Misleading title: SIEMENS Mobility is looking for said Windows 3.11 admin. NOT the German Railway
Deutsche Bahn is the circus and Siemens in this case the clowns.
Clown Siemens, you say?
If the system can’t run perfectly on its own by now… I can teach them how to play the snakes game on it.
Legacy hardware and operating systems are battle tested, having been extensively probed and patched during their heyday. The same can be said for software written for these platforms – they have been refined to the point that they can execute their intended tasks without incident. If it is ain’t broke, don’t fix it. One could also argue that dated platforms are less likely to be targeted by modern cybercriminals. Learning the ins and outs of a legacy system does not make sense when there are so few targets still using them. A hacker would be far better off to master something newer that millions of systems still use.
Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity. Wtf is this drivel?
Simple solution: Don’t connect it to the Internet. Hackers hate this one weird trick.
And said trick ends when an attacker manages to socially-engineer their way in. (But maybe they’ll drop floppies instead of flash drives around the block this time)
You really think that infrastructure IT is dumb unless it can brush off a Stuxnet-like attack by the CIA and Mosad? Most RR traffic signals in the US are run with mechanical logic, physical switches connected to circuits closed by steel wheels on steel tracks. Do you really want a “move fast and break things” tech bro to update all this stuff for us?
All kinds of infrastructure uses ancient software because it’s reliable. Updating it just to protect from hackers causing damage is likely to cause that damage unintentionally while doing little to protect from hackers anyhow.
It must be updated sometime or risk being archaic and unmanageable. Chances are high they are paying insane amounts for those legacy mechanical switches you mention.
The actual logic is usually very well portable to a more modern ecosystem.
Or these companies could pay to train (no pun intended) technicians to learn the systems they’d like to maintain. No matter how old they are.
Until entropy comes for the actual hardware (assuming they won’t invest in remanufacture or production of replacements). Re-engineering a successfully working system is more costly and might result in worse outcomes, especially in the near term.
Often these system rely on old components which are just not made anymore.
People don’t design every switch, computer and chip themselves. They buy whatever mainstream stuff is available at the time and combine it into a system
If you want to resupply those old parts you literally need to search Ebay to buy some weird outdated 2nd hand MSDOS PC to put in your “awesome reliable railway system”.
Upgrading at every new whim is of course bad, but once your system reaches legacy age it’s often necessary to fully overhaul and modernize it for the next ~15-20 years.
Every SCADA related cyber attack and incident has entered the chat.
Even if it’s archaic, a lot of these systems aren’t secure which can be done relatively easily and cheaply with things like basic firewalls and stunnel.
Akshually it was recently found that a spy from Holland I think penetrated a chip supply line and installed an infected chip which found it’s way into the centrifuge network
uses ancient software because it’s reliable
HAHAHA!
I just have to laugh at that idea, since I’ve been using computers since the days that those OSes were in common use. Reliable is not what I would call a lot of that old stuff for sure.
The bottom line is that ancient software will likely have ancient security vulnerabilities that would be trivial to exploit and take over or destroy those systems. It’s not good.
They could socially engineer their way in regardless of some machine being MSDOS or not. Basically if they can gain physical access to the device, or convince somebody to do something with the device it hardly matters what it was running since it can still be compromised.
Sure, but how likely is this in this specific scenario. We’re talking about a system that’s not even directly controlling the train but just a display on it. The worst that can happen is that those displays won’t work until the system is reinstalled. That’s hardly a lucrative target for modern hackers. There’s way easier target which are worth something.
I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.
Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.
Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?
All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.
It really depends if these systems (that appear to control arrival boards) are on a network or not. If they’re not, then there is minimal risk to leave them the way they are. Somebody would need physical access to the devices to do harm. If they are on a network then that’s a pretty big deal, but some attacks could be mitigated against by tunnelling and/or additional packet filtering to ensure the integrity of messages.
Continuing on a railway theme you should be FAR more worried all the devices that run up and down the side of railway lines - PLCs that talk with each other and operations centres to control things like lights, junctions, crossings etc. If they’re more than 5 years old then chances are then all that traffic is in the clear, and because these things live in boxes by the railway line, it wouldn’t take much to break into a network and potentially kill people by running two trains into each other.
the job was advertised as being remote…
The job might be remote, doesn’t mean the system is remote. For all you or I know they want somebody to reverse engineer the protocol of this thing, which could be some weird board & driver that hooks into an old PC so they can switch it out for something else.
It’s in the job description, remote access is available via a repurposed laparoscope robot and webcam placed in front of the original terminal keyboard and CRT
I think you are pulling my leg… But if that’s true that’s super cool.
