In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it.

After breaking trains simply because an independent repair shop had worked on them, NEWAG is now demanding that trains fixed by hackers be removed from service.

  • @[email protected] · 80 points · 2 years ago

    This reminds me of the hacked McDonalds ice cream machines. Except the shitty manufacturers won that one.

    • @[email protected] · 28 points · 2 years ago

      Sadly they will probably win this as well. Some claim there could be safety concerns, and it isn’t certified or could damage their brand… time for people’s manufacturing of products? Hehe

      • @[email protected] · 19 points · 2 years ago

        I think this one might go well. Company preventing a country’s trains from being serviced by a third party. I expect that train builder has already tanked their business, but it would be an interesting one to be litigated, the sort of case that can get the law changed.

      • @[email protected] · 2 points · 2 years ago

        This is an EU country, not the US.

        Things like the DMCA provisions forbidding working around IP protection mechanisms (and software is copyrighted) don’t apply here.

        IANAL (so take this with a pinch), but unless the trains are legally theirs rather than the train company’s, it’s not hacking, it’s just “software maintenance”, and the only right this company has here is to withdraw product warranties because of “unauthorized changes”.

        There might or not be a case against the train company (for example, if the contract forbade this or the train company tried to sell those trains onwards as if they were original) but not against the people who did the software changes on the trains when authorized by the owners of said trains.

        • @[email protected] · 1 point · 2 years ago

          I assume the EU has safety regulations, and if a train suddenly loses its brakes they would be liable, wouldn’t they? Now they can say someone has “hacked the train” and they can’t guarantee the brakes will work. I am not sure where the USA argument came from.

          • @[email protected] · 1 point · 2 years ago

            The responsibility of circulating with a vehicle that abides by safety regulations is the owners’, not the makers’.

            You’ll notice that even in the consumer auto segment (which, since run-of-the-mill consumers are not expected to be “experts”, has lots of ways to make sure that brand new cars are sold already pre-certified “road-worthy” because normal consumers don’t have the know-how to make sure of it themselves), the actual car owners still have the responsibility of having a periodic inspection done on the car and repairing those things that stop it from being road-worthy, and they cannot circulate with it on a public road if it’s not compliant (at least that is the case in Europe).

            Outside the consumer segment, I expect that the rules for trains are pretty similar to those for commercial aviation: the manufacturer has no responsibility beyond a contractual one (i.e. the purchasing entity probably demands contractually that the vehicles they get comply with regulations, the parts they buy obey certain specifications and maintenance done by a manufacturer-certified shop delivers a compliant vehicle) and all the regulatory responsibility is in the hands of the owner (more specifically the “operator”, as for example for leased planes the airline doesn’t actually own them but they do operate them, hence they’re the ones with regulatory responsibilities).

            The USA argument comes from the anti-circumvention legislation for software being part of the DMCA law, said legislation giving rights to the makers of the software to stop changes to it even in devices they do not own. Where such legislation does not apply there is no law forbidding somebody doing whatever changes they want to software as long as they own the device containing said software or have the authorization of the owner of the device whose software they are changing - the only applicable legislation here is Copyright, and that only limits the distribution of the software, not the changing of it.

            It’s not at all unusual for Americans to argue that people can’t legally circumvent software protections even in devices they own, because that is indeed the case in their country thanks to the DMCA, but expecting that to be the case in Poland doesn’t make sense as the laws there are not at all the same as in the US.

            • @[email protected] · 1 point · 2 years ago

              That’s a whole lot of energy spent based on completely incorrect assumptions about me or what I was saying so your argument can work. But sure whatever makes you feel like you are right.

              • @[email protected] · 1 point · 2 years ago

                That’s a very weird take.

                You don’t know me and went all weirdly personal full of assumptions about me and without making an actual argument.

                Whatever is going on there, it’s all in your head.

      • @[email protected] · 11 points · 2 years ago

        I’m not firm on Polish law; do they have the same laws as in the USA? Because that’s what you’re comparing, right?

        • @[email protected] · 1 point · 2 years ago

          As far as I know, there is no such thing as DMCA provisions against working around software protection mechanisms in the EU and in fact at an EU level the direction is to increase ownership rights, not decrease them.

          However, depending on the contract the train company might not legally own those trains (for example, if it’s structured as a lease), but if the hackers can show proof that the train company authorized them to do those changes it would be a case against the train company, not the hackers.

  • @[email protected] · 27 points · 2 years ago

    If they required the trains to be serviced by the manufacturer, they should have written it into a mandatory service contract at the time of sale.

  • rynzcycle · 1 point · 2 years ago

    Is anyone else hearing Aquarela do Brasil or is it just me…

    • @[email protected] · 9 points · 2 years ago

      Trump and the whole Brexit circus have set a very high bar, but somehow someone still manages to produce quality comedy.

  • @[email protected] · 7 points · 2 years ago

    Every time I read about this kerfuffle, I am astounded by the sheer stupidity of the manufacturer. Even if they may be technically in the right here (I don’t know, since the contracts they have with the operator aren’t public), they effectively shoot themselves in the foot with this PR disaster. Especially the various national rail operators across Europe will think twice about buying NEWAG, since these operators usually have their own maintenance and repair centers, and expect to service their rolling stock there. And those national operators still make up the lion’s share of the European rail market.

      • @[email protected] · 1 point · 2 years ago

        I sure hope that they become a political talking point where the government loses votes if they contract with them again.

