Manufacturer's secret code caused trains to lock up on purpose.
December 5, 2023 10:36 AM

"I can finally reveal some research I've been involved with over the past year or so." Three Polish hackers reverse engineered the PLC code of NEWAG Impuls trains that were locking up for arbitrary reasons. The manufacturer argued that this was because of malpractice by third-party workshops, and that they should be serviced by them instead. "We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops." Original article in Polish and translated to English.
posted by AlSweigart (46 comments total) 49 users marked this as a favorite
 
wow.... that takes all the John Deere fuckery and ups it in a special kind of hell way.
posted by drewbage1847 at 10:49 AM on December 5, 2023 [21 favorites]


CEO: “Increase services revenue by any means necessary! I have shareholders to delight!”

SVP owning the services PnL: “This Friday there will be an open bar for the controls engineering team. I want to get to know them better.”
posted by armoir from antproof case at 10:55 AM on December 5, 2023 [4 favorites]


I haven't even read the article yet but I was yelling "whoa! WHOA!" just reading the excerpt. Looking forward to this!
posted by inexorably_forward at 10:56 AM on December 5, 2023


Now I'm reading it and I'm still yelling
posted by inexorably_forward at 11:03 AM on December 5, 2023 [16 favorites]


Me: "That's a really shitty thing for a manufacturer to do to expensive PLC-controlled model train locomotives."

The article: "These are real, full-sized passenger trains."
posted by RonButNotStupid at 11:03 AM on December 5, 2023 [50 favorites]


This is the sort of shit I would expect Lex Luthor to do in a Superman comic from the 80s.

Congratulations, you've reached actual cartoon levels of villainy.
posted by The Pluto Gangsta at 11:23 AM on December 5, 2023 [24 favorites]


Seriously evil behavior by that train company. I hope the government comes down on them, hard.
posted by grumpybear69 at 11:24 AM on December 5, 2023 [5 favorites]


So, somewhere in the world there is a shittier, more broken LRT than the one in Ottawa? But they had to do it on purpose?
posted by jacquilynne at 11:24 AM on December 5, 2023 [7 favorites]


After reading this, I am not sure any kind of commercial fuckery will surprise me. Hats off to the tech wizards who figured out the problem after, what, hundreds of hours of work? Great post!
posted by Bella Donna at 11:26 AM on December 5, 2023 [7 favorites]


Yeah except if it was Lex in a cartoon when Superman caught him (presumably with Superhacking) he'd be arrested and sent to jail.

Here it seems, unsurprisingly, that no laws were broken and at absolute best there is the possibility of a contract lawsuit that the company might win depending on how cleverly they wrote the contract.

If you saw THAT in a comic you'd have thought it was over the top leftist propaganda.

"I've got you now Luthor, we found out you've been rigging Lexcorp trains to stop working if they're serviced anywhere but Lexcorp!"

"So? The contract says that in the carefully worded microprint on page 926. And even if a court finds me in breach of contract the penalty will be a fraction of my profits. Now scram Supes, I'm busy."
posted by sotonohito at 11:29 AM on December 5, 2023 [19 favorites]


"I hope the government comes down on them, hard."

Apparently, the Polish government's position is that it is legal. I'm pretty skeptical about that within a EU framework.
posted by tavella at 11:53 AM on December 5, 2023 [3 favorites]


the Polish government's position is that it is legal

briefcase_stuffed_cash.gif
posted by CynicalKnight at 12:05 PM on December 5, 2023 [10 favorites]


I could see the train accidentally disabling itself when it shouldn't, during operation, and a bunch of people are hurt or are killed, as a result. Either programmer error or malicious third-party tweaking the Newag locks, or even problems caused by removing the locks. Contract minutiae aside, some government officials would probably do well to talk with an executive or two to disable this project.
posted by They sucked his brains out! at 12:29 PM on December 5, 2023 [1 favorite]


Here it seems, unsurprisingly, that no laws were broken

Surely it’s at least fraud to secretly cripple your own products to deceive your customers?
posted by star gentle uterus at 12:38 PM on December 5, 2023 [4 favorites]


First they came for the John Deere tractors, and I did not speak out because I was not a farmer.
Then they came for the Polish light rail, and I did not speak out because I was not a Polish commuter.
Then they came for the McFlurry machines, and I was like: "Seriously? Fuck you guys!"
posted by The Bellman at 12:39 PM on December 5, 2023 [27 favorites]


The Polish government statement appears to be saying it's a civil matter (breach of contract for supplying a defective train) rather than being a regulatory or criminal matter.

(I'm reminded the Polish Central Bank currently has a giant banner on their building that says "everything we do is within the law")
posted by grahamparks at 12:46 PM on December 5, 2023 [6 favorites]


Surely it’s at least fraud to secretly cripple your own products to deceive your customers?

Grand Trunk Railroad.

