×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hackers Broke Into FAA Air Traffic Control Systems

CmdrTaco posted more than 4 years ago | from the those-pesky-nigerian-royals dept.

Security 124

PL/SQL Guy writes "Hackers have repeatedly broken into the air traffic control mission-support systems of the US Federal Aviation Administration, according to an Inspector General report sent to the FAA this week, and the FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said. Intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities. In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, 'including critical incidents in which hackers may have taken over control' of operations computers, the report said."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

124 comments

I guess this is what happens (5, Funny)

Anonymous Coward | more than 4 years ago | (#27881451)

when 4chan goes down for a week. Seems that keeping that site running is a matter of national security!

Someone call Jack Bauer (5, Funny)

Anonymous Coward | more than 4 years ago | (#27881485)

They have the CIP device.

Re:Someone call Jack Bauer (2, Interesting)

PolygamousRanchKid (1290638) | more than 4 years ago | (#27881985)

Sorry, Jack is in the slammer, for head butting some dude "to protect Brooke Shields' honor," or something like that: http://edition.cnn.com/2009/SHOWBIZ/TV/05/07/sutherland.charged/index.html [cnn.com]

Truly bizarre . . . an impromptu alcohol fueled celebrity involuntary nose job.

Re:Someone call Jack Bauer (0)

Anonymous Coward | more than 4 years ago | (#27882585)

Wow. Imagine his embarassment at learning he'd beaten up a gay guy!

Re:Someone call Jack Bauer (2, Funny)

Anonymous Coward | more than 4 years ago | (#27883503)

I hadn't heard the guy ran Mac.

Counterattacks - US Military Strikes Possible (1)

maz2331 (1104901) | more than 4 years ago | (#27882717)

The Times of India has a story about this. FTA:

"Gen Kevin Chilton, who heads US Strategic Command, said he worries that foes will learn to disable or distort battlefield communications.

"Chilton said even as the Pentagon improves its network defences against hackers, he needs more people, training and resources to hone offensive cyber war capacity. At the same time, he asserted that the US would consider using military force against an enemy who attacks and disrupts the nation's critical networks."

Basically, they are considering dispatching air strikes or commando raids at hackers if they can identify their identity and location.

(What could POSSIBLY go wrong there...)

Re:Counterattacks - US Military Strikes Possible (0)

Anonymous Coward | more than 4 years ago | (#27885395)

Why didn't you start a separate thread on this?

Or is Chilton in 24 now?

Re:Counterattacks - US Military Strikes Possible (1)

grcumb (781340) | more than 4 years ago | (#27885729)

Basically, they are considering dispatching air strikes or commando raids at hackers if they can identify their identity and location.

Cool, so this means that my NUKE FROM ORBIT button will finally work?

Question (3, Funny)

grassy_knoll (412409) | more than 4 years ago | (#27881499)

Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

Seems like from TFA [cnet.com] they're not:

The attacks so far have primarily disrupted mission-support functions, but attacks could spread over network connections from those areas to the operational networks where real-time surveillance, communications and flight information is processed, the report warned.

Re:Question (1)

FooAtWFU (699187) | more than 4 years ago | (#27881615)

I'm not a huge fan of the "air gap!!!!1" solution. Sure, it's simple, but for things like air traffic control, you need to have systems which aren't right next to each other, talk to each other, sooner or later, and that means networking. And if the stuff is spread out, sooner or later it can be compromised. And when that happens you still need real security measures behind it. (Including OS security updates, which non-internetted machines have a nasty habit of missing.)

Re:Question (5, Insightful)

Rich0 (548339) | more than 4 years ago | (#27881859)

I believe in defense in depth. Even though the guards inside the castle may be trained to password challenge everybody walking around and check coats of arms, it never hurts to raise the drawbridge when there isn't anybody using it and there is a besieging army.

Sure, have firewalls all over the place, but any route into and out of the network itself needs to be HIGHLY secure. NOTHING goes IN or even OUT without a reason. Nothing wrong with the airport having a flight status board, but you have the ATC central database polled by some central server which generates an xml digest of the important info and have it dump that data across a serial line (transmit only) to another server which then puts it onto a webserver which the airports can parse. Flight plan requests come into some intermediate server on the internet (but well secured). That server validates the requests and sends xml files to some intermediate server (perhaps over serial) which otherwise isn't on any network. That server re-validates the input and then makes it available to a more trusted server that then does the application logic.

Of course the internal network has a firewall at every WAN connection that only passes the minumum defined data to make the system work. That still doesn't mean that you shouldn't keep the actual traffic on the mission critical network down to the minumum necessary. There shouldn't be a single packet on that ATC network that doesn't originate from an FAA-validated piece of software. Any connection to the outside should be sanitized, and they should be few in number.

