Stuxnet is embarrassing, not amazing

Real Mossad Operatives Ship.<p>These guys weren't making a paean to beautiful, hardened software to impress their hacker friends. They needed to get the simplest, most reliable and effective code possible out the door in as short a time as possible.<p>Israel bought itself a few more years of a nuke-free Iran. This is a successful, amazing, even miraculous outcome. Outside of nerd circles, software is measured by results, not architecture or complexity. Beautiful systems that never ship are fine for weekend projects but, uh, we're talking about stopping a <i>nuclear weapons program here</i>. It's a bit like saying that Apollo 11 was bullshit because the accommodations weren't anywhere near as nice as flying on Pan Am.<p>Stuxnet is the Jack Bauer of software. Rough edges but badass and gets the job done under impossible circumstances.

Stuxnet worked. Very well. It was out in the wild, by best estimates, for over two years before it was detected. During that time it caused complete chaos within the Iranian nuclear program (to the point where some officials were executed on the suspicion of espionage).<p>This post and its backhanded compliments are very arrogant in a way that epitomizes everything that is wrong with the security industry. It is a game of one-upmanship amongst those who can talk the talk but not walk the walk. This blog post is basically:<p><i>Dear most successful team of virus and backdoor writers in history who completely changed the paradigm for what worms can do, I suggest you read this book that I probably know nothing about or haven't read and definitely do not understand. Ps. here are a ton of links to stuff I googled that you didn't do, pss. isn't it awesome that you are anonymous and can't respond to my criticism? psss. Did you get the part about me being smart?</i><p>Pathetic. To make it worse, the entire industry is full of such assholes.

I know nothing about malware, but I know a lot about shipping production software.<p>- Simpler is better than complicated. As pointed out in one of the comments on the article, increasing complexity increases risk of failure.<p>- Proven techniques are, uhh, proven. Newer techniques are inherently riskier.<p>- Really speculating here, but maybe impenetrable obfuscation was actually undesirable? I wonder if the authors, (seems to be Israel and/or US), wanted Iran to figure out who was behind it. A successful cyber-attack means that future attacks of the same sort are possible, and adds a bargaining chip to the Israeli/US side. This can lead to Iranian concessions down the road. Without a proven success, a similar negotiation tactic would have to be much more difficult.

<i>No wireless. Less space than a nomad. Lame.</i><p>Substitute any of a thousand critiques of &#60;any language except Lisp|Haskell&#62;, Windows, Linux, you name it that is out in the world getting its job done.

Most of the comments here seem to be of the form "Well, maybe Stuxnet isn't that elegant, but it got the job done and that's what matters", but is it really that bad of software? All the technical people I've heard discuss the software in person gush over how advanced and clever it is. Can anyone point me toward a more technical discussion of Stuxnet which could confirm/dispute the OP's view?

Stuxnet is a hugely complex piece of code already, and it's something that needed to be as bug free as possible, and that means avoiding unnecessary complexity.<p>A key part of being a software developer is knowing when to make trade-offs rather than striving for "perfection".<p>The virus did it's complex job successfully. Building a piece of software of this complexity that has to work in an unknown environment first time is amazing.

The current interpretation of events is that Stuxnet is a project of the Israeli government which has been at least partially successful in slowing Iran's attempts to build nuclear weapons.<p>Considering that the alternative would be bombing of nuclear facilities involving perhaps unauthorized overflights of neighboring countries and the risk of inflaming a hot war in the middle east (through the overflights and the bombings) I don't think I can rate this operation as anything other than a huge success.

The simplicity of the design makes it easy to point fingers at non-US / Israeli sources. Via the simplistic design the US and Israel have plausible deniability. When a piece of malware looks no different than any other released last year then it could well have been developed by bulgarian teenagers. Bulgarian teenagers will raise less international issues than using advanced techniques that only the highly trained CIA / NSA / Mossad operatives have.

As to the "in a hurry" bit, we know that to be true, or at least we do if we believe the recent NYT article. Obama was, according to that article, briefed on Stuxnet before coming into office. As soon as he was in office, he rushed the program. It may be that he simply removed some bureaucratic hurdles, or he may have told the team that said they needed 9 months to get in done in 4. I suspect we'll never know.

I don't see what the problem is... I thought everyone was in favour of launching with a minimal viable product these days.<p>But seriously, maybe the thing was cobbled together from a whole bunch of government workers/contractors who didn't really know what they were building. Sort of like that film, Cube. Hence the lack of finesse.<p>Or, maybe they wanted it to be analysed so other factions would be less wary of it. I mean, who knows.

I think it's safe to assume Iran will no longer control their nuclear facilities with Windows boxes...

It may be that the authors did not want to telegraph their true capabilities to other state actors with cyberwarfare units. Although Iran is one such nation, the outcome suggests they're too far behind to constitute a threat.<p>More sophisticated states are looking at this and either learning: 1) that Israeli/US offensive cyberwarfare capability is much weaker than they previously believed, or 2) nothing, because they already know better.

Or perhaps the software got an accidental "early release"?

I do not understand this criticism at all. Stuxnet worked, right?

You don't want to hide your weapons in an arms race.

Consider this:<p>-Obfuscation is often used to obscure the operative. I submit the conclusion that Stuxnet was 'dumbed' down on purpose to obscure which country wrote it. Also by obfuscation of the virus one can also send a strong message of 'You do not know who attacked and you will never know'