Monthly Archives: May 2009

Matkakortti, some findings

So, i’ve gathered the information from a few cards, mostly friends and family, and here’s what i’ve got (it’s not a lot!):

The second number is interesting. This is the BUSCOM number. Buscom is the company that makes the readers and other systems related to this, i suppose. The system is built around the Mifare rfid system, which is used around the world. The frequency it operates on is 13.56 Mhz, and the range is not many centimeters. There are mifare readers you can buy on ebay, just look for 13.56 or mifare or something. They cost between 30-50 dollars, which is pretty cheap in real money, e.g. euros.

Anyway, the Buscom number. It’s only four numbers long, which allows for 10 000 permutations. That’s a lot less than the amount of cards in circulation (probably in the hundreds of thousands, if not over a million). So what is this number? I’ve been suggested card revision, or location where it was bought, but that doesn’t track, at least in any way i could figure out. I’ve got a few cards that have been bought in the same place, but they have a different number. Are there over 10 000 retailers of these cards? Maybe, maybe not. But in any case, it doesn’t match. The numbers vary wildly even those bought in the same place. Any ideas are welcome.

There might be a difference between personal, and non-personal cards. I don’t have any non-personal cards yet, so i can not verify this, but it would make sense.

The third number, the actual card number always starts with F246300111, and then after that a seemingly random sequence. Probably just a manufacturing sequence, but there might be a repeating sequence in there, that is for instance area-specific.

The first number, for some reason seems to be worn out on most cards. I have a bunch of numbers, but on one card, which is apparently an early card, has an asterisk in the string, which is very interesting. All the other cards have numbers and/or letters.

About the updating, there needs to be a dynamic update that takes place on every transaction, because, the state of a card needs to be determined. A card can be blocked out by the transit authority people, if you’ve lost your card. This might happen on a daily basis (why do the readers have a buffer?), but i doubt it. I’m suspecting a wireless link, but that needs to be confirmed with a scanner or something akin to one, which can tell me if there is a frequency that is used.

The card has a buffer for a few fares, it seems. My old card, had a bug. It showed a transfer from two years ago, even if that transfer had expired. This is because, when you have a transfer, it can’t get cleared when the time runs out, before you swipe the card again. The card is unpowered when it is just sitting in your pocket. So the transfer sticks until you swipe it past a reader, and it notices that the time the transfer is valid is cleared. For some reason, either due to a garbled read/write operation, or a faulty reader, it didn’t clear the transfer, and it stuck for two years. I use my card on a daily basis, so there isn’t a long delay, except during the summer vacations.

It can keep a few transfers in the card memory (or then it could be in the system, but i doubt it), because at one of those big automats, i’ve seen two transfers on the screen. The card/system also has to store the card type, for instance, the special card types such as handicap, pensioner, student, and other such types. Mine has student on the card, even though that expired 31.8.2008. I’m not sure why that is not cleared.

The card also has a validity, which, for my card, ends 31.10.2015, probably 10 years after i got the card, since i got mine in 2005. Why this is done, im not sure. I’ll wait until 2015 rolls around, and see if they just replace the card, or just update that field. It might also be static, that is written on the cards intialization when you first buy it, or upon its creation.

The next phase i assume, is getting the mifare read/write device. I’m not at all sure about the interface, because it just looks like a pcb with no dicernible interfaces on it. It’s probably some kind of serial traffic, but .. i’ll need to read up more on it.

EDIT: The mifare system, on quick googling, seems to have some serious flaws. It uses crypto (crypto-1) that has been broken by the CCC guys over in Germany. Check out this link for more. Basically, the guys found that only a small part of the gates on the card (about 10 000 in total), are used for crypto. The random number generator is a 16-bit integer, which is seeded based on how long the card has been powered on. Using an open source reader, Openpcd, they could use the same random number over and over again.

A cryptanalysis of the crypto protocol is here, by Karsten Nohl of ccc. The gist of this is that you can recover the secret key in mere minutes using an average desktop machine. The cipher is a pretty basic 48-bit linear feedback shift register encryption. To find bits of the key, use a specific challenge sent to the card, and then examine the first bit of the response.  Using a number of test challenges, an attacker can recover the entire secret key.

Fun at the Office

Furby eats a Pentium III !
Furby eats a Pentium III !

This Furby was in our server room, but had to be removed due to it being a fire-hazard. So now i have it on my desk, munching on old hardware.

