Eternal September
Let’s hope the salary is decent.
If it were a private company I’d bet it was astronomical. But I don’t know about the German government though, it’s hard to say.
It’s a private company… and the salary is not gonna be great.
Germany doesn’t pay wages
The Federal Government is the sole owner of DB AG.
Since its foundation in 1994, Deutsche Bahn (DB AG) has been a public limited company and accordingly has a dual management and control structure. It is wholly owned by the federal government. The Federal Ministry for Digital and Transport (BMDV) is responsible for managing the shareholding.
Shareholders gonna sharehold.
Just saw a video and certain instruments/displays on trains (original ICE 3 for example) run with Windows 3.11, so that’s probably why they are searching for one
SSH to a KVMoIP or IPMI?
BMC is doubtful, other sources indicate that the hardware is from 1996, so it’s not just old software. So I’ll guess a KVMoIP device is bolted on (probably a relay on the power input, VGA, USB for keyboard and ‘floppy’ (Win3.11 was well before USB, but the hardware from 96 may have USB and the BIOS would likely make it viable for a DOS to use it)).
Not gonna lie, part of me wants to relive the SoundBlaster and DOS extenders era and watch stuff with QuickTime. Tinkering with config.sys and autoexec.bat was quite fun back then.
Was it really FUN or is it not just nostalgia? I would not reaaaally want to fiddle with the autostart-crap again. It often took soooo long. Even with those auto-optimizers…
just nostalgia
Surely mostly nostalgia. But I do remember feeling a sense of accomplishment whenever I managed to run a game and get the sound working 😅
With dos 5.x I started creating some fancy autoexec menu at boot that switches between several configurations depending if I wanted to run windows, need a lot of xms or a big chunk of Ems (640k was NOT enough for everything).
It was somehow fun.
But at least, if something is not working, it was entirely your fault. Now? It’s probably windows update who fucked up something you desperately need right now.
That’s a good point, yes. At least we knew what fucked up. Today you can’t. It’s too much and too complex. And nearly nothing is under your direct control anymore. Only android or ios are doing it worse and take all of your controls away.
I am so happy not to have to mess with that. LOADHIGH agony.
Aye. But then again… The fiddling with windows to make it do what u want and don’t what you don’t, is not much less time wasted. You can just use a mouse now 😂
So do you want EMS or XMS this time? I’m sorry, you had too many TSRs, you can’t run X-Wing now…
Damn, should I load the mouse driver or the CD-ROM driver? If I load both, I can’t run strike commander!
10/10 would install Doom on it.
Use railroad switches as logic gates and trains as binary information?
Tbh I think people would understand why it had to be done.
That’s really fucking cool, if you ask me.
That’s the reason why they have problems finding drivers (if you know what I mean) 😜
C:>WIN
Legacy hardware and operating systems are battle tested, having been extensively probed and patched during their heyday. The same can be said for software written for these platforms – they have been refined to the point that they can execute their intended tasks without incident. If it is ain’t broke, don’t fix it. One could also argue that dated platforms are less likely to be targeted by modern cybercriminals. Learning the ins and outs of a legacy system does not make sense when there are so few targets still using them. A hacker would be far better off to master something newer that millions of systems still use.
Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity. Wtf is this drivel?
It really depends if these systems (that appear to control arrival boards) are on a network or not. If they’re not, then there is minimal risk to leave them the way they are. Somebody would need physical access to the devices to do harm. If they are on a network then that’s a pretty big deal, but some attacks could be mitigated against by tunnelling and/or additional packet filtering to ensure the integrity of messages.
Continuing on a railway theme you should be FAR more worried about all the devices that run up and down the side of railway lines - PLCs that talk with each other and operations centres to control things like lights, junctions, crossings etc. If they’re more than 5 years old then chances are that all that traffic is in the clear, and because these things live in boxes by the railway line, it wouldn’t take much to break into a network and potentially kill people by running two trains into each other.
Exactly. And these things are on an internal bus network, but they are not connected to the internet.
the job was advertised as being remote…
Well yes. You can code software remotely. That doesn’t mean the end system is reachable through the network. Given it’s DB, I bet these systems are still patched by floppy. Until very recently they’ve used floppies to distribute train schedules to be displayed in the train.
