Misleading title: SIEMENS Mobility is looking for said Windows 3.11 admin. NOT the German Railway
Deutsche Bahn is the circus and Siemens in this case the clowns.
Clown Siemens, you say?
If the system can’t run perfectly on its own by now… I can teach them how to play the snakes game on it.
Legacy hardware and operating systems are battle tested, having been extensively probed and patched during their heyday. The same can be said for software written for these platforms – they have been refined to the point that they can execute their intended tasks without incident. If it is ain’t broke, don’t fix it. One could also argue that dated platforms are less likely to be targeted by modern cybercriminals. Learning the ins and outs of a legacy system does not make sense when there are so few targets still using them. A hacker would be far better off to master something newer that millions of systems still use.
Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity. Wtf is this drivel?
Simple solution: Don’t connect it to the Internet. Hackers hate this one weird trick.
And said trick ends when an attacker manages to socially-engineer their way in. (But maybe they’ll drop floppies instead of flash drives around the block this time)
You really think that infrastructure IT is dumb unless it can brush off a Stuxnet-like attack by the CIA and Mosad? Most RR traffic signals in the US are run with mechanical logic, physical switches connected to circuits closed by steel wheels on steel tracks. Do you really want a “move fast and break things” tech bro to update all this stuff for us?
All kinds of infrastructure uses ancient software because it’s reliable. Updating it just to protect from hackers causing damage is likely to cause that damage unintentionally while doing little to protect from hackers anyhow.
Every SCADA related cyber attack and incident has entered the chat.
Even if it’s archaic, a lot of these systems aren’t secure which can be done relatively easily and cheaply with things like basic firewalls and stunnel.
Akshually it was recently found that a spy from Holland I think penetrated a chip supply line and installed an infected chip which found it’s way into the centrifuge network
uses ancient software because it’s reliable
HAHAHA!
I just have to laugh at that idea, since I’ve been using computers since the days that those OSes were in common use. Reliable is not what I would call a lot of that old stuff for sure.
The bottom line is that ancient software will likely have ancient security vulnerabilities that would be trivial to exploit and take over or destroy those systems. It’s not good.
They could socially engineer their way in regardless of some machine being MSDOS or not. Basically if they can gain physical access to the device, or convince somebody to do something with the device it hardly matters what it was running since it can still be compromised.
Sure, but how likely is this in this specific scenario. We’re talking about a system that’s not even directly controlling the train but just a display on it. The worst that can happen is that those displays won’t work until the system is reinstalled. That’s hardly a lucrative target for modern hackers. There’s way easier target which are worth something.
I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.
Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.
Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?
All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.
It really depends if these systems (that appear to control arrival boards) are on a network or not. If they’re not, then there is minimal risk to leave them the way they are. Somebody would need physical access to the devices to do harm. If they are on a network then that’s a pretty big deal, but some attacks could be mitigated against by tunnelling and/or additional packet filtering to ensure the integrity of messages.
Continuing on a railway theme you should be FAR more worried all the devices that run up and down the side of railway lines - PLCs that talk with each other and operations centres to control things like lights, junctions, crossings etc. If they’re more than 5 years old then chances are then all that traffic is in the clear, and because these things live in boxes by the railway line, it wouldn’t take much to break into a network and potentially kill people by running two trains into each other.
the job was advertised as being remote…
The job might be remote, doesn’t mean the system is remote. For all you or I know they want somebody to reverse engineer the protocol of this thing, which could be some weird board & driver that hooks into an old PC so they can switch it out for something else.
It’s in the job description, remote access is available via a repurposed laparoscope robot and webcam placed in front of the original terminal keyboard and CRT
I think you are pulling my leg… But if that’s true that’s super cool.
A remote KVM through a portal would be the actual way an air gapped system would be accessed, yeah… Spoofing ps/2 or Din with a teensy would probably be needed to use new hardware for the KVM. Maybe a SFF PC with an analog input capture card…
Well yes. You can code software remotely. That doesn’t mean the end system is reachable through the network. Given it’s DB, I bet these systems are still patched by floppy. Until very recently they’ve used floppy’s to distribute train schedules to be displayed in the train.
Exactly. And these things are on an internal bus network, but they are not connected to the internet.
they can execute their intended tasks without incident
Now if only the Deutsche Bahn could do that too
Lmao they don’t know all the exploits people learn first are the brutally insane and easy stuff that works on outdated machines like heartbleed and eternal blue.
Cybersecurity != Safety Critical
It is when safety-critical systems are the target of a cyberattack.
