
Talk:Stuxnet: Difference between revisions

From Wikipedia, the free encyclopedia
→‎60% of computers in Iran?: do country rankings really make sense?
Line 141: Line 141:
''A couple points here. One is that Stuxnet does not seem to have had an "impact" on all those systems, for the reason noted in #1 above: It wasn't aimed at them. Second, it may be that the worm's designers needed it to spread within Iran to be effective -- i.e. from one computer to another within the same facility, or between facilities -- but that there was no way to prevent it from propagating further. Finally, there's some debate among researchers as to whether the virus was programmed to "expire" on a certain date, supposedly in January 2009. In other words, it wasn't supposed to spread, but somehow it did anyway, possibly through Russian contractors."'' http://blog.foreignpolicy.com/posts/2010/09/27/6_mysteries_about_stuxnet <br>
''A couple points here. One is that Stuxnet does not seem to have had an "impact" on all those systems, for the reason noted in #1 above: It wasn't aimed at them. Second, it may be that the worm's designers needed it to spread within Iran to be effective -- i.e. from one computer to another within the same facility, or between facilities -- but that there was no way to prevent it from propagating further. Finally, there's some debate among researchers as to whether the virus was programmed to "expire" on a certain date, supposedly in January 2009. In other words, it wasn't supposed to spread, but somehow it did anyway, possibly through Russian contractors."'' http://blog.foreignpolicy.com/posts/2010/09/27/6_mysteries_about_stuxnet <br>
If the virus was programmed to "expire" on January 2009 as some experts believe than this would be the only date where comparisons of country infection rates would make sense. Infections beyond this date may only be accidental, e.g. on computers that run pirated copies of windows with older (wrong) system dates, which are very common in Asian countries. Am I going too far here? --[[User:Spitzl|spitzl]] ([[User talk:Spitzl|talk]]) 16:18, 4 October 2010 (UTC)
If the virus was programmed to "expire" on January 2009 as some experts believe than this would be the only date where comparisons of country infection rates would make sense. Infections beyond this date may only be accidental, e.g. on computers that run pirated copies of windows with older (wrong) system dates, which are very common in Asian countries. Am I going too far here? --[[User:Spitzl|spitzl]] ([[User talk:Spitzl|talk]]) 16:18, 4 October 2010 (UTC)

== First possible disclosed victim of Stuxnet ==

Can someone add this to the article [http://blogs.forbes.com/firewall/2010/09/29/did-the-stuxnet-worm-kill-indias-insat-4b-satellite/]?--[[Special:Contributions/85.64.157.194|85.64.157.194]] ([[User talk:85.64.157.194|talk]]) 14:37, 6 October 2010 (UTC)

Revision as of 14:37, 6 October 2010

WikiProject Computer Security / Computing: Start-class, High-importance
This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as Start-class on Wikipedia's content assessment scale.
This article has been rated as High-importance on the project's importance scale.
This article is supported by WikiProject Computing.


Rationale for removal of Iran nuclear plant threat information

I removed the sentence about the possibility that this attack was designed to target a nuclear power plant in Iran. There is nothing available to suggest that that one location was the target, from among all the other possibilities (any place that uses that software). It is merely sexier for the news to suggest the possibility, almost always with a question mark at the end of the headline, the tell-tale sign of journalistic conjecture.

"To take one possibility out of many and to claim that [is the explanation] is irresponsible."

--Jeffrey Carr, a cybersecurity expert, here: http://www.aolnews.com/article/big-claims-but-little-evidence-of-cyber-attack-on-irans-nuclea/19644358 --Atkinson (talk) 12:16, 23 September 2010 (UTC)[reply]

I agree that is probably unlikely. However, I will replace it with the BBC reference I just added about it likely targeting "high value Iranian assets". The BBC is a very reliable source and I'll phrase it to make sure this is an opinion, rather than a fact. Smartse (talk) 12:21, 23 September 2010 (UTC)[reply]
On second thoughts, many reliable sources have linked this to the Iranian nuclear program - the wired article explains this in detail - so I think it is ok to say that there has been speculation about this. I've tried to word it to make sure that it is clear that it is speculation at the moment but please reword it if you wish. Smartse (talk) 14:57, 24 September 2010 (UTC)[reply]
NY Times seems to have picked up on the Iran attack angle: http://www.nytimes.com/2010/09/27/technology/27virus.html --Marc Kupper|talk 08:47, 27 September 2010 (UTC)[reply]
Most sources quote experts by name who are claiming that the target was the Iranian nuclear program. Rationally I also think they are right. Almost all the security experts agree that this is built by a nation state and with a specific aim and target. And almost all infections are in Iran.--Pymansorl (talk) 18:30, 28 September 2010 (UTC)

Iran change, pt. 2

I, too, added a minor edit regarding the relationship between Stuxnet and Iran's nuclear program. Prior to my edit, the Stuxnet entry claimed that analysis of the worm pointed to a purposeful attack on Iran's nuke facility. My edit clarified that the Stuxnet attack motive is speculative at the moment. Oneillrb (talk) 12:45, 23 September 2010 (UTC)oneillrb[reply]

Where did the name Stuxnet come from?