This isn't about being smarter than the hackers - it is about being thorough and having a fully specified architecture.

Re:Question (1)

ender- (42944) | more than 4 years ago | (#27882287)

Thank you for posting that. It seems like a valid, workable solution, that still for the most part takes advantage of the cost-savings by using modern products. There's definitely secure ways to handle their computing needs without it opening the network up to every script kiddie that comes along. Yes, it will cost a bit more than just buying a bunch of computer and networking gear off the shelf, but it can be every bit as secure as the previous setup, while being much cheaper to implement and maintain.

I haven't read the articles, just the summary but I have to say, using non-proprietary hardware/software doesn't make it any less secure than the proprietary stuff that was used in the past. What makes it less secure is that it wasn't properly designed. Those proprietary systems were designed to be secure, not just slapped together and thrown up.
Only 11 sites were using IDS? Did they hire a bunch of mafia-connected eastern European hackers to design their system?

Re:Question (2, Insightful)

Absolut187 (816431) | more than 4 years ago | (#27882341)

True they need to talk to other towers. But each tower should have at least one failsafe system that is totally offline that can at least handle the local critical stuff.

I would think that would be basic common sense...?

Re:Question (1)

ImYourVirus (1443523) | more than 4 years ago | (#27885459)

That can still be done, even without the internet. Sure it may take some more time, but it still can be done. Besides I don't really see why they would need updating if they are never going to be on the internet. Just a thought...

Re:Question (1)

Reece400 (584378) | more than 4 years ago | (#27881683)

While these systems obviously need to be connected to a network, I really can't see the need for connection to a public network, or even their internal company network.

They should have a separate, secured network for these systems to communicate with each other. I can see the convenience of management/support staff having access to these networks, but it's clearly not worth the risk.

Re:Question (4, Informative)

Anonymous Coward | more than 4 years ago | (#27881875)

Trust me, any NAS equipment doesn't remotely come close to the public network. This article is misleading as they are talking about websites that 'aid' in landing aircraft. Trust me, these websites don't land aircraft.

Re:Question (2, Funny)

dangle (1381879) | more than 4 years ago | (#27882117)

Posting to delete accidental mod "funny" instead of "informative." I've only had one drink, sorry.

Re:Question (1)

Starlon (1492461) | more than 4 years ago | (#27885649)

You are right. Humans still do the landing with computer aid, and these critical computers are not connected to an accessible network.

Re:Question (2, Informative)

boaworm (180781) | more than 4 years ago | (#27882955)

Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

I'm honestly not sure. I work with ATC, although not in the US. The systems I have installed (Europe and Asia) have all been closed systems, there are very few physical connection between the servers and software working on radar- and flight data, and any equipment used to communicate externally.

Almost all communication is done via VCCS equipment (radio etc), so the controllers have screens with radar- and flight data, and separate screens and terminals for external data, such as flight plan processing terminals.

But since the US is large, and one authority is in charge of it all, I guess they saw the need for interconnectivity. Still, many things don't need to be interconnected anyway, and the networks are often easily fragmented so that the few systems being exposed to public networks are isolated from the important ones.

Re:Question (1)

jddj (1085169) | more than 4 years ago | (#27885129)

Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

Won't help. The 12AX7s the air traffic control system ENIAC runs on are microphonic. Brings a whole new meaning to the term "ping" ;)

Yes, I'm old. You will be too - if you're lucky.

The sky fell. (0)

Anonymous Coward | more than 4 years ago | (#27881505)

windows is going to kill everyone, I keep tripping on these winged pigs.

We need John McClane (0)

Anonymous Coward | more than 4 years ago | (#27881507)

Seriously WTF

The was a coordinated hacker protest (-1, Troll)

Anonymous Coward | more than 4 years ago | (#27881529)

Against requiring fatties to pay for 2 seats.

Re:The was a coordinated hacker protest (0)

Anonymous Coward | more than 4 years ago | (#27885897)

I think they should have to pay for all three.

Then use IPv6. (4, Insightful)

jd (1658) | more than 4 years ago | (#27881569)

It's non-proprietary, the applications should work just fine, but most skript-kiddies don't have any idea on how to set up the necessary tunnels. It's also designed from the start to be secure, IPv4 has had all security back-ported in.

Also, use Active IDS, not passive. It's no good telling the operators that the last three planes crashed into a mountain because a system cracker decided it would be fun to use the radar computer for a game of Netrek. You're much better off by detecting the intrusions in real-time and countering them right then. Particularly if actual mission-critical systems are being broken into.

Third, Stop Using Windows! Gaah! The chances are that the software can be modded to work under Linux or OpenBSD just fine.

