Oyster Card Hack To Be Released, In Good Time

timothy posted more than 6 years ago | from the crackers-don't-follow-injunctions dept.

Security 246

DangerFace writes "A little while ago some Dutch researchers cracked the Oyster card, meaning they could get free public transport around London. The company that makes the cards, NXP, sought and got an injunction to stop the exploit being published, but that has now been overruled by a Dutch judge. The lovely Dutch blokes are holding off from releasing the hack for the time being, to give NXP time to secure their systems."

You mean... (4, Interesting)

Notquitecajun (1073646) | more than 6 years ago | (#24288045)

The People don't have a right to free public transportation in London? Somethin' oughtta be done!

Why yes, they do (5, Insightful)

Jeppe Salvesen (101622) | more than 6 years ago | (#24288323)

The sidewalks are great for walking on. At no cost!

Re:Why yes, they do (2, Informative)

Anonymous Brave Guy (457657) | more than 6 years ago | (#24288401)

<Obligatory>We don't have sidewalks in London, you insensitive clod!</Obligatory>

We do a good line in pavements, but prolonged exposure to roadside air in London isn't exactly good for your health.

Re:Why yes, they do (3, Funny)

bsDaemon (87307) | more than 6 years ago | (#24288583)

Prolonged exposure to roadside air anywhere isn't exactly a day at the spa... but then, London does have the distinction of being the only city in the world wherein you can see the air you breathe ;-)

Only London air visible? (3, Funny)

N Monkey (313423) | more than 6 years ago | (#24288909)

> ...but then, London does have the distinction of being the only city in the world wherein you can see the air you breathe ;-)

Sorry. You must either be colour blind to shades of brown or have never been to LA :-|

Re:Only London air visible? (3, Funny)

bsDaemon (87307) | more than 6 years ago | (#24289027)

I've never been to LA... but I do like to make references to Charles Dickens.

Re:Only London air visible? (2, Funny)

N Monkey (313423) | more than 6 years ago | (#24289187)

> I've never been to LA... but I do like to make references to Charles Dickens.

So do I, but "that's Dikkens with two Ks, the well-known Dutch author." :)

Re:Why yes, they do (2, Funny)

Jeppe Salvesen (101622) | more than 6 years ago | (#24288893)

Bloody 'ell!! You let tourists walk around all day in unhealthy air?! Greedy, insensitive bastards the lot of you!

Re:Why yes, they do (5, Insightful)

Blue Stone (582566) | more than 6 years ago | (#24288559)

> The sidewalks are great for walking on. At no cost!

Until the ID card surveillance system comes in. Then we pay to walk. To breathe. To exist.

Re:Why yes, they do (-1, Offtopic)

somersault (912633) | more than 6 years ago | (#24289283)

Wow, Gordon Brown has modpoints today! I don't see how that was flamebait in any way..

Re:Why yes, they do (5, Funny)

ObsessiveMathsFreak (773371) | more than 6 years ago | (#24289147)

Sidewalks, or pavements as they are sometimes known, cost money. Billions of people walk to and fro across and over sidewalks every hour of every day. Every six seconds, 5.72 meters of sidewalk are worn down by human traffic and need to be replaced. People seem to think that sidewalks spring forth from the ground. They don't. They cost money.

And who is going to pay this money? Who is going to finance the millions of kilometers of much needed sidewalks? Who is doing it at the moment? Why _you_ are. You, the humble taxpayer, are being forced to hand over your hard earned wages to pay for concrete that will be worn down by other people's shoes! It's ludicrous! Does anyone pay you to tile your kitchen? Do you get free funding, materials and labor when you have to repave your drive? No. Why should sidewalks be any different!?

What we propose, is a better way, and a better future for you and your children. By forming strategic Public Private Partnerships, we can finance the creation and maintenance of sidewalks everywhere by privatizing them. Businesses can finance construction of sidewalks by modestly tolling the people who use them, passing the costs on to those actually wearing down the paths, and not onto you, the innocent taxpayer.

Through the Magic of the Free Market private enterprise will deliver better, cheaper and cleaner sidewalks to the general public with no government participation! Businesses will prosper, providing employment for millions and the savings earned in the government budget can be passed on to you through a cut in the top rate of tax. It's a win/win situation for everyone involved!

Vote yes on Proposition 22. You owe it to your Family.

Re:Why yes, they do (3, Insightful)

Random BedHead Ed (602081) | more than 6 years ago | (#24289371)

We're already doing this with roads in America [uspirg.org] so why not sidewalks? The Magic of the Free Market also worked well in bringing about prosperity in Iraq [globalpolicy.org] (imagine how badly it would have gone if we'd relied on public entities rather than contractors). I don't see how this sidewalk plan could go wrong - just make sure you stock up on quarters before you go for a walk. :)

Re:Why yes, they do (2)

gnick (1211984) | more than 6 years ago | (#24289459)

You made my morning - Thank you.