General stuff, and the Matkakortti

A new machine was added today, a Sun Netra X1. It’s basically like a weak version of the Netra T1 that i got earlier. I’m not sure what i’ll do with it, but those Sun machines are pretty cool looking, so i couldn’t pass it by.

The specs are basically, a 500 Mhz Ultrasparc IIi, 512 RAM, and two IDE disks. No floppy or CD, and two NIC ports plus a serial interface and two USB ports. It could run something like Sun Solaris 8, 9 or 10, or it could run say, the Debian SPARC port. It would take up a light network task perhaps.

In other news, i’m thinking of ditching Windows 7, because it sucks. I’m serious. The transfer speeds with any drivers that are available, are appalling. I was moving a file and it was doing it at around 2.6 MB/s. Booting to ubuntu, i got speeds between 25 and 40MB/s. How can this be? And in Ubuntu, i don’t even have to install drivers, or think about write caching, or anything else. It just works. So i can’t understand how this shit can be that difficult? I have a modern motherboard, with a modern chipset. The disks are capable of more.

I’m probably replacing the P4 rig inside Agrippa, with the Athlon 64 3700+, simply because i think there’s something wrong with the IDE controller on that P4 board. The two drives in one of the IDE-busses keep disappearing randomly, which makes booting anything from them very challenging.

I’m working on making a server for the intranet, as Agamemnon took a place in the DMZ. The inside server would take care of DHCP allocation, and DNS. There would also be a pf machine (possibly one of the Sun machines?) that would handle traffic coming in and going out from my internal network.

I’m starting in earnest to investingate the Matkakortti system that we use here in Finland. It’s equivalent to the US and Chicago Metrocard system, except that system is primitive, and based on a magstripe and reader, where as Matkakortti uses an RFID chip to send and receive data.

What i’ll start doing now is the following: I’ll collect the numbers of cards and compare them to see if there’s a difference in the two main card types. The types are the personal card, which is bound (and contains) the information of the cardholder, and the non-user-specific card, which is more expensive, but can be transfered between people in a family for instance. The card numbers should contain some information, as it’s a very long string; a lot longer than the amount of cards in circulation.

The card is only used in the capital region. There has been talk of making it Country-Wide, but financial hurdles have so far prevented them from deploying it everywhere. Figures…

Another thing i want to investigate is, getting a device that can tell me if a frequency is transmitting or not. Then,  i could see how long the burst of data is between the reader and the card when you show it to the reader. The next part would be to get a reader, and look at the actual data, i.e. send out 13.xx mhz to the card, and watch what it sends back. It’s probably encrypted, but it can’t be too encrypted, since we are dealing with a very simple, quick system.

Also, i’d like to find out how the busses communicate with some central entity, in order to keep track of what’s on your card. A personal card can be recovered at certain service desks, and they have the exact up to date information on what is on your card. For a fee of 5 euro, to recoup the cost of the card, they’ll give you a clone of your lost/missing/stolen card, and deactivate the old card. This tells me they can do a system wide lock of a certain card number, as well as know the specifics of your card.

The readers themselves have a buffer, because i’ve encountered one beeping constantly and displaying a “Buffer full” message on the screen. The device was locked out and could not be used. Supposedly, the beeping only stopped once the thing was turned off, and then needed to be emptied/reset by a technician. I’ve only seen it once, which leads me to believe that there is a set buffer for a device, and that it perhaps uploads once or twice a day, depending on the line. But how does that work then? It wouldn’t be completey up to date in that case.

The other alternative is that it does send data constantly through some wireless link (the trains are bound to have a link for control purposes, some RF thing), and that the reader had just faulted somehow and not handled the buffer as usual, filling it up with people’s swipes.

It’s an interesting system. As an example, here are the three numbers displayed on the backside of my card:

In the top left edge: 042405535

In the middle: BUSCOM 0523

In the top right corner: F2463001111154998100

If you have a card and want to help me out, send me the info from your card to grelbar ( äet ) grelbar (dot) net.


When you have a powerful processor such as the AMD Phenom, you really want to use the full fucking force of that thing. It’s kind of like keeping a Ferrari in the garage the whole year if you don’t.

So i figured, how much difference would it make, if you benchmarked one core (out of four), versus the full four cores. I ran some tests using John The Ripper, which should be fairly good at loading the processor, as it’s mostly just grunt-work. I added on the MPI patch, which allows you to use the mpich2 framework to run John on multiple processors/threads and even on a cluster of machines over the network.

