The problem with SCADA goes deeper…

[This was originally published on the OSVDB blog.]

We know SCADA is virtual swiss cheese, ready to be owned if someone can reach a device. We have preached airgaps for decades, even before we knew how bad the software was. Back then it was just, “this is so critical, it has to be separate!”

The last five years have proven how bad it is, with the rise of SCADA vulnerabilities. Sure, we can overlook the bad coding, proprietary protocols, no evidence of an SDLC, and the incredible amount of time it can take to patch. For some silly reason we put up with “forever-day bugs” because something is so critical it can’t be rebooted (forgetting how absurd that design choice is). But, what if we go a step beyond that?

An ICS-CERT 14-084-01 advisory released yesterday on vulnerabilities in Festo products is a good reminder of just how bad the problem is, and how much deeper it goes. First, the product has a backdoor in the FTP service allowing unauthenticated access (CVSSv2 9.3). This can allow a remote attacker to crash the device or execute arbitrary code. Second, the device is vulnerable due to bundling the 3S CoDeSys Runtime Toolkit, which does not require authentication for admin functions (CVSSv2 10.0), and a traversal flaw that allows file manipulation leading to code execution (CVSSv2 10.0). Those two issues were reported in January of 2013, making this report, as it relates to Festo products, over a year late.

So we have a vendor backdoor, unauthenticated administrator access, and a way to bypass authentication if it was there to gain privileges. So realistically, what type of organizations does this potentially impact? From the ICS-CERT advisory:

This product is used industrywide as a programmable logic controller with inclusion of a multiaxis controller for automated assembly and automated manufacturing. Identified customers are in solar cell manufacturing, automobile assembly, general assembly and parts control, and airframe manufacturing where tolerances are particularly critical to end product operations.

Now to dig the hole deeper. Under the “Mitigation” section, we see how serious Festo considers these vulnerabilities. Paraphrased from two lines in the advisory:

Festo has decided not to resolve these vulnerabilities, placing critical infrastructure asset owners using this product at risk … because of compatibility reasons with existing engineering tools.

The two 3S CoDeSys vulnerabilities have a fix available and just need to be integrated into the Festo products. What does “compatibility with existing engineering tools” really mean in the context of software? The ICS-CERT advisory also says:

According to the Festo product web page, other products are using newer versions of CoDeSys software and may not be vulnerable to the CoDeSys vulnerability, but this has not been evaluated by the researcher.

The researcher already spent time finding the issues, reporting them to a coordinating body, and following coordinated disclosure practices. Expecting them to also evaluate which products are not vulnerable is ridiculous. This is a case of the vendor just being lazy and irresponsible.

A company that makes vulnerable critical components that affect our infrastructure and directly impact our safety, but refuses to fix them. Why is this allowed to exist in our society?


You keep using that word… (a note on “bullying”)

As a tech editor who apparently hit the glass ceiling, perhaps my only value to the industry is reminding people what words mean. Usually that is done for the author before something is published but it is clear the industry could gain some value this time. With the terms “bully” and “bullying” being thrown around more liberally recently, it is important to remember what it really means. Like most words in the English language, that answer varies greatly. Not only with historical changes, but with social changes as words are used, reused, and co-opted. Let’s start with what Google tells us!

According to, the definition is:

Bullying is unwanted, aggressive behavior among school aged children that involves a real or perceived power imbalance. The behavior is repeated, or has the potential to be repeated, over time. Bullying includes actions such as making threats, spreading rumors, attacking someone physically or verbally, and excluding someone from a group on purpose.

Some readers are certainly homing in on this definition while glossing over an important qualifier. We are not “school-aged children” despite often acting like it on Twitter. This definition is custom-written to be suitable to kids in school that face bullies. Next up, Wikipedia defines it as:

Bullying is the use of force, threat, or coercion to abuse, intimidate, or aggressively impose domination over others. The behavior is often repeated and habitual. One essential prerequisite is the perception, by the bully or by others, of an imbalance of social or physical power.

