September 28, 2010

The medium is the message

Posted by Ghost of a flea at September 28, 2010 08:47 AM


You should take that Hot Air commentary with a grain of salt. J.E. Dyer is talking out his or her ass.

If the target was Siemens the firm, would it make more sense to craft a precision weapon that looked for one specific, individual network? Or a shotgun/scattershot instrument that would nail as many Siemens products as possible as rapidly as possible?

Stuxnet is a virus in the technical sense that it infects many networks, but is only designed to destroy one. It's a highly precise weapon. Yes, it infects many networks, and it's targeted at one that uses Siemens software because the software requires the user to employ Siemens' own from-the-factory hard-coded password—and that is easy to exploit. (Guess what feature the next version will introduce, I'm sure.)

But on the precision side, Stuxnet examines the infected network to see whether the network matches a specific fingerprint of hostnames/equipment/etc, and if not, the attackware portion stays dormant. You would never be able to set off Stuxnet's attackware component accidentally; not unless your network is the exact one it was designed to kill.

It also has a kill switch that prevents the attackware portion from activating after July 2009; it's a harmless inconvenience now.

These precautions are not the actions of someone who wants to create a lasting headache for a whole company. It is a precision weapon crafted to take out one facility by a certain time, and to render itself inert after that.

It's a headache only in the sense that every infected network should be sanitised as a matter of corporate/industrial security; but it's harmless to every network except the one it already took out.

The Wired and Hot Air fellas neglect to tell everyone about the precision pieces; probably the best layman's roundup you can find are these two articles (1, 2) from the Christian Science Monitor.

Posted by: Chris Taylor at September 28, 2010 10:35 AM

I defer to your technical authority, of course. But I would argue an attack on Siemens intended to draw attention to their commercial relationship with Iran's nuclear program would be more damaging than a scattershot attack on Siemens globally.

If I were directing the attack, my aim would be to damage the firm's brand, not simply to bring their systems security into question. The latter is a technical problem and can be addressed with technical solutions. The former is an ethical problem that can only be addressed with ethical solutions.

Posted by: Ghost of a flea at September 28, 2010 12:35 PM

I see your point, but it would only be damaging if the customers actually cared. Or had leverage.

The way I see it, the number of generating station suits that would dump Siemens SCADA gear because it's insecure and stupidly built would be much higher than the number of suits that would dump Siemens SCADA gear because the firm intentionally or unintentionally exported its stuff to Iran.

To be blunt, a compromised SCADA system costs the generating utility money (things must be taken offline, contractors hired, code reviewed, etc etc). This is something the board would consider.

Whereas outraged consumers don't often have a choice between utilities for their electrical needs, so even if they are sick to their guts that their local power outfit uses Siemens gear, who else will they get electricity from? The end customer has no real leverage over a generating utility; so there's no financial impetus to change.

Posted by: Chris Taylor at September 28, 2010 01:29 PM

You are quite right to point out how little leverage the consumer has vis a vis their power generation infrastructure. But the consumer has plenty of leverage with Siemens telephones and appliances; it is the brand I would be after, not a specific division.

The trouble is finding a consumer who cares. Most people appear to be just as content to deal with today's death cults as they were with the death cults of yesteryear.

Posted by: Ghost of a flea at September 28, 2010 01:36 PM

I was moved to a cold sweat, and my blood pressure rose reading this.

The idea that corporations have a history and culture is the property of the left. You are no leftist. You should, quite rightly (er, leftly), only go after those corporations that can be shaken down for social spending. And some of the associations of this fine, gay vegetarian corporation, are now being rehabilitated thanks to the magical thinking of our ever wiser leftist open mouthed eaters in the press, academia, and wherever low effort, high paying jobs are to be gotten from white guilt sticky lovers and friends.

You better trim your sails, Flea. You might be offending some basement dweller.

(Ever check out the fascinating person that is Otto Skorzeny? You might wish to explore his post-war career as an engineer and investor. And, according to family tradition, he is the model for Ernst Blofeld.)

Posted by: Sargon the Magnificent at September 28, 2010 08:54 PM

There might even be a simpler solution.

German firms of my experience tend to have a nasty habit of unloading production overruns and second quality stuff on less-sophisticated users who might not be able to tell exactly what they're getting. Waste not, want not.

If Siemens ended up with more units than needed to fulfill their Iranian contract, India or Indonesia would be exactly the sort of place they might shuffle them off to, with only those minor mods necessary to make them work there -- which might even be in the computer software that operates the PLC network; all it would have to do is know more than one password, and to deactivate or simply not use the unused custom codes.

The Stuxnet worm would then attack all PLCs from the same production run, and problems would show up far outside the intended target.


Posted by: Ric Locke at September 29, 2010 11:15 PM