Shouldn't systems Like LZB or ETCS bei mostly protected against radio interference as only the Last section (centimeters) needs to bei transmitted wirelessly? Are they used in the line or did they opt for something else?
By my understanding the RCE part of the exploit should not apply to recent java versions if the default options are used (minecraft shipped older version afaik, and all bets are off for unmaintained enterprise applications).
The data extraction however will work on any java version if the server in question has the capability to connect to a server under the control of an attacker, as the network request will be performed even if the JVM options that should avoid the RCE are enabled. Big problem for client applications (as usually most outgoing connections are allowed).
A bit harder to evaluate the impact in the enterprise context as many companies will not allow their servers to connect to "random" endpoints or at least require target-specific proxies to connect to the internet/intranet which makes this harder to exploit.
Classic .net deployments are regarded as system components, they will receive security updates as long as the supporting OS is supported(that's at least the sales pitch we received) So 4.6 on Windows 10 will be supported at least till 14th October 2025 and 4.7 on Windows 10 at least until 13th October 2026 (if you are willing to pay Microsoft for that)
The Coradia LINT platform this train is based on is built in Germany. Alstom has two locations within Lower Saxony (which is the state funding a lot of this).
No enforcement agency is required to enforce this law. Rightholders will sue non-filtering platforms over potentional lost sales due to their "wilful negligence".
And if the offending platform has any business in Germany (or another country with similar laws) this will be a gold mine for any law business issuing cease and desist letters in the name of competing plattforms.
Unlikely. Yes, this is a political decision as most actual users of the systems were ok with the linux client. However, the article is a bit misleading. They are bringing the systems used by a subdepartment of the states department of finance in line with the stack used within the remainder of the department (about 1/3 were linux clients, the state already owns over 50.000 other windows clients (lower estimate, most likely more if you include organization which manage their own infrastructure (like universities)), they know what to expect from microsoft). While the systems worked it always required special attention when interoperating with other states (for example: certain informationrequests by other states are standardized between all states (based on a shared windows solution). Lower saxonian employees could not interact with it directly and had to rely on their inhouse solution instead of reusing the existing and proven solution used by all other states). There are notable costs associated to beeing a special flower while maintining conformance to financial regulations.
Yes, I believe that biting the bullet and migrating more departments to open systems would be the better longterm solution (which would also force vendors to port their solutions). But there will be several elections before that pays off and would require a significant investment before the benefits show (and possible coordination between the states) and in the midterm moving to Windows might be the better option. Moving to linux doesn't win an election, but failing to move to linux might loose you one.
However, even after the move about 1/4 to 1/3 of the computers/servers owned by the state will run linux/bsd (iirc).
Even under current rules the common household IP-Address appears to be (in combination with any other relevant data (a timestamp for example)) personal data.
> Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person. [ECLI:EU:C:2016:779]
https://www.postgresql.org/docs/current/storage-hot.html