6:42 Part of the contract to buy the trains was that the train operator got all the information needed to repair it and was allowed to go send that information to other companies. They specifically built right to repair in to the contract and the train manufacturer said "fuck that".
@@Henry_D the prosecutors office is investigating Newag for not just fraud but also industrial sabotage. A parliamentary commission is also looking into this.
I know this is to go to the extreme... but i would classify this as will full disruption of critical infrastructure... which in many countries are equated to acts of terrorism.
I heard that argument in the case of the Polish trains. Dunno by who, or how that went though. It's an argument I would get behind, and something I would vote for, if it's not already law in my country.
It’s also a risk to national security because these trains can be (and have been) updated over the air in a way that disables them. That means that someone could hypothetically hack into Newag and brick hundreds of trains across the entire country.
3:13 "It's for security" is basically the "think of the children" for tech. It's a convenient scapegoat to point to, since if anyone criticises you for it, you can just say "do you hate security??"
None of this bullshit should be tolerated. Your company should not be able to recover from pulling that kind of stunt, especially when it comes to public vital infrastructure like trains.
A company should not be able to recover from that kind of stunt PERIOD. Or at least not the people who pressed for, decided on, and made it a thing in the first place.
@@4.0.4 Auctioning away the company is a bit much, unless it can be proven that the executives that pushed for this action were actually instructed to do so by the owners/shareholders. But the executives should definitely go to prison for this. This kind of destructive greed shouldn't be tolerated in human society.
@@kahtyman7293there aren't many train manufacturers around and those deals take years to organise and sign. I'm sure any future client will take these events into consideration.
I love how the train manufacturer still tries to deny the allegations even after code that was found that would lock up the trains if their GPS coordinates where within non-manufacturer approved service centers. Obviously for security reasons.
It's Poland dude. Our president just yesterday harbored two deputies convicted by a judge for two years in prison. Newag also has ties with that political party that the president is from. Very corrupt. No one will face any consequences whatsoever.
I don't know if this "rule" is worldwide but in Poland there is this dictum: if you are cought stealing claim it's not your hand. Seriously not a single person cought on any kind of stealing lying is going to confess.
According to hacker team presentation in Germany the manufacturer site was also on the "restricted area list" but actually this location could be disabled on demand. Hacker team concluded this might be used for testing "a surprise" at manufacturer workshop.
If I remember the talk the hacker group gave correctly, those DRM measures even were being installed on sold units only after the manufacturer didn't get the bid for the first servicing contract after the warranty period. They lost the bid, and only then installed that BS.
That's one. But there is more to this - in EU you can't make it impossible for other companies to do maintenance work for your products, at least of this scale/type - it's critical infrastructure. Plus some of those were introduced by unathorized software updates.
As someone in the train industry - we make brake systems for trains. By EU laws we are required to archive everything for 25 to 30 years and provide support for the same amount of time. I have worked a number of times on trains even older then me (I am 30 btw). Newag must have the archived source code for this - and I am fairly certain that 3rd party investigators will have a look on it to confirm the claims. I think selectron can also get back the data from the PLCs that were affected. I am familiar with the system and wrote code for similar devices as well. I was intrigued about the hour long presentation about the findings of the team and how they did it. I took notes as they used techniques that I will as well in the future.
Initially at the first parts of the presentation I was thinking of Occam's razor - and thought that it must not have been malicious intent. But later during the pres it became clear this was not the case.
The geofencing made it completely clear that they wanted to drive the repair to their own locations - there is no sugar coating that. The other parts - timed shutdown, silent "kill" of trains, I can "see" reason behind. But I can not stand for the geofencing of competitors locations. Right to repair is important and will soon be enforced way more in the EU :)
@@HuntersOA Out of curiosity, what are the reasons you saw behind the other parts? And how would you justify not including those "features" in the official documentation?
@@martenkahr3365 Stupidity, lack of time, high complexity of code and several departments working together where everything is rushed and thus they have poor communication and documentation
Hey man, newag actually tried to cover their tracks by not removing but updating the blocking feature because first iteration was locking trains randomly. The dragon sector actually made backups and proven that newag was installing unsanctioned secret updates to code and when asked not to they did it anyway over the air. Lol. They charged around 20k USD to remove the software lock.
7:10 Developers are not idiots. They will develop what they're told to develop, but they absolutely know what's going on. I've got developer colleagues dotted around Europe, including Poland, and they're absolutely on the ball with cause and effect.
Oh absolutely. EVERYONE who develops/codes something absolutely knows what's going on and will do it as long as they're compensated for it. They know the effect, the risks and everything related. Unfortunately money does its thing and people will do many unethical things just to get part of the cake.
Well, this is one way for governments to finally decide that DRM has gone too far and step in. Hopefully this will lessened companies ability to use the DRM in the future all over the market.
@Dayanto Considering this is Poland with probably some corruption, either the CEO get away scot free, or gets locked up for a long time for stepping on the wrong toes
@@Demopans5990Poland is low in corruption but has ineffective slow courts. Even if newag higher ups gonna get sued the results will probably be seen in 14 years lol.
5:18 As a software developer, initially I felt offended and felt the need to defend myself, but then I remembered just how many software developers there are, and yeah, you're probably right.
i watched the presentation from the hacking team, the thing that stuck with me was Newag saying the secondary compressor failed when it didn't: the secondary compressor is what connects the train to the powerlines. they obfuscated the lockout by disabling a component necessary to turn the train on... while also having a straight up silent throttle disabler, even on a fully functional train. theres even more crazy stuff in that presentation, but others have probably commented it already
For those wondering about the 'things Lucas has done' that Linus mentions, he's talking about his role in "the basement". You see no one ever leaves LTT. A lot of people think there have been different employees that have quit but really they're all just chained up in a secret sub-basement. Linus isn't even putting them to work on anything. He just... "collects" them.
To Luke's point, its not always actually that easy to just find a new job, lol, believe me, ive tried. That and a lot of devs really, really, dont care.
Considering how the code in question looked like (in particular the date comparison) the person who was in charge of the locking features may very well not be an actual programmer.
@@ThePC007 I don't know for sure what they use in passanger trains, but we use PLC's in our heavy duty and shunting locomotives as the center that connects everything and handles the main programm and HMI. So it's a quite simple logic programm and easy to learn, compared to actual programm languages. I wonder how they managed the serial number lock out and GPS stuff. They must have used their own train protection systems and stuff like that with more detailed software. Systems we get supplied by third party companies like Granitor or Bombardier/Alstom And yes, the train and locomotive sector is tiny. If you want to change the job within the sector your options are very limited. Especialy if you don't want to move to another country
As an engineer working in the tech industry specifically in IT(networking and security)i can assure you that many companies sell their main products (routers switches firewalls...) with a low margin then recouping with selling tech support plans
I'm starting to get into the automation side of things but I'm starting to notice Allen Bradley PLCs/VFDs giving us less-and-less access to the programming. Not a lot but it's starting to get annoying. It's getting to the point already with some automation manufacturers after installing equipment that doesn't work. The manufacturer will charge $12,00 to come fix it when we used to be able to adjust timing and burn in in the EPROM.
