Stuxnet was embarrassing, not amazing (2011)(rdist.root.org)
rdist.root.org
Stuxnet was embarrassing, not amazing (2011)
https://rdist.root.org/2011/01/17/stuxnet-is-embarrassing-not-amazing/
89 コメント
Kim Zetter's article evolved into the book Countdown to Zero Day
https://smile.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/...
https://smile.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/...
Here's a good documentary about Stuxnet as well: https://www.youtube.com/watch?v=TGGxqjpka-U
Yeah, with a headline like that, I was expecting an article about the international implications regarding why/how something like Stuxnet is even created and deployed in the first place. The technical merits of the operation are the absolute last thing to be embarrassed about.
I don't understand.
Do you really think that a military operation that avoided nuclear proliferation without killing a single human life or causing environmental damage is something to be ashamed of?
Do you really think that a military operation that avoided nuclear proliferation without killing a single human life or causing environmental damage is something to be ashamed of?
Obama et al did this by signing the JCPoA. No need for computer virus.
Yeah this definitely read to me like a click bait title and article. The shortfalls seem trivial in the grand scheme of what was accomplished.
Is anyone actually claiming it was a nuclear arms laboratory?
This is juvenile Monday-morning quarterbacking. Stuxnet was the first (as far as we know). It was revolutionary at the time.
Of course its authors didn't know how agressive antivirus researchers would be, agressive largely because of the fascinating complexity of the code. Almost all malware gets a cursory glance and thrown in the bitbucket after processing.
The first one of anything is always the crudest. Getting away with industrial, state-sponsored cyber-sabotage is a huge step.
Of course its authors didn't know how agressive antivirus researchers would be, agressive largely because of the fascinating complexity of the code. Almost all malware gets a cursory glance and thrown in the bitbucket after processing.
The first one of anything is always the crudest. Getting away with industrial, state-sponsored cyber-sabotage is a huge step.
> The first one of anything is always the crudest. Getting away with industrial, state-sponsored cyber-sabotage is a huge step.
I know the claim is disputed, but if the CIA did cause the Trans-Siberian pipeline to explode in the '80s then that would count as prior art. Even if true it was nowhere near as complicated as Stuxnet, of course.
I know the claim is disputed, but if the CIA did cause the Trans-Siberian pipeline to explode in the '80s then that would count as prior art. Even if true it was nowhere near as complicated as Stuxnet, of course.
But Stuxnet did use obfuscation. The last payload was decrypted by concatenating two environment variables on the host and Symantec never managed to decrypt that one. Did author not read the Stuxnet report?
One thing that I've grown to understand is that the difference between enthusiast and professional is not the quality of goods they produce, but the economy of producing the goods. I feel like that is applicable here.
If we want another example of high-profile security incident that was more embarrassing than impressive, Wannacry fits the bill.
If we want another example of high-profile security incident that was more embarrassing than impressive, Wannacry fits the bill.
My English is too limited to be a 100% sure about the following:
"economy of producing the goods"
What does this mean? The amount of time it takes to produce another extra good?
E.g.
Enthusiast: 1 good per 5 hours -- quality level 85%
Professional: 1 good per 0.5 hours -- quality level 80%
Or something else?
"economy of producing the goods"
What does this mean? The amount of time it takes to produce another extra good?
E.g.
Enthusiast: 1 good per 5 hours -- quality level 85%
Professional: 1 good per 0.5 hours -- quality level 80%
Or something else?
I think it's a bit more subtle than that. Professionals are able to create output that more precisely solve the problem at hand. That means that they will often create output that does less.
In the context of Stuxnet, the professional identified that the problem at hand was to shutdown the Iranian nuclear enrichment facility. They ended up with a piece of code that executed that, but was not maximally obfuscated, because more obfuscation does not solve the problem at hand.
In the context of Stuxnet, the professional identified that the problem at hand was to shutdown the Iranian nuclear enrichment facility. They ended up with a piece of code that executed that, but was not maximally obfuscated, because more obfuscation does not solve the problem at hand.
Enthusiast: 4h for the coolest component C, 1h for unnecessary but fun stuff. The rest of components: A, B & D glued from duct tape in 1h.
Quality of C: excellent, quality of the final product: nice demo, but falls apart when exposed to wind.
Professional: 2h for C, 1h for A,B,D each. 1h for testing. Quality of A,B,C and D: good enough. Quality of the final product: gets the job done, withstands winds up to the speeds required in the specs, plus some margin.
