Stuxnet Authors Made Key Errors
Trailrunner7 writes "There is a growing sentiment among security researchers that the programmers behind the Stuxnet attack may not have been the super-elite cadre of developers that they've been mythologized to be in the media. In fact, some experts say that Stuxnet could well have been far more effective and difficult to detect had the attackers not made a few elementary mistakes."
Ok! Ok! I must have, I must have put a decimal point in the wrong place or something. Shit. I always do that. I always mess up some mundane detail.
Vivin Suresh Paliath
http://vivin.net
I like
Like breaking the law to get something done that should have been attempted by diplomacy..
"There are a lot of skills needed to write Stuxnet," he said. "Whoever did this needed to know WinCC programming, Step 7, they needed platform process knowledge, the ability to reverse engineer a number of file formats, kernel rootkit development and exploit development. That's a broad set of skills. Does anyone here think they could do all of that?"
May I have a show of /. hands, please?
What one fool can do, another can. (Ancient Simian Proverb)
No. But "we" can certainly /. a site (as is already the case here).
It's pretty safe to assume at this point that Stuxnet was developed as an Israel/USA military collaboration. Spokespeople from both countries smirk before saying "no comment" when asked about it. That being said, hackers have huge egos. The types of hackers that present at security conferences even more so. It's tremendously easy for them to pick apart the worm several months after it was discovered and say "oh ho ho, it doesn't encrypt its command and control communications!!" like they're smarter than the people that built it.
For those who don't RTFAs, this one has something interesting, not mentioned in the summary. The analyst thought the worm might have started as something else and been re-purposed for sabotage. There might be two separate coder groups, one who made the original program and one who made it into a weapon. The latter group was apparently less skilled, though still would have needed a considerable breadth of knowledge.
Makes me wonder if the perpetrator might not be one of Iran's less advanced neighbours, instead of the US or Israel. After all, there are plenty of Middle Eastern nations who are worried about Iranian power and expansion. And there are two obvious suspects that would be blamed when it came to light.
Of course, it could also be that either American or Israeli coders were rushed, understaffed, over-compartmentalized or otherwise had the quality of their work reduced.
Erotic is when you use a feather. Exotic is when you use the whole chicken.
Screwed up details that reveal it could have been built better?
Well that proves a government was behind it!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This is the article worth pointing to on the subject: http://rdist.root.org/2011/01/17/stuxnet-is-embarrassing-not-amazing/, not the bullshit linkbait threatpost.com(MERCIAL) "article".
I'm guessing had it come out that it was of Chinese origin, we'd be inundated with articles about how the Chinese are so much smarter than everyone else because the code is just so darned perfect, only the scary Red Chinese could have pulled it off....and America's days are numbered....duck and cover.
But when it's the US/Israel? Meh...it's not that good.
Seems to me, CIA/Mossad devs (if it is in fact one or both of them involved) could have purposely done it this way to throw anyone trying to figure out who did it off the trail. These researchers are proving that to be an effective method of dealing with possible tracking.
1) From what I read, and I read a lot on that topic, Stuxnet is pretty damn awesome. The exploits alone are estimated to have been worth a seven to eight figure...
2) Secrecy might not have been a priority.
3) Maybe they wanted to be detected to drive a point home.
4) Mindgame question: What if Russia, China or someone else did it and wanted to frame the USA & Israel?
Huh, in the way the article put it, it seems like it was designed not to look like a weapon but to look like a normal virus. Of course, we saw through that right away.
Is there a good source for a technically in-depth list of the mistakes, rather than the vague "ignored several known techniques" summary crap the article discusses?
Mistakes, well what do you expect from the lowest cost bidders for this government project?
The real "Libtards" are the Libertarians!
I'll raise my hand but only slightly over my shoulder as I don't know EXACTLY what they mean by platform process knowledge, that seems too generic.
But just about everything else I've either gotten experience with or touched base somewhere.
