Risk Factor iconRisk Factor

FAA to Boeing: Please Show that 787 Dreamliner Can't be Hacked

In a story that appeared last week in Flight International and then got legs via Wired, the Federal Aviation Administration (FAA) is going to require Boeing "to demonstrate that certain 787 flight critical domains - digital systems and networks that for the first time will be accessible externally via wireless and other links to airline operations and maintenance systems - cannot be tampered with."


The FAA Special Conditions Notice [Docket No. NM364 Special Conditions No. 25-356-SC] effective 1 February 2008 summary states:


"These special conditions are issued for the Boeing Model 787-8 airplane. This airplane will have novel or unusual design features when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes. These novel or unusual design features are associated with connectivity of the passenger domain computer systems to the airplane critical systems and data networks. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing standards."

The Notice goes on to state (highlighting mine):


The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane. Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."


Again, the upshot is that the FAA is worried that passengers (or aircraft maintainers) may intentionally or by accident interfere with 787 flight systems, and wants Boeing to prove otherwise.


According to Flight, "Boeing's network architecture for the 787 includes embedded software and electronics used for flight critical control and navigation systems, called the aircraft control domain, as well as for airline business and administrative support, known as the airline information domain."


I wonder if this connectivity issue is one of the reasons for the problems with 787 software that Boeing was having a few months ago.

AMT Patch Delays Tax Refunds as Expected

The IRS announced last week that because of the Congressional delay in the passage of the Alternative Minimum Tax (AMT) patch, it will take at least until the 13th of February before the AMT tax forms can be properly processed. According to Federal Computer Weekly, 13.5 million taxpayers who will use any of the five forms related to the AMT legislation will need to wait until then to begin submitting their returns, said Acting IRS Commissioner Linda Stiff.

Taxpayers affected are those using: Form 8863, Education Credits; Form 5695, Residential Energy Credits; Form 1040A's Schedule 2, Child and Dependent Care Expenses for Form 1040A Filers; Form 8396, Mortgage Interest Credit; and Form 8859, District of Columbia First-Time Homebuyer Credit. Once the tax forms are processed, refunds if any will take another 10 to 14 days to be sent out.

Porn Websites Get Hacked

The Boston Globe reported over the weekend that some porn sites have been hacked over the past few months. While it doesn't appear that credit card details have been compromised, personal information including email addresses of tens of thousands of customers appear to have been stolen.

This news has sent a wave of fear across the on-line adult entertainment business, since privacy is supposed to be guaranteed and is a sine qua non of the business. If hacking of adult web sites becomes "routine," the business might take a major financial hit.

Hmm, I wonder if this news will get some opposed to these sites to thinking.

LAUSD Payroll Fiasco Sparks Call for Payback


As I noted a few weeks back, the Los Angles Unified School District (LAUSD) now admits that its botched and blundered payroll system will likely cost upwards of $210 million when all is said and done. LAUSD school officials have said that they are considering litigation against the contractor, and have spent some $700,000 on two law firms to look into the matter, according to today's LA Daily News.

However, the Daily News says that California State Assemblyman Kevin de Leon is unhappy about what he sees as foot dragging by the LAUSD in pursuing damages, will introduce Assembly Bill 730 on 15 January, which would prevent any contractor found by a court liable for breach of an information-technology contract worth more than $1 million - and the judgment is greater than $250,000 - from bidding on any new business with the state or any local government for five years.

This might be an interesting approach that all government may want to consider, although $1 million may be a bit too low a threshold. I do suggest, however, the money spent on lawyers be considered as part of the overrun amount.

UK Government Wastes Nearly £2 billion on Abandoned IT Projects Since 2000


The London Guardian today published an analysis which found over £1,865bn has been spent on UK government IT projects that have been abandoned since 2000. As the newspaper notes, its "survey of abandoned projects is not exhaustive and the total of £1,865bn is likely to be a considerable underestimate of the actual cost to taxpayers because neither Whitehall nor the National Audit Office, parliament's financial watchdog, keep definitive lists of which schemes go wrong."

To say that it is an underestimate is itself an understatement, if Joe Harley, chief information officer at the Department for Work and Pensions (and former ICI Paints global chief information officer) is to believed. In May 2007, he said at the Turning the Tide Government UK IT Summit 2007 that, "Today only 30%, we estimate, of our projects and programmes are successful. It is not sustainable for us as a government to continue to spend at these levels. We need to up the quality of what we do at a reduced cost of doing so."

Given that the UK has spent nearly £100bn on IT since 2000, and 70% are not considered successful, I seriously doubt that only about 3% of those unsuccessful IT programs (no matter how you define success) were abandoned.

The UK government has gone on record as saying it wants a 90% plus IT success rate - meaning on time, on budget and to specification - by 2010/11.

To "Turn the IT Tide," assuming a uniform improvement rate of 15% and using the end of 2011 as the target date, then by the end of 2008, we can expect something like 45% of UK government IT programs to be successful. I'll be watching.

Does This Story Sound Familiar?

The Minneapolis Star Tribune reported earlier this week that a scheme by the Minneapolis' convention bureau to make money developing and selling software for booking and managing conventions has gone slightly awry.

