Hack your dream 787 destination

(image courtesy of p2pnet.net)

This is cute. Wired magazine reports that the Federal Aviation Administration, the US air regulator, is worried that the Boeing 787 Dreamliner’s in-flight passenger network is physically connected to the network that manages the aircraft’s control systems and also connects to ground-based maintenance and booking networks.

One might have expected the aircraft’s control network to be physically isolated from outward-facing networks, since any such connection in principle poses a security threat. Who needs box cutters when you can just hack your way into the cockpit, fire up a flight sim client, and fly the plane yourself?

Writes Wired:

Boeing’s new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane’s control systems, according to the U.S. Federal Aviation Administration.

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.

The revelation is causing concern in security circles because the physical connection of the networks makes the plane’s control systems vulnerable to hackers. A more secure design would physically separate the two computer networks. Boeing said it’s aware of the issue and has designed a solution it will test shortly. […]

Currently in the final stages of production, the 787 Dreamliner is Boeing’s new mid-sized jet, which will seat between 210 and 330 passengers, depending on configuration.

Boeing says it has taken more than 800 advance orders for the new plane, which is due to enter service in November 2008. But the FAA is requiring Boeing to demonstrate that it has addressed the computer-network issue before the planes begin service.

According to the FAA document published in the Federal Register, the vulnerability exists because the plane’s computer systems connect the passenger network with the flight-safety, control and navigation network. It also connects to the airline’s business and administrative-support network, which communicates maintenance issues to ground crews.

ZDNet picked up on the report, and quotes Bruce Schneier on the subject.

(Via p2pnet.net.)

PS. The Wired article quotes one Mark Loveless, whom it calls “a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies”. If you’re in stealth mode, isn’t giving presentations at conferences a dead giveaway?

Update: Blue Crab Boulevard notes a new form of spam, which reaches printers directly from the internet, via a browser vulnerability, and demonstrates the inherent dangers of connecting networks. That they’re supposed to be separate and designed to be separate is no guarantee that they really will be separate.


Life or death for Facebook

There’s an interesting battle brewing that may decide the fate of Facebook, the hugely popular social networking site. The country network of which I’m a member, South Africa, has tripled in size to 300 000 in just three months. I didn’t know there were that many internet connections over here.

However, there’s a dark cloud on the horizon. A very dark cloud. Microsoft is, according to the Wall Street Journal, in talks to buy a stake in the startup:

Microsoft in recent weeks approached Facebook with proposals to invest in the startup that could value the fast-growing site at $10 billion or higher, said people familiar with the matter. If those talks bear fruit, Microsoft could purchase a stake of up to 5% in the closely held startup, at a cost in the range of $300 million to $500 million, the people said.

But Microsoft must first outgun Google, which has also expressed strong interest in a Facebook stake, according to people familiar with the matter.

Microsoft’s Passport sign-on technology (now rebranded as Live ID) has proved to be wide open to abuse, and not only by external miscreants. When Microsoft bought Hotmail almost ten years ago, the webmail pioneer turned into a sluggish performer and a hotbed of spam. As this page documents, Microsoft itself had for years been both negligent and willfully complicit in some of the abuse. On one occasion, for example, it changed, without notification, all users’ preferences to share information with third parties. On another, it tried to claim copyright on everything sent via Hotmail. It certainly has not been particularly respectful of users’ privacy, and has burned its trust relationship with its more savvy customers.

I’m sure Microsoft has tightened up its privacy policies by now. It’s appointed a Chief Privacy Officer and its PR machine makes all the right defensive noises. However, a 3 500 word policy can hide many secrets. My reading of its copyright notice suggests that it still claims an exceptionally broad licence to copy, use and sublicence anything you post on any Microsoft service, even if it is intended only for a private community.

So I vowed never to use any Microsoft-owned online service — MSN Messenger, Windows Live, Hotmail — ever again. Publications that required Passport Network registration were simply dropped from my reading list.

Facebook is already over-cluttered with applications. Some are useful, some cool, some annoying, and some just downright offensive. I don’t mean in the prurient sense; I mean in the spam hotbed sense. I usually decline to install them, but I accepted a fun one involving beer just yesterday. Contrary to explicit instructions not to, it invited a random selection of friends, some of whom I really didn’t want invited. This kind of spamware can kill Facebook.

