[Crew] Oyster card crash leaves cards corrupted

Minus Q minusq.uk at gmail.com
Mon Jul 14 10:07:41 BST 2008


2008/7/14 Richard Rothwell <richard at caliban.org.uk>:
> 2008/7/14 Stephen Parkes <sparkes at westmids.biz>:
>> On Mon, Jul 14, 2008 at 8:33 AM, Re-LoaD <reload at brum2600.net> wrote:

>>> The group announced that it would be publishing details of the
>>> vulnerability at a security conference in October, but have now been
>>> sued by the makers of the chip to prevent this.
>> Thank fuck for that the network is secure after all because nobody
>> knows it's insecure.  I can understand that logic

It doesn't sound like you do ;)

The network is insecure, as shown by the research group.

However that insecurity is not being actively exploited by a large
group of people, because the research group has been prevented from
publishing their findings.

Therefore while the network is technically insecure, the impact on the
network is minimal.  The impact is what's important here.  It doesn't
matter whether the network is insecure or not, what matters is whether
people can take advantage of that insecurity.

I would expect TFL have squashed the research for one of two reasons:

a) Delay the impact of this research so they can work on a fix.

b) They're hoping to stop the research ever being released.

>From friends who used to work as part of the project team, I suspect
the latter approach.

> So to add to "security through obscurity"

"improved security through obscurity", or "less insecurity through
obscurity", whichever you prefer.  Insecurity isn't binary.

> we have "security through gagging order".

Well it appears to be working, I'll still be paying for my tickets
when I'm in London this week.

"If you can't go through the firewall...
...go through the secretary."

More information about the Crew mailing list