Slashdot Mirror


Trojan-Infected Computer Linked To 2008 Spanair Crash

An anonymous reader writes "Two years ago, Spanair flight JK-5022 crashed shortly after takeoff in Madrid, killing 154 of its 172 passengers and crew. El Pais online newspaper reports that the ground computer responsible for triggering an alarm after three failures are reported in a plane failed to do so. The computer was infected with trojans (Google translation of Spanish original)."

36 of 324 comments

  1. Re:Shit. by Anonymous Coward · · Score: 1, Insightful

    Windows (and all Microshit in general) should be strictly forbidden in every safety-critical application.

    I put the blame on governments for not having done it so far. And in the media and taxpayers, for not pressing for it.

    MS is evil, but there will always be evil people. It is the fault of the rest for not fighting tirelessly against them.

  2. Re:What operating system was used? by mseeger · · Score: 4, Insightful

    Because humans are humans. Possible chain of events: "Hmmm. I want to surf the internet but have no PC. But wait, there is our maintenance PC. If I install iTunes on it and connect it to my iPhone, I may surf during work. Hurray! I can even download the hot pics of my favorite celebrity to which I received a link from this Chinese guy."

  3. What? by miffo.swe · · Score: 5, Insightful

    Who puts Windows on anything even remotely mission critical? If you could blame someone, it should be the person deciding that.

    --
    HTTP/1.1 400
  4. Re:What operating system was used? by Buggz · · Score: 2, Insightful

    The operating system really isn't the issue here; failure to isolate the system is. I've set up several Windows systems inside a double firewall which in turn are set up with a VPN to whatever the systems needed to communicate with, and nothing else. Those did exactly what they needed to do because nothing else would get in or out. That a mission critical system gets infected at all points to a serious flaw somewhere; a goddamned alarm system shouldn't need any active USB ports nor any access to the internet besides an encrypted line to whoever is supposed to receive the alarm and respond. I hope this is viewed as a criminal case; someone did an absolutely horrendous job or didn't do it at all, and 154 people lost their lives because of it.

  5. Re:Shit. by Anonymous Coward · · Score: 1, Insightful

    We run critical stuff on Windows, they don't have access to the Internet. Deal with it.

  6. Re:Shit. by TheRaven64 · · Score: 5, Insightful

    The Internet is not the only source of infection. What about removable media, removable drives, or other machines on a private network that can connect to either the Internet or removable media? Perimeter defences are part of good security, but they are not the whole of it.

    --
    I am TheRaven on Soylent News
  7. A result of employee loafing by hessian · · Score: 3, Insightful

    1970s:

    "I'm sorry, our computers are down." (Reality: our employees are playing NET TREK and DUNGEON on a Friday afternoon.)

    2000s:

    "I'm sorry, our computer has a trojan." (Reality: our employees finally found an "unused" machine to surf porn, got loaded up with Russian malware, and now it's nobody's fault.)

  8. Re:Shit. by LordLimecat · · Score: 2, Insightful

    Aren't there OSes designed specifically for mission critical applications out there, for just this kind of thing? Doesn't the list NOT include off-the-shelf OSes like Windows and OSX?

  9. So, when... by Titan1080 · · Score: 5, Insightful

    Does the 'War on Trojanists' begin? But seriously, someone wrote that virus. That means that someone, somewhere (probably Estonia), is guilty of killing 154 people.

  10. Re:Shit. by Dunbal · · Score: 3, Insightful

    "they don't have access to the Internet."

    Hopefully they don't have access to USB keyrings, flash drives, thumb drives and CD/DVD ROMS that have access to the internet, either...

    --
    Seven puppies were harmed during the making of this post.
  11. Re:What operating system was used? by mcgrew · · Score: 2, Insightful

    Are you new to computing? How many Mac or Linux or BSD users do you know who have ever gotten a trojan infection?

  12. Re:What operating system was used? by LordLimecat · · Score: 3, Insightful

    It's STILL not a high-availability OS, and should not be treated as such. Windows can be great for normal business use when properly set up, but it isn't designed for mission critical stuff-- if your graphical shell can bring down the OS, it's probably not a good candidate for that kind of thing.

  13. Re:Shit. by fuzzyfuzzyfungus · · Score: 3, Insightful

    I'm not sure that banning Windows by name would be of too much use. A quick trip down the router aisle at any computer store will show you more degenerate abuses of embedded Linux and VxWorks than you care to think about, and I'm told that things don't get better nearly as fast as you would hope as prices rise in other industry segments.

