
Court rules Oyster hack can be revealed

Daniel Fleshbourne   on 22 July 2008 - 11:52 · 10 comments & 5891 views

A Dutch judge has ruled that researchers can publish details of how to crack the Oyster card used on London’s public transport system. NXP, which makes the Oyster card, had taken out an injunction to stop Professor Bart Jacobs and colleagues from Radboud University in Nijmegen from publishing their research into the security flaws in the Oyster card.

The university welcomed the ruling, saying "...in a democratic society it is of great importance that the results of scientific research can be published". NXP is arguing that it will take months before it finds a way to fix the flaw that allows the cards to be cloned. It has reportedly said that publishing the detailed research will serve no useful purpose.

View: The full story @ vnunet

Comments · There are 10 additional comments
(1 reply) #1 leesmithg on 22 Jul 2008 - 14:01
Well they should have invested in a decent method beforehand, rather than moaning about hacks.

I cannot understand what is wrong with visiting Mr Patel's and buying a weekly or monthly card from him.

My mother is always moaning about people moaning about the freakin thing to her and how bad it is.
#1.1 +Kirkburn on 22 Jul 2008 - 15:11
(leesmithg said @ #1)
Well they should have invested in a decent method beforehand, rather than moaning about hacks.

I cannot understand what is wrong with visiting Mr Patel's and buying a weekly or monthly card from him.

My mother is always moaning about people moaning about the freakin thing to her and how bad it is.

How is it "bad"? One card, and you're set. It cuts down on rubbish, and means less worry about getting a card before you travel. All you have to do is make sure it's topped up.
#2 Skwerl on 22 Jul 2008 - 14:55
I can't seem to see any useful reason for publishing the information, either. Sounds like another security researcher exploiting the mistakes of others in an attempt to win notoriety. It's selfish. He (well, and a bunch of crooks and freeloaders) is the only one who will benefit. Way to go, attention whore.
(4 replies) #3 ]SK[ on 22 Jul 2008 - 15:25
What possible good can come of releasing this information to the public domain?
#3.1 HalcyonX12 on 22 Jul 2008 - 15:41
So people can protect themselves if they are using the security method. When security is broken, people must be notified.

The person who is announcing it may not even be the first person to discover the crack, and many others could be exploiting it already if it exists. Many shady people hold onto these discoveries and even sell them on the black market for a high price, and announcing the details will prevent them from getting any funds. At the same time, those who use the method of protection need to be aware of it so they can apprehend fraudsters.

If you have a house and the security method is broken, do you want that discovery to be kept safe by the one scrupulous person that told you they discovered it, or do you want the company to get off its ass and fix it, and even start putting extra emphasis on preventing bugs like this? It may not even happen if it's not publicized. The less people know about it, the less reason the company has to spend money and do something about it.

How about the US elections, do you want the electronic voting bugs to be kept private so a few people can control the exploits, or should everyone be aware of it and take the appropriate cautions and securities? The fewer people aware, the fewer can observe or respond to a threat that can have far reaching implications.

Now granted, the only harm that can come here is a few people getting free rides, but if this were kept underground, the fraudulent cards could be circulated and used maybe without authorities knowing, and then everyone else would have to pay for it. Even then, this transportation system is not the only one to use smart cards for protection, perhaps the exploit can even be used elsewhere. It's very important to know about this. Smart card users should also be able to protect themselves from any liability or implication of wrongdoing, and they can't without knowing the circumstances of the exploit. They could have unknowingly bought a fraudulent card and be using it, and be held liable. However if they know the characteristics of such a card, perhaps they could even help point out the guilty party, and avoid supporting any criminal activities.
#3.2 plastikaa on 22 Jul 2008 - 17:48
I don't see why "Professor Bart Jacobs and colleagues from Radboud University in Nijmegen" need to instantly release this information either - it has no benefit to anyone apart from crooks.

Why don't they give NXP the few months they need... and if it's still not been fixed by a specific date then they can release the information to the public.

Arguably the research and the method of exploit could exist in other systems, but realistically there is no urgency in why the information needs to be instantly available to everyone.
#3.3 peter_uk on 22 Jul 2008 - 18:39
(plastikaa said @ #3.2)
Why don't they give NXP the few months they need... and if it's still not been fixed by a specific date then they can release the information to the public.

A quote from the BBC report on it:

Given the many millions of cards in use Prof Jacobs held off publishing details about how the information on the chips can be copied and used. It told the Dutch government and NXP about its work to give them time to harden systems against the attack.


BBC Oyster Hack
#3.4 HalcyonX12 on 22 Jul 2008 - 21:24
(plastikaa said @ #3.2)
I don't see why "Professor Bart Jacobs and colleagues from Radboud University in Nijmegen" need to instantly release this information either - it has no benefit to anyone apart from crooks.


By that logic only a crook would have tried to discover the information in the first place. You can't have security through obscurity, and crooks are going to abuse it whether or not the exploit is public. The person who is trying to make it public in the first place is just showing they are no crook. The erroneous part was to sell a system as being secure in the first place when clearly it is not. If that much is riding on it, you should be able to trust it even if it's transparent.

The sad part is reverse engineering is starting to be made illegal in the first place where only the legitimate parties are being harmed by keeping these discoveries underground where they can be abused. Also obscurity is being encouraged and people are less diligent and slower to respond without the help of others were the exploit to be publicized. If people are encouraged to release the details in the first place instead of being suppressed by threats of being legally implicated then progress will be faster. Other researchers could even have the chance to lend their abilities and work on the problem.
(1 reply) #4 BGM on 22 Jul 2008 - 20:01
In a nutshell, do we know what the hack does/involves?
#4.1 Quick Reply on 23 Jul 2008 - 10:18
It clones the "Oyster" card that is used as a ticket on London's public transit system. So someone could buy a yearly ticket and then clone it for everyone else to use as well.

What I don't understand is why can't they just add some authentication devices on it (eg: a holograph for each type of card/date of issue) so that the ticket inspectors can determine which are fake or not, a fake ticket is as good as no ticket.
Can also monitor the serial numbers to see which cards are being used in two places at once so they can be blacklisted.
