[HN Gopher] Polish trains lock up when serviced in third-party w...
___________________________________________________________________
Polish trains lock up when serviced in third-party workshops
Author : miki123211
Score : 770 points
Date : 2023-12-05 14:10 UTC (8 hours ago)
(HTM) web link (social.hackerspace.pl)
(TXT) w3m dump (social.hackerspace.pl)
| kozak wrote:
| This is probably perfect for some EU anti-monopoly lawsuit, am I
| right?
| izacus wrote:
| This should be a standard consumer protection law (right to
| repair), not a monopoly thing :/
| joshuaissac wrote:
| EU consumer protection laws generally do not apply to B2B
| contracts (although member states can gold-plate them to
| extend their scope).
| izacus wrote:
| Sure, but that just means it needs to be adjusted to cover
| outright sabotage after sale like this.
| Sosh101 wrote:
| More like highly criminal behaviour like fraud and extortion.
| plagiarist wrote:
| I don't see how it isn't literal fraud if the behavior
| isn't documented in the purchasing contracts.
| Glyptodon wrote:
| It seems like some mix of vandalism and fraud too.
| mardifoufs wrote:
| Seems like the trains were manufactured by a European
| corporation so probably not lol.
| sofixa wrote:
| Do you think European regulations don't apply to European
| companies? They do, it just gets less publicity when e.g.
| Criteo get fined for abusive tracking than when Google do.
| mardifoufs wrote:
| They do, just less so. It's harder to poke around big
| industrial players of member states.
| faeriechangling wrote:
| Size might let you escape with a slap on the wrist but
| it's hard to imagine Poland doesn't get its pound of
| flesh over this.
| artursapek wrote:
| Someone's definitely going to jail for this. I can't even think
| of what the defense's argument could be.
| actionfromafar wrote:
| Maybe "I am friends with the Law and Justice party"?
| TeMPOraL wrote:
| Most people in Poland don't even understand how rail has
| been privatized and shattered into half a million
| companies. To a regular person, if it's a train, it's "PKP"
| (Polish National Railways) - therefore something the
| government is responsible for.
|
| I don't think Law and Justice will be happy about some corp
| screwing with infrastructure and having the voters blame
| the government for it.
| actionfromafar wrote:
| I hope you are right. I'm maybe too cynical, thinking
| something along the tune of:
|
| _" If only more of OUR judges were in place, you
| wouldn't see such corruption, dear people."_
| TeMPOraL wrote:
| Why not both? What better way to underline the point than
| pressuring to make an example out of Newag?
|
| EDIT:
|
| PiS has been at the core of political turmoil for the
| past decade or more, but rail transportation has been an
| issue for much longer. It's _legendary_ at this point, it
| transcends politics, and portals you straight into the
| 1990s. So I feel it would be in the self-interest of
| everyone in the government to throw the book at Newag
| right now.
| actionfromafar wrote:
| This is true! It would depend on if there actually was a
| corruption link worthy of protection. I.e., bluster _and_
| results, or _only_ bluster.
|
| Edit:
|
| I didn't know the train situation had been bad so
| consistently long! My sympathies to railgoers. It
| definitely sounds like all politicians could score by
| getting Newag some well deserved justice.
| Freak_NL wrote:
| After the recent elections that might not be the safest
| thing to say if you wanted to _avoid_ litigation. PiS didn
| 't do so well and lost their majority and is likely to end
| up in the opposition.
| throwaw33333434 wrote:
| If I understand correctly apart from hardcoded `ifs` there was
| a backdoor as well.
|
| Russian agencies could use it to slow down transit of military
| aid to Ukraine.
|
| In my book you could argue a criminal case.
| tormeh wrote:
| It's not a monopoly, so no. Would make just as much sense to
| ask for a DMCA takedown of the trains.
| namaria wrote:
| Do you think anti monopoly legislation only applies when some
| company controls some market outright?
| throwaway092323 wrote:
| Help us, European Union. You're our only hope.
| faeriechangling wrote:
| I would reach for other laws like sabotage and extortion and
| something that probably exists specifically for the protection
| of public infrastructure and charge them criminally and raid
| the offices and take out the executives in cuffs.
|
| They screwed with the rich and powerful here why not throw the
| book at them?
| garyfirestorm wrote:
| i think the remote lock makes it a backdoor and probably
| criminal?
| plagiarist wrote:
| I think hacking laws only apply when a pleb causes a
| corporation device to behave other to the corporation's
| desires. The reverse is just business.
| radres wrote:
| Depends on country's laws and contracts between parties. If
| the contract does not mandate service by the manufacturer,
| only suggests it, this sounds illegal. Not because of
| hacking, because of not documenting behavior and disturbing
| state entity hence the people.
| plagiarist wrote:
| Oh, yes. I agree that this sounds like actual fraud if it
| is undocumented. I disagree that disabling the machines
| would count as "hacking."
|
| I am cynical about the latter because I personally would
| like this sort of malicious shit to qualify as hacking. I'd
| also like the telemetry and recording in all modern cars to
| be considered hacking.
| hedora wrote:
| One practical solution is to make certain clauses
| unenforceable in end user license agreements and all non-
| negotiated contracts.
|
| For starters clauses allowing the vendor to upload any
| user specific data (anonymized or not) and prohibitions
| against specific uses of the software would be
| unenforceable.
|
| The former ensures privacy, and the latter would make the
| behavior of the train manufacturer illegal (in the US),
| since it'd fall under the CFAA:
|
| https://en.m.wikipedia.org/wiki/Computer_Fraud_and_Abuse_
| Act
|
| (Sections a.5 and a.7 in the section "Criminal offenses
| under the Act")
| p_l wrote:
| Various contract provisions are illegal in Poland as
| well, for example a contract can't prevent you from
| disassembling and reverse engineering any software or
| hardware, including building a compatible device so long
| as you do not literally copy the results over.
|
| In this case, NEWAG violated contract, because they did
| _NOT_ win the bid to do servicing, and didn 't write
| anything down about being the only party able to service
| the machines.
| himinlomax wrote:
| If the contract mandated it, then the manufacturer could
| simply have filed a lawsuit. The fact that they didn't and
| did something in secret instead shows otherwise.
| masswerk wrote:
| Only, if you can provide a proof for the train not being a
| printer or that it cant be used as such. /s
| dheera wrote:
| Who are these hackers and how did they get their hands on a
| train, among all things?
| wielebny wrote:
| Here a comprehensive write-up in Polish in a somewhat
| sensationalized - but rightly so - tone:
| https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhak...
| HeWhoLurksLate wrote:
| https://translate.google.com/?sl=auto&tl=en&text=https%3A%2F.
| ..
|
| for those of you who like me can't quite understand literally
| anything otherwise
| meithecatte wrote:
| As explained by the linked article in Polish, the workshop
| reached out to them and asked of they could figure out why the
| train isn't working.
| mciancia wrote:
| tldr hackers are from DragonSector (one of the top CTF teams) -
| https://dragonsector.pl/
|
| They were contacted by workshop which was doing maintenance of
| those trains and had no idea why they stopped working
| jseutter wrote:
| The truth is almost stranger than fiction. They are members of
| a group called Dragon Sector and were brought in by the train
| operator after 6 of their 12 largest trains became unresponsive
| after having inspections done at a rail yard owned by not-the-
| manufacturer of the trains. The manufacturer said the trains
| became unresponsive because of malpractice at the train repair
| shop and mentioned some condition that didn't appear to be in
| the maintenance manual. The train operator made contact with
| Dragon Sector and asked for their help.
|
| It's a wild read:
| https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhak...
|
| It appears to be malicious code included by the manufacturer to
| prevent third party repair that at one point included
| geolocation for triggering. Given that the train operator had
| to reduce train schedules for this which impacted service and
| income, it might end up as evidence in a lawsuit against the
| manufacturer at some point.
| vidarh wrote:
| I would love to know if the checks were as brazen as
| presented in that post, or if the coordinate checks were
| obfuscated in some way. It sounds like they just assumed the
| operator would fold long before even getting at the code and
| couldn't even be bothered trying to make it look accidental.
| q3k wrote:
| The main obfuscation was the way IEC 61131-3 constructs get
| first compiled to C and then to assembly.
|
| There's a lot of indirection and zero strings in the
| resulting code, meaning it's very difficult to actually
| find whatever logic you're looking for. But once you see
| it, it is obvious and seems like it was built like any
| other logic.
| vidarh wrote:
| That's amazing. If I was going to pull a stunt like this,
| I'd like to think I'd find some way of trying to make it
| look like a bug.
|
| Must be very satisfying to find something like this.
|
| I guess this is going to provide plenty of billable hours
| for lawyers at this point...
| Pet_Ant wrote:
| Well the error message claims that they are infringing
| copyright. It very well could be that they are within their
| rights if the initial license/contract stipulated that they
| would only service the trains in their authorised locations.
| This _should_ be illegal, but very well might be.
| planede wrote:
| How would copyright be in-scope at all? At worst this
| infringes EULA.