The job might be remote, doesn’t mean the system is remote. For all you or I know they want somebody to reverse engineer the protocol of this thing, which could be some weird board & driver that hooks into an old PC so they can switch it out for something else.
It’s in the job description, remote access is available via a repurposed laparoscope robot and webcam placed in front of the original terminal keyboard and CRT
I think you are pulling my leg… But if that’s true that’s super cool.
A remote KVM through a portal would be the actual way an air gapped system would be accessed, yeah… Spoofing ps/2 or Din with a teensy would probably be needed to use new hardware for the KVM. Maybe a SFF PC with an analog input capture card…
Cybersecurity != Safety Critical
It is when safety-critical systems are the target of a cyberattack.
Doesn’t sound like this system is safety critical. You should be more worried if some hacker can change train signs from stop to go. If you ever ride on a train and see steel boxes by the side of the track, those are control systems and they run up and down the line. They might be locked, or possibly alarmed but that’s about the extent of their protection. A simple attack would be to just take an axe to one, or set fire to it. A more sophisticated attack could snoop on the profinet traffic and do something evil.
they can execute their intended tasks without incident
Now if only the Deutsche Bahn could do that too
The author’s grammar
rammarisnt that great as well. Those typos can be should have been catched easily by the spellcheck. Edit: Including me :p
The author’s rammar
Finally caught a *grammar cop doing a typo in the wild. Pure joy.
Love typing on the phone :p
Yeah, that’s totally on me.
“catched”
can be should have been
Yeah, Techspot is pretty trash
What exactly is the issue? Everything mentioned is true.
It even goes further when you consider how newer technology often incorporates more technology, which means a greater attack surface.
Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity.
Oh, the ironing. Sad how you have >100 upvotes.
Not sure how to link a reply on lemmy so I’ll just copy from another comment I wrote here:
I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.
Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.
Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?
All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.
The “ironing” is lost on you in this case.
Simple solution: Don’t connect it to the Internet. Hackers hate this one weird trick.
And said trick ends when an attacker manages to socially-engineer their way in. (But maybe they’ll drop floppies instead of flash drives around the block this time)
You really think that infrastructure IT is dumb unless it can brush off a Stuxnet-like attack by the CIA and Mossad? Most RR traffic signals in the US are run with mechanical logic, physical switches connected to circuits closed by steel wheels on steel tracks. Do you really want a “move fast and break things” tech bro to update all this stuff for us?
All kinds of infrastructure uses ancient software because it’s reliable. Updating it just to protect from hackers causing damage is likely to cause that damage unintentionally while doing little to protect from hackers anyhow.
uses ancient software because it’s reliable
HAHAHA!
I just have to laugh at that idea, since I’ve been using computers since the days that those OSes were in common use. Reliable is not what I would call a lot of that old stuff for sure.
The bottom line is that ancient software will likely have ancient security vulnerabilities that would be trivial to exploit and take over or destroy those systems. It’s not good.
Every SCADA related cyber attack and incident has entered the chat.
Even if it’s archaic, a lot of these systems aren’t secure which can be done relatively easily and cheaply with things like basic firewalls and stunnel.
It must be updated sometime or risk being archaic and unmanageable. Chances are high they are paying insane amounts for those legacy mechanical switches you mention.
The actual logic is usually very well portable to a more modern ecosystem.
Or these companies could pay to train (no pun intended) technicians to learn the systems they’d like to maintain. No matter how old they are.
Until entropy comes for the actual hardware (assuming they won’t invest in remanufacture or production of replacements). Re-engineering a successfully working system is more costly and might result in worse outcomes, especially in the near term.
Often these systems rely on old components which are just not made anymore.
People don’t design every switch, computer and chip themselves. They buy whatever mainstream stuff is available at the time and combine it into a system
If you want to resupply those old parts you literally need to search Ebay to buy some weird outdated 2nd hand MSDOS PC to put in your “awesome reliable railway system”.
Upgrading at every new whim is of course bad, but once your system reaches legacy age it’s often necessary to fully overhaul and modernize it for the next ~15-20 years.
They could socially engineer their way in regardless of some machine being MSDOS or not. Basically if they can gain physical access to the device, or convince somebody to do something with the device it hardly matters what it was running since it can still be compromised.
