Oyster Card Hack To Be Released, In Good Time

DangerFace writes "A little while ago some Dutch researchers cracked the Oyster card, meaning they could get free public transport around London. The company that makes the cards, NXP, sought and got an injunction to stop the exploit being published, but that has now been overruled by a Dutch judge. The lovely Dutch blokes are holding off from releasing the hack for the time being, to give NXP time to secure their systems."

Key line

[Dolohov]

While I have mixed feelings about the publishing of exploits, this line hits the nail on the head:

In its ruling, the court said: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

This is an important lesson to companies like Diebold.

Are they serious?

[Anonymous Coward]

So let me get this straight.

1. Researchers discover hole in Oystercard implementation.
2. Oystercard operator ignores warnings from researchers.
3. Oystercard operater takes researchers to court instead of working to fix identified vulnerabilities.
4. Injunction granted.
5. Injunction overturned.
5. Researchers continue to give Oystercard operator time to fix their system, in addition to the time they had prior to the court action.

Were I in their situation I would have publically released information on the hack the moment the injunction was overturned. If vendors of ANY type of system want to fuck with people who show every intention of trying to HELP them, they deserve everything they get.

Re:Key line

[Steauengeglase]

I could be wrong, but I don't think the Diebold fiasco was ever officially denounced and called a bad thing. It got certain people in office and kept others in. I think the powers that be would consider that a rousing success.

Re:let em release it

[Notquitecajun]

Wear and tear. Worse gas mileage. The attitude of freeloading, or better yet, stealing, and that it "doesn't matter." Also the matter that this is something that would get WIDESPREAD in a city like London. We wouldn't be talking the occasional computer nerd - hacked cards would make their way into PLENTY of hands, and every hoodie-with-ASBOS-and-ringtones would be getting "free" rides.

Re:Not just Oyster

[Anonymous Coward]

According to Wikipedia, the same tech is used by Atlanta, DC Metro, the L, and the T.

similar != same

This is a perfect example...

[txoof]

This is a perfect example of how hacking can benefit the greater good. While it would be great to ride Dutch trains for free, it's obviously not sustainable and therefore I don't mind paying for services I receive. It is rather frustrating however to see companies attack the hackers that have found this weakness. Fixing the weakness will obviously cost money and time, but that is far superior to months of unscrupulous individuals taking free train rides all over the country. The students could have easily distributed this to their friends and community members quietly and cost the rail system thousands (perhaps hundreds of thousands) in free trips before it was discovered.

The rail company may have been duly diligent in their security assessment of the system, but obviously missed this problem. In this case, the students have provided a very valuable service for FREE. This can potentially improve the overall quality of the rail system. Obviously the rail company needs to spend capital to repair the flaw in the system, but that is superior to discovering and repairing the flaw after thousands of free trips have already been lost. In this case, the money lost in free trips can be reinvested into the service to improve it, rather than just flushed down the drain.

If companies can change their opinion of hackers that voluntarily point out security flaws to be more positive and less adversarial, everyone can potentially benefit.

Why yes, they do

[Jeppe Salvesen]

The sidewalks are great for walking on. At no cost!

Re:let em release it

[PJ The Womble]

The cost of using public transport in London borders on the ridiculous. It's around US$2 to go 200 yards on a bus with an Oyster card. If you haven't got a card, it's over US$4.

They've cut all the bus routes into a quarter of the length they used to be - meaning that you have to take 4 times as many buses to complete your journey, at 4 times the price and a much longer journey time.

London's bus companies have been privatised. Does this mean that any efficiency savings are passed on to the passenger? I won't bother to answer that one... just have a surf around and see how much subsidy they're getting.

You'd think, then, that local taxes in London would be real cheap. Oh dear me no, that would be a wrong assumption. One pays local tax (Council Tax) to the borough in which one lives, and then a further tax to the Mayor of London's Office. The *average* charge across outer London for this year is nearly US$3000 per annum.

In London, there is no such thing as a free ride.

Re:Why yes, they do

[Blue Stone]

> The sidewalks are great for walking on. At no cost!

Until the ID card surveillance system comes in. Then we pay to walk. To breathe. To exist.