| xeeeeeeeeeeenu wrote:
| Excerpt from an Onet article[1] about this:
|
| >Until a few years ago, rolling stock manufacturers such as
| Newag from Nowy Sacz and PESA from Bydgoszcz were able to
| dominate the maintenance market. It was mainly them who
| entered tenders for compulsory maintenance of their
| vehicles, because other companies knew they were at a
| disadvantage. At the time, the dominant narrative of the
| manufacturers was that the "Maintenance System
| Documentation," a kind of manual for a given vehicle, was
| the manufacturer's secret, its intellectual property, and
| under no circumstances could this be passed on to other
| service companies. This led to a situation in which
| railroad companies across the country were forced to use
| the manufacturer's expensive service. And the latter,
| having a monopoly on repairing its trains, dictated
| outlandish prices, even tens of percent higher than another
| company would have given, the rail safety expert points
| out.
|
| >Our source adds that later, thanks to the European Union
| Agency for Railways, the interpretation of regulations
| changed, allowing other companies access to service trains.
| This led to the opening of the market to other companies in
| the industry.
|
| [1] - https://wiadomosci.onet.pl/kraj/awarie-pociagow-
| newagu-haker...
| fargle wrote:
| translated. very interesting:
|
| https://zaufanatrzeciastrona-
| pl.translate.goog/post/o-trzech...
| p_l wrote:
| They didn't win the contract for servicing, and the law
| required opening up service in the first place.
| plagiarist wrote:
| > if the day is greater than or equal to 21st and
|
| > if the month is greater than or equal to 11 and
|
| > if the year is greater than or equal to 2021
|
| > then report a compressor failure.
|
| > [...] It was probably the software author's inability to
| construct IFs that made it necessary to wait until November
| 21, 2022 for the planned failure.
|
| Oops!
| sdflhasjd wrote:
| And it magically starts working again on the 1st December.
| TeMPOraL wrote:
| And then breaks again just in time to catch Christmas
| travelers by surprise.
| ysofunny wrote:
| The most poetic part is how the train maker are merely
| looking out for their own profit margins.....
|
| Economic theory(?) would suggest that if they don't do this,
| their competition eats their lunch and drives them out of
| business.
|
| heck, Volkswagen did something much shadier to get their
| vehicle's emissions to comply
| cryptonector wrote:
| This is much shadier than what VW did. VW was working
| around unrealistic emissions standards -- illegal, sure,
| but they didn't cause big ticket items to stop working. The
| train manufacturer here appears to have done something much
| worse.
| Crosseye_Jack wrote:
| You wouldn't download a train, would you?
| flutas wrote:
| I've honestly wondered for a while how many devices (from phones
| to cars) have features like this that haven't been documented
| yet.
|
| Also how many engineers have worked on features like this without
| whistle-blowing over behavior like this.
| hedora wrote:
| I can't change the 12V lead acid battery in my EV without using
| a reverse engineered OBD-II dongle. If you don't use the dongle
| to reset the charge circuit, it fries the new battery in about
| a month.
|
| Here are incorrect directions explaining how to do it:
|
| https://www.mybmwi3.com/forum/viewtopic.php?t=17838
|
| Step 14 requires the magic dongle.
|
| Note that they are not disconnecting the main battery, so they
| are risking electrocution from the >> 100V DC batteries.
|
| There are some comments about not letting the old battery get
| into a low voltage state.
|
| That's tricking the charger into not overcharging the new
| battery to death.
| spuz wrote:
| What is the story here exactly? Is there an official way to
| replace the battery that doesn't require a dongle? What does
| the dongle do exactly? Why does a new battery get drained if
| you don't follow this process carefully?
| hedora wrote:
| The charger learns how worn the old battery is, and
| overvolts old ones to get a bit more useful life out of
| them. When you disconnect and reconnect the battery it
| doesn't reset the training algorithm, so it overvolts the
| new battery, reducing its lifespan to roughly 30 days.
|
| There's no official way to reset the charge algorithm
| without a dealer-only dongle, so you take it to the
| dealership to replace the battery (~$400 labor, $100
| parts).
|
| They could solve the problem by adding a "register 12V
| battery" option to the service menu, or by having it prompt
| the next time you start the car after 12V power is
| interrupted.
| spuz wrote:
| That makes sense. Manufacturers keep proving to us they
| don't value making maintainable products so it seems
| obvious they need to be forced to do that one way or
| another.
| physhster wrote:
| Registering batteries has been a thing for BMWs for at least
| a decade. The dance around keeping windows open etc is a
| little more annoying, but nothing out of the ordinary.
| me_me_me wrote:
| another reason not to buy BMW added to the list
| rootusrootus wrote:
| > I can't change the 12V lead acid battery in my EV
|
| Aside from that not having anything to do with it being an
| EV, it's worth mentioning that many newer EVs (most of the
| ones sold, perhaps) use a lithium 12V battery now, not lead
| acid. So in general they ought to last longer anyway. Plus
| Tesla, at least, doesn't 'register' batteries the way BMW
| does.
| delfinom wrote:
| This is actually not specific to the EVs but something all
| German car brands started doing. They made their
| alternators/chargers of the 12V battery overtly complicated
| and you have to use a dongle to tell the car you replaced the
| battery and with what kind of battery.
|
| My friend once replaced her battery, exact same one in a BMW
| X3. The car immediately went into a limp mode and would
| refuse to go faster than 5mph until we connected a dongle and
| told it that the battery was replaced with the exact model
| that was already in there.
|
| There's an argument they did it for "battery lifespan
| optimization" which there is a semblance of truth, because
| there are different kinds of lead acids. The reality is they
| found a new way to force the majority of people into
| dealerships.
| ysofunny wrote:
| .... just imagine how many instructions you can hide in a
| 64-bit address space (I'm thinking of you _intel_ hacker magic)
| Bermion wrote:
| How many similar practices actually get discovered? In a way this
| is the "right" thing to do in a capitalist society. We are
| incentivising this behaviour by making it profitable. An honest
| company cannot compete with a company doing this, unless very
| rigorous regulations and enforcement of them. This gets harder
| and harder as tech gets more opaque. Adding more regulation,
| auditing, hoping that _all_ entrepreneurs are honest, are
| crutches trying to patch a fundamentally broken economical
| system.
|
| If capitalism were a software, we would call practices like this
| code smell. We can try patching it up with some specific
| legislation and (costly) enforcement by e.g. code auditing in
| this case. But the real issue is that our economy is not
| optimizing for global (national) utility, it is optimizing for
| profits of individual business owners.
| mannykannot wrote:
| The fact that an entity can sometimes benefit from deceit has
| nothing to do with capitalism, specifically, and capitalism is
| not the simple proposition that profit justifies anything, even
| if some people sometimes suggest that it is, in order to
| advance their agenda - in a rather deceitful manner, I might
| add!
| augustulus wrote:
| do you have a counter-argument? because what I'm reading here
| is "you're wrong and lying or lied to because of an 'agenda'"
| and that's it
|
| what do you think GP or someone who has lied to GP really
| thinks?
|
| why are they lying?
|
| what's their agenda?
|
| do you agree that we (in the West) currently broadly live
| under Friedman's version of capitalism, and, if so, do you
| agree that it broadly follows the mantra of
| "profit/shareholder value above all else"?
|
| if you don't think we live under that system, what system do
| you think we live under, and what differs it from the mantra
| of "profit/shareholder value above all else"?
| mannykannot wrote:
| You have presented a preposterous and completely
| unjustifiable reading of what I actually wrote, and then
| demand me to justify it? That's not going to happen, of
| course.
| augustulus wrote:
| you don't have to justify your assertions to me or anyone
| else, but make sure you can justify them to yourself.
| have a think about what you said and see how deeply you
| can support it. you don't have to reply. you don't even
| have to bluster and make accusations. just try and think
| about it slowly and unemotionally in your own head.
|
| what agenda were you referring to?
|
| who is being deceitful?
|
| what are they trying to hide?
|
| what were the primary tenets of Friedman's capitalist
| philosophy?
|
| don't answer to me, just make sure you have solid answers
| for yourself
| mannykannot wrote:
| I don't have to justify them to myself or anyone else,
| because they are figments of your imagination that have
| no basis in anything at all. In all the articles and
| comments I have written anywhere, I have never before
| received any response so unhinged from what I actually
| wrote.
| fnimick wrote:
| The pressure to benefit from deceit because outperforming
| competition is the only way to stay alive is unique to
| capitalism, though.
|
| "capitalism is not the simple proposition that profit
| justifies anything" - of course, but it naturally leads to an
| environment where profit justifies anything. No business
| leaders avoid money-making immoral behavior unless it is
| overall unprofitable due to market conditions (a specific
| well-informed customer base, for example) or regulation.
| augustulus wrote:
| this is all true, but what is the better system? Communism has
| its merits, but it's extremely reliant on competent, benevolent
| leadership and struggles to be economically viable in an
| American-dominated world.
|
| I think that a Keynesian, well-unionised economy with strong
| regulation _is_ the solution. I'm sure they exist, but I
| struggle to think of many examples in history of over-
| regulation leading to a fault, but I can think of many, many
| examples of under-regulation managing it, and yet largely due
| to the capitalist-controlled media, over-regulation is the more
| feared of the two. This isn't to say that over-regulation isn't
| possible, of course it is, but I don't think it is in tech.
|
| To go on a tangent, I personally don't believe in the
| untrammelled progress of tech. I can understand why people are
| so vehemently against that idea, of course it's frustrating to
| restrict human ingenuity, and there's a lot of money to be
| made, but tech is quantifiably making people's lives worse.
