
Activists release code to generate free public transportation tickets in U.K - baloki
https://reddit.com/r/manchester/comments/cyefu5/activists_release_code_to_generate_free_public/
======
stevecat
I've used these apps before in the UK, and it is great being able to generate
a ticket offline, but it appears they've achieved that by including the
private keys in the app. Oh dear.

Would there be any foolproof alternative to allow for offline ticket creation
in a mobile app when that app can be reverse engineered?

~~~
matthewmacleod
I don’t understand how offline ticket creation could work in any scenario,
full-stop. Surely you need to have a data connection in order to purchase the
ticket in the first place, right?

~~~
mjlee
You could carry a balance on the app that gets reconciled when you're online.

Alternatively, Apple Pay works offline for NFC transactions - I've not tried
doing an in-app purchase offline but that might work too.

~~~
matthewmacleod
Oh, sure - I mean you _could_ carry a balance, but that would be inherently
insecure (clearly not something they are particularly fussed about).

Apple Pay is a little different in that the terminal is online - I was under
the impression all contactless terminals perform auth in real-time, but I may
be mistaken.

~~~
mjlee
I've used Apple Pay completely offline - on trains, buses and planes for
example.

The terminals in London Underground stations might be constantly online, but I
doubt very much there's a 100% guarantee for London Buses.

~~~
Reason077
London Underground and London Buses are both "semi-online". They _don't_
generally try to immediately validate a transaction with your bank the moment
you touch your card. Transactions are batched and applied overnight, after
applying any discounts like daily/weekly fare caps, out-of-station
interchanges, and the bus "hopper fare". The batching means that transactions
can still be accepted if the terminal is offline for some reason.

However, there is also a blacklist of card numbers that have outstanding
balances against them. If you try to use a card that is declined, it will work
the first day but not on subsequent days. If you go on TfL's website and clear
the outstanding balance, the card will work again after 30 minutes (or in
practice, less) once it is removed from the blacklist.
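The "semi-online" scheme Reason077 describes above (and the thread's practical answer to stevecat's offline-ticketing question) modelled as an added Python simulation; this is illustrative code, not TfL's or the thread's own, and the fares, cap and card numbers are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field

BUS_FARE = 150   # pence per tap, constructed sample fare
DAILY_CAP = 750  # pence, constructed sample daily fare cap


@dataclass
class SemiOnlineFareSystem:
    """Terminals never ask the bank at tap time; they only consult a blacklist.
    Risk is bounded to one day of travel per card, settled in an overnight batch."""
    blacklist: set = field(default_factory=set)            # cards with an unpaid balance
    pending: dict = field(default_factory=lambda: defaultdict(list))  # card -> today's taps
    outstanding: dict = field(default_factory=dict)         # card -> pence owed
    bank_declines: set = field(default_factory=set)         # cards the bank will refuse

    def tap(self, card: str, stop: str) -> bool:
        """Decision made at the reader, offline: accept unless the card is blacklisted."""
        if card in self.blacklist:
            return False
        self.pending[card].append(stop)
        return True

    def settle_overnight(self) -> dict:
        """Batch job: apply the daily cap, charge each card once, blacklist declines."""
        charges = {card: min(len(taps) * BUS_FARE, DAILY_CAP)
                   for card, taps in self.pending.items()}
        for card, amount in charges.items():
            if card in self.bank_declines:
                self.outstanding[card] = self.outstanding.get(card, 0) + amount
                self.blacklist.add(card)   # works day one, refused from day two
        self.pending.clear()
        return charges

    def clear_balance(self, card: str) -> int:
        """Customer pays online; the card is removed from the blacklist."""
        amount = self.outstanding.pop(card, 0)
        self.blacklist.discard(card)
        return amount


def demo() -> dict:
    """Two constructed cards: GOOD settles normally, BAD is declined by its bank."""
    tfl = SemiOnlineFareSystem(bank_declines={"BAD"})
    day1 = [tfl.tap(c, f"stop{i}") for c in ("GOOD", "BAD") for i in range(6)]
    charges = tfl.settle_overnight()
    day2 = {c: tfl.tap(c, "stop0") for c in ("GOOD", "BAD")}
    paid = tfl.clear_balance("BAD")
    return {"day1": all(day1), "charges": charges, "day2": day2,
            "paid": paid, "after_clear": tfl.tap("BAD", "stop1")}
```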

------
Jonnax
"The reason we’ve decided not to go down the responsible disclosure path is
being strong believers in public transportation being a common good that
should be free for everyone, and this research is our contribution to get us
closer to that end."

This is trolling, right?

~~~
crispyporkbites
Get on a bus in the middle of the day and count the number of people paying.

I.e. those not on benefits, over the age of 18, under the age of 60 etc.

Now count how long the bus idles while people line up so the driver can
validate their ticket / check they tapped in on their Oyster card.

Now add in all of the infrastructure and staff required to collect fees and
account for them.

Then add in all of the external costs of charging for public transport (more
cars, less productivity).

The argument for charging isn’t that strong.

~~~
chumali
Have you even bothered to check the figures?

You mention Oyster cards so I'll assume you're talking about London in which
case the operator (TfL) clearly states that "Fares are the single largest
source of our income (projected to be 47% in 2019/20)". [0]

This income more than covers the operational costs, with the difference being
used to support new infrastructure projects and upgrades such as the Elizabeth
Line (as well as concessions for students, the elderly, etc).

Clearly there is a very strong argument for charging.

[0] [https://tfl.gov.uk/corporate/about-tfl/how-we-work/how-we-are-funded](https://tfl.gov.uk/corporate/about-tfl/how-we-work/how-we-are-funded)

~~~
AnthonyMouse
What percentage of operating costs are paid for with fares has basically
nothing to do with what percentage _should_ be paid for with fares. If paying
100% with taxes results in lower costs per rider because you don't have to pay
for fare collection costs and higher use of public transport because there is
less friction (which benefits even those who don't use it via lower traffic
and pollution etc.), why _shouldn't_ we do that instead?

~~~
chumali
Fare collection in London is almost frictionless. Almost all public transport
can be paid for with contactless debit/credit or prepaid cards. Drivers have
no requirement to verify fares and all stations have self-service terminals.

Although the administration cost is not zero, it is almost certainly
negligible enough that moving to a taxpayer funded model would increase these
costs. This is particularly true given that transport budgets are operated at
the regional level and would require the introduction of new regional taxes
rather than simply relying on existing tax revenue. (The politics of passing
any new tax legislation would be a monumental hurdle in the first instance.)

Then there is the question of whether a broad tax is more equitable than the
current model. I fail to see how this could be the case given the current
system retains the price signal and through a system of concessions ensures
that those who most benefit from the provision (e.g. professionals working in
the inner city) contribute the most and effectively subsidise fares for the
rest of society.

~~~
crispyporkbites
Actually bus drivers can’t move the bus until all passengers have tapped in.

Then you have all the ticket machines, barriers, stations, staff etc that
would be completely unnecessary.

The only real bonus of collecting fares is that TfL acts as a treasury with
millions of pounds in funds to invest.

~~~
dx034
Not in London. You can use card readers at all doors and drivers tend to start
driving once everyone is on board, not only once everyone has checked in.

~~~
crispyporkbites
That’s only on the new Routemasters in zone 1; outside of zone 1 there’s one
door and everyone must enter through that door, tap in while the driver
watches, and the driver will not leave until everyone who gets on has paid.

------
afarrell
If this is activism, what is the political goal here? It seems like all this
does is enable people with a highly-paid skill (accessing Tor, then
deploying/running scripts) to not pay for transport.

~~~
kitd
The public version is to demonstrate that large enterprises looking after
public infrastructure & contracts still fail spectacularly to implement basic
security practices in their products.

Under the covers, it's an invitation to have a go at transport operators who
are unpopular and have a reputation for offering low-quality services at high
cost.

~~~
dgellow
So the goal is to say "look, your security is stupid, we will all have free
rides until you fix it"? That's most likely to result in more money being
spent by the public transport company to counter the bad PR and fix the issue.

------
T3OU-736
Technical cock-up aside, why the term "activists"?

Not questioning the title of the HN post, rather, wondering if there is
something going on in the news which I have missed that would justify the term
(instead of "hackers" or even "security researchers", though the latter seems
to stretch the definition of responsible disclosure).

~~~
dagw
They're ostensibly doing this as a political statement to start a debate and
affect political change. Thus "activists".

------
fredley
Seems like they baked secrets into their app bundle (RSA keys). Basic
engineering fuckup.

~~~
gentaro
Not even a basic engineering fuckup. That's just an "I don't know what the
hell I'm doing" fuckup.

~~~
Illniyar
I doubt it's an "I don't know what the hell I'm doing" fuckup. Probably more of
a "I warned my higher-ups, and they overruled me because they wanted the
feature more than they wanted the app to be secure, and so they can handle the
fallout" fuckup.

~~~
gentaro
> and so they can handle the fallout" fuckup.

Even if this guy objected to it, unless he quit his job straight after
implementing this, you can be sure it came back down on him.

This is the kind of situation where you have to clearly argue your case and
stand your ground.

~~~
fredley
In my head, it went like this:

Mgmt: Can we do this?
Eng: Yes, but...
Mgmt: [Tunes out after Yes] Do it

Saying 'No' instead of 'Yes, but' is hard but a really valuable ability.

~~~
dragonwriter
I've seen that work out the opposite way, where “Yes, but” gets the part after
“but” listened to, and “No, because” with a reason that isn't really a “can’t
be done” reason but a cost to consider gets you not only ignored on the
specific point but also frozen out of being involved in business and upper
management contact, because you are seen as projecting an air of
laziness/inflexibility.

------
gnufx
People complaining might note that there is already a free bus service in
central Manchester: [https://tfgm.com/public-transport/bus/free-bus](https://tfgm.com/public-transport/bus/free-bus)

------
tomglynch
I've run the app through Immuniweb to see if the keys show up. There's quite a
few issues but I don't see the private keys.

Link here:
[https://www.immuniweb.com/mobile/?id=hprUh4hL](https://www.immuniweb.com/mobile/?id=hprUh4hL)

------
boomskats
Ahh, this reminds me of BT Cellnet storing those first pay-as-you-go credit
ledgers locally on the Philips C12 / Diga handsets, and just hoping nobody
would notice.

------
mehh
So who was the developer of this app, I assume the transport company
outsourced it?

~~~
ovi256
Seems to be [https://www.corethree.net](https://www.corethree.net). Just look
at their customer list.

~~~
flukus
It's just a blank page without loading external javascript, which says all you
need to know about their technological competency.

------
CodeBiscuit
Looks like it's been removed, anyone take a copy of the post?

~~~
maxfan8
It just links to an onion address.

[http://2dpue32kldx6sm24r2lbisilqhzlglffssgyjgqwwq7masm74rliw...](http://2dpue32kldx6sm24r2lbisilqhzlglffssgyjgqwwq7masm74rliwoid.onion/)

I'm not sure if I'm allowed to post this on HN – I think it should be legal to
post a link.

------
Smithalicious
Holy mother of entitlement. Taking something without paying for it because you
think it should be free isn't activism, it's, well, theft.

------
bradleyjg
I’m sympathetic to the idea that public transit should have means tested
fares, but outright free is a bad idea. It costs something to provide, quite a
bit actually, and has limited capacity so there needs to be some mechanism to
gate access. Price, which forces users to consider trade-offs, is the most
straightforward way to do so.

~~~
CapacitorSet
Gates access to whom? Trade-offs in favour of what?

Introducing a fixed price gates the poor the most (e.g. a wealthy individual
can afford to spend a couple hundred pounds on a yearly subscription without
much thought), and often incentivises trade-offs in favour of individual
transportation (i.e. cars), which is less desirable in terms of pollution and
traffic.

~~~
purple_ducks
> a fixed price gates the poor the most

The poor already get free travel. As do pensioners.

~~~
DanBC
How do poor people in the UK get free travel please?

