I'm so confused about Stuxnet--some people were saying it was among the most brilliant viruses ever, (from memory) using several 0-day exploits and doing things like recording normal activity to play back to machine operators while it did its damage. That alone sounds pretty impressive to me. Then on the other hand I've seen a few articles in the past few days calling it "nothing special after all." Which is it?
Whatever people say about the theoretically optimal nature of the virus, the fact is that it's practically the only example we have of governmental-level sabotage through black-hat arts.
This is direct action. It isn't script kiddies, it isn't Anonymous, it isn't a random 1337_h4xr pulling off some minor corporate sting. It's the real deal, it's programmers putting their lifeblood into an endeavor that changed the fate of nations.
So whatever flaws that happened to exist don't change the inherent absolute confidence of the maneuver, nor does it change the precision you praise in your post.
But it also means that it can't be perfect. Anything that's so grounded in reality will not be perfect. That's the rules of playing the big games--you can't please everyone, you can't perform to the theoretical maximum that the weak articles that call it "nothing special after all" espouse.
Because that theoretical maximum was out of the reach of Stuxnet's writers from the beginning, and they fucking dealt with it. People writing articles now have had nothing to do with crippling Iran's nuclear capability, if even for a moment, and the hogwash in the blogosphere that exists is so much shallow posturing.
He does not exactly make a cogent argument. Paraphrasing part of it, "Stuxnet was made in China because Realtek and JMicron are Taiwanese, which is basically China."
Its array of attacks is quite impressive; its attempts at hiding itself, much less so. As Nate Lawson points out (http://rdist.root.org/2011/01/17/stuxnet-is-embarrassing-not...), more advanced techniques for hiding the payload are known. (E.g. instead of storing PAYLOAD, store AES(key, checksum(PAYLOAD) || PAYLOAD), where key is dependent on the hardware - an analyst would then have to brute-force the key, at least. Bonus points for making the calculation of key expensive, etc.)
It's been called many things. Security people have self-esteem problems, so if they see something being praised, they start convulsing at the sight of this injustice and must immediately blog about it and argue on forums.
As someone who has actually read the code, my opinion is that yes it was special, but not because it was brilliant. It took a lot of resources, and although there was clearly a relatively high degree of skill involved for at least parts of it (finding 0days), there were not really any new techniques. So, I personally find it impressive because of the sheer amount of work that went into it.
I think it is more the principle of it that is noteworthy - if someone tried to make a movie plot about that a few years ago, we would have scoffed.
The reason that it was obviously a nation-state is because the number of people that worked on it, the amount of time they spent on it, and what the group would stand to gain (nothing), would not have been funded by any other entity. I won't go so far as to say it would be impossible to do by someone else, but that is improbable and really would not make much sense at all. Combine that with various external clues, and it is really obvious.
The complaining is simply that the authors did not hide the payload. Consensus seems to be that it would have bought them an additional few months. However, the virus worked and hiding the payload would have added to its complexity. So, kudos to its authors.
Huh? What consensus are you talking about? The techniques Nate brought up --- techniques that are in a book that (while good) you can buy at Barnes and Noble --- would have made brute-force recovery of the payload infeasible; within reach only of organizations that had a full "stack" of "centrifuge"† equipment in the Natanz† configuration, and certainly out of Symantec's reach.
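The two comments above argue about what an analyst is up against when a payload is stored as AES(key, checksum(PAYLOAD) || PAYLOAD) with a hardware-dependent key. The following Go program is an added illustration written for this page; it is not code from Nate Lawson's post, from the thread, or from Stuxnet. It makes the analyst's side concrete: the only way to tell that a guessed key is right is that the embedded checksum verifies, so recovery means enumerating candidate environment fingerprints, and every extra key-derivation iteration ("making the calculation of key expensive") multiplies the cost of each guess. All names (deriveKey, seal, tryKey, recoverPayload), the fingerprint strings, the IV and the payload bytes are constructed for the example; AES-CTR is used deliberately because it is unauthenticated, which leaves the checksum as the sole key-guess oracle, and iterated SHA-256 stands in for whatever expensive derivation an author might choose.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// checksumLen is the size of the checksum stored in front of the payload.
const checksumLen = sha256.Size

// deriveKey maps an environment fingerprint (a constructed string standing in
// for hardware-specific values) to an AES-256 key. cost is the number of
// SHA-256 iterations; each iteration multiplies an analyst's per-guess work.
func deriveKey(fingerprint string, cost int) []byte {
	sum := sha256.Sum256([]byte(fingerprint))
	for i := 1; i < cost; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// seal produces AES-CTR(key, iv, checksum(payload) || payload). It exists only
// to build the fixture the analyst-side functions below operate on.
func seal(key, iv, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(payload)
	plain := append(sum[:], payload...)
	out := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(out, plain)
	return out, nil
}

// tryKey decrypts blob under key and returns the payload only if the embedded
// checksum matches the decrypted bytes. This check is the analyst's oracle: a
// wrong key yields random bytes whose checksum will not verify.
func tryKey(key, iv, blob []byte) ([]byte, bool) {
	if len(blob) < checksumLen {
		return nil, false
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, false
	}
	plain := make([]byte, len(blob))
	cipher.NewCTR(block, iv).XORKeyStream(plain, blob)
	want := plain[:checksumLen]
	payload := plain[checksumLen:]
	got := sha256.Sum256(payload)
	if !bytes.Equal(want, got[:]) {
		return nil, false
	}
	return payload, true
}

// recoverPayload walks a list of candidate fingerprints, derives each key and
// tests it against the blob. It returns the payload, the number of key
// derivations spent (each costing `cost` hash iterations), and whether any
// candidate succeeded. With no plausible candidate list the search is the full
// fingerprint space, which is the point made in the thread.
func recoverPayload(blob, iv []byte, candidates []string, cost int) ([]byte, int, bool) {
	tries := 0
	for _, c := range candidates {
		tries++
		if p, ok := tryKey(deriveKey(c, cost), iv, blob); ok {
			return p, tries, true
		}
	}
	return nil, tries, false
}

func main() {
	// Constructed fixture: a fake fingerprint, a fixed 16-byte IV (fixed only
	// so the run is reproducible; the key is used for one blob) and a stand-in
	// payload.
	const realFingerprint = "vendor=EXAMPLE;model=PLC-7;fw=2.1"
	const cost = 1000
	iv := []byte("constructed-iv16")
	payload := []byte("stand-in payload bytes")
	blob, err := seal(deriveKey(realFingerprint, cost), iv, payload)
	if err != nil {
		panic(err)
	}
	// The analyst's guess list: two wrong environments, then the right one.
	candidates := []string{
		"vendor=EXAMPLE;model=PLC-1;fw=1.0",
		"vendor=EXAMPLE;model=PLC-7;fw=1.9",
		realFingerprint,
	}
	p, tries, ok := recoverPayload(blob, iv, candidates, cost)
	fmt.Printf("recovered=%v tries=%d hash-iterations=%d payload=%q\n",
		ok, tries, tries*cost, p)
}
```

The usage inside main recovers the payload on the third guess, having spent 3 × 1000 hash iterations; the work an analyst must budget is (number of plausible fingerprints) × cost, which is why a key tied to an unusual equipment configuration, combined with an expensive derivation, pushes recovery out of reach for anyone who cannot enumerate that configuration.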