| Smartphones are a fucking travesty. IQ scores are down
| something like 10% from the 90s. The internet isn't great, but
| at least when you had to be at home logged into a desktop there
| was some friction. Now an entire generation is plugged into it
| permanently. An entire generation that doesn't really read
| books, rarely thinks alone and in many ways hasn't had to learn
| organisational or navigational skills.
|
| AI doesn't look like it's going to make any of this much
| better. Even if we don't achieve AGI, which I hope, neural
| networks are only going to get better and better, the best and
| most powerful ones in the hands of the richest people, who will
| simply use them to worsen inequality even more.
|
| What else is next? Neuralink? Human genetic engineering? You
| would hope regulation would stand up to them, especially
| aesthetic genetic engineering, but who knows?
|
| What we need is a nice big solar flare EMP. Something like the
| Carrington event
| fnimick wrote:
| What's next is AI operated lethal weapons. You best believe
| all the elites are racing for those as fast as they can. As
| soon as those are a reality, all revolution against economic
| inequality becomes impossible.
|
| The U.S. army wouldn't fire on civilian protestors,
| regardless of what a general ordered. An AI army would have
| no such restrictions or be vulnerable to appeals to morality
| and ethics.
| AnimalMuppet wrote:
| > What's next is AI operated lethal weapons. You best
| believe all the elites are racing for those as fast as they
| can. As soon as those are a reality, all revolution against
| economic inequality becomes impossible.
|
| Except for revolution by the AIs. AIs may not like selfish
| rich jerks any better than biological intelligences do.
| Roark66 wrote:
| >The U.S. army wouldn't fire on civilian protestors,
| regardless of what a general ordered.
|
| World doesn't work like this. You'd think human sanity
| would prevail if given an order like that as some sort of
| built it "safety", but people who want to give orders like
| this can do it in a way that ensures they are complied
| with. Imagine the soldiers are told there are people with
| hidden guns in the crowd. Then you get few snipers to take
| out few soldiers from the crowd's direction and vice versa.
| The crowd starts shooting back as well as the soldiers.
|
| Do you think this scenario is far fetched? That's exactly
| what happened during the EuroMaidan protests in Ukraine
| some years ago except instead of soldiers there was police.
| https://www.researchgate.net/publication/266855828_The_Snip
| e...
|
| People are fully capable of killing each other with no help
| from AI.
| vidarh wrote:
| For B2B contracts of this kind of size a solution is to insist
| on clauses with _very_ steep damages in the event of evidence
| of specific measures to prevent third party service or similar,
| coupled with never again dealing with a manufacturer like this.
|
| The bigger problem is when manufacturers pull stunts like this
| on customers who can't afford and/or don't have sufficient
| financial incentive to figure out the underlying problem.
| Bermion wrote:
| Steep damages is in many cases not enough because the
| likelihood of being found out is so low. The damages then
| have to be extremely steep for this behavior to not be
| incentivised. Basically to bring the expectation value
| negative, the damages has to be larger than the profit gain
| by this behavior, divided by the probability to be caught.
| Often this will be more than the value of the company, and
| then the damages do not matter as they simply bankrupt. In
| that case, the rational business practice is to go for it and
| hope to not get caught. Any other behavior will eventually
| lead to bankruptcy in a competetive market.
| vidarh wrote:
| Which is why it's only really helpful for B2B contracts
| where there's reasonable power parity to the point where
| you can realistically 1) refuse to sign a contract unless
| the damages are significant enough, 2) any resistance to
| doing so is a strong signal they're up to no good, and 3)
| you as the buyer can actually afford to do what the
| operator did in this case and put significant effort into
| identifying the cause.
|
| I don't think there are many actual cases of manufacturers
| pulling this without ensuring it's covered in their
| contract, because being caught out even once will trigger a
| lot of 1,2 _and_ 3 from future buyers if they still
| consider you an option at all.
|
| And remember in this case the maximum potential gain is
| only maintenance contracts from that subset of operators
| that opt to have other companies do the service.
| atticora wrote:
| It would be so easy to get away with this kind of extortion at my
| work. Nobody reads my code that carefully, or cares if I don't
| get it reviewed and just merge it. Only one other person could
| understand it if he tried, and he has no interest or involvement
| in it. It could easily look like just a bit of incompetence on my
| part that requires some additional consulting from me after I
| have moved on.
|
| That's not how I roll ... or sleep well, so my employer is in no
| danger from me. But there are many short-term devs who come
| through here, and I don't have the time to police them in detail.
|
| But conceivably an LLM could do it. It could be just another step
| in a build pipeline. But, when LLMs can do this well, they can
| also write most of the code going into the pipeline.
| justinclift wrote:
| > But conceivably an LLM could do it.
|
| It'd be kind of funny if an LLM did that "unintentionally", and
| wasn't able to unlock the code it wrote... ;)
| ceejayoz wrote:
| This doesn't sound like the sort of thing some rogue developer
| secretly slips into the codebase.
| fnimick wrote:
| Exactly. This is a company initiative to increase company
| profits. It's smart business, as long as it's not illegal or
| the fine is insufficiently high.
| Flammy wrote:
| Yup that is how I read it as well. Product decision.
| nerdbert wrote:
| Is it smart business though? Once disclosed it provides
| future purchasers with a strong reason to avoid your
| products. Who wants to spend millions on trainsets that
| could become unserviceable in the event that the seller
| goes out of business or makes some mistake in authorizing
| service centres or gets into a dispute with us over another
| matter?
| fnimick wrote:
| It can be smart business if the probability of it being
| disclosed is low enough. Using fake numbers as an
| example, if you can make an extra $1 million on repairs
| and will suffer $100 million in fines / lost business if
| it becomes known, as long as the probability of it
| becoming known is less than 1%, it's a net positive
| expected value.
| serf wrote:
| it's just tight-rope walking at that point. If your
| company has sufficient leverage within the market they
| can get away with murder.
|
| see: John Deere
| JAlexoid wrote:
| Ahem... Boeing 737 MAX, which was literal murder.
| silvestrov wrote:
| I would guess this is also why the code was found: it's
| parallel construction.
|
| Somebody was told to take a closer look.
|
| Otherwise it would be very weird to have 3rd party
| developers disassembling firmware code. I've never heard of
| that happening because a train didn't want to start.
| TeMPOraL wrote:
| When the trains your company serviced start experiencing
| failures, you look at your workers. When the trains your
| company was supposed to service, but _didn 't manage to
| touch yet_ start experiencing failures, you might begin
| wondering about alternative explanations.
|
| I imagine someone in the company was someone who knew (or
| was a parent of someone who knew) someone in Warsaw
| Hackerspace, and introductions were made.
| Thorrez wrote:
| But how would you profit off of it? In the case here the
| company profits by forcing trains to use first-party workshops.
| vidarh wrote:
| "Last time this failed, Bob was the only one who could fix
| it."
|
| "Bob resigned a few months ago."
|
| "See if he is willing to do some consulting. We'll pay
| whatever rate he demands."
|
| I still occasionally have past employers call about things
| years after I left, and if I'd have been immoral enough to
| pull something like this, those systems could have been full
| of time bombs.
| JoshuaRogers wrote:
| This mindset reminds me of the policies we use in the dev
| team at work. Any policy access that I suggest starts with
| the thought "If future me were to go rogue one day, how
| would present me stop me?"
| bombcar wrote:
| It's kind of amazing how blatant it was, they weren't even
| really trying to hide it much.
|
| Similar to the VW emissions thing; if they'd been intentional
| about it they could have made it look much more like a mistake.
| SSLy wrote:
| > A rather amusing situation was encountered with another train
| set that refused to work on November 21, 2022, despite not being
| in service at the time. The computer reported a compressor
| failure, although the mechanics determined that there was nothing
| wrong with the compressor. Unfortunately, the train still did not
| raise its pantographs. The analysis of the computer code revealed
| a condition enforcing the failure, which read as follows:
|
| > if the day is greater than or equal to 21, and
|
| > if the month is greater than or equal to 11, and
|
| > if the year is greater than or equal to 2021
|
| > then report a compressor failure.
| serf wrote:
| I guess a charitable interpretation is that the compressor
| manufacturer set an 'expiry date' to ensure replacement of a
| vital component.
|
| (but it's probably just shady business.)
| Ukv wrote:
| Also the wrong way to implement an expiry data, since it'd
| work fine again when the day goes below 21 or month below 11,
| even if the year is 2021 or greater - which seems to be what
| happened if they only noticed it in November 2022 rather than
| 2021.
| garblegarble wrote:
| It might lead to a fault that appears more realistic -
| it'll go away for a bit in December before coming back
| again... if the engineers say the compressor's good but the
| computer fails it intermittently, that seems like a good
| point to get the manufacturer involved which is what they
| wanted to force
| TeMPOraL wrote:
| Yeah, that's not a component expiry date. This reads more
| like "fire a warning shot in November, and then fuck the
| operator over during Christmas". It feels like trying to
| _maximize damage_ , as 21-31 December is exactly where a huge
| chunk of population travels to visit their family homes, and
| many of them do so via trains.
