Inside the Transport for London cyberattack

londoncentric.media

101 points by alexbilbie a year ago · 88 comments

Doctor_Fegg a year ago

Slightly OT, but really good to see London Centric on the front page of HN. Britain's local media has basically collapsed in recent years - it's now owned by three conglomerates (Reach, Gannett/Newsquest, National World) who are completely uninterested in any form of journalism, only in the sort of clickbait that would have embarrassed even Buzzfeed in its 2012 pomp.

The London Evening Standard was one of the last remnants of even slightly decent local writing, and that too has now been shut down in favour of a weekly lifestyle paper called "The Standard". But there's a small number of indie publishers who are trying to fill the gap: the Manchester Mill and Liverpool Post, Bristol Cable, Oxford Clarion, and so on. London Centric is an attempt by an ex-Guardian writer to do the same for London and I hope it succeeds.

  • londoncentric a year ago

    Hey, Jim here, author of that article and long term HN reader. Never dreamed of seeing one of my pieces on the homepage!

    Anyway, I’ve kinda bet the farm on making proper London coverage work, so every subscriber makes a massive difference. So please do give it a go, send any London tips you want investigating (my personal WhatsApp is on the site), and if you hate it… well please tell me why on the way out of the door.

    • kergonath a year ago

      I just looked around your website and damn, I wish it was around when I was in London. Congratulations on putting that together, it’s a bold move. I’m not in London anymore so I can’t really justify a subscription, but I hope you’ll be successful.

      We loved to take the piss but the Evening Standard at least existed and London deserves much more quality local journalism.

  • jll29 a year ago

    Are people really no longer interested in what happens locally?

    I would pay for local news, even about places that I no longer live, but used to live and still have a passing interest in. But perhaps I would want to receive it as XML feed.

    Even events (concerts, readings, exhibitions, screenings etc.) are typically scattered across many smaller lists or mailing lists, depending on location. For example, there is way more going on in London than what is listed by Time Out: https://www.timeout.com/london/things-to-do/london-events-in... Local communities may have their own sites or still rely on paper flyers.

    Some facts of communal interest are published in government outlets that are still mandated in some jurisdictions.

    It would be wonderful if more of "what's going on" could be made available in curated digital form, for us to use and enjoy, and also to preserve it for future generations so that they can see what was happening in our age.

    • fragmede a year ago

      > I would pay for local news

      Most of my local papers have moved to a subscription model, often with paywalls so I currently pay for local news. Have your local papers not?

    • refulgentis a year ago

      No

  • klelatti a year ago

    Agreed and interesting and good to see it has > 1k paying subs (out of 7k total) after a little more than a month - probably as a result of some great stories already. A promising start.

bdndndndbve a year ago

It's amazing how much bureaucracy they're willing to spend money on to means-test a fundamental service. If you just made transit free at the point of service you wouldn't have free cards for all under 16, and some over 16, and all over 60, and discount fares for people in poverty. Cities spend so much money outsourcing the IT for fare collection, and the administration of budget programs, and ultimately the experience is worse for the end users. It's a real case of the politically connected hoovering up tens of millions of dollars because suburban voters can't stomach a poor person getting to ride the bus for free.

  • avianlyric a year ago

    TfL has built most of its fare collection systems in-house, indeed it licenses its fare collection technologies to other cities like New York. Also it’s not within TfL’s or the London Mayor’s gift to provide free transit, TfL is almost unique in that its costs are almost entirely covered by farebox collections, and they receive little to zero government subsidy.

    If London made transit free, they have to find an additional £7 billion a year to cover the operating costs (most of which is mundane stuff like keeping the trains working). Total London council tax (which is the only form of tax the London mayor can control), raises about £37 billion a year. So making transit in the city free would involve increasing council tax by an additional ~20%, and council tax is a notoriously regressive tax that disproportionately impacts the poor more than anyone else.

    Additionally TfL is already extremely efficient, it was audited by the previous government in an attempt to find further ammunition to discredit the London Mayor, but it seems they couldn’t find any inefficiencies worth publishing. So there isn’t much wiggle room to reduce TfL operating costs.

    Regardless of how you slice it, there isn’t a practical way to provide free transit in London, and certainly removing the cost of the bureaucracy for means testing isn’t going to move the needle on the simple economic facts.

    • kiba a year ago

      Tax cars further. They take up way more space than the average pedestrian and require more infrastructure to support and maintain.