I mean, i resigned from my first job because i learned that my employer had a history of violating the GPL. Among other frustrating software practices.
Re Security: The manufacturer obviously installed new firmware on the trains without it being approved or even informing the owners/operators. Timestamps in the software prove that. That's how they handle security....
7:00 In Poland train market is quite regulated in terms what kind of maintenance have to be done and when - they is on level from P0 to P5 where fist is generally some kind "weekly", and P5 is generally full rebuild of train. But this is not yet most disgusting part. At beginning of history Koleje Dolnośąskie (KD) an operator, issue auction for buying new trains between dealers - it was partially publicly founded and require action by law in Poland. One of part of this auction requirements was that winner has to deliver all required documentation and tools/softwere to perform all maintenance form P0 up to P3 including by KD. Newag was winner of that action, trains were delivered, first P3 maintenance were done by Newag as it was a part of guarantee issued by them. Time pass guarantee was finished and next one P3 was not covered in original "contract". KD issue another auction for performing scheduled P3 maintancne - Newag start in this one, but SPS issue best offer. First train goes on and here story goes as in clip... Without this introduction i would consider action of Newag as just being jerk but in gray area of bussiness relationship, but requirement of first action were clear and are closer to illegal competition and fraud.
Luke seems to have misunderstood the article (he thinks the trains were taken out voluntarily while in use). The trains were taken out when being serviced at competitors. It just happens there was bad code as well in it which took out idle trains. Even in their evil genius move, they didn't think of all edge cases.
I have 7 epub files on my computer that I legally bought but cannot access because the stupid DRM forbids me to use my eBook program and forces some shit Adobe program down my throat Putting them on my tolino is just straight up impossible I don't wanna be the next Blackbeard, I just wanna read the book I bought with the program I trust Fuck DRM
Calibre plus the drm removal plugin. You just search for apprentice alf's drm removal plugin add it manually to calibre and just drag and drop the file into calibre. And magic it is done.
brute forcing ASCII is relatively easy for short passwords. but brute forcing Unicode would probably easily take the lifespan of the universe to break. ASCII has 95 printable characters, Unicode 15 has 149186 characters
I worked for a company making an app for lending money. It had pretty aggressive marketing and induced debt on tens of millions of customers. There were several brilliant developers that refused a well payed position on the project based on moral grounds. Most of us just didn't really think (or care) about the moral implications of what we were implementing...
Well, North Americans don't really have multiple units on mainlines, so they don't know that. Besides, Newag really only builds trains in the Poilsh market, so it's pretty niche. Don't forget that Bombardier is Canadian, not that that matters, but still...
@@johannessamuelsson6578 also Bomardier transportation? I thought it was mainly in Berlin... but now its another company. Yes here in germany there are many, many more trains than in most american countries.
The 737 max "Pay for all the sensors" subscription failure was a great example of choices like DRM trains not being a part of the Devs but actually being on behalf of the C level literally outsourcing the final code for that " service" to India where they literally will " click button to make money "
As a software developer I have worked at a place where they said x and after you wrote your code someone else would change it slightly to be more malicious like this so yeah def a thing. Good ole prod then after prod prod. Client value adding is what the 2nd prod was told as lol.
It’s like a car service notification locking you out your car and you only able to get it service by a certified dealer for that brand not just the popping to your local service garage to get basic service and safety check
It’s a train what kind of security would it possibly need other than basic locks to prevent any random from just taking the train with out authorization
Well most trains are connected to the internet nowadays and most are perfectly capable of being driven through software alone, ie you dont need to manually press a button So in theory although i dont believe it has ever been done you could hack into a train, speed it up to 100 mph and plow it into a station of waiting passengers,
@@randommusic4567 I would hope that train operation would be contained to a closed network that has no direct connection to the internet. Since it’s really not something that needs an internet connection to operate.
@@Mike2321x well for instance the DLR in London is entirely driverless, the trains communicate with eachother and with their central command centre, and the command centre communicates with the screens in the stations and also with the central train websites and with apps on people's phones to keep them updated on the progress of a train Given that some information about the status speed and progress of each individual train eventually makes it to end users there must be some connection somewhere Hence the need for security
My guess would be he meant a space in passwords (almost nobody brute forces that lmao), but Unicode isn't bad either. Any modern website should be able to handle both, just make sure you have a way to reset the password just in case.
Could also be a special character from the french alphabet like ë, è, é, ê or ç since they are kinda native in canada but are not geenrally used since the are only part of the extende ASCII and also not part of UTF8.
There was a heating boiler manufacturer that supplied the UK market that had a special module that would throttle the boiler output when the annual service and legally required safety inspection was overdue by a set period. This was designed for rented property so the residents would ensure access by the engineer for its annual safety checks etc. It reduced the output by about 25% and then a further amount after an extended period. The resident still had heat and hot water, but would prompt them to actually allow access. The engineer would reset the timer using a specific procedure and it would operate as normal again.
The very best part is that they generated the software that was running on the trains to include a random selection of those lockouts. It's the great train lottery !
About passwords: I was able to use extended Windows-1252 characters in passwords for some websites and services in the past. A lot of them nowadays don't seem to care for it anymore (they must be basic ASCII or go home)
utf-8 is generally used now rather than codepages, but it depends on database collations etc, and some developers don't test their software on anything but ascii.
im convinced this is why my 4th gen ipod still works. i installed rockbox six months into ownership. it took out what ever self-destruct code apple had on it.
To be fair to the train company... do we know what was disclosed? Did this country KNOW there was DRM... seems like it would be in a contract. Honestly, it also makes sense for something like a complex train. where at any given moment tens of millions of dollars of machine, people, property is on the line. If there is something special about it such that standard train mechanics could mess it up, then it makes sense to protect the company's reputation. If that train derails due to something repaired or maintained in a faulty way, the train maker and operators' names both become front and center. It might get cleared up later but nobody ever sees retractions , updates, corrections to stories.