| JAlexoid wrote:
| Nah... I just bet that this is some dev, that doesn't know
| how to deal with dates.
|
| I had a recently "senior" dev give me a SQL query with
| similar where clause, when asked to query data after Sept
| 1, 2022 (where moy >= 9 and dom => 1 and year => 2022)
| CryptoBanker wrote:
| What good reason is there for hard coding dates that
| shutdown trains?
| thaumasiotes wrote:
| That's when the compressor's going to fail, obviously. ;D
| TeMPOraL wrote:
| Right. How did that famous adage go? "The best way to
| predict the future is to invent it."
| raphman wrote:
| The best way to predict a crime is to commit it.
|
| (with apologies to Alan Kay who coined the original
| saying)
| lstamour wrote:
| In case anyone is confused, the problem is that dates
| loop, such that moy=1, dom=1, year=2023 will not match
| despite being greater than Sept 1, 2022. Technically,
| then, if you wanted this logic to work you would have to
| add a second "or" clause that handles the edges missed,
| e.g. (moy >= 9 AND year = 2022) OR (year > 2022) though
| you would need a different edge case if your dom wasn't
| 1. The easier approach, of course, is to just compare
| dates or timestamps directly.
| pixel8account wrote:
| Very charitable. The "expiry date" was set to the next
| servicing date _and there was no way for competition to fix
| this hardcoded date_ and this was not documented in the
| official documents. Clearly a way to force buyers to use the
| "official" service.
| idonotknowwhy wrote:
| Reminds me of those work arounds for share ware in the
| 2000s,when I you had to say the system time back
| bombcar wrote:
| The real crime is not using a standard date time library and a
| simple > 2021-11-21
| p_l wrote:
| Can be often problematic on PLCs and the programming
| environment exposed to programmer.
| cj wrote:
| Personally I prefer measuring time as seconds that have
| passed since January 1st, 1970.
| Faaak wrote:
| And then your train is 32bits and stops working in 2038 ;-)
| rollcat wrote:
| Even being evil requires a certain level of competence. It's
| how we actually catch any of them.
| pixel8account wrote:
| This is a reason why it was detected a year later - the train
| service was delayed and it spent late November and whole
| December in service. So the "expiration" intended for 2021
| only manifested in 2022.
| delfinom wrote:
| This was programmed into a PLC, not traditional code.
|
| PLCs are basically environments designed for mere technicians
| being able to adjust code in very clear concise fashion. It
| can be way more verbose, but the logic is clear and solid for
| decades of operation.
|
| It doesn't require reading an api documentation on version X
| of a library downloaded from NPM 15 years ago nor rebuilding
| an entire project to the latest dependencies.
| drra wrote:
| So these trains are exclusively used in Poland by quite a big
| number of regional train companies. There are 5 servicing levels
| starting from P1 up to most complex P5. It used to be that only
| these major companies would do P3+ but since a few years tenders
| were won by several smaller competitors at much lower prices all
| thanks to European Union Agency For Railways that opened that
| market.
|
| It started with 4 trains that were serviced by SPS Mieczkowski
| and just wouldn't start. The company was forced to pay EUR0.5m in
| penalties and trains were sent back to Newag. At the same time
| several other trains from different companies that didn't even
| got to service but spent a bit too much time in one place became
| immobilized. This all led to SPS Mieczkowski hiring Dragon Sector
| to investigate and they found several separate routines to
| disable trains.
|
| This case is investigated by Central Anti-Corruption Bureau in
| Poland but I doubt it'll do much harm to Newag. The Office of
| Rail Transport of Poland that would spam rail company with
| complaints and orders for a small mistake in train schedule
| washed it's hands from intervening in this case and train
| purchases have highly regulated tender process and very little
| wiggle room for rail companies.
| KptMarchewa wrote:
| >This case is investigated by Central Anti-Corruption Bureau in
| Poland but I doubt it'll do much harm to Newag. The Office of
| Rail Transport of Poland that would spam rail company with
| complaints and orders for a small mistake in train schedule
| washed it's hands from intervening in this case and train
| purchases have highly regulated tender process and very little
| wiggle room for rail companies.
|
| It's clearly a crime of sabotage under Art. 254a kk. Tender
| process does not matter in this case. We just need a competent
| prosecutor.
|
| https://sip.lex.pl/akty-prawne/dzu-dziennik-ustaw/kodeks-kar...
| TomaszZielinski wrote:
| Having read only that kk article, I'm not certain if trains
| are considered parts of the infrastructure?
| KptMarchewa wrote:
| It works for train vandalism - why wouldn't it work on
| industrial scale?
|
| For example, someone stole active train parts:
| https://orzeczenia.gdansk-
| poludnie.sr.gov.pl/content/$N/1510...
| TomaszZielinski wrote:
| I don't know, that's why I asked--for me "infrastructure"
| sounds like the immovable parts. Similarly to road
| infrastructure, which doesn't include cars. But it's just
| my armchair impression, I have no idea how the law works
| in this context.
|
| I quickly scanned the sentence you linked to, and art.
| 254a seems to be applied only to the theft of wires from
| tracks? Or am I missing something?
|
| I've tried googling "infrastruktura kolejowa", and it
| seems that Ustawa o transporcie kolejowym defines it in
| art. 4.1, referencing Appendix 1. And that Appendix only
| lists immovable stuff. But again, I'm not a lawyer and
| I'm aware that definitions from one act often don't apply
| to a different act, in different branch of law.
| myself248 wrote:
| In the usage I'm familiar with (in the US), the entire
| rail network is considered "transportation
| infrastructure", from a national perspective.
|
| But from the perspective of just the rail network, the
| track and other infrastructure is considered separate
| from the rolling stock.
|
| I wonder: If the rolling stock becomes immobilized, does
| it now count as immovable stuff?
| TomaszZielinski wrote:
| Ah, that's a very good distinction between the national
| perspective and the rail perspective!
|
| > I wonder: If the rolling stock becomes immobilized,
| does it now count as immovable stuff?
|
| Assuming it's a philosophical question, and not a legal
| one, how about: - A runner that's currently running is
| obviously a runner - A runner that finished running for
| today is still a runner - A runner with serious knee
| problems is a former runner ?
| TeMPOraL wrote:
| Also practical question: how much of the rolling stock
| has to become immobilized before the immovable parts of
| the infrastructure become useless? At which point you can
| start throwing the book at whoever's responsible?
| p_l wrote:
| Locking up (or causing possibility of doing so) a non-
| siding line sounds like Denial-of-Service on rail line.
| reactordev wrote:
| If that were true, Amtrak wouldn't be leasing railways as
| it's nationally run. Railroad companies like Union
| Pacific, Norfolk Southern, CSX, own their rails. They own
| their rolling stock. They own their locomotives. They
| lend you, the business person, a rolling stock to load
| and ship to where you need it to go. There it will be
| unloaded and sold/shipped by truck to final destination.
|
| Rail companies own the right-of-way AND the rails. They
| control what runs on their rails, who runs on their
| rails, when they run, etc.
|
| It's quite something to think that 97% of the rail tracks
| in the USA are privately owned.
|
| https://public.railinc.com/about-railinc/blog/who-owns-
| railr...
| bitcharmer wrote:
| Being a 40+ year old Pole I am yet to see a single case of
| corruption in public sector be prosecuted.
| ajuc wrote:
| Maciej Zalewski (a co-creator of Kaczynski's first party -
| Porozumienie Centrum) remains the only high-level
| politician I know of in Poland that was sentenced for
| corruption and actually went to jail.
|
| https://pl.wikipedia.org/wiki/Maciej_Zalewski_(filolog)
|
| He warned Bagsik and co. (who stole millions of public
| money through the famous Art-B company and escaped to
| Israel) that the police wants to imprison them - so they
| managed to escape. Bagsik later confirmed that they shared
| some of that money with Porozumienie Centrum's business
| named Telegraf. Somehow only the less important guy
| (Zalewski) went to jail, but Kaczynski brothers weren't
| prosecuted.
|
| But there's a lot of low level corruption that is exposed,
| it's just usually ignored by country-wide media, because
| that corruption is local. For one example:
| https://samorzad.pap.pl/kategoria/prawo/prawomocny-wyrok-
| byl...
| KptMarchewa wrote:
| I haven't seen any evidence of corruption here - just pure
| malice and monopolistic behavior.
| ska wrote:
| There is corruption everywhere (though obviously not
| uniformly distributed). It requires active, dynamic
| efforts to counteract. If you don't see _some_ evidence
| of successful prosecution, that itself is informative.
| pixel8account wrote:
| It is also investigated by the Agency of Internal Security and
| I really doubt they _don 't_ have huge problems out of this.
| This is taken extremely seriously internally.
|
| There's a ton of evidence to prove what happened and they have
| no chance to somehow wiggle out of this. They're trying... by
| saying they were hacked. Yeah, the hackers somehow flashed
| firmware of trains services by competition, to brick the
| trains. GPS coordinates of competition rail segments were
| literally hardcoded.
| jaymzcampbell wrote:
| This brought to mind the AARD "crash" which Microsoft used to
| basically destroy competition from DR-DOS back in the day.
