Steven Cherry: In his book, Sanger describes in some detail how the Stuxnet worm escaped into the wild. What is Sanger’s account, and what’s wrong with it?
Larry Constantine: Well, the issue to me—why this, I think, is important—is whether journalists who are reporting important political stories to the public have a responsibility to get pivotal technical details right. And there are a number of things about Sanger’s account which are just not possible. So there are a number of possibilities here. One is that Sanger somehow, despite the fact that he’s a good journalist, didn’t do all the necessary background research. Another possibility is that he was deliberately misled by his sources. A third possibility might even be that he actually knew the account that he was sharing was not valid but had been requested or directed to do that since he was dealing with high-level personnel in the current administration. So, what did he get wrong? First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec show that, in fact, that it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that had dealings with each other. Secondly, it couldn’t have escaped over the Internet, as Sanger’s account maintains, because it never had that capability built into it: It can only propagate over [a] local-area network, over removable media such as CDs, DVDs, or USB thumb drives. So it was never capable of spreading widely, and in fact the sequence of infections is always connected by a close chain. Another thing that Sanger got wrong that he reported in slightly different words in his original New York Times article earlier this year and in the book was the notion that the worm escaped when an engineer connected his computer to the PLCs that were controlling the centrifuges and his computer became infected, which then later spread over the Internet. This is also patently impossible because the software that was resident on the PLCs is the payload that directly deals with the centrifuge motors; it does not have the capability of infecting a computer because it doesn’t have any copy of the rest of the Stuxnet system, so that part of the story is simply impossible. In addition, the explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis’ fault that suddenly allowed it to get onto the Internet because it no longer recognized its environment. Anybody who works in the field knows that this doesn’t quite make sense, but in fact the last version, the last revision to Stuxnet, according to Symantec, had been in March, and it wasn’t discovered until June 17. And in fact the mode of discovery had nothing to do with its being widespread in the wild because in fact it was discovered inside computers in Iran that were being supported by a Belarus antivirus company called VirusBlokAda. So there are a number of aspects of Sanger’s story that on technical grounds simply cannot be correct, and to me this is a significant issue, not just an obscure technical matter, because it raises broad questions about the nature of the so-called leaks from administration personnel to Sanger about the quality and reliability of his reporting. If he got these aspects wrong—and these are the ones that I was able to check through public sources and my knowledge of industrial control systems—then the question is, what else did he get wrong? And interestingly enough, none of the mainstream media seems to be interested in this story, which is why I’m talking with you.
