I didn’t make it to Brickvention this year, but Adrian O’Hagan did, and sent me this photo. It’s a Lego Myki reader… and on the back of it is a Metcard reader.
Adrian says when a Myki card was presented it beeped and displayed a balance (which may or may not have been the real balance; I’m assuming all the information on the card is encrypted). The Metcard version would take a presented Metcard, pretend to read it and then spit it back out again, just like in real life.
Adrian notes: “ironically the metcard worked without a hitch, but the myki was a bit buggy. Not sure if that was by design or not ;-)”
Beatlemania sweeps the world. Shortly afterwards, electronics companies devise a fifty year plan to get people to buy all their favourite music many times over, by introducing new recorded music technology every decade. This works until the 1990s, when, due to a tactical miscalculation, everyone is perfectly happy with their CDs.
I guess the joke’s on me.
Love the advert, by the way… but I’m resisting. My CDs, some going back to the late-80s, all still work (though I admit getting suckered into upgrading to the remastered Abbey Road a couple of years back).
(This could have gone to Geek Rant, but it’s not overly technical…)
Some stupid web site stuff, that would be easy to fix/avoid, that bugs me:
When you click to watch an online video, and the player shows you the video advert, but then stops working when it comes to play the actual thing you wanted to watch. (The Age and Channel 7's site seem to do this to me a lot of the time.)
When you click to zoom on a picture, and it pops up another copy of the picture that’s the same size (or even smaller).
When the site is all written in Flash or some other method that makes it look like crap or not appear at all on some devices such as mobiles, or non-Internet Explorer browsers (despite most other sites working fine) and also gives it non-standard navigation such as scroll bars, and causes it not to be indexed by search engines. (Example: Game Traders)
Articles on a site that have no URL of their own so you can’t share/tweet/cite them properly. (Example: the “Myki tips” article currently on the Myki web site)
404 pages that wipe out the URL you were trying to get to, so you can’t see what you got wrong. (There’s no reason for this. It’s perfectly possible to set up a web site with an informative 404 page that doesn’t remove the URL.)
Clicking on a link that goes to another page on the same site, and it opens in a new window… repeatedly, as you navigate around the one site.
Search field that wisely shows you what you searched for when you see the results, but then clears itself when you go click on it to change it slightly and search again. (Example: Lasoo)
A gallery of photos where it claims you’re on Picture 9 of 10, but (every time) the 10th/last page turns out to be an ad for something else. (Example: Any News Limited photo gallery)
What bugs you?
Some people got just a little too hysterical last week when news of a security vulnerability in Myki came out.
The story broke on Monday, but it wasn’t until Wednesday that the mainstream media got hold of it, with the Melbourne Times running it first, spreading rapidly to The Age, AAP, 3AW and others — and along the way a good deal of misinformation came into play:
MORE than 1.1 million Myki cards are set to be phased out as hackers have found a method of cloning the tickets.
Two problems with this:
They weren’t hackers. “Hackers” implies bad guys sitting in darkened rooms trying to find a way to defraud the system.
They were actually scientists at a German university, doing cryptography research — what some refer to as “white hats”. They did the right thing and told the card manufacturers (NXP) about the problem some six months before publishing their results:
In April 2011 the University of Bochum, Germany, informed NXP that their cryptographic research group, led by Professor Paar, had successfully attacked the MF3ICD40. The research group also informed us of their intent to publish the attack at the annual Workshop on Cryptographic Hardware and Embedded Systems (CHES), held September 28 to October 1 2011.
What some of the reporting also missed is that it’s not a simple task to perform the hack and clone a card. It requires some sophisticated (and expensive; apparently costing $3000 or more) equipment and many hours of processing. It’s highly unlikely that in the short term, anybody will do it “in the wild”.
It’s possible the technology will get cheaper and more available, of course… that’s the nature of tech. But it’s specialised equipment that doesn’t work quite along the lines of Moore’s Law — it’s hard to conceive that within the next few years, high-end oscilloscopes will be common or cheap.
And it’s worth noting here that the earlier version of the same card, “Mifare Classic”, used in some systems including (until recently) the Transport for London network (eg Oyster card), Brisbane and elsewhere, got hacked many years ago, but these networks have not been subject to widespread fraud. In fact, a quick search around the place shows reported instances of it are very difficult to find.
Of course, it’s probable that authorities would be reluctant to make such fraud public if the offenders are not caught. Still, it doesn’t seem that fraudulent cards are common.
Putting the boot in
Among those putting the boot into Myki was regular Myki-kicker David Heath, in another of his “comment-disguised-as-journalism” pieces for IT Wire:
Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it. All fine (although a tiny bit crazy) thus far. Next, you clone the card 1,000 times and sell the clones for $200 each.
iTWire has reported extensively on the whole Myki saga on numerous occasions. Through all this history, virtually nothing positive has come out of the entire project. We have seen function contraction, cost blow-out and foolishness time and time again.
– IT Wire
Now I’m all for kicking Myki when it deserves it (heaven knows I’ve done it often enough myself). But surely anybody writing in IT must realise by now that it’s here to stay, that most of the people currently using it actually don’t mind using it, and that we’re way past the point of scrapping it and buying Oyster instead.
More importantly, a little research and rational thinking wouldn’t have gone astray here.
Firstly, you can’t load $1000 onto a Myki card. They have a limit of $999.
Secondly, it should be fairly obvious that any ticketing system with a little basic security will have safeguards against something like lots of copies of the same card being used around the system. As soon as the fraud was detected, that card number would be blocked for travel (as already happens when a card is reported lost or stolen).
Thirdly, who with a little common sense would buy a dodgy card for that amount of money? Would you even pay $100? $50? Would you buy one at all, knowing the chances of it being detected and blocked, and worse (for you), that the ticketholder might well be caught and prosecuted? Would these theoretical criminals ever get their thousands of dollars of investment money back?
Surely punters aren’t that gullible. Hardcore fare evaders don’t use fake or cloned tickets. They jump barriers and dodge inspectors and other staff.
Hysteria aside, what’s the real situation?
ZDNet has some good coverage, which notes that in Myki’s favour (who’d have thought!) they didn’t actually skimp on the security:
Although this could have been a cost-cutting method, the TTA appears to have avoided cutting corners with respect to card security. There are four security measures that can be installed for the cards relating to key diversification, fraud detection, card blocking and card information binding. The TTA elected to include all four, pointing the issue further up the chain to the manufacturer.
Despite the cards being theoretically vulnerable, however, there isn’t a need to replace the cards as a matter of urgency. NXP stated that even if the lab equipment required to pull off the vulnerability is obtained, it could still take hours to days for the analysis of a card to be completed.
So yes, there’s a problem. But there’s no need to panic.
My take on it
Given the information available so far, it doesn’t seem to me to be necessary to go and recall the million cards issued and replace them all with the newer version straight away. The existing cards are rated for a life of four years, and that means that unless it is shown that this or another attack is actually practicable outside a laboratory, it would make more sense to just replace them with the more secure version as they come up for renewal, eg from late-2012, rather than panic and rush out replacements now.
After all, rush into it now (at great effort and expense) and you might find in 12 months that another theoretical attack becomes apparent, and have to do it all again for no good reason.
From the sounds of it, this is what the TTA is doing; planning a migration rather than rushing new cards out. Unless there’s a more major problem we’re not hearing about, this seems to me to be a pretty reasonable course of action.
PS. Thursday: I’ve had it confirmed that there is checking for duplicate Myki cards, with found duplicates being blocked from use (not immediately, but pretty quickly after detection).
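As an added illustration of the duplicate-card check described above (the "Secondly" point) and confirmed in the PS, here is example code written for this post, not Myki's or the TTA's own logic: station names, minimum travel times and the tap log are all constructed. A card ID that taps at two readers closer together in time than any real journey allows is flagged and added to a blocklist, the same treatment a lost or stolen card already gets.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tap log, not real Myki data: (card_id, reader_location, timestamp).
SAMPLE_TAPS = [
    ("CARD-A", "Flinders St", "2011-10-10 08:00:00"),
    ("CARD-A", "Richmond",    "2011-10-10 08:10:00"),   # normal 10-minute trip
    ("CARD-B", "Flinders St", "2011-10-10 08:01:00"),
    ("CARD-B", "Dandenong",   "2011-10-10 08:05:00"),   # 4 minutes later, ~30 km away
    ("CARD-C", "Box Hill",    "2011-10-10 09:00:00"),
    ("CARD-C", "Box Hill",    "2011-10-10 09:00:05"),   # re-tap at the same reader
]

# Fastest plausible journey between two readers (constructed values; a real
# system would derive these from the timetable). Unlisted pairs use a default.
MIN_TRAVEL = {
    frozenset({"Flinders St", "Richmond"}): timedelta(minutes=5),
    frozenset({"Flinders St", "Dandenong"}): timedelta(minutes=45),
}
DEFAULT_MIN_TRAVEL = timedelta(minutes=15)


def find_duplicate_cards(taps):
    """Return {card_id: [((t1, loc1), (t2, loc2)), ...]} for cards seen at two
    different readers closer together in time than any real journey allows.
    Two copies of one card in use at once show up as exactly this pattern."""
    by_card = defaultdict(list)
    for card, loc, ts in taps:
        by_card[card].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), loc))
    flagged = defaultdict(list)
    for card, events in by_card.items():
        events.sort()  # chronological; the log need not arrive in order
        for (t1, l1), (t2, l2) in zip(events, events[1:]):
            if l1 == l2:
                continue  # same reader: a re-tap, not evidence of a duplicate
            needed = MIN_TRAVEL.get(frozenset({l1, l2}), DEFAULT_MIN_TRAVEL)
            if t2 - t1 < needed:
                flagged[card].append(((t1, l1), (t2, l2)))
    return dict(flagged)


def build_blocklist(taps, blocklist=frozenset()):
    """Add every flagged card ID to the blocklist so its next tap is refused."""
    return frozenset(blocklist) | set(find_duplicate_cards(taps))


def tap_allowed(card, blocklist):
    """The reader-side check: a blocked card ID is refused for travel."""
    return card not in blocklist
```

On the constructed log only CARD-B is flagged: ten minutes between Flinders St and Richmond is a real trip, and CARD-C's second tap is at the same reader.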
(Actually there have been real, major Blackberry outages this week.)
After much procrastination, I got a new camera. It’s a Canon IXUS 115, to replace the old Canon A70 I got way back in 2003. The old one still just about works (with minor problems), so I figured Canon was deserving of my loyalty. (My 4-ish year old Canon MP610 printer/scanner is going strong too.)
At the time I bought it, I thought the A70 was small. This is much smaller — about as small as I’d want. I did consider getting an SLR (the EOS1100 with lens is only about $500 now through Kogan), but decided I wanted portability over super-dooper features. And the IXUS 115 has quite a few features anyway, including slow-motion movie recording, which already the kids and I have been having fun with.
Back when I bought the A70, it was at JB Hifi through a friend of a friend who worked there. Coincidentally I did this again — at a different JB Hifi, through different friends. Said friend of friend admitted that Canon’s build quality isn’t as good as it once was — the race to cost-cut makes this inevitable I suppose — but at a third of the price of the old camera, and demonstrably better photos (well, eight years later, it’d have to be, wouldn’t it) I’m still happy with it so far. Will be interesting to see if it lasts as long.
Here’s a selection of photos taken at lunchtime yesterday, all using the Auto setting — haven’t figured out all the controls yet.
(Zoom) — This one was at maximum optical zoom, cropped, sharpened and darkened a tad.
(Zoom) — Just a crop and slight sharpen on this one.
(Zoom) — Just cropped.
By the way, what a shame Flickr isn’t a bit more flexible with its embedding. The 640 pixels across size is great for me using this blog template, but it has problems with it if the photo is taller than it is wide (as two of these are) — then it gives you the choice by height instead, so you only get 640 pixels across if the photo height is 1.6 times the width (eg you’re choosing 1024 pixels high).
I was looking at what DVD/Blu-Ray 5.1 systems I can get on my credit card points (because this is not something I want to or can afford to spend Real Money on).
Some options include (eg the highest-specced ones I have enough points for):
Samsung HTD5300 5.1CH 3D Blu-Ray Home Theatre System — which gives the impression of looking ugly and perhaps being under-powered, with piddly little speakers, though it does claim to be 1000W. Has an iPod dock. FM-only tuner; I like to listen to AM, but that’s not fatal, as I can use another radio or listen online.
LG HB806TGW 5.1ch 3D Blu-Ray Home Theatre System — 850W. Aesthetically pleasing. Only has FM tuning. Seems to be able to playback off USB. No mention of an iPod dock.
Panasonic Home Theatre System SC-BTT370GNK — Aesthetically pleasing. Appears to only have FM. Includes iPod dock.
I’m pondering three questions:
1. (Most importantly) which might give the best sound? They seem to retail in the $400-700 range, so I know they’re not going to be as high fidelity as $1000+ systems, but that would be out of my budget. Of course it’s become impossible to search the web for reviews of consumer electronics, because Google tells you about eleventy billion web sites which claim to have reviews, but in fact merely announce when you visit that you can “Be the first to review this product!”
All things being equal, I’d probably lean towards the Panasonic.
2. CEC appears to be a technology that allows devices to control one another via HDMI cables. If my Samsung TV has AnyNet (which is their version of CEC), would a Panasonic Blu-Ray receiver with VieraLink (which is their version) or an LG with SimpLink be able to control it?
3. Hmm, I wonder if the two with iPod docks are compatible with my (relatively ancient) fourth-generation iPod, which I got in 2005 and is still going strong? (Panasonic lets you download manuals, but that part of their web site appears not to be working.)
Anybody got any advice for me?
I’d heard ages ago that there was a Samsung ABC iView app in the works. It’s now out, but some kind of screw-up means it’s visible to newer (2011) Samsung television owners, but not owners of last year’s models.
Thanks to wiser people than me on the ABC iView forums, here’s how you do it, by changing the TV’s country and thus getting it to re-install the default apps:
(Note: take care here; this is at your own risk. As noted in the comments, MitH had problems with this after misreading the instructions. If things go wrong, you may need to contact Samsung support.)
1. Start Internet@TV
2. Press Fast-Forward, 2, 8, 9, Rewind. Leave about half-a-second between each button press and it should go to a menu that allows you to choose the country.
3. Choose something other than Australia. Go through the terms and conditions and wait for it to install the default apps for that country.
4. Do steps 2 and 3 again but this time choose Australia.
You should find the ABC iView app has appeared.
Yes, it’d be nice if it just appeared automagically on its own. Perhaps Samsung just aren’t publicising it yet, getting ready for some big launch.
I’ve played around with it, and it looks excellent. The navigation is never going to be as easy as via a computer, and unfortunately it’s not on iiNet’s free zone, but it’s much nicer to be able to watch programmes on the couch than sitting by the computer.
There’s only one puzzling thing: why do the Internet@TV apps (any of them) occasionally refuse to start, citing “Network interference”?
It’s not wireless interference, as I’ve got a LAN cable plugged into the back of my TV. It doesn’t seem to kick in when there’s particularly high usage of our internet connection.
Just one of those mysteries; something I’ll investigate further as I get time.