The Stuxnet Story

Paul Raven @ 12-07-2011

In case you’ve not seen it already, Wired has a marvellous long-form piece about the discovery and analysis of the Stuxnet worm; well worth a look, whether you’re interested in the procedural side of malware analysis or just the storyable shape of a modern technothriller mystery-hook. Go read.

If that looks a bit TL;DR for you, there’s always the infographic video.


Hacker’s report says cyberwar fears misdirected

Paul Raven @ 18-01-2011

Not that I expect governments and military bureaucracies to change course in response to sensible thinking from qualified experts, the guy who penned (or rather keyed) The Hacker’s Handbook back in the day has co-authored a report that suggests the recently fashionable wing-flapping over “cyberwar” is counterproductive:

Published today, Reducing Systemic Cybersecurity Risk says that a true cyberwar would have the destructive effects of conventional war but be fought exclusively in cyberspace – and as such is a “highly unlikely” occurrence.

[…]

Controversially, the OECD advises nations against adopting the Pentagon’s idea of setting up a military division – as it has under the auspices of the US air force’s Space Command – to fight cyber-security threats. While vested interests may want to see taxpayers’ money spent on such ventures, says Sommer, the military can only defend its own networks, not the private-sector critical networks we all depend on for gas, water, electricity and banking.

Co-authored with computer scientist Ian Brown of the Oxford Internet Institute, UK, the report says online attacks are unlikely ever to have global significance on the scale of, say, a disease pandemic or a run on the banks. But they say “localised misery and loss” could be caused by a successful attack on the internet’s routing structure, which governments must ensure are defended with investment in cyber-security training.

Personally, I think the Pentagon’s bluster and chest-thumping over “cyberwar” is thrown into an interesting light by the increasingly inescapable conclusion that they played a large part in commissioning the Stuxnet worm; as Chairman Bruce puts it, “what’s worse, strategically: Stuxnet, or proliferating Iranian nuclear weapons? How about a world where you’ve got proliferating Stuxnets AND proliferating Iranian nuclear weapons?”

Pandora’s box strikes again; code is far easier and cheaper to reverse engineer than a nuke, and requires no expensive and/or dangerous physical contraband. Beware of starting a knife-fight in a downtown full of ninjas.


Stuxnet almost certainly meant to hobble Iranian uranium

Paul Raven @ 17-11-2010

Remember all the hypothesising about what the Stuxnet worm was supposed to do, and who had designed it for such? Well, the expert verdicts are in, and it appears Stuxnet was designed to very subtly sabotage uranium centrifuges by varying their rotation speeds in a way that, while hard to notice for humans, would effectively negate the enrichment process they are designed to perform.

So Iran’s Bushehr plant was almost certainly the target (or one target among many); and while we don’t have (and may never have) any substantive proof as to exactly who decided that they wanted to spoke Ahmedinejad’s nuclear wheels on the sly, I think we all know how the odds would fall if you were to pop down to your local bookmakers*.

Regardless of who did it, Stuxnet represents the opening of a particularly well-stocked Pandora’s box: highly-specific sabotage targetting of embedded (and potentially critical)  industrial systems. As Bruce Sterling points out, anyone who hadn’t thought of it before has certainly thought of it now. All the recent hyperbole describing the antics of patriotic  DDoS skript-kiddiez as “cyberwar” is gonna look pretty facile when stuff like Stuxnet becomes commonplace… which, with the benefit of hindsight, may have been the entire point all along.

[ * I’ll take a £5 spread on the US and Israel, please. ]


Swapping the Senate for Reddit, and other daft ideas about digital democracy

Paul Raven @ 25-02-2010

Pool's closed (due to extropianism)For the sake of change-around, I’m gonna let someone else propose the wild idea this time. So, how’s about you US citizens swap your Senate for something like Reddit.com? [image adapted from a photo by cliff1066™]

Let’s abolish the Senate! Replace it with something truly new and egalitarian, a system that gives us thrilling optimism and empowerment, something far more representative than the so-called “House of Representatives” […] My proposal is to replace the moldering Senate with an electronic plebiscite system, i.e., something like Reddit.com.

Here’s how it works.

  1. Everyone who reaches voting age gets a log-in ID and a password.
  2. All bills advanced by the House of Representatives are posted on “reddit.com” for approval.
  3. Upvote or Downvote, voters get two weeks to cast their ballots and to state their opinions in comments as lengthy and as often as desired.
  4. The millions of comments are categorized in an efficient way so that the curious public can read all existing viewpoints. They are, in turn, also upvoted and downvoted as people find them more or less relevant.
  5. At the end of two weeks, all proposals that have received 60% (or another agreed-upon number) approval are enacted into law.

That would be just the start, apparently… :-s

Look, I’m a proponent of the idea of digitising democracy, but Reddit itself is a great example of why it wouldn’t work for major policies at a national scale. The tyranny of the minority, a banal hegemony of kneejerk special-interests NIMBYism and me-too-gimme-gimme… not entirely unlike a lot of the Western world as it already stands, in other words, albeit with more cat videos (which would admittedly be something of an improvement).

