stuxnet #3

There’s a popular theory that Stuxnet was intended to cripple Iran’s nuclear power program. Other theories could fit the facts, but for the sake of argument, let’s say that theory is credible. How would it work?

Here’s what I think is a plausible scenario:

1. Stuxnet is released in Iran so that it will spread there most quickly.

2. Stuxnet, possibly but not necessarily, reaches some control software somewhere in an Iranian plant and does something to make things go wonky, proving that it is a menace.

3. Stuxnet is discovered, either when #2 happens or before, and carefully analyzed.

4. His Utmost Ridiculousness Ahmadinejad and other Iranian leaders believe they’ve had a brush with a serious threat, and they get hopping mad.

5. Iran retaliates for the worm against the United States using physical force, in some showy way.

6. In the United States there are high-fives behind certain closed doors, and outrage at Iran’s unprovoked aggression in front of the TV cameras.

7. Immediately half of Iran’s air force is wiped out, along with virtually all the land-to-sea missiles planted along the Persian Gulf; ships are torpedoed; military communications are smashed up… and as if it were an afterthought, Iranian nuclear research facilities are obliterated, setting the bomb-making program back five years.

That’s how I can see Stuxnet working.

This isn’t so much a real theory I’d like to defend as it is an exercise in coming up with a theory that fits the facts. The theory that Stuxnet by itself, without supporting aircraft and cruise missiles, could seriously inconvenience Iran’s nuclear bomb-making efforts isn’t credible.


1. For the Iranians to retaliate forcefully, they have to notice they’ve been “attacked”. Stuxnet is an internet Windows worm that spreads using clever zero-day exploits. Once released, it was certain to spread widely and certain to be discovered. That’s something the Stuxnet creators could depend on.

Windows rootkit worms aren’t invisible, except to Windows itself. They typically communicate across networks (Stuxnet does), so they are noisy; a worm will stand out like a camel in a flock of sheep when a file system is inventoried outside of Windows.

The Stuxnet team probably figured they had six months max, and maybe just days, before security researchers would be all over it. But if released the right way in Iran, it might spread enough there to seem threatening.

2. For the Iranians to retaliate forcefully, they would have to believe the worm was really a military-grade threat. With the internet infested by every manner of virus, worm and scam, coming up with a worm that is “military grade” is no small task. Stuxnet is very clever. For “military-grade?” it checks the block.

3. Plausible deniability. Stuxnet is a Windows worm, which has spread all over the world. There’s nothing about its spreading techniques that would limit it to Iran. There’s no way to conclusively tie the worm to any attacker. Many countries and criminal enterprises could put together 5 to 10 engineers plus testers and management for six months.[1]

The discovered payload of the worm (as opposed to the spreading technology) messes with PLC code, but the worm was provided with means to get updates in the wild, so presumably the payload could be switched out for something completely different.

4. In Operation Mincemeat, the British convinced the Germans to do what they otherwise would not have done (concentrating defenses on Greece and Sardinia rather than Sicily). We know the story from a movie, “The Man Who Never Was.” A dead body was dressed as a British officer, with an attached briefcase containing misleading papers, and dropped into the sea off the Spanish coast. A great deal of effort went into making the body convincing. The Germans were fooled, and this affected what the German military did.

From the perspective of many nations — the U.S., Israel, Saudi Arabia, Kuwait, Russia, the UAE, the UK… — a good excuse for someone to reduce Iran’s nuclear weapons program to a smoking ruin would be most welcome. A great deal of effort went into making Stuxnet convincing.

[1] Symantec’s estimate

Posted in Uncategorized | Leave a comment

bird watching

A headline from the front page of Saturday’s Wall Street Journal: “CIA Escalates in Pakistan”. Sub head: “Pentagon Diverts Drones From Afghanistan to Bolster Campaign Next Door”.[1]

Somehow we need to re-label this war, but it’s awkward to take the names of those two countries, with a total of seven syllables between them, not counting one syllable for “War”, and come up with an easy-to-use blend that is likely to get traction in conversation.

Afghanistan-Pakistan War? Correct, but too long; ungainly.

Pak-Afghan War? Pakistan too abbreviated.

Afpakstan War? Nah. Superficially clever, but blatantly contrived… Besides, what if the war slops over into one or more of the three “stans” to the north? Anyway, someone will come up with something I’m sure. Neither “Afghan War” nor “War in Afghanistan” capture the real situation any longer.

There is a subtlety in that WSJ sub head, possibly unintentional, but it struck me as nicely done: the name “Pakistan” does not appear at all. It’s the “Campaign Next Door”. Indeed, “Next Door” to Afghanistan, to the east, is an area that is also Next Door to Pakistan to the northwest, an area between Afghanistan and Pakistan, which is roughly what Kipling called “Kafirstan”[2]. It’s an area where Pakistan has influence, perhaps because the mountains have caused trade to lean toward Pakistan, and people in the area will tend to use Pakistani airports when they go abroad. This area is certainly not part of Pakistan in the way that Florida is part of the United States, or Cornwall is part of the UK.

However, I meant to talk about bird watching, not 21st century feudalism.

When the CIA adds more drones to the war (a.k.a. “campaign”), there is a mixed nationality coterie of military professionals and engineers, mostly to the east of Afghanistan, who are delighted. I’ll call them “bird watchers”.

Remember that these American drones represent an impressive military innovation, and military people throughout the world, especially in nations that feel they could, potentially, some day, come to blows with the U.S., or with some other nation that could deploy drones, are very interested in these aircraft. They want to know how they work, what logistical support they need, what their limitations are. But there are two things especially the bird watchers want to figure out:

1. How to see them.

2. How to destroy them.

If you assume people on the ground are most interested in hiding from them, you’re thinking of Osama bin Laden and his ilk, hot-footing it from cave-to-cave, not daring to turn on their satellite phones, wondering if it’s safe to light a cigarette or a hash pipe (hint: it’s not).

The bird watchers take notes on how to hide from drones. But they’ve got bigger fish to fry. And they don’t lack for cash money, vehicles and electronics.

The bird watchers are not “for the Taliban”, although they consort with the Taliban, and even help the Taliban trivially from time to time. They need access to the ground over which the drones fly, so they make accommodations with whoever controls the ground — in some areas that may even be Pakistani army units.

Both “seeing” a drone (knowing it is present and where exactly it is in the sky) and figuring out how to destroy a drone are challenging technical problems. I have some ideas about how these problems (especially the seeing) will be tackled, but the main thing to note is that the bird watchers can’t figure out how to see drones, much less destroy them, if there aren’t any drones.

The bird watchers want drones to study.

When the U.S. decides to increase the drone presence over Pakistan and Quasi-Pakistan, that’s good news for the bird watchers.

For the United States, one of the costs of a drawn-out war is that we expose our highly technical weapons — things like drones — to parties not necessarily our friends, who want to learn everything they can about what we have and how we use it.

How long will we linger in Afghanistan and Pakistan, letting all-and-sundry study our drones and develop anti-drone technology? Hard to say. It could be a long time. What began as an easy-to-understand effort to capture or kill Osama bin Laden, and capture or kill everyone who helped him, has morphed into an incomprehensible educational project: American Civics 101 for the Historically and Culturally Challenged.

Afghans are not bright students.

But it’s not obvious who’s presiding in the classroom. Perhaps they’re treating us to a course in Afghan Historical Continuity 101.

We’re not such bright students either.


[1] Wall Street Journal, Saturday/Sunday, October 2-3, 2010
[2] “It’s a place of warring tribes, which is to say, a land of opportunity.” [approximate quote from The Man Who Would Be King]


stuxnet #2

If you’ve followed reports of the Stuxnet internet worm over the last month or so, you probably have in your mind an image. I am about to guess the image in your mind.

I’ll use the word “research” in my description of what’s in your mind. But if you think “bomb making” sounds better than “research”, feel free to read “bomb making” where I have the word “research”.

The image in your mind is of a Windows computer. This computer is in a nuclear research facility in Iran. It is attached to a network and has access to the internet. It is also attached to a programmable logic controller (PLC), via a Windows application, that allows an Iranian researcher to key in or otherwise load changes to the operational nuclear research environment, adjusting settings and changing live code as he needs to.

In the plant where this Windows computer sits there is no deployment discipline for patches or upgrades. That is, the kind of process which enterprises typically use for bringing code changes online (test → staging → prod) is unknown. Someone can sit down at the machine, tap keys for a bit, hit ENTER and immediately production code is changed. There are no safeguards to prevent a typo from causing disaster. There’s no way to quickly roll back a patch if it causes an unexpected problem. There’s no redundancy, so that if one monitoring or control system fails another system — independent — can take over.

This Windows machine is not only on the corp network but it is reachable by other machines on the network — that is, the router doesn’t have it on its own lonely subnet. It has some virus detection software, but that’s it. It is not re-imaged regularly, and no one ever CD-boots it with a non-Windows OS to collect checksums from the filesystem to diff against a known baseline.
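The “checksums diffed against a known baseline” inventory described above, as an added example written for this page (not the post’s own code and nothing to do with Stuxnet’s internals). It assumes the tree under test is mounted somewhere readable, e.g. from a live CD, so the OS being inventoried is not the one doing the inventory; the demo scenario and its file names are constructed.

```python
"""Filesystem baseline and diff: inventory a tree from outside the running OS.

Hash every regular file under a root, save the result as a baseline, and
later report what was added, removed or changed. The point of running it
from a live CD is that the OS under test cannot hide files from the walk.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root) -> dict:
    """Map each regular file's path (relative to root, POSIX style) to its digest."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and devices are not content worth hashing here
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def save_baseline(inv: dict, out_file) -> None:
    Path(out_file).write_text(json.dumps(inv, indent=1, sort_keys=True))


def load_baseline(in_file) -> dict:
    return json.loads(Path(in_file).read_text())


def diff(baseline: dict, current: dict) -> dict:
    """Return added / removed / changed paths; unchanged paths are dropped."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo(workdir) -> dict:
    """Constructed scenario: take a baseline, then a new file appears and a
    known binary is altered. Names are placeholders, not real malware artifacts."""
    workdir = Path(workdir)
    tree = workdir / "tree"
    (tree / "bin").mkdir(parents=True, exist_ok=True)
    (tree / "bin" / "tool.exe").write_bytes(b"original binary")
    (tree / "config.ini").write_text("setting=1\n")
    save_baseline(inventory(tree), workdir / "baseline.json")
    # Later inventory: an unexpected file and a modified binary.
    (tree / "bin" / "unexpected.dll").write_bytes(b"unexpected")
    (tree / "bin" / "tool.exe").write_bytes(b"patched binary")
    return diff(load_baseline(workdir / "baseline.json"), inventory(tree))


def run_demo() -> dict:
    """Run the constructed scenario in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```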

Is that anything like the image you have in your mind?

The reason it could be is that the superficial reporting of Stuxnet has embedded in it an assumption that the challenge for the worm was only to find its way to a more-or-less ordinary Windows machine with access to production code running a nuke plant, quietly get control of that machine and then make changes to the nuke-plant-controlling code.

Got that? Here’s something else we should take just as seriously:

Living in the sewers there is a race of little green men, originally from Mars, who ooze through keyholes and use precision lasers to steal vital organs from sleeping victims without waking the family doberman.

The image of the alleged target Windows machine and fly-by-the-seat-of-your-pants change management is created by superficial reporting of Stuxnet, and it’s preposterous.

The worm has many clever features, but it’s not magical. Symantec has a good paper describing it, if you have a taste for technical details. I won’t give away the plot, but it is at least conceptually possible for Stuxnet to get its code into a PLC, in the wild (as opposed to in the lab). However, the idea that it could seriously disrupt a nuclear research plant for any length of time, causing anything more than a passing inconvenience, is nonsense.

Now (still reading your mind), you’re thinking, “In Iran maybe they do have Windows boxes that can access live code managing a nuke plant, machines that are also used to check email and surf the net…”

The reason you think that is related to another image in your mind: the image of His Utmost Ridiculousness Ahmadinejad.

The response: “No. In Iran they don’t hire monkeys to manage nuclear research plants. They have smart people, good engineers, who know how to do things that are technically complex. They know how to review code changes, manage patch deployments, limit access to mission critical applications, checksum binaries and code blocks… do rollbacks, ensure redundancy… Iran is not a nation of halfwits, notwithstanding Ahmadinejad’s efforts to persuade us otherwise.”

What about the speculation that Stuxnet was created by state-sponsored hackers — maybe Israel, maybe the U.S. — and that the target was an Iranian nuclear plant?

Governments, certainly ours and maybe Israel’s, are capable of delivering truckloads of money to oily, big-talking contractors, who pretend that Rube Goldbergian schemes are easy as tinker toys. But the simple fact is that no one with understanding looked at a proposed objective like, “eliminate Iranian nuclear plant,” and believed that Stuxnet could or would do that.

I can make a case that is coherent (if not likely) that the U.S. or Israel or some other state sponsored the release of Stuxnet on the internet, and that it did have something to do with an Iranian nuclear plant — but the chance that Stuxnet itself would do damage was understood: slim to none.

I’ll make that case… another day.



stuxnet #1

Symantec’s W32.Stuxnet Dossier is the most useful info I’ve seen about stuxnet. Early in the paper, explaining context:

Industrial control systems (ICS) are operated by a specialized assembly like code on programmable logic controllers (PLCs). The PLCs are often programmed from Windows computers not connected to the Internet or even the internal network. In addition, the industrial control systems themselves are also unlikely to be connected to the Internet.

Whew… Don’t miss this: “…PLCs are often programmed from Windows computers not connected to the Internet or even to the internal network…”

From the superficial reporting of stuxnet you could get the idea that a Windows box, casually attached to a network, could also casually access and change production code in an industrial environment. When you stop to think about it, you know that can’t be true. It could be true somewhere at some time, simply because there are outliers in any large sample, but if you know how things work, you know it can’t be true in general.

Fortunately, Symantec mentions what is hardly worth mentioning — because it will be assumed by technically literate readers. But a lot of people don’t know much about development and deployment processes that are widely used, even for goofy web apps…

— “What? You go through all that to change one line of code on your webserver?”
— “On our production webserver”.

The Symantec paper has enough technical detail to be interesting. The assessment of resource requirements:

The full cycle may have taken six months and five to ten core developers not counting numerous other individuals, such as quality assurance and management.

From the superficial reporting, I had guessed 10 engineers (including QA) for 1 year, plus equipment, simulators, etc. — way less than $10 million if done in the private sector, and probably not more than $100 million if government sponsored.

This, of course, is easily within the reach of many criminal organizations (today in Wired: “5 Key Players Nabbed in Ukraine in $70-Million Bank Fraud Ring”) — and criminal-government blends.

Because the Symantec paper has fairly close technical analysis, it includes odd notes like this:

…If this value is equal to 19790509 the threat will exit. This is thought to be an infection marker or a “do not infect” marker. If this is set correctly infection will not occur. The value appears to be a date of May 9, 1979. While on May 9, 1979 a variety of historical events occurred, according to Wikipedia “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.” Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party.

Wikipedia has a short article about Habib Elghanian:


Why does this remind me of “The Man Who Never Was”?



Critical Thinking 101: WSJ #2

So, how is it that the Wall Street Journal’s Full Methodology flunks the basic, pass-fail test? Why do all the numbers in “On Web, Children Face Intensive Tracking” add up to a zero-value story?

The Full Methodology is disappointing on several counts, but the core problem is related to Principle #3 in the previous post: Whenever we read numbers, where something has been counted, it’s important to ask, How were things that could affect the count controlled?

The Full Methodology tells us this:

Mr. Campbell used Mozilla Firefox 3.5 and Adobe Flash Player 10.0. Following each session, he examined the tracking files that had been placed on the computer.

That’s all we’re told about the browser. We don’t know the main thing: How was the browser’s cookie management configured?

Which browser was used is of relatively minor importance. I happen to have IE6 on the computer I’m using now, and even that relic allows blocking of either third-party cookies or first-party cookies, or both. Firefox 3.6, which I actually use, has much more granular cookie handling functionality. I can allow cookies only from certain sites, or block them only from certain sites. Or block all 3rd party cookies, etc.

Since the research involved collecting cookies from websites and counting them, the main thing we want to know is how Mr. Campbell, the researcher, configured the browser for cookies. What gets caught in a net very much depends on what the net is designed to catch — minnows or tuna or whatever — and what the net is designed to catch is analogous to how the user has decided to configure his or her browser. If you’re browsing a website, what you accept in the way of cookies is under your control, not the website’s.[1]

There is a clue to how Mr. Campbell configured his browser in the legend for a graph on the WSJ site, “What we found on one site”. The site is There were 195 cookies and 4 first party cookies…

Pause there.

If they know there were 4 first-party cookies, and there were 195 total cookies, there must have been 191 third-party cookies, and to know that, the browser must have been set to accept third-party cookies. Mr. Campbell could have blocked 191 cookies simply by de-selecting the “Accept third-party cookies” box in Firefox.[2]

But four measly cookies wouldn’t make a sensational story would it? Four cookies from hitting 20 pages on a website just doesn’t rate front-page play. Is it possible that… Did the Journal promote 10 inches worth of filler from inside Weekend Journal to a front-page splash by telling Mr. Campbell to set his browser to accept 3rd party cookies?
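The first-party/third-party decision that the 4-versus-191 split turns on, as an added example written for this page (not the post’s code and not the WSJ’s methodology). It models how a browser decides which party a cookie belongs to (by comparing registrable domains, so subdomains of the visited site still count as first-party) and then applies the “accept third-party cookies” setting. The visited site name is a placeholder, because the post omits it, and the cookie jar is constructed to match the post’s numbers.

```python
"""Model of a browser's first-party / third-party cookie policy.

A cookie is first-party when its domain shares the registrable domain
(eTLD+1) of the page the user navigated to; everything else is third-party,
and the 'accept third-party cookies' checkbox decides whether those survive.
"""
from collections import Counter

# Tiny stand-in for the Public Suffix List (assumption: a real browser consults
# the full list). Registrable domain = one label + one of these suffixes.
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org")


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host, e.g. 'ads.tracker.net' -> 'tracker.net'."""
    host = host.lower().strip(".")  # a leading dot in a Domain= attribute is ignored
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host == suffix:
            return host
        if host.endswith("." + suffix):
            prefix = host[: -len(suffix) - 1]
            return prefix.split(".")[-1] + "." + suffix
    return host  # unknown suffix: treat the whole host as the registrable domain


def is_first_party(top_level_host: str, cookie_domain: str) -> bool:
    return registrable_domain(top_level_host) == registrable_domain(cookie_domain)


def accept_cookies(top_level_host, offered, block_third_party):
    """Apply the policy to offered cookie domains.

    Returns the accepted domains and a Counter of how many were first/third party.
    """
    accepted = []
    tally = Counter()
    for domain in offered:
        party = "first" if is_first_party(top_level_host, domain) else "third"
        if party == "third" and block_third_party:
            continue
        accepted.append(domain)
        tally[party] += 1
    return accepted, tally


# Constructed cookie jar mirroring the post: 4 first-party cookies from the
# visited site (placeholder name) and 191 cookies set from other domains.
VISITED = "www.example-kids-site.com"
SAMPLE_OFFERED = [
    "www.example-kids-site.com", ".example-kids-site.com",
    "games.example-kids-site.com", "static.example-kids-site.com",
] + [f"pixel{i}.tracker{i % 7}.net" for i in range(191)]


def count_with_policy(block_third_party: bool) -> int:
    """How many of the sample cookies a browser with this setting would keep."""
    accepted, _ = accept_cookies(VISITED, SAMPLE_OFFERED, block_third_party)
    return len(accepted)


if __name__ == "__main__":
    print("third-party allowed:", count_with_policy(False))  # 195
    print("third-party blocked:", count_with_policy(True))   # 4
```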



[1] A website might not work if you block all cookies, which doesn’t change the fact that you’re in control. A discussion of cookie management can get quite involved. What I’m considering here are not flash cookies, but the old-fashioned, 90s technology flat text cookies we’re all familiar with, which in recent versions of Firefox are kept in a SQLite database.

[2] I thought the default in Firefox was to block third-party cookies, which means to get all those 191 cookies you’d need to deliberately change the setting. I need to check this.



just rehearsing

a tombstone.


Critical Thinking 101: WSJ #1

Today’s Wall Street Journal story “On Web, Children Face Intensive Tracking”, is interesting, and if you go to the website and click around you find it has a fair bit of material that fills in gaps. There’s a decent video explaining cookies, for those who don’t already know how they work.

I went to the web version of this story because the paper version said this:

(Full methodology, as well as previous privacy investigations in this series, at

I wanted to know about the “full methodology” for the study, because the article has several precise figures for the number of “tracking tools” placed on the Journal’s test computer. Precise figures suggest a methodology rigorous enough to produce reliable, precise figures:

…Y8 installed 69 tracking files…

…On average, the eight installed 81 tracking tools, close to the 82 average for all 50 sites…

…a games site called, installed 146; another game-and-video site,, installed 92…

…the math-games site installed 60 on a test computer…

… installed 144 tracking tools in the Journal’s test…

Here’s the Critical Thinking 101 question for the day: What do you need to know about the Full Methodology of the research before you can gauge the importance of all those exact numbers?

Here’s what I think are basic, pass-fail, questions the Full Methodology information must answer:

1. What did they count?

In this case, it’s not difficult. We know what cookies are, since they’ve been around for a long time, since Windows 95 days. Flash cookies and beacons, we’ll guess, are different from traditional flat text cookies, but still discrete, countable things. In other words, if you looked at a bunch of them together there wouldn’t be any doubt as to whether there were 10 or only 8.

Principle #1: Whenever we read numbers, where things have been counted, it’s important to ask, What exactly did they count?

2. How many pages were pulled back from each site and how were those pages selected? Did the researchers just click on links randomly or did they have an algorithm for selecting links?

It’s an obvious possibility that the more pages someone clicks through, the more cookies will be collected, and different kinds of pages could serve cookies differently.

Principle #2: Whenever we read numbers, where things have been counted, it’s important to ask, How did they count?

3. What were the browser (and flash) settings?

Cookie intake is largely controllable by the user.[1] With the browser I’m using presently (Firefox 3.6), I can allow or not allow 3rd party cookies; accept cookies in general, but make exceptions for particular sites I want to deny; deny cookies in general but allow them for particular sites; flush them when I close the browser… It’s fairly granular control, and that’s just with basic browser configuration settings; other functionality is available with plugins or 3rd party software, and if I’m especially fastidious there are tricksy things I can do with my home network firewall, or with the hosts file on my computer.

Given that cookies slurped off the web are controlled by the user, how did the Wall Street Journal’s user doing research set the controls?

Principle #3: Whenever we read numbers, where things have been counted, it’s important to ask, How were things that could affect the count controlled?

With those 3 questions and principles in mind, how does the WSJ’s Full Methodology score?

Not very well, I’m afraid. In fact, it flunks.

But, the fact that the WSJ offered something intended to be a “full methodology” for the research at all, and referenced it in the paper edition, is very much to the Journal’s credit. In general interest media, studies are often cited, but information about how these studies are done — study methodology — is so rare that anything at all about the methodology of a study is worth noting, and even celebrating. With that in view, we can give the WSJ a few points for at least showing up[2], which pulls its grade up from a solid F to, say, a weak D+.


[1] Yes, I know that Adobe’s ubiquitous flash software has made absolute control of all cookies somewhat more complex than it was 10 years ago.

[2] In many situations in life, you may not excel, but you can pass if you just show up.


Defending a new domain 5

“Like an answer, the three slogans on the white face of the Ministry of Truth came back at him…” -George Orwell

William J. Lynn III made this statement:

In cyberspace, the offense has the upper hand. [1]

As noted in a previous post, Mr. Lynn doesn’t bother to make a serious argument in support of this dubious theory. He does preface the assertion with a paragraph that begins “First, cyberwarfare is asymmetric”. But asymmetric warfare is what you have when an unambiguously superior force is dealing with pin prick annoyances at a tactical level. It has nothing to do with whether there is an intrinsic strategic advantage for the offense in a contest between equally matched opponents.

Mr. Lynn doesn’t make any effort to convince readers that “in cyberspace, the offense has the upper hand,” but as his essay develops he does refer to the theory, as if it were a settled fact:

In an offense-dominated environment, a fortress mentality will not work.

Given the dominance of offense in cyberspace…

Now, I’ve got a question for you: How would you complete that second sentence?

Given the dominance of offense in cyberspace _________________.

Well, logically, you’d insert something like, “it is imperative that the United States have a strong offensive posture” or “we must invest resources in offensive capabilities” or “we must accept the possibility that to win a conflict in cyberspace we will need to strike first”.

Given the dominance of offense, the side you want to be on is the side that goes on the offense, right? Let’s say, it’s football and it’s the Pittsburgh Steelers vs. Herndon High School. Complete this sentence: Given the dominance of the Steelers in football, I should place a large bet on __________.

If you say, “Herndon HS”, read no further. I’ve lost you.

You will not believe how Mr. Lynn completes the sentence:

Given the dominance of offense in cyberspace, U.S. defenses need to be dynamic. [emphasis added]

I understand that to mean, essentially, “Because A can beat the fool out of B, the U.S. should go with B shaking its hips and making funny faces.”

If you read this essay closely, you start to wonder if Mr. Lynn really wrote it. That is, you wonder if any one person wrote it. There are odd inconsistencies and logical gaps, context switches, subtle vagaries…

Certainly a government bureaucrat could produce 10 or 12 pages of text with logical issues. I understand that. But this essay reads more like the product of a committee, cobbled together over a long period of time, with compromises in selection of words and phrases — compromises that have nothing at all to do with network security (or “cybersecurity”, if you’re a jargon addict) and everything to do with some bizarre high-wire balancing act performed in the Circus where those ridiculous clowns we elect to public office gather to devise new con games for taking away what we work hard to earn…

But… I digress : – )

At any rate, the numerous incoherent threads running through this essay can be nicely summarized by this one incoherent statement: “Given the dominance of offense in cyberspace, U.S. defenses need to be dynamic.”

An inquisitive reader, W. Smith, asks:

“So, where you expect the word ‘offense’ Mr. Lynn uses a curious phrase, ‘dynamic defense’?”

Yes, that’s right.

Smith: “And as the essay continues, does Mr. Lynn come back to the concept of dynamic defense?”

Yes, he does.

Smith: “Does he define it?”

No, he doesn’t.

Smith: “I see.”

Ah… I’m not sure I see, but… this is reminding me of something… surely it’s not… The B Vocabulary?

Hold on… Where did I leave my copy of 1984?


[1] Foreign Affairs, September/October 2010: “Defending a New Domain”


Defending a new domain 4

William J. Lynn III makes this statement:

In cyberspace, the offense has the upper hand. [1]

And the reason for this?

The Internet was designed to be collaborative and rapidly expandable and to have low barriers to technological innovation; security and identity management were lower priorities. For these structural reasons the U.S. government’s ability to defend its networks always lags behind its adversaries’ ability to exploit U.S. networks’ weaknesses.

His summary of the “structural reasons” is simply pitiful, but given what he says, what is to prevent “low barriers to technological innovation” from including technical innovations that improve security?

Nothing. In fact, that’s exactly what has happened. Where a need appears, people innovate.

As the internet has evolved from the days when a single hosts file was retrieved periodically by the few hundred computers linked in the network, the need for and importance of security has grown, so there has been tremendous, inexorable technical innovation in the area of security. Security-oriented tools — firewalls, virus scanners, spam filters, wireless encryption algorithms, etc, etc… — have proliferated and become highly sophisticated. And the way we do things has changed. Do you still attach a Windows box directly to the net with file and print sharing enabled? I’ll bet you don’t. Your 12-year-old getting familiar with Linux knows ssh, but if she’s heard of it at all, she thinks “telnet” has something to do with fat televisions, like the one in the attic.

If Mr. Lynn wanted to identify a “structural reason” that could plausibly explain why offense would have the upper hand, he could have used this paragraph from later in his essay:

On average, it takes the Pentagon 81 months to make a new computer system operational after it is first funded. Taking into account the growth of computing power suggested by Moore’s law, this means that by the time systems are delivered, they are at least four generations behind the state of the art.

Yes, that could explain why the U.S. military, on defense, would be at a disadvantage with respect to, say, 4 or 5 Russian teen-agers taking the offense.

But using that as an explanation for a special advantage enjoyed by the offense in cyberspace, is problematic: it doesn’t explain why offense per se is superior to defense per se. It would support the idea that a technically lagging network will be at a disadvantage, defensively, against a relatively cutting edge offense. And it would explain the “always” in this statement: “...the U.S. government’s ability to defend its networks always lags behind its adversaries’ ability to exploit U.S. networks’ weaknesses.”

A poorly defended network will always be at a disadvantage when up against clever and energetic attackers, and perhaps even against an attacker with mediocre skills who happens to get lucky. The “significant compromise” Mr. Lynn describes in his essay’s introduction could be cited as an example of an indifferent offense that overwhelmed the military’s inept network defenses.

Does offense have a special advantage over defense in “cyberspace”?

No. The question doesn’t even make sense without particulars. The only reasonable response to that question is a clarifying question: What defense, and what offense?

Given some specific information about the defense and about the offense, you could argue for the advantage of one over the other, in a particular case.

Offense: worm exploiting Windows autorun
Defense: homogenous network of Microsoft operating systems, with autorun typically enabled
Prediction: Offense overwhelms defense initially; defense eventually wins because vulnerability is easily eliminated and unwanted files easily found.

That “Prediction” is what actually happened in DOD vs. Agent.btz.



[1] Foreign Affairs, September/October 2010: “Defending a New Domain”

Posted in Uncategorized | Leave a comment

Defending a new domain 3

William J. Lynn III was asked a question by Wired writers about an alleged foreign intelligence connection to a run-of-the-mill Windows exploit that got loose on Department of Defense networks in 2008:

But what spy service would launch such a lame attack?

His response did not address the question:

“It isn’t the most capable threat, I agree with that,” Lynn replies. “But that kind of makes the point. If you had something of the kind of capability you described and we suffered a compromise as the result of it, it clearly means that we need to have a new strategic approach…”

Mr. Lynn’s answer is not about spy services, spy service motivations, spy service capabilities or anything else related to spy services. It’s about DOD strategic approach going forward. DOD strategic approach going forward might be fascinating, but to me, the original question is quite as interesting and merits a better answer: “What spy service would launch such a lame attack?”

Here are two theoretical approaches to an answer:

#1. A lame spy service, or lame non-state entity, would launch a lame attack. In this category would be Somalia, North Korea, feudal realms that show on the map as being part of Pakistan, Iraqi factions, etc. The idea here is that if it was an unsophisticated attack, it must be an unsophisticated attacker. The attacker was doing his best, but his best was lame.

But what if the attacker wasn’t doing his best? What if the “lameness” was calculated? If the attack had been too sophisticated, DOD might not have noticed it at all, and if the attacker wanted DOD to notice, going unnoticed would defeat the purpose.

#2. So, another possibility: It wasn’t a real “attack” at all; it was a probe, a sophisticated adversary’s investigation into readiness of the U.S. military, a way of getting some information about how the military might react to a real attack.

In the context of traditional combat a commander may send a small body of troops forward to probe the enemy. The objective isn’t to break through enemy lines or win a battle, but rather to get enough of a skirmish going to see what the strength of an opponent is, to learn something about the disposition of opposing forces and their agility in response.

Could Agent.btz have been a probe?

Personally, I doubt the worm had anything at all to do with an intelligence service, but setting aside that skepticism, if its source was a foreign spy service, and it was a probe, what did adversaries learn about DOD readiness?

1. DOD was unprepared for an exploit which was already familiar.

Windows autorun has been a known vector for worms since the 1990s. This suggests that DOD’s approach to network security is reactive rather than proactive. DOD is not looking around, is not surveying the landscape as it were; DOD isn’t analyzing known exploits with its own deployed software (and hardware) in mind.

2. DOD’s reaction was disproportionate and off target:

The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further. [Wired Nov. 2008]

The Pentagon actually launched an “operation” to deal with the worm: Operation Buckshot Yankee.

But remember, this was just a Windows autorun worm. Why not turn off autorun on Windows boxes, then require that removable storage devices be checked before use? How to check a device? Turn off autorun on a Windows machine and that machine can now safely check for Agent.btz on a thumb drive. If you see it, delete AUTORUN.INF and executables that go with it (better: copy the files somewhere first; the more specimens the better).
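The check described above, as an added PowerShell example that is not part of the original post: it disables AutoRun for every drive type through the NoDriveTypeAutoRun policy value, then parses a removable drive’s AUTORUN.INF for the files it would launch and copies them to a quarantine folder before deleting them. The drive letter and quarantine path in the usage lines are assumptions.

```powershell
# Added example (not from the original post). Drive letter and quarantine
# folder below are assumptions; nothing here is specific to one worm sample.

# 1. Disable AutoRun for all drive types (bitmask 0xFF) on this machine, so
#    plugging in a drive cannot execute anything named in its AUTORUN.INF.
#    The policy value is read at logon, so sign out and back in afterwards.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 2. Parse AUTORUN.INF on a removable drive and list every file it would run.
#    Execution comes from open=, shellexecute= and shell\<verb>\command= keys.
function Get-AutorunTargets {
    param([Parameter(Mandatory)][string]$DriveRoot)
    $inf = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path $inf)) { return @() }
    $targets = @()
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$') {
            # First token is the program; drop surrounding quotes and a leading .\
            $prog = ($Matches[2].Trim() -split '\s+')[0].Trim('"') -replace '^\.\\', ''
            $targets += (Join-Path $DriveRoot $prog)
        }
    }
    return $targets
}

# 3. Keep specimens for analysis first, then remove AUTORUN.INF and the
#    executables it points at. -Force handles the hidden/system attributes
#    such files usually carry.
function Invoke-AutorunQuarantine {
    param([Parameter(Mandatory)][string]$DriveRoot,
          [Parameter(Mandatory)][string]$QuarantineDir)
    $inf = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path $inf)) { Write-Host "No autorun.inf on $DriveRoot"; return }
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $files = @($inf) + @(Get-AutorunTargets -DriveRoot $DriveRoot | Where-Object { Test-Path $_ })
    foreach ($f in $files) {
        Write-Host "Quarantining $f"
        Copy-Item -Path $f -Destination $QuarantineDir -Force
        Remove-Item -Path $f -Force
    }
}

# Usage (assumed values): inspect first, then quarantine.
# Get-AutorunTargets -DriveRoot 'E:\'
# Invoke-AutorunQuarantine -DriveRoot 'E:\' -QuarantineDir 'C:\specimens\autorun'
```

Run step 1 from an elevated prompt; steps 2 and 3 work against any drive letter once AutoRun is off.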

3. DOD strategists went off on a snipe hunt.

This incident was “an important wake-up call,” according to Mr. Lynn. Two years later, his essay in Foreign Affairs suggests that after DOD woke up it invited a bunch of Hollywood script writers to start attending meetings with defense contractors and network-security-illiterate bureaucrats — to devise an expansive strategy that would include everyone and do everything.

First accomplishment of this team: slap a new label — “Cyber” — on everything that for more than a decade we’ve called “network security”. And jack up the price. Then, instead of doing things to improve existing network security operations, add on top of real network security work a thick layer of talkers, report writers, PowerPoint presenters and strategic thinkers. CyberExperts. Network security expertise: Not Required.

How would an adversary use knowledge gained by an Agent.btz probe? One thought:

If the Pentagon, and the U.S. Government in general, is prone to over-react to network intrusion events, an intrusion doesn’t need to be effective in itself; it might be as lame as Agent.btz, with most of its impact dependent on U.S. over-reaction.

Here’s what I see: People who should approach real network security problems with balanced, thoughtful analysis instead defer to sci-fi-obsessed storytellers — who can be depended on to propose super-cool, super-scary cyber-problems, even cyber-catastrophes, like financial system collapse and power grid failures.

Is all the wacky talk of cyber-this and cyber-that preparing our military, and more broadly, the U.S. Government, to react with hysterical frenzy to network security incidents?

Take a picture of this:

A geeky attacker wearing a funny hat but without a weapon jumps out from around a corner and shouts, “Boo!” The American soldier is startled, and seconds later he blows himself up fumbling with radio, gas mask, rifle, bayonet and grenade pins all at once…

In the wake of Agent.btz and the introduction of DOD’s extravagantly off-target cyberdefense strategy, an adversary may be thinking…

“They over-react… hmm… very interesting.”
