WEBVTT - What is Stuxnet? 0:00:00.280 --> 0:00:02.960 Brought to you by the reinvented two thousand twelve Camray. 0:00:03.160 --> 0:00:08.920 It's ready. Are you get in touch with technology with 0:00:09.039 --> 0:00:17.840 tech Stuff from how stuff works dot com. Hello again, everyone, 0:00:17.880 --> 0:00:20.200 and welcome to tech stuff. My name is Chris Polett, 0:00:20.239 --> 0:00:22.400 and I am an editor at how stuff works dot com. 0:00:22.400 --> 0:00:25.759 Sitting across from me as always a senior writer, Jonathan Strickland. George, 0:00:26.079 --> 0:00:29.480 you've heard about this virus? Shall I cough on you? George? 0:00:32.440 --> 0:00:35.720 That was a good one. Yeah, that's from a classic film, definitely. 0:00:36.120 --> 0:00:38.040 I actually know where that comes Oh yeah, wow, I 0:00:38.040 --> 0:00:40.120 can't believe you've seen that one. I haven't. I just 0:00:40.159 --> 0:00:42.440 know where it comes from. All right, Well, we're going 0:00:42.479 --> 0:00:51.320 to launch directly into a little listener mail. This listener 0:00:51.320 --> 0:00:53.840 mail comes from Patrick, who says, Dear text Stuff, I 0:00:53.920 --> 0:00:56.400 really think an appropriate topic for discussion would be the 0:00:56.440 --> 0:00:59.120 infamous stucks net that has been all over the news 0:00:59.200 --> 0:01:01.000 these past few months. Thank you, and I hope to 0:01:01.000 --> 0:01:04.440 hear from more from you guys. Well, Patrick, we thought 0:01:04.480 --> 0:01:07.240 we'd tackle stucks net to We've talked about a couple 0:01:07.240 --> 0:01:09.640 of times in other podcasts, just kind of mentioning it 0:01:09.680 --> 0:01:12.840 off hand, and of course we've done podcasts about viruses 0:01:12.880 --> 0:01:16.360 and worms before. But the stucks net is it's is 0:01:16.400 --> 0:01:21.560 a particularly interesting form of malware. Yes, yes, it is 0:01:21.600 --> 0:01:25.360 in fact a worm um and UH one of the 0:01:25.400 --> 0:01:29.440 reasons it's so interesting is because it is extremely complex. 0:01:30.440 --> 0:01:34.840 It seems to be targeted at a specific purpose, and 0:01:34.880 --> 0:01:37.480 if if not a specific purpose, as a specific location. 0:01:38.440 --> 0:01:43.080 And uh, no one officially knows where it came from. 0:01:43.560 --> 0:01:46.720 Somebody knows, but it's It does also seem to be 0:01:46.920 --> 0:01:51.640 a state sponsored um virus, or at least some department 0:01:51.720 --> 0:01:55.440 in some country appears to be responsible for it, based 0:01:55.520 --> 0:01:59.800 upon the various investigations that have gone on since the 0:02:00.040 --> 0:02:03.120 discovery of stocks net. Yeah. Now, it's important to note 0:02:03.560 --> 0:02:05.600 that we have to be careful when we talk about 0:02:05.640 --> 0:02:08.600 that because we don't know for sure. And as we 0:02:08.639 --> 0:02:12.560 have mentioned many times before, probably most notably in our 0:02:13.560 --> 0:02:17.880 hacking of Google and China discussions that we've had before, UM, 0:02:17.919 --> 0:02:20.200 it is possible to make an attack look like it 0:02:20.280 --> 0:02:23.280 came from someone it didn't, and that'll that will come 0:02:23.360 --> 0:02:26.080 up later in our discussion too. But UM, you know 0:02:26.160 --> 0:02:28.840 it it appears that way, but there's really no way 0:02:29.320 --> 0:02:32.040 for UH to tell for sure. And and and we've 0:02:32.040 --> 0:02:37.160 had some very dedicated computer security experts looking into this. 0:02:37.840 --> 0:02:42.720 So some seriously talented people have been evaluating this the 0:02:42.800 --> 0:02:46.359 stucks net worm and have been unable to determine that 0:02:46.680 --> 0:02:49.680 for sure. So do you want to uh, should we start? 