We'll help you party it down
We're an American band.

posted by clavdivs at 12:52 PM on December 5, 2023 [2 favorites]


Apparently, the Polish government's position is that it is legal. I'm pretty skeptical about that within a EU framework.

the recently outwent PiS government would have given two shits for the EU framework; Tusk might be a different story.

no doubt enterprising reporters will be reexamining the awarding of the contracts to supply these trains
posted by chavenet at 12:59 PM on December 5, 2023 [3 favorites]


If any of those trains are being sold outside Poland at all, then it will become an EU matter. Possibly even if they're just being taken on tracks outside of Poland.
posted by hippybear at 1:35 PM on December 5, 2023 [2 favorites]


Surely it’s at least fraud to secretly cripple your own products to deceive your customers?

That would depend on the contract they signed, wouldn't it?

For example did you know that Amazon, under certain circumstances, is entitled to up to 10% of the refund when a returned package was shipped with Prime free shipping?

It's not of course, but you don't know that because you never read the full terms and conditions.
posted by Tell Me No Lies at 1:35 PM on December 5, 2023


The Polish broke the Enigma machines in WWII. I'm not surprised that a bunch of Polish hackers could figure this out.

Back in the early 80s my boss instructed me to put a “kill switch” into software in case a customer tried to run it on someone else’s hardware. Customers had signed a contract saying they wouldn’t.

I made sure I had a signed memorandum telling me to do that.

I hope the software guys who wrote the original code got something in writing from the people who told them to do it to protect themselves from being made into scapegoats.
posted by jvbthegolfer at 1:43 PM on December 5, 2023 [4 favorites]


I hope the software guys who wrote the original code got something in writing from the people who told them to do it to protect themselves from being made into scapegoats.

I'm sure the company has some B.S. explanations ready to go.

"The shop GPS details are in there as a safety measure so the train won't ____ while undergoing service."

"The software was designed to shut down the train if certain maintenance procedures were not done on schedule as further wear on the parts would damage the entire system."

"Naturally we had monitoring software that relayed use and performance data back to our servers. You explicitly signed up for that in the contract."
posted by Tell Me No Lies at 2:08 PM on December 5, 2023 [2 favorites]


No denying, lawful evil is best evil
posted by DeepSeaHaggis at 2:09 PM on December 5, 2023 [6 favorites]


In fact, this whole thing is just a big misunderstanding. The extensive failsafes we put into the system merely malfunctioned. We're terribly sorry about that.
posted by Tell Me No Lies at 2:10 PM on December 5, 2023


Great post, very interesting. Thank you.
I hope that the executives involved are given jail sentences and major financial penalties.
posted by Dr Ew at 2:18 PM on December 5, 2023


Technically Tusk is getting sworn in on Tuesday. Due to procedural shenanigans and giving the outgoing party time to shred documents and give themselves raises that affect their severance payments, Duda and Morawiecki have been pretending for the last fifty days that PiS can bribe enough MPs to scrape together a majority. That's scheduled to go down in flames on Monday, seeing as PiS has lost every parliamentary vote for a month now.

I'd bet at least a month, probably closer to three before changes reach the train regulator though the current chairman is actually pretty competent. In this case he's saying that he has no clear line of attack, but the train buyers certainly do. Especially since with Tusk in charge EU funds will get unblocked including the Reconstruction Facility with funding for roughly 300 new trains that have to be delivered until end of 2026. Guess what provisions will be going into the Terms of Reference.

I work in a train adjacent field and believe it or not, Newag is actually the less shitty Polish train manufacturer. Pesa is an even worse shitshow, perennially skirting bankruptcy and failing to deliver in both schedule and quality. Polregio, the biggest regional railway operator, has just finalised a big framework contract with both Pesa and Newag plus two others for hundreds of new trains with the provision that after the warranty period servicing will be in house - it wouldn't surprise me if the fact this hack surfaced right now is timed to make sure Newag gets a smaller slice of that cake.
posted by I claim sanctuary at 2:48 PM on December 5, 2023 [24 favorites]


If any of those trains are being sold outside Poland at all, then it will become an EU matter.

Poland's an EU member so it's an EU matter from the get-go. It's just that the outwent government tended to put its fingers in its ears and go "la la la we can't hear you" whenever EU policy went against their (often batshit insane) plans. It's why the EU funds I claim sanctuary mentions are waiting for Tusk to be sworn in before they come rushing in. Here's a potted version of the current situation: Europe Waits for the New Polish Government
posted by chavenet at 2:57 PM on December 5, 2023 [10 favorites]


As absolutely shitty as this is in every possible way, I'd be very surprised if any law has been broken. I have no doubt this 'functionality' is included in something or other that forms part of the purchase contract and the railway operator (or whoever it is that buys trains) either was or should have been well aware of it before signing. I can see all sorts of risks involved in this behaviour (eg a train suddenly coming to a halt on a busy network at peak time causing a collision), but none of those risks are going to come back on the manufacturer because they covered their arse in the original contract that nobody read properly.
posted by dg at 4:24 PM on December 5, 2023 [2 favorites]


This is the sort of shit I would expect Lex Luthor to do in a Superman comic from the 80s.

