Oyster Card Hack To Be Released, In Good Time

Posted by timothy on Tue Jul 22, 2008 08:09 AM
from the crackers-don't-follow-injunctions dept.
DangerFace writes "A little while ago some Dutch researchers cracked the Oyster card, meaning they could get free public transport around London. The company that makes the cards, NXP, sought and got an injunction to stop the exploit being published, but that has now been overruled by a Dutch judge. The lovely Dutch blokes are holding off from releasing the hack for the time being, to give NXP time to secure their systems."

Related Stories

[+] Hardware: Hacked Oyster Card System Crashes Again 95 comments
Barence sends along PcPro coverage of the second crash of London's Oyster card billing system in two weeks. Transport for London was forced to open the gates and allow free travel for all. "There is currently a technical problem with Oyster readers at London Underground stations which is affecting Oyster pay as you go cards only," explains the TfL website. This follows the first crash two weeks ago, which left 65,000 Oyster cards permanently corrupted. Speculation is increasing that the crashes may be related to the hacking of the Oyster card system by Dutch researchers from Radboud University, though TfL denies any link. Plans to publish details of the hack were briefly halted when the makers of the chip used in the system sued the group, although a judge ruled earlier this week that the researchers could go ahead. During the court action, details briefly leaked on website Wikileaks.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • You mean... (Score:4, Interesting)

    by Notquitecajun (1073646) on Tuesday July 22 2008, @08:12AM (#24288045)
    The People don't have a right to free public transportation in London? Somethin' oughtta be done!
    • Why yes, they do (Score:5, Insightful)

      by Jeppe Salvesen (101622) on Tuesday July 22 2008, @08:33AM (#24288323)

      The sidewalks are great for walking on. At no cost!

      • <Obligatory>We don't have sidewalks in London, you insensitive clod!</Obligatory>

        We do a good line in pavements, but prolonged exposure to roadside air in London isn't exactly good for your health.

        • by bsDaemon (87307) on Tuesday July 22 2008, @08:53AM (#24288583) Homepage

          Prolonged exposure to roadside air anywhere isn't exactly a day at the spa... but then, London does have the distinction of being the only city in the world wherein you can see the air you breathe ;-)

        • Bloody 'ell!! You let tourists walk around all day in unhealthy air?! Greedy, insensitive bastards the lot of you!

          • Re:Why yes, they do (Score:4, Interesting)

            by xaxa (988988) <slashdot@sym[ ]te.eu ['bio' in gap]> on Tuesday July 22 2008, @12:25PM (#24291661) Homepage

            Hold on now just a second. Are you saying the air down in the tube is better than the air above ground? I beg to differ!

            I wouldn't like to compare them, but there was a study done which found that the claim that travelling on the London Underground was as bad as smoking a cigarette was false.

            The mass of material inhaled on the underground was comparable to the mass inhaled by smoking a cigarette, but the dust on the tube was mostly iron/steel (from the rails and wheels) or grit (from the tunnels), and was in relatively big lumps that were mostly stopped by the hairs in the nose (as any Londoner knows). Compare that to the pollution above ground or from smoking: tiny particulates of toxic chemicals.

            I'd rather sit in a park, but given the choice of sitting by a busy road or an underground railway, I'll take the railway.

            (Anecdote: I lived in a flat between one of the main railway lines into London, and one of the main roads. The windows on the railway side didn't need cleaning very often, even though some of the trains were diesel-powered. The dirt was gritty. On the road-side of the building the windows quickly became oily.)

      • by Blue Stone (582566) on Tuesday July 22 2008, @08:51AM (#24288559) Homepage Journal
        > The sidewalks are great for walking on. At no cost!

        Until the ID card surveillance system comes in. Then we pay to walk. To breathe. To exist.
      • Sidewalks, or pavements as they are sometimes known, cost money. Billions of people walk to and fro across and over sidewalks every hour of every day. Every six seconds, 5.72 meters of sidewalk are worn down by human traffic and need to be replaced. People seem to think that sidewalks spring forth from the ground. They don't. They cost money.

        And who is going to pay this money? Who is going to finance the millions of kilometers of much needed sidewalks? Who is doing it at the moment? Why _you_ are. You, the humble taxpayer, are being forced to hand over your hard earned wages to pay for concrete that will be worn down by other people's shoes! It's ludicrous! Does anyone pay you to tile your kitchen? Do you get free funding, materials and labor when you have to repave your drive? No. Why should sidewalks be any different!?

        What we propose, is a better way, and a better future for you and your children. By forming strategic Public Private Partnerships, we can finance the creation and maintenance of sidewalks everywhere by privatizing them. Businesses can finance construction of sidewalks by modestly tolling the people who use them, passing the costs on to those actually wearing down the paths, and not onto you, the innocent taxpayer.