0:02:49.720 --> 0:02:52.000 I guess we This really all started back in two 0:02:52.000 --> 0:02:54.919 thousand nine as far as we know, Yes, yes, So 0:02:55.600 --> 0:02:58.760 let's let's give a brief overview of what stucks net 0:02:59.040 --> 0:03:02.440 is and what it's meant to do. So stocks net 0:03:02.560 --> 0:03:06.359 is a worm, is a Windows based worm, so it's 0:03:06.440 --> 0:03:10.080 this isn't This is not a you know, that doesn't 0:03:10.120 --> 0:03:13.480 target Lenox, it doesn't target mac os, targets machines running 0:03:13.560 --> 0:03:17.760 various forms of the Windows operating system. And as far 0:03:17.919 --> 0:03:19.880 as we are able to determine it by the time 0:03:19.880 --> 0:03:25.840 of this recording, it originally spread through USB sticks or 0:03:25.960 --> 0:03:30.520 USB drives. Yes, it is not. It is not propagated 0:03:30.720 --> 0:03:33.680 primarily over the Internet, right, And the reason for that 0:03:33.880 --> 0:03:38.720 is because the intended target of stocks net that tends 0:03:38.760 --> 0:03:42.480 to be disconnected from the Internet, so you can't target 0:03:42.520 --> 0:03:45.960 it from the Internet. That that specific target is well. 0:03:46.440 --> 0:03:52.120 Stocks net is able to attack factory systems. Yes, it 0:03:52.200 --> 0:03:56.960 actually targets a series of vulnerabilities in the Windows operating system, 0:03:57.000 --> 0:04:00.680 which I understand have been patched at this time at 0:04:00.680 --> 0:04:04.200 the time the ducks net virus was written, or the 0:04:04.200 --> 0:04:07.880 original one was written. Um, it was aimed at several 0:04:07.920 --> 0:04:12.960 vulnerabilities and use those vulnerabilities to get at industrial control 0:04:13.000 --> 0:04:18.920 systems for gas pipelines and power plants right and aimed 0:04:18.960 --> 0:04:22.200 as very specific hardware connected to Windows networks. And in 0:04:22.240 --> 0:04:25.400 fact the ultimate target for this turned out to be 0:04:25.480 --> 0:04:32.320 some centrifuges in Iranian uh nuclear facilities. So these were 0:04:32.320 --> 0:04:36.920 centrifugures that were designed to to process uranium, and the 0:04:36.960 --> 0:04:42.039 idea here apparently was to infect systems so that an 0:04:42.040 --> 0:04:47.440 outside controller could gain access to the systems and overload 0:04:47.480 --> 0:04:51.680 them in such a way as to cause possibly irreparable 0:04:51.760 --> 0:04:54.599 damage to the facilities. Now, as it turns out, that 0:04:54.640 --> 0:04:56.840 does not seem to have happened. It doesn't look like 0:04:56.880 --> 0:05:00.839 the damage was was as deva stating as it could 0:05:00.880 --> 0:05:04.440 have been, and there's some interesting explanations for why that is. 0:05:04.839 --> 0:05:09.320 One of which is that some security experts have said 0:05:09.640 --> 0:05:13.279 stucks net is kind of like a double layer worm, 0:05:14.360 --> 0:05:17.600 the core of which is incredibly complex. One of the 0:05:17.640 --> 0:05:21.719 most sophisticated worms possible, but the outer layer of which 0:05:22.160 --> 0:05:26.960 is less complex and that because of the the reduced complexity, 0:05:27.000 --> 0:05:29.359 this is the layer that is that's specifically designed to 0:05:29.360 --> 0:05:34.679 help hide stucks net from prying eyes and discovery. Because 0:05:34.800 --> 0:05:38.960 it was less sophisticated, it was not as difficult to discover, 0:05:39.240 --> 0:05:44.000 although it took an entire year before anyone saw it. Um, 0:05:44.000 --> 0:05:46.760 it's not it's not so hard to discover that is 0:05:46.839 --> 0:05:51.000 impossible to weed it out. So if the outer layer 0:05:51.040 --> 0:05:53.040 had been as sophisticated as the inner layer, it may 0:05:53.080 --> 0:05:55.680 even be that we still would not know what stucks 0:05:55.680 --> 0:06:00.560 net is so infecting, you know. The idea here is 0:06:00.560 --> 0:06:03.120 that you you send in some sort of infected USB 0:06:04.120 --> 0:06:08.960 uh media, whether that's a USB stick or a an 0:06:08.960 --> 0:06:13.039 external drive or some other device that could contain the 0:06:13.160 --> 0:06:16.320 stuck net code in it, connected to a computer that's 0:06:16.360 --> 0:06:20.479 within this network that's not connected to the Internet necessarily, 0:06:20.839 --> 0:06:22.600 or maybe there's like a couple of machines on the 0:06:22.640 --> 0:06:24.760 periphery that are connected to the Internet, but the main 0:06:25.080 --> 0:06:28.960 machines aren't. You infect the machine