You can find the original video on RUclips, it's pretty good. It's not really DRM at all it's just things like "if the train has not run for 10 days then disable it", so that only the manufacturer knows how to turn it back on. The idea being that a 3rd party would take the train to their shop, perform maintenance and then not be able to start it again. They also used GPS to say if it is within coordinates of their competitors then disable the train etc. This was all done after the maintenance contract with the manufacturer ended, and the train company signed a deal with a different company for maintenance. They basically said well if you're not going to be our customer any more then we will remotely disable your train that you already paid for.
About people who program stuff like this: I guess they just see programming sophisticated DRM measures as a competition challenge with the repair companies, as some sort of game of cat-and-mouse. I suspect they don't think that much about the greater socioeconomic consequences (creating a monopoly, making resale difficult etc.).
I used to use the alt code for the pi symbol in my passwords, then i had a device that didnt take alt codes and i justs sat there twiddling my thumbs whike i looked for a nearby dongle and full size keyboard
Trains definitely should have restrictions on who can work on them and where parts can be sourced from, just like aeroplanes, but they should be restricted by means of the parts and workers meeting strict guidance from the manufacturer not that only the manufacturer can work on them
Linus, this code was exactly what it appears to be. Train manufacturers will instantly pull the warranty if the vehicles are not serviced and inspected at the required intervals... This was all about making 3rd party maintenance difficult if not impossible... At one point NewaG even claimed that SPS the 3rd party service company was incompetent in order to scare the operator to revert service to NewaG... Shady as f*ck...
If anyone is interested in what Luke was probably hinting at, there are certain characters that have multiple key long combos to enter that is only supported on some operating systems. For example, on Macs there are special key combos that are mapped to type ridiculous and weird symbols that you would never think to type in any use case, let alone a password. Said key combos are easy to memorize and also not mapped in Windows or Linux, and since most malicious people are not the types to use expensive Apple software or difficult to set up Hackintosh, its one step above impossible for them to guess your password. Its also easy to type this password in on a phone or non-Mac since all you would need to do is look up and copy paste that symbol.
@@Micromation Mac was just an example, Windows has key combos that Mac doesn't have, so does Linux, etc. The point is its not uniform between the OSes, making it even more unlikely to be guessed.
@@robinbegley1077 All Quake engine based games did. Needless to say, Jedi Academy or CoD1/2 had very elaborate player nicknames displayed on the scoreboard.
international compressor failure day is celebrated by train manufacturers... I'd love for hackers to take a look at Siemens and Alstom train code... I'll bet NewaG are not the only ones doing this. Hopefully train and car manufacturers are paying attention... Dishonesty will always come out eventually, manufacturers are simply not clever enough to defeat determined people that only want the truth....
One good trick for making passwords is to use concepts that you find offensive and disgusting. The brain is designed to remember things that are offensive and disgusting. Going about it. That way you can make really long passwords that are super easy to remember.
The problem is that when you reject doing your work (even if it's morally questionable or illegal), you're getting fired for cause. This then puts a stain on your resume, making it very hard to get a good job again. The only way to get that stain off is to sue your ex-employer, proving in court that the work order was, without any doubt, illegal. However, this then puts the stain "of sues their employer" onto your resume, which makes it even harder to get any job.
I did work experience at a tractive motive depot.. Thats a Railway maintenance depot. We were working on Class 47 locomotives in the UK. If they had blocked a location with software there.. The locomotives would be scrapped before we had them service them. they would never get a contract to build a circuit board, let alone a locomotive unit.
alt codes in paswords? would be good idea and easy to remember.... .Also i think there could be some complications based on encoding/keyboard input or something like that
This scam was actually pioneered by Volkswagen in the 1970s (or perhaps earlier). My 1972 Volkswagen Transporter (Type II / Van) had a red "servicing required" light on the dashboard that would go off every 10,000 miles or so, regardless of how the vehicle was performing. The only way to get this annoying and worrisome warning light to turn off was to get service performed by an authorized VW mechanic, who would putz around, upsell you on oil changes and the like, and at some point hit a hidden warning light reset switch that was located in a secret recess under the front floor covering.
Not all software developers are Good Guys, but some are. You would think something egregious like this would be leaked somehow by the one developer with conscience.
@@marshmallow8709They're only allowed to be fixed by the company that made them. Kytch was being made to help diagnose and fix the issue, but they got sued out of existence
No, it's well documented that the machines give cryptic error codes for basic problems (eg, hopper too full), forcing franchisees to get expensive service from just one company that happens to be mostly owned by the same people as are making the rules.
@@marshmallow8709 to add to the above, a startup tried to make a small device that plugged into the machines and actually made them serviceable by McDonalds staff. Mcdonalds corporate cut them out and now the startup is suing McDonald's.
Using Unicode characters for passwords instead of just the ASCII-7 set that is on US keyboards is indeed a good strategy. There are a number of ways to make this feasible: (a) Using a Mac. There are dozens of extra characters available using the Alt key. Stuff like é, ö, µ, or §. (b) Installing a second, foreign keyboard layout. Most of them have different characters right of the P-L-M line and for shifted 1-0. Simply switch layouts with a hotkey when entering passwords. (c) Using the keypad (Windows). Type in the character code on the keypad while holding alt. For example, Alt-2 is ☻, Alt-0666 is š, Alt-01234 is Ò, Alt-01222 is Æ, ... (There also is a registry setting to enable hexadecimal input for full Unicode, but that's a bit annoying to enable.)
DRM should be banned across the board. Any company that has ever used it should be required to refund every customer who bought any product with DRM, and not just the initial purchase price. Everything associated with it. For something physical, that means all repairs, past and future, and rental or subscription fees. For software, like a game, the purchase price, DLC, subscription fees, and microtransactions. And just for good measure, let's also require a public domain release of everything associated with the product, including encryption keys. That means the Blue-ray master encryption key would have to be released, allowing anyone to make a valid disc that'd work in any player.
The geofencing has even a testing flag with newag location in geofencing to test if it works. Train date comparsion for failure was badly written it would fail on the 21st November but would magically start working on the first December then fail on 21 december and then start working on January 1st...
hey ltt over the holidays i was helping my parents set up car info-tainment settings, i went to a system tab and it showed like 8gb used of 20 terabytes of available storage. why the hell do cars have so much storage (it doesnt have self driving)
During the presentation in Polish parlament train manufacturer defended itself by claiming that: -they didn't wrote the code of problematic controller -they do not know who made alteration to the code, according to their claim the asked for formal investigation who did it -they claimed hacker team had no right to reverse engineering the code extracted from problematic controller -they tried to present poor quality of mechanical repair work performed by service company (this triggered angry reaction form MP's attending the presentation - they accused manufacturer for departing from cybersecurity issues to mechanical/procedural problems.) A second meeting before parlamentary comision is expected to take place in February. Same parts should attend this meeting: manufacturer, operators, hacker team, regulation authorities. Acutally the date of this meeting has not been set.
