I've used these apps before in the UK, and it is great being able to generate a ticket offline, but it appears they've achieved that by including the private keys in the app. Oh dear.

Would there be any foolproof alternative to allow for offline ticket creation in a mobile app when that app can be reverse engineered?
"The reason we’ve decided not to go down the responsible disclosure path is being strong believers in public transportation being a common good that should be free for everyone, and this research is our contribution to get us closer to that end."

This is trolling, right?
If this is activism, what is the political goal here? It seems like all this does is enable people with a highly-paid skill (accessing Tor, then deploying/running scripts) to not pay for transport.
Technical cock-up aside, why the term "activists"?

Not questioning the title of the HN post, rather, wondering if I have missed something going on in the news which would justify the term (instead of "hackers" or even "security researchers", though the latter seems to stretch the definition of responsible disclosure).
People complaining might note that there is already a free bus service in central Manchester: https://tfgm.com/public-transport/bus/free-bus
I've run the app through Immuniweb to see if the keys show up. There's quite a few issues but I don't see the private keys.

Link here: https://www.immuniweb.com/mobile/?id=hprUh4hL
Ahh, this reminds me of BT Cellnet storing those first pay-as-you-go credit ledgers locally on the Philips C12 / Diga handsets, and just hoping nobody would notice.
I’m sympathetic to the idea that public transit should have means-tested fares, but outright free is a bad idea. It costs something to provide, quite a bit actually, and has limited capacity, so there needs to be some mechanism to gate access. Price, which forces users to consider trade-offs, is the most straightforward way to do so.