Hacker News new | past | comments | ask | show | jobs | submit login
Berlin court used Windows 95, hit by virus, now uses typewriters&fax (German) (tagesspiegel.de)
79 points by ptaipale 11 months ago | hide | past | favorite | 56 comments

"Gamrith" comments in Tagesspiegel, and I think (s)he makes an accurate analysis of judicial behaviour which applies not only to Berlin and not only to Germany.

The problem lies in the way the judiciary sees itself and its work, and not just in Berlin. Every time you come to the judges and prosecutors with the subject of IT security and the associated user care obligations, they wave the Constitution and refer to the judiciary independence. Every time you point out that old applications have to be replaced, it is pointed out that changes in form and procedures can neither be desired nor tolerated by the employees.

IT is not a core competence of the administration, and especially not the judiciary with its absolutely obsolete professional mindset. In particular, one does not really understand that as a part of an integrated system in which the user and the applications work together, they also have duties that they must perform. They always point at the IT or IT service providers, and shy away from responsibility.

AULAK is not the only critical specialist procedure in the Berlin judiciary that needs to be renewed. However, the judiciary shies away from the costs and expenses that one would have to invest here. In particular, in such projects, any judges and prosecutors are "voluntarily" ordered as project managers, and staff who have no idea or real interest in the subject would just like to implement existing paper-based processes 1:1 in software. That the IT offers other possibilities is then always dismissed with the reference to the "laws".

Smentek and the ITDZ are not collecting any prestige from their role in the process, but the plight of the Supreme Court is homemade and is mainly due to the inability of the judiciary to renew.

The funny thing here is that regardless of what their tools are, only an idiot would consider use of their tools to be unimportant or not a core competence.

It matters not whether their tool is a feather pen or IT infrastructure, they must master and maintain the tools they select. Imagine if a carpenter did not think sharpening their chisels was something they needed to worry about. Or perhaps more relevant, maintaining their table saw.

However, it is perfectly valid to pick a simpler tool that does the job, and mechanical typewriters are definitely simpler than a network of computers and printers.

Trying to see this from the users’ perspective, why does me being secure require a completely different UI? Why can’t all the security patches for the latest version of Windows be ported back into _my_ version instead of me having to learn a new operating system?

This is the cost of the tech industry’s obsession with constantly fiddling with the UI.

I think the fundamental thing is that keeping up to date involves both user interfaces & operating system versions as well as work processes and interfaces. You cannot develop just one of them without considering the other, and because the system needs to work as a common process with unified working methods and tools, it means that everyone needs to adapt to both.

Yes, there is too much fiddling with the UI in the industry, but continuing to use 1990's operating systems without updates, just because people don't want to change their ways of working... that is not sensible.

Ok do you want to pay for that

Short recap for non German speakers.

- Berlin (city/state) court was running on Win 95.

- Trojan infected their whole network. Now they disconnected all PC’s from the internet. They run on phones and faxes now.

- Various consultancies (Accenture e.a.) warned them the situation was critical in 2017.

>> Trojan infected their whole network. Now they disconnected all PC’s from the internet. They run on phones and faxes now.

The ol' Galactica strategy

Admiral Adama had a point.

Though using that analogy Madame Airlock (MS Merkel) would had a few people spaced :-)

I think it's called the PG&E Cali-fire strategy now.

When did the Trojan outbreak occur?

According to the tabloid Berliner Zeitung, the computers were taken off net at 11:35 on Tuesday (2019-10-29). The court asks its correspondence partners to "Please quarantine (...) the entire electronic mail traffic of the Appeals Court, which has been received since 16 September 2019. "



Another article mentioning the use of faxes now that the court is disconnected from network: https://www.tagesspiegel.de/berlin/anhoerung-zu-trojaner-ang...

Summary: Berlins Court of Appeals (Kammergericht) kept using Windows 95, even though the maintenance of this OS ended in 2001.

Elsewhere, it is mentioned, that the court was hit by Emotet malware.

Some judges have stored all their documents in the official system and have now lost them, and they have literally no access to their past work except on paper printouts, if they have any. Some other judges did not obey rules and stored their documents also on USB sticks; they now do have some back-ups.