A remote KVM through a portal would be the actual way an air gapped system would be accessed, yeah… Spoofing ps/2 or Din with a teensy would probably be needed to use new hardware for the KVM. Maybe a SFF PC with an analog input capture card…
Well yes. You can code software remotely. That doesn’t mean the end system is reachable through the network. Given it’s DB, I bet these systems are still patched by floppy. Until very recently they’ve used floppy’s to distribute train schedules to be displayed in the train.
Exactly. And these things are on an internal bus network, but they are not connected to the internet.
they can execute their intended tasks without incident
Now if only the Deutsche Bahn could do that too
Lmao they don’t know all the exploits people learn first are the brutally insane and easy stuff that works on outdated machines like heartbleed and eternal blue.
What exactly is the issue? Everything mentioned is true.
It even goes further when you consider how newer technology often incorporates more technology, which means a greater attack surface.
Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity.
Oh, the ironing. Sad how you have >100 upvotes.
Not sure how to link a reply on lemmy so I’ll just copy from another comment I wrote here:
I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.
Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.
Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?
All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.
The “ironing” is lost on you in this case.
Cybersecurity != Safety Critical
It is when safety-critical systems are the target of a cyberattack.
Doesn’t sound like this system is safety critical. You should be more worried if some hacker can change train signs from stop to go. If you ever ride on a train and see steel boxes by the side of the track, those are control systems and they run up and down the line. They might be locked, or possibly alarmed but that’s about the extent of their protection. A simple attack would be to just take an axe to one, or set fire to it. A more sophisticated attack could snoop on the profinet traffic and do something evil.
The author’s grammar
rammarisnt that great as well. Those typos can be should have been catched easily by the spellcheck.Edit: Including me :p
The author’s rammar
Finally caught a *grammar cop doing a typo in the wild. Pure joy.
“catched”
can be should have been
Love typing on the phone :p
Yeah, that’s totally on me.
Yeah, Techspot is pretty trash
Ooh, someone is about to make BANK!
Some retired old fart who can’t be bothered to learn fancy-schmancy Web 2.0. Rock on like it’s '93
Or a middle-aged fart who did learn new stuff but remembers the old stuff too
Web 2.0 was a mistake.
Bring back Pets.com
They’re gonna party like it’s 1989
Celebrating Ceaușescu’s death? /j
Why would someone make a lot of money from this?
Supply and demand. The people that have a lot of experience with those systems are retired or should be retiring soon.
Supply is pretty low. So they can demand higher pay.
DB’s demand is pretty strong. If those systems go down, trains don’t run, and that costs them millions.
It’s cheaper to pay someone a lot of money vs having their systems fail.
Imagine both the annoyance and job security having to manage MS-DOS and 3.1 systems for a railroad would entail.
I would love it so much. I’d feel right at home. I miss sitting in my room and learning everything I could about DOS. That was the best time I ever had with computers.
I once built, setup, and maintained about 20 computers for a Christian school for free just because I loved doing it so much.
I wish I still had that enthusiasm for tech.
Me too.
In high school, there was a kid who was always trying to make money. Like even then, he wanted his own business. In fact he had a couple small ones back then.
One of his endeavours was massive LAN parties. He had the capital to rent spaces, hardware, and was even able to get sponsorships.
He did not have the tech chops to do it though.
Myself, and one circle of friends were THE computer nerds of the school, but it wasn’t really seen as a negative for us - then again we did orchestrate a “free day” and got away with it by taking down the schools network from inside and one person had a loud fucking mouth, but we covered our tracks.
Anyways, we got in free to these LAN parties as long as we set up and maintained shit. Surprisingly very few problems, about once a LAN party we had to fix something. And it was useful experience.
That shit was fucking amazing. I loved it.
I got home from work. Wife works from home. She has had an ongoing tech issue I can’t really touch because it’s that companies property. But I just don’t want to hear it. At all. I’m dead inside in that regard.
It’s gotten so bad that I had an issue with my gaming rig.
I needed to reseat the RAM. Not hard, except the case is mounted on the wall as a display piece that would require moving a bunch of shit before getting a ladder and yada yada.
I just didn’t game for three days. Just could not muster the energy to care about that. I hate it.
God, I feel that so much. Even with my Steam deck, if it requires too much tweaking I’ll ask my kid. If she’ll do it, great. If not, I’ll find something else to do.
People burned me out so bad. Everything they did was somehow my fault. Every relative I had called me constantly about silly problems. “My whole quickbooks is deleted. I had it on my desktop and now it’s gone!” “Ok, so I copied excel from my desktop onto usb drive and it won’t open on my other computer. The icon is there but it just won’t work. Oh, well I don’t see why not! It works fine when I click it on the other one!”
