Misleading title: SIEMENS Mobility is looking for said Windows 3.11 admin. NOT the German Railway
Legacy hardware and operating systems are battle tested, having been extensively probed and patched during their heyday. The same can be said for software written for these platforms – they have been refined to the point that they can execute their intended tasks without incident. If it is ain’t broke, don’t fix it. One could also argue that dated platforms are less likely to be targeted by modern cybercriminals. Learning the ins and outs of a legacy system does not make sense when there are so few targets still using them. A hacker would be far better off to master something newer that millions of systems still use.
Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity. Wtf is this drivel?
Simple solution: Don’t connect it to the Internet. Hackers hate this one weird trick.
And said trick ends when an attacker manages to socially-engineer their way in. (But maybe they’ll drop floppies instead of flash drives around the block this time)
You really think that infrastructure IT is dumb unless it can brush off a Stuxnet-like attack by the CIA and Mosad? Most RR traffic signals in the US are run with mechanical logic, physical switches connected to circuits closed by steel wheels on steel tracks. Do you really want a “move fast and break things” tech bro to update all this stuff for us?
All kinds of infrastructure uses ancient software because it’s reliable. Updating it just to protect from hackers causing damage is likely to cause that damage unintentionally while doing little to protect from hackers anyhow.
Sure, but how likely is this in this specific scenario. We’re talking about a system that’s not even directly controlling the train but just a display on it. The worst that can happen is that those displays won’t work until the system is reinstalled. That’s hardly a lucrative target for modern hackers. There’s way easier target which are worth something.
It really depends if these systems (that appear to control arrival boards) are on a network or not. If they’re not, then there is minimal risk to leave them the way they are. Somebody would need physical access to the devices to do harm. If they are on a network then that’s a pretty big deal, but some attacks could be mitigated against by tunnelling and/or additional packet filtering to ensure the integrity of messages.
Continuing on a railway theme you should be FAR more worried all the devices that run up and down the side of railway lines - PLCs that talk with each other and operations centres to control things like lights, junctions, crossings etc. If they’re more than 5 years old then chances are then all that traffic is in the clear, and because these things live in boxes by the railway line, it wouldn’t take much to break into a network and potentially kill people by running two trains into each other.
The job might be remote, doesn’t mean the system is remote. For all you or I know they want somebody to reverse engineer the protocol of this thing, which could be some weird board & driver that hooks into an old PC so they can switch it out for something else.
Well yes. You can code software remotely. That doesn’t mean the end system is reachable through the network. Given it’s DB, I bet these systems are still patched by floppy. Until very recently they’ve used floppy’s to distribute train schedules to be displayed in the train.
What exactly is the issue? Everything mentioned is true.
It even goes further when you consider how newer technology often incorporates more technology, which means a greater attack surface.
Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity.
Oh, the ironing. Sad how you have >100 upvotes.
Not sure how to link a reply on lemmy so I’ll just copy from another comment I wrote here:
I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.
Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.
Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?
All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.
The “ironing” is lost on you in this case.
Doesn’t sound like this system is safety critical. You should be more worried if some hacker can change train signs from stop to go. If you ever ride on a train and see steel boxes by the side of the track, those are control systems and they run up and down the line. They might be locked, or possibly alarmed but that’s about the extent of their protection. A simple attack would be to just take an axe to one, or set fire to it. A more sophisticated attack could snoop on the profinet traffic and do something evil.
The author’s grammar rammar isnt that great as well. Those typos can be should have been catched easily by the spellcheck.
Edit: Including me :p
The author’s rammar
Finally caught a *grammar cop doing a typo in the wild. Pure joy.
Ooh, someone is about to make BANK!
Some retired old fart who can’t be bothered to learn fancy-schmancy Web 2.0. Rock on like it’s '93
Supply and demand. The people that have a lot of experience with those systems are retired or should be retiring soon.
Supply is pretty low. So they can demand higher pay.
DB’s demand is pretty strong. If those systems go down, trains don’t run, and that costs them millions.