Stuxnet (stukhnet) means "will spoil" or "will be extinguished" in Russian. Was it named by the Belorussian security company VirusBlokAda (virus blockade, or bloc of hell)? IHTFP (talk) 14:19, 25 September 2010 (UTC)[reply]

According to one of Symantec's blog entries (which I can't seem to track down right now) they called it "Temphid" originally but then changed it to "Stuxnet" to match up with other unspecified sources. "Stuxnet" apparently references the names of some of the files in the package.
The internal name of the project (or at least one of its components) appears to be "Guava" or "Myrtus" from the reference to debugging information "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" in one of the files. Guava are members of the Myrtle family. --76.169.39.234 (talk) 18:03, 25 September 2010 (UTC)[reply]
Taking into consideration that the US general responsible for cyberspace war was summoned to explain to the Senate what it is and told them that they are trying to figure it out but have "never seen such a thing", the Israelis remain the only option. But for some reason we don't like taking credit, and I also told my Israeli bros: don't be so humble, the world doesn't deserve it.
The name was given to it by the Belorussians who first detected it (not an easy task as it compares its own parameters every 5 seconds), but the malware itself didn't come with the name. Most speculations, including one British based on a sourced report from 2007 on a drill which took place in this year, where an elite technological unit from Israel attacked a well-secured Israeli energy facility with what seems today to fit the description of Stuxnet. In fact, it's assumed Israel built it 10 years ago. Israel is a hi-tech superpower, those who are in the industry know that very well, and if someone came up with something that looks so imaginary then it can only be the Israelis, not to mention that Russia has no interest in attacking Iranian facilities, nor does it have the same technological abilities as Israel. [1][2] —Preceding unsigned comment added by 85.64.171.209 (talk) 22:15, 25 September 2010 (UTC)
The name actually comes from some of the decrypted files inside the Stuxnet code.--Pymansorl (talk) 18:33, 28 September 2010 (UTC)[reply]

Other sabotage attempts

The Americans are known to have conducted sabotage operations against the Iranian nuclear program in the past.[3] (Interestingly, the centrifuge sabotage was reported in 2007, and Stuxnet was reportedly created 2 years ago, perhaps in 2008). Should we not include a mention that the USA has been involved in such sabotage operations? Is there a source which discusses the link between the previous sabotage operations and Stuxnet? Offliner (talk) 16:38, 26 September 2010 (UTC)

No, first-sources in Israel described the very same thing itself a year before Stuxnet was detected [4]. There is no evidence of previous cyber attacks by the US on the Iranian program, and both Israel and the US were reportedly involved in secret operations to sabotage sensitive equipment on its way to Iran. Also, most sources, including this one[5], suggest it was Israel. —Preceding unsigned comment added by 85.64.171.209 (talk) 20:39, 26 September 2010 (UTC)
Personally, I don't think we should be speculating about who developed this. Sure some reliable sources suggest it is Israel, but they don't have any evidence other than circumstantial evidence. I think we should wait until more is known before including questionable information such as this. Smartse (talk) 21:05, 26 September 2010 (UTC)[reply]

Israeli Involvement

'Specifically written by the government of israel' - any references to back this claim up?

71.190.202.148 (talk) 03:56, 27 September 2010 (UTC)[reply]