Re:Then use IPv6. (1)

Rich0 (548339) | more than 4 years ago | (#27881771)

The only issue with an Active IDS is having zero false positives. You don't want some TRACON to go down when some IDS update causes a router to alarm and shut down JFK approach with 18 aircraft enroute to final on 3 runways.

Re:Then use IPv6. (1)

jd (1658) | more than 4 years ago | (#27883007)

That's very true. As things stand, though, that could potentially happen through computer misuse and (to judge from TFA) the level of security breeches already makes this a practical possibility.

It's a question of choosing the least-worst option, since all options are going to have problems. The solution they are actually migrating to (a totally insecure option) is the worst possible world, so all others will be at least equal and probably better.

Now, there are many approaches to Active IDS, some more likely to meet your requirements than others. Let's say, for example, that all authorized connections must use strong authentication and must use IPSEC (or S/WAN, or some other authenticated encrypted communication system of your choosing). The IDS can then look for any other type of connection and slam the door on it.

eg: It's unlikely that a legit connecting server is going to do a portscan or use source-based routing. Those would be obvious ones for an Active IDS to look for. If you require SASL2 for authentication, then any stream that doesn't start with a layer 7 connection showing a suitable authentication request is much more likely rogue than innocent.

Equally, if you mandate that all FCC computers must be Unix/Linux, then any passive OS fingerprint showing that an incoming connection is from a Windows box is also going to be a hostile. (The same is true in reverse. If you mandate Windows, and passive fingerprinting shows the remote connection is from OS/X, you know immediately that it's not from one of the Good Guys.)

So, I think Active IDS can get zero false positives (although it may get non-zero false negatives under some circumstances), if the specification for how things are done is good enough and actually followed.

Re:Then use IPv6. (1)

turbidostato (878842) | more than 4 years ago | (#27884055)

"Let's say, for example, that all authorized connections must use strong authentication and must use IPSEC (or S/WAN, or some other authenticated encrypted communication system of your choosing). The IDS can then look for any other type of connection and slam the door on it."

And here we have a glaring example of the "buzzword du-jour". "active IDS" in this case. Let's say, for example, that all authorized connections must look like X. Then you don't need "active IDS" you just don't open these kinds of connections and that's all. For each and every case you can spout a precise a priori diagnostic factor, you don't need "active IDS". The "active" part is to deal with the unpredicted. Now: two things:
1) What the hell is doing some unpredicted traffic pattern on a highly secured network? No need for "active nothing" then.
2) On a highly secured network will you really allow for an unmanned software to take decisions out of a software developed by somebody that wasn't able to foresee such situation (or else no need for the "active" part)?

"Active nonsense" are only of use on so uncritical paths that even thinking on the risks would be more expensive than some "after the fact" action so you allow for the machine to make the decision since it's faster and cheaper than a human's one. That, or a dumb CIO did believe the infomercial on bright brouchers after the golf round from the vendor, of course.

Re:Then use IPv6. (4, Insightful)

raddan (519638) | more than 4 years ago | (#27882087)

Air traffic control systems should not be connected to the Internet. Period. Use of IPv4 as a messaging system in that case should be fine-- because all that address space will be private.

I love OpenBSD. We use it everywhere at work. But our computers do not control airplanes. A general-purpose OS is appropriate in the kind of environment where you have hard real-time limits and where bounds-checking errors have the potential to kill lots of people. This is a case where rolling-your-own is actually a good idea, and worth the money.

If you're trying to decide what kind of IDS to put on your air-traffic-control net, you need to back up and undo some of your decisions.

Re:Then use IPv6. (1)

jd (1658) | more than 4 years ago | (#27883061)

Well, yes, arguably you are correct on all points.

Ok, for the absolutely rigorous, there ARE pared-down versions of Linux which are considered "carrier-grade" and even one or two that are "FCC-approved" for limited applications. It's also hard to get a general-purpose OS to respect Hard Real-Time, the best you can really get is Soft Real-Time.

But aside from a couple of minor exceptions and a quibble over the real-time, yes, mission-critical systems should NOT be on the Internet. They should not even have USB slots or any other form of support for removable drives if they're running an insecure OS.

And, yes, I'd agree entirely that rolling your own under such circumstances is the wisest option.

However, the FCC wants open protocols and appears to want open networks. If we've got this as an a-priori constraint (and it's a typical PHB-sort of a-priori constraint), then the next step is to establish how to get it secure enough that even the morons running/ruining the FAA would be challenged to screw things up further.

Re:Then use IPv6. (0)

Anonymous Coward | more than 4 years ago | (#27883985)

Sorry. I have this annoying habit of leaving out word like NOT. A general-purpose OS is NOT appropriate here.