Doesn’t sound like this system is safety critical. You should be more worried if some hacker can change train signs from stop to go. If you ever ride on a train and see steel boxes by the side of the track, those are control systems and they run up and down the line. They might be locked, or possibly alarmed but that’s about the extent of their protection. A simple attack would be to just take an axe to one, or set fire to it. A more sophisticated attack could snoop on the profinet traffic and do something evil.
What exactly is the issue? Everything mentioned is true.
It even goes further when you consider how newer technology often incorporates more technology, which means a greater attack surface.
Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity.
Oh, the ironing. Sad how you have >100 upvotes.
Not sure how to link a reply on lemmy so I’ll just copy from another comment I wrote here:
I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.
Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.
Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?
All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.
The “ironing” is lost on you in this case.
The author’s grammar
rammarisnt that great as well. Those typos can be should have been catched easily by the spellcheck.Edit: Including me :p
The author’s rammar
Finally caught a *grammar cop doing a typo in the wild. Pure joy.
“catched”
can be should have been
Love typing on the phone :p
Yeah, that’s totally on me.
Yeah, Techspot is pretty trash
Ooh, someone is about to make BANK!
Some retired old fart who can’t be bothered to learn fancy-schmancy Web 2.0. Rock on like it’s '93
Or a middle-aged fart who did learn new stuff but remembers the old stuff too
Web 2.0 was a mistake.
Bring back Pets.com
They’re gonna party like it’s 1989
Celebrating Ceaușescu’s death? /j
Why would someone make a lot of money from this?
Supply and demand. The people that have a lot of experience with those systems are retired or should be retiring soon.
Supply is pretty low. So they can demand higher pay.
DB’s demand is pretty strong. If those systems go down, trains don’t run, and that costs them millions.
It’s cheaper to pay someone a lot of money vs having their systems fail.
Imagine both the annoyance and job security having to manage MS-DOS and 3.1 systems for a railroad would entail.
I would love it so much. I’d feel right at home. I miss sitting in my room and learning everything I could about DOS. That was the best time I ever had with computers.
I once built, setup, and maintained about 20 computers for a Christian school for free just because I loved doing it so much.
I wish I still had that enthusiasm for tech.
Frankly that’s nothing. In the worst case a train won’t start, which for DB really isn’t something unusual. It’s far more disturbing how the whole global financial market sometimes rely on code that’s still written in COBOL.
rely on code that’s still written in COBOL.
Does this really matter? It’s more of a maintenance issue than a functional one.
It all gets compiled down to binary, anyways.
it matters because it is a language that few people learn, so the available talent is scarce, increasing the chance something bad happens. Keeping up with an evolving society is essential for the longevity of a service
the available talent is scarce
I have a friend who is going to take over maintenance for a smaller regional banking system in a few years. It’s mostly COBOL and the systems themselves have not been updated in like 25-30 years. He has been apprenticing under his mother who has been in charge of maintaining the infrastructure there since the late '80s.
Time 2 years top, there will be an AI that converts perfectly COBOL into JavaScript.
Well it matters when it comes to replacing ageing programmers with very few options available. It’s definitely not something taught in schools today, so one has to be very deliberately learn it.
Don’t get me wrong, you can make a lot of money in such a position. But you also have to deal with COBOL.
deleted by creator
Well, DOS is open source now. And that old hardware was quite reliable. Fewer moving parts, I’d expect fewer things to break.
Only MS-DOS 1.25 and 2.0 are open-sourced under MIT license, anything newer is not. These versions were pretty bare-bones, only DOS 2.0 implemented directories for example.
Unless you mean FreeDOS, which is an open-source DOS-based operating system, which generally should work with any DOS programs/games, but it still may not be 100% compatible with some proprietary software.
Yes, meant FreeDOS, and older versions of DOS. Can’t say I had issues with FreeDOS. But then again, it’s not like I use it daily.
As a young person who loves legacy software - sign me up!
We’re maintaining and developing OpenVMS OS, and both we and our customers need Cobol, Fortran, and other half-dead languages coders.
Many large companies maintain their old systems and use them for production or data processing purposes. Sometimes it’s too expensive to migrate off, but im many cases “it just works”deleted by creator
I work primarily in a Long Tail language (languages don’t die, but they have a long tail where usage slowly creeps away). I tell the business that we could ultimately solve all the problems with the platform except for one: finding new programmers to hire for it. That’s what will ultimately force us to migrate. Doesn’t have anything to do with cost or ability to take on new features or handle new ways of doing things.
deleted by creator
I feel this way about mainframes sometimes too, I had a class in mainframes but we weren’t really taught about job options or where they still fit in the industry.
