25 lines
11 KiB
Plaintext
25 lines
11 KiB
Plaintext
Was Stuxnet a work of hackers?
|
|
<p>My friend Jay Maynard has successfully incited me to blog by asking me the following question: “Would you call the perpetrators of the Stuxnet worm `hackers’, rather than crackers”? He’s actually raised an interesting question of definition, culture, and ethics, and I’m going to tackle it.</p>
|
|
<p><span id="more-2646"></span></p>
|
|
<p>The factual background: The Stuxnet worm takes over a particular make of Siemens programmable industrial controller and does things to it the exact nature of which are undetermined, but which are highly unlikely to be good for whatever the controller is running. Once in place, it can be remote-programmed from a control machine. It appears to have targeted the industrial infrastructure of Iran. Code analysts believe the development and test time required to field Stuxnet would be 2.5 to 5 man years of full-time work by a well-funded group with access to test hardware. The worm continues to spread in Iran; the Iranians deny that it has damaged any government systems, but are offering big bucks to any security experts willing to help them clean it out.</p>
|
|
<p>Well-grounded speculation: It is widely believed that Stuxnet was aimed at the Iranian uranium-enrichment plant at Natanz and the nuclear power plant at Bushehr; experts have described it as clearly a “directed sabotage weapon” aimed not at normal criminal purposes such as spamming, phishing or intrusion blackmail but rather at causing physical infrastructure damage. The development effort was probably beyond the sustained funding capability of entities smaller than a large multinational or nation-state; the most obvious candidates are Israel and the United States. </p>
|
|
<p>For the purposes of this post, I am going to assume all these speculations are correct. I will further assume that actions which delay or halt the acquisition of nuclear weapons by Iran are a good thing, if only because they lessen the likelihood that the regime will actually be able to make good on its threats to execute a genocide on Israel.</p>
|
|
<p>Jay’s question is whether I think the programmers who wrote this code fall within the semantic field of the term “hacker”, and if not, what would I call them? Crackers? Jay clearly does not intend this merely as a question about my personal preferences, but as a question about how the hacker community defines itself in relation to large ethical issues: is it ever correct for us to use our abilities in such an attack, or should hackers adhere strictly to a rule of doing no harm?</p>
|
|
<p>I am by no means the hacker community’s only tribal elder. But I am one of them, and it is thus fair of Jay to ask the question and within my duty to attempt an answer.</p>
|
|
<p>Generally, I and others confer the label “hacker” only on people who build things that are useful or aesthetically interesting, and deny it to those who break things (or break into them). We dismiss people who merely exploit security vulnerabilities as “crackers”. A typical cracker trick relies, for example, on system administrators failing to change default passwords programmed into a router.</p>
|
|
<p>Hackers recognize the existence of a subculture of crackers distinct from our own; an important marker of the difference is that, in contrast to our open-source ethos, crackers keep their methods secret and use pseudonyms intended to hide their identities. We consider the members of that culture to be generally inferior to us in both technical skill and ethics – they couldn’t create something like (say) the Linux operating system, and would have little desire to try. The activities we primarily associate with crackers are vandalism and crime – spamming, phishing, data theft, and instrusion blackmail.</p>
|
|
<p>We know that many hackers could be extremely effective at cracking, but choose not to do it because they have better uses for their time. My own experience includes instructive examples. In the late 1980s I cracked into some systems on a Sun network where I was a guest – and promptly sent the system administrator mail as root explaining the hole and how to plug it. A few years later I broke some very trivial security on a real-estate database so that my mother (a licensed real-estate agent) could access it from a home PC rather that having to drive to the dedicated terminals at her firm’s offices. Most senior hackers could, I think, tell similar stories. But hackers don’t think of cracking as a primary skill, nor do we go looking for targets in the absence of a specific impediment to getting actual work done, and we have a strong ethos of not doing harm with the cracks we find.</p>
|
|
<p>These categories are further complicated by the fact that some sorts of cracking do both require real creative skill and contribute to the general good. The recent <a href="http://www.freedom-to-tinker.com/blog/felten/understanding-hdcp-master-key-leak">reconstruction of the HDCP master key</a>, for example, must have required serious programming skill and mathematical analysis. By once again demonstrating the futility of DRM, it impedes the ongoing effort by the music and film industries to abolish fair-use rights and cripple general-purpose computers in order to prop up their failing business models. It supports the right of consumers to control and tinker with all the hardware they own.</p>
