[HN Gopher] Polish trains lock up when serviced in third-party w... ___________________________________________________________________ Polish trains lock up when serviced in third-party workshops Author : miki123211 Score : 770 points Date : 2023-12-05 14:10 UTC (8 hours ago) (HTM) web link (social.hackerspace.pl) (TXT) w3m dump (social.hackerspace.pl) | kozak wrote: | This is probably perfect for some EU anti-monopoly lawsuit, am I | right? | izacus wrote: | This should be a standard consumer protection law (right to | repair), not a monopoly thing :/ | joshuaissac wrote: | EU consumer protection laws generally do not apply to B2B | contracts (although member states can gold-plate them to | extend their scope). | izacus wrote: | Sure, but that just means it needs to be adjusted to cover | outright sabotage after sale like this. | Sosh101 wrote: | More like highly criminal behaviour like fraud and extortion. | plagiarist wrote: | I don't see how it isn't literal fraud if the behavior | isn't documented in the purchasing contracts. | Glyptodon wrote: | It seems like some mix of vandalism and fraud too. | mardifoufs wrote: | Seems like the trains were manufactured by a European | corporation so probably not lol. | sofixa wrote: | Do you think European regulations don't apply to European | companies? They do, it just gets less publicity when e.g. | Criteo get fined for abusive tracking than when Google do. | mardifoufs wrote: | They do, just less so. It's harder to poke around big | industrial players of member states. | faeriechangling wrote: | Size might let you escape with a slap on the wrist but | it's hard to imagine Poland doesn't get its pound of | flesh over this. | artursapek wrote: | Someone's definitely going to jail for this. I can't even think | of what the defense's argument could be. | actionfromafar wrote: | Maybe "I am friends with the Law and Justice party"? | TeMPOraL wrote: | Most people in Poland don't even understand how rail has | been privatized and shattered into half a million | companies. To a regular person, if it's a train, it's "PKP" | (Polish National Railways) - therefore something the | government is responsible for. | | I don't think Law and Justice will be happy about some corp | screwing with infrastructure and having the voters blame | the government for it. | actionfromafar wrote: | I hope you are right. I'm maybe too cynical, thinking | something along the tune of: | | _" If only more of OUR judges were in place, you | wouldn't see such corruption, dear people."_ | TeMPOraL wrote: | Why not both? What better way to underline the point than | pressuring to make an example out of Newag? | | EDIT: | | PiS has been at the core of political turmoil for the | past decade or more, but rail transportation has been an | issue for much longer. It's _legendary_ at this point, it | transcends politics, and portals you straight into the | 1990s. So I feel it would be in the self-interest of | everyone in the government to throw the book at Newag | right now. | actionfromafar wrote: | This is true! It would depend on if there actually was a | corruption link worthy of protection. I.e., bluster _and_ | results, or _only_ bluster. | | Edit: | | I didn't know the train situation had been bad so | consistently long! My sympathies to railgoers. It | definitely sounds like all politicians could score by | getting Newag some well deserved justice. | Freak_NL wrote: | After the recent elections that might not be the safest | thing to say if you wanted to _avoid_ litigation. PiS didn | 't do so well and lost their majority and is likely to end | up in the opposition. | throwaw33333434 wrote: | If I understand correctly apart from hardcoded `ifs` there was | a backdoor as well. | | Russian agencies could use it to slow down transit of military | aid to Ukraine. | | In my book you could argue a criminal case. | tormeh wrote: | It's not a monopoly, so no. Would make just as much sense to | ask for a DMCA takedown of the trains. | namaria wrote: | Do you think anti monopoly legislation only applies when some | company controls some market outright? | throwaway092323 wrote: | Help us, European Union. You're our only hope. | faeriechangling wrote: | I would reach for other laws like sabotage and extortion and | something that probably exists specifically for the protection | of public infrastructure and charge them criminally and raid | the offices and take out the executives in cuffs. | | They screwed with the rich and powerful here why not throw the | book at them? | garyfirestorm wrote: | i think the remote lock makes it a backdoor and probably | criminal? | plagiarist wrote: | I think hacking laws only apply when a pleb causes a | corporation device to behave other to the corporation's | desires. The reverse is just business. | radres wrote: | Depends on country's laws and contracts between parties. If | the contract does not mandate service by the manufacturer, | only suggests it, this sounds illegal. Not because of | hacking, because of not documenting behavior and disturbing | state entity hence the people. | plagiarist wrote: | Oh, yes. I agree that this sounds like actual fraud if it | is undocumented. I disagree that disabling the machines | would count as "hacking." | | I am cynical about the latter because I personally would | like this sort of malicious shit to qualify as hacking. I'd | also like the telemetry and recording in all modern cars to | be considered hacking. | hedora wrote: | One practical solution is to make certain clauses | unenforceable in end user license agreements and all non- | negotiated contracts. | | For starters clauses allowing the vendor to upload any | user specific data (anonymized or not) and prohibitions | against specific uses of the software would be | unenforceable. | | The former ensures privacy, and the latter would make the | behavior of the train manufacturer illegal (in the US), | since it'd fall under the CFAA: | | https://en.m.wikipedia.org/wiki/Computer_Fraud_and_Abuse_ | Act | | (Sections a.5 and a.7 in the section "Criminal offenses | under the Act") | p_l wrote: | Various contract provisions are illegal in Poland as | well, for example a contract can't prevent you from | disassembling and reverse engineering any software or | hardware, including building a compatible device so long | as you do not literally copy the results over. | | In this case, NEWAG violated contract, because they did | _NOT_ win the bid to do servicing, and didn 't write | anything down about being the only party able to service | the machines. | himinlomax wrote: | If the contract mandated it, then the manufacturer could | simply have filed a lawsuit. The fact that they didn't and | did something in secret instead shows otherwise. | masswerk wrote: | Only, if you can provide a proof for the train not being a | printer or that it cant be used as such. /s | dheera wrote: | Who are these hackers and how did they get their hands on a | train, among all things? | wielebny wrote: | Here a comprehensive write-up in Polish in a somewhat | sensationalized - but rightly so - tone: | https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhak... | HeWhoLurksLate wrote: | https://translate.google.com/?sl=auto&tl=en&text=https%3A%2F. | .. | | for those of you who like me can't quite understand literally | anything otherwise | meithecatte wrote: | As explained by the linked article in Polish, the workshop | reached out to them and asked of they could figure out why the | train isn't working. | mciancia wrote: | tldr hackers are from DragonSector (one of the top CTF teams) - | https://dragonsector.pl/ | | They were contacted by workshop which was doing maintenance of | those trains and had no idea why they stopped working | jseutter wrote: | The truth is almost stranger than fiction. They are members of | a group called Dragon Sector and were brought in by the train | operator after 6 of their 12 largest trains became unresponsive | after having inspections done at a rail yard owned by not-the- | manufacturer of the trains. The manufacturer said the trains | became unresponsive because of malpractice at the train repair | shop and mentioned some condition that didn't appear to be in | the maintenance manual. The train operator made contact with | Dragon Sector and asked for their help. | | It's a wild read: | https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhak... | | It appears to be malicious code included by the manufacturer to | prevent third party repair that at one point included | geolocation for triggering. Given that the train operator had | to reduce train schedules for this which impacted service and | income, it might end up as evidence in a lawsuit against the | manufacturer at some point. | vidarh wrote: | I would love to know if the checks were as brazen as | presented in that post, or if the coordinate checks were | obfuscated in some way. It sounds like they just assumed the | operator would fold long before even getting at the code and | couldn't even be bothered trying to make it look accidental. | q3k wrote: | The main obfuscation was the way IEC 61131-3 constructs get | first compiled to C and then to assembly. | | There's a lot of indirection and zero strings in the | resulting code, meaning it's very difficult to actually | find whatever logic you're looking for. But once you see | it, it is obvious and seems like it was built like any | other logic. | vidarh wrote: | That's amazing. If I was going to pull a stunt like this, | I'd like to think I'd find some way of trying to make it | look like a bug. | | Must be very satisfying to find something like this. | | I guess this is going to provide plenty of billable hours | for lawyers at this point... | Pet_Ant wrote: | Well the error message claims that they are infringing | copyright. It very well could be that they are within their | rights if the initial license/contract stipulated that they | would only service the trains in their authorised locations. | This _should_ be illegal, but very well might be. | planede wrote: | How would copyright be in-scope at all? At worst this | infringes EULA. | xeeeeeeeeeeenu wrote: | Excerpt from an Onet article[1] about this: | | >Until a few years ago, rolling stock manufacturers such as | Newag from Nowy Sacz and PESA from Bydgoszcz were able to | dominate the maintenance market. It was mainly them who | entered tenders for compulsory maintenance of their | vehicles, because other companies knew they were at a | disadvantage. At the time, the dominant narrative of the | manufacturers was that the "Maintenance System | Documentation," a kind of manual for a given vehicle, was | the manufacturer's secret, its intellectual property, and | under no circumstances could this be passed on to other | service companies. This led to a situation in which | railroad companies across the country were forced to use | the manufacturer's expensive service. And the latter, | having a monopoly on repairing its trains, dictated | outlandish prices, even tens of percent higher than another | company would have given, the rail safety expert points | out. | | >Our source adds that later, thanks to the European Union | Agency for Railways, the interpretation of regulations | changed, allowing other companies access to service trains. | This led to the opening of the market to other companies in | the industry. | | [1] - https://wiadomosci.onet.pl/kraj/awarie-pociagow- | newagu-haker... | fargle wrote: | translated. very interesting: | | https://zaufanatrzeciastrona- | pl.translate.goog/post/o-trzech... | p_l wrote: | They didn't win the contract for servicing, and the law | required opening up service in the first place. | plagiarist wrote: | > if the day is greater than or equal to 21st and | | > if the month is greater than or equal to 11 and | | > if the year is greater than or equal to 2021 | | > then report a compressor failure. | | > [...] It was probably the software author's inability to | construct IFs that made it necessary to wait until November | 21, 2022 for the planned failure. | | Oops! | sdflhasjd wrote: | And it magically starts working again on the 1st December. | TeMPOraL wrote: | And then breaks again just in time to catch Christmas | travelers by surprise. | ysofunny wrote: | The most poetic part is how the train maker are merely | looking out for their own profit margins..... | | Economic theory(?) would suggest that if they don't do this, | their competition eats their lunch and drives them out of | business. | | heck, Volkswagen did something much shadier to get their | vehicle's emissions to comply | cryptonector wrote: | This is much shadier than what VW did. VW was working | around unrealistic emissions standards -- illegal, sure, | but they didn't cause big ticket items to stop working. The | train manufacturer here appears to have done something much | worse. | Crosseye_Jack wrote: | You wouldn't download a train, would you? | flutas wrote: | I've honestly wondered for a while how many devices (from phones | to cars) have features like this that haven't been documented | yet. | | Also how many engineers have worked on features like this without | whistle-blowing over behavior like this. | hedora wrote: | I can't change the 12V lead acid battery in my EV without using | a reverse engineered OBD-II dongle. If you don't use the dongle | to reset the charge circuit, it fries the new battery in about | a month. | | Here are incorrect directions explaining how to do it: | | https://www.mybmwi3.com/forum/viewtopic.php?t=17838 | | Step 14 requires the magic dongle. | | Note that they are not disconnecting the main battery, so they | are risking electrocution from the >> 100V DC batteries. | | There are some comments about not letting the old battery get | into a low voltage state. | | That's tricking the charger into not overcharging the new | battery to death. | spuz wrote: | What is the story here exactly? Is there an official way to | replace the battery that doesn't require a dongle? What does | the dongle do exactly? Why does a new battery get drained if | you don't follow this process carefully? | hedora wrote: | The charger learns how worn the old battery is, and | overvolts old ones to get a bit more useful life out of | them. When you disconnect and reconnect the battery it | doesn't reset the training algorithm, so it overvolts the | new battery, reducing its lifespan to roughly 30 days. | | There's no official way to reset the charge algorithm | without a dealer-only dongle, so you take it to the | dealership to replace the battery (~$400 labor, $100 | parts). | | They could solve the problem by adding a "register 12V | battery" option to the service menu, or by having it prompt | the next time you start the car after 12V power is | interrupted. | spuz wrote: | That makes sense. Manufacturers keep proving to us they | don't value making maintainable products so it seems | obvious they need to be forced to do that one way or | another. | physhster wrote: | Registering batteries has been a thing for BMWs for at least | a decade. The dance around keeping windows open etc is a | little more annoying, but nothing out of the ordinary. | me_me_me wrote: | another reason not to buy BMW added to the list | rootusrootus wrote: | > I can't change the 12V lead acid battery in my EV | | Aside from that not having anything to do with it being an | EV, it's worth mentioning that many newer EVs (most of the | ones sold, perhaps) use a lithium 12V battery now, not lead | acid. So in general they ought to last longer anyway. Plus | Tesla, at least, doesn't 'register' batteries the way BMW | does. | delfinom wrote: | This is actually not specific to the EVs but something all | German car brands started doing. They made their | alternators/chargers of the 12V battery overtly complicated | and you have to use a dongle to tell the car you replaced the | battery and with what kind of battery. | | My friend once replaced her battery, exact same one in a BMW | X3. The car immediately went into a limp mode and would | refuse to go faster than 5mph until we connected a dongle and | told it that the battery was replaced with the exact model | that was already in there. | | There's an argument they did it for "battery lifespan | optimization" which there is a semblance of truth, because | there are different kinds of lead acids. The reality is they | found a new way to force the majority of people into | dealerships. | ysofunny wrote: | .... just imagine how many instructions you can hide in a | 64-bit address space (I'm thinking of you _intel_ hacker magic) | Bermion wrote: | How many similar practices actually get discovered? In a way this | is the "right" thing to do in a capitalist society. We are | incentivising this behaviour by making it profitable. An honest | company cannot compete with a company doing this, unless very | rigorous regulations and enforcement of them. This gets harder | and harder as tech gets more opaque. Adding more regulation, | auditing, hoping that _all_ entrepreneurs are honest, are | crutches trying to patch a fundamentally broken economical | system. | | If capitalism were a software, we would call practices like this | code smell. We can try patching it up with some specific | legislation and (costly) enforcement by e.g. code auditing in | this case. But the real issue is that our economy is not | optimizing for global (national) utility, it is optimizing for | profits of individual business owners. | mannykannot wrote: | The fact that an entity can sometimes benefit from deceit has | nothing to do with capitalism, specifically, and capitalism is | not the simple proposition that profit justifies anything, even | if some people sometimes suggest that it is, in order to | advance their agenda - in a rather deceitful manner, I might | add! | augustulus wrote: | do you have a counter-argument? because what I'm reading here | is "you're wrong and lying or lied to because of an 'agenda'" | and that's it | | what do you think GP or someone who has lied to GP really | thinks? | | why are they lying? | | what's their agenda? | | do you agree that we (in the West) currently broadly live | under Friedman's version of capitalism, and, if so, do you | agree that it broadly follows the mantra of | "profit/shareholder value above all else"? | | if you don't think we live under that system, what system do | you think we live under, and what differs it from the mantra | of "profit/shareholder value above all else"? | mannykannot wrote: | You have presented a preposterous and completely | unjustifiable reading of what I actually wrote, and then | demand me to justify it? That's not going to happen, of | course. | augustulus wrote: | you don't have to justify your assertions to me or anyone | else, but make sure you can justify them to yourself. | have a think about what you said and see how deeply you | can support it. you don't have to reply. you don't even | have to bluster and make accusations. just try and think | about it slowly and unemotionally in your own head. | | what agenda were you referring to? | | who is being deceitful? | | what are they trying to hide? | | what were the primary tenets of Friedman's capitalist | philosophy? | | don't answer to me, just make sure you have solid answers | for yourself | mannykannot wrote: | I don't have to justify them to myself or anyone else, | because they are figments of your imagination that have | no basis in anything at all. In all the articles and | comments I have written anywhere, I have never before | received any response so unhinged from what I actually | wrote. | fnimick wrote: | The pressure to benefit from deceit because outperforming | competition is the only way to stay alive is unique to | capitalism, though. | | "capitalism is not the simple proposition that profit | justifies anything" - of course, but it naturally leads to an | environment where profit justifies anything. No business | leaders avoid money-making immoral behavior unless it is | overall unprofitable due to market conditions (a specific | well-informed customer base, for example) or regulation. | augustulus wrote: | this is all true, but what is the better system? Communism has | its merits, but it's extremely reliant on competent, benevolent | leadership and struggles to be economically viable in an | American-dominated world. | | I think that a Keynesian, well-unionised economy with strong | regulation _is_ the solution. I'm sure they exist, but I | struggle to think of many examples in history of over- | regulation leading to a fault, but I can think of many, many | examples of under-regulation managing it, and yet largely due | to the capitalist-controlled media, over-regulation is the more | feared of the two. This isn't to say that over-regulation isn't | possible, of course it is, but I don't think it is in tech. | | To go on a tangent, I personally don't believe in the | untrammelled progress of tech. I can understand why people are | so vehemently against that idea, of course it's frustrating to | restrict human ingenuity, and there's a lot of