Isn’t pretty much all airport scheduling based off software from the 80s or something?
Edit: Found a video about it.
Probably! APOLLO and SABRE and stuff look ancient.
Why change what isn’t broken, right?
I’ve worked in that area. It was broken back in the 90s and I doubt the crusty old parts of the system have gotten any better. I was tasked with writing a more modern wrapper for part of the legacy system, and when I asked for documentation I was told they had literally nothing to give me.
I was just an intern at the time so maybe someone with more clout could have gotten sometime to dig in a forgotten closet for old technical docs, but it still strikes me as a very bad sign when technical docs for a system every agent uses all day every day aren’t immediately available on the company’s intranet.
That’s the thing though, it is.
Oof.
I know for sure several airports are using OpenVMS, and there are more we don’t know about, as some companies keep running yheir stuff for decades not asking anyone for support.
And I’m sure There are multiple other old systems out there, it’s too hard to replace them.
And they work! Our VMS stuff runs great, it’s fast, and the uptime is measured in decades sometimes. So the problem is hardware: we rolled out the first production x86 version this year, so our users are fine (it’s still an issue of porting your software, but it’s not as terrible as building everything from scratch), but before that OpenVMS could run on Itanium servers at latest, and the platform was dying off since the beginning of 2000s, so it is a problem to find a normal replacement machine now.
And in many cases if it gets replaced it’s for a system that looks fancier but actually has more problems than the original… See Phoenix for the Canadian government employees pay.
You mean I can use my decades of Fortran knowledge somewhere?! If I could get a wfh position in about 3 years, that’d be awesome.
If you actually do have decades of fortran experience, work for NOAA. Their weather models are mostly fortran and they need engineers. Specifically the NOAA EPIC contract that i worked on previously definitely needs people knowledgeable in fortran and was 100% work from home. Feel free to DM me if you want more details.
I’ve seen those postings and some executive is living in dreamland thinking they can hire someone to do that for $25/hr.
My bosses tried to ask me if I knew anyone the could hire for a full time position at a hospital. I ask for more details and eventually they relent because they aren’t having any luck on indeed/craigslist/temp recruiter.
It’s a 24 hour on call position for ‘up to’ $55,000 to be the sole IT staff for a 100 bed hospital in upstate NY.
I literally laughed at them, but they seem to insist they are gonna find someone to take the job.
I actually think the job isn’t even legal as described.
Hahahaha, what a joke.
Sorry, not interested in 24hr on call until they start talking $100k+. That’s asking a lot of someone.
Sounds like they need multiple staff, actually. You can’t do on-call without having a rotation. What happens if Bob gets hit by a bus? This tells me all I need to know about them. Typical SMB “leadership”, they lack any concept of managing systems - be it IT, finance, mechanical, whatever. All systems have their management models.
Fucking delusional pricks.
With those requirements I would expect $500k with 6 weeks paid leave. What a bunch of clowns.
both we and our customers need Cobol, Fortran, and other half-dead languages coders
Visual Basic? (fingers crossed)
Oh, I’m sorry man. I don’t know everything, I’m working there less than a year, but I only heard of VB a couple of times. In order of popularity it’s like: C, C++, Java, then everything else
I was just kidding - I haven’t touched Visual Basic in almost 20 years now. I’m not sure I could still code in it even if I wanted to.
Such things make me angry. LoL
It can be viewed as a success. A bridge or building that only lasts five years wouldn’t be considered successful, especially if it took monumental effort to make it in the first place. For some reason, we don’t value that in software.
I wrote a Classic ASP app in 1999 that placed a web UI atop a mainframe application that dated to the late '70s and allowed easy navigation of really enormous data structures. I learned last year that it’s still in use at that company; amazing not just because my code is still around but because that fucking mainframe code is still running.
Do I get to move to Germany for this?
You might, actually. Provided there is no available EU applicant.
There are probably many people in Japan with this skillset given that they’re only now getting off disks for certain government processes.
There’s lots of people all over the world in their 30s and 40s and older with this experience.
Not particularly, based on my experience. Now, if you want AS/400 people and such…
I used AS400 at a financial company I used to work out. You could almost pretend that you were in Fallout.
The article itself says the listing has been removed :(
AND you get to enjoy the DB Verspätungen all the time! Possibly even cause them!
