
All United Flights Grounded Due to Mysterious Problem - throughnothing
http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/?mbid=social_twitter
======
krschultz
I was flying from Dublin to Newark on Saturday on a United flight. At some
point during our flight the entertainment system needed to be rebooted. When
it came back up, the splash screen hit me with a huge amount of nostalgia. It
was RedBoot with a kernel build date from 2004.

Obviously this is the entertainment system and not something more critical,
but it's telling. There is a huge cadence mismatch between software cycles and
capital good replacement cycles. Airplanes, factories, HVAC systems, even home
appliances last for decades. Software on these systems needs to get upgraded;
I can't even imagine the number of security patches that have gone into the
Linux kernel in the last 11 years.

~~~
theandrewbailey
This is the Achilles heel of the entire Internet of Things and smart appliance
trend, and I think this will bite everyone bad. After 50+% of these vendors go
out of business in the next decade, their products won't get updated, and
people will wonder why their "smart" TV can't watch movies from whatever
replaced Netflix/new whizbang video service. They won't be as likely to buy
any "smart" thing again.

~~~
rcraft
This is exactly why I prefer buying "dumb" tvs and simply adding
chromecast/appletv/firetv, etc. Much better experience.

~~~
sliverstorm
It doesn't really matter that much if it's dumb or smart. You can use a
Chromecast with either, and refusing to buy one kind limits your choices.

~~~
wutbrodo
I think his point is based on the (very reasonable) assumption that an
equivalent quality Smart TV is going to be more expensive, which isn't worth
it in general since you're not using the features that cause the difference in
cost.

There of course may be realities of the market to cause it to not work out
this way, but it's a pretty sensible assumption.

~~~
caskance
That assumption is not reasonable at all. Not only are "dumb" TVs no cheaper,
hardly anyone even sells them anymore.

~~~
hullo
Picking a manufacturer (Samsung) and size (32") at random, I see the smart TV
for $499 and non-smart options for 219, 269, 299.
[http://www.samsung.com/us/video/tvs/all-products](http://www.samsung.com/us/video/tvs/all-products)

Just for example.

~~~
mikeryan
It's not a direct comparison.

The Smart TV even without the "Smarts" are generally higher end TVs.

Though not indicated on the main screen the $299 option is actually a SmartTV
if you click through. You have to get down to the $269 option to get to non-
smart TV.

The difference between the $269 and $299 seems to be about the difference for
putting a processor in a TV and making it smart....

(Note I don't make the claim that the SmartTVs are cheaper but for the most
part it's being absorbed in the cost of higher end devices so you get the
Smarts "for free" on better sets)

~~~
hullo
Oh that's a good spot I missed the 299. But still $30 is the cost of a
chromecast or fire stick, to the gp's original point.

------
clmns
Interesting. I worked on the support team for the software that creates and
files the flightplans for UAL. It was a horrible piece of SW/architecture with
many outages. We tested in production daily and had direct access to the
databases. I'm pretty sure they never changed their policies.. So yeah, this
sounds very much like it!

Edit: Just got confirmation, this software was the root cause. No
hacks/whatsoever!

~~~
tfe
This is what I love about HN. There are people that _actually worked on_ x
system-in-the-news wandering around. Thanks!

~~~
dopamean
Good thing no one on the internet ever lies.

------
georgeglue1
Interesting, United recently added a pretty lucrative bug bounty program (a
rarity among airlines) a couple of weeks ago.
[http://www.united.com/web/en-US/content/Contact/bugbounty.as...](http://www.united.com/web/en-US/content/Contact/bugbounty.aspx)

It would be ironic if the bug bounty program directly/indirectly led to this.

~~~
lucaspiller
Except:

    
    
      Bugs that are not eligible for submission:  
      * Bugs on internal sites for United employees or agents (not customer-facing)  
      * Bugs on onboard Wi-Fi, entertainment systems or avionics

~~~
saryant
The onboard wi-fi and IFE are provided by external vendors (Panasonic, LiveTV,
etc) and United probably doesn't want to pay for their bugs.

~~~
jfaat
More importantly, I think they are trying to avoid giving any incentive to
hack a plane mid-flight. The policy also stated that criminal actions may be
pursued in cases of attempting to access these systems.

------
djcapelis
A lot of people seem to be jumping to the conclusion that their systems are
malfunctioning because of being hacked rather than their systems
malfunctioning on their own. Hard to know what is happening from the outside,
but their systems may just merely be bad.

That said, the plane communication protocols aren't terribly secure, so it's
certainly feasible someone is playing around with them. Maybe they'll decide
it's in our interest for us to know at some point.

------
cryoshon
Is this what an actual cyberattack / cyberwar looks like?

Imagine how much money is being lost right now as a result of this disruption.
Somewhere hackers are popping champagne.

~~~
chatmasta
UAL stock took a $1 nosedive (hah) at 10am.

~~~
glesica
Find out who made money by shorting it, there's your list of suspects, or at
least co-conspirators (if this turns out to be a hack).

~~~
caskance
Or people who use twitter and like to gamble.

~~~
getsat
Or bots who subscribe to Twitter feeds and open trades based on sentiment

~~~
chatmasta
In that case the suspects could be the ones buying it after it dropped $1,
since it went up afterward.

As long as securities react to hacks, there will be a massive incentive to 1)
hack, and 2) overstate the hack's significance. Furthermore, as bots become
more sophisticated, confusing them becomes easier. If you know bots will short
CompanyX when "CompanyX hacked" hits the headlines, then you have an unfair
advantage just by being the first to know of the hack.

