Post by Chris W on Jul 21, 2008 11:49:58 GMT
news.bbc.co.uk/1/hi/technology/7516869.stm
So the Dutch judiciary appears IMO to be condoning/supporting (or whatever way you want to argue it) criminal activity. How can it be argued that this is 'just for information' - who, in their naive little mind, can consider that no-one will act upon it?
Post by ianvisits on Jul 21, 2008 13:29:39 GMT
Since when has reverse engineering a computer chip you have bought become a criminal activity?
It's NXP's (formerly Philips) fault for designing the system in such a manner that makes the inevitable discovery of flaws so difficult to fix - and partly TfL's fault for using such a system when the proven FeliCa model was already up and running and is a lot easier to update the security for.
Post by Chris W on Jul 21, 2008 15:25:56 GMT
It's not the reverse engineering that's the issue here.... it's the revealing of information how to bypass the system (clone/copy cards) and therefore enabling them to commit criminal activity. Just because there's a weakness (show me a computer programme/application or system that doesn't have a weakness be that IE, Firefox or any other), doesn't mean that LU are responsible or should suffer the consequences - if the report is accurate (an important question in itself) by sharing the information with the world, you are consequently giving it to those who will want and be motivated to use it to commit criminal activity (fraud). Why not share that information with the customers of the system (LU/TfL) so that they can exert pressure on the manufacturers to deal with the issue - surely that's the right way to go?
Post by cetacean on Jul 21, 2008 16:22:54 GMT
They are - they're not planning to publicly unveil the details until October, and they submitted the findings to NXP months ago.
There are ways to design a system like this securely, or at least much more securely than they have. It's negligence on NXP's part for not designing it properly, and TfL's part for choosing a shoddy system.
Post by mrfs42 on Jul 21, 2008 20:15:11 GMT
I've got a mate that works in Sheffield - his Oyster and office access cards are interchangeable for opening his office door!
Post by c5 on Jul 22, 2008 8:50:06 GMT
Can they please do my Oyster card for the NR ticket gates where my Season Ticket is also valid please!
Post by bowchurch on Jul 22, 2008 20:04:08 GMT
"So the Dutch judiciary appears IMO to be condoning/supporting (or whatever way you want to argue it) criminal activity."

Sorry Chris I don't agree. Full Disclosure, as long as it is done responsibly, improves the security of systems - not reduces it. From what I can see from the article Professor Jacobs was responsible, and has been trying to work with the Dutch Government and NXP to make the system secure - but NXP decided launching legal action to cover up the flaw was the best way forward.

If the Oyster infrastructure has been implemented correctly then this will have little to no impact on TfL. Why? Because the system should know what validity and prepay topups should be on each card, and once a discrepancy is spotted the card should be hotlisted. Depending on how quickly the processing is done, it could happen between you touching in and touching out. The worst scenario I can see is someone using the card only with offline readers (bus ticket machines, handheld scanners on DLR and NR etc.) then the card getting hotlisted overnight once the units get docked and download their transaction logs. The TfL spokesperson is confident a dodgy card will be spotted in 24 hours, which pretty much backs up what I'm saying.

All the cards have a unique serial number permanently burnt into them at manufacture, the only way this fraud could be worthwhile was if this unique serial could be changed, which would negate the card getting hotlisted. Otherwise it is a lot of effort to get up to 24 hours free travel on buses and other ungated parts of the DLR, Tube and Rail network.

I reckon when they talk about copying cards in the article, they didn't actually fully copy the card. They were just able to copy the 'entitlement' from one card to another. We will have to wait for the report to be published to get the full story though.

You'll have to take my word that I work on some very high profile internet projects. And I would rather know of any security flaw in our systems so that I can work on fixing it rather than having an open, unknown flaw that could be exploited without my knowledge.
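
The back-office check described in the post above (compare what each card claims with what the ledger says it should hold, and hotlist on a mismatch), as an added example that is not part of the original post and not TfL's actual system. The record layout, the per-card sequence counter, the day numbering (0 = uploaded the same day by an online gate, 1 = uploaded after an offline reader is docked overnight) and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tap:
    serial: str          # card's factory-set serial (assumed unchangeable)
    seq: int             # hypothetical per-card transaction counter
    balance_before: int  # pence, as read from the card by the reader
    delta: int           # pence: negative fare or positive authorised top-up
    uploaded_day: int    # day this reader's log reached the back office

def reconcile(ledger, taps):
    """Replay each card's taps in sequence order against the ledger.

    Returns {serial: day} where day is the earliest day on which the back
    office holds enough log data to see the mismatch and hotlist the card."""
    by_card = {}
    for tap in taps:
        by_card.setdefault(tap.serial, []).append(tap)
    hotlist = {}
    for serial, card_taps in by_card.items():
        expected = ledger.get(serial)      # None: serial was never issued
        seen_by = 0
        for tap in sorted(card_taps, key=lambda t: t.seq):
            # a mismatch is only visible once every earlier tap has arrived
            seen_by = max(seen_by, tap.uploaded_day)
            if expected is None or tap.balance_before != expected:
                hotlist[serial] = seen_by
                break
            expected += tap.delta
    return hotlist

# Constructed sample data: A100 is honest, B200 carries a copied entitlement.
LEDGER = {"A100": 1000, "B200": 150}
TAPS = [
    Tap("A100", 1, 1000, -90, 1),   # bus (offline), log arrives after docking
    Tap("A100", 2, 910, -150, 0),   # gate (online), arrives first but is consistent
    Tap("B200", 1, 5000, -90, 1),   # bus (offline): card claims 5000, ledger says 150
    Tap("B200", 2, 4910, -90, 1),
]

if __name__ == "__main__":
    print(reconcile(LEDGER, TAPS))
```
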
Post by Deleted on Jul 22, 2008 20:07:41 GMT
There was an article in the ticketing & revenue newsletter a few months back that detailed why someone would find it very difficult to make fraudulent Oyster journeys successfully, although heaven knows I can't remember the details. *g*
Post by Chris W on Jul 22, 2008 20:56:04 GMT
bowchurch: I've heard via the media that LU/TfL could track and stop a card fairly quickly via tracking movement/transactions etc. etc. Good - perhaps TfL aren't as idiotic and stupid as the press hope they are! Yes I agree that NXP seem to have over-reacted (assuming more didn't happen behind the scenes that we are not aware of/hasn't been reported), but if they have been made aware of the flaw and are probably investigating a solution, the only motivation I can see for releasing information to the general public is to force NXP to resolve the defect quicker - please correct me if you disagree. IMO knowingly releasing the information to the world at large in an effort to try to force NXP's hand, you are doing so in the expectation that they will be worried about fraudulent activity/loss of money etc. Following that train of thought through, the person releasing the information expects criminals to take advantage of their research and as a result aren't they therefore an accomplice by association (they are the source of the leak, without which no fraud or attempt to defraud would take place)? It's an opinion - that's all
Post by Chris M on Jul 22, 2008 22:04:08 GMT
One thing I've seen elsewhere is that you must not assume that the Dutch researchers are the only people who have figured out the crack, apparently it is more than likely that organised crime has figured it out as well less publicly and that they will sell/will be selling the information to others of their ilk. If the information is out there in the public domain then this is one income stream for organised crime that has been shut down.
As others in this thread have explained, making security flaws publicly known is beneficial for the security of the system. In forcing the hand of NXP you are making sure the flaw is closed as soon as possible. If they were already working on the fix as fast as they can, then nobody loses. If, in the more likely scenario, the priority was not as high as it could be then the users of the system win.
Taking the analogy of the computer software market, closed source programs (e.g. Microsoft Windows) can have security holes that are known about for months or years before a fix is released - and it's not uncommon that people have to pay to get the update. Open source also contains security holes, but these are fixed much quicker as anyone can fix it, and if company X wants people to pay for the update, some other person/group/company can implement their own fix, or even release company X's, for free. The result is that everybody wins.
Post by bowchurch on Jul 22, 2008 22:18:31 GMT
Chris it might be helpful to read this interview with the researchers. The researchers want to engage with system integrators worldwide to help them assess the vulnerabilities in their systems, as they have already done with the Government and transport operators in Holland. I've not seen any evidence that they have, or want to disclose the full set of algorithms they have obtained when they publish their report. Don't be under any illusion that the research not being published makes MiFare more secure, it doesn't. The Dutch team are not the only people who have been investigating MiFare security, and the fact that they have announced a successful hack will be sufficient for others on both sides of the legal fence to try and emulate their work. So IMHO NXP were going to court to try and protect their reputation and sales of the product not the security of their customers.
Post by bowchurch on Jul 22, 2008 22:22:37 GMT
Something else that has just occurred to me. I wonder if the faulty software update earlier in the month that accidentally disabled some Oyster cards was in any way connected to this?
I'm not expecting anyone to know the answer - but it's something to think about.
Post by mrfs42 on Jul 22, 2008 23:55:51 GMT
It certainly disabled mine! Mayhap because I'm a priv Oyster, but I'm not utterly sure of this.
Post by gypsy78 on Jul 23, 2008 4:42:32 GMT
When I'm short of cash I just sneak through behind someone!
Post by ianvisits on Jul 23, 2008 20:32:57 GMT
"When I'm short of cash I just sneak through behind someone!"

When I suspect someone is trying to do that with me, I pause suddenly after I get past the gates and trap the other person behind them as they slam shut.
Post by Deleted on Jul 24, 2008 8:13:30 GMT
"Something else that has just occurred to me. I wonder if the faulty software update earlier in the month that accidentally disabled some Oyster cards was in any way connected to this? I'm not expecting anyone to know the answer - but it's something to think about."

According to recent news it was no accident!