Better hope those systems are not network enabled
So say we all.
At least it’s not windows 8.
10/10 would install Doom on it.
deleted by creator
Use railroad switches as logic gates and trains as binary information?
Tbh I think people would understand why it had to be done.
Migrating to FreeDOS might be feasible for them.
Remote? Do you connect yourself over telnet or what?
SSH to a KVMoIP or IPMI?
BMC is doubtful, other sources indicate that the hardware is from 1996, so it’s not just old software. So I’ll guess a KVMoIP device is bolted on (probably a relay on the power input, VGA, USB for keyboard and ‘floppy’ (Win3.11 was well before USB, but the hardware from 96 may have USB and the BIOS would likely make it viable for a DOS to use it).
Not gonna lie, part of me wants to relive the SoundBlaster and DOS extenders era and watch stuff with QuickTime. Tinkering with config.sys and autoexec.bat was quite fun back then.
Was it really FUN or is it not just nostalgia? I would not reaaaally want to fiddle with the autostart-crap again. It often took soooo long. Even with those auto-optimizers…
I am so happy not to have to mess with that. LOADHIGH agony.
So do you want EMS or XMS this time? I’m sorry, you had too many TSRs, you can’t run X-Wing now…
Damn, should I load the mouse driver or the CD-ROM driver? If I load both, I can’t run strike commander!
Aye. But then again… The fiddling with windows to make it do what u want and don’t what you don’t, is not much less time wasted. You can just use a mouse now 😂
With dos 5.x I started creating some fancy auroexec menu at boot that switches between several configurations depending if I wanted to run windows, need a lot of xms or a big chunk of Ems (640k was NOT enough for everything).
It was somehow fun.
But at least, if something is not working, it was entirely your fault. Now? It’s probably windows update who fucked up something you desperately need right now.
That’s a good point, yes. At least we knew what fucked up. Today you can’t. It’s too much and too complex. And nearly nothing is under your direct control anymore. Only android or ios are doing it worse and take all of your controls away.
just nostalgia
Surely mostly nostalgia. But I do remember feeling a sense of accomplishment whenever I managed to run a game and get the sound working 😅
Thats the reason, why they have Problems to find drivers (If you know, what i mean) 😜
Why use MS-DOS? Why don’t we just re-write it in Rust?
Edit: I should have mentioned /s in my comment. It’s never a good idea to rewrite a mission-critical software.
The fact they’re still running on dos is a clue that either they can’t figure out how to upgrade or they don’t want to upgrade or they simply won’t allocate the budget to upgrade.
It generally boils down to money. Shops like that are toxic. They somehow don’t have the budget to keep their business afloat, means you’re not getting a raise.
If you take this job, you’re obsolete. Getting the next job will be tough. You’re interview at the next potential role what did you do at your current role? I ran dos on 30 year old machines. Interviewer: I’m sorry, but we need someone with experience in Windows ME.
If you take this job, you’re obsolete. Getting the next job will be tough.
There is a meme that COBOL programmers still make bank to this day because no one learns COBOL and old enterprise systems run on COBOL. How much of this is true?
We should just re-implement DOS in Rust and call it RS-DOS.
DROS (DISC and Rust based Operating System)
You think the existing system is documented?
It’s going to be a mess of things written in 6 different languages, magic numbers all over the place. Unit tests? Predates all that. Even if you tried, the first you’ll know about an error is when you turn the news on and there’s two trains upside down and on fire.
It is definitely the exact opposite of this. Even though I understand why you would think this.
The thing with systems like these is they are mission critical, which is usually defined as failure = loss of life or significant monetary loss (like, tens of millions of dollars).
Mission critical software is not unit tested at all. It is proven. What you do is you take the code line by line, and you prove what each line does, how it does it, and you document each possible outcome.
Mission critical software is ridiculously expensive to develop for this exact reason. And upgrading to deploy on different systems means you’ll be running things in a new environment, which introduces a ton of unknown factors. What happens, on a line by line basis, when you run this code on a faster processor? Does this chip process the commands in a slightly different order because they use a slightly different algorithm? You don’t know until you take the new hardware, the new software, and the code, then go through the lengthy process of proving it again, until you can document that you’ve proven that this will not result in any unusual train behavior.
Because they like their OS to be Dirty
I know a guy fitted for the job. He’s well versed in MS-DOS, Win 3.1, 3.11 etc. Hell, he’s even fluent in German, but he’s due a hip and knee replacement this month…
That’s all I’m gonna say.
Good luck with the robot joints!