        Through the Magic of the Free Market private enterprise will deliver better, cheaper and cleaner sidewalks to the general public with no government participation! Businesses will prosper, providing employment for millions and the savings earned in the government budget can be passed on to you through a cut in the top rate of tax. It's a win/win situation for everyone involved!

        Vote yes on Proposition 22. You owe it to your Family.

  • by YeeHaW_Jelte (451855) on Tuesday July 22 2008, @08:16AM (#24288079) Homepage

    but the Universities advocates cracked their shell and the judge clam-ped down on them ...

    sorry ...

    • by smussman (1160103) on Tuesday July 22 2008, @08:22AM (#24288193)
      No problem.

      But next time, remember that taking all the jokes is shellfish.
    • by hkz (1266066) on Tuesday July 22 2008, @09:00AM (#24288665)

      I believe this would be the same university that previously forbade the researchers from talking to the press.

      Anyhow, the lifting of this publication ban is an excellent thing. The Dutch government has spent a lot of money in this foolhardy public transport chip card system, and is not willing to admit that it's an expensive, deeply flawed trainwreck.

      After the Nijmegen investigators came out with their findings, a contra-expertise report commissioned by the government and performed by Royal Holloway University in London, was selectively edited to remove its harsh conclusions before being sent to parliament. Then, the university cracked down on the freedom of the researchers to speak to the press.

      I, as a Dutch citizen, am happy that this issue is getting some serious sunshine.

  • Not just Oyster (Score:5, Informative)

    by jnik (1733) on Tuesday July 22 2008, @08:17AM (#24288109)

    According to Wikipedia [wikipedia.org], the same tech is used by Atlanta, DC Metro, the L, and the T.

    • Re:Not just Oyster (Score:4, Interesting)

      by JaredOfEuropa (526365) on Tuesday July 22 2008, @08:44AM (#24288473) Journal
      Not just that, very similar technology is used for the Dutch national public transport card that is under development (and currently piloted in Rotterdam). In a case of weird reciprocity, the Royal Holloway University of London wrote a report on the Dutch card system, initially recommending immediate replacement but later changing that to "recommend further investigation".
  • Key line (Score:5, Insightful)

    by Dolohov (114209) on Tuesday July 22 2008, @08:19AM (#24288143)

    While I have mixed feelings about the publishing of exploits, this line hits the nail on the head:

    In its ruling, the court said: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

    This is an important lesson to companies like Diebold.

    • Re:Key line (Score:5, Insightful)

      by Steauengeglase (512315) on Tuesday July 22 2008, @08:25AM (#24288233)

      I could be wrong, but I don't think the Diebold fiasco was ever officially denounced and called a bad thing. It got certain people in office and kept others in. I think the powers that be would consider that a rousing success.

      • Re:Key line (Score:4, Insightful)

        by garcia (6573) on Tuesday July 22 2008, @09:00AM (#24288659) Homepage

        No, I think that the poster was hoping that the commonsense ruling and notation made by the Dutch court would somehow transcend political and oceanic boundaries to the United States. But, unfortunately, it probably never would and if it did, the judge making the ruling would be condemned as a traitor and heretic.

  • Are they serious? (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 22 2008, @08:24AM (#24288215)

    So let me get this straight.

    1. Researchers discover hole in Oystercard implementation.
    2. Oystercard operator ignores warnings from researchers.
    3. Oystercard operator takes researchers to court instead of working to fix identified vulnerabilities.
    4. Injunction granted.
    5. Injunction overturned.
    6. Researchers continue to give Oystercard operator time to fix their system, in addition to the time they had prior to the court action.

    Were I in their situation I would have publicly released information on the hack the moment the injunction was overturned. If vendors of ANY type of system want to fuck with people who show every intention of trying to HELP them, they deserve everything they get.

    • Re: (Score:3, Interesting)

      Probably, fixing the vulnerability would take years and involve a full recall of the cards. That's why NXP wanted to suppress the information. This isn't like some program where it's one auto-update away from being secure again. Now these researchers are going to release the information, chances are good that London will be flooded with cracked cards used by freeloaders. And it will take years to clear up no matter what NXP do. Not sure that's worth the release of an academic paper, to be quite honest. Unle

      • by MoonBuggy (611105) on Tuesday July 22 2008, @10:34AM (#24289903) Homepage

        And it will take years to clear up no matter what NXP do. Not sure that's worth the release of an academic paper, to be quite honest. Unless the purpose of all this is to punish people who make mistakes?