What frightens me though is how many people are going to read that and jump on board with your modest proposal...

Re:You mean... (0, Redundant)

argStyopa (232550) | more than 6 years ago | (#24288933)

I'd love to hear Red Ken's take on this.

The guy is a socialist right down to the soles of his feet, but here's an event where his city would be losing MASSIVE amounts of money.

Re:You mean... (4, Informative)

iworm (132527) | more than 6 years ago | (#24289117)

...and as the EX-mayor of London, why would he care?

Re:You mean... (1)

Joker1980 (891225) | more than 6 years ago | (#24288995)

The People don't have rights in London!

There, that's a bit more accurate.

Their paper has leaked (1, Informative)

Anonymous Coward | more than 6 years ago | (#24288051)

http://file.sunshinepress.org:54445/milfaire-classic-2008.pdf
http://www.wikileaks.org/leak/milfaire-classic-2008.pdf
http://cryptome.org/mifare-classic.pdf

Re:Their paper has leaked (5, Informative)

quarrel (194077) | more than 6 years ago | (#24288257)

To quote from the paper you linked:

"This paper is not the same as the paper that is subject to a lawsuit by NXP. It is available on the web since several months and will be published officially in the proceedings of the Cardis'08 conference in September. The paper of the lawsuit builds on it."

So while related, it is different for some value of different..

--Q

No it hasn't (1)

Errtu76 (776778) | more than 6 years ago | (#24288263)

Read the first pdf you've posted. It's not the same.

public transportation is for losers. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24288055)

therefore, linux fanbois should be greatly interested!

Re:public transportation is for losers. (1)

pandrijeczko (588093) | more than 6 years ago | (#24289089)

I don't want to play the evangelist here but it could easily be argued that a system based on source code that is open to constant peer review probably wouldn't have been in this long without the hack being discovered much earlier, maybe even before it went in in the first place. Oh, and before the "Linux fanboi" replies start flooding in, please remember that Open Source software runs equally as well in Windows and other OSes also.

let em release it (0)

Anonymous Coward | more than 6 years ago | (#24288057)

I say release the crack, would be nice to travel for free.

Re:let em release it (0, Flamebait)

Notquitecajun (1073646) | more than 6 years ago | (#24288081)

Yep, it's always nice to get a "free" ride off the back of people who actually work and contribute.

Re:let em release it (1)

larry bagina (561269) | more than 6 years ago | (#24288181)

If the bus isn't full and you otherwise wouldn't have paid, then what's the problem?

Re:let em release it (5, Insightful)

Notquitecajun (1073646) | more than 6 years ago | (#24288259)

Wear and tear. Worse gas mileage. The attitude of freeloading, or better yet, stealing, and that it "doesn't matter." Also the matter that this is something that would get WIDESPREAD in a city like London. We wouldn't be talking the occasional computer nerd - hacked cards would make their way into PLENTY of hands, and every hoodie-with-ASBOS-and-ringtones would be getting "free" rides.

Re:let em release it (2)

urcreepyneighbor (1171755) | more than 6 years ago | (#24288327)

> every hoodie-with-ASBOS-and-ringtones would be getting "free" rides.

And who will supply them, hm? Think of the money you could make!

Chavettes [flickr.com] need rides, too, you know....

Re:let em release it (1)

zerocool^ (112121) | more than 6 years ago | (#24289115)

> Wear and tear. Worse gas mileage. The attitude of freeloading, or better yet, stealing, and that it "doesn't matter."

In London, if you choose to drive, you're going to be dealing with congestion charges, too.

See the first 2 or 3 minutes of: http://www.youtube.com/watch?v=q88CQdndNWw [youtube.com]

At £25 (pounds, if the ascii doesn't work), you're talking somewhere in the neighborhood of $50 PER DAY JUST TO DRIVE into Ken Livingstone's traffic jams, BEFORE $6/gal gas and BEFORE wear and tear on your car.

~Wx

Re:let em release it (1)

somersault (912633) | more than 6 years ago | (#24289407)

What does that have to do with freeloaders on a bus that would otherwise have been travelling down the route anyway?

Congestion charges have been in place in London for a few years now. It's a bit cheaper if you get a long term pass or live inside the congestion zone. Thankfully I live at the other end of the UK so it doesn't bother me!

I don't particularly agree with all these crazy taxes posing as 'green' taxes either (even tiny cars with small engines and low emissions are taxed heavily if they have 4 wheel drive), but I don't think it has anything to do with what they were talking about!