Those same readers may now be homing in on this definition based on the last line, but it is important to note that is a two-way street. If we can arbitrarily call it “bullying” solely based on one side’s perception, then we’re all equally guilty of bullying. If I call you a jerk, and you call me an ass in return, we are both potentially guilty of it. In reality, I think we can all agree that is a bit absurd. I think if you drop that last line and focus on the first two lines the definition is pretty good, especially given the next choice. According to the dictionary:

  • 1 (archaic): sweetheart or a fine chap
  • 2a : a blustering browbeating person; especially one habitually cruel to others who are weaker
  • 2b : pimp
  • 3 : a hired ruffian
  • bully verb
  • : to frighten, hurt, or threaten (a smaller or weaker person)
  • : to act like a bully toward (someone) to cause (someone) to do something by making threats or insults or by using force
  • transitive verb
  • 1 : to treat abusively
  • 2 : to affect by means of force or coercion

We can certainly agree that the archaic definition isn’t what anyone means when using the term. Similarly, a pimp or hired ruffian is probably just as archaic and not intended. Focusing on the rest, you have a variety of definitions that range from “treat abusively” to the more dominant ones that include the purpose of the activity. The words threat, force, and coercion appear more than once in the definitions above and are the crux of what bullying is about. Everyone who is now equating the term “bullying” with anything less than a malicious, sustained campaign of hatefulness with the intent of coercing/threatening is guilty of the worst sort of cowardice and dishonesty. They are doing a disservice to society and themselves.

Someone stating their opinion is just that. Calling someone a name or insulting them over appearance or action makes them an ass, nothing more. They aren’t trying to coerce you, they aren’t trying to force you to do something, and they aren’t threatening you. In this country they are simply exercising their first-amendment rights. As such, you have the right not to listen to them. If someone on Twitter is saying something you don’t like, stop following them. If they are including you in the messages, block them. Add their Twitter ID to a filter so it helps ensure you don’t read anything to, from, or about them. Remember, it is a push medium that you opt into. By using the service, by following people, by subscribing to lists, or by searching for specific words, you are specifically choosing to read it.

Cliff notes for the rest of you. Simple name calling or stating opinion on Twitter is not bullying, even if it is mean and you don’t like it. Those using the term in such a fashion are the real bullies here; they are capitalizing on a social stigma and social movement to brand what has been our way of life for hundreds of years as some new form of persecution. You are trying to use social pressure to coerce us into changing our behavior. Worse, by equating simple insults and jabs with bullying, you make it harder for those who have truly been bullied to be believed. Sorry, I won’t cave in to bullies, something your crowd keeps telling us to do, ironically enough.

To finish this post, I want to answer a question put forth by someone crying “bully”:

Can my daughter take criticism? Yes but not publicly. You got to have a pretty tough skin to be able to take criticism publicly. Most of us don’t have that tough skin. I think that’s good because that usually goes hand in hand with compassion. If I had to choose only one thing missing in this InfoSec community, it would be compassion. The nonconstructive criticism is so public and so vicious that you end up missing that one nice person who is trying to offer the constructive criticism that could really make a difference. And that’s sad. That person who is trying to help gets lumped in with the naysayers, and no one benefits. Is this really the InfoSec community you want?

Yes! That is exactly what I want the industry to be. More importantly, that is exactly the type of industry our society needs. There are two aspects to this, and one of them is so entirely simple, but seems to be missed time after time.

First, the InfoSec industry has two fundamental sides: those who break things (attack), and those who fix things (defend). The entire attack (a.k.a. red-teaming, tiger teaming, vulnerability assessment, or offense) side of it has built itself on the act of tearing others down. When you perform a penetration test, you are showing how the programmers and/or IT staff have failed in some way. In some cases, you are taking years of their work and shitting all over it in a PDF or by PowerPoint with pretty colors. That million lines of code to perform incredibly complex actions to make a seamless experience for their paying customers? You tell them it is Swiss cheese, that it shouldn’t be on a production network, and that they must go back and make it better while flippantly giving them the oh-so-helpful remediation instructions of “sanitize user input”. You get paid, handsomely even, to do just that day in and day out. Did you develop software that makes that process easier? Then you are facilitating colleagues so they can more easily tear down the work of other people. This is a simple fact and how our industry operates. You are offering what you think to be constructive criticism. The developers and admins receiving the report do not think it is constructive. You are a “naysayer” and yet both sides benefit ultimately. The notion that “no one benefits” is absurd.

