Newag [train maker] claims that the Dragon Sector [whitehat hacker] team endangered passengers’ safety by modifying the software without proper experience. But Newag then turns right around and claims that Dragon Sector did not modify the software at all. They point out that EU law only allows reverse engineering of software in order to fix bugs. And if Dragon Sector did not actually modify the software, it cannot have fixed any bugs, in which case their reverse-engineering must be illegal.
So if they just say they were gonna get to the bug fixing part but haven’t yet they’re in the clear. Boom, another decisive victory for the Dragon Sector.
Train company response: it’s a feature, not a bug, so you’re still guilty
Do they… not know what reverse engineering means?
It’s worse. They are saying that the EU copyright law, as written, only allows decompiling/reverse engineering to “fix bugs”. A bug fix would involve a software patch of some sort. But the security researchers did not have time to write a patch yet; what they did is tell the customer “Yep, it’s fucked. Your vendor put in a killswitch to make the trains brick themselves.” So that does tell them where the problem is, but it is not a bona fide bug fix from the Bugfix region of France, and therefore illegal.
> But the security researchers did not have time to write a patch yet
This is not true. They never intended, and said they would never try, to make any modifications to the train software, because it would be very illegal: you can’t make modifications to the trains without the train having to go through recertification again, and they have no credentials to be making any modifications to trains.
They only analysed a copy of the software, and found secret undocumented unlock codes that could just be typed in at the cabin without having to modify anything.
Ah so it’s just sparkling engineering