Re:let em release it (0)

Anonymous Coward | more than 6 years ago | (#24289421)

Widespread defeating of the payment system leads to either major police crackdowns (kinda bad) or abolishing the payment system altogether in favor of doing it in taxes (good).

Re:let em release it (0)

Anonymous Coward | more than 6 years ago | (#24288815)

> If the bus isn't full...

It often is.

> and you otherwise wouldn't have paid,...

You probably would have.

Re:let em release it (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24289185)

Why go by public transport at all? If my car isn't in use, and you wouldn't otherwise buy one, why not borrow it? I won't mind cleaning it, repairing it and filling it up with gas. Settle into my house when you get back, I'm not using it right now, I'm too busy at work, earning money to pay my way in life.

Re:let em release it (5, Insightful)

totallyarb (889799) | more than 6 years ago | (#24289261)

> If the bus isn't full and you otherwise wouldn't have paid, then what's the problem?

Sometimes it's hard to tell if people are posting ironically, but I'm going to go ahead and answer as though you were serious.

The philosophical reason you don't take free rides on buses is that paying your bus fare is a Kantian categorical imperative [wikipedia.org]. The ability to take a free ride on a bus presupposes the existence of a bus service, but were everybody to ride for free, the bus service would cease to run, negating the possibility of a free ride.

Actually, the real reason is a lot simpler: You're getting something of value, so you have an obligation to give something of value in return. Only parasites and slavers fail to abide by this principle. Which would you like to be?

Re:let em release it (5, Insightful)

PJ The Womble (963477) | more than 6 years ago | (#24288449)

The cost of using public transport in London borders on the ridiculous. It's around US$2 to go 200 yards on a bus with an Oyster card. If you haven't got a card, it's over US$4.

They've cut all the bus routes into a quarter of the length they used to be - meaning that you have to take 4 times as many buses to complete your journey, at 4 times the price and a much longer journey time.

London's bus companies have been privatised. Does this mean that any efficiency savings are passed on to the passenger? I won't bother to answer that one... just have a surf around and see how much subsidy they're getting.

You'd think, then, that local taxes in London would be real cheap. Oh dear me no, that would be a wrong assumption. One pays local tax (Council Tax) to the borough in which one lives, and then a further tax to the Mayor of London's Office. The *average* charge across outer London for this year is nearly US$3000 per annum.

In London, there is no such thing as a free ride.

Re:let em release it (1)

oyenstikker (536040) | more than 6 years ago | (#24288713)

What kind of living arrangements gets you a tax rate of about 3000 USD/yr in London?

In upstate NY, that would be about the rate for a modest 1400 sqft home on .1 acre.

Re:let em release it (1)

thePowerOfGrayskull (905905) | more than 6 years ago | (#24288861)

And in NJ, that would be about the annual rate for a cardboard box on an average suburban streetcorner.

Re:let em release it (0)

Anonymous Coward | more than 6 years ago | (#24289207)

And in Cali you would just default on your payments and walk away because you didn't have the proper income ratio to begin with...

Re:let em release it (1)

Silver Sloth (770927) | more than 6 years ago | (#24289333)

Cardboard box - we used to dream of a cardboard box. When I were a lad....

and no, it's not Monty Python - it's At Last The 1948 Show.

Re:let em release it (1, Interesting)

Joker1980 (891225) | more than 6 years ago | (#24288751)

Amen brother, not to mention that it's extortion plain and simple. You pay double for using cash (perfectly legal tender) as you've said but of course this has nothing to do with RFID's tracking abilities (future abilities). Isn't it great to live in the UK. RFID, CCTV on every street, secret courts, secret laws, Un-elected leaders and let's not forget the extremely insidious attempt at restricting movement (both public transport and driving a car are insanely expensive).

Re:let em release it (1)

mdwh2 (535323) | more than 6 years ago | (#24288769)

> The cost of using public transport in London borders on the ridiculous. It's around US$2 to go 200 yards on a bus with an Oyster card. If you haven't got a card, it's over US$4.

To add to that, the minimum tube price (even for a single stop) is £1.50 with an Oyster card, and £4 without (so about $3 and $8).

They keep increasing the price of the non-Oyster fare, so they can advertise the Oyster card as getting cheaper!

Re:let em release it (4, Insightful)

Bertie (87778) | more than 6 years ago | (#24288849)

And then there's the Tube. A single journey within Zone 1 costs four pounds. This could be as short as 100 metres if you're stupid enough to travel between Charing Cross and Embankment.

And who's stupid enough to do that when you could buy an Oyster card and save a packet? Why, tourists, of course. And tourists don't vote. So they gouge 'em.

