• voodooattack@lemmy.world
    link
    fedilink
    English
    arrow-up
    148
    arrow-down
    20
    ·
    11 months ago

    Legacy hardware and operating systems are battle tested, having been extensively probed and patched during their heyday. The same can be said for software written for these platforms – they have been refined to the point that they can execute their intended tasks without incident. If it is ain’t broke, don’t fix it. One could also argue that dated platforms are less likely to be targeted by modern cybercriminals. Learning the ins and outs of a legacy system does not make sense when there are so few targets still using them. A hacker would be far better off to master something newer that millions of systems still use.

    Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity. Wtf is this drivel?

    • ooterness@lemmy.world
      link
      fedilink
      English
      arrow-up
      85
      ·
      11 months ago

      Simple solution: Don’t connect it to the Internet. Hackers hate this one weird trick.

      • voodooattack@lemmy.world
        link
        fedilink
        English
        arrow-up
        48
        arrow-down
        6
        ·
        11 months ago

        And said trick ends when an attacker manages to socially-engineer their way in. (But maybe they’ll drop floppies instead of flash drives around the block this time)

        • yesman@lemmy.world
          link
          fedilink
          English
          arrow-up
          37
          arrow-down
          3
          ·
          11 months ago

          You really think that infrastructure IT is dumb unless it can brush off a Stuxnet-like attack by the CIA and Mosad? Most RR traffic signals in the US are run with mechanical logic, physical switches connected to circuits closed by steel wheels on steel tracks. Do you really want a “move fast and break things” tech bro to update all this stuff for us?

          All kinds of infrastructure uses ancient software because it’s reliable. Updating it just to protect from hackers causing damage is likely to cause that damage unintentionally while doing little to protect from hackers anyhow.

          • Linkerbaan@lemmy.world
            link
            fedilink
            English
            arrow-up
            9
            ·
            11 months ago

            It must be updated sometime or risk being archaic and unmanageable. Chances are high they are paying insane amounts for those legacy mechanical switches you mention.

            The actual logic is usually very well portable to a more modern ecosystem.

            • nilloc@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              3
              ·
              11 months ago

              Or these companies could pay to train (no pun intended) technicians to learn the systems they’d like to maintain. No matter how old they are.

              Until entropy comes for the actual hardware (assuming they won’t invest in remanufacture or production of replacements). Re-engineering a successfully working system is more costly and might result in worse outcomes, especially in the near term.

              • Linkerbaan@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                11 months ago

                Often these system rely on old components which are just not made anymore.

                People don’t design every switch, computer and chip themselves. They buy whatever mainstream stuff is available at the time and combine it into a system

                If you want to resupply those old parts you literally need to search Ebay to buy some weird outdated 2nd hand MSDOS PC to put in your “awesome reliable railway system”.

                Upgrading at every new whim is of course bad, but once your system reaches legacy age it’s often necessary to fully overhaul and modernize it for the next ~15-20 years.

          • mlg@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            11 months ago

            Every SCADA related cyber attack and incident has entered the chat.

            Even if it’s archaic, a lot of these systems aren’t secure which can be done relatively easily and cheaply with things like basic firewalls and stunnel.

          • AMDIsOurLord@lemmy.ml
            link
            fedilink
            English
            arrow-up
            3
            ·
            11 months ago

            Akshually it was recently found that a spy from Holland I think penetrated a chip supply line and installed an infected chip which found it’s way into the centrifuge network

          • RaoulDook@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            11 months ago

            uses ancient software because it’s reliable

            HAHAHA!

            I just have to laugh at that idea, since I’ve been using computers since the days that those OSes were in common use. Reliable is not what I would call a lot of that old stuff for sure.

            The bottom line is that ancient software will likely have ancient security vulnerabilities that would be trivial to exploit and take over or destroy those systems. It’s not good.

        • arc@lemm.ee
          link
          fedilink
          English
          arrow-up
          9
          ·
          11 months ago

          They could socially engineer their way in regardless of some machine being MSDOS or not. Basically if they can gain physical access to the device, or convince somebody to do something with the device it hardly matters what it was running since it can still be compromised.

        • Syndic@feddit.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          11 months ago

          Sure, but how likely is this in this specific scenario. We’re talking about a system that’s not even directly controlling the train but just a display on it. The worst that can happen is that those displays won’t work until the system is reinstalled. That’s hardly a lucrative target for modern hackers. There’s way easier target which are worth something.

          • voodooattack@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            11 months ago

            I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.

            Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.

            Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?

            All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.