Sure, but how likely is this in this specific scenario? We’re talking about a system that’s not even directly controlling the train but just a display on it. The worst that can happen is that those displays won’t work until the system is reinstalled. That’s hardly a lucrative target for modern hackers. There are way easier targets which are worth something.
I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.
Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.
Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?
All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.
Lmao they don’t know all the exploits people learn first are the brutally insane and easy stuff that works on outdated machines like heartbleed and eternal blue.
If it ain’t broke, don’t fix it.
Too critical to be upgraded is something I wish I’d never hear or see again in my professional career.
ha, what’s the failover look like???
Manual and boot a machine with the same IP somewhere else. Very robust
These probably operate completely shut from other networks/internet, so I definitely agree. But I guess a lot of folks here are Linux maniacs and can’t stand something running ancient and obsolete OS while the all-mighty Unix-based operating system could solve all of the problems, not mentioning that it would create more in the process.
Is it broke if no one is able to fix it?
The reason for it to run on such an ancient device is because nobody wants to touch the scripts running on these devices.
A lot of these systems are also always on.
Used to work at an airport that had a similar issue, turning some of these systems off simply isn’t possible. So you end up having to run the replacement system simultaneously with the old system for a few days. Can’t simply take it off line for a day.
Running two systems simultaneously for a couple of days, that’s a huge problem, not solvable
It’s an expensive problem, especially if it’s a system that’s being used all across the airport by regular staff.
You need to train thousands of employees to use the new software, you need to have one person using the old software as a backup, while the other uses the new software, often while surrounded by hundreds of often angry customers.
And if something goes wrong, which it invariably does (even if it’s user error or someone snagging a cable), shit can get very expensive. Small delays, add up to larger delays, and cascade through the entire system. Delayed flights, tens of thousands of euros in costs, hotels for thousands of passengers, missed flights, missed meetings, damages, lawsuits, penalties for missed landing/take-off slots, missed time windows for certain cities which don’t allow flights after a certain time, etc. And often you discover legacy stuff while you’re upgrading that needs fixing, stuff that no one knows how to replace anymore or is physically hard to access.
Sometimes it is genuinely better to leave it. COBOL is 60 years old. There’s still plenty of stuff running on it, exactly because it’s often too expensive and too risky to replace.
Until it becomes obsolete, unsupportable, the crux of your operation, and/or the basis for all of your decisions 😬
(Yes, I read the article, it’s just the signs, but yes, the above still applies!)
Not to mention when you want to change the entire system it becomes a huge operation and problem.
Massive risk to that change too.
So many people don’t understand how risk informs everything a business does.
What cost is there to a given system being down for one hour? A day? Any regulations around it?
Often it’s better to pay a known quantity up front than risk potential outages where you can’t predict all the downstream effects.
I’d consider those various states of not working. So… Don’t fix it if it’s not broken!
COBOL has entered the chat
e: good for legacy employment though. A relative of mine is a Z80 programmer by trade, and he can effectively walk into a job because the talent pool is so small now. Granted - the wages are never great but never poor, and the role is maintenance and troubleshooting rather than being on the leading edge of development - but it’s a job for life.
Every time I hear about COBOL I feel like I should try to learn it as a backup plan…
Let COBOL die, it’s terrible.
In what way is it terrible?
It wasn’t for me, too wordy and felt more like something for accounting/corporate than a programmer. I was offered a good-paying job programming COBOL out of college but turned it down because I didn’t want to spend my life with it. But that’s just me.
If it works, why would we want to go through the trouble of switching to another language that will also eventually be regarded as needing to be retired? There’s decades of debugging and improvement done on their system, start over with a new system and all that work needs to be done again but with a programming language that’s probably much more complex and that leaves the door open to more mistakes…
I’m all for that I just never personally liked COBOL.
You have to unlearn everything you know to learn it, go look, it’s bad.
I’m in two minds about that. On the one hand, yes, of course - as all the original COBOL folks die off, the skills will be even rarer and thus worth more.
On the other hand, if we keep propping up old shit, the businesses will keep relying on it and it’ll be even more painful when they do eventually get forced to migrate off it.
On the other other hand, we know it works, and we don’t want to migrate everything into a series of Electron apps just because that’s popular at the moment.
Part of the problem is the cost of moving off it. Some companies simply can’t pay what that would cost, and that’s before you consider the risk.
Tough spot to be in.
