 Ladies and gentlemen, in the aviation village talk, who's here to learn about a lovely, smart, wonderful person who learned to fly a plane and then learned about scary shit while learning to fly a plane? Alright, this is Tara. She is becoming a pilot. She puts up with my shit every day because she's my wife, and she's incredibly awesome. And she's going to tell you that the scariest part of being a pilot is not the fact that gravity is gravity and your plane goes down, but actually what happens with your data when it is in the other kind of cloud. Tara. There we go. Do you know, and can everybody hear me in the back? I'm going to eat this microphone. I know how frustrating it is to not be able to hear people at the front of the room, right? Everybody good? You can hear me everywhere? Okay. Hey, folks who are way back there. You know, there are seats that are available up here and folk were crowding out of there. Come on up and have a seat. All good. If you sit next to me, I'll give you stickers. There are stickers. He's very enthusiastic and a wonderful and supportive spouse. Okay. So, getting prepped for this, please note that, you know, every bit of AV is a little bit different, just like every AVation. So I'll be doing my notes off this thing and we'll figure it out as we go. Alright. Thank you so much to the organizers of Aviation Village for putting this on. This was a wonderful idea. I wasn't sure what happened when I first decided that I thought flying was so cool. I do distinctly remember Supergirl Underoos at about the age of four and a broken ankle. So any of you who ever really wanted to be in the sky, I totally get it. It's a lovely and wonderful experience. So how did I get there and who the heck am I? My name is Tara. Hello. I do stuff in corporate information security. I do stuff. Oh, hello. There's a seat. I spend my time breaking things, figuring things out, occasionally saying things that give my certified flight instructor heartburn. 
And yeah, I like the stuff that I do and I post projects on my GitHub and I'm always open to comments there. I want to note throughout the course of this talk that if you want to ask a question, please raise a hand. I would love to answer questions as I'm talking, if only because I know they want to move folk out of this room to do other stuff later on today. You can always, always find me on Twitter at Tara, which is where I will talk to you if you're a cool person and nice to me. And if I don't know you at all, but you know, don't be mean on the Internet.

Why do I fly? This is Phryne Fisher. How many people in the room know who Phryne Fisher is? One, two, several of the awesome dudes in the back, right? Phryne Fisher is a 1920s flapper aviatrix detective who solves crimes in Melbourne, Australia in the 1920s. She is kind of a personal hero of mine. And once I made a list about what I wanted to do before I completely kicked the bucket. It is a bucket list like many of you have. And I started writing things down and I remember going to the first convention. I went to the fan convention for Miss Fisher Con in San Jose last year and talked about stuff there. People were enthusiastic about talking about costumes and historical aspects of the situation and fun stuff. For those of you that know Jon Callas, he spoke about cryptography in love letters at the time. For those of you that know my husband Deviant, he was a picklock and master screwsman and did a talk about classic lock picking. And I realized when I got out of that one that I talked about the history and the fun and the clothes, but one of the most inspirational elements of this character and the woman who created her, Kerry Greenwood, is that she flies a De Havilland 60 Tiger Moth. That's one of the very first planes that's ever existed. De Havilland was an airplane engine manufacturer in the 1910s, 1920s and 1930s. But she's actually based on a couple of real life heroes. Are you going to do a thing?
Okay, fine. Doing that one live too. Flying isn't as hard as you think it is and I'm going to give you a quick spiel on why you should do this before we talk about why you should be terrified to do this. And it's not gravity, just as we all know. A lot of flight schools out there will have an equivalent of a free discovery flight. Well, they'll take you up probably in a Cessna 172. It's a small single prop airplane that lets you figure out if you're good to fly or not, if you feel comfortable. This time I was up at my home field of Renton. A couple of discovery flights went out with some people figuring out if they could handle their stomach. One plane had to turn around in the pattern and come back and apparently that discovery flight didn't go so well. There are air sick bags in Cessnas as well too, just so you know. You can rent. You can do part-time flight school. You don't have to buy a plane. It's not that expensive. And by not that expensive I mean let's all understand there's some privilege involved in this. But it's not hundreds of thousands of dollars like you might have thought.

