I just donated 133,7€ and will gladly do it again if further legal costs arise. Please consider also making a generous donation and post about it in this thread.
What Newag is doing here is absolutely vile. They want to charge 20.000€ per train to “reactivate” them after they have been serviced at third party workshops. We must not let them win and set a precedent.
According to the schedule [1], there's a presentation from that team titled "We've not been trained for this: life after the Newag DRM disclosure" that will start at 23:00 local time (in about 30 minutes at the time of this writing) on this livestream [2].
The Luigi-related reference of the talk at 37:03 of the livestream, "Delay, Deflect, Derail" (referring to the response by the Newag train manufacturer representatives, including the president and vice-president of the company, at the parliamentary committee meetings) got a round of applause from the audience.
The "...Derail" portion of the slogan references Newag's handout shown a few seconds earlier in the presentation.
Thank you! I have to say that my favorite in their latest update is that the 60 day counter can be reset after closing the cabin door and hitting the SOS in the toilet. Now I want an interview with the engineers sharing these product requirements...
... so a version of the train unlock logic looks at door status and WC emergency button?
You do NOT fuck with the safety system.
Sure, it's not the mission critical safety system and you're only reading it, so what's the harm? Well, one of these days someone doing that is going to typo == into a =, or whatever the PLC version of one-character oopsie is.
Precedent isn't as big a concern as many might think, most of Europe does not operate under a precedent-based justice system: it doesn't matter what were the previous decisions of courts on similar cases, the law is the only thing that matters.
Can you elaborate? I'm not a lawyer, but my understanding of the value of precedent is to have courts rule on matters in a manner that is consistent with past rulings. Are you suggesting that courts can interpret the law completely differently from how past courts have ruled? Do you feel like that makes court decisions unpredictable?
To be clear, the law changes over time, so newer laws have less precedence, and I expect courts to respect new laws even though no courts have made a ruling based on such a law before.
When electric scooters were reclassified as «small electric vehicles» they suddenly came under the same drunk driving laws as motorbikes and cars. So the lower courts ruled a bunch of drunk driving of electric scooters as severely as they would drunk driving of a 2000 kg car that can go 200 km/h. Essentially they just followed the precedent of previous rulings on drunk driving without taking into consideration the intent of the law. People got huge fines and lost their car licenses for several months on the assumption that if they were careless enough to drink and drive an electric scooter they would be just as likely to drink and drive their car.
Eventually a case went all the way to the Supreme Court where they actually thought it through and decided that there wasn’t any reason to assume that a person would drink and drive a car just because they did so with an electric scooter.
We need to fight for the Right to Repair to be in legislation for ALL products! If we buy a product, we should have full access to all software and have the ability to fix it!
I don't suppose they have any other published, easier methods?
I spent almost an hour trying to jump through the fiery, spinning hoops being dangled by my bank website only to finally at the end be given an "It looks like this part of our site isn't working. Please try again later."
Thank you, bank /s
For anyone else wanting to try their hand and weather the gauntlet, I found slightly more detail of their published bank acct info at: https://www.ccc.de/en/membership
I'd love all participants in this thread to provide their countries.
As a Belgian (EU), I love how I can pay them just by sending them money, without all these weird intermediate companies stealing your personal details and sometimes even your money.
To answer some contras:
In my experience, the process takes about 10 seconds before the payment confirmation appears in the destination bank. Outside business hours and for some bank combinations, the actual money might be in a reservation/underway/unspendable state until the next business day starts. You can not cancel the transfer once it's gone, so most businesses don't care about that delay.
Typing the IBAN is a tiny bit annoying. I see QR codes appearing, containing bic+iban+amount+message to autofill. You pay by scanning the QR code and pressing OK.
AFAIK bic+iban+amount+message is all you need to pay from anywhere in the world. The BIC can be derived from the IBAN if you have the right and up to date database, but outside the EU it is smart to know it, just to be sure.
Sometimes, reading HN, I wonder if I should write a loooong blog post about how Belgium does its money transfers (iban) and buys bread (Bancontact). I suspect most of the EU will answer: duh, boring! Meanwhile, the average USAian brain goes poof.