      • bigstrat2003 a year ago

        Let's say that happens, which is not at all a given. What are you going to do when car usage goes down because people are tired of being taxed excessively for them? "Just tax this thing I don't like" is not a viable strategy to fund the things you do like.

        • kiba a year ago

          Less car usage means less money spent on car related infrastructure and better flow of existing traffic which leads to further economic growth as space freed up can be repurposed for something else which leads to increased tax revenue.

      • avianlyric a year ago

        Even that won’t get close. Existing London car taxes only raise around £0.2 billion annually. Not a chance in hell you can raise that by 3500% without either public unrest, or such a dramatic change in behaviour that tax collection amounts drop, instead of rise (although I would personally love a car free London).

        • rahimnathwani a year ago

          Are you counting fuel duties here, or only road tax?

          • avianlyric a year ago

            There isn’t road tax in the UK, only vehicle tax which is based on the amount a vehicle pollutes. Additionally all of that tax across the UK goes to the central government, and none of it goes to the London Mayor. There have been attempts to have vehicle taxes collected on London based vehicles be allocated to the Mayor, but it’s always been soundly rejected by central government.

            Fuel duty is also collected by central government, and none of it goes to the London mayor either.

            The only taxes collected and managed by London are the Congestion charge and the ULEZ charge. Everything else is beyond the reach of the London mayor.

            • rahimnathwani a year ago

              I'm from the UK, and lived there for the first 35 years of my life. During that time, 'road tax' was a common way to refer to 'vehicle excise duty'. Doesn't anyone call it that any more?

              Back to the point, though... Even though the Mayor of London doesn't have control over most tax revenue collected from drivers in London, this whole discussion is about what could be, so suggesting that the congestion and ULEZ charges are the only possible sources of revenue places an unnecessary limit on options.

              • avianlyric a year ago

                Most of the people refer to VED as “road tax”, it’s usually followed by some sort of condescending comment about how non-drivers should “get off the roads”, and often used as an excuse for engaging in deliberate acts of violence. I’ve personally had people explain to me how being hospitalised for a week, and being given a permanent spinal injury by a driver deliberately hitting me while cycling to work, is an acceptable cost to society, and that because I don’t pay “road tax” means I have no right to demand safer cycling conditions on the roads. So I make a point of not calling it “road tax”, because it’s a misleading name. A better name would be a “car pollution tax”, or just a “pollution tax”.

                With regards to VED collected in London. Only about £0.5 billion is collected annually from London. Fuel duty does seem to be broken down by region, so it’s hard to know how much is collected in London. But across the UK £24 billion of fuel duty is collected annually, so it could be possible to fund a significant chunk of London’s transit by increasing fuel duty by 30-40% across the entire UK. But such an increase would likely also cause riots or similar. Additionally if you were to increase fuel duty like this, you would presumably need to provide free transit across the entire of the UK, which would require a significantly higher fuel duty increase. Of course that tax increase plus free transit, would result in a huge modal shift away from cars, and thus drive down the collected revenue.

                In all, there doesn’t seem to be a viable way to provide free transit to all. At least not without significant tax increases across the board, and maybe that’s a viable approach. But there certainly isn’t an easy and obvious no-brainer way to get rid of the “bureaucracy” and use the savings for free transit, as was originally suggested.

                • rahimnathwani a year ago

                  I agree with the overall point (the last paragraph).

                  Beyond the math, tube capacity at peak times is an extremely scarce resource, and should be allocated to the most valuable uses: those willing to pay, and under-16s who need it to travel to school. The "Older Person's Freedom Pass" cannot be used before 9am, which seems reasonable to me. I wonder why there's no restriction for the evening rush hour.

          • fragmede a year ago

            They could also be referring to London's congestion charge, that drivers pay for driving in inner London.

          • ascorbic a year ago

            Neither of those are London car taxes. I think the number refers to the congestion charge. ULEZ raises a similar amount though.

      • moritonal a year ago

        That would be Mayoral career suicide at this point. Most voters are car owners.

    • paganel a year ago

      Take the 7 billion from the existing 37 billion and get rid of some existing stuff which is non-housing related.

      • avianlyric a year ago

        What exactly would you get rid of?

        * Bin collections?

        * Social care for the young and elderly?

        * Street sweeping?

        * General road, pavement and cycle infrastructure maintenance?

        * Sports centres, libraries, schools?

