What we know and what we assume: Schneier on Stuxnet

Paul Raven @ 08-10-2010

Bruce Schneier has a good round-up of the hard facts about the Stuxnet worm (as mentioned previously), as well as an examination of how those hard facts – combined with a few very speculative conspiracy-theory-grade interpretations of some of the more cryptic and tiny facts – have led to the current state of the story in mainstream (i.e. non-techie) media, namely “it was probably an Israeli job”.

Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory “highly speculative,” and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates–India, Indonesia, and Pakistan–are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Once a theory takes hold, though, it’s easy to find more evidence. The word “myrtus” appears in the worm: an artifact that the compiler left, possibly by accident. That’s the myrtle plant. Of course, that doesn’t mean that druids wrote Stuxnet. According to the story, it refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. “Hadassah” means “myrtle” in Hebrew.

Stuxnet also sets a registry value of “19790509” to alert new copies of Stuxnet that the computer has already been infected. It’s rather obviously a date, but instead of looking at the gazillion things–large and small–that happened on that date, the story insists it refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.

Sure, these markers could point to Israel as the author. On the other hand, Stuxnet’s authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it’s impossible to know when to stop.

Are those mysterious little comments in the code the flourished signatures of master cyberwar artistes? Or a frame-job packed with credible deniability? Or an elaborate double (or triple) bluff? Truth of the matter is, we’re all just guessing. They say that life sometimes imitates art; this is a case of life imitating The Illuminatus! Trilogy, only without so many puns or sex scenes. We all have a story we want to map on to the world, and it only takes a few pins to tack it down in a way that seems to explain everything…

[ * For the record, my instinct tells me – with admittedly very little professional knowledge to back it up – that Stuxnet stinks of nation-state vs. nation-state, and I get the impression Schneier thinks so too. His point is about how we treat speculative interpretations as givens when they match up with the way we already think things work… confirmation bias, in other words. ]