What is Digg?99 Comments
- WiseWeasel, on 06/24/2008, -0/+58Um, no. That's the most effective way to actually get them to fix the problem, thus decreasing the amount of time they remain vulnerable. If they use the same system to protect access to restricted sites, then it's in everyone's interests to apply pressure to close the hole ASAP. This also highlights the risk of having human checks and balances totally out of the loop, and completely trusting automated security measures.
- Pottypotsworth, on 06/25/2008, -1/+48I wish i knew how to do this, saving £120 a month on tube costs would come in handy.
- ironeus, on 08/01/2008, -23/+57The real security flaw was letting this info leak onto the media and probably getting hundreds of copycat criminals to follow. I suppose this will mount the pressure on the Brits to seal the crack real fast.
- MasterThief117, on 06/25/2008, -4/+28Ah, so your money is going down the tubes.
- speedk0re, on 06/25/2008, -2/+242600 did this with the Metrocard a WHILE ago
http://www.2600.com/mta/MetroCard
(wow, is that the nerd equivalent of "Simpsons Did It?" - cheezintern, on 06/25/2008, -2/+19Hackers do their victims, and the public, a very important service whether it's exposing a security flaw in IE or the smartcards. If nobody were trying to hack OS's and Smartcards, then companies/governments would have no reason to fix those flaws and secure their products.
- scrumpy, on 06/25/2008, -0/+12Those of us without smartcard writers just jump the turn styles.
- solonGFX, on 06/25/2008, -4/+16"If nobody were trying to hack OS's and Smartcards, then companies/governments would have no reason to fix those flaws and secure their products."
Yes, that's because trying to secure against a non-existant threat would be pointless... - Zedizdead, on 06/25/2008, -1/+12Mind the Hack
- litheon, on 06/25/2008, -1/+10"At the technical level there are currently no known countermeasures."
Total BS, the problem here is the implementation. A smart card is capable of using public/private key encryption to make this nearly impossible. It can operate just as HTTP over SSL does. When a person purchases the card they will be given a private key good only for their card, and the issuer stores an identifier for that individual card (unencrypted) along with the corresponding public key in a database. Person swipes card to get through a gate, which gives the reader the ID of the card. The reader looks up the public key for the card, and encrypts the public key to communicate with the reader (for only that session). Both the card and the reader now have a secure communication channel to perform any sort of accounting that needs to be done.
That solution completley eliminates the ability to just clone the card, or intercept any communication between it and the card reader. - warholsbluecat, on 06/25/2008, -3/+11IT'S A SERIES OF TUBES
- inactive, on 06/25/2008, -1/+8These and other RFID cards have been reprogrammed/cloned from distances of up to 100 feet away. This was proven in front of many people at Defcon over three years ago. There are even videos showing them doing it. There is no need to bump into someone.
RFID has never been secure; nor will it ever be. You could spend infinite amounts of money to make a new RFID system and some kid will bypass/reprogram it using a small perl, python or C script the same day it is released. - BossKey, on 06/25/2008, -1/+8Can't believe you're getting dugg up...you basically advocate the proven-to-be-ineffective technique of "security through obscurity."
- stfucupcake, on 06/26/2008, -1/+7Listen: bees have enough problems just trying to survive lately.
Don't always look to bees to solve the world's problems. - Barackalypse, on 06/25/2008, -0/+6Yeah, and in this day and age if they catch you they'll charge you with a terror plot, because why else would you need free untraceable access to the Tube, if not to blow something up?
- cheezintern, on 06/25/2008, -0/+6Unless metrocards(NYC) were changed in the past month, then nope. Metrocards are swiped to read the magnetic strip. Smartcards use rf. The danger with smartcards is you just have to stand next to the person to read their card.
Then of course there was that trick to bend a crease down the middle of the card to trick the turnstyle readers.. - dianebl, on 06/25/2008, -0/+6better the hacker who is doing it for fun, and thus points out the problem, than the person who is doing it to gain access to a building for criminal purposes.
- grantHamNeck, on 06/25/2008, -1/+7http://www.silicon.com/research/specialreports/dat ...
"Stallman criticised the use of open-source software, such as Red Hat Linux, JBoss middleware and Apache web-server software, in the online payment system for the Oyster contactless cards used on London's underground rail network." - ptFoe, on 06/25/2008, -6/+11Another one to the long line of British IT disasters.
- leerayIG88, on 06/25/2008, -1/+5For King and Country.
---Red Alert - beesaretasty, on 06/25/2008, -6/+10I hacked the security system in NYC subways back in the day. On a related note I can jump 3 feet in the air.
- neocr0n, on 06/25/2008, -0/+4First off there is no ID card system in the UK as we speak and I don't think problems with a scheme still in the planning can count as a "disaster". Retinal scanning at UK airports was only trialed by under 100,000 passengers and I can't remember hearing of any problems. As for the NHS its a massive ambitious system and while it does have problems that are causing delays its again not implemented and is not planned to enter into use until 2012. Problems while still putting systems together are pretty standard and if you want problems to surface your going to want them before your systems are up and running. I just don't see how any of those are disasters.
- P5ycHo, on 06/26/2008, -0/+4To all businesses & goverments:
Drop the whole RFID *****. It's not safe for you & and it's not safe for us.
Why does there need to be a wireless exchange of information?
We pay you to use your services. Not to have you track our personal data which is on or is linked to the rfid chips.
What's wrong with paying for a ticket with no personal data on it, and use that ticket to authenticate? - balazs, on 06/25/2008, -1/+5These are Oyster cards I believe, which use a system based on the RFID standard.
