
Security researcher, pentester, bounty hunter, broadcast engineer, train ticket nerd

🏳️‍⚧️

feel free to follow request, but have at least something on your profile

Website: https://anze.dev
Pronouns: she/they
OH: "I am all for reinventing the wheel, if the wheel is a square"
Anyone got contacts at TfL/Cubic to talk about a possible vulnerability on Oyster cards? I am not sure if this is a vuln, but I want to run it by someone just in case. Boosts welcome
Turns out both me and the CEO got sick at the same time... Thursday at 11:30 it is.
Getting a call inviting me to a meeting with the CEO of Slovenian Railways-Passenger Transport was not on my to-do list for today...
Will update as the story develops.
Time to head to FOSDEM! Lmk if anyone wants to meet up. Expect me at the railways and open transport track at least and feel free to ask me about modernizing your ticket barcodes, we have some great stuff coming out of the UIC recently.

I lost it today after getting a decision from the ICO on extending the deadline for SZ to deliver the specifications to the court expert, but not why you probably think.

SZ requested a whole extra 90 days to be able to produce such documents and the ICO was not having it. They only got an extra 3 weeks (until February 16th).

Here is a direct (translated with DeepL and checked) quote:

(2) Before the expiry of the aforementioned deadline, on January 23, 2025, the public authority requested the Information Commissioner to extend the deadline by 90 days. In its request, it stated that the preparation of the documents had revealed that the data was very extensive, which significantly increased the amount of work, and therefore requested that the deadline be extended by 90 days due to the complexity and volume of the data.

(4) The Information Commissioner notes that the public authority submitted a request for an extension of the deadline before its expiry. In its request, the authority did provide specific reasons justifying the extension of the deadline, but not for the proposed 90-day period, as the authority should have allowed the court expert access to the aforementioned documentation already during the preparation of the expert opinion, which is why the proposed deadline is completely unjustified and the IP cannot grant it to that extent.

OH: “3-phase LAG”

#LeftClickLeaks #PlacLeaks #OH

So, good news and bad news.
Good news: The expert witness seems to have agreed with me that the increased risk upon release would be minimal.
Bad news: We have found out that even SZ does not possess the specification, as it was never made. It was made by the external firm that made their ticketing system.
This means that we will now have to wait for SZ to request the specification from the software firm (which is not maintaining the system anymore, as it is now maintained by someone else) and send it to the expert witness for evaluation if there are any risks to their systems upon public disclosure. The expert witness already said at the hearing that if the barcodes only contain data that should be in there, like dates of validity, price, station IDs etc., there is basically no increased risk to the SZ system.
He also said that basically any database/key-value store for the data in the tickets does not increase the risk. Since we already sort of reverse engineered the tickets, we know that they don't contain any sensitive information that the expert witness deems sensitive (he said that would basically be DB connection strings, firewall configs etc., which should never be in a publicly scannable barcode).
The really bad news is that it seems we will probably have to pay for the expert witness work, even though SZ gave them the wrong documents. Altogether we expect this to probably be around 2-2.5k EUR, for which we have already paid a 1k EUR deposit. Hopefully the ICO at least decides in our favour in the end.
Getting ready for the hearing about my Slovenian Railways FoI appeal and have just prepared and printed "half a kilo of procedure" (we are expecting the hearing to not allow digital devices due to procedure law). Wish me luck, reporting back tomorrow after the hearing.

Since Ryanair now requires you to use their app to get a boarding pass or stand in line at the counter I got fed up with their BS.
I made an app that allows you to get the Google Wallet link and Apple Wallet pkpass (that you can also add to Android wallet apps) without their shitty app (online check-in still has to be done on the Ryanair website, I might make a tool that does that at some point as well).

Feel free to try it at https://ryanair.anze.dev.

You can find the source code at https://github.com/craftbyte/ryanair-bp

Ryanair Boarding Pass Extractor