money to be | made, but tech is quantifiably making people's lives worse. | Smartphones are a fucking travesty. IQ scores are down | something like 10% from the 90s. The internet isn't great, but | at least when you had to be at home logged into a desktop there | was some friction. Now an entire generation is plugged into it | permanently. An entire generation that doesn't really read | books, rarely thinks alone and in many ways hasn't had to learn | organisational or navigational skills. | | AI doesn't look like it's going to make any of this much | better. Even if we don't achieve AGI, which I hope, neural | networks are only going to get better and better, the best and | most powerful ones in the hands of the richest people, who will | simply use them to worsen inequality even more. | | What else is next? Neuralink? Human genetic engineering? You | would hope regulation would stand up to them, especially | aesthetic genetic engineering, but who knows? | | What we need is a nice big solar flare EMP. Something like the | Carrington event | fnimick wrote: | What's next is AI operated lethal weapons. You best believe | all the elites are racing for those as fast as they can. As | soon as those are a reality, all revolution against economic | inequality becomes impossible. | | The U.S. army wouldn't fire on civilian protestors, | regardless of what a general ordered. An AI army would have | no such restrictions or be vulnerable to appeals to morality | and ethics. | AnimalMuppet wrote: | > What's next is AI operated lethal weapons. You best | believe all the elites are racing for those as fast as they | can. As soon as those are a reality, all revolution against | economic inequality becomes impossible. | | Except for revolution by the AIs. AIs may not like selfish | rich jerks any better than biological intelligences do. | Roark66 wrote: | >The U.S. army wouldn't fire on civilian protestors, | regardless of what a general ordered. | | World doesn't work like this. You'd think human sanity | would prevail if given an order like that as some sort of | built it "safety", but people who want to give orders like | this can do it in a way that ensures they are complied | with. Imagine the soldiers are told there are people with | hidden guns in the crowd. Then you get few snipers to take | out few soldiers from the crowd's direction and vice versa. | The crowd starts shooting back as well as the soldiers. | | Do you think this scenario is far fetched? That's exactly | what happened during the EuroMaidan protests in Ukraine | some years ago except instead of soldiers there was police. | https://www.researchgate.net/publication/266855828_The_Snip | e... | | People are fully capable of killing each other with no help | from AI. | vidarh wrote: | For B2B contracts of this kind of size a solution is to insist | on clauses with _very_ steep damages in the event of evidence | of specific measures to prevent third party service or similar, | coupled with never again dealing with a manufacturer like this. | | The bigger problem is when manufacturers pull stunts like this | on customers who can't afford and/or don't have sufficient | financial incentive to figure out the underlying problem. | Bermion wrote: | Steep damages is in many cases not enough because the | likelihood of being found out is so low. The damages then | have to be extremely steep for this behavior to not be | incentivised. Basically to bring the expectation value | negative, the damages has to be larger than the profit gain | by this behavior, divided by the probability to be caught. | Often this will be more than the value of the company, and | then the damages do not matter as they simply bankrupt. In | that case, the rational business practice is to go for it and | hope to not get caught. Any other behavior will eventually | lead to bankruptcy in a competetive market. | vidarh wrote: | Which is why it's only really helpful for B2B contracts | where there's reasonable power parity to the point where | you can realistically 1) refuse to sign a contract unless | the damages are significant enough, 2) any resistance to | doing so is a strong signal they're up to no good, and 3) | you as the buyer can actually afford to do what the | operator did in this case and put significant effort into | identifying the cause. | | I don't think there are many actual cases of manufacturers | pulling this without ensuring it's covered in their | contract, because being caught out even once will trigger a | lot of 1,2 _and_ 3 from future buyers if they still | consider you an option at all. | | And remember in this case the maximum potential gain is | only maintenance contracts from that subset of operators | that opt to have other companies do the service. | atticora wrote: | It would be so easy to get away with this kind of extortion at my | work. Nobody reads my code that carefully, or cares if I don't | get it reviewed and just merge it. Only one other person could | understand it if he tried, and he has no interest or involvement | in it. It could easily look like just a bit of incompetence on my | part that requires some additional consulting from me after I | have moved on. | | That's not how I roll ... or sleep well, so my employer is in no | danger from me. But there are many short-term devs who come | through here, and I don't have the time to police them in detail. | | But conceivably an LLM could do it. It could be just another step | in a build pipeline. But, when LLMs can do this well, they can | also write most of the code going into the pipeline. | justinclift wrote: | > But conceivably an LLM could do it. | | It'd be kind of funny if an LLM did that "unintentionally", and | wasn't able to unlock the code it wrote... ;) | ceejayoz wrote: | This doesn't sound like the sort of thing some rogue developer | secretly slips into the codebase. | fnimick wrote: | Exactly. This is a company initiative to increase company | profits. It's smart business, as long as it's not illegal or | the fine is insufficiently high. | Flammy wrote: | Yup that is how I read it as well. Product decision. | nerdbert wrote: | Is it smart business though? Once disclosed it provides | future purchasers with a strong reason to avoid your | products. Who wants to spend millions on trainsets that | could become unserviceable in the event that the seller | goes out of business or makes some mistake in authorizing | service centres or gets into a dispute with us over another | matter? | fnimick wrote: | It can be smart business if the probability of it being | disclosed is low enough. Using fake numbers as an | example, if you can make an extra $1 million on repairs | and will suffer $100 million in fines / lost business if | it becomes known, as long as the probability of it | becoming known is less than 1%, it's a net positive | expected value. | serf wrote: | it's just tight-rope walking at that point. If your | company has sufficient leverage within the market they | can get away with murder. | | see: John Deere | JAlexoid wrote: | Ahem... Boeing 737 MAX, which was literal murder. | silvestrov wrote: | I would guess this is also why the code was found: it's | parallel construction. | | Somebody was told to take a closer look. | | Otherwise it would be very weird to have 3rd party | developers disassembling firmware code. I've never heard of | that happening because a train didn't want to start. | TeMPOraL wrote: | When the trains your company serviced start experiencing | failures, you look at your workers. When the trains your | company was supposed to service, but _didn 't manage to | touch yet_ start experiencing failures, you might begin | wondering about alternative explanations. | | I imagine someone in the company was someone who knew (or | was a parent of someone who knew) someone in Warsaw | Hackerspace, and introductions were made. | Thorrez wrote: | But how would you profit off of it? In the case here the | company profits by forcing trains to use first-party workshops. | vidarh wrote: | "Last time this failed, Bob was the only one who could fix | it." | | "Bob resigned a few months ago." | | "See if he is willing to do some consulting. We'll pay | whatever rate he demands." | | I still occasionally have past employers call about things | years after I left, and if I'd have been immoral enough to | pull something like this, those systems could have been full | of time bombs. | JoshuaRogers wrote: | This mindset reminds me of the policies we use in the dev | team at work. Any policy access that I suggest starts with | the thought "If future me were to go rogue one day, how | would present me stop me?" | bombcar wrote: | It's kind of amazing how blatant it was, they weren't even | really trying to hide it much. | | Similar to the VW emissions thing; if they'd been intentional | about it they could have made it look much more like a mistake. | SSLy wrote: | > A rather amusing situation was encountered with another train | set that refused to work on November 21, 2022, despite not being | in service at the time. The computer reported a compressor | failure, although the mechanics determined that there was nothing | wrong with the compressor. Unfortunately, the train still did not | raise its pantographs. The analysis of the computer code revealed | a condition enforcing the failure, which read as follows: | | > if the day is greater than or equal to 21, and | | > if the month is greater than or equal to 11, and | | > if the year is greater than or equal to 2021 | | > then report a compressor failure. | serf wrote: | I guess a charitable interpretation is that the compressor | manufacturer set an 'expiry date' to ensure replacement of a | vital component. | | (but it's probably just shady business.) | Ukv wrote: | Also the wrong way to implement an expiry data, since it'd | work fine again when the day goes below 21 or month below 11, | even if the year is 2021 or greater - which seems to be what | happened if they only noticed it in November 2022 rather than | 2021. | garblegarble wrote: | It might lead to a fault that appears more realistic - | it'll go away for a bit in December before coming back | again... if the engineers say the compressor's good but the | computer fails it intermittently, that seems like a good | point to get the manufacturer involved which is what they | wanted to force | TeMPOraL wrote: | Yeah, that's not a component expiry date. This reads more | like "fire a warning shot in November, and then fuck the | operator over during Christmas". It feels like trying