|
|
<p>Many hackers (I’d dare to say “almost all”, actually) consider the elements of the media industry pushing DRM to be gangsters, thieves, and enemies of liberty. We would be willing to consider whoever cracked the HDCP master key a peer in technical skill, and allow that he/she/they probably had motives reflecting the hacker ethos – after all, the crack was publicly released rather than privately exploited for criminal gain. The anonymity of the release is not quite good form by hacker standards, but excusable in light of the fact that the gangsters would certainly use the courts and law enforcement to attack the responsible person(s) if self-identified. </p>
|
|
<p>Tentatively, then, hackers might be willing to describe whoever broke HDCP as a hacker – the skill and the ethical commitments required seem to be present. The only hesitations we’d have would be about mindset and shared culture. Before conferring the honorific, we’d really prefer to know that the person <a href="http://esr.ibiblio.org/?p=2520">laughs at hacker humor</a> and shares the traditions we do. Not that this is a huge barrier, it’s not like there’s a lodge-pin or secret handshake, but it’s there. A good test for that cultural continuity is this: anybody who wouldn’t feel honored by being called a hacker almost certainly isn’t one.</p>
|
|
<p>In two important ways, the Stuxnet worm is like the HDCP crack, with bigger stakes on the table. Stuxnet is an extremely sophisticated and capable piece of software, not the sort of thing we think of crackers as being able to produce. And there are not many imaginable good outcomes larger than preventing a nuclear genocide. On the other hand, Stuxnet is unlike HDCP decryption code (which you could use to back up encrypted video) in that it has no constructive use. One does not commonly break into industrial plants in order to improve their process efficiency!</p>
|
|
<p>Stuxnet becomes a still more challenging case if we accept the speculation that it was created by a national military or intelligence establishment. I don’t doubt this, myself, and in particular I’d say the style of the operation has Israeli fingerprints all over it. Bold covert operations striking from unexpected angles have been a trademark of Israeli statecraft and warmaking since 1948. My bet would be that the most obvious speculative scenario is the correct one: Stuxnet was an Israeli project with U.S. approval and technical assistance.</p>
|
|
<p>The problem with this is that hackers do not in general handle the demands of operating in a military or spook shop very well. Even when there is no political clash, there’s a psychological beard-vs.-crewcut one; we tend to have strongly internalized personal ethics and not do subordination very well, and we don’t like secrecy. Thus, hackers in general don’t find it easy to imagine that they might have peers in the basement of the Pentagon or its Israeli equivalent.</p>
|
|
<p>What Jay is pointing out with this question is that we really don’t have good language or categories for edge cases like these. Furthermore, this absence is not a mere gap in language; it reflects troublesome issues of ethics and identity. Which is in turn why it’s not silly for me to be writing about it.</p>
|
|
<p>If we call the Stuxnet crew “hackers” we do two questionable things. First, we make an assumption about their cultural attachments that may not be true. Maybe they’ve never laughed at RFC1149! Second, we extend the honorific “hacker” to those who create software for destructive purposes. Yes, there’s the argument that preventing nuclear genocide is a constructive purpose, but there’s an obvious slippery slope here that I think many hackers would be reluctant to go near.</p>
|
|
<p>On the other hand, “cracker” doesn’t seem quite adequate either. Stuxnet is too clever for that. I think our community would also be reluctant to put people motivated by a desire to prevent their country from being A-bombed into radioactive slag in the same bin with people who break into websites to steal credit-card data.</p>
|
|
<p>I don’t think I can justify labeling the Stuxnet team as hackers based on the present state of my knowledge – but I can also imagine having a fifteen-minute conversation with one of them that would change my mind about that. </p>
|
|
<p>In professional security circles, where the term “hacker” is often sadly abused and misused, they often speak of “white hats”, “black hats”, and “gray hats”. This is a reference to old Western movies in which stereotypically villains wore black hats and good guys wore white ones. When Jay telephoned me about this question, the least bad approximation I thought I could come up with for the Stuxnet team was “white-hat crackers”.</p>
|
|
<p>That will do for now, I think. The important thing is not to quibble over labels but to understand the ethics and value issues behind the labels.</p>
|
|
<p>UPDATE: I should clarify that if I had been personally asked to work on Stuxnet on the premise that it was the least violent way to stop an Iranian A-bomb from happening, I would have accepted instantly and felt it was in conformance with hacker ethics to do so. However, I recognize that <em>other</em> hackers might consider creating destructive software to be unethical regardless of purpose, and therefore do not project my judgment on all hackers.</p>
|