    • Lemminary · 42 points · 2 years ago

      And American Weight (?) digital scales. The ones that brick themselves after 2,000 uses because how dare you only pay once.

      • @[email protected] · 31 points · 2 years ago

        Lol. Always suspected there was a scam there, but every time I bring it up in a conversation - people just call me a conspiracy theorist.

        This goes for pretty much everything though. Planned obsolescence is real, but people think it’s just the natural way of things.

        • Lemminary · 9 points · 2 years ago

          There is no article that I could find, so I guess you take my word for it. But I’ll fill you in on why I said it from what I remember. You can make up your mind on this:

          I was looking for a digital scale during the pandemic and naturally went on Amazon. I found some within my budget (I live outside the US) but most of them had multiple reviews complaining about a weird error that they couldn’t fix. I did some digging around, yet nobody seemed to know what the error really was that was showing up after some time of prolonged use without signs of wear. Eventually, I got to a thread on some technical forum that said it was a software error that strongly hinted at planned obsolescence after so many uses.

          The weird thing is that I can’t find any of the models that had this on Amazon anymore but it doesn’t surprise me after some of the shit I’ve seen on there with people manipulating reviews on other products I’ve bought. So I guess it could go either way for someone review-bombing the product or it being a real issue, but that doesn’t explain the error showing up on other sites. I wish I could remember what the error code was.

          If anybody knows anything more about this, I’d love to hear it. It certainly was a strange surprise that ended up costing me a bit more than I was planning to spend. But I guess bullet dodged?

  • @[email protected] · 14 points · 2 years ago

    Spewing bs about how they can’t guarantee the safety and other outrageous shit pouring out their mouths as they provide clearly practiced lawyerspeak to squeeze money from public service into their owners pockets which will then be invested probably in war and killing children for profit.

    But let’s discuss ethics and shit! Fuck faces need to be brought to moral justice for the evil they commit every day of their brainwashed miserable hateful lives, where they pretend to not harm people because they don’t do it themselves but via money grabbing schemes. One day all of this shit will seem to be as stupid as hitting kids is these days.

  • @[email protected] · 2 points · 2 years ago

    Apparently there was some kind of GPS geofencing going on - the software detected that the train went into an uncertified repair yard and bricked the thing. So I assume the hackers just purged that info, or unset the flags that denoted the brick condition, so as far as the train software was concerned it was operating normally.

    It’s an interesting hack, but there is a safety aspect to this too. A train is a complex machine that could go catastrophically wrong and kill a bunch of people. It’s not quite Boeing 737 levels of safety criticality, but neither is it something that should be taken lightly with regards to service procedure or parts procurement. So the manufacturer were being dicks to brick the train. But the train operator using an unauthorised repairer who might not have access to, let alone follow, the correct servicing procedures or parts is not good either.

  • roguetrick · 65 points · 2 years ago

    SPS became desperate and Googled “Polish hackers” and came across a group called Dragon Sector, a reverse-engineering team made up of white hat hackers.

    Hilarious. I hope 404 continues with this level of high quality journalism.

    Dragon Sector, who they hired, is a security capture-the-flag team.

    https://dragonsector.pl/

    Edit: Socials of those who worked on it

    https://social.hackerspace.pl/@q3k
    https://infosec.exchange/@mrtick
    https://infosec.exchange/@redford

      • @[email protected] · 8 points · 2 years ago

        I did one before. They are SO MUCH FUN. Now I have too many children.

        sob

        edit: There are other ways of capturing the flag like having your team name on the home page of a local web server or whatever.

    • verity_kindle · 8 points · 2 years ago

      Finally, hackers with a cool name, like Bellingcat or Oryx. It’s all I’m asking for, but the Russian and North Korean hackers are so disappointing in so many ways.

  • @[email protected] · 2 points · 2 years ago

    I thought white hat hackers only do their shitty CTF exercises every day. Wouldn’t hacking a DRM’ed national train be a black hat interaction? I’d like to know if that company can press charges.

    • @[email protected] · 2 points · 2 years ago

      If the train owner allowed it, it’s just maintenance that happens to affect software.

      Hacking would be if it was not authorized by the owner.

      Any maintenance not authorized by the train maker entitles them at most to suspend the warranty.

    • Lev_Astov · 35 points · 2 years ago

      Yeah, especially in the EU where apparently their laws regarding circumventing DRM might make the people who fixed this the bad guys instead of this comically evil manufacturer who put GPS kill switches on public passenger trains.

    • FlashMobOfOne · 24 points · 2 years ago

      right below war correspondents

      Eh, they should report war on the same page as the weather if you ask me.

      • Obinice · 66 points · 2 years ago

        Let us know what country you’re in, so the next time you’re invaded and genocided we’ll remember it’s barely as important as the weather forecast.

        • Star · 9 points · 2 years ago

          I think the idea is that people check the weather, so they will actually see it. Like, I never read the sports section, but if there was a tidbit on the weather page I might click it.

          • @[email protected] · 25 points · 2 years ago

            That’s generous but their user history makes it pretty obvious that they’re mad about aid being sent at all when it could go to paying off their student loan debt instead.

        • @[email protected] · 5 points · 2 years ago

          My reading of that was “climate change will kill most of our species in the long term if we don’t take it seriously, so that’s also something very important to track and belongs on the same page as wars.”