The result on one core was i think 4400 raw MD5 hashes per second (correct me if i’m wrong here), where as on all four cores, using 8 threads, the result was an impressing 27400 hashes per second. I have no idea how it technically works, but i can say from the ./john –test benchmark mode that it was indeed faster.

Comparing to an older machine, Agamemnon, which was two 3.0 Ghz Xeon’s (the first 64 bit ones i think), the result on both cores, 4 threads, was ~11 000 hashes per second.

It was nice seeing all four cores at 100% load for the duration of the test. Normally, just one is used, and the others do “something”, between 0-20% in load, while one core is used more fully.

To run john the ripper like this, i did the following (i’ll document this here, because MPI’s site didn’t have all that good a documentation):

  1. Use your favorite package-manager to download at least OpenSSL, and the mpich libraries (do a search, and get the ones listed -dev), or download and compile if you do it that way
  2. Download and compile john the ripper, with all necessary patches (such as the MPI and Jumbo-patch). Be sure to use the machine-type as correctly as possible when you issue make, e.g. make clean linux-x86-64, for a 64 bit version. Issuing the make command alone will give you a list of the supported architechtures.
  3. Download and compile the mpich2 set. Download any dependencies, should you need them.
  4. After this, create in your home directory the file .mpd.conf, and chmod it to 600.
  5. Start mpd using mpd &
  6. Go to the run directory under the John main directory, and issue for instance mpiexec -n 8 ./john –test . This will run the benchmark mode of John the Ripper, using the mpiexec plaform, and running 8 processes. Depending on your processor, you may want to change this number.
  7. PROFIT!

Off the Hook!

Yesterday was Wednesday, and that means, at 2 AM Thursday’s Finnish time, 7PM Eastern Standard Time in New York, “It’s time once again, for Off the Hook”. Yeah, that’s the show I’ve listened to for a good number of years, regularly. Now, I’ve been downloading the old episodes, since 1988 up to today, so that I can say I’ve heard it all. I’m presently listening to the June 2005 episodes, which means I have a few more years to go.

Yesterday was a fund raising episode, which means they ask callers to call in and support the radio station (WBAI 99.5 Mhz in New York). The station is entirely listener sponsored, and with a donation of 25 dollars (approx. 18 euro) you become a member of the station. This means that you get to vote in the elections for the board of the station. Also, you usually get a premium for your troubles. A premium is a gift of sorts, something to help ease the process of parting from your hard-earned cash.

Different shows on WBAI offer different premiums. This episode, Off the Hook offered the following pledges: For pledges 25 dollars and above, you get the Off the Hook t-shirt, and you become a member of the station. For 75 dollars, you could get the t-shirt, the membership and a set of DVD’s with video from this years Notacon convention. For 125 dollars and above, you got the aforementioned, plus a DVD set that contains all the episodes of Off the Hook. I pledged 25 dollars, and i hope they’ll ship the t-shirt to Finland…

But really, the station is worth keeping on the air, so I’d donate just for that. If they don’t make enough money to pay for the transmitter fees and licenses to keep a station like that in the middle of the dial in New York (with transmitters on top of the Empire State Building (previously the WTC…)). I’ve listened to about a thousand episodes, and I can vouch for those guys.

Take a listen at

New Additions to La Familia

Oh and what a great day it is. Why, you may ask? Well the reason is rather simple. I’ve got new hardware.

Let me lay it down in terms that are easy to comprehend. Three new machines, all of them in working condition, some perhaps in need of cleaning or minor overhauls, but three solid machines none the less. I’ll post pictures tomorrow or something. It’s getting rather late, and i don’t wanna crack out the camera anymore.

The machines will be named according to Babylon 5 space-ship names. No, i don’t have a series going, i just pick whatever sounds cool. I have one other space-ship named computer from before, my Sun Netra T1, called Sulaco, after the ship in Aliens. The new computers, in order of greatness are: Agamemnon, Agrippa, and Damocles. Let’s break those down in to main specs:

Agamemnon: This is a very nice piece of work. An HP Proliant ML350, that hosts two 3.0 Ghz Xeon procecssors, and 4 gigs of DDR. It all sits in a sleek dark grey case, that really looks like a server. It has two redundant power supplies, and a four disk RAID array.

Agrippa: A custom built “server”. Actually it’s just an old workstation. A 2.8 Ghz Pentium 4, with 2GB or RAM, sitting in a nice Antec Full Tower. It has five disks. Nothing fancy, but it has a nice case!