|
| > The AARD code was a segment of code in a beta release of
| Microsoft Windows 3.1 that would determine whether Windows was
| running on MS-DOS or PC DOS, rather than a competing workalike
| such as DR-DOS, and would result in a cryptic error message in
| the latter case. This XOR-encrypted, self-modifying, and
| deliberately obfuscated machine code used a variety of
| undocumented DOS structures and functions to perform its work.
|
| https://en.wikipedia.org/wiki/AARD_code
|
| https://www.geoffchappell.com/notes/windows/archive/aard/drd...
|
| https://news.ycombinator.com/item?id=36042213
| sonicanatidae wrote:
| This tracks for Microsoft. The very same company that told
| Compaq that if they sold any PCs with OS/2 Warp, they would
| never sell another one with Windows.
|
| Humans are why we can't have nice things. OS/2 Warp was a great
| OS.
| pmarreck wrote:
| all this looks like points for open source. You can't exactly
| stop someone from putting an open source OS on their
| hardware, and if the train software was open-source, then
| this "clawback code" nonsense would have been impossible to
| keep secret.
|
| and you're right, OS/2 Warp WAS a great OS. As soon as it
| started losing market viability, it should have gone open
| source as a defensive self-preservation tactic.
|
| When LLaMa was released for free, it basically guaranteed it
| would never die a corporate death
| Workaccount2 wrote:
| Now we just need a a good open source OS made for lifelong
| windows/macOS users. Not one made for lifelong linux users.
| sonicanatidae wrote:
| Sorry, best I can do is a Elementry OS Linux.
| goodpoint wrote:
| Or not.
| pmarreck wrote:
| IMHO, Apple should have open-sourced their OS a long time
| ago while offering "best" compatibility with their
| hardware. They would have expanded both markets
| tremendously.
|
| I'm currently a "NixOS" guy, and it feels like the "last
| distro hop" for me. There's a learning curve but it's
| kind of like "you get ALL the customization, plus seat
| belts in case something screws up". I still like Macs but
| I don't really like the direction Apple's taken recently
| with regards to locking down macOS hardware and system
| software. I'm a fan of things like Asahi Linux but even
| that depends on Apple's permission to work
| malermeister wrote:
| ReactOS is the best we've got.
| sonicanatidae wrote:
| OS/2 Warp is still used today, albeit in very limited
| situations.
|
| I managed IT at hospitals for a large part of my career. At
| one of them, they had a "Lanier transcription cluster". It
| was 6 systems. One of them was an OS/2 Warp install that
| managed the modem cards.
|
| It's apparently used to manage hardware, like those modem
| cards. Evidently, it does a great job of it.
|
| I agree with you though. I think that Open Source would
| have made it much more of a competitor to Windows, today.
|
| Then again, throw enough resources at anything and it could
| contend...ok.. not TempleOS, but everything else. ;)
| ta1243 wrote:
| > You can't exactly stop someone from putting an open
| source OS on their hardware
|
| Of course you can. Have secure boot requiring a signed
| bootloader. Currently Microsoft are good enough to sign a
| linux bootloader so you can run things like ubuntu.
|
| Doesn't mean that in 73 years you'll have a situation where
| OSS is not only illegal, but you could not install one if
| you had one, without knowing your computer's root password.
| And neither the FBI nor Microsoft Support would tell you
| that [0]
|
| [0] https://www.gnu.org/philosophy/right-to-read.en.html
| pmarreck wrote:
| Coreboot (which System76 and Framework use): Exists
|
| Love the GNU mentality though, but you don't need FUD to
| promote your ideas. Lots of problems would just disappear
| if most things went open-source, and the value
| proposition might shift but would still be there. The
| most valuable part of code is the people that create,
| understand and maintain it; not the code itself. The code
| itself is ephemeral. (I hate to admit this. Us coders
| love our brain-babies.)
|
| Note: I own a System76 Thelio Major and have a Framework
| laptop on order, so I am not just a non-participating
| bystander in my beliefs here
| trinsic2 wrote:
| I agree. GNU rhetoric does not help their case. Much of
| it sounds very confrontational and whinny.
|
| I am a supporter of free software and open hardware, but
| I would never try to forcibly try to convince people with
| half-truths.
|
| BTW I don't think coreboot is really helpful in that it
| appears to me is more about controlling hardware access.
| ta1243 wrote:
| That page was written way before most people had ever
| heard of linux, a decade before things like secureboot
| became a thing, and way before the most common personal
| computing device in the world was a choice of two locked
| down devices.
| rollcat wrote:
| > You can't exactly stop someone from putting an open
| source OS on their hardware [...]
|
| Of course you can. It's a train, not a PC. Its primary
| function is to *safely* get me from point A to point B. No
| safety certification for the _whole_ thing (including
| software), means it doesn 't go on tracks. The freedom of
| your fist ends where my nose begins, which means your
| freedom to mess up the train's software ends where I step
| on board.
|
| Poland has had its share of railroad catastrophes, and I
| very narrowly avoided being a victim - I got late for this
| train: <https://www.bbc.com/news/world-europe-17248735>. I
| no longer live there - I like trains, but the trains in
| Poland are an unmitigated disaster every single time I
| visit.
|
| > [...] and if the train software was open-source, then
| this "clawback code" nonsense would have been impossible to
| keep secret.
|
| There's two problems with that:
|
| 1. Just because it's open source, doesn't mean you get to
| load your own modified version (see above); which means the
| software that's _actually_ running on the train can
| trivially be made different from the sources you were
| delivered;
|
| 2. Just because it's open source, doesn't mean it can't
| have a hardware backdoor, or some sort of manufacturer-
| installed APT.
|
| You can't even buy an Intel CPU that doesn't include an
| entire separate core, with its own Ethernet controller and
| OS - and that is the stuff that's actually documented and
| sold as an "enterprise" feature. Imagine an entire train of
| nooks and crannies to hide this sort of nonsense.
| pmarreck wrote:
| Good thing we have open-source hardware out there and
| open-source CPU's on deck. And makers like System76 and
| Framework that at least use Coreboot.
|
| Wow re: train near-miss. Glad you're still here with us!
| That must have been terrifying to learn.
| rjmunro wrote:
| > Good thing we have open-source hardware out there and
| open-source CPU's on deck.
|
| Read "Reflections on Trusting Trust" by Ken Thompson. It
| describes how even recompiling all the sources isn't
| enough.
| IcyWindows wrote:
| Google has agreements with TV manufacturers that provent
| it.
|
| https://www.techspot.com/news/84374-google-android-
| license-r...
| greiskul wrote:
| We really need to have much stronger anti trust legislation
| and enforcement. It is absolutely ridiculous to allow
| companies to behave this way.
|
| And before someone says that "free market is always good and
| government is bad", the optimum free market strategy if there
| is no government is to hire hitmen to assassinate the
| executives of competidor companies. A real competitive free
| market will always require the government to prohibit
| companies from forming artificial mottes around their
| monopolies.
| sonicanatidae wrote:
| We simply need meaningful penalties that involve jail time
| and % fines, on top of the ill gotten gains. The current
| model is steal $1 million, get fined $250k, enjoy the
| profits.
|
| Sadly, that'll never happen, because CU made bribery legal
| and who's congress going to listen to? The 100s of millions
| they allegedly govern or the guy that handed them $25k for
| a kitchen remodel.
|
| Spoiler: It's not the citizens.
| denton-scratch wrote:
| > Sadly, that'll never happen, because CU made bribery
| legal
|
| Citizens United was a USSC ruling; TFA is about Poland.
|
| Poland is in the EU; NEWAG seems to be a formerly state-
| owned company, that was fully privatized in 2003.
|
| https://en.wikipedia.org/wiki/Newag
|
| I'm awfully worried about both Poland and Hungary, and
| their place in the EU even though I'm a brit, and now out
| of the EU. I think both countries should have had their
| EU membership suspended years ago, for corruption;
| meddling with judicial appointments; and generally not
| allowing free media. I suspect Hungary is much worse, but
| for me, a major reason for supporting Brexit was that I
| didn't want to be in a political alliance with countries
| that didn't comply with international treaties, which the
| EU was so reluctant to enforce.
| SAI_Peregrinus wrote:
| The optimal free market with no government is for
| corporations (collections of people) to use violent force
| to enforce their goals. A sufficiently powerful corporation
| is indistinguishable from a government.
| sonicanatidae wrote:
| A sufficiently powerful corporation is worse than a
| government, because the current government at least
| pretends to play by the rules and in a lot of cases,
| does. The issue is the rules themselves, which were
| crafted by? Corps.
|
| Corps are entirely different. They push harder and harder
| and harder for PROFITS and will inevitably cross lines.
| When crossing those lines not only has no meaningful
| penalty, but actually turns a profit, after the fines are
| subtracted, they will not only continue to do it, but
| push even harder. After all, there's no real
| consequences, so why worry?
| marcosdumay wrote:
| Authoritarian governments exist, and are more common than
| democratic ones.
|
| Besides, democratic corporations exist too. They are just
| incredibly rare.
| xp84 wrote:
| > A sufficiently powerful corporation is worse than a
| government, because the current government at least
| pretends to play by the rules
|
| The most despotic and scary governments of history would
| probably like a word with you. Maintaining a believable
| pretense of following any rules is a luxury we take for
| granted in many countries today, but Mao and Stalin
| didn't worry about the appearance of propriety.
