
The blog author Nate Lawson [0] runs a small cybersecurity consulting company [1].

It’s not surprising that a small independent consultant would bikeshed over trivial imperfections in something like Stuxnet while ignoring the much bigger picture of the operation. I bet the vast majority of security holes he finds in his line of work are relatively minor exploits (e.g. poor key handling, unpatched software, etc.) that would be devastating to his small business client if exploited but totally irrelevant to an operation like Stuxnet. It is akin to a custom gunsmith criticizing an ICBM for its ugly paint job.

As Pauli would say, Lawson’s argument is not only not right, it is not even wrong.

[0] https://www.linkedin.com/in/natelawson

[1] http://www.rootlabs.com/ (yes, his own site ironically is not HTTPS)




It is also a concern when developing these "weapons" that after using them, they could potentially be reverse engineered. In that context a successful payload that appears poorly constructed could be intentional.

Either way, for the mission goals it was a success.


When you're on the defense side (I am) you often read a lot of research and watch conference talks about cutting-edge stuff. It makes you wonder - why don't attackers do these things?

I actually asked a criminal I was in contact with once why he didn't attempt to perform an attack a certain way that I thought would be very lucrative and significant. His answer was that there was no point, he made thousands of dollars a month with very little effort, and he was more interested in refining his existing work through improved C2 communications as opposed to what I had been suggesting (academically, I never supported that work).

The title's a bit clickbaity too of course. The end is more reasoned:

> However, I think the final explanation is most likely. Whoever developed the code was probably in a hurry and decided using more advanced hiding techniques wasn’t worth the development/testing cost.

Yes, naturally that is exactly what happened. There is no question at all that the NSA has people capable of doing more advanced work, they just really don't have to.

https://www.youtube.com/watch?v=bDJb8WOJYdA

Rob Joyce gives a great talk about his work on TAO. The short version is that TAO doesn't have to do anything crazy, they just have to know who their target is and spend the time figuring out the environment they'll be working in - then they meet the bar that's beyond what that environment is capable of handling.

Homomorphic encryption is gonna be pretty overkill. Then again, the NSA also leveraged the first publicly known attack that used an MD5 collision, which probably cost quite a bit of money, so they can flex when they decide it's worth it.


> It’s not surprising that a small independent consultant

He also co-developed the content protection system for Blu-ray and was a FreeBSD committer.

Judge the words, not the person.



