06.01.12
Cat out of bag — watch out for fleas
Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the [Stuxnet] cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that.
From the New York Times. Google.
I’ve emphasized this is a good thing. Vigorous anti-virus company competition in the global industry makes finding and neutralizing state-designed viruses a business asset. So the social good on the Internet is served by messing up, terminating or exposing various aspects of cyberwar operations.
So making the paranoid mullahs more paranoid is good, eh?
In the Nineties I set out in my book Virus Creation Labs to tell some of the story of the anti-virus industry. As part of the job, its programmers were keen to discover the identity of various virus-writers and they became good at it. Now they have hard news that the US government, one of their clients, has been writing computer viruses they have to treat.
Finding some of the virus writers was easy work. The original hackers who wrote them often revealed themselves, anyway. They liked to brag about it. There was no thrill in the activity if people who knew about viruses didn’t know they were yours. Since there was no money in it back then it’s easy to grasp the motivation.
Sometimes it took more analysis of code on the part of the industry to narrow it down to one individual, perhaps unnamed but recognized as the writer.
With the US government now exposed as involved in virus-writing there are different pullers at work in exposing the perpetrators of the operation.
A company may depend a great deal on government contracts. So what to do, what to do, when malware inevitably crawls into non-target computers in non-designated-enemy nations and your analysts and coders have a good idea of who’s behind it?
You develop an antidote and distribute it to everyone. But do you spill the beans? You have a conflict of interest, moral and ethical hazard.
Doing the right thing might cost business.
Or if you’re a security company not in the US does it matter at all? You know who’s behind the attacks and you have a nice story to tell based on your pulling apart viruses. Lots of people might want to hear it.
Be the whistleblower.
Virus-writers, professional or amateur, criminal or state-operated, don’t operate in a vacuum. No matter how classified or expert they think they are, they make mistakes. The code is never perfect. As the complexity of an operation rises so does the potential for error.
Do the state’s virus writers go to anti-virus conventions? Do they chat it up with the industry as virus-writers from many, many years ago did?
The anti-virus industry knows. Perhaps some have held their tongues even though they don’t wish to.
Is American virus-writing outsourced, in part or in toto, to arms developers or other small businesses doubling as cybersecurity vendors?
Questions, questions.
When I wrote Virus Creation Labs there was always a small but hard-headed segment of people in information technology (and the computer savvy public) who believed anti-virus companies wrote viruses to help their businesses.
There was never any evidence of it. In fact, it was a ludicrous idea as there was never a shortage in virus writing and distribution.
In the late Eighties a small operation of the US Army made an offer looking for virus-writers. It was met with opprobrium in the a-v industry as well as general computer security circles. Nothing appeared to come of it although the publisher of my book claimed he had worked for a US military operation in NATO on the production of viruses. (He wrote many viruses for all his books on the subject, too.)
There is much more money in virus-writing now. And there is no reason to believe the national security companies, particularly those with government contracts in defending against cyberwar, don’t also want to be in the offensive side of the business.
They do.
They would love to write malware for Uncle Sam for taxpayer moolah.
Some would view it as fun, too, just like the old timey amateur virus-writers.
And the opportunity for early sales pitching is there. The cyberwar hype machine has been operating for so long the pump is primed in national leaders who don’t delve very deeply into these things. Many believe all the wild claims about cyberwar. If someone offers them malware options in attacking an enemy they will take it. And now it is known they have done so.
So when your secret war using malware is no longer secret, what is to be done? Is malware just like lobbing tear gas rounds or random cluster bombs with made in some company in the USA clearly embossed on some of the parts, only much less violent and directly hazardous to civilians?
If political leaders openly speak about how cyberwar threats can put lives at risk in the US what’s the difference when we’re caught doing it to someone else? Shouldn’t the president appear to be more thoughtful in such affairs rather than someone giving the OK to fuck up trust on the Internet even more for the sake of going after a pariah country? Do you think it might have been better if someone not in government or the military or intelligence had explained to him how computer viruses work?
Will the worldwide computer security industry work to expose and defeat, say, US cyberwar operations even more vigorously just as it pursues botnets and the work of cybercriminals? Will they now begin to spill the beans when the trail leads right back to a western government office?
Will they let us know when they have suspicions that some employees who’ve either worked for them or become ‘friends’ appear to have advanced the next step of their career in state-sponsored virus-writing?
Will diminishing returns now be a part of state-sponsored virus-writing? That is, is the US government’s virus-writing operation impeded now that the cat’s out of the bag and everyone knows it’s doing it?
Or do people not care? Just another day of bad business as usual on the Internet. And so what if it was against Iran? They had it coming and it’s better than bombing.
And we always trust our guys, anyway. Not a chance of a reliability problem or a crazy Bruce Ivins among ’em.
Just don’t be in the wrong country or line of work. And if it splattered onto you in … Hungary? Well, ha-ha, oops! Sorry ’bout that. Couldn’t be helped. Contact the American consulate.
Chuck said,
June 1, 2012 at 12:58 pm
A great post, George–thanks!
Perhaps big Pharma could take a cue from these guys–manufacture next winter’s flu virus and the vaccine at the same time.
Good times.
Amerikagulag said,
June 1, 2012 at 1:43 pm
Yes, great article. And good observation by Chuck about Big Pharma too.
Regarding the STUXNET virus, we should never forget that the Stuxnet was created jointly by the US and Israel to deliberately target Iran. Unfortunately for Japan, the Stuxnet ended up in the Fukushima computer system in October just before the earthquake and resulting tsunami the following March. The failures at Fukushima mirrored what Stuxnet was designed to cause. It is quite possible that the US and Israel were responsible for the Fukushima catastrophe. That would explain why the mainstream is noticeably SILENT on this, the BIGGEST nuclear disaster in mankind’s current history. It dwarfs Chernobyl by several orders of magnitude. But we’re hearing nothing about it.
With governments as with religions, we get the form we deserve if we refuse to do anything about it.