Slashdot Mirror


Industrial Control Software Easily Hackable

jfruh writes "CoDeSys, a piece of software running on industrial control systems from hundreds of vendors, has been revealed to be easily hackable by security researchers, giving rise to a scenario where computer hacking could cross the line into the physical world. Worse, many of these systems are unnecessarily connected to the Internet, which is a terrible, terrible idea."

194 comments

  1. Enter Kaspersky by Anonymous Coward · · Score: 1, Informative

    Kaspersky says they'll come up with a new OS specifically designed to protect industrial control systems from hacking and sabotage.

    http://www.pcmag.com/article2/0,2817,2411052,00.asp

    1. Re:Enter Kaspersky by Anonymous Coward · · Score: 1

      They also said they'd come up with an exploit-proof operating system so their credibility is more than just a little suspect.

      http://it.slashdot.org/story/12/10/19/2254209/kasperskys-exploit-proof-os-leaves-security-experts-skeptical

    2. Re:Enter Kaspersky by gweihir · · Score: 2

      Talk is cheap. My guess: They cannot do it, but enough people will believe them. Once the OS is in place, they cannot migrate away anymore.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Enter Kaspersky by Johnny+O · · Score: 2

      ??? they can't pick a live Linux CD?

    4. Re:Enter Kaspersky by Interfacer · · Score: 3, Interesting

      Speaking as the system administrator for a large DCS system: the OS will be no good without a complete redesign of the application level software. The problem is not really the OS, but the fact that in order to make everything work together 'automagically', there are hardcoded service accounts, and much of the app executables (which are often executed with system permissions) are writable because the entire installation folder is writable. And of course, the controllers that do perform all control actions use a protocol whose only real claim to security is obscurity.

      And from what I can tell, the system I manage is fundamentally no different in that regard from DCS or SCADA systems from other vendors. While it is true that a secure-by-design would be a good place to start, the main problem atm is that the application architecture is hopelessly insecure.

    5. Re:Enter Kaspersky by bbelt16ag · · Score: 1

      so.. please tell me you don't put this on the net do ya? You make sure there is physical security around those systems too? this seems like ripe pickings for any hacker foreign or domestic?

      --
      NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
    6. Re:Enter Kaspersky by plover · · Score: 2

      Even if they could do it, very few ICS admins would switch to it. Most people there are responsible for stability as their most important attribute - and that means running a solution that has proven itself over and over and over again. Related to this concern is downtime: often times these plants are running 24x365 schedules, controlling furnaces that keep ovens full of molten iron from freezing solid, which could destroy the oven. Shutting down a production line takes time and planning to prevent damage, and every minute that line is down, they are not making money.

      When there is a credible threat, they look at addressing the threat on an individual basis. Firewalls between the controller and the LAN. Epoxy in the USB ports. A locking cabinet around the CD-ROM drive. But replacing the core of the factory, on an unproven software package, just "in case" a hacker might target them? Not terribly likely.

      --
      John
    7. Re:Enter Kaspersky by gweihir · · Score: 3, Insightful

      Even if they could do it, very few ICS admins would switch to it. Most people there are responsible for stability as their most important attribute - and that means running a solution that has proven itself over and over and over again. Related to this concern is downtime: often times these plants are running 24x365 schedules, controlling furnaces that keep ovens full of molten iron from freezing solid, which could destroy the oven. Shutting down a production line takes time and planning to prevent damage, and every minute that line is down, they are not making money.

      Indeed. What they actually need to do is to really isolate these control systems in the hard sense. I.e. no ports network, data import only manually, data export via CD-R or the like, clear message to employees that connecting any USB media, Laptops, etc. will result in immediate termination, ...

      It can be done, even if it may require some people to suffer first, as Iran found out. They did execute the people that imported Stuxnet via USB drive. My guess is they will not have that problem again anytime soon.

      When there is a credible threat, they look at addressing the threat on an individual basis. Firewalls between the controller and the LAN. Epoxy in the USB ports. A locking cabinet around the CD-ROM drive. But replacing the core of the factory, on an unproven software package, just "in case" a hacker might target them? Not terribly likely.

      This is not enough. Firewalls are insufficient. They need to implement real isolation, i.e. only an isolated net may be used and that has to be very heavily protected. It will take quite some time for them to find out how to do that, although competent IT security people could tell them today. The problem is that they are asking the wrong questions and are looking for IT experts that understand their business, instead of looking for competent IT security folks.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Enter Kaspersky by Hognoxious · · Score: 1

      It can be done, even if it may require some people to suffer first, as Iran found out. They did execute the people that imported Stuxnet via USB drive. My guess is they will not have that problem again anytime soon.

      Well it's pretty difficult to insert a USB drive when you've had both hands cut off (in Allah's mercy)...

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    9. Re:Enter Kaspersky by Meski · · Score: 1

      That's going to have a chilling effect on their 'citizens' volunteering anything happening.

    10. Re:Enter Kaspersky by Anonymous Coward · · Score: 0

      Except that the point of a control system often is to relay information to other systems. To interact with SCADA, Business Platforms, Order systems etc. So cutting the control system in the line of from the internet makes all the new control software pointless and we can go back to what we had in the 80s.

      Also when doing updates to a PLC or Frequency converter I need to bring my Laptop or USB. And since I need to run a multitude of software of my computer as well as surf the web for solutions etc. there is always the risk that I am infected.

      We who program PLCs HMI and suchlike *know* that we are vulnerable, but it's part of the cost of doing business and all the "easy" solutions that people come up with (don't let anyone insert a USB stick, don't connect it to the internet) are just plain stupid most of the time.

    11. Re:Enter Kaspersky by plover · · Score: 2

      And the further simplistic (but still dumb and vulnerable) solution for you might be "two laptops". Only the red laptop connects to the equipment. The other laptop connects to the Internet and lets you read the manuals, docs, slashdot, etc. If you need to download a file, you format a flash drive in the red laptop, insert it into the black laptop and copy the file, then read it back in the red laptop. It's cheap enough, and adds another layer of difficulty. It might not have stopped Stuxnet, but it would have stopped everything else.

      But I get that the network connections make these systems far more valuable than isolated systems. If you are working on a municipal water system, having you sit at a desk and remotely connecting in to monitor valves and pumps around the city means you can be effective in dozens of places at once. If you are working in a manufacturing plant, your manufacturing systems can tell your warehouse systems that productivity means you're filling 100 pallets of product per hour today, and your shipping system can schedule the right number of drivers and trucks. Disconnecting is no longer an option in 2012.

      The best solution would be to create a test platform that everyone trusts is effective. Prove that you can test security upgrades and guarantee that they won't be bringing the factory down. Get the CEO to sign off on the plan that says "we will test every security patch in this new test system, and install every patch in production within one month." And have billion dollar lawsuits hanging over the vendor's contracts.

      It's all very expensive. But how expensive are the vulnerabilities if an attacker does get in?

      --
      John
  2. Not such a bad idea... by jmerlin · · Score: 5, Funny

    Worse, many of these systems are unnecessarily connected to the Internet, which is a terrible, terrible idea.

    Now you're just being paranoid. Instead, you should develop an artificially intelligent system to defeat would-be attackers and malicious software. That sounds like the best idea.

    - Skynet

    1. Re:Not such a bad idea... by Anonymous Coward · · Score: 2, Funny

      Way ahead of you.

      -Colossus

    2. Re:Not such a bad idea... by stanlyb · · Score: 1

      I have better idea. Why don't we just make not better, but NORMAL software, with NORMAL developers, not the bunch of idiots that are thinking they have anything common with "developing" anything at all???

    3. Re:Not such a bad idea... by Anonymous Coward · · Score: 0

      Woosh!

    4. Re:Not such a bad idea... by Anonymous Coward · · Score: 1
    5. Re:Not such a bad idea... by Anonymous Coward · · Score: 0

      Or you could ask congress to pass laws, hire more police, judges, and special national security agents.

      The choice ? More machines, or more people under your control?

    6. Re:Not such a bad idea... by greg_barton · · Score: 1

      Instead, you should develop an artificially intelligent system to defeat would-be attackers and malicious software.

      Yes, you should.

      (Disclaimer: I work for Skynet.)

    7. Re:Not such a bad idea... by Capitaine · · Score: 1

      Security is not in requirement specification, why would they implement it ?

      "- Boss, I got an idea. We could implement two-factor authentication, full AES encryption of network data and D-H key exchange in our industrial software. Nerds will love it. It would cost x k$ (with x > 0).
      - Hum, no. And gtfo of here."

  3. Yup by 50000BTU_barbecue · · Score: 5, Informative
    Having recently switched fields from high-end telecom gear to industrial machinery, I can confirm this. The industry works with what hardware they know. I last worked in the field two decades ago, and now I see the same Cutler-Hammer contacts, the same Schadow switches, the same Schroff and Rittal metal works, the same Panduit wire ducts, the same Oriental motor drives, the same Allen Bradley PLCs... Oops, that PLC now has an ethernet port? The PLC looks the same as before, a grey box covered in screw terminals, but apparently it must have changed from a 6809 running GRAFCET to some sort of modern porous monstrosity needlessly running a 64 bit OS with so much unverifiable code.

    It's not necessary.

    --
    Mostly random stuff.
    1. Re:Yup by Anonymous Coward · · Score: 0

      But the thing is, the old stuff you're talking to is INSECURE to begin with. Not designed with any security in mind. Verifiable code doesn't fix holes within the whole system design- period. All it does is ensure it does what it was designed to do- and NOTHING more. What if you design in the component in question and you don't account for someone issuing a remote command they're not supposed to? Verifiable code doesn't protect you from that problem.

      It's supposed to be airgapped, I know. How many properly airgapped systems do YOU know about?

      Now, these Windows based components...the ones of the discussion; they're designed with "modern" development and ease of HMI development in mind- the PLC's still the same beastie, it just exposes MODBUS over IP or similar. The stuff that this article's talking to...it's the HMI parts that're typically what's running on Windows.

      Security doesn't come from just verifiability. It comes from thinking things through- from start to finish as a system design. The moment you bemoaned verifiability, you lost- because you're little different than any of the other people in the SCADA space. How do you prevent unauthorized users from issuing commands? How do you ensure that there's not a man in the middle munging your PLC's data return, causing you to do wrong things in your design? If you can't answer those things and talk to them in a conversation like this, you're no better than the rest with their heads in the sand.

    2. Re:Yup by Anonymous Coward · · Score: 0

      Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.
      And now, so do industrial control systems.

      Hooray.

    3. Re:Yup by hjf · · Score: 4, Interesting

      I like to compare the problem in this industry to Powerpoint presentations. If you ever attend a university lecture, you'll see the professor, who is an engineer, doctor, master's, Ph.D or whatever. He has 5 degrees, hundreds of certifications, and thousands of hours of experience in the field or in front of a class. Yet, he cannot be bothered to invest a few hours of his time in learning *GOOD* powerpoint skills. And don't even get me started on "getting your computer hooked up to the projector".

      In the automation industry it's the same thing. A very clever engineer, real genius sometimes, comes up with mechanisms you wouldn't even dream of, and designs a machine as big as a building, that works perfectly. The problem is, it's the same guy who programs the PLC, and he likes to do it in Ladder diagram (which has its advantages. I do ladder and I admit it has the benefit that you can "see" the program, and not get lost in semicolons and braces). But, like a rookie programmer, he disables security, releases in debug mode, uses default passwords, and many other "bad practices" that could be easily solvable if he bothered to spend a few hours to learn to think as a software guy. Sure, disabling your firewall isn't harmful if you're testing for a few minutes. But "I can't find the problem so the only workaround I found was to disable the firewall" is pretty much what happens with these guys.

    4. Re:Yup by Anonymous Coward · · Score: 0

      "to some sort of"

      So, you don't know. So you can't say,

      "It's not necessary"

      You could be right, but that would be by accident, not by information.

    5. Re:Yup by Anonymous Coward · · Score: 1

      It's insanity to build 1000 identical machines with different passwords. Customers expect to get similar machines, and having different passwords only invites utter chaos.

      Customers also expect electricians to be able to look at PLC logic, and know passwords on machines that they might look at once every two years. To expect different passwords is idiotic at best.

      What needs improved are network level firewalls, which the IT department needs to do. Instead, IT people ask things like, "Can't you migrate that HMI to Windows 7 from NT4?" not realizing that it is impossible, and would utterly break it, shutting down production for unknown amounts of time.

      I know that Slashdot is very IT-centric, but it's a network (and USB key) restriction problem, not a problem with operation-level equipment.

    6. Re:Yup by stanlyb · · Score: 1

      The hardware is insecure, yes, that's true, but the Intel machine controlling this old hardware...i wonder what is the excuse there? They use the latest VS2010, .NET, MOP.net, you say whatever NET, and it is still sooo entirely insecure, that i....i simply have no words.

    7. Re:Yup by hjf · · Score: 2

      So why do they have passwords if the password is always 1234 and even the janitor knows it?

    8. Re:Yup by Anonymous Coward · · Score: 1

      I work in this industry too, and I assure you I've never met another person in my field who knew anything about computer security, let alone thought it was important. When I point out obvious security precautions like putting a firewall between the industrial network and the corporate network, it's like I'm speaking Greek. Nobody knows or cares. I once worked with a contractor PLC programmer that brought a home wireless router and plugged it into the customer's industrial network with no password just for the convenience of getting online with the PLC wirelessly. It's so frustrating. We're screwing ourselves so badly. There's nothing I can do except wait for a major catastrophe to wake up the industry and make them change their ways. I hope I'm wrong.

    9. Re:Yup by ancienthart · · Score: 0

      Posting to remove a mistaken moderation. :(

    10. Re:Yup by Bacon+Bits · · Score: 1

      The same reason they put locks on the glass doors of convenience stores. To keep out inquisitive idiots.

      --
      The road to tyranny has always been paved with claims of necessity.
    11. Re:Yup by inasity_rules · · Score: 3, Insightful

      On the other hand when the SI password protects the PLC so another SI can't get in and fix the system(because the first SI is now out of business), now we can get in and do it without re-engineering the whole system. Sometimes low security has benefits.

      90% of the security we implement is air gap. Once someone has physical access to the control panel, you've lost anyway, they could start swapping wires and pulling relays if they wanted. If the system must be on a network, we put it on physically separate network, with at most one SCADA PC on both(because the client demanded it). Still, you can set up a nice secure(ish) system, and two weeks later the client's IT department has screwed it up completely.

      The major catastrophe you're waiting for is actually surprisingly unlikely. Sure a malicious person could cause a lot of damage, but from what I have seen people are more interested in stealing stuff than blowing it up. Why go to all the effort of destroying the mill on the goldmine when you could go to all the effort of smuggling gold out? They'd rather get on the internet to check their facebook, and once they realise the control PC is not on the internet they don't care anymore.

      --
      I have determined that my sig is indeterminate.
    12. Re:Yup by bbelt16ag · · Score: 1

      then I would suspect we're owned by any and all hackers in the world. so once they take it all down and kill millions of people, since they don't got generators to protect the power grid, will they learn from this lesson? will the Gov. peeps haul their ass up to congress and make em fix it or will they get a slap on the wrist like the finance peeps?

      --
      NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
    13. Re:Yup by thegarbz · · Score: 1

      The industry works with what hardware they know.

      No. The industry works with what hardware they TRUST. The problem is that trust is built up on a per company basis. After many years of experience with one vendor that vendor ends up on a list of preferred suppliers for any product they manufacture.

      This is really good and really bad. By finding the good vendors you end up with a reliable and consistent equipment base which all your techs can be trained to work on and the next new project won't introduce uncertainty in the way of equipment requiring new training, new maintenance etc.

      However it all comes unstuck if you have too much goodwill towards a company that you won't boot them off the preferred vendor list. We the end users aren't experts and few of us know what goes on inside the equipment. But the end users need to have the balls to say to a vendor that they'll end up on the banned vendor list if they do something we don't like.

    14. Re:Yup by Anonymous Coward · · Score: 0

      It doesn't take a few hours to start thinking like a software guy. It's illusion of simplicity.

    15. Re:Yup by fph+il+quozientatore · · Score: 1

      If you ever attend a university lecture, you'll see the professor, who is an engineer, doctor, master's, Ph.D or whatever. He has 5 degrees, hundreds of certifications, and thousands of hours of experience in the field or in front of a class. Yet, he cannot be bothered to invest a few hours of his time in learning *GOOD* powerpoint skills. And don't even get me started on "getting your computer hooked up to the projector".

      Not in mathematics. Almost everyone uses Latex (often, the beamer package for slides); the most old-style people use the good ol' blackboard or hand-written transparencies. If you show up at a conference with a ppt file, you look immediately like a rube.

      --
      My first program:

      Hell Segmentation fault

    16. Re:Yup by shentino · · Score: 1

      It can also prevent people named Terry Childs from taking your network hostage.

      The most important security, is watching the watchers. Can the top boss still get into the system?

    17. Re:Yup by inasity_rules · · Score: 1

      The top boss normally demands access to the SCADA in a monitoring mode. Or the SQL based reporting system at least, which should have a blame trail logged in it... Normally you don't want anyone but a qualified engineer messing around in a PLC.

      --
      I have determined that my sig is indeterminate.
    18. Re:Yup by RobinH · · Score: 1

      Certainly the GP isn't talking about physical security, or even trying to use cybersecurity as a replacement for physical security. If there's a malicious guy standing beside your control panel, good luck. However, the fact is more and more industrial control systems, are connected directly to the corporate network. Even if they're not on the same network, you almost certainly need some kind of MES system with access to both networks, so you have a single point of failure there. Even without that you have laptops with the programming software. You need to copy EDS files onto those from the vendor's site, you need to "activate" the programming software by connecting it to the internet, so you're constantly moving it between both networks. That's another major security hole.

      Plus, numerous times I've been required to logon to these systems to do support remotely, even when they were in different countries. I even went online with a line CompactLogix PLC across the internet for troubleshooting because the customer requested it. Management stood behind me (literally) oooh'ing and ah'ing about how cool it was that it could be done, thinking they were brilliant for coming up with the idea to save a trip onsite. Think about that situation... if the customer's laptop was directly connected to the industrial network and they were connected to a Webex meeting from that laptop, and giving control of their desktop to my PC, exactly how did they do that if their industrial and corporate networks are actually "air gapped"? They're not the only customer doing this either.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    19. Re:Yup by inasity_rules · · Score: 2

      Well, ultimately the customer is going to care more about downtime than about security. Even if security has a nebulous risk (that they have not run into yet) of causing downtime. Where I work, we also remote into systems, sometimes directly over a 3G modem. It is a massive security issue, but the convenience sometimes trumps it. Admittedly you'd have to hack a private APN to get into the system, and then bypass the passwords. It is doable, I am sure, but it would be a lot of effort to go to to get into, say, a water recovery plant in the middle of nowhere.

      Most of the PLC software I work with, thankfully only requires activation once(or in one case not at all). Rockwell's system of software licensing and flashing the blasted PLC every time you need to do something that should be standard actually does them no favors with me. I will not recommend them to clients and I will only use them if the customer specifies that I do. I am much happier with an Omron or Mitsubishi system. Hell, I'll even take Toshiba over their stuff. Not to mention the terrible support I've gotten out of Rockwell. No thank you very much.

      Ultimately there is a compromise on these systems between security and convenience. And that is just the way it is.

      --
      I have determined that my sig is indeterminate.
    20. Re:Yup by gtall · · Score: 1

      That's fine when your enemy is a crook who needs a financial incentive to get off. However, if your enemy is, I don't know...pick any of the global actors, someone or organization who gets off on causing mayhem, then the calculus changes.

    21. Re:Yup by gtall · · Score: 2

      I recently went to a logic conference in Poland, only one presentation used ppt, the rest were Beamer and Latex. That's more or less the way it is done through theoretical computer science and among logicians. The reason has to do with typesetting mathematics. MS seems to have worked overtime to make that as painful as possible in ppt. Apple's Keynote makes it easy so it isn't impossible on something like ppt. Frankly, I won't touch ppt unless it is the last step in a process of producing slides and the slides simply have to be in ppt so management doesn't lose its tiny brain.

    22. Re:Yup by inasity_rules · · Score: 1

      Well, which is a better target? A nuclear power plant or a water recovery plant for a mine in the middle of nowhere. Set up your security accordingly - lock down the nuclear plant tightly. The water recovery plant can go down for weeks until someone bothers to go fix it and plug any minor issues. Seriously what's with all the paranoia on /. today?

      --
      I have determined that my sig is indeterminate.
    23. Re:Yup by tibit · · Score: 2

      All this password brouhaha is silly. If you have physical access, you can always do whatever the heck you want -- for all we know, you can unplug the control wiring from the PLC and run the machine from a pushbutton panel. That has always been the case. All one needs is a button on the PLC that you have to press, perhaps twice, to indicate that you're local and want to let a connection from your laptop access the PLC's administrative functions. Otherwise, if you're doing it from a central office of some sort, there is no reason at all not to have your public key uploaded to all the PLCs during commissioning. Passwords fill a need that IMHO doesn't exist in real scenarios in a plant. Either you have local access, or you have access to system documentation that includes the file with public key. Anything else invites an "electrician" to cause a lot of damage.

      --
      A successful API design takes a mixture of software design and pedagogy.
    24. Re:Yup by tibit · · Score: 1

      Yeah, because you can't have a fucking button on the PLC itself to enable direct passwordless access when you already have physical access and can screw things as you please... For everything else, you don't need passwords, just loading up the set of public keys of entities that are allowed to make changes in the PLC. That's all there's to it. No passwords.

      --
      A successful API design takes a mixture of software design and pedagogy.
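
The scheme tibit proposes in the two comments above, sketched as an added example that is not part of the original thread or any vendor's firmware: the controller holds public keys loaded at commissioning, accepts a remote command only when it is signed and fresh, and opens a short passwordless window after a local button press. All type and function names, the message layout, the per-key replay counter and the sample command are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Added example: every name here (Controller, Request, ...) is hypothetical.
var (
	ErrUnknownKey = errors.New("key was never commissioned")
	ErrBadSig     = errors.New("signature does not verify")
	ErrReplay     = errors.New("counter not fresh (replayed request)")
	ErrNoPresence = errors.New("local button not pressed recently")
)

// Request is a remote administrative command in a made-up wire format.
type Request struct {
	KeyID   string
	Counter uint64 // strictly increasing per key, starting at 1
	Command string
	Sig     []byte
}

// Controller models the PLC side: commissioned keys plus a button window.
type Controller struct {
	keys       map[string]ed25519.PublicKey
	last       map[string]uint64
	window     time.Duration
	localUntil time.Time
}

func NewController(window time.Duration) *Controller {
	return &Controller{keys: map[string]ed25519.PublicKey{}, last: map[string]uint64{}, window: window}
}

// Commission stores an operator's public key (done once, on site).
func (c *Controller) Commission(id string, pub ed25519.PublicKey) { c.keys[id] = pub }

// PressButton records physical presence for a limited time.
func (c *Controller) PressButton(now time.Time) { c.localUntil = now.Add(c.window) }

// AuthorizeLocal permits a passwordless local session only inside the window.
func (c *Controller) AuthorizeLocal(now time.Time) error {
	if now.After(c.localUntil) {
		return ErrNoPresence
	}
	return nil
}

// signedBytes binds counter, key id and command into one unambiguous message.
func signedBytes(keyID string, counter uint64, cmd string) []byte {
	var hdr [16]byte
	binary.BigEndian.PutUint64(hdr[:8], counter)
	binary.BigEndian.PutUint64(hdr[8:], uint64(len(keyID)))
	return append(append(hdr[:], keyID...), cmd...)
}

// Sign is what the central office's engineering station would do.
func Sign(priv ed25519.PrivateKey, keyID string, counter uint64, cmd string) Request {
	sig := ed25519.Sign(priv, signedBytes(keyID, counter, cmd))
	return Request{KeyID: keyID, Counter: counter, Command: cmd, Sig: sig}
}

// AuthorizeRemote accepts only fresh commands signed by a commissioned key.
func (c *Controller) AuthorizeRemote(r Request) error {
	pub, ok := c.keys[r.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, signedBytes(r.KeyID, r.Counter, r.Command), r.Sig) {
		return ErrBadSig
	}
	if r.Counter <= c.last[r.KeyID] {
		return ErrReplay
	}
	c.last[r.KeyID] = r.Counter
	return nil
}

// NewOperatorKey generates a fresh Ed25519 key pair from crypto/rand.
func NewOperatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	plc := NewController(2 * time.Minute)
	pub, priv := NewOperatorKey()
	plc.Commission("central-office", pub)
	req := Sign(priv, "central-office", 1, "set max_hz=400") // constructed command
	fmt.Println("first:", plc.AuthorizeRemote(req), "replay:", plc.AuthorizeRemote(req))
}
```

The private key never leaves the engineering station, so a captured request cannot be altered or reused and there is no shared secret on the controller to leak.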
    25. Re:Yup by inasity_rules · · Score: 1

      That is actually a very good idea. Sort of what OPC UA is trying to achieve. It is a great pity nobody has implemented it that I can see.

      --
      I have determined that my sig is indeterminate.
    26. Re:Yup by Hognoxious · · Score: 1

      So your machines run all night, banging out 100,000 promotional cake tins for True Love Waits.

      And they all have penisbird embossed on them.

      I bet it was that bastard in Accounts Receivable.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    27. Re:Yup by RobinH · · Score: 1

      That same PLC has to work in tiny little job shops where the only support is a local electrician, and they're perfectly capable of going online with said PLC, adding a new sensor they need to stop the machine when the new hopper they installed is full, and going on their merry way. In that kind of situation it's likely the PLC isn't hooked up to a network anyway. Besides, you underestimate the ability of an "electrician" who needs to get a job done. Trust me, there are much more serious ways for an electrician to screw things up than making a mistake with a PLC. In fact PLCs are designed to be understood and programmed by electricians. That's why most are programmed in ladder logic.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    28. Re:Yup by tibit · · Score: 1

      Again, if you have physical access, all it takes is a little button to temporarily allow unlimited, password-less connection. I'm sure there's plenty of simple PLCs that are programmable with ladder logic only and any electrician will understand them, the stuff I deal with is used for motion control and you need to know your shit to do anything much with them. Like, for example, knowing a bit about a couple of different industrial communications protocols, knowing a bit about TCP/IP networking, knowing a bit about computer science (algorithmic complexity), knowing a bit about digital signal processing, etc. The apocryphal "electrician" would probably manage to do a lot of damage and nothing much else. This is stuff where if you get a control loop unstable, things that cost $20k apiece will run into other things and get broken.

      --
      A successful API design takes a mixture of software design and pedagogy.
    29. Re:Yup by Anonymous Coward · · Score: 0

      I work around PLCs in an industrial setting. I do not do the programming, but I interact with those that do to make sure it does what is required and nothing it should not to the best of my abilities. Typically, to access the program locally requires a permission signal from the main control room. Of course there are ways around this, just as some installations have EEPROMS that can be erased by moving the shutter and shining a UV light on the cell. Without these EEPROMs, things run sub optimally. To truly secure a system would take very careful thought and much more followup. Keeping out the lookey loos can be easy enough. A determined opponent with physical access would be much, much harder to thwart.

      WRT the Iranian centrifuges; Stuxnet from what I read destroyed them by rapidly changing the speed until they tore themselves apart. A simple VFD from Rockwell can drive 400 Hz for the price of around $5000 US. I read that the Iranian gear did up to 800 Hz. When I set up a VFD, there are specific parameters I personally verify with physical tests (coast to stop on loss of comms, max freq, etc) and I understand that the high end VFDs capable of 800 Hz may be programmable over the plant network (ideally isolated from the internet) but it seems to me that there would be a way to set max Hz and disable changes over the network.

    30. Re:Yup by Anonymous Coward · · Score: 0

      That's the difference between street smart and book smart.

    31. Re:Yup by hjf · · Score: 1

      TFA was about SCADA hacks. SCADA systems are networks with (usually) remote screens. The point is that you can hack these systems easily with no physical access.

  4. From the article by Anonymous Coward · · Score: 0

    PLC = programmable logic controller

    The CoDeSys runtime allows PLCs to load and execute so-called ladder logic files that were created using the CoDeSys development toolkit on a regular computer. These files contain instructions that affect the processes controlled by the PLCs.

    According to the Digital Bond report, the CoDeSys runtime opens a TCP (Transmission Control Protocol) listening service that provides access to a command-line interface without the need for authentication.

    One of those PLCs was running Linux on an x86 processor while another was running Windows CE on an ARM processor.

    "We are aware of this security issue," Edwin Schwellinger, support manager at 3S-Smart Software, said Friday via email. "A patch is under development but not released. We are working with high pressure on these issues."

    The vulnerability is only exploitable by an attacker who already has access to the network where the PLC runtime operates, Schwellinger said. Runtime systems should not be accessible from the Internet unless additional protection is in place, he said.

  5. While Kaspersky's claiming... by Anonymous Coward · · Score: 1

    ...that they'll come up with something, the REAL solution has NOTHING to do with what they're talking to.

    The OS isn't just the problem. It's the SCADA applications themselves as well. Something I've pointed out on several occasions to industry and even to people at NIST on the subject- in fact, quite a few researchers have pointed this out over the last decade now. (And, all of a sudden, it's a "problem" now...sigh...)

    Kaspersky's solution WON'T fix things like they're claiming- it's just more snake oil in a field FILLED with it.

    They're more worried about having to change out things and the expenses of these deeply flawed designs they've cobbled together to manage the system components of things. The solution is to START OVER with honest security in mind instead of all of the half-assed solutions including authenticated DNP3 and the like.

  6. Old by Anonymous Coward · · Score: 0

    Old news is old

  7. Yea by Anonymous Coward · · Score: 0

    Just got a memo on "Enabling proactive facilitation of clowd services with our industrial controls offerings."

    1. Re:Yea by Anonymous Coward · · Score: 0

      I can't work out if you're Chinese and saying "crowd services" or American and saying "cloud services".

    2. Re:Yea by ColdWetDog · · Score: 3, Funny

      Actually works better if you read it as 'clown' services.

      --
      Faster! Faster! Faster would be better!
    3. Re:Yea by Anonymous Coward · · Score: 0

      That's the clowd clown. It plays with your data so much it likes to share it.

  8. Stuxnet by Anonymous Coward · · Score: 0

    The operators of the Iranian centrifuges thank these researchers for the warning.

  9. Simple solution by Anonymous Coward · · Score: 2

    Make the first episode of BSG Season 1 required viewing for "intro to computers" class.

    This is a mouse, this is a keyboard, this is why you don't jack your global defense grid into a wifi hotspot.

    1. Re:Simple solution by Opportunist · · Score: 1

      The last part will be censored. Of course, only for graphic display of violence and gruesome death.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Professionalization of software by Anonymous Coward · · Score: 1

    At what point will software engineering be professionalized like the other branches of engineering?

    Surely there are well established guidelines for securing software at this point.

    1) Create a professional society for software engineers (the SPSE, let's say) with the power to grant and revoke certificates. Assemble a blue-ribbon committee and give them 6 months to come up with membership requirements
    2) Have the SPSE adopt existing standards regarding security, stability, and whatever other categories are needed
    3) Amend the existing construction/operating permitting mechanisms by adding a requirement to use certified software engineers

    Voila, now whenever you build a factory, hospital, or other civil engineering structure that is already heavily regulated, you will be required to use certified gear, and that certified gear must now be built to a minimum industry standard.

    Other industries can then piggy-back on your new standards: the codes for banks can be rewritten, and miscellaneous unregulated industries and companies can write the requirement into their contracts.

    1. Re:Professionalization of software by Opportunist · · Score: 1, Interesting

      A nice idea in theory, but you're dealing with security. A field that reinvents itself every 3-6 months.

      Judging from the average "standardized" guideline, the moment the final draft is getting its last changes it will be outdated by about 2 generations. So you now have the choice, either be accurate and give attention to detail and be about 3-4 years behind the attackers, or be vague and spotty and have everything pass because they can somehow fudge it.

      We're not talking about approving technology where your "enemy" is physics and bugs in programs that wait for you and has no chance to strike until you employ your technology, because only then flaws in your programming or your physics will manifest. Your enemy is a human attacker who will strike today, given a chance, and who doesn't care that you need a few more years to get through approval.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Professionalization of software by Anonymous Coward · · Score: 0

      Keep deluding yourself. Did professional engineers prevent the Challenger Disaster? No? What possesses you to think that mere "professional" licensing will prevent issues?

    3. Re:Professionalization of software by Anonymous Coward · · Score: 0

      Fuzzy guidelines are better than no guidelines. And existing engineering societies have some fuzzy regs that, together, get you most of the way there:

      - Require that engineers stay abreast of changes in their field
      - Require x hours per year of training for certified engineers to help achieve that
      - All decisions an engineer signs off on must be defensible to a jury of peers.

      Together, this avoids the need to re-write detailed regs every 6 months, and puts the burden of that change on the individual engineers. And those areas of the field that are simply informed judgement calls - the art part of software design - are still covered.

    4. Re:Professionalization of software by Anonymous Coward · · Score: 3, Informative

      "Did professional engineers prevent the Challenger Disaster?"

      No, they did not. They tried like hell to prevent it, they were quite certain there was going to be an issue, because they knew the seals failed with lower temperatures, and seals had failed at temperatures not as extreme as on that day, so they were pretty certain there would be a problem and tried to stop the launch. Sadly, it was not the engineers who were ultimately responsible for that launch, but folks more worried about bad PR.

      So, what was your point?

    5. Re:Professionalization of software by interval1066 · · Score: 1
      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    6. Re:Professionalization of software by Opportunist · · Score: 1

      I like your ideas. Who's going to pay for it, though? And please don't say the engineer. Looking around in my field, even my paycheck would hardly allow me to actually stay on top of the development in security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Professionalization of software by shentino · · Score: 1

      That engineering is like every other field where the chain of command prevails.

      The guys at the top get all the goodies and glory and the guys at the bottom get stuck with the blame when shit goes wrong.

    8. Re:Professionalization of software by RobinH · · Score: 2

      I'm a P.Eng. I work in the control system industry. Most of the people who work in this industry are P.Eng.'s or certainly have an Engineering degree. Most of the ones I've met know *nothing* about computer security. These Engineers are the ones plugging PLCs directly into office networks because they're EE's. They have little to no training in computer networks (short of setting up their home routers). They have no idea what a VLAN is. They have heard the term firewall but don't really know what one does. Usually it's also EE's who are the ones writing the software (like CoDeSys) that runs on these devices (because it's embedded software and it helps to have lots of good hardware knowledge).

      The only reason I know something about computer security is because I'm very interested in it, and I really think we, as an industry, need to know this stuff. Unfortunately nobody else seems to agree with me.

      At any rate, we *are* professionals. I pay hundreds of dollars per year to maintain my P.Eng. license. I had to write law and ethics exams to get my license. I can lose my license if I don't follow industry best practices. Unfortunately the best practices *in our industry* for this kind of thing are completely inadequate. In fact, none of the stuff we're talking about here actually requires a P.Eng. to stamp the design. Sure, the *safety* system has to be stamped by a P.Eng., but anybody can plug network switches together. So no, requiring control system guys to be licensed won't help... many already are. You need to educate the professional organizations and standards organizations, and have them change the regulations.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    9. Re:Professionalization of software by fatphil · · Score: 2

      Erm, no. True engineers use metric. Anyone not using metric is by definition not a true engineer.

      I do like the sophistry in that CNN article - blaming the "English" units, rather than "Imperial" units. Nobody calls them "English" units, that's just an attempt to try to distract blame from shoddy American sloppiness.

      --
      Also FatPhil on SoylentNews, id 863
    10. Re:Professionalization of software by Anonymous Coward · · Score: 0

      Usually, course fees are paid by the employer, and dues (ca 100 per year) are paid by the employer or employee.

    11. Re:Professionalization of software by Hognoxious · · Score: 1

      The irony is that the part of the world that is most stubbornly attached to it[1] was the first to gain independence from the British Empire - after which the antiquated measurement system is named.

      [1] or rather, a half-arsed bastardised dumbed-down version of it.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    12. Re:Professionalization of software by interval1066 · · Score: 1

      Troll much, ass?

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  11. Industrial machinery is easily hackable if... by couchslug · · Score: 1

    ...you have physical access and hand tools. The ease of access in-place isn't a problem.

    Controlling access itself is the problem.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    1. Re:Industrial machinery is easily hackable if... by Anonymous Coward · · Score: 0

      You know CouchSlug, everyone else hooks up their systems to the internet and has no security problems whatsoever. I never heard of any security issues with any of them. The only one who seems to be unable to do so securely is you! Should I hire someone else?

      - Sincerely, your PHB Boss

    2. Re:Industrial machinery is easily hackable if... by RobinH · · Score: 1

      Mod parent up... they hit the nail on the head.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    3. Re:Industrial machinery is easily hackable if... by fatphil · · Score: 1

      Exactly. "Worse, many of these systems are unneccessarily connected to the Internet" is mostly bollocks. That's not the "worse", that's the whole problem. But they put MS windows on cash machines, so they'll basically do anything that seems quick and easy. I have no sympathy for any industries which invest in such hackable devices and have connected to (a network connected to) the internet. Open season - hack away!

      --
      Also FatPhil on SoylentNews, id 863
    4. Re:Industrial machinery is easily hackable if... by couchslug · · Score: 1

      If I have a PHB for a boss who pisses me off my mission is to fuck him over (being a PHB forfeits any moral obligations I'd otherwise have) so I'd document everything I'm directed to do and make slyly sure others know his every fuckup. I'd also befriend him so he didn't know what hit him.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  12. Easily hackable? by manu0601 · · Score: 1

    What we have here is a TCP port that lets you have unauthenticated shell access. In other words, this is an easy-to-find backdoor. It is so easily exploitable that I am not sure it even deserves the term "hack".

    1. Re:Easily hackable? by godrik · · Score: 1

      Nobody will ever think of doing "telnet nuclearbomb.gov 1337". That would be too simple!

    2. Re:Easily hackable? by Anonymous Coward · · Score: 0

      But it made us look stupid! Quick, make up some ludicrously inflated figures about the cost so that it's felony terrism and try to extradite some foreign loony.

  13. may need unions as well so the coders can stand by Joe_Dragon · · Score: 2

    may need unions as well so the coders can stand up to the PHB's and say that...

    That timetable is too tight

    We need more staff and the 80 hour weeks are just making us make more errors.

    We can't cut QA

    You can't hire people who can't pass the certified test but have BA/BS while passing over people who have passed the test but don't have a BA/BS.

    No, I will not add this new stuff to the code this late in the rollout; hell, we still have some big bugs in the code base to work out.

    No, I will not use that POS Best Buy special as the system that will run the PLS; hell, its PSU is a very poor one per this review of it.

  14. tell that to the PHB who said we can save my remot by Joe_Dragon · · Score: 1

    tell that to the PHB who said we can save by remoting control to some offsite place.

  15. Re:Speaking of hacks... by Anonymous Coward · · Score: 0

    I'd mod you off-topic, but seeing as you're in slashdot-superuser mode you'd just remove it.

  16. Re:Speaking of hacks... by Anonymous Coward · · Score: 0

    Same thing has happened to my account. I just thought they loved me.

  17. Industrial Manufacturing is changing by hypnobuddha · · Score: 1, Offtopic

    With the emergence of 3D Printers, rapid prototyping and the domestication/democratization of manufacturing, I don't think it's going to do so much harm. Manufacturing is undergoing a revolution. Many parts (and even burritos... Google that up to see what I mean) will be "printed out" at home. People won't give toys and dishes for Christmas, they'll gift the blueprints and some resins instead. Heavy Duty Industrial will remain somewhat the same, but not manufacturing as we think of it now.

    --
    Eyes Open Self-Hypnosis for Victory: Summon the Warrior
    1. Re:Industrial Manufacturing is changing by hypnobuddha · · Score: 1

      Using Slashdot's mobile app (which is excellent btw) but I wasn't aware I needed HTML for simple paragraph breaks.
      You'll just have to imagine them ;-)

      --
      Eyes Open Self-Hypnosis for Victory: Summon the Warrior
  18. "...unneccessarily connected to the Internet" by Anonymous Coward · · Score: 0

    "many of these systems are unneccessarily connected to the Internet, which is a terrible, terrible idea."
    Someone is finally getting it. These systems are __not__ designed to be secure. It would cause too many problems, make things needlessly complex, as well as much less robust.
    The one good thing is, the languages these things use are quite esoteric - the example given, CoDeSys, is programmed in a block diagram language. It is NOT easily understood, and if somebody uses custom blocks (as my company does) you stand even less a chance of figuring out what it does.
    CAN it be done? Well, of course. There is Stuxnet. We have learned, though, that Stuxnet was created just for one brand of SCADA system, running one brand of PLC, and using one particular type of variable-speed drive.
    And, yes, we do have customers who utilize "air-gap" security. Very successfully, too.

  19. Re: the Challenger Disaster? by dgharmon · · Score: 3, Informative

    "Did professional engineers prevent the Challenger Disaster?"

    No, nor did they cause it, what did cause the disaster was political interference, such as the decision to manufacture the solid booster rockets in another state, necessitating them being made from segments bonded together with O-rings .. ref

    --
    AccountKiller
  20. Licensing. It's all about licensing. by Anonymous Coward · · Score: 5, Interesting

    I was doing some electrical work at an oil refinery up north in Canada about 5 years ago. I wasn't specifically attached to their control systems or PLCs, though since the electrical was intertwined with a bunch of the automation I naturally knew all the guys who were taking care of that portion of the project since we were required to collaborate together.

    On one particular day, I entered the facility as usual and was heading to an unfinished section to check out some conduit. On my way there I noticed a CAT5 cable stretched across a walkway, disappearing into a stairwell. This was so incredibly absurd and suspicious that I just had to see what the hell was going on, even though something in my head told me I didn't want to know. I traced the cable back to the management office where it was plugged into one of the network switches. Okay, weird- follow it back in the opposite direction, all the way across the plant- after about 80 meters there was a hub/repeater dangling over a walkway rail plugged into the wall and another CAT5 cable stretching off into the oblivion. Following the second extension cable led me to a set of PLCs and a group of the control guys throwing vulgar insults at an Allen Bradley PLC unit.

    Turns out the PLC was a "new" model. Instead of handling the licensing through a floppy disk (!) like all the old units did, this one used some sort of a proprietary activation scheme that had to run over the friggin' internet before the PLC would actually do anything. The CAT5 cable I'd traced about 180 meters across the plant going back into the office internet connection was set up to allow this process to complete, since they had apparently failed to do it earlier when the system was OOTB but not yet hooked up.

    They eventually got it all working, but it took them about 5 hours of fiddling to get the damned thing working properly.

    Shit like that is the reason why things are hooked up to the internet, sometimes improperly. I know there's certain requirements for remote monitoring and such, and that should all be done over an isolated, encrypted VPN- but then you've got licensing bullshit like this that expects to phone home to a random server on the internet with little or no firewalling in-between. There's no reason for it otherwise- apart from the PLC guys wanting to make sure you're licensed and all paid up, god forbid anyone should buy a second hand PLC and reprogram it to do something useful again.

    -AC

    1. Re:Licensing. It's all about licensing. by Anonymous Coward · · Score: 0

      The PLC doesn't need the activation license. The development software, in this case RSLogix, does. That resides on a computer, probably a laptop. Maybe someone was providing remote support.

    2. Re:Licensing. It's all about licensing. by Anonymous Coward · · Score: 2, Insightful

      The only 1-time internet activation required on Allen Bradley equipment is the computer software (RSLogix 500/5000) to program the PLCs, AB PLCs don't need to be activated ever. (new or old).

      As a PLC/PAC guy I am a HUGE fan of Ethernet/IP. It is the best fucking thing ever and people on this thread have no clue about the security of this technology. Try difficult (servos) programming with DeviceNET. It's a fucking joke and a waste of time, old technology. We have to have access to 100's of PLCs on our network to 1 computer for data accusation for the scale weights, which gets emailed to our QA people. It's impracticable any other way.

      Steps to make Ethernet/IP secure (Allen Bradley in particular)... reminder I am an AC
      1) Keep the physical key-switch on the PLC in RUN MODE. No virus/program can write to the PLC when it is in this mode (excluding global tags/variables, so intelligent programming is required).
      2) Firewall, limiting the Ethernet location accessible to the Network; we only have 2 ports accessible in our entire plant (outside of the plant floor). Everyone else is denied. And lock those computers down to hardcore.
      3) Keep it on a separate subnet (more for speed than security)

      The only thing that scares me is Remote IO over Ethernet/IP (Flexlogix)... because it takes A FULL MINUTE to acquire/connect an IP address at startup before all the moving objects get set to their default positions. And that's more a safety than a security issue.
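
An added example, not part of the comment above: one way to check that steps 2 and 3 actually hold, by auditing firewall logs for accepted flows that cross the PLC subnet boundary. The subnet, the two workstation addresses, the log format and the sample lines are all constructed assumptions; TCP 44818 is the standard EtherNet/IP explicit-messaging port.

```python
import ipaddress

# Everything below is constructed for illustration; substitute the plant's own values.
PLC_NET = ipaddress.ip_network("10.20.0.0/24")        # the separate PLC subnet (step 3)
ALLOWED_SRC = {ipaddress.ip_address("10.10.5.11"),    # the only two machines allowed
               ipaddress.ip_address("10.10.5.12")}    # through the firewall (step 2)
ALLOWED_SERVICE = ("tcp", 44818)                      # EtherNet/IP explicit messaging

# Constructed firewall log, one flow per line: time src dst proto dport action
SAMPLE_LOG = """\
2012-10-29T08:00:01 10.10.5.11 10.20.0.15 tcp 44818 ACCEPT
2012-10-29T08:00:07 10.10.7.40 10.20.0.15 tcp 44818 DENY
2012-10-29T08:01:12 10.10.7.40 10.20.0.15 tcp 44818 ACCEPT
2012-10-29T08:02:30 10.20.0.15 203.0.113.9 tcp 443 ACCEPT
2012-10-29T08:03:02 10.10.5.12 10.20.0.22 tcp 80 ACCEPT
2012-10-29T08:03:44 10.20.0.15 10.20.0.22 udp 2222 ACCEPT
garbled line
"""


def audit(log_text):
    """Return (line number, finding, raw line) for every accepted flow that breaks policy."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        try:
            _ts, src, dst, proto, dport, action = fields
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            service = (proto.lower(), int(dport))
        except ValueError:
            # Report rather than skip: a changed log format must not hide traffic.
            findings.append((lineno, "unparsed", line))
            continue
        if action != "ACCEPT":
            continue                                   # the firewall already dropped it
        src_in, dst_in = src_ip in PLC_NET, dst_ip in PLC_NET
        if src_in and dst_in:
            continue                                   # controller-to-controller traffic
        if src_in:
            # A controller talking to anything outside its subnet, Internet included.
            findings.append((lineno, "plc-egress", line))
        elif dst_in and src_ip not in ALLOWED_SRC:
            # "Everyone else is denied" did not hold for this flow.
            findings.append((lineno, "unlisted-source", line))
        elif dst_in and service != ALLOWED_SERVICE:
            # Allowed workstation, but reaching a service other than EtherNet/IP.
            findings.append((lineno, "unexpected-service", line))
    return findings


if __name__ == "__main__":
    for lineno, kind, raw in audit(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {raw}")
```

Restricting the two workstations to a single service is an extra assumption of this example; the comment only states that all other hosts are denied.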

    3. Re:Licensing. It's all about licensing. by inasity_rules · · Score: 1

      I have found DeviceNET a pleasure to work with. Omron do it extremely well, and it is very easy to use. It is also sufficiently fast for most applications. My biggest hassle was connecting a Toshiba PLC to an Omron SliceIO system. Once it was working though, it worked exceptionally well. I'd much rather work with DeviceNET than ethercat or any of the other systems.

      --
      I have determined that my sig is indeterminate.
    4. Re:Licensing. It's all about licensing. by Anonymous Coward · · Score: 0

      I have to ask. Why not just courier flash drives and put this needless step to rest. If you are a high profile target you have to assume that the entire world has their own IT dept with their own objectives. PLCs that control large scale operations can cause damage to both the employees physically as well as the company as a whole. Just courier out an encrypted usb drive and make sure you hand out in person the operation instructions at the training sessions that concern those instructions.

      It always seemed to me that connecting anything that is really this important (Security, Monetary, etc) systems to the internet at *anytime* is akin to having a top secret meeting at the local Starbucks during a morning rush. We can move a small box across the globe in just over 24hrs, why not just spring for it?

    5. Re:Licensing. It's all about licensing. by Anonymous Coward · · Score: 0

      "data accusation"? I hope you don't write that way in work emails.

    6. Re:Licensing. It's all about licensing. by Anonymous Coward · · Score: 0

      LMAO, flash drives makes this safer!!!!!

  21. no need for internet connectivity by __aaacoe2998 · · Score: 2

    I've said it before, and I'll say it again: What possible reason could industry have to put controls networks on the internet? I can understand putting some type of reporting on the internet, so the bigwigs can keep track of up to the minute production. *disclaimer: I am an industrial electrician. I work on industrial controls in a sawmill. The day a production foreman asks us to give him control of machinery over the internet is the day I find a new industry.

    1. Re:no need for internet connectivity by thebigmacd · · Score: 2

      This is very common in the HVAC industry. Customers want to be able to check on their building on their smart phone at home over the weekend. Even without that requirement, the systems get put on the local intranet with everything else because the customer will not provide a separate network nor allow us to add our own. Very few of our customers put HVAC controls on separate VLANs with no access to the Internet.

    2. Re:no need for internet connectivity by Jimbookis · · Score: 2

      Yah well I have a solution... make them (the managers) utterly aware of the situation and risks in writing so they can't disavow any knowledge when it goes haywire. As an aside the engineer in me says if you want to monitor the state of a HVAC or any control system, keep the control and internet connected networks separate and using a data diode (http://en.wikipedia.org/wiki/Unidirectional_network) spit out some self contained UDP data with system state information but not allowing any control signals of any kind back into that more secure network.
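
An added example, not part of the comment above: a sketch of the "self contained UDP data" a diode link needs. Because nothing can travel back, every datagram carries a full state snapshot, a sequence number so the receiver can count losses instead of asking for resends, and an HMAC tag. The frame layout, the pre-shared key and the HVAC field names are assumptions made for this illustration, and loopback stands in for the diode hardware.

```python
import hashlib
import hmac
import json
import socket
import struct
import time

MAGIC = b"DIOD"                      # constructed frame marker
HEADER = struct.Struct(">4sIQH")     # magic, sequence, unix time (ms), payload length
TAG_LEN = 32                         # HMAC-SHA256 output size
MAX_PAYLOAD = 1200                   # stay under a typical MTU: one lost fragment loses the frame


def encode_frame(seq, state, key, now_ms=None):
    """Build one self-contained datagram carrying a full state snapshot."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("snapshot too large for a single datagram")
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    body = HEADER.pack(MAGIC, seq & 0xFFFFFFFF, now_ms, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decode_frame(datagram, key):
    """Validate and parse a datagram; raise ValueError on anything malformed."""
    if len(datagram) < HEADER.size + TAG_LEN:
        raise ValueError("short frame")
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad authentication tag")
    magic, seq, ts_ms, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise ValueError("bad header")
    return seq, ts_ms, json.loads(body[HEADER.size:])


class DiodeReceiver:
    """Low-side consumer. It can only listen, so it tracks loss instead of requesting resends."""

    def __init__(self, key):
        self.key = key
        self.last_seq = None
        self.lost = 0        # frames that never arrived
        self.rejected = 0    # malformed, forged, replayed or reordered frames
        self.state = None    # most recent accepted snapshot

    def feed(self, datagram):
        """Process one datagram; return True if it updated the displayed state."""
        try:
            seq, _ts_ms, state = decode_frame(datagram, self.key)
        except ValueError:
            self.rejected += 1
            return False
        if self.last_seq is not None:
            if seq <= self.last_seq:          # stale: replayed or reordered
                self.rejected += 1
                return False
            self.lost += seq - self.last_seq - 1
        self.last_seq = seq
        self.state = state
        return True


def publish(sock, dest, seq, state, key):
    """High-side sender: sendto() only, never recv(). The diode enforces the direction."""
    sock.sendto(encode_frame(seq, state, key), dest)


if __name__ == "__main__":
    key = b"constructed-demo-key"             # assumption: key provisioned out of band
    rx_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx_sock.bind(("127.0.0.1", 0))            # loopback stands in for the diode link
    rx_sock.settimeout(1.0)
    tx_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx = DiodeReceiver(key)
    for seq, temp in enumerate([21.5, 21.7, 22.0]):      # constructed HVAC readings
        publish(tx_sock, rx_sock.getsockname(), seq, {"zone1_temp_c": temp, "fan": "on"}, key)
        rx.feed(rx_sock.recv(2048))
    print(rx.state, "lost:", rx.lost, "rejected:", rx.rejected)
```

The software only shapes the traffic; the one-way guarantee itself comes from the diode hardware between the two networks.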

    3. Re:no need for internet connectivity by murder_face · · Score: 1

      I have seen this first hand with HVAC. I worked on a Walmart in Orange County California and the HVAC guys were having some problems with the EMS controls, instead of just being able to make the adjustments themselves they had to call Bentonville Arkansas and ask the guys there to make a few minor adjustments.

    4. Re:no need for internet connectivity by gman003 · · Score: 3, Insightful

      My father works in an industry that uses a lot of PLCs and such. This is what he's told me:

      Quite often, even though the PLCs run on their own locked-down OS, the console to manage it is just a standard Windows desktop. Kind of logical - it's just to display what's going on, maybe issue manual commands, but it doesn't "run" the system. And they're *designed* to be connected only to the LAN, not have any physical connection to the Internet. But quite often, he comes into an installation site and sees that they've plugged that desktop into the Internet, just because it had a port for it (or so the techs monitoring it 24/7 can relieve the boredom, against all procedure). So they end up connected to the internet just because the off-the-shelf desktop the blinking-lights-display runs on has an Ethernet port.

      He's also told me pretty much everyone keeps the default password. Three fucking characters.

      Would it terrify you to know that many of the sites he works at are power plants, both coal and nuclear? He doesn't touch the "functional" parts, but it still says bad things about their approach to security.

    5. Re:no need for internet connectivity by Billly+Gates · · Score: 1

      In writing? Jim Books? Everyone else has them accessible on their ipads and iphones and I never hear about any security problem. The only one who has a problem doing this securely over the internet is you! If you are not capable of doing the job do I need to find someone who will do it securely? As a PHB I need up to date information in a modern way like everyone else.

      Sincerely your PHB

      On a more serious note we need to wait for a terrorist attack like what Iran is planning and a possible nuclear power plant meltdown. Only then will the PHBs be convinced it is a bad practice and laws against this will take place sadly. When money talks shit walks and it always wins every time until proven it is a bad idea later.

    6. Re:no need for internet connectivity by inasity_rules · · Score: 2

      Ask him about the horror of OPC and DCOM. As a result of those two abominations most people just disable all security and add "Everyone" to all the lists in order to just get the damn thing working in a reasonable amount of time.

      --
      I have determined that my sig is indeterminate.
    7. Re:no need for internet connectivity by shentino · · Score: 1

      And sadly the PHB will have walked away with a big fat bonus long before his short sighted mandates have left a steaming mess for IT to get stuck with being blamed for.

      Just part of being above the peons in the food chain, you get to eat the goodies and everyone below you has to take your shit.

    8. Re:no need for internet connectivity by Anonymous Coward · · Score: 0

      ..I see no problem in relaying factory data to the phone. Just lock it down so that it is single-purpose and it becomes read-only outside the factory GPS coordinates or if GPS does not yield coordinates. Of course that would cease to be a "smart phone".

      Certainly, put a strong password on it and lock it forever after three bad password attempts.

    9. Re:no need for internet connectivity by Anonymous Coward · · Score: 0

      ...and by reasonable, I would guess you mean before the end of time. Nothing makes me back away faster than networked OPC on an IT managed network. Even if you get it working today, some combination of policy and updates will break it next Tuesday.

    10. Re:no need for internet connectivity by inasity_rules · · Score: 1

      OPC UA promises to fix all of this, but nobody is implementing it...

      --
      I have determined that my sig is indeterminate.
    11. Re:no need for internet connectivity by omglolbah · · Score: 1

      DCOM is the spawn of satan.... ugh

    12. Re:no need for internet connectivity by thegarbz · · Score: 1

      He is unfortunately right, but it's skirting around the larger issue.

      Humans are absolute geniuses when they act like fools. You can't regulate away boredom and idiocy. It's one thing to say, don't plug in USB sticks here it's against company rules, and it's quite another to leave a person alone unsupervised on nightshift with the piece of equipment. I kid you not we had one operator show us triumphantly how he managed to play a movie on the monitor screen of a gas chromatograph analyser, which happened to run windows underneath its interface. We had another interesting call to fix an ultrasonic flow instrument that was reading funny. Turns out the electronics had been set up with a pipe dimension 8m wide rather than the 200mm. What happened was some operator was trying to sleep, and this unit which was showing an error was beeping at him. So he just started pushing random buttons to try and silence it, which he managed to do quite successfully at the expense of a working instrument.

      To get around these problems you must remove the temptation and to do that the easiest way is to help people be the idiots they want to be. There's a reason that we have a stock standard PC next to every operator station where I work. This PC is internet connected, has USB ports out the wazoo, and the operators generally spend their boredom surfing youtube and watching videos on this expendable PC.

    13. Re:no need for internet connectivity by thebigmacd · · Score: 1

      They want to be able to change setpoints to make people happy...without going in to work. I agree, data diode is a great idea...when you don't need to interact with the system.

  22. the PHB's over redid there issues. by Joe_Dragon · · Score: 1

    the PHB's over redid there issues.

  23. why no dongles? by Joe_Dragon · · Score: 1

    That seams like a good way and they can be hard to copy as well.

    1. Re:why no dongles? by Billly+Gates · · Score: 1

      Because God forbid someone would sell them used and deny megacorp profits!

      This way everyone is forced to buy new only as if you used a dongle then someone could sell them. Can you imagine how much the car companies would love to make buying used cars illegal?

    2. Re:why no dongles? by Anonymous Coward · · Score: 0

      "seams"?

  24. Soon pinball games will have WIFI and PC's dirvein by Anonymous Coward · · Score: 0

    Soon pinball games will have WIFI and PC's driving them.

    Just think of the fun some can do by hacking one and they better not put Windows on the PCs. At least Linux is safer but they still need to update the OS so hackers can use a hole to get into the system and better be a good watch dog system so some can lock a coil on and maybe start a fire.

  25. No shit by Anonymous Coward · · Score: 0

    And an "air gap" is not exactly the answer because that will fail in a lot of cases too.

    Good luck

    1. Re:No shit by Hognoxious · · Score: 1

      I've seen air gaps cause problems, especially when they're between the user's ears.

      Of course one solution is to install another air gap between the eyes, but this is generally frowned upon by both HR and the janitors.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  26. Re:Just an Iranian terrorist attack by Billly+Gates · · Score: 2

    Sadly no one will listen until something bad happens.

    If you told someone pre-2009 about the need for financial regulations and the upcoming collapse people would call you a communist and a liberal! Peter Schiff did just that and was laughed at before he earned fame when the Great Financial Collapse hit.

    Same is true with nuclear powerplants after Fukushima, airport security after 9-11, and same after the space shuttle Challenger exploded, IE 6 security after code red. Money talks and shit walks. Only when deemed necessary does something change.

    Right now sadly we might be without power or worse another nuclear powerplant meltdown here in the US caused by Iran before anything gets done. Not unions or professional software organizations or even licensing.

    People hate change and especially MBA PHBs who never have heard of a single internet security attack on a PLC piece of equipment. If you can't do it MR. Slashdotter reading this then someone else will since it is never a problem.... therefore it is perfectly secure etc.

    I mean they hated upgrading browsers too until IE 6 was shown a risk and they still love XP despite it. Why? Money. Until it becomes a liability and laws come into effect and PHBs shit their pants the problem will not be solved.

  27. Re:Speaking of hacks... by Anonymous Coward · · Score: 0

    Not just you - I'm god here too now.

  28. Re:Speaking of hacks... by ColdWetDog · · Score: 1

    Well then, the Gods Must Be Crazy.

    (Actually it happened to me earlier this week. I think it's Obama's fault.)

    --
    Faster! Faster! Faster would be better!
  29. Re:Speaking of hacks... by Anonymous Coward · · Score: 0

    Did you accidentally log in to the Microsoft account?

  30. It's more about lack of knowledge by WebCowboy · · Score: 5, Informative

    The CAT5 cable I'd traced about 180 meters across the plant going back into the office internet connection was setup to allow this process to complete, since they had apparently failed to do it earlier when the system was OOTB but not yet hooked up.

    Assuming it was all Rockwell/Allen+Bradley gear then it was undoubtedly the FactoryTalk Activation system they were struggling with, and they were undoubtedly unqualified to be doing the work they were assigned to do (disclosure: I am a former Rockwell Automation employee so I have familiarity with the subject, but apart from that I do not speak on behalf of any employer past or present here).

    First and foremost, Allen+Bradley(AB) PLCs don't need activations, so the licensing really isn't relevant to this story. AB makes a crap-pile of profit on that hardware the moment they've sold you the box--activation makes no sense. What DOES need to be activated (and is what creates profit for the Rockwell Software division) is the RSLogix programming software, without which the PLC is as useful as a doorstop. So unless they were completely clueless they'd have just taken their laptop into the office and activated their software then come back, rather than break all sorts of IT, security and safety rules stringing out 180m of CAT5 and a spare switch to get internet. The same goes for their drives--the drive units don't need activating but DriveTools software on the programming laptop may have.

    That said, there may have been an industrial PC like a VersaView or third-party unit running the Rockwell HMI software and was bolted into the cabinet with un-activated software for some reason, but Rockwell/AB have thought of that...

    The legacy licensing system used utility software called "EVMove" and relied on "master disks" (towards the end you could set up a USB flash drive) and in the field this was a royal pain in the ass--floppies and their drives are far too sensitive for such an environment, and USB memory sticks are terrible to manage and secure. Thus the development of the FactoryTalk Activation internet service-based scheme. Though it requires the internet the end system does not need to be connected to activate. The easy "wizard" way sends a "host ID" (the ethernet MAC address or some such number) from the end device to Rockwell via the internet. However, you can actually write down the MAC address, or generate the hostID file on the target machine, then go to an internet-connected computer and type the hostID into a secure web form or upload the hostID file. The website then generates a license file that you can save to removable media or a laptop/portable machine to take over to the target machine physically, thus preserving the air gap (and making the method more similar to the old EVMove floppy method).

    I do agree that licensing/DRM/activation is a big problem that costs end users millions of dollars globally (above and beyond the actual purchase cost of the products). It adds complication and downtime and confusion and contributes exactly zero value to its users. One might argue about its value to the vendor as well--FactoryTalk activation and many other similar schemes are just as trivial to circumvent as CoDeSys' ladder logic runtime for hackers, and adds the burden of extra support costs from the honest users it keeps honest. But the problem in industrial automation is bigger than that. The problem is that the world in general moves faster than industrial control systems can keep up, and the people who have "experience" honed their skills in the mid 1990s or earlier and haven't kept up. In the meantime, PHBs of the world in management and government demand of them far more than they are capable of delivering.

    It used to be that refineries/factories/etc were content with paper chart recorders where operators and plant managers could peruse them if something came up to troubleshoot. Then came data recorders where you could plug in a serial cable or transfer via floppy to a computer for more deta

    1. Re:It's more about lack of knowledge by inasity_rules · · Score: 2

      You are correct sir. We have never had to connect any PLC to the internet, and we deal with almost all manufacturers. Rockwell's horrible licensing scheme is why we don't use them so much. Other PLC manufacturers give SIs their software cheaply because that sells lots of hardware that way. Not Rockwell. I suppose it is better than Toshiba's "free" software (which I think was last updated in the 90s), but come on, don't Rockwell want to sell hardware? Even the evil Siemens practically fell over themselves trying to sell us their software, with demo versions and SI discounts. And the software from other manufacturers normally lasts more than a year before bombing out. Rockwell are near impossible to deal with for a small SI.

      We normally try to get around the security issue (when an air gap is unpractical) by having a separate control network with one PC on both networks. This isn't the best of solutions, but it is probably the most practical we've come up with.

      --
      I have determined that my sig is indeterminate.
    2. Re:It's more about lack of knowledge by Anonymous Coward · · Score: 0

      I have come up with a slightly better solution... you can put a firewall (possibly using NAT) between the industrial network and the office network. Disallow all incoming connections, and monitor for all other weird stuff on the outbound connections. Then on your data collection server you run a service that listens to incoming connections from the PLC. Then write ladder logic code in the PLC that collects important events in a queue and sends data collection info to that server. I've done it with PLCs from two different vendors. Firewalls are just better devices to separate 2 networks than a PC with 2 network cards. Another option is to use some kind of Data Diode, etc., but that gets more expensive.
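The push-only policy described in the comment above, written out as an added example (not the commenter's code) that classifies new-connection records seen at the boundary firewall. The subnet, collector address, port and flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter

CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")  # assumed industrial subnet
COLLECTOR = ipaddress.ip_address("192.168.5.20")    # assumed data collection server
COLLECTOR_PORT = 5020                               # assumed listener port

# Constructed records of new connections: "src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.10.0.11 192.168.5.20 5020 tcp
192.168.5.77 10.10.0.11 502 tcp
10.10.0.12 192.168.5.20 5020 tcp
10.10.0.12 203.0.113.9 443 tcp
10.10.0.11 192.168.5.20 3389 tcp
192.168.5.20 10.10.0.12 44818 tcp
"""


def classify(record):
    """Return (verdict, reason) for one new-connection record."""
    src, dst, dport, proto = record.split()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in CONTROL_NET and src not in CONTROL_NET:
        # Even the collector may not connect back: the PLC always initiates.
        return "DROP", "inbound connection to control network"
    if src in CONTROL_NET and dst not in CONTROL_NET:
        if dst != COLLECTOR:
            return "ALERT", "outbound to unexpected host"
        if (int(dport), proto) != (COLLECTOR_PORT, "tcp"):
            return "ALERT", "outbound to collector on unexpected service"
        return "ALLOW", "PLC event push"
    return "IGNORE", "does not cross the boundary"


def review(flows):
    """Classify every record; return the verdict list and alert counts."""
    verdicts, alerts = [], Counter()
    for record in flows.splitlines():
        verdict, reason = classify(record)
        verdicts.append(verdict)
        if verdict == "ALERT":
            # Key alerts by source device so a misbehaving PLC stands out.
            alerts[(record.split()[0], reason)] += 1
    return verdicts, dict(alerts)
```
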

  31. Car analogies are passe so here is a sex analogy. by WebCowboy · · Score: 2

    Preaching that automation systems be kept off the internet is like preaching abstinence until marriage to teens. It sounds like the logical solution to all the problems but it is unreasonable to ever expect it to happen, so the best course of action is to educate on how to do it safely and responsibly.

    There are many valid reasons that automation systems are connected to the internet in some fashion (though they never need direct internet access). Some of those reasons relate to not breaking the law.

    In industries like oil and gas, regulators require data to be collected 24/7/365 on all critical aspects of an operation. If an environmental or safety incident were to happen and such data was not available for scrutiny it could lead to the permanent closure of that operation in extreme cases. Lack of due diligence in such matters can mean huge monetary fines and even jail time for wilful violations.

    As such, in those operations a "process historian" server is standard equipment. These are central data logging servers that have essentially full read-only access to the industrial control system, and even some limited write access too (say, to assert a bit in a PLC to confirm it has received data, or to reset a totaliser or set a new batch number). Because of how vital the data is, there has to be some way to get the data off-site for archival and reporting purposes, and because of the volume of data and the immediacy that is demanded removable media is not an option. Thus these systems end up with some means of corporate network access. This does NOT mean they need "direct internet" access, but very commonly it means tunnelling through public/internet infrastructure via VPN (the "condom" if you will). Though technological measures can be taken to make this route into the plant impenetrable, it is complex enough to set up that people make mistakes and thus you end up with "holes in the condom".

    The other use for outside connectivity relates to support from off-site engineers, vendors and operators. A control system can be set up to report critical alarm conditions to smartphones, email inboxes and the like automatically with much more rapidness than a human operator at the board can do. The more rapid response to a critical incident the less likelihood for loss of revenue, damage to equipment, and injury or death of workers (again, in the case of "sour sites"--those that deal with natural gas containing deadly H2S, rapid response is vital to evacuate the facility and surrounding area and some of these are required by law).

    So "preaching abstinence" in the complete absence of "sex education" is a bad idea. It is ineffective to say "disconnect from the internet" and not say how you can manage network security safely and responsibly, because at some point these people will be pressured into doing it and need to be able to "say no" if they aren't ready, and to know when and why it is "the right time", because if you DO use that internet connection responsibly it can actually be a great experience ;-)

  32. Re:Just an Iranian terrorist attack by Opportunist · · Score: 3, Insightful

    Necessity is the mother of invention. That, or an article in the business newspaper your boss reads.

    My solution to that problem was simply to subscribe to the same magazines my boss reads, peruse them for articles supporting my case and getting him to read it. Not only will he listen to them more than to you, he'll also think that you read "relevant" magazines and start listening to you, at least from time to time.

    I know it's silly. Hey, it's management!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  33. Slight plug here, and I told you so. by bytesex · · Score: 1

    We've been saying this for years, but then again - our company makes data diodes.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:Slight plug here, and I told you so. by omglolbah · · Score: 1

      Try this on for size.....

      3rd party logging vendor is given permission to run their logging servers on the secure network.
      They require 5 open ports (7777, 25xxx) open both ways in the firewall.
      They use ping to verify redundancy of hosts (derp...) so pinging through the firewall for all hosts has to be enabled/accepted.
      Their logging software can be fully configured and modified from outside the firewall. They use simple tcp sockets with no encryption to send their management commands... like starting and stopping windows services.

      This was accepted and verified by the IT security staff of a major oil company recently.
      Even after it was demonstrated that it was close to trivial to perform denial of service attacks on the system with the now open ports and their badly written software....

      You can build a perfect system, but when nobody in management knows or cares... you're screwed either way...
      All I can do is get a ton of paperwork showing that we think it is a horrible idea to do it this way, provide an option which is a hell of a lot more secure (but rejected by the customer) and cover my/our asses in all ways possible...
      Because sooner or later shit hits the fan...

  34. Re:Just an Iranian terrorist attack by bbelt16ag · · Score: 1

    isn't this why we have think tanks though? people who think up the worst possible scenario? then they find a way to fix it? you could even make it like a Reddit for professionals, who can post ideas and up vote them? en-mass idea generator... ?

    --
    NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
  35. Different worlds between Office and SCADA environm by Anonymous Coward · · Score: 0

    The industrial world with PLC's and SCADA equipment is totally different than what we have in our offices.
    That is often hard to believe, but the industrial world is still 10 years behind on IT. And with a good reason.
    Current systems simply do guarantee the response time needed for a lot of process control situations.
    Imagine what would happen if your pressure control value would suddenly decide that it is time for a virus scan, or then it wants to reboot because Microsoft has issued a bugfix for the office environment that is nowhere found on the pc, but still it has the checkbox 'reboot' marked in the installer.
    Every update is a nightmare for these environments because it needs to be checked and checked again before it can be taken into production. When it's into production it cannot be changed so fast as more processes are 24/7 running. There are even chemical processes that take days to startup. No late night server reboots for these guys.
    This mixture makes it very hard to evolve the overall IT environment as they need systems without bugs and we are all so very used to live with buggy software.
     

  36. What's Your Point ? by Anonymous Coward · · Score: 0

    We all know the PLCs themselves are insecure as hell. That does not mean you have to expose that insecurity to an intranet or (god beware) the internet. Hook all those shitty little controllers to Linux or BSD machines. Then set up a Virtual Private Network using IPSEC on Linux/BSD. If you need Windows-based control GUIs, hook them into the secure VPN, too. Don't connect the Windows crapola to the intranet. I am not sure you know this, but proper secure VPNs are secured against man in the middle. Of course, you must physically protect all the hardware and the cabling between PLC and Linux boxes. The cables between the Linux machines are secure courtesy of the secure VPN.

    Certainly you have to interface to the guys in R&D, sales, marketing and so on. They might want to describe custom chemical mixtures by means of an Excel file and that information has to be somehow communicated to the PLCs. DO NOT bring the Excel shit into the secure VPN. At least not in the "microsoft way" by starting an Excel process to parse (and execute if it contains macros) the file. Instead, use the xlsx format, unpack the ZIP and then parse the xml files to get the bespoke chemical mixture parameters. That can be done on the Linux machines, no Macrosuck software required at all.

    All the tools are there, all the experts are there; they are just ignored/not hired by the MBA CRAP.

    1. Re:What's Your Point ? by Anonymous Coward · · Score: 0

      You kind of missed the point, sir. (But then, so many Anon Cowards...they don't get it. I'm posting anon because I work in this field...you on the other hand...)

      The whole concept needs re-done. Security is designed in from the start, not slapped on top of something. If they're insecure, you need an airgapped system- which we all know NEVER HAPPENS.

      That having been said, the GP poster implied that validated software was the solution. Which, sadly, it's not.

  37. Plus by Anonymous Coward · · Score: 0

    ..don't forget to check the sanity of the Excel file. All parameters should be bounds-checked and in many cases you need to do more complicated checks to ensure your plant does not "accidentally" make explosives because the idiots in sales have fucked up or their computers have been hacked. But that knowledge should firmly exist in your company or you are 100% screwed.
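The approach from comments 36 and 37 (unpack the xlsx ZIP, parse the XML without Excel, then bounds-check every parameter), shown as an added example that is not code from either poster. The sheet layout (names in column A, numbers in column B), the parameter names, the limits and the sample workbook are all constructed assumptions.

```python
import io
import math
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
MAX_PART_BYTES = 1_000_000  # assumed cap on each decompressed XML part

# Hypothetical recipe limits in percent: parameter -> (low, high).
LIMITS = {"water_pct": (50.0, 95.0), "solvent_pct": (0.0, 40.0),
          "oxidizer_pct": (0.0, 5.0)}


class RecipeError(ValueError):
    """The workbook is malformed or describes a recipe outside the limits."""


def _read_part(zf, name):
    """Return one XML part as an element, with size and DTD checks."""
    if name not in zf.namelist():
        raise RecipeError(f"missing part {name}")
    with zf.open(name) as fh:
        data = fh.read(MAX_PART_BYTES + 1)  # bounded read defeats zip bombs
    if len(data) > MAX_PART_BYTES:
        raise RecipeError(f"{name} is too large")
    # No legitimate worksheet needs a DTD; NUL bytes would mean UTF-16/32,
    # which could hide one from the byte search below.
    if b"\x00" in data or b"<!DOCTYPE" in data:
        raise RecipeError(f"{name} contains a DTD or unexpected encoding")
    try:
        return ET.fromstring(data)
    except ET.ParseError as exc:
        raise RecipeError(f"{name} is not well-formed XML") from exc


def parse_recipe(xlsx_bytes):
    """Extract {parameter: value} from sheet1 and validate it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(xlsx_bytes))
    except zipfile.BadZipFile as exc:
        raise RecipeError("not a ZIP container") from exc
    with zf:
        if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
            raise RecipeError("macro-enabled workbook rejected")
        sst = _read_part(zf, "xl/sharedStrings.xml")
        sheet = _read_part(zf, "xl/worksheets/sheet1.xml")
    strings = [si.findtext("m:t", "", NS) for si in sst.findall("m:si", NS)]
    recipe = {}
    for row in sheet.iterfind("m:sheetData/m:row", NS):
        cells = {c.get("r", "").rstrip("0123456789"): c
                 for c in row.findall("m:c", NS)}
        a, b = cells.get("A"), cells.get("B")
        if a is None or b is None or a.get("t") != "s" or b.get("t", "n") != "n":
            raise RecipeError("row is not <shared string, number>")
        try:
            idx = int(a.findtext("m:v", "", NS))
            value = float(b.findtext("m:v", "", NS))
            name = strings[idx] if idx >= 0 else None
        except (ValueError, IndexError) as exc:
            raise RecipeError("unreadable cell value") from exc
        if name not in LIMITS or name in recipe:
            raise RecipeError(f"unknown or duplicate parameter {name!r}")
        low, high = LIMITS[name]
        if not math.isfinite(value) or not low <= value <= high:
            raise RecipeError(f"{name}={value} outside [{low}, {high}]")
        recipe[name] = value
    # Cross-field check: every parameter present and the mixture adds up.
    if set(recipe) != set(LIMITS) or abs(sum(recipe.values()) - 100.0) > 0.01:
        raise RecipeError("recipe incomplete or does not sum to 100 %")
    return recipe


def build_sample(rows, prolog=""):
    """Build a constructed minimal workbook; prolog is prepended to sheet1."""
    sst = "".join(f"<si><t>{name}</t></si>" for name, _ in rows)
    body = "".join(
        f'<row r="{i}"><c r="A{i}" t="s"><v>{i - 1}</v></c>'
        f'<c r="B{i}"><v>{val}</v></c></row>'
        for i, (_, val) in enumerate(rows, 1))
    ns, buf = NS["m"], io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", f'<sst xmlns="{ns}">{sst}</sst>')
        zf.writestr("xl/worksheets/sheet1.xml",
                    f'{prolog}<worksheet xmlns="{ns}"><sheetData>{body}'
                    f'</sheetData></worksheet>')
    return buf.getvalue()
```

Only the validated dictionary returned by `parse_recipe` would be passed on toward the control side; the workbook itself never crosses the boundary.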

  38. So You Are Saying by Anonymous Coward · · Score: 0

    ..electricians are too stupid to look up passwords in a little red book ?

  39. No Need For Physically Separate Networks by Anonymous Coward · · Score: 0

    Only the PLC crap and their legacy Windows crap need to be physically separate. Linux and BSD can happily route secure traffic over insecure networks, including the internet. It is called IPSEC.

    http://en.wikipedia.org/wiki/IPsec

    All the tools are out there, they are free except for the expertise to set them up properly.

    Regarding your argument that "passwords will be forgotten" - that is insane bullcrap. If a company cannot maintain a list of their passwords in a fucking little book, their plant should be forcibly shut down by the government.

    1. Re:No Need For Physically Separate Networks by inasity_rules · · Score: 1

      "Passwords will be forgotten". I don't recall saying that. Perhaps let me spell it out for you AC. The password may never have been given in the first place. A common despicable tactic by some less scrupulous vendors and SIs.

      As for "Linux will fix it", we know about that, and sometimes use it. However, there are other very good reasons for having your control network physically separate apart from security. Network load and response times spring to mind. But then Slashdot's default "throw linux at it and your problems will magically go away" response is hardly surprising.

      --
      I have determined that my sig is indeterminate.
    2. Re:No Need For Physically Separate Networks by Anonymous Coward · · Score: 0

      Of course you cannot expect a shared network to have any realtime capabilities. If you need soft-realtime, get a dedicated ethernet-based network and if you need hard-realtime, better get something especially designed for that purpose. Internet Protocol won't cut it. Also the typical ethernet router has no realtime assurances whatsoever and tacking on something such as Token Passing on the software level is still fishy.

      But if "Security" is the only issue then indeed the Free Software World has much better tools than the Slimy Corporate Business World. You cannot trust cryptography you cannot look into. You cannot trust an OS kernel you cannot look into. You cannot trust a PLC you cannot look into. These corporations/companies have conclusively proven to be purveyors of dangerous stuff. Why the heck do they need an unsecured TCP port ??? Malice ? Incompetence ? Government ?

      So hell, yeah, lock that shit behind BSD or Linux because you cannot trust it. Sorry to offend your skillset or your "nice business partners".

      Regarding passwords - why don't PLC users require all passwords to be delivered when handing over a system ? Because PLC users are run by fat, lazy and ignorant scum who call themselves "leaders".

    3. Re:No Need For Physically Separate Networks by inasity_rules · · Score: 2

      Ethernet is actually good enough for a number of things if and only if the network is unloaded. Reading values from a Modbus based protection relay for example. The values are not critical and even if the network fails the protection relay will still trip, but they are useful values to have and mean someone doesn't have to keep walking into the substation to look at them. I can think of a number of other such use cases where ethernet/ip is more than good enough. For remote IO, I would use something better, like DeviceNET (RS485, basically). But even then, some remote ethernet IO is also good enough. It depends entirely on your use case. One size does not fit all. I am quite aware of the limitations of ethernet IP, and a lot of systems use the same physical layer as ethernet, but make special hubs (remember those?) mandatory instead of switches. I believe ethercat is one such system if you must know. In general ethernet IP is more than sufficient for any SCADA system (with a few exceptions). Time critical stuff should always be done in the (far more reliable) PLC not the (inherently suspect) SCADA system. But that is standard practice. Mostly. I have seen some horrible systems....

      My skillset includes setting up linux security as well as programming PLCs and setting up windows security. I run various OS systems in industrial environments. But it is obvious you have never really worked with these systems? Your ideals are nice, but the real world called and wants to know if you'd like to meet for coffee sometime.

      When people buy a machine they buy a machine. They don't think about the password because they bought a machine and they need no password to operate it. The salesman comes in and gives his spiel, and then they buy it. The SI or manufacturer password protects the PLC to protect his "IP" and that is that. It is annoying, yes, but I am more inclined to blame the SI/manufacturer than the customer. The customer's skillset does not include programming the PLC and if the system is made right, it should not have to. That is the point of the entire system - so that the customer does not have to worry about it. That is what sells. That is how it is, and how it works, and it is unlikely to change.

      --
      I have determined that my sig is indeterminate.
  40. Hmmm, Whatabout the PHBs ? by Anonymous Coward · · Score: 0

    You The Engineer will be between a rock and a hard place because the PHBs will demand lots of insane ("need excel run a marketing-supplied macro to control process") things while the "SPSE" will later get you for violating some insane rules ("all machines must run virus scanners").

    Better leave it as it is; wait and see until a refinery blows up spectacularly ( I am banking on the Iranians to do that as revenge). Or better, let them test the efficacy of a reactor containment vessel after cyber attack.

    Our politicians and leaders are corrupt ignorants who are 100% capable of manipulating the sheeple, but they don't have and don't want a clue about technology. That is all "geek stuff" and they want to play angry birds instead of learning anything "hard". Compare that to the Chinese Politbureau, which is stuffed full with engineers and they apparently manage to kill the "social science" turkey that is the western world leadership - one cheap excavator, one cheap telephone at a time.

  41. Oh Really ? by Anonymous Coward · · Score: 0

    Haji has a crap education, while John got a proper one from an American or European university. But I agree we don't need unions - see what they did to GM. We need to switch jobs if we don't like a boss or a company. If you need to work more than 40hours per week on a regular basis, there is something wrong and you need to switch. So simple.

    And no, John is not the self-trained idiot who calls himself "C# programmer". He got a BS or an MS in Computer Science, he loves what he does and he researches things he is interested in thoroughly. He is an "Expert" or "Meister", whatever you like to call it. Not a monkey trained by himself or a Monkey School.

  42. Naaah by Anonymous Coward · · Score: 0

    You are over-simplifying it. The Great General Curtis LeMad (or was it LeMay ?) ordered all the nuke locks to be set to "1111111", to ensure a Quick Armageddon Capability. He essentially gave a fuck about technology and relied 100% on "command authorization by voice".

  43. Muhaaaahhahahahahahaha by Anonymous Coward · · Score: 0

    Boy, wean yourself off that computer and venture out into reality. All the plastics, the concrete, the fertilizer for your cheap food, the pesticides, all the medicine, all the fuel, all the textiles, all the metal around you will continue to be made in large facilities for the next 100, probably 1000 years.

    Or at least go to youtube and look at a video of a burning refinery or a burning chemicals plant. All the stuff that makes your life so easy is directly or indirectly made in huge plants controlled by PLCs.

    eg:
    http://en.wikipedia.org/wiki/Sandoz_chemical_spill

  44. Not The Issue by Anonymous Coward · · Score: 0

    IPSEC VPNs are very secure and you can double down by setting up router rules which allow only designated IP addresses to talk to your IPSEC router machines. You can indeed control industrial plants remotely over the internet, if you follow the best security practices. Don't expect 100% uptime of your internet connection, of course.
    The problem is that the MBA Crap does not want to spend a dime on competent security experts (Linux and BSD admins who know IPSEC, iptables and so on). They don't want to hire programmers who have CS degrees and who know their stuff. It has all to BE CHEAP ! I mean SUPER-CHEAP. The corporation is making billions a year, by saving 50000 dollars/euros on proper experts, don't cha know ?

  45. Also by Anonymous Coward · · Score: 0

    ..use SSL for the link between factory and smart phone.

  46. Secure VPNs Are NOT Difficult by Anonymous Coward · · Score: 0

    Setting up IPSEC and iptables is within the grasp of thousands of Linux and BSD pros. A simple setup will cost you less than 2000 dollars in consulting fees. You can route that data via Iran, France, a Huawei Switch or Russia (that could/will actually happen due to a routing cockup) and it won't reduce your security.

    http://en.wikipedia.org/wiki/IPsec

    This is not rocket science to Experts. You just have to find and hire them. The latter seems to be the big issue.

    I am an altruistic man who does the googling for you:

    http://www.ipsec-howto.org/

    http://openvpn.net/

    http://www.netdigix.com/linux-vpn.php

    http://linas.org/linux/vpn.html

    http://www.tummy.com/Services/Consulting/networking.html

    http://atxconsulting.com/posts/Giganews_VyprVpn_on_Linux_with_IPSEC_and_L2TP/

    http://www.managed-it.eu/?page_id=20

    http://bookshop.pearson.de/main/main.asp?page=englisch/bookdetails&ProductID=103369

    http://www.m-it.com/?article=vpn&lang=de

    http://www.google.com/url?sa=t&rct=j&q=%22ipsec%20consulting%22%20linux&source=web&cd=3&ved=0CCsQFjAC&url=http%3A%2F%2Fwww.iabg.de%2Finfokom%2Fit_sicherheit%2Fdokumente%2Fitsec_en.pdf&ei=4SWNUOXzFdT04QTSsIDwCQ&usg=AFQjCNE3KjLUFC07JDKlgS5aC_kn0ZSoew&cad=rja

    http://www.openbsd.org/support.html (search for IPSEC)

    http://www.google.com/search?client=ubuntu&channel=fs&q=ipsec+consulting&ie=utf-8&oe=utf-8

    http://www.milesconsultingcorp.com/IPSEC-Security.aspx

    http://blogs.metcorpconsulting.com/tech/?p=435

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

    1. Re:Secure VPNs Are NOT Difficult by omglolbah · · Score: 1

      Um... 2000 dollars in a perfect world of milk and honey.

      Set up a test network
      Do all internal testing and documentation of the system
      Get all docs verified by the customer and signed off on
      Hold a factory acceptance test, get everything verified and signed off
      Travel to the oil rig.
      Oh, your tech IS certified for offshore work right? No? Oh, send him on the full week 5000 dollar training course first then.
      Install and get everything verified in real system

      Oh, and this has to run on Windows 2003 R2 by the way, that is the chosen platform for the HMI...

      Easily comes to 50k USD doing this job. Not that big a cost in comparison to other expenses, but it is a bit of an expense to justify to someone who knows nothing about security... sigh

  47. You Are Clueless by Anonymous Coward · · Score: 1

    No security expert will code their own software as long as OpenSSL, IPSEC, GPG and so on will do the job. Too expensive and too many mistakes to be made by bespoke software.

    I suggest you hire one of these bearded Unix admins with some real crypto and networking experience and he is going to sort out the security issues in short order. Just listen to his advice and don't fuck his advice up with some el-stupido low-level requirement such as "PLC must talk directly to enterprise data warehouse SQL server". Set up a clean, simple concept with defined interfaces and application-level firewalls which control the data flow in/out of the PLC secure VPN (delivered by BSD or Linux) and ensures sanity of any data inflowing. Don't bother too much about data flowing out, that is only a concern regarding industrial secrets and we all know the average corporate intranet is Insecure As Hell.

    1. Re:You Are Clueless by K.+S.+Kyosuke · · Score: 2

      No security expert will code their own software as long as OpenSSL, IPSEC, GPG and so on will do the job. Too expensive and too many mistakes to be made by bespoke software.

      You sure about that? I mean, it's one thing to try to write a correct implementation of a very generic protocol (the ones you named), but who is to say that a tailored protocol sporting just the things you need for the app and nothing else can't be correctly implemented with a much lesser effort?

      --
      Ezekiel 23:20
  48. Errata by Anonymous Coward · · Score: 0

    Must read " Also the typical ethernet SWITCH has no realtime assurances"

  49. Think Rigorously ! by Anonymous Coward · · Score: 0

    What is the problem with remote access to a PLC ? Only if the transport network or the opposite endpoint is insecure. So if you come with a (truly) secure laptop, a UMTS, connect to the PLC via Ethernet and then the PLC does a proper SSL connection with its manufacturer ? Nothing at all insecure with that, as long as it is properly done.

    Problems only pop up if the Laptop runs in Admin mode 100% of time and is used for internet porn so that the maintenance technician can jack one off during lunchtime in a remote part of the factory. Or the session is not SSL encrypted.

  50. Excellent Linux Security (not) 2011-2012 by Anonymous Coward · · Score: 1

    2012:

    Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

    http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

    So, what's dts.utah.gov running everyone?

    LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

    What's health.utah.gov running too??

    YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

    * Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

    ===

    2011:

    KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

    ---

    London Stock Exchange serving malware:

    http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

    (I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

    ---

    DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    ---

    Linux Foundation, Linux.com Sites Down To Fix Security Breach:

    http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach

    ---

    Linux's showing in CA's breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    http://uptime.netcraft.com/up/graph?site=DigiCert.com

    http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

    The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

    http://itproafrica.com/technology/security/cas-hacked/

    &

    http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

    ---

    The Stratfor SECURITY hack: (can't blame it on poor setup, this IS a security firm that uses Linux)

    http://yro.slashdot.org/story/11/12/28/1743201/data-exposed-in-stratfor-compromise-analyzed

    What's that domain run? Yes kids - you guessed it: LINUX -> http://uptime.netcraft.com/up/graph?site=www.stratfor.com

    ---

    Phishers/Spammers FAVOR attacking LAMP: (Linux, Apache, mySQL, PHP)

    http://www.theregister.co.uk/2011/06/10/domains_lamped/

    PERTINENT QUOTE/EXCERPT:

    "Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"

    ---

    Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

    * You get the picture...

    APK

    P.S.=> Linux Security Blunders DOMINATE in 2011-2012, despite all /. "FUD" for years saying "Linux = SECURE" (what "b.s."/FUD that's turning out to be, especially on ANDROID where it can't hide by "security-by-obscurity" anymore & is in the hands of non-tech users galore - & EXPLOITS ARE EXPLODING ON ANDROID, nearly daily)

    ... apk

  51. Redmond Woke Up :-) by Anonymous Coward · · Score: 0

    So a lot of noobs use Linux to create insecure PHP scripts that allow for SQL injection ? That is the fault of Linux how ?

  52. Slashdot & "invulnerable Linux", eh? by Anonymous Coward · · Score: 0

    Ok then - See "fine Linux security" in 2011-2012 -> http://it.slashdot.org/comments.pl?sid=3213621&cid=41795889

    * Now, would you care to explain that "fine security track-record" for us? It's quite current...

    APK

    P.S.=> Android's the funniest one of all, lol... especially after all those years of the b.s. people like YOU spouted just now (which we've ALL HEARD YEARS OF on /., & it's falling apart around your ears Penguins):

    "So hell, yeah, lock that shit behind BSD or Linux because you cannot trust it. Sorry to offend your skillset or your "nice business partners"" - by Anonymous Coward on Sunday October 28, @09:12AM (#41795831)

    Funny how that link I posted above "dusts" the typical "/. b.s. that 'Linux will fix it'", eh? LMAO - yea, it'll "Fix It" alright - just like it did for CA's, right? Man... lol!

    ... apk

  53. Does Engrish on the 3S Software site... by Svartalf · · Score: 1

    ...concern anyone?

    "We software Automation." is prominently put up on their website...a German company's TYPICALLY better at English than that.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    1. Re:Does Engrish on the 3S Software site... by Anonymous Coward · · Score: 0

      ...

      a German company's TYPICALLY better at English than that.

      The hell they are. Every English documentation made by ze Germans have shit loads of German in them. Most common probably being UND instead of AND. If only they didn't dub the tv shows.

      That "We software Automation." doesn't really mean anything in German either though, so it seems to be missing a word or two. Unless it's meant kind of like iRobot. So that particular case isn't about the language, it's just a typo.

  54. Not Really by Anonymous Coward · · Score: 0

    We can never validate all software correct, but we can have lots of trust in the Linux kernel and IPSEC based on historic experience. From that we can build a "secure enclave" that itself contains insecure stuff. Some people have claimed to have proven correct entire operating systems (e.g. L4).

    It is like defending/controlling borders very strictly while having many potentially insecure situations/locations in a country's territory.

  55. Noobz? Kernel.org = NOOBZ?? LMAO... apk by Anonymous Coward · · Score: 1

    Let's examine your "list of 'noobz'" then, shall we? Ok, here we go:

    ---

    1.) Noobz - like kernel.org, maintainers of the LINUX kernel iirc?

    2.) Noobz - like STRATFOR (a security company no less, lol) ???

    3.) Noobz - like London Stock Exchange????

    4.) Noobz - like NUMEROUS BREACHED CA's?????

    5.) Noobz - like mysql.com??????

    6.) Noobz - like linux.com??

    ---

    * Yea, lol, riiiighhtt... some "noobz" in that list above, eh?

    APK

    P.S.=> Fools was more like it, believing the "hype" that "Linux = invulnerable" which WE ALL HEARD HERE ON /. FOR TOO MANY YEARS now...

    Funny how THAT is especially "falling apart" considering ANDROID (yes, a Linux variant itself) most of all, eh? No more hiding behind "security-by-obscurity" Penguins... your OS is OUT THERE, being torn apart, along with years of /. "FUD" too!

    ... apk

  56. Any Substance From Redmond Yet ? by Anonymous Coward · · Score: 0

    Now, please send me link&quote where the Linux Kernel (!) had security failures that could be exploited via "drive by" or via internet or when running Apache. Shitty PHP scripts and crappy Appstores (like that of Android, where they don't even properly establish the submitter of software) don't mean anything.

    Just because the government of Iran uses Mercedes trucks to run over dissidents does not mean Mercedes trucks are evil.

    1. Re:Any Substance From Redmond Yet ? by Anonymous Coward · · Score: 0

      They got breached using Linux, so who cares about what you said? Nobody. Proof's in the pudding/results.

    2. Re:Any Substance From Redmond Yet ? by Anonymous Coward · · Score: 0

      Any substance from FUD spewing Penguins against that list of security breaches on Linux? A resounding "no" sounds throughout slashdot-land and silence reigned in heaven for about the space of an hour.

    3. Re:Any Substance From Redmond Yet ? by Anonymous Coward · · Score: 0

      All your "security breaches" are most probably breaches in software layered on top of the Linux kernel and Apache. Be more specific or your claims are zilch.

    4. Re:Any Substance From Redmond Yet ? by Anonymous Coward · · Score: 0

      Same happens on Windows, and yet it's Windows' fault, right Penguin? Go away already. Years of /. FUD are falling apart and ANDROID is the biggest example thereof.

  57. Ah, but the "fine Linux security" 2011-2012 by Anonymous Coward · · Score: 0

    Ok then - See "fine Linux security" in 2011-2012 -> http://it.slashdot.org/comments.pl?sid=3213621&cid=41795889

    * Now, would you care to explain that "fine security track-record" for us?

    After all - It's quite current...

    APK

    P.S.=> Android's the funniest one of all, lol... especially after all those years of the b.s. people like YOU spouted just now (which we've ALL HEARD YEARS OF on /., & it's falling apart around your ears Penguins):

    "Only the PLC crap and their legacy Windows crap need to be physically separate. Linux and BSD can happily route secure traffic over insecure networks, including the internet. It is called IPSEC."- by Anonymous Coward on Sunday October 28, @09:12AM (#41795831)

    (Windows CAN'T DO IPSEC? b.s.! More /. "1/2 truths" abound, as-per-usual... which is FINE BY ME, I just come along & SHATTER it for what it is, b.s.!)

    Also, lastly - Funny how that link I posted above "dusts" the typical "/. b.s. that 'Linux will fix it'", eh? LMAO - yea, it'll "Fix It" alright - just like it did for CA's, right? Man... lol!

    ... apk

  58. Ah, yes: "Fine Linux Security", right? by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=3213621&cid=41795889

    * What made me LAUGH THE MOST, was some fool here -> http://it.slashdot.org/comments.pl?sid=3213621&cid=41796025 saying it was "NOOBS" making mistakes in Linux...

    Funny - my list has MOSTLY what SHOULD BE NON-NOOBZ running things in the examples I posted in that link above!

    Man - no, instead?

    They were FOOLS that believed in the "/. hype" (which IS proving to be COMPLETE BULLSHIT per that link above, & ANDROID does the job most of all - no more "hiding" behind "security-by-obscurity" boys... that's all done now, & you SEE THE RESULTS!)

    (So much for "spinmasters" eh?)

    APK

    P.S.=> The "Anti-Windows/Anti-Microsoft" stuff just doesn't CUT IT anymore, Penguins... especially after seeing the link above, and ANDROID proves it most of all...

    ... apk

  59. So Getting A Cold While Drinking Coke by Anonymous Coward · · Score: 0

    ..is a fault of Coca-Cola Company ?

    If you run crap PHP scripts on top of Linux and Apache and your database is being compromised it means nothing regarding Linux security. It means you can't write secure PHP scripts.

    Malware hosted by the Android Appstore and then being executed on the Linux kernel does not mean the Linux kernel has been compromised. It means Google did no proper identification of Android software authors. All you need is a stolen Credit card to "establish" your Android Software Author identity.

    Now show me the drive-by virus that pwns my kernel just by me surfing the site.

  60. Windows can do SOME IPSEC by Anonymous Coward · · Score: 0

    ..but of course the code is "secret" and contains probably 200 secret bugs out of which 175 are exploitable. Courtesy of your Paymaster's paranoia and business model.

    1. Re:Windows can do SOME IPSEC by Anonymous Coward · · Score: 0

      Got proof of that, troll? Hell no, lol! Just more "Linux 'FUD'", right?? Riiight... lol!

    2. Re:Windows can do SOME IPSEC by Anonymous Coward · · Score: 0

      Elmer, please. No more "FUD", lmao! You got shot down on your 1/2 truth b.s. already, badly. Windows does IPSEC.

  61. Doing The Fact Checking For Redmond by Anonymous Coward · · Score: 0

    kernel.org does not directly control the code repository. It is actually quite distributed over various git repositories. You can break into Linus Torvalds' house, fiddle with the code secretly only to have the other kernel maintainers realize this quite quickly.

    Stratfor is a kind of consultancy. They specialize in writing political/national security-related papers, not at all in computer security.

    LSE is Bunch Of Known Idiots. They attempted to outsource their coding to Sri Lanka and it blew up in their face. Nowadays the Brits are in most instances First Rate Idiots who have a shoddier education than Horatio Nelson had. The real leaders in electronic exchange trading is Deutsche Börse in Frankfurt and they ran on VMS and Solaris. They currently switch to Linux and Postgres. RBS is one of their happiest customers.

    CAs breached ? Yeah, they are as shoddy as Microsoft, despite some of them using Linux. But that is not the fault of Linux, but the fault of the crap they built on top.

    Mysql - the worst open source database and I fully expect them to have PHP scripts with SQL Injection possible. Real open source experts don't use a system that loses data all the time. They use Postgres instead.

    Linux.com - yeah, a commercial site trying to make some ad dollars from Linux. I see it the first time, despite using Linux as a C++ developer for years. I guess they had their crap PHP content management system pwned by one of the PHP insanities or an SQL injection. Not the fault of the Linux kernel.

    1. Re:Doing The Fact Checking For Redmond by Anonymous Coward · · Score: 0

      "Sure, sure" - we keep forgetting that you, the ac troll, have more skills than the companies listed that blew it with Linux.

  62. Ok, let me explain by Anonymous Coward · · Score: 1

    I have no doubt the average programmer can hack up something we can call an "encrypted TCP session". But it probably is

    - not safe against replay attacks

    - reusing session keys

    - not integrity-protected (switching a bit in the cipherstream will switch one or more bits in the cleartext without your app knowing)

    - not safe against low-level attacks against the crypto/session establishment parameter parser

    - not properly vouching for the identity of both communication partners

    A lot of work has gone into getting this done correctly in SSL and its successor TLS. Even they made a couple of mistakes which had to be fixed. Chances are 99 to 1 you cannot easily get the same security level as you can get by simply coding against OpenSSL or GnuPG. Just using OpenSSL is a challenge for many, because they don't properly understand the concepts behind Public Key crypto. But replicating SSL/TLS - that is by far out of the technical and financial reach of most developers and their bosses.

    So - just take OpenSSL and integrate it properly into your product. Make your boss send you to a training regarding the basics of PK Crypto, if your experience is only superficial. Or hire a known expert and let him show you and explain how to do it.

    Read and try to understand Schneier's Applied Cryptography, play with the gpg and openssl command line programs, read code samples. This is not a "quick addition of capability", it is actually the painful and time-consuming acquisition of expertise. Management idiots don't appreciate this. Redmond fucked up their crypto efforts in the first iteration. Now they are somewhat better.

  63. More "spin"? LMAO, please... apk by Anonymous Coward · · Score: 0

    They all got "nooked" running Linux & aren't noobs: So much for slashdot years of FUD on the invulnerability of Linux, cuz "New NEWS/NewFlash": It isn't!

    * ANDROID proves that assertion of mine MOST OF ALL, since it too, is a Linux and yet it's being "SHREDDED" daily on the security-front...

    (NO questions asked...)

    APK

    P.S.=> Yes, /. "penguins" - face it: , especially in light of ANDROID... Linux is no more "invulnerable" to attack & exploit than Windows is, and your YEARS OF *HIDING* BEHIND "SECURITY-BY-OBSCURITY"? All done now, thanks to Android most of all (and, of course, these examples of "fine Linux security" @ the server level too, from the past 2 yrs. now -> http://it.slashdot.org/comments.pl?sid=3213621&cid=41795889 )

    ... apk

    1. Re:More "spin"? LMAO, please... apk by mich.linux.guy · · Score: 1

      I call bullshit. Linux and Android are not the same thing. Saying "Linux is no more 'invulnerable' to attack & exploit than Windows is" is just plain wrong.

  64. Example Of Faulty Crypto by Anonymous Coward · · Score: 0

    Use the stream cipher RC4 and a secret key. Whenever establishing a connection, the RC4 cipher is also reset, creating an identical key stream.
    Attackers can

    a) replay commands

    b) XOR two sessions to get an XOR of the two plaintexts. From that the plaintext itself is not too difficult to get.

    c) cut out parts of the stream without detection

    Of course you can use AES, but that only eliminates b)

    1. Re:Example Of Faulty Crypto by K.+S.+Kyosuke · · Score: 1

      As far as I am aware, session key is a feature of cryptosystems employing either public-key encryption or some secure key exchange scheme to distribute keys in a changing topology of communicating nodes. Do you actually need to do this in a fixed industrial setup with specialized HW? As far as I know, the military has no problem with using key fill devices. (Just asking, I don't pretend to be an expert on that, just an interested reader.)

      --
      Ezekiel 23:20
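
The faulty scheme from comment 64 and the checklist from comment 62, as an added Python example that is not part of any poster's comment: `faulty_channel` reproduces the fixed-key, reset-per-connection RC4 channel, and `Session` shows which mechanism closes each gap (nonces from both ends, per-message keys, sequence numbers, encrypt-then-MAC). The key, the command strings and the nonce handshake are constructed for illustration, and RC4 is kept only to mirror the comment; as comment 62 argues, a product should use a vetted TLS library rather than framing like this.

```python
import hashlib
import hmac
import os

PSK = b"constructed-demo-key"  # constructed long-term key, illustration only


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def faulty_channel(data: bytes) -> bytes:
    """Comment 64's scheme: fixed key, cipher reset on every connection.
    Serves both directions because RC4 is its own inverse."""
    return rc4(PSK, data)


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


class Session:
    """One end of a connection with the three gaps closed."""

    TAG_LEN = 32

    def __init__(self, psk: bytes, sender_nonce: bytes, receiver_nonce: bytes):
        # Both ends contribute randomness, so a recorded connection replayed
        # at a receiver that picked a new nonce meets different keys.
        salt = sender_nonce + receiver_nonce
        self.enc_key = _prf(psk, b"enc" + salt)
        self.mac_key = _prf(psk, b"mac" + salt)
        self.seq = 0  # next sequence number to send or to accept

    def seal(self, plaintext: bytes) -> bytes:
        header = self.seq.to_bytes(8, "big")
        # Per-message key: no keystream is ever used twice.
        body = rc4(_prf(self.enc_key, header), plaintext)
        tag = _prf(self.mac_key, header + body)  # encrypt-then-MAC
        self.seq += 1
        return header + body + tag

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + self.TAG_LEN:
            raise ValueError("frame too short")
        header = frame[:8]
        body = frame[8:-self.TAG_LEN]
        tag = frame[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, _prf(self.mac_key, header + body)):
            raise ValueError("bad tag: modified, cut, or from another session")
        if int.from_bytes(header, "big") != self.seq:
            raise ValueError("bad sequence number: replayed or reordered")
        self.seq += 1
        return rc4(_prf(self.enc_key, header), body)


def new_pair():
    """Constructed handshake: each side picks a fresh 16-byte nonce."""
    a, b = os.urandom(16), os.urandom(16)
    return Session(PSK, a, b), Session(PSK, a, b)


def rejected(receiver: Session, frame: bytes) -> bool:
    """True if the receiver refuses the frame."""
    try:
        receiver.open(frame)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    p1 = b"SET PUMP 3 SPEED 040"  # constructed sample commands
    p2 = b"READ TANK 1 LEVEL   "
    c1, c2 = faulty_channel(p1), faulty_channel(p2)
    print("b) XOR of ciphertexts equals XOR of plaintexts:",
          xor(c1, c2) == xor(p1, p2))
    print("c) cut ciphertext still decrypts:", faulty_channel(c1[:8]))
    sender, receiver = new_pair()
    frame = sender.seal(p1)
    print("first delivery:", receiver.open(frame))
    print("a) replay rejected:", rejected(receiver, frame))
```

The pre-shared key also covers the fixed-topology case raised in the reply: a key loaded once per device still needs a fresh nonce per connection, otherwise every connection starts from the same keystream.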
  65. Obligatory by m1ndcrash · · Score: 1

    Fire sale. Bruce Willis is getting too old to save our asses.

  66. Fortune 100-500 companies say otherwise by Anonymous Coward · · Score: 0

    Running Windows, managing 99.999% 'Fabled "5-9's"' secure uptime, vs. your TOTAL b.s., troll (eat your words, phool):

    ---

    38 HIGH TPM & 99.999% "uptime" examples:

    ---

    XEROX: Managing 7++ million transactions a day for office devices for its customers using Windows Server 2003 + SQLServer 2005 64-bit with 99.999% uptime!

    NASDAQ: The U.S.' LARGEST STOCK EXCHANGE, Since 2005 has had Windows Server 2003 + SQLServer 2005 in failover clusters running the "official trade data dissemination system" for them in 24x7 fabled "5-9's" 99.999% uptime, doing 64,000 transactions PER SECOND (compare London Stock Exchange using Linux @ 3,000 per second)

    FUJIFILM GROUP: Tracks data for its imaging, information, & documentation for its products & services using Windows Server 2003 w/ a custom SAP solution on SQLServer 2005, achieving 99.999% uptime.

    HILTON HOTELS: Manages 1.4 Billion records a day for customers in 1000's of their hotels worldwide - for 370,000 rooms & catering services forecasts (switching from 6 *NIX systems to 1 Windows Server 2003 + SQLServer 2005 clustered failover system using a data warehouse with 7 million rows & 99.998% uptime).

    MEDITERRANEAN SHIPPING COMPANY: Manages & Tracks 7 million containers out of 116 countries daily using Windows Server 2003 + SQLServer 2005 in failover clusters with 99.999% uptime.

    SWISS INTERNATIONAL AIRLINES: Serves 70 airport destinations worldwide, with 6,500 employees + 110 branch offices via Windows Server 2003 & Active Directory with 99.95% uptime (all while growing their business 30% per year). THEIR PREVIOUS LINUX SYSTEM COULD ONLY HANDLE 250 concurrent users - the Windows one handles over 500++ users concurrently/simultaneously!

    UNILEVER: Global consumer good leader, migrated to mySAP on SQLServer 2005 + Windows Server 2003 & scaled UP their operations by over 200% & yet saved money + have 99.999% uptime!

    MOTOROLA: Using System Management Server, Windows Server 2003 & SQLServer 2005 to conduct inventory of 65,000 desktops from a single location (e.g. for system updates corporate & worldwide).

    NISSAN: Uses Windows Server 2003 to manage 50,000 employees' email & calendaring (w/ out VPN, & using Exchange Server 2003) for local AND remote + mobile users.

    TOYOTA MOTOR SALES: Reduced the # of techs needed per dealership (1,000's worldwide) from 7, to 1 using Windows Server 2003.

    SIEMENS: 420,000++ people, 130 business units over 190 countries managed in Windows Active Directory

    REUTERS: Managing 3,000 servers worldwide @ customer sites internationally (using only 4 managers to do so, remotely).

    DELL COMPUTER: Managing 130,000 servers & 100,000 PC's worldwide using Windows Server 2003 + 40 million customers' data worldwide.

    LEXIS NEXIS: Searches BILLIONS of documents each second delivering news, legal, & business information.

    HSBC: Deploys System Center solutions to 15,000 Servers worldwide & 300,000 desktops using Windows Server 2003.

    RAYOVAC: Chose Windows Server 2003 over Linux to manage their infrastructure - saving 1 million dollars estimated in software, staffing, & support costs.

    JETTAINER/LUFTHANSA/U.S. AIRWAYS: managing shipping to 3,000 flights to 400 airports every day.

    CONTINENTAL AIRLINES: Manages crew communication systems, log on/log off, schedules, & shifts using Windows Server 2008 worldwide.

    JET BLUE AIRWAYS: Managing 12 million flights & their data annually + ticketing, finance, & personnel too.

    TIMEX: Using Windows + Exchange Server for remote personnel & executives (for their ENTIRE workforce)

    7 ELEVEN STORES: Chose Windows Server 2003 over Linux with a 20% TCO (total cost of ownership savings not only ESTIMATED, but actually REALIZED!), managing 1,000's of in-store servers via AD worldwide.

  67. They were just talking about a digital pearl harbo by davydagger · · Score: 1

    "Worse, many of these systems are unneccessarily connected to the Internet,"

    Instead of spending the oodles of money for those worthless airport scanners, department of defense boondoggles, and useless shit, flame, etc...

    we could have spent the money to develop an ultra secure replacement for hardware controllers, and mandatory audits of mission critical systems, and unplugged needlessly internet connected components from the internet.

    Instead we spent our money foolishly on shit we don't need.

    I am calling for the same people in the NSA who do the SHA and AES competitions to do something along these lines, because they've already proved themselves competitant, where other branches fail.

  68. What happen? by Hognoxious · · Score: 1

    They might want to describe custom chemical mixtures by means of an Excel file and that information has to be somehow communicated to the PLCs.

    Somebody load us up the bomb.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  69. Re:Just an Iranian terrorist attack by Hognoxious · · Score: 1

    My solution to that problem was simply to subscribe to the same magazines my boss reads, peruse them for articles supporting my case and getting him to read it.

    Or start your own magazine.

    I did consider bringing out "Management Fad Monthly" but I was worried that some silly bugger might try to implement an obvious spoof like TQM, stand-up meetings or employing Indian programmers, and then where would we be?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  70. Windows vs Linux by Anonymous Coward · · Score: 0

    Windows is a complex mess where you cannot easily turn off single components to get rid of their security issues. It runs stuff in kernel mode which don't belong there - increasing the attack surface. For example, it parses font and image files in kernel mode because a bozo decided everything else "would be too slow". Windows needs IE as an integral part.

    The Linux kernel can be stripped down to a minimum, it can be hardened with several sandboxing/capability frameworks and most importantly researchers can inspect everything. You can't sneak crap into the kernel and let it rot forever as easily as a Microsoft employee can do that with Windows.

    Windows is being pwnd at the kernel level on a regular basis and that is why even Windows 7 PCs are regularly infected by viruses. You need the virus scanner band-aid.

  71. Nice Work, Redmond Propaganda by Anonymous Coward · · Score: 0

    A nice list of clueless corporations right out of the Dilbert comics. Corporations who judge computers by looks instead of the innards - these are loyal Windows users. Those who have a clue avoid it like the plague:

    + Google

    + Facebook (yeah, stupid business, but they have more teenagers hooked than everyone else; enormous scale issues)

    + Tokyo Stock Exchange

    + CERN

    + Deutsche Börse / Eurex

    + Skype until M$ pwned them

    + French National Police

    + City of Munich

    + Your DSL router

  72. Re:They were just talking about a digital pearl ha by Anonymous Coward · · Score: 0

    they've already proved themselves *competitant*

    Indeed, they have.

  73. Time to UTTERLY blow you away #1 of 2 by Anonymous Coward · · Score: 0

    1st of all, I outnumbered the hell out of you already, here -> http://it.slashdot.org/comments.pl?sid=3213621&cid=41797255

    Secondly, per my subject-line above? Here goes (they won't all fit in this post even, it has another part still):

    367++ TOP FORTUNE 100/500 Part #1 of 2 (or best 100 to work for per CNN Money) COMPANIES, EDUCATIONAL INSTITUTIONS, &/or GOVERNMENT AGENCIES USING WINDOWS (over other solutions like Linux) both in HIGH TPM ENVIRONS, & FROM "TOP 100 COMPANIES TO WORK FOR" (per CNN Money 2011):

    ---

    TRAVELERS INSURANCE: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.travelers.com

    PHILIP MORRIS: Runs their domain on IIS (mix) -> http://uptime.netcraft.com/up/graph?site=www.pmi.com

    ENTERPRISE HOLDINGS: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.enterpriseholdings.com

    TYSON FOODS: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.tyson.com

    HESS: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.hess.com

    SUNOCO: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.sunocoinc.com

    HONEYWELL: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=honeywell.com

    HUMANA: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.humana.com

    GENERAL DYNAMICS: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=generaldynamics.com

    STATE FARM INSURANCE: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.statefarm.com

    COMCAST: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.comcast.com

    DISNEY: Runs their domain on IIS -> http://uptime.netcraft.com/up/graph?site=disney.go.com

    SYSCO: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=sysco.com

    KRAFT FOODS: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.kraftfoodscompany.com

    PEPSI: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.pepsico.com

    INTERNATIONAL HOLDINGS CORP.: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=intlfcstone.com

    DOW CHEMICAL: Runs their domain on IIS (mix) -> http://uptime.netcraft.com/up/graph?site=www.dow.com

    MARATHON OIL: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.marathon.com

    UNITED TECHNOLOGIES: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.utc.com

    WELLPOINT: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.wellpoint.com

    COSTCO: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.costco.com

    BRISTOL MYERS SQUIBB: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.bms.com

    AMERISOURCE-BERGEN: Runs their domain on IIS (mix) -> http://uptime.netcraft.com/up/graph?site=www.amerisourcebergen.com

    KROGER: Runs their domain on IIS (mix) -> http://uptime.netcraft.com/up/graph?site=www.kroger.com

    UNITED HEALTH GROUP: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.unitedhealthgroup.com

    MCKESSON: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.mckesson.com

    BERKSHIRE HATHAWAY: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.berkshirehathaway.com

    CONOCO-PHILLIPS: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.conocophillips.com

    CHEVRON: Runs their domain on IIS (mix) -> http://uptime.netcraft.com/up/graph?site=www.chevron.com

    EXXON-MOBIL: Runs th

  74. Android smartphones use a Linux kernel by Anonymous Coward · · Score: 0

    Do ANDROID smartphones use a Linux kernel?

    * If so (and Yes, it IS SO), then, they're using a Linux (or will you tell me they're really Microsoft Windows now too??).

    APK

    P.S.=> You fail, but... that's NOT REALLY YOUR FAULT - you were faced with a superior mind (mine), lol...

    ... apk

  75. Are you on drugs, or what? LMAO... apk by Anonymous Coward · · Score: 0

    "You can't sneek crap into the kernel and let it rot forever as easily as a Microsoft employee can do that with Windows..".." - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    LMAO - tell THAT, to "Kernel.org" -> http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised (the linux kernel repository iirc)...

    ---

    "Windows is a complex mess where you cannot easily turn off single components to get rid of their security issues." - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    Spoken by a fool that doesn't KNOW how to use it, apparently: THIS -> http://www.google.com/#hl=en&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&oq=%22HOW+TO+SECURE+Windows+2000%2FXP%22&gs_l=hp.3..0i30.2185.13160.0.13347.49.35.6.0.0.2.434.5664.0j13j10j2j1.26.0.les%3Bcqn%2Cfixedpos%3Dfalse%2Cboost_normal%3D40%2Cboost_high%3D40%2Ccconf%3D1-2%2Cmin_length%3D2%2Crate_low%3D0-035%2Crate_high%3D0-035%2Csecond_pass%3Dfalse%2Cignore_bad_origquery%3Dtrue..0.0...1c.1.nUoK9GkR220&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&fp=d3ddaee4ee84f1b4&bpcl=35466521&biw=1024&bih=608

    Shows you QUITE differently (I know, I wrote it, & it's from the very 1st security guide for Windows ever that I wrote also -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml )

    ---

    "It runs stuff in kernel mode which don't belong there - increasing the attack surface.." - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    Like what? The video subsystem (since Windows NT 4.0, before that it was in usermode)?? So what - it's built of SOLID, PROVEN templates from the DDK (device driver kit) & WHQL tested!

    Clue - running in kernelmode/ring 0/rpl 0 makes a process MUCH faster than usermode/ring 3/rpl 3!
    ---

    "For example, it parses font and image files in kernel mode because a bozo decided everything else "would be too slow".." - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    For gaming yes, post Windows NT 3.51 - before Windows NT 4.0, video subsystems (GDI & Win32 + drivers) ran in usermode... but, see above, you know why (AND, why they're stable as well as fast).

    ---

    "Windows needs IE as an integral part..." - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    And, this means what?

    ---

    "The Linux kernel can be stripped down to a minimum, it can be hardened with several sandboxing/capability frameworks and most importantly researchers can inspect everything. " - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    See that security guide I wrote... same with Windows!

    ---

    "Windows is being pwnd at the kernel level on a regular basis" - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    Really? Show us a kernel level exploit that's not patched then (good luck, there aren't any remotely exploitable ones there (they're what count)).

    ---

    "and that is why even Windows 7 PCs are regularly infected by viruses. You need the virus scanner band-aid." - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    Yea, & what about ANDROID (a Linux on smartphones since it uses a Linux kernel)?

    ---

    * Man, lmao - You FAIL...

    Now - IF Linux is "so good", then WHY does it only command what? 1.5% of the desktop market & roughly 50% of the server market split with Windows (even though Linux is GIVEN AWAY FREE, defying business logic, since something JUST AS GOOD FOR FREE SHOULD HAVE "BLOWN AWAY" WINDOWS, & it hasn't... not by a LONG shot of about 95% of marketshare overall on PC's + Servers combined over Linux!)

    APK

    P.

  76. Re: the Challenger Disaster? by sjames · · Score: 1

    What do you think will happen when managers learn how much software that gets signed off by a PE costs and how long it takes to develop?

  77. Addendum on "kernelmode" subsystems... apk by Anonymous Coward · · Score: 0

    "It runs stuff in kernel mode which don't belong there - increasing the attack surface." - by Anonymous Coward on Sunday October 28, @03:03PM (#41798239)

    Earlier in the post I am replying to of mine, in regards to that quote above? Since VISTA &/or Windows 7 moved to the AeroGlass interface driven by DirectX?? Video IS in usermode, again (as it was in NT 3.5 - 3.51) & thus, UNABLE to "Crash" the system completely...

    * Any takers on that?

    APK

    P.S.=> The fool trolling me's disappeared in defeat so... there you go!

    ... apk

  78. Re:Just an Iranian terrorist attack by Opportunist · · Score: 1

    Hey, stop that! You're threatening my job, because coming up with harebrained ideas how to hack our security IS my job!

    And damn, I love it!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.