Scheduled to begin on Jun. 5, the exhaustive maintenance program will see a majority of MetroAir’s fleet flying through one of two maintenance bases at Kansas City International Airport in Kansas City, MO, or the Southern California Logistics Airport in Victorville, CA.

“This comprehensive plan will see all of our aircraft, excluding the Boeing 777s, Airbus A330s and the new Boeing 757s, undergo heavy maintenance, otherwise known as a C-Check.” stated Zak Winnick, MetroAir’s Fleet Director. “It’s a very vigorous program that has been months in the making. Let’s just say, I’m happy to finally get it rolled out!”

A C-Check is performed approximately every 15-21 months or at a certain set of actual flight hours. This maintenance check is more extensive than both an A and B Check. On average, a C-Check requires about 6,000 man hours to complete and sees every centimeter of an aircraft being inspected. The average amount of time an aircraft is in a C-Check can vary from 1-2 weeks.

The beginning phase of the maintenance program will see the rest of the Bombardier CRJ-700 fleet complete their maintenance and will introduce the Bombardier Dash-8-Q200 and Dash-8-Q400s. From there the plan is to build up from smallest to largest aircraft, ending with the Airbus A321. At one point in the program, both maintenance bases will see a combined 10-12 aircraft a week.

The maintenance program is currently scheduled to be completed by the end of January 2014. It will see 220, or 85%, of MetroAir’s fleet in for maintenance by the end of the program.

We all hear how important security is and deep down we know what we should be doing, but do we? You may think  why do I need a complicated password for my forum account. What can a hacker really do by logging into the forum. Well unfortunately for us, we saw what happened. As an Administrator on the forums, great power comes with great responsibility (and great unfettered access to the guts of the system). So you’re a pilot. You can’t change the themes on the forums or mess around with access for others, so maybe you are wondering why password security on VA website matters to you. I guess the answer to that question depends on how much you ? MetroAir. If a hacker gains unauthorized access to your forums and begins to post using your account content that is objectionable and in violation of the rules, it’s very possible that you will be terminated and banned from the airline. While we often will allow rehires for simply being terminated due to inactivity (even tho we may ask you to prove your commitment), terminations due to behavior or failure to abide by some of our most core policies will keep you out and may take a long time before being allowed back. Can we prove that it wasn’t you? Maybe. It depends on how good the hacker was. Ultimately though, you are responsible for your accounts. It’s your job to safeguard those authentication details and make sure they aren’t shared with anyone else. Or to say it in much more direct terms, it’s your butt that is in the hotseat.

Despite how much we all care about this VA, there are much more secre details about your personal identity flying across the internet these days from financial information to medical details. If you don’t want your neighbor to know how much $ you make and why you got that suspicious blood test at the doctor’s office last week, you should probably care just as much to make sure some unscrupulous individual trolling the internet doesn’t get that information either.

Are you motivated yet to start improving your security practices? You SHOULD be!

Antivirus

First, make sure you are running an antivirus program. Viruses and trojans are hidden much more cleverly now. With websites becoming much more media intensive and running other applications like java in the background, simply visiting a website with plugins enabled can infect your machine. Trust the websites you visit but more importantly, make sure you’ve got some protection. It may not just be a website that can infect you; downloads, transferring files from a USB drive (which I have recently heard at a tech conference being equivalated to sharing needles) and via e-mail.

Second, use unique passwords for different websites. Don’t use the same password of “IROCK” on every website you visit. If someone is able to figure that you’re not rocking out so much when you create passwords, suddenly your identity has been stolen and someone has access to your finances, your most personal data, and all of the pictures you ever uploaded to Facebook. And let’s be honest, if you don’t want your mother seeing that picture of you when you were so drunk you fell to the street and probably should have used the restroom before leaving the bar, you probably don’t need the world seeing those photos either.

