing their own scientists and engineers because they couldn't figure out why the operation was going so wrong.

Apparently they replaced all equipment, re-programmed the centrifuges etc. etc. until they thought they eliminated everything except for the actual people involved - at which point they became paranoid and the firing, jailing, executions started.


Where are these reports? I haven't seen them in any of the more, ah, reputable media, but I may have missed them.


Here are some of the links I bookmarked, I didn't grab them all but as I find them in my history I will paste them here.

"Intelligence sources report information reaching the West in the past week that Iran has put to death a number of atomic scientists and technicians suspected of helping plant the Stuxnet virus in its nuclear program."

http://www.securityweek.com/did-iran-execute-nuclear-facilit...

Note it says 'suspected', another source I recall was more firm on the employees not being involved (they innocently helped spread the virus through USB disks etc.) but the level of paranoia in Iran was so high that they needed a scapegoat.

This all started with the centrifuges wearing out, having to be replaced, debugged etc. and uranium production being set back by years. Two good sources on this aspect:

* http://www.globalsecuritynewswire.org/gsn/nw_20101123_2990.p...

* http://www.haaretz.com/news/international/iran-pauses-uraniu...


I know nothing about malware, but I know a lot about shipping production software.

- Simpler is better than complicated. As pointed out in one of the comments on the article, increasing complexity increases risk of failure.

- Proven techniques are, uhh, proven. Newer techniques are inherently riskier.

- Really speculating here, but maybe impenetrable obfuscation was actually undesirable? I wonder if the authors, (seems to be Israel and/or US), wanted Iran to figure out who was behind it. A successful cyber-attack means that future attacks of the same sort are possible, and adds a bargaining chip to the Israeli/US side. This can lead to Iranian concessions down the road. Without a proven success, a similar negotiation tactic would have to be much more difficult.


Alternatively, maybe they just thought it is not that important? They were attacking important infrastructure. They were actually going against a country... which had access to the destination machines. As long as they go through usual AVs and don't do extensive dynamic updates of the malware, how much time would they gain? How many experienced people were really looking at that thing? Since their attack wasn't really done the day after the malware was released, even hiding the payload for a month or more wouldn't make much difference in reality, would it?


> "I wonder if the authors, (seems to be Israel and/or US), wanted Iran to figure out who was behind it."

Or perhaps it was engineered to be as complex as necessary to accomplish the job (sabotage), but simple enough that Israel didn't have to show all of its cyber-warfare cards.

There's a good chance that any worm, no matter how engineered, will be detected and reverse engineered. It makes sense not to go all-in on any single one and reveal your techniques unless the difficulty of intrusion calls for it.


>Really speculating here, but maybe impenetrable obfuscation was actually undesirable? I wonder if the authors, (seems to be Israel and/or US), wanted Iran to figure out who was behind it.

I think the idea (Making the red team have to put up with expensive and costly countermeasures to malware) is a good one, however I think it is unlikely the reason this was detected.


The technique I describe is actually less risky in terms of false positives. If you don't get the combination of inputs right, you literally can't decrypt the payload. Even 1 bit of error gives a completely invalid key. It also isn't a new technique. I've seen it in shipping products for at least 12 years.

The one valid criticism is that it is more work to implement. But it's not that hard.


No wireless. Less space than a Nomad. Lame.

Substitute any of a thousand critiques of <any language except Lisp|Haskell>, Windows, Linux, you name it that is out in the world getting its job done.


Uncharacteristically facile. The subtext of Nate's post is that while Stuxnet clearly didn't foreclose on Iran's nuclear ambitions, its careless design may have foreclosed on an otherwise viable nonviolent method of shutting down the harmful industrial processes of other rogue states.

Nate is saying, take exactly one step back and look at Stuxnet and you see that it has two jobs: one†, to retard the Iranian nuclear program, and two, to do so at a minimal cost to future intelligence activities. At that second objective it seems to have demonstrably failed; there are teenagers who have done better jobs of concealing the payloads of malware.

If you believe all the Stuxnet press.


I like your thinking, but the tone of the post doesn't communicate that point as well as your comment.

Now as to point two, I read elsewhere in these comments that one possible advantage of Stuxnet's simplicity is that whoever launched this attack can launch another one with a higher level of stealth.

You are the expert, not I. I only know that in sports this is often a good strategy. Hold off on your strongest plays until the opposition has proven they can stop your average plays.


The problem with that approach is the game is over once your infection route is revealed. You don't get to play your stronger plays. No one will attach a USB flash drive to any Iranian or North Korean industrial computer now.

Why burn a perfectly good vector when you don't have to?


Most of the comments here seem to be of the form "Well, maybe Stuxnet isn't that elegant, but it got the job done and that's what matters", but is it really that bad of software? All the technical people I've heard discuss the software in person gush over how advanced and clever it is. Can anyone point me toward a more technical discussion of Stuxnet which could confirm/dispute the OP's view?


Well, you can compare the Symantec analysis for Stuxnet to other malware (say, Conficker, the previous media darling).

http://www.symantec.com/content/en/us/enterprise/media/secur...

http://www.malwareinfo.org/files/W32.DownadupThreat.pdf

You'll notice that most of the gushing has devolved to focusing on the payload and not the infection mechanism. That's because the worm itself is surprisingly average.