Posting AC because I'm on my cellphone.

No, use IBM's SNA . . . (4, Funny)

PolygamousRanchKid (1290638) | more than 4 years ago | (#27882473)

. . . it's proprietary, so no one, not even IBM, understands how it works.

The script kiddies will have to learn JCL. Have fun, you little rotten bastards!

And even if they manage to break into a machine, they will be confronted with z/OS ISPF . . . can they get their tn3270 sessions to work? Hee, hee! Find your PA1 key!

The best choice for a truly secure system, is to use some weird shit, that nobody else wants to use. And thus, there are not a lot of folks hacking about trying to poke holes in it.

Wait for a script kiddie post, on how to use nmap to probe for ports on LU6.2.

Re:No, use IBM's SNA . . . (1)

jd (1658) | more than 4 years ago | (#27882603)

JCL? You want the FAA to be prosecuted for crimes against humanity? You're sick! That's even more perverted than networking using X.25 PADs!

Re:No, use IBM's SNA . . . (0)

Anonymous Coward | more than 4 years ago | (#27885967)

You say that as though JCL were substantially worse to use/learn than JOVIAL ... which wikipedia says http://en.wikipedia.org/wiki/JOVIAL/ [wikipedia.org] is the language in which "the flight data processing program at the heart of the US and UK Air Traffic Control System" was written.

Frankly its hard to tell if OP was trying for funny-because-its-absurd or funny-because-its-practically-true.

Re:No, use IBM's SNA . . . (1)

Alex Belits (437) | more than 4 years ago | (#27883865)

The best choice for a truly secure system, is to use some weird shit, that nobody else wants to use. And thus, there are not a lot of folks hacking about trying to poke holes in it.

Yeah. So the only people that will try to break into that will be people who know it better than its admins. That will end well, indeed...

Remote Control (1)

Cult of Creativity (1548333) | more than 4 years ago | (#27881599)

Glad they don't have commercial planes with complete remote control. Or do they?

Re:Remote Control (-1, Troll)

Anonymous Coward | more than 4 years ago | (#27881813)

They do. That's how they did 911.

That was proposed. (3, Interesting)

Ungrounded Lightning (62228) | more than 4 years ago | (#27881977)

Glad they don't have commercial planes with complete remote control. Or do they?

That was proposed after 9/11 as a solution to hijacked planes. Remote control devices that could take over a hijacked plane, remotely, locking out control by those on board and allowing it to be landed safely. Remote devices strategically located at all major commercial airports - or at least those near high-value targets (which is pretty much all of 'em).

When the trial balloon went up it was soon pointed out that, with such a system, hijackers could use it to hijack the planes without even being on board. And the tech would be distributed to many locations (worldwide) from which it could be stolen.

Haven't heard much about it since. B-) Of course that means that it will fall off the mental horizon for decision makers and they might decide to do it after all. B-(

Re:That was proposed. (0)

Anonymous Coward | more than 4 years ago | (#27882101)

If such a device could be activated only by the pilot, it wouldn't be so unreasonable.

Re:That was proposed. (1)

Ungrounded Lightning (62228) | more than 4 years ago | (#27884217)

If such a device could be activated only by the pilot, it wouldn't be so unreasonable.

If such a device could be activated only by the pilot it would mean:
  a) The hijackers would keep the pilot from activating it as their first act upon storming the cabin.
  b) If it got activated the pilot, minimum, would be far more likely to be killed than if he had no hand in activating it.

Also: If such a device existed, even if it required activation by the pilot, malfunctions could lead to a non-controllable plane or a plane that is remotely-hijackable even without pilot consent.

Doing this all for the benefilt of the consumer! (-1, Offtopic)

TropicalCoder (898500) | more than 4 years ago | (#27881601)

"Consumers face potential identity theft, system failures and unrecoverable data loss," he said.

"Windows 7 will include new methods of protecting consumers from software piracy..."

"Customers want to know that they are using the genuine high-quality Microsoft product..."

"Counterfeit software delivers a poor experience and impacts customer satisfaction with our products..."

"Customers running genuine Windows Vista Service Pack 1 are protected from that experience."

"We see many cases of customers who wanted to buy genuine software and believed they did, only to find out later that they were victims of software piracy. We want to prevent that kind of thing in the first place."

"Windows Genuine Advantage [in] Windows 7 will make it harder to ignore repeated messages."

Williams also hinted at tools pitched at enterprises designed to improve and speed up company-wide systems authentication. "When customers see and use the tools we are providing to support Windows Vista and Windows 7 deployments, we think they will be impressed," he said.

Well that would explain (5, Funny)

mandark1967 (630856) | more than 4 years ago | (#27881603)

Why my last 4 flights arrived on time.

