http://news.yahoo.com/s/csm/327178


Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.


Could some proponent of nuclear power please address the implications of this?

One of my main concerns with nuclear power is that reactors make very high priority targets. You could have an extremely safe reactor, but when the computer systems get overrun and are functioning in a way that is specifically designed to cause harm, that is a serious concern.

Computer security is always expensive and a hassle, so don't expect infrastructure orgs, like PG&E, etc, to cut their profits by implementing strong security or maintain their infrastructure as 5 nine's, until, like PG&E or BP or Exxon, something like catastrophic happens, like people getting killed.

It's cheaper for the orgs to pay their liability insurance and run with their pants down until they trip. And usually it's not these orgs' employees or mgmt that gets inconvenienced or killed. Dead and maimed people are just capitalism's cost of doing business.

As withWall St having the funds to overpay and suck up so much young intellectual talent to maintain Wall St frauds and gaming the system, criminals motivate their security crackers with much better pay than your garden-variety corporate chair-warming Chief Security Officer and his salary-squished team. aka, asymmetric warfare.

One would hope that such systems have no online access.

One would hope that such systems have no online access.

The Iranian reactors presumedly targeted had no online access.

That attack was carried out by a simple memory module inserted into a computer system by a contractor.

What happens when you get a disaffected big bad gub'mint hater like Timothy McVeigh being given such a program by a very determined terrorist group with years to prepare?

The problem with nukes is that the price for catastrophic failure is... really catastrophic.

The Iranian reactors presumedly targeted had no online access.

That attack was carried out by a simple memory module inserted into a computer system by a contractor.

What happens when you get a disaffected big bad gub'mint hater like Timothy McVeigh being given such a program by a very determined terrorist group with years to prepare?

The problem with nukes is that the price for catastrophic failure is... really catastrophic.
Where I work, they are having issues with people using USB drives, plugging in IPODS to charge etc. Out IT section simply disabled the accessible USB ports.

Still want to build hundreds of new nuclear reactors?

Yes

the internet is under attack this is just another version of the scare tactics used by our govt for decades now. Commies, Red Giants, Terrorists, Drug Wars, all an excuse to capture control. You're fed fear to justify the already-determined aims of big govt.

The internet is under attack.
http://www.huffingtonpost.com/2010/09/22/bonnie-raitt-rem-moveon-t_n_735365.html

http://www.huffingtonpost.com/2010/06/25/internet-kill-switch-appr_n_625856.html

dont be scared. The important thing is that we stop living our lives in fear. Fear =control.

The other day you were telling us we shouldn't trust the tap water but now you'd have us all calm down.

Do you like to spread fear, Parker?

The other day you were telling us we shouldn't trust the tap water but now you'd have us all calm down.

:lol

What group of people might want to attack a nuclear reactor?

What group of people might want to attack a nuclear reactor?

the group of people that control your life.

Actually, this is a very specific threat, and by the looks of the tech used, it was specifically targeting software created by Siemens to do industrial control. That it massively spread in Iran when the worm itself limited the infections, points to specific targeting.

Ultimately it's Siemens that needs to be concerned and provide beefed up security that the OS it's running on does not.

Actually, the attack was not specifically against Nuclear Reactors, but any facility that used the Siemens control software (which may or may not include Nuclear Reactors). There's really no evidence that the Siemens software would be able to, say, cause any facility to blow up. I would expect actual hardware safewards against conditions like that.

Considering the limited targeting and the type of bugs exploited, I agree this is most likely a state-sponsored worm. The question really is which state would be behind this.

The other day you were telling us we shouldn't trust the tap water but now you'd have us all calm down.

What an elementary conclusion. Draw the parallels. What do these two stories have in common? What is my common objection in both? Excessive government control. 1 through science, 1 through fear. 1 commonly used by the left, 1 commonly used by the right. Both effective at usurping the freedoms we would otherwise enjoy. Freedom to decide how and with what we medicate ourselves, and a free internet.

http://3.bp.blogspot.com/_j6135gEuOCM/TIWKfr3VnfI/AAAAAAAABZQ/o2rCGiCXaiQ/s1600/checkmated2.jpg

http://3.bp.blogspot.com/_j6135gEuOCM/TIWKfr3VnfI/AAAAAAAABZQ/o2rCGiCXaiQ/s1600/checkmated2.jpg
Where's the Red Queen?