> If you're trying to send from America, it's still the normal way to send a payment to Europe
It’s not; SWIFT is, and that requires additional information not shown there (although some of it is encoded in the IBAN if you know how to decode it).
SWIFT is not a payment system. It’s only a messaging system. It’s generally used to send initiating orders between financial institutions but they then have to be cleared or directly settled through something else.
IBAN isn't a payment system either, but I'm talking about the end user experience: insert account number, insert amount, click send. Sometimes you also need the SWIFT code which specifies the receiving bank.
I have to contradict this, as an American. Don’t attempt to send from your bank as it is likely to be difficult and complicated and involve huge fees. Use Wise instead.
It literally doesn't. And why would Europeans use venmo? That type of app arose in the USA specifically, to work around not having a convenient way to send money from one bank account to another - much like bulletproof school backpacks, it solves a uniquely American problem.
As an Australian we have payid to transfer free and instantly between banks instead of needing a 3rd party app but I think he's right that if you are relying on IBAN and needing to do an individual bank transfer then it's not ideal.
It should be as easy as possible to donate, imo it would be better even setting up a basic kofi or buy me a coffee account, or I see the Ukrainians using paypal all the time.
It should be a 3 click payment not a bank transfer requiring copying and pasting IBAN numbers and bank account numbers etc
To poke fun at the Germans at least they are not requesting we fax a copy of the money in :P
> As an Australian we have payid to transfer free and instantly between banks
That... is what SEPA is, but built into the european banking system directly.
> I think he's right that if you are relying on IBAN and needing to do an individual bank transfer then it's not ideal.
It's not ideal that you can do a simple transfer by inputting the recipient's IBAN and an amount and be done with literally no third party involved? What?
> imo it would be better even setting up a basic kofi or buy me a coffee account, or I see the Ukrainians using paypal all the time.
You think it's easier to require setting up a third party account, adding your card to it, getting the card authorised, and doing the payment that way, with fees.
Than putting 20 digits in your own bank's application and pressing "send"?
> It should be a 3 click payment not a bank transfer requiring copying and pasting IBAN numbers and bank account numbers etc
It's a SEPA transfer, it's super common and nothing very complicated. There is no bank account number involved: the BIC is the bank's own identifier, and while it was commonly required 10 years ago it's been optional for a long time, my bank's application doesn't even have a field for that anymore.
> You think it's easier to require setting up a third party account, adding your card to it, getting the card authorised, and doing the payment that way, with fees.
- You don't have to setup an account
- You don't have to get the card authorised (I don't know what this means)
- Adding your card numbers in takes me 10 seconds, in the case of Paypal, it's already there so no time
- Fees are minimal, not even worth wondering about
In terms of donation, entering in the amount to donate and clicking submit is yes, easier than going into my bank's website, bringing up the international transfer, and it's asking me for SMS confirmation that I want to do this, and I can't be bothered going further.
edit: I think maybe we are fighting the wrong battle.
You think IBAN is super easy, and maybe in Europe it is.
I'm not in Europe though and neither is the other chap, so maybe the donations are very easy in Europe but not so much out of it.
I've never done an IBAN payment in my life but I've donated thousands and thousands of dollars to loads of places all over the world without issue for years including Ukraine, this is the first time I've seen a place only accepting an IBAN donation, which feels like a friction that is not there for other places.
You're donating to a European place. For Ukraine they let you send money directly to the US account of the entire country of Ukraine (an account held at JPMorgan Chase by the way!! That's right, having the world's reserve currency allows American private entities to fractional-reserve entire countries) and earmark it a certain way, and the National Bank of Ukraine would figure it out. That's a highly unusual way to do things. If you want to send a payment to a specific person inside Ukraine, normally you would give their Ukrainian account number to your bank and let your bank figure it out, just like you are doing here.
This feels like an "American discovering the outside world for the first time and discovering that American systems aren't very good" moment.
> You think it's easier to require setting up a third party account, adding your card to it, getting the card authorised, and doing the payment that way, with fees.
> Than putting 20 digits in your own bank's application and pressing "send"?
Posting from U.S. (and admittedly a very U.S.-centric response), but in the case of Venmo/Paypal/buymeacoffee/Patreon/gofundme, yes.