Unique passwords that have no significance can be hard to keep track of. Unique passwords on post-it notes all over your monitor isn’t very secure either. There are a number of password managers out there now that can help you create a password and associate it with a certain username and website. I won’t get into an argument over which the best one is. I use two, one for personal usage and one that is shared with colleagues for business: LastPass and Keypass. There are a few more out there and they are a simple google search away. If you’re worried that it will complicate things for you, put that fear away. I think it actually makes things easier with features like autofill and autologin; You won’t even need to think about authentication to a website again.

The last thing to touch upon in this post is two-factor authentication. A lot of websites are starting to introduce two-factor authentication. The simplist way of explaining it is it combines something you know with something you have to protect your accounts. Something you know is your password. Something you have is your phone (or something else on your person like a code generator or paper with pre-generated codes). If you use GMail, go into your settings and enable it. Hint Hint to MetroAir staff Recently Apple introduce two-factor authentication for iTunes accounts. Even the MetroAir blog now has an option for two-factor authentication. It’s certainly something you should be investigating if given the option.

In closing, we hope that the attacks on our beloved VA in the middle of April have really brought security to the forefront for all of you and have you questioning your security a little more and paying attention to your online transactions just a little more. Don’t get too lax because we know that you really do rock!

Following the success of least summer’s venture with Island Air of Hawaii, MetroAir announced the return of this partnership for the Summer 2013 season.  Two of our Q400 aircraft have been specially outfitted for the trip to the islands of Hawaii and will be ready for service as of May 1st.  These aircraft will serve many cities in the Hawaiian islands from bases in Honolulu and Maui, like Kona, Lanai, Lihue, and many others (shown on the route map above).  Island Air CEO, Leslie Kaneshiro issued a statement earlier that “Island Air is delighted to once again partner with MetroAir to help us offer our customers new route options in the spacious, comfortable, and quiet Dash 8-Q400 aircraft.”

Also, following the return of two A320 aircraft from Viva Columbia, who had leased them for the winter, the airline announced it would be using these aircraft on a route network connecting various cities in Alaska and the Pacific Northwest with Juneau and Fairbanks.  The Chief Operating Officer, William Hogarth earlier stated that “the new Alaskan network would offer new connection opportunities out of Seattle and especially out of our new Pacific focus city in Portland.”

MetroAir also announced a new venture today by offering service to Australia. The Service will operate on A330 aircraft currently being used on seasonal service to Europe.  These aircraft will be ferried from Baltimore to MetroAir’s hub in Ontario and will operate to Sydney and Melbourne via Auckland, NZ, as well as direct to Brisbane.  These destinations offer direct access to some of Australia and New Zealand’s largest cities.

These summer service will be supplemented by one of MetroAir’s new Boeing 757 aircraft, operating on routes from Honolulu – Ontario, and Seattle – Ontario.  “The 757 will absolutely help integrate the 3 summer route networks by allowing passengers  to directly and easily transfer between services in Alaska, Hawaii, and Australia,” said Alex Norgaard, director of Charter Operations.

The Hawaiian Hopper partnership with Island Air will launch tomorrow (May 1st), followed by the launch of the rest of the network on May 15th after the delivery of the final three 757 aircraft to MetroAir and after the A330s have been ferried from Baltimore.

Backups

Since the incident regular backups of our data has resumed. We initialized the backup services provided by our host that will backup data in 4 slots; We get a backup provided automatically every day and the last two weekly backups. We also get a manual backup slot to take a snapshot of the server at any given moment. While there is a cost associated with this; it is only $5 USD a month. The peace of mind the service provides in the event another catastrophic incident is priceless; Knowing that there is something sitting around that some recent copies of not only our data, but all of our configurations, applications, and scripts that are used everyday to provide teamspeak, up to date FAA charts, VATSIM data, US Airport delays, ACARS, and more are safe and secured is worth a lot more than $5.

In addition to the host initiated backups, we enabled other backup protocols. Twice a day snapshots of all of our databases are being output. We found some ways to improve how the dumps are taking place to minimize the impact on our normal operations. We are also getting backups of all of our web files on a daily basis. Each day we ship those backups almost 1,500 miles from MetroAir’s datacenter to a server that Lindle is running in Dallas, TX.