Re:Well that would explain (1)

Virtucon (127420) | more than 4 years ago | (#27881861)

Why my last 4 flights arrived on time.

That has more to do with the fact that the Airline doesn't want to pay for overtime...

Re:Well that would explain (0)

Anonymous Coward | more than 4 years ago | (#27882241)

Whoosh!

Re:Well that would explain (0)

Anonymous Coward | more than 4 years ago | (#27882365)

My airline employer seems more interested in paying me double time overtime al over the place rather than hiring additional staff at normal pay rates...

I usually laud hacker hijinks (3, Insightful)

Taibhsear (1286214) | more than 4 years ago | (#27881637)

As it tends to enlighten people to the necessity of better computer security... but when it involves things like airport control towers and hospital equipment and files it is totally not cool.

Re:I usually laud hacker hijinks (1)

YourMissionForToday (556292) | more than 4 years ago | (#27881901)

As it tends to enlighten people to the necessity of better computer security... but when it involves things like airport control towers and hospital equipment and files it is totally not cool.

Yeah, it's "totally not cool." Just like drinking the last beer. Or wearing a Nehru jacket. Dude, they crashed a plane into the World Trade Center, I might just have to leave a note on the fridge next time.

Re:I usually laud hacker hijinks (1)

NewbieProgrammerMan (558327) | more than 4 years ago | (#27881903)

I dunno...do you really think they'd have addressed things like "only 11 out of hundreds" of facilities having intrusion detection measures unless somebody did this?

Re:I usually laud hacker hijinks (2, Informative)

pjt33 (739471) | more than 4 years ago | (#27881949)

Hacking into government computers is old hat. I'm more concerned that someone seems to have hacked /. and changed the front page to be an RSS feed.

Re:I usually laud hacker hijinks (0)

Anonymous Coward | more than 4 years ago | (#27882547)

Oh come on now. That would never happen.

Re:I usually laud hacker hijinks (0)

Anonymous Coward | more than 4 years ago | (#27882639)

Well, at least it wasn't a hijacker.

Re:I usually laud hacker hijinks (1)

felipekk (1007591) | more than 4 years ago | (#27883031)

Yeah, it is not cool, but if it weren't for them, those systems would be left untested and, probably, insecure.

As long as they keep testing without killing anyone or causing major financial losses...

This is Crazy (1)

Clipless (1432977) | more than 4 years ago | (#27881695)

This was just a partial look at the ATC's systems and these are the kinds of numbers that come up?

"Our test identified a total of 763 high-risk, 504 medium-risk, and
2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical
file folders."

This is just unacceptable, and I bet this get little to no mainstream media attention.

Quick, throw money at the problem (0)

Anonymous Coward | more than 4 years ago | (#27881741)

Fact is they can fly planes into buildings by gaining access with box cutters. This is more pre-budget fear mongering for the new 'Cyber-Security Czar' and bureaucracy.

Ineptitude (4, Informative)

s-whs (959229) | more than 4 years ago | (#27881767)

increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said.

That's what's usally called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.

From what I've read about air-industry people in the US they are no different from in the Netherlands: People who almost invariable have a superiority complex and think they're doing tremendously important work while not having justify why they make so much noise, are so inept at sound calculations (dBA which is pointless for noise as related to annoyance, contrary to Sone for example), produce reports with incorrect units (upper and lower case wrong showing they don't have a proper education in elementary physics) etc.

Recently small aircraft were prohibited from flying near Schiphol. Reason was transponders are now in all of them, the LVNL (dutch airtraffic control) couldn't handle all those signals. A tremendous display of ineptitude again as they had plenty of time to prepare their systems (software), but being the sort of people they are, this is actually logical. Because they feel superior, they don't actually consider they might be doing things badly or need to change. In other words, despite them feeling they are superior, they are in fact amateurs...

You can find more on the web on this (in dutch).

Re:Ineptitude (1)

Locke2005 (849178) | more than 4 years ago | (#27882217)

Small aircraft aren't allowed near LAX or in other high-traffic air corridors in the US either. Is it possible that if you've got too many transponders for the air traffic controllers to keep track of, then you've also got too many aircraft for the planes themselves to avoid running into each other? In other words, don't assume that once they upgrade the software, that you'll automatically be able to fly your small aircraft anywhere you want -- too many planes in too small an air space will ALWAYS be a safety hazard, no matter how competent your controllers are.

As far as the sound levels, you are probably correct. The objective of the studies is not to document the annoyance caused by airplanes, but rather to make the citizen's complaints go away. When you start out with a pre-determined conclusion, then your methodology really isn't all that important.

Re:Ineptitude (2, Informative)

GooberToo (74388) | more than 4 years ago | (#27882421)

That's what's usally called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.