I spent another half-hour trying to go the route of Wise suggested by a sibling comment but got stuck in the KYC hurdles. I already sent them my I.D. several times, but the selfie-verification flow won't complete for me, and I'm drawing the line at choosing not to install their app. (And well, I bit the bullet and installed the app. It refuses to take a clear selfie, no matter how clear the preview is /shrug)
Yes if you're trying to use SEPA from the US I can see that, no issue there.
But from the perspective of a very euro/german centric CCC[0], SEPA is really not complicated, and almost certainly free (I understand that a few banks still charge for those but most don't, possibly to a limit). So that's likely a blind spot of theirs: SEPA is probably the cheapest and most straightforward method for 95% of their donations or more.
Even more so as this is the central organisation, but the CCC is mostly a network of local clubs[1], so revenue to the national CCC is I assume almost entirely from the clubs shunting some of their income up.
[0] if you check their front page, 1/2 to 2/3 the posts are in german, so are several of the pages
You're trying to send money internationally. It sounds like your bank doesn't want you to send money internationally. This is your problem with your bank.
I don't see why you'd need Wise for a one-off payment. Just go to the international transfer page at your bank and enter the details? Do they not have one?
I believe this is par for the course for US banking and why so many alternate payment systems exist. And in all fairness, it does very much remind me of European banking 15-20 years ago, before the spread of smartphones and banks getting on with the program and making SEPA (and later EPC) a baseline feature, undoubtedly prodded on by member states.
And I can understand having to translate from SEPA to SWIFT and then needing to deal with that to be less than ideal. When I had to send money to a friend outside the EU I had to go through the bank's website (not available at all from the mobile application) and to register & wait for validation of their account as beneficiary (24h delay IIRC).
At the same bank, SEPA transfers is a button on the home screen of the mobile application, and doesn't require any setup, just input the IBAN or scan the EPC and go (and god would I like more businesses to accept SEPA / use EPC instead of requiring inputting my credit card every time or going through third party payment providers)
The most popular way to transfer money between friends in Poland is a BLIK-to-phone-number transfer. Those transfers are done from the banking app. I don’t need to know someone’s account number, I just need their phone number. BLIK transfers are instant, unlike regular bank transfers, which may take up to 1 business day (specifically, they are done via batch processing 3 times in a business day), and they are always free, unlike instant bank transfers (though that depends on your bank/account type).
What I meant is that in BLIK, phone number gets resolved to a bank account number and a regular (express) transfer gets made, which can be seen in your account history.
This is a registered European association using fee-less European payment standards to fund a lawsuit entirely in Europe involving only European parties.
Do you see the rest of the world complaining when no-one can send free uncomplicated transfers to fund a U.S. non-profit because the U.S.A. prefers to run a draconian consumer banking system?
The sheer American arrogance in this comment thread gives me an aneurysm. Fix your banking system, ours works.
i am doing little more than lamenting the hurdles placed in front of me that i couldn't figure out how to overcome (albeit with a dash of frustrated snark), after having spent north of three hours of my time today. i am not rich, nor well off by many reasonable measures. i rent a small room in a small town, hardly making ends meet, but i simply wanted to donate a couple bucks toward a cause i believe in, out of principle, as i'm not usually a donating type (see bit about renting a small room and barely making ends meet).
i wanted to leave some breadcrumbs for anyone else in a similar situation (that is, trying to donate from U.S., not the bit about wealth) trying to figure out how to make it work, because i sure expended some effort digging it up.
this specific discussion thread is a call to donate and to write here in solidarity in having done so. i may not have successfully donated cold, hard cash, but i'll dare say my pledge of most of my afternoon trying to move mountains in order to send some scratch their way fits in here. it may have barely registered as a drop in the bucket had i been successful, but i believe this is what the thread is about.
Hey, thank you for trying to donate and sorry it was more difficult than it should be. I think even writing about the effort that you put into it helps. <3
> This is a registered European association using fee-less European payment standards to fund a lawsuit entirely in Europe involving only European parties
Okay, but surely you can appreciate that making it easier for Europeans and non-Europeans to contribute to this cause would achieve the goal of the donation campaign more efficiently?
My personal opinion is that it would be very much worth it to accept payments via PayPal, Stripe, or other global electronic payment methods[^1]. And show how much money has been received to date.