So my heroines, Olive Ann Beech, Amelia Earhart, Amy Johnson that the Phryne Fisher character was based on, who flew the first plane from England to Australia in 1928 in a De Havilland 60 Gipsy Moth. Beech as in Beechcraft Airlines. She was one of the founders and one of the first heroines of modern aviation. Andrea Lewis is a current hero of mine. She's both a Delta commercial flight attendant and she's a pilot in the National Guard. Things you can do with a student pilot cert include walking up to the door at the end of any flight and saying, I would love to watch your post flight. I'm a student pilot. They will scream. They'll love you. They'll let you into the front. And I super have so many selfies of me in inappropriate places in 737s. You can do this. There's more information out there and I'm going to let you look up this on your own.
I just want to encourage you to give it a try if nobody has encouraged you to give it a try before. A couple of caveats. You can't be deaf. You can't be blind. But almost anything else you can figure out. An Airman third class certificate is not that hard to get. I remember the FAA medical examiner in Seattle, Washington said, well, and now we need to do a urine test. And I believe I looked at him like, for what? And he said, blood sugar. And I went, okay, cool. It's legal. All right.

What did shock the ever loving hell out of me when I first started to fly planes? I'm going to pull up my notes here and make sure that I've got them all because I can't see them on my machine here. The very first thing that is a little scary, plain scary, you might say, is that your personal data is going to be released in public in a way that's going to shock you. And by the end of this talk, hopefully will cause you to lobby to have some of this changed. Your personal data is available to just about anybody. And there's one good piece of this, which is that you can find information about people flying, flying planes, and track them for one specific reason you might have in this room. Has anyone ever been on a plane before with an incredibly intoxicated passenger or been on a plane before with a really intoxicated passenger? You can, as a passenger on a plane, request that the pilot come back and personally examine the situation themselves because it is very illegal to fly with an intoxicated passenger who cannot express their own needs and wishes. This is the regulation you're looking for if you've got somebody that no one is handling in the middle of the plane before you take off. It's 91.17, right? A pilot can throw anybody off the plane and they should. So, you know, don't get drunk, but this is your cheat code on that one. I am allowed to make puns that are just plain bad, but people that are drunk and belligerent aren't and you can boot them off of planes for it.
Not just the bad jokes. When I started doing this talk, what I realized as I started clicking through insecure links and posting my personal information online and seeing the databases that were available is that actually this is a talk a lot more about privacy than about security. This is about understanding who has your data, where it is and what you can do with other people's data that is publicly available by compliance code on the internet. So, pilots don't get privacy and I'm going to demonstrate some of that over the course of the next couple of minutes in a way that I'm going to ask you to follow along with on the internet.

We'll start with pilots don't get privacy. Do you see the URL right up there at the top? Feel free to visit it on your computers, on your laptops, on your phones right now and search for Tara Wheeler. I'm out there. Now, am I a sharp person who opted out of releasing my public address? Yes. This is a Delta pilot and that's his home address and his home information. And of course I have blocked it out here, but if you Google search for the name of any commercial pilot and search them on that database, you will come up with their home phone number, their home address. Anything you want to know about that person and we all know in this room, that's halfway to identity theft, right? That I find to be incredibly dangerous. I think we all know what this information can be used for. So when I searched Delta pilot and he came up in the top results, I blinded out, but this is medical information. It's anything that you might need and what's more, this registry for the FAA is a database full of commercial airline pilots. These are wealthy world travelers who are being trusted with the safety of hundreds of other wealthy human beings at a time and their personal information is available to anybody who wants it and anyone who grabs the name. You can search yourself and find it. Somebody who knew this, a bit more savvy.
How many of you know who AeroSavvy is on Twitter? Have you ever heard of AeroSavvy before? His name is Ken Hoke and he does great tweets about what it's like to be a commercial airline pilot. He did the same thing here. He opted out of releasing his address, but this information is available on one of the top people who tweets about aviation in the world, right? So he's savvy enough, I'm going to need you to become savvy enough as well, but be aware that this information is pretty devastating. We're concerned about aviation security and I don't know about you, but I'm less worried about three ounces of lotion than I am about the fact that my pilot's home information and medical information is available to anybody that wants to look for it.