Re:let em release it (1)

locofungus (179280) | more than 6 years ago | (#24288991)

IIRC, using oyster it's 90p for a single bus journey. But your bus travel is capped at 3GBP (about $6)

Likewise, tube travel. In central London it's 1.50GBP per journey but the cap (for zones 1 and 2) is 4.80GBP. Also the bus travel counts towards this. So, if you're staying outside central London as a tourist then get a bus into the centre, travel about the centre by bus and tube and then just get a bus back to your hotel and your travel will be capped at a maximum of 4.80GBP (so long as you always touch in and out on the tube)

You can also buy a travelcard. This will be 50p more than the capped oyster fare but there's no risk of forgetting to touch in or out.

I typically use foot and bicycle in central London (because it's quicker) but provided you don't pay cash fares and use oyster or a travel card, I think the pricing for public transport is actually pretty good. Due to the fixed per journey price there are some extortionate per mile charges:
http://maps.google.co.uk/maps?f=d&hl=en&geocode=11804929658401494669,51.511495,-0.128425&saddr=A400%2FCharing+Cross+Rd+%4051.511495,+-0.128425&daddr=51.512776,-0.124133&mra=dme&mrcr=0&mrsp=1&sz=16&doflg=ptm&sll=51.51065,-0.127115&sspn=0.005863,0.012724&ie=UTF8&z=16 [google.co.uk]
would be about 12GBP/mile cash fare if you took the tube rather than walked it and about 4.50GBP/mile using Oyster but you quickly reach the cap.

Tim.

Re:let em release it (1)

CastrTroy (595695) | more than 6 years ago | (#24289385)

I think the same could be done for any municipal bus service. If you go a very short distance, you'll end up paying a lot per mile. In Ottawa, the closest stops I could think of quickly are about .1 miles apart. If you pay cash fare, it's $3. That works out to $30 per mile. However on the same $3, you can travel 25 miles. Which works out to 12 cents per mile.

Re:let em release it (4, Informative)

defnoz (1128875) | more than 6 years ago | (#24289307)

You've obviously never been anywhere else in the UK. London's bus fares are very cheap, and saying the routes are 1/4 the length is just FUD - even if you do have to get 4 buses, it won't cost 4x as much, since a daily fare is capped at £3 (i.e. once you've made 3 journeys you don't pay any more that day). If I want the same here in Oxford it would cost me well over £10 ($20). ...oh, and why exactly would you *expect* having a complicated mess of privatised companies to be any cheaper than one company which is accountable to the public, not its shareholders?

Re:let em release it (2, Informative)

BovineSpirit (247170) | more than 6 years ago | (#24289463)

Horseshit.

If you get on a bus and travel 200 yards with an Oyster Card it does cost 90p (about US$90). However you don't because for most people it's quicker to walk. For longer distance bus trips it costs... 90p. If you travel enough in one day on a Pay As You Go Oyster it maxes out at the cost of the cheapest travelcard for the journeys you have made. Thus you get the cheapest possible tickets without thinking about it. Compare this approach to that of mobile phone companies... The price is competitive with most other cities in the UK. Thus if you made lots of 200 yard journeys every day it wouldn't cost anywhere near 90p a ride.

I've certainly not noticed the distance of bus routes getting any shorter. Generally long distance journeys (>1.5 miles) are made by Tube, DLR or Train. The Mayor of London tax is included as part of the Council Tax. House prices around outer London are very high, as some of the areas are really nice compared with some of the grottier inner city areas, thus their Council Tax is higher. Public transport in London is far better than it is in most UK cities. To find better you need to go to a city that has had predominantly Labour councils for the last few decades. A lot of the recent improvements in London are funded by the Congestion Charge.

For a free ride, get a bike...

Hrm... (0)

Anonymous Coward | more than 6 years ago | (#24288077)

No such thing as a free lunch? ... oh wait ...

NXP said no pearls for the swines (4, Funny)

YeeHaW_Jelte (451855) | more than 6 years ago | (#24288079)

but the Universities advocates cracked their shell and the judge clam-ped down on them ...

sorry ...

Re:NXP said no pearls for the swines (4, Funny)

smussman (1160103) | more than 6 years ago | (#24288193)

No problem.

But next time, remember that taking all the jokes is shellfish.

Re:NXP said no pearls for the swines (4, Funny)

oodaloop (1229816) | more than 6 years ago | (#24288315)

He didn't use all the jokes. If he did, I'd have to mussel him around.

Re:NXP said no pearls for the swines (1)

L4t3r4lu5 (1216702) | more than 6 years ago | (#24288609)

Stop being such piddocks.

Re:NXP said no pearls for the swines (1)

nganju (821034) | more than 6 years ago | (#24288965)

Don't be so crabby. Some company is shelling out clams for you to write code (probably in Perl), not snap at someone on Slashdot.

