HAL would be proud of his offspring

ralphbsz

Daemon

Thanks: 742
Messages: 1,262

#2
Nothing new. Old joke from an old friend of mine (he is the designer of one of the most interesting supercomputers, and an amateur pilot):

What are the last words of the pilot before a fatal crash on most planes? "Oh shit!"
What are the last words of the pilot before a fatal crash on {Boeing,Airbus} planes? "What is it doing now?"

The same friend refers to helicopters as "10,000 parts, temporarily flying in close formation."
 
OP
Phishfry

Son of Beastie

Thanks: 925
Messages: 2,900

#3
refers to helicopters as "10,000 parts, temporarily flying in close formation."
Very eloquent. I was plane captain on the Sikorsky SH-3 Sea King and it is one of the most durable helos ever made.
It does use over 60 grease fittings in the rotorhead alone. It has a hand pump so you can keep the hydraulic systems pressurized in case all 3 hydraulic pumps fail. It will bring you down safely in an autorotation.
They really knew how to design things in the late 'fifties.
3 hydraulic systems and a manual backup. Now we can't fly without GPS or electronics.
 

sko

Well-Known Member

Thanks: 206
Messages: 407

#4
If you heard some of the horrors that are avionics software, you'd try to avoid sitting in any of these things. (Or you finally realize why there is at least one bar at any airport...)

E.g. some planes have an automated collision avoidance system, hard-wired into the controls without any way of override. Sounds like a good idea, except the broadcasts that are used to identify other planes and their movements aren't authenticated in any way. These broadcast signals consist of a flight number, position coordinates, height, speed and movement vector. The format is very easy to understand and the messages aren't encrypted. So anyone with a somewhat strong antenna and radio kit (or living near an airport...) could easily send such a broadcast to any plane to get his personal airshow...
There was an interesting talk about this broadcast system (and how horribly insecure it is) ~2 or 3 years ago at defcon IIRC. Living near an airport back then I couldn't resist using my cheap 5EUR DVB-T dongle and gnuradio to have a look myself, and actually it's even more terrifying if you see how much more is being sent over the air unencrypted and very likely processed without any form of validation...

Anyone remember the incidents at LaudaAir where planes engaged the thrust reversal in mid-flight? One of my professors back at university ~10 years ago was in the engineering/software team they hired to investigate and try and find/fix that problem. The code turned out to be a horrible mess of years or even decades of patchwork, hotfixes and additions; most of the code was written in the form of dozens of nested if/when/while checks on existing conditions from the very old, basic/crude code that it seemed no one dared to touch later on...
Of course available time and budget was way too low to actually find and fix the actual problem, so the final solution that actually went airborne for the remainder of the lifetime of these planes was to just add yet another hotfix far down the codepath: if the thrust reversal wants to activate, check if the gear is engaged/locked and if we are below a given altitude, else don't activate TR. (I bet there was a comment much like the now infamous "temporary, i hope hope hope")

Oh yes, and most planes still use one single (often even completely flat) network for all communication on board. Yes, that includes the buggy android phones of pimply-faced teenagers on the plane as well as the engine control systems... Of course, this has only been pointed out constantly for at least 6 or 7 years. In public. By dozens of people. And on social media. So there's no need to fix that anytime soon :rolleyes:


There are some very interesting talks nearly every year at defcon/blackhat/<other con> about such avionics software horrors. If someone wants to develop a serious aviophobia, they should absolutely watch some of them ;)
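The post above describes a receiver that acts on unauthenticated, unencrypted position broadcasts without validating them. The following is an added example, not code from the thread or from any avionics vendor: a kinematic plausibility filter that a receiving system could apply before trusting a report. It assumes a simplified, constructed report format (flight id, timestamp in seconds, latitude/longitude in degrees, altitude in feet, ground speed in knots, track in degrees) rather than any real protocol, and the flight-envelope limits are assumed constants, not values from the page.

```python
"""Kinematic plausibility checks on unauthenticated position broadcasts.

Added example (not from the forum post). The report format and the
envelope limits below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Report:
    flight: str
    t: float          # seconds since some epoch
    lat: float        # degrees
    lon: float        # degrees
    alt_ft: float     # altitude, feet
    gs_kt: float      # reported ground speed, knots
    track_deg: float  # reported track, degrees


EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
MAX_GS_KT = 700.0            # assumed ground-speed envelope for a transport aircraft
MAX_CLIMB_FPM = 8000.0       # assumed climb/descent-rate envelope, feet per minute
SPEED_TOLERANCE = 0.5        # implied speed may differ from reported speed by 50%


def distance_nm(a: Report, b: Report) -> float:
    """Great-circle distance between two reports (haversine), in nautical miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def check_pair(prev: Report, cur: Report) -> list:
    """Return reason codes for rejecting `cur` given the last accepted report `prev`.

    An empty list means the new report is physically consistent with the old one.
    """
    reasons = []
    dt = cur.t - prev.t
    if dt <= 0:
        return ["timestamp"]               # replayed or out-of-order report
    implied_gs = distance_nm(prev, cur) / dt * 3600.0
    if implied_gs > MAX_GS_KT:
        reasons.append("speed_envelope")   # position jumped too far for the elapsed time
    if cur.gs_kt > MAX_GS_KT:
        reasons.append("reported_speed_envelope")
    if abs(implied_gs - cur.gs_kt) / max(cur.gs_kt, 1.0) > SPEED_TOLERANCE:
        reasons.append("speed_mismatch")   # position change contradicts reported speed
    climb_fpm = abs(cur.alt_ft - prev.alt_ft) / dt * 60.0
    if climb_fpm > MAX_CLIMB_FPM:
        reasons.append("climb_envelope")   # altitude changed faster than the airframe can
    return reasons


def filter_stream(reports):
    """Split a stream of reports into (accepted, rejected) in arrival order.

    Rejected reports do not update the per-flight history, so a single bogus
    report cannot drag the reference point away from the real track.
    """
    last = {}
    accepted, rejected = [], []
    for r in reports:
        prev = last.get(r.flight)
        reasons = check_pair(prev, r) if prev is not None else []
        if reasons:
            rejected.append((r, reasons))
        else:
            accepted.append(r)
            last[r.flight] = r
    return accepted, rejected


def sample_reports():
    """Constructed sample: one flight northbound at 450 kt, FL350, reports every 10 s.

    Report 4 jumps ~27 nm in 10 s; report 6 drops 30,000 ft in 10 s. Both are
    physically impossible and should be rejected; the others are consistent.
    """
    step = 1.25 / 60.0  # 450 kt * 10 s = 1.25 nm = 1.25/60 degrees of latitude
    good = lambda i: Report("TEST123", 10.0 * i, 47.0 + i * step, -122.3, 35000.0, 450.0, 0.0)
    return [
        good(0), good(1), good(2),
        Report("TEST123", 30.0, 47.5, -122.3, 35000.0, 450.0, 0.0),             # position jump
        good(4),
        Report("TEST123", 50.0, 47.0 + 5 * step, -122.3, 5000.0, 450.0, 0.0),  # altitude jump
    ]


if __name__ == "__main__":
    acc, rej = filter_stream(sample_reports())
    print(f"accepted {len(acc)}, rejected {len(rej)}")
    for r, why in rej:
        print(f"  t={r.t:>4}: {why}")
```

The filter only has a reference point once it has accepted a first report for a flight, so a brand-new flight id gets only the static envelope checks; it is a consistency check, not a substitute for authenticated messages, which the post notes the broadcasts lack.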
 
OP
Phishfry

Son of Beastie

Thanks: 925
Messages: 2,900

#5
The military's V-22 Osprey is probably the worst aircraft we have recently designed.
They have it mostly working but that transition from flight to hover must be a 'hold your breath' moment.
A driveshaft that connects both turbines over the top of the cabin. Just so many gearboxes that it's bound to fail. Too much complexity.

https://www.aopa.org/news-and-media/all-news/2008/march/01/endurance-test-circa-1958
64 days aloft in a Cessna. Woke up once at the stick in a canyon. Talk about luck.
 

Sevendogsbsd

Member

Thanks: 6
Messages: 71

#6
This is why they should force engineers to learn basic cybersecurity principles in school. Most people designing systems like this don't even consider basic cybersecurity design principles. Which is why people like me will always have a job...;)

My father was an electrical engineer for Boeing for nearly 40 years starting in the 50's. Been around aviation my entire life - seems the old days of analog everything have long gone - some advantages to computerized flight but manual backup is still needed as you mentioned. Nothing is foolproof.

Great post, thanks!
 

sko

Well-Known Member

Thanks: 206
Messages: 407

#7
This is why they should force engineers to learn basic cybersecurity principles in school. Most people designing systems like this don't even consider basic cybersecurity design principles. Which is why people like me will always have a job...;)
I'd propose a much simpler solution: Software/Firmware (especially for critical systems) should either be fully open source so problems can be found and fixed; or if the software is proprietary/closed, the company selling it has to take _full_ responsibility for any accidents and damages.
No more EULA bullsh*t like "you have to pay us big $$$ every month, but you can't sue us if our software kills your business or a bunch of people" and I guess most/all of the big software-dinosaurs with such antiquated business models would be out of business within a few days....
 

Crivens

Moderator
Staff member

Thanks: 644
Messages: 1,607

#9
My dad worked for several aerospace companies; he brought home the crash reports in circulation for a young engineer-to-be to read. He was pleased when he did not need to explain, because said grasshopper was already asking who'd greenlighted this mess. Stuff like the F22, whose nav core curls up and dies when you cross the +/-180 line, came later. Must be great to be over the Pacific somewhere when this happens...

Once I got a PHB from Airbus in a university speech to admit that plugging your laptop into the seat ethernet gives you a direct electrical link to the flight control system. But no worries, they have a firewall... why is half the audience banging their heads into the desk? Oh, and this flight control box was meant to be updated over the air, while running. Whoops, there goes the other half.

I'd prefer a MIG29 any day.

But compared with automotive code, avionics is still pretty good. Sad, but true.
 

Sevendogsbsd

Member

Thanks: 6
Messages: 71

#10
Yeah, this stuff makes travel scary...my truck is filled with computers too. Fortunately I don't drive much any more since I work at home, but still...
 

bookwormep

Active Member

Thanks: 111
Messages: 203

#11
The U.S. Air Force has triple-locked storage areas for avionics, and with good reason; what you all are describing is not that encouraging.
 
OP
Phishfry

Son of Beastie

Thanks: 925
Messages: 2,900

#12
This story is getting really bad...

"Incorrect data readings can set off the automated anti-stall system to force the plane into a nose-dive, even if the plane is not on autopilot."

My mind can't even comprehend that they did not consider errant sensor readings? Take over the controls and dive.

This article is really very unflattering from the local newspaper.
https://www.seattletimes.com/busine...grown-in-renton-despite-boeings-reassurances/
"We’re ripping apart some of the electronics racks already assembled to replace wire bundles that aren’t right," he said.
Having worked on the Sea-King I can't even imagine what a cable bundle for a 737 looks like.
Let alone trying to debug it in the parking lot.
Usually wiring harnesses are laid out on a jig, tested and wrapped before even hitting the aircraft.
That was my experience 30 years ago.
http://www.bmpcoe.org/bestpractices/internal/north/north_12.html
 

Crivens

Moderator
Staff member

Thanks: 644
Messages: 1,607

#13
Having seen how the wiring for an A320 is done, I can tell you... Imagine an XY plotter the size of a football field. The cables are put down automatically, each endpoint has each color coding exactly once, so even if the stickers fall off... Then after some hours a team with zip ties comes in and carries the thing out. Repeat.
Then some PHB comes around and has a cheaper offer, more flexible too. Some company in a low-paying country wants to be faster, by doing it all by hand. PHB does not understand why engineers with flaming pitchforks are taking up position on the parking lot.

And that usually is how shit happens.
 

Rigoletto

Daemon
Developer

Thanks: 748
Messages: 1,654

#14
I'd propose a much simpler solution: Software/Firmware (especially for critical systems) should either be fully open source so problems can be found and fixed; or if the software is proprietary/closed, the company selling it has to take _full_ responsibility for any accidents and damages.
That is not really applicable, because high-integrity safety-critical software is by rule written based on given specifications and design, and only accepted after being formally verified (mathematically proving it 100% matches the given specifications and design) and certificated against avionics-specific certification parameters (that's why Ada/SPARK and now also OCaml are the preferred languages; however `High Integrity C++` seems to be the most used these days).

So, almost always the software issues are actually related to wrong given hardware specifications and/or poor design, and not to bugs in the code itself.

[EDIT]

By poor design I actually mean design mistakes. Calling those designs poor is rather too strong.
 

Crivens

Moderator
Staff member

Thanks: 644
Messages: 1,607

#15
Also, given the price tag of a verification by the authorities, I would stay away from messing with the code. You as a single person can forget about having your changes used anywhere. So why would you do that? And forget about going up without any green light from there, as there will be no insurance.
 

ralphbsz

Daemon

Thanks: 742
Messages: 1,262

#16
I'd propose a much simpler solution: Software/Firmware (especially for critical systems) should either be fully open source so problems can be found and fixed;
Two problems with this. Who would go and voluntarily read the source code for something as complex as an airplane or something of that magnitude, without getting paid a lot of $$$ for it? It must have zillions of lines of code. A few years ago (maybe 15) I heard that the Boeing 767 or 777 was the first airplane that wasn't able to lift a printed copy of its own software documentation. Clearly, documentation is an integral part of the work product of a software development organization, so this documentation would have to be released too, right? Do you think you would read dozens of tons of requirements and design documents before reviewing the code?

Second: there is a problem with releasing source code that is not often talked about by the religious fanatics of open source: vulnerabilities are exposed. Sure, a white hat hacker (a good guy) could read the source code for the plane's software, find a bug, and then quickly tell Boeing or Airbus about it, so they can fix the bug (ha ha, if only it were that easy). But a black hat hacker with the same skill could also find the same bug. And then he could for example take Airbus or Boeing hostage, and demand $$$ to tell them about the bug, or else he's going to go to the New York Times and embarrass them in public. Or tell their competitors, so they can optimize their planes to do better in certain competitive evaluations. That wouldn't be all that bad, just a terribly expensive way of finding bugs. But the black hat hacker could instead exploit the bug to crash the airplane.

I'm not saying that Open Source Software is always bad, in all cases. I'm just saying that it comes with certain drawbacks, and in the case of safety-critical software, the drawbacks probably outweigh the benefits.
 