This claim was added by an editor who has never made any other edits. And there certainly are no references to back this up. At this moment, there are a handful of folks across the globe who have speculated that Israel could be involved. If this speculation becomes widespread, it might be appropriate to add a section entitled "Speculation about Stuxnet Origins" in which this is discussed. But it clearly can't be stated as a fact, given the complete lack of evidence. — Lawrence King (talk) 04:17, 27 September 2010 (UTC)[reply]
I'm not an SPA, you had no reason to assume I am, and even if I was, my points are still valid. Do some googling: of a bit more than a million results for stuxnet, more than 406,000 (>40%) are for Israel+Stuxnet, including articles like these: [6][7][8]. So you may not know much about Israel or about how much Israeli technology you use on a daily basis, but your statement that "there certainly are no references to back this up" in reference to an alleged connection between stuxnet and Israel is baseless.
Well, The Guardian has speculated in it and Israel has the resources for it.[9] // Liftarn (talk)
Sorry if you thought I was referring to you, but I wasn't. I was referring to this edit [10] made by Vesuviuz, who is clearly SPA (take a look at his/her contribution history). If you look at the beginning of this section of the Talk page, 71.190.202.148 asked, "'Specifically written by the government of israel' - any references to back this claim up?" 71 is quoting from Vesuviuz' edits, not from yours. So I responded to 71 by discussing Vesuviuz. When I said "there are no references to back this up," I meant "there are no references to back up the statement that the government of Israel wrote it." Which is true. Even if Israel was involved, we could speculate that the government of Israel paid two dozen computer experts in South Korea to write Stuxnet. Or that the government of the United Kingdom wrote it, and sold it to Israel. I wasn't commenting on, in your words, "an alleged connection between stuxnet and Israel" -- as long as the words "alleged" and "connection" are present, there are plenty of references. But there are no references to back up a simple statement, as a fact, that the government of Israel (which is not the same as "Israelis") wrote this virus. And that is what Vesuviuz has twice edited this article to say.
I should have mentioned Vesuviuz by name, to avoid confusion. Sorry that I didn't.
There is a huge difference between your edits [11] [12] and the two by Vesuviuz [13] [14]. Vesuviuz is stating as a fact that the virus was "written by the government of Israel". Your contributions do not state this as a fact, but discuss it in the section on "speculation". — Lawrence King (talk) 16:30, 27 September 2010 (UTC)
According to the sources in the article mentioning experts of the field, only five countries of Israel, United States, Russia, China and United Kingdom have the capability to create such a sophisticated weapon.--Pymansorl (talk) 18:36, 28 September 2010 (UTC)[reply]

kaspersky

http://www.kaspersky.com/news?id=207576183 Flayer (talk) 12:22, 27 September 2010 (UTC)[reply]

Source of the Stuxnet

This statement "The US and NATO have cyberwarfare facilities in Tallin, Estonia which may have been involved in the development and deployment of the worm." was removed by me from the article because it's not sourced and made an original research conjecture. —Preceding unsigned comment added by 85.64.171.209 (talk) 13:19, 27 September 2010 (UTC)[reply]

Agreed, thanks for removing it. Smartse (talk) 13:31, 27 September 2010 (UTC)[reply]

decent Source for basic summary of everything

6 mysteries about Stuxnet Hope it is of use The Resident Anthropologist (talk) 02:59, 28 September 2010 (UTC)[reply]

Speculation

I just added the speculation template to the article. I mean, there's an entire section that has "speculation" as the title. Also, is there any proof of this worm targeting Iran? It seems like every article says that Iran may be the target of the worm. It doesn't seem like there's any proof of Iran actually being the target other than a coincidence that many infected systems are located there. Iran itself is not a reliable source, they spew out propaganda with no basis in fact on a regular basis. fintler (talk) 16:37, 28 September 2010 (UTC)[reply]

Have you read the article and the references? The article clearly frames the fact that it is all speculation - the speculation template says "Information must be verifiable and based on reliable published sources." which everything in the article is - I'd therefore suggest we remove it. If a reliable source speculates on something then it is fine for us to include it so long as it is made clear it is speculation. Many RSs state that Iran is the likely target (NYT, BBC, Guardian etc.) so we should clearly cover this. Iran's comments are fine IMO, I can't see how we can maintain a NPOV without them. Do you have any suggestions as to how we can improve the article, or are you suggesting we remove anything that is at all speculation? Smartse (talk) 16:49, 28 September 2010 (UTC)[reply]
I would prefer that speculation is removed (the mudslinging from all sides... Iran, Israel, USA, etc). An encyclopedia should be based on fact. Just as an example, a statement such as: "the group building Stuxnet would have been well-funded, comprising between five and 10 people, and that it would have taken six months to prepare" is speculation without anything to back it up. I could just as easily say something like this: "The sole Siemens engineer who built Stuxnet used his professional PLC experience and personal interest in windows rootkits to develop the worm over several years using little funding or resources". It seems like all of the news outlets are taking a bunch of opinion statements and attempting to repackage them as fact because they don't really have any facts to go with. The opinion statements, or statements that source the opinions don't belong in an encyclopedia. fintler (talk) 16:58, 28 September 2010 (UTC)[reply]
There's obviously a difference there - although both are possible - because a reliable source states the first, whereas you've just made up the second. True it would be good to know the truth, but we'll probably never know who did it so we can only go on what RSs speculate. I don't see the problem with speculation when this is the case. Smartse (talk) 17:31, 28 September 2010 (UTC)[reply]

