Thursday, January 27, 2011

More on Stuxnet

In an earlier post, I wrote about the theory that Stuxnet was created and deployed by the U.S. and Israel. I deplored the deed because it also unleashed a powerful and - to my knowledge - unprecedented form of malicious software that will certainly be copied and re-used for all sorts of mischief.

The January 26, 2010, edition of the New York Times includes two op-ed pieces on Stuxnet. In "25 Years of Vandalism," William Gibson (author of Neuromancer and coiner of the word "cyberspace") traces the history of hacking to 1986. He also claims that it is less likely that Stuxnet is "a cyberweapon purpose-built by one state actor to strategically interfere with the business of another" than "a piece of hobbyist 'street' technology." If he's right, this is probably even worse news than I thought. It seems likely that hobbyist crackers - who are probably more numerous and even less discerning than governments - can adapt each other's code more readily than the kind of sophisticated worm Stuxnet has been described as elsewhere.

Indeed, the other op-ed, "From Bullets to Megabytes" by Richard A. Falkenrath, former "deputy homeland security adviser to President George W. Bush," describes Stuxnet as a "sophisticated half-megabyte of computer code." Falkenrath's analysis of the fallout from Stuxnet is also more sophisticated than mine, touching on the likely effect on relationships between governments and the global information technology industry as well as raising questions about the legality of the authorization of the use of such malware by the U.S. President.

It's a scary place out there.

Ken Pimple, PAIT Project Director

1 comment:

Colin Allen said...

Interesting, thanks! The banality of hacking. I worked in a computer lab once where a student co-worker and I had a kind of digital arms race where we each tried to get around the security on each other's accounts -- password cracking programs, Trojan horses, etc. Turned out that early versions of Novell NetWare were laughably full of security holes. We learned a lot, but we never thought about taking what we had learned to all the corporate sites that were running NetWare. I guess it's nevertheless a case of play emulating battle.