        Your implication that withholding the results would prevent cracked cards being made only works if you make the assumption that only these researchers could/would work out how to break the security. As Bruce Schneier says in the BBC article: "Assume organised crime knows about this, assume they will be selling it anyway,".

  • Free (Score:5, Funny)

    by quarrel (194077) on Tuesday July 22 2008, @08:24AM (#24288219)

    Information wants to be free.

    Luckily, so does public transport.

    --Q

  • by frenchgates (531731) on Tuesday July 22 2008, @08:25AM (#24288225)
    The London public transit system sees payment for services as damage and routes around it. Or something like that.
  • This is a perfect example of how hacking can benefit the greater good. While it would be great to ride Dutch trains for free, it's obviously not sustainable and therefore I don't mind paying for services I receive. It is rather frustrating however to see companies attack the hackers that have found this weakness. Fixing the weakness will obviously cost money and time, but that is far superior to months of unscrupulous individuals taking free train rides all over the country. The students could have easily distributed this to their friends and community members quietly and cost the rail system thousands (perhaps hundreds of thousands) in free trips before it was discovered.

    The rail company may have been duly diligent in their security assessment of the system, but obviously missed this problem. In this case, the students have provided a very valuable service for FREE. This can potentially improve the overall quality of the rail system. Obviously the rail company needs to spend capital to repair the flaw in the system, but that is superior to discovering and repairing the flaw after thousands of free trips have already been lost. In this case, the money lost in free trips can be reinvested into the service to improve it, rather than just flushed down the drain.

    If companies can change their opinion of hackers that voluntarily point out security flaws to be more positive and less adversarial, everyone can potentially benefit.

  • It's a pity (Score:3, Funny)

    by Chrisq (894406) on Tuesday July 22 2008, @08:34AM (#24288341)
    It's a pity that Cherie Blair didn't know [independent.co.uk] this one.
  • by BovineSpirit (247170) on Tuesday July 22 2008, @08:38AM (#24288397) Homepage
    Does anyone know if the accidental wiping [bbc.co.uk] of 1000's of Oyster Cards a couple of weeks ago was linked to this? Just curious...
  • by clone53421 (1310749) on Tuesday July 22 2008, @09:12AM (#24288799) Journal

    a haxor with skillz über-1337
    wanted to ride london's fleet
    but rather than paying
    he found himself saying
    "h4ck1n9 0y573r w0u1d b3 50 v3ry n347!"

  • by A beautiful mind (821714) on Tuesday July 22 2008, @09:20AM (#24288945)
    It seems really apt to include a link to this [backingblair.co.uk]. I waited for a long time to be able to link this on /.
  • Poor guys.. (Score:4, Funny)

    by 4D6963 (933028) on Tuesday July 22 2008, @09:24AM (#24288981)

    So Dutch researchers cracked the public transportation pass for London? Boy they're gonna be pretty down when they'll realise they need to travel all the way to London just to get free public transportation.

    Fortunately being Dutch they'll surely find a place to forget about all of this within a walking distance.

  • Wake-up call. (Score:3, Interesting)

    by Pig Hogger (10379) <pig.hogger@NOSpam.gmail.com> on Tuesday July 22 2008, @09:44AM (#24289235) Homepage Journal

    This is a wake-up call.
    The issue is public transit financing; hardasses who want the public to pay more than their fair share (public transit benefits ***EVERYONE***, including motorists, and most importantly motorists who see decreased congestion; as well as employers who can have their workforce brought on site cheaply, so they don't have to pay exorbitant salaries so the workforce has to be able to afford a car - look no further to see the reasons why jobs are going to China) will only drive fares up, and thus the incentives to cheat (where I live, I cheat all the time; illegally, of course, but in a way that's effectively very hard to catch - it would take a cop to tail me all the time).
    With reasonable fares, the incentive to cheat is simply not there.
    (But transit can't be free; you need a fare to ensure systems don't load up with homeless winos).

    It's like music: with $20 CDs, everyone downloads. Not so when they cost $2.

    • by quarrel (194077) on Tuesday July 22 2008, @08:27AM (#24288257)

      To quote from the paper you linked:

      "
      This paper is not the same as the paper that is subject to a lawsuit by NXP. It is available on the web since several months and will be published officially in the proceedings of the Cardis'08 conference in september. The paper of the lawsuit builds on it.
      "

      So while related, it is different for some value of different..

      --Q

      • by PJ The Womble (963477) on Tuesday July 22 2008, @08:42AM (#24288449)
        The cost of using public transport in London borders on the ridiculous. It's around US$2 to go 200 yards on a bus with an Oyster card. If you haven't got a card, it's over US$4.

        They've cut all the bus routes into a quarter of the length they used to be - meaning that you have to take 4 times as many buses to complete your journey, at 4 times the price and a much longer journey time.

