Category Archives: Security

FAA Bans Lavatory Oxygen Generators

The Federal Aviation Administration has posted a request for comments related to oxygen generators in lavatories.

This document publishes in the Federal Register an amendment adopting airworthiness directive (AD) 2011-04-09 that was sent previously by individual notices to the known U.S. owners and operators of affected airplanes identified above. This AD requires modifying the chemical oxygen generators in the lavatory. This AD was prompted by reports that the current design of these oxygen generators presents a hazard that could jeopardize flight safety. We are issuing this AD to eliminate this hazard.

[…]

We must receive comments on this AD by April 22, 2011.

It looks like they are removing them to reduce the risk of someone converting the oxygen into an explosive. I noticed this AD while researching the portable electronic device controversy. Strangely, I have not yet found any humorous comments about explosive lavatories or a need for oxygen generation while in the lavatory.

Do Portable Electronics Cause Airplane Interference?

I had to dig around to find the source of the latest news that tries to answer this question. Many sites are echoing that some study somewhere has evidence but none of them provide a cite. Yes, I just used site and cite in the same sentence. Grammar alert. Carefully read this sentence in an article on The Huffington Post by Christine Negroni:

The IATA report is not public, someone slipped it to me after my Times story ran to much controversy in January.

Ouch. My reading instruments just threw an error message and blew up. She must have meant too much controversy, instead of “to”. Good thing a grammar error does not really crash our brains — we may now continue reading her article.

Her point is that she has some super secret hidden file that proves to her that we all should be turning off personal electronic devices because they might interfere with aircraft safety.

I have in my possession a new confidential report from the International Air Transport Association’s safety data sharing program (STEADS) that shows over the past seven years, airlines around the world reported seventy five events in which portable electronic devices (let’s just call them PEDs, okay?) are suspected of interfering with flight deck equipment. While phones were the source of interference in 40% of the reports, iPods, other MP3 players, laptops and portable games were also implicated.

Might as well throw pacemakers on that list. That is probably why it is confidential. They do not want to upset the pacemaker lobby. Or maybe the distraction from the portable electronics is related to pilots watching movies instead of the instruments?

All joking aside, however, this is not a good reason to tell people to turn off their portable electronics. Why? Because even if you tell everyone to turn off their device they will forget or fall asleep or not understand what to do. The devices also will malfunction. That is why placing bets for a safe flight on the passengers correctly following directions is foolish. Likewise, placing bets for a safe flight on the correct functioning of passenger-owned electronics is foolish. Neither is reliable enough, at present, to ensure safety of a flight — they are far from compliant.

That is why resilience is meant to have been built into aircraft, which she admits.

The use of PEDs on board will not – I repeat – will not cause a plane to go tumbling through the sky like something in a made-for-TV-disaster movie.

Fine, nothing causing worry. And then she turns around and subtly contradicts herself.

What PEDs can and in fact have already done, is create a distraction for the flight crew. When that distraction comes at the wrong time it can lead to pants-wetting episodes and maybe even disaster. And that is why boys and girls, devices are supposed to be turned off as in OFF, below 10 thousand feet. The concept is that with sufficient altitude below us there is time to address any pesky error messages that might wind up being transmitted to the cockpit. Only now we know that those messages are pretty darn common

Fear. Panic. I thought nothing causing worry?

It seems now to say: Above 10,000 feet there is time to recover but below 10,000 feet, well, a plane may tumble into the ground like something in a made-for-PED-disaster-movie.

At the end of the story comes the real kicker. Negroni is digging for reasons to regulate the behavior of her fellow passengers.

Regulators, schmegulators, they could take forever to act. In the meantime, is it unreasonable for a woman who spends a heck of a lot of time in airplanes to ask her fellow travelers, please, Please, PLEASE, cool it with the electronics below ten-thousand feet?

Perhaps the airlines should deputize her and others officially so when they stick a nose into your seat you can laugh at the shiny star that says “PED Police” as you reply “of course I want this plane to crash”. Maybe a deputy program could actually help convince a passenger or two to take the time and trouble to guarantee their device is disabled (“the Captain says you may now put your batteries back in”), but it really does not address the core problem. Regulators would be wise to put pressure to fix a system affected by interference rather than hope passengers will suddenly and reliably (heroically?) overcome the shortcomings of their own inexpensive portable electronics.

So what would you think if you were the B777 pilot whose radio communication with air traffic control was interrupted by a passenger’s cell phone call?

I would think it’s time to get Boeing on the horn and rip them a new exhaust hole and/or invest in an Airbus.

Funny that she mentions a B777. I have seen speculation that a B777-236 ER, G-YMMM crashed in 2008 because of cell phone interference. The actual Air Accidents Investigation report, which is not confidential, points only to a problem in the fuel system.

Restrictions in the fuel system between the aircraft fuel tanks and each of the engine HP pumps, resulting in reduced fuel flows, is suspected.

I searched all the other AAIB reports and found no mention of portable electronics as a cause of interference. Hopefully the IATA report will be released or at least discussed more transparently. While we can assume some older fleets with lack of maintenance in deprecated electronics could have interference issues, the solution is a rapid patch/upgrade to those systems.

Regulate the lack of resilience to interference to force airline behavior changes and don’t expect passengers to be perfect, especially if fear is based on secret memos seen by airlines that can’t be discussed in public.

Google Person Finder Easily Abused

Apparently Google wanted to help earthquake victims but gave them a tool that lacked even the most basic protection against abuse. It quickly attracted mischievous and hurtful anonymous comments. It then came under harsh criticism. Japan Probe, for example, issued this warning:

If you are using Google’s Person Finder App to search for information about people who were in Japan during the 2011 Tohoku Earthquake, please be warned: the site has fallen victim to dozens of trolls. Legitimate inquiries by family members are being met with untruthful death notice responses from mean-spirited jerks.

The comments are too awful to repeat here — racist and graphic — but can be found on the Japan Probe site.

I am not surprised that some people in the world are cruel and will try to attack or take advantage of those who are most vulnerable. That is a sad reality.

I am surprised, however, that Google developers would post an application for victims that exposes them and makes them targets of obvious/known threats and abuse. It did not filter on harmful language and it did not require any confirmation. Did Google allow a product to launch without even the most basic security review?

Google provides a disclaimer on the data entry page:

PLEASE NOTE: All data entered will be available to the public and viewable and usable by anyone. Google does not review or verify the accuracy of this data.

Obviously, however, they have responded after criticism. Japan Probe has posted an update: the fake death reports and fraud messages (asking for contact and personal information) they reported have been removed.

Note the URL, designed for easy abuse automation:

http://japan.person-finder.appspot.com/create?add_note=&age=&author_email=&author_name=&author_phone=&clone=&confirm=&content_id=&date_of_birth=&description=&dupe_notes=&email_of_found_person=&error=&first_name=&flush_cache=&found=&home_city=&home_country=&home_neighborhood=&home_postal_code=&home_state=&home_street=&id=&id1=&id2=&id3=&key=&lang=&last_known_location=&last_name=&max_results=&omit_notes=&operation=&person_record_id=&phone_of_found_person=&photo=&photo_url=&query=&role=provide&sex=&signature=&skip=&small=&source_date=&source_name=&source_url=&status=&style=&subdomain_new=&target=&text=&utcnow=&version=

Blogger Admin Privilege Exploit

An interesting Blogger exploit has just been highlighted by Nir Goldshlager, in his first blog post on his new blog. It already has been fixed.

Along with gushing compliments for Google’s security team is an example of HTTP Parameter Pollution (HPP), a growing class of web application problems. HPP occurs when an attacker injects a parameter with a value into an application-generated URL. The impact of the pollution depends on the application, so the best-known way to test for and find HPP is to fuzz links and forms for possible injections.

Nir’s example shows, in three phases, how an Author can be added to any Blogger site and then elevated to Administrator privilege:

  1. The attacker uses the invite author option in Blogger (add authors):
  2. Vulnerability location:

    POST /add-authors.do HTTP/1.1

    Request:

    security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite

    As you can see, I added two blogid values in my POST request (blogID=attackerblogidvalue&blogID=victimblogidvalue)

    The server checks the first blogid value and executes the second blogid value of the attacker

  3. After that, the attacker receives a mail to confirm him as an author (author invitation link). After that, the attacker will be added as an author on the victim account.
  4. At this step it becomes possible to modify the attacker's permission from an author to an administrator.
  5. Vulnerability Location:

    POST /team-member-modify.do HTTP/1.1

    Request:

    security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges

    As you can see, there is another field in this request called memberID. Any user in Blogger has a memberID value, so the attacker also needs to provide his memberID value in this POST request. In the Blogger service, any Administrator or Author has a memberID value. So, to make a successful attack (become administrator), an attacker must first add himself as an author on the victim account, in order to perform the next step that will add himself as an administrator on the victim account.
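
An added example, not code from Nir's post or from Blogger: a minimal Python model of the first-value/second-value mismatch described above, next to a handler that closes it by parsing the body once, rejecting repeated identity-bearing parameters, and using the same value for the permission check and the action. The function names, `owned_blogs`, and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Parameters that identify the caller or the object acted on.
# Names are taken from the requests quoted above.
SINGLE_VALUED = {"security_token", "blogID", "memberID", "isAdmin"}

class PollutedRequest(ValueError):
    """Raised when a single-valued parameter appears more than once."""

def first_wins(body):
    """Model of a component that reads the first occurrence of each key."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        out.setdefault(key, value)
    return out

def last_wins(body):
    """Model of a component that reads the last occurrence of each key."""
    return dict(parse_qsl(body, keep_blank_values=True))

def parse_strict(body):
    """Parse once and refuse duplicates of security-relevant parameters."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in params and key in SINGLE_VALUED:
            raise PollutedRequest(f"duplicate parameter: {key}")
        params[key] = value  # other repeated keys: last value is kept
    return params

def grant_admin(body, owned_blogs):
    """Hypothetical handler: the check and the action share one parsed value."""
    params = parse_strict(body)
    blog_id = params["blogID"]
    if blog_id not in owned_blogs:
        raise PermissionError(f"caller does not administer {blog_id}")
    return ("grant_admin", blog_id, params["memberID"])

# Constructed sample bodies shaped like the second request quoted above.
POLLUTED = ("security_token=t&blogID=blogA&blogID=blogB"
            "&memberID=m1&isAdmin=true&ok=Grant+admin+privileges")
CLEAN = ("security_token=t&blogID=blogA"
         "&memberID=m1&isAdmin=true&ok=Grant+admin+privileges")
```

The two reader models disagree on `POLLUTED` (`blogA` versus `blogB`), which is the gap between the checked value and the executed value; `grant_admin` refuses that body outright instead of choosing one.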