I would rant about being content with “it works for us, people will donate if they really want to” but I’ve already done that too many times this year.
^1: yes there are some fees associated with this. But it’s also more convenient and probably more people would donate. But for some people the convenience argument does not compute.
Stripe is not free and neither is PayPal. Assume at least 5 to 10% gets lost on the way and for smaller transactions it is more. For small non profits SEPA is the way to go.
This German association funds a lawsuit entirely in Poland involving only Polish parties. And sadly, we don’t use the Euro, but rather have our own trash currency, so at least a currency conversion will be involved.
SEPA transfers are generally as easy as it gets - a free direct transfer straight from your bank, avoiding unnecessary intermediaries. You paste the number, confirm and it's done. Sounds like you need to complain to your particular bank for its subpar service.
I guess you can use something like https://wise.com to make the IBAN transfer locally, and pay them using a more convenient payment method for you, like ACH, PayPal, Credit Card, etc
If you are American the easiest way to send money to a European bank account is Wise. If you’re European you should be able to do it through your bank.
> Not an option for businesses that need equipment.
On the flip side, it can often be the only option for businesses that need equipment. The US has a longstanding trend of hacking John Deere tractors to accept third-party servicing since John Deere's first-party offerings are both expensive and often unavailable.
This isn't a software issue. This is a hackers-found-out-they-were-cheating-and-deactivated-their-train-DRM-and-now-these-hackers-are-getting-sued-issue.
And getting sued by a train manufacturer is typically an asymmetrical battle for a private person. Consider watching the original talk (very entertaining and insightful, probably one of the best hacking related videos I watched in 2024), and if you like them toss them a tenner or so.
Rather than Cheating, don't you mean tortious interference, followed by vexatious litigation?
When you intentionally design systems with purpose to delay, but overall sabotage, you show malice and you defraud the purchaser (after-the-fact), you also interfere with their business with third-parties, and impose coercive costs that have never been acceptable.
Coercion is generally not accepted by any civilized society that still follows its original founding principles, and coercion and corruption tend to go hand-in-hand.
I remember they said in the last talk last year that there is a "cheat code" that resets the software locks, but almost every train also had slightly different software to obfuscate that they are sabotaging their competition.
Looks like train manufacturers are taking a page out of the playbooks of many other companies today. The practice of manufacturers remotely disabling products after the time of purchase (for whatever reason) is becoming a scourge in many other product areas. The device's manufacturer should have no say about how a product is used once money is handed over in exchange for it. This really has to stop. Regulatory agencies around the world are asleep to this problem.
If you want to have a say in how software works, then you have to control how companies run.
If Technical folk are not on the Boards or have controlling share in an org, or don't know how to get into such positions then they have very little to no say in how anything works.
There are countless examples where technical people object and get replaced, sidelined or fired, cuz they are totally unprepared in how to win such age old political and financial fights. If Oppenheimer, Engelbart and the Google brainiacs who protested recently got pushed aside, then it's beyond obvious how the story will end for anyone else.
The lesson from history for anyone serious about this stuff is - develop business+finance acumen, or develop alliances with business+finance power.
You speak like working at a company exists in a vacuum. It doesn't. You are (generally, in Western society) free to stop working for that company. If everyone refuses to write the code, then the company won't have that code. Easier said than done, of course, because life has many pressures. But I dislike this "oh can't do anything about it individually, let's give up and double down on unethical behaviour" attitude (meanwhile we are conveniently paid a high salary for it). We always have a choice.
You don't have to either blame one set of people or another. You could put the blame in the right place instead, the design of the system which all but dictates the individual's choices.
I am physically there at C3 right now and one of the prevalent themes this year is "being nice didn't work". You can see it in this year's tagline: "illegal instructions"
Yea, every time I read one of these articles, I can’t help but think: “A software engineer sat down and wrote this remote kill switch." We, as a profession are responsible for this shit, or at the very least, complicit. Regulation is one thing, but also, software engineering as a profession is in dire need of ethical standards. Just because we can code something doesn’t mean we should.
I remember one of Asimov's stories involved a human defeating the Laws of Robotics by distributing work among multiple robots with imperfect information. I wonder if something analogous doesn't happen with software engineers nowadays.