One time a guy brought me his laptop to repair. I repaired it and got the $75 bucks I charged. More than a year later I got a call, “Lithen, I don’t know what you did to my laptop, but it hathen’t worked, like, for crap, thinthe you worked on it.” I said, “ok bud, I’ve worked on hundreds. Which one was yours?” I asked him to download TeamViewer, went to his control panel, seen a pile of bullshit crapware he had recently installed, told him to kiss my ass and take it to “thomeone elthe”. I shouldn’t have made fun of his lisp, but I was ready to implode from the crap at that point.
People call me now and I play dumb and act like I just haven’t kept up with the changes. I. Hate. Computers.
And I fucking hate that, because I loved them so much when I was younger. It was like exploring a whole new universe.
Frankly that’s nothing. In the worst case a train won’t start, which for DB really isn’t something unusual. It’s far more disturbing how the whole global financial market sometimes rely on code that’s still written in COBOL.
rely on code that’s still written in COBOL.
Does this really matter? It’s more of a maintenance issue than a functional one.
It all gets compiled down to binary, anyways.
it matters because it is a language that few people learn, so the available talent is scarce, increasing the chance something bad happens. Keeping up with an evolving society is essential for the longevity of a service
the available talent is scarce
I have a friend who is going to take over maintenance for a smaller regional banking system in a few years. It’s mostly COBOL and the systems themselves have not been updated in like 25-30 years. He has been apprenticing under his mother who has been in charge of maintaining the infrastructure there since the late '80s.
Well it matters when it comes to replacing ageing programmers with very few options available. It’s definitely not something taught in schools today, so one has to be very deliberately learn it.
Don’t get me wrong, you can make a lot of money in such a position. But you also have to deal with COBOL.
Well, DOS is open source now. And that old hardware was quite reliable. Fewer moving parts, I’d expect fewer things to break.
Only MS-DOS 1.25 and 2.0 are open-sourced under MIT license, anything newer is not. These versions were pretty bare-bones, only DOS 2.0 implemented directories for example.
Unless you mean FreeDOS, which is an open-source DOS-based operating system, which generally should work with any DOS programs/games, but it still may not be 100% compatible with some proprietary software.
Yes, meant FreeDOS, and older versions of DOS. Can’t say I had issues with FreeDOS. But then again, it’s not like I use it daily.
As a young person who loves legacy software - sign me up!
We’re maintaining and developing OpenVMS OS, and both we and our customers need Cobol, Fortran, and other half-dead languages coders.
Many large companies maintain their old systems and use them for production or data processing purposes. Sometimes it’s too expensive to migrate off, but im many cases “it just works”deleted by creator
I work primarily in a Long Tail language (languages don’t die, but they have a long tail where usage slowly creeps away). I tell the business that we could ultimately solve all the problems with the platform except for one: finding new programmers to hire for it. That’s what will ultimately force us to migrate. Doesn’t have anything to do with cost or ability to take on new features or handle new ways of doing things.
deleted by creator
I feel this way about mainframes sometimes too, I had a class in mainframes but we weren’t really taught about job options or where they still fit in the industry.
Isn’t pretty much all airport scheduling based off software from the 80s or something?
Edit: Found a video about it.
Why change what isn’t broken, right?
I’ve worked in that area. It was broken back in the 90s and I doubt the crusty old parts of the system have gotten any better. I was tasked with writing a more modern wrapper for part of the legacy system, and when I asked for documentation I was told they had literally nothing to give me.
I was just an intern at the time so maybe someone with more clout could have gotten sometime to dig in a forgotten closet for old technical docs, but it still strikes me as a very bad sign when technical docs for a system every agent uses all day every day aren’t immediately available on the company’s intranet.
That’s the thing though, it is.
Probably! APOLLO and SABRE and stuff look ancient.
And in many cases if it gets replaced it’s for a system that looks fancier but actually has more problems than the original… See Phoenix for the Canadian government employees pay.
You mean I can use my decades of Fortran knowledge somewhere?! If I could get a wfh position in about 3 years, that’d be awesome.
If you actually do have decades of fortran experience, work for NOAA. Their weather models are mostly fortran and they need engineers. Specifically the NOAA EPIC contract that i worked on previously definitely needs people knowledgeable in fortran and was 100% work from home. Feel free to DM me if you want more details.
I’ve seen those postings and some executive is living in dreamland thinking they can hire someone to do that for $25/hr.
My bosses tried to ask me if I knew anyone the could hire for a full time position at a hospital. I ask for more details and eventually they relent because they aren’t having any luck on indeed/craigslist/temp recruiter.