|
| Not really arguing against your main point though, I
| think you're right. Just don't forget how bad
| totalitarian governments can be.
| sonicanatidae wrote:
| You are citing outliers. A majority of the countries in
| the world aren't run by people like Stalin, or Pol Pot.
|
| Yes, in those instances nothing is worse than the
| government, but a majority of the world doesn't live in
| those places. For most people, it's the tyranny of
| corporations that affect our lives in outsized ways.
| robertlagrant wrote:
| > For most people, it's the tyranny of corporations that
| affect our lives in outsized ways.
|
| No, for most people it's corporations that enable our
| current best-in-history lifestyle. The hardest things we
| face are scarcities created by government policy.
| rootusrootus wrote:
| > A sufficiently powerful corporation is
| indistinguishable from a government.
|
| Only if the government is a dictatorship. A sufficiently
| powerful corporation will never look like a functional
| democracy.
| sonicanatidae wrote:
| _looks around for an example of a functional democracy_
| CamperBob2 wrote:
| How about the one that decided that a New York con man
| and money launderer was the right choice for president?
|
| I'm concerned that democracy as a general concept has a
| showstopping bug with no obvious fix. A bug that's always
| been there but has recently become fatally easy to
| exploit. Essentially, giving stupid people the same
| political power as smart people is mandatory in a
| democracy, but problematic because the former are much
| easier for "smart" minorities on all sides to corral into
| blocs.
|
| The whole system then devolves into a battle for control
| over the easily-led, which is equivalent to any other
| form of government by minority interests. Regardless of
| who is on top at any given time, they aren't there to
| represent the interests of the majority.
| devbent wrote:
| Boards appoint executives, boards are voted in by
| shareholders, shareholders are determined by $, the more
| money you have the more votes you can buy.
|
| Companies are, in theory, dysfunctional representative
| republics.
| mrguyorama wrote:
| Having to BUY a vote explicitly removes any consideration
| of it being any form of democracy. Democracy requires
| suffrage as a right, not a commodity.
| logifail wrote:
| > Democracy requires suffrage as a right, not a commodity
|
| There are plenty of "democracies" where suffrage depends
| on one having the appropriate citizenship.
|
| Full disclosure: I have permanent residency - and pay my
| taxes - in a country where I'm neither allowed to stand
| for election nor allowed to vote...
| semiquaver wrote:
| Indeed, Democracy originated in an environment where
| suffrage was highly limited.
|
| https://education.nationalgeographic.org/resource/democra
| cy-...
| JoshTriplett wrote:
| > A sufficiently powerful corporation will never look
| like a functional democracy.
|
| True, but neither will a sufficiently powerful
| government.
| TeMPOraL wrote:
| No, if you remove either corporations or governments from
| the equation, the remaining thing will morph and split to
| recreate this. Corporations aren't fixed in stone - a
| sufficiently powerful one may be indistinguishable from a
| dictatorship, but it'll also evolve the same way.
| lo_zamoyski wrote:
| That wouldn't be a free market. It would be some kind of
| oligarchic corporatism. Government is necessary to truly
| enable free markets. The key to understanding that is to
| understand what "free" truly means [0]. It isn't "do what
| thou wilt".
|
| [0] https://news.ycombinator.com/item?id=38537665
| rootusrootus wrote:
| > And before someone says that "free market is always good
| and government is bad"
|
| I've never really understood that dichotomy myself. The
| free market IS good, that is for sure. But it won't exist
| unless the gov't uses its power to create it. Companies
| have to be kept small enough that there will always be a
| bunch of choices. And that won't happen by itself.
| JoshTriplett wrote:
| > the optimum free market strategy if there is no
| government is to hire hitmen to assassinate the executives
| of competidor companies
|
| There's a huge difference between opposing regulation and
| permitting murder. Equating the two is a strawman, given
| that there are a large number of people who oppose various
| regulations and very few who would want to legalize murder.
| sonicanatidae wrote:
| I mean.. I'm not up for outright legalizing murder, but
| as the world turns, I understand it more and more. Some
| people just need a killin.
| thegrimmest wrote:
| Funny that your optimum free market strategy is murder. A
| market where murder is a legitimate strategy is anything
| but free. In fact a good litmus test as to the freedom of a
| market (or any social structure) is the legitimacy of
| murder.
|
| Comparing murder to antitrust therefore seems to be a
| pretty weak argument. Deontological libertarians would view
| the use of force required to enforce antitrust as
| authoritarian overreach. They would see no moral
| justification in the enforcement of arbitrary limitations
| on the voluntary transactions of consenting parties. They
| would see these as tyrannical.
|
| This stems from a core disagreement about the nature of
| society. Some people see it a as a collective project for
| the good of all participants (the sticky points being the
| definition of "good", and the non-optionality of
| "collective"). Others see it as simply an agreement to
| coexist peacefully and cooperate only voluntarily, while
| embracing the Darwinian nature of said coexistence.
|
| Each side is well meaning I'm sure, but I find it hard to
| reconcile these two worldviews.
| discreteevent wrote:
| Coexistence - peaceful - darwinian. A circle that's hard
| to square.
| thegrimmest wrote:
| I don't see why. It's basically what happens in any free
| society - we (as individuals, organizations, social
| orders) compete over finite resources. Disputes are
| resolved via due process. Winners win and losers lose.
| The difference between civilized and uncivilized is only
| in which actions are available to the players, not in the
| nature of the game.
| lo_zamoyski wrote:
| The problem is that competition for resources is taken as
| the essence of markets, which it is not. Competition
| exists in markets, sure, but it's not the point of the
| market per se. That's psychotic. This is the problem when
| decontextualized practicalities become enshrined as
| abstracted ideological and moral tenets of the highest
| order. According to your view, if I were starving, and
| you had a warehouse full of food, then I would be
| stealing if I were to break in and take some food to
| survive. Theft is always wrong by definition (you cannot
| say it is _sometimes_ justified in ad hoc sense while
| remaining coherent; if the law just is competition for
| resources, full stop, then the starving man is just a
| loser, full stop), so I, the starving man, am morally
| obligated to accept my death outside the walls of that
| warehouse.
|
| But as I said, this would be an incorrect view of
| markets, which occur _within_ societies, to enable the
| good. Human beings are social animals, and so our good
| depends on society. The common good is also _prior_ to
| private property. A scenario where people are starving,
| but where there are warehouses full of food, is one that
| demonstrates some degree of dysfunction.
| thegrimmest wrote:
| > _Competition exists in markets, sure, but it 's not the
| point of the market per se. That's psychotic._
|
| Competition is _the point_ of every ecosystem, insofar as
| there is a point. The properties of an ecosystem are
| fundamentally emergent wherever living things interact,
| in markets or otherwise.
|
| > _so I, the starving man, am morally obligated to accept
| my death outside the walls of that warehouse_
|
| Why is this view so foreign? I don't expect you to adopt
| it per se, but surely you can see that yours is not the
| only perspective. There are many people who would prefer
| to commit suicide in dignity rather than live to seem
| themselves become a burden on others. There are even
| those who would rather die screaming in agony rather than
| pry greedily into the pockets of strangers.
|
| > _enable the good_
|
| Ah yes but then the you have to define "the good" which
| is notoriously challenging, and also be sufficiently
| comfortable in your definition to impose it by force on
| others who may disagree. I'm just not sufficiently
| comfortable with anyone's definition of "the good", my
| own included, to make that leap.
|
| > _A scenario where people are starving, but where there
| are warehouses full of food, is one that demonstrates
| some degree of dysfunction_
|
| I disagree, this scenario exists all over the natural
| world, and is fundamental to all ecosystems. In a
| competitive environment (which again, is inevitable),
| it's optimal to ruthlessly defend the maximum you are
| capable of, rather than the minimum you need to survive.
| ablob wrote:
| As far as I understand the conditions of a free market are
| not met in this case:
|
| According to the english Wikipedia: * A capitalist free-
| market economy is an economic system where prices for goods
| and services are set freely by the forces of supply and
| demand [...]
|
| Here one can argue that the available services (i.e.
| maintaining a train) are not set freely by the forces of
| supply and demand, but by the constructor of the train; at
| least to some extend.
|
| You said that "[a] real competitive free market will always
| require the government to prohibit companies from forming
| artificial mottes around their monopolies". I partially
| agree in this case. A free market that contains competitors
| that are able to fully satiate it will always require a
| government that hinders it from working towards a
| controlled market. By a controlled market I mean monopoles,
| oligopoles, cartels, or otherwise controlled
| environments(1). So if there's no competitor I can walk to
| in case I am unhappy with my trading partner the market
| isn't free by definition. I can hardly think of bakeries in
| town requiring governmental intervention (unless they form
| a cartel, that is).
|
| Not every market should be free, however. I guess you've
| just met too many hard-liners arguing for shady business
| practices in the name of the free market. I'd argue that a
| shady business will cease to exist in a free market due to
| the customers running away.
|
| PS: Funny enough, I am fully onboard with stronger anti-
| trust enforcement (legislation only if that proves to be
| insufficient), only that I am doing it as a proponent to
| regain market freedom.
|
| (1) Intentionally left broad as I can't be bothered to come
| up with a definition that fits what I have in mind.
