Date: 2017-06-26
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexander Bolshev)


Several years ago we made a security assessment of SCADA & ICS mobile clients. We reviewed remote HMIs, historian and MES clients and even PLC configuration and programming applications for your Android smartphone. The results were a little scary: among all reviewed apps, only one(!) was without major security flaws. At that time a mobile SCADA client was a kind of caprice; however, now, with the widespread IoT, which has even touched ICS infrastructures, more and more vendors are starting to create mobile applications for their industrial software and hardware.

In this talk we want to make another review of the current status of mobile applications for ICS systems. One task is to compare the security of today's applications and how it has changed compared with previous years. Also, we will discuss the most common vulnerabilities in such systems, focusing mainly on the risks that arise from using mobile apps in your industrial infrastructure. At the end of the talk, possible attacks on ICS infrastructure through a compromised smartphone with a mobile SCADA/whatever client will be shown, along with a discussion of whether it is SAFE to allow mobile applications to interact with your ICS infrastructure. Also, we will provide detailed statistics of the flaws found and of invalid security (& safe!) approaches.


Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexander Bolshev)

  1. 1. SCADA & Mobile in the IoT age Alexander ‘dark_k3y’ Bolshev Ivan ‘Steph’ Yushkevich
  2. 2. ; cat /dev/user 2 • Alexander ‘@dark_k3y’ Bolshev – Security Consultant @ IOActive, Ph.D. • Ivan ‘Steph’ Yushkevich: – Security Auditor @ Embedi
  3. 3. The story so far… • The story began back in 2015, when we made the first iteration of this research. • We reviewed 20 applications and all of them had at least one security issue 3
  4. 4. Time changes things… • In 2014-2015, the mobile apps for SCADA still looked a bit eccentric, but now, with the all-round IoT and IIoT (Industrial IoT), they became part of ICS landscape. • So we had a question to be answered: what has changed during these two years? Sources: https://ciowatercooler.co.uk/wp-content/uploads/2017/02/IIoT-Are-We-Ready.jpg https://www.forbes.com/forbes/welcome/?toURL=https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016
  5. 5. Why are we doing such research? This research is neither about something fundamentally new nor it is another “state of art” exploit. It’s just a review of 32 applications security state. So why to do it? • It allows getting the picture of current understanding of security by developers • It keeps us in a good shape in the mobile security area • Just coz we can! 5
  6. 6. Agenda • Introduction & Previous research • Agenda • ICS 101 • Mobile SCADA applications & Typical threats • Testing approach & OWASP Top 10 Mobile • Applications to be reviewed • Discovered Issues • Interesting & funny things • Conclusion 6
  7. 7. ICS 101 7
  8. 8. From 101: What is ICS? • ICS stands for Industrial Control System • Today, ICS infrastructures are commonly used in factories, plants, and even in your house, too! • ICS collects data from remote stations (also called field devices), processes them and uses automated algorithms or operator-driven supervision to create commands to be sent back. Source: https://en.wikipedia.org/wiki/Industrial_control_system
  9. 9. Industrial Control System. Image sources: Vulnerabilities in Industrial Control Systems | Nikoloz Kokhreidze (https://media.licdn.com/mpr/mpr/p/6/005/0a1/25d/08578a9.jpg) https://www.averna.com/wp-content/uploads/2016/08/industrial-control-panel-700px.jpg http://sse.com/ImageGen.ashx?image=/media/252742/Apprentice-Power-at-Fiddlers-Ferry2.jpg&compression=70&width=800
  10. 10. Typical ICS Infrastructure [Diagram with the levels Plant, Field and Process. Labels: Corporate network, ERP, MES, Routers/Firewalls, OPC, SCADA, HMI, AMS, PLC1, PLC2,3…, PLC7,8…, Industrial bus(es), Field devices]
  11. 11. ICS 101 Terms • Transmitters/RTUs – work with real world objects and parameters • PLC (Programmable Logic Controllers) – digital system used for automation of typically industrial electromechanical processes • SCADA – systems operating with coded signals over communication channels to provide control over remote equipment • OPC – Open Platform Communications • HMI – Human-machine interfaces • MES – Manufacturing execution system
  12. 12. MOBILE SCADA APPS TYPICAL THREATS 12
  13. 13. App types • Remote (access from Plant/Internet): MES clients; Remote SCADA clients; Remote alert applications • Local (access from Field/Process): PLC configuration/interaction app; SCADA client; Mobile HMI panel; OPC/Historian client
  14. 14. Mobile apps in ICS landscape [Diagram. Labels: Internet, Corporate Network, PLCs…, HMI, SCADA servers, Remote SCADA client, Local Mobile app, Field&Process]
  15. 15. Local applications • Direct configuring/monitoring/supervising industrial process and/or its components • Several types: – PLC configuration/interaction app – SCADA client – Mobile HMI panel – OPC/Historian client • Device where application is running is placed inside “safe” (at least firewalled and separated) control room network • Application has direct full or partial view and/or control of industrial process
  16. 16. Remote applications • Applications that allow remote (outside of safe perimeter or even plant network) monitoring/controlling of the industrial process • For ALL applications in this group, we found pictures/schemes/architecture sketches/documents from a vendor where the mobile app is shown as a remote control client outside of the industrial network
  17. 17. Typical threats • Unauthorized physical/“virtual” access to device: Smartphone/tablet loss; “Unlocked phone on the table”; SDCARD data compromise; Application data compromise by other app • Communication channel compromise (MITM): Fake WiFi/GSM AP; Public AP/network; Private network compromise; VPN compromise • Application compromise: ACL problem, RCE or data leak on backend; Various client vulnerability
  18. 18. Common attack vectors (I) • Control over industrial process • Send data that in the end will be passed to the field network and directly or indirectly through incorrect ACLs or insufficient input data validation
  19. 19. Common attack vectors (II) • “Compromising” of SCADA operator by creating a false view over industrial process, e.g. by tricking him into controlling the system using a modified or fake HMI panel. Original pic source: http://www.smartcityexpo.com/new_products/-/newness/955751/Afcon-s-Pulse-Mobile-2-0-for-cities?return=microsite
  20. 20. TESTING APPROACH OWASP TOP 10 MOBILE 20
  21. 21. Testing approach • The testing approach was nearly the same as in the 2015 research: Analysis and filling ‘Test checklist’ → Client fuzzing (with a little help of server) → Deep analysis with reverse-engineering (if needed)
  22. 22. Checklist • Application: Purpose of app (SCADA/HMI/PLC/OPC/etc.); Permissions; Password protection; Intents; Native code; Code obfuscation; Web-based components • Protocol: Authentication; Tokens/cookies/sessions; TLS/SSL setting; XML; Server APIs • Storage: Connection strings/passwords; Data/Projects/HMI interfaces etc.; Encryption and signing • Other issues
  23. 23. OWASP TOP 10 Mobile 2016 • M1 - Improper Platform Usage • M2 - Insecure Data Storage • M3 - Insecure Communication • M4 - Insecure Authentication • M5 - Insufficient Cryptography • M6 - Insecure Authorization • M7 - Client Code Quality • M8 - Code Tampering • M9 - Reverse Engineering • M10 - Extraneous Functionality. Source: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
  24. 24. Tools used • Android: dex2jar, androbugs, MobSF • Instrumentation: Frida • Fuzzing: erlamsa & radamsa • Reverse-engineering: IDA Pro, Hopper, jd-gui, radare2, bytecodeviewer • Protocol analysis: Wireshark, ProxyDroid, BurpSuite, Erlamsa built-in proxy • Other: evilarc, various Modbus/PLC/etc. server simulators
  25. 25. APPS TO BE REVIEWED 25
  26. 26. Apps list: 32 applications CyBro Mini Scada ELLAT SCADA HMI MASTER MODBUS ISWvis Mobile HMI Droid BACnet Explorer MiScout/CONN ECT24•7 Movicon Web Client OPC XML DA Explorer Pro-face Remote HMI Prosys OPC UA Client BACnet HMI HMI5 WHS Live (Light) EisBaer SCADA 2.1 HMI LOGO! OBA7 Premium HMI Mobile Fernhill Scada Scada Touch Lite Movicon.NExT Web Client TeslaSCADA2 Runtime PLC Viewer TeslaMulti SCADA S7 PLC HMI Lite SIMATIC S7 PLC-5 HMI Express iPlc - Android Modbus HMI Micro SCADA Pocket IGSS Mobile Easy SCADA And Home Automation weMX HMI/SCADA MELSOFT MC Mobile Siemens LOGO! App 26 Remote Local
  27. 27. FOUND ISSUES 27
  28. 28. Final Results 28
  29. 29. Final Results
      M  | OWASP M10 category/type  | Vulns | % of Apps
      1  | Improper Platform Usage  | 3     | 9%
      2  | Insecure Data Storage    | 20    | 62%
      3  | Insecure Communication * | 11    | 34%
      4  | Insecure Authentication  | 6     | 18%
      5  | Insufficient Cryptography| 8     | 25%
      6  | Insecure Authorization   | 20    | 63%
      7  | Client Code Quality      | 10    | 31%
      8  | Code Tampering           | 30    | 94%
      9  | Reverse Engineering      | 17    | 53%
      10 | Extraneous Functionality | 7     | 22%
         | Backend bugs*            | 5     | 9%
  30. 30. M1: Improper Platform Usage • Violation of published guidelines. • Violation of convention or common practice. • Unintentional Misuse. Or just: 30
  31. 31. Old Xamarin? => DLL Hijack! • Several apps had an old Xamarin engine version (below 5.1). • This leads to the execution of arbitrary code in the app context by storing malicious DLLs in <SDCARD>/Android/data/app_id/files/.__override__/ • 4 of 32 reviewed apps have this vulnerability
  32. 32. Improper Export of App Components
      dz> run app.provider.finduri ********************.scada
      Scanning ***********.scada...
      content://***********Provider/objects
      ...
      content://***********Provider/settings
      ...
      $ content query --uri content://***********Provider/settings/
      Row: 0 startscreen=0, res2=, certificate=******Scada, username=User, timeinterval=1000, adminpass=123, res1=1, userpass=, debug=1, _id=1, orientation=512, adminname=Admin
      Using <uses-sdk minSdkVersion="9">? Got all providers exported by default!
  33. 33. M2: Insecure Data Storage • HMI projects – passwords, IPs, configuration of whole controllers • Config files • Logs • Export/import data – From logs to projects, in some cases there are no other options. • …application libraries. Impact – stealing configs
  34. 34. Insecure Data Storage Sometimes not even try: Official documentation. 34 Storing projects and configs on SD card.
  35. 35. M3: Insecure Communication • Modbus, TCP – for local applications. No security, 50/50 credentials transferred. • Own protocol based on TCP – RA, encryption in most cases. • HTTP – RA, no security. • HTTPS – RA. Problems in certificate pinning. [Chart: Secure connections. Legend: L insecure, R insecure, L/R secure]
  36. 36. HTTPS->HTTP downgrade • Cannot connect using HTTPS due to the wrong server certificate? Let’s downgrade connection to HTTP!
  37. 37. Insecure Communication (SSL pinning) • 3 shades of pinning: 1) It is. Normal 2) No pinning. Bad, but no illusions. 3) “Own” realization. Worst. False illusions. • Only 10% have certificate pinning
  38. 38. Insecure Communication
      “Normal”:
          if (array[0].getIssuerX500Principal().getName().contains("***** SCADA")) return true;
      “Wrong”:
          private KeyPinStore() throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
              CertificateFactory cf = CertificateFactory.getInstance("X.509");
              InputStream caInput = new BufferedInputStream(MainActivity.context.getAssets().open("CA.crt"));
              Certificate ca;
              …
      https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
  39. 39. FTP project upload • Why not use FTP for uploading projects to the device? It has password, should be completely secure! 39
  40. 40. M4: Insecure Authentication • Storing passwords on a device • Password is not required to get access to a device/server • Transferring password in clear text via insecure protocol (HTTP) Impact – device lost, traffic sniffing in network 40
  41. 41. M5: Insufficient Cryptography • Using hardcoded passwords/keys/IVs – Array.Copy(Encoding.UTF8.GetBytes("fldsjfodasjifu dslfjdsaofshaufihadsf"), 0, array, 0, this._writer.BlockSize); 41
  42. 42. IVs directly from StackOverflow 42
  43. 43. Client Code (IN)Quality 43
  44. 44. M6: Insecure Authorization • Lack of password protection • IDORS – uncommon, case must be “account” management. In most applications there is a single user that is administrator. • Hidden endpoints are so hidden. • Role managements … as mentioned user=administrator. 44
  45. 45. M6: Password protection Get access to the device direct actions. • Not being stolen – no warnings • Easy get access to configs Password protection: • App access(only) • No pass, but every time one must enter password to connect – RA. • All encrypted with pass/pin. If you forget it, say hello to new configs… 45
  46. 46. M7: Client Code (IN)Quality • DoS – During communication – Project open – Wrong key pushing – Everywhere • RCE – Even HTTP server in your app! 46
  47. 47. M7: Client Code (IN)Quality • Handle exceptions in 2k17 47
  48. 48. Client Code (IN)Quality Custom HTTP Server in native code? Denial of service! 48
  49. 49. Client Code (IN)Quality • Transferring/storing WHATEVER using ZIP? What can go wrong when you try to unpack?... Everything
  50. 50. Typical code with ZIP unpacking
      Somehow the application gets a ZIP archive and tries to unpack it:
          localZipInputStream = new ZipInputStream(new BufferedInputStream(new FileInputStream(filename)));
          ZipEntry localZipEntry = localZipInputStream.getNextEntry();
          str = localZipEntry.getName();
          // the entry name is appended to PATH unchecked, so "../" in it leaves the app directory
          localFileOutputStream = new FileOutputStream(PATH + str);
          localFileOutputStream.write(arrayOfByte, 0, i);
      1) Supposed to be: zipEntry=data.png, Output=/sdcard/App/data.png
      2) Also can be: zipEntry=../App2/data.png, Output=/sdcard/App/../App2/data.png
  51. 51. Typical code with ZIP unpacking • https://github.com/ptoomey3/evilarc [Diagram: the app gets its HMI config as App.zip, containing Entry 1: ../App2/app.xml and Entry 2: config.json; resulting files: /App1/config.json and /App2/app.xml]
  52. 52. Typical code with ZIP unpacking 52
  53. 53. Client side injection • Create adaptive UI web app • Put WebView in app • … • FAIL – HTTP – “Nothing to hide” – JS – “Popping alert boxes for fun and profit” – CORS – “Share your settings” – file:// - you can view files even without Total commander 53
  54. 54. Client side injection • Several applications get pure HTML code from the backend that goes unfiltered into the application WebView, e.g.: [screenshots] • For additional convenience, the app on the screenshots uses Apache Cordova and an HTTP-only backend connection!
  55. 55. M8: Code Tampering Rooted device – “with great power comes great responsibility” © Spider-man It’s good NOT to run it on rooted device, to decrease attack surface. It’s bad because USABILITY may decrease in this case. Tradeoff. 55
  56. 56. M9: Reverse Engineering Code obfuscation. + Easy to turn on + Complicates researching + Easier to hide bugs 56
  57. 57. M10: Extraneous Functionality • Typical application rights: – Internet access – R/W external storage (Optional) – Gather some stats: BATTERY_STATS, VIBRATE • Rights, rights everywhere:
      android.permission.BLUETOOTH_ADMIN
      android.permission.GET_ACCOUNTS
      android.permission.USE_CREDENTIALS
      android.permission.MODIFY_AUDIO_SETTINGS
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_COARSE_LOCATIO
      android.permission.READ_LOG
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.C2D_MESSAGE
  58. 58. Bonus!: Server side bugs In most cases – typical web applications. • SQL injections • Directory traversal • Arbitrary file reading • XML injections • DOS • Tons of other OWASP TOP 10 stuff 58
  59. 59. Server side bugs (SQL injections) Where to find? • BackEnd’s • Main sites 59
  60. 60. Server side bugs (Traversal) Lack of authorization allows unauthorized user to read schemes… and all the files on remote host. 60
  61. 61. Server side bugs Only today – find one crash,get second for free! 61
  62. 62. INTERESTING & FUNNY THINGS 62
  63. 63. Bonus 2.0: Getting demos • Some demo applications are nothing but “useless trash”. If it was needed, we would have bought an app to see the difference. • We also got some demo servers and software to create our own projects. Sometimes it is not so easy: – Any documentation? How can I create a project? “Too long to describe, we offer seminars to train the tool.” – Seems the app uses a different port than the dev software. – How can I upload a project to my device? Use USB, put it on SD card. • These are rather exceptions: many vendors are willing to help you understand how their apps and dev tools work.
  64. 64. “C00l UI” 64
  65. 65. CONCLUSION 65
  66. 66. Best approaches* • Make unit tests for app and backend • Password/pin protection – do not store them on a device • Try not to put anything on SDcard • Encrypt all communications • Catch exceptions • Limit rights • Obfuscation and root detection are friends • Good examples: Siemens LOGO! and S7 applications. 66
  67. 67. Conclusions • 2 years passed… and things have changed: – ~50 issues in 20 apps in 2015 – ~130 issues in 32 apps in 2017. • Things became WORSE. • >20% of discovered issues allow “compromising” of operator or direct/indirect influence against industrial process. • In 2015 we wrote: “SCADA and ICS comes to the mobile world recently, but brought old approaches and weaknesses. Hopefully, due to the rapidly developing nature of mobile software, all these problems will soon be gone” • That was a mistake. What could we say here? Just .
  68. 68. QUESTIONS? 68
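Slides 50-51 show ZIP entry names being appended to the target path unchecked. The following is an added example, not code from the talk or from any reviewed app: a hardened extraction routine that canonicalises each target and rejects entries resolving outside the destination directory. The class name `SafeUnzip`, the size limit and the sample archives are assumptions constructed for the demonstration; `main` runs on a desktop JVM.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {
    // Constructed limit for the example; size it to real project archives.
    static final long MAX_TOTAL_BYTES = 50L * 1024 * 1024;

    /** Extracts the archive into destDir; any entry resolving outside destDir aborts the run. */
    static int extract(InputStream in, File destDir) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        long total = 0;
        int count = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                File out = new File(destDir, e.getName());
                // Canonicalisation collapses "../", so the prefix check sees the real target.
                if (!out.getCanonicalPath().startsWith(root)) {
                    throw new IOException("entry escapes target dir: " + e.getName());
                }
                count++;
                if (e.isDirectory()) {
                    if (!out.isDirectory() && !out.mkdirs()) throw new IOException("mkdir failed");
                    continue;
                }
                File parent = out.getParentFile();
                if (!parent.isDirectory() && !parent.mkdirs()) throw new IOException("mkdir failed");
                try (OutputStream os = new FileOutputStream(out)) {
                    int n;
                    while ((n = zis.read(buf)) != -1) {
                        total += n;   // bound the unpacked size to stop decompression bombs
                        if (total > MAX_TOTAL_BYTES) throw new IOException("archive too large");
                        os.write(buf, 0, n);
                    }
                }
            }
        }
        return count;
    }

    /** Builds a constructed in-memory archive with the given entry names. */
    static byte[] sampleZip(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("constructed sample".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("App1").toFile();
        extract(new ByteArrayInputStream(sampleZip("config.json")), dest);
        System.out.println("config.json extracted: " + new File(dest, "config.json").isFile());
        try {  // same entry layout as the archive on slide 51
            extract(new ByteArrayInputStream(sampleZip("../App2/app.xml", "config.json")), dest);
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```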