To add to the speculation, has anyone considered that 9001 super hackers from 4chan's double secret /i/ are probably behind all of this as part of Anonymous Iran? ;) fintler (talk) 17:08, 28 September 2010 (UTC)[reply]

Now that is speculation, and belongs on a forum, not here! Smartse (talk) 17:31, 28 September 2010 (UTC)[reply]

Removed content

I removed: "Kaspersky Labs has released a statement that Stuxnet will lead to creation of a new arms race in the world, while noting that the infections in Iran are off the charts." because I feel this is too sensationalist. "Stuxnet targets not only nuclear facilities but a variety of SCADA-based environments, including non-nuclear power generation and transmission facilities, oil refineries, chemical plants, water management facilities, and factories." because we're not sure what the actual target is, sure it probably infects all of these, but that's not the same as saying it targets them. "Stuxnet could make Iran the first victim of cyber warfare in history." because this is incorrect, Syria most probably was as part of Operation Orchard. Smartse (talk) 19:57, 28 September 2010 (UTC)

Your removal of the content was not warranted. Kaspersky Labs are experts in the field and their statements are not based on sensationalism regardless of how you feel. If you have a source which explicitly says that Kaspersky Labs is sensationalist then it is something else. The sources already mention the fact that though Stuxnet infects all machines, its target is a specific one. And this is already noted in the body of the article. Just because we do not know the target, it does not warrant hiding the facts. At the end, the sources again put Iran as the probable first victim of a real cyberwar, as compared to innocuous denial-of-service attacks or website defacements, because Stuxnet, as per experts who specialize in malware, is designed to destroy a physical target.--Pymansorl (talk) 04:36, 29 September 2010 (UTC)

Personal feelings

It is noted in the history of the article that some respected editors are removing material from the article based on their personal feelings and their personal speculation. It is reminded here that Wikipedia is an encyclopedia. The materials being removed are backed by sources which quote the best laboratories and experts in the field. The mere fact that this situation is an ongoing one and research into the problem is continuing does not warrant brushing it under the carpet and hiding the facts. Surely the counterpoints to the views in the article can be added provided they are sourced and cited. Please refrain from removing cited material from the article based on your personal views. Thank you.--Pymansorl (talk) 04:52, 29 September 2010 (UTC)

Just reverted your last contribution which weaseled US is behind the Stuxnet with no direct sources, just by synthesis of reports made before anyone heard about Stuxnet. 85.64.171.209 (talk) 09:25, 29 September 2010 (UTC)[reply]
I agree, it was pure synthesis. --Golbez (talk) 13:13, 29 September 2010 (UTC)[reply]

Current Event

This article needs to indicate it's covering a current event. --173.161.6.33 (talk) 16:14, 29 September 2010 (UTC)[reply]

{{current}} isn't placed on articles just because it is a current event, after looking at Template:Current_event#Guidelines I don't think it is required on this article at the moment. Smartse (talk) 19:54, 30 September 2010 (UTC)[reply]

Too much emphasis on Iran here.

The entirety of this article seems to focus very quickly and relentlessly on the effect the virus has had on Iran, its reaction to it and, based on Iran and then speculating that one or more of Iran's enemies are the source of the code.

As far as I can tell, this malware is very specific about WHAT it attacks, but not WHERE the attack will take place. This malware appears to want to monitor SCADA systems and has spread to systems worldwide. The fact that Symantec reports that 60% of the infected systems appear to them being in Iran could have a number of reasons, one of which could simply be very poor InfoSec practices in Iran compared to other countries. The very fact that Iran has a distrust of SIEMENS and Siemens SCADA antivirus solutions supports this theory.