(Google Translate works reasonably well for German-English.)

Very surprising that Emotet runs on Win95.

Indeed. Kudos to the developers for maintaining support for legacy operating systems. Only half joking.

Same here. Also the USB part was mentioned in several news outlets. Iirc, Win95 had no USB support. So it either was only parts of the system that ran in it, or something got messed up during reporting. Because I faintly remember an earlier report that only mentioned Word 95, which would make a little more sense as that should run on more recent versions of Windows.

All computers probably are not running Windows 95, many are newer. But I understood the point here is that judges take files home (maybe using floppies?) and use their own computers to work on them. And when at home, they are not supposed to take local backups, but some did it anyway.

It's also suspected that the infection of malware came via a private computer handling the files.

Again, Google Translate does a decent job:

Infection may be through private computers

Many of them have in the past, also because of the often outdated service computers, taken office data on storage media such as USB sticks home and worked there in the home office. The fear of having infected the private computer with the virus is great - and apparently justified. The Federal Office for Information Security advises in case of infection with the Emotet virus to a reorganization of the affected computer. Current information about the virus further states: "Emotet is considered one of the biggest threats of malware worldwide."


This whole thing is sadly “typically Berlin”. No hard, scientific proof for that but it is extremely unsurprising when you have some experience with Berlin bureaucracy.

I recently visited a hospital in Berlin. I ended up next to a screen with a live ECG from someone in another room. This alone seemed slightly questionable, both due to privacy reasons and because it ran in some weird modified Internet Explorer.

Then the ECG was interrupted by Windows Update.

Weirdly enough, Germany in general is very very privacy conscious. In Berlin even more, due to DDR hangover.

I often feel that the main result of this privacy consciousness is that it adds to the impression caused by the OP, that is, one of being behind technologically.

E.g. when you can't do administrative tasks online or have to fetch and send some info from and to four different government agencies because they're not allowed to pass it among each other.

But who knows, maybe I'll be thankful for the extra work one day when other societies are wholly ruled by brainwave scanners and social credit systems.

An organization still using Windows 95 favors privacy just as much as the GOP favors small government.

Obviously not if they're still running Windows everywhere.

Yet they still have people register their religion choice. Ostensibly it’s because of taxes, but given Germany’s history, a government list of everyone and their religion can’t be good. Germans care about privacy, but they have seemingly a foolhardy trust of government.

"A government list of everyone" is certainly considered a good thing in most North European countries. Religion would not have to be there, but a population register is taken for granted, and is considered an essential service of the government. Things like "registering to vote" are alien, and considered a weak point in democracy in the U.S. and U.K.

> "Yet they still have people register their religion choice. Ostensibly it’s because of taxes"

Stupid question maybe, but do Germans actually comply with that law? Even the ostensible justification seems weird; why should religious beliefs be relevant to taxes owed?

They do; church membership dues are part of general taxation (if you are a member of the church).

Same arrangement in Nordics (dk, fi, is, no, se). Church membership is not mandatory, but membership of the national church or churches comes with a tax.

Because the state helpfully pulls in "membership fees" for the churches through the tax system. Really stupid system, but little political will to get rid of it.

One may call it stupid, but such a system, particularly collecting the membership dues for the Lutheran protestant churches, is in place in very many of the most-advanced nations in the world with highest rankings of human development, press freedom, strong welfare state, good public health and so on.

Is that a coincidence? I think it is not, although it is obvious that the mechanism doesn't work like "start collecting membership dues for Lutherans and you'll have a great welfare state". Rather, it's the current outcome of a long historical development.

I think you mean guilt from ww2 and also some of the sectarian episodes in Germanys Past - Bismarck locking up a large proportion of the Catholic clergy is one example not well known

I think WW2 is just a passing episode in this development, as different countries fared differently in the war but this long-standing development has ended in rather similar outcomes. Overall, it's that the secular society picked up from the administration structures and practices built by (mostly Protestant) churches.