When it comes to something like a "remote kill switch" for software, it's hard to imagine any alternate beneficial use. But generally I assign the blame to the users of software who put it to a malicious use, not to authors.
There was an anecdote shared on HN of someone claiming to be ethically employed by the military to develop a system for planes to automatically land on unmarked runways without engine power.
They didn't tell her the planes were elongated spherical and filled with powerful explosives and the runways weren't flat - at least not before the plane landed on them.
>When it comes to something like a "remote kill switch" for software, it's hard to imagine any alternate beneficial use.
The obvious alternate beneficial use is the ability to immediately disable the hardware in case a serious safety issue (the kind that triggers product recall) is discovered.
One of the great and terrible things about the software industry is that there's no certifying body, no professional ethics code to sign and adhere to, no government regulation around how you can sell your services.
This is one of the best parts: many software people have gotten in through circuitous routes, have no formal training, and have done great things despite that.
On the other hand, because of that, we don't have any consensus and ability to shun or dispossess companies that act unethically.
Quite frankly, I don't think any board of ethics would step in here. I don't see anything in the IEEE code of ethics that would be clear here. I don't think that professional licensing or better professional organizations are the way to stop this behavior.
I think disabling the firmware in circumstances that are clearly defined but not disclosed to the customer is very much outside existing IEEE ethical rules.
And making a Professional Engineer sign on to the software release before the release would be a good way to prevent shit like this.
To have what you're asking for requires transparency.
It wasn't just a faceless and nameless software engineer it was a real human being with a name.
Until it is mandated that public infrastructure is developed in the open so we know precisely who attempts to add features to render a product defective by design we will not be able to fix this.
In this case, probably? I'm not a fan of excessive regulation, for this particular problem, I don't see how it could be solved without some kind of "right to repair" law, or at least a "right to be thoroughly informed about repairability before buying" law. Even if copyright was scaled back to 20 years and explicit registration, that still would be long enough to screw customers. In fact, even if copyright didn't exist, the problem would still exist for devices that are hard to reverse-engineer.
If businesses are unable to regulate themselves, it must be done by law.
If copyright is the root of the problem, it may be time to remove that protection; or at least revert it so it is more in-line with patent law expiration.
No more author's life + 75. Let's try 15-20 once again, and no derivative protection, unless significantly different, receive protection.
Also, different terms for different works. Having the same rules for software, drugs, books, paintings etc. is ridiculous.
Software should require disclosure of details of what is protected (e.g. the source) so it can be publicly used post expiry - just as patents give you a monopoly only on what is disclosed in the patent.
I'd add that functionally dependent software that is used for the item's primary purpose, or its features, should also receive little to no protection, and be disclosed up-front.
It's not wholly a good or bad thing. It's a complex thing, with large secondary effects that people habitually overlook.
One typical effect of increasing any kind of regulation is that large incumbents tend to benefit disproportionately compared to small operators and newcomers, for several reasons: (1) larger operations can amortise compliance costs more easily; (2) larger operations legitimately contain people with useful expertise in helping government decide the shape of the regulations (and will propose kinds of regulation that correspond as far as possible to their own existing practices, and to practices that competitors would find costly to implement); (3) larger operations have the wherewithal to lobby for regulations that are to their benefit and to competitors' detriment, irrespective of how good those regulations are for other stakeholders. (2) and (3) together lead towards regulatory capture, at which point the regulations are almost purely a drain on all other participants with no upside.
intellectual property law is regulation. regulators always get bought out because regulators career advance to the companies they worked with. remove intellectual property and the market fixes the problem.
It is, and as much as we all want to pretend this is always about rent seeking.
There can be other reasons.
Some systems are bought in manners that include service contracts and puts liability on manufacturers. In such scenarios one man's kill switch could be a safety feature.
You don't want unauthorized personnel messing about a medical x-ray device. Because (a) you want it to work, (b) there might be 10k+ volts sitting in giant capacitors.
I'm guessing it's similar with airplanes.
---
In complex enterprise systems, right to repair might not always be simple.
But if it comes to your home appliances, a tractor, car, etc. I'd be a lot less worried.