    Anyone, though, using Windows in an environment where it could trivially be infected (i.e. internet connected or contractors doing flash drive upgrades) really needs to be shown the door, yesterday. I'm also not sure why there would be "a" computer responsible for raising the alarm. Commodity x86 gear is pretty reliable for what you pay; but it isn't that reliable. If the safety of one or more 100 million+ aircraft, and everybody on board, is at stake, why are there not multiple systems, all independently capable of raising the alarm?

  14. Re:Shit. by Pojut · · Score: 3, Insightful

    "If the safety of one or more 100 million+ aircraft, and everybody on board, is at stake, why are there not multiple systems, all independently capable of raising the alarm?"

    You're talking about an industry who would likely charge passengers for use of the bathroom, if they could get away with it. Why do you think there aren't multiple systems?

  15. Catch-22 by PolygamousRanchKid+ · · Score: 2, Insightful

    That pilot should have had his license revoked.

    Well, I think the crash took care of that.

    Unless the pilot was Captain Orr from Catch-22 . . . then he and all the other passengers would be frolicking in Sweden for the rest of the war . . .

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  16. Re:Shit. by Charliemopps · · Score: 4, Insightful

    We had to secure a computer at a company I worked at years ago. The IT department claimed it was secure (they had put Norton AV and firewall on it). I laughed when the owner of the company told me about it. He asked if I could do better. I put the computer in a metal drawer, locked it, drilled a hole in the back for the cables to come out and handed him the key. "There, now it's secure." He thought I was kidding until I pointed out the USB ports and drive bays.

  17. Re:Shit. by TheHonch · · Score: 2, Insightful

    Did you remove the network cable too?

  18. Re:Shit. by skyride · · Score: 2, Insightful

    Well, it's either had a hand in causing the deaths of 154 people, and therefore was a mission critical system. Or it wasn't a mission critical system and the entire article is just a load of sensationalist garbage.

  19. Re:Shit. by AHuxley · · Score: 2, Insightful

    Think of it as: The boss person for the "mission critical applications" area was given a nice long lunch and presented with some back of the napkin math just before an upgrade.
    The savings in hardware and software over aspects of a traditional OS was amazing... and that's how an off-the-shelf OS could get into mission critical area.
    Marketing has its lists of areas to wine, dine, seduce and penetrate.

    --
    Domestic spying is now "Benign Information Gathering"
  20. Re:Shit. by Vectormatic · · Score: 4, Insightful

    I think MS also disclaims any responsibility, that should tell you enough about Windows' fitness for mission-critical stuff

    Regardless of law, putting any mission critical system (especially when lives depend on it) on a Windows machine should be chargeable with criminal negligence, and in this case, manslaughter

    --
    People, what a bunch of bastards
  21. Re:Shit. by Bemopolis · · Score: 2, Insightful

    Two words: Blowout. Preventer.

    --
    "I guess the moral of the story is, don't paint your airship with rocket fuel." -- Addison Bain
  22. Re:Shit. by Idbar · · Score: 2, Insightful

    "You're talking about an industry who would likely charge passengers for use of the bathroom, if they could get away with it."

    And why would they blame their own, if it's easier to blame it on the OS?

  23. Re:Shit. by drsmithy · · Score: 2, Insightful

    This is a one-way ticket to the cessation of all innovation in the field of computing.

    Rubbish.

  24. Re:Complimentary 7 point Slashdot troll guide... by geekoid · · Score: 5, Insightful

    Windows is easier. It's a byproduct of sloppy architecture.

    It doesn't mean the others can't be compromised, but it's a fallacy to assume all OS's can be infected with the same level of difficulty.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  25. Re:Shit. by Dishevel · · Score: 2, Insightful

    "they don't have access to the Internet."

    "Hopefully they don't have access to USB keyrings, flash drives, thumb drives and CD/DVD ROMS that have access to the internet, either..."

    USB keyrings, flash drives (same thing), thumb drives (Same thing again).

    Do you just type things to make your post look longer so that people will have the belief implanted into their head that you are not dumb?