So what about the plane? What about the plane itself? I happen to know that Exploding Lemur is going to talk, I think on Sunday, about specifically avionics and wireless signals that can be reached, breached, hacked. None of them are encrypted. So what I'm going to talk about specifically is pilot aid software instead. The kind of thing that you use to fly a plane that is available for download on your iPad or iPhone. It's not the same thing as what you'd use for avionics. For instance, a Garmin G1000 avionics system. Those I know we're talking about over the course of Aviation Village as well. So the FAA and the Airmen's Registry and Certification are compliant, but they're not secure when it comes to taking your data and storing it on the internet. I remember when I first had to register for IACRA, and this right here is the first thing that I saw when I opened up my laptop. A whole lot of red text telling me that I needed to downgrade my security, so I got a JavaScript permit, pop-ups. And that was right, of course, after I had downloaded my Jeppesen pilot training, which required that I use Flash everywhere.
So these are sites that have compliance from years ago and for years at a time, but do not patch and do not update in a way that we would ever remotely consider safe. All right. The same thing happens in the FAA that happens in the medical industry. Each time you do an upgrade to the kind of software that is used for pilots to help fly planes, it must be both compliant and certified by the FAA. It is very difficult to do that in a timely fashion. And as a result, you might have this happen. You'll get wireless over-the-air upgrades to the kind of software that pilots are using to fly their plane. This is a screenshot I asked my certified flight instructor to take when she got it as we were in the middle of a flight. So you can update and upgrade. I'm sorry about the popping, I hope this, I'm trying to eat it so folk can hear me. Okay. You can get updates like this while flying the plane. And for those of us that have ever rolled to production on a Friday before, that's a little nerve-wracking. So I asked her to take that screenshot and demonstrate that we have these ongoing problems about the servicing of the kind of software that we are using for people to fly planes.

Here's the one that I think is probably the biggest. I'm not dropping information here. Anybody doesn't know or that isn't publicly available. But this is the one that my offensive security brain freaks out about a little bit. Your FAA license can get doxxed. hotline.faa.gov, if you want to hit there, take a look at that site. You can see the kind of information that can be added here to an FAA report of an incident. Why does this matter? If you know the name of a pilot or you know the tail number of a plane or you can match those two things together to a flight plan, easily available with flight tracking apps like FlightAware, you can file false reports against someone's FAA license.
Now the problem is that, as we all know, triggering automatic investigations is a great thing when you want to check up. But I don't know that the FAA has ever dealt with a case of a doxxed FAA license with multiple false reports against it because that would trigger dozens of investigations. That scares the crap out of me. As you'll see here, this is me flying with my flight instructor. She's awesome. No, I won't tell you her name. But if you ever want, like, a recommendation and you live in Seattle, I'm more than happy to pass you on. I don't give her information. I don't give my flight school. I don't give the tail numbers of my planes. And the most I really ever say is that I fly Cessnas at this point. Where is the tail number on the inside of a cockpit probably going to be? Right. I'm seeing you pointed it right now. I wish I could kind of point here, but where you see the little white tab on the side over here, the avionics switch, right? Right above that is going to be a small placard with the tail number on the inside of the cockpit. I like my social media, but that information is sufficient to find me and file multiple reports of complaints of low-flying aircraft, unsafe flight, anything someone might want to do. And that makes me a little bit nervous.

I don't think that there is any infrastructure right now for the FAA to handle what I know, I and certainly many other people and women on the internet have faced before, which is multiple claims of problems. I've had my Twitter account blocked before because people reported on multiple occasions that I had violated the terms of service, right? For those of you who have been here, you've seen or dealt with this problem before, it's pretty trivial what you need to do is file a ticket and they go, oh, oops, and turn it back on again. I don't think the FAA has a ticketing system like that, and I don't think that they would understand the nature of doxxing an FAA license. So be aware that this is a vector of attack.
You can see the obscuration of the tail number there, but here's the deal. You can pseudonymously report someone via a tail number to the FAA and trigger that automatic investigation. What I don't know is how they handle it because they are opaque. At the same time, I am here to tell you that the NTSB, part of the incident response arm of the FAA, does things way better than we do in information security in terms of post mortems, in terms of understanding issues, in terms of providing reports and after action understanding, as well as as much blame-free investigation as possible. So for all that this one is a scary one, that's actually an organization that has figured out really well how to handle the unexpected. I don't know of any pilot that has been DDoS'd yet. I can only imagine that there must have been multiple false reports filed against pilots in the past as a result of relationship problems, issues, but what we all do know is that the advent of the internet makes it possible to spread someone's information in a dramatic way. This is a thing I think is going to happen one day and I'm not sure how to prevent it other than to give you some tips and tricks about what you can do to protect yourself.