I’m happy to report that those backup have been running flawlessly for almost 2 weeks now.  While both servers have seen a dramatic increase in bandwidth being used, they are still well under our hosts caps thanks to a recent upgrade earlier this year. This is just another example of keeping peace of mind just in case.

Software Updates

The forum software that was running pre-hack was an older version. While in the past we had kept up with security updates, we recently stopped patching the forums when an update that was done stopped playing nicely with our forum theme. In hindsight, that was silly;  like most things in life, appearance is usually not as important as what is underneath the surface. The hack was a great opportunity to upgrade to the newest version and put the issues of updating the look of the forums out of mind since the priority was restoring access. While we do have plans to update the theme associated with the forums, we aren’t rushing to get that project completed, especially since both of our graphics experts, Rob & Alex, are either on vacation or busy working on other important projects that have a higher priority.

Password & General Security Practices

The importance of general security practices came rumbling into our views. An informal poll of our execs who have unlimited access to our forums which can cause debilitating effects in the wrongs hands showed no one had updated their passwords in more than 2 years; for some of us it was even longer since they were hired on as staff members. We all hear that we should update our passwords often but rarely do unless forced to. Because of the hacking incident, all of the staff members changed their passwords before going back online. We are also looking into policies of requiring executives to reset their passwords for all MetroAir systems on a recurring basis.

We also expired passwords for all pilots to ensure that the hackers weren’t able to impersonate any of our pilots. If you still haven’t restored your access to the forums or are having issues because your forum email account is no longer active, you should contact staff.

We also cleaned up a number of accounts on the forums that were never activated by pilots or which were dormant for a while. Removing unused accounts is a good security practice since for each account removed is one less method of unauthorized entry. That is also a good reminder for everyone that your forum account and pilot account should be using the same email address. If they differ your forum account may be purged by the system. This has always been policy but was not always enforced. That is going to be more important going forward. It is the pilot’s responsibility to maintain their contact information in both systems.

In summary, we’re feeling more confident about what we are doing now. While it was a painful few days of dealing with the attack, we were grateful for the not-so-subtle reminder that we were not impervious to an attack and to step up our security policies and practices.

“So what are they losing” I hear you all ask, we’ll we will see reduction in service to the following Destinations: Barbados, Cancun, Dallas Fort Worth,  Jacksonville, Montego Bay,  New Orleans, Punta Cana, Nassau and St Maarten.

The following cities will be lost from FLL:
Cincinnati, Cleveland, Freeport Bahamas, Key West, Montevideo, Myrtle Beach and Norfolk.

Along side these changes the new list of gates are as follows. Mainline Domestic will operate out of: E6, E8, E9 and E10. Allegius Dash 8 flights will now operate out of F2 and international flights will remain on the H concourse but they will  now operate out of  H2,H4, H6 and H8. These news flights and gates will take effect on May 1st. Following the review in FLL a full schedule review will also take place in Chicago and then Ontario.

After a busy Saturday enjoying the the 74°F (23°C) temperatures taking a walk on the beach at Back Bay Refuge and finishing the day off with some NC style barbecue with friends, I returned home at around 9pm to find Skype messages from Sara and James alerting me of an issue with the forums; This is when it all started to go downhill.

Upon first inspection it seemed that only our forum database had been attacked. We were left with about 10 forums messages but everything prior to that was wiped clean from the database. At the time, the forums were not even loading. After fixing a configuration file to get the forums working and with what was thought to be a limited scope at the time, I began focusing on looking for backups of the forum database. After about 4 hours of searching through every nook & cranny of my hard disks and on the MetroAir server, I was left with 2 possible backups, neither of which were promising. The last full backup of the database was in July of 2012. In November we had done another export of the forums in an investigative move to try looking at alternative forums. Unhappy with the results and with drooping eyelids, I decided to call it a night and try to find a better backup the next morning. What no one knew at the time was that the website was still under attack.

