01.17.11

The Exciting Story of Stuxnet and Received Wisdoms

Posted in Crazy Weapons, Cyberterrorism at 11:22 am by George Smith

By now you have heard of or read the exciting story of Stuxnet as a joint Israeli-US cyberweapon. The first of its kind, setting back Iran’s nuclear program for years. Ushering in a new age of cyberwar, it demonstrates the application of the neatest high-tech braininess in malware creation. And so on.

The new ages of cyberwar have been coming for a while — well over a decade. But they never arrive. Or they have in various ways, just not quite as billed and conflict remains pretty much as always. That is, one needs to make a computer program physically damaging.

Which is where Stuxnet has fit the bill.

Briefly, the received wisdoms, collected by the Times for a cracking good read, describe Stuxnet as actually causing Iran’s uranium centrifuges to tear themselves apart. That is, by taking over the controlling software and forcing an unbalanced operation while reporting that all was OK at the front desk.

The fly in the ointment, and apparently one weak link in Iran’s nuclear program, is the centrifuge in question, called the P-1, sold to Iran by Pakistan.

It’s a crap piece of highly-engineered kit required to work reliably under a great deal of physical stress. However, one doesn’t read this in the NY Times piece until we’re almost at the end of the story.

Reports the Times:

But the United States and its allies ran into the same problem the Iranians have grappled with: the P-1 is a balky, badly designed machine. When the Tennessee laboratory shipped some of its P-1’s to England, in hopes of working with the British on a program of general P-1 testing, they stumbled, according to nuclear experts.

“They failed hopelessly,” one recalled, saying that the machines proved too crude and temperamental to spin properly.

The New York Times article reports as elegantly and with the same inarguable finality one might see or read from Alex Jones and his many exposes on conspiracy and international doings.

Weaving together the lore on Stuxnet, which has been building for months, it employs anonymous intelligence from unnamed sources. It tells of a plan — a collaboration of Israel and the US, to install their own P-1 centrifuge cascades so as to study the shortcomings of the Iranian production facilities. And eventually glomming onto the idea, a little serendipitously, that controller software could be subverted in an attack on them.

At which point, work went forward to put Stuxnet together and test it on an Israeli P-1 centrifuge cascade secretly installed at Dimona.

Now, here’s the thing: A named expert on Israel’s nuclear program told the Times that “Israel succeeded — with great difficulty — in mastering the [P-1] centrifuge technology.”

So, reiterating, the P-1 is a crap centrifuge which needs a lot of work to sustain. It has a good failure rate all by itself. The United States could not make them work. But the Israelis, after a great deal of effort, did.

According to the New York Times story, the Iranians have had a great deal of P-1 centrifuge failure. Which might be expected after reading the material on the nature of the machine.

Circumstantially, the New York Times story, in sources and tone, attributes virtually all of it to Stuxnet.

Maybe it’s absolutely true. Or maybe only partially so. And perhaps the P-1 centrifuges have bedeviled the Iranian bomb program all along because they are rubbish, with or without state-operated malware added.

If some Iranian nuclear scientists could be persuaded to send material to WikiLeaks …

For current purposes it’s good to look at the story from the perspective that, as time goes on, it will grow in stature and mythic proportion. It will be cited time after time in every news story and paper on cyberwar ever written. And because of this it will have a continuing effect on secret military policy on the development of more malware cyberweapons, which will always be green-lighted, no matter how bad the ideas are.

I’ve argued before that there’s no deterrent to nations like the US or Israel tossing a cyberweapon at the world network. In this case, all the justifications are about stopping the Iran bomb program. But the art of virus-writing, even from its crudest days when done by kids, has always been loaded with justifications.

Ours will just be better. Or if not better just more secret and impossible to influence. Trust us. We’re responsible. And never bad international neighbors. Bad ideas with consequences unforeseen down the road never go to our heads.

If one believes all of the New York Times story there is also some good news in it. And it’s not necessarily the part about knocking out 1,000 centrifuges.

It’s that the development of Stuxnet, as reported, is beyond the capabilities of those who routinely write worms for criminal purposes. That coterie doesn’t have the resources to build something like a mock centrifuge facility and then test things on it.

However, the history of malware distribution shows that whatever gets put on the world network gets to contribute its various bits and pieces to everyone else writing bad stuff.

01.07.11

They do things different in Estonia

Posted in Cyberterrorism at 11:16 am by George Smith

I was recently asked what I thought of a “volunteer cyber-army.”

This was in connection with some news that Estonia was instituting one.

All from a National Public Radio story here.

Sez NPR:

In the years since [a] cyberassault, Estonia has distinguished itself once again: Now it is a model for how a country might defend itself during a cyberwar. The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function under a unified military command.

Haw. Indeed. It’s the Watchmen.

The nature of computer security, nationally and globally, is distributed.

Consortia of private sector workers, government people and academics administer it. Sometimes there’s collaboration. Sometimes not.

Over the years — in the US and other western nations — government agencies, some working cooperatively, some not so much, have stood up to handle cybersecurity.

In this they have been infrequently joined, often informally in one way or another, by various entities within the computer security industry, although such cooperation has been hit or miss.

All that work is paid for, not volunteer. Although the people involved often do work beyond the call of duty which goes with the very spirit of volunteer-ism.

Frequently the same business looks like herding cats. You can’t change the nature of it. It’s the way people work and goes to the heart, for example, of the differences between hacker culture, the private sector, and government. The milieus vary. That’s immutable.

There are many other factors not addressed. Only two are, (1), that the US government doesn’t control domestic or international ISPs. And, (2), that it has, from time to time, specifically developed national cybersecurity strategies with the direct involvement of the private sector computer security industry.

So the idea that Estonia is doing something unique, in this matter, is fairly laughable.

There’s nothing at all wrong with the idea of collaborative security work between experts. It’s certainly not new.

Where one gets into trouble — and how the question was presented to me — was in the idea of employing a presumably patriotic volunteer cyber-army.

You can find any number of stories referencing patriotic Chinese hackers, for instance.

Here in the US the gentle interpretation of such is that they are nuisances.

And the basis for this Estonia story was an alleged volunteer cyberarmy attack on that country — one which has been cited ad nauseam over the years.

So any volunteer cyberarmy, depending upon where you stand internationally — because of the dynamic of general security hackers — can either be a random menace or a good thing.

I put it this way for a publication called Security News Daily:

“A volunteer cyber-army is about the worst idea one can think up,” said George Smith, senior fellow with GlobalSecurity.org.

“History shows us that ‘volunteer cyber-warriors’ — garden variety hackers — are always around. A volunteer cyber-army attacked WikiLeaks. Volunteer cyber-armies retaliated against various U.S. businesses … You see the problems. You’re just legitimizing and green-flagging often random cyberspace vandalism and bullying in the hopes that it will work out in your favor. That’s atrocious. And really stupid.”

For NPR, the opinion differed.

The reporter found someone to proselytize the idea, Stewart Baker — a lawyer at Steptoe & Johnson.

And he’s pretty shallow on the issue, just repeating the same wishful thinking crap we’ve heard for close to two decades about computer security and how the private sector industry and government ought to have tighter collaboration.

Presumably like Estonia’s grand new volunteer cyber-army.

“That’s a very sensible approach, and I only wish we had the same kind of relationship with our [Information Technology] sector that they obviously have with theirs,” he told NPR.

“When top cybersecurity experts are willing if necessary to put themselves under a single paramilitary command, a country’s computer networks can be defended more efficiently,” asserts National Public Radio, with absolutely nothing to back the claim up.

“The [volunteer cyberarmy] unit is but one division of Estonia’s Total Defense League, an all-volunteer paramilitary force dedicated to maintaining the country’s security and preserving its independence,” reported NPR.

And who are the top cyber-security experts? That’s rhetorical.

I added some more insult at the end. It’s at Security News Daily here.



The homeland security business lawyer wishes we were more like Estonia? Ludicrous.

GDP of Estonia: 6 billion USD.

GDP of Rhode Island: 47 billion USD.

Price Intel paid for McAfee Associates: 7.6 billion USD.

12.15.10

Conflating WikiLeaks and Cyberwar

Posted in Culture of Lickspittle, Cyberterrorism at 1:10 pm by George Smith

Fox News network “experts” and pundits, as well as others in the mainstream media, have been very busy conflating WikiLeaks with cyberwar. They do this while willfully ignoring the obvious — that if WikiLeaks were actually conducting a cyberwar against the US, then the newspapers also publishing its materials are doing the same.

And that when Michael Moore went on MSNBC last night to say he was offering his servers to WikiLeaks if they were needed, then he was also lining up to conduct it against this country.

So a Sunday opinion piece in the Philadelphia Inquirer, brought to my attention by Pine View Farm, is typical in its stupefying quality.

In a more intelligent world, one where critical thinking and rigor were valued, its writer, Trudy Rubin, would be someone to be ridiculed. Not someone empowered to blurt whatever received wisdom has been placed in front of her during the past week.

Rubin begins (try not to laugh):

WikiLeaks has woken Americans up to the concept of “cyberwar.”

“Cyberanarchists” are attacking the websites of multinational companies that cut off services to WikiLeaks after it published classified State Department cables.

What follows is a push for Richard Clarke’s last book on cyberwar, now a bit stale in sales terms.

DD covered it, most notably here and here.

Rubin also delivers the standard Clarke argument, now well over ten years old in the public domain, that our enemies — hackers, terrorists, nation states — will strike across the Internet, blowing things up, turning other things off. Airplanes will fall from the sky, pipelines won’t pipe, and the most recent addition (gasp!) — banks will fail as Wall Street is struck.

The latter is so attractive as a meme, let’s savor it again. Banks will fail. Wall Street will get hit.

And what, exactly, would be wrong with that, all things considered?

And this is how the WikiLeaks document dump has been transformed into a cyberattack on the United States.

Any real or potential threat against the aims and desires, or business conducted as usual by big American agencies, is deemed to be evidence of a global attack, something that needs to be met with vigorous force, hysteria and advertising. As well as increasing levels of stupidity and hostility.

At which point the American government chooses not to lead, but to pander, either by being reactionary, unthinking and always willing to find ways to quickly toss taxpayer dollars into businesses which return very little in basic value to the middle class.

“Air Force Blocks Sites That Posted Secret Cables,” reads one headline in the New York Times today.

Incidentally, Clarke’s appearance in Philadelphia was part of his usual peddling, this at a speech/seminar for the locals.

“Clarke also recommended a bigger government commitment to cyberresearch and an effort to craft an international accord banning cyberattacks on civilian institutions such as banks,” concludes Rubin.

Heavens, yes, we gotta protect the banks from cyberwar — like that promised by Assange for the new year. After all, look how much they’ve done for us.

12.10.10

WikiLeaks and Change (Or the Lack of It)

Posted in Cyberterrorism, Stumble and Fail at 2:50 pm by George Smith

I have occasionally been asked — most notably this week — for opinion and context on hackers as a counterbalance to government and political power.

This week it was a couple journalists asking about Operation Payback and WikiLeaks as some manner of revolutionary change agent.

These types of questions go back a long way. I used to field them when editing the Crypt Newsletter, an old e-zine that covered the subculture of amateur virus-writers.

“This seems like another kind of culture war,” one fellow sent this week. “The hacks and hack nots. The powerless have found a way to overpower.”

Not quite.

Operation Payback did add to the hysteria surrounding WikiLeaks. It contributed to the mess without accomplishing anything other than the symbolism created by revenge in cyberspace.

And it did again prove how easy it is to have a group tantrum, one that always has the potential to inconvenience people.

However, in the short term, the WikiLeaks dumps have demonstrated the power of that agency is finite.

From my point of view, the reaction to WikiLeaks has pushed the US government into being more unreasonable and secretive. This appears to be part of its aim.

But it shows a naïve belief in an end point that’s favorable. Or the experience of one who hasn’t been living in the US and experiencing the way things are.

You can reveal many interior things about US government or corporate dealings today but even if the press writes about it for weeks, and politicians hold hearings, nothing happens.

The best and most obvious case is the worldwide financial meltdown.

“Inside Job,” Charles Ferguson’s documentary on it, has played in Pasadena. And there is no more savage and incriminating an indictment of Wall Street and the US banking industry. Watching it makes the blood boil. In a system that wasn’t broken, such a story would be seen by a lot more people, not just those of us in southern California, San Francisco, NYC or Boston. Its capability to inflame should stoke outrage and the picking up of pitchforks in Oklahoma, Nebraska — anywhere in the heartland.

But it just hasn’t happened.

And Ferguson’s movie is not the first to tell this story. Many have.

Everyone has already been shown — multiple times, very convincingly — that the bankers engaged in rigging and blew up the economy. And that the people running Goldman Sachs and their corporate rivals are criminal greedheads after everyone’s money.

So if WikiLeaks does another document dump, this time from — maybe — Bank of America, no matter what is revealed about our “ecosystem” of corruption, it’s blinkered to think that things will change. It has already been demonstrated, over and over, that Bank of America participated with other financial institutions in the running of a Ponzi scheme.

What happened after the WikiLeaks release of the helicopter attack video?

Nothing.

What happened after the Afghanistan war diary?

Along with the journalism that has been done on the global financial crisis, these things show us how power is, except for election time, totally insulated from consequences in the US in 2010.

WikiLeaks and Julian Assange can’t change that, probably no matter what material is released.

Does that mean it shouldn’t exist to do what it does? No, not at all!

You would say the same thing to the editors of newspapers who must now realize that despite investigative efforts and the placing of utterly damning material on the frontpage, the power to actually create meaningful change now is just about entirely out of reach.

It’s not an optimistic picture. WikiLeaks has not changed this.

So the idea that hackers can achieve a reversal is beamish.

At the time of underground e-zines years ago, hackers were frequently alleged to be capable of turning the tables on the establishment or government enemies of the moment. And although they can strike at people, companies and agencies, it just never worked out that way.

However, as much reported revenge, which is what this is about, it has always had symbolic value in the domain.

As for instigators of societal change, or protest in the US, the only group that has had any impact has been the Tea Party. And while it is profoundly anti-government, it is the very opposite of WikiLeaks.

Consider this rubbish from William Kristol at the Weekly Standard:

The criminal and anti-American enterprise WikiLeaks said in a Twitter message this morning that it was under a “distributed denial of service attack,” a method often used by hackers to slow or bring down websites. If this is the U.S. government at work, good for our civil servants. If this is patriotic citizens taking matters into their own hands—even better. The original Tea Party was a grassroots citizens’ effort. If Tea Party-inspired Americans—and freedom-loving hackers around the world—can act effectively in cyberspace against today’s threats to our liberties and well-being, and to the liberties and well-being of others —that’s something to be applauded. Indeed, it’s community activism one can believe in.

“Freedom-loving hackers of the world, unite!” is Kristol’s subhed. It’s to laugh.


“Govt Response to Wikileaks Said to Cause More Damage,” was the title of a post at Secrecy blog today.

What followed was a lament from an anonymous employee of the Department of Homeland Security.

“It has even been suggested that if it is discovered that we have accessed a classified Wikileaks cable on our personal computers, that will be a security violation,” the person writes.

Adds Aftergood:

There has been no sign of leadership from any Administration official who would stand up and say: “National security classification is a means, and not an end in itself. What any reader in the world can discover is no longer a national security secret. We should not pretend otherwise.”

11.29.10

Bombs trump Stuxnet, malware acknowledged

Posted in Cyberterrorism, Extremism, War On Terror at 2:44 pm by George Smith

From today’s New York Times:

Motorcyclists attached bombs to cars carrying two of the country’s top nuclear scientists early Monday, detonating them from afar. One scientist was killed and the other injured.

Iran immediately accused the United States and Israel of again trying to disrupt Iran’s nuclear program.

President Mahmoud Ahmadinejad said that “undoubtedly the hand of the Zionist regime and Western governments is involved.” He also publicly acknowledged, apparently for the first time, that the country’s nuclear program had been disrupted recently by a malicious computer software that attacked its centrifuges.

Good advertising, though, for contractors wanting to enlarge their portfolios into cyber-warfare.

It’s bad news for everyone who harbors even a slight hope for reason.

More Stuxnets, faster stronger Iranian advancement toward the bomb, more instability, even less incentive for non-violent outcomes.

In this sense, Stuxnet could be seen as counter-productive, since it did not actually shut down the program but was more of a harassment.


Incidentally, today at Heritage — the policy position that new START should not be ratified because of Iran, which is exactly what proliferating states would admire in policy.

In other words, it’s a kind of argument which gives you the sub rosa idea that the extreme right GOP wants Iran and nuclear proliferation to advance quickly because it enhances recommendations for ballistic missile defense spending. So it’s in their interest to see that things get gummed up.

The president should dump the New START treaty — its one-sidedness makes the U.S. look like a lousy negotiator in the eyes of the world … and a patsy in the eyes of the Russians. — some Heritage employee who writes about every rotten idea the foundation wants pushed

And, of course: “The President should also make it a publicly top priority to hunt down any American connected with these leaks and prosecute them.”

Julian Assange is Australian. Once upon a time long ago he researched a book on hacking in Australia, a non-fiction story of which he was a part, and this entry was from when he subscribed to the Crypt Newsletter.

And Bradley Manning, an American, is already in the stockade.

11.16.10

Fancy Stuxnet Stuff: Effect still indiscernible

Posted in Cyberterrorism at 10:42 pm by George Smith

The Register summarizes recent findings that the Stuxnet worm targets mechanisms which are export-controlled under US anti-nuclear proliferation regimes.

DD lets the pub do the heavy lifting:

New research, published late last week, has established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz.

The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose.

Low-harmonic frequency converter drives that operate at over 600 Hz are regulated for export in the US by the Nuclear Regulatory Commission as they can be used for uranium enrichment. They may have other applications but would certainly not be needed to run a conveyor belt at a factory …

The gist is that it seemingly confirms a malware jab at Iran’s nuclear program.
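A defender-side sketch of why the behaviour quoted above (short frequency changes at intervals) and the "reporting that all was OK" behaviour described in the 01.17.11 post are hard to diagnose. It is an added example, not code from this blog or from The Register's article. The log, the 1000 Hz setpoint, the independent speed sensor and every function name are constructed assumptions; only the 807 to 1210 Hz band comes from the quoted text.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List

# Operating band named in the quoted Register text (Hz).
BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0


@dataclass
class Sample:
    minute: int          # position in the log, one sample per minute
    measured_hz: float   # assumed: independent sensor outside the controller
    reported_hz: float   # value the control system showed to operators


@dataclass
class Excursion:
    start: int
    end: int
    peak_hz: float       # measured value farthest from the setpoint
    out_of_band: bool    # peak left the 807-1210 Hz band
    hidden: bool         # console disagreed with the independent sensor


def find_excursions(samples: List[Sample], setpoint_hz: float,
                    tolerance_hz: float = 5.0) -> List[Excursion]:
    """Group consecutive off-setpoint samples (log sorted by minute)."""
    found: List[Excursion] = []
    run: List[Sample] = []

    def close(r: List[Sample]) -> None:
        peak = max(r, key=lambda s: abs(s.measured_hz - setpoint_hz)).measured_hz
        found.append(Excursion(
            start=r[0].minute,
            end=r[-1].minute,
            peak_hz=peak,
            out_of_band=not (BAND_LOW_HZ <= peak <= BAND_HIGH_HZ),
            hidden=any(abs(s.reported_hz - s.measured_hz) > tolerance_hz for s in r),
        ))

    for s in samples:
        if abs(s.measured_hz - setpoint_hz) > tolerance_hz:
            run.append(s)
        elif run:
            close(run)
            run = []
    if run:
        close(run)
    return found


def average_alarm(samples: List[Sample], setpoint_hz: float,
                  tolerance_hz: float = 5.0) -> bool:
    """Naive check: alarm only if the mean over the whole log drifts."""
    return abs(mean(s.measured_hz for s in samples) - setpoint_hz) > tolerance_hz


def constructed_log(setpoint_hz: float = 1000.0) -> List[Sample]:
    """Constructed 10-hour log: two concealed excursions, one honest change."""
    log = []
    for m in range(600):
        measured = setpoint_hz + ((m % 3) - 1)   # +/-1 Hz sensor jitter
        reported = setpoint_hz
        if 200 <= m < 210:                       # drive sped up, console unchanged
            measured = 1400.0
        elif 450 <= m < 460:                     # drive slowed, console unchanged
            measured = 600.0
        elif 500 <= m < 503:                     # operator change, console agrees
            measured = reported = 1020.0
        log.append(Sample(m, measured, reported))
    return log


if __name__ == "__main__":
    log = constructed_log()
    print("whole-log average alarm:", average_alarm(log, 1000.0))
    for e in find_excursions(log, 1000.0):
        print(e)
```

On this constructed log the whole-log average never trips, while the per-sample comparison against an independent measurement isolates both concealed intervals and leaves the operator's own change unflagged as hidden.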

“Plant officials at the controversial Bushehr nuclear plant in Iran admitted the malware had infected its network in September,” continued the Reg.

“This had nothing to do with a recently announced two-month delay in bringing the reactor online, government ministers subsequently claimed.”

Could be true.

And nuclear power plants do not enrich uranium, perhaps indicating that Stuxnet’s creators have lousy aim, a topic I’ve addressed earlier. (We’ll get to it.)

In any case, various news agencies report Bushehr ready to join Iran’s power grid in 40 days. Exposing again a hard limit on using software to sabotage stuff in the physical world.

The Reg concludes:

The appearance of the malware has provoked talk of cyberwar in some quarters and certainly done a great deal to raise the profile of potential attacks on power grid and utility systems in the minds of politicians. This is regardless of the potential likelihood of such an attack actually being successful, which remains unclear even after the arrival of Stuxnet.

On limitations, previously at DD blog:

I’d only add that the lack of substantial proof of success in offensive malware operations won’t stop anyone in the business of insisting just the opposite.

However, Iran’s nuclear program also won’t be stopped by a piece of malware aimed at controller software in its factories.

And the liabilities of employing something like Stuxnet are now fairly obvious.

The most glaring being that such a thing is immediately seized upon and pulled apart by the worldwide distributed network of computer security researchers. And second, that even granting for a moment that it was designed to be directed at Iran, the intelligence requirements for it to be solely limited to that were still way too great to limit its spread to that country.

Another ramification is the identification of the originating country. But if the country of [creation] is already an international pariah, then it doesn’t matter if Stuxnet is pinned on [it].

For the purposes of nations with offensive cyberwar operations, Stuxnet shows there is no obstacle or particular reluctance to shoot a weapon across the networks. Even if it doesn’t achieve much from an outside perspective. Stuxnet is all good for the computer security business. Contractors love it. That’s just the way things work here. Nothing could be better than for nations to secretly make more of them.

Any interior arguments — coupled with the natural bent of the computer security industry — would validate operations, anyway. So the US or Israel can be bad actors all the time in this area, if they so wish.

There’s no oversight and little practical interest outside of the malware story’s use as a justification for more offensive and defensive spending.

Stuxnet actually only comprises a small part of the weekly news on the excellence of attacking Iran.

The political leadership, particularly the right, doesn’t care about the magical malware on Iranian networks. It is far more interested in just unleashing the bombers.

Having far more traction, for example, is an opinion piece in which a famous Village asshat recommended all out war with Iran in order to save the US economy. A development that most experts in international relations and nuclear proliferation would guarantee an Iranian bomb eventually.

By comparison, Stuxnet is interesting but petty shit.

09.28.10

Great cyberweapon or cyberfizzle?

Posted in Crazy Weapons, Cyberterrorism at 3:36 pm by George Smith

On Stuxnet, yes, I’ve seen the stories.

But do go to the site of the German researcher propagating its central thesis, Ralph Langner.

Langner’s discussion is an interesting one and often compelling.

But “hack of the century” is the type of overused phrase that won’t get you a lot of mileage in circles not inclined to believe absolutely everything published about global malware. Or cyberwar.

Langner knows the technical side and makes a reasonable argument as to the amount of effort put into the Stuxnet bug. He argues that it was created by a national intelligence/defense program. And the obvious insinuation for this story is Israel, although other countries are not ruled out.

However, the discussion goes a bit too far — understandably, in linking circumstantial news — that Iran’s nuclear program has progressed slower than expected — and Stuxnet.

There is no proof that anything went bang or failed catastrophically in a nuclear reactor or even a centrifuge cascade. Other equally or more plausible explanations exist for any perceived slow down, if there is one, in an Iranian nuclear weapons program.

Still, if one takes the broad leap and grants that a virtual effect of some kind was achieved, Stuxnet still has had an indiscernible effect to everyone not already in on the story.

Years ago, I said publicly that I thought governments would try to write malware and pursue cyberwar. I had no real idea how long ago until I started digging up some old digital news records.

It was all the way back in 1995.

At the time, it was for a Voice of America news broadcast, and this is what I said, something I’ve repeated from time to time in many other discussions:

“George Smith is skeptical that offensive military operations will work very well in cyberspace.

“For years, Mr. Smith has been writing a newsletter on computer break-ins . . . He says Pentagon officials are overstating the danger from computer hackers and intruders.

“Nevertheless, [Smith] expects the United States and many other nations to try to create ‘cyber-attack’ forces: ‘I think it is likely that people will try, I think it is unlikely they will have any impact.’

“Mr. Smith says armies in Bosnia and the Gulf War faced computer problems, including viruses. He says they coped with them in much the same way they coped with flat tires on vehicles, or worn out parts on aircraft.

“[Smith said] the idea that small groups of people, armed only with keyboards, could seriously hurt a powerful military force belongs in Hollywood — not the battlefield.”

To this I’d only add that the lack of substantial proof of success in offensive malware operations won’t stop anyone in the business of insisting just the opposite.

However, Iran’s nuclear program also won’t be stopped by a piece of malware aimed at controller software in its factories.

And the liabilities of employing something like Stuxnet are now fairly obvious.

The most glaring being that such a thing is immediately seized upon and pulled apart by the worldwide distributed network of computer security researchers. And second, that even granting for a moment that it was designed to be directed at Iran, the intelligence requirements for it to be solely limited to that were still way too great to limit its spread to that country.

Wrote David Sanger at the New York Times over the weekend:

Stuxnet, which was first publicly identified several months ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

Another ramification is the identification of the originating country. If the country of origin is already an international pariah, then it doesn’t matter if Stuxnet is pinned on such a nation.

As a thought experiment, assume for a minute that Stuxnet is a part of a US program, not Israel’s.

In terms of national security and unilateral action, everyone already thinks the US acts rashly and can be reliably depended upon to behave with little regard for others.

At this point, there’s no longer much of a downside to using something like Stuxnet.

Even if a national program were to execute something so poorly the backfire would sweep over the originating country’s civilian systems. (That’s certainly progress, of sorts.)

It would just be yet another example of some team or some agency thinking, perhaps reasonably, that it’s godly and beyond reach.

And we’ve already had a few of those.

Bruce Ivins and the lack of professional diligence at Fort Detrick, in the world of real things as opposed to virtual, coming to mind.

Stuxnet as a super cyber weapon is a hot, sexy story. The hype behind it is predictable, even logical. Paradoxically, one of the famous journalists usually the first to exaggerate such things — John Markoff of the New York Times — gave it, what was for him, a mild reception.

Markoff’s second paragraph, from the 27th:

The most striking aspect of the fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project — may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe.

All of the old anti-virus programmers, as far back as the late Eighties and Nineties, would have told anyone the same. In fact, they told stories like it about various computer viruses many times, the only difference being the wherewithal didn’t yet exist to aim them roughly over a global network.

In essence, once a piece of replicating malware is released into the world, no matter how “smart” (that being a relatively elastic term) its creator(s), it’s effectively liable to wind up where least expected, no matter how exactingly programmed.

If we get back to nuclear fuel cycles and national bomb programs for a moment, it should be remembered that uranium can be enriched, and an atom bomb made, entirely without the use of Siemens software and globally networked computers.

Entire libraries of books exist on the matter.

And people who have devoted professional careers to the study of nuclear proliferation can give entire classes on what can go wrong inside a bomb program. Without ever getting to software problems and malware. There are many things in the material world which can affect the progress of a bomb-making program, not the least of which are easily understood hurdles like inexperience, subpar skills and interference with access to essentials and properly engineered machinery.

In August, prior to Stuxnet news, the Times reported:

It is unclear whether the problems that Iran has had enriching uranium are the result of poor centrifuge design, difficulty obtaining components or accelerated Western efforts to sabotage the nuclear program …

For most of this year, Iran has added relatively few centrifuges — the machines that spin uranium at supersonic speed, enriching it — to its main plant at Natanz. Only about half of those installed are operating, according to the International Atomic Energy Agency. So far, Iran has produced about 5,730 pounds, enough, with considerable additional enrichment, to produce roughly two weapons.

The public explanation by American officials is that the centrifuges are inefficient and subject to regular breakdowns. And while Iranian officials have talked about installing more advanced models that would be more efficient and reliable, only a few have been installed.

“Either they don’t have the machines, or they have real questions about their technical competence,” Mr. Samore said.

Some of Iran’s enrichment problems appear to have external origins. Sanctions have made it more difficult for Iran to obtain precision parts and specialty metals.

Any of these explanations is as likely as, perhaps even greatly more so than, Stuxnet.


keys: cyberwar, cybersecurity, cyberterrorism, cybersabotage

Update: Some typos corrected.

06.16.10

Cult of Cyberwar: Cult Chieftain wins debate, bad guys thought good fellows by audience

Posted in Cyberterrorism at 8:41 pm by George Smith

Wrong venue, wrong audience.

You’re in the wrong place when you’re trying to argue “The Cyber War Threat Has Been Grossly Exaggerated” before an audience at the Newseum in Washington, D.C. — this from NPR here.

Sort of reminiscent of famous catastrophic bills in rock and roll. Like the Jimi Hendrix Experience opening for the Monkees.

Marc Rotenberg and Bruce Schneier went up against Cult of Cyberwar chieftain Mike McConnell of Booz Allen Hamilton and Jonathan Zittrain.

Sez NPR:

Before the debate, the audience voted 24 percent in favor of the motion “The Cyber War Threat Has Been Grossly Exaggerated,” and 54 percent against, with 22 percent undecided. And the side arguing against the motion carried the day: After the debate, 71 percent of the audience voted to oppose the motion, 23 percent supported it and 6 percent remained undecided.

John Donvan, correspondent for ABC News’ Nightline, moderated the June 8 debate.

“What Mike McConnell didn’t mention is that grossly exaggerating a threat of cyberwar is grossly profitable,” argued Schneier, a point others have made — including me, many times.

“The last article I saw said there’s about $400 million in Booz Allen contracts on cyberwar. You don’t get those by saying, you know, this is kind of dumb. But it really is.”

McConnell did not respond — which was lame. It was a good challenge and Schneier made it twice, the second time in his closing statement. The moderator, a newsman, didn’t care to call the Booz Allen man out on it. And it was not something that resonated in the venue or with the audience. Bald-faced conflicts of interest often don’t raise the ire one thinks they should in polite American intellectual salons.

There was also a good bit of laughter and jokes about beer during the discussion, allegedly conducted to Oxford rules.

The transcript is here.

05.24.10

Cult of Cyberwar: Cult Chieftain’s book gets lukewarm reviews

Posted in Cyberterrorism, Extremism at 12:08 pm by George Smith

Finally, there’s blood in the water. And it’s the Cult of Cyberwar’s.

DD got enough cuts in over the last few months that even those most inclined to blind endorsement of whatever some celebrity voice of authority has to say can’t overlook it.

So recent reviews of Richard Clarke’s Cyberwar tell a story of waning enthusiasm.

Sure, the standard scripts and memes of cyberwar doom are deployed, but they’re just on display for show. Everyone has written them and the overkill has squeezed all the zip fresh out. The reviewers realize they’re getting a hot and canned delivery of something, not necessarily the truth, more likely a sales pitch.

From the Financial Times:

Poison gas clouds over Wilmington and Houston. Serial crashes on the New York subway and the Washington Metro. Aircraft plunging to the ground. The president of the United States clueless as to what to do next.

This scenario belongs not to Hollywood but to Richard Clarke, who has served four presidents, from Ronald Reagan to George W. Bush, as national security adviser. In short, his startling new book, Cyber War, argues that the sky is about to fall on our heads.

“Cyber War will strengthen Clarke’s claims as one of the founding fathers of cybersecurocracy,” it continues.

“While enjoying the verve of his writing, the question must still be asked: is he right? Because if so, he and his fellow securocrats will be the recipients of huge sums of taxpayers’ cash … Take Clarke’s warnings with a pinch of salt but do not dismiss them out of hand.”

Coming from a well-known establishment publication, it’s the equivalent of someone saying, “Run along now.”

And from the Washington Post:

Still, few seem too worked up about [cyberwar]. On a recent “Real Time With Bill Maher” episode, for instance, Clarke’s cyber-scare stories fell flat.

Even backward North Korea is exercising its cyber-muscles. Last year, on July 4, the hermit kingdom reportedly sent a virus to attack commercial and government Web sites in the United States, including those of the New York Stock Exchange and the White House, as well as sites in South Korea. Little damage seems to have been done …

Not nearly as much as one torpedo, I might add.

“It will probably take ‘an electronic Pearl Harbor’ to wake us up, Clarke says,” adds the reviewer.

Clarke ought to know, he was one of the founding fathers of ‘electronic Pearl Harbor’ scare stories more than ten years ago.

And he’s flogged it in the media big time. To a seemingly endless number of reporters willing to be nothing more than stenographers.

However, you can’t Google it anymore without running into a few dissenting voices.


The Richard Clarke publicity circus — from the archives.

More on the Cult of Cyberwar.

05.01.10

Cult of Cyberwar: When in doubt, make stuff up

Posted in Crazy Weapons, Cyberterrorism, Extremism at 2:50 pm by George Smith

As an appendix to today’s earlier Cult of Cyberwar piece, DD brings you an editorial writer at a Dallas newspaper who can’t help but conflate it with electromagnetic pulse doom, or the Cult of EMP Crazy. After recommending Richard Clarke, he goes on an electromagnetic pulse weapon jag.

It’s not uncommon but always surprising to see what rubbish people will publish, just for the sake of convincing you that something very dangerous out there is about to hurl us back to the Stone Age.

[Forget about BP’s oil spill, dangit, that’s just nothing compared to EMP and cyberwar.]

Opines an editor at the Dallas Morning News:

[Retired Lt. Gen. Harry Raduege Jr.] spent most of his 35-year military career studying the effects of electromagnetic pulses. The good news, he said, is that the fiber-optic cable that makes up much of our ground-based communication network would survive an EMP attack. But anything that uses micro-circuitry would be “tremendously impacted,” he explained; the pulse would “literally fry” such components.

A single electromagnetic pulse weapon, he says, “can kill electronic systems in an area the size of a tennis court or throughout the entire United States.”

We know this because our country has developed and tested such weapons, clearly with plans to deploy them in the event of war against another technologically advanced country. But it would be naive to think we’re the only ones with this weaponry.

More chilling is the fact that an electromagnetic pulse bomb would be relatively easy for terrorists to build and deploy. In 2001, Popular Mechanics magazine described an electromagnetic-pulse bomb that it said could be built for $400 and would be capable of sending out a pulse that “makes a lightning bolt seem like a flashbulb by comparison.” It wouldn’t harm humans but would fry all the microcircuits we rely on, including in our cars. Imagine real disaster scenes like those depicted in ABC’s hit show Flash Forward.

Over the last decade, a constant feature in talks on notional electromagnetic pulse bombs and/or rays is that they can do just about anything. In this case, a single weapon could fry electronics in a tennis court, or in the entire nation. And they’re so easy to make anyone can have them for a paltry few hundred dollars.

For instance, from Congressional testimony ten years ago:

During [a] June [Congressional] hearing, [retired Army general Robert Schweitzer] made seemingly contradictory claims during the course of his presentation. At different times, Schweitzer claimed that electromagnetic pulse guns could be made for $800, that they could be made for $35, that they had been used against London banks although he was informed this was a hoax, and such weapons were now capable of disrupting Wall Street.

“. . . the cost is about $800 to do this,” Schweitzer said at one point.

As for knocking out Wall Street, Schweitzer later commented to Congressman Saxton, “[It] can be done with going to RadioShack and buying the components . . . And the prices are from $35 to $200 to buy components and do a number on Wall Street.” Schweitzer also alluded to, but did not mention by name, a generic hacker tech catalog that claimed to sell parts and schematics for such a weapon.

Further, Schweitzer testified that London banks were attacked by radio-frequency weapons, a myth that has been touched on in Crypt Newsletter.

“I was told that was a hoax,” Schweitzer said to Saxton. “. . . and it’s disputed in the Intel community and elsewhere but I think, frankly, and having gone into this in great detail, the dispute is to protect the fact it happened.”

Schweitzer added later: “I validated [this]. It isn’t just taking rumors or drivel off of the tabloids. These are solid facts that I’m giving you.”

As a matter of fact, it was rumors and drivel. And Schweitzer died a few years later, never having seen his electromagnetic pulse weapons.

And from April of last year, on the old blog:

The second category of crazy associated with the electromagnetic pulse doom lobby is filled with ‘experts’ who believe electromagnetic pulse weapons can be easily made from stuff cadged at Radio Shack. (Well, not quite, but for the sake of this post, the demographic extends into this domain of consumer electronic store junk.)

“Electromagnetic pulse weapons capable of frying the electronics in civil airliners can be built using information and components available on the net, warn counterterrorism analysts,” reads a very recent piece of EMP crazy emission at the New Scientist. (If you saw it originally, readers will note the other ‘most read’ story on the site — how masturbation might protect one from hay fever, certainly puts the entire matter in proper perspective.)

Written for decades — the original electromagnetic pulse gun stories date from at least as early as 1994 — this flavor always has one thing of note: EMP rayguns are easy to make from plans found on the web and materials available in every town.

The New Scientist story obfuscates this cliche only slightly. Instead of using the word ‘easy,’ practical synonyms are employed.

“[An ‘expert’] told delegates at the annual Directed Energy Weapons conference in London last month that … basic EMP generators can be built from descriptions available online, using components found in devices such as digital cameras,” reads New Scientist. “These are technologically unchallenging to build and most of the information necessary is available,” she said.

And DD wrote a syndicated news piece from just before the war, from which I will now draw:

“Talk of the secret electromagnetic pulse bomb was mythology as news, taking on a uniquely American demented quality,” wrote Crypt News in a syndicated feature published around the beginning of the second war in Iraq, the one we’re still in.

“No other single weapon — real or imagined — rivaled its power for sensation. In fact, in a nation where photographs of all weapons, no matter how trivial, are either officially distributed by the Department of Defense or leaked to the public, it was simply astonishing that absolutely none existed of the e-bomb.

“Bubbling over with excitement at something they’d never seen, the media mused openly on a wondrous capacity to destroy the Iraqi military without harming people. How the bomb would stop soldiers with old-fashioned artillery, automatic weapons, or tanks was nowhere to be seen. And guerrilla warfare was completely off the radar.

“Instead, the U.S. media furnished hyperventilated comment on the wonder bomb, exclamations suitable for Hollywood script.

“‘Kabammy! A huge electronic wave comes along and sends out a few thousand volts,’ blared one newspaper. ‘. . . like man-made lightning bolts!’ crowed another. Weeeee! Watch out Iraq, said the American buffoon corps, it’s the e-bomb.

“Reporters certainly believed this copy. As non-embedded journalists moved into Baghdad in the days prior to hostilities, editors contacted military analysts asking for advice on how to e-bomb-proof the electronic tools of the profession. Would cell phones survive? Could a microwave oven be used as an improvised microwave-proof carrier?”

Yes, the invisible e-bombs certainly took care of Iraq.

If DD goes back even further, to the time of the old Crypt Newsletter, we read that home-made or guvmint electromagnetic pulse weapons have always been arriving but never quite appearing. Or they are said to already be here though no one has seen them.

Or because someone has seen them in a computer game or on a TV show like 24 they must exist. Just like the bioweapon that caused rapid onset Alzheimer’s disease in Jack Bauer curable just in time for the next season.

From Crypt News:

A collection of comment and blurt from various EMP weapon kooks was originally [published under the title] “Calling Victor von Doom.”

That piece, from the Crypt Newsletter, cites an original electromagnetic pulse gun story from 1994 in Forbes magazine, one in which hackers are interviewed for their expertise in such things.

The EMP-weapon-used-against-Iraq (this time in the first war) myth was deployed:

“Forbes writer: Have you ever heard of a device that directs magnetic signals at hard disks and can scramble the data?

“Dangerous ex-hackers, in unison: Yes! A HERF [high energy radio frequency] gun.

“Dangerous ex-hacker A: This is my nightmare. $300: a rucksack full of car batteries, a microcapacitor and a directional antenna and I could point it at Oracle . . .

“Dangerous ex-hacker B: We could cook the fourth floor.

“Dangerous ex-hacker A: . . . You could park it in a car and walk away. It’s a $300 poor man’s nuke . . .

“Dangerous ex-hacker A, on a roll: They were talking about giving these guns to border patrol guards so they can zap Mexican cars as they drive across the border and fry their fuel injection . . .

“Dangerous ex-hacker A, really piling it on: There are only three or four people who know how to build them, and they’re really tight lipped . . . We used these in the Persian Gulf. We cooked the radar installation.

“In other parts of the article the “dangerous ex-hackers” discuss the ease of building what purports to be a $300 death ray out of Radio Shack parts and car batteries. In a rare moment of intellectual honesty and self-scrutiny the ‘dangerous ex-hackers’ admit there are a lot of ‘snake oil salesmen’ in the computer security business.”