within that network, then 0:06:29.080 --> 0:06:32.880 the worm spreads within inside that network until it hits 0:06:32.920 --> 0:06:37.040 those critical systems that that are connected to the the 0:06:37.080 --> 0:06:41.440 factory environment right now. UM I I read an interview 0:06:41.680 --> 0:06:46.000 with security expert Ralph Langner who spoke with Eleanor Mills 0:06:46.120 --> 0:06:50.679 of c net UM and Langner said a good way 0:06:50.720 --> 0:06:54.640 to get this virus in place would be to infect 0:06:55.040 --> 0:06:58.720 a one of the contractors who worked with these power 0:06:58.800 --> 0:07:02.960 systems um SO a contractor in this case a trusted 0:07:03.240 --> 0:07:06.760 business partner. Hey can you come in and fix this machine? 0:07:07.200 --> 0:07:12.080 So if you can infect UH somebody else and have 0:07:12.440 --> 0:07:14.960 you know their machines or at a USB drive and 0:07:15.040 --> 0:07:17.840 have them take the virus in on foot with a 0:07:17.920 --> 0:07:22.120 USB stick and put it on a computer inside the 0:07:22.160 --> 0:07:26.480 power plant. UM then this person who already had clearance 0:07:27.240 --> 0:07:29.000 is you know, you don't have to worry about getting 0:07:29.000 --> 0:07:32.600 it into the impregnable. You don't have to do hard 0:07:32.880 --> 0:07:36.640 impossible type thing to get in there and plant this stuff. 0:07:36.840 --> 0:07:39.320 You can use a lower point of security for that. 0:07:40.000 --> 0:07:42.040 And the reason he thinks that, I'm sorry to interrupted 0:07:42.760 --> 0:07:46.840 the reason he thinks that, based on on my readings 0:07:46.880 --> 0:07:51.240 of his theory, UM there were other UH countries that 0:07:51.280 --> 0:07:56.400 were infected to including Indonesia, India and Pakistan who all 0:07:56.560 --> 0:08:01.360 used this one same contractor, a Russian contractor who worked 0:08:01.440 --> 0:08:06.400 on the the Bush Air nuclear power plant in Iran. 0:08:07.520 --> 0:08:10.720 So the same contractor worked at all those places and 0:08:11.840 --> 0:08:15.320 Stuck snat surfaced and all those locations. So I think, 0:08:15.360 --> 0:08:19.080 based on that you've got you've got yeah, I mean 0:08:19.120 --> 0:08:23.160 he's that that's a logical idea. Yeah, So I think 0:08:23.200 --> 0:08:25.440 based on on that information, he said, well, you know what, 0:08:25.480 --> 0:08:29.040 I bet that's how they did it. And the goal 0:08:29.120 --> 0:08:31.680 here is that at least one of those machines within 0:08:31.720 --> 0:08:35.000 that network has to have some sort of connection to 0:08:35.040 --> 0:08:38.080 the Internet. If it doesn't, then you cannot control from 0:08:38.160 --> 0:08:42.040 outside the network. You cannot control what's going on inside 0:08:42.040 --> 0:08:46.200 the factory. But but the in general, the the factory 0:08:46.240 --> 0:08:49.480 systems themselves are not connected the Internet. There's a gap there, 0:08:49.559 --> 0:08:52.679 it's air gap. That's what it's often called um. But 0:08:52.840 --> 0:08:55.920 as long as you can get control of the network 0:08:55.960 --> 0:08:58.640 that is, in turn connect to the factory systems, you 0:08:58.720 --> 0:09:02.840 might you have the oportunity to infect them. And what's 0:09:02.840 --> 0:09:07.400 interesting is the original version of Stuck's net required use 0:09:07.559 --> 0:09:11.640 auto run to initiate itself, but you can turn auto 0:09:11.720 --> 0:09:16.040 run off on your machine. So if you are let's 0:09:16.040 --> 0:09:18.840 say you work for a facility where security is a 0:09:18.840 --> 0:09:21.480 major concern. You may have a policy that auto run 0:09:21.559 --> 0:09:25.560 must be disabled, so that way nothing no malware that 0:09:25.760 --> 0:09:30.120 uses auto run would automatically upload itself to your system. Well, 0:09:30.160 --> 0:09:33.640 the the next generation of stucks net, which, by the way, 0:09:33.679 --> 0:09:36.240 but the first two generations of stuck snet were deployed 0:09:36.280 --> 0:09:39.440 before we ever knew that they existed. Well, anyone not 0:09:39.559 --> 0:09:44.680 connected to the the the scheme had no idea they existed. 