Their not happy until your not happy! You can't blame them for living their moto.

In all seriousness, the FAA is in the middle of a huge political game right now, which is actually very complex to explain. They are working overtime trying to get out from under Congressional oversight. I wouldn't be surprised if they're looking the other way in an attempt to juice their lobbying. Obviously they can't secure things if their budget isn't drastically increased. And the only way they can do that is to be empowered to both raises taxes and collect them any means they see fit while endangering the skies for everyone. Basically everyone credible (both Rs and Ds) has stepped forward and stated the FAA's proposal is bad for everyone and they can't even make their current funding with their proposal. Only the FAA and *cough* the major carriers support the FAA's plan.

http://www.aopa.org/advocacy/articles/2008/081002faa.html [aopa.org]
http://www.aopa.org/advocacy/articles/2009/090507trustfund.html [aopa.org]

Do some searches. Its actually pretty scary. The FAA is working hard to become their own taxing authority, independent of Congressional oversight, while becoming buddy-buddy with the major carriers. Mmmmm....isn't that a good recipe for safety. And did I mention every year they are unable to account for millions even with oversight. Even worse, Obama is demanding legislation be put forward which supports this disastrous model. And worse yet, such legislation would be horrific to our economy; more accidents: fewer fliers; cost to fly, from drastically higher taxes, goes through the roof: less revenue at airports; less revenue at airports means fewer jobs; fewer jobs: loss of up to hundreds of millions to local economies (even loss of hundreds of thousands to millions at smaller airports) all over the country.

Re:Ineptitude (1)

jwhitener (198343) | more than 4 years ago | (#27883015)

"despite them feeling they are superior, they are in fact amateurs"

This reminds me of the years I spent in IT for a large hospital chain.

Replace air-industry with medical-industry.
Replace air traffic controller with doctor, etc..

In many ways, they ARE superior in their field of expertise, they just seem to have a problem understanding that they are not experts in everything.

I've had many a highly trained physician do idiotic things on computers, and, left to their own devices, I'm sure they would have made horrible system choices. Thankfully at our hospital, the IT choices were centralized with the experts (trained system analysts, programmers, etc..)

I wonder how their IT gets done. All contracted, all in house, some mix?

If most of it is contracted, they need to get some highly trained computer experts to work in-house long enough to know both air-industry and software/architecture design. Contractors that I have worked with pretty much ignore the long term. And often they are not privy (or the client, not knowing computers, neglects to mention some critical piece of info) to what changes over time are happening in the air industry.

If most of their IT needs are done in-house, then they need better HR practices to get the right people.

This is a serious break down in Security (1)

Virtucon (127420) | more than 4 years ago | (#27881795)

SCADA systems should always be disconnected from Intranets and the Internet. Sorry, this is a serious architectural and national security issue.

Whoever came up with this architecture and authorized it should be terminated.

Yup (2, Funny)

mkcmkc (197982) | more than 4 years ago | (#27882089)

I'm not sure it gets much worse than this. I guess the local nuke plant could install a "whack-a-rod" live webcam game and secure it with DMCA technology...

Commercial software (0)

Anonymous Coward | more than 4 years ago | (#27881799)

...the FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software.

On the plus side, it makes it easier for the controllers to run iTunes on their consoles.
 
...WTF!? Why are they doing this? This is one of the places where you want proprietary software.

Missing Forest for the Trees? (5, Informative)

PK Tech Guy (1310715) | more than 4 years ago | (#27881821)

from the CNET article "Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network, the report said"

"However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems."

It's OK everybody, the hacker's have shut down the network but they havent gained any critical access.

Re:Missing Forest for the Trees? (0)

Anonymous Coward | more than 4 years ago | (#27882285)

Shutting down the mission-support network is very different from shutting down the ATC system. The worst bringing down the support system could do is prevent any new commercial flights from taking off. In no case could such a shutdown impact the ability of the system to handle the planes already in the air.

Re:Missing Forest for the Trees? (2, Interesting)

haus (129916) | more than 4 years ago | (#27882503)

Air traffic controllers are quick to tell you that they do not care about the ATC system that sit in front of them.

If they are unreliable, or go down, they will continue to perform their job, by slowing everyone down, increasing the gaps, limiting the number of new plans onto the grid.

It gums up the works a bit, but everyone gets to walk away.

In other news... (0)

Anonymous Coward | more than 4 years ago | (#27882091)

The only difference the pilots noticed was that suddenly, the vectors they got from Washington Center didn't suck...

"The Good Ole Days" (4, Insightful)

erroneus (253617) | more than 4 years ago | (#27882099)

Being a programmer meant you could make a lot of money, not because you could make something that could be sold, but because you make programs that were useful for a purpose. Bill Gates and people like him turned computing into a software industry and this is more or less the result of that.

