sorry, but this article is breathless crazy hyperbole. I am a cybersecurity expert that actually reverse engineered a nontrivial part of Stuxnet at one point, and I have reverse engineered other government-built worms and persistence mechanisms.
Driver signing keys are not nearly as difficult to steal as the answer implies; not only are they shoddily managed in most hardware vendors, they could also be purchased on the black market for about 50k$ at the time. They are still not very difficult to come by.
Zero-days (e.g. security vulnerabilities and their corresponding exploits) can be purchased on the grey market, and some are developed by government-internal teams. These are little marvels of strange engineering, but they are also a relatively common occurrence. The total market prices of the exploits in Stuxnet will have amounted to perhaps a few million $ at the time.
The Stuxnet worm’s code showed all the artifacts you would have in a large software project - including but not limited to “handwriting” where you could see that a small team of engineers and architects were excellent developers who delegated the implementation of less-important parts to engineers of lesser ability.
There have been leaner, more elegant, and similarly powerful / crazy pieces of malware.
In general, though, these things are not made of magic, and they are not the most brilliant software ever made. They are usually well-engineered by decent engineers, built by a motivated team with decent funding. Even then, mistakes creep in (Stuxnet had an infamously broken mechanism to limit propagation), multiple versions need to be rolled out, and problems & bugs plague any software system.
Now, comparing something like Stuxnet — a relatively small, well-engineered but ultimatively not terribly innovative assembly of known methods — to something like Google’s data center infrastructure (Borg/Flume/Mapreduce/Bigtable/Spanner), the Windows or Linux Kernel etc. and concluding Stuxnet is somehow superior or more sophisticated is simply false.
Stuxnet was cool etc., but I can assure you the level of sophistication is less than the Windows Kernel, the Linux Kernel, or Google’s data processing infrastructure, by far.
This is unsurprising: Stuxnet is a much smaller operation. Building Windows has probably cost many billion dollars by now. Stuxnet, on the other hand, was likely running on a shoestring budget in comparison.
Assembling a highly impactful worm is much cheaper and simpler than people think; most of our IT infrastructure is not very robust.
Driver signing keys are not nearly as difficult to steal as the answer implies; not only are they shoddily managed in most hardware vendors, they could also be purchased on the black market for about 50k$ at the time. They are still not very difficult to come by.
Zero-days (e.g. security vulnerabilities and their corresponding exploits) can be purchased on the grey market, and some are developed by government-internal teams. These are little marvels of strange engineering, but they are also a relatively common occurrence. The total market prices of the exploits in Stuxnet will have amounted to perhaps a few million $ at the time.
The Stuxnet worm’s code showed all the artifacts you would have in a large software project - including but not limited to “handwriting” where you could see that a small team of engineers and architects were excellent developers who delegated the implementation of less-important parts to engineers of lesser ability.
There have been leaner, more elegant, and similarly powerful / crazy pieces of malware.
In general, though, these things are not made of magic, and they are not the most brilliant software ever made. They are usually well-engineered by decent engineers, built by a motivated team with decent funding. Even then, mistakes creep in (Stuxnet had an infamously broken mechanism to limit propagation), multiple versions need to be rolled out, and problems & bugs plague any software system.
Now, comparing something like Stuxnet — a relatively small, well-engineered but ultimatively not terribly innovative assembly of known methods — to something like Google’s data center infrastructure (Borg/Flume/Mapreduce/Bigtable/Spanner), the Windows or Linux Kernel etc. and concluding Stuxnet is somehow superior or more sophisticated is simply false.
Stuxnet was cool etc., but I can assure you the level of sophistication is less than the Windows Kernel, the Linux Kernel, or Google’s data processing infrastructure, by far.
This is unsurprising: Stuxnet is a much smaller operation. Building Windows has probably cost many billion dollars by now. Stuxnet, on the other hand, was likely running on a shoestring budget in comparison.
Assembling a highly impactful worm is much cheaper and simpler than people think; most of our IT infrastructure is not very robust.