0:09:45.080 --> 0:09:47.680 We didn't know they existed until I wasn't July of 0:09:47.720 --> 0:09:53.480 two when it first showed up. But they think it 0:09:53.520 --> 0:09:56.640 could have been out in the wild and looking for 0:09:56.840 --> 0:10:01.000 targets as or I shouldn't say that, because we were 0:10:01.040 --> 0:10:02.840 just saying that it doesn't spread of the internet. It 0:10:02.880 --> 0:10:06.760 was available and ready to go as uh, possibly even 0:10:06.800 --> 0:10:10.079 a year earlier, but they don't know for sure. Well, 0:10:10.160 --> 0:10:12.160 essentially a full year had passed since it had been 0:10:12.200 --> 0:10:15.439 first deployed and when it was first discovered. That's true. Yeah, 0:10:15.480 --> 0:10:18.200 they first spotted it in the summer of two thousand nine. Well, 0:10:18.240 --> 0:10:22.400 the later generations used a vulnerability in l n K 0:10:22.960 --> 0:10:29.240 which allows the exploit to essentially install itself. Basically, what 0:10:29.280 --> 0:10:33.640 happens is you plug your USB stick that happens to 0:10:33.720 --> 0:10:36.360 be UM infected with the stuck s net virus into 0:10:36.440 --> 0:10:41.920 your computer, and then you decide to use uh explorer 0:10:42.240 --> 0:10:45.080 to look at what is on that that memory stick. 0:10:45.200 --> 0:10:47.640 Just by using Explorer to open up the memory stick, 0:10:47.800 --> 0:10:50.880 you have uh that that's all it takes for stocks 0:10:50.920 --> 0:10:54.480 net to then in fact that computer, now your basic computer. 0:10:54.600 --> 0:10:56.839 Like you guys out there who are using your computers, 0:10:57.240 --> 0:11:00.079 stucks net would not do anything to your machine. You 0:11:00.080 --> 0:11:02.640 wouldn't get any you know, you're not you're not being 0:11:02.640 --> 0:11:06.440 spied on, You're not being uh, your your computer is 0:11:06.440 --> 0:11:09.240 not gonna start acting weird. The whole purpose of stuck 0:11:09.280 --> 0:11:14.000 snet is to affect these factory systems, not individual users computers. Yes, 0:11:14.040 --> 0:11:17.359 and in fact it's looking specifically for a semen sematic 0:11:17.440 --> 0:11:21.200 wind c C step seven uh software. And most of 0:11:21.240 --> 0:11:23.680 us don't have that. No, I don't I I don't 0:11:23.679 --> 0:11:25.720 have it on my Windows installations. No, it's not even 0:11:25.720 --> 0:11:30.960 in Minecraft. So yeah, if you don't have that, then 0:11:31.000 --> 0:11:32.920 it's not going to target you. But if you are 0:11:33.559 --> 0:11:38.959 running a very large system like a water facility, power facility, 0:11:39.160 --> 0:11:44.240 nuclear power facility, which of course that was the main target, UM, 0:11:44.360 --> 0:11:46.559 then you'd have to be concerned about this, and the 0:11:46.800 --> 0:11:49.640 the other part of this that was really interesting is that, 0:11:50.559 --> 0:11:54.439 like Chris said, it targeted several vulnerabilities, not just one. Right, 0:11:54.480 --> 0:11:57.640 your typical virus or worm, especially if it's developed by 0:11:57.640 --> 0:12:00.719 someone who just you know, knows an enough to get 0:12:00.760 --> 0:12:03.040 into trouble, but not like enough to make a really 0:12:03.040 --> 0:12:07.520 sophisticated tool. Those tend to target a single vulnerability, but 0:12:07.640 --> 0:12:10.280 Stuck's net was much more sophisticated, and it used a 0:12:10.320 --> 0:12:13.800 series of vulnerabilities to spread itself. The one of the 0:12:13.800 --> 0:12:16.080 other things that that the reasons why it was able 0:12:16.120 --> 0:12:19.760 to install itself without checking for a certificate is because 0:12:19.800 --> 0:12:25.080 it stole certificates. Yes, And that's that's another interesting point too, 0:12:25.160 --> 0:12:30.520 because originally it had used and used an official certificate yes, 0:12:31.160 --> 0:12:35.520 that had been stolen and uh, they revoked that certificate, 0:12:36.200 --> 0:12:42.520 and it surfaced very shortly thereafter with another yes exactly, 0:12:42.559 --> 0:12:45.160 so it appears to be completely legit. And the two 