Oyster Card Hack To Be Released, In Good Time
DangerFace writes "A little while ago some Dutch researchers cracked the Oyster card, meaning they could get free public transport around London. The company that makes the cards, NXP, sought and got an injunction to stop the exploit being published, but that has now been overruled by a Dutch judge. The lovely Dutch blokes are holding off from releasing the hack for the time being, to give NXP time to secure their systems."
The People don't have a right to free public transportation in London? Somethin' oughtta be done!
but the Universities advocates cracked their shell and the judge clam-ped down on them ...
sorry ...
---
"The chances of a demonic possession spreading are remote -- relax."
According to Wikipedia, the same tech is used by Atlanta, DC Metro, the L, and the T.
While I have mixed feelings about the publishing of exploits, this line hits the nail on the head:
This is an important lesson to companies like Diebold.
Yuk-yuk, I'm here all week... try the veal!
So let me get this straight.
1. Researchers discover hole in Oystercard implementation.
2. Oystercard operator ignores warnings from researchers.
3. Oystercard operator takes researchers to court instead of working to fix identified vulnerabilities.
4. Injunction granted.
5. Injunction overturned.
6. Researchers continue to give Oystercard operator time to fix their system, in addition to the time they had prior to the court action.
Were I in their situation I would have publicly released information on the hack the moment the injunction was overturned. If vendors of ANY type of system want to fuck with people who show every intention of trying to HELP them, they deserve everything they get.
Information wants to be free.
Luckily, so does public transport.
--Q
The London public transit system sees payment for services as damage and routes around it. Or something like that.
Syntax error: loose != lose, affect != effect, then!=than
To quote from the paper you linked:
"
This paper is not the same as the paper that is subject to a lawsuit by NXP. It is available on the web since several months and will be published officially in the proceedings of the Cardis'08 conference in September. The paper of the lawsuit builds on it.
"
So while related, it is different for some value of different..
--Q
Wear and tear. Worse gas mileage. The attitude of freeloading, or better yet, stealing, and that it "doesn't matter." Also the matter that this is something that would get WIDESPREAD in a city like London. We wouldn't be talking the occasional computer nerd - hacked cards would make their way into PLENTY of hands, and every hoodie-with-ASBOS-and-ringtones would be getting "free" rides.
This is a perfect example of how hacking can benefit the greater good. While it would be great to ride Dutch trains for free, it's obviously not sustainable and therefore I don't mind paying for services I receive. It is rather frustrating however to see companies attack the hackers that have found this weakness. Fixing the weakness will obviously cost money and time, but that is far superior to months of unscrupulous individuals taking free train rides all over the country. The students could have easily distributed this to their friends and community members quietly and cost the rail system thousands (perhaps hundreds of thousands) in free trips before it was discovered.
The rail company may have been duly diligent in their security assessment of the system, but obviously missed this problem. In this case, the students have provided a very valuable service for FREE. This can potentially improve the overall quality of the rail system. Obviously the rail company needs to spend capital to repair the flaw in the system, but that is superior to discovering and repairing the flaw after thousands of free trips have already been lost. In this case, the money lost in free trips can be reinvested into the service to improve it, rather than just flushed down the drain.
If companies can change their opinion of hackers that voluntarily point out security flaws to be more positive and less adversarial, everyone can potentially benefit.
This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
The sidewalks are great for walking on. At no cost!
Stop the brainwash
every hoodie-with-ASBOS-and-ringtones would be getting "free" rides.
And who will supply them, hm? Think of the money you could make!
Chavettes need rides, too, you know....
"The fight for freedom has only just begun." - Geert Wilders
It's a pity that Cherie Blair didn't know this one.
Does anyone know if the accidental wiping of 1000's of Oyster Cards a couple of weeks ago was linked to this? Just curious...
The cost of using public transport in London borders on the ridiculous. It's around US$2 to go 200 yards on a bus with an Oyster card. If you haven't got a card, it's over US$4.
They've cut all the bus routes into a quarter of the length they used to be - meaning that you have to take 4 times as many buses to complete your journey, at 4 times the price and a much longer journey time.
London's bus companies have been privatised. Does this mean that any efficiency savings are passed on to the passenger? I won't bother to answer that one... just have a surf around and see how much subsidy they're getting.
You'd think, then, that local taxes in London would be real cheap. Oh dear me no, that would be a wrong assumption. One pays local tax (Council Tax) to the borough in which one lives, and then a further tax to the Mayor of London's Office. The *average* charge across outer London for this year is nearly US$3000 per annum.
In London, there is no such thing as a free ride.
I'm not surprised we Dutch are trying (and apparently succeeding) to hack public transportation systems facilities if you look at the current pricing of our own system.
I am assuming that you are implying that the Dutch transport system is expensive. Clearly you have never been to the UK. I live an hour away from London by train, if I were to shop around a little and pick the budget airline flights I could fly to Schiphol from Gatwick/Heathrow, get the train to Amsterdam Central and a tram to my hotel for a cheaper price than my train journey from my house to the airport!! It really is *that* bad.
I have been to Amsterdam many times (not *just* for the usual tourist reasons, my grandmother was born there, so I visit family), and I can say without a shadow of a doubt that transport around Amsterdam is many times more efficient and cheaper than transport around London, and I would much rather deal with the bizarre conversations with strangers that have 'had a little schmoke' on late night Amsterdam trams than the strangers that are looking to mug me on the London underground.
Both of our countries are culturally rich, with a fascinating history, but yours seems far superior when it comes to the management of public services.
I have to second this. I'm Dutch and many people are claiming that the Dutch public transit system is expensive and inefficient. I've been to a lot of countries and I took a lot of trains and buses but our public transit compares favourably to almost any of them. Trains visit most parts of the country with metro-like frequency.
It really is a shame that the Dutch national public transit card suffers from similar problems since it has been compromised too. But a chip card system offers a lot of options. Flexible pricing can incentivize off-hour travel. Chip systems will yield more comprehensive information on travel routes and habits and chip cards - if implemented properly - can be much easier to use.
I've noticed that TranSys terminals have appeared along Caltrain here in the San Francisco Bay Area in the past couple of weeks. I wonder if this means Caltrain is moving to the system - and also if they are using a version with the same flaws?
This post is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.
a haxor with skillz über-1337
wanted to ride london's fleet
but rather than paying
he found himself saying
"h4ck1n9 0y573r w0u1d b3 50 v3ry n347!"
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
And then there's the Tube. A single journey within Zone 1 costs four pounds. This could be as short as 100 metres if you're stupid enough to travel between Charing Cross and Embankment.
And who's stupid enough to do that when you could buy an Oyster card and save a packet? Why, tourists, of course. And tourists don't vote. So they gouge 'em.
. but then, London does have the distinction of being the only city in the world wherein you can see the air you breathe ;-)
Sorry. You must either be colour blind to shades of brown or have never been to LA :-|
It seems really apt to include a link to this. I waited for a long time to be able to link this on /.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
So Dutch researchers cracked the public transportation pass for London? Boy they're gonna be pretty down when they'll realise they need to travel all the way to London just to get free public transportation.
Fortunately being Dutch they'll surely find a place to forget about all of this within a walking distance.
You just got troll'd!
That reminds me of an old 'Mock the Week' on BBC when Andy Parsons did his train to Glasgow gag.
"It costs £98.18 to get the train from London to Glasgow, who the hell is going to do that when you can fly to Barcelona for £40, then fly whoever u wanted to visit in Glasgow to Barcelona for £40 and then spend the first £18.19 on sangria".
Well, Bart, your uncle Arthur used to have a saying: "Shoot 'em all and let God sort 'em out."
This is a wake-up call.
The issue is public transit financing; hardasses who want the public to pay more than their fair share (public transit benefits ***EVERYONE***, including motorists, and most importantly motorists who see decreased congestion; as well as employers who can have their workforce brought on site cheaply, so they don't have to pay exorbitant salaries so the workforce has to be able to afford a car - look no further to see the reasons why jobs are going to China) will only drive fares up, and thus the incentives to cheat (where I live, I cheat all the time; illegally, of course, but in a way that's effectively very hard to catch - it would take a cop to tail me all the time).
With reasonable fares, the incentive to cheat is simply not there.
(But transit can't be free; you need a fare to ensure systems don't load up with homeless winos).
It's like music: with $20 CDs, everyone downloads. Not so when they cost $2.
If the bus isn't full and you otherwise wouldn't have paid, then what's the problem?
Sometimes it's hard to tell if people are posting ironically, but I'm going to go ahead and answer as though you were serious.
The philosophical reason you don't take free rides on buses is that paying your bus fare is a Kantian categorical imperative. The ability to take a free ride on a bus presupposes the existence of a bus service, but were everybody to ride for free, the bus service would cease to run, negating the possibility of a free ride.
Actually, the real reason is a lot simpler: You're getting something of value, so you have an obligation to give something of value in return. Only parasites and slavers fail to abide by this principle. Which would you like to be?
-- Note to Mods: There is a good reason there's no "-1 Disagree" option. --
You've obviously never been anywhere else in the UK. London's bus fares are very cheap, and saying the routes are 1/4 the length is just FUD - even if you do have to get 4 buses, it won't cost 4x as much, since a daily fare is capped at £3 (i.e. once you've made 3 journeys you don't pay any more that day). If I want the same here in Oxford it would cost me well over £10 ($20). ...oh, and why exactly would you *expect* having a complicated mess of privatised companies to be any cheaper than one company which is accountable to the public, not its shareholders?
Horseshit.
If you get on a bus and travel 200 yards with an Oyster Card it does cost 90p(about US$90). However you don't because for most people it's quicker to walk. For longer distance bus trips it costs... 90p. If you travel enough in one day on a Pay As You Go Oyster it maxes out at the cost of the cheapest travelcard for the journeys you have made. Thus you get the cheapest possible tickets without thinking about it. Compare this approach to that of mobile phone companies... The price is competitive with most other cities in the UK. Thus if you made lots of 200 yard journeys every day it wouldn't cost anywhere near 90p a ride.
I've certainly not noticed the distance of bus routes getting any shorter. Generally long distance journeys(>1.5miles) are made by Tube, DLR or Train. The Mayor of London tax is included as part of the Council Tax. House prices around outer London are very high, as some of the areas are really nice compared with some of the grottier inner city areas, thus their Council Tax is higher. Public transport in London is far better than it is in most UK cities. To find better you need to go to a city that has had predominantly Labour councils for the last few decades. A lot of the recent improvements in London are funded by the Congestion Charge.
For a free ride, get a bike...
Minor point, but the congestion charge is £8. Ken Livingstone did indeed propose a £25 charge for the "most polluting" cars (basically anything with an engine displacing over 3 litres or more than 4 years old), but that became one of the main issues in the mayoral elections earlier this year, where Ken was deservedly beaten. The new mayor, Boris Johnson, binned those plans almost as soon as he took office.
-- Note to Mods: There is a good reason there's no "-1 Disagree" option. --
The cost of using public transport in London borders on the ridiculous. It's around US$2 to go 200 yards on a bus with an Oyster card. If you haven't got a card, it's over US$4. ...
In London, there is no such thing as a free ride.
The cost of prostitutes in London borders on the ridiculous. It's around US$200 to go for a half-hour with a good pimp. If you don't know a pimp, it's over US$400.
This is how I justify forcing myself on street-walkers. I mean, if nobody's using them and I wouldn't have paid anyway, what's the harm?
Let's see... Offensively insightful? Offensively funny? Or just plain flamebait?
http://www.zdnetasia.com/news/communications/0,39044192,62040565,00.htm
When they say 'none have been discovered' it's not clear if that includes the Dutch hack. While I'm sure there are probably ways around that too in the future and that saying this is partly to play down the impact of 'omg free travel!' I would imagine that an organisation like TFL with the resources they've got they probably can do such scans every evening or in transit. It's interesting regardless to see how this plays out...
jaymz
The issue is that it's a 'quick touch' system. Debit cards can behave as they do because they are not reliant on pure urgency. Oyster cards work in a way that you touch it to the reader for a second or 2, then it lets you in.
You're talking about picking an account out of ~8 million accounts on a server somewhere, checking its balance. That's got to be a good second of simple database system look up as it is (from 'request' to 'result') even if you optimise it hugely. You then have the actual latency from the reader all the way down to the mainframe.
You then get the authentication issue - the card needs to send Name, Hash, UID, anything else to make sure someone can't just 'make their own card'... this increases lookup times... and even then, someone can just use a pocket scanner to nick a few people's card signals.
It would be a bold achievement!
Horseshit.
it does cost 90p(about US$90).
I hate it when I oversleep and the entire US economy collapses...
[UID-HeinzIntel]
You don't have to do a database lookup every time they get on the bus. Just store in the bus that they got on, and then debit the amount from the account when the bus returns to the garage at the end of the day. You could even store the amount available on the card, but also have the numbers centrally, so you could run a job that checked for inconsistencies.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
That's how the Oyster system works!
A point to bear in mind.
If you are using an Oyster card on the buses the charge is capped at £3.00 per day no matter how many bus trips you take.
Oh and do you expect local taxes to be just used to subsidise mass transport? Who pays for all the other services that local authorities provide?
I call bullshit on this, either you live in Scotland, in which case your trip to London will be longer than your trip from London to Amsterdam, or you are comparing bought on the day open tickets to pre-booked cheap tickets, which is just bullshit. Your Amsterdam train ride is 7 miles, which if you went the same distance in London is like a zone 2 tube trip for £3.50.
To be fair, you are correct, I was comparing the lowest possible journey price to Amsterdam with the highest possible journey price to London. I would accept that this might have been a little misleading, but it is not 'bullshit', just a bit dramatic.
The point still stands though, I am fairly certain that we have one of the most expensive public transport systems in the developed world and at the same time are one of the most heavily taxed people in the developed world. Someone is clearly doing *something* wrong.
I am assuming that you are implying that the Dutch transport system is expensive. Clearly you have never been to the UK. I live an hour away from London by train, if I were to shop around a little and pick the budget airline flights I could fly to Schiphol from Gatwick/Heathrow, get the train to Amsterdam Central and a tram to my hotel for a cheaper price than my train journey from my house to the airport!! It really is *that* bad.
Bollocks. I doubt you could fly to _anywhere_ from London without paying at least 30 quid or so in taxes, surcharges and fuel fines.
I've been living in Zurich for 6 months now, which is about as good as public transport gets, and I wouldn't say London's was especially bad.
... these cards are widely used in physical access control systems: determining who is allowed into buildings or parts thereof. As one of the researchers explained today, part of the delay is to allow extra physical security to be deployed at sensitive locations. I don't think anyone has started to calculate the potential cost of all this, though there are probably one or two lawyers ordering yacht catalogues...
Looks like she already had one...
Well then why not just go after the people who are cheating the system. Either the card should be hooked up to someone's identity, in which case you can give them a large fine, or in the very least, if you don't know who has the card, you can just store the card ID in some list of disabled cards so busses don't accept it anymore.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
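The scheme described in the two comments above (settle bus taps in a batch, compare card-stored balances with central records, and disable card IDs that fail the check), as an added example that is not part of the thread and not any real Oyster or TfL code. The record layout, function names, card IDs and balances are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tap:
    """One fare event stored on the bus reader (hypothetical record layout)."""
    card_id: str
    fare_pence: int
    card_balance_after: int  # balance the card itself held after the debit


def reader_accepts(card_id, card_balance, fare_pence, deny_list):
    """Offline decision at the reader: no central lookup, only local data."""
    return card_id not in deny_list and card_balance >= fare_pence


def reconcile(ledger, taps, deny_list):
    """End-of-day job: replay the stored taps against the central ledger.

    Assumes top-ups are already applied to `ledger` before the run.
    Returns (settled_ledger, flagged), where flagged maps card_id -> reason.
    """
    settled = dict(ledger)
    flagged = {}
    for tap in taps:
        cid = tap.card_id
        if cid in deny_list or cid in flagged:
            continue  # already disabled; do not settle further taps
        if cid not in settled:
            flagged[cid] = "card id unknown to ledger"
            continue
        expected = settled[cid] - tap.fare_pence
        if expected < 0:
            flagged[cid] = "ledger balance cannot cover fare"
        elif tap.card_balance_after != expected:
            flagged[cid] = "card balance does not match ledger"
        else:
            settled[cid] = expected
    return settled, flagged


# Constructed sample data (not real card IDs or balances), amounts in pence.
LEDGER = {"CARD-A": 1000, "CARD-B": 500}
TAPS = [
    Tap("CARD-A", 90, 910),
    Tap("CARD-A", 90, 820),
    Tap("CARD-B", 90, 9910),  # card claims far more credit than the ledger
    Tap("CARD-C", 90, 410),   # ID that was never issued centrally
]

if __name__ == "__main__":
    settled, flagged = reconcile(LEDGER, TAPS, deny_list=set())
    deny_list = set(flagged)  # list pushed to the readers for the next day
    print(settled, flagged)
    print(reader_accepts("CARD-B", 9910, 90, deny_list))
```

The check runs after the fact, so a card with an inconsistent balance is only refused once the updated deny list has reached the readers.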
And the reason you have £40 + £40 + £18.19 = £98.19 instead of £98.18 is because you put your 2 cents' worth (£0.01) in?
You realise that London is trying to reduce car usage and a possible effect might be to reduce traffic congestion and pollution. Why drive when you can get a free bus?
Back in the mid 80's Sheffield had a fairly unique bus service with 5p adult fares. The result was packed buses going into and out of the city center and free flowing traffic. Often you would have to wait 10 minutes for a bus since the first 3 that came were full.
Unfortunately Margaret Thatcher deregulated the buses and privatized them, resulting in higher fares, more and mostly empty buses and the return of traffic jams to Sheffield streets.
While free rides might be wrong, after all it's theft of service, for London it could be a very good thing, reducing pollution and congestion.
Incidentally pensioners (65 60 years +) tend to get a free bus pass in most of the UK so already there are some existing free rides.