This is simply solved through liability. If someone can provide the service and liability guarantees for less than the manufacturer then you hire them.
John Deere is proof that the manufacturer alone can't be trusted because they can't provide timely service in a time-critical industry.
Such liability issues are usually solved with a warning label. "Warning: 10000 volts. No user-serviceable parts inside." If the customer chooses to unscrew the cover and carelessly electrocute themselves, that's on them. It's much cheaper, too, than making the train brick itself if it's detected in specific geographical areas.
What we want is results. Whatever mechanism is most efficient at producing those results should be used.
> Copyright is the root of the problem.
If you sell me a device that relies on copyrighted software for operation then you must also grant me a limited non-transferable license tied to that specific device to modify that software however I please. Perhaps DMCA's anti-tampering provisions are really the issue here.
The bottomless pits of greed that opened up in the software industry with subscription models are also attracting hardware manufacturers. Effectively, you don't buy their stuff any more, you only rent it. If “the market” accepts this BS, regulatory agencies will do nothing.
Newag is also after the Chairwoman of the Parliamentary Team for Combating Transport Exclusion, MP Paulina Matysiak and filed for revoking her immunity. She's been looking into the matter since the news broke last year.
That rule is essentially about "what will get you in trouble politically". But today you have a fair number of large and monopolistic operations that just ignore such effects - the press is underfunded and corrupt and politicians are simply corrupt (in a broad sense).
Presumably that rule isn’t profitable to follow, and so the prime directive (maximize money in any legal or quasi legal way possible) takes precedence.
Aha, thanks for the explanation. Bit tedious to do manually, but helpful. Perhaps one day I'll sit down and attempt to make a greasemonkey script for that.
Can someone please summarize (for those of us who don't know the full story) why the government(s) that bought these trojaned trains isn't ripping the train vendor a new orifice, and pinning medals on the hackers who exposed this?
This is almost universal. If manufacturers are not already doing this they are planning it.
There is a lot of anxiety around the business model because a lot of the world is advancing and manufacturers are popping up everywhere with cheaper machines on offer. The moats are disappearing and durable goods manufacturers are clamoring for the next wave in the business model: subscription services for maintenance and support.
Ford has a connected fleet service offering that is picking up steam and could prove very lucrative in the commercial vehicle space.
A lot of this is rooted in an eroding labor pool that is lacking in bodies, training and experience.
This train fiasco is definitely bordering on criminal but it isn't far off from the wave of "progress" that is taking place.
Sadly, I suspect discoveries like this will only cause other companies to learn from it --- by making it even more difficult to discover their "plausible-deniability" tricks, and hiding them under the guise of "security". Big Tech has been playing that game for a while:
Newag is acting like the mafia here: "Wouldn't it be a shame if your trains stopped working..?"
Not that I want to tell the Polish how to do things (I don't), but a satisfying outcome would be one where they found out precisely who gave the order to program Newag trains like that and then jail them. Add to their jailtime for each train that is found running the software and force Newag to do free maintenance on those trains.
If Poland wants to show a hard stance on how to deal with people trying to fuck over the public to earn money that's as good as it's gonna get. If Poland wants to tell everybody that fucking the Polish public pays off even if there is overwhelming evidence that you did it — ok.
Newag is clearly acting with malice and sabotage in mind (as well as extortion), and when it comes to trains and railways this is not just a business matter, it becomes a strategic national security issue.
"Wouldn't it be a shame if the trains filled with perishable foodstuffs stopped working en route..., and the harvests rot"
Do you know of any country where food security doesn't impact the government's ability to keep order?
If any non-service operator, did this, like a third-party, they would reasonably be considered a terrorist organization, and the members of such a cohort should be treated as such.
Even if the claim is made it's only for small specific things which you had to agree to, it's an inserted vulnerability into the supply chain that is both non-essential for regular function, which has been designed to be essential.
At a bare minimum, they pave the way for such groups even if they don't act on it themselves.
> It was also revealed that the Polish Internal Security Agency (ABW) had, in October 2022, submitted a case against Newag regarding the abovementioned software manipulation incidents to the prosecutor's office in Nowy Sącz, which initially downplayed the incident until said findings publicly came to light, after which, the investigation was taken over by the regional prosecutor's office in Kraków on suspicion of crimes committed under Article 269 §1 and Article 286 §1 of the Polish Penal Code.
