Another shilling's worth
I am delighted by the discussion here, since bringing these issues into the open was my immediate agenda. Understand, a podcast interview is not conducive to the most precise semantics or the finest technical details. I want to apologize if I left some unnecessary ambiguities in my ad hoc answers. I turned to that forum (thank you, Steven Cherry) because none of the mainstream media--print or electronic--would touch the story, a curious matter in itself.
As to how wild or widespread the infection was, what I was trying to highlight was that there was never any worldwide indiscriminate spread of Stuxnet by email or Web, as with much malware, but something much more limited based on direct system-to-system connection or sneakernet communication through removable media. As some of the experts here have pointed out, there are some holes (e.g., VPN) that might have allowed Stuxnet to reach beyond the LAN to infect other LANs. In any case, whether 100,000 is a lot of infections or small compared to many other worms, the analysis shows a small number of very tight clusters tied closely to initial points of infection.
I concur that Ralph Langner, a colleague of mine, is probably one of the go-to guys on the PLC side of Stuxnet. And I will underscore that all my sources are secondary, as I was not directly involved in the forensic analysis.
My main point is that Sanger's narrative is flawed. Whether it is a journalistic failure, sloppy semantics, or disinformation is not for me to say, as I have no access to Sanger or his sources. But the fact that his reporting is being accepted so credulously and that the press is not taking on the story of flaws in his articles and book is troubling.
As to the actual initial infection and route into the facilities at Natanz, my understanding had been that the point of entry was not by directly carrying a doctored USB drive into this highly secure plant, but by infection of adjacent or closely related facilities, with the software then spreading itself as it could until it found the right installation of STEP 7 with precisely the right project files representing the particular frequency-controlled motor configuration. On the other hand, Raviv and Melman, who have sources inside Mossad and the IDF, suggest that the patient-zero USB was carried into the plant by Siemens maintenance engineers under direction of German intelligence (BND) collaborating with HaMossad. I cannot say. What we do know is that in one version of Stuxnet, the first infection (not at Natanz) was within 12 hours of the last compilation timestamp. If accurate, it does suggest that versions might have been hand delivered to specific targets. And it has already been established that Mossad operatives were in Iran at the time.
Perhaps we will someday know the real story, but it is not the one Sanger told, at least on some pivotal details.
--Prof. Larry Constantine (pen name, Lior Samson)