Trojan-Infected Computer Linked To 2008 Spanair Crash

An anonymous reader writes "Two years ago, Spanair flight JK-5022 crashed shortly after takeoff in Madrid, killing 154 of its 172 passengers and crew. El Pais online newspaper reports that the ground computer responsible for triggering an alarm after three failures are reported in a plane failed to do so. The computer was infected with trojans (Google translation of Spanish original)."

Re:What operating system was used?

[mseeger]

Because humans are humans. Possible chain of events: "Hmmm. I want to surf in the internet but have no PC. But wait, there is our maintenance PC. If i install iTunes on it and connect it to my iPhone, i may surf during work. Hurray! I can even download the hot pics of my favorite celebrity to which i received a link from these chinese guy."

What?

[miffo.swe]

Who puts Windows on anything even remotely mission critical? If you could blame someone, it should be the person deciding that.

Re:Shit.

[TheRaven64]

The Internet is not the only source of infection. What about removable media, removable drives, or other machines on a private network that can connect to either the Internet or removable media? Perimeter defences are part of good security, but they are not the whole of it.

A result of employee loafing

[hessian]

1970s:

"I'm sorry, our computers are down." (Reality: our employees are playing NET TREK and DUNGEON on a Friday afternoon.)

2000s:

"I'm sorry, our computer has a trojan." (Reality: our employees finally found an "unused" machine to surf porn, got loaded up with Russian malware, and now it's nobody's fault.)

So, when...

[Titan1080]

Does the 'War on Trojanists', begin? But seriously, someone wrote that virus. That means that someone, somewhere (probably Estonia), is guilty of killing 154 people.

Re:Shit.

[Dunbal]

they don't have access to the Internet.

      Hopefully they don't have access to USB keyrings, flash drives, thumb drives and CD/DVD ROMS that have access to the internet, either...

Re:What operating system was used?

[LordLimecat]

Its STILL not a high-availabilty OS, and should not be treated as such. Windows can be great for normal business use when properly set up, but it isnt designed for mission critical stuff-- if your graphical shell can bring down the OS, its probably not a good candidate for that kind of thing.

Re:Shit.

[fuzzyfuzzyfungus]

I'm not sure that banning Windows by name would be of too much use. A quick trip down the router aisle at any computer store will show you more degenerate abuses of embedded linux and VXworks than you care to think about, and I'm told that things don't get better nearly as fast as you would hope as prices rise in other industry segments.

Anyone, though, using Windows in an environment where it could trivially be infected(ie. internet connected or contractors doing flash drive upgrades) really needs to be shown the door, yesterday. I'm also not sure why there would be "a" computer responsible for raising the alarm. Commodity x86 gear is pretty reliable for what you pay; but it isn't that reliable. If the safety of one or more 100 million+ aircraft, and everybody on board, is at stake, why are there not multiple systems, all independently capable of raising the alarm?

Re:Shit.

[Pojut]

If the safety of one or more 100 million+ aircraft, and everybody on board, is at stake, why are there not multiple systems, all independently capable of raising the alarm?

You're talking about an industry who would likely charge passengers for use of the bathroom, if they could get away with it. Why do you think there aren't multiple systems?

Re:Shit.

[Charliemopps]

We had to secure a computer at a company I worked at years ago. The IT department claimed it was secure (they had put Norton AV and firewall on it) I laughed when the owner of the company told me about it. He asked if I could do better. I put the computer in a metal drawer, locked it, drilled a hole in the back for the cables to come out and handed him the key. "There, now it's secure." He thought I was kidding until I pointed out the USB ports and drive bays.

Re:Shit.

[Vectormatic]

i think MS also disclaims any responsability, that should tell you enough about windows' fitness for mission-critical stuff

regardless of law, putting any mission critical system (especially when lives depend on it) on a windows machine should be chargeable with criminal negligance, and in this case, manslaughter

Re:Complimentary 7 point Slashdot troll guide...

[geekoid]

Windows is easier. It's a byproduct of sloppy architecture.

It doesn't mean the others can't be compromised, but it's a fallacy to assume all OS's can be infected with the same level of difficulty.

Re:Shit.

[Xiaran]

I worked for many years in the security industry. We had to do this to prevent security guards turning off the machine when they alarmed as it would interrupt their naps. Probably the best story I heard about a secure room was in Australian Defence. A contractor was installing a secure door to make a secure room(where you store your import and documents and hard disks after hours). Once completed a senior military guy comes down and is really impressed by this thick steel door with massive bolts etc. The contractor said its pretty good, but he reckoned he could get inside within 10 seconds. The military guys cannot believe it and bets the guy $100 he cant do it. They lock the door and the contractor then proceeds to go to the side of the secure room and put his foot thru the plaster board panelling, kicking out a large chunk and allowing him to crawl into the room in about 5 seconds.

Re:Shit.

[sjames]

Considering that 154 people died because this system did not issue the warning it was supposed to, I would say it most certainly IS a mission critical system, it just isn't treated as one.

Of course, it sounds like the whole thing was a tragedy of errors. The pilot should have seen that slats and flaps were in the wrong position, the computer in question should have flagged the plane for grounding, the on board computer should have raised the alarm. There should have been maintenance records independent of the computer that should have raised the flag on pre-flight. Not one of those things happened and people died as a result.

I would call it a comedy of errors except that it's hard to call 154 deaths a comedy.

Re:Shit.

[scribblej]

It's odd to me how easily you write off a system that caused the death of ~150 people as "not really ... mission critical."

Re:Mission Critical

[tuxgeek]

A computer controlling in-flight operations infected with trojans translates to a computer running MS windows. Why the fuck would anyone even think of this? This is like building a suspension bridge using legos and 6 year olds doing the assembly.

So when I fly, is my life really dependent on a tinker toy OS? That's fucked up! Someone should be beaten to death for this idea.