"During the height of the pandemic, I wrote an article about how a Polish hacker had developed a dongle that was being used by American repair professionals to bypass DRM on ventilators needed to keep COVID-19 patients alive."
That's extremely evil. I'm not emotionally invested in right-to-repair like many others here are, but it's corrupt that DRM is causing/has caused difficulty in operating things necessary for people's survival. Shame on these companies.
Those who want to convince others of right-to-repair should point to cases like this because it's the #1 thing that makes me want to rally behind it too.
Am I correctly reading your implication that, although this is a strong point in favor of the right-to-repair movement, you remain personally unconvinced in it as a whole? If so, what's holding you back from being fully convinced?
I think it would be good for society if right-to-repair laws were passed but I just feel indifferent towards the topic and would rather spend time and energy caring about something that I feel (to me personally) is more important.
I feel the opposite of him. I don't like DRM, I do like DRM circumvention--I like tech in general--but if we have DRM to protect intellectual property and enforce licenses and contracts, I have no problem with ventilators also being DRMed.
If a person who decides to make pop music can DRM their work, why shouldn't a person who goes into life saving tech DRM theirs? "think of the children!" Hey, if you care so much about the children, pay your bills. Covid caused unforeseen problems? you know what? they were unforeseen.
The person who created the life saving tech already saved a bunch of lives, those lives are still saved, and it seems a little ungrateful to claim they haven't done enough for you.
Also, people know about IP rights. Either it's the law of the land or a treaty obligation. Clearly documented, as are the available remedies in case of dispute. Available to everybody, in theory.
This "DRM" was unilateral. Surreptitious. Why do this if not to remove agency from the client at some later date? Why bypass the legal system? Silently?
Altruism? Maybe, but that's just as bad, idealists and coercion go hand in hand throughout human history.
Pragmatism? Seems more likely. The trains can be fixed, except they get turned off from the mothership whenever they seem to be in the shop. They don't fix them for free, presumably.
Either way, that is some snake ass shit, since it's undocumented. Poor.
I don't know why your tone is so combative in the second paragraph, and in your further reply to another user down below. No one said anything here to warrant it.
I think you point to a real conflict of interests though where some may feel less motivated to work on life-saving tech if they aren't compensated for it. Here in the UK, the government launched a scheme called "Eat Out to Help Out" to help support businesses like takeaways which had understandably had low revenue during COVID. I would have been happy to see a subsidy (and pay a tax towards it) for companies manufacturing life-saving tech if it was the only sustainable solution.
so, if I go into a frivolous profession, fashion say, I can work as little or as hard as I want? but if I go into a serious life-saving profession which you ostensibly value, my work product must belong to you as if I'm your slave? Maybe principles of individualism and autonomy are more important than the greed lust of the collectivist mob.
and btw, what you said is completely obvious to the point of dreary cliche, "things more important than the bottom line", like Phoebe's realization on Friends that she and her mother had a lot in common because turns out they both love pizza and puppies.
What I said was food for thought and unexpectedly (in an inside out sort of way) explanatory toward the question asked by the comment I was replying to.
maybe you could stop stopping and smelling the flowers on the road less taken for a minute and consider ideas with depth, it might make all the difference.
In that spirit of horrendous stories that make you want to support laws on your right to own the physical hardware you bought: have you heard about the airbag for bikers that is subscription only and doesn't activate if your subscription is not up to date?
It's not quite as bad as it sounds - the hack allowed people to buy second hand ventilators and fix them up which I guess is handy in an emergency but could create safety risks if the thing then fails when a patient is relying on it.
I don't think Newag stands a chance. The hackers didn't hack a third party IT network/system. They hacked a train that was owned by the railway company, not Newag.
Some railway specialist also noted that some of the trains that were publicly known to be part of this have explicit registrations that make the owners also fully in their right to decide about their maintenance.
Personally I object to calling it hacking (in the popular/mass media sense).
If a company hires me to inspect their systems, and it's not shady (i.e. everything seems legitimate), then I'm not hacking anything. It's really no different to working on a CRUD (well, it's more interesting :)).
There might be some legal provisions (DRM laws, some EULA, etc.) that muddy the water. But that doesn't change the fact, that I can't find any ethical problem with what the Dragon Sector folks did[1]. And for me hacking is something unethical--criminal aspect is secondary.