It’s a 24 hour on call position for ‘up to’ $55,000 to be the sole IT staff for a 100 bed hospital in upstate NY.
I literally laughed at them, but they seem to insist they are gonna find someone to take the job.
I actually think the job isn’t even legal as described.
Hahahaha, what a joke.
Sorry, not interested in 24hr on call until they start talking $100k+. That’s asking a lot of someone.
Sounds like they need multiple staff, actually. You can’t do on-call without having a rotation. What happens if Bob gets hit by a bus? This tells me all I need to know about them. Typical SMB “leadership”, they lack any concept of managing systems - be it IT, finance, mechanical, whatever. All systems have their management models.
Fucking delusional pricks.
With those requirements I would expect $500k with 6 weeks paid leave. What a bunch of clowns.
Such things make me angry. LoL
It can be viewed as a success. A bridge or building that only lasts five years wouldn’t be considered successful, especially if it took monumental effort to make it in the first place. For some reason, we don’t value that in software.
I wrote a Classic ASP app in 1999 that placed a web UI atop a mainframe application that dated to the late '70s and allowed easy navigation of really enormous data structures. I learned last year that it’s still in use at that company; amazing not just because my code is still around but because that fucking mainframe code is still running.
both we and our customers need Cobol, Fortran, and other half-dead languages coders
Visual Basic? (fingers crossed)
Do I get to move to Germany for this?
You might, actually. Provided there is no available EU applicant.
There are probably many people in Japan with this skillset given that they’re only now getting off disks for certain government processes.
There’s lots of people all over the world in their 30s and 40s and older with this experience.
Not particularly, based on my experience. Now, if you want AS/400 people and such…
I used AS400 at a financial company I used to work out. You could almost pretend that you were in Fallout.
The article itself says the listing has been removed :(
AND you get to enjoy the DB Verspätungen all the time! Possibly even cause them!
Better hope those systems are not network enabled
They’re probably still running on their own Netware network. Is there still Win16 compatible malware going around?
Johnny Castaway can live on at least.
Don’t forget MOPY ;)
Hey, I have a wall-mounted tablet that runs Johnny all the time. My 5-year old loves him.
Nice. Mine runs on top of the fish tank on an old netbook. What sort of tablet?
Nice :)
Just some cheap, cheap 10" Android tablet (which runs Dosbox). I had bought a few to use as HA controllers around the house but that didn’t really work out well. But great as digital photo frames and as the Johnny player.
If it’s in a current metasploit package you can be sure that someone is scanning the IP at some point.
So say we all.
Remote? Do you connect yourself over telnet or what?
SSH to a KVMoIP or IPMI?
BMC is doubtful, other sources indicate that the hardware is from 1996, so it’s not just old software. So I’ll guess a KVMoIP device is bolted on (probably a relay on the power input, VGA, USB for keyboard and ‘floppy’ (Win3.11 was well before USB, but the hardware from 96 may have USB and the BIOS would likely make it viable for a DOS to use it).
10/10 would install Doom on it.
deleted by creator
Use railroad switches as logic gates and trains as binary information?
Tbh I think people would understand why it had to be done.
Not gonna lie, part of me wants to relive the SoundBlaster and DOS extenders era and watch stuff with QuickTime. Tinkering with config.sys and autoexec.bat was quite fun back then.
Was it really FUN or is it not just nostalgia? I would not reaaaally want to fiddle with the autostart-crap again. It often took soooo long. Even with those auto-optimizers…
I am so happy not to have to mess with that. LOADHIGH agony.
So do you want EMS or XMS this time? I’m sorry, you had too many TSRs, you can’t run X-Wing now…
Damn, should I load the mouse driver or the CD-ROM driver? If I load both, I can’t run strike commander!
With dos 5.x I started creating some fancy auroexec menu at boot that switches between several configurations depending if I wanted to run windows, need a lot of xms or a big chunk of Ems (640k was NOT enough for everything).
It was somehow fun.
But at least, if something is not working, it was entirely your fault. Now? It’s probably windows update who fucked up something you desperately need right now.
That’s a good point, yes. At least we knew what fucked up. Today you can’t. It’s too much and too complex. And nearly nothing is under your direct control anymore. Only android or ios are doing it worse and take all of your controls away.
just nostalgia
Surely mostly nostalgia. But I do remember feeling a sense of accomplishment whenever I managed to run a game and get the sound working 😅
Why use MS-DOS? Why don’t we just re-write it in Rust?
Edit: I should have mentioned /s in my comment. It’s never a good idea to rewrite a mission-critical software.