For one moment, if we assume this is the case, then almost all of the rest of this article seems rather media-fueled, eh? 217.174.59.128 (talk) 19:44, 30 September 2010 (UTC)[reply]

Myrtus/Esther Speculation

I suggest someone include this new york times article under the speculation heading in the article. At the very least it contains some information on the worm. At the most it highlights an interesting clue as to the people who coded the worm. http://www.nytimes.com/2010/09/30/world/middleeast/30worm.html?pagewanted=1&hpw Cheers. LazyMapleSunday (talk) 19:44, 30 September 2010 (UTC)[reply]

"Date"

According to this source: "The malware does contain a date however – May 9 1979. The date coincides with the execution of an Israeli businessman in Iran, but he explained it was also, for example, the birth date of actress Rosario Dawson so could be a red herring." But our article says "The worm contains a component with a build time stamp from 3 February 2010." Perhaps they are talking about two different things? --BorgQueen (talk) 05:39, 1 October 2010 (UTC)[reply]

Ambiguous pronoun

Currently article reads:

Symantec claims that the majority of infected systems were in Iran (about 60%),[30] which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in Iran[6] including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility.

But the "it" is unclear. Is it Symantec or the virus? WilliamKF (talk) 23:40, 1 October 2010 (UTC)

60% of computers in Iran?

The article claims that 60% of the affected computers are in Iran. Later in the article it lists the number of computers affected in different countries. There it claims that 6 million Chinese computers have been affected with Iran coming in at only 62 thousand (1% as many). The article isn't self-consistent. If the 60% number is going to be left in, the article should make it clear that 'early reports indicated that 60% of the affected computers were Iranian' or something to that effect. I would vote to remove it altogether. Ender8282 (talk) 22:03, 3 October 2010 (UTC)

Sources report the changing numbers. http://www.infoworld.com/t/malware/stuxnet-worm-iran-mainstream-media-global-nuclear-meltdown-796?page=0,0 "Since the beginning of July, Kaspersky's Internet-based scanner -- which primarily scans personal, not business, systems -- caught 86,000 infected PCs in India, 34,000 in Indonesia, and 14,000 in Iran. Back in July, when Kaspersky first started scanning for Stuxnet infections, India had 8,600 infected PCs, Indonesia had 5,100, and Iran had 3,100." "Symantec's July 16 report says that 40 percent of the infections seen at that point were in India, 33 percent in Indonesia, and 20 percent in Iran. Shortly after, Symantec started intercepting Internet traffic bound for Stuxnet's "phone home" website, and the numbers shifted. The numbers get a little dicey because Stuxnet doesn't always phone home, and because Symantec was only able to collect unique IP addresses -- it couldn't identify individual PCs. Given those caveats, over a 72-hour period Symantec picked up 8,000 infected "phone home" calls from different IP addresses in Iran, 2,600 from Indonesia, and 1,200 from India.

In August and September, Iran, by most reports, seems to have topped the infection charts. But in the past weeks, according to Kaspersky, Iran has cleaned many infected systems, while India has not -- and Russia and Kazakhstan infections grew steadily. Kaspersky infection numbers right now are way up for Bangladesh, Iraq, and Syria, with Iran's infection rate below those in Russia and Kazakhstan. Still, local news reports in Iran confirm Stuxnet is still active, although the details appear overblown."

I think it appropriate to include the info in the article, perhaps in a chart. Sephiroth storm (talk) 10:08, 4 October 2010 (UTC)[reply]

Some media reports say that the virus was not meant to spread so widely. See e.g. the analysis at foreignpolicy.com. Blake Hounshell asks himself: "Why did it spread so widely? John Markoff, the longtime tech reporter for the New York Times, takes on this question in today's paper. "If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings," he writes. "The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment." He only offers one theory, however: "One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise.
A couple points here. One is that Stuxnet does not seem to have had an "impact" on all those systems, for the reason noted in #1 above: It wasn't aimed at them. Second, it may be that the worm's designers needed it to spread within Iran to be effective -- i.e. from one computer to another within the same facility, or between facilities -- but that there was no way to prevent it from propagating further. Finally, there's some debate among researchers as to whether the virus was programmed to "expire" on a certain date, supposedly in January 2009. In other words, it wasn't supposed to spread, but somehow it did anyway, possibly through Russian contractors." http://blog.foreignpolicy.com/posts/2010/09/27/6_mysteries_about_stuxnet
If the virus was programmed to "expire" on January 2009 as some experts believe, then this would be the only date where comparisons of country infection rates would make sense. Infections beyond this date may only be accidental, e.g. on computers that run pirated copies of Windows with older (wrong) system dates, which are very common in Asian countries. Am I going too far here? --spitzl (talk) 16:18, 4 October 2010 (UTC)

First possible disclosed victim of Stuxnet

Can someone add this to the article [15]?--85.64.157.194 (talk) 14:37, 6 October 2010 (UTC)[reply]