Second, the more emotional answer. Our industry, and society at large, need more people that are not afraid to speak their mind, tell the truth, and demand better from everyone. That is how things get fixed, and that is how we improve as a society. Your friend being a douche-nozzle? Do you think they intend to act that way? No, so you tell them in whatever terms are needed so they stop acting like one. Your customer running insecure software that would allow little Bobby Tables to expose all of their client data? You tell them so they can fix it. Your report can soften the blow a bit, but ultimately you are telling them they have failed in a spectacular fashion. This isn’t some circle-jerk hug fest. This is an industry largely based on critique, which is a vehicle to improve.

When your day job is based on leveling criticism at other people, it is your responsibility to be able to take criticism. If you release software to the world, you are a vendor so to speak. Someone reporting a vulnerability in your software is not them “picking on you”. That is them making a sincere effort to help you improve your software, just as you are trying to help your customers (or students) improve. If you don’t understand how these are fundamentally the same, then you don’t belong in this industry. That is not a threat, force, or coercion. That is a fact.

What the Harlem Globetrotters Really Teach Kids

A couple weeks ago, friends and I attended a Harlem Globetrotters game. It started out as a joke over football about underdog teams, when my friend Amanda reminded me of the poor Washington Generals. If that name rings a bell but you can’t quite place it, they are the go-to team that plays the Harlem Globetrotters. From their web page: “The Washington Generals are the most well known and recognized opponents of the World Famous Harlem Globetrotters.” The header graphic even shows a chalkboard and their amazing number of losses, with a single win. We figured it would be fun to attend a Globetrotters game and root for the Generals.

This began the descent into the ego and madness that is the Harlem Globetrotters. As a kid, you only remember black basketball players doing tricks, spinning balls, doing fancy dunks, and always winning. Yes, I used “black” as an adjective. Show me a “white” Globetrotter. This exclusion actually carries forward to present day. There are still no white Harlem Globetrotters, despite white people living in Harlem. In 2014, they still proudly boast about their ninth black female Globetrotter taking the court several times throughout the game, turning her into a feature. But no whites. We’ll get back to that in a bit.

The Generals’ web site ‘Player Opportunities‘ page has an important reminder, and why we showed up to root for them. “The Generals serve an important role in the Globetrotters tours and realize the final score does not always define winners.” That is awesome, and really sums up what kids sports should be about. While I don’t think every player in a league deserves a trophy, I think that kids should be reminded that effort matters, even if they didn’t win.

But now, we have to back up again. I went to order the tickets for the three of us and noticed something. The Harlem Globetrotters were playing! Err, OK, I got that. But who were they playing? It wasn’t listed. I checked the Harlem Globetrotter page hoping their line-up would have it. Nope. I Tweeted to them asking who they were playing, asking that they bring the Generals. To this day, the assholes never answered. That level of disrespect is very telling about the organization. So I did what any logical fan would do: I called the ticket-seller and asked. I spoke with a nice young lady who checked her information and was surprised to find she couldn’t answer my question. She took down my information and said she would get to the bottom of it by calling the Globetrotter organization to find out. Hours later she called back and reported that the Globetrotters would be facing the “World All Stars”. Hrm, never heard of them, so I Googled their name. I don’t see anything on the front page indicating that is a viable option. Tack on the word “basketball” and they only show up as the 5th result, in a loss to the Globetrotters. What kind of shitty game is this where the opponents aren’t even mentioned anywhere? Where I can’t easily find out whether they are playing their almost 100-year rival?

The All Stars don’t have a web site. I can’t order a jersey to wear to support them. Other than “lost to the Globetrotters”, they are nothing. What the shit is that?!

So we did what any fan would do. We ordered and wore our Washington Generals clothing to the game, and we made signs to support the All Stars. To be effective, we had to make sure they would see us, so we got court-side seats.


Granted, being the cheapskate I am, there was one row of people before us. But at a Globetrotter game, that is actually a layer of protection from being dragged onto the court and embarrassed by them. From courtside, we were in a position to support our team.