After a restful night of sleep and working out frustrations of the hack at the gym early Sunday morning, I started my work on a plan of restoration. We had different options but none were great. Do we restore the really old backup and lost 8 months worth of content or do we see if we can somehow export data from the testing forum back into the old version of the forums that we were running? Going back and forth and researching options it became apparent the attack was not limited to just the forums or the forum database. During the morning the main MetroAir website homepage was hacked leaving a a marker saying we were attacked by a Kurdish group. Restoring the main page seemed to fix things temporarily but I had no idea while I was taking steps to move forward that there was an unscrupulous individual working to undermine my attempts halfway around the world.

While the website was being attacked I had attempted to log in to the forums. I immediately noticed that I no longer had administrative access to the forums. After correcting that directly in the database and logging in I found that there was only 1 administrator account left. All of the other executives were “demoted”. I was able to reset the password on the account in hopes that the hacking would cease at that point. Unfortunately the hacker had already left a trail and secured backdoors to get back in to cause more havoc.

Before talking about backups I should probably offer a history of how backups worked. For a long time MetroAir had fairly impressive backup routines, for a VA anyway. Around 5 years ago MetroAir would FTP backups to one of Lindle’s servers. At the time MetroAir and Lindle were both using Windows based servers and were in the same datacenter. We moved MetroAir’s server off of a full dedicated server shortly after that and it went to a new virtual private server. It was linux based with a better price point than paying the monthly fees of a full dedicated server. The servers were no longer in the same datacenter, bandwidth caps were a little tighter and Lindle was in the process of considering alternative servers as well. After moving MetroAir we ended up changing the backups so that it would all be stored on the Amazon Cloud. This worked really well. We were backing up not only regular files but snapshots of the databases every 12 hours. After about 8 months though the backups were starting to get out of hand and the monthly fees for storing backups surpassed the monthly cost of  running the server. We ended up switching those cloud backups off. Around the same time our host began offering its own backup service for a simple and flat $5 a month plan. We were all signed up and never needed the service. The backup service handled everything on the server, but for good measure we were still doing snapshots of the databases every 12 hours. As the MetroAir databases grew, taking the snapshots started to undermine performance of the website. You can probably imagine that 5,676,500+ records (1.1GB) of just ACARS positional data could cause some slowdowns when the database is being locked for backup and the website and ACARS is still trying to access it. We ended up cutting the db backups to be less frequent and eventually stopped them altogether when the performance suffered too much. Early this year we switched all of our services to a brand new server. We wanted to update everything to one of the newest versions of Linux. In doing so, everything had to be set back up again. One of those things was the automated backups with our host. Since it was a different server, it was not automatically backed up. Unfortunately, it was never re-enabled meaning we had no backups. Aghhh!

Early Sunday morning I had got a call from Lindle asking if I had known about the hack and offering his assistance. He also reminded me of the automated backup service from Linode saying that he was going to enable that on his own server in light of recent events. It was a good reminder to get things re-enabled and start the backups on the MetroAir server again.

During all of this, in hopes of restoring the forums an installation of the newest version of the forums was in progress. We had began importing some of the older posts into the newly created forums. William was able to help set up some of the back end of the forums by assigning permissions to certain boards and removing some of the older members who had never logged into the forums. Derrick worked on cleaning up some of the forum accounts as well while James helped to poke his head around trying to find things that were broken in the forums and website.

By 8pm on Sunday it looked like we one of the most devastating blows of the attack was in progress. This time the hacker was deleting files. The entire website was nonfunctional and some of the core files needed to provide services had been deleted from the system. The hacker replaced the website with links to adult websites and lewd images. It was the one time that I wished there was a “recycle bin” I could use to get things back quickly and painlessly. Luckily, that reminder from Lindle to re-enable the backup service couldn’t have been at the most perfect time. I was able to restore the entire server from the very first backup that it had done a mere 7 hours earlier. It was backed up to a completely new server and the IP addresses of the server were changed. We were hoping this would keep the attacker away.