to | _maximize damage_ , as 21-31 December is exactly where a huge | chunk of population travels to visit their family homes, and | many of them do so via trains. | JAlexoid wrote: | Nah... I just bet that this is some dev, that doesn't know | how to deal with dates. | | I had a recently "senior" dev give me a SQL query with | similar where clause, when asked to query data after Sept | 1, 2022 (where moy >= 9 and dom => 1 and year => 2022) | CryptoBanker wrote: | What good reason is there for hard coding dates that | shutdown trains? | thaumasiotes wrote: | That's when the compressor's going to fail, obviously. ;D | TeMPOraL wrote: | Right. How did that famous adage go? "The best way to | predict the future is to invent it." | raphman wrote: | The best way to predict a crime is to commit it. | | (with apologies to Alan Kay who coined the original | saying) | lstamour wrote: | In case anyone is confused, the problem is that dates | loop, such that moy=1, dom=1, year=2023 will not match | despite being greater than Sept 1, 2022. Technically, | then, if you wanted this logic to work you would have to | add a second "or" clause that handles the edges missed, | e.g. (moy >= 9 AND year = 2022) OR (year > 2022) though | you would need a different edge case if your dom wasn't | 1. The easier approach, of course, is to just compare | dates or timestamps directly. | pixel8account wrote: | Very charitable. The "expiry date" was set to the next | servicing date _and there was no way for competition to fix | this hardcoded date_ and this was not documented in the | official documents. Clearly a way to force buyers to use the | "official" service. | idonotknowwhy wrote: | Reminds me of those work arounds for share ware in the | 2000s,when I you had to say the system time back | bombcar wrote: | The real crime is not using a standard date time library and a | simple > 2021-11-21 | p_l wrote: | Can be often problematic on PLCs and the programming | environment exposed to programmer. | cj wrote: | Personally I prefer measuring time as seconds that have | passed since January 1st, 1970. | Faaak wrote: | And then your train is 32bits and stops working in 2038 ;-) | rollcat wrote: | Even being evil requires a certain level of competence. It's | how we actually catch any of them. | pixel8account wrote: | This is a reason why it was detected a year later - the train | service was delayed and it spent late November and whole | December in service. So the "expiration" intended for 2021 | only manifested in 2022. | delfinom wrote: | This was programmed into a PLC, not traditional code. | | PLCs are basically environments designed for mere technicians | being able to adjust code in very clear concise fashion. It | can be way more verbose, but the logic is clear and solid for | decades of operation. | | It doesn't require reading an api documentation on version X | of a library downloaded from NPM 15 years ago nor rebuilding | an entire project to the latest dependencies. | drra wrote: | So these trains are exclusively used in Poland by quite a big | number of regional train companies. There are 5 servicing levels | starting from P1 up to most complex P5. It used to be that only | these major companies would do P3+ but since a few years tenders | were won by several smaller competitors at much lower prices all | thanks to European Union Agency For Railways that opened that | market. | | It started with 4 trains that were serviced by SPS Mieczkowski | and just wouldn't start. The company was forced to pay EUR0.5m in | penalties and trains were sent back to Newag. At the same time | several other trains from different companies that didn't even | got to service but spent a bit too much time in one place became | immobilized. This all led to SPS Mieczkowski hiring Dragon Sector | to investigate and they found several separate routines to | disable trains. | | This case is investigated by Central Anti-Corruption Bureau in | Poland but I doubt it'll do much harm to Newag. The Office of | Rail Transport of Poland that would spam rail company with | complaints and orders for a small mistake in train schedule | washed it's hands from intervening in this case and train | purchases have highly regulated tender process and very little | wiggle room for rail companies. | KptMarchewa wrote: | >This case is investigated by Central Anti-Corruption Bureau in | Poland but I doubt it'll do much harm to Newag. The Office of | Rail Transport of Poland that would spam rail company with | complaints and orders for a small mistake in train schedule | washed it's hands from intervening in this case and train | purchases have highly regulated tender process and very little | wiggle room for rail companies. | | It's clearly a crime of sabotage under Art. 254a kk. Tender | process does not matter in this case. We just need a competent | prosecutor. | | https://sip.lex.pl/akty-prawne/dzu-dziennik-ustaw/kodeks-kar... | TomaszZielinski wrote: | Having read only that kk article, I'm not certain if trains | are considered parts of the infrastructure? | KptMarchewa wrote: | It works for train vandalism - why wouldn't it work on | industrial scale? | | For example, someone stole active train parts: | https://orzeczenia.gdansk- | poludnie.sr.gov.pl/content/$N/1510... | TomaszZielinski wrote: | I don't know, that's why I asked--for me "infrastructure" | sounds like the immovable parts. Similarly to road | infrastructure, which doesn't include cars. But it's just | my armchair impression, I have no idea how the law works | in this context. | | I quickly scanned the sentence you linked to, and art. | 254a seems to be applied only to the theft of wires from | tracks? Or am I missing something? | | I've tried googling "infrastruktura kolejowa", and it | seems that Ustawa o transporcie kolejowym defines it in | art. 4.1, referencing Appendix 1. And that Appendix only | lists immovable stuff. But again, I'm not a lawyer and | I'm aware that definitions from one act often don't apply | to a different act, in different branch of law. | myself248 wrote: | In the usage I'm familiar with (in the US), the entire | rail network is considered "transportation | infrastructure", from a national perspective. | | But from the perspective of just the rail network, the | track and other infrastructure is considered separate | from the rolling stock. | | I wonder: If the rolling stock becomes immobilized, does | it now count as immovable stuff? | TomaszZielinski wrote: | Ah, that's a very good distinction between the national | perspective and the rail perspective! | | > I wonder: If the rolling stock becomes immobilized, | does it now count as immovable stuff? | | Assuming it's a philosophical question, and not a legal | one, how about: - A runner that's currently running is | obviously a runner - A runner that finished running for | today is still a runner - A runner with serious knee | problems is a former runner ? | TeMPOraL wrote: | Also practical question: how much of the rolling stock | has to become immobilized before the immovable parts of | the infrastructure become useless? At which point you can | start throwing the book at whoever's responsible? | p_l wrote: | Locking up (or causing possibility of doing so) a non- | siding line sounds like Denial-of-Service on rail line. | reactordev wrote: | If that were true, Amtrak wouldn't be leasing railways as | it's nationally run. Railroad companies like Union | Pacific, Norfolk Southern, CSX, own their rails. They own | their rolling stock. They own their locomotives. They | lend you, the business person, a rolling stock to load | and ship to where you need it to go. There it will be | unloaded and sold/shipped by truck to final destination. | | Rail companies own the right-of-way AND the rails. They | control what runs on their rails, who runs on their | rails, when they run, etc. | | It's quite something to think that 97% of the rail tracks | in the USA are privately owned. | | https://public.railinc.com/about-railinc/blog/who-owns- | railr... | bitcharmer wrote: | Being a 40+ year old Pole I am yet to see a single case of | corruption in public sector be prosecuted. | ajuc wrote: | Maciej Zalewski (a co-creator of Kaczynski's first party - | Porozumienie Centrum) remains the only high-level | politician I know of in Poland that was sentenced for | corruption and actually went to jail. | | https://pl.wikipedia.org/wiki/Maciej_Zalewski_(filolog) | | He warned Bagsik and co. (who stole millions of public | money through the famous Art-B company and escaped to | Israel) that the police wants to imprison them - so they | managed to escape. Bagsik later confirmed that they shared | some of that money with Porozumienie Centrum's business | named Telegraf. Somehow only the less important guy | (Zalewski) went to jail, but Kaczynski brothers weren't | prosecuted. | | But there's a lot of low level corruption that is exposed, | it's just usually ignored by country-wide media, because | that corruption is local. For one example: | https://samorzad.pap.pl/kategoria/prawo/prawomocny-wyrok- | byl... | KptMarchewa wrote: | I haven't seen any evidence of corruption here - just pure | malice and monopolistic behavior. | ska wrote: | There is corruption everywhere (though obviously not | uniformly distributed). It requires active, dynamic | efforts to counteract. If you don't see _some_ evidence | of successful prosecution, that itself is informative. | pixel8account wrote: | It is also investigated by the Agency of Internal Security and | I really doubt they _don 't_ have huge problems out of this. | This is taken extremely seriously internally. | | There's a ton of evidence to prove what happened and they have | no chance to somehow wiggle out of this. They're trying... by | saying they were hacked. Yeah, the hackers somehow flashed | firmware of trains services by competition, to brick the | trains. GPS coordinates of competition rail segments were | literally hardcoded. | jaymzcampbell wrote: | This brought to mind the AARD "crash" which Microsoft used to | basically destroy competition from DR-DOS back in the day. | | > The AARD code was a segment of code in a beta release of | Microsoft Windows 3.1 that would determine whether Windows was | running on MS-DOS or PC DOS, rather than a competing workalike | such as DR-DOS, and would result in a cryptic error message in | the latter case. This XOR-encrypted, self-modifying, and | deliberately obfuscated machine code used a variety of | undocumented DOS structures and functions to perform its