Where's the Red Queen?

indulge in some of that local hydroponic and she will surely come.

Where's the Red Queen?

you should be on the side of the free btw...

indulge in some of that local hydroponic and she will surely come.
Don't need hydroponics here in Oregon. Just some good volcanic soil.

The problem with nukes is that the price for catastrophic failure is... really catastrophic.

That's scary. I'm scared. Are we all going to die?

Even without sabotage all the nuclear reactors will blow up at 12am, January 1st, 10000. Damn extra digit!

What an elementary conclusion. Draw the parallels. What do these two stories have in common? What is my common objection in both? Excessive government control. 1 through science, 1 through fear. 1 commonly used by the left, 1 commonly used by the right. Both effective at usurping the freedoms we would otherwise enjoy. Freedom to decide how and with what we medicate ourselves, and a free internet.So you buy your own bs about the tap water and you believe in a free internet? Cool.

I hope you can afford all your DVDs. Best of luck.

Software is not the be-all end-all for nuclear control. If a virus caused a situation in the reactor to become serious, it would go into an emergency shutdown state. The reactor core/personnel are able to initiate a S.C.R.A.M. (My favorite acronym ever, btw*) that immediately submerses the core into coolant and halts any further reaction.

Nuclear power plants are some of the safest buildings ever designed, especially post-Chernobyl. The only reason Chernobyl happened is that there weren't nearly as many hardware backups, and workers there took ALL the safeties off the reactor core for a scheduled shutdown... except they didn't actually shut the core down.

There are extremely well-designed hardware failsafes in every nuclear facility now. Are they 100% effective? Probably not. But it's doubtful we will ever see another Chernobyl, at least in our lifetimes.







S.C.R.A.M. - Safety Control Rod Axe Man :lol

So you buy your own bs about the tap water and you believe in a free internet? Cool.

I hope you can afford all your DVDs. Best of luck.

all the BS about tap water? Regardless what you think about flouride, it doesnt bother you in the least that:
1. Chinese industry is shipping flouride straight into the public water supply? WTF? How is entrusting the public's health to chinese industrial standards ON A NATIONAL SCALE a conspiracy?:wtf
2. That our municipalities are spending millions :bling on "treating" youngsters teeth, when they could easily make the choice to brush and get flouride treatments in most cases? :shootme
3. And even if there is only a small percentage of the population who has trouble with ingesting flouride (of which my little brother is one), why the fuck are we forcing these folks to ingest shit that makes them sick?:splitter

Enjoy your preconceived notions, :sucker, and enjoy my simultaneous rhetorical/smiley:pimpslap!

all the BS about tap water? Regardless what you think about flouride, it doesnt bother you in the least that:
1. Chinese industry is shipping flouride straight into the public water supply? WTF? How is entrusting the public's health to chinese industrial standards ON A NATIONAL SCALE a conspiracy?:wtf
2. That our municipalities are spending millions :bling on "treating" youngsters teeth, when they could easily make the choice to brush and get flouride treatments in most cases? :shootme
3. And even if there is only a small percentage of the population who has trouble with ingesting flouride (of which my little brother is one), why the fuck are we forcing these folks to ingest shit that makes them sick?:splitter

Enjoy your preconceived notions, :sucker, and enjoy my simultaneous rhetorical/smiley:pimpslap!

1. Flouride is flouride. Chinese or not. I rather suspect the Chinese flouride in question meets the standard.
2. Perhaps our municipalities should abandon safety code inspections. I mean after all, if a homebuilder wants to make sure his home is safe, he can always hire one on his dime.
3. Eggs make my daughter sick. Shall we ban them as well?

You do realize that the process of flouridation often consists of removing flouride from the municipal water supply, right?

That little bon mot is compliments of a buddy who oversees the municipal water supply for a largish Southern CA municipality.

What group of people might want to attack a nuclear reactor?

The same group of people who fly planes into buildings. Not sure about your question. Your point is....?

