What we know and what we assume: Schneier on Stuxnet

Paul Raven @ 08-10-2010

Bruce Schneier has a good round-up of the hard facts about the Stuxnet worm (as mentioned previously), as well as an examination of how those hard facts – combined with a few very speculative conspiracy-theory-grade interpretations of some of the more cryptic and tiny facts – have led to the current state of the story in mainstream (i.e. non-techie) media, namely “it was probably an Israeli job”.

Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory “highly speculative,” and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates–India, Indonesia, and Pakistan–are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Once a theory takes hold, though, it’s easy to find more evidence. The word “myrtus” appears in the worm: an artifact that the compiler left, possibly by accident. That’s the myrtle plant. Of course, that doesn’t mean that druids wrote Stuxnet. According to the story, it refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. “Hadassah” means “myrtle” in Hebrew.

Stuxnet also sets a registry value of “19790509” to alert new copies of Stuxnet that the computer has already been infected. It’s rather obviously a date, but instead of looking at the gazillion things–large and small–that happened on that date, the story insists it refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.

Sure, these markers could point to Israel as the author. On the other hand, Stuxnet’s authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it’s impossible to know when to stop.

Are those mysterious little comments in the code the flourished signatures of master cyberwar artistes? Or a frame-job packed with credible deniability? Or an elaborate double (or triple) bluff? Truth of the matter is, we’re all just guessing. They say that life sometimes imitates art; this is a case of life imitating The Illuminatus! Trilogy, only without so many puns or sex scenes. We all have a story we want to map on to the world, and it only takes a few pins to tack it down in a way that seems to explain everything…

[ * For the record, my instinct tells me – with admittedly very little professional knowledge to back it up – that Stuxnet stinks of nation-state vs. nation-state, and I get the impression Schneier thinks so too. His point is about how we treat speculative interpretations as givens when they match up with the way we already think things work… confirmation bias, in other words. ]


Schneier slams quantum crypto as ‘pointless’

Paul Raven @ 16-10-2008

Security maven Bruce Schneier (who’s an active science fiction fan, by the way) has a column up at Wired that gives quantum cryptography a vigorous kicking. Evidently he’s been noticing the same stories as myself, because he points out that “headlines like the BBC’s “‘Unbreakable’ encryption unveiled” are a bit much.” O RLY?

The big difference between Schneier and me, though, is that he really knows how this stuff all works… and as such, he’s not seduced by quantum cryptography’s golden promises:

Security is a chain; it’s as strong as the weakest link. Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains. Our symmetric and public-key algorithms are pretty good, even though they’re not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.

Let’s not forget the weakest link of all, either – the users themselves… [image by the anonymous collective]


Transparency bites – Brin blasts back

Paul Raven @ 12-03-2008

Wired has given David Brin some rebuttal space to defend his Transparent Society concept in response to Bruce Schneier’s recent criticisms (as covered earlier here on Futurismic):

“How did we get the freedom we already have, becoming the first civilization in history to (somewhat) defy ancient patterns? Yes, it’s imperfect, always under threat. We swim against hard currents of human nature. But reciprocal accountability is the innovation that lets us even try.

Schneier claims that The Transparent Society doesn’t address “the inherent value of privacy.” But several chapters do, and I conclude that privacy is an inherent human need, too important to leave in the hands of state elites, who are themselves following ornate information-control rules written by other elites — rules, by the way, that never work. (Robert Heinlein said “‘privacy laws’ only make the bugs smaller.”)”

Going back and reading Schneier’s piece again, it does seem like he’s arguing a similar point from a different direction – they’re both opposed to top-heavy hierarchies of control. It would be great if Wired could arrange some sort of formal public debate between Schneier and Brin – the topic has never been more relevant, after all, and as Cory Doctorow points out, talking about these issues is the best way to ensure things don’t get any worse. [image by David de Groot]