It’s cheaper to pay someone a lot of money vs having their systems fail.
Imagine both the annoyance and job security having to manage MS-DOS and 3.1 systems for a railroad would entail.
I would love it so much. I’d feel right at home. I miss sitting in my room and learning everything I could about DOS. That was the best time I ever had with computers.
I once built, setup, and maintained about 20 computers for a Christian school for free just because I loved doing it so much.
I wish I still had that enthusiasm for tech.
Me too.
In high school, there was a kid who was always trying to make money. Like even then, he wanted his own business. In fact he had a couple small ones back then.
One of his endeavours was massive LAN parties. He had the capital to rent spaces, hardware, and was even able to get sponsorships.
He did not have the tech chops to do it though.
Myself, and one circle of friends were THE computer nerds of the school, but it wasn’t really seen as a negative for us - then again we did orchestrate a “free day” and got away with it by taking down the schools network from inside and one person had a loud fucking mouth, but we covered our tracks.
Anyways, we got in free to these LAN parties as long as we set up and maintained shit. Surprisingly very few problems, about once a LAN party we had to fix something. And it was useful experience.
That shit was fucking amazing. I loved it.
I got home from work. Wife works from home. She has had an ongoing tech issue I can’t really touch because it’s that companies property. But I just don’t want to hear it. At all. I’m dead inside in that regard.
It’s gotten so bad that I had an issue with my gaming rig.
I needed to reseat the RAM. Not hard, except the case is mounted on the wall as a display piece that would require moving a bunch of shit before getting a ladder and yada yada.
I just didn’t game for three days. Just could not muster the energy to care about that. I hate it.
God, I feel that so much. Even with my Steam deck, if it requires too much tweaking I’ll ask my kid. If she’ll do it, great. If not, I’ll find something else to do.
People burned me out so bad. Everything they did was somehow my fault. Every relative I had called me constantly about silly problems. “My whole quickbooks is deleted. I had it on my desktop and now it’s gone!” “Ok, so I copied excel from my desktop onto usb drive and it won’t open on my other computer. The icon is there but it just won’t work. Oh, well I don’t see why not! It works fine when I click it on the other one!”
One time a guy brought me his laptop to repair. I repaired it and got the $75 bucks I charged. More than a year later I got a call, “Lithen, I don’t know what you did to my laptop, but it hathen’t worked, like, for crap, thinthe you worked on it.” I said, “ok bud, I’ve worked on hundreds. Which one was yours?” I asked him to download TeamViewer, went to his control panel, seen a pile of bullshit crapware he had recently installed, told him to kiss my ass and take it to “thomeone elthe”. I shouldn’t have made fun of his lisp, but I was ready to implode from the crap at that point.
People call me now and I play dumb and act like I just haven’t kept up with the changes. I. Hate. Computers.
And I fucking hate that, because I loved them so much when I was younger. It was like exploring a whole new universe.
Frankly that’s nothing. In the worst case a train won’t start, which for DB really isn’t something unusual. It’s far more disturbing how the whole global financial market sometimes rely on code that’s still written in COBOL.
rely on code that’s still written in COBOL.
Does this really matter? It’s more of a maintenance issue than a functional one.
It all gets compiled down to binary, anyways.
it matters because it is a language that few people learn, so the available talent is scarce, increasing the chance something bad happens. Keeping up with an evolving society is essential for the longevity of a service
Well it matters when it comes to replacing ageing programmers with very few options available. It’s definitely not something taught in schools today, so one has to be very deliberately learn it.
Don’t get me wrong, you can make a lot of money in such a position. But you also have to deal with COBOL.
Well, DOS is open source now. And that old hardware was quite reliable. Fewer moving parts, I’d expect fewer things to break.
Only MS-DOS 1.25 and 2.0 are open-sourced under MIT license, anything newer is not. These versions were pretty bare-bones, only DOS 2.0 implemented directories for example.