I Don't know about passenger trains as much, but the locomotives you see pulling freight here in Canada and the US, when brand new are about $2m a piece. I would hope to fuck that something so expensive has absolutely zero bullshit like this happening.
The train sector in the EU is very antiquated. Technology is very closed off and red tapped it's most probably because of corruption. They label it as safety etc. It's very hard to get into the design of trains unless you're 'in' from previous generations.
If a person being paid to do any work is told by their “employer” to do something they don’t agree with they have two choices: do it or say no and face the consequences. As long as the act is not illegal for the worker to do, any issue created needs to be taken up by the authorities or through litigation with the “employer”. That’s my generic version of: It is not up to programmers to be the conscience of their “employer”.
I personally avoid any kind of company that does shady stuff like this. Though I guess when you need a paycheck and can't go anywhere else, that would be a harder choice.
For me, there's two sides to this DRM issue, one side is that I like fixing things myself, and I think everyone should be able to fix something themselves if they want to and have the ability. The other side is that I know from experience that most people think they're more capable than they actually are, ambitions outweigh abilities, and you end up with something that's entirely fucked up and you have that much extra work to fix it, where if they'd just asked you a question or brought it in you'd be able to fix it in 5 minutes. Now because they messed with it you've got to fix their attempt as well as what the original problem is. This comes down to documentation though.
The idea of defrauding one's own country brings to light an idea that a company deeply involved with state-wide infrastructure _would_ hire persons in countries with a competing interest so that they were _more_ willing to incorporate procedures which enact betrayal of the state's own hardware. _If_ there is validity in this idea, then that means Newag may well be hiring people with a vested interest _against_ Poland to develop software for Poland. Like, this is wild stuff. What Newag is _still_ continuing to do with their trains should be tantamount to terrorism. It _is_ terroising Polish people in a quiet and insidious way for sake of corporate gain, and it should be punished _as_ terrorism, to the greatest extend Poland can muster. You may fuck with the common man in their own home, but you don't fuck with the state by putting ransom on services because of third-party repair for something that isn't a commonly-held commodity.
This is worse than John Deere 🤦♂️ Let's just brick public freakin transportation now because greed Almost borderlines terrorism to me It's one thing to penalize a customer when they become delinquent on loan or service bill, for example But penalizing them by disabling their freaking equipment because they missed a "required service interval" . . . gimme a break
I don't think Apple would have gone to the trouble of doing 15 different custom firmware versions for 30 different trains. According to the " 37C3 - breaking DRM in Polish trains" presentation: Newag was able to use different triggers for different trains; presumably so that finding and fixing the malware on one train would not work on the next. Apple operates at a scale where such shenanigans would not be feasible. They would need to pay a programmer to tamper with every second phone. The margins are just not there. Edit: 6:00 first Apple, then Hyundai with their $60,000CAD batteries costing more than the car. 9:20 I just gave up and started using randomly generated passwords to a prescribed entropy. The only issue is that sometimes a "number" is required: which actually lowers the overall entropy per character.
"Apple operates at a scale where such shenanigans would not be feasible. They would need to pay a programmer to tamper with every second phone. The margins are just not there." They would just have a cheat patches repository that auto-applies patches for each instance.
I think that's more about each train being a bespoke item (~10M $ each), customized to customer spec and produced over the period of many years, unlike a mobile phone.
A RMA on a train is a federal state level decision Fyra NS. Repair on a train is done in house RET Metro. Revisions on trains are done in house DDZ Nedtrain. That’s how infrastructure works.
6:42 Part of the contract to buy the trains was that the train operator got all the information needed to repair it and was allowed to go send that information to other companies. They specifically built right to repair in to the contract and the train manufacturer said "fuck that".
Absolutely
At that point just sue to get a full refund while keeping the trains...
That's breach of contract. What was the company thinking?
@@dnb5661 They were thinking "Fuck you, pay me".
@@Henry_D the prosecutors office is investigating Newag for not just fraud but also industrial sabotage. A parliamentary commission is also looking into this.
There's a great video for anyone interested called 37C3 - breaking DRM in Polish trains which explains what happened in the code
this, the talk was pretty interesting and funny
Now I celebrate "international compressor failure day" twice a year!
Came here to say the exact same thing, it really is a great talk.
I love the videos from CCC.
@@heyjakeay I'm not saying we should, all i'm saying that if someone made petition to make that national holiday i would sign it.
I know this is to go to the extreme... but i would classify this as will full disruption of critical infrastructure... which in many countries are equated to acts of terrorism.
I heard that argument in the case of the Polish trains. Dunno by who, or how that went though.
It's an argument I would get behind, and something I would vote for, if it's not already law in my country.
Yes, this should absolutely be treated as severely.
This kind of intentionally built-in breakage could absolutely be used as a form of blackmail, which I would consider a terroristic act
if teens glueing themselves on to the street is seen as terrorism by many now adays, bricking trains definitly is
It’s also a risk to national security because these trains can be (and have been) updated over the air in a way that disables them. That means that someone could hypothetically hack into Newag and brick hundreds of trains across the entire country.
3:13 "It's for security" is basically the "think of the children" for tech. It's a convenient scapegoat to point to, since if anyone criticises you for it, you can just say "do you hate security??"
None of this bullshit should be tolerated.
Your company should not be able to recover from pulling that kind of stunt, especially when it comes to public vital infrastructure like trains.
A company should not be able to recover from that kind of stunt PERIOD. Or at least not the people who pressed for, decided on, and made it a thing in the first place.
well, in recent months they've got orders for more trains, and don't forget, they also make some important parts for trams
Exactly, the higher ups should go behind bars and the company auctioned away.
@@4.0.4 Auctioning away the company is a bit much, unless it can be proven that the executives that pushed for this action were actually instructed to do so by the owners/shareholders. But the executives should definitely go to prison for this. This kind of destructive greed shouldn't be tolerated in human society.
@@kahtyman7293there aren't many train manufacturers around and those deals take years to organise and sign. I'm sure any future client will take these events into consideration.
I love how the train manufacturer still tries to deny the allegations even after code that was found that would lock up the trains if their GPS coordinates where within non-manufacturer approved service centers. Obviously for security reasons.
It's Poland dude. Our president just yesterday harbored two deputies convicted by a judge for two years in prison. Newag also has ties with that political party that the president is from. Very corrupt. No one will face any consequences whatsoever.
I don't know if this "rule" is worldwide but in Poland there is this dictum: if you are cought stealing claim it's not your hand. Seriously not a single person cought on any kind of stealing lying is going to confess.