> The Sejm's [Sejm is "the lower house of the bicameral parliament of Poland"] Parliamentary Committee for Combating Transport Exclusion subsequently convened three hearings regarding the abovementioned allegations on 17 January, 27 February and 26 March 2024, whose participants included representatives of the Dragon Sector team, Newag, railway operators and members of the Sejm.[19]
They are. Both sides that are interchangeably leading the country. Nothing really changed since at least 50+ years. Same names, same stories.
Both groups did some PR moves showing police, CBA and ABW being successful catching some poor guys fighting with the system.
Note that the CCC is more-or-less just a container organization for people who actually do stuff individually. These particular hackers are heroes. Even things like the Congress are run by some people who more-or-less decided to run the Congress each year. There is substantial inertia in how things like that are done, of course.
I wonder why there are no lawsuits from the companies that had to pay to unlock the trains and did not get any documentation of what was fixed/replaced to get it running (in 10 min), especially since it was not a single train that had to be unlocked. It's like having ransomware on the PLC.
We live in a post-intellectual-property age. It's about manufacturing and resources now. It is overwhelmingly used to suppress upstarts and remove diverse competition in the market before they can get their legs. Regulators go on to work for the companies they regulated. The conflicts of interest create an oligopoly that is more about lawyers than about engineering.
It's time we repealed it all. No one gets to own an idea of the universe. Especially not a faceless org created for tax purposes.
> If more than the € 30,000 required to date is donated, if the legal costs are lower or if court costs are repaid, all payments received in excess will be used for the statutory purposes of the Chaos Computer Club e.V.. Please note that the CCC e.V. is not formally recognised as a non-profit organisation.
That is one sure way to make people not donate to the cause. I want to support the people, but I don't want my money to go elsewhere, and there is no way of knowing how much has been raised to date or guarantees to get the funds back when the legal costs eventually get covered by Newag. The only guarantee stated is that they will definitely use money for something else. Not OK.
The "Please note that the CCC e.V. is not formally recognised as a non-profit organisation" part is a bad translation - this one is related to the German tax code.
To put it short: there are two different kinds of NPOs, first "regular" e.V. and then those e.V. that fulfill exclusively "aims for the common good" ("gemeinnützige Zwecke", the full list is in §52 AO [1]) - they carry a special benefit: donations can be deducted from your income for tax purposes.
The CCC is a non-profit organization, but since it (among other things) engages in taking political stances while at the same time not being a political party, it is not seen as a "gemeinnützig" organization - a fate that hit quite a few organizations in the last years [2] or is looming over their head [3].
I kind of envy Germany's large array of possible corporate charters for non-profits, for-profits and kinda-sorta-nonprofits. I wish America had the same menu to pick from.
I'll add some more confusion to your mental list: the "gemeinnützige GmbH" aka "common-good LLC" - it is allowed to undertake commercial (income-generating) activities as its main activity (unlike the e.V. which may only do commercial activities like selling stuff on a very limited basis, stuff like selling swag for example), but the proceedings must be used only for activities in the list in §52 AO as well.
I’m assuming they have to say this from a legal perspective. In reality what they are saying is “we don’t know how much the legal fees will come to, could be less, could be more. However, once we have proper accounting, if there is money left over this will support CCC”
I’m not familiar with German governance for quasi not for profits, but I suspect the idea that funds are conditional for one specific purpose probably breaches governance, and returning funds to donors if certain conditions are/are not met could be problematic from a tax point of view. I know this would be the case in other European jurisdictions with which I am more familiar.
An e.V. is by its very nature very non-profit-y. I am not an expert, so I encourage you to look up e.V. aka "eingetragener Verein", but basically, it's similar to a nonprofit and a lot of rules and laws apply. It's not formally a non-profit in any country because e.V. is a specific German thing. You can, however, rely on that being very rock solid and not for-profit.
That’s a fair point and I had to re-read that sentence multiple times to understand what they are saying. They should indeed say how much money towards this cause has been received.
I highly encourage everyone to watch the previous presentation: https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_tra...