by kbrosnan 906 days ago
This train DRM is crazy. At the beginning of the month they found geofences

> We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.

> We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops.

> It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.

> The key unlock was deleted in newer PLC software versions, but the lock logic remained.

> After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.

> The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.

https://social.hackerspace.pl/@q3k/111528162462505087


A tiny note: they found the geofences over a year ago, a month ago was when they went public.

My question: Who wrote this software? Software engineers with 0 moral and ethical qualms or with an extreme incentive to get rich?
> Software engineers with 0 moral and ethical qualms

I would like to challenge this. The ethical problem comes from these two facts: they had code which disabled the vehicle in certain conditions AND this was not communicated in the manuals/contracts.

The two together is what is extremely dubious. If you implement a time based expiry system, and tell about it to the customers that I think is fair. The customer might of course opt to not buy the equipment under those terms, or only pay a significantly reduced fee, but that is just business. And it might be good business for both participants if everything is well documented and transparent, and these restrictions are reflected in the price, and everyone enters into the agreement with full knowledge and consent.

Why does this matter: Look at it from the developer’s perspective. Imagine that they are told by their bosses that they need to implement technological measures to disable the product when the licence expires. Would developing that be unethical? I don’t think so. It becomes unethical at the later point when the train operator is not told about this. How much of that is in or out of the view of the developers is another question.

I’m not saying this is what happened. Clearly the GPS based lockdown is not consistent with this story even under the most charitable interpretation. Something is fishy here and needs investigating. (The kind of investigation where the police with a warrant takes the repo and the communications of the company, and interviews everyone separately to figure out who did what and when, and who knew what and when.)

But while the overall conduct of the company appears to be unethical, it is not necessarily true that the software engineers in question were also unethical. It depends on what they did know, and what they were asked to deliver.

They weren't selling software licenses here, they were selling a very real piece of hardware. It would be ethical to disable noncritical software updates under some time based constraints; it's completely unreasonable to disable the use of the hardware altogether. The customer bought it, that's their hardware to use however they wish.

It would be completely unacceptable to me if an auto manufacturer baked in a time lock in a car I purchased. Heck, Apple got slapped for appearing to throttle performance based on age. Why is it reasonable for a train manufacturer to pull this stunt?

To be clear, plausible deniability is also a big gray area when it comes to moral or ethical questions. If a timelock in the software seems unusual, engineers aren't off the hook simply because they didn't ask. If they did push back or ask for an explanation and were given false answers, sure, they likely didn't do anything most would consider immoral. But if they just wrote the time lock because it was in a spec and didn't ask why a train should include a time bomb? Totally unethical in my book.

> They weren't selling software licenses here, they were selling a very real piece of hardware.

I don’t know. I didn’t read the contract. Neither did you I suspect nor did the developers.

Jet engines are leased by the hour. Yes they are very real pieces of hardware bolted to your airplane. That has nothing to do with the business model. Why can’t the same be true for trains?

Even if I would know how trains are usually sold/purchased, which I don’t, I could be convinced by a boss that we are trying a different model.

Why is this important? Two reasons: if your mental model is that these kinds of things are done by “unethical developers” then you are not looking for the real culprits, and your interventions trying to prevent such things will be ineffective.

Do they turn off the jet engines if they don't pay, or do they send them a bill? There is a huge difference.

Also, writing it in a contract doesn't make it ethical or even legal. Just because someone writes it in a license agreement doesn't mean that we as a society should blindly accept it. We don't allow people to sell lots of things, why should we just say 'well it was in the license' because someone tried to sell 'being able to turn off your own passenger train for more than 10 days'?

> Just because someone writes it in a license agreement doesn't mean that we as a society should blindly accept it.

People who buy trainsets are sophisticated buyers. They have lawyers, accountants and engineers advising them. You don’t sucker a semi-senile grandma into buying your trains unseen. Nobody buys trains on a drunken dare, or as an impulse purchase.

Because of this, if the financing is more viable that way, companies should be able to purchase, rent or lease their trains under whatever model makes the most sense in their particular circumstances. This of course assumes that the manufacturer deals fairly and the purchaser is properly informed about what they are buying, leasing or renting. (Which does not seem to be the case here, and that is unethical and a problem. The kind where people should go to prison in my opinion.)

> Jet engines are leased by the hour.

I'm... very surprised by this, do you have any resources I could read about it?

