Slightly OT, but really good to see London Centric on the front page of HN. Britain's local media has basically collapsed in recent years - it's now owned by three conglomerates (Reach, Gannett/Newsquest, National World) who are completely uninterested in any form of journalism, only in the sort of clickbait that would have embarrassed even Buzzfeed in its 2012 pomp.

The London Evening Standard was one of the last remnants of even slightly decent local writing, and that too has now been shut down in favour of a weekly lifestyle paper called "The Standard". But there's a small number of indie publishers who are trying to fill the gap: the Manchester Mill and Liverpool Post, Bristol Cable, Oxford Clarion, and so on. London Centric is an attempt by an ex-Guardian writer to do the same for London and I hope it succeeds.
It's amazing how much bureaucracy they're willing to spend money on to means-test a fundamental service. If you just made transit free at the point of service you wouldn't have free cards for all under 16, and some over 16, and all over 60, and discount fares for people in poverty. Cities spend so much money outsourcing the IT for fare collection, and the administration of budget programs, and ultimately the experience is worse for the end users. It's a real case of the politically connected hoovering up tens of millions of dollars because suburban voters can't stomach a poor person getting to ride the bus for free.
I think lots of people who lack the experience have no idea quite how large and difficult cybersecurity is for a massive organisation whose systems span 20-30+ years or possibly even longer. There is no standardised tooling and very little that can be retrofitted to older systems. Firewalls are fine if the attack is against a port you do not need to use, but otherwise you are left with a myriad of commercial offerings and a lot of "risk analysis".

The one basic tool that does seem lacking, however, is just basic network segmentation. I could understand a single system being hacked, especially an old system that is massively complex to replace, but having to shut down multiple systems, including WiFi and office networks, just smells like lazy "just connect all the wires together to make my IT life slightly easier". Having air gaps with separate computers, separate networks (even VLANs) etc. is probably the most cost effective way to reduce your attack surface.
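To make the segmentation point above concrete, here is an added illustration (not part of the thread, and not describing TfL's actual network): a small Python model of an inter-VLAN firewall policy that computes the "blast radius" of a single compromised host, i.e. every host it could reach directly or by pivoting through segments the policy allows. The host names, segment names and rules are all constructed for the example. It shows both the benefit (a flat network exposes everything; an isolated ops segment exposes only its own neighbours) and the caveat a practitioner cares about: allow rules chain, so office -> DMZ plus DMZ -> core still gives an office laptop a path to the core database.

```python
from collections import deque

# Constructed example inventory: host -> network segment (VLAN) it sits in.
HOSTS = {
    "ticket-gate-01": "ops",
    "signalling-hmi": "ops",
    "hr-laptop-17": "office",
    "wifi-ap-guest": "guest",
    "contactless-api": "dmz",
    "payments-db": "core",
}

# A policy is a list of (src_segment, dst_segment, dst_port) allow rules.
# "*" is a wildcard. Anything not matched is dropped at the segment boundary.
# Hosts inside the same segment can always talk to each other (same broadcast domain).

# "Just connect all the wires together": one big flat network, everything allowed.
FLAT_POLICY = [("*", "*", "*")]

# Segmented network: only the flows the business actually needs are permitted.
SEGMENTED_POLICY = [
    ("office", "dmz", 443),   # staff browse the public-facing app
    ("guest", "dmz", 443),    # guest WiFi may only reach the public-facing app
    ("dmz", "core", 5432),    # the app talks to its database
    # note: nothing is allowed into "ops" from anywhere
]


def allowed(policy, src_seg, dst_seg):
    """True if at least one rule permits any traffic from src_seg to dst_seg."""
    return any(
        (s in ("*", src_seg)) and (d in ("*", dst_seg))
        for s, d, _port in policy
    )


def reachable_segments(policy, start_seg):
    """Breadth-first search over segments: an attacker who controls a host in one
    segment can pivot into any segment that segment is allowed to reach, and so on."""
    seen = {start_seg}
    queue = deque([start_seg])
    segments = set(HOSTS.values())
    while queue:
        current = queue.popleft()
        for target in segments:
            if target not in seen and allowed(policy, current, target):
                seen.add(target)
                queue.append(target)
    return seen


def blast_radius(policy, compromised_host):
    """All other hosts an attacker could reach after compromising one host."""
    reach = reachable_segments(policy, HOSTS[compromised_host])
    return sorted(
        host for host, seg in HOSTS.items()
        if seg in reach and host != compromised_host
    )


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        for victim in ("hr-laptop-17", "ticket-gate-01"):
            print(f"{name:9s} {victim:15s} -> {blast_radius(policy, victim)}")
```

Running it shows that on the flat network a phished HR laptop exposes the ticket gates and signalling HMI as well as the payments database, while on the segmented network the same laptop can still pivot to the core via the DMZ (because the two allow rules chain), and a compromised ticket gate is contained to its own ops segment. Reviewing a policy for such transitive paths, not just individual rules, is the check worth doing.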
> Cybersecurity experts claim TfL's software may have not been up to scratch, with some public-facing systems coded to be compatible with long-defunct browsers such as Internet Explorer 6.

This is rubbish; public-facing websites being compatible with defunct browsers is not indicative of any security issue.
As soon as you read "outsourced their IT", one can always assume the aftermath would be a shitshow, as it is always done in response to the previous team not being able to run it, which means it is a goddamn mess. Having worked enough state and city government IT contracts in the past 25 years, you just assume the worst about everything and are often not disappointed. It's not a matter of if but when they'll be owned really, and most really wouldn't know what to do if they were still today.

This is your relative tax dollars hard at work.
> Earlier this month Andy Lord, the boss of Transport for London, sat down at a scheduled board meeting and praised his organisation's response to a "highly sophisticated" cyberattack, which began with reports of "suspicious activity" on Sunday 1st September.

> "The vast majority of Londoners would not know this attack has happened," the TfL commissioner told board members including mayor Sadiq Khan. Lord later added: "Because it's been so well-managed people didn't understand the scale and impact."

Are these people completely delusional? They've taken away passengers' visibility to see what they were being charged for; they killed all of the open data feeds (though a few of these have just now been restored in the last couple of days). Back in September, they disrupted all of their staff's productivity by locking everybody out and forcing them to try and do their jobs without any access to technology. And... there's still no end in sight for a restore of the contactless portal.

The way they've managed the incident and the collateral damage suggests there were not nearly enough security controls present in the first place (in terms of containing the breach). How many weeks on are we now without service restoration? For a cyberattack perpetrated by one seventeen year old?

If it was an SME who didn't do anything technical and had been caught completely unprepared, I might be more understanding.
Lots of people who should have been establishing effective security practices and monitoring and improving it were doing … something … but not that.

Total failure of management and governance at TfL and the British Library (which even had a "private sector security leader" on its board of governors for a decade or more before their total shitshow of a breach last year).

But as usual, there will be no consequences.
> Hundreds of thousands of Londoners are being overcharged for travel, while London Centric spoke to one teenager who is having to skip meals because of cashflow issues brought on by the cyberattack.

This is just crazy. Why not make public transport as cheap as peanuts to begin with? Why does everything have to be so damn expensive? Why the heck does a monthly transport pass have to cost, let me check, around 200 pounds? What the fricking fuck?!?! Why don't the common people in the West rise up against this perverted shit? 2400 pounds per year just to have the privilege to take the bus/metro?