Aviation – Frank Leonhardt's Blog

M A G Airports web site exploitable for mailbombing attacks

Last July I was surprised to receive an email of “special offers” from Manchester Airport. I’ve only ever been to Manchester once, and I drove. It was actually sent to a random email address; was the company just sending out random spam?

I checked, and visiting their web site produced a JavaScript pop-up asking you to enter your email address to receive special offers. I wondered if I’d accidentally confirmed acceptance to be added to the wrong mailing list, so I checked. No. Apparently this sign-up doesn’t bother to confirm that you actually own the email addressed entered; it just starts spamming whoever you ask it to.

It got worse. A look at the code showed it was easy for someone to make a load of calls to their site and add as many bogus addresses as they liked at the rate of several every second.

And it gets even worse – a quick look at the sites for other airports operated by MAG had identical pop-up sign-ups (Stansted, Bournemouth and East Midlands).

Naturally I called them to let them know what a bunch of silly arses they were. After being passed around from one numpty to another, I was promised a call back. “Okay, but I’ll go public if you don’t bother”.

Guess what? That was last July and they haven’t bothered. They did, however, remove the pop-up box eventually. They didn’t disable it, however. The code is still there on a domain owned by MAG Airports, and you can still use it to do multiple sign-ups with no verification.

So what are they doing wrong? Two things:

Who in their right mind would allow unlimited sign-ups to a newsletter without verifying that the owner of the email address actually wanted it? Were they really born yesterday? Even one of the MD’s kids writing their web site wouldn’t have made such an elementary mistake.
Their cyber-security incident reporting mechanisms need a lot of work. Companies that don’t have a quick way of hearing about security problems are obviously not doing themselves or the public any favours.

One assumes that MAG Airports doesn’t have any meaningful cybersecurity department; nor any half-way competent web developers. I’d be delighted to hear from them otherwise.

In the meantime, if you want to add all your enemies to their spamming list, here’s the URL format to do it:

Okay, perhaps not but if it’s not fixed by the next time I’m speaking at a conference, it’s going on the demo list.

18-November-1517-March-17

Governments’ hacking fantasies

It’s silly season again.

Yesterday George Osborne warned that Islamists were tooling up and planning deadly cyber-attacks against the UK, targeting critical systems like ATC and hospitals, as he announced government spending on countermeasures would double from about £200M to £400M a year. Mr Osborne shown a rather tenuous grasp of technology in the past, and I fear he’s been watching too many Hollywood movies when forming his current opinion.

I know a bit about ATC, and the chances of a jihadi disrupting NAS over the internet are slight. Damaging aviation is much easier by more direct means.

Likewise, while I have little time for the design of NHS computers systems, even they’d be hard to seriously disrupt. So difficult that it really wouldn’t be worth the bother. If you want to knock out a hospital, blow up the generators and electricity feed – it’s obvious. About the only systemic damage you could do remotely would be to mess up central databases, but these seem to get messed up regularly anyway, and the world goes on.

But this seems positively sane and sensible compared to today’s report from the “US-China Economic and Security Review Commission”. They’re all exercised about those nasty Chinese guys pinching trade secrets by hacking in to US companies and their government agencies. I’m sceptical about the idea that the Chinese government is behind this, and the Commission has weakened the credibility of their claims with their suggested response to the activity:

Yes folks, their suggestion is that Americans hack in to the Chinese systems and steal back or delete the stolen data. How exactly does one steal back data? And do they really think it’s possible to locate, identify and delete stolen data found in a foreign country. Deleting all copies of data from a local system is hard enough, and if the IT department knows its stuff, it’s impossible as it won’t all be on-line.

Whilst there’s plenty of evidence that people in China, and possibly the military, are engaged in cyber-espionage, this idea reads like the plot of another Hollywood movie of the type George Osborne seems to have been watching. Everyone in the security world knows that the majority of criminal activity on the Internet actually comes from…. the USA. This doesn’t mean the US government is behind it – by the sound of the advice they’re getting, they wouldn’t know how.

People like me have been saying that cyber-crime is (going to be) a big problem for many years now, and I welcome governments waking up and taking it seriously at last. The private sector has done spectacularly badly, as the money is in the superficial stuff, and real security gets in the way of profits. It’s just a shame that governments have woken up and are groping groggily around in the dark.

13-October-1523-October-15

Is Northolt Aerodrome Dangerous?

Biggin Hill, a rival airfield to Northolt chasing executive jet traffic for London, has got hold of a 2012 report that says Northolt doesn’t meet current CAA standards for obstacle clearance, especially at the east end of the runway. Northolt has been there for a hundred years, so shame on the local council for allowing this alleged dangerous development to have taken place.