Despite our hopes, we were finding despite the IP address change and restoring things back, the attacker had found us once again. The main website page was left with a simple message for us saying “You all suck.” Finally late Sunday night after combing through webserver access logs I was able to find the source of the continued attempts. The hacker was able to hide his backdoor by naming a new file on the system something that looked like it should be there. Would you have seen something wrong with twittter.php? While I would love to think that our pilots were checking out MetroAir’s twitter feed as much as the access logs were indicating, it was a little skeptical. I went to the page and was quickly devastated seeing just how much access the hacker had to the server’s filesystem. I changed the page around leaving a simple message for the hacker. At that point it seemed as if the backdoor was closed and we would be on the road to recovery.

With everything patched up, we thought we were good to go. Early the next morning while continuing with cleanup efforts we had scoured the system to see if there was any other telltale evidence the hacker left behind. While we were searching for him, he was using one of his last backdoors that he had placed on the server. Twittter wasn’t the only one he had left; it was found in some other innocuous spots on the server as well. This hacker was smart. He wanted to make sure he had access after we had repaired each hole. This time we were a step ahead and found each backdoor that was left on the system and worked to remove them all. For one and for all, order was restored and we were finally confident that things had been cleaned up and we were able to keep the hacker out. We also employed some firewall tactics on the hackers IP range; If you’re in Turkey anytime soon don’t expect to be visiting the MetroAir webpages.

So what exactly did the hacker have his dirty hands on? First he used the forum software itself to purge “old” posts. Unfortunately old for the hacker was everything that wasn’t in the last day. Technically he could have backed up the database and seen email addresses, this hacker seemed to be much more concerned with being malicious and leaving a trail then silently trying to access user data. He wiped files in the forums and main websites. He managed to clean out every single resource we have like gate charts, every download available that we offer, and our latest Monthly Updates. Even the images and scripts used to generate our forum signatures for pilots and the static signatures used for staff were missing. Almost no stone was left unturned but I’m confident that better days are ahead as we complete our restoration efforts of ensuring everything is back to normal. The last big challenge we have is “prettying” the forums with our own spin, though we are just happy with the simple knowledge that it’s back up and running and our pilots can post again without issue.

Part 2 where we discuss what we are doing differently will be out later this week and part 3 discussing your own online security will be out shortly after that.

If you have made it this far, thank you. I’d also like to take the opportunity to thank Sara, James, William, Derrick and Lindle for their concern and cleanup efforts taken to restore the MetroAir that we all know and love!

Photo by DAVID ILIFF. License: CC-BY-SA 3.0

KANSAS CITY – MetroAir Virtual Airlines will offer Airbus A330 service from Ontario, Calif., to Hong Kong beginning Apr. 1.

The new Hong Kong flight is the newest in a recent batch of long-haul flights added from MetroAir’s Ontario hub, which were made possible by the addition of new A330 aircraft and the reintroduction of Boeing 757s in recent months.

A city on China’s south-eastern coast, Hong Kong is home to more than 7 million people and is one of the most densely-populated areas in the world. Hong Kong International Airport, VHHH, is ranked as the 10th busiest airport in the world for passenger traffic, handling more than 53 million passengers in 2011. It is also the world’s busiest airport for cargo traffic.

The airport takes up an entire island off the coast of Hong Kong, adding a new challenge for MetroAir pilots at the end of the nearly 14-hour flight.

Congratulations to Andri Kristjansson for being the first to correctly guess the destination. Andri will receive 100 MetroMiles and a the Sporting Kansas City A319 livery when it becomes available.

The flights, which will be flown in a special Sporting Kansas City livery for the Airbus A319, will be available beginning March 22 with service to Boston for the team’s match against the New England Revolution.

“We’re very pleased to team up with Sporting Kansas City – our hometown team,” Matt Calsada, the airline’s chief executive officer said. “We’re going to give the team our world-class charter service so they can perform their best while away from home.”

The charter flights will only be available for short periods and to a variety of destinations, keeping with the team’s schedule.

The custom livery will be available in the downloads section soon.

Ad Hoc Charters are unique flights available for a short period, often designed to push pilots to the limits of their skills, and this flight to Bhutan is no different – Paro Airport is at 7,300 feet and has a very precise approach. Pilots can review the approach charts here and here.

