September 2010 Archives

Sunday, 2010-09-26 09:29 MDT

You Think You've Got Computer Security Problems

So you think you have computer security problems. What if you were responsible for the security of computers the police and military would really like to seize?

Apparently in a recent raid on the FARC, Colombian authorities seized some 15 laptops and some 100 USB memory sticks. The authorities would like to see what's on them.

The story suggests but does not flat out say that the storage media were encrypted. Given the circumstances and the ready availability of encryption, this is a reasonable assumption.

With any well-written and properly deployed encryption setup, lose the keys and you've lost your data. Unless there's a back door placed there by the authors of the software, that is. And how do you know there's no back door? Use the source, Luke.

Assuming the FARC have IT folks capable of the above reasoning, which operating system is almost certainly not on those laptops?


Posted by Charles Curley | Permanent link | File under: windows, security, linux

Friday, 2010-09-24 14:42 MDT

A Sabbath Manifesto

A Sabbath Manifesto. 'Nuff said.


Posted by Charles Curley | Permanent link | File under: resources, privacy

Thursday, 2010-09-23 07:30 MDT

Stuxnet Worm: A Tempest in a Teapot

The BBC has an article on the so-called "Stuxnet worm". It is, we are told, a very sophisticated program, designed to propagate itself from Windows machine to Windows machine via USB stick. The program hijacks Siemens PLC (programmable logic controller) devices by changing the instructions that PLC programming tools hand to the PLCs.

The article quotes a conjecture that the worm is aimed at the Iranian Bushehr nuclear power plant or the uranium enrichment plant at Natanz.

I wonder.

The worm is obviously a very sophisticated program. It is aimed at Windows, and uses not one but four different zero-day exploits -- all of which were supposedly completely unknown (by whom?) until Stuxnet showed up. This shows a very detailed knowledge of Windows. It also suggests that someone knew or guessed which versions of Windows were running at the target.

It then attacks PLC programming tools, which means the authors know that software very well. And it also means the authors know a lot about how the PLC machines are deployed at the targeted site.

An obvious conjecture is that the authors are working for a national government because no one else would have the resources and expertise to put all this together.

Really? If someone knew that much about the target, why not a non-computer attack, which would be much more likely to succeed?

Really? Where better to go for expertise on Windows vulnerabilities than the Windows security industry: Symantec, F-Secure, et al.?

In the 1920s, the US prohibited alcoholic drinks, the famous Prohibition. It was widely circumvented. By the 1930s, it was obvious that Prohibition was on its way out. And that would mean that its enforcers would be unemployed and might actually have to find honest work. So the scare tactics started up. Propaganda like the film "Reefer Madness". Is Stuxnet a modern-day "Reefer Madness", intended to scare people into buying more security for their Windows boxes?

As an extra, added, side benefit, the Iranians, say, will scramble around trying to secure their sensitive sites from this threat.

However real the problem posed by Stuxnet is, there is a simple solution to it: Don't use Windows. And there is an even simpler solution: clean any USB or other mass storage before you put it to use. Zero out the partition table, and create new partition(s).


Posted by Charles Curley | Permanent link | File under: windows, security

Friday, 2010-09-17 16:17 MDT

Happy Software Freedom Day

Happy Software Freedom Day. See the map to find an event near you. Enjoy.


Posted by Charles Curley | Permanent link | File under: linux

Tuesday, 2010-09-14 12:12 MDT

GPS Navigation

Apropos of people overly trusting their GPS receivers, this Non Sequitur cartoon actually does follow, rather nicely. As do some of the comments.


Posted by Charles Curley | Permanent link | File under: humor