There was nothing "wrong" with systems maintained by professional programming teams and for those people to work at the same job for their entire lives earning a good wage. "Industry" has not only weakened systems everywhere with their homogenous nature, but cheapened the industry and lowered wages for everyone in the profession.

Re:"The Good Ole Days" (2, Insightful)

phantomfive (622387) | more than 4 years ago | (#27882635)

You can still make a lot of money. $80k for a programmer is pretty normal, and if you manage to specialize in something you can easily swing a six digit salary.

If you want to look at it a different way, look at starting salaries for college graduates. [cnn.com] Computer Science graduates on average make $49,000 right out of college. This is compared to English majors who make $31,000 right out of college, or psychology majors who make $28,000 right out of college. Ouch. Keep in mind that the per capita GDP in the US is $47,000.

So I'm not sure where you're getting the idea that programmers don't make a lot of money, and I'm also not sure why you see the software industry as a problem. I have benefited greatly from it, and use software from that industry nearly every day.

On the other hand if you're thinking about job security, yeah, software is the wrong industry. The best job security as a programmer is developing the ability to find a new job quickly.

Re:"The Good Ole Days" (1)

jwhitener (198343) | more than 4 years ago | (#27883071)

I know what you mean.

Around 15 years ago, I recall a couple small programming shops that employed ~5-6 people each in my original home town.

Each of the offices supported only a handful of industrial clients, creating unique software for them. They had been doing so for over 10 years (might have been a bit less, I forget).

One office, for instance, produced the software that 2-3 of the biggest fruit warehouses in the country used. Very very specific software. Sold pre-installed on the server, which was basically a closed system/appliance.

Fast forward to today. The couple small programming shops are gone, and the last I heard, the fruit warehouses hired a small team of younger computer'ish people. I'm pretty sure they aren't very experienced programmers. I think they patched a bunch of open source + commerical stuff together to mimic what the propriety programs used to do.

I'd be willing to bet that it is very insecure.

Request Clearance To Land: +1, Informative (-1, Troll)

Anonymous Coward | more than 4 years ago | (#27882125)

On the war criminal President-Vice Richard B. Cheney's spider-hole [youtube.com].

Yours In Socialism,
Kilgore Trout

Why is this stuff connected to the internet? (1)

amiga3D (567632) | more than 4 years ago | (#27882193)

I fail to understand why government systems like this are connected to the internet. The military industrial complex and FAA and other critical government systems should be tied into a seperate network. This harks back to the story about classified info for the Joint Strike Fighter getting stolen from an internet attack. WTF!? I can't believe how inept....I take that back, I can believe how inept these guys are. This has to stop. There is no need for these systems to be connected to yahoo and myspace for crying out loud.

Re:Why is this stuff connected to the internet? (1)

Burkin (1534829) | more than 4 years ago | (#27882333)

But the controller needed to download the latest episode of Monk from iTunes!

Event counts for IDS are mostly useless.. (3, Interesting)

haus (129916) | more than 4 years ago | (#27882481)

Anyone who has worked with IDS/IPS systems will realize that unless very carefully managed you will have a large number of events that amount to nothing, even some with some very scary sounding titles.

I am actually surprised to see the count levels so low, even for systems that are believed to be somewhat out of the way.

ATC is not actually a single system within the FAA this function is broken up over several different systems, each with their own silo of responsibility. My understanding from talking with traffic controllers is that the systems are not a requirement for controlling traffic. If the systems are down, or are believed to be unreliable the controllers will simply continue with a more conservative approach, although this can have the effect of gumming up the works as everyone is slowed down and larger gaps are used.

Real danger would be if information was off in some subtle way that was not detected, but as soon as it was determined that something was wrong, the system in question would be taken out of the work flow and further issues with it would not matter.

Crafting such a problem would take not only the IT info to gain access to the system, but at least some level of ATC understanding on how to alter a situation without tipping your hand. While far from impossible, it is not what I would suspect would be a common skill set.

Re:Event counts for IDS are mostly useless.. (0)

Anonymous Coward | more than 4 years ago | (#27885901)

My understanding from talking with traffic controllers is that the systems are not a requirement for controlling traffic. If the systems are down, or are believed to be unreliable the controllers will simply continue with a more conservative approach

Your understanding is both accurate and out-of-date. A key, long-term initiative of the FAA has been "Free Flight" to support the goals such as: handling more traffic, reducing per-flight fuel costs of the airlines, etc. http://www.wired.com/wired/archive/4.04/es.faa.html [wired.com]

Each step towards that goal reduces the ability of controllers to handle the planes already in the sky if their computers ever die. Heck, when the old round-tube, green-screen ATC monitors were replaced the controllers lost the desk-space they would have used to track planes without the computers (the consoles with the old round-tube, green-screen monitors could be rotated down to a horizontal plane to provide a surface on which the controller could revert to the pre-computer "shrimp boat" method of ATC but that ability was dumped when the color monitors replaced them).