🥲
Oh, everyone who ever travels by train in Europe will tell you that the German infrastructure is very much broken. You’re lucky if your delay is less than a day travelling through Germany.
Afaik Deutsche Bahn loses 5 mil a day: https://www.theguardian.com/business/2023/oct/14/its-the-same-daily-misery-germanys-terrible-trains-are-no-joke-for-a-nation-built-on-efficiency
Germany doesn’t really seem like a very efficient country, they still use fax for things and every person has to manage like 10,000 different insurances for everything. Seems like an old (and inaccurate) ww2 trope.
It’s mostly a misunderstanding of what is valued in German society. The common trope is that German society covets precision. This is not the case. German society covets unwavering precision in the adherence to norms. To the point where innovation is akin to revolution in the negative sense, and pigheadedness in procedure is considered a workplace virtue. In the meantime nothing gets done. Source: expat in Germany.
Source: expat in Germany.
Is this the same as a migrant?
Migrant implies the non permanent kind because a permanent migrant is referred to as an “immigrant”.
What’s the technical difference between a migrant and an expat?
I believe the difference is that an expat moved there non-permanently, while an immigrant moved there permanently
Though if I ever somehow became an expat, I wouldn’t use the word because of how people associate it.
What you call an expat is a temporary immigrant. “Expats” fill immigration forms in their country of migration, not expatriation forms. Politicians pass laws that govern immigration, not expatriation.
That word is meant to differentiate rich (and white, often) workers from the poor, because “immigrant” has a negative connotation. That’s why I take issue with it.
The truth is, the poor might be temporary migrants too (cf Pakistanis in Dubai). The media still uses the word migrants for those. We don’t know if they’re “expats” or not, we just assume because they’re not rich or white enough.
Quick disclaimer here: I’m not saying you are racist for using the word. I just wanted to explain why I react so strongly when I hear it.
No it’s just about moneymaking and education level. If you’re a foreigner and highly educated and get a good paying job like IT consultant or doctor, you’re an expat. If you’re low educated and get a low paying job like construction or factory or no job, you’re a migrant. One is liked more than the other, hence the difference they make. The first doesn’t speak local language, but does speak English, and few people care. The second doesn’t speak local language and no English and is disliked for it. How long you stay is not very relevant. AfD doesn’t hate expats as much as other migrants, for example…
Immigrant = Someone who has moved to another country permanently. Migrant = Someone who has moved to another country temporarily.
Expat is often used by western migrants who don’t like the word “migrant”.
I take issue with it because people classify an Indian doctor moved to the US as a migrant but an American doctor who has moved to Europe is an expat.
No, the way it’s often used is closer to “posh guest worker”.
Yes, as long as they’re also white and middle/upper class!
As an outside observation, Germans seem to make things better than they need to be in a detrimental way. For example, we redid one of our bathroom showers using the Schluter Kerdi waterproofing system. They have very specific instructions on how to space the screws, how to seal the screws, how to seal the edges, how to mix the thinset, and probably some other things I can’t remember off the top of my head. They put it through a battery of tests, including going under 100’ of water. Who needs that? Don’t worry about it.
This stuff replaces cement board, which isn’t strictly waterproof, at least not on its own. It’s also significantly more expensive.
I do think it’s worthwhile for a home DIYer to get. The instructions are clear and it’s less likely you’ll screw something up that could result in disaster. That said, this thing is just waiting for a Japanese company to come along and make something 90% as good for 50% of the price. That’s basically what happened in the German vs Japanese car market, and there’s already some products on this market like that.
An old mechanic friend of mine used to say “German cars are over-engineered and under-designed”, lol.
Having worked on every brand of car out there, his description, and your explanation make a lot of sense together.
I’ve never seen such a clear and concise comparison of German/Japanese manufacturing, you really nailed it.
Both approaches have their place, the key is to know when to apply them.
Also bureaucracy is through the roof in everything, I have no idea who the fuck thinks of Germany as efficient.
I have no doubt their bureaucrats perform world-class efficiency in their handing out, filling in, faxing and archiving a sophisticated system of paper forms.
I guess it’s the trap of getting complacent and stopping modernizing as soon as you’ve convinced yourself you have the best system in the world.