work. | | https://en.wikipedia.org/wiki/AARD_code | | https://www.geoffchappell.com/notes/windows/archive/aard/drd... | | https://news.ycombinator.com/item?id=36042213 | sonicanatidae wrote: | This tracks for Microsoft. The very same company that told | Compaq that if they sold any PCs with OS/2 Warp, they would | never sell another one with Windows. | | Humans are why we can't have nice things. OS/2 Warp was a great | OS. | pmarreck wrote: | all this looks like points for open source. You can't exactly | stop someone from putting an open source OS on their | hardware, and if the train software was open-source, then | this "clawback code" nonsense would have been impossible to | keep secret. | | and you're right, OS/2 Warp WAS a great OS. As soon as it | started losing market viability, it should have gone open | source as a defensive self-preservation tactic. | | When LLaMa was released for free, it basically guaranteed it | would never die a corporate death | Workaccount2 wrote: | Now we just need a a good open source OS made for lifelong | windows/macOS users. Not one made for lifelong linux users. | sonicanatidae wrote: | Sorry, best I can do is a Elementry OS Linux. | goodpoint wrote: | Or not. | pmarreck wrote: | IMHO, Apple should have open-sourced their OS a long time | ago while offering "best" compatibility with their | hardware. They would have expanded both markets | tremendously. | | I'm currently a "NixOS" guy, and it feels like the "last | distro hop" for me. There's a learning curve but it's | kind of like "you get ALL the customization, plus seat | belts in case something screws up". I still like Macs but | I don't really like the direction Apple's taken recently | with regards to locking down macOS hardware and system | software. I'm a fan of things like Asahi Linux but even | that depends on Apple's permission to work | malermeister wrote: | ReactOS is the best we've got. | sonicanatidae wrote: | OS/2 Warp is still used today, albeit in very limited | situations. | | I managed IT at hospitals for a large part of my career. At | one of them, they had a "Lanier transcription cluster". It | was 6 systems. One of them was an OS/2 Warp install that | managed the modem cards. | | It's apparently used to manage hardware, like those modem | cards. Evidently, it does a great job of it. | | I agree with you though. I think that Open Source would | have made it much more of a competitor to Windows, today. | | Then again, throw enough resources at anything and it could | contend...ok.. not TempleOS, but everything else. ;) | ta1243 wrote: | > You can't exactly stop someone from putting an open | source OS on their hardware | | Of course you can. Have secure boot requiring a signed | bootloader. Currently Microsoft are good enough to sign a | linux bootloader so you can run things like ubuntu. | | Doesn't mean that in 73 years you'll have a situation where | OSS is not only illegal, but you could not install one if | you had one, without knowing your computer's root password. | And neither the FBI nor Microsoft Support would tell you | that [0] | | [0] https://www.gnu.org/philosophy/right-to-read.en.html | pmarreck wrote: | Coreboot (which System76 and Framework use): Exists | | Love the GNU mentality though, but you don't need FUD to | promote your ideas. Lots of problems would just disappear | if most things went open-source, and the value | proposition might shift but would still be there. The | most valuable part of code is the people that create, | understand and maintain it; not the code itself. The code | itself is ephemeral. (I hate to admit this. Us coders | love our brain-babies.) | | Note: I own a System76 Thelio Major and have a Framework | laptop on order, so I am not just a non-participating | bystander in my beliefs here | trinsic2 wrote: | I agree. GNU rhetoric does not help their case. Much of | it sounds very confrontational and whinny. | | I am a supporter of free software and open hardware, but | I would never try to forcibly try to convince people with | half-truths. | | BTW I don't think coreboot is really helpful in that it | appears to me is more about controlling hardware access. | ta1243 wrote: | That page was written way before most people had ever | heard of linux, a decade before things like secureboot | became a thing, and way before the most common personal | computing device in the world was a choice of two locked | down devices. | rollcat wrote: | > You can't exactly stop someone from putting an open | source OS on their hardware [...] | | Of course you can. It's a train, not a PC. Its primary | function is to *safely* get me from point A to point B. No | safety certification for the _whole_ thing (including | software), means it doesn 't go on tracks. The freedom of | your fist ends where my nose begins, which means your | freedom to mess up the train's software ends where I step | on board. | | Poland has had its share of railroad catastrophes, and I | very narrowly avoided being a victim - I got late for this | train: <https://www.bbc.com/news/world-europe-17248735>. I | no longer live there - I like trains, but the trains in | Poland are an unmitigated disaster every single time I | visit. | | > [...] and if the train software was open-source, then | this "clawback code" nonsense would have been impossible to | keep secret. | | There's two problems with that: | | 1. Just because it's open source, doesn't mean you get to | load your own modified version (see above); which means the | software that's _actually_ running on the train can | trivially be made different from the sources you were | delivered; | | 2. Just because it's open source, doesn't mean it can't | have a hardware backdoor, or some sort of manufacturer- | installed APT. | | You can't even buy an Intel CPU that doesn't include an | entire separate core, with its own Ethernet controller and | OS - and that is the stuff that's actually documented and | sold as an "enterprise" feature. Imagine an entire train of | nooks and crannies to hide this sort of nonsense. | pmarreck wrote: | Good thing we have open-source hardware out there and | open-source CPU's on deck. And makers like System76 and | Framework that at least use Coreboot. | | Wow re: train near-miss. Glad you're still here with us! | That must have been terrifying to learn. | rjmunro wrote: | > Good thing we have open-source hardware out there and | open-source CPU's on deck. | | Read "Reflections on Trusting Trust" by Ken Thompson. It | describes how even recompiling all the sources isn't | enough. | IcyWindows wrote: | Google has agreements with TV manufacturers that provent | it. | | https://www.techspot.com/news/84374-google-android- | license-r... | greiskul wrote: | We really need to have much stronger anti trust legislation | and enforcement. It is absolutely ridiculous to allow | companies to behave this way. | | And before someone says that "free market is always good and | government is bad", the optimum free market strategy if there | is no government is to hire hitmen to assassinate the | executives of competidor companies. A real competitive free | market will always require the government to prohibit | companies from forming artificial mottes around their | monopolies. | sonicanatidae wrote: | We simply need meaningful penalties that involve jail time | and % fines, on top of the ill gotten gains. The current | model is steal $1 million, get fined $250k, enjoy the | profits. | | Sadly, that'll never happen, because CU made bribery legal | and who's congress going to listen to? The 100s of millions | they allegedly govern or the guy that handed them $25k for | a kitchen remodel. | | Spoiler: It's not the citizens. | denton-scratch wrote: | > Sadly, that'll never happen, because CU made bribery | legal | | Citizens United was a USSC ruling; TFA is about Poland. | | Poland is in the EU; NEWAG seems to be a formerly state- | owned company, that was fully privatized in 2003. | | https://en.wikipedia.org/wiki/Newag | | I'm awfully worried about both Poland and Hungary, and | their place in the EU even though I'm a brit, and now out | of the EU. I think both countries should have had their | EU membership suspended years ago, for corruption; | meddling with judicial appointments; and generally not | allowing free media. I suspect Hungary is much worse, but | for me, a major reason for supporting Brexit was that I | didn't want to be in a political alliance with countries | that didn't comply with international treaties, which the | EU was so reluctant to enforce. | SAI_Peregrinus wrote: | The optimal free market with no government is for | corporations (collections of people) to use violent force | to enforce their goals. A sufficiently powerful corporation | is indistinguishable from a government. | sonicanatidae wrote: | A sufficiently powerful corporation is worse than a | government, because the current government at least | pretends to play by the rules and in a lot of cases, | does. The issue is the rules themselves, which were | crafted by? Corps. | | Corps are entirely different. They push harder and harder | and harder for PROFITS and will inevitably cross lines. | When crossing those lines not only has no meaningful | penalty, but actually turns a profit, after the fines are | subtracted, they will not only continue to do it, but | push even harder. After all, there's no real | consequences, so why worry? | marcosdumay wrote: | Authoritarian governments exist, and are more common than | democratic ones. | | Besides, democratic corporations exist too. They are just | incredibly rare. | xp84 wrote: | > A sufficiently powerful corporation is worse than a | government, because the current government at least | pretends to play by the rules | | The most despotic and scary governments of history would | probably like a word with you. Maintaining a believable | pretense of following any rules is a luxury we take for | granted in many countries today, but Mao and Stalin | didn't worry about the appearance of propriety. | | Not really arguing against your main point though, I | think you're right. Just don't forget how bad | totalitarian governments can be. | sonicanatidae wrote: | You are citing outliers. A majority of the countries in | the world aren't run by people like Stalin, or Pol Pot. | | Yes, in those instances nothing is worse than the | government, but a majority of the world doesn't live in | those places. For most people, it's the tyranny of | corporations that affect our lives in outsized ways. | robertlagrant wrote: | > For most people, it's