It wouldn’t be the only airfield to lose its CAA license since new rules came in (e.g. Sandown and Bembridge on the IoW) but then again it’s a military/government field and is regulated by the MAA instead. The civil operators of Biggin Hill and Oxford reckon the CAA should take over regulation, and (presumably) shut their rival down. They would say that, wouldn’t they?

Of course, a cynic like me may wonder whether the value of a huge plot of land next to the A40 had a bearing on what interested parties have to say on the subject.

8-April-1514-April-15

Blackbushe Cybersquatting Club

Today the nice people at Blackbushe Flying Club decided to register the ICAO airfield designator for Popham Airfield in Hampshire (eghp.co.uk) and redirect it to their flying school at Blackbushe. Nominet claims to have validated Blackbushe Flying Club Ltd as the rightful owners, which is interesting.

I used to be a member of the flying club at Popham for many years, but I’m not now. Still friendly though. I’m also a member of Nominet. If anyone from Popham would like to get in touch for backup in getting these juvenile scallywags at Blackbushe dealt with appropriately, I should be flying in some time tomorrow morning.

FWIW, here’s chapter and verse:

Domain name:
 eghp.co.uk

Registrant:
 Blackbushe Flying Club

Registrant type:
 UK Limited Company, (Company number: 00000)

Registrant's address:
 11 The Close
 College Town
 Sandhurst
 Berkshire
 GU47 0RE
 United Kingdom

Data validation:
 Registrant contact details validated by Nominet on 08-Apr-2015

Registrar:
 Mesh Digital Limited t/a Domainmonster.com [Tag = MONSTER]
 URL: http://www.domainmonster.com

Relevant dates:
 Registered on: 08-Apr-2015
 Expiry date: 08-Apr-2017
 Last updated: 08-Apr-2015

Update 13-Apr-2015

I did some investigating and I know exactly who is behind this, and it was nothing to do with Popham or a joke. It looks like something that seemed like a good idea at the time to someone. It’s not actually Blackbushe airfield that’s behind it, it’s an outfit calling itself Blackbushe Flying Group (and I won’t get personal by naming the individual).

Judging from the hit-count on this page, and a the result of a few phone calls, “someone” has realised the error of his ways and changed it to a redirect sending all traffic to Popham’s real web site. If that someone wishes to get in touch I can help make it right permanently, at least as far as Popham is concerned. His landlord, Blackbushe Airport Ltd, may be less forgiving as, in addition to associating the Blackbushe name in some skulduggery, he’s only gone and registered eglk.co.uk too. Ouch.

If the idea behind the wheeze was there’s no such thing as bad publicity, I’d say that was only partly true.

3-January-157-January-15

Sad to hear of aircraft down at Popham

So sad to hear of the loss of life at Popham today when a small light aircraft came down south of the A303 in poor weather, almost certainly attempting a descent to land on runway 26. One of the three on board survived, and was driven to Southampton hospital in critical condition. Apparently the aircraft wasn’t based at Popham, but had left from Bembridge and was presumably diverting there due to the weather.

Another aircraft came down in about the same place in September 2012, but with no loss of life.

I was flying yesterday in a similar aircraft but thought better of today due to visit; and it’s both sad and sobering. My thoughts are with their relatives and everyone else at the Spitfire Club.

Update: 04-Jan-2015

The names of the occupants have been released as Lewis and Sally Tonkinson, with their six-year-old son as the sole survivor. Looking at the photographs of the crash site in the Isle of Weight County Press, the aircraft in question appears to be very “light”, consistent with a Pioneer 300 Hawk registration G-OWBA, of which Mr Tonkinson is a connected and on which 37 hours have been logged. Curiously, this is a two-seater with a 20Kg luggage capacity. LAA registration number is LAA 330-15155

Update 07-Jan-2015
I’ve seen reported elsewhere that the aircraft in question was a Pioneer 400 G-CGVO, but can’t tie this to Mr Tonkinson. The 400 is a “stretched” 300, with four seats, which would make more sense, but I’ve seen no official confirmation. There’s an AAIB report on G-CGVO (door opened on takeoff), but it was in Herefordshire, and the aircraft was based in Wales. It’s obviously possible that it subsequently changed hands.

17-July-1420-July-14

Malaysian flight MH17 “shot down” over Ukraine?

Updated 17th July at 2320

Since writing this, I’ve been watching the superior BBC journalism on Newsnight where they had the sense to interview someone from Jane’s. Apparently the separatists do have Buk missile launchers in the area, which is surprising. Did the Russian government really provide such a dangerous weapon? And apparently (I didn’t know this) a single launcher can operate in autonomous mode using on-truck forward-facing radar. Basically a goon with no overall tactical view – watching a blip on the radar can decide to shoot down the blip. There are rumours that the US tracked such a missile. This is scary, and derails the following conjecture. I’ve kept it for historical interest.