What an elementary conclusion. Draw the parallels. What do these two stories have in common? What is my common objection in both? Excessive government control. 1 through science, 1 through fear. 1 commonly used by the left, 1 commonly used by the right. Both effective at usurping the freedoms we would otherwise enjoy. Freedom to decide how and with what we medicate ourselves, and a free internet.

So science is bad?

That's scary. I'm scared. Are we all going to die?

No. But we should consider risks like rational adults, when making policy decisions.

This was a risk that most had not considered until very recently.

Since it is serious, and real, do you think we should blithely ignore it?

Is that what you are saying?

No. But we should consider risks like rational adults, when making policy decisions.

This was a risk that most had not considered until very recently.

Since it is serious, and real, do you think we should blithely ignore it?

Is that what you are saying?

Hardware failsafes. Do you know how a modern nuclear reactor works? Or are you just buying into the culture of fear because someone is making a lot of noise?

the internet is under attack this is just another version of the scare tactics used by our govt for decades now. Commies, Red Giants, Terrorists, Drug Wars, all an excuse to capture control. You're fed fear to justify the already-determined aims of big govt.

"they are out to get us".

Sorry, not buying it. Have anything else for sale?

Hardware failsafes. Do you know how a modern nuclear reactor works? Or are you just buying into the culture of fear because someone is making a lot of noise?

I am not intimately familiar with how reactors work, no.

I would hope there are such failsafes.

No one is making a lot of noise about this, it was something I ran across in my daily news trawl.

Quite honestly, I am sure that such attacks can be guarded against fairly effectively. I am also sure that the risks while mitigated, still exist. The question in the OP was an honest one. I really did want to know some information, and was hoping someone a bit more familiar could provide it.

As I have said before, I am not against nukes just to be against nukes, but *do* want the issue addressed comphrehensively and rationally.

In short, I am not buying into an irrational fear, as you seem to suggest.

I *am* buying into an honest look at the advantages and drawbacks.

Another drawback to nuclear reactors is that they could become self aware and then mistakenly think they were playing a game of chess and blow us all up.

Milk makes my wife and a friend of mine sick. I guess we should ban milk then as well.

dickhead convinced everybody that "modern technology" was so advanced that there was no risk to drilling and piping in Alaska (or anywhere).

I'm sure his assurances are also good to 100s of nuclear plants, that McLiar/2008 said he wanted to build.

But even before looking at operational dangers, who's going to finance $10B/each, and who's going to insure for 10s of $Bs? The capital and insurance costs are significant.

France and Siemens know how to build nuclear plants and are an example for inexperienced US builders?

http://www.businessweek.com/news/2010-06-24/areva-s-overruns-at-finnish-nuclear-plant-approach-initial-cost.html

http://www.nytimes.com/2009/05/29/business/energy-environment/29nuke.html?pagewanted=print

1. Flouride is flouride. Chinese or not. I rather suspect the Chinese flouride in question meets the standard.
2. Perhaps our municipalities should abandon safety code inspections. I mean after all, if a homebuilder wants to make sure his home is safe, he can always hire one on his dime.
3. Eggs make my daughter sick. Shall we ban them as well?

You do realize that the process of flouridation often consists of removing flouride from the municipal water supply, right?

That little bon mot is compliments of a buddy who oversees the municipal water supply for a largish Southern CA municipality.

Well, I have worked in water/wastewater and my wife oversees laboratory analyses for multiple municipalities and industrial entities throughout Texas, so we both have some knowledge of the area.

Now on to these:

1. Flouride is flouride. Chinese or not. I rather suspect the Chinese flouride in question meets the standard.

I dont trust the Chinese Industrial practices. Neither do these guys. They summarize Chinese infractions towards the end. Maybe you should reconsider where you put your faith.
http://www.youtube.com/watch?v=nZRWvcvPo3o


2. Perhaps our municipalities should abandon safety code inspections. I mean after all, if a homebuilder wants to make sure his home is safe, he can always hire one on his dime.
Safety codes protect the public at large. Real Property changes hands. If you take out this safeguard, you diminish the transferability of real estate, which is a major economic driver for our economy. People wont buy/sell so readily. Liquidity in the market is key to our overall economic health, and people need to be able to trust building standards so they buy/sell realty, create/generate wealth, build personal equity etc.

If you are implying that flouride is a required safety measure for citizens, please explain. Im not convinced of that myself. Other countries do great without it.