According to hacker team presentation in Germany the manufacturer site was also on the "restricted area list" but actually this location could be disabled on demand.
Hacker team concluded this might be used for testing "a surprise" at manufacturer workshop.
If you don't tell people about this DRM up front, it should be considered fraud, and all available remedies to resolve should be on the table.
If I remember the talk the hacker group gave correctly, those DRM measures even were being installed on sold units only after the manufacturer didn't get the bid for the first servicing contract after the warranty period. They lost the bid, and only then installed that BS.
That's one. But there is more to this - in EU you can't make it impossible for other companies to do maintenance work for your products, at least of this scale/type - it's critical infrastructure. Plus some of those were introduced by unathorized software updates.
As someone in the train industry - we make brake systems for trains. By EU laws we are required to archive everything for 25 to 30 years and provide support for the same amount of time. I have worked a number of times on trains even older then me (I am 30 btw).
Newag must have the archived source code for this - and I am fairly certain that 3rd party investigators will have a look on it to confirm the claims. I think selectron can also get back the data from the PLCs that were affected. I am familiar with the system and wrote code for similar devices as well. I was intrigued about the hour long presentation about the findings of the team and how they did it. I took notes as they used techniques that I will as well in the future.
Initially at the first parts of the presentation I was thinking of Occam's razor - and thought that it must not have been malicious intent. But later during the pres it became clear this was not the case.
The geofencing made it completely clear that they wanted to drive the repair to their own locations - there is no sugar coating that. The other parts - timed shutdown, silent "kill" of trains, I can "see" reason behind. But I can not stand for the geofencing of competitors locations. Right to repair is important and will soon be enforced way more in the EU :)
@@HuntersOA Out of curiosity, what are the reasons you saw behind the other parts? And how would you justify not including those "features" in the official documentation?
@@martenkahr3365 Stupidity, lack of time, high complexity of code and several departments working together where everything is rushed and thus they have poor communication and documentation
Hey man, newag actually tried to cover their tracks by not removing but updating the blocking feature because first iteration was locking trains randomly. The dragon sector actually made backups and proven that newag was installing unsanctioned secret updates to code and when asked not to they did it anyway over the air. Lol. They charged around 20k USD to remove the software lock.
7:10 Developers are not idiots. They will develop what they're told to develop, but they absolutely know what's going on. I've got developer colleagues dotted around Europe, including Poland, and they're absolutely on the ball with cause and effect.
Oh absolutely. EVERYONE who develops/codes something absolutely knows what's going on and will do it as long as they're compensated for it. They know the effect, the risks and everything related. Unfortunately money does its thing and people will do many unethical things just to get part of the cake.
Well, this is one way for governments to finally decide that DRM has gone too far and step in. Hopefully this will lessened companies ability to use the DRM in the future all over the market.
Yeah, this needs to result in jail time for all the higher-ups involved in approving this.
@Dayanto
Considering this is Poland with probably some corruption, either the CEO get away scot free, or gets locked up for a long time for stepping on the wrong toes
DRM went too far when it became more than an install time CD key, and I'd argue even that is too much
@@Demopans5990Poland is low in corruption but has ineffective slow courts. Even if newag higher ups gonna get sued the results will probably be seen in 14 years lol.
5:18 As a software developer, initially I felt offended and felt the need to defend myself, but then I remembered just how many software developers there are, and yeah, you're probably right.
DRM = DeRailment Management 😅
i watched the presentation from the hacking team, the thing that stuck with me was Newag saying the secondary compressor failed when it didn't: the secondary compressor is what connects the train to the powerlines. they obfuscated the lockout by disabling a component necessary to turn the train on... while also having a straight up silent throttle disabler, even on a fully functional train.
theres even more crazy stuff in that presentation, but others have probably commented it already
For those wondering about the 'things Lucas has done' that Linus mentions, he's talking about his role in "the basement".
You see no one ever leaves LTT. A lot of people think there have been different employees that have quit but really they're all just chained up in a secret sub-basement. Linus isn't even putting them to work on anything. He just... "collects" them.
To Luke's point, its not always actually that easy to just find a new job, lol, believe me, ive tried. That and a lot of devs really, really, dont care.
Maybe don't that well paid
Also if you don't do, they will find someone who does anyway.
@@neociber24 what?
Considering how the code in question looked like (in particular the date comparison) the person who was in charge of the locking features may very well not be an actual programmer.
@@ThePC007 I don't know for sure what they use in passanger trains, but we use PLC's in our heavy duty and shunting locomotives as the center that connects everything and handles the main programm and HMI. So it's a quite simple logic programm and easy to learn, compared to actual programm languages. I wonder how they managed the serial number lock out and GPS stuff. They must have used their own train protection systems and stuff like that with more detailed software. Systems we get supplied by third party companies like Granitor or Bombardier/Alstom
And yes, the train and locomotive sector is tiny. If you want to change the job within the sector your options are very limited. Especialy if you don't want to move to another country
As an engineer working in the tech industry specifically in IT(networking and security)i can assure you that many companies sell their main products (routers switches firewalls...) with a low margin then recouping with selling tech support plans
I'm starting to get into the automation side of things but I'm starting to notice Allen Bradley PLCs/VFDs giving us less-and-less access to the programming. Not a lot but it's starting to get annoying. It's getting to the point already with some automation manufacturers after installing equipment that doesn't work. The manufacturer will charge $12,00 to come fix it when we used to be able to adjust timing and burn in in the EPROM.
@garcjr Yeah basically the majority of fields operate like this now
I mean, i resigned from my first job because i learned that my employer had a history of violating the GPL. Among other frustrating software practices.
The security pitch is literally how it's sold to stake holders that's why it's used as a defense so often.
Dragon Sector is unironically a badass name
Re Security: The manufacturer obviously installed new firmware on the trains without it being approved or even informing the owners/operators. Timestamps in the software prove that.
That's how they handle security....
7:00 In Poland train market is quite regulated in terms what kind of maintenance have to be done and when - they is on level from P0 to P5 where fist is generally some kind "weekly", and P5 is generally full rebuild of train. But this is not yet most disgusting part.
At beginning of history Koleje Dolnośąskie (KD) an operator, issue auction for buying new trains between dealers - it was partially publicly founded and require action by law in Poland. One of part of this auction requirements was that winner has to deliver all required documentation and tools/softwere to perform all maintenance form P0 up to P3 including by KD. Newag was winner of that action, trains were delivered, first P3 maintenance were done by Newag as it was a part of guarantee issued by them.
Time pass guarantee was finished and next one P3 was not covered in original "contract". KD issue another auction for performing scheduled P3 maintancne - Newag start in this one, but SPS issue best offer. First train goes on and here story goes as in clip...