But if you can’t see how easily that sort of plebiscite framework could be gamed (let alone hacked)… well, you were a bit bold naming your website “Extropism”, let’s put it that way. Rhizomatic digital democracy could work, sure, but only in small numbers over small areas. You wanna go national with plebiscite, you need to think again, especially in a territory as large as the US – and you’re going to have to think about representatives in some shape or form, because there’s too much law and too little time for us everyday Josephines to deal with it at the same time as holding down a job. Now, if you want to talk about ways of building a representation system with total transparency and full-duplex discussion between the people and the rep, though, that’s another argument entirely…

That said, it’s hard not to be sucked in by the illusion of participation that the internet already offers – I’ve signed more petitions in the last two years than I have in my entire life, just because it’s so damned easy to do online. But things easily done are easily ignored, and that nice warm glow you get afterwards is the glow of complacency. You may not believe me, but the big charities and campaign groups are certainly waking up to it:

“… underlying slacktivism isn’t enough — you can’t just turn your profile green. If you show support you are lazy? No. But there has to be a number of people taking actions in the real world, too.” Anderson said.

It is this growing trend to show support via an online campaign that is threatening human rights movements across the globe, and the panel quickly picked up on the drawbacks of the internet in promoting false activism.

“I coined the phrase ‘mousy solidarity’ to explain how easy it is to click on a petition. We feel like we can participate.” said Professor Sreberny.

What was made clear from the event was that both sides — activists and regimes — can see the potential for technology to promote their cause. But it was the words of a press spokesman for hosts Amnesty International that really struck home, underlining the need to continue to fight across several platforms, rather than relying on new trends to promote the cause.

Speaking of supporting political protest against corrupt regimes, everyone seems a little stuck on this whole Iran business. Why don’t we just bombard Iran… with satellite internet signal!

This would be an invaluable help for a movement that the government can currently easily hinder with telecommunication cuts in the wake of large demonstrations. Most importantly, and from a US policy perspective, it would empower Iranians without committing troops or confronting the Iranian regime directly, solving the dilemma of American non-interference.

(Ah, non-interference is a dilemma, now? Is that another word for “knowing that there’s no legal way to pull it off, and remembering how badly it worked out last time?”)

Complications might, of course, arise. The Iranian government can crack down on the use of satellite dishes, as it has consistently done in the past, or attempt to jam the signal. The whole project might prove costly, perhaps cost more than the Voice Act’s $20m budget. But is a cyber war with Tehran’s regime not a more palatable route than the other “options” that remain relentlessly on the table?

Um. This chap somewhat misses the point of cyberwar – namely that the people opposing you on the web don’t necessarily have to be based in the country you’re trying to face down, or even care much about it beyond some vague and naive notion of religio-cultural brotherhood – but the idea itself isn’t entirely crazy.

In fact, if I wanted to destabilise a totalitarian regime with a censorship fixation, giving its people open internet access is one of the first things I’d want to be able to do… which leads me to suspect that toppling the Iranian regime probably isn’t as big a priority for the governments of the West as they might like us to think.

But maybe it would be, if we all just popped over to Reddit and clicked “upvote” enough times through multiple different proxy servers…


Hackers of the future – the Pentagon is hiring!

Paul Raven @ 26-05-2009

hackerWell, maybe John Robb was wrong about the Pentagon… because here they are, announcing a recruitment contest for young hackers with the intention of turning them into military cybersecurity professionals.

The competitions, as planned, go far beyond mere academics. The Air Force will run a so-called Cyber Patriot competition focused on network defense, fending off a “Red Team” of hackers attempting to steal data from the participants’ systems. The Department of Defense’s Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources.

The security-focused SANS Institute, an independent organization, plans to organize what may be the most controversial of the three contests: the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data.

All that stuff that the Chinese aren’t supposed to be able to do to US systems, in other words. The brass are worried that China’s got the jump on them as far as young hacker talent is concerned:

China, for its part, may be well ahead of the U.S. in cybersecurity education and recruiting, Paller argues. In a hearing before the Senate’s Homeland Security last month, Paller told the story of Tan Dailin, a graduate student in China’s Sichuan province who in 2005 won several government-sponsored hacking competitions and the next year was caught intruding on U.S. Department of Defense networks, siphoning thousands of unclassified documents to servers in China. “China’s People’s Liberation Army is running these competitions all the time, aiming their recruits at the U.S.,” Paller says. “Shouldn’t we be looking for our best talent the way other countries are?”

But a parallel track of domestic cyber training raises the specter of U.S. government-trained hackers not only stealing data from foreign enemies–a diplomatically thorny prospect in itself–but also hacking other targets for fun or profit, and potentially becoming a rogue collection of skilled cybercriminals. “There probably could be a couple people we train that go to the dark side,” admits Jim Christy, director of the Department of Defense’s Cyber Crime Center. “But we’ll catch them and send a message. The good guys will outweigh the bad.”

You’ll catch the ones who aren’t so good at covering their tracks, perhaps. Still, I wonder if the same motivations will express. As mentioned before, China’s hackers are allegedly self-trained and motivated by their own patriotism; will the same apply to the geek demographic in the US, or will the young console cowboys see more opportunity (or less risk) in the civilian sphere? [via SlashDot; image by ioerror]


Next Page »