        London's bus companies have been privatised. Does this mean that any efficiency savings are passed on to the passenger? I won't bother to answer that one... just have a surf around and see how much subsidy they're getting.

        You'd think, then, that local taxes in London would be real cheap. Oh dear me no, that would be a wrong assumption. One pays local tax (Council Tax) to the borough in which one lives, and then a further tax to the Mayor of London's Office. The *average* charge across outer London for this year is nearly US$3000 per annum.

        In London, there is no such thing as a free ride.
        • by Bertie (87778) on Tuesday July 22 2008, @09:14AM (#24288849)

          And then there's the Tube. A single journey within Zone 1 costs four pounds. This could be as short as 100 metres if you're stupid enough to travel between Charing Cross and Embankment.

          And who's stupid enough to do that when you could buy an Oyster card and save a packet? Why, tourists, of course. And tourists don't vote. So they gouge 'em.

        • Re:let em release it (Score:4, Informative)

          by defnoz (1128875) on Tuesday July 22 2008, @09:50AM (#24289307)
          You've obviously never been anywhere else in the UK. London's bus fares are very cheap, and saying the routes are 1/4 the length is just FUD - even if you do have to get 4 buses, it won't cost 4x as much, since a daily fare is capped at £3 (i.e. once you've made 3 journeys you don't pay any more that day). If I want the same here in Oxford it would cost me well over £10 ($20). ...oh, and why exactly would you *expect* having a complicated mess of privatised companies to be any cheaper than one company which is accountable to the public, not its shareholders?
        • by Notquitecajun (1073646) on Tuesday July 22 2008, @08:27AM (#24288259)
          Wear and tear. Worse gas mileage. The attitude of freeloading, or better yet, stealing, and that it "doesn't matter." Also the matter that this is something that would get WIDESPREAD in a city like London. We wouldn't be talking the occasional computer nerd - hacked cards would make their way into PLENTY of hands, and every hoodie-with-ASBOS-and-ringtones would be getting "free" rides.
        • by totallyarb (889799) on Tuesday July 22 2008, @09:46AM (#24289261)

          If the bus isn't full and you otherwise wouldn't have paid, then what's the problem?

          Sometimes it's hard to tell if people are posting ironically, but I'm going to go ahead and answer as though you were serious.

          The philosophical reason you don't take free rides on buses is that paying your bus fare is a Kantian categorical imperative [wikipedia.org]. The ability to take a free ride on a bus presupposes the existence of a bus service, but were everybody to ride for free, the bus service would cease to run, negating the possibility of a free ride.

          Actually, the real reason is a lot simpler: You're getting something of value, so you have an obligation to give something of value in return. Only parasites and slavers fail to abide by this principle. Which would you like to be?

    • Re:I'm not surprised (Score:5, Interesting)

      by D-Cypell (446534) * on Tuesday July 22 2008, @08:43AM (#24288461)

      I'm not surprised we Dutch are trying (and apparently succeeding) to hack public transportation systems facilities if you look at the current pricing of our own system.

      I am assuming that you are implying that the Dutch transport system is expensive. Clearly you have never been to the UK. I live an hour away from London by train, if I were to shop around a little and pick the budget airline flights I could fly to Schipol from Gatwick/Heathrow, get the train to Amsterdam Central and a tram to my hotel for a cheaper price than my train journey from my house to the airport!! It really is *that* bad.

      I have been to Amsterdam many times (not *just* for the usual tourist reasons, my grandmother was born there, so I visit family), and I can say without a shadow of a doubt that transport around Amsterdam is many times more efficient and cheaper than transport around London, and I would much rather deal with the bizarre conversations with strangers that have 'had a little schmoke' on late night Amsterdam trams than the strangers that are looking to mug me on the London underground.

      Both of our countries are culturally rich, with a fascinating history, but yours seems far superior when it comes to the management of public services.

      • I have to second this. I'm Dutch and many people are claiming that the Dutch public transit system is expensive and inefficient. I've been to a lot of countries and I took a lot of trains and buses but our public transit compares favourably to almost any of them. Trains visit most parts of the country with metro-like frequency.

        It really is a shame that the Dutch national public transit card suffers from similar problems since it has been compromised too. But a chip card system offers a lot of opti

      • by Joker1980 (891225) on Tuesday July 22 2008, @09:33AM (#24289083)

        That reminds me of an old 'mock the week' on bbc when Andy Parsons done his train to Glasgow gag.

        "It costs £98.18 to get the train from London to Glasgow, who the hell is going to do that when you can fly to Barcelona for £40, then fly whoever u wanted to visit in Glasgow to Barcelona for £40 and then spend the first £18.19 on sangria".