        Councils are already stretched thin. Last year was the largest increase in council taxes the UK has seen in decades, and councils are going bust left right and centre as pretty much all central funding was removed over the last 14 years. Do you honestly think that reducing every London council's budget by ~19% to provide free transit is going to result in a good outcome?

        • paganel a year ago

          > Bin collections?

          Slightly increase the price/tax for that for single-family homes.

          > Street sweeping?

          Yes, at a limit, I'd choose not having clean streets over people not being able to afford using them, even by riding a bus.

          > General road, pavement and cycle infrastructure maintenance?

          I'd get rid of cycle infrastructure if it's more than a token percentage of said road-focused expenditures, because it's mostly the middle class that is using bicycles and, as such, money spent that way goes directly for the only benefit of said middle-classes. But, yes, I'd personally settle for roads with more holes if that means public transportation that doesn't cost 2000+ pounds per year, you can bet on that.

          > Sports centres, libraries, schools?

          Yes, I'd get rid of sports centers, libraries are, I guess, just a token expenditure.

          > Social care for the young and elderly?

          I guess this is where, in fact, most of the money goes, and this is where Britain is, to put it mildly, fucked up, because (going by your word) that expenditure mostly falls on the local administration. It shouldn't be that way, it should fall on the central government, but I guess that's a bigger political subject to tackle.

          As a point of reference, I grew up in Eastern-Europe back in the '90s back when our roads were full of holes and social care had started to accumulate holes bigger than the Bermuda Triangle, but, amidst that destituteness, public transport (both inside the cities and connecting them) was still very affordable. In fact, if it hadn't been for that I wouldn't be writing this comment right here, it is because of those small prices that I could still afford to go to uni (yes, you could tell me that "we have procedures in places for just those cases!", but that's just layers of bureaucracy over layers of bureaucracy that just don't work when you need them the most, it's way easier to not need that bureaucracy in the first place).

      • jen20 a year ago

        Like what, exactly? Be specific.

  • carapace a year ago

    > In Gavin Newsom’s book Citizenville he talked about how, after becoming [San Francisco] mayor, he discovered that fare collection cost as much as the revenue generated from fares. He started the process of making the bus free but was told by so many advisors that the busses would become “dumpsters on wheels,” from a combination of homeless people using them for shelter and people not respecting services that are free, that the plan was scrapped.

    ~ https://news.ycombinator.com/item?id=21808851

    • avianlyric a year ago

      Don’t compare TfL to buses or the BART in San Francisco. The transit system that TfL operates makes US transit look like a toy.

      London busses arrive every 5 mins not every 30 mins. At high throughput bus stops busses arrive pretty back-to-back continuously. Trains arrive every 90secs not every 15mins, often the next train is waiting just outside the station for the previous train to depart.

      There are over 500 different bus services in London managed by TfL. 11 Tube lines covering over 200 miles of track and 272 stations. 6 suburban rail lines covering over 100 miles of track and 113 stations.

      TfL is a major operation, and its fare collection system is one of the most efficient and technically capable systems in the world. So good they sell it to other cities like New York. I can absolutely guarantee that the cost of TfL fare collection system will be an insignificant fraction of the £2.2 billion that TfL collects annually.

      • carapace a year ago

        (SF is 150 years old and 7x7 miles in size, we do not compare to London on any dimension. My whole city could be a borough of London!)

        (This one time I was at a party (it was a long time ago) and these Italian dudes were there, and when I mentioned that I was from SF one of them said, "Nice town." ... I was a little miffed, but they were from Rome, so... *shrug* )

    • LexGray a year ago

      I would guess that technology has already caught up with that. Tie it all to a phone app to track abuse and give a city services only data plan to anyone who asks. Give it a basic three strikes where the driver logs complaints or you need a remedial how to properly use city services class.

      Given the license tracking already going on for bridge tolls the infrastructure may already be there.

    • KaiserPro a year ago

      Yes, but in London a large part of its budget comes from ticket sales.

  • akira2501 a year ago

    > can't stomach a poor person getting to ride the bus for free.

    If you don't accurately measure ridership you can't accurately serve that ridership. You'll waste money on useless services and you'll waste people's time by not creating necessary services.

    The system needs to exist.

    It probably doesn't need to be outsourced. We're well past the internet revolution and it's time for these core competencies to be reabsorbed by government departments. Or it's time for private companies to be held liable for their complete and total failures to serve the public.