This was very informative, thanks! It's so easy to assume a very simplified (or outright incorrect) model of how the world works and then point fingers in the wrong direction...

This is not an argument I necessarily believe, but to steel-man this one:

You know your trains will need service after 12 months in service or some number of miles. Absent that service, the train could fail, the failure could be catastrophic, and a catastrophic failure on a train kills people. You also know that municipal train operators in a great many parts of the world will absolutely run their trains until they kill someone rather than pay for downtime and maintenance. Therefore, you put in a lock on the train that if it hasn’t been serviced after 12 months, the train disables itself to force the owner to get the train serviced.

The background to this is European Union mandating unbundling of maintenance from purchase contracts.

Specifically, it's been no longer possible for manufacturers to claim that maintenance documentation is a trade secret or otherwise not possible to be made available to third parties, which opened the door for third party workshops to do deeper maintenance.

And the train manufacturer started losing tenders for maintenance.

Yeah, no part of the rest of this story suggests the charitable interpretation is the right one. I can see a case for being more aggressive about ensuring large machines get serviced before they can do harm, but I don’t actually think that’s what this company was doing.

Thank you for taking the time to steel-man this one!

If this were the situation I would expect the train to show operators clear warning messages that service is due, and ultimately a message that says something to the effect of the train has been disabled or put into limp mode until it is serviced. I wouldn't expect these triggers to disable a train to only be discovered later when, for example, a train won't start without warning or stops running when it's parked at a different shop to have the service done. I also would expect the service warnings to be based on something like hours of operation rather than calendar time; all heavy equipment I've ever heard of or worked on tracks service schedules this way.

This argument also gets to a more common trend we've had in recent decades where those with authority step on others' freedoms because they believe they know better. Individuals should be able to make their own choices and be responsible for the consequences. In this case, the train operator should be aware of the service needs and risks if it is missed. If anything goes wrong they are responsible for it. Even if the triggers to disable the train were put in with the best of intentions, if I were the manufacturer I would worry that installing such a system could potentially make me entirely liable for anything that goes wrong.

> This argument also gets to a more common trend we've had in recent decades where those with authority step on others' freedoms because they believe they know better. Individuals should be able to make their own choices and be responsible for the consequences. In this case, the train operator should be aware of the service needs and risks if it is missed. If anything goes wrong they are responsible for it. Even if the triggers to disable the train were put in with the best of intentions, if I were the manufacturer I would worry that installing such a system could potentially make me entirely liable for anything that goes wrong.

This, specifically, is the piece where I think there's some moral ambiguity, and specifically I do not think one has the moral ability to completely disavow the outcomes that the use or misuse of one's product causes, especially when they affect third parties. If you know that use of your product under certain circumstances will cause a large amount of harm to people other than the owner or operator, and you know those circumstances are likely, and you don't do anything to prevent that, I think you have some moral culpability. Whether or not you care is a different story, and this certainly isn't a legal argument, but I think you're responsible for the outcomes of the use of your labor and resources, especially when those are easily foreseeable. I think specifically in the case of selling a train to a municipal train operator - if I told you that the trains in Poland were known for derailing because the national train operations service was financially underwater and never repaired them, would that change your opinion? (It's not true, as far as I know, but would you find it surprising if it were?)

And, absolutely to your first point - if the goal of what you're doing is to prevent unsafe operation of your product in a situation where you legitimately believe it can cause grievous harm to third parties, then yes, you do all the things you say in paragraph one. That's why I'm saying I don't think that's what the train operator was doing, but I don't think the argument is totally cut and dry that the manufacturer has no moral right to stop the trains, and I don't buy the argument that the moment you sell the products of your labor to someone else you fully absolve yourself of the moral liability for the outcomes of the use of that product.

(And again, I'm repeatedly using the word "moral" in here, because this isn't a legal, statutory, or contractual argument, it's purely a moral one. I also recognize the world's a complicated place, we all have to make decisions in which there's not a clear good answer, and nobody lives a truly pure and moral life, so take this in the spirit of an old fashioned debate about how one can live one's best life, and not a specific condemnation or Twitter-esque outlining of what precisely a witch is while one gathers kindling.)

Or, you'd make sure that your liability was limited to one year, absent of any servicing. Maybe you'd have a renewable service contract, yearly, and one of the requirements is local inspection.

