Stallman Schneier Stuxnet Security
If I could be further impressed with my crypto-hero Bruce Schneier, I would be. Richard Stallman on the other hand, I find myself vehemently disagreeing with him for the first time in a long... time.
Siemens Simatic S7-300 PLC photo by Ulli1105 on Wikimedia Commons.
For those who haven't been following, it's been widely reported that the Stuxnet worm was developed by the United States government. Stuxnet took advantage in a vulnerability in Windows and certain Siemens PLCs that Iran used in their nuclear facilities. Of course, it affected plenty of other people as well.
Why am I bringing this up now? Because it's a fascinating look into the brains on two different tech luminaries.
Richard Stallman, the champion of the copy-left Free Software Foundation, hasn't made a secret of his policical leanings. While I've largely agreed with his stances on warrentless wiretapping, security theater and the like, I was a a little disturbed by his take on Stuxnet. From his March-June 2012 archives (emphasis added by me):
Stuxnet was made by the US and was approved personally by Obama. I don't think such an attack against Iran is necessarily wrong. However, it can backfire.
So the man of uncompromising principals lets slip that he condones state sponsored attacks, despite even admitting they can backfire. Not only that, this remark is included on the same page where he asks for diplomacy to resist "being pressured into war".
Hacking a foreign government's computers constitutes diplomacy and doesn't pressure us into war? For once, I find myself unimpressed sir.
Let's take the other side. In the context of proposing a cyber security treaty, Bruce Schneier appealed for restraint in one of his recent posts, which serves as a useful counterpoint to Richard's stance.
We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day.
Specifically regarding Stuxnet, he addresses my concerns exactly. Forgive the large blockquote, he just lays it out perfectly here.
[C]ountries are engaging in offensive actions in cyberspace, with tools like Stuxnet and Flame. Arms races stem from ignorance and fear: ignorance of the other side's capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in Internet systems make us more vulnerable to criminals and hackers. And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could find ourselves in a real cyberwar.
Richard Stallman and a growing cohort of technically minded people don't necessarily see a problem with exploiting security holes for political reasons, even if they acknowledge the potential for escalation and "collateral damage".
I find that... disturbing.