I was just going to ask you a question, ask me. I'm going to repeat the question for the folks in the room. The question was we have this NTSB which will do investigations of issues with national traffic, correct, and investigations of incidents, problems, crashes. Why is that so different than driving a car? We have those investigations on the ground. Why is the NTSB so much better? What is the unique thing that makes pilots more vulnerable than drivers to this kind of attack? Does that make sense? Did I repeat it well? I'm going to answer that question because I find it to be a really, really interesting one. I'm going to show you how you can do it and why it doesn't matter as much for drivers. Okay. I'm going to show you something fun here.
This is a flight plan, or more accurately it is a flight path that I recorded on my ForeFlight software here, my avionics software. For those of you in the room who have never touched an avionics suite before, I am more than happy to show you what ForeFlight looks like. This is my glass panel for avionics, okay? It's why I got to get a new iPad and it's always a good excuse to get a new iPad. Here is a flight path that if you were watching online and you knew my tail number or you didn't know anything else other than the fact that I was in the air and there were probably 20 other planes around, one of the reasons I don't share on social media. Here is one of my flight paths. All right. This is what this looked like. I left from Renton. You can see me flying to the northeast practice area after I circled out of the Bravo, out of Renton's Delta and then I avoided the Bravo, the Bravo shelves for SeaTac, right? You see the diamond-based shape right there? That's SeaTac and I'm next to it so I have to fly around it a little bit and then up and over the bridge and out into the northeast practice area. That's why I got to do things like full 180 turns and rotations. You can see me doing things like rotating around an axis and doing some ground maneuvers as I'm practicing there, right? And then I came back and it looks to me an awful lot like the east channel approach to Renton Tower.

Here's a question for you. What am I practicing right here? It's a good guess. It's a super, super good guess. I'm right back here at Renton again and you can see me looping around and around and around and around again, right? Those are touch-and-goes right there, right? You can see my airspeed dropping, my altitude dropping. I'm coming right back up to 1,000 feet, up to 1,000 feet and down again. I'm back and forth in the pattern and that's like nine more landings in my logbook, right?
This information right here, if someone has it, means that they could match it to my tail number and file a credible report of me conducting myself poorly in a plane. Perhaps that I dropped a beer can out of it, right? You could do that. I could do that. I have offensive security brain. I'm thinking about all the ways somebody can screw with me with this thing. And I'm pretty scared that there doesn't seem to be any pattern to report abuse of the FAA hotline system right now. Let me make sure that I've got this. Apologies. I don't have notes on this thing, so I'm just kind of going back and forth. Oh, and Face ID can tell it's me even with a microphone in my face. Imagine that. All right.

Given these three points, why am I talking about this right now? The systems of systems that we all exist in are inherently related. Who remembers Sneakers in that moment where they first got the black box and started figuring out how they could listen to air traffic control? And I think it was Mother said, anybody want to crash a passenger jet? It's all the same system, and we're using all of the same data. Just because we're calling it different bandwidths doesn't mean we're not exchanging data through the air. Wireless isn't magic, and this is all happening over multiple bandwidths, but accessible and hackable as I think the esteemed founders of Aviation Village would agree, as well as those of us who've been listening to these talks. The Internet is not different than aviation, and I believe aviation is about to start understanding some of the problems of the Internet as well as some of the conveniences of the Internet.

So, understand that these attacks are a vector against you. Some of the ways you can protect yourself are. You can be cautious about how you reveal your home and attempt to shield that. Just because I show that I have opted out of displaying my address publicly doesn't mean that it's not in the FAA database.
That is insecure with an outdated and or expired security certificate on a system where you've got to use Flash and Internet Explorer 11 to access information. You'll see that I'm incredibly cautious about sharing my tail numbers in public fora or on social media. Obfuscate your data, tell people you flew when you didn't, don't let them begin to build a pattern, and don't let people associate your name, as is very easy, I think, for most of us in this room, with your flight plans. Spread the word about the ease of this vector to your flight schools and your CFI and your FAA check-ride instructor. You'll go through check-rides. Getting a pilot's license is a lot like getting a driver's license, frankly. You'll have to learn how to do it. And then somebody who isn't your mom teaching you to do donuts in the parking lot is going to find out whether or not you can parallel park. Same thing will happen here. Tell your check-ride instructor and make them aware of it. The more people that know about this who opt to remove their information from that database or to obfuscate it, the more safe those people will be.

The last thing you can do is lobby to have the FAA database behind a reasonable, I mean, let's not ask for miracles here, people, but a reasonable username and password for people who have some business getting this information in aviation or anybody who's requested a user account in some fashion or another. Add a barrier. We all know that adding a barrier makes it more expensive for people to attack. Just make it more expensive. Cheaply. So none of this is foolproof, but requiring that people hide the information that is half of what it would take to steal their identity is a good first step. All right. I'm going to take questions after this if anybody wants it, but yeah, thank you so much for this. It's been a while since I've done this and been nervous in front of a crowd, but this is a whole new thing for me to talk about and I'm excited about it.
Come hang out with me. I post pictures and goofy stuff about me flying on Instagram. Talk to me on Twitter anytime you want to. I am super, super enthusiastic to be here. And if anybody's in Seattle, I will totally take you on a ride. It's so cool up there. Thanks so much.