One time Lex tried to kill Lois Lane because she was writing a story about him on a LexCorp computer, and the computer contained malicious programming that detected when anyone was using his name

He also tried to destroy Metropolis
posted by Ray Walston, Luck Dragon at 4:35 PM on December 5, 2023 [2 favorites]


One of the side-effects of Capitalism's end-run around regulation is the worldwide need for a staggering number of "I can't believe we need to fucking spell this out" laws.

Like, for instance:

"I can't believe we need to fucking spell it out that you shouldn't put a kill switch into national infrastructure in order to maintain your monopoly"
posted by tigrrrlily at 8:05 PM on December 5, 2023 [13 favorites]


If Russia did this, there'd be hell to pay.

There should still be hell to pay.
posted by ChurchHatesTucker at 8:22 PM on December 5, 2023 [2 favorites]


Surely it’s at least fraud to secretly cripple your own products to deceive your customers?

No, what's criminal is for those customers to defeat any protection measures you've put in place to keep your products crippled.

See also: BMW heated seats.
posted by flabdablet at 9:28 PM on December 5, 2023 [6 favorites]


After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.
Yep. There it is. DRM for trains, baby!
posted by flabdablet at 9:36 PM on December 5, 2023 [6 favorites]


I heard there was a secret code
That stops a train with all its load
But you don't really care for transport, do ya?
The DRM it flicks a switch
The wheels all stop, there's been a glitch
The driver doesn't have a clue, yeah
They hacked you, dear
They hacked you, there
They hacked your train too, oooh, yeah

posted by prismatic7 at 10:20 PM on December 5, 2023 [13 favorites]


So they... reverse engineered the Polish notation?
posted by BiggerJ at 1:42 AM on December 6, 2023 [3 favorites]


One of the smartest people I've ever met in my life, like one of the few people I would consider an actual genius always told me to get into programming PLCs. That it's "the world will always need this unless we're reduced to rocks and clubs" sort of knowledge and skill to have.

I cracked up reading this because god, he's so right.
posted by emptythought at 1:56 AM on December 6, 2023 [3 favorites]


As a reverse engineer myself, reading stuff like this always makes me feel that there is a need for some kind of independent, non-profit organization that reverses stuff for the public good. It's investigative journalism, basically. But the problem, as usual, is that there isn't a good way to fund such an organization. Ideally it would be subsidized by the government, but I don't see most governments being interested in supporting an outfit that might stick their noses into their software.
posted by destrius at 4:13 AM on December 6, 2023 [4 favorites]


Worse shit like the DMCA can make it illegal to even try.
posted by Mitheral at 5:31 AM on December 6, 2023 [1 favorite]


I hope the software guys who wrote the original code got something in writing from the people who told them to do it to protect themselves from being made into scapegoats.

All having a signed memorandum does is spread blame around. It's not really a defence and in fact it points to premeditation that you were aware you were doing a bad.
posted by srboisvert at 6:06 AM on December 6, 2023 [2 favorites]


The word you are looking for is not fraud, it's sabotage.

It's no different to a tyre manufacturer going round slashing people's tyres so that they'll buy new ones. And then trying to frame their competitors for their own criminal damage.
posted by automatronic at 7:19 AM on December 6, 2023


Clearly, if an independent tyre repair shop doesn't have access to the secret API keys that are required to keep the inbuilt auto-slash feature inhibited while balance weights are being relocated, they're simply not competent to work on our safety tyres and it would be a disservice to the public to let them.
posted by flabdablet at 8:31 AM on December 6, 2023 [7 favorites]


> Ray Walston, Luck Dragon: One time Lex tried to kill Lois Lane because she was writing a story about him on a LexCorp computer, and the computer contained malicious programming that detected when anyone was using his name

*** Elon42069 has entered the chat
posted by mhum at 12:35 PM on December 6, 2023 [2 favorites]




Wow. Usually corporate entities have at least the rudimentary self awareness to know that arguing A and Not A in the same sentence is bad PR. They have no shame or honor or concept of right and wrong, but usually the PR people stop things from being quite so nakedly self contradictory.

"We didn't put in code to shut down the trains if anyone other than us serviced them, also bypassing the code we put in to shut down the trains and stop other people from servicing them is very very dangerous"

Like, dang.
posted by sotonohito at 11:17 AM on December 13, 2023 [1 favorite]


The prosecution office (I guess the equivalent of a DA in US terms) is investigating now, but that doesn't mean they'll decide a crime was committed until charges are brought. The government just changed like today and firing the head of the Agency for Internal Security - the guy who filed the notice of possible crime with the prosecution office - is already in motion. I suspect we won't know how this shakes out for at least a year, the new Minister of Infrastructure has a whole forest fire of more urgent conflagrations to put out first.

Incidentally, Newag might be a prime target for a false flag thing because it's the main rival of the state owned, many-bankrupted PESA. Newag just did the impossible and delivered 8 new trains in Gdansk literally nine months since the contract was signed (delivery by end of the year was necessary to save a sizeable EU grant). So I'm reserving judgement.
posted by I claim sanctuary at 11:40 AM on December 13, 2023 [2 favorites]






This thread has been archived and is closed to new comments