Ethical hacking is a thing. And it is definitely hacking in the sense that they did something someone attempted to prevent them to do, and from a technical standpoint, it is not much different to what criminals do. Hacking a train so that it accepts third party repairs and hacking a credit card reader to steal your money make use of the same techniques. And for me at least, hacking is about technique, not ethics.
The ethical distinction is between white hats and black hats. The people in the article are white hats, that is, they work legally, ethically, and they are open about their activities.
Note: I mean hacking as it is most commonly known now. Not MIT-style hacking.
What I meant wasn't about HN, but about the "outside" world--I don't think "hacker" is a positive word among general public. And they did positive work--they helped train companies and revealed some Bad Stuff going on. If police takes someone's computers, then it's forensic investigation performed by forensic investigators, and not hackery performed by hackers.
But of course on technical forums like HN we call it hacking ("we" includes myself).
To address some of your points:
> they did something someone attempted to prevent them to do
Well, Newag claims they didn't add any shady stuff to the firmware, i.e. they didn't prevent anyone from anything. Which means Dragon Sector didn't break any protection mechanism, they were just debugging potential glitches! :)
I've debugged a lot of software in my life and no one has ever called me "hacker" for finding that missing CSS class :)).
> Hacking a train so that it accepts third party repairs and hacking a credit card reader to steal your money make use of the same techniques.
This is a very low level discussion ("low level" as in "assembler", and not intellectually, for the lack of a better word), but in this case there's one significant difference--train firmware is supposed to be unchanged (according to Dragon Sector).
And credit card reader's fw has been modified.
So for me, again, they acted as forensic investigators/"debuggers".
> The ethical distinction is between white hats and black hats. The people in the article are white hats, that is, they work legally, ethically, and they are open about their activities.
Yes, I agree. But I would still prefer if the non-tech world called them something like "forensic investigators", as white hats are still a kind of hackers.
Yeah, you can't call this hacking. This software is operating according to specifications, as far as we know. The hacking was from the guys who uncovered this, much appreciated.
However, this was a huge step backward. The company bypassed the legal system via code, to add obligations, and secret functionality to the client. How was this found? By others who would and do circumvent the law for their own reasons.
These reasons might be as noble. Just. Enlightened.
Having spent some time online, I of course, am skeptical.
They have deep pockets - all they have to do is grind them down, and they win by default. What’s legal or not is practically irrelevant when you’re dealing with individuals vs a corporation.
The legal system may be quite different in Poland to wherever you are (assuming it's not Poland). Also many products these days have a licence/EULA that supposedly prevents you doing certain things.
Exactly opposite. EU high court ruled that you are free to decompile software to fix bugs etc. Also, in Poland at least, it used to be legal to even crack software that you own for the purpose of making backup copies etc (not sure how it is now)
translation:
> The president of Newag contacted me. He claims that Newag fell victim to cybercriminals and it was not an intentional action by the company. The analysis I saw indicated something else, but for the sake of clarity, I will write about everything.
If their train software contains patches by cybercriminals that they were unable to detect but a third party hacking group without documentation were, how can we possibly believe that the train's software is safe? Surely the hackers could have put some other bugs in there.
Exactly. If they "fell victim to cybercriminals" who entered backdoors in the code (that they didn't know about for over 2 years!) then Newag should instantly recall all trains for inspection.
Contrarily, if they _knew_ about it, and didn't tell anyone, then it's even worse.
The moment I heard about this event, I knew that it was only a matter of time before the offending company executives would be blaming the developers. Interesting that their particular path forward is blaming malicious third party developers because the next thing that happens is someone interviews their devs and finds out that they in fact are the people who put this in. At the behest of middle management who behested at the behest of upper management.
My prediction is that we'll soon be hearing about how upper management would never have told a developer or middle manager to program this in and it's the lower level guys who have gone rogue which is why they blamed cybercriminals.
A lot of philosophy and poetics go into software engineering ethics that I find uncompelling at best. However, the pair of "why would you want to injure someone you don't even know" and "you will be the one blamed" feels to me to cover 95% of what software ethics claims to.
But if that's true, then what ground does the train company have for threatening the hackers? If you got hacked, then we weren't breaking your stuff. We were just undoing damage that someone else did to you as well as to your customer.
