Wireless IFE

Recently I flew to Surabaya and took Silk Air (MI) for the return flight.  It was a short flight, about 2 hours, and in the evening.  I was rather tired: I had arrived in Surabaya in the morning (on an SQ flight) and spent a few hours there before flying back.  I was looking forward to sleeping on the plane.

The last time I took MI was a good 10+ years ago, also for a flight to/from Surabaya.  So, I did not expect too much from the carrier that some people referred to as a "budget airline with SQ fares."

After I boarded the plane, and while waiting for the push back, I browsed the in-flight magazine and noticed that Silk Air now provided in-flight entertainment; an improvement.  However, the plane had no in-flight entertainment equipment; no LCD screen at the back of the seat.  Instead, the movies were streamed to mobile devices through on-board WiFi.

[Image: 20180930_185459.jpg, the in-flight magazine page with the entertainment instructions]

Such a setup has become very common across many airlines.  With everyone carrying mobile devices and with pervasive access to content, including movies, many passengers would prefer to watch their own movies on their own devices. For passengers who prefer to watch airline-provided movies, streaming the movies over WiFi saves the airlines a lot of money by not having the in-flight entertainment equipment. The absence of such devices also means less weight; less weight means less fuel consumed, which in turn saves the airline more money.

However, I was intrigued by the whole setup required on mobile devices in order to access the in-flight entertainment. I took a picture of the page of the in-flight entertainment magazine; and after I touched down in Singapore, I posted the picture on social media, with the title "SilkAir teaches its passengers how not to do IT security."

There are two reasons.

  1. Sideloading

For passengers with mobile devices running the Android operating system, the magazine instructed the passengers to download the app and then install it directly without going through the Google Play Store.

The practice of downloading and installing an application from any source other than the official app store is called sideloading; it is not a recommended practice.

The official Google Play Store, while not perfect, provides some level of protection from malicious apps.  That may not be the case with an alternative app store or with a website or forum hosting an APK file.

By advising passengers to sideload the application, MI is unintentionally training its passengers to push past all of the warnings that Android displays.

SilkAir may argue that they could be 'trusted'.  However, such an argument simply undermines the education given by IT security professionals: "Always download from official stores."

  2. The usage of Flash

The magazine also stated that for laptop users, Flash must be enabled in order to enjoy the in-flight entertainment.

Good luck with that.  The Safari, Chrome and Firefox browsers have disabled access to Flash by default. Users must go through a myriad of settings just to have it enabled, and then only for the current session.

Flash was originally a good platform for delivering multimedia content across multiple platforms.  The browser plug-in was available on many platform combinations (OS, browser).  Web developers needed only to develop the content once, and it was guaranteed to run and work consistently across platforms.

Flash came in an era when browser compatibility was a major issue. Using Flash, web developers could overcome browser compatibility issues with ease.

Now that issue is in the past with the adoption of HTML5; the browser can natively do what Flash could, without any plug-ins.

Flash also started to decline after Apple refused to have the Flash plug-in on iOS, and it went further downhill after strings of vulnerabilities were discovered in Flash, continuing even up to today.  Those issues really pushed browser manufacturers to disable Flash [1], [2], [3]; and indeed Adobe itself will terminate Flash support by 2020.

As modern browsers have disabled Flash by default, passengers need to tweak their settings in order to enable Flash (and watch the video).  It is an inconvenience to passengers; it also shows MI used an old, obsolete, soon-to-be decommissioned platform.

So, what can SilkAir do?

  1. Silk Air should advise passengers to download the application ahead of time, before boarding. Show the instruction on the ticket, or even at the boarding gate.
    When I took Qantas last year to Australia, the website clearly indicated that to enjoy in-flight entertainment on domestic flights, passengers need to install the Qantas app.
  2. Change the technology used to deliver video to HTML5. This will allow any passenger to use their mobile device, connected to the on-board WiFi, to access in-flight entertainment content with a standard browser. It is much simpler and requires no installation whatsoever.
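As an added example of the HTML5 route recommended above (this is not SilkAir's, any airline's, or any vendor's code), the block below is a minimal streaming endpoint: it serves a plain HTML5 `<video>` page, which any current browser plays without a plug-in or app, and answers the HTTP Range requests the `<video>` element sends so that the passenger can seek and buffer. The movie bytes, the `/movies/demo.mp4` path and the port are constructed placeholders.

```python
"""Added example: serving a movie to a browser's HTML5 <video> element.
The browser fetches the file with HTTP Range requests (RFC 7233) so it
can seek; the Range handling below is what such an endpoint must get
right. All paths and sample bytes here are constructed placeholders."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for an MP4 file; a real server would read from disk.
MOVIE_BYTES = bytes(range(256)) * 4  # 1024 bytes
MOVIE_PATH = "/movies/demo.mp4"      # hypothetical URL path

# Page a passenger's browser loads: plain HTML5 video, no Flash, no app.
PLAYER_PAGE = f"""<!doctype html>
<html><body>
<video controls preload="metadata" width="640">
  <source src="{MOVIE_PATH}" type="video/mp4">
  Your browser does not support HTML5 video.
</video>
</body></html>"""

_RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")

def parse_range(header, size):
    """Turn a single-range 'Range: bytes=a-b' header into an inclusive
    (start, end) pair clamped to the file. Returns None for a missing or
    unparseable header (serve the whole file) and raises ValueError for a
    range the file cannot satisfy (reply 416)."""
    if header is None:
        return None
    m = _RANGE_RE.match(header.strip())
    if not m:
        return None
    first, last = m.groups()
    if first == "" and last == "":
        return None
    if first == "":                # suffix range: the last N bytes
        n = int(last)
        if n == 0:
            raise ValueError("empty suffix range")
        start, end = max(size - n, 0), size - 1
    else:
        start = int(first)
        end = size - 1 if last == "" else min(int(last), size - 1)
    if start >= size or start > end:
        raise ValueError("range not satisfiable")
    return start, end

def build_response(header, data):
    """Return (status, headers, body) for a GET of `data` with the given
    Range header, in the shape the <video> element expects."""
    size = len(data)
    common = {"Content-Type": "video/mp4", "Accept-Ranges": "bytes"}
    try:
        rng = parse_range(header, size)
    except ValueError:
        return 416, {**common, "Content-Range": f"bytes */{size}"}, b""
    if rng is None:
        return 200, {**common, "Content-Length": str(size)}, data
    start, end = rng
    body = data[start:end + 1]
    hdrs = {**common,
            "Content-Range": f"bytes {start}-{end}/{size}",
            "Content-Length": str(len(body))}
    return 206, hdrs, body

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/":
            body = PLAYER_PAGE.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        if self.path != MOVIE_PATH:
            self.send_error(404)
            return
        status, hdrs, body = build_response(self.headers.get("Range"), MOVIE_BYTES)
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Binds to localhost only; open http://127.0.0.1:8000/ in a browser.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

The point of the Range logic is that a browser seeking in the movie asks for `bytes=N-` and expects a 206 with a correct `Content-Range`; an endpoint that always replies 200 with the whole file makes seeking and buffering fall apart on a slow cabin network, which is one reason airlines reach for a dedicated app.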


Post script: after checking many sites, I don't think Silk Air is unique. KA and TR provide similar instructions; UA requires the Flash plug-in; VA even requires a more obsolete plug-in: Silverlight. But D8 seems to do it right.

Grain of Rice

I was a bit sceptical upon reading the news on the tiny chip implanted by China, as reported by Bloomberg.

It is rather unbelievable for such a small chip to perform as claimed. Many chips have many pins; surely whoever needs to implant the chip would need a bigger chip or multiple chips to intercept the different signal pins on the motherboard?

Until I came across the article on Light Blue Touchpaper. I learned new concepts such as BMC (Baseboard Management Controller) and SPI (Serial Peripheral Interface), and how the chips use serial, rather than parallel, signalling; which technically means they need only a few wires/pins: data, clock, power and ground. It is also interesting to read that the BMC is an ARM processor running … Linux.  We have an embedded operating system on the motherboard without even the main OS knowing about it.
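To make the "only a few wires" point concrete, here is an added bit-level simulation of one SPI byte exchange (my own illustration, not code from the Light Blue Touchpaper article or the Bloomberg report). Each clock edge moves one bit in each direction over a single data line per direction, so a whole byte crosses over four signal wires plus power and ground. The signal names, the sample byte values and the parallel-bus comparison are constructed for the illustration.

```python
"""Added example: simulate one SPI transfer at the bit level to show why
a serial bus needs only clock, select and one data line per direction.
Sample bytes and the parallel-bus comparison are constructed."""
from dataclasses import dataclass

# SPI mode 0 as simulated here: clock idles low, both sides put the next
# bit on the line while the clock is low and sample on the rising edge,
# most significant bit first. Power and ground are not counted below.
SPI_WIRES = ("SCLK", "MOSI", "MISO", "CS#")

@dataclass
class SpiDevice:
    """One end of the link: a byte to shift out and a register for what
    arrives. Master and slave behave identically at the bit level."""
    tx: int
    rx: int = 0

    def drive(self, bit_index):
        """Put bit `bit_index` (7 = MSB) of tx on the outgoing data line."""
        return (self.tx >> bit_index) & 1

    def sample(self, level):
        """Shift the sampled line level into the receive register."""
        self.rx = ((self.rx << 1) | level) & 0xFF

def spi_transfer(master, slave):
    """Exchange one byte in each direction over MOSI/MISO and return the
    per-edge trace of wire levels (what a logic analyser on the four
    wires would record). Chip select stays asserted (low) throughout."""
    trace = []
    for i in range(7, -1, -1):
        mosi = master.drive(i)      # clock low: both sides drive
        miso = slave.drive(i)
        trace.append({"SCLK": 0, "MOSI": mosi, "MISO": miso, "CS#": 0})
        slave.sample(mosi)          # rising edge: both sides sample
        master.sample(miso)
        trace.append({"SCLK": 1, "MOSI": mosi, "MISO": miso, "CS#": 0})
    return trace

def signal_wires(width_bits, serial=True):
    """Signal wires (excluding power/ground) for moving `width_bits` bits
    per transfer. Serial: the four SPI lines regardless of width.
    Parallel (constructed comparison): one line per bit plus clock and
    select."""
    return len(SPI_WIRES) if serial else width_bits + 2

def demo():
    """Run one exchange and return (master_rx, slave_rx, clock_edges)."""
    master = SpiDevice(tx=0xA5)   # constructed byte from the BMC side
    slave = SpiDevice(tx=0x3C)    # constructed byte from the flash side
    trace = spi_transfer(master, slave)
    return master.rx, slave.rx, len(trace)

if __name__ == "__main__":
    m_rx, s_rx, edges = demo()
    print(f"slave got 0x{s_rx:02X}, master got 0x{m_rx:02X} "
          f"in {edges} clock edges over {len(SPI_WIRES)} signal wires")
    print("an 8-bit parallel bus would need", signal_wires(8, serial=False))
```

The trace returned by `spi_transfer` is also the defender's view of the problem: everything a BMC says to its SPI flash is visible on those same four lines, which is why the article's observation that so little has to be wired up is the part worth taking seriously.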

So, it is technically possible for the tiny chip to modify the signals from the BMC.  But the question is what's next.  It needs to be able to initiate a network call to the Internet, and with my limited knowledge this may or may not be possible.

Unless this chip works 'together' with another 'implant chip' embedded in the Ethernet port.

To me, the latter makes more sense and is probably more doable. Intel had provided the 'proof' in 2017, even allowing users to remotely log in to the server with embedded KVM software.

With all of these chips, it is possible to have a network connection without even the operating system knowing about it.  People may argue the firewall should block such traffic, but there are two main issues with the firewall.  With cloud and hyper-converged solutions, the firewalls are now 'virtual': software running on the server itself.  Even if a physical firewall is present, the physical firewall itself may be compromised with implanted chips.  Both have the same result: the firewall would not detect and block that extra traffic.

It is a difficult issue to solve.  The supply chain is tightly integrated; it is difficult to change the manufacturer.  There is no guarantee the US does not do the same.  As someone said, it is a matter of choice: which intelligence agency you prefer to have your data, the US intelligence agencies or the Chinese intelligence agencies 🙂

Cold Call

In my work, it is 'routine' for me to receive cold calls from some companies.  The callers either try to promote their companies or services, do a survey or want to send a 'free' white paper. Companies can easily find out my DID number because my number (as are those of all my colleagues in the company) is published on the Internet.

Such calls are really annoying.  Firstly, unlike junk SMS or junk emails/mail, you cannot simply ignore incoming calls.  Even though the calls are from numbers you don't know, you don't know what the call is about until you pick up and listen to what the caller says. It can be disruptive, especially when you are in the middle of work that requires concentration.

I always ask the caller to email me the information and then end the call.  I don't mind giving them my email address; I can simply read those materials anytime or quickly delete them if I don't find them useful. If I find the materials or services relevant to me, I would call or email the company for more information.

However, most callers did not want to stop at the email address.  They continued asking questions regarding the IT in my company.  The main issue with such calls is that I have no way to verify the caller.  I am acutely aware of social engineering. The caller may claim to be from one company, but what he wants is to gain insight into my IT infrastructure; such insight may be useful for them to penetrate the IT system.

It does not help that I noticed the number of such calls surged after I changed portfolio from Application to Infrastructure.  Every day, without fail, I received at least one such cold call.

I prefer to be safe than sorry. I usually ask the caller to drop me an email with the questions.  If they insist on continuing with questions over the phone, I simply hang up.

But sometimes the callers can be quite daring.  One day I received a call claiming that my CIO (Chief Information Officer) had had a meeting with his company and my CIO had asked him to call me.  What puzzled me was that the company has been a long-time vendor of ours and my CIO and I had just met with their management a week earlier.  He asked some questions regarding our infrastructure and became impatient when I declined to give any information.  He even threatened that he would let my CIO know that I was not cooperative.

A few minutes later my colleague across the table received a call, and from his replies I could deduce he had received a similar call; I quickly passed him a note that the call should be terminated. Everybody in the division was alerted, and true enough almost everyone received such a call.

It did not stop there; one month later I received a similar call, this time claiming that my Assistant Managing Director (AMD) was the one who had asked him to call me.  Same pattern, same alert ringing across the division.  I joked that at that rate the caller would soon claim that my MD, and later the chairman, had asked him to call us.  It did not happen, though.