Damocles: This is an interesting little thing. It’s a Sun Blade 100. Despite the name, it’s not a Blade-server (i wish it were, trust me!), but a Sun workstation, that has a 64-bit Sun UltraSPARC IIi, running at 500Mhz. In a previous life, it used to run backups or something. It looks pretty cool, and i think i’ll put something like OpenSolaris (if it fits) on the machine, or.. just try something neat.

So that concludes today’s hardware roundup. Tomorrow: pictures of these puppies, and maybe i’ll have made up some kind of uses for these. I’m pretty certain Agamemnon will replace Dorsia as the main server on the network for a few reasons. It’s more modern, eats less power, and it’s quite a bit more silent than the 6 disk Dell Poweredge, which can be a noisy bitch. Agrippa will probably be converted in to a test workstation for the network, with a nice amount of memory and HD. Damocles on the other hand will become some secondary side-project, that will take place at a later date.

From the left: Damocles, Agamemnon and Agrippa
From the left: Damocles, Agamemnon and Agrippa

Plantronics 925 Bluetooth handsfree

At work today, i was tasked connecting a US bought (AT&T i was told) Plantronics 925 bluetooth headset, with a Finnish bought Nokia E71. This is an easy howto, to start with, so don’t expect magic. To connect the two in a bluetooth pair, you need to power on the Plantronics headset. This happens by pressing the multifunction button, that has the plantronic logo on it. You need to press it, and hold it for a good 5+ seconds. First, it turns on, displaying a blue light. Keep holding the button, until the device starts blinking in an alternating red and blue. This is the bluetooth-pairing mode, and the only state where you can even find the device.

This is only necessary for the initial pairing of device and headset. After this, it’s enough to just turn it on, by pressing and holding until the first blue light.

Your phone will ask for a pin-code, which in plantronic devices appears to be 0000 by default. Not sure you can change it, as the headset lacks any sophisticated controls, or screen. Once you have entered the four-zero pin-code, the devices will be paired, and you will be asked to confirm whether it’s okay to automatically establish the connection in the future.

The BBS Documentary

I was listening to Off the Hook (episode of May 14, 2009) and they had on there a premium for people pledging money for the station, where if you pledged 75 dollars or more, you could have the BBS Documentary on DVD.

This is a documentary on the BBS age. They interview a bunch of people who lived through that era during the 70’s and 80’s where people dialed in to these computers and could talk to people, share files and so on. It’s a whole culture, that existed before the graphical world wide web, which really kicked off in the early 90’s. I remember that time, though i wasn’t using BBS’s in the 70’s or 80’s, i was using them in the early 90’s.

The documentary looks amazing, i was looking at some clips from it. It’s for sale here, and you can get it in some cool-looking bundles, such as the DVD collection of ANSI art called “Dark Domain”, and another documentary called “Commodorks” for a total price of 60 US dollars, plus shipping.

The documentary is licenced under Creative Commons Attribution Sharealike licence (1), meaning: “Licensees may copy, distribute, display and perform the work and make derivative works based on it only if they give the author or licensor the credits in the manner specified by these. Derivative works have to be released under the same licence.” Because of this, you can download this documentary legally. But, if you like it (like i did), consider supporting the author, and getting the DVD or bundles from their site, which can be found here. If you want the download, you could use this torrent, or this site which offers a lot of formats, such as the open-source friendly OGG.

(1) Source:  Wikipedia, Creative Commons Licenses

Sneaky fuckers evade ad-blocking

The guys at , an otherwise great site for news on servers and datacenters, has invented some sneaky-ass way to prevent users from using adblockers. I had the adblock plugin on in Firefox, as i always do (the web is a fucking cesspool of spam), and i was reading the news on that site, when i noticed the layout was completely fucked.

I reloaded the page, and the same repeated, so it wasn’t a case of some elements not loading properly. I turned off adblock for that site, reloaded, and presto: the site looked as it usually does, but with ads. So i figured i’d block the ads only, and keep the site unfiltered in a general sense. Doesn’t work. The ads are dynamically generated, and the elements are never called the same, even if it’s the same exact ad-banner.

So i have to give up at the moment. I can’t block those ads.

There has been a lot of discussion on the consumers right to block a sites ads. Site owners claim adblockers are stealing their revenue possibilities. How can this be? People download adblockers for a reason…

A recent survey also finds that up to 20% of all internet users have purchased products advertised in spam-emails. That’s a crazy figure! Seems that spammers are the richest fuckers of the entire .com wastelands!