Countdown To Zero Day

Kim Zetter, 2014


A book about Iran by an Israeli. OK, now that that is out of the way ...

The book is about Stuxnet, the virus created by the United States and Israel to damage the centrifuges Iran is using to enrich uranium.

Nuclear

The book seems to imply that Iran was attempting to make a nuclear weapon, since the same centrifuges can be cascaded in series to produce the 95% U235 material a fission weapon needs, as opposed to cascaded in parallel to produce 20% U235 for Triga-style reactors, or vastly more 4% U235 material for power reactors. The mere existence of lots of centrifuges does not demonstrate a desire for bombs. Many Iranian leaders have stated publically that nuclear weapons are evil and contradictory to Islam. Perhaps they are liars; if so, they aren't the only ones.

Iran has a small amount of native uranium ore, and imported most from China. How much native uranium they can mine depends on the ore concentration they will bother with, so they could conceivably run a nuclear economy with domestically sourced uranium, or purchase it from other outcast islamic nations in Africa. Since the US and its allies like to impose embargos on Iran, and permitted Saddam's attack on the country, it is not surprising that the Iranians seek energy independence.

Israel has perhaps 200 nuclear weapons, some of them fusion, and wants a regional monopoly. Pakistan has perhaps 90, and the Saudis have ICBMs that can deliver them anywhere. If Iran made a few weapons, and exploded all of them in Israel, both Iran and Pakistan would be wiped off the face of the earth. If Iran used nuclear weapons as a last ditch measure to protect themselves the Sunni Daesh looters (ISIL, ISIS) invading their country, would they still be attacked?

Mindreading is for paranoid fools. The shah is dead, as are most of the US state department idiots who propped him up. The US should befriend Iran, and build interdependence and friendship, not embargos.

Note: The cover picture is not described, but it is the Esfahan Iran production complex. That took a one hour search of digitalglobe.com to figure out. About half of the industrial space is devoted to zirconium production, useful for power reactor fuel rods, but not used to make uranium bombs. The picture is evidence for peaceful power production, not weapons.

More useful pointers at:

http://fas.org/issues/nonproliferation-counterproliferation/nuclear-fuel-cycle/uranium-enrichment-gas-centrifuge-technology/separation-theory/

http://lewis.armscontrolwonk.com/archive/1035/more-fun-with-swu

Stuxnet

This is where this book is important - though the interleaving of episodes is annoying and difficult to follow. Perhaps the interleaving helps obscure the many redundancies, permitting a fatter book with a higher sales price, while retaining much dime-per-word verbiage seemingly intended for magazine articles.

The Stuxnet virus worked by attacking (through Windows PCs) the Siemens Step 7 series Programmable Logic Controllers that controlled and monitored the centrifuges, speeding or slowing them and wearing out the bearings, while reporting "all condition normal" to the PCs and the human operators monitoring operations.

The virus was discovered independently by Liam O'Murchu, Nicholas Falliere, and Eric Chien at Symantec in Culver City, California, and by Boldizsár Bencsáth and Jóska Bartos in Budapest, Hungary. A more complete picture emerged as others joined in, including PLC security researcher Ralf Langner in Hamburg, Germany.

The complexity and sophistication (in places) of the code shows that it was not an amateur effort. It includes four new "zero days", insecure flaws in Microsoft Windows that allow it to infect computers. One of the flaws is in the Windows Update system; Zetter points out that this makes that system untrustworthy for everyone.

Besides threatening the update system, Stuxnet does two things that are bad for the United States and the world. First, it released a whole bunch of weaponized code to a world of malware writers, many examples of extremely dangerous "best practices" that can now be studied and copied by the less skilled. Second, it establishes attack malware as a "legitimate" weapon in peacetime; if such attacks were launched against the United States, we have established that it is "OK" to do so.

So, OK, the book is flawed and biased, though not as flawed as anything I might write. I can think of far worse exploits than the power grid examples used by Zetter - and NO, I will not write about them here. I suspect there is a whole world of cat-and-mouse cyber demonstration and diplomacy going on right now, a secretive "balance of terror" practiced at the state level by back channel, keeping our rickety infrastructure intact. Scaring the boobs into supporting powerful central states, without taking those states past the brink of global destruction.

Relevance to Server Sky

I write this a day after the public revelation of the Android "Stagefright" vulnerability - and asking our cell provider to turn off text messaging for my wife's "smart" phone. Why is this relevant to Server Sky? A torrent of radiation-induced Single Event Upsets will require massive monitoring and self-correction. That already-complex hardware extension should also encompass security, building in multiple methods to monitor the health and security of a thinsat. In spite of open technology and best efforts, there will be successful attacks. Server sky operators must also be able to permanently disable and recycle irretrievably compromised thinsats, and have built-in economic incentives to do so.

We must also demand engineering-grade software production and analysis tools, forgoing fashionable software techniques that enhance performance or glitz at the expense of security and life-cycle safety. Again, constructing economic incentives into the architecture of the thinsats before the first prototypes are built will be a design challenge. This is no place for "build something fast and cross your fingers."

CountdownToZeroDay (last edited 2015-07-28 21:27:12 by KeithLofstrom)