Without this introduction i would consider action of Newag as just being jerk but in gray area of bussiness relationship, but requirement of first action were clear and are closer to illegal competition and fraud.
Great news : It's compressor failure day !!
Luke seems to have misunderstood the article (he thinks the trains were taken out voluntarily while in use). The trains were taken out when being serviced at competitors. It just happens there was bad code as well in it which took out idle trains. Even in their evil genius move, they didn't think of all edge cases.
Not quite. The code was: if not driven above 60kph in the last 10 days then lock train. They did a talk at 37c3, where you can see a lot of details
@@Hennue There was also a block on some geographic locations and remote control just in case. The bad code I talked about was that 10 days lock.
@@ExilumDragon Sector haven't confirmed remote control as of yet
@@Hennue A bit like VW, if driven in certain ways with no steering input it must be an emissions test, so run clean.
I have 7 epub files on my computer that I legally bought but cannot access because the stupid DRM forbids me to use my eBook program and forces some shit Adobe program down my throat
Putting them on my tolino is just straight up impossible
I don't wanna be the next Blackbeard, I just wanna read the book I bought with the program I trust
Fuck DRM
You should have a look at Calibre and it's plugins
Calibre plus the drm removal plugin. You just search for apprentice alf's drm removal plugin add it manually to calibre and just drag and drop the file into calibre. And magic it is done.
Calibre might help you
@@mskiptr I know it could
I just don't understand how it works
@@Soguwe alf's drm removal plugin calibre. I do not know why my first answer was deleted.
brute forcing ASCII is relatively easy for short passwords.
but brute forcing Unicode would probably easily take the lifespan of the universe to break.
ASCII has 95 printable characters, Unicode 15 has 149186 characters
I worked for a company making an app for lending money. It had pretty aggressive marketing and induced debt on tens of millions of customers. There were several brilliant developers that refused a well payed position on the project based on moral grounds. Most of us just didn't really think (or care) about the moral implications of what we were implementing...
The train on the thumbnail is a Bombardier (now Alstom) Talent 2 from the „Deutsche Bahn“ (Germany).
Well, North Americans don't really have multiple units on mainlines, so they don't know that. Besides, Newag really only builds trains in the Poilsh market, so it's pretty niche. Don't forget that Bombardier is Canadian, not that that matters, but still...
@@johannessamuelsson6578 also Bomardier transportation? I thought it was mainly in Berlin... but now its another company. Yes here in germany there are many, many more trains than in most american countries.
dont forget the "international compressor failure day!"
This is fucked. Why is it a fine? They should face criminal charges.
The 737 max "Pay for all the sensors" subscription failure was a great example of choices like DRM trains not being a part of the Devs but actually being on behalf of the C level literally outsourcing the final code for that " service" to India where they literally will " click button to make money "
My experience is most software developers are actually morally good people, you forget near all of them grew up watching star trek etc.
As a software developer I have worked at a place where they said x and after you wrote your code someone else would change it slightly to be more malicious like this so yeah def a thing. Good ole prod then after prod prod. Client value adding is what the 2nd prod was told as lol.
It’s like a car service notification locking you out your car and you only able to get it service by a certified dealer for that brand not just the popping to your local service garage to get basic service and safety check
It’s a train what kind of security would it possibly need other than basic locks to prevent any random from just taking the train with out authorization
Well most trains are connected to the internet nowadays and most are perfectly capable of being driven through software alone, ie you dont need to manually press a button
So in theory although i dont believe it has ever been done you could hack into a train, speed it up to 100 mph and plow it into a station of waiting passengers,
@@randommusic4567 I would hope that train operation would be contained to a closed network that has no direct connection to the internet. Since it’s really not something that needs an internet connection to operate.
@@Mike2321x well for instance the DLR in London is entirely driverless, the trains communicate with eachother and with their central command centre, and the command centre communicates with the screens in the stations and also with the central train websites and with apps on people's phones to keep them updated on the progress of a train
Given that some information about the status speed and progress of each individual train eventually makes it to end users there must be some connection somewhere
Hence the need for security
My guess would be he meant a space in passwords (almost nobody brute forces that lmao), but Unicode isn't bad either. Any modern website should be able to handle both, just make sure you have a way to reset the password just in case.
keyword "should"
I was thinking he might have meant windows alt codes. Then again, no idea how you would input those on a phone...
@@Junebug89 windows "alt codes" are just a fancy way to input any Unicode character
Could also be a special character from the french alphabet like ë, è, é, ê or ç since they are kinda native in canada but are not geenrally used since the are only part of the extende ASCII and also not part of UTF8.
There was a heating boiler manufacturer that supplied the UK market that had a special module that would throttle the boiler output when the annual service and legally required safety inspection was overdue by a set period. This was designed for rented property so the residents would ensure access by the engineer for its annual safety checks etc. It reduced the output by about 25% and then a further amount after an extended period. The resident still had heat and hot water, but would prompt them to actually allow access. The engineer would reset the timer using a specific procedure and it would operate as normal again.
"don't get normally typed for passwords" *proceeds to stare tilde dead in the eye*
The very best part is that they generated the software that was running on the trains to include a random selection of those lockouts.
It's the great train lottery !
My bet is that they keep a dozen or so of internal forks. Ah… the joys of proprietary firmware
@@mskiptr I would bet on conditional compilation. (#ifdef AUTO_DESTROY)
They all had the common lock out, but a few random trains also had unique lock outs
About passwords: I was able to use extended Windows-1252 characters in passwords for some websites and services in the past. A lot of them nowadays don't seem to care for it anymore (they must be basic ASCII or go home)
utf-8 is generally used now rather than codepages, but it depends on database collations etc, and some developers don't test their software on anything but ascii.
Why even store passwords in a database? Unless you're making a password manager.
for me as a developer if the user can put it into a textbox and I can hash it, it is a password
Gotta pirate my trains now
Lower Silesian Railway - Koleje Dolnośląskie. Ok, now I get why the're late 50 minutes+ when my ride to work normally takes only 5.
im convinced this is why my 4th gen ipod still works. i installed rockbox six months into ownership. it took out what ever self-destruct code apple had on it.
I love that they did that in Polen, most polish people i know are so tech sevi that they know all the methods of getting around any DRM.
Gotta pirate those games!
To be fair to the train company... do we know what was disclosed? Did this country KNOW there was DRM... seems like it would be in a contract. Honestly, it also makes sense for something like a complex train. where at any given moment tens of millions of dollars of machine, people, property is on the line. If there is something special about it such that standard train mechanics could mess it up, then it makes sense to protect the company's reputation. If that train derails due to something repaired or maintained in a faulty way, the train maker and operators' names both become front and center. It might get cleared up later but nobody ever sees retractions , updates, corrections to stories.
