• lol768 a day ago

    This particular incident comes after another rail-related "cyber" incident, affecting TfL who run services in London. The previous incident was perpetrated by a 17-year old, and TfL have still yet to re-enable the systems they turned off back at the end of August. This means customers can no longer check their contactless journey history or claim refunds online. My understanding is that staff were also shut off from being able to access internal systems. There is no ETA for restoration of service.

    I think there's a growing problem with digital competency in some of these organisations. TfL in particular have not kept up with the times, and their once revolutionary ticketing infrastructure and software (I say "their", but it's really all just outsourced to Cubic, there's very little in-house expertise or day-to-day ownership when it comes to this stuff) feels quite dated now.

    • avianlyric a day ago

      > I say "their", but it's really all just outsourced to Cubic, there's very little in-house expertise or day-to-day ownership when it comes to this stuff

      The original Oyster system was outsourced to Cubic. But the newer contactless system was built in-house by TfL, and is licensed to Cubic for sale to other transport systems around the world, including cities like New York.

      https://en.wikipedia.org/wiki/Oyster_card#Contactless_paymen...

      • lol768 a day ago

        For various reasons, the contactless system sadly still lags behind Oyster, with basic functionality like NR discount entitlements missing and showing no signs of emerging anytime soon. The physical infrastructure, like the gatelines, are all still controlled by Cubic as well.

        Even in terms of security, you have TfL deciding to adopt SMS for multi-factor authentication (no TOTP/HOTP/push-based MFA) for their contactless portal. Which they only started enforcing a year ago. I don't get how anybody can defend decisions like these. We've known SMS is unsuitable for this use-case for years.

        • avianlyric a day ago

          > For various reasons, the contactless system sadly still lags behind Oyster, with basic functionality like NR discount entitlements missing and showing no signs of emerging anytime soon.

          It’ll happen eventually. The Oyster system has already hit breaking point. There’s now a number of stations around London that only accept contactless and not Oyster, due to memory constraints on the Oyster cards that prevent support.

          TfL’s long term goal is to migrate the entire Oyster system onto the contactless back end, so the cards cease to be stored value cards, and simply become unique account identifiers. TfL did part of this migration a few years ago when they phased out older Oyster cards that couldn’t correctly support the new ID based system. I assume that when they introduced weekly caps on the Oyster cards, that was partly enabled by their migration efforts to the contactless back end.

          For them to complete the migration, they’ll need to support railcards on the contactless system. Although exactly how they’ll do that I have no idea. But either way the capabilities of the two different systems continue to diverge, and that’s going to rapidly become unsustainable.

          > The physical infrastructure, like the gatelines, are all still controlled by Cubic as well.

          Sure, but so what? I don’t think TfL should be getting into the game of building and running their own barriers, there’s no point. It would be like expecting TfL to build and run all their own trains. They’re much better off contracting that work out to other companies that specialise in that work.

          The only reason why TfL built its own contactless system was because there was simply no commercial offering out there that met their needs. Ticketing is probably one of TfL’s most important skills, and part of building the contactless system involved negotiating with Mastercard and Visa to introduce specific new features into all card systems and contracts to support transport ticketing. Something which every other transport system in the world that also supports contactless payments has directly benefited from.

          • inferiorhuman a day ago

            SMS is the de facto standard for MFA. Everyone's favorite ISP darling Sonic recently enabled SMS MFA on all accounts with no warning. Pretty much every financial institution I deal with offers SMS MFA (few offer any way to disable it). Retailers like Home Depot eschewed passwords in favor of SMS OTP.

            I wish it weren't so, but that's just how things are these days.

            • paulryanrogers a day ago

              SMS MFA is better than no MFA. SMS as SFA is bad since it's easily spoofed.

              • ikekkdcjkfke a day ago

                SMS MFA is usually used to reset password so it's almost always de facto SFA. Recent Veritasium video says overtaking anyone's phone number costs just hundreds of dollars.

        • Etheryte a day ago

          Not familiar with this particular system, but if the issue is that their whole webapp is pwnable spaghetti, then I doubt it's gonna come back online anytime soon. Those types of issues are usually endemic and no amount of whack-a-mole will fix it.

          • bugtodiffer a day ago

            Really depends on the devs. I've seen it go both ways. But you are right, most retests I have done after the pentest issues were fixed are weird. They actively engineer around our suggested fixes instead of actually doing the work they are told to do.

            • fidotron a day ago

              > I think there's a growing problem with digital competency in some of these organisations. TfL in particular have not kept up with the times, and their once revolutionary ticketing infrastructure and software (I say "their", but it's really all just outsourced to Cubic, there's very little in-house expertise or day-to-day ownership when it comes to this stuff) feels quite dated now.

              I've noticed this too. Tend to visit the UK annually or so over the last 15 years and the general quality of the machine interfaces goes down over time. The good ones are almost no different from how they were in 2005.

              The part they have improved on is the contactless integration with phones which does just work so dramatically reducing the need to use the rest.

              • matt-p a day ago

                "worse" doesn't ring true, they have really just stayed the same. IMO this is fine, as I've not needed to use a machine in a year or two. You buy rail tickets on your phone with QR code tickets and tap in and out of TFL with your choice of phone/watch/card/oyster. We don't need to revamp the buying a physical ticket machines, why? Who do they serve, only really tourists who don't know they just need to use thier card to tap in or use a website or app to buy either QR code or pick up train tickets.

                • fidotron a day ago

                  No, they are absolutely worse. I can still recall the GWR machines glitching out by themselves on my last visit, even without anyone near them. The absence of quality control was immediately obvious.

                  The other thing that is obvious is the attention to detail in signage has declined. The electronic displays on the Elizabeth Line are flat out amateurish.

                  I can understand how if you live there you wouldn’t notice as it is like the boiling frog.

                  • matt-p a day ago

                    Oh yes, to be fair those are bad - they're the ones where they've removed the physical keyboard if I remember correctly.

                    Elizabeth Line - the move to LCD screens was probably a move to make it feel more modern, no doubt at great cost. I never really have an issue with them though, maybe boiling a frog thing :)

              • switch007 a day ago

                There's a slight perverse incentive in that not having access to Contactless history makes it harder for the customer to see overcharging and to make claims for a refund.

                • avianlyric a day ago

                  The TfL contactless system doesn’t generally overcharge, as long as you properly tap-in and tap-out.

                  The system as a whole seems to be designed to prevent overcharging at all costs. In situations where it is ambiguous what you should be charged (there’s a number of interesting edge-cases), the system always charges you the lowest possible amount. Even in the event of user error (such as forgetting to tap-out), the system does its best to guess what you did, such as looking at your history and assuming you meant to tap out at a station you normally use, or looking for a station where the gates were left open (due to a major event, overcrowding concern, evacuation etc), and assuming you left the system there.

                  The contactless system is substantially more capable for handling these issues correctly, and generally better at charging less, than the older Oyster system.

                  • reddalo a day ago

                    > In situations where is ambiguous what you should be charged (there’s a number of interesting edge-cases)

                    I'm very curious to know more about those edge cases.

                    • avianlyric a day ago

                      There are some interesting issues with the old Oyster system when handling certain routes that involve out of station interchanges.

                      Out of station interchanges effectively make two sets of barriers behave like they’re part of the same physical station, allowing you to temporarily exit the system, re-enter, but only get charged once, as if you never exited the system at all.

                      On the old Oyster system this plays very badly with how the system handles you tapping in and out at the same station, at the start and end of a single journey. The Oyster system assumes that you’ve made two trips, and not tapped out one way, and not tapped in the other way, and thus charges you two maximum fares. Normally this isn’t an issue, but with out-of-station interchanges, it’s possible for you to make a journey, leave the station, re-enter the station 20-30 mins later, for your return journey (say you went to pick something up, and then went straight home), get caught within the out-of-station interchange, which effectively connects your return journey with your outbound journey. On the Oyster system, the out-of-station interchange is implemented by the re-entry barrier basically updating your card so it looks like you never left the system at all, as a consequence, when you tap out at your home station, the tap-out barrier thinks you’ve made two trips without properly tapping in and out, and charges you two maximum fares.

                      With the contactless system, every single tap in and out is recorded by the barriers in their backend system, and an end of day batch system then looks at all of your tap ins and outs, and computes your final fare. Because it can see every single tap, it’s capable of recognising that you made two legitimate journeys, that shouldn’t be linked by the out of station interchange, and thus charge you two correct fares. Unlike the Oyster system, which has to make fare charging decisions at each tap, and due to limited memory on the card, can’t accurately track every single tap, as a result it has to be more aggressive in its fare calculation approach, otherwise it would be trivial to exploit its limitations to defraud TfL.

                      Although even the Oyster system will try and correct these issues. There are batch jobs that run on all the uploaded tap data collected by the barriers themselves, and those jobs do their best to try and spot errors like this, and perform automatic refunds. But it’s harder to perform those refunds because somehow the system has to get the data onto the physical Oyster card, which means uploading the patch into the barriers the system thinks you’re likely to use, so your card can be patched on the tap there.
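A toy model of the out-of-station-interchange (OSI) failure mode described in the comment above, added here as an illustration and not TfL's or Cubic's code: the station names, fares, the OSI pair, the 30-minute window and the back end's "never link a journey back to its own origin" rule are all assumptions constructed for the example. It contrasts the per-tap stateful card logic with the end-of-day batch computation on the full tap record.

```python
"""Toy model of the out-of-station-interchange (OSI) problem described above.

Constructed for illustration: station names, fares, the OSI pair, the
30-minute window and the back end's linking rule are all assumptions,
not TfL's or Cubic's real logic.
"""
from dataclasses import dataclass

MAX_FARE = 9.20                 # assumed penalty fare for an incomplete journey
FARE = {                        # assumed fares, (origin, destination) -> price
    ("HOME", "SHOP"): 2.80,
    ("SHOP_NR", "HOME"): 2.80,
    ("HOME", "WORK"): 3.50,
}
OSI_PAIRS = {("SHOP", "SHOP_NR")}   # exit at SHOP then enter at SHOP_NR = one station
OSI_WINDOW_MIN = 30


@dataclass(frozen=True)
class Tap:
    minute: int     # minutes since midnight
    station: str
    kind: str       # "in" or "out"


def is_osi(exit_station, entry_station):
    return (exit_station, entry_station) in OSI_PAIRS


def oyster_card_fares(taps):
    """Per-tap, stateful logic: the card only remembers its current entry and
    the exit that preceded it, so every charging decision uses that alone."""
    charges = []
    entry = None        # Tap the card believes opened the current journey
    last_exit = None    # (exit Tap, entry Tap that the exit closed)
    for t in taps:
        if t.kind == "in":
            if entry is not None:
                charges.append(MAX_FARE)   # entered twice: previous trip incomplete
            if (last_exit and is_osi(last_exit[0].station, t.station)
                    and t.minute - last_exit[0].minute <= OSI_WINDOW_MIN):
                charges.pop()              # OSI: refund the exit fare and rewrite
                entry = last_exit[1]       # the card as if that exit never happened
            else:
                entry = t
            last_exit = None
        else:
            if entry is None:
                charges.append(MAX_FARE)
            elif entry.station == t.station:
                charges += [MAX_FARE, MAX_FARE]   # same station in/out: two unfinished trips
            else:
                charges.append(FARE[(entry.station, t.station)])
            last_exit = (t, entry)
            entry = None
    return charges


def backend_fares(taps):
    """End-of-day batch logic with the full tap record. Assumed rule: an OSI is
    only applied when the combined journey would not end at its own origin."""
    legs, entry = [], None
    for t in taps:
        if t.kind == "in":
            if entry is not None:
                legs.append((entry, None))
            entry = t
        else:
            legs.append((entry, t))
            entry = None
    if entry is not None:
        legs.append((entry, None))

    journeys = []
    for cur_in, cur_out in legs:
        if journeys:
            prev_in, prev_out = journeys[-1]
            if (prev_in and prev_out and cur_in
                    and is_osi(prev_out.station, cur_in.station)
                    and cur_in.minute - prev_out.minute <= OSI_WINDOW_MIN
                    and not (cur_out and cur_out.station == prev_in.station)):
                journeys[-1] = (prev_in, cur_out)   # genuine interchange: merge legs
                continue
        journeys.append((cur_in, cur_out))
    return [fare_for(j_in, j_out) for j_in, j_out in journeys]


def fare_for(j_in, j_out):
    if j_in is None or j_out is None or j_in.station == j_out.station:
        return MAX_FARE
    return FARE[(j_in.station, j_out.station)]


# Constructed sample days (times are minutes since midnight).
ROUND_TRIP = [Tap(540, "HOME", "in"), Tap(560, "SHOP", "out"),
              Tap(585, "SHOP_NR", "in"), Tap(605, "HOME", "out")]
GENUINE_OSI = [Tap(540, "HOME", "in"), Tap(560, "SHOP", "out"),
               Tap(570, "SHOP_NR", "in"), Tap(600, "WORK", "out")]

if __name__ == "__main__":
    print("round trip  card:", oyster_card_fares(ROUND_TRIP), "back end:", backend_fares(ROUND_TRIP))
    print("genuine OSI card:", oyster_card_fares(GENUINE_OSI), "back end:", backend_fares(GENUINE_OSI))
```

On the round trip the card logic ends up with two maximum fares while the batch logic, seeing both legs, charges two ordinary fares; on the genuine interchange both agree.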

                    • switch007 a day ago

                      I know it's designed quite well and operates mostly without error but TfL as a whole is not perfect

                      > as long as you properly tap-in and tap-out

                      And this is far from straightforward everywhere. E.g. Waterloo & City at Waterloo and its lack of barriers

                      Some believe Waterloo is actually a long-standing money-maker for TfL ...

                      > The system as a whole seems to be designed to prevent overcharging at all costs

                      But not the physical UX

                      • avianlyric a day ago

                        > And this is far from straight forward everywhere. E.g. Waterloo & City at Waterloo and its lack of barriers

                        Lack of barriers is to prevent overcrowding, and maximise passenger flow at one of the busiest stations in London. If you use that link regularly, then you don’t actually need to tap out at all. The contactless system will spot the missing tap-out, and automatically add a virtual tap-out for you at the end of the day.

                        > But not the physical UX

                        Including the physical UX. Lack of barriers is the exception, not the rule. If the physical UX wasn’t designed to prevent overcharging, then TfL wouldn’t bother installing so many purple interchange readers around the system, and keep reminding people to use them. The only purpose of those readers is to allow people to get a lower fare by demonstrating they’ve avoided zone 1.

                      • grues-dinner a day ago

                        > In situations where it is ambiguous what you should be charged (there’s a number of interesting edge-cases), the system always charges you the lowest possible amount.

                        Not always, you can still be charged a Zone 1 fare if you don't use a pink route validator to prove that you went around the outside of Zone 1.

                        • lol768 a day ago

                          > The TfL contactless system doesn’t generally overcharge, as long as you properly tap-in and tap-out.

                          > The contactless system is substantially more capable for handling these issues correctly, and generally better at charging less, than the older Oyster system.

                          Nonsense, everyone with a railcard is routinely overcharged, by design.

                          • avianlyric a day ago

                            You’re talking about something completely different. The fact that the contactless system doesn’t support railcards doesn’t change the fact that it’s much better at performing the core task of computing people’s movements through TfL’s systems, and charging the correct amount.

                            The Oyster system is fundamentally limited by its use of stored values on the physical cards, making it hard for the system to correctly issue retroactive refunds. TfL does its best to automate this, if you regularly use the same station, but it’s an imperfect system.

                            TfL have long acknowledged the issue with railcards, and not supporting them on contactless is hardly “by design”. It’s substantially harder to support railcards, and perform correct enforcement of them, with contactless cards. There’s no way of meaningfully marking a contactless card as being paired with a railcard, which would allow ticket inspectors to actually know that when performing enforcement. It would become trivial for people to defraud TfL using railcards, if there was no mechanism for allowing spot checks on people travelling.

                            To make the argument that not supporting railcards is “by design”, you also need to explain why TfL accept railcards on the Oyster system. TfL are under no obligation whatsoever to support national railcards. So if the lack of support for railcards on contactless was a revenue maximisation choice, why don’t they just get rid of the railcard discount entirely?

                            • lol768 a day ago

                              > It’s substantially harder to support railcards, and perform correct enforcement of them, with contactless cards. There’s no way of meaningfully marking a contactless card as being paired with a railcard, which would allow ticket inspectors to actually know that when performing enforcement. It would be come trivial for people to defraud TfL using railcards, if there was no mechanism for allowing spot checks on people travelling.

                              I'm not sure I buy this. Aren't TfL given privileged access to be able to retrieve back the FPAN (or if not that, a customer-specific Payment Account Reference, as defined by EMVCo)? If they weren't, the Contactless travel history portal wouldn't be able to display journeys undertaken using Apple/Google Pay - and yet this use case does work, so clearly there is a capability to associate payments made using different DPANs and the underlying physical card and to recognise those transactions as belonging to a single customer.

                              Subsequently, there is clearly a customer-specific identifier that TfL could, if it desired to do so, tie together with a record which states the customer owns a railcard (after validating the railcard number using the National Rail API).

                              Why do you think RID2 wouldn't be able to ask a server to check this at inspection time?

                              • avianlyric a day ago

                                > Aren't TfL given privileged access to be able to retrieve back the FPAN

                                Yes they are.

                                > Why do you think RID2 wouldn't be able to ask a server to check this at inspection time?

                                I don’t. But RID2 is brand new, and they only finished the complete rollout last year. I don’t know why you expect TfL to immediately start supporting railcards, and it doesn’t change the fact that for the majority of the time that TfL has supported contactless, it’s not been possible for them to validate railcard association with their original RID.

                                Nothing you’ve said in any way supports your original assertion that TfL’s contactless system was deliberately designed to not support railcards, and certainly doesn’t support your implied assertion that TfL doesn’t support railcards on contactless for nefarious purposes, as opposed to simply not having the technology developed.

                                • lol768 a day ago

                                  > Yes they are.

                                  Right, so when you said "there’s no way of meaningfully marking a contactless card as being paired with a railcard", there was nothing of substance to actually support that assertion.

                                  What you've proven to me is that TfL are in exactly the position where they could deliver this if they wanted to and put their minds to it, but it nonetheless hasn't happened. Just like Oval (how late is that now?)

                                  I am quite cynical about TfL, yes, and suspect that they just see this as likely to cause a financial hit when it comes to revenue, which is probably why it hasn't been prioritised. The status quo is a convenient one. I'm sure it'll happen one day when the tech debt of Oyster forces it to happen, but it won't be done proactively for passenger benefit.

                                  • avianlyric a day ago

                                    > Right, so when you said "there’s no way of meaningfully marking a contactless card as being paired with a railcard", there was nothing of substance to actually support that assertion.

                                    Yes there is, if you bother to actually read my comment, you’ll note I was referring to the ability to store the railcard flag on the actual card, so it’s easy for the RID to know if a person is travelling with a discount.

                                    > What you've proven to me is that TfL are in exactly the position where they could deliver this if they wanted to and put their minds to it, but it nonetheless hasn't happened.

                                    Well that’s simply not true[1]. Also you might have been aware of a recent global pandemic that occurred, and completely flattened TfL’s finances, and has basically forced them to abandon any future looking projects, and focus on just keeping the lights on. You seem to expect an awful lot from a transport agency that just spent 3 years fighting for its own survival, while central government did everything in its power to destroy it.

                                    > I am quite cynical about TfL, yes, and suspect that they just see this as likely to cause a financial hit when it comes to revenue, which is probably why it hasn't been prioritised. The status quo is a convenient one. I'm sure it'll happen one day when the tech debt of Oyster forces it to happen, but it won't be done proactively for passenger benefit.

                                    That’s unfortunate, but it says more about you, than it does about TfL. Go and spend any serious amount of time in any other major city, and you’ll be much more grateful for what TfL provides. Even more so when you realise that TfL is the only transit agency in the developed world that is inexplicably required to cover all its costs from the fare box and advertising. Even the US, a country notorious for its strong cultural dislike of public transit, provides more government support to its transit agencies than the UK does to TfL.

                                    [1] https://www.ianvisits.co.uk/articles/more-railway-stations-a...

                                    • lol768 18 hours ago

                                      The link you've provided (August 2024) pre-dates TfL's announcement of an indefinite delay to Oval Phase 1 [1] which was originally scheduled to happen by the end of 2022.

                                      The switch-on did not happen on September 22nd, 2024 - and the previous date in March was also missed.

                                      [1] https://x.com/c2c_rail/status/1834254076151832814

                                      • avianlyric 16 hours ago

                                        Are you trying to suggest that TfL are using a cyber attack as cover to permanently cancel Oval?

                                        Also, once again you seem to have forgotten that COVID happened 2020-2022. Are you also trying to seriously suggest that TfL pausing all non-essential services and projects during a pandemic was a nefarious act to avoid rolling out project Oval, and by extension avoid having to support railcards on contactless transactions?

                                        You honestly don’t seem to have any real grasp of how long projects like Oval actually take to implement. A large transport project overrunning deadlines by a few years is hardly unusual. It’s certainly no evidence of some grand conspiracy to avoid supporting railcards (which again, TfL are under no obligation to support anyway).

                                        • lol768 3 hours ago

                                          > Are you trying to suggest that TfL are using are a cyber attack as cover to permanently cancel Oval?

                                          I'm suggesting it likely would've been delayed anyway, based on how the project was going prior to the cyber attack, and the cyber attack is the latest convenient reason for it not being rolled out according to the (already behind) schedule.

                                          It's not just Oval, it very much appears from an external perspective that most projects that TfL touch don't get done on time or completed to the promised standard. There are countless examples, the 4G/5G coverage rollout on the underground is yet another: https://www.railforums.co.uk/threads/lu-elizabeth-line-4g-up...

                                          It's tiresome to see this repeatedly happening.

                                          > You honestly don’t seem to have any real grasp of how long projects like Oval actually take to implement

                                          I don't think the timeframes in the original tender were that unrealistic, and to be clear, the tender was published well after the lifting of the Covid-19 lockdown restrictions in the UK. If TfL didn't think those timescales were realistic, it shouldn't have bid for the contract.

                                          What I have heard are - if true - some truly ridiculous stories (manual fares data entry, instead of automated ingest of the NR fares data, which already has all of the PAYG fares) about how this is being implemented, which would explain a lot about some of the reasons behind the delays if correct. It's certainly not the fault of the TOCs involved, that's for sure.

                            • bmsleight_ a day ago

                              Any facts to back up this assumption?

                              "TfL said the amount refunded equated to less than 0.001% of annual fare £3bn revenue collected via pay as you go with contactless."

                              • lol768 a day ago

                                It's not an assumption. If you have a railcard, you cannot associate it with a contactless card. That's just not a supported task. Therefore if you travel off-peak, you will be charged more than you would if you had used an Oyster card because you will be charged the public rate instead of the discounted fare you were actually entitled to pay. It's very simple.

                                https://tfl.gov.uk/fares/free-and-discounted-travel/national...

                                • switch007 a day ago

                                  Another reason to use Oyster (in addition to the fact that people can access their Oyster history currently, it's just Contactless that can't AIUI)

                        • 0xDEAFBEAD a day ago

                          I imagine big tech companies and startups in the UK pay better salaries, and are better at evaluating talent. That creates adverse selection in the remaining employee pool, which the public sector is fishing in. Same as in the US.

                          What puzzles me is how Estonia managed to avoid this problem. https://www.youtube.com/watch?v=I5krZBe0Dck

                          • matt-p a day ago

                            The theory is right, but in practice none of this is really run by the public sector; anything remotely difficult is just contracted out to the private sector and they go with basically the cheapest bid from a "big" company. In this case it's telent and they probably just bought a captive portal product (the cheapest, of course ;)) and it got hacked.

                            • matt-p a day ago

                              I'm just thinking about this. If they were to give it to a "public sector" style org who would it be?

                              It would be interesting just to give the job to Jisc actually, eduroam at all mainline stations and for normal users a captive portal w/wpa3 for first time registration/use then option of kicking you to 802.11x would be a fine solution and one they're enormously experienced at.

                              Another option is giving it to TFL to run or some kind of joint procurement with them as TFL for whatever reason are vastly more agile and competent than National Rail.

                              Final option: GDS get involved and come up with a standard solution, open source of course and managed in house.

                            • lol768 a day ago

                              I'd agree with this. At some point in the past, a final-salary defined benefit pension and the job security may have gone some way to levelling the playing field a bit.

                            • ifwinterco a day ago

                              Even before that cyberattack I was never able to get TfL online services working properly.

                              Luckily it's not needed, you can just buy an Oyster from a corner shop and top it up at the machines in the station (all with cash if you're concerned about privacy, which is nice).

                              • KaiserPro a day ago

                                The level of advancement isn't the issue here.

                                What happened is that some kid phoned up helpdesk and said they were x and they had lost their phone, can you please help me to reset my password and 2fa (because the phone was nicked, it's standard operating procedure, right?)

                                From there they managed to SSO into critical shit.

                                Now, they've had to reset _everyone's_ password and 2fa (after an ID check)

                                They also now need to go through _everything_ to make sure there aren't any backdoors, boobytraps or any unknown exfiltration events.

                                that shit is _hard_, even harder for a safety critical place like TFL. They have something like 40k employees, and a whole bunch of disparate systems.

                                • jamessb a day ago

                                  > What happened is that some kid phoned up helpdesk and said they were x and they had lost their phone, can you please help me to reset my password and 2fa (because the phone was nicked, it's standard operating procedure, right?)

                                  Do you have a source for this?

                                • lol768 a day ago

                                  > What happened is that some kid phoned up helpdesk and said they were x and they had lost their phone, can you please help me to reset my password and 2fa (because the phone was nicked, it's standard operating procedure, right?)

                                  Then the policies that they had in place for these eventualities were insufficient.

                                  > From there they managed to SSO into critical shit.

                                  We're all speculating here without many details of what actually happened, but the questions I'd be asking are:

                                  - Was the person whose account was compromised somebody that needed to routinely have access to Oyster card refund information?

                                  - Was the person whose account was compromised somebody that needed to routinely have access to Oyster card refund information for a handful of customers, as part of working in a support role?

                                  - Was the person whose account was compromised somebody that needed to have access to Oyster card refund for five thousand distinct customers, accessed in a very short timeframe? Why didn't security controls exist that prevented exfiltration of those volumes of data?

                                  - Why were TfL directly storing bank account details in the first place when there are better-equipped partners who have experience securing data that could have handled this?

                                  - Why is TfL so awful at providing Oyster refunds in the first place? They could very easily make it so you could get refunds back onto a Debit/Credit card (without needing to store the PAN), but instead the only options they give you are bank account/sort code (which have to be given over the phone) or back onto the Oyster card - needing to be physically collected within 3 to 4 days or the refund gets "lost" - completely useless if you don't live in London.

                                  > that shit is _hard_, even harder for a safety critical place like TFL. They have something like 40k employees, and a whole bunch of disparate systems.

                                  I don't care, it's not good enough. Everybody in London has no choice but to share some amounts of data with TfL if they want to use the transport system. They've shown they're incompetent time and time again. They can't do the work they've committed to do on-time either, and we pay them shedloads of public funds for this level of service.

                                  • switch007 a day ago

                                    > They could very easily make it so you could get refunds back onto a Debit/Credit card (without needing to store the PAN), but instead the only options they give you are bank account/sort code (which have to be given over the phone) or back onto the Oyster card - needing to be physically collected within 3 to 4 days or the refund gets "lost" - completely useless if you don't live in London.

                                    Absolutely this.

                                    The reply sounds quite harsh and angry towards TfL, but people pay A LOT of money for the system. It is the most expensive metro system in the world. Expectations are understandably high.

                              • gaiagraphia a day ago

                                >London Euston, Manchester Piccadilly and Birmingham New Street among those targeted with terrorism message

                                Makes it sound like the message itself was 'terrorist'. I also abhor the fact that we're never trusted with being able to see the actual source content. We MUST be told what we should think about it by 3rd parties.

                                • cpcallen a day ago

                                  Indeed, the headline is… technically accurate but seems clearly designed to mislead. The article body is a bit more clear:

                                  > The Manchester Evening News reported that passengers accessing the wifi at Piccadilly station were directed to a webpage titled “we love you, Europe”, which contained Islamophobic messages and details of several terrorist attacks that have taken place in the UK and in Europe.

                                  I think "[Stations] among those targeted with Islamophobic message" would have been a more informative wording.

                                • casenmgreen a day ago

                                  Major UK train stations have turned off their wifi?

                                  Should result in slightly improved performance :-P

                                  (Actually, to be fair, some of those stations have working and viable wifi. Only some have wifi where connection simply doesn't work - and by this I mean consistently over a couple of years.)

                                  • ta1243 a day ago

                                    It's extremely rare that I use public wifi - there are a couple of places where phone signal doesn't work and I want/need some internet (underground, planes, actually on board the trains, some cafes etc), but at major stations? It's not like they offer wifi at stations where there's no phone signal (and if they did, it would be better all round for the phone companies to offer 4G service instead).

                                    What is the value proposition for wifi at stations?

                                    • ljf a day ago

                                      I'd guess there are still a subset of people with very limited data plans, or who don't have plans at all and use tablets or laptops.

                                      If you can offload an amount of those people from asking your staff questions about train times and connections and get them checking online instead, I would guess that could be a cost saving?

                                      I suppose it is also something that helps make the train more appealing than other forms of transport. If I know I can turn up 30 mins early and get some work done (or just browse the web), then that helps cement the train as a nicer way to travel compared to a bus, or even a car, where you cannot work at all if you are the driver.

                                      • miki123211 a day ago

                                        Also tourists, of which there are plenty in London. Roaming is expensive.

                                        Especially nowadays, with Britain out of the EU and "roam like at home" policies no longer in effect.

                                        • timoth a day ago

                                          > Especially nowadays, with Britain out of the EU and "roam like at home" policies no longer in effect.

                                          I thought they were generally still in effect. The multiple UK and non-UK networks I'm aware of still allow free roaming across UK and EU etc.

                                      • matt-p a day ago

                                        Tourism - and if you've run out of roaming data or are being charged per MB then it's actually very useful.

                                        We need a better way of doing it though; this unauthenticated network with a captive portal running on some embedded device or some PHP on a cloud server somewhere is total junk.

                                        There is wifi that is authed via your mobile provider on TfL (now mostly redundant as lines now have 4G/5G), but I think it's actually also piped back to your mobile provider and usage comes out of your allowance if you've got one. What if we were able to do the auth step via SIM (so we know who is on the network if there's bad traffic) but terminated the traffic ourselves (i.e. it doesn't come out of your mobile allowance or get piped to them in the first place)?

                                        • ta1243 a day ago

                                          Not a technical problem. The technical solution is 4G.

                                          It's a financial consideration - mobile companies charge what they think people will pay. You can't have a technical solution to that.

                                        • logifail a day ago

                                          Visitors to the UK might be charged roaming fees by their foreign mobile provider.

                                        • gadders a day ago

                                          The underground platform wifi from mobile companies seems better than main London terminal "Free Station Wifi".

                                          On train wifi is bad every time I've tried it.

                                          • matt-p a day ago

                                            The issue with on-train wifi is the companies see it as a pure cost centre and aren't incentivised to provide a quality product there. Some have even turned it off!

                                            The on-train hardware is usually half decent, but they typically go with the cheapest tender for the operation of it.

                                            This is the kind of BS you get when you have private companies run parts of your infrastructure. Imagine the productivity gain of millions of journeys where users can reliably access fast internet. In most cases stumping up for a quality multi-SIM provider, maybe a 5G upgrade and a decent bandwidth allowance and support would get you most of the way to that. WCML for example already has really decent coverage on my phone doing tethering, but somehow onboard wifi is unusable, despite the train having multi-SIM multi-radio hardware and special external antennas.

                                            • philjohn a day ago

                                              And on parts of the Northern Line (between Euston and Charing Cross) there's now even 5G down there.

                                              • gadders a day ago

                                                Yeah. I get better cellular reception on the Jubilee Line than I do on South Eastern trains.

                                          • tetris11 a day ago

                                            Where are these teens learning these easy hacks from? I say easy because the police seem to have no problem tracking them down after the incident, hinting at a degree of sloppiness in covering their tracks.

                                            • Trab3n a day ago

                                              You can buy/sell or copy/paste loads of different scripts and stuff from loads of different places.

                                              It could be as simple as they found a single way in, dropped some ransomware and left. Never covered their tracks, used a VPN, and so the IP address went straight to their address.

                                              • erinaceousjones a day ago

                                                Teenagers are inherently reckless, but arguably can have lots of technical experience/knowledge by the time they're 17. If you've been messing with computers as a hobby and a passion since you were 11, you already have ~6 years of self directed experience, and a bunch of free time outside of school (and if you're a smart kid, inside of school too, winging classes and skipping homework).

                                                Where teens fall down is their own overconfidence / arrogance / hubris / doing things impulsively, or generally just not considering (or possibly even comprehending) the full impact or risk of stuff they are doing. Like, understanding the technical side really well, but with a severely impaired frontal lobe.

                                                So I feel it's a bit of a disservice to say it's "kids doing easy hacks". Without extra context we don't know what exploits they used or what they discovered. Could've been something easy and well known, could've discovered something novel.

                                                I think the 17yo in question was indeed arrogant and I don't agree with their politics and I think it's unfortunate they've been indoctrinated by the right wing, but I would argue that they're probably pretty technically competent and motivated and I hope later on in life it serves them well and they make a whitehat career out of it.

                                                • faangguyindia a day ago

                                                  I've seen many people using LLM autohackers.

                                                  Basically provide a system interpreter for LLM to run all hack functions on and off you go.

                                                  • bugtodiffer a day ago

                                                    Please give me a link, I highly doubt that.

                                                  • blueflow a day ago

                                                    There are easily usable apps that do ARP spoofing and render your own HTTP replies.

                                                    • potato3732842 a day ago

                                                      Doctoring web requests with Burp and the like in order to circumvent arbitrary input restrictions on the client side is an absolute godsend when dealing with crappy web forms, legacy software, etc.

                                                    • lmpdev a day ago

                                                      If it’s anything like it was 10-15 years ago, YouTube.

                                                      • potato3732842 a day ago

                                                        These days they can use ChatGPT and whatnot to track down all the pesky errors and omissions you encounter when trying to use those guides on anything but the exact setting the person making the guide is showcasing in their example.

                                                        But yeah, script kiddies learn their skills online, same as it's always been.

                                                    • naich a day ago

                                                      There seems to me to be a lot of misplaced trust involved in connecting to wifi networks. It's easy to set up your own public AP, and why not call it "Network Rail Free Wifi" or something?

                                                      https://naich.net/wordpress/index.php/abusing-public-wifi-ac...

                                                      • Havoc a day ago

                                                        On the UK TfL ones it's phone-carrier configured and authenticated. You don't select it like a normal wifi point.

                                                        • matt-p a day ago

                                                          Yes, but at mainline stations it's captive-portal open wifi. I think it literally is called Network Rail Free Wifi or something.

                                                      • hcfman a day ago

                                                        Phew! Someone is lucky they are not liable via the CRA.

                                                        • maxehmookau a day ago

                                                          Does anybody in the UK ever use the free wifi at stations? It never works anyway.

                                                          • Havoc a day ago

                                                            Yeah, I use it every day. Slightly slower browsing but totally usable.

                                                            Vodafone, though I see there is a BT-managed wifi on my phone too. Not sure which one it actually uses since it's automatic.

                                                          • foolofat00k a day ago

                                                            Once again, the UK gov refuses to pay more than like 30k a year for engineers and then plays shocked Pikachu when things aren't done properly.

                                                            • zizicat a day ago

                                                              [flagged]

                                                              • matt-p a day ago

                                                                Sorry are you advocating death as punishment for hacking a captive portal?

                                                                • zizicat a day ago

                                                                  No, obviously not! The last case was a horrible accident! Death for a piece of bacon does not belong in a civilized society!

                                                                  I just hope this hacker gets put into a high security prison, and every inmate finds out what they did! Stunts like this are a threat to our democracy!

                                                                • blueflow a day ago

                                                                  Provided they are an adult and can go to adult jail.

                                                                  • undefined a day ago

                                                                    [deleted]

                                                                    • ifwinterco a day ago

                                                                      Going to Feltham YOI is 10x worse than going to adult jail