Re:NXP said no pearls for the swines (1)

Pig Hogger (10379) | more than 6 years ago | (#24289315)

This sounds to me like a rather limpet argument.

Re:NXP said no pearls for the swines (2, Funny)

clone53421 (1310749) | more than 6 years ago | (#24288479)

Q: What does an oyster do when it's hacked?
A: It gives you the shell.

Q: How did they hack the oyster card?
A: They found its chilly seal.

Hmm... now to get the obligatory ones out of the way...

In Soviet Russia, the government takes all the jokes.

Wow! Imagine a beowulf cluster of hacked oyster cards...

All I want to know is, are there sharks? with frikkin' laser beams? Cause that would be so cool...

Ok, so they've hacked the Oyster system... but will it run Linux?

It's simple really... it's like a rental car with voice recognition, and you can fool it with a tape recording of the mechanic...

Hacking oyster cards? Yeah, there's an EMACS command for that...

There, I've hogged most of the jokes I think... hurry, somebody else get the ones I missed so nobody else can have them...

Re:NXP said no pearls for the swines (0)

Hognoxious (631665) | more than 6 years ago | (#24288571)

In Korea, only old people ride the tube.

Re:NXP said no pearls for the swines (1)

Saint Gerbil (1155665) | more than 6 years ago | (#24288895)

if you spend 6 months in London you feel old, regardless of your age.

Re:NXP said no pearls for the swines (0)

Anonymous Coward | more than 6 years ago | (#24288677)

I, for one, welcome our new joke stealing overlords.

Re:NXP said no pearls for the swines (0, Offtopic)

thePowerOfGrayskull (905905) | more than 6 years ago | (#24288899)

Could you print that out and put it on a wooden table? Aw, crap! Wrong meme! Wrong site! Epic fail!

Re:NXP said no pearls for the swines (4, Interesting)

hkz (1266066) | more than 6 years ago | (#24288665)

I believe this would be the same university that previously forbade the researchers from talking to the press.

Anyhow, the lifting of this publication ban is an excellent thing. The Dutch government has spent a lot of money in this foolhardy public transport chip card system, and is not willing to admit that it's an expensive, deeply flawed trainwreck.

After the Nijmegen investigators came out with their findings, a contra-expertise report commissioned by the government and performed by Royal Holloway University in London, was selectively edited to remove its harsh conclusions before being sent to parliament. Then, the university cracked down on the freedom of the researchers to speak to the press.

I, as a Dutch citizen, am happy that this issue is getting some serious sunshine.

Not just Oyster (5, Informative)

jnik (1733) | more than 6 years ago | (#24288109)

According to Wikipedia [wikipedia.org], the same tech is used by Atlanta, DC Metro, the L, and the T.

Re:Not just Oyster (1)

Notquitecajun (1073646) | more than 6 years ago | (#24288147)

Just cause you can get a hack for MARTA (the Atlanta system) doesn't make it easier to get around. VERY non-user friendly for first-time or non-often users. Instructions/directions are non-intuitive.

Re:Not just Oyster (1)

Captain Splendid (673276) | more than 6 years ago | (#24288365)

Ah, the old "security through obscurity" trick, then?

Re:Not just Oyster (1)

zappepcs (820751) | more than 6 years ago | (#24289205)

It's done that way on purpose. If you don't know how to get where you are going, you probably shouldn't be going there in the first place. I believe that MARTA made sense *BEFORE* the Olympics, then much of the city changed. I watched some of the pre-games construction. 10lbs of shit and only a 4lb bag. I think the MARTA looks much like it was designed for a city that the city planners had a map of rather than the actual city. Nobody knows which city they had a map of. Perhaps it was Atlanta: from 1936?

Re:Not just Oyster (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24288283)

> According to Wikipedia, the same tech is used by Atlanta, DC Metro, the L, and the T.

similar != same

Re:Not just Oyster (3, Interesting)

JaredOfEuropa (526365) | more than 6 years ago | (#24288473)

Not just that, very similar technology is used for the Dutch national public transport card that is under development (and currently piloted in Rotterdam). In a case of weird reciprocity, the Royal Holloway University of London wrote a report on the Dutch card system, initially recommending immediate replacement but later changing that to "recommend further investigation".

Re:Not just Oyster (1)

yincrash (854885) | more than 6 years ago | (#24288507)

This just means they all use Automated Fare Collection systems. It doesn't mean they all use the same company with the same vulnerabilities.

Re:Not just Oyster (0)

Anonymous Coward | more than 6 years ago | (#24288647)

They recently made some arrests in DC and the method to trick the system was very low level.

Key line (5, Insightful)

Dolohov (114209) | more than 6 years ago | (#24288143)

While I have mixed feelings about the publishing of exploits, this line hits the nail on the head:

In its ruling, the court said: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

This is an important lesson to companies like Diebold.