The fact they’re still running on dos is a clue that either they can’t figure out how to upgrade or they don’t want to upgrade or they simply won’t allocate the budget to upgrade.
It generally boils down to money. Shops like that are toxic. They somehow don’t have the budget to keep their business afloat, means you’re not getting a raise.
If you take this job, you’re obsolete. Getting the next job will be tough. You’re interview at the next potential role what did you do at your current role? I ran dos on 30 year old machines. Interviewer: I’m sorry, but we need someone with experience in Windows ME.
If you take this job, you’re obsolete. Getting the next job will be tough.
There is a meme that COBOL programmers still make bank to this day because no one learns COBOL and old enterprise systems run on COBOL. How much of this is true?
We should just re-implement DOS in Rust and call it RS-DOS.
DROS (DISC and Rust based Operating System)
You think the existing system is documented?
It’s going to be a mess of things written in 6 different languages, magic numbers all over the place. Unit tests? Predates all that. Even if you tried, the first you’ll know about an error is when you turn the news on and there’s two trains upside down and on fire.
Migrating to FreeDOS might be feasible for them.
At least it’s not windows 8.
Sign me up if you’re paying $300k+
lmao, 60k eur tops. wages in Germany suck ass, earning at least something is possible if you are running independent consulting or climbing corporate ladder, having some unique expertise or going extra mile as an employee is pretty much pointless.
How much of that 60k is left after taxes? Is it enough to live on, or buy a home, or buy a home and support a family, or none of the above?
EDIT: Thanks for the responses everyone, very informative and interesting. That’s the kind of perspective that may not often be shared and helps understand costs of living.
For the Deutchlanders wondering about the USA’s taxes and my question… 60k would be enough to live on in most of the USA but might not be enough to buy a home or raise a family. But it’s highly dependent on your area’s cost of living, and the USA is massive with many different areas and tiers of costs of living.
My example for tax costs: I make more than 60k and I only had to pay about 20% of it to taxes and retirement for 2023, in the USA. In my low cost of living area, 60k would be enough to buy a house and support a family but it would have to be on a very frugal budget. I bought my house when I was making about 45k but my spouse also had an income of almost that much.
Depends extremely on where you live. In Bremen you will be fine, in Schwerin you will be comparably wealthy, in Munich you might have to start collecting bottles on the street for some extra money.
Assuming single with no kids, you’d get:
Gross 60.000,00 €
Net 37.209,78 €
Taxes 11.262,97 € (includes 929,97 € church-tax that you can get rid off by leaving your church)
Pension insurance 5.580,00 €
Unemployment insurance 780,00 €
Health insurance 4.847,85 €
Long-term care insurance 1.249,37 €
Those are all the compulsory insurances.
Having a partner in marriage who earns less than you and / or children will increase your net.
For the average German in your average City that’s somewhere between just short of wealthy and wealthy. There are poorly paid IT specialists who earn gross what you would take home net. It’s definitely enough that you can live quite good if your significant other works too and more than enough to raise a family. The median household income in Germany is 42k gross.
Also remember this is only the employee side of what you cost your employer, because they’ll have to double up your insurances, so you would cost them 75k a year.
35 to 40k (if your spouse is choosing tax class with a higher rate) after taxes or around so, depends on many factors - German tax code is complicated.
Is it enough to live on
Generally - barely above “paycheck to paycheck” level, but highly depends on location. In Munich you’ll be fucked with this type of salary.
or buy a home
lmao no. Houses are mainly for older and retired people or rich, vast majority of active workforce are apartment renters, more fortunate ones were able to save/get help from relatives for mortgage. Total home ownership rate in Germany is 46.7%, lowest of all OECD countries - and that’s including older people who got their homes during better economic times. Neat trick about Germany is that you have to have both stable job at big company and a lot of cash on your hands to cop a mortgage, since 20% downpayment + taxes/fees and other bullshit that run at around 10% of the total price make good barrier.
buy a home and support a family
Not really, adults in the household have to work, 60k is not ‘breadwinner’ type of salary at all. In general, tech workers aren’t special in Germany, if not for US companies branches they’d be earning the same as everyone else and in many industries (like transportation), where pressure from international market is not present that much, they still do.
It was good while it lasted, but Germany is heading into some pretty interesting times in general, younger population is absolutely fucked.
60k is about 30-35k after taxes and mandatory insurances, depending on your tax class (Single, Main earner in a marriage, …). Your questions: Yes if you’re not in a particular expensive town., No, unless you’ve got huge savings or an inheritance. Depends on what you want for your family - you might get by well if you’re living in a LCOL area, otherwise… Not so much.
That’s really fucking cool, if you ask me.