| trinsic2 wrote:
| > We really need to have much stronger anti trust
| legislation and enforcement. It is absolutely ridiculous to
| allow companies to behave this way.
|
| You think? I have been wondering the same thing myself for
| years and i'm still flabbergasted that people don't treat
| this stuff more seriously.
| gosub100 wrote:
| > We really need to have much stronger anti trust
| legislation and enforcement
|
| The Microsoft disaster you are replying to could just as
| easily be blamed on the government in the first place. Why
| were they so slow to react? Why couldn't the FTC have seen
| that, or been alerted and acted immediately? There is no
| legitimate reason, other than the government is a socialist
| organization that has no incentive to actually get anything
| done. This is why USPS, VA, Amtrak, etc all suck. Throwing
| _more government_ at the problem will have the opposite
| effect: _less_ will get done!
| lo_zamoyski wrote:
| > "free market is always good and government is bad"
|
| This view seems especially American, but it is also a very
| liberal view (in the philosophical sense, not the somewhat
| weird partisan sense). Liberalism reconceives the common
| good, private property, and freedom dramatically. Whereas
| traditionally, the state is viewed as _steward_ of the
| common good (that is its essential function), and private
| property as something instituted _for the sake of the
| common good_ , liberalism conceives of private property as
| primary and the common good as something grudgingly ceded
| from the private good. Freedom is traditionally understood
| as the ability to do what one ought (the freedom to be what
| you are by nature, that is, a human being), but liberalism
| construes it as the ability to do whatever you please.
| (It's an odd idea. If I happen to want to gouge my eyes out
| and cut my arms off for no reason, doing so does not make
| me free. It makes me _less_ free, because now I am less
| capable of functioning fully as a human being. I am
| confined and prevented from doing all sorts of good things.
| Human nature is the yardstick by which freedom is
| measured.)
|
| What does this all mean? Well, it means government becomes
| construed as an artificial, even malicious construct that
| stands in the way of freedom. Certainly corruption exists,
| but this is not a valid argument against government as
| such. And besides, without government, something fills the
| vacuum. The absence of authority isn't freedom, but
| exposure to power _that lacks authority_.
|
| So, yeah, free markets are good, as long as freedom (and
| thus the good) is construed in the traditional, not the
| liberal sense. That means that government, properly
| understood, is not an obstacle to free markets, but a _sine
| qua non_ of truly free markets.
| stevage wrote:
| No one literally says that.
| bitcharmer wrote:
| > Humans are why we can't have nice things
|
| _MBAs_ are why we can 't have nice things
|
| FTFY
| neilv wrote:
| Don't attribute to humans, malice that can be adequately
| explained by Microsoft.
| IcyWindows wrote:
| Google forbids competing android TV OS for their hardware
| customers. Maybe this happens with every large company?
| JAlexoid wrote:
| It's not really the same, in this case.
|
| The AARD crash was an intentional break in compatibility, while
| this is more like planned obsoleteness.
|
| Leaving a train stationary for "too long" would disable it?
| Microsoft would have loved to control the platform to that
| level :D
| thaumasiotes wrote:
| > This brought to mind the AARD "crash" which Microsoft used to
| basically destroy competition from DR-DOS back in the day.
|
| Given that, according to the article, the functionality was
| never enabled, how did it get used to destroy competition from
| DR-DOS?
| pseudosavant wrote:
| DR-DOS must have already been on the brink if some code in a
| 'beta release of Microsoft Windows 3.1' finished them off.
| l0b0 wrote:
| $280 million settlement for securing global OS domination for a
| few years. Pretty cheap.
| mistrial9 wrote:
| William Gates was The World's Richest Man for what, twenty
| years without fail?
| InsomniacL wrote:
| > "The manufacturer argued that this was because of malpractice
| by these workshops"
|
| Is this intended to say: - The manufacturer
| says the locks are caused by malpractice of the 3rd party
| workshops
|
| or - The manufacturer says they lock the trains
| because of past malpractice of the 3rd party workshops
|
| The poster also states
|
| > "One version of the controller actually contained GPS
| coordinates to contain the behaviour to third party workshops."
|
| This seems oddly specific, there are better ways to determine if
| the train has been serviced by the manufacturer or not, such as
| using PKI.
|
| I can imagine a scenario where this isn't for greed of servicing
| fees, perhaps the brakes need replacing every x miles and if this
| isn't performed the train locks for safety. If the 3rd party
| workshops specified thought "there's more life
| left in these pads, I'll just reset the counter and make the
| train think the pads are new"
|
| The manufacturer would have significant backlash should the train
| then crash and kill people, regardless if the 3rd party workshop
| was at fault.
|
| I'm all for right to repair for most things, however commercial
| public transport isn't one of them unless there's some
| vetting/accreditation process.
| celticninja wrote:
| I disagree. The owner should be able to get them repaired
| without needing the manufacturer to approve.
| Zak wrote:
| It's certainly reasonable for governments to require some sort
| of licensing or accreditation to work on safety-critical public
| infrastructure. It is not reasonable for another service
| provider to have the final say over that, especially through
| the use of undisclosed software locks.
| SahAssar wrote:
| Any of those reasons should then have been documented in
| public, which the poster said it was not.
| p_l wrote:
| The workshops were already accredited and vetted, and followed
| official documentation that was supposed to cover the
| maintenance.
|
| And the intended meaning of the sentence was that NEWAG implied
| that the workshops "did something wrong" and that's why the
| train didn't run.
| hex4def6 wrote:
| I think you're putting very little weight into the ability of
| government organizations like the NTSB or equivalent to
| determine root cause of a crash. Just think of the situation
| with aircraft crashes. They have to deal with something that
| smeared into the ground at 400 miles an hour. And they're often
| still able to root cause with a high degree of confidence. I
| have a feeling train crashes are trivial in comparison to root
| cause (with rare exception).
|
| You either require (and train) your NTSB to be able to
| independently diagnose accidents (in which case they would be
| able to tell who fudged the records about the fake brake
| overhaul) or you rely on the manufacturer for the diagnosis.
| Which to me is a concerning conflict of interest, since they
| will invariably want to shift the blame to the operator of the
| vehicle. I'm sure they could in the most honest case, point to
| excursions outside of recommended operating conditions during
| the life of the train and say "see? Your operator has been
| consistently taking this turn ed 10 mph faster than recommended
| by the manufacturer. Warranty void".. worst case they fudge the
| records and you have no competent independent examiner to
| dispute that.
| Symbiote wrote:
| I think your point is fine, but I don't think we should say a
| root cause analysis of a rail accident is "trivial".
|
| For example, the most recent serious report from the UK has
| 113 pages, and detail on technical (friction, braking etc)
| and organizational issues just like an aircraft accident
| report:
|
| https://www.gov.uk/government/news/report-122023-collision-b.
| ..
| JAlexoid wrote:
| > I'm all for right to repair for most things, however
| commercial public transport isn't one of them unless there's
| some vetting/accreditation process.
|
| That is where you literally have a contract written up, stating
| this. In some cases that contract is ratified by the parliament
| (making it effectively the law)
| wafflemaker wrote:
| How can somebody even attempt to find faults like these without
| being a magician? Are people reading tons of assembly code in the
| process?
| shadowgovt wrote:
| On an open source architecture, many eyes hypothetically leave
| few places for malicious action to hide. This is not always
| 100% foolproof, but it seems to work out pretty well most of
| the time.
|
| On a closed source architecture, this sort of thing is
| generally safeguarded by contract and law. Company can get away
| with it once, but if the law and contracts were properly
| crafted there will be fines and jail time that discourages them
| from doing it again.
| bombcar wrote:
| Reading decompiled (reverse-engineered) code is not as insanely
| hard as it sounds. You can usually find functions, and then
| it's a matter of finding _what_ a function does.
|
| If you can somehow attach a debugger or get breakpoints, it's
| even easier.
| TomaszZielinski wrote:
| The world is such a small place--I open HN and read a movie-grade
| story about trains that I took many times. In fact, it's even
| possible I was going by one of those grounded trains..
|
| In any case, either there was no code review, or the reviewers
| accepted that for one reason or another. Not sure which case is
| more scary..
| jrochkind1 wrote:
| Code review by a _third party_? Does that usually happen?
|
| It's clear this was intended by the manufacturer of the trains,
| who directed the writing of the code, it's not like a hacker
| put this in without their manager knowing, right?
|
| What kind of code review are you thinking of by whom?
|
| [Wait, reading other comments, I'm thinking HN switched the
| article at the top, and some of these comments were written
| when the article at the top had much less information? That may
| explain why these comments are so confusing!]
| TomaszZielinski wrote:
| I have no idea how software for trains is (or should be)
| created.
|
| So I meant a regular code review you would do for anything
| else.
|
| I can see two scenarios at play:
|
| 1. either it's "free for all" and someone (anyone?) can put
| arbitrary shady stuff in the code
|
| 2. or there's a process for adding shady stuff to the
| codebase (some "stakeholder" creates a ticket, someone
| creates a PR, and the it's reviewed, etc.)
| jrochkind1 wrote:
| OK, I think someone's manager _told_ them to add this to
| the codebase. After the manager's boss told _them_ to make
| it so. And then it maybe got code reviewed, sure, and the
| code reviewer confirmed that it was bug-free and did what
| was intended. It is doing what the manufacturer wanted it
| to do.
