Friday, December 10, 2010

Must read progess report on Afghanistan

From the always interesting Abu Muqawama

The Sanka freeze dried version:

1. COIN and intel gathering is very sophisticated and successful at the tactical levels, and we have a serious handle on the 'human terrain'. Therefore, we are taking out a great many of the enemy.

2. Damn bastards still leak in replacements from Pak, and A.M. doesn't see how to plug that hole.

3. The national government is still not perceived as legitimate. This makes it easy for the bad guys to recruit replacements for the enemy killed.

4. If we want to transition to a lighter presence and Counter-Terror as opposed to Counter Insurgency, we'd better work on (3), and pronto.

I'd say, we rely on the National Government to the degree that we must, while making great efforts to recruit and percolate up legitimate replacements for the national level politicians recruiting from experienced and reliable local governing entities, such as the ANA folks we work with. The Karzai brothers have to go before we go. The symbolism alone will do something toward attaining success. Easier said than done, I know.

Assange as Saboteur

Instead of the Espionage Act, why not treat him as a war criminal, making use of military tribunals, after a nice long stay at Club Gitmo? Talk about a precedent that would serve as a disincentive to other foreign nationals that would like to emulate Brave Sir Julian!

It's clear that we have what can be regarded as precedent, not only recently, with the unlawful combatants housed at Gitmo, but farther back in time, as detailed in this rather lengthy discussion of Martial Law and the Constitution.

The story is fairly well known, and presented in this video clip (45 seconds in):

Silent footage:

The legal niceties as outlined in the first linked piece:

In 1942 eight youths, seven Germans and one an American, all of whom had received training in sabotage in Berlin, were brought to this country aboard two German submarines and put ashore, one group on the Florida coast, the other on Long Island, with the idea that they would proceed forthwith to practice their art on American factories, military equipment, and installations. Making their way inland, the saboteurs were soon picked up by the FBI, some in New York, others in Chicago, and turned over to the Provost Marshal of the District of Columbia. On July 2, the President appointed a military commission to try them for violation of the laws of war, to wit: for not wearing fixed emblems to indicate their combatant status. In the midst of the trial, the accused petitioned the Supreme Court and the United States District Court for the District of Columbia for leave to bring habeas corpus proceedings. Their argument embraced the contentions: (1) that the offense charged against them was not known to the laws of the United States; (2) that it was not one arising in the land and naval forces; and (3) that the tribunal trying them had not been constituted in accordance with the requirements of the Articles of War.

The first argument the Court met as follows: The act of Congress in providing for the trial before military tribunals of offenses against the law of war is sufficiently definite, although Congress has not undertaken to codify or mark the precise boundaries of the law of war, or to enumerate or define by statute all the acts which that law condemns. “. . . [T]hose who during time of war pass surreptitiously from enemy territory into . . . [that of the United States], discarding their uniforms upon entry, for the commission of hostile acts involving destruction of life or property, have the status of unlawful combatants punishable as such by military commission.” The second argument it disposed of by showing that petitioners’ case was of a kind that was never deemed to be within the terms of the Fifth and Sixth Amendments, citing in confirmation of this position the trial of Major Andre. The third contention the Court overruled by declining to draw the line between the powers of Congress and the President in the premises, thereby, in effect, attributing to the President the right to amend the Articles of War in a case of the kind before the Court ad libitum.

The decision might well have rested on the ground that the Constitution is without restrictive force in wartime in a situation of this sort. The saboteurs were invaders; their penetration of the boundary of the country, projected from units of a hostile fleet, was essentially a military operation, their capture was a continuation of that operation. Punishment of the saboteurs was therefore within the President’s purely martial powers as Commander-in-Chief. Moreover, seven of the petitioners were enemy aliens, and so, strictly speaking, without constitutional status. Even had they been civilians properly domiciled in the United States at the outbreak of the war, they would have been subject under the statutes to restraint and other disciplinary action by the President without appeals to the courts.

It seems that this is a promising avenue to investigate. There are obvious disanalogies, however. The saboteurs were agents of Germany, intending to inflict damages to infrastructure, which in turn would have impact on our capacity to fight Germany. Assange, on the other hand, while a non-state actor, and not intending to cause damage to our ability to fight any particular state or organization (such as AQ) does freely admit to wanting to damage America's ability to conduct military operations. This he intends to do by revealing classified information of any type he deems potentially damaging, including military and diplomatic information which he pilfered with the help of Manning, a U.S. citizen. He also freely admits his activities to date are just the tip of the iceberg of what he would like to do, and does have the capability of doing. Add to that, that he obviously does not advertise himself as a combatant in any of the normal ways, we have good reason then to treat him as an unlawful combatant or some close analog, just as was done in the case of the Nazi Saboteurs. There is a sort of spectrum of cases, on the left hand side, including unlawful combatants in the service of nation states, in the middle area including unlawful combatants and saboteurs from non state organizations, and further to the right, saboteurs or unlawful combatants working individually. Assange is located somewhere to the right of middle, KSM in the middle, the Nazi saboteurs over on the left hand side. The language of the covering laws seems to allow room for applying the legal framework used with KSM and like agents to Assange, because his is part of a non-state organization which is engaged in something very like war with the U.S.