Remind me again why we are replacing it? (1)

Suzuran (163234) | more than 4 years ago | (#27882679)

Was there ever a real need to screw with the ATC other than giving airlines more control of the system so they can adjust things to maximize their profits?

I'm not suprised. (4, Informative)

fhage (596871) | more than 4 years ago | (#27882721)

I worked as a engineer for NCAR, building and installing high-tech weather systems for the FAA (AWRP) for over a decade in the mid-90's-00's. I found the FAA leadership is filled with bunches of Republican partisan hacks who spent their time telling AL Gore Jokes in their technical meetings rather than getting things done. It literally takes them 10 or more years to get technology to their employees in the trenches. (officially). Because of upper mgt incompetence, the local level tech is a free-for-all, running in the closet. When I installed our sanctioned equipment in the Long Island FAA TRACON, I found a shift supervisor had brought his old PC in and got an AOL account so that the "super secure war room" could see what the weather was like outside as they managed 40% of the air traffic in the US. The FAA literally watches the weather channel with the sound off and competes with all the every day Joes for Nexrad images on accu weather. One of our (NCAR) systems under rigid performance evaluation at the FAA Technical Center (NJ) kept "hanging" several times per week, and we received poor evaluations and threats of funding cuts. I finally discovered that the reason for the failures was one of their staff had opened a shell terminal, ran Mosaic (remember that) and went porn surfing.(up our dedicated 64kbps line back to NCAR in Boulder and out through our .edu POP). The FAA has lots of ad-hoc systems installed everywhere. Can anyone say "Pass your USB key over here Bob - Ya gotta watch this". Maybe Obama's administration will clean the rot out of the FAA. I lost any hope many years ago.

Re:I'm not suprised. (0)

Anonymous Coward | more than 4 years ago | (#27885009)

Maybe Obama's administration will clean the rot out of the FAA. I lost any hope many years ago.

I doubt it. I used to work for an outfit that sold you folks at the FAA crap. They depended heavily on that 'rot' to sign off on our proposals. And they have have enough clout to invite Obama for a limo ride through Dealey Plaza should he stick his nose in things.

Likewise, Microsoft depends on the rot in my old outfit to resell Windows desktops and back office junk instead of actually building something appropriate.

Re:I'm not suprised. (0)

Anonymous Coward | more than 4 years ago | (#27885447)

I have to laugh at this post since one of the applications that was hacked is called JAWS and it is an NCAR built and managed application. The FAA, although sponsering it does not even use it. http://juneau-winds1.rap.ucar.edu/JuneauOps/

It seems a lot has changed since the mid 90's.

proprietary systems (0)

Anonymous Coward | more than 4 years ago | (#27882877)

"poses a higher security risk to the systems than when they relied primarily on proprietary software"....Someone actually put this into an FAA IG report? That's ridiculous. Correlation and causation are two ENTIRELY different things. You'd think the FAA, of all people, would understand that.

Exhibit A: Microsoft products. A huge collection of proprietary software which are security swiss cheese. Sorry, that's not fair to swiss cheese.

These are mainly issues with data access and transfer. As noted by many others, it is about being thorough and having security features integrated into a fully specified architecture.

It is not accurate or responsible to say that this is based on "FAA's increasing use of commercial software and Internet Protocol-based technologies". There is NO such evidence.

Fire the incompetent acquisition managers who contracted for a low-bid "slap random technologies together" solution over a well-engineered and disciplined system development. Then fire the FAA IG report writer. They generate trash.

Airport hacking in the 1990s. (1)

GWBasic (900357) | more than 4 years ago | (#27884617)

I have connections to someone who accidentally hacked an airport in the 1990s. Back then, the thing that board teenagers did was run programs that would find phone numbers answered by modems.

Anyway, as the story goes, this teenager came across a phone number, answered by a modem, that behaved very differently then any other phone number. There was NO password or security whatsoever. The interface was very foreign; however, this board teenager spent a few months hacking at the system, trying to learn what it did and how to operate it.

As the story goes, he eventually came across some form of a manual, and decided to test the reboot command. A few days later, when the feds showed up at his door, he found out that he was responsible for bringing an airport down for an entire afternoon.

The irony of the matter is that the board teenager was a well-meaning, curious, upstanding teenager. He had no malicious intentions whatsoever.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...