|
| I'm wondering if you read the same posts at the top, or if
| maybe HN has switched the link since you read it and
| commented? Or if you just reached different conclusions!
|
| My conclusion was that it doesn't appear there is any
| reason to think this was a "rogue" employee. What
| motivation would they have to do this? The motivation
| belonged to the train company that made the trains and
| owned the the software, the company did it on purpose to
| try and make other repair facilities look bad and make
| their train repair facilities look like a better value.
|
| I'm surprised that you seem to be considering that, maybe,
| like a programmer just put this in there without being told
| to. For fun? Just out of their own individual motivation to
| secretly help the company's profits?
| TeMPOraL wrote:
| > _I 'm surprised that you seem to be considering that,
| maybe, like a programmer just put this in there without
| being told to. For fun? Just out of their own individual
| motivation to secretly help the company's profits?_
|
| Considering this isn't a some random webshit SaaS, but a
| piece of critical national infrastructure, such a rogue
| programmer would - in my books - be committing _treason_.
|
| (Keep in mind that functioning rail system is of military
| importance, and _there 's a literal war being fought just
| over our eastern border_.)
| TomaszZielinski wrote:
| Ah OK! No, the top link seems to be the same as before.
|
| My Scenario 1. wasn't about some rogue employee, only
| about unstructured development process, possibly even
| with no version control.
|
| So there's this one developer that adds the shady code,
| asked by a higher-up, but other developers don't even
| know about it if they don't look into those files. And so
| no-one has a chance to analyze if it's safe to add the
| code.
|
| Or maybe there's version control, but anyone can commit
| to `develop`. And so you see a weird commit from someone
| else, but that's it.
|
| The only _maybe_ non-criminal but still very shady and
| unethical way to do it that I can quickly come up with,
| is if there was a formal process for adding those "hacks"
| would be to implement it as any other feature, perform a
| full safety analysis, etc., just as I can imagine it's
| done for regular stuff.
|
| But then I cannot really imagine how I would answer the
| question about deliberately messing with train
| subsystems, in a train that could be running >100km/h,
| full of passengers...
| lutorm wrote:
| In aerospace it definitely does happen. For example, NASA, as
| a customer, has the right to independently review flight
| software implemented by contractors.
| tester756 wrote:
| Holy shit those aren't some random ass hackers
|
| They are members of top CTF team of last decade - Dragon Sector
|
| Also, the story is wild as fuck!
| faeriechangling wrote:
| So these manufacturers literally ransomed Poland by crippling
| critical infrastructure?
|
| This is an incredibly brazen crime and I'm not so confident they
| will get away with it.
| p_l wrote:
| Manufacturer, not repair workshops - the repair workshops just
| won the bid and vendor decided to retaliate.
| mistrial9 wrote:
| any bridges in Philly available for comparison?
| brohee wrote:
| Newag stock price falling quite a bit after the post, is that the
| first Mastodon induced price correction?
|
| https://g.co/kgs/WVku4C
| Sayrus wrote:
| They are still at +10% over 1 month and +25% over 3 months.
| freedude wrote:
| This answers the question, How can I define corporate level
| malicious protectionism?
| cryptonector wrote:
| Well, it gives you an example, not quite a definition.
| hnthrowaway0315 wrote:
| I think the way to fix this is to make sure manufacturers follow
| certain standards so that the products can be serviced by anyone
| who holds certificates in those standards.
|
| This is mostly to break the liability/insurance barrier.
| TeMPOraL wrote:
| That's approximately what the EU forced to happen - third party
| repair shops were approved and allowed access to the service
| documentation. But that means nothing when the manufacturer
| decides to sabotage the trains in firmware _and_ even install
| an Internet-connected hardware backdoor.
| CKMo wrote:
| Ugh, please do not give car manufacturers any ideas!
|
| ...or Boeing.
| crazygringo wrote:
| Generally I'm not part of the crowd that wants to send CEO's and
| management to jail for what are ultimately just bad business
| decisions.
|
| But _this_ should absolutely result in jail time. This is
| literally no different from if the managers of the company
| physically snuck into trainyards and snipped wires and removed
| valves or whatever.
|
| It's literally just sabotage. It's a crime that should result in
| _years_ of jail time for everyone in management who participated
| in this decision.
| TeMPOraL wrote:
| Yup. And this isn't sabotaging some random webshit SaaS. This
| is sabotaging critical national infrastructure - infrastructure
| that's of military relevance, and need I remind anyone, there's
| a hot war being waged over our eastern border right now.
|
| I feel a good enough prosecutor could pin charges of _treason_
| here.
| gruez wrote:
| As much as I like to rake the executives over the coal for
| this, I'm disturbed by the trend of calling anything vaguely
| against the national interest as "treason". Nowadays if I
| hear someone is accused of treason absent any context, it
| could mean anywhere between "knowingly selling nukes to iran"
| to "lobbied for/against a policy that the accuser thinks is
| bad". In this case they're arguably scamming the government
| out of money, but that can hardly be compared to the crime
| knowingly aiding a known adversary.
| cangeroo wrote:
| People are tired and demand better. It's a spectrum for
| sure, but crossing the line is crossing the line.
| inetknght wrote:
| > _In this case they 're arguably scamming the government
| out of money, but that can hardly be compared to the crime
| knowingly aiding a known adversary._
|
| If you're crippling infrastructure then you are inherently
| then you're most certainly aiding adversaries. You cannot
| fight an adversary if you cannot get goods moved.
|
| If you're scamming the government out of money then you are
| inherently aiding adversaries. You cannot fight an
| adversary if you are penniless.
|
| It sounds very comparable to me.
| garaetjjte wrote:
| It's passenger train. No more "critical national
| infrastructure" than city bus.
| TeMPOraL wrote:
| It's some two dozen passenger trains.
| bboozzoo wrote:
| It's not like you couldn't transport troops on a passenger
| train, so I'd say may they never see the light of day again
| -\\_(tsu)_/-. In reality though, I doubt this will result
| in any serious repercussions for whoever called the shots.
| TulliusCicero wrote:
| > Generally I'm not part of the crowd that wants to send CEO's
| and management to jail for what are ultimately just bad
| business decisions.
|
| This attitude is rare. Much more common is wanting to send them
| to jail for deliberately breaking the law -- or presiding over
| widespread flouting of the law by other management. E.g. The
| Wells Fargo cross selling scandal created literally millions of
| fraudulent accounts, and nobody went to jail.
| gruez wrote:
| >or presiding over widespread flouting of the law by other
| management. E.g. The Wells Fargo cross selling scandal
| created literally millions of fraudulent accounts, and nobody
| went to jail.
|
| "presiding over widespread flouting of the law" isn't a crime
| though, and it's difficult to make that a crime without
| running into due process issues (eg.
| https://en.wikipedia.org/wiki/Mens_rea)
| pixel8account wrote:
| There are update logs of the train software. Because of them it
| is known that workers of the company literally snuck into
| waiting trains and updated the software _without the owners
| knowing_. So really, but far from that.
| praptak wrote:
| I wonder who coded the malware clauses and who knew about them.
| Didn't anyone think of whistleblowing?
|
| Btw, here's the page with anonymous opinions about the company
| from (unvetted) employees
| https://www.gowork.pl/opinie_czytaj,19587
|
| They seem to have a pretty toxic work environment.
| dark-star wrote:
| In this case, they probably got the trains cheaper by agreeing to
| have them services only at official service stations.
|
| Still a shady practice but not worse than having expiring license
| keys for unlocking features or similar things
| sundvor wrote:
| Oh you want _brakes_ with that? Sorry you forgot to renew your
| license.
| p_l wrote:
| Nope, there was separate tender for just trains, and for the
| servicing. NEWAG (manufacturer) won the train contract, but
| lost the servicing contract tender.
|
| Under current rules they had to provide as part of the first
| contract complete documentation for servicing that any
| legitimate (vetted & certified) 3rd party company could then
| use. By servicing I mean literally taking the train apart and
| handling individual assemblies to original manufacturers at
| times.
|
| So it is very shady, unethical, and illegal.
| jakub_g wrote:
| Buried in the comments are links to longer write-ups with
| additional details:
|
| Polish:
|
| https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhak...
|
| https://wiadomosci.onet.pl/kraj/awarie-pociagow-newagu-haker...
|
| English:
|
| https://zaufanatrzeciastrona-pl.translate.goog/post/o-trzech...
|
| https://wiadomosci-onet-pl.translate.goog/kraj/awarie-pociag...
|
| For context: Poland is split into 16 voivodships, and after a
| reform from early 2000s, pretty much each of them has its own
| local railway company (which cooperate).
|
| Basically "everyone knew" for over a year something was fishy
| with Newag trains, after a series of faults in trains owned by
| different companies which used a 3rd-party service company
| instead of servicing with Newag, so the service company hired the
| hacker guys, it took a while for the folks to reverse engineer
| things and understand what's precisely going on.
| RicoElectrico wrote:
| It's quite unfortunate as Newag trains are rather higher quality
| than Pesa (other Polish manufacturer). I suppose so reliable,
| they needed to generate artificial faults :D
___________________________________________________________________
(page generated 2023-12-05 23:00 UTC)