Stuxnet should have been developed using an open source model. That way more experts would have seen the code and that would have eliminated all these errors. Maybe I should create a project on SourceForge.
It may very well be that the lack of proper cloaking was intentional, for at least two reasons: on the one hand, as long as the aim was reached, there was no need to reveal the full scope of expertise put behind it. Better keep still-unknown cloaking techniques in case they may come in handy in the future. On the other hand, Stuxnet is certainly as much a psychological weapon as it is a technological one. What would be the interest in disrupting Iran's nuclear program if nobody knew what happened? As such, it's a very good deterrent: any would-be rogue third world country willing to go nuclear knows "someone" will take offense and knows that this "someone" has the abilities to bring their program down. But at this point, nobody can pinpoint who this "someone" may be with plausible certainty.
It's a government IT project, of course it is going to be botched.
Points to things being too good?
The Unabomber manifesto, the use of certain people and devices can point back to/expose groups eg http://en.wikipedia.org/wiki/Gladio_in_Italy
The early use of a 'new' plastic explosive, a DNA sequence http://www.newscientist.com/article/dn2265-anthrax-attack-bug-identical-to-army-strain.html can all be tested. Could the code in a more perfect, more pure, quality form (as found in the wild) ever really point back to teaching methods or something geographical?
If it's still highly effective on some levels, it's fine; with anything better, could the residue of a state actor start to glow?
Domestic spying is now "Benign Information Gathering"
It's much easier to highlight someone else's mistakes than create something that would stand up to the same scrutiny yourself.
...or maybe the creators either didn't care if it was discovered or wanted it to be discovered. If it was Israel, the last time they decided to stop another country's nuclear program, they just flew jets over and bombed it. Not too much subtlety in that. It could be that they wanted Iran to eventually find it just so they'd know. Saber rattling does little good if nobody can hear the saber or know who's doing it. Perhaps somebody thought it was more important to let Iran know they were out there and would try and stop the program, than let a long term plan go into effect that would harm but not actually stop the program.
... Makes me wonder if the perpetrator might not be one of Iran's less advanced neighbours, instead of the US or Israel ...
I've always thought that it was politically expedient and sloppy to assume that the US or Israel was behind it. The equipment is not coming from either of these countries, neither are the technicians who have had onsite access. It is silly to assume that because some Europeans, the Russians and the Chinese are friendly to Iran that they are also OK with Iran obtaining nuclear weapons. Major powers want client-like states, not regional competitors. All major powers know that Iran is unstable and the makeup of its government in ten years is basically unknown. No one wants the current or some future Iranian government to be nuclear armed.
The comments within the article were more informative than the article itself. A number of commentators pointed out the context in which the Stuxnet developers were working and presumed tradeoffs in complexity behind covering their tracks versus achieving their objective. (Which by most accounts appears to have been successful at covering their tracks long enough to permanently damage the uranium centrifuges. Sounds like a solid achievement to me and not what-if conjecture on how good it could have been.) As usual the self-appointed /. experts assume that their "hive" hindsight knowledge could conquer the day. More likely you'd just flame one another over irrelevant technical details, and boast whose toolkit was bigger and more colourful.
http://threatpost.com/en_us/blogs/stuxnet-authors-made-several-basic-errors-011811
Those who have been so quick to blame the US or Israeli governments based on what really amounted to non-evidence probably won't be convinced by this though. It is so much easier to put on a tin foil hat and rave about Three Letter Agencies or Zionist Occupation Government conspiracies (which IMO is what the NYT did as well).
Security of any sort is always about tradeoffs -- you can always make things more secure, but is the cost (in dollars or convenience) worth the effort? The same general principle applies to the kind of things that could have been done to Stuxnet that the author of this article talks about. He presents the conclusion that they simply ran out of time, but overlooks the more likely answer: that they decided the extra time wouldn't be worth the extra benefit. Sure, some of those things might have delayed its discovery, but they would have also delayed its initial deployment. Even if there was no hard deadline, it's not clear that the benefit here would be worth the cost.