You can find the original video on RUclips, it's pretty good.
It's not really DRM at all it's just things like "if the train has not run for 10 days then disable it", so that only the manufacturer knows how to turn it back on. The idea being that a 3rd party would take the train to their shop, perform maintenance and then not be able to start it again. They also used GPS to say if it is within coordinates of their competitors then disable the train etc.
This was all done after the maintenance contract with the manufacturer ended, and the train company signed a deal with a different company for maintenance.
They basically said well if you're not going to be our customer any more then we will remotely disable your train that you already paid for.
The train in the thumbnail looks like a Bombardier Talent 2 - which has nothing to do with this story.
Apple: "Write that down! Write that down!"
About people who program stuff like this: I guess they just see programming sophisticated DRM measures as a competition challenge with the repair companies, as some sort of game of cat-and-mouse. I suspect they don't think that much about the greater socioeconomic consequences (creating a monopoly, making resale difficult etc.).
LOL I heard of this from Louis Rossman like a month ago
I work at an AASP and have actively offered to give "insider" info to LMG, nobody took me up on it.
I used to use the alt code for the pi symbol in my passwords, then i had a device that didnt take alt codes and i justs sat there twiddling my thumbs whike i looked for a nearby dongle and full size keyboard
I like in the actual video where it is programmed in to just stop the train from working at 1 million km or miles on the odometer.😂😂
Trains definitely should have restrictions on who can work on them and where parts can be sourced from, just like aeroplanes, but they should be restricted by means of the parts and workers meeting strict guidance from the manufacturer not that only the manufacturer can work on them
Abolish privatized public transportation. It should be run as a public service at a loss. And thats a good thing. This level of monetization is wrong.
Linus, this code was exactly what it appears to be. Train manufacturers will instantly pull the warranty if the vehicles are not serviced and inspected at the required intervals... This was all about making 3rd party maintenance difficult if not impossible... At one point NewaG even claimed that SPS the 3rd party service company was incompetent in order to scare the operator to revert service to NewaG... Shady as f*ck...
Some devs might see it as a challenge, how can they come up with ways to accomplish the goal of only 1st party repair.
Didn't know Newegg made trains now
If anyone is interested in what Luke was probably hinting at, there are certain characters that have multiple key long combos to enter that is only supported on some operating systems. For example, on Macs there are special key combos that are mapped to type ridiculous and weird symbols that you would never think to type in any use case, let alone a password. Said key combos are easy to memorize and also not mapped in Windows or Linux, and since most malicious people are not the types to use expensive Apple software or difficult to set up Hackintosh, its one step above impossible for them to guess your password. Its also easy to type this password in on a phone or non-Mac since all you would need to do is look up and copy paste that symbol.
How is this any different from RAlt+NumPad on Windows? The same signs can be created on Linux with different key combinations.
@@Micromation Mac was just an example, Windows has key combos that Mac doesn't have, so does Linux, etc. The point is its not uniform between the OSes, making it even more unlikely to be guessed.
A game I played years ago supported them and it was a big deal if you knew how to use them.
@@robinbegley1077 All Quake engine based games did. Needless to say, Jedi Academy or CoD1/2 had very elaborate player nicknames displayed on the scoreboard.
Luke at the end started sounding like Thor from PirateSoftware lmao
international compressor failure day is celebrated by train manufacturers... I'd love for hackers to take a look at Siemens and Alstom train code... I'll bet NewaG are not the only ones doing this. Hopefully train and car manufacturers are paying attention... Dishonesty will always come out eventually, manufacturers are simply not clever enough to defeat determined people that only want the truth....
One good trick for making passwords is to use concepts that you find offensive and disgusting. The brain is designed to remember things that are offensive and disgusting. Going about it. That way you can make really long passwords that are super easy to remember.
The problem is that when you reject doing your work (even if it's morally questionable or illegal), you're getting fired for cause. This then puts a stain on your resume, making it very hard to get a good job again. The only way to get that stain off is to sue your ex-employer, proving in court that the work order was, without any doubt, illegal. However, this then puts the stain "of sues their employer" onto your resume, which makes it even harder to get any job.
I did work experience at a tractive motive depot.. Thats a Railway maintenance depot. We were working on Class 47 locomotives in the UK. If they had blocked a location with software there.. The locomotives would be scrapped before we had them service them. they would never get a contract to build a circuit board, let alone a locomotive unit.
alt codes in paswords? would be good idea and easy to remember.... .Also i think there could be some complications based on encoding/keyboard input or something like that
DRM has become and will likely continue to be the new corporate self-rights control feature...
This scam was actually pioneered by Volkswagen in the 1970s (or perhaps earlier). My 1972 Volkswagen Transporter (Type II / Van) had a red "servicing required" light on the dashboard that would go off every 10,000 miles or so, regardless of how the vehicle was performing. The only way to get this annoying and worrisome warning light to turn off was to get service performed by an authorized VW mechanic, who would putz around, upsell you on oil changes and the like, and at some point hit a hidden warning light reset switch that was located in a secret recess under the front floor covering.
Not all software developers are Good Guys, but some are. You would think something egregious like this would be leaked somehow by the one developer with conscience.
Hmm, anyone else noticing parallels with the ice cream machines at McDonalds?
isn't it well documented that the icecream machines are simply never designed to work 24/7? it's not really a grand conspiracy iirc
@@marshmallow8709They're only allowed to be fixed by the company that made them. Kytch was being made to help diagnose and fix the issue, but they got sued out of existence
No, it's well documented that the machines give cryptic error codes for basic problems (eg, hopper too full), forcing franchisees to get expensive service from just one company that happens to be mostly owned by the same people as are making the rules.
@@marshmallow8709 to add to the above, a startup tried to make a small device that plugged into the machines and actually made them serviceable by McDonalds staff. Mcdonalds corporate cut them out and now the startup is suing McDonald's.
They should go straight into jail. DRM should be punished by jail.
Using Unicode characters for passwords instead of just the ASCII-7 set that is on US keyboards is indeed a good strategy. There are a number of ways to make this feasible:
(a) Using a Mac. There are dozens of extra characters available using the Alt key. Stuff like é, ö, µ, or §.
(b) Installing a second, foreign keyboard layout. Most of them have different characters right of the P-L-M line and for shifted 1-0. Simply switch layouts with a hotkey when entering passwords.
(c) Using the keypad (Windows). Type in the character code on the keypad while holding alt. For example, Alt-2 is ☻, Alt-0666 is š, Alt-01234 is Ò, Alt-01222 is Æ, ... (There also is a registry setting to enable hexadecimal input for full Unicode, but that's a bit annoying to enable.)