1) 97% of western Europe has chosen fluoride-free water . This includes: Austria, Belgium, Denmark, Finland, France, Germany, Iceland, Italy, Luxembourg, Netherlands, Northern Ireland, Norway, Scotland, Sweden, and Switzerland. (While some European countries add fluoride to salt, the majority do not.) Thus, rather than mandating fluoride treatment for the whole population, western Europe allows individuals the right to choose (http://www.fluoridealert.org/govt-statements.htm), or refuse, fluoride.



3. Eggs make my daughter sick. Shall we ban them as well?


These two things are incomparable. There is no one forcing your daughter to ingest eggs. Thats the whole point.

If the eggs made your daughter sick, and the govt forced her to eat eggs every day, wouldnt you be opposed to it? Especially if she could get her protien/nutrition from other sources?

We dont need flouride so why do we administer en masse? I think I know, but I will close with this:

Water fluoridation’s benefits to teeth have been exaggerated. Even proponents of water fluoridation admit that it is not as effective as it was once claimed to be. While proponents still believe in its effectiveness, a growing number of studies strongly question this assessment. (24-46) According to a systematic review published by the Ontario Ministry of Health and Long Term Care, "The magnitude of [fluoridation's] effect is not large in absolute terms, is often not statistically significant and may not be of clinical significance." (36)

a) No difference exists in tooth decay between fluoridated & unfluoridated countries. While water fluoridation is often credited with causing the reduction in tooth decay that has occurred in the US over the past 50 years, the same reductions in tooth decay have occurred in all western countries, most of which have never added fluoride to their water. The vast majority of western Europe (http://www.fluoridealert.org/health/teeth/caries/who-dmft.html) has rejected water fluoridation. Yet, according to comprehensive data (http://www.fluoridealert.org/health/teeth/caries/who-dmft.html) from the World Health Organization, their tooth decay rates (http://www.fluoridealert.org/health/teeth/caries/who-dmft.html) are just as low, and, in fact, often lower than the tooth decay rates in the US. (25, 35, 44)
b) Cavities do not increase when fluoridation stops. In contrast to earlier findings, five studies published since 2000 have reported no increase in tooth decay in communities which have ended fluoridation. (37-41)
c) Fluoridation does not prevent oral health crises in low-income areas. While some allege that fluoridation is especially effective for low-income communities, there is very little evidence to support this claim. According to a recent systematic review (http://www.york.ac.uk/inst/crd/fluoridnew.htm) from the British government, "The evidence about [fluoridation] reducing inequalities in dental health was of poor quality, contradictory and unreliable." (45) In the United States, severe dental crises (http://fluoridealert.org/media/2002d.html) are occurring in low-income areas irrespective of whether the community has fluoride added to its water supply. (46) In addition, several studies have confirmed that the incidence of severe tooth decay in children (“baby bottle tooth decay”) is not significantly different in fluoridated vs unfluoridated areas. (27,32,42) Thus, despite some emotionally-based claims to the contrary, water fluoridation does not prevent the oral health problems related to poverty and lack of dental-care access.

http://www.fluoridealert.org/fluoride-facts.htm, #8.

"they are out to get us".

Sorry, not buying it. Have anything else for sale?

no they are not out to get us. They are out to get for themselves. Do you understand the difference? Do you understand that the more crises we face (real or fabricated) the larger the govt can grow, the more lucrative govt positions become, the more power govt can usurp, the more our liberties will suffer?

Milk makes my wife and a friend of mine sick. I guess we should ban milk then as well.

please read above. no one puts milk in the tap water.

So science is bad?

science is great. BUT, science isnt 100% reliable, can be manipulated with $ (just look at all the conservative think-tank studies on climate change), and BOTTOM LINE: Science can be used to rile the herd into the next pasture just as well as fabricated military intelligence can.

We dont need flouride so why do we administer en masse? I think I know, but I will close with this:

I think you are confusing bureaucratic and social inertia with sinister ulterior motives that you have provided no evidence for.

Do you have some evidence as to motive on the part of someone that I have not seen?

