
The latest round of Stuxnet revelations hit manic levels in the mainstream media over the weekend, and the unsubstantiated, uninformed, unconscionable wild-eyed speculation I've seen stinks to high heaven. Several so-called reporters should be strung up and goose-marched back to J-School.
What's wrong with the mainstream coverage? Let me count the ways.
First, nobody has any idea if Iran -- much less the Bushehr Nuclear Power Plant -- was the primary target.
Second, nobody knows who put Stuxnet together -- or even if, indeed, it came from one single organization.
Third, calling Stuxnet a "state-sponsored cyber attack" entails a leap of faith spanning several chasms, a handful of continents, and one or two parallel universes.
Let's all take a deep breath and look at what we know, for sure.
Was Iran targeted? Estimates about Stuxnet infections, and the location of infected Windows PCs, run all over the place. Alexander Gostev at Kaspersky puts it this way:
[A]ny estimates about the number of infected machines can only be based on the data which AV companies get from their clients' machines. And such data only comes from those countries where a company actually has clients. So if there aren't any clients, or the antivirus product in question isn't widely used, any estimates have to be regarded as having a serious margin of error.
Since the beginning of July, Kaspersky's Internet-based scanner -- which primarily scans personal, not business, systems -- caught 86,000 infected PCs in India, 34,000 in Indonesia, and 14,000 in Iran. Back in July, when Kaspersky first started scanning for Stuxnet infections, India had 8,600 infected PCs, Indonesia had 5,100, and Iran had 3,100.