the tyranny of corporations that | affect our lives in outsized ways. | | No, for most people it's corporations that enable our | current best-in-history lifestyle. The hardest things we | face are scarcities created by government policy. | rootusrootus wrote: | > A sufficiently powerful corporation is | indistinguishable from a government. | | Only if the government is a dictatorship. A sufficiently | powerful corporation will never look like a functional | democracy. | sonicanatidae wrote: | _looks around for an example of a functional democracy_ | CamperBob2 wrote: | How about the one that decided that a New York con man | and money launderer was the right choice for president? | | I'm concerned that democracy as a general concept has a | showstopping bug with no obvious fix. A bug that's always | been there but has recently become fatally easy to | exploit. Essentially, giving stupid people the same | political power as smart people is mandatory in a | democracy, but problematic because the former are much | easier for "smart" minorities on all sides to corral into | blocs. | | The whole system then devolves into a battle for control | over the easily-led, which is equivalent to any other | form of government by minority interests. Regardless of | who is on top at any given time, they aren't there to | represent the interests of the majority. | devbent wrote: | Boards appoint executives, boards are voted in by | shareholders, shareholders are determined by $, the more | money you have the more votes you can buy. | | Companies are, in theory, dysfunctional representative | republics. | mrguyorama wrote: | Having to BUY a vote explicitly removes any consideration | of it being any form of democracy. Democracy requires | suffrage as a right, not a commodity. | logifail wrote: | > Democracy requires suffrage as a right, not a commodity | | There are plenty of "democracies" where suffrage depends | on one having the appropriate citizenship. | | Full disclosure: I have permanent residency - and pay my | taxes - in a country where I'm neither allowed to stand | for election nor allowed to vote... | semiquaver wrote: | Indeed, Democracy originated in an environment where | suffrage was highly limited. | | https://education.nationalgeographic.org/resource/democra | cy-... | JoshTriplett wrote: | > A sufficiently powerful corporation will never look | like a functional democracy. | | True, but neither will a sufficiently powerful | government. | TeMPOraL wrote: | No, if you remove either corporations or governments from | the equation, the remaining thing will morph and split to | recreate this. Corporations aren't fixed in stone - a | sufficiently powerful one may be indistinguishable from a | dictatorship, but it'll also evolve the same way. | lo_zamoyski wrote: | That wouldn't be a free market. It would be some kind of | oligarchic corporatism. Government is necessary to truly | enable free markets. The key to understanding that is to | understand what "free" truly means [0]. It isn't "do what | thou wilt". | | [0] https://news.ycombinator.com/item?id=38537665 | rootusrootus wrote: | > And before someone says that "free market is always good | and government is bad" | | I've never really understood that dichotomy myself. The | free market IS good, that is for sure. But it won't exist | unless the gov't uses its power to create it. Companies | have to be kept small enough that there will always be a | bunch of choices. And that won't happen by itself. | JoshTriplett wrote: | > the optimum free market strategy if there is no | government is to hire hitmen to assassinate the executives | of competidor companies | | There's a huge difference between opposing regulation and | permitting murder. Equating the two is a strawman, given | that there are a large number of people who oppose various | regulations and very few who would want to legalize murder. | sonicanatidae wrote: | I mean.. I'm not up for outright legalizing murder, but | as the world turns, I understand it more and more. Some | people just need a killin. | thegrimmest wrote: | Funny that your optimum free market strategy is murder. A | market where murder is a legitimate strategy is anything | but free. In fact a good litmus test as to the freedom of a | market (or any social structure) is the legitimacy of | murder. | | Comparing murder to antitrust therefore seems to be a | pretty weak argument. Deontological libertarians would view | the use of force required to enforce antitrust as | authoritarian overreach. They would see no moral | justification in the enforcement of arbitrary limitations | on the voluntary transactions of consenting parties. They | would see these as tyrannical. | | This stems from a core disagreement about the nature of | society. Some people see it a as a collective project for | the good of all participants (the sticky points being the | definition of "good", and the non-optionality of | "collective"). Others see it as simply an agreement to | coexist peacefully and cooperate only voluntarily, while | embracing the Darwinian nature of said coexistence. | | Each side is well meaning I'm sure, but I find it hard to | reconcile these two worldviews. | discreteevent wrote: | Coexistence - peaceful - darwinian. A circle that's hard | to square. | thegrimmest wrote: | I don't see why. It's basically what happens in any free | society - we (as individuals, organizations, social | orders) compete over finite resources. Disputes are | resolved via due process. Winners win and losers lose. | The difference between civilized and uncivilized is only | in which actions are available to the players, not in the | nature of the game. | lo_zamoyski wrote: | The problem is that competition for resources is taken as | the essence of markets, which it is not. Competition | exists in markets, sure, but it's not the point of the | market per se. That's psychotic. This is the problem when | decontextualized practicalities become enshrined as | abstracted ideological and moral tenets of the highest | order. According to your view, if I were starving, and | you had a warehouse full of food, then I would be | stealing if I were to break in and take some food to | survive. Theft is always wrong by definition (you cannot | say it is _sometimes_ justified in ad hoc sense while | remaining coherent; if the law just is competition for | resources, full stop, then the starving man is just a | loser, full stop), so I, the starving man, am morally | obligated to accept my death outside the walls of that | warehouse. | | But as I said, this would be an incorrect view of | markets, which occur _within_ societies, to enable the | good. Human beings are social animals, and so our good | depends on society. The common good is also _prior_ to | private property. A scenario where people are starving, | but where there are warehouses full of food, is one that | demonstrates some degree of dysfunction. | thegrimmest wrote: | > _Competition exists in markets, sure, but it 's not the | point of the market per se. That's psychotic._ | | Competition is _the point_ of every ecosystem, insofar as | there is a point. The properties of an ecosystem are | fundamentally emergent wherever living things interact, | in markets or otherwise. | | > _so I, the starving man, am morally obligated to accept | my death outside the walls of that warehouse_ | | Why is this view so foreign? I don't expect you to adopt | it per se, but surely you can see that yours is not the | only perspective. There are many people who would prefer | to commit suicide in dignity rather than live to seem | themselves become a burden on others. There are even | those who would rather die screaming in agony rather than | pry greedily into the pockets of strangers. | | > _enable the good_ | | Ah yes but then the you have to define "the good" which | is notoriously challenging, and also be sufficiently | comfortable in your definition to impose it by force on | others who may disagree. I'm just not sufficiently | comfortable with anyone's definition of "the good", my | own included, to make that leap. | | > _A scenario where people are starving, but where there | are warehouses full of food, is one that demonstrates | some degree of dysfunction_ | | I disagree, this scenario exists all over the natural | world, and is fundamental to all ecosystems. In a | competitive environment (which again, is inevitable), | it's optimal to ruthlessly defend the maximum you are | capable of, rather than the minimum you need to survive. | ablob wrote: | As far as I understand the conditions of a free market are | not met in this case: | | According to the english Wikipedia: * A capitalist free- | market economy is an economic system where prices for goods | and services are set freely by the forces of supply and | demand [...] | | Here one can argue that the available services (i.e. | maintaining a train) are not set freely by the forces of | supply and demand, but by the constructor of the train; at | least to some extend. | | You said that "[a] real competitive free market will always | require the government to prohibit companies from forming | artificial mottes around their monopolies". I partially | agree in this case. A free market that contains competitors | that are able to fully satiate it will always require a | government that hinders it from working towards a | controlled market. By a controlled market I mean monopoles, | oligopoles, cartels, or otherwise controlled | environments(1). So if there's no competitor I can walk to | in case I am unhappy with my trading partner the market | isn't free by definition. I can hardly think of bakeries in | town requiring governmental intervention (unless they form | a cartel, that is). | | Not every market should be free, however. I guess you've | just met too many hard-liners arguing for shady business | practices in the name of the free market. I'd argue that a | shady business will cease to exist in a free market due to | the customers running away. | | PS: Funny enough, I am fully onboard with stronger anti- | trust enforcement (legislation only if that proves to be | insufficient), only that I am doing it as a proponent to | regain market freedom. | | (1) Intentionally left broad as I can't be bothered to come | up with a definition that fits what I have in mind. | trinsic2 wrote: | > We really need to have much stronger anti trust | legislation and enforcement. It is absolutely ridiculous to | allow companies to behave this way. | | You think? I have been wondering the same thing