You do realize that the process of flouridation often consists of removing flouride from the municipal water supply, right?
.

you are confirming my thoughts on flouridation. we input unnecessary medication into the water supply at great expense, and then spend even more to remove that unnecessary chemical from the water supply, only to input it again.

Sounds like a hell of a way to spend money, considering we didnt have to put it in in the first place (see quote above re Western Europe).

science is great. BUT, science isnt 100% reliable, can be manipulated with $ (just look at all the conservative think-tank studies on climate change), and BOTTOM LINE: Science can be used to rile the herd into the next pasture just as well as fabricated military intelligence can.

No, science can't be used quite so easily. The problem with the assertion that "science can be manipulated", is that ultimately science seeks rather objective truths. Those truths, unlike intelligence estimates can be verified and tested.

You are vastly oversimplifying both things, making bad comparisons, and using false dilemmas based on a cynical worldview and little evidence.

I think you are confusing bureaucratic and social inertia with sinister ulterior motives that you have provided no evidence for.

Do you have some evidence as to motive on the part of someone that I have not seen?

wrong thread. There is evidence on the flouride thread in the form of links, provided to those interested. The flouridation is 1. a way to dispurse toxic byproducts of certain industrial processes (eg fertilizer manufacturing) without creating polluted hot spots, and 2. helps to mitigate the expense to the industrial actors.

This is done under the guise of healthy teeth, even though topical application is far better way to ensure healthy teeth, and ingesting the flouride hasnt really shown to be effective at all. It actually boils down to accomodating otherwise toxic activities by spreading the toxic byproduct over the entire population at levels that are not harmful. Boils down to $. But, that doesnt help sensative portion of the population, nor does it help children of uneducated moms who use flouridated water to make formula. Nor do municipalities educate on this:


Fluoridated water is no longer recommended for babies. In November of 2006, the American Dental Association (http://ada.org/prof/resources/pubs/epubs/egram/egram_061109.pdf) (ADA) advised that parents should avoid giving babies fluoridated water (3). Other dental researchers (http://www.fluoridealert.org/health/infant/) have made similar recommendations over the past decade (4).
Babies exposed to fluoride are at high risk of developing dental fluorosis (http://www.fluoridealert.org/dental-fluorosis.htm) - a permanent tooth defect caused by fluoride damaging the cells which form the teeth (5). Other tissues in the body may also be affected by early-life exposures to fluoride. According to a recent review published in the medical journal The Lancet, fluoride may damage the developing brain, causing learning deficits and other problems

http://www.fluoridealert.org/fluoride-facts.htm

No, science can't be used quite so easily. The problem with the assertion that "science can be manipulated", is that ultimately science seeks rather objective truths...

...only if the person funding the science wants an objective result. Scientists are not above $. They must eat too. This assertion is far too broad and assumes that every scientist has altruistic intentions.

Computer security is always expensive and a hassle, so don't expect infrastructure orgs, like PG&E, etc, to cut their profits by implementing strong security or maintain their infrastructure as 5 nine's, until, like PG&E or BP or Exxon, something like catastrophic happens, like people getting killed.


Boutons is pretty close to the truth here. Some of the big corporations do spend a good mint on security experts for trade secrets, or due to law. (A company has to be doing "due diligence" when it comes to security; if they get hacked and their employees' names come out, and their security was old, they could be held liable.

Let's say this: corporations will often hire IT security guys, but they're certainly not thrilled with it. IT security doesn't provide any visible, tangible benefits to the company; if the IT is doing their job well, then there should be limited to no penetration. This means a security manager has to sell themselves by saying, "Well, X amt of companies had IT losses related to security in the Y amt of dollars, and I can (kinda) guarantee you I can prevent that." :lol

You are vastly oversimplifying both things,

see above.

making bad comparisons.

I think the bad comparisons are comparing banning things that public can avoid ingesting with ceasing things the public is forced to ingest. If you cant see that, I cant help you really. But I think you can.

Another drawback to nuclear reactors is that they could become self aware and then mistakenly think they were playing a game of chess and blow us all up.

:rolleyes

Strawman logical fallacies simply reinforce my belief that people who generally believe the way you do are incapable of thinking about reality in a rational, logical manner. It is one of the main reasons why I am deeply skeptical of "conservative" policy solutions.