- yuanzhoulu, on 06/26/2008, -0/+3in that case, we look to fire ants.
- jemka, on 06/25/2008, -1/+4...Jerk alert
- rac1234, on 06/26/2008, -0/+3Depends what British accent you have.
- inactive, on 06/25/2008, -1/+4Dugg for the proper use of the term crack
- dontaskagain, on 06/26/2008, -0/+3This happened months ago, i even did a presentation on this breach for university in April
- RevEng, on 06/26/2008, -0/+3I believe they mean there's nothing they can do to prevent existing cards from being copied or existing readers from accepting those copies. Yes, a better implementation wouldn't have allowed this to happen (though using public-key cryptography doesn't immediately mean it's secure -- a bad implementation of such a system can still easily be broken), but the existing cards can't just be reprogrammed; the program is physical hardware on the card. To fix this problem, the card has to be redesigned and manufactured. That's going to take time.
- Tyrghast, on 06/25/2008, -0/+2You can do this at gas stations that use the RFID devices. You can overload the signal and start pumping til you're done, the problem is it's a federal offense.
- geoboy, on 06/26/2008, -0/+2"What tubes? Have you seen any tubes? Where are these tubes? And where do they go? And how come there's more than one tube?"
RIP Carlin :( - uberduger, on 06/26/2008, -0/+2I thought he was going to refer to the ridiculous number of times that someone has lost a CD / laptop full of people's names and addresses and stuff. I really wish the UK government would hurry up and google 'encryption'. It's not rocket science.
- inactive, on 06/25/2008, -1/+3In case you didn't know, the internet, is a series of tubes
- inactive, on 06/25/2008, -0/+2tubes, lol
- BillE3, on 06/26/2008, -0/+2Not to worry, the criminals and terrorists would never think to use this gain access to anything of importance. Doh, I forgot, terrorists do not really exist, I mean they have not done anything in the U.S. have they.
- kd1s, on 06/25/2008, -0/+2Ok, our public transit provider, RIPTA just installed all now E-Fare boxes last summer. It uses magnetic cards for passes and transfers, RIPTIKS, 15-Ride, and change cards.
I passed a 15-ride pass through a reader. They just write a 1 on the strip each time you use the card. When you insert it the fare box counts the 1's which also give it the position on which to print the ride data.
Easily hackable. - HanSolo69, on 06/26/2008, -0/+2Knowing enough to be able to call "Simpson's did it" is pretty nerdy itself.
- virtualball, on 06/25/2008, -0/+2I met British guys the other day and they said the tube is pronounced "chube," anyone want to verify for me?
- sporg, on 06/26/2008, -0/+2Whether the card is magnetic stripe, rfid or a combination card you can buy a reader for it somewhere. It is still called a reader thats not a term specific to magnetic cards.
- dullnation, on 06/26/2008, -0/+2For the record, I loved Red Alert ;)
- neocr0n, on 06/25/2008, -2/+4What's the rest in this long line?
- glensvodka, on 06/25/2008, -0/+2http://www.scdeveloper.com/Readers/ACR120.htm
- Enigma776, on 06/25/2008, -0/+2Yeah I read this ages ago too, Wired are really slipping behind but then again when ain't they.
- workharderscum, on 06/26/2008, -0/+1I think that the vulnerability in the mifare cards is a weakness in the random number generator used to create keys - instead of providing a huge number of possible keys, its actually quite limited, allowing them to be broken in seconds rather than weeks/years
Mifare uses a proprietary, non-published algorithm that was not reviewed by independent security experts. This is not a good idea. - agitpropre, on 06/26/2008, -0/+1Quite right. My snotty Oxford-trained ex would never have said 'chube' ("tyube, darling") but speakers of Estuarian English (living on/near the Thames Estuary) tend to take the 'chube'.
- workharderscum, on 06/26/2008, -0/+1Can't you also buy things with your oyster card now? Not big purchases, but I'm sure I heard that you can use them in some shops.
Also, the £100 part of the analogy is a one off cost - its more like spending £100 on the equipment for copying keys. - RevEng, on 06/26/2008, -0/+1This is what happens when companies insist on using secret, proprietary protocols. As Bruce Schneier is quick to point out, "Cryptography is hard." We have existing systems (DES, RSA, AES) that have been tried and tested; just use them! Instead, companies insist on making up their own, thinking that it is somehow better (or perhaps because they can charge more for propriety), and then they act surprised when somebody reverse-engineers it and discovers its weaknesses. We see it all the time: satellite cards, cell phones, DVDs; any technology which becomes valuable will be attacked and its flaws found.
Perhaps one day the customers themselves (like London's tube) will do the research and choose products that use well-studied, well-known, sound methods to protect their secrets. In the mean time, hackers will continue to have a field day exploiting them. - kirado4, on 06/26/2008, -1/+2more useless technology
- abrasion, on 06/25/2008, -0/+1That may be the case for London but here in Australia it works differently.
We have some train stations and all trams where you can get on without having your ticket checked by anyone, they do however have inspectors on random trips, if they catch you using public transport without a valid ticket they give you a bloody expensive fine (200$ or more)
Sometimes people in Melbourne try to validate their ticket but the broken machines cause them to get on the train with an invalid ticket, when they reach their destination, if there is inspectors there - ouch....
http://www.theage.com.au/national/train-journey-en ... -
Show 51 - 100 of 102 discussions
The Digg Toolbar for Firefox lets you Digg, submit content, and keep track of Digg even when you're not on the Digg site. Download the official 
© Digg Inc. 2009
— Content created and posted by Digg users is