Yeah, great, bravo, clap-clap-clap. Problem is, now everybody knows how to write a virus like that.
Do they though? And if so, are other countries like the USA protected against it? I suppose that’s the source of the debate in my OP.
I haven’t seen any evidence that everybody now knows how to program a worm like this.
There’s a huge difference between knowing that something can be done, knowing how it’s done, and being able to do it yourself.
Everybody knows how to send someone to the moon as well, yet no one else has managed to actually do it again. There are a lot of things that everybody knows how to do…except the little detail about having the expertise, resources and ability to pull it off.
ETA: If it were easy, and ‘everybody’ COULD do this, then it would have been being done already by the horde of hackers out there on the interwebs. If it were ‘easy’ then, at a minimum, other countries would already have done it multiple times in the past. Basically, if it can be done easily (or even not so easily) then it’s better to find out about it sooner than later so that the security hole can be patched. That’s how we’ve found most of the security holes that are out there, after all…by people exploiting them and then developers patching the holes.
-XT
The comparison isn’t a very good one, since you can’t just copy and paste a space program. Otherwise I would have one in my backyard right now.
All that’s going to happen is that Iran is going to beef up computer security, disconnect their computers from sources of contamination, and continue producing fissile material. It would have been much better to save the surprise for an actual war or something.
I’m willing to bet that there are programs like Stuxnet running on important military and civilian systems right now, just waiting for the right packet of data from a Chinese or Russian server.
So? That would have been their reaction to any cyber attack. Obviously, if you’re going to launch a cyber attack sooner or later, they’ll strengthen security sooner or later in response.
They already did. The suspicion is that someone snuck in the worm on a USB or something of the sort.
So… we could only use a non-military solution if we’d already decided and initiated a military solution. And we’d only try to disable their nuclear production capabilities once we were dropping bombs on them to disable their nuclear production capability.
This does not make any sense, at all.
It’s a very good one, since you can’t just cut and paste a hack like this…if you could, then, again, everybody would be doing it or have done it already. Seriously, I’m no expert on this, since I’m a network engineer and haven’t done any hacking or cracking since before most of the posters on this board were probably born, but I know enough to know just how sophisticated this really was. And you don’t even have that small glimmer of an idea of how very difficult and vertically oriented this hack actually was, so you really shouldn’t pooh-pooh the comparison that quickly.
But you are willing to bet this without any actual knowledge of the subject, so what would your bet be worth?
-XT
The Devil is in the details.
This worm is highly specific and targeted. You cannot just cut-and-paste to attack something else. It is like saying now you saw how to bake cookies you can cook a cheesecake. Some basics might be similar but the details are very different and important.
It is true Iran is not out of the game completely but then I heard even bombing their site would only delay them several years (they’d rebuild elsewhere). As I understand it this really screwed them up and delayed them several years…except no bombing.
Realize those centrifuges are precision devices and finicky as hell (from what I heard). Although Sam Stone stated above they were not “destroyed” I think they were effectively ruined or at the least rendered useless for a long time. Whatever the issue with them it is not a matter of turning them off and then back on again and they are good to go. The end result seems to have been very effective.
And just knowing a thing in its broad outlines is not the same as doing it. I know how a nuclear bomb works. It is not a secret and the design is fairly simple. It is the fiddly bits that get you if you actually tried. Turns out they are pretty difficult to actually build and expect them to work.
The intricate details of Stuxnet have been known for quite a while. I work in the industry, and it’s been the subject of discussion with my peers quite a bit.
As you can imagine, it’s been a hot topic among computer security professionals, and there are lots of resources on the web with good information in them.
Symantec has done great work on this. Here’s everything you want to know about the technical details of Stuxnet: Symantec Stuxnet Dossier (pdf).
More info from Symantec: Stuxnet: a Breakthrough. That site has a cool demo that Symantec put on, where they actually set up a Siemens control system and show how Stuxnet changed the PLC behavior. It’s not the actual Stuxnet virus, it’s one the engineer wrote for the demo. There’s nothing amazing about it for anyone who knows anything about PLCs, but if you’re not familiar with them it’s educational.
F-Secure’s Stuxnet Q&A: Stuxnet Q&A
Wired had a good article on Stuxnet in November: Wired “Threat Level”
What freaks me out is that since it’s a classified deal WRT Iran, etc., that it’s such a well-known thing amongst internet security companies, gurus, etc.
“We will perpetrate this upon you, yet we will also find out ways to keep it from harming us domestically using existing security companies”.
It just seems weird.
Yes, a Stuxnet-like worm, if used against us, could do damage to our industrial capabilities (any aspect of industry, not just military applications). You know what else would hurt our industry? Bombs blowing up in or on factories. Stuxnet and its kin are basically just a new kind of bomb. There are three major differences, though: First and possibly most importantly, Stuxnet was a lot more precise than conventional bombs, and caused essentially zero collateral damage. Second, it’s a lot harder to build a Stuxnet-like worm than it is to build an explosive bomb: Your typical teenager knows a few recipes for something that’ll go bang, and a good number of amateurs can build a bomb powerful enough to do serious damage to a factory. But almost nobody can make a computer worm as sophisticated as Stuxnet. Third, once a worm exists, it’s possible (and not all that hard) to change systems so they’re no longer vulnerable to it at all. Sure, you can’t close all the security holes, but you can force the attackers to go back to square one to find new vulnerabilities. It’s more work for the attackers than it is for the defenders. With conventional weapons, though, about all you can do is make the concrete in your walls thicker, which is more work for the defender than it is for the attacker. All told, if we’re going to have weapons anyway (which has been unavoidable for the past million years or so), I’d much prefer that they’d be Stuxnet-style weapons than the other kind.