0:12:45.200 --> 0:12:49.000 certificates came from two companies that exist within a few 0:12:49.080 --> 0:12:53.120 miles of each other in Taiwan. Interesting. Yeah, interesting huh. 0:12:53.320 --> 0:12:58.840 So that suggests that someone, maybe another contractor, was specifically 0:12:59.240 --> 0:13:04.160 stealing electronic certificates from other from companies in order to 0:13:04.360 --> 0:13:06.720 mask this stuff. And that's the thing is that if 0:13:06.760 --> 0:13:09.160 you if you've told your computer or your if your 0:13:09.200 --> 0:13:13.840 network administrator has told all the computers to trust UH 0:13:14.000 --> 0:13:18.680 software that comes from a particular source, and it bears 0:13:18.720 --> 0:13:23.280 that certificate, then there's no reason for the computer to say, Hey, 0:13:23.480 --> 0:13:26.120 I see you're trying to upload stuck snet. Are you 0:13:26.160 --> 0:13:30.120 sure you want to continue? Thanks clippy. UM, you see 0:13:30.160 --> 0:13:32.360 you're trying to bring down the system from within. Do 0:13:32.400 --> 0:13:36.640 you need help with that? And when I'm trying to 0:13:36.679 --> 0:13:40.040 think of something to say, don't sorry now um. And 0:13:40.080 --> 0:13:44.720 that's that's funny that you mentioned the Taiwanese connection, because 0:13:45.200 --> 0:13:47.960 when stuck snet is in operation, it is it actually 0:13:48.080 --> 0:13:50.680 makes tries to make contact with two control servers in 0:13:50.720 --> 0:13:54.120 Malaysia in Denmark, and it does use a peer to 0:13:54.240 --> 0:13:58.080 peer scheme to compare versions of itself and update to 0:13:58.120 --> 0:14:01.720 the most recent version. So it is it is checking. 0:14:02.400 --> 0:14:04.920 It may not necessarily have an Internet connection, but if 0:14:04.960 --> 0:14:07.920 it's UH, if it can find other versions of itself 0:14:07.960 --> 0:14:11.280 on the intra net where it is located, it will try. UM. 0:14:11.360 --> 0:14:13.800 The diversions will try to update themselves to the most 0:14:14.320 --> 0:14:18.240 current version to take advantage of any vulnerabilities that might 0:14:18.280 --> 0:14:22.640 be available to it. UM. And this is I mean, 0:14:22.680 --> 0:14:27.280 it's it's really fascinating stuff. UM. I also read another 0:14:27.400 --> 0:14:32.920 article uh with security expert Bruce Schneier, who uh some 0:14:32.960 --> 0:14:35.160 of you might have heard of. Actually he's a pretty 0:14:35.160 --> 0:14:41.080 outspoken guy. UM. You know, information suggests that uh, you 0:14:41.120 --> 0:14:44.640 know it uh may have infected as many as a 0:14:44.720 --> 0:14:49.200 hundred thousand or even more computers worldwide, but about six 0:14:49.840 --> 0:14:53.600 that was in uran UM, which suggests that Iran was 0:14:53.680 --> 0:14:58.080 in fact the target, and specifically, Ralph Langer had found 0:14:58.160 --> 0:15:00.560 and in his partners at his firm had found data 0:15:00.600 --> 0:15:04.760 structures in the netens facility UH in Iran that that 0:15:04.920 --> 0:15:07.600 matched that specifically matched the stucks net code. So it 0:15:07.680 --> 0:15:14.280 is possible that uh, it was aimed at that particular facility, 0:15:14.440 --> 0:15:18.640 and you know, in particular was totally redundant, un repetitive. 0:15:19.320 --> 0:15:23.680 But let me reiterate, there was a there were several articles. 0:15:23.720 --> 0:15:27.880 The Telegraph, UM and New York Times have published articles 0:15:27.880 --> 0:15:32.680 that suggest uh that uh, you know that that that's 0:15:32.840 --> 0:15:36.400 facility in particular was the target. And the idea here 0:15:36.520 --> 0:15:39.640 is that it would it was an effort to disrupt 0:15:40.120 --> 0:15:43.760 Iran's nuclear program, and that, like I said, the idea 0:15:43.840 --> 0:15:46.720 was that you would uh make the centrifuges that are 0:15:47.240 --> 0:15:52.000 um processing the uranium in these facilities to spend too 0:15:52.040 --> 0:15:58.600 fast and to essentially break them UM. And what's really 0:15:58.640 --> 0:16:01.120 fascinating to me is that stucks Net didn't just what 0:16:01.360 --> 0:16:03.560 