I’ve just been listening to the BBC reporting that “someone” in the Ukraine has shot down a Malaysian airliner flying overhead at 35,000′. Okay, it’s possible, and the fact it’s crashed is certainly a tragedy, but are any of these hacks aware that this is a long way up?

There are basically three kinds of Surface to Air Missiles. Before blaming the separatists, you have to realise that the hand-portable types (MANPADS) you’d associate with rebels aren’t really any good at shooting down much apart from attack helicopters or slow things close to the ground. Basically, don’t bother if it’s more than 10,000′ up. It’s possible that they have Igla Russian systems, but they couldn’t have used them.

There are portable systems that can hit targets that high – such as the Russian Buk. These are big beasts, built in to a truck. The separatists may have got tanks from somewhere, possibly with a nod and a wink from the Russian military – but are they going to really going to let a bunch of rebels have a Buk (SA-24)? It’s not something you’re going to miss like an old tank.

Could the Ukrainian government have done it? I don’t know whether the Ukrainian military has such a system; it probably does. But again, it’s not the kind of thing you’d fire off by mistake. Shooting at high-altitude jets isn’t going to be an accident, and why would they do it in purpose? Did they think it was a Russian military aircraft? I think not, but if they did, there are some complete idiots with dangerous weapons out there.

That leaves the Russian government – did they order it shot down? The same applies – why would they do that deliberately, and if it was an accident, it beggars belief.

The BBC is talking about missiles, but it could have been shot down “old school” with a fighter. Are the Ukrainians or Russians really going to shoot down a Malaysian airliner filling the windscreen of their MiG? That’d be crazy.

So I’m taking all this “shot down” news with a pinch of salt. Perhaps it suffered a failure and crashed; perhaps it was an on-board terrorist or bomb.

I think the BBC thinks the separatists (whom they don’t like) dunnit with a Stinger.

21-March-1424-March-14

MH370 – One week later, wreckage found. Really?

So, an Australian satellite has potted debris in the Indian Ocean at the far end of the arc MH370’s engine data fixed the aircraft on for seven hours. There’s now going to be a rush to find it, no doubt.

Fuzzy picture of what Australia hopes is wreckage of MH370 — Its it a plane? Is it a wave? It is a statistical certainty

Apparently these images are four days old and have only just come back from analysis.

I think this could well be a wild goose. What we’re looking at is a cluster of white dots in a texture of black and white. Experts have declared this likely debris; to me it looks more like waves. Or perhaps it’s a container washed off a ship, or who knows what? That’s it’s part of MH370 seems very unlikely. Probability is against it.

Let’s look at that probability. Firstly, why is the aircraft presumed to be on this arc leading north and south from Malaysia? It’s actually the line of equal distance (more or less) from the Inmarsat satellite collecting the data from the engines, and this is based on a 1d fix; namely the elevation. I believe it’s known to be 40 degrees declination from the satellite. That’s sound.

The arc ends where the aircraft stopped transmitting, which is also when it is likely to have run out of fuel, and the maximum distance it could have flown along the arc.

However, to get to the far end of the arc, someone would have to have flown it there – or set the autopilot to follow THAT course. Not any of the other courses it could have taken from the point, but that precise arced course. It’s not impossible; it could have taken this course. But is it likely? Probability says “no”.

What seems more probable to me is that the aircraft hung around in a holding pattern close to where it was lost. That’s where to look. If the satellites have found it, great – and the explanation as to why it followed that precise course will be interesting, but I’m not hopeful.

If you’re working on a conspiracy theory, the data sent to Inmarsat could have come form a ground-based transmitter; it could be fake to throw investigators off the scent.

13-March-1414-March-14

Missing Malaysian Airliner

I’ve got more interest than usual in this, as I happened to be on a ‘plane in the same airspace a few hours afterwards. It makes you think while waiting to board in Singapore.

Three days later, no wreckage has been found and there are rumours of the aircraft changing course. Hijack? That’s what it looks like to me, based on the facts released. First off, there was no distress call. The same was true of the Air France 477 in 2009 (discounting the automated transmissions), but that was way out over the ocean a long way in to the flight; MH370 had only recently departed and was in crowded airspace, in range of ATC and showing up on civil radar.

Much was made of the passengers travelling on stolen passports; given that part of the world I’d be surprised if there weren’t several on every flight out of KL. If it was a terrorist attack, someone would have claimed it by now anyway. And if it was external hijackers, the crew would have raised the alarm.