Re:Key line (5, Insightful)

Steauengeglase (512315) | more than 6 years ago | (#24288233)

I could be wrong, but I don't think the Diebold fiasco was ever officially denounced and called a bad thing. It got certain people in office and kept others in. I think the powers that be would consider that a rousing success.

Re:Key line (3, Insightful)

garcia (6573) | more than 6 years ago | (#24288659)

No, I think that the poster was hoping that the commonsense ruling and notation made by the Dutch court would somehow transcend political and oceanic boundaries to the United States. But, unfortunately, it probably never would and if it did, the judge making the ruling would be condemned as a traitor and heretic.

The crack is written in Perl (2, Funny)

ActusReus (1162583) | more than 6 years ago | (#24288149)

Yuk-yuk, I'm here all week... try the veal!

Re:The crack is written in Perl (0)

Anonymous Coward | more than 6 years ago | (#24288415)

I've seen dead calves that are livelier than your act.

Re:The crack is written in Perl (1)

Muad'Dave (255648) | more than 6 years ago | (#24289295)

Hence the suggestion to try the veal. 8-)

Anarchy! (1)

Evildonald (983517) | more than 6 years ago | (#24288153)

Once the London Underground is extended to Holland there will be anarchy!!1!

Are they serious? (5, Insightful)

Anonymous Coward | more than 6 years ago | (#24288215)

So let me get this straight.

1. Researchers discover hole in Oystercard implementation.
2. Oystercard operator ignores warnings from researchers.
3. Oystercard operator takes researchers to court instead of working to fix identified vulnerabilities.
4. Injunction granted.
5. Injunction overturned.
6. Researchers continue to give Oystercard operator time to fix their system, in addition to the time they had prior to the court action.

Were I in their situation I would have publicly released information on the hack the moment the injunction was overturned. If vendors of ANY type of system want to fuck with people who show every intention of trying to HELP them, they deserve everything they get.

Re:Are they serious? (0)

Anonymous Coward | more than 6 years ago | (#24288791)

Yes

You see, they started checking out the project from source control when they announced the vulnerability, but it's still not finished. Darn Clearcase!

Re:Are they serious? (2, Interesting)

IamTheRealMike (537420) | more than 6 years ago | (#24289271)

Probably, fixing the vulnerability would take years and involve a full recall of the cards. That's why NXP wanted to suppress the information. This isn't like some program where it's one auto-update away from being secure again. Now these researchers are going to release the information, chances are good that London will be flooded with cracked cards used by freeloaders. And it will take years to clear up no matter what NXP do. Not sure that's worth the release of an academic paper, to be quite honest. Unless the purpose of all this is to punish people who make mistakes?

I'm not surprised (1)

Errtu76 (776778) | more than 6 years ago | (#24288217)

I'm not surprised we Dutch are trying (and apparently succeeding) to hack public transportation systems facilities if you look at the current pricing of our own system. Provides for a good motivation. But the most recent exploit was also the main reason why the introduction of the so-called chipcard is delayed again. Which in turn leads to more development, therefore more costs and thus the prices increase ;)

Re:I'm not surprised (4, Interesting)

D-Cypell (446534) | more than 6 years ago | (#24288461)

> I'm not surprised we Dutch are trying (and apparently succeeding) to hack public transportation systems facilities if you look at the current pricing of our own system.

I am assuming that you are implying that the Dutch transport system is expensive. Clearly you have never been to the UK. I live an hour away from London by train, if I were to shop around a little and pick the budget airline flights I could fly to Schiphol from Gatwick/Heathrow, get the train to Amsterdam Central and a tram to my hotel for a cheaper price than my train journey from my house to the airport!! It really is *that* bad.

I have been to Amsterdam many times (not *just* for the usual tourist reasons, my grandmother was born there, so I visit family), and I can say without a shadow of a doubt that transport around Amsterdam is many times more efficient and cheaper than transport around London, and I would much rather deal with the bizarre conversations with strangers that have 'had a little schmoke' on late night Amsterdam trams than the strangers that are looking to mug me on the London underground.

Both of our countries are culturally rich, with a fascinating history, but yours seems far superior when it comes to the management of public services.

Re:I'm not surprised (0, Flamebait)

Hognoxious (631665) | more than 6 years ago | (#24288645)

To the Cheeseheads [unternehmen.com] anything that's not free is expensive.

Re:I'm not surprised (2)

Da Fokka (94074) | more than 6 years ago | (#24288685)

I have to second this. I'm Dutch and many people are claiming that the Dutch public transit system is expensive and inefficient. I've been to a lot of countries and I took a lot of trains and buses but our public transit compares favourably to almost any of them. Trains visit most parts of the country with metro-like frequency.

