top | item 41394683

timdorr | 1 year ago

Based on the language on their site about requiring an existing CASS subscription, my guess is there was no approval at all. It appears this person has knowledge of the CASS/KCM systems and APIs, and built a web interface for them that uses the airline's credentials to access the central system. My speculation is that ARINC doesn't restrict access by network/IP, so they wouldn't directly know this tool even exists.

Some quick googling shows the FlyCASS author used to work for a small airline, so this may piggyback off of his prior experience working with these systems for that job. He just turned it into a separate product and started selling it.

The biggest failure here is with ARINC for not properly securing such a critical system for flight safety.

AndrewKemendo | 1 year ago

This right here people need to pay attention to for the following reason:

One person can make a lot of impact

The most common thing I hear people say with respect to their jobs is: “I’m just one person, I can’t actually do anything to make things better/worse…”

But it’s just wrong and there’s thousands of examples of exactly that over and over and over

In this case, if this is true, it’s both amazing that:

One person, or a small number of people, could build something into the critical path as a sidecar and have it work for a long time, and

second, the consequences of “hero” systems that are not architecturally sound prove that observability has to cover all possible couplings.

feoren | 1 year ago

Oh, everyone knows that one single person can make things a lot worse. That's all that's happening here. That doesn't say anything about how much one single person can make things better. In the former case, your powers are amplified by the incompetence of everyone else involved; in the latter case, they are diminished.

mattgreenrocks | 1 year ago

Good observation! This person is obviously meeting a need, and probably doing pretty well for themselves, SQL injection and all.

> The most common thing I hear people say with respect to their jobs is: “I’m just one person, I can’t actually do anything to make things better/worse…”

Yup. This is something on the order of a large-scale blackpill meme lately. Comment sections are usually rife with low-agency thinking. Which is quite something in tech, given that devs are the means of production for tech. True, tech as of late seems to be veering into more capital-heavy ventures (AI), probably to head off existential risk from the fact that a few skilled individuals can still really make a dent.

It all comes down to belief and will.
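As an added illustration (not code from the thread, and not FlyCASS's own code, whose internals the thread does not show), here is the classic login-form injection the comment above alludes to, next to the parameterized query that closes it. The user table, the stored credentials and the crafted username are all constructed for this example; the plaintext password column is a simplification to keep the demo short.

```python
"""Added example: string-built SQL vs. a parameterized query on a login check.
Everything here (table, users, payload) is constructed for illustration."""
import sqlite3


def _fresh_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a real backend.
    Passwords are stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Concatenates user input into the statement, so input is parsed as SQL.
    Returns the matched role, or None when no row matches."""
    sql = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Binds user input as parameters, so it can only ever be compared as data."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Runs both checks against a crafted username; the '--' turns the rest of
    the concatenated statement, including the password test, into a comment."""
    conn = _fresh_db()
    crafted_username = "admin' --"  # constructed payload, not from the thread
    return {
        "vulnerable_with_payload": login_vulnerable(conn, crafted_username, "wrong"),
        "safe_with_payload": login_safe(conn, crafted_username, "wrong"),
        "safe_with_real_creds": login_safe(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The vulnerable path hands back the admin role without a valid password, while the parameterized path returns nothing for the same input and still accepts the genuine credentials; a code review or a grep for string-built SQL around authentication is the cheapest place to catch this class of bug.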

amelius | 1 year ago

Yeah but this is not very actionable. It is like saying that one person can win the lottery.

You have to be in the right place at the right time.

raxxorraxor | 1 year ago

Why is it critical for flight safety? It is critical for security theatre we have to endure at airports because some people have heightened neuroticism.

Be that as it may, of course the error needs correction. If it really is a one-man show for a tool like this, it isn't even surprising that there are shortcuts.

jamesharding | 1 year ago

Gaining access to the normally-locked flight deck jump seat seems like a pretty big potential flight safety threat to me.

sydd | 1 year ago

Because your luggage is not checked at all. I'm sure that a state-level actor could circumvent TSA, but an amateur could not, and they pose a huge threat too; see the recent bombing attempt at the Taylor Swift concert or the Trump assassination attempt.

Laaas | 1 year ago

Imagine if you could bring your own water, and drown in it! Horrifying!

CPLX | 1 year ago

Allowing literally anyone to get into any airport and into any locked cockpit without any screening is critical to flight safety. If you can’t immediately see why I’m not sure what to tell you.

kva-gad-fly | 1 year ago

If this were the case, then it seems quite plausible that the website itself was just a passthrough, and the APIs provided by ARINC would be exposed.

This then begs the question of how ARINC passed a security audit.