DRM should be banned across the board. Any company that has ever used it should be required to refund every customer who bought any product with DRM, and not just the initial purchase price. Everything associated with it. For something physical, that means all repairs, past and future, and rental or subscription fees. For software, like a game, the purchase price, DLC, subscription fees, and microtransactions. And just for good measure, let's also require a public domain release of everything associated with the product, including encryption keys. That means the Blue-ray master encryption key would have to be released, allowing anyone to make a valid disc that'd work in any player.
From the navy cyber security was literally the joke of death by powerpoint. It didnt make you care but it did provide quality memes
The geofencing has even a testing flag with newag location in geofencing to test if it works. Train date comparsion for failure was badly written it would fail on the 21st November but would magically start working on the first December then fail on 21 december and then start working on January 1st...
i love that hackers already disabled the killswitch
The trains must be run by McDonald's ice cream machines.
This is exactly why the stocks and the pillory need to come back.
hey ltt over the holidays i was helping my parents set up car info-tainment settings, i went to a system tab and it showed like 8gb used of 20 terabytes of available storage. why the hell do cars have so much storage (it doesnt have self driving)
During the presentation in Polish parlament train manufacturer defended itself by claiming that:
-they didn't wrote the code of problematic controller
-they do not know who made alteration to the code, according to their claim the asked for formal investigation who did it
-they claimed hacker team had no right to reverse engineering the code extracted from problematic controller
-they tried to present poor quality of mechanical repair work performed by service company (this triggered angry reaction form MP's attending the presentation - they accused manufacturer for departing from cybersecurity issues to mechanical/procedural problems.)
A second meeting before parlamentary comision is expected to take place in February. Same parts should attend this meeting: manufacturer, operators, hacker team, regulation authorities. Acutally the date of this meeting has not been set.
It was in the news in Poland for a while now, but it's a first time I hear the Apple-likeness mentioned. Would never think about that.
On Luke's suggestion a lot of websites don't take non normal characters so may not work for everything.
I Don't know about passenger trains as much, but the locomotives you see pulling freight here in Canada and the US, when brand new are about $2m a piece. I would hope to fuck that something so expensive has absolutely zero bullshit like this happening.
Is Newag perhaps an Apple subsidiary?
The train sector in the EU is very antiquated. Technology is very closed off and red tapped it's most probably because of corruption. They label it as safety etc. It's very hard to get into the design of trains unless you're 'in' from previous generations.
the station in the thumbnail is the central station in my city of nuremberg!
put brackets around your password - nice.
Newegg sells TRAINS now?!
*Newag
no
It's Polish, pronounced like nay-vog
@@sycration more like neh-vuk
It wouldn't be the first time for an employer to use the developer as a scape goat. They did code it after all.
If a person being paid to do any work is told by their “employer” to do something they don’t agree with they have two choices: do it or say no and face the consequences. As long as the act is not illegal for the worker to do, any issue created needs to be taken up by the authorities or through litigation with the “employer”. That’s my generic version of: It is not up to programmers to be the conscience of their “employer”.
Next up: Boeing installs software which causes its planes to deliberately crash if serviced by 3rd party
Oh wait, 2019 just called
I personally avoid any kind of company that does shady stuff like this.
Though I guess when you need a paycheck and can't go anywhere else, that would be a harder choice.
For me, there's two sides to this DRM issue, one side is that I like fixing things myself, and I think everyone should be able to fix something themselves if they want to and have the ability. The other side is that I know from experience that most people think they're more capable than they actually are, ambitions outweigh abilities, and you end up with something that's entirely fucked up and you have that much extra work to fix it, where if they'd just asked you a question or brought it in you'd be able to fix it in 5 minutes. Now because they messed with it you've got to fix their attempt as well as what the original problem is.
This comes down to documentation though.
The sort of people who buy trains, national and regional transit agencies, have people on staff who know how to fix them.
If it's important enough for our ink cartridges it's important enough for transportation.😂
The idea of defrauding one's own country brings to light an idea that a company deeply involved with state-wide infrastructure _would_ hire persons in countries with a competing interest so that they were _more_ willing to incorporate procedures which enact betrayal of the state's own hardware. _If_ there is validity in this idea, then that means Newag may well be hiring people with a vested interest _against_ Poland to develop software for Poland.
Like, this is wild stuff. What Newag is _still_ continuing to do with their trains should be tantamount to terrorism. It _is_ terroising Polish people in a quiet and insidious way for sake of corporate gain, and it should be punished _as_ terrorism, to the greatest extend Poland can muster. You may fuck with the common man in their own home, but you don't fuck with the state by putting ransom on services because of third-party repair for something that isn't a commonly-held commodity.
The fine they got is peanuts. $450k? Nothing to them. Also I'm guessing Luke's tech tip is something like including a space in your password.
hes obviously talking about that center button on your keyboard, most people in my circle do that, but not all pages accept it
This is worse than John Deere 🤦♂️
Let's just brick public freakin transportation now because greed
Almost borderlines terrorism to me
It's one thing to penalize a customer when they become delinquent on loan or service bill, for example
But penalizing them by disabling their freaking equipment because they missed a "required service interval" . . . gimme a break
How long ago was the canada line built... would it blow your mind its all souped up with drm, even if its just proprietary slow buggy bs apparently
I don't think Apple would have gone to the trouble of doing 15 different custom firmware versions for 30 different trains. According to the " 37C3 - breaking DRM in Polish trains" presentation: Newag was able to use different triggers for different trains; presumably so that finding and fixing the malware on one train would not work on the next.
Apple operates at a scale where such shenanigans would not be feasible. They would need to pay a programmer to tamper with every second phone. The margins are just not there.
Edit:
6:00 first Apple, then Hyundai with their $60,000CAD batteries costing more than the car.
9:20 I just gave up and started using randomly generated passwords to a prescribed entropy. The only issue is that sometimes a "number" is required: which actually lowers the overall entropy per character.
"Apple operates at a scale where such shenanigans would not be feasible. They would need to pay a programmer to tamper with every second phone. The margins are just not there."
They would just have a cheat patches repository that auto-applies patches for each instance.
I think that's more about each train being a bespoke item (~10M $ each), customized to customer spec and produced over the period of many years, unlike a mobile phone.
A RMA on a train is a federal state level decision Fyra NS. Repair on a train is done in house RET Metro. Revisions on trains are done in house DDZ Nedtrain. That’s how infrastructure works.
Man I’m really surprised Wabtec didn’t try this first.
Taylor has branched out from McDonald's icecream machines