The Wall Street Journal reports here on the recent Lion Air 737 crash and the existence of an undisclosed feature of the 737 MAX that may have contributed to the crash. Aviation Week reports here on the 737 MAX maneuvering characteristics augmentation system and insufficient documentation of the feature.
I noticed this round connector as part of my AV display on a recent flight. It seems to be a DIN connector but I’m not sure that the arrangement of leads is common. It doesn’t seem to be a PS/2 connector. I have no idea why the aircraft designers thought this connector was a good use of weight on their airplane. Did anyone ever use this thing?
Chip Rebel reports here on a teardown of the Huawei Mate 20. Thanks to AnandTech for the pointer to Chip Rebel.
FireEye reports here on the TRITON framework for industrial attacks.
This photo is from a recent flight on a Delta airplane—a 777 as I recall. That sure looks like an Ethernet receptacle, doesn’t it? Was there a time when people were so obsessed with Internet connectivity that they carried Ethernet cables on board?
I must unfortunately disagree with parts of Bruce Schneier’s recent post. His subject is cyber-physical systems although he doesn’t seem to use that term. His point of view is firmly rooted in information technology (IT). As I have said before, that approach is inadequate to create and maintain safe and secure cyber-physical and IoT systems. He characterizes computational control of physical systems as new; in fact, embedded control was an early application of computers. He also characterizes embedded devices as inexpensive; not so when car engines are operated by vector multiprocessors. And cost is not the causal factor for insecurity—we have plenty of very expensive IT systems that embody security flaws.
As one example, he praises NIST’s cybersecurity guidelines. NIST’s approach can be summarized as treating sensors and actuators as I/O devices attached to a traditional IT system. NIST and Mr. Schneier don’t take into account that these systems are real-time distributed computing systems. Security mechanisms designed for transaction-oriented IT are inadequate for timing-critical control systems.
In order to make CPS and IoT systems safe and secure, we need to consistently apply what we already know and develop new methods. CPS and IoT can no longer treat safety and security as separate concerns. Safety people need to learn more about computer security; security folks need to learn more about safety. Mr. Schneier is firmly planted in the security side. I hope that he continues to expand his knowledge base.
The U.S. Government Accountability Office released a report here on vulnerabilities in Department of Defense weapons systems and processes. A sample quote:
“In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.”