Of course they won't straight admit they've been screwing their customers, so they need a bullshit excuse.
It doesn't make any sense either: "falling victim to cybercriminals" who entered GPS coordinates of all competitors in the code, to make competitors-repaired only trains down - sounds legit! That's exactly what cybercriminals do!
Their bellicose behavior will only further tarnish their reputation. And the Barbra Streisand effect will ensure that everyone knows about it. Not a very wise move in a liberalized European market where news travels fast and competition is ruthless.
This time around corrupting the national politicians won't cut it to get the contracts — the European regulator is keeping a close eye on this and it's not known for being complacent with attempts to bypass its oversight.
The manufacturer is trying to evoke "murky status".
But both national law states it's OK, and there is a ruling by Court of Justice of the European Union stating that Reverse Engineering done by owner even of a program license (EULA style) to make it work or fix errors is legal.
> But in Europe, the legality of what Dragon Sector did is murkier. [...] Cory Doctorow explained in his excellent Pluralistic blog that Article 6 of Europe's 2001 Copyright and Information Society Directive is generally stricter on DRM circumvention than Section 1201 of the DMCA, and does not have a specific repair exemption. Because of this law, Doctorow told 404 Media that "there is now an extra layer of jeopardy for these researchers. They were brave to come forward..."
If the law is huge and complex, and a large company wants to make your life hell...
I think this should be filed under sabotage of critical infrastructure.
It is either that or DRM means the OEM gets to remotely shut down entire train network whenever they like? Imagine the money one could make with such a service.
yeah screw this. if they are claiming that they hacked their DRM they should absolutely counter sue that this DRM counts as sabotage and/or domestic terrorism. There was literally code in there that told the trains to stop working after X date if it sat still for X amount of time.
Prosecution started working from statutes that talk about crimes of preventing someone from operating, as well as manipulation or prevention of proper handling of data relevant to national security and/or transportation.
Neither cares about breaking DRM or IP, but third party (including vendor) manipulation.
I don't think that you are reading that like a lawyer would.
For example article 6, part 2 (a) does not allow the information retrieved to be used for any purpose other than establishing interoperability. The hackers stepped over that line when they released some of what they discovered for the purpose of publicly criticizing the manufacturer.
DRM is, generally, about whether or not you can copy the files, or how you use the software (whether it's licensed use).
This isn't DRM (though that's bad too). It's far worse. It's ransomware, they hijacked trains. Everyone involved should be locked in a dungeon for the better part of a century.
In some EU countries it's also legal to reverse engineer computer programs fully when compatibility with other computer systems is the goal. Without the need from any authorisation of the copyright holder and it doesn't have to be buggy or broken.
The person having a right to use a copy of a computer program shall be entitled, without the authorisation of the rightholder, to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do.
But those articles in no way give one the right to harm the rightholder's business practices. For example by exposing them to public criticism. That potential limitation is implied in both 5.3 and 6.2.a.
I don't know what other provisions of EU law might apply here. But it is literally the job of the lawyers issuing the threats to find potential gotchas like that. I would assume that they are competent.
Not only that, the article being from American media, even with the footnote, the commenters, miss the whole point about copyright being exclusively American concept and we don’t have this in EU. We have IP and authorship rights that work differently. See last part for explanation: https://thehftguy.com/2020/09/15/french-judge-rules-gpl-lice...
I suspect that the legal differences are less than claimed.
The first test of an open source license in court was https://en.wikipedia.org/wiki/Jacobsen_v._Katzer. It was initially lost on a somewhat similar argument. Namely that it was a contract, not a copyright license, and then was an unenforceable contract and therefore invalid. This decision was reversed on appeal.
I have no particular reason to believe that the first French judge to rule on an open source license did a better job than the first US judge to do the same. Both ruled against the license.
For instance, in Poland (which is in Europe) you have all rights to create copies of software, music, movies, for your personal use after paying for the original copy. You cannot do this under copyright which strictly forbids you from creating copies of the original media. Copy-right, as a right to create copies.
In this meaning, copyright is not the same as authorship rights, which is a basis of intellectual property protection in Europe.
Similarly for software patents, they do not work in EU.
It's badly expressed (and not exactly relevant to the train lockout issue), but no, Copyright as in the american sense does not exist in Poland, and similarly in many other European countries.