Re:Key line

[garcia]

No, I think that the poster was hoping that the commonsense ruling and notation made by the Dutch court would somehow transcend political and oceanic boundaries to the United States. But, unfortunately, it probably never would and if it did, the judge making the ruling would be condemned as a traitor and heretic.

Re:let em release it

[Bertie]

And then there's the Tube. A single journey within Zone 1 costs four pounds. This could be as short as 100 metres if you're stupid enough to travel between Charing Cross and Embankment.

And who's stupid enough to do that when you could buy an Oyster card and save a packet? Why, tourists, of course. And tourists don't vote. So they gouge 'em.

Re:let em release it

[totallyarb]

If the bus isn't full and you otherwise wouldn't have paid, then what's the problem?

Sometimes it's hard to tell if people are posting ironically, but I'm going to go ahead an answer as though you were serious.

The philosophical reason you don't take free rides on buses is that paying your bus fare is a Kantian categorical imperative [wikipedia.org]. The ability to take a free ride on a bus presupposes the existence of a bus service, but were everybody to ride for free, the bus service would cease to run, negating the possibility of a free ride.

Actually, the real reason is a lot simpler: You're getting something of value, so you have an obligation to give something of value in return. Only parasites and slavers fail to abide by this principle. Which would you like to be?

Re:Why yes, they do

[Random BedHead Ed]

We're already doing this with roads in America [uspirg.org] so why not sidewalks? The Magic of the Free Market also worked well in bringing about prosperity in Iraq [globalpolicy.org] (imagine how badly it would have gone if we'd relied on public entities rather than contractors). I don't see how this sidewalk plan could go wrong - just make sure you stock up on quarters before you go for a walk. :)

Re:Only London air visible?

[Langfat]

I have been to London and LA...

...as well as Beijing and Cairo. Gimme a call when you've left the Western world and we'll really talk about air pollution ;)

Re:Are they serious?

[JustKidding]

Personally, I'd publish the details the very same day, just because they tried to screw them with a court case. They could have just asked nicely.

On the other hand, these are not a bunch of semi-anonymous hackers, these are academics who have to think about their own future as well, which may explain this "no hard feelings" attitude.

The good news in this story is that we somehow seem to have at least one sensible judge left.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:let em release it

[Anonymous Coward]

"You're getting something of value, so you have an obligation to give something of value in return"

Yet when you replace 'bus ride' with 'music', 'films', 'software', I think you will find many who say that getting something for free is a-ok and it's the developer/publisher's fault for being in a business in which bits can be copied for zero or near-zero cost by the copier.

See also:
http://tech.slashdot.org/comments.pl?sid=619989&cid=24265233 [slashdot.org]

More seriously...

[cardpuncher]

... these cards are widely used in physical access control systems: determining who is allowed into buildings or parts thereof. As one of the researchers explained today, part of the delay is to allow extra physical security to be deployed at sensitive locations. I don't think anyone has started to calculate the potential cost of all this, though there are probably one or two lawyers ordering yacht catalogues...

Re:cards will be cancelled within a day (maybe!)

[xaxa]

TFL have been saying that whilst the hack does work and is a concern they'll be able to identify cloned or reloaded cards and cancel them, so the most you'd get for your effort is a free travel card for the day.

If they increase the deposit on an Oyster card to £5 that should deter people who just want a free travelcard for a day.

Re:I'm not surprised

[CastrTroy]

Well then why not just go after the people who are cheating the system. Either the card should be hooked up to someone's identity, in which case you can give them a large fine, or in the very least, if you don't know who has the card, you can just store the card ID in some list of disabled cards so busses don't accept it anymore.

Re:let em release it

[blackest_k]

You realise that London is trying to reduce car usage and a possible effect might be to reduce traffic congestion and pollution. Why drive when you can get a free bus?

back in the mid 80's sheffield had a fairly unique bus service with 5p adult fares the result was packed buses going into and out of the city center and free flowing traffic. often you would have to wait 10 minutes for a bus since the first 3 that came were full.

unfortunately Margret thatcher deregulated the buses and privatized them resulting in higher fares more and mostly empty buses and the return of traffic jams to Sheffield streets.

While free rides might be wrong after all its theft of service, for london it could be a very good thing. reducing pollution and congestion.
Incidentally pensioners (65 60 years +) tend to get a free bus pass in most of the uk so already there are some existing free rides.