{"id":66,"date":"2008-01-16T15:59:42","date_gmt":"2008-01-16T22:59:42","guid":{"rendered":"http:\/\/www.talesfromthe.net\/jon\/?p=66"},"modified":"2008-01-16T15:59:42","modified_gmt":"2008-01-16T22:59:42","slug":"is-that-why-they-make-you-wait-till-youre-at-10000-feet-to-turn-computers-on","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2008\/01\/16\/is-that-why-they-make-you-wait-till-youre-at-10000-feet-to-turn-computers-on\/","title":{"rendered":"Is *that* why they make you wait till you&#8217;re at 10,000 feet to turn computers on?"},"content":{"rendered":"<p><a href=\"http:\/\/www.wired.com\/politics\/security\/news\/2008\/01\/dreamliner_security\">Boeing just <\/a><a href=\"http:\/\/www.reuters.com\/article\/reutersEdge\/idUSN1611736420080116\">announced another delay for the 787<\/a>, its second or third so far depending on who you believe, so I wanted to go back to a story <a href=\"http:\/\/www.wired.com\/politics\/security\/news\/2008\/01\/dreamliner_security\">Kim Zetter reported<\/a> a few weeks ago on the Wired Threat Level blog:<\/p>\n<blockquote><p>Boeing&#8217;s new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane&#8217;s control systems, according to the U.S. Federal Aviation Administration.<\/p>\n<p>The computer network in the Dreamliner&#8217;s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane&#8217;s control, navigation and communication systems, an FAA report reveals.<\/p><\/blockquote>\n<p>Wow.  This is a really basic mistake &#8212; and a great example of the kinds of risks we discuss in the National Academies\/CSTB report  <a href=\"http:\/\/www7.nationalacademies.org\/cstb\/pub_dependable.html\">Software for Dependable Systems: Sufficient Evidence<\/a>?  Of course one of the excellent things about the avionics certification process is that the FAA does an analysis of the &#8220;special conditions&#8221; for new designs and publishes its findings (<a href=\"http:\/\/frwebgate6.access.gpo.gov\/cgi-bin\/waisgate.cgi?WAISdocID=486816490816+0+0+0&amp;WAISaction=retrieve\">in the Federal Register<\/a>, no less; a good example of the transparency we call for).   According to Kim&#8217;s article, they&#8217;ll deny certification to the 787 until this is fixed &#8211; and well they should.<\/p>\n<p><!--more-->Boeing&#8217;s response doesn&#8217;t seem to me like they&#8217;re acknowledging the problem:<\/p>\n<blockquote><p> Boeing spokeswoman Lori Gunter said the wording of the FAA document is misleading, and that the plane&#8217;s networks don&#8217;t completely connect.<\/p>\n<p>Gunter wouldn&#8217;t go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as &#8220;air gaps,&#8221; and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn&#8217;t want to discuss in public.<\/p>\n<p>&#8220;There are places where the networks are not touching, and there are places where they are,&#8221; she said.<\/p><\/blockquote>\n<p>Sounds to me like they&#8217;re connected.  In my opinion (and I&#8217;ve heard other security experts say the same), relying on software firewalls or even hardware firewalls for protection in a situation like this is appallingly insufficient.  And yes, I do feel strongly about this.<\/p>\n<p>How&#8217;d that get through QA?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Boeing just announced another delay for the 787, its second or third so far depending on who you believe, so I wanted to go back to a story Kim Zetter reported a few weeks ago on the Wired Threat Level blog: Boeing&#8217;s new 787 Dreamliner passenger jet may have a serious security vulnerability in its [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[105,286,287,303,313],"class_list":["post-66","post","type-post","status-publish","format-standard","hentry","category-professional","tag-dependencies","tag-qa","tag-quality","tag-risk","tag-security"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/66","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/66\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=66"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=66"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}