Wow, they didn’t look thrilled to be here. The game started out all about the Globetrotters. They did their warm up, their comedy banter, got introduced one-by-one. When it came time for the All Stars to come in, they barely got their name mentioned. Both teams warmed up to get ready for the game. Just before the game started, Big Easy, with a microphone pinned to his jersey so the entire stadium could hear him, taunted the All Stars. The only taunt I remember was him pointing out that one of the five All Stars on the court was white, mocked him for it, and ended by laughing at him. The other nine players on the court were black. Do I need to remind anyone the definition of racism and that it goes every direction?

The game proceeded, now with ‘fan voted rules’ that were put into effect each quarter. This included a “trick shot challenge” and a “special jersey double point” benefit. So on top of the four point rings (yes, these games have four-point shots), the player wearing the red jersey could do a four-point shot and gain eight points for it. The All Stars tried several times but only made one of them. As best I recall, that was one more than the ‘talented’ Globetrotters. Speaking of, the world famous Globetrotters have a second career as brick layers if it comes down to it. Those dumbasses threw up more bricks and missed more dunks than I have seen in my life. Yes, they missed set-up dunks where the other team wasn’t defending. Absolutely pathetic.

Halftime rolls around and the Globetrotter mascot, Globie, comes out. He did his little dance routine and entertained the crowd.


As he left the court, he pointed at Amanda and my Generals’ attire and shook his head. For a brief moment I thought he might take a diving leap and try to tackle us. He seemed pretty pissed we were there supporting the opposite team. That said, during the “trick shot challenge” quarter, the coach of the All Stars noticed us and pointed to us twice smiling. At least someone recognized our efforts and appreciated some support from the crowd.

During the game, we also got to witness a variety of things that ranged from “what…” to “oh jesus, avert your eyes”. It started with an All Star going to make a slam dunk, only to find the Globetrotters stripped him of his shorts and jersey in the process, leaving him in his underwear to scream out loud and run in a panicked manner toward the locker room. The Globetrotters followed this up with their “slow-mo replay” gag that not only had them reaching between an All Star’s legs and sexually assaulting him, but doing it repeatedly in slow motion. But that was absolutely nothing compared to the half-time show.

I honestly could not watch a majority of the show because of social “norms”. Seriously. They had four local dance troupes doing their dance routines to music. Each wave was full of underage girls wearing revealing skin-tight outfits, doing sexually suggestive dances. Some of their moves and gestures I have seen in strip clubs. I feared that if I watched them like any other person, someone might think me a sexual deviant in all the wrong ways. That was the most uncomfortable 20 minutes I have suffered in years. Back to basketball…

While the All Stars did their share of missing shots, like the Globetrotters, I started to take notice of the scoreboard more often in hopes they would catch up. That is when I noticed that the rigged game is more rigged than I realized. Sure, we know they are told to lose the game and that is expected. The ego-filled Globetrotters have to win, except that one time where the Generals beat them (and we’d love to know the story behind that!). Yes, the Generals’ sweatshirt I wear proudly displays their motto, “Over 12,000 losses since 1926!” Remember the four-point shots, and the bonus with the red jersey due to the special per-quarter rule announced shortly before? At least one time when the All Stars scored an eight-point shot, they were only credited with four. Because the Globetrotters were throwing up so many bricks, and missing so many set-up dunks, the score-man had to further help throw the game.

What does that leave us with?


The Harlem Globetrotters holding the bag. Kids show up and have a fun time. In reality, they leave with a long list of subtle messages driven into their head. That racism is OK because it is humorous. That the underdog can’t win, and that the name-brand will cheat in multiple ways to win. That being a female in this sport is a ‘rare thing’ and makes you a two-minute highlight during the game. That physically and sexually assaulting the opposing team is humor, not a bad thing. Is that really what our kids should be learning growing up? I don’t think so. If anyone else did this on the school playground, they might face being expelled.

That is why I proudly show up and support the opponents. I even retained the services of a local artist to make sure my signs were high-quality, because I care. Washington Generals or All Stars, it doesn’t matter. They need our support to help them win their second game in almost one hundred years. I encourage you to attend your next Globetrotter game, wave signs, and proudly support the other team.