    • arc@lemm.ee
      link
      fedilink
      English
      arrow-up
      31
      arrow-down
      1
      ·
      11 months ago

      It really depends if these systems (that appear to control arrival boards) are on a network or not. If they’re not, then there is minimal risk to leave them the way they are. Somebody would need physical access to the devices to do harm. If they are on a network then that’s a pretty big deal, but some attacks could be mitigated against by tunnelling and/or additional packet filtering to ensure the integrity of messages.

      Continuing on a railway theme you should be FAR more worried all the devices that run up and down the side of railway lines - PLCs that talk with each other and operations centres to control things like lights, junctions, crossings etc. If they’re more than 5 years old then chances are then all that traffic is in the clear, and because these things live in boxes by the railway line, it wouldn’t take much to break into a network and potentially kill people by running two trains into each other.

        • arc@lemm.ee
          link
          fedilink
          English
          arrow-up
          11
          ·
          11 months ago

          The job might be remote, doesn’t mean the system is remote. For all you or I know they want somebody to reverse engineer the protocol of this thing, which could be some weird board & driver that hooks into an old PC so they can switch it out for something else.

          • bane_killgrind@lemmy.ml
            link
            fedilink
            English
            arrow-up
            14
            ·
            11 months ago

            It’s in the job description, remote access is available via a repurposed laparoscope robot and webcam placed in front of the original terminal keyboard and CRT

            • XTornado@lemmy.ml
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              1
              ·
              edit-2
              11 months ago

              I think you are pulling my leg… But if that’s true that’s super cool.

              • bane_killgrind@lemmy.ml
                link
                fedilink
                English
                arrow-up
                1
                ·
                11 months ago

                A remote KVM through a portal would be the actual way an air gapped system would be accessed, yeah… Spoofing ps/2 or Din with a teensy would probably be needed to use new hardware for the KVM. Maybe a SFF PC with an analog input capture card…

        • Syndic@feddit.de
          link
          fedilink
          English
          arrow-up
          5
          ·
          11 months ago

          Well yes. You can code software remotely. That doesn’t mean the end system is reachable through the network. Given it’s DB, I bet these systems are still patched by floppy. Until very recently they’ve used floppy’s to distribute train schedules to be displayed in the train.

      • nexusband@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        11 months ago

        Exactly. And these things are on an internal bus network, but they are not connected to the internet.

    • mlg@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      11 months ago

      Lmao they don’t know all the exploits people learn first are the brutally insane and easy stuff that works on outdated machines like heartbleed and eternal blue.

    • maness300@lemmy.world
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      9
      ·
      11 months ago

      What exactly is the issue? Everything mentioned is true.

      It even goes further when you consider how newer technology often incorporates more technology, which means a greater attack surface.

      Tell me you know nothing about cybersecurity without telling me you know nothing about cybersecurity.

      Oh, the ironing. Sad how you have >100 upvotes.

      • voodooattack@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        12
        ·
        edit-2
        11 months ago

        Not sure how to link a reply on lemmy so I’ll just copy from another comment I wrote here:

        I’m not talking about this specific instance, just that block of misinformation/generalisation. Saying that legacy systems are well-secured because they’re “battle tested” is sheer ignorance.

        Take side-channel attacks for example. A timing attack is something programmers from the 60’s and 70’s would not have taken into account when writing their hashing algorithms. And speaking of hashing, what hashing algorithms were available back then? CRC32 or something similar? What about salting? You get the idea.

        Not to mention that legacy operating systems don’t get security updates. Let’s assume that DOS is secure (which it definitely isn’t), but if that statement were correct, would it apply to Windows XP as well?

        All I’m saying is that the article is dead wrong. As software developers in this century, we’ve come a long way. We’ve developed security best practices, written libraries and frameworks, and come up with mitigations for a lot of these security vulnerabilities. These solutions are something that closed-source legacy systems (and anything without active maintenance) would never benefit from.

        The “ironing” is lost on you in this case.

        • arc@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          11 months ago

          Doesn’t sound like this system is safety critical. You should be more worried if some hacker can change train signs from stop to go. If you ever ride on a train and see steel boxes by the side of the track, those are control systems and they run up and down the line. They might be locked, or possibly alarmed but that’s about the extent of their protection. A simple attack would be to just take an axe to one, or set fire to it. A more sophisticated attack could snoop on the profinet traffic and do something evil.

    • Appoxo@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      10
      ·
      edit-2
      11 months ago

      The author’s grammar rammar isnt that great as well. Those typos can be should have been catched easily by the spellcheck.

      Edit: Including me :p