From Punch Cards to Stunt Hacking to Alex Gibney’s ZERO DAYS & Symantec’s Eric Chien on Stuxnet

by Quendrith Johnson, Los Angeles Correspondent

You have to hand it to filmmaker Alex Gibney (GOING CLEAR): he has taken on everything from Eliot Spitzer’s political downfall to the Enron debacle to Lance Armstrong’s doping to soft-money “super-lobbyist” Jack Abramoff to Gonzo journalist Hunter S. Thompson, not to mention Nigerian music legend Fela Kuti. So it comes as no surprise that Gibney goes from wrestling Xenu to rattling the NSA’s cage with ZERO DAYS, his new “thriller” documentary about cyber-warfare phenom Stuxnet. Released by Magnolia Pictures, Participant Media and Showtime, ZERO DAYS screens in theaters July 8, also on demand at Amazon Video. Gibney’s doc defines Stuxnet as “self-replicating computer malware (known as a ‘worm’ for its ability to burrow from computer to computer on its own) that the US and Israel unleashed to destroy a key part of an Iranian nuclear facility, and which ultimately [mutated] and spread beyond its intended target.”

If that’s not enough to get your smartphone wiretapped, who knows what is? And that’s why this doc is really tricky: it names not only names, but Nation States. Plus it lets us know that among the three probable classes of cyber-attack originators, nation-states are the most dangerous. The two other classes are cyber-criminals and hacktivists.

But c’mon, for the rest of us workaday non-security-classified folks out there, it is a little difficult to fully grasp the “Olympic Games”-scale virus unleashed on Iran’s nuclear power facility — as detailed in Alex Gibney’s documentary ZERO DAYS via expert interviews — without some backstory on the issues involved. In a moment, Symantec’s brilliant code-cracker Eric Chien, who is featured in this film with his boss Liam O’Murchu, will chime in; for now let’s rewind the digital clock to analog times for some perspective.

Clear your mind, take a breath, and think about the technology issues from a long angle. Think about the progression from English mechanical engineer Charles Babbage (1791-1871), who with assistance from mathematician Ada Lovelace (1815-1852), came up with the first mechanical engineering computer, the Difference Engine, as a starting point. Mechanical computing (i.e., tabulating polynomials, or carrying out calculations on huge numbers) in the Industrial Age leads to punch cards that control looms in the textile industry. This hold-over method, punch cards, remains in place even up until the 1980s as analog goes 100-percent digital. A fast-forward timeline means punch-card key machines to vacuum tubes with wires to British polymath Alan Turing (1912-1954), who in the 1940s added to the war effort by not only “cracking” the German U-Boat message encoder, Enigma, but also understanding and foreseeing the possibilities for “large scale digital technology” via the encrypted telephone messages between Churchill and Roosevelt. That said, all the elements are in place to usher in the world of cyber attacks. Consider the sabotage possibilities in the first punch-card driven looms.

If you’re familiar with “spook hardware” such as the Enigma and its US/UK code-breaking counterparts from WWII, the scope of ZERO DAYS is an easy leap. You just need an update on the acronyms and players we now face in Cyberwar. Cyber attacks, cyber terrorism, and all other penetrations into our enterprise-grade technology require countermeasures — only now we’re talking software, or code, and the stakes are world-breaking with the nuclear weapon card in play.

Another helpful insight before seeing ZERO DAYS is the US’s relation to the Shah of Iran. Because before he was deposed, the Shah of Iran received the first piece of their nuclear technology from the US, in support of power generation. The Christian Science Monitor did a round-up once that put dates on the whole mess. “In 1967, under the ‘Atoms for Peace’ program launched by President Eisenhower, the US sold the Shah of Iran’s government a 5-megawatt, light-water type reactor… the foundation of Iran’s nuclear power program.” The Shah reigned from Sept. 16, 1941 until Feb. 11, 1979, when he was toppled by the Iranian Revolution. However questionable the Shah’s regime was, it’s axiomatic that something would go wrong once the largely secular world of his rule fell into theological hands as the 1980’s began.

Next, things go from theological to zealot by US estimations, and then there’s Sept. 11, 2001. Allegations are that Iran is inching its way toward the “bomb,” because it’s not a huge stretch from power-reactor fuel to weapons-grade material. You can see why the US Government would consider cyberwar in the wake of 9/11, especially since the hardware and software for their nuclear program comes mostly from the West (read: a way in via upgrades to the tech). Plus, would anyone ever find out? Someone high up likely gambled on the wrong side of “No.” So malware was secretly engineered, somewhere, to attack the centrifuges at Iran’s Natanz facility. Alex Gibney’s take on it is, “I started out making a small film investigating ‘Stuxnet…’ What I discovered was a massive clandestine operation involving the CIA, the NSA, the US Military and Israel’s intelligence agency Mossad to build and launch secret cyber ‘bombs’ that could plunge the world into a devastating series of… attacks on critical infrastructure, shutting down electricity… this science fiction scenario…”

That’s Mr. Going Clear for you, outing the whole gamut of international players from “three-letter agencies” to nation states. Gibney steps into the lion’s den, where most of us would shiver and recite the Cowardly Lion’s “I do believe in spooks, I do believe in spooks” from the Wizard of Oz. But then you talk to someone like Eric Chien, Technical Director of Symantec’s Security Technology and Response division, who was among the first handful to discover and name the Stuxnet virus, and it becomes clear that the message of ZERO DAYS is not rehashing old news about the perils of technology.