It’s more that the bureaucracy is so complex and fragmented that it’s incredibly hard to digitalize. Lots of small fiefdoms that are entitled to make IT purchasing decisions themselves means paper is the only universal interchange format. In addition there is an unwillingness to change how things have always been done, or to simplify procedures. So there you have it: The German bureaucracy is too fat to move.
He’s actually German.
I work for German government agencies from time to time and they are working on it… It’s just really slow because there is so much of it, and due to organizational overhead. Also, there is not a single push for the entirety of Germany, but some things everyone does for themselves.
German re-unification cost trillions. It’s entirely unsurprising.
That’s another part of the infrastructure, though: We just don’t have enough rail as well as backup rolling stock.
And as the federation finally decided to spend some money it’s going to get worse in the next decade or so due to outages due to new constructions being linked up to the old stuff.
As to the age of the infrastructure – I mean it’s the railway. If a rarely-used branch line still uses mechanical interlocks and there’s no need to upgrade the capacity then the line is going to continue using infrastructure built in the times of the Kaiser. It’s not like those systems are unsafe, it just might be the case that unlike in the days of ole those posts with a gazillion levers aren’t manned all the time so you’ll see an operator drive to it with a car while the train is on its way. Which really isn’t that much of a deal when the branch line goes to a, what, quarry maybe sending out a train every two months or so. Certainly better than to demolish the line and use trucks instead.
Well I live in Germany and therefore use the train network on short and long distance frequently and while it is unreliable, “a day” of delay is something I have never experienced.
Most of the delayed trains are late by less than one hour (still atrocious, but not a day’s worth by any means).
I actually experienced only once a situation where we were given the choice of a hotel or a continuation of our travels by taxi (which we chose) because the train we were in was late one hour or something and the other (last for the day) train could not wait.
Well, it’s based on experiences travelling through Germany proper - for example Denmark to France or Italy, including transfers. Often the delay will just be a couple of hours, but then you miss your transfer and you’re screwed.
Also if you’re on your way to Switzerland the Swiss have no patience for disruptions in their services, so if a train is delayed coming from Germany they’re likely to just not accept it into the country at all.
I have also heard from people who were told to spend the night in the train, which DB just parked in the outskirts of the city for the night. That way they could offer passengers a place to sleep in the cheapest possible ways. Pregnant women or families with young children were asked to check in to hotels.
Misleading title: SIEMENS Mobility is looking for said Windows 3.11 admin. NOT the German Railway
Deutsche Bahn is the circus and Siemens in this case the clowns.
Clown Siemens, you say?
If the system can’t run perfectly on its own by now… I can teach them how to play the snakes game on it.
Better hope those systems are not network enabled
So say we all.
They’re probably still running on their own Netware network. Is there still Win16 compatible malware going around?
If it’s in a current metasploit package you can be sure that someone is scanning the IP at some point.
own Netware network
Johnny Castaway can live on at least.
Hey, I have a wall-mounted tablet that runs Johnny all the time. My 5-year old loves him.
Nice. Mine runs on top of the fish tank on an old netbook. What sort of tablet?
Nice :)
Just some cheap, cheap 10" Android tablet (which runs Dosbox). I had bought a few to use as HA controllers around the house but that didn’t really work out well. But great as digital photo frames and as the Johnny player.
Don’t forget MOPY ;)
Time for a rewrite
Rewriting a legacy system that’s been patched and amended for 30 years… Good luck with that. It seems simple on paper but it’s anything but.
Just make it from scratch?
For sure there is so much useless shit in there, that’s why nobody gets their head around it anymore.
Just make it from scratch?
And miss some tricky edge cases, which were covered in old code?
It’s a railroad. Those edge cases could be disastrous.
Ok, keep it for the next 100 years and get custom-built hardware which can run that stuff, that’s cheap and safe.
Never touch anything
No. What I mean is rewriting it part by part, not from scratch, but following the old algorithms as much as possible.
As long as it’s not à la Musk where the new versions will be inferior to the previous one because “no modern trains should rely on antiquated technology so we’re scrapping everything from before to start from scratch”.
It’s the only way to keep the trains free from cylon interference.
Battletrain Deutchlandica
Eventually AI’s gonna be so cheap, someone reading this thread could just be like “eh fuck let’s see if the first episode is good” and then just paste that comment into a website somewhere, wait ten seconds, and click the big play button next to “Season 1, Episode 1”