It really is a shame that the Dutch national public transit card suffers from similar problems since it has been compromised too. But a chip card system offers a lot of options. Flexible pricing can incentivize off-hour travel. Chip systems will yield more comprehensive information on travel routes and habits and chip cards - if implemented properly - can be much easier to use.

Re:I'm not surprised (5, Funny)

Joker1980 (891225) | more than 6 years ago | (#24289083)

That reminds me of an old 'Mock the Week' on BBC when Andy Parsons did his train to Glasgow gag.

"It costs £98.18 to get the train from London to Glasgow, who the hell is going to do that when you can fly to Barcelona for £40, then fly whoever you wanted to visit in Glasgow to Barcelona for £40 and then spend the first £18.19 on sangria".

Re:I'm not surprised (1)

Oktober Sunset (838224) | more than 6 years ago | (#24289417)

I call bullshit on this, either you live in Scotland, in which case your trip to London will be longer than your trip from London to Amsterdam, or you are comparing bought on the day open tickets to pre-booked cheap tickets, which is just bullshit. Your Amsterdam train ride is 7 miles, which if you went the same distance in London is like a zone 2 tube trip for £3.50.

As for your flight, the cheapest flight will be with a UK airline, and KLM is £122, whereas BMI can get you there for £53, though they can get you between UK cities for £38, and the cheapest is easyJet for £26, which is also a UK company, so you're relying on the UK transport industry for your cheap transport, not the Dutch. Even coming from Glasgow (which is a longer train ride than your flight), your ticket is £31 in advance, so if you fly for £26, your Dutch rail journey and tram journey will have to be only £5 to reach your claim, which would compare well to the underground which would take you the same distance for only £3.50 or £2 off peak. So actually, you completely failed to prove your point. I checked the Dutch train, and it cost £3, so even if your tram journey is 50p, you only draw with the UK transport system.

Incidentally, there is no way to compare the price of a train ride from London to Glasgow, as the distance is almost twice as long as the entire Netherlands at its widest point. Considering that the Netherlands is only 16,033 sq miles, with no hills, whereas the UK is 94,526 sq miles, with a mountain range dividing the country in two, and Amsterdam has only 1.4 million urban population and 6.5 million metropolitan and its urban district is about 14 miles across, whereas London has 8 million urban and 18 million metropolitan, and its urban district is about 30 miles across, it is not surprising that it seems very easy to get around as the distances you are travelling are so small compared to the UK.

Re:I'm not surprised (0, Flamebait)

Pig Hogger (10379) | more than 6 years ago | (#24289439)

Both of our countries are culturally rich, with a fascinating history, but yours seems far superior when it comes to the management of public services.

The thing is, the britshit have been totally subverted by the bourgeois, and those only want everyone to use their own motorcars, so they can enslave the people into being utterly dependent on the bourgeois selling petrol and tyres so the people can get along, as well as putting up with anorak bosses so they can make their car payments.

Those very same bourgeois do not want any State involvement in anything at all, so public transportation is being inefficiently doled-out to private operators that will give less bang for the pound as they have to divert operating/maintenance funds to their bottom-line (inexistent in publicly-operated systems), and it is thus priced in a very anticompetitive manner so people will want to get their own motorcars.

Re:I'm not surprised (0)

Anonymous Coward | more than 6 years ago | (#24288493)

Higher costs? In volume those chips cost 30 cents. I know. My company buys them for different purposes than transportation. It's a big public transit gouging. It costs a buck to produce that card. And please don't tell me the readers are expensive. They can be had anywhere for nothing.

Re:I'm not surprised (1)

CastrTroy (595695) | more than 6 years ago | (#24289183)

I think the only way to truly hack the system is to have a system more like debit cards. The card is actually connected to the identity of the person. All information goes back to a central system to verify the card has sufficient funds. Even if the bus just stored the info for later retrieval when they returned to the terminal, I think that would be a big step towards getting rid of any hacks. Any system where the value on the account is located on the card, is bound to be hacked.

Free (4, Funny)

quarrel (194077) | more than 6 years ago | (#24288219)

Information wants to be free.

Luckily, so does public transport.

--Q

Transportation wants to be free! (3, Funny)

frenchgates (531731) | more than 6 years ago | (#24288225)

The London public transit system sees payment for services as damage and routes around it. Or something like that.