Although it is public record that Belorussian engineer Sergey Ulasen was the first responder to report the then-unnamed Stuxnet virus as a BSOD (Blue Screen of Death) reboot over there in the Iranian nuke-related nest of computers, the message of this film is really about the knowledge gap between policy makers and digital purveyors, who, at the speed of technology, will reshape the world for us if we don’t watch out.

In person, Eric Chien is incredibly personable, a youthful exemplar of next-generation digital professionals (read: Not Nerds) in business casual attire with stand-up bangs and a friendly, open demeanor. He twists his wedding ring briefly, the only sign that being nervous is normal under the weight of the controversial topics involved. Then Chien uses his outdoor voice, launches into a patter that suggests he is used to briefing Subcommittees and Fortune 100 clients on the ins and outs of tech topics, which he does in real life. “We make Norton Anti-Virus,” he begins, to kind of define Symantec. He also apologizes that colleague Liam O’Murchu couldn’t make it. “He had his hands on it first,” Chien adds, meaning Stuxnet.

“Normally what we do, day-to-day, is we look at the latest (cyber) attacks. About one million a day. A lot of it is handled through automation, which automatically create fixes for them. When we come across some big attacks, we share (with stakeholders)” pieces of the code for others to monitor or give feedback on. “Recently someone tried to transfer $1 BN from the Bank of Bangladesh,” he said. This discovery brought back some similarities to the adrenaline of the Stuxnet discovery. It’s fascinating to watch Eric speak frankly and transparently from the super-secret cyber-crypto world where “pen tests” — penetration tests of security systems — make these reverse-engineers just as tricky as their malware-making counterparts. “You never want to roll out your own crypto,” he corrects. “You really want it to be peer-reviewed.”

Chien will let slip a few telling details that demonstrate how John le Carré his day job is, like “when you have black motorcycles, wearing all black following you, behind you, you start to wonder.” Or, on why Stuxnet wasn’t part of the Snowden leak, he casually mentions, “Edward Snowden didn’t leak this because those files are stored on a different server.” Then, ironically, Chien says he is not under an NDA (non-disclosure agreement), because “we don’t have a two-tiered system. We share this information with our clients… we would never work for hostile nations.”

This charming ambassador of tech will also note that ‘zero-day’ is a term that basically means the virus is discovered at the same time the vulnerability is revealed that makes the exploit even possible. (Think of it as a hole-in-one golf shot, but nobody knew there was a hole there until the ball hit. Now you’ve got two problems.)  “Stuxnet had not one, but four zero-days in it,” Chien emphasizes, “even one zero day is rare, but four?” This is how “we knew nation states must be involved.” But breaking the code, finding out what this virus was supposed to do “was the needle in the haystack. I mean it had a (kill) date in it, but it was not easy to figure out.” Then Symantec’s wizard recites that oft-quoted refrain that while most attacks take his team about “three minutes to crack, this one took three months.”

“Liam (O’Murchu) is the first one who picked it up. I then pulled it as well.” The first approach was “What is this thing? Is it trying to like hold my computer for ransom? Steal some documents?” But the most impactful theory was covert espionage. “As we began to rip (the code) apart, we saw that it was (targeted at) Siemens PLC.” PLC stands for programmable logic controller; the Siemens unit controls functions for a very specific piece of hardware, in this case the rotating nuclear centrifuge at Natanz in Iran. “We ordered the exact same model of PLC. We were expecting something the size of a mini-frigerator. But when the box came, it was the size of a book!”

There’s something admiring in the way Eric Chien describes the puzzle pieces from the dark side that Alex Gibney has detailed in ZERO DAYS. “The code was perfect, there were no errors in it, that’s how we knew it was a nation state,” Chien admits. “The way Alex incorporated the exact pieces of code (from Stuxnet) at exactly the right moment it is being discussed on screen really impressed us.” By “us” Eric Chien means the super smart people working on encryption, the white hats.

When pressed, Chien adds that most technology-related movies and TV projects are “ridiculously inaccurate,” but not ZERO DAYS. Or the USA Network TV show Mr. Robot, which he admits to watching, a huge endorsement. But if you ask who his favorite hackers are, Chien demurs. “Today it’s just stunt hacking, I don’t find that interesting. Doing something just so you can show you can do it. Like hacking a PLC to show you can do it.” Then he pauses, “you know Captain Crunch? I liked him.” Captain Crunch (a/k/a John Draper) was Steve Jobs’ favorite hacker, the guy ‘who stole from Ma Bell’ back in the old days of blueboxing by “whistling” analog tunes into a phone receiver to fool the network into thinking it was a digital tone to allow free long distance. Then if you ask: ‘Do you think smart people will take over the world, since there is such a knowledge gap with policy makers?’ Symantec’s distinguished engineer will smile, and come back with “the world is not a meritocracy,” as if the concept of brains over brawn has been debunked throughout history.

In one parting quote, Chien remarks “there’s something to be said for obsolescence. Because when Russia tried to shut down (the grid) in the Ukraine, their technology was so old, they could actually go to each site and crank it back on by hand.” That’s not in ZERO DAYS, but Nitro Zeus is. So now you’re armed with enough information on the backstory to grasp the enormity of ZERO DAYS. A must-watch, Gibney’s newest premiered at the Berlin Film Festival and opens July 8. To find out more, visit the official site here for screen times and venues.


# # #
