It’s the best of times and the worst of times for hacker culture. On the one hand, this is a moment of history-making triumph for a cyber-worm, the complex computer virus known and feared as “Stuxnet.” A stunning evolutionary leap in development of “malware” (the generic term for the mischief-making software a virus embeds in computers via digital networks). Composed, it has been reported, of 15,000 lines of code. Stuxnet exhibited virtual superpowers last fall by penetrating, taking control of, and jamming into self-destruction some 1,000 precisely calibrated uranium-refining centrifuges in Iran’s Natanz nuclear facility.
And then, under another alias, another digital disguise (I see the worm in a Bogart-like virtual trench coat), Stuxnet surreptitiously slipped into the brand-new Iranian nuclear reactor at Bushehr last fall as well. This is the reactor that had just taken delivery of nuclear fuel from the Russians (though it still hadn’t been loaded in), the one proclaimed to be for peaceful uses, nonetheless capable of making bomb-grade plutonium as a “byproduct.”
Stuxnet seized the control panel of the Bushehr reactor and did its Stuxnet thing and shut that huge, $1 billion complex down. Just like that. Even Mahmoud Ahmadinejad was compelled to concede the reactor had been the source of “problems” but claimed they’d been “fixed.” That was two months ago. The reactor is still shut down. Some analysts estimate that Iran’s attainment of nuclear bomb-making capacity has been pushed back at least two years.
And the problems may be permanent, perennial, with malicious features as yet unrevealed by the worm. That’s the thing, both admirable and potentially disturbing about Stuxnet: We don’t yet know whether it’s exercised its full capabilities. We don’t know what other tricks Stuxnet has in store. Or whether it can ever be eradicated from an infected machine. Whether it can turn on us. We just know it’s awesome.
Perhaps the ultimate tribute to it was by a computer security expert who called its advent—and the swath of destruction it cut through Iran’s nuclear program—”an Oppenheimer moment” in the history of hacking. A moment in which malware viruses had made the leap from troublemaking but controllable depredations to potentially unstoppable, history-changing weapons, their capabilities miles ahead of their predecessors’, the way the first nuclear weapon Oppenheimer built at Los Alamos left mere TNT in its wake and shadowed the world we live in with the threat of cataclysmic extinction.
Computer-security experts who have handled the most complex “malware” virus infections are agog.
As a German based computer security consultant, Ralph Langner, put it, “The Iranians don’t have the depth of knowledge to handle the worm or understand its complexity.” The “disruptive technology” blog Next Big Future quoted Langner thus:
“Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,” he explained. “They will just continually re-infect themselves.””With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it.”
But an Oppenheimer moment means more than a quantum leap in the power and deceptiveness of the virus. It means dramatic geopolitical ramifications. If the original Oppenheimer moment may have guaranteed that WWII would end with the horrific Hiroshima and Nagasaki nuclear bombings, the Stuxnet Oppenheimer moment may have bequeathed us an unexpected last-minute reprieve from what seemed like a potential outbreak of nuclear warfare. Consider the fact that Stuxnet disabled Iran’s key nuclear facilities (and infected an estimated 60,000 of its computers) just at the moment when the Israelis were giving out signals that they were prepared to use air strikes on Iranian facilities, using whatever weapons it took (and, of course, they have an undeclared nuclear arsenal), to prevent Iran from getting the bomb. Whatever you think of the Israeli position, there was little doubt they’d do it if there were no other options, and in doing so risk not only Iranian retaliation but nuclear retaliation from Iranian sympathizers in Pakistan’s military, which all-too-loosely controls Pakistan’s “Islamic bomb,” the generic term for the 60 to 100 nuclear warheads the Pakistanis possess.
The world was on the verge of a regional nuclear war with unknowable further consequences. Until Stuxnet did its work.
Oh, it will probably happen sooner or later, that regional nuclear war, but Stuxnet may have postponed the flashpoint for at least a couple of years. Although there is some disagreement about how much time Stuxnet and other measures have bought.
