The Stuxnet worm may be the most sophisticated software ever written

1493 points by graposaymaname about 7 years ago

76 comments

perlgeek about 7 years ago
I'd argue that Google Search is much more sophisticated than Stuxnet. Windows is much more sophisticated. Linux is more sophisticated than Stuxnet. The list goes on.
We tend to ignore the sophistication of things we are familiar with, and hype those that surprise. But that's not a fair measure of anything.
indescions_2018 about 7 years ago
Stuxnet changed history. Any "game of chicken" style equilibrium is broken if the probability a nuclear actor's command and control drops below 100%. If there is even a 1% chance that when a Big Red Button is pushed the missiles fail to launch the game becomes unwinnable. Simulations of imperfect information in dynamic brinkmanship where both players are known to have advanced cyber capabilities result in a single dreaded endgame: general nuclear exchange.
Thermonuclear Cyberwar
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2836208
We have moved into uncharted domains. And herein lie demons. Past Rules of Engagement universally agreed upon regarding the use of kinetic weapons no longer apply. For wiser heads to prevail in the current global climate, the voice for peace must become the loudest one.
Rules of engagement for cyberspace operations: a view from the USA
https://academic.oup.com/cybersecurity/article/doi/10.1093/cybsec/tyx003/3058505
vbsteven about 7 years ago
The scary thing about this is: Stuxnet is one of the "most sophisticated" pieces of malware we *have discovered up until now*.
Who knows what kinds of software are still out there quietly doing their thing in the shadows.
fapjacks about 7 years ago
I've been arguing about this for the last three days. Mostly around the reason that "complexity" is not strictly the same thing as "sophistication" when it comes to software. Noobs will conflate the two, but experienced programmers will agree that -- just to illustrate my point -- some code which solves a complex problem in a very clever way while also being very clean and easy to maintain will be considered strictly more sophisticated than some other code solving a similar problem which simply has a higher degree of complexity than the former. There *is* a subtle difference when it comes to software, and this subtlety needs to be considered in this question. Now, I think Stuxnet is a fantastic suggestion to this question, for a number of reasons:
1) The legal, ethical, technical challenges of creating the software.
2) The ability of the software to remain hidden in (sophisticated) environments rich with (sophisticated) organizations looking for exactly this kind of thing.
3) The stealth of the entire research, design, development, and deployment phases of the project.
4) The highly specialized nature of the target.
5) The scale of the entities involved.
6) All of this sophistication and *we can't even see the source code* (decompilation doesn't count).
This is frankly some impressively sophisticated software. Also, incidentally, the Quora poster's company looks like a fun place to work (with good programmers on the team). Some of his other answers are thoughtful and interesting to read, too, if you get the chance.
danielh about 7 years ago
If this short read piqued your interest in Stuxnet, I can recommend the book "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon".
It explains in great detail how Stuxnet worked and, which I found the most exciting, how it was discovered and reverse engineered.
lol-lol about 7 years ago
I would argue that this one was more sophisticated: http://pferrie.tripod.com/papers/zmist.pdf
What I am seeing lately with malware is increasing decline in sophistication, today malware is lame compared to the malware created around 2000. I would think that level of low level knowledge is rapidly dropping. When there were still real file infectors, there were some serious nasty technologies involved (btw, today's ransomware is a very old concept (http://virus.wikidot.com/onehalf) but it was used to prevent virus removal instead of making money).
cptskippy about 7 years ago
> This driver was digitally signed by Realtek, which means that the authors of the worm were somehow able to break into the most secure location in a huge Taiwanese company, and steal the most secret key that this company owns, without Realtek finding out about it.
> Later, whoever wrote that driver started signing it with secret keys from JMicron, another big Taiwanese company. Yet again, the authors had to figure out how to break into the most secure location in that company and steal the most secure key that that company owns, without JMicron finding out about it.
Oh come on... "most secure location"? I'd wager it would be harder to break into the janitor's closet and steal his toilet paper supply than it would be to get those signing certs. If this was most companies it was stored on a public file share used by software engineers or in an open source control repository. They either got someone hired as a contractor or bribed an engineer they found on LinkedIn a couple thousand dollars.
ufmace about 7 years ago
IMO, the sophistication of the final worm that made it out to security researchers doesn't have anything on the process that must have been used to develop it. Take the normal iterative development process, except that:
You don't know anything at all about the design of your targeted system and networks.
Even getting a little information about it requires writing sophisticated malware, using various spy capers to get the malware near the target systems, and somehow exfiltrating data from airgapped systems over the internet, where the whole mission is blown if anyone detects your data movement.
You may need dozens of iterations of adjusting the software to try and dive a little bit deeper, getting it snuck into the target systems (hopefully by a built-in update over the net), gathering information on the network architecture, then exfiltrating that data back out.
Always a tough balance of spread-happy enough to infect highly protected airgapped systems in a top-secret facility, but not so spread-happy to get out on the open net and infect half of the world, where it will inevitably be discovered eventually. This is probably where they eventually screwed up.
How long to detect that they're using this particular model of PLC with this particular centrifuge, buy your own copy of them, dig up someone who actually knows about these things, collaborate with them to figure out a sneaky way to screw things up just a little bit, build ways to get your virus onto the target system to do its damage, etc.
I'd assume that there was a team somewhere with a big library of zero-day exploits and a bunch of ace developers, but no starting knowledge of the target. Someone gave them the order to figure out a way to hack and screw up the Iranian nuclear program, maybe with the helper that some other org has a guy that can deliver any product near the program. They must have spent years devising ways to get in, slowly gathering info about their target, figuring out a way to achieve the assigned goal of screwing things up without getting detected. Now that would be a hell of a project to work on.
saagarjha about 7 years ago
> This driver was digitally signed by Realtek
> that driver started signing it with secret keys from JMicron
I think this is the scariest part of the worm. Not only do the people writing it have access to zero-days, they also somehow have (possibly physical) access to the private keys of two large corporations.
vinayms about 7 years ago
I am just your average software dev with zero knowledge of malware creation, speculating here, and might come across as a fool.
The author sensationalizes the effort of the creators, painting a Hollywoodesque scenario where they break into every possible software company to steal keys to misrepresent the software, going undetected by every possible security company etc. Since this is a Quora post, I can live with him playing to the gallery.
Given the amount of speculation of involvement of US and Israeli intelligence agencies, and the task this worm was assigned, the real effort might have been just about writing a USB worm that identifies specific machines and handing the USB-0 to a double agent (I stopped watching Homeland after season 5 and am rusty with the jargon). The rest of it would have been simply asking all the associated software and hardware companies, politely, to cooperate.
If any of this is true, stuxnet is anything but sophisticated. It's just lots and lots of specific API calls.
That brings up the question: what is sophistication as applied to software?
bichiliad about 7 years ago
The title of this post is a bit misleading (and a bit click-bait-y) — this is one person's response to a quora question, and it seems like the point of his answer was more "the Stuxnet worm is a seriously complex piece of history if you don't know about it" and less "this is the definitive most sophisticated piece of software ever." I feel like we can agree that the definition of sophisticated[0] is fairly hard to quantify and rank software objectively against.
[0]: "(of a machine, system, or technique) developed to a high degree of complexity", according to google: https://www.google.com/search?q=define+sophisticated
sneak about 7 years ago
Stuxnet was able to be reverse engineered successfully so that we can know these things.
IIRC, its sequel actually used certain directory listings (registry keys or filesystem) of a target system as input to a KDF that is used to generate an AES key that is used to decrypt the next stage payload. That is, if you don’t have the exact specific system configuration that is being targeted (program names, versions, etc.) then the primary function of the worm remains entirely opaque.
tdullien about 7 years ago
Sorry, but this article is breathless crazy hyperbole. I am a cybersecurity expert that actually reverse engineered a nontrivial part of Stuxnet at one point, and I have reverse engineered other government-built worms and persistence mechanisms.
Driver signing keys are not nearly as difficult to steal as the answer implies; not only are they shoddily managed in most hardware vendors, they could also be purchased on the black market for about 50k$ at the time. They are still not very difficult to come by.
Zero-days (e.g. security vulnerabilities and their corresponding exploits) can be purchased on the grey market, and some are developed by government-internal teams. These are little marvels of strange engineering, but they are also a relatively common occurrence. The total market prices of the exploits in Stuxnet will have amounted to perhaps a few million $ at the time.
The Stuxnet worm’s code showed all the artifacts you would have in a large software project - including but not limited to “handwriting” where you could see that a small team of engineers and architects were excellent developers who delegated the implementation of less-important parts to engineers of lesser ability.
There have been leaner, more elegant, and similarly powerful / crazy pieces of malware.
In general, though, these things are not made of magic, and they are not the most brilliant software ever made. They are usually well-engineered by decent engineers, built by a motivated team with decent funding. Even then, mistakes creep in (Stuxnet had an infamously broken mechanism to limit propagation), multiple versions need to be rolled out, and problems & bugs plague any software system.
Now, comparing something like Stuxnet — a relatively small, well-engineered but ultimately not terribly innovative assembly of known methods — to something like Google’s data center infrastructure (Borg/Flume/Mapreduce/Bigtable/Spanner), the Windows or Linux Kernel etc. and concluding Stuxnet is somehow superior or more sophisticated is simply false.
Stuxnet was cool etc., but I can assure you the level of sophistication is less than the Windows Kernel, the Linux Kernel, or Google’s data processing infrastructure, by *far*.
This is unsurprising: Stuxnet is a much smaller operation. Building Windows has probably cost many *billion* dollars by now. Stuxnet, on the other hand, was likely running on a shoestring budget in comparison.
Assembling a highly impactful worm is much cheaper and simpler than people think; most of our IT infrastructure is not very robust.
thedancollins about 7 years ago
The respect comes with the single-mindedness of this code's approach. You would think the people doing this would have at least a little bit of The Joker in them - if they saw an opportunity to cause chaos for chaos' sake they tend to take it. Whoever did this - didn't. That is impressive focus.
4llan about 7 years ago
"Zero Days" documentary is focused on Stuxnet. https://www.imdb.com/title/tt5446858/
realworldview about 7 years ago
_When that USB drive is inserted into a Windows PC, without the user knowing it, that worm will quietly run itself, and copy itself to that PC._ Truly magical. Anthropomorphism and personification help continue the myth of sentient, usually evil, software. Whilst scaring the heebie jeebies out of everyone.
phendrenad2 about 7 years ago
We have much work to do on https://github.com/EnterpriseQualityCoding/FizzBuzzEnterpriseEdition if we want to catch up.
jquinby about 7 years ago
I thoroughly enjoyed this writeup as well: https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
Appendix C is my favorite part: a look at all the things that can be gleaned from television footage of the facilities, brief glances at control screens, etc.
zer0gravity about 7 years ago
If you come to think of it, this "worm" is really a form of life, with a certain degree of intelligence, I might add.
Just like a biological virus, it replicates itself, it hijacks a pretty secure environment, like a cell, and uses it, first to replicate even more, and second, to alter its behaviour in order to accomplish its "goals", meaning deeply hidden instructions that only activate, and this is amazing, only in certain conditions, just how a certain piece of DNA is only activated in certain conditions in the cell.
The intelligent part, in a more humane understanding of the term, comes when it is able to act and update in a distributed fashion orchestrated by a central command and control.
This is not just a sophisticated form of software. This is a sophisticated form of life, albeit a destructive one.
rjplatte about 7 years ago
This confuses cleverness for sophistication. Yes, Stuxnet is ingenious, but mostly in concept/access to secret Windows bugs, not execution. Something like Pagerank or modern video encoders easily beats Stuxnet in terms of sophistication/complexity.
gigatexal about 7 years ago
I don’t have the expertise to understand if this article is hyperbolic but it was the first article I have read in a while start to finish. The author should try his hand at fiction.
howox about 7 years ago
There is no conclusive evidence that stuxnet was successful at all. This article https://nypost.com/2013/05/16/stuxnet-virus-might-have-improved-irans-nuclear-capabilities-report/ actually claims the opposite. With cyberwarfare and espionage everything is possible so let's not guess too much as we have really limited information.
stochastic_monk about 7 years ago
And to think that a combination of decades of diplomatic work and years of one of the most sophisticated cyberattacks were entirely thrown away by capricious, corrupt politicians.
mjw1007 about 7 years ago
Is it still believed that Stuxnet was never intended to escape and infect machines worldwide? If so, I think that blunder deserves to be a more prominent part of the story.
veddox about 7 years ago
A very nice writeup of Stuxnet, although plainly intended for a lay audience...
Shame the author didn't mention Flame (or any of the other since-discovered super-viruses) at the end.
srcmap about 7 years ago
If someone adds a layer to OS's file system such as only the known good white list app, exe, .so, .dll, .sys files with complete crypto-hash signatures are allowed to run in "lockdown" mode.
Everything else is reported and blocked.
Would it be enough to prevent such worm?
It would be interesting exercise to take an old exploitable OS (Win XP, or 10 years old Linux with known issue) add such layer to it. Put it on internet as honeypot and see what other kind of infections it might get.
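An added example, not part of the thread or of any product, of the hash allowlist the comment above describes: build a SHA-256 baseline over a known-good tree, then audit the tree and report every executable-type file whose content is not on the list. Because the decision is made on the content hash alone, a file is blocked when unlisted regardless of whether it carries a valid vendor signature. File names and contents are constructed, and the "known good" baseline is an assumption.

```python
import hashlib
import os
import tempfile

# File types the comment names as needing an allowlist entry before they may run.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".so"}


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def executable_files(root):
    """Yield (relative_path, absolute_path) for executable-type files under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_allowlist(root):
    """Record path -> SHA-256 for a tree that is assumed to be known good."""
    return {rel: sha256_file(full) for rel, full in executable_files(root)}


def decide(rel, digest, allowlist):
    """Lockdown decision for one file: allow only content whose hash is listed."""
    if digest in set(allowlist.values()):
        return ("ALLOW", "hash on allowlist")
    if rel in allowlist:
        return ("BLOCK", "content differs from baseline")
    return ("BLOCK", "not on allowlist")


def audit(root, allowlist):
    """Return {relative_path: (verdict, reason)} for every executable-type file."""
    return {rel: decide(rel, sha256_file(full), allowlist)
            for rel, full in executable_files(root)}


def demo():
    """Build a baseline over constructed files, change the tree, then audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "drivers"))
        samples = {  # constructed stand-ins for real binaries
            "app.exe": b"known-good application",
            "drivers/nic.sys": b"known-good driver",
            "notes.txt": b"not an executable type, never hashed",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        allowlist = build_allowlist(root)

        # After the baseline: one driver is replaced and one new library appears.
        with open(os.path.join(root, "drivers", "nic.sys"), "wb") as handle:
            handle.write(b"replaced driver image")
        with open(os.path.join(root, "dropped.dll"), "wb") as handle:
            handle.write(b"library that was never approved")
        return audit(root, allowlist)


if __name__ == "__main__":
    for path, (verdict, reason) in sorted(demo().items()):
        print(f"{verdict:5} {path}: {reason}")
```
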
EdSharkey about 7 years ago
If elaborate/sneaky/surprising real world modeling is the quora answer's mark of sophistication, (which I agree with personally), then I have another "most sophisticated in 2018" nominee. And the nominee is ...
Facebook's graph database!
Consider, Facebook has modeled:
* All our PII (face scans, key dates and times in our lives (birth to death), employment history, and on and on)
* All our activities (web, real-world)
* All our relationships/interactions (facebook, web, person-to-person, person-to-business, business-to-business, face recognition over practically all digital photos, chat, audio capture from mobile? what else?)
* Data appropriately tagged and categorized: Geo-location and a million other things
* Place information
* And then, the coup de grâce ... how all that data changes over the time dimension
And it's all searchable! A search of that database must be thrilling. You can know what's going on at every level of society at any point in time. You could quantify moods, trends, money, stars and governments currently rising and falling, etc. Consider the unholy power of that graph database, nothing else must come close! Sometimes, I want to get a job there as a data researcher just so I could query it.
jokoon about 7 years ago
I wonder towards what kind of landscapes the cyber arms race will lead us.
The problem is how civilians will end up being the victims of it. What can be scary is how data can mess around the links of trust that is making society work. I hope there are people who are able to think about the problem of preventing online psy ops and other nasty things that can not cause threat, but do damage on the "data" of how society operates. As long as this problem is not fixed and the public is not educated about how computers work, I'm for limiting the use of computers in sensitive areas of society, would it be money, finance, the military, electricity and water networks, infrastructure, computers as a work tool, etc.
Funny that a couple of months ago I received a paper mail written in russian. There is no way in hell this was not related to my address getting leaked online, this must have been related to the internet somehow.
Yajirobe about 7 years ago
I have a question. Since the worm travels from USB to USB, does that mean that it infected thousands (or more) of regular people USBs but did nothing, until it found itself in a purity facility? Or was the worm somehow directly sent (physically or digitally) to the facility?
igravious about 7 years ago
1: What is sophisticated for a non-state actor may be semi-trivial for a state actor. Why? State actors demand access to the source code of proprietary software; state actors circumvent laws that bind mere mortals like ourselves. If you own the playing field that which is sophisticated for even the most competent and knowledgeable coders may be semi-trivial for the spooks.
2: In my opinion Stuxnet is an act of war. If Iran doesn't consider itself to be at war with Israel and the US (even though there has been no formal declaration of war) then they are not thinking straight.
If I were to enrich uranium I wouldn't let a Windows PC within a mile of the centrifuges, I'd only use locked down versions of Linux.
dandare about 7 years ago
The other day I had an argument with a proponent of online voting. As a non-techie, he could not understand my security concerns. In his laic view, we all use internet banking every day and nobody stole all the money yet, right?
swarnie_ about 7 years ago
So.... For people who have followed this story more closely than I have, did the hostile actor ever get identified? Last I checked it was a toss up between USA, Israel and France, was a conclusion ever drawn?
hfdgiutdryg about 7 years ago
I recall an early analyst of Stuxnet writing that it was so complex that it was almost as if it had been written by an alien intelligence. That really captured the imagination of Slashdot for awhile.
ankurdhama about 7 years ago
So sophistication == Exploiting dozens of Windows zero day exploits.
synfin80 about 7 years ago
One thing that was somewhat glossed over in the article is that stuxnet used 4 zero-days... That is it exploited 4 different software vulnerabilities that were unknown. This is a completely unprecedented level of sophistication in malware.
https://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities
bflesch about 7 years ago
Would it have been easier or harder to implement Stuxnet if the target networks were running some sort of linux? Or if it would've been a mac-only facility?
I'm curious.
_bxg1 about 7 years ago
"most sophisticated software ever written" is a bit of a hyperbole. "most sophisticated computer worm ever discovered" seems more accurate.
0xb8000 about 7 years ago
I was waiting for someone to point out IDF (Unit 8200?) and NSA collaboration being responsible for this to come up. The only proof we have is a smile by an Israeli Defense leader in response to a question asked on 60 minutes (or a similarly named show)
Also the author leaves a few details out such as the intermittent activation, for example it was only activated on day 7 and day 21, and other stuff like size of this.
autokad about 7 years ago
"Realtek, which means that the authors of the worm were somehow able to break into the most secure location in a huge Taiwanese company"
Err, no. The companies gave the US access. As for all the 'unknown windows vulnerabilities' it exploited, I wouldn't be 100% surprised if Microsoft left the vulnerabilities for whatever security agency that made it.
mrep about 7 years ago
Damn that guy can write! I've read this story 4 times now since it was posted and it still gives me goose bumps to read it.
agumonkey about 7 years ago
- windows security is not Uranium HD Ready /s
- remember systems evolve, these failures aren't hard to harden, both at the electromechanical and human level.
- raw network and electronic activity can be monitored
- is there a way to render MITM UI (the fake display loop) impossible ? a feedback loop pc -> devices, and if deltas are too high ALERT ?
ps: is IBM refining radioactive material ? ;)
eddywebs about 7 years ago
It is worth noting the stuxnet worm version that affected Iranian nuclear facilities only attacked certain industrial control systems built by Siemens, otherwise the worm stays dormant. The worm allegedly had signed drivers which could be state sponsored inside job to get signing facilitated.
chiefalchemist about 7 years ago
...ever written...that we, the general public, are aware of.
If Stuxnet's discovery was a "bug" and that hole has since been plugged, then there's likely plenty we aren't aware of.
Minor, but still important to note (for context).
Dolores12 about 7 years ago
So stuxworm is more sophisticated than an OS it's written for? Sounds ridiculous.
nodesocket about 7 years ago
There is a good documentary on STUXnet on Youtube https://www.youtube.com/watch?v=TGGxqjpka-U.
jaclaz about 7 years ago
IMHO monitoring/controlling a high-speed centrifuge with Windows (or with any non-real-time-OS for that matter) is actually a huge design flaw, there is even a warning somewhere in MS documentation about Windows not being suited to Real Time operation, and RTOS are specifically used/needed for closed-loop applications (such as monitoring and controlling motors).
References (National Instruments):
http://www.ni.com/white-paper/3938/en/
http://www.ni.com/white-paper/14238/en/
vazamb about 7 years ago
I highly recommend "Avogadro Corp: The Singularity Is Closer Than It Appears" by William Hertling to anyone interested in some good AI scifi around computer worms/virus.
LargeWu about 7 years ago
I wonder how many people have Stuxnet on their devices to this day and have no idea. It would be interesting to see how this spread, from an epidemiological standpoint.
calabin about 7 years ago
I'd recommend Kim Zetter's book on this subject: https://amzn.to/2rQUGnq
j45 about 7 years ago
Stuxnet might be the most sophisticated worm ever written with the number and types of layers it drills through.
There is likely far more complex and sophisticated software elsewhere.
omribahumi about 7 years ago
I wonder how many people worked on this, and for how long
ixtli about 7 years ago
Out of curiosity, do we know that the state actors that built stuxnet didn't simply pay or force those taiwanese companies to turn over the keys?
gibbsnich about 7 years ago
See "Zero Day: Stuxnet and the Launch of the World's first Digital Weapon" by Kim Zetter for many more details about Stuxnet.
jerkstate about 7 years ago
Weird how the US IC developed and deployed such advanced software while agreeing that Iran was not developing nuclear weapons.
mariusmg about 7 years ago
I bet it was a bitch to debug and test it :)
crunchlibrarian about 7 years ago
The only really interesting part is finding and keeping OS bugs secret. I wonder how many more the NSA is sitting on?
yoyar about 7 years ago
Without a doubt the article is fascinating but without defining what we mean by sophisticated how can we debate this?
trisimix about 7 years ago
So what if I run my top secret weapons grade uranium producing plant on a sanely secure operating system, like linux.
chvid about 7 years ago
Good that the Americans and or Israelis got what they wanted without bombing away ...
Wheaties466 about 7 years ago
I'm surprised that everyone keeps referencing the book and not the Documentary/Movie
Zero days
https://www.imdb.com/title/tt5446858/
INTPenis about 7 years ago
How do you define sophisticated? Complex or elegant? Because if it's more towards the latter then I'd suggest the software that took humans to the moon and back, several times, is much more sophisticated.
But from reading the article it seems the author is aiming more for complex than elegant.
nihil75 about 7 years ago
writer has no idea how worms, exploits & antivirus programs work.
bitL about 7 years ago
* the most sophisticated software reviewers have seen so far
santoshalper about 7 years ago
Whether he is right or wrong, that was a fantastic writeup.
hsnewman about 7 years ago
This is pure opinion. I've heard that the code for bitcoin is pretty complex too. But since this is opinion, it's all a debate. I kind of think the linux kernel or Windows OS might be in the running too.
drumttocs8 about 7 years ago
Why so many upvotes for a pretty typical Quora answer? Stuxnet certainly made a big impact, but do we really think it's that sophisticated?
tony2016 almost 7 years ago
Any links to any of its source code?
diminish about 7 years ago
TLDR; a team of state-sponsored developers & engineers with access to a huge list of vulnerabilities across windows, drivers and industrial equipment designed a worm to malfunction centrifuges used in uranium enriching with multiple hops of infection and stealth mode of operation.
Don't get me wrong, but "sophisticated" doesn't exactly mean obscure and stealth which is what stuxnet worm is all about. With access to all those vulnerabilities, I would call the worm implementation straightforward & stealth rather than sophisticated. Most likely the engineers didn't have much choice than to proceed in one possible way to be able to make it work. If one of the vulnerabilities didn't then stux.net wouldn't exist.
ssijak about 7 years ago
And then people make a fuss about Russia "hacking" the election with some dumb Facebook ads which cost less than maxed out Ford Mustang.
When on the other hand we have the state-sponsored military grade/purpose viruses used to attack other nations/regions (Flume attacked a large number of targets and countries) and nobody blinks an eye.
KasianFranks about 7 years ago
Wrong. Ask the NGA.
daenz about 7 years ago
I want to do this.
andrelaszlo about 7 years ago
What do you think, are the authors of Stuxnet reading Hacker News? I wonder how tempting it is to comment, and what the repercussions would be.
Lionsion about 7 years ago
> The most sophisticated software in history was written by a team of people whose names we do not know.
Isn't this hyperbole? I'd grant that Stuxnet is probably the most sophisticated *malware* ever written, but calling it the most sophisticated *software* is a big stretch.
Stuxnet seems to be the product of a competent, professional, and well-funded software engineering organization that writes malware and understands the domain of computer espionage. That was unprecedented in the malware space, but it's not if you include other domains.
jacksmith21006 about 7 years ago
More sophisticated than self driving car software?
olfactory about 7 years ago
Considering that we have known about Stuxnet for nearly a decade, why are we still using OS technology that makes such changes/intrusions/phoning-home so easy to conceal?
rbosinger about 7 years ago
A somewhat crazy guy once told me that he worked on Stuxnet. Obviously I didn't believe him. But he did seem to know quite a bit about it. How weird would it be if he wasn't lying. I mean, somebody had to work on this somewhere.