But not as quickly as Microsoft can. If Google buys Facebook, I’ll live with it. The Googleplex 0wnz me already, and I’m not even a heavy user of its services. However, it has yet to show the kind of negligence or nefarious activity that will compromise my trust. For now, the convenience of its online tools outweighs the very real privacy risks. But if Microsoft buys Facebook, I’m outta there like a shot. The Hotmail fiasco alone was enough for me to never trust Microsoft with private information of any sort again. Through negligence, incompetence and deliberate action, Microsoft has abused the trust of users too often in the past. Here’s hoping Facebook doesn’t become the latest victim.

Update: In good Facebook tradition, I’ve created a group: If Facebook sells to Microsoft, we’re leaving.


Privacy scare about Facebook

Om Malik reports on a Facebook development that worries some privacy advocates.

Access to the profile information of a user of Facebook, a hyper-popular social network, has traditionally been limited to other Facebook members, and then restricted further by a fairly comprehensive set of privacy controls. Soon, however, Facebook will permit anyone to search its database and find people by name. The information provided will be limited, and users can opt out on their privacy settings page. However, once found, a searcher can send messages or “poke” someone, which, if the recipient responds, could reveal much or all of their profile.


Software firms must pay for online crime

That’s not my opinion, of course. I would never argue such a daft thing. Or say this:

You can’t just rely on individuals to take responsibility for their own security. They will always be outfoxed by the bad guys.

This is the genius emerging from the UK House of Lords today, in the words of Lord Broers. Just like when your car is stolen you claim compensation from the manufacturer (don’t you?), the Lords Science and Technology Committee believes that victims of online fraud committed by criminals who exploit security holes should be compensated by the makers of the affected software.


The great history spam scam

I understand how people can make a lot of money if just one in ten thousand fools click on a spam link for cut-price medication paid for by Canadian taxpayers, or buy a dodgy video of Hilton family entrepreneurs. I didn’t expect to see someone punting history articles, however.

This one (valiantly caught by Akismet) must have seen the history tag on my blog, because it is pushing a short, addictive biography on Benjamin Franklin. The same site contains this gem: Civil War Uniform Buttons - The Small Details Make All the Difference! Now I won’t sneer. Considering the small details I’m fussy about in my hobby, I guess all hobbyists are the same. And it’s true I have received spam when the International Guild of Knot Tyers website was hacked. Why I’m receiving mail from them in the first place I’ll leave as an exercise for the reader, but in their defence, the spam wasn’t their fault and didn’t punt a short but thrilling history of scouting knots.

If this is a trend, I might start looking more favourably upon spam. After all, I’ve long said that too few modern pundits read history, and too many pay attention to Ms Hilton. Will this reverse the trend? Will the spam mafia and pr0n kings tolerate the competition from bearded professors and bespectacled geeks?


When we wuz young

This TV show dates from 1996. I’ve since met all the protagonists, although I can’t recall having met Kriek face-to-face to this day. Most amusing. The intro in Afrikaans is deceptive - the rest is in English. Fifteen minutes of fame for kokey:


Braindead, and passing laws to prove it

Patricia De Lille, all is forgiven. It appears the idiots that run our government aren’t any worse than the idiots that run the US Congress. Perhaps if you’re too stupid and unselfconscious for any real job, you put on a big toothy grin and get voted into a position where you can spend your days proving to the world just how Luddite and illiterate you really are. Check out this bizarro hearing of the Committee on Oversight and Government Reform, chaired by Henry A. Waxman (D-Calif.):

On Tuesday, July 24, 2007, the Committee held a hearing to examine recent developments regarding inadvertent file sharing over peer-to-peer (P2P) networks, the impact of such sharing on consumers, corporations and government entities, and whether such sharing creates privacy or security risks for users.

No, seriously. They want to pass laws to make sure that “inadvertent file-sharing does not jeopardize the public’s privacy and security”. CNET News.com reports:

Also at the hearing, Mark Gorton, the chairman of Lime Wire, which makes the peer-to-peer software LimeWire, was assailed for allegedly harming national security through offering his product.

Wait till these people hear about e-mail. They’d have to ban the internet.
