“Cyberwar” and Iran: the other side of the hill

If I hadn’t been fiddling with file permissions to get WordPress running last Sunday, I’d probably have been writing about the Haystack saga. I’m a bit gestört by some of the coverage of it – Evgeny Morozov, typically, has been doing good work in the general war on bullshit, but I’m less convinced of his broader conclusions. See here.

What stands out about Haystack isn’t so much the technology – which we can’t really make statements about, because they kept everything secret until it all fell down, and the implementation is apparently so awful nobody wants to release the code in case someone tries to use it – but the meta-technology. As this post makes clear, perhaps the biggest problem was that it was half-open, half-closed. The code wasn’t released, so it was impossible for anyone to review it, but it was circulated widely enough that the core development team had little or no idea how far it might have spread. In fact, some people who did have the source code thought it would be a good idea to compile it, package it, and share it with people who might need it.

And although there is apparently a client-server element in it, the server was allowed to accept connections from the wider Internet. So they’d accidentally allowed the unfinished and untested project to start operating in production.

The Guardian is mocked; John Graham-Cumming is right (and check out the remarks about Tor in comments) and points out that Haystack’s crypto was reliant on a source of random numbers that, well, isn’t random. The EFF has good advice.

Now, this week has another superspy Iran story, Stuxnet, the worm that apparently attacks a Siemens SCADA application. Here’s JGC again, being sceptical. There’s a rundown at Alliance Geostrategique. The author of the theory that it’s an attack on the Bushehr nuclear power plant is self publicising here – I, for one, am not convinced that the fact they hadn’t got some software licence key in 2009 is great evidence, especially as the Windows .lnk exploit involved wouldn’t care either way. It’s the one from July in which Windows will execute code packed into the icon file for a desktop shortcut on a USB stick, so how pleased the Business Software Alliance is with the Iranians is here or there.

And it also seems to target Indian and Indonesian systems. Maybe its authors are protesting against Eat, Pray, Love.

To put it another way, I think we’re under a cyberattack from a sinister network of chancers and self-publicists who have glommed on to the whole issue as a way of getting their faces in the news and their hands into the till. As our occasional reader Bos puts it:

When you say “weapons-grade cybermunitions developed by nation states”, I hear “this patchwork of consulting gigs won’t cover my coke bill.”

Meanwhile, what’s going on in Iran? In many ways, this is much more interesting. Way back in 2006, I blogged about how the Iranian government was putting impressive resources into aid to Afghanistan. One facet of this was that they had laid a fibre-optic cable from Iran to Herat; another was that the cybercafe in Kabul with the most bandwidth and the least censorship was the one in the Iranian cultural centre.

Now, it looks like the Iranian wholesale telco monopoly, DCI (Datacomms Iran), is becoming a significant transit provider to networks in Iraq, specifically Kurdistan, and Afghanistan, including the Afghan Government. As the good people at Renesys point out, this is perfectly sensible for the Kurdish operators – they’re getting rid of their expensive and slow VSAT links, and diversifying their sources of transit – but this is dependent on actually diversifying, rather than just replacing.

The Afghan government’s network, it turns out, has recently started to show up through DCI as well as through Pakistan and an Uzbek provider. For a while, all the Afghan prefixes were being routed via either Iran or Uzbekistan and Russia, after a fibre cut on the route to Pakistan.

You can certainly see why the Afghans might not want to pass all their traffic through Pakistan. But treating this as a political issue does have a point. Back in the summer of 2009, the Iranian state found an elegant way to use DCI as an instrument of political power – rather than turn everything off, as in Burma, or call out the troll army, as in China (although they do have that capability), they rate-limited everyone down to about 20% of the typical throughput. As all Iranian ISPs have to use DCI for transit, this meant that a lot of hostile Internet activity will just not have happened, although the really determined would get through.

They are, of course, the ones you want to catch. Squelching down the bandwidth also probably meant that the traffic was reduced to a level where their lawful-intercept infrastructure* could capture and process it all. Almost certainly, they can do the same to any of their downstreams, or continue to pass customer traffic while squelching their own.

It is impressively ironic that a few router configuration rules can mean freedom in Herat and tyranny in Tehran.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.