The flight will be flown in an Airbus A319 and will fly from Baltimore to Manchester and Dubai before arriving in Bhutan.

There is a complete pilot brief for this Ad Hoc Charter here. Please review the brief before attempting the flight, as it contains important information regarding passenger loading and layovers.

Enjoy the flight!

The freeware Project Opensky 757 is quite good, but the panel systems are quite basic, and it flies much like many of the other multi-engine jets in the MetroAir fleet.

On the other hand, the QualityWings 757 is one of the most in-depth aircraft systems we have here at MetroAir. The QW757 offers a fully functional flight management computer with an advanced autopilot. To get the most out of this payware aircraft, it is important to understand how to fully utilize the FMC and autopilot – which has a couple of quirks which may throw off pilots new to the system.

The aircraft comes with a detailed manual, but if you’re like me, you’ll want to dive right in and figure it out as you go, only cracking opening the manual when something doesn’t work the way you’d expect.

Before takeoff, the FMC can load a flight plan from a separate file, but it can also import the flight plan from FSX. To load the FSX flight plan, open the FMC and go to the Index page and choose LOAD ATC RTE. On Boeing FMCs, it is important to remember that one must click the EXEC button to save any changes to the computer.

Once the flight plan is loaded, it’s time to choose the departure and arrival procedures and runways. Clicking the DEP ARR will allow you to choose the proper procedures for the airports in your flight plan.

Here’s the first quirk I noticed comes into play: If your flight plan already includes the waypoint for the SIDs and STARs, adding them through the FMC will duplicate those waypoints. To remove the duplicates, go to the LEGS page and find the first waypoint in the procedure you’d like to delete, then click DEL and the button next to the waypoint you want to remove. When you’ve finished removing duplicate waypoints, remove any discontinuities by typing in the fix following the discontinuity and clicking the button for the blank space in the LEGS page. Remember to press EXEC when you are finished.

Finish setting up the flight as you normally would – the next quirk comes after takeoff.

Engaging the autopilot: I’ve found the smoothest way to engage the autopilot is to manually setup the desired IAS and vertical speed for immediately after takeoff. For example, I’ll have 240kts and +4100 set in the MCP when I engage the autopilot. Once the autopilot is engaged, I’ll press the VNAV button to have the FMC take control of the pitch and speed. I’ve noticed that if VNAV is already pressed when the autopilot is engaged, it doesn’t actually take control – I can’t explain why that is.

So, now we’ve got the 757 climbing and maintaining speed – next, let’s get it to follow the LNAV course.

The LNAV will not engage until the aircraft is on an intercept course AND within 2nm of the planned route – depending on your departure route, it may take some hand-flying or HDG input to get LNAV engaged.

The HDG button on the MCP actually has two different settings – the SEL button in the middle of the dial will hold the heading dialed into the MCP display, while the HOLD button below the knob will hold the current aircraft heading. When you first engage the autopilot, HOLD is active, so it will be necessary to either disable HOLD to hand-fly the aircraft or press SEL to have it fly the course intercept heading you plugged into the MCP.

Once LNAV is engaged, you’ll be on your way to the top of descent. Once the QW757 reaches T/D, it will automatically descend if the desired altitude in dialed into the MCP. So, it is important to remember to dial it in before reaching T/D.

If your STAR includes altitude and speed restrictions, which you can verify on the LEGS page of the FMC, it will automatically follow those restrictions, e.g. for the EMI5 STAR into BWI, you can dial the final approach fix altitude into the MCP before T/D, and the aircraft will cross all the waypoints at the proper altitude before reaching the final altitude – at the final fix – exactly the way you’d want it to.

Speaking of final, the QW757 makes it easy to do an ILS approach: the NAV and Course are right there on the MCP – dial it in and engage LOC/APP to make the landing.

My final tip: just like every other landing, it is important to keep the power up until the wheels touchdown – don’t glide to a landing. Doing this will make your landings a lot smoother – try it, I dare you.