Thanks for making my point for me.

using false dilemmas...

the dilemma is expense, and liberty. It doesnt need to be any more than that. Freedom to be free from forced ingestion of potentially harmful "medication"

nothing false about it.

Where I work, they are having issues with people using USB drives, plugging in IPODS to charge etc. Out IT section simply disabled the accessible USB ports.

That works, in theory. But the point is that this is a "hands-free" cyber attack, needing no zombot-like controller. That means the virus could probably be disseminated in various ways; memory module, CD, etc etc. All software needs updates eventually. What if such a weapon got snuck into an update? I think that's the point.

using false dilemmas based on a cynical worldview and little evidence.

cynical perhaps. Little evidence: wrong thread. The evidence is in the flouride thread. we shouldnt hijack this one any further.

What group of people might want to attack a nuclear reactor?

You're so NUANCED, DarrinS. :lol

http://4.bp.blogspot.com/_WRYzUWY23r8/SGedqxubkAI/AAAAAAAAAEg/O32O8qoypoQ/s400/Game+Set+Match.jpg

Actually, the attack was not specifically against Nuclear Reactors, but any facility that used the Siemens control software (which may or may not include Nuclear Reactors). There's really no evidence that the Siemens software would be able to, say, cause any facility to blow up. I would expect actual hardware safewards against conditions like that.

That's what I didn't get about the article. It kept saying



Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.


What industrial process? And if this "process" self-destructs, does that have real-world effects? This is the one part I'm skeptical about; it sounds like the author may not be understanding what the IT experts are talking about.

...only if the person funding the science wants an objective result. Scientists are not above $. They must eat too. This assertion is far too broad and assumes that every scientist has altruistic intentions.

Not all do.

But then, I would not expect, nor claim otherwise.

You are implying that science in general has been subverted by people with money, bent on purposefully manipulating it to their own ends, and that some portion of scientists are going along with it.

If that is the point you are trying to make, then you need to provide some level of proof for that assertion.

Please provide proof showing that a majority, or even a large percentage of scientists have unaltruistic intentions.

Otherwise, we must assume that the stated intent of scientists, i.e. that of an objective, testible measure of reality, is correct.

You could clarify: what percentage of scientists are lying about that?

wrong thread. There is evidence on the flouride thread in the form of links, provided to those interested. The flouridation is 1. a way to dispurse toxic byproducts of certain industrial processes (eg fertilizer manufacturing) without creating polluted hot spots, and 2. helps to mitigate the expense to the industrial actors.

To my memory you never provided proof of motive.

Do you have a document on the part of a floride proponent or manufacturer stating that they are solely advocating the use of floride for no other purpose than to dispose/sell their product?

Not all do.

But then, I would not expect, nor claim otherwise.

You are implying that science in general has been subverted by people with money, bent on purposefully manipulating it to their own ends, and that some portion of scientists are going along with it.

If that is the point you are trying to make, then you need to provide some level of proof for that assertion.

Please provide proof showing that a majority, or even a large percentage of scientists have unaltruistic intentions.

Otherwise, we must assume that the stated intent of scientists, i.e. that of an objective, testible measure of reality, is correct.

You could clarify: what percentage of scientists are lying about that?

youre taking it to an extreme. It doesnt have to involve more than a handful who are willing to present contradictory findings for $. just look at litigation...each side can pay for experts to bolster their case. Same with politics. Each party/each interest can find scientists willing to support their angle, or at least undermine the oppositions. Its the American way. No findings win undisputed.

lying = overbroad generalization. Percentage poking holes in the opposition, not telling the entire story, playing devils advocate for $ = that percentage who can be bought. What percentage of any profession can be bought? Science would probably fall about equal to other professions.

So staying on topic, PCWorld did an article on this:

http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program. html

And they seem to pinpoint the effects this rootkit can have more precisely:



One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations -- things that need a response within 100 milliseconds. By messing with Operational Block 35, Stuxnet could easily cause a refinery's centrifuge to malfunction, but it could be used to hit other targets too, Byres said. "The only thing I can say is that it is something designed to go bang," he said.


