Stuxnet and the Poisons that Open Your Eyes
Playwright August Strindberg wrote, “…There are poisons that blind you, and poisons that open your eyes.”
We’ve been blinded for decades by complacency and stupidity, as well as our trust. Most Americans still naively believe that our government acts responsibly and effectively as a whole (though not necessarily its individual parts).
By effectively, I mean Americans believed their government would not deliberately launch a military attack that could affect civilians — including Americans — as collateral damage. Such a toll would be minimized substantively. Yesterday’s celebration related to the P5+1 interim agreement regarding Iran’s nuclear development program will lull most Americans into deeper complacency. The existing system worked, right?
But U.S. cyber warfare to date proves otherwise. The government has chosen to deliberately poison the digital waters so that all are contaminated, far beyond the intended initial target.
There’s very little chance of escaping the poison, either. The ubiquity of U.S. standards in hardware and software technology has ensured this. The entire framework — the stack of computing and communications from network to user applications — has been affected.
• Network: Communications pathways have been tapped, either to obtain specific content or to obtain a mirror copy of all content traveling through them. It matters not whether it is a telecom network or an internal enterprise network.
• Security Layer: Gatekeeping encryption has been undermined by backdoors and weakened standards, as have the security certificates that validate handshakes.
• Operating Systems: Backdoors have been obtained, knowingly or unknowingly on the part of OS developers, using vulnerabilities and design flaws. Not even Linux can be trusted at this point (Linux progenitor Linus Torvalds has not been smart enough to offer a dead man’s switch notification.)
• User Applications: Malware has embedded itself in applications, knowingly or unknowingly on the part of app developers.
End-to-end, top-to-bottom and back again, everything digital has been touched in one layer of the framework or another, under the guise of defending us against terrorism and cyber warfare.
Further, the government watchdogs entrusted to prevent or repair damage have become part and parcel of the problem, in such a way that they cannot effectively be seen to defend the public’s interests, whether those of individual citizens or corporations. The National Institute of Standards and Technology has overseen the establishment and implementation of weak encryption standards for example; it has also taken testimony [PDF] from computing and communications framework hardware and software providers, in essence hearing where the continued weak spots will be for future compromise.
The fox is watching the hen house, in other words, asking for testimony pointing out the weakest patches installed on the hen house door.
The dispersion of cyber poison was restricted only in the most cursory fashion.
• Stuxnet’s key target appears to have been Iran’s Natanz nuclear facility, aiming at its SCADA equipment, but it spread far beyond and into the private sector as disclosed by Chevron. The only protection against it is the specificity of its end target, rendering the rest of the malware injected but inert. It’s still out there.
• Duqu, a “sibling” cyber weapon, was intended for widespread distribution, its aims two-fold. It delivered attack payload capability, but it also delivered espionage capability.
• Ditto for Flame, yet another “sibling” cyber weapon, likewise intended for widespread distribution, with attack payload and espionage capability.
There could be more than these, waiting yet to be discovered.
In the case of both Duqu and Flame, there is a command-and-control network of servers still in operation, still communicating with instances of these two malware cyber weapons. The servers’ locations are global — yet another indicator of the planners’/developers’ intention that these weapons be dispersed widely.
Poison everything, everywhere.
But our eyes are open now. We can see the poisoners’ fingerprints on the work they’ve done, and the work they intend to do.
After their poison effectively damaged the viability of the Natanz uranium refinement program, they will claim victory with the Iranian agreement on nuclear proliferation — yet at what long-term price? Not unlike the early treatments for syphilis requiring the patient’s exposure to mercury, those who stood by as therapists and visitors must have been exposed on a limited basis to the chemical neurotoxin, collaterally damaged.
Likewise, Stuxnet’s collateral damage remains, a toxic cure waiting to realize maximum potency on targets that were not the primary focus of Stuxnet’s first and second deployments.
Code lies waiting for a patch or update to refresh it, ready to be relaunched for aims that may not serve the original planners. Holes remain open, serving as doors for some other entity’s purposes — perhaps another nation-state’s hostile attack, perhaps a criminal smash-and-grab, or a massive extortion attempt.
Not to mention the loss of trust among global partners whose civilian technology has been put at risk at scale undetermined, for a period of time unclear.
Or worse: whoever ordered, planned, and wrote the Stuxnet family of cyber warfare weapons wanted assurance that any other attempts to subvert their will could be dealt with in the same fashion that Stuxnet damaged Iran. There is no trust, just hegemonic cyber power. There is only a technological poison waiting for the day when its manufacturer decides to re-arm the toxic payload — a cyber weapon held to the heads of every nation-state, every corporation, every individual who relies on the existing, compromised computing and communications framework.
If Iran was successfully cowed by systematic damage to its nuclear development program and more, how easily will other nation-states be pressured into compliance with but a bit of fresh cyber poison? Will the next deployment be restrained as the second wave of Stuxnet, or will it be as ruthless as Stuxnet’s earlier evil twin was intended to be?
Open your eyes.
What’s the effect called; SKYNET? I say it’s the reverse. Human error has always been the linchpin. It’s not that the Ghost in the Machine achieves total consciousness; it’s more like stupid is as stupid does.
But rather than be comforted by such a notion, it holds the greatest risk.
@Ben Franklin: It’s exactly the stupid part at work here. There was a lack of systemic modeling beyond “take down Natanz.”
Somebody didn’t ask what utility there was and for whom after Stuxnet et al had finished its mission.
I think this placing of Linux on the same level as the closed-source, proprietary Windows is a bit misguided. I don’t think there’s any question that if you are worried about your computers becoming “poisoned”, you should use open source operating systems like Linux or Unix. Especially now that everyone knows that USG compulsively spies on friend and foe alike, the open source community will be diligent in examining source code for back doors. (Of course, as Ken Thompson famously pointed out, you can hide a backdoor in a compiler, but so far, this appears to be just a theoretical possibility.)
@Demian: While I have great respect for the open source community at large, bringing us everything from OpenOffice and LibreOffice to Android, I’ve lost respect for Torvalds. He’s been a butthead to female developers as it is, but to treat the valid concerns of the community about the NSA’s encroachment in such an unserious fashion? Ridiculous, displaying a complete lack of respect for them with his childish antics in lieu of a response.
You can say the community will examine its code, but who is doing it comprehensively?
Once upon a time this cyber warfare stuff was just Hollywood talking out its ass. Not any more. A nation-state — or several, working together — could easily hide a backdoor in a compiler. All it takes is compromising the very few folks who write compilers.
This is exactly the same approach that a certain large software company took when faced with stiff competition from the open source community. They simply identified and hired the one guy who was the primary driver behind all efforts on a particular software package. Done – it bought them about a year’s time, worth far more than this one guy’s salary and benefits.
The NSA has more tools to use to this effect than a certain software firm that had nothing more than money, a nice office, a better location to offer their target. Based on metadata alone they can figure out how to crack the guys writing compiler code; they’ll know what it takes to buy them or compromise them into cooperation.
And don’t get me started on Ubuntu’s caving in to Amazon. Total idiocy.
@Rayne: You’re not going to get serious disagreement from me about anything you said there. I was never a big fan of Linux: I prefer real Unix. :-)
As for the compiler issue, most free software projects use gcc, and, come to think of it, the code for that is such a mess that it might not be all that difficult for a determined spy agency to sneak a backdoor into it.
@Demian: Unless you have done a bootstrap compilation of gcc itself, on a clean machine, there are probably all kinds of backdoors already present. Just because the source code is available doesn’t mean that the compiler that you download is a faithful representation of that code.
@Ken Muldrew: Actually, sometimes I do use a gcc that I do a bootstrap build of inside a fresh zone. No need for using a clean machine if you’re running Solaris.
To get back to Rayne’s post: I forgot to say that “serious” *nix users think little more of Ubuntu than they do of Windows.
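The Ken Thompson compiler backdoor raised above, and the bootstrap-on-a-clean-machine check, can be shown in a toy model. This is an added illustration, not code from the post or the thread: the "compiler" is a Python object whose code generation is a digest of the source, the trojan payload string is constructed, and the check implemented is David A. Wheeler's diverse double-compiling (DDC), which assumes deterministic, reproducible builds.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the compiler's own source and for a program it builds.
COMPILER_SRC = "compiler: translate source to opcodes"
LOGIN_SRC = "login: check password against the hash database"
TROJAN_PAYLOAD = "|hidden-backdoor"   # appears only in binaries, never in any source


@dataclass(frozen=True)
class Binary:
    """A compiled artifact; 'code' is the only thing anyone can inspect or compare."""
    code: str

    def compile(self, src: str) -> "Binary":
        # Honest code generation, modelled as a deterministic digest of the source.
        out = hashlib.sha256(src.encode()).hexdigest()[:16]
        if TROJAN_PAYLOAD in self.code and src in (COMPILER_SRC, LOGIN_SRC):
            # Thompson's trick: a compromised compiler re-inserts its payload when it
            # compiles the compiler (so it survives rebuilds) and backdoors 'login'.
            out += TROJAN_PAYLOAD
        return Binary(out)


def honest_compiler() -> Binary:
    """What a clean build of COMPILER_SRC looks like in this model."""
    return Binary(hashlib.sha256(COMPILER_SRC.encode()).hexdigest()[:16])


def trojaned_compiler() -> Binary:
    """A downloaded compiler binary that does not match its published source."""
    return Binary(honest_compiler().code + TROJAN_PAYLOAD)


def self_bootstrap_is_stable(suspect: Binary) -> bool:
    """Rebuild the compiler with itself twice and compare: a trojan survives this,
    so a stable self-bootstrap proves nothing about the binary's honesty."""
    stage1 = suspect.compile(COMPILER_SRC)
    stage2 = stage1.compile(COMPILER_SRC)
    return stage1.code == stage2.code


def diverse_double_compile(suspect: Binary, trusted: Binary) -> bool:
    """DDC: build the source with an independent trusted compiler, rebuild the source
    with that result, and require the suspect's own self-build to match stage2."""
    stage1 = trusted.compile(COMPILER_SRC)
    stage2 = stage1.compile(COMPILER_SRC)
    return suspect.compile(COMPILER_SRC).code == stage2.code
```

In the model an honest compiler passes both checks, while the trojaned one passes the plain self-bootstrap and fails DDC; this is why the "clean machine" in the comment must mean a compiler independent of the one under suspicion.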
GCC Rocks! Stallman for President!
@Frank33: Indeed. It’s hard not to see most people surrendering their computing freedom to Microsoft as being a step along the way to it being stolen by the NSA.