That's why we have the relevant legal act discuss separate aspects of "moral" and "financial" "Author's rights" to a creation, instead of just singular "copyright", and why American-style "public domain" does not exist in Polish legal system, or that of many other EU countries (US' style public-domain involves effectively losing all rights to the creation, including moral ones, whereas those are non-dismissible, non-transferable and permanent in Polish law).
The exact way things differ would probably require a philosopher and a lawyer to discuss differences of.
European Railway Agency, through EU directives, secured unbundling of maintenance & repair operations from vendors. Vendors no longer are allowed to claim trade secrets or IP as reason for not providing complete and effective maintenance & repair documentation suitable for performing all levels of maintenance.
Since then, MRO is purchased through separate tender process - and NEWAG didn't win several times.
This is a consequence of the train operator winning a court judgement to permit them to use third parties for servicing the trains, followed by "technical measures" of the manufacturer to cripple the trains if this was actually done.
Trains are often, somehow or another, public infrastructure. (In Poland it looks like they are run by state-owned companies, mostly?) Countries should work in the interest of their populations, so really we hope David vs Goliath here, except Goliath is the good guy and also hopefully wins.
I will say my takeaway from this story is manufacturers screwing over their users to make more money isn't a "you are too small to fight back problem" but unmitigated greed.
I'm fine if DRM cuts both ways. Manufacturer is free to try locking things down as long as that's disclosed, I'm free to tamper with something I own. They own the trains.
Trains are critical infrastructure. Intentionally introducing vulnerabilities deserves the corporate death penalty and prison time for those involved. Best make an example out of them, lest the others get ideas.
It's only DRM if it's from the Article 11 region of the WIPO Copyright Treaty; otherwise, it's just sparkling obfuscation.
> Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law.
(DRM's a silly name, anyway; it should be called "technological measures" or "technological protection measures" or something.)
I think it's meant as a derogatory term cause people hate DRM. Like, I don't feel entitled to pirate movies, but plenty of times DRM has gotten in the way of legally watching movies I paid for.
Digital Restrictions Management is a backronym popularised by the EFF, but DRM is the actual legal term used in the US, and doesn't necessarily carry a derogatory meaning.
I disagree, DRM actually is seen as an extremely negative thing. Perhaps people who work to create DRM don't think it's a negative but saying someone's work is DRM is actually a pejorative statement.
I don't know, I've never happily acknowledged the existence of DRM. I'm from the US and, as far as I can tell, I and people in my periphery see it as a negative and use it as basically "This f-ing DRM is always preventing me from watching my movies in 4K even though I paid for 4K" kinds of situations
One that challenges traditional notions of property rights when attempted to be enforced in this manner.
They might win in the short term but I can't imagine that would serve the train company well in the long term - lawmakers (who are typically octogenarians) often don't understand how software restrictions limit use of equipment traditionally enjoyed under property rights until they're interfered with. Like a train being geofenced.
From the articles in relevant media, I gather they have got themselves a very good attorney. There's a possibility Newag might be in hot water, because sabotaging trains like this smells of criminal offense. Which is why they huff, puff, and try to employ scare tactics.
The story is missing a lot of details. It says very little about the role of Lower Silesian Railway, the company that purchased the train from NEWAG and hired SPS to repair the train. Did Lower Silesian Railway (LSR) know that NEWAG expects that the trains need to be repaired at NEWAG facilities? Did LSR know about the technological measures implemented by NEWAG? What was in the original procurement contract between LSR and NEWAG? What is in the repair contract between LSR and SPS? Why is NEWAG still providing updates/LSR installing NEWAG updates for trains that are no longer under NEWAG's maintenance?
This is sure to backfire and increase attention to NEWAG's own alleged criminal behavior.
NEWAG executives & those responsible should face criminal charges for conspiracy to defraud in addition to libel.
It's clear that NEWAG knowingly lied about alleged malfeasance from the third party repair shops, and took advantage of their sabotage to incentivize if not require their customer to pay for service at NEWAG's own repair shops.
That would be lovely, but it depends on how the media presents it (I can see the image of a hooded “hacker” being used and the story being “hackers intrude into trains, face criminal charges, government demands investigation and hardening of DRM to prevent future illegality which poses a risk to the public”), and on how much cash they’re willing to throw at it to crush the hackers with civil and criminal suits.
