The cat getting out of the bag

 

CC licensed image by kahunapulej - flickr

The biggest problem with nuclear weapons isn’t the devastation they cause, it’s that they proliferate. Once the first atomic bomb went off, everyone in the world knew it was possible and that they could have “The Bomb” if they were willing to dedicate enough research effort. While there’s been the occasional story of someone building a bomb in their shed, for the most part it takes a nation state multiple years to develop all the knowledge and infrastructure required to get a functioning nuclear combat capability. Usually some of the bigger nation states successfully intervene and convince them otherwise.

However, some countries, like Iran and North Korea, won’t listen to reason and decide to go ahead anyway. Sometimes sanctions work to dissuade them, other times it’s a surgical strike and, most recently, Offensive Computer Code (I don’t want to call this Malware – that just makes it sound irritating or criminal). While one can debate the merits and ethics of all the options, as well as who may have undertaken the attacks, there’s definitely something appealing about a zero-casualty and highly expedient option. However, stopping nuclear ambitions with Offensive Computer Code is, for now, a delaying tactic, and the trade that is made to protect human life (or to provide political insulation) limits the degree of irrecoverable damage that can be done (compared to destroying something with a bomb). So, with the appearance of first Stars and now Duqu, it seems that one has to keep revisiting the problem and continue efforts to delay the march to nuclear statehood.

F-Secure’s FAQ on Duqu has an interesting note:

Q: What problem will Duqu create?
A: Once Microsoft patches the Windows kernel vulnerability, criminals at large will be able to reverse engineer the patch, and will discover the vulnerability. At that point, any Windows computer that isn’t up to date will be vulnerable to what could prove to be a very serious exploit.

So, just like nuclear weapons, the biggest problem with Offensive Computer Code isn’t the damage it causes, although that is certainly the most pressing one for those targeted by it. The biggest problem with Offensive Computer Code is proliferation, and unlike nuclear weapons, it doesn’t take any major investment to gain the same capability and put it to other uses. All you need to know will be contained in the forthcoming patch, and the skills to use that knowledge are far more available than those of nuclear weapons scientists. Mike Rothman (@securityincite) has a great post over at Dark Reading on the increasing access to exploit capabilities.

Now, you’re probably not a target of Duqu, but you will almost certainly become a victim of the bastard son of Duqu (workaround available, patch coming soonish). Every time someone pulls the trigger on a piece of Offensive Computer Code, they let that particular cat out of the bag, and that bag is crammed full of cats, many of them pregnant.

TL;DR: patches disclose the original vulnerability; there’s no such thing as a perpetually secret vulnerability.

 
