Stuxnet and the triumph of hacker culture.

Scrutinizing culture.
Jan. 21 2011 11:55 AM

The Triumph of Hacker Culture

Stuxnet and the iconic, pioneering hacker Captain Crunch.

Iranian President Mahmoud Ahmadinejad. Click image to expand.
Iranian President Mahmoud Ahmadinejad

It's the best of times and the worst of times for hacker culture. On the one hand, this is a moment of history-making triumph for a cyber-worm, the complex computer virus known and feared as "Stuxnet." A stunning evolutionary leap in development of "malware" (the generic term for the mischief-making software a virus embeds in computers via digital networks). Composed, it has been reported, of 15,000 lines of code. Stuxnet exhibited virtual superpowers last fall by penetrating, taking control of, and jamming into self-destruction some 1,000 precisely calibrated uranium-refining centrifuges in Iran's Natanz nuclear facility.

And then, under another alias, another digital disguise (I see the worm in a Bogart-like virtual trench coat), Stuxnet surreptitiously slipped into the brand-new Iranian nuclear reactor at Bushehr last fall as well. This is the reactor that had just taken delivery of nuclear fuel from the Russians (though it still hadn't been loaded in), the one proclaimed to be for peaceful uses, nonetheless capable of making bomb-grade plutonium as a "byproduct."


Stuxnet seized the control panel of the Bushehr reactor and did its Stuxnet thing and shut that huge, $1 billion complex down. Just like that. Even Mahmoud Ahmadinejad was compelled to concede the reactor had been the source of "problems" but claimed they'd been "fixed." That was two months ago. The reactor is still shut down. Some analysts estimate that Iran's attainment of nuclear bomb-making capacity has been pushed back at least two years.

And the problems may be permanent, perennial, with malicious features as yet unrevealed by the worm. That's the thing, both admirable and potentially disturbing about Stuxnet: We don't yet know whether it's exercised its full capabilities. We don't know what other tricks Stuxnet has in store. Or whether it can ever be eradicated from an infected machine. Whether it can turn on us. We just know it's awesome.

Perhaps the ultimate tribute to it was by a computer security expert who called its advent—and the swath of destruction it cut through Iran's nuclear program—"an Oppenheimer moment" in the history of hacking. A moment in which malware viruses had made the leap from troublemaking but controllable depredations to potentially unstoppable, history-changing weapons, their capabilities miles ahead of their predecessors', the way the first nuclear weapon Oppenheimer built at Los Alamos left mere TNT in its wake and shadowed the world we live in with the threat of cataclysmic extinction.

Computer-security experts who have handled the most complex "malware" virus infections are agog.

As a German based computer security consultant, Ralph Langner, put it, "The Iranians don't have the depth of knowledge to handle the worm or understand its complexity." The "disruptive technology" blog Next Big Future quoted Langner thus:

"Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can't do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can't," he explained. "They will just continually re-infect themselves."

"With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can't do it."

But an Oppenheimer moment means more than a quantum leap in the power and deceptiveness of the virus. It means dramatic geopolitical ramifications. If the original Oppenheimer moment may have guaranteed that WWII would end with the horrific Hiroshima and Nagasaki nuclear bombings, the Stuxnet Oppenheimer moment may have bequeathed us an unexpected last-minute reprieve from what seemed like a potential outbreak of nuclear warfare. Consider the fact that Stuxnet disabled Iran's key nuclear facilities (and infected an estimated 60,000 of its computers) just at the moment when the Israelis were giving out signals that they were prepared to use air strikes on Iranian facilities, using whatever weapons it took (and, of course, they have an undeclared nuclear arsenal), to prevent Iran from getting the bomb. Whatever you think of the Israeli position, there was little doubt they'd do it if there were no other options, and in doing so risk not only Iranian retaliation but nuclear retaliation from Iranian sympathizers in Pakistan's military, which all-too-loosely controls Pakistan's "Islamic bomb," the generic term for the 60 to 100 nuclear warheads the Pakistanis possess.

The world was on the verge of a regional nuclear war with unknowable further consequences. Until Stuxnet did its work.

Oh, it will probably happen sooner or later, that regional nuclear war, but Stuxnet may have postponed the flashpoint for at least a couple of years. Although there is some disagreement about how much time Stuxnet and other measures have bought.

No wonder one satirical blog named the Stuxnet worm "Man of the Year" and I half-seriously suggested the worm be offered the Nobel Peace Prize, a modest proposal echoed by other blogs.

It has indeed been a season of triumph for the hacker and hacker culture.