The story I read said that the repair delays impacted train schedules (owing to fewer trains in operation). Potentially millions of people had their life disrupted because of corporate greed.
I would love to see criminal charges on this one, especially if they come under a computer hacking law, as that might set a great precedent for consumer protections. Unfortunately it will probably be more like a fine if anything.
Fasten your seatbelts, it seems there's a lot more details this time. For instance, they say they have a before/after Newag service diff of the firmware, and there are interesting changes there.
If that's true, then the "rogue hackers" must be sprinkled inside Newag :).
The issue is complicated. So far there's no proof for Newag involvement. It's very different to how security researchers publish their results. All is based on hearsay.
i think people should be allowed to tinker with stuff. why not. it is ok to me if that voids the warranty tho. fair enough.
it's a bit funny in this case the company first claims it doesn't brick stuff, and subsequently threatens these guys.. did they lie first? that seems bordering criminal for a company to do... just admit it :/. 'yes we drm our crap and brick stuff with anti tamper detections'. how hard is it...
hope dragon sector doesn't get into trouble, they do amazing work!
While I understand DRM problem, there should be concerns about safety indeed. Unauthorized access to operating system of public transport could be abused in many bad ways.
Companies bought trains with „full technical documentation and service instructions” - I put it in quotes because all the locks and „DRM” stuff was undocumented and producer is claiming they never put anything like that in the first place.
I think it's fair to say the manufacturer is intentionally introducing vulnerabilities to a nation's critical infrastructure. Is it possible for a sufficiently motivated actor to shut down trains in Poland remotely? I'm doubtful the engineers used best practices when implementing such a function.
Hide a GPS spoofer (illegal) at a central train station to make all trains believe they are at the forbidden workshop location and make them brick themselves? Could it be that easy?
The target doesn't need to be airborne for such an attack to work.
> A "proof-of-concept" attack was successfully performed in June 2013, when the luxury yacht White Rose of Drachs was misdirected with spoofed GPS signals by a group of aerospace engineering students from the Cockrell School of Engineering at the University of Texas in Austin.
> The target doesn't need to be airborne for such an attack to work.
I mean, the spoofing signal needs to usually come from sky. You want to hinder the original signal and make yours stronger. Of course, signal can be reflected and there are other means to reach this.
Can you elaborate on why you think that "the spoofing signal needs to usually come from sky"? As far as I understand, it literally never comes from the sky, in every single case it involved ground-based transmitters.
The GPS system doesn't use the direction to the GPS satellite for localization but rather only the distance i.e. timing, so spoofing GPS is based on accurate control of the time of the transmitted (or replayed!) signals.
> The GPS system doesn't use the direction to the GPS satellite for localization but rather only the distance i.e. timing, so spoofing GPS is based on accurate control of the time of the transmitted (or replayed!) signals
GPS uses Signal-to-Noise ratio for determining the signal quality and integrity. Horizontal signal will suffer pretty fast. Especially if your receiver is sophisticated and could actually detect the signal strength (power) outliers. If you want to spoof GPS signal very well, it should be also weak. But weak signal will quickly disappear with ground-based transmitters.
I used ”strength” incorrectly on the previous comment.
GPS spoofing is generally done at limited range and line of sight so the fact that "horizontal signal will suffer pretty fast" and having the range limited by terrain and curvature of the earth is not a problem but a feature that the spoofers generally want - affecting the target, but not affecting people 500 miles away; and sometimes even explicitly doing that from a pit so that spoofing or jamming affects airborne targets but not those on the ground.
And regarding "If you want to spoof GPS signal very well, it should be also weak" the scenarios I've seen (e.g. targeting drones in current conflicts) often explicitly target non-sophisticated commercial off-shelf GPS modules that don't attempt to detect spoofing and will gladly accept a signal that's 100 times louder than the actual satellites, so I think the spoofers often have no desire to do it "well" according to your criteria.
If it was a documented anti-theft feature it could be legit. A state could theoretically have some use for the proverbial 'blow up your own bridges when you are invaded' sort of measures.
Ignoring the lack of disclosure of what should be a selling point and that there hasn't been a case of trains being stolen for later illicit reuse in recent memory.