Re:Transportation wants to be free! (1)

Anonymous Brave Guy (457657) | more than 6 years ago | (#24288503)

If the London public transport system can route around planned maintenance, you're doing pretty well. Unexpected damage is pretty much always a show-stopper. :-(

Pwnie award (0)

Anonymous Coward | more than 6 years ago | (#24288273)

This was not a hack of the Oyster system. It was a single instance of a card being manipulated.

http://pwnie-awards.org/2008/awards.html#lamestvendor

This is a perfect example... (4, Insightful)

txoof (553270) | more than 6 years ago | (#24288301)

This is a perfect example of how hacking can benefit the greater good. While it would be great to ride Dutch trains for free, it's obviously not sustainable and therefore I don't mind paying for services I receive. It is rather frustrating however to see companies attack the hackers that have found this weakness. Fixing the weakness will obviously cost money and time, but that is far superior to months of unscrupulous individuals taking free train rides all over the country. The students could have easily distributed this to their friends and community members quietly and cost the rail system thousands (perhaps hundreds of thousands) in free trips before it was discovered.

The rail company may have been duly diligent in their security assessment of the system, but obviously missed this problem. In this case, the students have provided a very valuable service for FREE. This can potentially improve the overall quality of the rail system. Obviously the rail company needs to spend capital to repair the flaw in the system, but that is superior to discovering and repairing the flaw after thousands of free trips have already been lost. In this case, the money lost in free trips can be reinvested into the service to improve it, rather than just flushed down the drain.

If companies can change their opinion of hackers that voluntarily point out security flaws to be more positive and less adversarial, everyone can potentially benefit.

Re:This is a perfect example... (2, Informative)

shabble (90296) | more than 6 years ago | (#24288569)

While it would be great to ride Dutch trains for free...

You do realise that the Dutch only cracked the Oyster card, and that the card itself is used in London.

Which isn't in Holland.

Re:This is a perfect example... (1)

txoof (553270) | more than 6 years ago | (#24289067)

Whoops! I guess I didn't RTFA carefully enough. Thanks for pointing that out.

It's a pity (2, Funny)

Chrisq (894406) | more than 6 years ago | (#24288341)

It's a pity that Cherie Blair didn't know [independent.co.uk] this one.

Anyone here involved in Oyster? (5, Interesting)

BovineSpirit (247170) | more than 6 years ago | (#24288397)

Does anyone know if the accidental wiping [bbc.co.uk] of 1000's of Oyster Cards a couple of weeks ago was linked to this? Just curious...

Up for Pwnie award : Lamest vendor response (1)

Mathinker (909784) | more than 6 years ago | (#24288483)

An AC posted it above, but he was lame enough to quote the vendor's response without commentary!

      http://pwnie-awards.org/2008/awards.html#lamestvendor [pwnie-awards.org]

The response from Transport of London to the news of successful cloning of Oyster cards includes this priceless comment:

This was not a hack of the Oyster system. It was a single instance of a card being manipulated.

Link to the paper. (0)

Anonymous Coward | more than 6 years ago | (#24288641)

http://cryptome.org/mifare-classic.pdf

TranSys on Caltrain? (2, Informative)

lscotte (450259) | more than 6 years ago | (#24288705)

I've noticed that TranSys terminals have appeared along Caltrain here in the San Francisco Bay Area in the past couple of weeks. I wonder if this means Caltrain is moving to the system - and also if they are using a version with the same flaws?

let me see if I've got this right... (5, Funny)

clone53421 (1310749) | more than 6 years ago | (#24288799)

a haxor with skillz über-1337
wanted to ride london's fleet
but rather than paying
he found himself saying
"h4ck1n9 0y573r w0u1d b3 50 v3ry n347!"

Oh london underground (3, Funny)

A beautiful mind (821714) | more than 6 years ago | (#24288945)

It seems really apt to include a link to this [backingblair.co.uk] . I waited for a long time to be able to link this on /.

Poor guys.. (3, Funny)

4D6963 (933028) | more than 6 years ago | (#24288981)

So Dutch researchers cracked the public transportation pass for London? Boy they're gonna be pretty down when they'll realise they need to travel all the way to London just to get free public transportation.

Fortunately being Dutch they'll surely find a place to forget about all of this within a walking distance.

Wake-up call. (2, Interesting)

Pig Hogger (10379) | more than 6 years ago | (#24289235)

This is a wake-up call.
The issue is public transit financing; hardasses who want the public to pay more than their fair share (public transit benefits ***EVERYONE***, including motorists, and most importantly motorists who see decreased congestion; as well as employers who can have their workforce brought on site cheaply, so they don't have to pay exorbitant salaries so the workforce has to be able to afford a car - look no further to see the reasons why jobs are going to China) will only drive fares up, and thus the incentives to cheat (where I live, I cheat all the time; illegally, of course, but in a way that's effectively very hard to catch - it would take a cop to tail me all the time).
With reasonable fares, the incentive to cheat is simply not there.
(But transit can't be free; you need a fare to ensure systems don't load up with homeless winos).

It's like music: with $20 CDs, everyone downloads. Not so when they cost $2.