myself for | years and i'm still flabbergasted that people don't treat | this stuff more seriously. | gosub100 wrote: | > We really need to have much stronger anti trust | legislation and enforcement | | The Microsoft disaster you are replying to could just as | easily be blamed on the government in the first place. Why | were they so slow to react? Why couldn't the FTC have seen | that, or been alerted and acted immediately? There is no | legitimate reason, other than the government is a socialist | organization that has no incentive to actually get anything | done. This is why USPS, VA, Amtrak, etc all suck. Throwing | _more government_ at the problem will have the opposite | effect: _less_ will get done! | lo_zamoyski wrote: | > "free market is always good and government is bad" | | This view seems especially American, but it is also a very | liberal view (in the philosophical sense, not the somewhat | weird partisan sense). Liberalism reconceives the common | good, private property, and freedom dramatically. Whereas | traditionally, the state is viewed as _steward_ of the | common good (that is its essential function), and private | property as something instituted _for the sake of the | common good_ , liberalism conceives of private property as | primary and the common good as something grudgingly ceded | from the private good. Freedom is traditionally understood | as the ability to do what one ought (the freedom to be what | you are by nature, that is, a human being), but liberalism | construes it as the ability to do whatever you please. | (It's an odd idea. If I happen to want to gouge my eyes out | and cut my arms off for no reason, doing so does not make | me free. It makes me _less_ free, because now I am less | capable of functioning fully as a human being. I am | confined and prevented from doing all sorts of good things. | Human nature is the yardstick by which freedom is | measured.) | | What does this all mean? Well, it means government becomes | construed as an artificial, even malicious construct that | stands in the way of freedom. Certainly corruption exists, | but this is not a valid argument against government as | such. And besides, without government, something fills the | vacuum. The absence of authority isn't freedom, but | exposure to power _that lacks authority_. | | So, yeah, free markets are good, as long as freedom (and | thus the good) is construed in the traditional, not the | liberal sense. That means that government, properly | understood, is not an obstacle to free markets, but a _sine | qua non_ of truly free markets. | stevage wrote: | No one literally says that. | bitcharmer wrote: | > Humans are why we can't have nice things | | _MBAs_ are why we can 't have nice things | | FTFY | neilv wrote: | Don't attribute to humans, malice that can be adequately | explained by Microsoft. | IcyWindows wrote: | Google forbids competing android TV OS for their hardware | customers. Maybe this happens with every large company? | JAlexoid wrote: | It's not really the same, in this case. | | The AARD crash was an intentional break in compatibility, while | this is more like planned obsoleteness. | | Leaving a train stationary for "too long" would disable it? | Microsoft would have loved to control the platform to that | level :D | thaumasiotes wrote: | > This brought to mind the AARD "crash" which Microsoft used to | basically destroy competition from DR-DOS back in the day. | | Given that, according to the article, the functionality was | never enabled, how did it get used to destroy competition from | DR-DOS? | pseudosavant wrote: | DR-DOS must have already been on the brink if some code in a | 'beta release of Microsoft Windows 3.1' finished them off. | l0b0 wrote: | $280 million settlement for securing global OS domination for a | few years. Pretty cheap. | mistrial9 wrote: | William Gates was The World's Richest Man for what, twenty | years without fail? | InsomniacL wrote: | > "The manufacturer argued that this was because of malpractice | by these workshops" | | Is this intended to say: - The manufacturer | says the locks are caused by malpractice of the 3rd party | workshops | | or - The manufacturer says they lock the trains | because of past malpractice of the 3rd party workshops | | The poster also states | | > "One version of the controller actually contained GPS | coordinates to contain the behaviour to third party workshops." | | This seems oddly specific, there are better ways to determine if | the train has been serviced by the manufacturer or not, such as | using PKI. | | I can imagine a scenario where this isn't for greed of servicing | fees, perhaps the brakes need replacing every x miles and if this | isn't performed the train locks for safety. If the 3rd party | workshops specified thought "there's more life | left in these pads, I'll just reset the counter and make the | train think the pads are new" | | The manufacturer would have significant backlash should the train | then crash and kill people, regardless if the 3rd party workshop | was at fault. | | I'm all for right to repair for most things, however commercial | public transport isn't one of them unless there's some | vetting/accreditation process. | celticninja wrote: | I disagree. The owner should be able to get them repaired | without needing the manufacturer to approve. | Zak wrote: | It's certainly reasonable for governments to require some sort | of licensing or accreditation to work on safety-critical public | infrastructure. It is not reasonable for another service | provider to have the final say over that, especially through | the use of undisclosed software locks. | SahAssar wrote: | Any of those reasons should then have been documented in | public, which the poster said it was not. | p_l wrote: | The workshops were already accredited and vetted, and followed | official documentation that was supposed to cover the | maintenance. | | And the intended meaning of the sentence was that NEWAG implied | that the workshops "did something wrong" and that's why the | train didn't run. | hex4def6 wrote: | I think you're putting very little weight into the ability of | government organizations like the NTSB or equivalent to | determine root cause of a crash. Just think of the situation | with aircraft crashes. They have to deal with something that | smeared into the ground at 400 miles an hour. And they're often | still able to root cause with a high degree of confidence. I | have a feeling train crashes are trivial in comparison to root | cause (with rare exception). | | You either require (and train) your NTSB to be able to | independently diagnose accidents (in which case they would be | able to tell who fudged the records about the fake brake | overhaul) or you rely on the manufacturer for the diagnosis. | Which to me is a concerning conflict of interest, since they | will invariably want to shift the blame to the operator of the | vehicle. I'm sure they could in the most honest case, point to | excursions outside of recommended operating conditions during | the life of the train and say "see? Your operator has been | consistently taking this turn ed 10 mph faster than recommended | by the manufacturer. Warranty void".. worst case they fudge the | records and you have no competent independent examiner to | dispute that. | Symbiote wrote: | I think your point is fine, but I don't think we should say a | root cause analysis of a rail accident is "trivial". | | For example, the most recent serious report from the UK has | 113 pages, and detail on technical (friction, braking etc) | and organizational issues just like an aircraft accident | report: | | https://www.gov.uk/government/news/report-122023-collision-b. | .. | JAlexoid wrote: | > I'm all for right to repair for most things, however | commercial public transport isn't one of them unless there's | some vetting/accreditation process. | | That is where you literally have a contract written up, stating | this. In some cases that contract is ratified by the parliament | (making it effectively the law) | wafflemaker wrote: | How can somebody even attempt to find faults like these without | being a magician? Are people reading tons of assembly code in the | process? | shadowgovt wrote: | On an open source architecture, many eyes hypothetically leave | few places for malicious action to hide. This is not always | 100% foolproof, but it seems to work out pretty well most of | the time. | | On a closed source architecture, this sort of thing is | generally safeguarded by contract and law. Company can get away | with it once, but if the law and contracts were properly | crafted there will be fines and jail time that discourages them | from doing it again. | bombcar wrote: | Reading decompiled (reverse-engineered) code is not as insanely | hard as it sounds. You can usually find functions, and then | it's a matter of finding _what_ a function does. | | If you can somehow attach a debugger or get breakpoints, it's | even easier. | TomaszZielinski wrote: | The world is such a small place--I open HN and read a movie-grade | story about trains that I took many times. In fact, it's even | possible I was going by one of those grounded trains.. | | In any case, either there was no code review, or the reviewers | accepted that for one reason or another. Not sure which case is | more scary.. | jrochkind1 wrote: | Code review by a _third party_? Does that usually happen? | | It's clear this was intended by the manufacturer of the trains, | who directed the writing of the code, it's not like a hacker | put this in without their manager knowing, right? | | What kind of code review are you thinking of by whom? | | [Wait, reading other comments, I'm thinking HN switched the | article at the top, and some of these comments were written | when the article at the top had much less information? That may | explain why these comments are so confusing!] | TomaszZielinski wrote: | I have no idea how software for trains is (or should be) | created. | | So I meant a regular code review you would do for anything | else. | | I can see two scenarios at play: | | 1. either it's "free for all" and someone (anyone?) can put | arbitrary shady stuff in the code | | 2. or there's a process for adding shady stuff to the | codebase (some "stakeholder" creates a ticket, someone | creates a PR, and the it's reviewed, etc.) | jrochkind1 wrote: | OK, I think someone's manager _told_ them to add this to | the codebase. After the manager's boss told _them_ to make | it so. And then it maybe got code reviewed, sure, and the | code reviewer confirmed that it was bug-free and did what | was intended. It is doing what the manufacturer wanted it | to do. | | I'm wondering if you read the same posts at the top, or if | maybe HN has switched the link since you read it and | commented? Or if you just reached different conclusions! | | My conclusion was that it doesn't appear there is any | reason to think this was a "rogue" employee. What | motivation would they have to do this? The motivation | belonged to the train company that made the trains and | owned the the software, the company did it on purpose to | try and make other repair facilities look bad and make | their train repair facilities look like a better value. | | I'm surprised that you seem to be considering that, maybe, | like a programmer just put this in there without being told | to. For fun? Just out of their own individual motivation to | secretly help the company's profits? | TeMPOraL wrote: | > _I 'm surprised that you seem to be considering that, | maybe, like a programmer just put this in there without | being told to. For fun? Just out of their own individual | motivation to secretly help the company's profits?