Quality of C: excellent, quality of the final product: nice demo, but falls apart when exposed to wind.
Professional: 2h for C, 1h for A,B,D each. 1h for testing. Quality of A,B,C and D: good enough. Quality of the final product: gets the job done, withstands winds up to the speeds required in the specs, plus some margin.
Correct. The professional produces goods which are actually used in real life conditions, with real life delivery dates.
The enthusiast produces goods which look pretty, but often don't work correctly, or need a lot more hours of work to surpass the professional.
The enthusiast produces goods which look pretty, but often don't work correctly, or need a lot more hours of work to surpass the professional.
... and the amateur produces goods out of love that end up powering the internet
"economy" here meaning efficiency (repeatability, time cost to produce)
I mean, why obfuscate at all? Their malware did its job; after that what does it matter what happens to it? Is not adding additional obfuscation "run-of-the mill" or "amateur" as the author puts it?
> Stuxnet does not use all advanced malware techniques the author can think of
Why use (and give away) any more capabilities than required to do the job?
Why use (and give away) any more capabilities than required to do the job?
In fact, there's no need at all. Some of the most complex malway (viruses, to be specific) every written (Zmist, MetaPHOR), which the post author would "appreciate", never had any wide diffusion; Stuxnet accomplished its task.
All in all, the post author just wanted some attention.
All in all, the post author just wanted some attention.
Exactly. If it did the job why showing the enemy (and the world) all your cards, so they can learn your most advanced tricks? It's better to keep some advanced techniques for the next target than to expose them with no need.
coretx(3)
They literally found a way to trash an enemy’s weapons of mass destruction equipment without bombing cities and hurting people, but somehow that’s an “embarrassment.”
Attacking infrastructure is an act of war. In 2011 the Pentagon took this stance on cyber warfare:
“For the first time, the Pentagon has decided that cyber attacks constitute an act of war, reports The Wall Street Journal. The U.S. military drafted a classified 30-page document concluding that the U.S. may respond to cyber attacks from foreign countries with traditional military force, citing the growing threat of hackers on U.S. infrastructure such as subways, electrical grids or nuclear reactors.”
https://www.theatlantic.com/technology/archive/2011/05/penta...
“For the first time, the Pentagon has decided that cyber attacks constitute an act of war, reports The Wall Street Journal. The U.S. military drafted a classified 30-page document concluding that the U.S. may respond to cyber attacks from foreign countries with traditional military force, citing the growing threat of hackers on U.S. infrastructure such as subways, electrical grids or nuclear reactors.”
https://www.theatlantic.com/technology/archive/2011/05/penta...
It delayed nuclear proliferation without harming a single soldier or civilian. If that’s an act of war, then I guess I’m a war monger.
> "But this isn't academically good code."
As others have said, the only real metric of whether or not something is good is if it works in live production.
As others have said, the only real metric of whether or not something is good is if it works in live production.
No, that's a metric for "something is working".
Ease of maintaining, extending, or fixing bugs in the same software are not informed by that metric.
Ease of maintaining, extending, or fixing bugs in the same software are not informed by that metric.
Except in this case, where it was a one-shot, very specific objective. Once this thing was released, it could not have been easily updated.
It's a classic misunderstanding between "academically viable" and "operationally viable".
The military doesn't need to get an A+. It needs to win. Anything else is a bonus.
Which is why the A-10 is a better plane than the F-35. One shows up and BRRRTs the opposition into a fine red mist, when you need it to. the other makes it pilot motion sick as soon as they put the helmet on.
The military doesn't need to get an A+. It needs to win. Anything else is a bonus.
Which is why the A-10 is a better plane than the F-35. One shows up and BRRRTs the opposition into a fine red mist, when you need it to. the other makes it pilot motion sick as soon as they put the helmet on.
The A-10 and F-35 are completely different planes for completely different purposes. The F-35 attempts to be able to perform most of the things the A-10 does, but you can't just say one is better than the other overall. The A-10 is probably better at shooting ground targets at close range. The F-35 is better at bombing them from 5 miles away.
That's the problem though. The F-35 tries to be good at too many things. It has the latest sensors and stealth and armaments.
But it's taking forever and a day to get the damn thing out the door because it's too academically excellent.
But it's taking forever and a day to get the damn thing out the door because it's too academically excellent.
The wired article linked in the top comment talks at some length about how the software was able to be updated in the wild.
It is though. Bad products eventually fail under their expected operating conditions. That means you didn't actually make something production ready.