Some other interesting stuff:


Whoever created Stuxnet developed four previously unknown zero-day attacks (http://www.networkworld.com/news/2010/091610-is-stuxnet-the-best-malware.html) and a peer-to-peer communications system (http://www.symantec.com/connect/blogs/stuxnet-p2p-component), compromised digital certificates belonging to Realtek Semiconductor and JMicron Technology, and displayed extensive knowledge of industrial systems. This is not something that your run-of-the-mill hacker can pull off. Many security researchers think that it would take the resources of a nation state to accomplish.

How it hides itself:

http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices



Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.


It's a pretty vicious piece of work, by all accounts.

So staying on topic, PCWorld did an article on this:

http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program. html

And they seem to pinpoint the effects this rootkit can have more precisely:



One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations -- things that need a response within 100 milliseconds. By messing with Operational Block 35, Stuxnet could easily cause a refinery's centrifuge to malfunction, but it could be used to hit other targets too, Byres said. "The only thing I can say is that it is something designed to go bang," he said.


Some other interesting stuff:


Whoever created Stuxnet developed four previously unknown zero-day attacks (http://www.networkworld.com/news/2010/091610-is-stuxnet-the-best-malware.html) and a peer-to-peer communications system (http://www.symantec.com/connect/blogs/stuxnet-p2p-component), compromised digital certificates belonging to Realtek Semiconductor and JMicron Technology, and displayed extensive knowledge of industrial systems. This is not something that your run-of-the-mill hacker can pull off. Many security researchers think that it would take the resources of a nation state to accomplish.

How it hides itself:

http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices



Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.


It's a pretty vicious piece of work, by all accounts.

To my memory you never provided proof of motive.

Do you have a document on the part of a floride proponent or manufacturer stating that they are solely advocating the use of floride for no other purpose than to dispose/sell their product?

the motive is absolutely there. the introduction of flouride follows industrial practices starting in florida. industry that was about to go bankrupt over pollution lawsuits.

it follows a typical chain of events. A commercial interest paid to fund a lobby interest under the table, who bought endorsement of the ADA, and effectively fleeced/bought politicians/public for flouridation. The same group lobbied for asbesos as well (science for sale). early 20th century. check the other thread. If I had time I would get it for you.

Hey Parker, RG, you guys mind taking your stuff to the flouride thread? kthxbai

Motive: why go B/R for poisoning the public, when you can sell your industrial waste and offset the scrubbing operations in your production plants?

Hey Parker, RG, you guys mind taking your stuff to the flouride thread? kthxbai

sorry mane. they called me out, I didnt start this. I asked them to take it over there a while back.

sorry mane. they called me out, I didnt start this. I asked them to take it over there a while back.

Discretion is the better part of valor.

The concerning part is that these rootkits TARGET the means by which any safety system would be able to respond. What good are procedures (dependent on human response) if the little bugger prevents access to the very systems that would enable a return to normal?

From my experience in a refinery setting, this type of attack would be severely crippling and devastating on many fronts (Environmentally, Economically, not to mention the Safety Hazards posed by the unplanned release of thousands of pounds of toxic chemicals, and flammable products).

If some 'State' did produce this kit as an attack on Iran's facilities... why would they arm them with such a weapon?... a stated by the article LnGrrrR posted above, the code can be reverse-engineered. Why wouldn't the creators realize that said tactic would backfire... someone out there has basically armed them with new weapons, weapons they can now use on us because it was delivered to their doorstep.

Public bliss would be better than having such articles enlighten whatever radicals are out there looking for new ways to exact their terrorism.

Public bliss would be better than having such articles enlighten whatever radicals are out there looking for new ways to exact their terrorism.

Eh, the security world has shown that public knowledge is by far much safer than keeping stuff private; that's roughly the whole idea of open-source docs, white-hat hackers, etc etc.

Better to get this knowledge out so people can check the systems currently infected now, and be on the lookout for future issues. This attack obviously hid itself quite well, but it was still discovered. Hopefully the cyber experts can use this info to track other variants. It was pretty sophisticated; anyone who isn't already heavily in the field probably isn't reading this article and becoming a hacker capable of writing this kind of code overnight.

That's what I didn't get about the article. It kept saying

What industrial process? And if this "process" self-destructs, does that have real-world effects? This is the one part I'm skeptical about; it sounds like the author may not be understanding what the IT experts are talking about.