According to the paper, the Minneapolis City Council lent the convention bureau $2.5 million in 2004 to create the convention booking software with the idea that it would help pay for the costs of marketing the city to tourists. In fact, the bureau told the City Council that it only expected to use $1.5 million of the $2.5 million loan to develop the software.

But "a series of unexpected setbacks involving the technical work of developing the software" in 2005 led the the bureau to asked for (and get) another $2.5 million in loans to complete it.

But then in 2006, the bureau said it needed to borrow up to another $5 million to complete the software and market it. Surprisingly - or maybe not - the convention bureau got its loans because it was able to convince the City Council that the opportunity was both "tremendous" and the software was nearly finished (95% complete?). Council Member Paul Ostrow declared at the time: "We're quite confident that this is relatively low-risk."

Well, fast forward to the end of 2007, and so far, the bureau has spent $9.1 million and sales of the software, while now apparently complete (it is called the Internet Destination Sales System (IDSS)), hasn't yet turned a profit. At least $1.7 million in sales per annum are needed to just break even.

In addition, the financial resources devoted to the effort has taken money away from marketing Minneapolis to tourists - a bit ironic to say the least.

The City Council finally wised up and stopped approving any more money to the project. In addition, the person who originally sold the idea to the City Council has also decided to "move on."

According to one current City Council member, "The customers who have the product are very pleased with it. As are we. From that standpoint, it's turned out to be a great product. Time will tell how the business model is going to work." The story didn't say how many customers are using the software, but I suspect the sales price is considerably higher and the potential market size is much smaller than forecast back in 2004.

The convention bureau thinks it can make a profit on selling the software this year, while others think 2009 at the earliest. I'll keep an eye on this story and let you know how it turns out.

Sad News

Tully.gif I just found out today that Middlesex University Emeritus Professor Colin Tully, an influential British computer scientist and a long-time friend, passed away on the 26th of December.

Colin and I first met over twenty years ago when I used to live in the UK, and we had many a lively discussion on information systems and technology risks and their management over the intervening years. Our latest conversations, the last of which was just a few weeks ago, have been about the risks surrounding the NHS National Program for IT (NPfIT), which Colin was deeply concerned about.

Colin will be missed in the software engineering community.

Census Program in Serious Trouble?


In a story released this morning, Government Executive magazine reports that a MITRE Corporation talking paper implies that the Census Bureau's hand-held computer project (Field Data Collection Automation) on which the 2010 Census depends is in serious trouble. The talking paper states that the project is quickly running out of time, and that end-to-end system testing might be seriously affected.

In response the the issues raised by the MITRE paper, the Census seems to be taking a "failure is not an option" approach, although given what is in the talking paper, I definitely think it is a possibility.

Software Problems Ring In the New Year on Schedule

fireworks.gif A bad computer file forced the New Year's Eve fireworks display in Seattle to be launched manually, resulting in a show that was out of sync with its choreographed music, according to a report in ComputerWorld.

Then, right after midnight, a software problem affected the Verizon wireless network in the Washington, DC area into early New Year's day, reports the Washington Post.

Next Intuit had to announce yesterday that the "permanent patch" for a bug in QuickBooks on the Mac that erased files from users' hard drives that was released on 31 December, does not in fact completely fix the flaw, reports ComputerWorld.

Finally, some Seminole County Florida residents opened their water bills for December 2007 and found bills for both December 2007 and 2006. As the Orlando Sentinel explains, "billing information from December 2006 was not purged from the [county's automated computer-billing] computer memory, so the system generated a bill based on that information."

Glad to see that 2008 is looking a lot like 2007 in the IS&T department, or as The Who would say, "Meet the new boss, same as the old boss."

UK Doctors Don't Trust NPfIT Security


The London Times reported over the weekend that a poll it conducted sowed that more than three quarters of National Health Service (NHS) doctors, "are either 'not confident' that [patient] data will be safe or 'very worried' that data will leak once the £20 billion National Programme for IT (NPfIT) is running. Asked how well they thought that local NHS organisations would be able to maintain the privacy of data, only 4 per cent said very well. The majority, 57 per cent, said quite or very poorly."

Interestingly, the more experienced the doctor in IT, the less confident they are that the benefits of the NHS electronic health record system out weigh the risks to patient privacy.

In the London Telegraph, there are also two stories about the NHS changing how it plans to do business. The first is about a plan for millions of people suffering from "arthritis, asthma and even heart failure will be urged to treat themselves," as a means to save money. Some patients will be encouraged to report "medical information to doctors remotely by telephone or computer," which I assume will mean a big change to what will need to be captured in the NPfIT electronic health record.

The second story is also about Prime Minister Gordon Brown's desire to make people responsible for their own health, by denying medical treatment to patients that are deemed not to be taking care of themselves. The story says that, "Patients could be required to stop smoking, take exercise or lose weight before they can be treated."

Hmm, once the NPfIT is all in place, this should be easy to do. The government will be able to set up filters based on a person's medical history, and deny them access to treatments.

Brown says that, "I believe these are steps vital to securing the health of the NHS for the next 60 years."

"They will require a broadening and a deepening of reform to ensure that the NHS as a whole attaches the same priority to a personal and ­preventative service as many of you already reflect in your own day-to-day decisions."

In other words, the NHS will be there to treat you as long as you are already healthy.

I think UK doctors' might want to worry about patient privacy a bit more.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones
Load More