Oh, there was nothing easy about it. As an example of one of the challenges the hackers faced, the software had to have a valid authentication certificate. The hackers managed to steal one from Realtek. Eventually, the certificate theft was discovered, and the authentication for the certificate was revoked. It only took Stuxnet one day to be back in business with another stolen certificate.
The virus could talk to a home server and update itself, so it could dynamically mutate. For it to work at all, the developers of it needed intricate details of how the SCADA system at Natanz was programmed, and they needed blueprints for the whole system. No one knows how they got it - some speculate that an earlier worm infected their system and downloaded all the software to a home server and maybe even the facility blueprints. Another possibility is that there was a mole inside the facility (the Iranians have apparently ‘questioned’ several engineers, and I think more than one has vanished). Or, the people who built and programmed the facility (the Chinese, Finns, or others) leaked the documents to the worm authors.
This is a virus that required the resources of a government to put in place. There’s no way in hell private hackers could have done anything like this. It was an order of magnitude more sophisticated than anything else that’s been made. There were man-years of effort involved here, along with high-level access to very, very sensitive material.
Scary.
With the NSA’s budget the US damn well better be good at this stuff.
Reminds me of a scene in William Gibson’s Neuromancer trilogy where they’re witnessing a highly sophisticated program crack ICE, and one of the characters remarks “so this is what a war would be like.”
I think the history books may well regard ‘Stuxnet’ as the first shot fired in a cyber-war.
On the other hand, there’s evidence that the Chinese have already been doing stuff like this for a while.
Honestly, I don’t know what to think of this stuff. You can look at viruses like Stuxnet as being malicious and dangerous, but on the other hand you can look at them as antibodies in the information age. Maybe we’re headed for a future in which our networks are full of ‘protective’ viruses that are lying dormant while looking for threats, then attack them when they appear.
Right now it’s kind of the wild west with respect to governments probing and attacking each other digitally, because no one really knows how to respond when they are discovered. If the enemy sends a bomber to wipe out a factory, it’s an act of war, and we know what the range of responses are. Since the enemy also knows, they don’t do it. But if we discover a Chinese or Russian or Iranian worm infesting a defense complex, stealing classified documents, or sabotaging critical infrastructure, what’s the right response? Can you blow up stuff of theirs? Would you start a war over it?
This kind of uncertainty is dangerous. Eventually, I imagine we will work out treaties and establish protocols for the level of response that is acceptable for a cyber-attack, but until we do there’s a high risk of an eventual conflict starting this way, in my opinion.
True, as exemplified by nuclear weapons programs themselves.
This looks like a win-win-win story to me. Slows down Iran’s nuclear program. Maybe buys some time for a potential regime change at a future date (after which point Iran would presumably be less of a perceived threat to its neighbors). Avoids all the potential unintended consequences of a physical attack on Iran’s facilities.
As for the “Now we have to worry about cyber-attacks against us!” argument, we have to worry about that anyway.
No, no, no! It’s a win-win-win-win because computer nerds and right wing war fetishists need even less proof that their paranoid delusions over their enemies are actually true. Now that I think about it, it’s a win-win-win-win-win because the proof of Iran’s nuclear intentions is clearly demonstrated by the need for Stuxnet. I can’t wait until Stuxnet 2.0 causes regime change and a new Iranian constitution with a fellate the United States and Israel amendment! OMG! Win-win-win-win-win-win-win!
If that tag is meant to apply to me, you have mistaken me badly. I welcome this news precisely because it makes actual warfare less likely.
I don’t know why you think e-warfare would lessen the risk of other types of warfare. There is no logical reason to think so. Maybe you know different right-wing war fetishists from the ones I have met. The ones I have met will pretty much do and say anything to get that war they need. This stunt just emboldens them and if you are against warfare then there is no reason why you should support it. Stuxnet was used but the right-wingers and paranoiacs have yet to demonstrate that Iran has a nuclear weapons program, have given Iran further excuses not to play ball with inspectors (the inspectors are carrying Stuxnet 2.0!), and incrementally increased our likelihood for conventional war. It’s really too bad that you don’t get their motivation. Sanctions, assassinations, arming terrorist groups, and now e-warfare are being brought to bear on our dire enemy Iran. It’s just one more tool in the toolbox and the only thing that will guarantee peace is Iran’s nuclear weapons or the removal of the Ayatollah.
Also, this whole “set back the Iranian program by years” belief has absolutely no basis in fact and can never be verified. It’s bullshit propaganda at best. We’ve been hearing about Iran’s imminent nuclear weapons capability since the 90s at least. Just a few more years keeps being said. So now we have “just a few more years” again but instead of it being due to either (1) Iran really isn’t interested in a bomb or (2) Iran is more technologically hamstrung than we poorly estimated, we now have our elite Stuxnet attack! There is no verifiable evidence that it did anything like hold them back years. There hasn’t been a single verifiable piece of evidence supplied by the West in this whole circus.