    Ideally it should just be a system that lets you scan your identification card or driver's license. If you're of the correct age it should serve as a transportation pass. Simple. Compliant. Captures useful data.

    • avianlyric a year ago

      > It probably doesn't need to be outsourced. We're well past the internet revolution and it's time for these core competencies to be reabsorbed by government departments.

      TfL’s ticketing system isn’t outsourced, it was built in house and is sold to other transit operators like New York’s MTA.

      The UK has no official identification card (something the public have rejected countless times), and in London many people don’t drive and don’t have a driving licence.

      • akira2501 a year ago

        > TfL’s ticketing system isn’t outsourced

        The operation of it? Or the development of it? I'm seeing information that conflicts with this statement.

        > and in London many people don’t drive and don’t have a driving licence.

        My presumptions are rooted in the USA. For those that don't drive having a state ID card is still quite common. These always have barcodes on the back which would make them useful in POS like applications. You'll need a photo ID to cash a check, buy tobacco or alcohol, or when applying for most jobs. It's unusual here to not have one.

        Is that also the case in the UK? Is there no similar system or demand for ID? Would those using it in this free application be less likely to have one?

        • avianlyric a year ago

          > The operation of it? Or the development of it? I'm seeing information that conflicts with this statement.

          Both, although it’s a little more nuanced than that. The original oyster system was bought in from a company called Cubic, and Cubic still provide all the physical gates and readers on the TfL system. But the newer contactless/Tap-to-Pay system was developed in-house by TfL, and the old oyster system has been mostly migrated onto the ticketing system.

          However TfL license the new system to Cubic, who then resell it to other Transit systems around the world.

          But for London, both the development and operations of the ticketing system is managed in-house (they obviously contract out parts of that work, as TfL probably shouldn’t be in the business of designing, manufacturing and performing major refits of their physical barriers themselves etc)

          > Is that also the case in the UK? Is there no similar system or demand for ID? Would those using it in this free application be less likely to have one?

          No it’s not the case in the UK. There is no national/state ID, beyond a passport (which you only need if you intend to leave the UK). With regards to photo ID for proof of age, it’s a little complicated. People use a mix of expired passports if they have one, there are some recognised “age ID” cards that you can purchase, in London, a TfL issued photo Zip Card (the free travel Oyster card for those under 16, or under 20 in full time education) is often used as a form of Photo ID.

          You don’t present photo ID here for job applications, or opening banking accounts, and most people never need to “cash” a cheque (I’ve personally never cashed a cheque), because bank transfers are fast (i.e. sub 1 second), free and secure. If you need to prove your identity for a bank or job application, it’s done via a slightly arcane mix of providing a proof of address (bank statement, utility bill etc), and some kind of vaguely official photo ID with your name.

          Proving your identity in the UK is a slightly circular problem, as you often need to have some kind of proof of ID, to get a document that you can use to prove your identity, which often causes headaches for people who’ve recently immigrated here (natives will have something like a child bank account opened by their parents to provide that initial proof). But there are various escape hatches that break the circular dependency, although they’re not obvious.

    • ThePowerOfFuet a year ago

      > Ideally it should just be a system that lets you scan your identification card or driver's license. If you're of the correct age it should serve as a transportation pass. Simple. Compliant. Captures useful data.

      Privacy nightmare, and disenfranchises those with no paperwork.

      • akira2501 a year ago

        > Privacy nightmare

        The current system doesn't do this somehow? You're taking _public_ transport. Presuming privacy from the operator to be a thing is odd.

        > and disenfranchises those with no paperwork.

        Then if they want free public transport they should get free papers. I'm not sure the goal of an "identityless public society filled with free rides" is at all worthwhile or even agreed upon to be good.

        • avianlyric a year ago

          What free papers? The UK has no national identity card, so there is no officially recognised “free paper”. Both passports and driving licenses cost money.

          • akira2501 a year ago

            Then make those free. We can't stand behind other poor implementations as an excuse to avoid appropriate levels of public service. What I'm trying to project is there's no reason to cast this as "people don't want poors riding trains."

            Of course people want this. It's absurd to suggest otherwise. Solve actual problems and stop giving contracts to people who abuse the public trust and effectively siphon tax money away from people who need it the most.

            The level of argumentation here is bizarre. We can't use IDs because of privacy but we will give them unique smart cards? We can't let them use IDs because those cost money for historical reasons but we will pay a third party for a single use smart card?

            This is why people don't engage with public service. It's absolutely punishing for no appreciable reason.