Unless you mean FreeDOS, which is an open-source DOS-based operating system, which generally should work with any DOS programs/games, but it still may not be 100% compatible with some proprietary software.
We’re maintaining and developing OpenVMS OS, and both we and our customers need Cobol, Fortran, and other half-dead languages coders.
Many large companies maintain their old systems and use them for production or data processing purposes. Sometimes it’s too expensive to migrate off, but im many cases “it just works”
I work primarily in a Long Tail language (languages don’t die, but they have a long tail where usage slowly creeps away). I tell the business that we could ultimately solve all the problems with the platform except for one: finding new programmers to hire for it. That’s what will ultimately force us to migrate. Doesn’t have anything to do with cost or ability to take on new features or handle new ways of doing things.
Isn’t pretty much all airport scheduling based off software from the 80s or something?
Edit: Found a video about it.
I’ve worked in that area. It was broken back in the 90s and I doubt the crusty old parts of the system have gotten any better. I was tasked with writing a more modern wrapper for part of the legacy system, and when I asked for documentation I was told they had literally nothing to give me.
I was just an intern at the time so maybe someone with more clout could have gotten sometime to dig in a forgotten closet for old technical docs, but it still strikes me as a very bad sign when technical docs for a system every agent uses all day every day aren’t immediately available on the company’s intranet.
I know for sure several airports are using OpenVMS, and there are more we don’t know about, as some companies keep running yheir stuff for decades not asking anyone for support.
And I’m sure There are multiple other old systems out there, it’s too hard to replace them.
And they work! Our VMS stuff runs great, it’s fast, and the uptime is measured in decades sometimes. So the problem is hardware: we rolled out the first production x86 version this year, so our users are fine (it’s still an issue of porting your software, but it’s not as terrible as building everything from scratch), but before that OpenVMS could run on Itanium servers at latest, and the platform was dying off since the beginning of 2000s, so it is a problem to find a normal replacement machine now.
You mean I can use my decades of Fortran knowledge somewhere?! If I could get a wfh position in about 3 years, that’d be awesome.
If you actually do have decades of fortran experience, work for NOAA. Their weather models are mostly fortran and they need engineers. Specifically the NOAA EPIC contract that i worked on previously definitely needs people knowledgeable in fortran and was 100% work from home. Feel free to DM me if you want more details.
I’ve seen those postings and some executive is living in dreamland thinking they can hire someone to do that for $25/hr.
My bosses tried to ask me if I knew anyone the could hire for a full time position at a hospital. I ask for more details and eventually they relent because they aren’t having any luck on indeed/craigslist/temp recruiter.
It’s a 24 hour on call position for ‘up to’ $55,000 to be the sole IT staff for a 100 bed hospital in upstate NY.
I literally laughed at them, but they seem to insist they are gonna find someone to take the job.
I actually think the job isn’t even legal as described.
Hahahaha, what a joke.
Sorry, not interested in 24hr on call until they start talking $100k+. That’s asking a lot of someone.
Sounds like they need multiple staff, actually. You can’t do on-call without having a rotation. What happens if Bob gets hit by a bus? This tells me all I need to know about them. Typical SMB “leadership”, they lack any concept of managing systems - be it IT, finance, mechanical, whatever. All systems have their management models.
both we and our customers need Cobol, Fortran, and other half-dead languages coders
Visual Basic? (fingers crossed)
Oh, I’m sorry man. I don’t know everything, I’m working there less than a year, but I only heard of VB a couple of times. In order of popularity it’s like: C, C++, Java, then everything else
It can be viewed as a success. A bridge or building that only lasts five years wouldn’t be considered successful, especially if it took monumental effort to make it in the first place. For some reason, we don’t value that in software.
I wrote a Classic ASP app in 1999 that placed a web UI atop a mainframe application that dated to the late '70s and allowed easy navigation of really enormous data structures. I learned last year that it’s still in use at that company; amazing not just because my code is still around but because that fucking mainframe code is still running.