Yes, in light of some more recent SC decisions, we may have to grant him habeas hearings, but that is not an impediment to arresting him as an unlawful combatant, and processing him through military tribunals. Lord knows he won't have any trouble getting representation. Ramsey Clark and company will be tripping all over themselves to take the case.

Denis Nedry strikes again: this stuxnet story just keeps getting more interesting.

From Weekly Standard a thorough technical description of how it spread, finding its way to its target.

1. USB drives (doing so while also effectively hiding itself)

The worm gained initial access to a system through an ordinary USB drive. Picture what happens when you plug a flash drive into your computer. The machine performs a number of tasks automatically; one of them is pulling up icons to be displayed on your screen, representing the data on the drive. On an infected USB drive, Stuxnet exploited this routine to pull the worm onto the computer.

The challenge is that once on the machine, the worm becomes visible to security protocols, which constantly query files looking for malware. To disguise itself, Stuxnet installed what’s called a “rootkit”—a piece of code that intercepts security queries and sends back false “safe” messages, indicating that the worm is innocuous.

But installing a rootkit requires using drivers, of which Windows machines are well trained to be suspicious. Windows requires that all drivers provide verification that they’re on the up-and-up through presentation of a secure digital signature. These digital keys are closely guarded secrets. Stuxnet’s malicious drivers presented genuine signatures from two genuine computer companies, Realtek Semiconductor and JMichron Technologies. Both firms have offices in the same facility, Hsinchu Science Park, in Taiwan. Either by electronic trickery or a brick-and-mortar heist job, the creators of Stuxnet stole these keys​—and in a sophisticated enough manner that no one knew they had been compromised.

2. Print spoolers on local area networks.

Stuxnet spread in other ways, too. It was not designed to propagate over the Internet at large, but could move across local networks using print spoolers. In any group of computers which shared a printer, when one computer became infected, Stuxnet quickly crawled through the printer to contaminate the others. Once it reached a computer with access to the Internet, it began communicating with command-and-control servers located in Denmark and Malaysia. (Whoever was running the operation took these servers offline after Stuxnet was discovered.) While they were functional, Stuxnet delivered information it had gathered about the systems it had invaded to the servers and requested updated versions of itself. Several different versions of Stuxnet have been isolated, meaning that the programmers were refining the worm, even after it was released.

And, a description of the cyber-sabotage / warhead, its intended purpose, which, at least in the one case of the Natanz facility, was well accomplished:

Finally, there’s the actual payload. Once a resident of a Windows machine, Stuxnet looked for WinCC and PCS 7 SCADA programs. If the machine had neither of these, then Stuxnet merely went about the business of spreading itself. But on computers with one of these two programs, Stuxnet began reprogramming the programmable logic control (PLC) software and making changes in a piece of code called Operational Block 35. For months, no one knew exactly what Stuxnet was looking for with this block of code or what it intended to do once it found it. Three weeks ago, that changed.

As cybersecurity engineer Ralph Langner puts it, Stuxnet was one weapon with two warheads. The first payload was aimed at the Siemens S7-417 controller at Iran’s Bushehr nuclear power plant. The second targeted the Siemens S7-315 controller at the Natanz centrifuge operation, where uranium is processed and enriched. At Bushehr, Stuxnet likely attempted to degrade the facility’s steam turbine, with unknown results. But the attack on Natanz seems to have succeeded brilliantly.

Once again, Stuxnet’s design was unexpectedly elegant. With control of the centrifuge system at Natanz, the worm could have triggered a single, catastrophic incident. Instead, Stuxnet took over the centrifuge’s frequency converters during the course of everyday operation and induced tiny bursts of speed in the machinery, followed by abrupt decelerations. These speed changes stressed the centrifuge’s components. Parts wore out quickly, centrifuges broke mysteriously. The uranium being processed was corrupted. And all the while, Stuxnet kept sending normal feedback to the Iranians, telling them that, from the computer’s standpoint, the system was operating like clockwork. This slow burn went on for a year, with the Iranians becoming increasingly exasperated by what looked like sabotage, and smelled like sabotage, but what their computers assured them was perfectly routine.

In sum, Stuxnet wasted a year’s worth of enrichment efforts at Natanz, ate through centrifuge components and uranium stores, sowed chaos within Iran’s nuclear program, and will likely force Iran to spend another year disinfecting its systems before they can operate at peak levels again. All in all, a successful operation.

Who dunnit? The article ends with some speculation:

The planning and implementation of Stuxnet involved three layers of complication. First, there’s the sophistication of the worm itself. Microsoft estimates that the coding of Stuxnet consumed somewhere in the neighborhood of 10,000 man-work days. With a team of 30 to 50 programmers, that’s a year or two of effort, at least. Between the workload, the zero day exploits, and the innovative design of the worm, Stuxnet required not just time but enormous technical sophistication and sizable financial resources.

On the next level, the creators of Stuxnet needed competency in the more traditional cloak-and-dagger elements of espionage. The digital verification certificates had to be stolen from the companies in Taiwan, and the infected USB drives had to be planted on or around the community of people who worked in the Iranian nuclear program—modern espionage tradecraft at its best.