wasn't just designed to go there and just immediately ramp 0:16:03.600 --> 0:16:08.640 everything up. It actually would analyze the operations of the 0:16:08.680 --> 0:16:12.600 facility for several days for two reasons. One to determine 0:16:12.600 --> 0:16:17.120 what would be the most disruptive course of action. So, 0:16:17.160 --> 0:16:19.400 in other words, if the centrifuges are turning in a 0:16:19.400 --> 0:16:24.720 certain number of revolutions per second, how many more does 0:16:24.760 --> 0:16:27.400 it need for it to be the perfect amount to 0:16:27.440 --> 0:16:32.800 be disastrous without immediately setting off all the alarms. The 0:16:32.840 --> 0:16:37.200 second was that the reason it was observing for several 0:16:37.280 --> 0:16:43.600 days was to create a kind of partitioned system so 0:16:43.640 --> 0:16:46.120 that when people are looking at their monitors and are 0:16:46.120 --> 0:16:49.560 trying to upload code to fix the problem, that it 0:16:49.640 --> 0:16:54.600 all is um. It's a it's all segregated from those 0:16:54.640 --> 0:16:57.240 factory systems. So if you're looking at the screen, if 0:16:57.240 --> 0:16:59.920 you're an engineer looking at your screen trying to fix 0:17:00.040 --> 0:17:03.920 the problem. What you see looks like the problems fixed, 0:17:04.359 --> 0:17:07.080 that the code you've uploaded has gone in and that's 0:17:07.119 --> 0:17:09.639 been incorporated and that's taking care of the problem. But 0:17:09.720 --> 0:17:13.680 in reality, those centrifutures are still spinning like crazy. And 0:17:13.800 --> 0:17:15.760 that was the really clever thing. It's the idea of 0:17:15.800 --> 0:17:18.840 like you pull this mask down or that you know, 0:17:18.880 --> 0:17:22.760 you you shield what's really happening, and all the the 0:17:22.880 --> 0:17:25.680 monitoring systems don't show that anything's going wrong at all. 0:17:25.720 --> 0:17:30.720 That that's pretty devious and that was another reason why 0:17:31.160 --> 0:17:34.159 security experts call this a very sophisticated attack, because it 0:17:34.200 --> 0:17:38.280 wasn't just that it was able to infect systems, you know, efficiently, 0:17:38.600 --> 0:17:41.760 it was able to mask that infection somewhat. And there's 0:17:41.880 --> 0:17:43.840 also it also involved a root kit, so if you've 0:17:43.880 --> 0:17:46.240 listened to our root kit podcast, there was a root 0:17:46.320 --> 0:17:49.800 kit element to this as well. And m yeah, I 0:17:49.840 --> 0:17:53.560 thought that was a pretty neat idea. The and and 0:17:53.760 --> 0:17:58.320 a lot of the the attribution for this. As we said, 0:17:58.480 --> 0:18:00.480 we still don't know for sure who did it, no right, 0:18:01.359 --> 0:18:04.080 but you'll if you if you do research on it 0:18:04.720 --> 0:18:07.360 and you start looking around at articles that were published 0:18:07.640 --> 0:18:13.240 this year, you'll see that the there's some common elements 0:18:13.280 --> 0:18:16.760 popping up that at least one Western power was involved 0:18:16.800 --> 0:18:20.359 in this, and that Israel was involved in it. Yes, 0:18:20.560 --> 0:18:23.399 a lot of a lot of fingers initially pointed to 0:18:23.400 --> 0:18:27.919 the United States government, UM, and which is still a possibility, 0:18:27.960 --> 0:18:31.160 which is you know, yeah, as is the British government. UM. 0:18:31.200 --> 0:18:34.600 Bruce Snyer. It's so hard to say. Bruce Schneier said 0:18:34.640 --> 0:18:37.800 that he thinks that around eight to ten people spent 0:18:37.920 --> 0:18:42.040 about six months, maybe a little longer on creating this 0:18:43.040 --> 0:18:49.520 UM and uh, you know, they think that Israel has 0:18:50.040 --> 0:18:53.840 mentioned I read one article from Schneier that suggested had 0:18:53.960 --> 0:18:57.240 had a number of references in it. UM. There bits 0:18:57.280 --> 0:19:01.240 of code that have dates in them that appeared to 0:19:01.280 --> 0:19:08.719 be yes, dates important dates in Iranian Israeli relationship, and 0:19:08.800 --> 0:19:11.720 in an incredibly negative way. We're talking like dates of 0:19:11.760 --> 0:19:15.480 