WW2 guilt did not stop Austria from applying this law for collecting church dues (for the Catholic church) after WW2, even if the practice was in fact brought to statute books by Adolf Hitler in 1939.


Berlin court used typewriters & fax, hit by rust and lack of paper, now uses cuneiform & clay tablets.

It's mindblowing how one getting behind even 2 years in the general ecosystem and the technological progress is basically out of the job market, yet people responsible for the functioning of the society can completely ignore all these and remain in their positions of power and authority.

Hahaha, I am glad it finally hit them. Hopefully many more official institutions including ticket selling machines using old Windows will get hit. Maybe one day they will learn, that using proprietary software (even less outdated software)is not suitable for official institutions financed by the tax payers.

I wonder if theres an inflection point where using older operating systems cause you to be more resilient to viruses - presumably because malicious software is written targetting more modern stacks

Might be true for other platforms but Microsoft's laser focus on backward compatibility probably helps viruses.

Absolutely, however that quickly goes away if anyone attempts to target you specifically.

Wouldn't that strategy make you more vulnerable to targeted attacks, as the attacker does need to have (or buy) 0-days?

I doubt it... at least not for the next hundred years or so... as there's always going to be a script kiddie in some corner of the globe trying to implement an outdated old vulnerability.

It's surprising that it took until 2017 for "Fachleute" (experts) to warn the city about the situation. Wouldn't one expect the same advice to be given ever since 2001 when Windows 95 support ended?

They probably got the warning every year every day informally, they got it formally at least once a year.

related article (also German) on heise, a more technical publication than tagesspiegel: https://www.heise.de/newsticker/meldung/Emotet-Das-Faxen-am-...

So how do you write fire-and-forget systems? Typewriters can't become hopelessly insecure by leaving the typewriter sit on a shelf for a year. On the other hand, you can't leave a Linux box unattended for more than a couple months before it's hopelessly insecure. Is the solution unikernels, or what? I think we'll have to find ways to make software that stands the passage of time a bit more. I feel like it's really hard to build software that survives on its own for even a tiny bit of time. Are we in an era that will leave no usable artifact behind?

They can be insecure if you don't dispose of your carbon papers properly

It's amazing you can still be productive with Windows 95 in 2019. It shows you how great it was. Imagine getting anything done with Mac OS 7.6, which was current in 1995.

We simply didn't know what dangers lie in connected computers back then, so it's no wonder it would be vulnerable to attack. Still, you'd think the sheer age of it would protect it (who's still attacking Windows 95?) and it probably did keep them safe for some time.

Likely all they need to do is run Word for typing and printing text documents. This worked perfectly fine with Windows95.

> Imagine getting anything done with Mac OS 7.6, which was current in 1995.


Win95 = Mac '84

I was at the Windows 95 Launch Event (hosted by Jay Leno!) and we saw Apple driving "billboard" trucks around with this message. I was sad/pathetic. Windows 95 had real virtual memory, processes with protected memory space, and file names up to 260 charaters (vs Mac's 32 character limit back then.)

If Steve Jobs didn't come back and throw away MacOS to make a new one based on NeXT, they would have been quite dead today.

I was at MacWorld '95 -- just before Windows 95's release -- and saw lots of T-shirts with those slogans. You're right. Technology-wise even cruddy old Windows 95 was superior. But Apple had a hardcore base of true believers (Bungie, for instance, was a Mac-only and then a Mac-first shop) and those were their marketing audience. Part of the dogma was that beauty and ease of use came before all other concerns, and Mac was indeed beautiful and easy to use.

And Amiga beat Apple

I can't see fax or typewriters being mentioned in this article at all, they only talk about encrypted usb drives from what I can see.

Where does this headline come from?

It’s linked in the first paragraph. Article in the same magazine https://m.tagesspiegel.de/berlin/nach-trojaner-attacke-am-ka...

I think it is important to consider that possibly computers are not the optimum solution for everything

Don't fax machines operate over phone lines though? Should be stupid easy to tap into. Not great for sensitive court docs.

Also, by removing digital docs, you make it much harder for those with visual impairments to access such documents.

Why didn't they switch to ArcaOS (modern OS/2)?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact