Interesting Read about a computer virus

[LC]

https://www.quora.com/What-is-the-most-sophisticated-piece-of-software-code-ever-written/answer/John-Byrd-2

 

Crazy and scary as hell

[rb]

Yep. Stuxnet was a complex piece of computer code. But it shouldn't be that surprising. Basically if a state with virtually unlimited budged and resources whats to screw with you, they can do it in any way and in any area of your life.

 

The not so scary part is this. Just like any other weapon system something like stuxnet is very expensive to create. It's unlikely that some gang would create it. Then because it was so expensive to build it would be used for some diplomatic or political reason that does not affect the day to day life of most people. Nobody would create a stuxnet just to steal your credit card number.

[JRM]

Stuxnet is a big reason why my job became a living hell at the nuclear power plant I used to work at.  We actually had Siemens PCS7 controls systems that this virus was made to attack.  The article is a little bit dramatic, but is mostly correct. 

 

The US government most likely designed the virus, and deployed the targeted attack at the Iranian uranium centrifuges.  The scary part is that once the virus was discovered, the "bad buys" could reverse engineer it to perform similar attacks.

[rb]

The US government most likely designed the virus, and deployed the targeted attack at the Iranian uranium centrifuges.  The scary part is that once the virus was discovered, the "bad buys" could reverse engineer it to perform similar attacks.

It sounds scary. But in reality it's not so scary. The payload of Stuxnet was basically just meant to mess around with centrifuges connected to Siemens PLCs. That's basically useless to anyone that doesn't want to mess around with an active nuclear weapons program. The real valuable part of it were the zero days and the digital signatures.

 

If this thing was discovered by someone it would be either a private actor or a state actor. I think in the case of Stuxnet the Iranians didn't figure it out it was private entities. In this case I think there were two security companies. I think Symantec and Kaspersky in this case but I'm not sure. When this happens the zero days get shared and they seize to exist cause they get patched.

 

It's unlikely that a Joe Hacker could use this. Joe Hacker is unlikely to get this before a security company does. Even if he does by chance it's unlikely to unpack and reverse engineer it before the security companies do because it's so complex.

 

If a state gets a hold of it again the most valuable parts are the zero days and the digital signatures. But any state with a cyber weapons program would have a stack of zero days. Maybe some of the same ones that Stuxnet used. Also any state security service worth its salt would be able to to steal digital signatures. I agree that all this state spy stuff does sound a bit scary but it's also been true for a long time and we're still around.

[JRM]

There were copycats as early as 2013.  It may surprise you, but nuclear power plants in the US are not state of the art.  Most of the critical control systems are analog based 1960's vintage technology.  A few critical safety systems are digital.  Mostly ancillary, less critical systems rely on digital controls or computers.  My point is, the computers used to run control some of the systems in these plants are extremely dated.  We're talking Windows 95.

 

At a nuclear power plant its not always as easy as simply upgrading the software/hardware, unfortunately.