My impression at the time was that the code was developed by separate teams who did not necessarily know what they were working on, and then integrated by someone cleared for at least part of the real operation. I speculated that the people responsible for deploying it would have been in the tactical area of a humint agency that was more indexed on direct outcomes than on using techniques any more sophisticated than were strictly necessary to accomplish their specific objective, as why risk or waste the advantage of shipping something with additional tradecraft baked into it?
I remember thinking they could have at least used hashes of registry entries to detect the modules they were looking for if they wanted to protect the identity of target, but then again, the processor load of the hashing operations would have been a significant IoC. Stuxnet was a straight tactical hack to solve a specific problem, which was to delay that nuclear program. It was not just a threat or demonstration of capability to serve as a deterrent.
An example of a demonstration of capability was the Silk Road arrest, where the FBI mainly used it as a signal to create uncertainty about the absolute security of Tor hidden services, so that people understood they did not have impunity. They didn't break Tor, but they showed Tor wouldn't protect you if they wanted you. Stuxnet wasn't about demonstrating that they could get at you; it was to delay the nuclear program to give time to negotiations and potential outcomes other than Iran achieving a weapons program.
What we call 'cyber' now is in support of variously tactical and strategic objectives, and while the criticisms of the code are valid, it's worth evaluating the tools in that higher level more abstract context as well.
As far as I recall from Kim Zetter’s book Countdown to Zero Day, the development work was indeed likely split into several individual sections: the actual payload targeting specific models of programmable controllers was made with extreme care and attention, and the worm portion didn’t need to be.
So to offer an imperfect analogy, the author of this article is addressing how lame Google’s UI is, discounting the algorithm underpinning the search engine.
(I actually wouldn’t recommend Zetter’s book. It’s fairly dull, with several chapters enumerating every software failure of U.S. critical infrastructure she found during research. For once, the movie was better.)
That part of the book stuck with me because she said the NSA (and friends?) gave the most important tasks to the A team and the rest to the B team just like a software company would. Ever since I’ve been conscious about what “team” I am assigned to at my own private sector job.
I didn’t know there was a movie, but I found the book mostly boring too. She dived deep(ish) technically in three areas: malware, nuclear centrifuges, and policy.
Who exactly is that for? I enjoyed the long description of the program itself but I doubt most non-tech people would. The scientific background on centrifuges was painfully dry to me. By far the best part of the book was the human interest stories about the security researchers who found and reverse-engineered Stuxnet.
"Who exactly is that for?" is the fitting question separating an average from a good writer.
Average writers often deliver "look how much work I did", resulting in a lot of unnecessary filler and boredom. Good writers contemplate who they are writing for and edit accordingly. As a reader I appreciate it when my time is respected. Of course YMMV, so it's not an easy problem to solve as a writer.
The charitable interpretation is that she wanted to write “The Book” on Stuxnet. But it seems like a weird thing for a journalist to attempt. It’s like if Carreyrou spent 100 pages describing micro-fluid physics in Bad Blood.
Yeah, the A-team/B-team split is how I remember it, and it definitely made sense for this particular project (and other projects most of us are involved with on a daily basis).
Alex Gibney did the adaptation, and while it’s necessarily far more superficial than the book, it’s much more engaging. It’s also nice to put faces to some of the names.