            • avianlyric a year ago

              > Of course people want this. It's absurd to suggest otherwise. Solve actual problems and stop giving contracts to people who abuse the public trust and effectively siphon tax money away from people who need it the most.

              You’re making a lot of incorrect assumptions about how TfL works here. TfL don’t outsource their ticketing system, either its development or operation, it was built by TfL and it’s operated by TfL. There is no private entity making a profit off this situation.

              > The level of argumentation here is bizarre. We can't use IDs because of privacy but we will give them unique smart cards? We can't let them use IDs because those cost money for historical reasons but we will pay a third party for a single use smart card?

              The TfL Photo Zip card for those eligible for free transit basically is a form of free photo ID in London. Just about every institution in London, and most of the UK will accept it as a form of photo ID. In London it basically is the “free papers” you think should be used to provide free transit, and you literally do just tap it on a reader and get free transit. But like all forms of ID it expires and needs to be renewed, unfortunately this incident at TfL is preventing those renewals from happening.

              For the absolute avoidance of doubt here, TfL is for all intents and purposes an arm of the London regional government. TfL chairman is the mayor of London, any state funding it gets comes via the Greater London Authority. The state of TfL, and the services it provides to Londoners is a top tier political issue in every single mayoral election, because the London mayor is the single most powerful entity when it comes to the operation and direction of TfL as a whole.

  • cdot2 a year ago

    All of this IT infrastructure exists to ensure the exact opposite of what you said. It ensures that rich people don't get to ride the bus for free.

    • truckerbill a year ago

      The point is it’s easier to just tax wealth a bit more and let everyone get on the bloody train… It’s mostly people just going to work/school, makes sense to be free

      • KaiserPro a year ago

        > easier to just tax wealth a bit more and let everyone get on the bloody train

        I mean it's not. If it was, they would have done it.

        Wealth taxes are really fucking hard to do equitably, at least at first.

        For example OAPs tend to live in very expensive houses. Take Rotherhithe for example: one could have bought a house in the 90s for shit all, and now it's worth the best part of 1.4 million.

        so now you're levying a 5% tax on a pensioner, or worse still a young couple mortgaged to the fucker.

        Now, but what about the super asset rich I hear you say?

        Well, they'll transfer all they own into a corporation. They can't tax assets like that on business because it'll crash the economy super quick.

        • ghusto a year ago

          > Well, they'll transfer all they own into a corporation. They can't tax assets like that on business because it'll crash the economy super quick

          Thanks for that. I've always thought that wealth isn't taxed heavily because it's the wealthy that make the laws. That still may be part of it, but this surely is too.

          As a side note, I'm puzzled as to where this seemingly prevalent (here, at least) sentiment of letting people ride public transport for free has suddenly come from? It makes absolutely no sense, but is being said as if it's the most obvious thing in the world!

          • toyg a year ago

            > where this [...] sentiment of letting people ride public transport for free has suddenly come from?

            It has been there since public transport has been a thing. Its popularity ebbs and flows with the years, because it's fundamentally very appealing: dealing with tickets and tariffs is a huge annoyance, and everyone resents it for one reason or another. "Surely there is a simpler way!"

            Alas, ticketing systems seem to be the less-worst thing, a bit like representative democracy as a system of government. Free-for-all attempts never survive an economic or budgetary crisis, and tickets are the closest thing to an objective method to raise funds for a service. Maybe technology (and politics) will eventually evolve enough to develop fairer means-tested systems.

          • qeternity a year ago

            Wealth isn't taxed because most wealth, unlike income or other use taxes, is based on valuations that are extremely fragile.

            Let's say you open a corner bakery that does very well. You are making $1m/year and paying the government $200k/yr in corporation taxes. That leaves $800k/yr in the biz. A perpetuity paying $800k/yr at 5% discount rate is worth $16m (obviously this is a bad proxy for the value of a risky business, but it's a starting point).

            So the government comes along and says "ok you owe us X% of this business per year". Where do you get the money for this? You can't just give the government shares. But it's a corner bakery...nobody wants to go through the headache of buying 1% in a local business. And what happens next year when business drops, and the value drops, how do you prove to the govt what it's worth? It's a minefield, and probably not legal.

            I get it. People want to eat the rich. It's easier to point to other people as the problem (even if they pay 40x more proportionately in tax than someone else) instead of saying "Christ, maybe we spend too much". But the ideas to kick the can are really getting silly.

