Slashdot Mirror


CCC Mods Rent-a-Bike To Allow Free Rides

Autoversicherung writes "Germany has a phone-activated bike rental system across all major cities. With it quite pricey at 6 cents a minute, Germany's famous Chaos Computer Club thought a free ride every now and then couldn't hurt. They optimized the original system in the process, modifying the blink code to be more easily found and changing the logo. About 10% of Berlin's bikes are patched already. A detailed description of how they did it, and how the system works."

6 of 384 comments

  1. Partial translation from German by RickyRay · · Score: 0, Offtopic

    Hacking biometric systems

    Overcoming capacitive sensors

    After a report of penetrability of different biometric systems came in the middle of 2002 (http://www.heise.de/ct/02/11/114/) from various sources, the complaint was that it would have worked only in lab tests. Above all, the companies of the tested systems planned that such successes would not be feasible in real life.

    These statements became the focus of further experimentation to be able to accomplish such "attacks" in public locations, unnoticed. Successes are represented here, through the example of a successful "attack" on a paid system of the Officecom Shops in Open Castle.

    The deployment of the fingerprint system ("digiPROOF") was started at the beginning of 2003. The company "it-werke" additionally equipped the Officecom Shop (http://www.officecom-shop.de/index1.php) with a capacitive sensor. Everyone who has an account records their fingerprint characteristics. In addition, one fills out a form connected to their bank account, later proving their identity on the basis of fingerprint identification.

    If one wants to purchase any item, the buyer indicates his/her name and places a finger on the sensor. The purchase amount is then deducted automatically from the account.

    Scenarios of "identity theft"

    With the use of biometric systems for the authentication of a payment procedure, two scenarios of "identity theft" are conceivable. In the first case an unauthorized person steals the data of a regular user to buy at their expense. In the other possibility they steal data from entitled users and pass it on to other persons.

    Scenario 1: For execution one needs both the name of a regular user and a copy of the fingerprint used for verification. One obtains the name and the fingerprint by spying on payments.

    (.....not done yet....)

  2. Re:No more bikes out there by quigonn · · Score: 0, Offtopic

    P.S.: I submitted this story on Saturday.

    Show-off. ;-) So, was your submission accepted or rejected?

    --
    A monkey is doing the real work for me.
  3. Re:No more bikes out there by tmk · · Score: 0, Offtopic

    What does it look like?

  4. Re:No more bikes out there by quigonn · · Score: 0, Offtopic

    Well, I don't know. It has happened to me quite a few times that my story was rejected, and a few days later someone else submitted the same thing, and that was accepted. And since tmk != Autoversicherung... but never mind.

    --
    A monkey is doing the real work for me.
  5. On using AVR Studio / STK500 by anubi · · Score: 0, Offtopic
    ( Warning! Pissed off developer! )

    I have been developing some test applications on the AVR 2313 and MEGA16 using the STK500 development kit. I have their Studio 3.56 and latest Studio 4.whatever software. It turns out the 3.56 was the only one of the softwares I could get to work in my machine. Even then I had to go find weird versions of some Microsoft DLL's of the same name as the one I had by random download off the net before I found one that would work with their code. ( and then using that one broke yet more existing apps. But I keep both versions and give the version I need at the moment the proper name. Yeh, I have to drop to DOS, change the names of the MFC42.dll files around, then reboot Windows to change apps, but I consider such as part of the joys of running a Microsoft box.)

    Their Studio 4.whatever stuff insists that IE be present on the machine. And apparently connected to the web as well.

    Trouble is, where I work, I have my machine completely under my control as a development engineer with the strict understanding that I will NOT connect to the net!!! The system administrator flat does not want responsibility for all the problems I can cause by running unknown softwares. I do not blame him. I am quite aware of how much problems I can cause with an experimental machine on the net, especially on our side of the firewall. My ass is on the line here, fellas. If I violate his trust, do you have any idea of how much hell I will catch? Decisions on which products to use may have completely different outcomes depending on who is responsible for the problems.

    When I was having my problems using their tools, I contacted ATMEL advising them of my problems and could they consider developing their software on anything OTHER than the very LATEST Microsoft stuff... as anything developed on the latest Microsoft tools likely won't run on anything other than the latest Microsoft OS.

    They returned me a nice email thanking me for my input but also reassuring me that such a change would be unlikely.

    Geez. Here I am, a soldier in the field, trying to win sockets for them, and I am telling the commanding generals that the bullets they are giving me don't fit the gun ... and I get letters of condolence. I know this kind of thinking is gonna cost them sockets. But how do we little guys get across to the big-time executive decision-makers when they insulate themselves from realities of the field with an insulative layer of hired "tech support" people?

    I never had that much trouble with MPLAB (Microchip PIC software).

    I really like the hardware, as I think ATMEL has a winner with the level of system integration they got on a chip... and the guys who did the documentation are super. But how can you get the guys to consider that there are those of us out there which may be under the gun because of security issues with Microsoft products that we can not connect to the net with experimental systems?

    I have yet to be able to program the "fuses" ( including lock bits ) with my STK500 using the software I have. Yeh, I will go ahead and develop my application using this software, but I would be quite leery of releasing anything which the company's future depended on keeping it secure using this software. I get the idea "Call-A-Bike" had the same problems, and just decided - like me - to go on despite not being able to program the fuse bits which select things like security levels. The MEGA-16 project is on indefinite hold because it defaults to an onboard RC oscillator, and I need to switch it to external crystal, as I have some DSP work for it.. but all their tech support can tell me is I gotta load IE and their latest software, and hope it works. Geez, I can't even LOAD their Studio4.something software without IE! So, if the chip is not shipped with the default fuses blown in the correct state, I can't use it. I simply can not afford the time to keep trying to find out why my tools no longer work after bei

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  6. Re:bah! by alc6379 · · Score: 0, Offtopic

    Does anyone else not find the In Korea... bit funny anymore? I mean, why aren't we spending our time imagining Beowulf clusters of these things? I for one, am keeping myself busy welcoming our new h4>0r3d bike overlords.

    --
    I don't moderate anymore. Karma penalty for 90% fair mods? Can I mod that unfair?