You make it sound much simpler than reality, have you read any of the technical reports or just the latest CNN report? I would highly recommend at least reading the Wikipedia entry for Stuxnet, particularly under "Operation" [0] before brushing it off as a job any script kiddie with access to zero-days could accomplish.... never mind that using four zero-days is "unprecedented". Also you are ignoring the fact that they just didn't hack Windows, but also a number of very specific Siemens custom software packages and PLCs. All technical analyses of Stuxnet that I have read until now have said it could only be a government actor with enough resources and time to build something of this magnitude, targeted so specifically as to only affect centrifuges in Iran, although it was discovered in various countries. If you need more technical details, Symantec wrote up a ~60 page dossier with lots more technical details[1]. You would be surprised how insanely detailed this thing is.
I am completely aware of how it worked and you seem to have ignored what I said. The organizational effort to collect the 0 days, target the right centrifuges, etc is what was impressive but there was nothing new technological there. Putting together multiple 0 days is how hackers win sandbox busting competitions for browsers.
Stuxnet has been analyzed in detail and there were no new special hacking techniques like unknown ASLR vulnerabilities or arbitrary unprivileged memory reads like Spectre. It was just some 0-days wrapped up with a laser-focused task that took years of effort to research.
It's shockingly impressive how much effort went into researching what needed to be done, not the actual mechanism that was used to do it.
If someone plans out a super elaborate assassination of the hardest target in the world and completes it with a homemade shiv, you don't comment on how impressive the shiv itself was. It was the ability to know when/where/how that was impressive.
Yeah, if Stuxnet had been using something like Spectre or Meltdown the world really would have exploded. And without the source/whitepaper I'm not sure people would have even figured out what it was doing for quite a while.
They say Stuxnet featured nothing very new or technological but I don’t recall anything else infecting PLC’s and using ambient temperature sensors to define behavior. That is just one techno. aspect I found original. The fact that this wasn’t anything new to Symantec researchers is kinda frightening of itself.
>but I don’t recall anything else infecting PLC’s and using ambient temperature sensors to define behavior. That is just one techno. aspect I found original.
The target was interesting and the attack subtle, but attacks on industrial control systems had been the target of research even in the public in the same time frame: http://edition.cnn.com/2007/US/09/26/power.at.risk/
[0]: https://en.wikipedia.org/wiki/Stuxnet#Operation
[1]: https://www.symantec.com/content/en/us/enterprise/media/secu...