Article 254a of the Polish Penal Code addresses the obstruction of railway operations and other critical infrastructure. Violating this law can result in a prison sentence ranging from 6 months to 8 years.
It doesn't matter whether the act was committed as part of a company's operations or as an individual's private endeavour.
To all software engineers: please refrain from engaging in criminal activities. If you are instructed to do something illegal, it is important to report it to the relevant authorities.
I think jakozaur is correct, and don't know why they're being downvoted. Here is the legal statute they are referencing:
Art. 254a. Disruption of a network; damage. Anyone who takes, destroys, damages or renders unfit for use an element of a water supply, sewage, heating, electricity, gas or telecommunications network, or a railway, tramway, trolley bus or metro line, thereby causing a disturbance in the operation of all or part of such network or line, is liable to imprisonment for six months to eight years.
I certainly think that this malware meets the criteria set forth in that law: "renders unfit for use an element of ... a railway ... , thereby causing a disturbance in the operation of all or part of such network or line".
Seems pretty cut & dry to me. I hope some people face real jail time for this. As another comment mentioned, it will probably be a "fall guy" (perhaps a middle manager) but that will still deter future managers from authorizing such fraud, even if the orders come from above. Future managers might reject such orders since it's not worth jail time.
As a person very familiar with the Polish legal system and code I would be far from saying it's a cut & dry case.
What we have in this case is a company doing something that is wrong, not an individual. To sentence somebody with the statute you and the parent are referring to you need to have a case against an individual, not a company. Secondly, except for this specific statute you have to take into consideration the general rules of the penal code (Zasady odpowiedzialności karnej) and in this case you have to assign blame, find out the intent, the knowledge of what they were doing etc.
In general, in the best case this will be a breach of contract, a civil case, there probably won't be jail time. Don't get your hopes up.
Don't get me wrong, what they did is nefarious, but at the same time I don't think there should be jail time, just huge fines and some scrutiny (maybe NIK, ABW, CBA etc. - other Polish three-letter agencies) on Newag, maybe barring them from some future deals.
Deter middle managers from what? Implementing shady business practices that skirt the edge of legality? That's day-to-day business, the only way to avoid that would be to quit. Sure, no one would commit this exact offense again, but (a) the practice will (would, if any conviction actually happens, big if) be changed just enough to make it legally ambiguous again, and (b) the law would probably be changed to make it legal.
Yes, you might get the odd Schindler every now and then who tries to do just that, but most are probably in it for the money and not to fight some uphill battle.
> Dear software engineers, please do not commit a crime
Yes, developers shouldn't knowingly write code to commit crime, but developers don't tend to receive instructions that directly. Unsurprisingly, the company doesn't mention to every employee that they are knowingly breaking the law.
Instead, developers receive a request to build a feature, and it typically won't be at all obvious that the intended use of that feature is to commit a crime. There might even be a legitimate use of the feature, and then someone finds it can be abused to commit a crime.
Sometimes it may not be obvious but the feature still might seem super suspicious. For example, suppose that the malware discussed in this article was broken down into two sub-features assigned to different people: geofencing detection, and bricking the train. The person writing the "bricking the train" part should have realized that there is practically no legitimate reason for that code to be written, and if they ask their manager for a reason and are told "don't worry about why, just write the code", they should report this suspicious activity to law enforcement. There are many reasons that law enforcement would want to know, including that the engineer's manager might not even be acting in the company's own interests but might have taken a bribe from a hostile foreign power.
> The person writing the "bricking the train" part should have realized that there is practically no legitimate reason for that code to be written
Hey Janusz, can you build a safety feature that prevents the train from operating under certain conditions? We don’t know all the conditions yet, so leave it flexible.
Even so, wouldn't someone still have to write either an if-then statement, or a database entry, to connect the geofencing capability to the bricking capability? Even if that was only a single line of code or SQL, it seems like a smoking gun and whoever did it can't possibly plead ignorance. No one who can operate a keyboard is that dumb.
Hey Czesław, I cannot leave it flexible, because it's a train that can run over 100km/h with 500 passengers inside, so I need to know the details to perform the required safety analysis. All in all, my name will be in the commit log if someone runs... git blame.
I think I owe you an explanation, as I was referring to the fact that in Poland "Januszex" is a meme.
Back in the 90s, when the market economy started here, many many businesses' names had the "-ex" suffix, as apparently it sounded western.
And Janusz is a popular first name, which became a meme for a specific type of a businessman, I suspect that because years ago when the meme started, many of those businessmen actually had that name (i.e. it was very popular in that generation).
Now, when you open januszex.com, what's there is a meme of "Janusz Alfa" [1] (I think it should be self-explicable), and a related long-nosed monkey meme (I guess they could be thought of as "Janusz Beta" or sth like that).
EDIT: [1] The real person from the photo is a Polish politician. I couldn't find if he somehow "triggered" the whole meme situation, so I guess it was just a coincidence--someone stumbled upon his photo, used it, and the rest is history.
Let's repeat this one for the parts of the peanut gallery harping on irrelevant issues such as whether object orientation was part of the design methodology or SEL4 part of the firmware runtime stack:
"To all software engineers; please refrain from engaging in criminal activities. If you are instructed to do something illegal, it is important to report it to the relevant authorities."