"Convictions are more dangerous enemies of truth than lies."
I think it was an automatic update - rollout program that really really sucked.
Was it more important to have a really amazing virus, or was it more important to get something "good enough" out the door in time?
I think Stuxnet did pretty well at its intended purpose.
Hail Eris, full of mischief...
E pluribus sanguinem
"Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload. I really hope it wasn’t written by the USA because I’d like to think our elite cyberweapon developers at least know what Bulgarian teenagers did back in the early 90s," Lawson said. "First, there appears to be no special obfuscation. Sure, there are your standard routines for hiding from AV tools, XOR masking, and installing a rootkit. But Stuxnet does no better at this than any other malware discovered last year. It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day."
If the goal was to disrupt or disable part of Iran's nuclear program and the goal was achieved, what is the point of being 1337?
Every news story in /. seems to conclude something wasn't really that good. Or at least, their users do.
"Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
Especially when that causes the key to get stuck in the lock, or even break off... I only go to good key cutters if I want keys made without errors.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
What you say?
These posts express my own personal views, not those of my employer
And they probably skipped beta testing too. Oh, look, those same /. hands are still up...
Quidnam Latine loqui modo coepi?
I thought it was "proven' that the US and Israelis wrote it, only days ago on /.
Did someone outsource the development to India?
* found several indications that the code itself is not very well done
* found that the code was fairly low quality.
* There were too many mistakes made.
* There's a lot that went wrong,
* They were all logic flaws
I wish they would have provided us geeks some examples!
I guess we'll just have to take their word on it.
The last part of the development of Stuxnet was the live test on the centrifuge, probably coordinated by a mechanical engineer. And we, mechanical engineers, usually don't know jack about programming.
Severe case of WWIC.
Actually I think they've done a decent job. Setting back Iran's nuclear weapons program has been the greatest military achievement for years. I just wonder why all these security experts are so eager now to help the antisemites get rid of the bug. Something to put on their CV in case the power balance changes? Oh, wait. That's the Kaspersky blog. No more questions.
This was probably not a western state. There were too many mistakes made.
Does this mean I'm really Chinese?
They forgot to use comments! Obviously, this eliminates more than half of the world's coders.
Of Your Product, You’ve Launched Too Late ... Reid Hoffman
Have gnu, will travel.
to distract from the other one.
They didn't release it under the GPL.
Who's to say Stuxnet was the only, or even the primary payload?
This would be up to 5 already if I had a mod point.
For every benefit you receive a tax is levied. - Ralph Waldo Emerson
Decades? Decades ago Iran was on our side. We were selling them weapons and intel. We installed a leader for them. There was no need for a 'diplomacy' decades ago.
2011 - 1979 = 32, that is over 3 decades, Jimmy Carter was president.
Perhaps you are confusing Iran and Iraq. We supported Saddam Hussein in Iraq with weapons and intel because we viewed Iran as the enemy.
the working version without the bugs is still out there undetected
yours is colourful? don't you ever *wash* the damn thing?
1: SpinUpCentrifuge
2: BOOL shaking = Alert( "Is Centrifuge shaking violently?" );
3: if ( ! shaking) FAIL TEST
Oh my, government employees rushed to produce results? Government workers produced a less than perfect product? It surely couldn't have come from the country that coined the phrase "Good enough for government work."
Those developers being outsmarted by a teenage kid makes the idea of government involvement much more believable.
If most governments did it, it was sent out to be done by a contractor for the lowest bid. Thus, you got something that made the bare specification and little else.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
...if the damn thing worked?
As has been pointed out by comments in TFA, it's quite possible that security wasn't a major consideration for the virus. Maybe they didn't care to cloak the code. Isn't what really matters that the attack succeeded? I'd take these criticisms a lot more seriously if the Iranians had thwarted the attack and had tracked down the coders. The article just sounds like sour grapes.
These errors would never have occurred if Stuxnet were open source.
Open Source Alternatives
So the worm is not perfect, but who is? They may not have had time to build it into perfection due to time constraints. Maybe they deemed it necessary to release something that worked as soon as possible, instead of when it's too late.
My work here is done.
- Captain Hindsight
After all, it worked, payload was delivered.
Maybe the creators didn't want the Iranians (or anyone else) to intercept - and reverse-engineer - their super secret anti-detection algorithms.
Perhaps there are other worms out there that do use some advanced hiding techniques and haven't been discovered yet.
So this malware is brilliant at some things but makes rookie mistakes in others.
Maybe it was some very skilled programmers working in a field they were not fully familiar with?
Perhaps US and Israel do not have super skilled virus authors on their payroll? I would actually like that to be true.
As if.
My toolkit is clearly biggest and most colorful.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
I think it also useful to point out that
It will be interesting to see what other malware is found in Iran. For it seems very unlikely that stuxnet was the only arrow in the quiver. It seems much more likely that it is just the first of several products to be discovered.
Will
Really? I just read an article about a sloppy Mossad operation:
http://www.gq.com/news-politics/big-issues/201101/the-dubai-job-mossad-assassination-hamas
Huh!
Made by the same folks who designed the security measures in the PS3, then.
One department in the ultra-semi-secret world of semi-clandestine operations and general screwing around would have been in charge of building the thing to accomplish whatever task it was designed for, though due to rampant compartmentalization, they probably didn't know where it was being aimed.
Another department was probably in charge of making sure the world found out about it and that the project got plenty of attention so as to continue the psy-ops war against Iran. ("I'm not yet convinced that Iran really is the boogey man we need to spend a trillion dollars going to war against on flimsy evidence made up by a couple of psychopathic war-mongers in England and the U.S.. I need more news stories where Iran is the bad guy.")
And few of the project workers would have been clued into what the other project workers were clued into. Compartmentalization keeps stuff mostly secret but then drops the ball on organization.
Go Team!
-FL
As a counterargument to your reasoned (and reasonable) conclusion I highly recommend experiencing the hivemind workflow as can be found when, for example, an Anonymous operation takes off. I had the pleasure to witness that for OperationTunisia and it was amazing, it lived up to the concept of the word hivemind.
I am not saying that Stuxnet was the result of a public freely available hivemind (everyone would already know if it was thus it obviously wasn't), only that there is no reason why it couldn't have been (including the possibility of creating physical rudimentary mock-ups for testing, lots of people all over the world have easy unfettered access to high quality workshops and materials).
Now would the same possibly be achievable with a closed non-public hivemind? Could be.
I will never underestimate the potential of hiveminds again, I hope their implementation expands towards the completeness as described in science fiction. I would most likely permanently join/merge with such a "meta-being" if given the chance.
I wanted to try to give a thorough description but realized I could not do the experience justice. When Operation Tunisia took off it had previously existed for at least about a week with low activity, however in about two hours the following was done:
- several free 12-connections limited PiratePads established for information gathering and press releases
- PiratePads deleted by hostiles and restored from local non-"save point" sources with minimal losses
- adequate data had been collected for the Tunisian network infrastructure with a focus on governmental nodes and assessment of them
- Tunisian governmental technical defensive measures identified and understood
- specific tactical choices discussed
- specific strategical choices made and reinforced
- press releases
One cannot sustain freedom without responsibility nor can one sustain responsibility without freedom.
You are totally correct. Case in point: they have found Stuxnet, but not the other two worms currently crawling through their systems...
I've said it several times... Look for the author in his mothers basement somewhere, not in some gleaming government-funded cyber-warfare bunker...
If it were government cyber-warfare we should expect the sites to literally blow up, not just shut down. They would want radioactive pollution in order to make the sites unusable both short term and long term. Just shutting them down for a few days or weeks surely isn't worth the effort.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
The hardest part about this must have been to keep everything secret. Finding people that can keep a secret must have had a higher priority than finding people that are really good at making this kind of software. The recruitment process must also have been kept secret, which makes it even harder to find really skilled employees.
It might even have been written by two groups because the first group, or some people in that group, was suspected to leak and was removed from the project.
" ... Stuxnet could well have been far more effective and difficult to detect had the attackers not made a few elementary mistakes. ... "
If someone can detect your system by making a few elementary mistakes, your system is not secure. End of story. Sounds like they are trying to rationalize it to me.
America, Home of the Brave.
The developers were solid, but not top-notch people and there were budget and/or time limitations. This is not surprising. It is what you usually can do with a reasonable budget. For example, that Stuxnet was too obvious is something that was initially clear. The hype was mostly in the non-specialized press.
Still, take, say, 5 good but not excellent developers for 6 months. This costs very roughly about half a million USD/EUR (including offices, equipment, etc.; salary will be only about 50%). This is serious money and probably more than ever spent on developing a virus. Doing this with top-notch people, provided that you can get them in the first place, would probably cost 2-5 times as much. Of course, compared to dropping bombs, this was extremely cheap and very, very cost effective.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It is entirely possible they held back on this one so that next time they still have a few more tricks they can use. No point showing them everything you have if you can get away with less.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
they still smirk when asked about blowback.
Iran is never easy to deal with. There is an even simpler option. Iran did it. Why? Because they saw what happened to Iraq. Disable their own tech till things quiet down and avoid losing face at the same time while blaming their hated enemies. Bonus!
It all seems a little bit too convenient. And from this, it could have been built by outside forces, been detected AND allowed to run free to give Iran a way out.
What sends a red flag to me about it all is that Iran is so open about it all. They are never open about anything but they sure spilled their guts on this. Why?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
News report from yesterday says that Israel and the US launched stuxnet together:
http://www.spacedaily.com/reports/Israel_tested_Stuxnet_on_Iran_with_US_help_report_999.html
I think they may have been on a schedule-driven development cycle here. Shipping IS a feature, you know.
1) identify your target
2) hire naive programmer with skilz to write a program to attack target
3) put just enough of his untested code into the 'real' program and in just the right way so it looks like his work
4) disappear him
5) 'discover' his notes at his apartment after the FBI raid
6) vow to never give up looking for him
Nice way to frame the article. If a third person agrees, I am sure it would have been unanimous.
If Israel publicly admits they have nuclear weapons, that triggers a variety of sanctions in U.S. Law, including cutting off foreign aid, getting them labeled as a "bad actor"
Not me... I wouldn't touch anything to do with Siemens with a 10 foot politician.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
Lawson concludes that whoever wrote Stuxnet likely was constrained by time and didn't think there was enough of a return to justify the investment of more time in advanced cloaking techniques.
Whoever wrote Stuxnet was right. It had enough tricks to get its payload delivered and to harm the target. Yeah, one could imagine it having been easily discovered, but it wasn't discovered until after the damage had been done. So either the folks behind Stuxnet were making rookie mistakes, or they're just as sophisticated as we all presumed and they prioritized what was important to get the job done, not what would have allowed the worm to evade countermeasures that the Iranians weren't even using, or what would have made them look cooler in the eyes of security researchers. Where's the story here?
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
My guess would be they are pointing to the intimate knowledge of the industrial controllers that were targeted. I doubt that many people know how to code for those units as they are only used in heavy machinery.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
There is a reason it is a homonym of semen.
What precisely does STUXNET attack, and how is it that whatever-it-is is exposed to the threat in the first place? Shouldn't critical control systems for nuclear equipment be physically separated from the public Internet?
Or is the idea that someone with access introduced STUXNET into said critical systems in situ? Youth wants to know.