No wonder one satirical blog named the Stuxnet worm “Man of the Year” and I half-seriously suggested the worm be offered the Nobel Peace Prize, a modest proposal echoed by other blogs.
It has indeed been a season of triumph for the hacker and hacker culture.
(A “hack,” it should be emphasized, is any unauthorized intrusion into a computer’s innards, whether that intrusion is carried out by a lone hacker or agents of a hostile government. The one flaw in the New York Times’ enterprising recent investigation of Stuxnet’s origins is that it seems to deny Stuxnet was the product of “hackers,” because the hack may have been created by a government, by U.S. and/or Israeli teams of hackers. A hacker is a hacker is a hacker, government-employed or not. It is common knowledge, for instance, that the Chinese military has an entire division of its army devoted to cyber warfare—which is no less hackery for being government sponsored.)
And the recent triumphs of hackerdom range beyond Stuxnet. We also saw the more crude but voluminous Wikileaks, the Gawker hack, the Facebook worm that spammed and phished people last fall. It began to seem as if no one, no system, was invulnerable. An ominous piece on the front page of USA Today on Jan. 11 claimed “Experts fear cyberspammers are plotting new attack modes,” citing the sharp drop-off of traditional criminal botnet hacker networks, the ones that infect thousands of PCs and turn them into “zombie” computers to serve their ends. The sudden abandonment of this profitable mode of computer crime, the story claimed, might presage a sinister new twist in hacker tactics.
Which makes it particularly ironic that at this best of times for hackers and their worms and “weaponized malware,” the legendary godfather of hackerdom, the “epic iconic figure” (as Computerworld* calls him), the real-life mythic ghost in the machine, superhero to generations of nerds and geeks including the founders of Apple, the man known as “Captain Crunch,” suffered a sudden mysterious debilitating injury that left him with excruciating pain and nerve damage, incapacitated and fighting for the use of the hands that—almost singlehandedly—created hacker culture. This news comes just at the moment when we might well need a hacker superhero, someone to deal with the unknown new challenges the super-cyber-worms represent. Because just as the Oppenheimer moment at Los Alamos was a scientific triumph and a human tragedy, Stuxnet and its analogs may have a profoundly unsettling dark side.
I’m not alone in thinking this. I’ve written here of the 50 nuclear missiles that went rogue in Wyoming for an hour back in late October. The 50 Minutemen nukes stopped responding to communications from their launch control center at F.E. Warren AF Base*. It was reported that their communications link had been disrupted after some malfunction had caused their missile-to-missile pinging to speed up and slow down out of phase, causing them to cut themselves off from what might be an outside intrusion.
Probably just an accident, but accounts of Stuxnet’s disabling of the Iranian centrifuges spoke of the way it seized control of their operating controls and sped up and slowed down the centrifuge speed cycles, leading to jamming and crashing. While doing some background research for this column, I came across a comment about the Wyoming incident on the extremely well-informed Armscontrolwonk.com* blog that simply said: “Why not stuxnet?”
The implications are vastly unsettling. If a Stuxnet-like worm can disable Iranian nuclear manufacturing controls, there is reason to be concerned that a similar or more highly evolved worm (devised by the much-feared Chinese military cyber corps, perhaps) could seize control of our nuclear missile launch-control capacity. Maybe not yet. But the potential can’t be ruled out.
The possibility may remind some of what was once a futuristic fantasy in the Terminator movies: a nuclear weapons control program called “Skynet” that turned on its masters and sought to use its power to destroy humanity.
No one really believes machines are capable of such apocalyptic mischief on their own. But human beings…It seems not only prudent but urgent that we mobilize all the best hackers in the nation to devise defenses against the malicious use of Stuxnet worms to start cataclysmic wars. Or would you rather depend on Pentagon bureaucrats?
And first among such a team of supergeek recruits would be Captain Crunch, who may have started it all.
I first got to know the Captain when I was writing “Secrets of the Little Blue Box,” a 1971 Esquire story that began with a focus on proto-hacker “phone phreaks”—among them blind electronic teenage geniuses who devised ways of hacking into the long-distance circuits of then-monopoly AT&T. Into which the Captain (real name John Draper) inserted himself because he was making a key transition from phone phreaking (using “blue boxes” which replicated the internal signal cycles of the phone company) to modem-based hacking into computer circuitry.