            • ghusto a year ago

              I think I get it, but it doesn't help the image that there are some who are so obviously abusing the system.

              Everybody knows who they are. Everybody can see what they're doing, how they're using their position to avoid putting anything back in to the society that's made them all that wealth. And nobody can point to something and say "There! That exact thing right there they're doing should be illegal! Make a law!".

              It's frustrating.

        • eertami a year ago

          What do you mean "can't", this is exactly what already happens in countries that already implement a wealth tax (eg, Switzerland). If you own a corporation that has assets worth millions, then the corporation is the asset that you're paying wealth taxes on (as part of your personal tax return).

          Doesn't matter if the company is based abroad either, you'll still need to supply the company's balance sheet as part of your personal tax return. Last time I checked, the Swiss economy (unsurprisingly) has not come crashing down.

          • qeternity a year ago

            Tax dodging is the national sport of the Swiss. This is a horrendous example.

        • bdndndndbve a year ago

          We need a housing policy reset, the OAPs shouldn't have the majority of their retirement assets tied up in a 1.4M illiquid house. They need an affordable off-ramp to downsize, and we need to build more affordable housing to deflate the market. This is wildly unpopular because lots of people are already over-leveraged trying to get onto the property ladder, but objectively it's the correct course to start to unfuck things.

          The purpose of a house or apartment should be shelter for a family, not a retirement plan or an investment for a corporation.

          • ghusto a year ago

            Okay Mao.

            • fragmede a year ago

              > This is wildly unpopular.

              Case in point. No one's suggesting confiscating anything, yet some people can't contain themselves at the suggestion that maybe housing policy is broken.

              • ghusto a year ago

                The policy of people paying for homes then keeping those homes, even when, gasp, they get old?!

                Demanding that older people "downsize" is a policy, and not one that's very savoury.

          • KaiserPro a year ago

            > more affordable housing to deflate the market

            hard yes

            > affordable off-ramp to downsize,

            I mean yes, but the hidden cost is moving outside of your support network. Downsizing is often very lucrative.

            • avianlyric a year ago

              > I mean yes, but the hidden cost is moving outside of your support network. Downsizing is often very lucrative.

              If we had a sensible housing policy, it would be possible to downsize within your local community. Towns and villages would be made up of a good mix of different types of housing, for different parts of life. Then people could move into appropriately sized houses without having to leave their support networks.

    • paganel a year ago

      What's the problem with rich people riding the bus for free? All bus-riding should be as close to free as possible.

    • eesmith a year ago

      Rich people get to use the library for free.

      Rich people get to visit Hyde Park for free.

      I've no problem letting them also ride the bus for free.

    • whiplash451 a year ago

      Not the opposite, but the complementary, to be precise.

    • bdndndndbve a year ago

      Ah yes all those billionaires trying to jump the turnstiles. Between that and trying to sleep under bridges they're a menace.

  • mbirth a year ago

    With that many tourists using and abusing London public transport, why should only Londoners pay for the service (via taxes - the money must come from somewhere)?

lbriner a year ago

I think lots of people who lack the experience have no idea quite how large and difficult cybersecurity is for a massive organisation whose systems span 20-30+ years or possibly even longer. There is no standardised tooling and very little that can be retrofitted to older systems. Firewalls are fine if the attack is against a port you do not need to use but otherwise you are left with a myriad of commercial offerings and a lot of "risk analysis".

The one basic tool that does seem lacking, however, is just basic network segmentation. I could understand a single system being hacked, especially an old system that is massively complex to replace but having to shut down multiple systems including WiFi and office networks just smells like lazy "just connect all the wires together to make my IT life slightly easier". Having air gaps with separate computers, separate networks (even VLANs) etc. is probably the most cost effective way to reduce your attack surface.

HL33tibCe7 a year ago

> Cybersecurity experts claim TfL’s software may have not been up to scratch, with some public-facing systems coded to be compatible with long-defunct browsers such as Internet Explorer 6.

This is rubbish, public-facing websites being compatible with defunct browsers is not indicative of any security issue

walrus01 a year ago

It sure sounds like this "highly sophisticated" attack was a run of the mill cryptolocker.

bastard_op a year ago

As soon as you read "outsourced their IT", one can always assume the aftermath would be a shitshow, as it is always done in response to the previous team not being able to run it, which means it is a goddamn mess. Having worked enough state and city government IT contracts in the past 25 years, you just assume the worst about everything and are often not disappointed. It's not a matter of if but when they'll be owned really, and most really wouldn't know what to do if they were still today.