So what could have happened? The release of the final radio message is a huge clue – they were handing over from Malaysia to Vietnam, mid-way across the sea. Hand-overs are important – they say goodbye, change frequency and says hello. Only the goodbye happened.

If the aircraft had suffered a very sudden and catastrophic failure, the wreckage would be floating on the ocean below at that point. So that leaves the aircrew. They could have turned off the transponder and done what they liked.

If external agents had hijacked an aircraft the pilots would have triggered the hijack alarm on the transponder and made a distress call. They were in radar range, and radio range. And the security on the cockpit door would have allowed them time.

If I was flying an aircraft and wanted to take it over, mid-sea on ATC handover would be the obvious place to do it. Malaysia wouldn’t expect contact because they’d left; Vietnam wouldn’t notice loss of contact because none had been made; they’d assume they were still talking to Malaysia. Just speculating out loud…

Only military radar would be taking any interest in the aircraft, and in that part of the world you bet they were watching but don’t really want to talk about it.

24-May-1320-September-14

Airbus A319 Emergency Landing at Heathrow

It’s all over the news, with mobile phone pictures and everyone being interviewed. Although it’s clear one engine was in flames, one of the interviewees mentioned something really interesting that the main news media hasn’t picked up on yet…

Apparently the engine cowling became detached from both engines, after which the pilot assessed the situation with both engines running properly without covers. Only after one of the engines caught fire was the emergency landing made back at Heathrow. (This is reasonable – there are other places to land for less of an emergency and the crew might have wanted to assess the situation as to why they’d lost the covers before landing).

To lose one cover is unfortunate; to lose both is starting to look like carelessness.

It could be that the passenger being interviewed was a poor observer, or it could be that the covers were simply not latched on properly. It’s been said by the BBC people that “the covers were blown off” – engine explosion? Not likely, as apparently the engines remained running.

25-February-1316-April-13

787 Batteries Included – Why Li-Ion and aircraft shouldn’t mix

Poor Boeing – its 787 “Dream liner” fleet looks like it’s grounded for at least another month following fires in its Li-Ion battery. Many years ago I found myself researching and writing several articles on battery technology, and at the time I really didn’t like Li-Ion, even though it was being pushed as the latest thing. So I’m not that surprised that Boeing has had trouble. I’m only surprised that they used such risky technology in an aircraft, assuming it hadn’t been refined since I last looked at it. Given the problems they’ve had, it clearly hasn’t been refined.

Li-Ion batteries can actually be made from a very wide range of chemistries, all with different characteristics. The anode is normally carbon, but the cathode can be various metal oxides and the electrolyte a lithium salt – plenty of combinations to try. I understand that Boeing went for lithium cobalt oxide, which has one of the highest energy densities (better power-to-weight ratio) but is also considered one fo the most flaky. It’s the same chemistry as is commonly found in consumer devices with Li-Ion batteries. It’s the battery technology that the airlines felt so strongly was unsafe that they initially banned it from your luggage (only allowing later so business travellers could still use their laptops). It’s the type of cell that UPS won’t allow on international flights. And Boeing decides it’s a good idea to make a great big one and fit it in the heart of its new aircraft!

Apparently their plan is very much to mitigate the battery problems by encasing the cells in ceramic, put it in a strong metal box and venting it to the outside in case it starts smoking again. The FAA will be asked to sign this off as safe – potentially it could be considered unable to bring down the aircraft, although one has to wonder how well it will operate once the battery has self-destructed in a contained environment. If it’s not important to the operation of the aircraft, why’s it there at all?

Li-Ion does have an advantage over less exotic technologies in that you can store more power in a smaller, lighter package. But at a cost. Apart from the cells costing a lot more and needing fancy charge controllers to operate them safely(!), they’re also quite fragile in the short term; and in the long term they don’t survive for long.

Did you know, for example, that Li-Ion batteries decay badly when they’re fully charged? This means that if you keep your battery topped up it will lose capacity. If you leave it run down it will decay more slowly, but what’s the point of lugging a flat battery around? This characteristic makes it ideal for companies like Apple to fit into products like the iPhone. Whatever you do regarding charging the battery, your iPhone will die in a few years, forcing you to buy a new one (if you’re stupid enough).

Conventional battery technologies, like NiCd, are far more robust. You can discharge them, fast-charge them, trickle-charge them and generally abuse them. They last for years, with no need for fancy controlling electronics. Lead acid is even tougher, and has been used for decades in hundreds of millions of motor vehicles. Yes, it’s heavy but it’s cheap, there when you need it and has a very good record for not self-destructing.

Yet Boeing seems to be struggling on getting Lithium-Ion to work. They probably have a reason, but I can’t see what it is other than not wishing to back down on what’s looking like a bad decision.