assassinations and things of that and things like that. UM. 0:19:15.520 --> 0:19:17.719 Some people have said that they just happened to be 0:19:17.800 --> 0:19:20.280 the code that you needed to get that done, the 0:19:20.320 --> 0:19:23.160 particular function in the software done, and it just so 0:19:23.280 --> 0:19:25.920 happened to end up like that, which is possible, Which 0:19:25.960 --> 0:19:28.840 is completely possible if you've ever seen any of those theories, 0:19:29.080 --> 0:19:33.600 any numerology theory where they say this number is significant 0:19:33.640 --> 0:19:36.960 because blah blah blah. Uh. A lot of that ends 0:19:37.000 --> 0:19:40.320 up being confirmation bias, which is that's a logical fallacy. 0:19:40.400 --> 0:19:43.440 That's when you look at something and you count all 0:19:43.480 --> 0:19:46.440 the hits and you ignore all the misses. So it's 0:19:46.480 --> 0:19:50.119 possible that this is another case of that. So we 0:19:50.200 --> 0:19:52.400 have to keep that in mind too. Yeah, I don't 0:19:52.440 --> 0:19:54.600 suggest ignoring the misses because she's going to get really 0:19:54.600 --> 0:19:56.520 angry with you. Well, she's gonna be gone for a week, 0:19:56.600 --> 0:20:00.960 so just I can't really pay attention to her anyway. Um. 0:20:01.080 --> 0:20:04.440 Joking aside, though, UM, I have a quote from Schneier 0:20:04.480 --> 0:20:07.879 who said, quote whoever wrote stuck s net was willing 0:20:07.920 --> 0:20:09.919 to spend a lot of money to ensure that whatever 0:20:10.000 --> 0:20:13.240 job it was intended to do would be done end quote. 0:20:13.880 --> 0:20:17.639 So uh, it's a professional job. It's it's not something 0:20:17.680 --> 0:20:21.040 that script kitties, which are you know, hackers who do 0:20:21.119 --> 0:20:23.720 this for the fun of hacking and not for a 0:20:23.760 --> 0:20:28.040 monetary purpose or for bringing down governments or you know, 0:20:28.400 --> 0:20:32.720 the high level hacking people are doing it for fun. Um. 0:20:32.840 --> 0:20:35.439 You know, this is not a casual hacking project. This 0:20:35.560 --> 0:20:38.840 is something serious the amount of code was something like 0:20:38.880 --> 0:20:43.480 one point five megabytes, which is actually huge for a worm. Yeah, 0:20:44.000 --> 0:20:46.600 because worms and viruses tend to be very tiny bits 0:20:46.600 --> 0:20:49.600 of code, just like just like you can imagine a virus, 0:20:50.119 --> 0:20:52.879 you know, and virus that can affect an organism is 0:20:52.960 --> 0:20:56.560 very tiny. Well, typically your viruses that affect computers tend 0:20:56.600 --> 0:20:59.000 to be tiny too. They might be a tiny part 0:20:59.040 --> 0:21:01.639 of a larger program, and the larger programs designed, but 0:21:01.640 --> 0:21:04.560 the larger program is just an infection method. It's not 0:21:04.640 --> 0:21:08.439 actually part of the virus or worm necessarily. Another article 0:21:08.480 --> 0:21:12.080 I saw that may point to Israel as as being 0:21:12.359 --> 0:21:15.000 a potential source for this attack, and again we don't 0:21:15.000 --> 0:21:17.200 know for sure, was in the New York Times. It 0:21:17.280 --> 0:21:20.239 published on January fift and it's called Israeli test on 0:21:20.359 --> 0:21:25.600 worm called crucial in Iran nuclear delay. And in this 0:21:26.240 --> 0:21:31.320 UH article it the writer's state that m Israel has 0:21:31.359 --> 0:21:37.040 this UH nuclear facility in Demona, that UM one of 0:21:37.080 --> 0:21:41.520 those facilities is designed to be essentially a copy of 0:21:41.640 --> 0:21:44.920 the main target in Iran. Right, I remember that article. 0:21:44.960 --> 0:21:47.760 And the idea here is that just because you create 0:21:47.840 --> 0:21:50.399 something that can infect a factory system doesn't mean that 0:21:50.480 --> 0:21:53.480 you can you know, really rereak havoc because you need 0:21:53.520 --> 0:21:56.800 to know how the machines within that that facility work. 0:21:57.640 --> 0:22:00.119 So in this case, we're talking about the centrifuges. So 0:22:00.600 --> 0:22:05.000 they had a facility using the same centrifuge technology that 0:22:05.480 --> 0:22:09.080 the Iranian facility was using, so that in theory, they 0:22:09.080 --> 0:22:13.000 could test the stucks net uh worm out to make 0:22:13.040 --> 0:22:15.560 sure that it would be effective and that they could 0:22:15.560 --> 0:22:20.760 indeed control these centrifugures from a remote location. Now granted, 0:22:20.800 --> 0:22:25.200 these are again these are all allegations and and uh theories. 