This is your relative tax dollars hard at work.

  • avianlyric a year ago

    Where does it say they outsourced their IT? The article mentions city hall outsourcing their IT to TfL, but city hall is a sister organisation to TfL, they’re both organs of London regional government. The London Mayor is the chairman of TfL and the head of London regional government.

    It’s not like they’re outsourcing to some private organisation, every single organisation is either a state organisation, or a state owned company.

    • Groxx a year ago

      I think they just read it backwards. Near the beginning in the bulleted list is:

      > Sadiq Khan’s office and the Greater London Authority outsourced their IT services to TfL this summer, meaning they were also badly impacted, paralysing services at the top of the capital’s devolved government.

      Which means TfL is the one doing other people's IT in addition to its own, not the reverse.

  • mellosouls a year ago

    > always done in response to the previous team not being able to run it, which means it is a goddamn mess.

    :

    > This is your relative tax dollars hard at work.

    I think you are underestimating the gross lack of realistic investment and corresponding demoralization and qualitative decline in some public services; which latter is then used by the decision-makers who've created the situation as justification for swashbuckling "transformation" projects - advised by and given to overpriced consultants - they can put on their CVs before hopping to the next gig.

    That's your tax dollars at work.

  • aiiotnoodle a year ago

    I agree. Public sector IT becomes a huge sprawl of technologies and cottage industry applications which makes administering these often rarely touched interfaces difficult to do properly when department budgets are tight and resources are busy fire fighting the processes that failed the night before.

    It is also difficult to hire because wages are generally low compared to similar roles in private industry, yet they need skilled staff to manage these complex environments. A lot of services don't get the attention they need, not just patching and upgrades but development, requirements capture and usability all kept to a minimum cost to keep the sinking ship afloat.

    All these constraints also lean to a culture of poor security, JFDI, rip and replace, insufficient hardware etc... just so the business can operate on whatever computer on wheels in the shipping depot or relatively expensive to replace electronic gate system with integration to their custom fleet management software.

    Government outsourcing to another related body has its cost advantages but the many domain administrator users, the huge flat VMware estate and the hardware well beyond warranty doesn't disappear.

    Designed to serve immediate needs but without long-term maintenance or holistic design in mind. Outsourcing amplifies the issue.

lol768 a year ago

> Earlier this month Andy Lord, the boss of Transport for London, sat down at a scheduled board meeting and praised his organisation’s response to a “highly sophisticated” cyberattack, which began with reports of “suspicious activity” on Sunday 1st September.

> “The vast majority of Londoners would not know this attack has happened,” the TfL commissioner told board members including mayor Sadiq Khan. Lord later added: “Because it’s been so well-managed people didn’t understand the scale and impact.”

Are these people completely delusional? They've taken away passengers' visibility to see what they were being charged for; they killed all of the open data feeds (though a few of these have just now been restored in the last couple of days). Back in September, they disrupted all of their staff's productivity by locking everybody out and forcing them to try and do their jobs without any access to technology. And.. there's still no end in sight for a restore of the contactless portal.

The way they've managed the incident and the collateral damage suggests there were not nearly enough security controls present in the first place (in terms of containing the breach). How many weeks on are we now without service restoration? For a cyberattack perpetrated by one seventeen year old?

If it was an SME who didn't do anything technical and had been caught completely unprepared, I might be more understanding.

  • avianlyric a year ago

    I can believe, I live in London and depend on TfL all the time. In the last 10 or so years, I’ve probably only bothered looking up my travel data a dozen or so times. 99% of the time I’m charged the right amount, and I don’t have to think about it.

cutler a year ago

What exactly is it about supporting IE6 that makes it a security risk?

com a year ago

Lots of people who should have been establishing effective security practices and monitoring and improving it were doing … something … but not that.

Total failure of management and governance at TfL and the British Library (which even had a “private sector security leader” on its board of governors for a decade or more before their total shitshow of a breach last year)

But as usual, there will be no consequences.

  • jen20 a year ago

    TFL are better than most public bodies but are likely hamstrung on being able to pay anything like market rates for competent security people.

    • com a year ago

      Totally get it that budgets are tight. But making sure that stuff happens isn’t highly correlated to tech staff or manager salaries.