He was known for cruising around what was later to be called Silicon Valley in a Volkswagen van equipped with his “computerized unit” as he called it, stopping by isolated phone booths and hooking himself into circuitry all over the world. The first hacker superhero, complete with phone booth.
After my story came out, both good and bad things happened for the Captain. The good thing was that the Steves—Jobs and Wozniak—reached out to him. First for help in their own attempts to manufacture blue boxes in their parents’ garage. Then, after they formed the Apple partnership, they took him on as a skilled techie who helped them devise Apple’s early word processing program, EZ Writer. It’s also said he had key input in designing the first PCs as well. The bad things were that he talked too much about his nonlegal hacking exploits and the feds locked him up for a time.
Nonetheless he was never what has come to be called a “black hat hacker”—one who uses his skills for criminal ends. He was more of what has been called a “look-at-me” hacker. One of those superadept wizards who liked to show off by showing up, virtually, behind the firewalls, the anti-virus immunizations, and all the defenses that the most super-secure sophisticated computer security people could devise.
Not just to show off, such hackers would maintain, but to perform a public service, by “demonstrating vulnerabilities” in the computer systems around them. Even more culturally significant, Captain Crunch made hacking “cool” to a subculture of supersmart geeks who were not content with their code-and-cubicle life but wanted a dimension of James Bond-like daring in their lives. (I am of the opinion that the relative immunity of Apple and Macs from hacker attacks has something to do with the coolness factor that their association with Captain Crunch gave them in the hacker subculture.)
Crunch is a progenitor of the joyfully anarchic sensibility, the Robin Hood outlaw outlook, that drew some of the best unconventional minds in tech, many of whom later got hired away to became cyber-security experts because they knew so much about causing cyber insecurity.
So I found it shocking and dismaying this month when I was Googling around for the latest developments in hacker culture and Stuxnet lore and came on a site called Saving Captain Crunch, which gave some minimal details that other sympathetic Web sites filled in for me.
According to PC World, the epic hacker icon was minding his own business at a computer conference when an apparently overenthusiastic fan gave him a kind of bear hug around the neck, which wrenched some vertebrae—already delicate from recent surgery—to the point where they cut off almost all nerve communication to his arms and hands. He was in terrible pain and was suffering terrifyingly progressive paralysis of his hands.
The accident took place back in October and the Captain and his friends made an appeal for support because he couldn’t afford the extensive and expensive surgery required, despite Medicaid.
The PC World piece brings good news, however. The operation got performed. In the comments section of the PC World online article, the Captain himself reports that he is recovering.
There’s something both awful and eerie about the confluence of Stuxnet’s paralysis of a nuclear facility nerve system and the nerve damage that rendered Captain Crunch’s talented hands paralyzed.
I think we are entering an age of increasing anxiety about the “robustness” of the cyber structures that now are the invisible foundations of our personal and geopolitical existence. The shadowy figure of the anonymous hacker, Black Hat or White Hat, may have more power over our lives and fate than Zuckerberg, Jobs, and Brin and company, for all their billions.
In a way, I’m glad I wasn’t aware of Captain Crunch’s dire straits until he had what looks like a successful operation. It would have been too painful to contemplate the irony. But now with rumors that variations on Stuxnet have become available on the black market, or may be ramped up to commandeer nukes by hostile nations, it’s good to have the Captain back in action. He is, if not a national treasure, a great national resource of man-vs.-machine savvy and guile, the triumph of the infinite creative deviousness of the human mind over silicon circuitry.
Get well soon, Captain.
Correction, Jan. 21, 2011: This piece originally stated that 50 nukes had gone rogue at Warrenton AF Base; it was F.E. Warren AF Base. The piece also mistakenly called Computerworld magazine Computer World and referred to the blog Armscontrolwonk as Amscontrolwonk. ( Return to the corrected page.)