Stuxnet is a hugely complex piece of code already, and it's something that needed to be as bug free as possible, and that means avoiding unnecessary complexity.

A key part of being a software developer is knowing when to make trade-offs rather than striving for "perfection".

The virus did its complex job successfully. Building a piece of software of this complexity that has to work in an unknown environment the first time is amazing.


Being a software developer and being an exploit developer are two entirely different things. Professional exploit developers DO NOT ship unless it's perfect. Malware authors will ship even if it's not perfect, because the target is not technically advanced and can get away with it. If you're targeting a nation-state, you best not compromise your intent, how you broke in, nor how long you've been there for.


Yes, that is the exact point of this article.


The current interpretation of events is that Stuxnet is a project of the Israeli government which has been at least partially successful in slowing Iran's attempts to build nuclear weapons.

Considering that the alternative would be bombing of nuclear facilities, involving perhaps unauthorized overflights of neighboring countries and the risk of inflaming a hot war in the Middle East (through the overflights and the bombings), I don't think I can rate this operation as anything other than a huge success.


According to leaked cables some Middle Eastern countries actually encouraged us to bomb Iran. Otherwise I agree that a non-military solution is at least initially appealing.

I fear whoever unleashed this has opened a Pandora's box of destructive malware. We've already seen things like China hacking major corporations and manipulating its currency. It's not hard to picture a future where malware is used to hurt the competition's production, at either a corporate or state level.


From the perspective of just about every other country in the region there is a hell of a lot of difference between Israel bombing Iran and the US bombing Iran.


A huge success would be if it derailed Iran's nuclear program completely and managed to contaminate the installations for the next couple thousand years, with enough warning as to avoid loss of human life, while forcing Iran to rebuild from scratch somewhere else and, at the same time, leave their authorities wondering what kind of bad luck hit them.

Of course, not all Israeli military want to avoid a confrontation. Military don't usually get medals for preventing wars.


All the current interpretations of events commit the fallacy of "if A then B, B therefore A". Just because centrifuges have purportedly been taken offline recently doesn't mean Stuxnet necessarily caused it. There are other potential causes that are more mundane.


As to the "in a hurry" bit, we know that to be true, or at least we do if we believe the recent NYT article. Obama was, according to that article, briefed on Stuxnet before coming into office. As soon as he was in office, he rushed the program. It may be that he simply removed some bureaucratic hurdles, or he may have told the team that said they needed 9 months to get it done in 4. I suspect we'll never know.


I don't see what the problem is... I thought everyone was in favour of launching with a minimal viable product these days.

But seriously, maybe the thing was cobbled together from a whole bunch of government workers/contractors who didn't really know what they were building. Sort of like that film, Cube. Hence the lack of finesse.

Or, maybe they wanted it to be analysed so other factions would be less wary of it. I mean, who knows.


I think it's safe to assume Iran will no longer control their nuclear facilities with Windows boxes...


Nor use OpenBSD ;-)


It may be that the authors did not want to telegraph their true capabilities to other state actors with cyberwarfare units. Although Iran is one such nation, the outcome suggests they're too far behind to constitute a threat.

More sophisticated states are looking at this and either learning: 1) that Israeli/US offensive cyberwarfare capability is much weaker than they previously believed, or 2) nothing, because they already know better.


Or perhaps the software got an accidental "early release"?


I do not understand this criticism at all. Stuxnet worked, right?


Assuming that Stuxnet was designed to delay Iranian nuclear efforts, there are different degrees of "working". Delaying for a week is better than delaying for a day, etc. If better cloaking would have allowed Stuxnet to remain hidden for longer, then it would have delayed Iranian nuclear efforts more.


Sending a clear message of, "we have the ability to launch effective cyberattacks against you" may have been a goal as well. Make it too stealthy and it might be a while before anyone realizes they were attacked.


You don't want to hide your weapons in an arms race.


My own theory is that after watching Iran kill themselves for a year trying to figure this thing out, they sent out an update of Stuxnet that made it easier to discover as a way of showing their hand.

By that point, according to most reports, the program had been set back by three years (as effective as what a military strike would have been, according to the NYT article).

It was hidden for almost two years, then suddenly discovered - at which point dozens of security companies around the world deconstructed the worm in a process that took weeks.


The simplicity of the design makes it easy to point fingers at non-US / Israeli sources. Via the simplistic design the US and Israel have plausible deniability. When a piece of malware looks no different than any other released last year, then it could well have been developed by Bulgarian teenagers. Bulgarian teenagers will raise fewer international issues than using advanced techniques that only the highly trained CIA / NSA / Mossad operatives have.


Most Bulgarian teenagers don't have access to nuclear centrifuge controller units for the purpose of designing/testing their code.


Consider this:

- Obfuscation is often used to obscure the operative. I submit the conclusion that Stuxnet was 'dumbed down' on purpose to obscure which country wrote it. Also, by obfuscation of the virus one can also send a strong message of 'You do not know who attacked and you will never know'.