------
netizzio
It's interesting that the Wired article mentions the recent controversy about
claims that aircraft systems can be hacked, but explicitly ignores the
incident last week as having any possible relation to these events, where a
bigoted employee denied a Muslim passenger an open can of Diet Coke because it
"might be used as a weapon", while giving the passenger in the adjacent seat
an open can of beer.

The response from United was unapologetic and absolutely disgraceful:
[https://hub.united.com/en-us/News/Company-Operations/Pages/s...](https://hub.united.com/en-us/News/Company-Operations/Pages/shuttle-america-flight-3504.aspx).

~~~
saryant
A few things about that:

1) The beer isn't free, the passenger paid for the entire can or used a 1K
drink chit.

2) UA flight attendants are famous for making up rules and many try to avoid
handing out entire cans of soda, and this one wasn't even a United flight
attendant.

3) What on earth would that have to do with today's event?

~~~
netizzio
Whether or not the beer was free has absolutely nothing to do with this. It's
not about the beer or diet coke, but about the blatant bigotry exhibited by an
employee against a passenger on a United flight, as well as inexcusable
behavior by another passenger.

Similarly, whether or not this was a United flight attendant is also of
absolutely zero relevance. They may have technically been an employee of
Shuttle America, but were part of the cabin crew and a representative of
United on that flight, working under the United brand and wearing United
uniforms. Therefore, when United releases a statement making no apology for
abhorrent behavior exhibited by their representative, it reflects directly on
them.

It may have nothing to do with this event, just as Chris Roberts tweeting that
he hacked into the in-flight entertainment system may have nothing to do with
this event. It's merely interesting that Wired explicitly ignored the actions
of United as having any possible relationship to this event.

------
cgy1
Hope it's not due to people using unopened cans of Diet Cokes as weapons.

------
gkanapathy
Pretty sure that if it was a hack or credible bomb threat, that they would not
have been flying again after only an hour. A scenario like that would suggest
just a normal IT glitch and a reboot/restart to fix and validate that it's
back to normal.

------
philip1209
I'm honestly surprised that critical software at the core of more operations-
heavy companies does not go down more often. Possible causes range from a
software bug to database master failover to a data center outage, but
realistically there are single points of failure at delivery companies,
airline companies, and more that could stall everything. I'm surprised this
software doesn't break more often. When was the last time that UPS had
delivery delays due to a software outage?

------
dmazin
I was one of the people grounded this morning. They said they were having
mechanical problems. They took the plane out to the runway and taxied it
around "to try to figure out what's wrong," then let us on.

------
arca_vorago
From what I understand of the Chris Roberts fiasco, their avionics systems
weren't airgapped from the other systems. If that is the case and not just
hype, then no fucking wonder shit like this can happen.

~~~
rubicon33
What does "air gapped" mean?

~~~
josephmosby
"Air gapped" means that there is a physical separation between two networks
(i.e., there's "air" between them). If two networks are physically connected,
there is always a chance that someone could bypass any software security
restrictions. If the two networks aren't physically connected, there's no way
to gain access to one network from another.

In this instance, the inflight entertainment network and the avionics network
were physically connected, and the security researcher was able to gain access
to the avionics network by connecting to the inflight entertainment network.

~~~
tobinfricke
The phrase no longer makes literal sense in this day of ubiquitous wireless
communications.

"If the two networks aren't physically connected, there's no way to gain
access to one network from another" is no longer true.

~~~
sliverstorm
That's true, it's a bit of an anachronism. But everyone knows what it means.

Like skeuomorphism. Nobody uses floppy disks anymore, yet the floppy logo is
universal for "save".

~~~
vacri
It's depressing that the various rounds of Win 10 logos floating around all
use the floppy-for-save concept. Floppies haven't been in vogue at all this
century.

~~~
dragonwriter
But "floppy for save" has been ubiquitous. It's not so much a skeuomorph as a
well-recognized ideograph.

------
simonebrunozzi
What I really HATE about things like this one is that United will not refund
us (I was heavily affected yesterday), or will offer offensive amounts of
dollars/miles as refund.

------
jsingleton
Could be a similar issue to the recent electronic flight bag issue. Certainly
reads that way from the article. They seem very quick to blame a hack when it
could very easily be a bug in the system or an administrator error.

[http://www.theguardian.com/technology/2015/apr/29/apple-ipad...](http://www.theguardian.com/technology/2015/apr/29/apple-ipad-fail-grounds-few-dozen-american-airline-flights)

~~~
a3n
Have they actually officially blamed anything?

------
onyxraven
The initial descriptions sound more like someone pointed a testing tool at the
wrong environment, rather than a hack.

------
jobu
Not sure if it's related, but the United website was down this morning for a
while as well.

~~~
dredmorbius
Spoke to folks at another airline a couple of years back. Flight registration,
SABRE, and aircraft maintenance were all managed through the same systems. I
found that both surprising and unacceptably risky.

------
vonklaus
Well, if 9/11 is any indication, commercial jets can deliver pretty
destructive payloads. Avi Rubin summarized some hacks in his TED talk[0],
where hackers gain complete control of vehicles. It is unwise to just spread
FUD this early, however, if these systems bear any resemblance to cars (and it
is likely that they have many of the same characteristics i.e. digital control
of key steering/speed/avionics) then it is possible someone has the
information to control a fleet of missiles on American soil. Unlike 9/11,
these people will not be the US government, and could be actual terrorists.

Who knows, maybe this is just a 16 year old who got accosted going through
security and wanted to burn off some steam.

[0]
[https://www.youtube.com/watch?v=BHHCvcCUOWU](https://www.youtube.com/watch?v=BHHCvcCUOWU)

------
evo_9
Could this be related to the recent articles about a researcher taking control
of a plane via the entertainment system?

[http://www.wired.com/2015/05/feds-say-banned-researcher-comm...](http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/)