The final complication is that vast amounts of expertise in nuclear engineering were required. It’s not enough to design a worm to infiltrate a nuclear plant—Stuxnet’s creators had to know (1) what parts of the systems to target, (2) the intricacies of the systems’ designs, and (3) how to manipulate the systems to achieve the desired effects. This knowledge base might have been the most difficult to obtain. The world is full of enterprising computer jocks; there are only so many people who understand exactly how centrifuges and nuclear reactors work and the minute complexities of Siemens’s S7-315 and S7-417 control systems. It seems unlikely that a private party—a group of rogue hackers or interested civilians—could amass the requisite competencies in all three of these areas.

So who was it—the Israelis, the United States, Germany, Russia? Some combination of the above? We may never know. Given the scope of the operation, it’s amazing that we understand as much as we already do about Stuxnet. Most prior acts of cyberwarfare took place in the shadows; Stuxnet is the first serious cyberweapon to be caught in the wild by civilians. As a result, we’ve witnessed over the last few months an open-source investigation involving experts in different disciplines from around the world. The techies will continue to push and prod Stuxnet, trying to understand how it worked—and how systems can be protected from a similar attack.

Because, in fundamental ways, cyberwar is no different from real war. Innovations can be copied, and there is always the potential for enemies to turn them to their advantage.

Now, let's jump on over to this story that has an intereseting little tidbit to add. While Li'l Ahmie, for a time played Bagdhad Bob, claiming nothing serious had happened, he now admits to some difficulties introduced by the stuxnet program. The coda of this report reveals something else interesting:

Ralph Langner, the German expert who was among the first to study and raise alarms about Stuxnet, said he was not surprised by the development.

“The Iranians don’t have the depth of knowledge to handle the worm or understand its complexity,” he said, raising the possibility that they may never succeed in eliminating it.

Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,“ he explained. “They will just continually re-infect themselves.”

"With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it,” he said.

And Iran’s anti-worm effort may have had another setback. In Tehran, men on motorcycles attacked two leading nuclear scientists on their way to work. Using magnetic bombs, the motorcyclists pulled alongside their cars and attached the devices.

One scientist was wounded and the other killed. Confirmed reports say that the murdered scientist was in charge of dealing with the Stuxnet virus at the nuclear plants.

So, we have some good old fashioned espionage, to go along with the cyber espionage/sabotage/war. This last event raises questions:

1. Were these agents who carried out the attack on the two scientists Iranians who have been cooperating all along, or were they agents of the U.S., Israel, Germany or Russia? It seems more likely that they are Iranians. It is more difficult, while not impossible, to sneak agents in, yes even for the Israelis. So, we can imagine that Li'l Ahmie and the folks running the science fair experiment just don't know who to trust. Nice.

2. Granted the amount of information that was needed about Windows 7, security certifications and the SCADA controls, one has to ask how much of this information was indeed stolen, as the accounts both seem to assume. Might not the successful use of these programs indicate that Microsoft and other companies cooperated, on the hush-hush of course, and with arrangements to provide plausible deniability in the event of cyber-counter attacks? (Not that the Iranians look to be capable of this currently.)

3. Something similar can be asked about Siemans as well. If they cooperated, good for them.

So, I think a case can be made that the effort need not have involved the level of espionage and theft assumed, but could have involved not only governments, but cooperating private sector companies Whatever the case, we have to admit the possibilities: Information was provided either by individuals within these Western companies, who were planted or recruited, or people working with approval from the companies themselves), perhaps along with..

Iranians (either moles within Iran who worked in the nuclear program itself, or Iranians who while not privy to that access, nevertheless were well positioned to make it likely that the payload made its way to its target).

In any case, the Iranian regime is presently in a pickle. To be assured of eradicating the worm, they must get rid of and replace all computers they now use for the purposes of controlling the science fair experiment, not only those in the control rooms of the facility, but those that are apparently within the machines themselves, with which the control room machines communicate. The chances of their crack team of that one stuxnet counter-warriors actually succeeding in removing the worm without removing and replacing the offending computers is small, according to the account. (Letting alone the impossibility of removing and replacing all the computers in Iran that may have been the source of the infection. Good luck with that.)

Well, if they remain reliant on what is perhaps the most evil technology of the Great Satan, the Windows OS, then it seems that any machines they plug in as replacements will run a significant risk of coming prepackaged with 'Stuxnext', the next Generation, simply re-infecting the science fair experiment. This is especially true if they also continue to be reliant on technology from Siemans, one of Great Satan's capitalist minions. Hey, the stuff has to be shipped, and Li'l Ahmie and his cohorts aren't building the things themselves. Sucks to depend on the West doesn't it?

The only thing that is extremely dissapointing but understandable is that the folks that put together the worm did not include anything like this which would play on and on and on until the geniuses in Iran figured out the 'hack':

Just to see the frustration, I'd pay some serious coin.

Nedry strikes again Li'l Ahmie, and to paraphrase Samuel L. Jackson, their aint a GD thing you can do about it.