0:22:25.440 --> 0:22:28.119 So well, I think if I'm not mistaken, that's the 0:22:28.200 --> 0:22:31.000 article by William J. Brod, John Markoff, and David E. 0:22:31.160 --> 0:22:36.959 Sanger Um. And yeah, they they added that Siemens, Remember 0:22:36.960 --> 0:22:39.520 I said that that was a specific Siemens controller and 0:22:39.600 --> 0:22:44.040 software that it targets UH. Siemens had done had cooperated 0:22:44.040 --> 0:22:48.320 with the United States government on some research on that 0:22:48.440 --> 0:22:53.000 kind of equipment, on on the equipment used in the 0:22:53.040 --> 0:22:57.600 Iranian nuclear program. So that just that just adds fuel 0:22:57.640 --> 0:23:00.400 to the fire. Now, I mean, again, this could all 0:23:00.400 --> 0:23:04.240 be coincidence. These things happen. Semens makes a lot of 0:23:04.240 --> 0:23:07.840 different kinds of industrial equipment that's used all over the world. 0:23:08.400 --> 0:23:11.040 So you know, you could say that and it it. 0:23:11.640 --> 0:23:16.720 You know, I don't think that's anything that UH is 0:23:16.840 --> 0:23:21.000 a definitive finger pointing at the United States government involved 0:23:21.000 --> 0:23:23.919 in that, and personally, UM, if it were me and 0:23:24.000 --> 0:23:26.120 I were trying to do something like this, I wouldn't 0:23:26.160 --> 0:23:29.800 want anything that that even revealed this. In fact, I 0:23:29.840 --> 0:23:33.240 would want to um obfuscate. I would try to cover 0:23:33.359 --> 0:23:35.440 up or maybe point to finger at someone else, which 0:23:35.520 --> 0:23:38.640 is why some I agree with the people who say 0:23:38.640 --> 0:23:41.159 that those little hints that might be in the code 0:23:41.160 --> 0:23:44.040 that seemed to point to Israel, if I were trying 0:23:44.040 --> 0:23:46.320 to blame somebody, I would try to blame somebody that 0:23:46.320 --> 0:23:50.680 that would be an obvious UH target for that kind 0:23:50.720 --> 0:23:55.000 of attention, and Israel would be obviously interested in discontinuing 0:23:55.040 --> 0:23:58.560 Iranian's nuclear program. So if I were you know, Antarctica, 0:23:59.200 --> 0:24:01.280 I picked that because it's not a government that's likely 0:24:01.320 --> 0:24:04.400 to do that, and it's run by penguins. Um. But 0:24:04.640 --> 0:24:09.280 penguins are very much anti nuke they are, so yeah. 0:24:09.359 --> 0:24:13.520 I mean, if if another country wanted to disable that UH, 0:24:13.560 --> 0:24:15.440 and I were running that country, I would say, let's 0:24:15.440 --> 0:24:18.320 point to finger someone else, throw some throw some red 0:24:18.359 --> 0:24:20.720 herrings in the code to make it look like it's 0:24:20.760 --> 0:24:24.600 these guys over here and not me. So I wouldn't 0:24:24.600 --> 0:24:26.720 be a bit surprised. I can't imagine that you would 0:24:26.760 --> 0:24:30.119 want and something this sophisticated. Why would you want anything 0:24:30.160 --> 0:24:33.520 that would attract attention to yourself as as the creator 0:24:33.560 --> 0:24:37.840 of this worm, Why would you create a system that could, 0:24:38.240 --> 0:24:42.520 in theory reset itself at the year two thousand. Well, 0:24:42.600 --> 0:24:45.080 I'm just saying sometimes people aren't as smart as we 0:24:45.119 --> 0:24:48.959 give them credit for. So, yeah, there's I totally agree 0:24:49.000 --> 0:24:51.600 that your argument is valid. I mean there we cannot 0:24:51.760 --> 0:24:55.360 leap to the conclusion that this is necessarily the source 0:24:55.480 --> 0:24:57.920 of the attack. Yeah, And I don't mean to h 0:24:58.000 --> 0:25:01.199 to sound like I've reached conclusions. I just I it 0:25:01.240 --> 0:25:04.240