_ | | Considering this isn't a some random webshit SaaS, but a | piece of critical national infrastructure, such a rogue | programmer would - in my books - be committing _treason_. | | (Keep in mind that functioning rail system is of military | importance, and _there 's a literal war being fought just | over our eastern border_.) | TomaszZielinski wrote: | Ah OK! No, the top link seems to be the same as before. | | My Scenario 1. wasn't about some rogue employee, only | about unstructured development process, possibly even | with no version control. | | So there's this one developer that adds the shady code, | asked by a higher-up, but other developers don't even | know about it if they don't look into those files. And so | no-one has a chance to analyze if it's safe to add the | code. | | Or maybe there's version control, but anyone can commit | to `develop`. And so you see a weird commit from someone | else, but that's it. | | The only _maybe_ non-criminal but still very shady and | unethical way to do it that I can quickly come up with, | is if there was a formal process for adding those "hacks" | would be to implement it as any other feature, perform a | full safety analysis, etc., just as I can imagine it's | done for regular stuff. | | But then I cannot really imagine how I would answer the | question about deliberately messing with train | subsystems, in a train that could be running >100km/h, | full of passengers... | lutorm wrote: | In aerospace it definitely does happen. For example, NASA, as | a customer, has the right to independently review flight | software implemented by contractors. | tester756 wrote: | Holy shit those aren't some random ass hackers | | They are members of top CTF team of last decade - Dragon Sector | | Also, the story is wild as fuck! | faeriechangling wrote: | So these manufacturers literally ransomed Poland by crippling | critical infrastructure? | | This is an incredibly brazen crime and I'm not so confident they | will get away with it. | p_l wrote: | Manufacturer, not repair workshops - the repair workshops just | won the bid and vendor decided to retaliate. | mistrial9 wrote: | any bridges in Philly available for comparison? | brohee wrote: | Newag stock price falling quite a bit after the post, is that the | first Mastodon induced price correction? | | https://g.co/kgs/WVku4C | Sayrus wrote: | They are still at +10% over 1 month and +25% over 3 months. | freedude wrote: | This answers the question, How can I define corporate level | malicious protectionism? | cryptonector wrote: | Well, it gives you an example, not quite a definition. | hnthrowaway0315 wrote: | I think the way to fix this is to make sure manufacturers follow | certain standards so that the products can be serviced by anyone | who holds certificates in those standards. | | This is mostly to break the liability/insurance barrier. | TeMPOraL wrote: | That's approximately what the EU forced to happen - third party | repair shops were approved and allowed access to the service | documentation. But that means nothing when the manufacturer | decides to sabotage the trains in firmware _and_ even install | an Internet-connected hardware backdoor. | CKMo wrote: | Ugh, please do not give car manufacturers any ideas! | | ...or Boeing. | crazygringo wrote: | Generally I'm not part of the crowd that wants to send CEO's and | management to jail for what are ultimately just bad business | decisions. | | But _this_ should absolutely result in jail time. This is | literally no different from if the managers of the company | physically snuck into trainyards and snipped wires and removed | valves or whatever. | | It's literally just sabotage. It's a crime that should result in | _years_ of jail time for everyone in management who participated | in this decision. | TeMPOraL wrote: | Yup. And this isn't sabotaging some random webshit SaaS. This | is sabotaging critical national infrastructure - infrastructure | that's of military relevance, and need I remind anyone, there's | a hot war being waged over our eastern border right now. | | I feel a good enough prosecutor could pin charges of _treason_ | here. | gruez wrote: | As much as I like to rake the executives over the coal for | this, I'm disturbed by the trend of calling anything vaguely | against the national interest as "treason". Nowadays if I | hear someone is accused of treason absent any context, it | could mean anywhere between "knowingly selling nukes to iran" | to "lobbied for/against a policy that the accuser thinks is | bad". In this case they're arguably scamming the government | out of money, but that can hardly be compared to the crime | knowingly aiding a known adversary. | cangeroo wrote: | People are tired and demand better. It's a spectrum for | sure, but crossing the line is crossing the line. | inetknght wrote: | > _In this case they 're arguably scamming the government | out of money, but that can hardly be compared to the crime | knowingly aiding a known adversary._ | | If you're crippling infrastructure then you are inherently | then you're most certainly aiding adversaries. You cannot | fight an adversary if you cannot get goods moved. | | If you're scamming the government out of money then you are | inherently aiding adversaries. You cannot fight an | adversary if you are penniless. | | It sounds very comparable to me. | garaetjjte wrote: | It's passenger train. No more "critical national | infrastructure" than city bus. | TeMPOraL wrote: | It's some two dozen passenger trains. | bboozzoo wrote: | It's not like you couldn't transport troops on a passenger | train, so I'd say may they never see the light of day again | -\\_(tsu)_/-. In reality though, I doubt this will result | in any serious repercussions for whoever called the shots. | TulliusCicero wrote: | > Generally I'm not part of the crowd that wants to send CEO's | and management to jail for what are ultimately just bad | business decisions. | | This attitude is rare. Much more common is wanting to send them | to jail for deliberately breaking the law -- or presiding over | widespread flouting of the law by other management. E.g. The | Wells Fargo cross selling scandal created literally millions of | fraudulent accounts, and nobody went to jail. | gruez wrote: | >or presiding over widespread flouting of the law by other | management. E.g. The Wells Fargo cross selling scandal | created literally millions of fraudulent accounts, and nobody | went to jail. | | "presiding over widespread flouting of the law" isn't a crime | though, and it's difficult to make that a crime without | running into due process issues (eg. | https://en.wikipedia.org/wiki/Mens_rea) | pixel8account wrote: | There are update logs of the train software. Because of them it | is known that workers of the company literally snuck into | waiting trains and updated the software _without the owners | knowing_. So really, but far from that. | praptak wrote: | I wonder who coded the malware clauses and who knew about them. | Didn't anyone think of whistleblowing? | | Btw, here's the page with anonymous opinions about the company | from (unvetted) employees | https://www.gowork.pl/opinie_czytaj,19587 | | They seem to have a pretty toxic work environment. | dark-star wrote: | In this case, they probably got the trains cheaper by agreeing to | have them services only at official service stations. | | Still a shady practice but not worse than having expiring license | keys for unlocking features or similar things | sundvor wrote: | Oh you want _brakes_ with that? Sorry you forgot to renew your | license. | p_l wrote: | Nope, there was separate tender for just trains, and for the | servicing. NEWAG (manufacturer) won the train contract, but | lost the servicing contract tender. | | Under current rules they had to provide as part of the first | contract complete documentation for servicing that any | legitimate (vetted & certified) 3rd party company could then | use. By servicing I mean literally taking the train apart and | handling individual assemblies to original manufacturers at | times. | | So it is very shady, unethical, and illegal. | jakub_g wrote: | Buried in the comments are links to longer write-ups with | additional details: | | Polish: | | https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhak... | | https://wiadomosci.onet.pl/kraj/awarie-pociagow-newagu-haker... | | English: | | https://zaufanatrzeciastrona-pl.translate.goog/post/o-trzech... | | https://wiadomosci-onet-pl.translate.goog/kraj/awarie-pociag... | | For context: Poland is split into 16 voivodships, and after a | reform from early 2000s, pretty much each of them has its own | local railway company (which cooperate). | | Basically "everyone knew" for over a year something was fishy | with Newag trains, after a series of faults in trains owned by | different companies which used a 3rd-party service company | instead of servicing with Newag, so the service company hired the | hacker guys, it took a while for the folks to reverse engineer | things and understand what's precisely going on. | RicoElectrico wrote: | It's quite unfortunate as Newag trains are rather higher quality | than Pesa (other Polish manufacturer). I suppose so reliable, | they needed to generate artificial faults :D ___________________________________________________________________ (page generated 2023-12-05 23:00 UTC)