> force the owner to get the train serviced.

This is coercion, implemented via subterfuge. It's no different than if they sent guys with sacks full of door handles or whatever to take control of the trains, to accomplish the same result. Or if the client hired staff to crack the provider's server, and either installed ransomware, or stole the solution. Ridiculous. The way to operate is through the laws in question, rather than removing agency from the client.

If the client does not want to pay, you warn them of possible consequences, ask them if they would like to purchase an extra diagnostics package, and remind them that after a year, maintenance of the product is required to bring you back into the picture formally.

It should be the job of a rail or a transportation agency (like the FAA does with aviation). They should decide which operators can run which trains in a public space. If some of the operators are reckless with maintenance, they would lose the license to operate.

And in fact that's how it's (supposed to be) done.

With the maintenance and repair shops having railway equivalent of Part 145 certification, just without type ratings IIRC.

I'm curious if the "12-month if-s" could activate in a running train. Hopefully not, but somehow I wouldn't be surprised...

Not bad, can you steel-man the geofencing too?

There are reasons you might legitimately geofence your product, to prevent them being stolen as war spoils like the Ukrainian tractors and harvesters were by Russia last year, or to prevent them being used in a sanctioned country like Iran. I could see an upper level manager looking at a geofence made for complying with sanctions and turning around and using it as an anticompetitive tool to prevent third party repairs without a second thought.

> If you implement a time based expiry system, and tell about it to the customers that I think is fair.

I remember a discussion of ethics on HN a few weeks or months back.

I said there are actions that promote the common good, actions that do not affect the common good, and actions that harm the common good.

I believe your view of "business" is in the category of harming the public good.

I like how these arguments always seem to imply that the software engineers are the ones who have to care way more about morals and ethics than whoever came up with the morally questionable "feature" to implement.

The alternative is that software engineers are resolved of responsibility for only following orders.

Also, I don't understand why so many software engineers are willing to write code that is clearly adverse to users so their managers can get their performance bonuses. What's the upside? Narrowly escape the next round of layoffs so you can do it all over again?

The tech companies are not our friends any more than they are the users' friends; they collude against us and treat us as disposable. This will continue as long as engineers do not take a stand.

> I don't understand why so many software engineers are willing to write code that is clearly adverse to users so their managers can get their performance bonuses.

In my experience, the young engineer is hired and bets his/her career on this one position, then they are told to do the dirty work or leave. That's why I resigned from my first software engineering job.

You might be right, and thank you for doing that.

I remember hearing that the number of software engineers doubles every 5 years, meaning that most software engineers will always have less than 5 years of experience. I think it was Bob Martin.

Outsource to the cheapest bidder.

You know the type, that without question mechanically implements exactly what is written in the specification, no matter how wrong it is, technically or morally. If you are lucky that is, and not only get back a steaming pile of bugs.

The bugs in the date checking hint this wasn’t written by the sharpest guy in the room, unless it was deliberately made confusing, so as not to be easily pattern detected.

Or heroes who simultaneously reported what they were hired to do

Not saying they were -- but not a bad alternative to declining the work outright

If they did, none of the months-long reverse engineering would have been required.

Ever heard of parallel construction?

Yes, it's "Technique not appearing in this episode", to paraphrase.

The heroes also wrote heroically bad date checking code.

If they had reported things... well, it wouldn't take over a year to deal with this.

Nobody frames it as an evil thing. It’s spun to sound good so the engineers don’t put any critical thought into it.

Am I correct to assume that none of this was in the manual?

The people investigating this claim that much of this is undocumented. I don't speak Polish nor have access to any of the primary documentation for the train.

We may see more info next week as they are scheduled to present at the 37th CCC. https://events.ccc.de/congress/2023/infos/index.html

Q3k is active here, https://news.ycombinator.com/threads?id=q3k

At least one of the trains had its DSU (Dokumentacja Systemu Utrzymania - Maintenance System Manual) linked online (it's specific to that one train). It should be enough to perform full maintenance.

Nowhere in it any of the "lockouts" are documented.

That's effectively the core of the accusations against NEWAG.

The manual was supposed to allow comprehensive maintenance and repair, without requiring manufacturer's input.

It's very hard to see what legitimate reason would be used to document such a check in the manual.

The reason would be so you’re not being dishonest and selling a misleading product.

> The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.

So libel on top of computer sabotage.