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  26. Re:Shit. by Xiaran · · Score: 4, Insightful

    I worked for many years in the security industry. We had to do this to prevent security guards turning off the machine when they alarmed as it would interrupt their naps. Probably the best story I heard about a secure room was in Australian Defence. A contractor was installing a secure door to make a secure room (where you store your important documents and hard disks after hours). Once completed a senior military guy comes down and is really impressed by this thick steel door with massive bolts etc. The contractor said it's pretty good, but he reckoned he could get inside within 10 seconds. The military guy cannot believe it and bets the guy $100 he can't do it. They lock the door and the contractor then proceeds to go to the side of the secure room and put his foot thru the plaster board panelling, kicking out a large chunk and allowing him to crawl into the room in about 5 seconds.

  27. Re:Shit. by Anonymous Coward · · Score: 1, Insightful

    Right. We should all use Ubuntu and OS X. I'm sure Canonical and Apple would be more than happy to accept liability for any damage caused by users installing malware onto the respective operating systems.

  28. Re:Complimentary 7 point Slashdot troll guide... by Anonymous Coward · · Score: 1, Insightful

    He forgot # 8: When a news article mentions a computer fault without going into specific details, assume it must have been Windows, because every other OS is of course perfect.

  29. Re:Shit. by abigsmurf · · Score: 2, Insightful

    Yeah because Linux is totally 100% immune to malware and never ever crashes!

    If they couldn't properly isolate a mission critical Windows system, guess what? They almost certainly wouldn't be able to properly secure a Linux or OSX system either. Relying on the small amount of Linux based malware for security? That sounds an awful lot like security by obscurity to me. Relying on the rights system? There's plenty that you could do without admin rights that would potentially suppress or interfere with an alarm.

  30. Re:Shit. by zombieChan51 · · Score: 2, Insightful
  31. Re:Shit. by sjames · · Score: 4, Insightful

    Considering that 154 people died because this system did not issue the warning it was supposed to, I would say it most certainly IS a mission critical system, it just isn't treated as one.

    Of course, it sounds like the whole thing was a tragedy of errors. The pilot should have seen that slats and flaps were in the wrong position, the computer in question should have flagged the plane for grounding, the on board computer should have raised the alarm. There should have been maintenance records independent of the computer that should have raised the flag on pre-flight. Not one of those things happened and people died as a result.

    I would call it a comedy of errors except that it's hard to call 154 deaths a comedy.

  32. Re:Shit. by scribblej · · Score: 3, Insightful

    It's odd to me how easily you write off a system that caused the death of ~150 people as "not really ... mission critical."

  33. Re:Shit. by rickb928 · · Score: 2, Insightful

    Work with me here. This is complicated.

    Someone posted:

    "That's not regulation, that's cost minimization. (A free toilet is significantly cheaper than cleaning up after the alternative...)"

    Flight safety and maintenance are not cost issues per se. For an airline with a clue, they are about maximizing profit and reducing inefficiency.

    If a plane crashes due to maintenance issues, you have these consequences:

    - Lost revenue. Passengers will be wanting refunds. The aircraft is not available for future flights, which will reduce revenue. Many airlines don't have capacity problems today, so this is not a big issue for them right now. Others however are sensitive to equipment availability.

    - Inefficiency. It's generally cheaper to maintain the equipment than it is to replace it, insurance and spare equipment notwithstanding.

    - Lost business. Perceptions of poor maintenance can lead to public image issues and potentially lost revenue. This is very hard to recover from. Note that the industry as a whole agrees to avoid taking advantage of competitors' safety issues to gain market share. Sharks apparently also do not eat each other, except in dire circumstances.

    This particular incident is, at the root of it, not much different than a credit-card data disclosure, or dropping the backup tapes down the stairs, or failing to submit a bid because the computer crashed due to some malware. With the salient exception that people died. More reason to have redundant systems, backup manual processes, and even more rigorous IT security practices. We might, just might, see an effort by the FAA and aircraft manufacturers to require airlines and other operators to take additional steps to secure their critical ground systems.

    ???

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  34. Re:Mission Critical by tuxgeek · · Score: 3, Insightful

    A computer controlling in-flight operations infected with trojans translates to a computer running MS windows. Why the fuck would anyone even think of this? This is like building a suspension bridge using legos and 6 year olds doing the assembly.

    So when I fly, is my life really dependent on a tinker toy OS? That's fucked up! Someone should be beaten to death for this idea.

    --
    "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
  35. Re:Shit. by jbengt · · Score: 2, Insightful

    I don't know why you think this demonstrates any particular excess expense of government. It is no more complex or restrictive than any of hundreds of private sector construction specifications and design criteria that I have read.