That guy is dreaming or doesn't really know much about industrial systems. As pointed out in the Symantec article you quoted later, and another one I read a long time ago that had soundbites from both Symantec and Kapersky, the worm can reprogram a PLC in a industrial control hardware through the Siemens software. Due to the variety of installations that the Siemens software can control, it's really difficult, if not completely unlikely, that this was targeting more than one type of installation, if not a single installation entirely. That said, I'm pretty sure that if there's a big red button in the Siemens software, it's to shut down the entire system, not to blow it up.

Eh, the security world has shown that public knowledge is by far much safer than keeping stuff private; that's roughly the whole idea of open-source docs, white-hat hackers, etc etc.

Better to get this knowledge out so people can check the systems currently infected now, and be on the lookout for future issues. This attack obviously hid itself quite well, but it was still discovered. Hopefully the cyber experts can use this info to track other variants. It was pretty sophisticated; anyone who isn't already heavily in the field probably isn't reading this article and becoming a hacker capable of writing this kind of code overnight.

Agreed. This raises awareness on Siemens that they cannot trust the security base provided by Windows and they probably need to roll their own.

Plus, it's not like attacks like this one are really new. Targeted attacks at very specific programs or processes have existed for a long, long time. They just weren't labeled terrorism back then, and they normally used a single unknown backdoor, instead of multiple unknown backdoors. What's fishy about this one is that it's quite precisely targeted as far as a geographical area. Most worms don't really restrict themselves from infection. And if they do, it's to avoid detection and normally stop at a certain infection count. This thing restricts the penetration depth, which makes it very specific (and odd).

What's fishy about this one is that it's quite precisely targeted as far as a geographical area. Most worms don't really restrict themselves from infection. And if they do, it's to avoid detection and normally stop at a certain infection count. This thing restricts the penetration depth, which makes it very specific (and odd).

Well, according to the article, it seemed that it wasn't designed like a normal "worm" in order to propagate widely, and that most of the infections were caused by a Russian contractor who worked as a consultant at many of these sites.

Also, in one of those articles, it does mentions that after three infections, it deletes itself, which would also help to stop propagation and keep it geographically limited. It is pretty curious.

This is bad news - let out of the bag way too early. Now Skynet will be able to adapt.

Eh, the security world has shown that public knowledge is by far much safer than keeping stuff private; that's roughly the whole idea of open-source docs, white-hat hackers, etc etc.

Better to get this knowledge out so people can check the systems currently infected now, and be on the lookout for future issues. This attack obviously hid itself quite well, but it was still discovered. Hopefully the cyber experts can use this info to track other variants. It was pretty sophisticated; anyone who isn't already heavily in the field probably isn't reading this article and becoming a hacker capable of writing this kind of code overnight.

I agree that Seimens/PLC end users should be made aware of such threats... I just don't agree that we should have articles that give our enemies ideas on how to cripple our energy infrastructure... They basically told them what they needed to do to reprogram it, and why they should do it. Hell, even some environmental extremist could use this type of attack as a highly short-sighted means to a way...

I just keep thinking of the movie Hackers. "row row row your boat...."

The concerning part is that these rootkits TARGET the means by which any safety system would be able to respond. What good are procedures (dependent on human response) if the little bugger prevents access to the very systems that would enable a return to normal?

From my experience in a refinery setting, this type of attack would be severely crippling and devastating on many fronts (Environmentally, Economically, not to mention the Safety Hazards posed by the unplanned release of thousands of pounds of toxic chemicals, and flammable products).

If some 'State' did produce this kit as an attack on Iran's facilities... why would they arm them with such a weapon?... a stated by the article LnGrrrR posted above, the code can be reverse-engineered. Why wouldn't the creators realize that said tactic would backfire... someone out there has basically armed them with new weapons, weapons they can now use on us because it was delivered to their doorstep.

Public bliss would be better than having such articles enlighten whatever radicals are out there looking for new ways to exact their terrorism.

It would require some sophisticated Iranian programmers. I doubt that that they have many.

Using it on anyone else, would then require access to the versions of operating systems used by a target, something Iran would find difficult to obtain.

Iran was uniquely vulnerable, because it seems they were using pirated software.

Software makers don't give software pirates patches that fix known glitches.