It didn't meet the specified requirements. That's a bad product.
If I have a car motor which runs, but throws a piston 20k miles before it should, I didn't build to the production spec.
It didn't meet the specified requirements. That's a bad product.
If I have a car motor which runs, but throws a piston 20k miles before it should, I didn't build to the production spec.
It's hard to be good when you work in complete secrecy. A typical malware creator can talk to anyone in the world. If they talk to white hats they just pretend to be on the side of good. The job of a government spook is much harder because of that lack of communication. You are always on the outside looking in...
Random question for HN: How to articles like this get upvoted so much? Virtually all the top comments talk about how this is an amateurish, Monday-morning quarterbacking effort. Is it just spam upvoters?
No, it's just the people who vote and the people who comment are very different.
This reeks of "I could have done it better" but if they accomplished it with what they had what can you really say? Nice to know there were myriad of other "better" ways to do this. But it's not an embarrassment.
>>Stuxnet was embarrassing, not amazing (2011)
Stuxnet worked. Deal with it. Of course, for obvious reasons, it would be traced back to US/Israel and not to a kid in his mom's basement.
Stuxnet worked. Deal with it. Of course, for obvious reasons, it would be traced back to US/Israel and not to a kid in his mom's basement.
It's OK if USA/Israel does it, otherwise it's an act of war.
More hypocrisy from the "good guys".
We often forget, but even the world’s top professionals get tired, cut corners, and make mistakes.
But also, what substantial gains would have come from adopting the techniques in this article?
But also, what substantial gains would have come from adopting the techniques in this article?
I've seen bits and pieces of disassembled stuxnet code around the web, does anyone here know where I could get my hands on the original binaries?
There are so many system configuration parameters you can collect to encrypt the payload. If you did so, it should not be too hard to enumerate all of them.
Moreover, the virtual machine-based code obfuscation is being regularly pwned by software cracking teams so I can imagine that obfuscation would only postpone the publication of the tool’s code for a week max.
Moreover, the virtual machine-based code obfuscation is being regularly pwned by software cracking teams so I can imagine that obfuscation would only postpone the publication of the tool’s code for a week max.
Yet it worked.
Just like the NSA Cisco exploit chain. According to armchair programmers it was ugly. But it worked it could take over every Cisco router. it doesn't have to always be pretty if it gets the job done.
Just like the NSA Cisco exploit chain. According to armchair programmers it was ugly. But it worked it could take over every Cisco router. it doesn't have to always be pretty if it gets the job done.
The book recommendation at the end, Surreptitious Software, seems interesting. Does anyone know if it is still relevant, or there are newer more relevant books on the market with the same goal?
I will suggest another alternative.
The authors weighed the risk of not being successful vs the risk of someone analyzing the worm. The latter was inevitable but the former would have been disastrous. Those protections would have only slowed down malware analysts. If this was normal malware that would be the goal, exist for as long as possible without being detected. ‘Normal’ malware has a high tolerance for failure.
In this case the goal appears to be ‘break some sensitive equipment before a particular deadline hits’, with a razor thin margin for error. But your points are not lost, good post.
The authors weighed the risk of not being successful vs the risk of someone analyzing the worm. The latter was inevitable but the former would have been disastrous. Those protections would have only slowed down malware analysts. If this was normal malware that would be the goal, exist for as long as possible without being detected. ‘Normal’ malware has a high tolerance for failure.
In this case the goal appears to be ‘break some sensitive equipment before a particular deadline hits’, with a razor thin margin for error. But your points are not lost, good post.
Did you really just copy/paste the top reply from the article, without attribution or comment?
While some hiding is required to get past the virus scanners... Once it trashed the centrifuges, there is huge value in letting the target know they were pwned. There had to be a huge internal "who's the internal spy/saboteur" hunt that planted it - even if it was accidental - and the weapon grade target of the micro controller to let them know it was no accident.
I'd think a witch hunt is exactly what you'd want if there were no internal saboteurs, though. Getting the enemy to waste time, effort and loyalty like that would be the perfect cherry on top of the physical disruption.
What did Bulgarian teenagers do in the early 90s? all links to the story are dead.
[deleted]
m0zg(11)
The criticism here seems to be mostly academic about not using the most advanced obfuscation while completely ignoring the actual objective and just how many obstacles were overcome.
The mission used several 0-days and stolen signing keys to get into a secret foreign air-gapped nuclear arms laboratory under a deadline and ruin the machinery while it kept reporting everything was fine. I dont see how this is anything short of amazing.