      Unless they’re hiring inexperienced high-schoolers, it’s a failure of will and competence in management. And even that would actually be a failure of management.

      I’m guessing - based on historic contacts with TfL - that this failure of management is probably manifest in too many meetings and intermediate products valorised over and above culture, knowledge and tech improvements.

      Avoidance of outcome-based monitoring and governance, and instead a focus on “process execution” like reorgs, agonisingly-slow checkbox actions and deckchair relocations is pretty common in low-ambition, low-performance orgs. Again, you don’t get this because you’re being cheap on security people.

      • avianlyric a year ago

        I’m not really sure how you’ve ended up classifying TfL as a “low-ambition, low-performance” org. As transit agencies go TfL is one of the best on the planet, they’re constantly innovating and pushing the envelope of what’s possible. Every time they build a new line, or order new rolling stock, they use it as an opportunity to invent something new (which doesn’t always succeed). Everything from automated trains, to more complex and capable signaling systems, improved cooling and better customer signage.

        A “low-ambition, low-performance” transit organisation doesn’t run train services with a train every 90 seconds at peak, transporting 4 million people per day without a major incident or loss of life. There are nine Underground stations with annual passenger counts larger than the entire BART system in the larger Bay Area.

        The Underground system alone (only part of TfL's responsibility) is the world's fifth largest metro system outside of China by ridership.

        TfL built its own ticketing system, and invented the entire idea of using contactless bank cards for ticketing, including negotiating with Visa and Mastercard to create brand new rules for transit agencies. A system that it now sells to other major transit systems, such as the New York Subway.

        TfL isn’t without faults and problems, like any large public organisation. But to dismiss it as “low-ambition, low-performance” is to ignore many decades of safely operating the world's oldest metro system, and developing and exporting new ways of improving transit for the travelling public.

  • chrisjj a year ago

    > no consequences.

    I recommend "repercussions" ;)

manojlds a year ago

Why is the Mayor not even talking about this?

  • avianlyric a year ago

    What is there for the Mayor to say? The trains still run, the busses still turn up, the traffic lights still go red, yellow, green.

    For the vast majority of people, there's little to no impact day-to-day. Sure the loss of live data is annoying, but trains still turn up every 2 mins, and busses every 5-10mins during the day. Even at night, busses still turn up every 15-20mins, so checking live data doesn’t give you that much of an edge.

  • surfingdino a year ago

    Because there is no political gain for him in this story.

paganel a year ago

> Hundreds of thousands of Londoners are being overcharged for travel, while London Centric spoke to one teenager who is having to skip meals because of cashflow issues brought on by the cyberattack.

This is just crazy, why not make public transport as cheap as peanuts to begin with? Why does everything have to be so damn expensive? Why the heck does a monthly transport pass have to cost, let me check, around 200 pounds?, what the fricking fuck?!?! Why don't the common people in the West rise up against this perverted shit? 2400 pounds per year just to have the privilege to take the bus/metro?

  • HL33tibCe7 a year ago

    I don't live in London, but most people I've talked to who do don't have any monthly transport pass or anything like that. They just tap in with contactless. The transport is cheap enough that if you don't travel many times per day, there is really no need. As one example - a bus journey is 1.75 GBP regardless of the distance and number of individual buses taken, as long as all initial tap-ins are within one hour.

    Looking at the TfL website, people on benefits get 50% rate discounts; students get 30% off; pensioners and children get completely free travel. It's really quite a good system actually.

    • cutler a year ago

      Not so fast. Contactless accounts for a huge volume of compensation claims due to faulty or badly-designed interchanges. I've lost count of the number of times my partner has been overcharged when travelling from Wimbledon to Waterloo.

  • avianlyric a year ago

    > Why don't the common people in the West rise up against this perverted shit? 2400 pounds per year just to have the privilege to take the bus/metro?

    Still cheaper than owning a car. The average driver in London pays £3200 a year for the privilege. Most Londoners don’t bother, cars are the slowest, most expensive, and least pleasant way to move around the city.

    As for the cost, that's because a series of Tory governments stripped TfL of all its government funding. TfL has to cover all its costs from fares, advertising, and some other ancillary business. Hence the higher than average ticket prices.

    I would also say that there’s nothing wrong with taking the bus/metro. Busses turn up every 5 mins, metros every 90s-180s. Everything is clean, comfortable (we have fabric and padding on our busses and metro seats) and reliable. Although rush hour can get very cramped and sweaty at its peak.
