CraftByte

Security researcher, pentester, bounty hunter, broadcast engineer, train ticket nerd

🏳️‍⚧️

feel free to follow request, but have at least something on your profile

Pronouns
she/they

2026-02-09

Turns out both me and the CEO got sick at the same time... Thursday at 11:30 it is.

2026-02-02

@alina apktool works, then just run ubersigner in overwrite mode over all the apks

2026-02-02

Getting a call inviting me to a meeting with the CEO of Slovenian Railways-Passenger Transport was not on my to-do list for today...
Will update as the story develops.

2026-01-31

Time to head to FOSDEM! Lmk if anyone wants to meet up. Expect me at the railways and open transport track at least and feel free to ask me about modernizing your ticket barcodes, we have some great stuff coming out of the UIC recently.

2026-01-29

@h0m54r @q they have the same UTN but different outbound and return contents. I think zugli only uses the UTN as the unique key though.

2026-01-28

I lost it today after getting a decision from the ICO on extending the deadline for SZ to deliver the specifications to the court expert, but not why you probably think.

SZ requested a whole extra 90 days to be able to produce such documents and the ICO was not having it. They only got an extra 3 weeks (until February 16th).

Here is a direct (translated with DeepL and checked) quote:

(2) Before the expiry of the aforementioned deadline, on January 23, 2025, the public authority requested the Information Commissioner to extend the deadline by 90 days. In its request, it stated that the preparation of the documents had revealed that the data was very extensive, which significantly increased the amount of work, and therefore requested that the deadline be extended by 90 days due to the complexity and volume of the data.

(4) The Information Commissioner notes that the public authority submitted a request for an extension of the deadline before its expiry. In its request, the authority did provide specific reasons justifying the extension of the deadline, but not for the proposed 90-day period, as the authority should have allowed the court expert access to the aforementioned documentation already during the preparation of the expert opinion, which is why the proposed deadline is completely unjustified and the IP cannot grant it to that extent.

2026-01-21

@taavi Just make sure it is well documented as the primary *stares at Matrix and Gitlab outages*

2026-01-19

OH: “3-phase LAG”

#LeftClickLeaks #PlacLeaks #OH

2026-01-15

So, good news and bad news.
Good news: The expert witness seems to have agreed with me that the increased risk upon release would be minimal.
Bad news: We have found out that even SZ does not possess the specification, as it was never made. It was made by the external firm that made their ticketing system.
This means that we will now have to wait for SZ to request the specification from the software firm (which is not maintaining the system anymore, as it is now maintained by someone else) and send it to the expert witness for evaluation if there are any risks to their systems upon public disclosure. The expert witness already said at the hearing that if the barcodes only contain data that should be in there, like dates of validity, price, station IDs etc, there is basically no increased risk to the SZ system.
He also said that basically any database/key-value store for the data in the tickets does not increase the risk. Since we already sort of reverse engineered the tickets, we know that they don't contain any sensitive information that the expert witness deems sensitive (he said that would basically be DB connection strings, firewall configs etc, which should never be in a publicly scannable barcode).
The really bad news is that it seems we will probably have to pay for the expert witness work, even though SZ gave them the wrong documents. Altogether we expect this to probably be around 2-2.5k EUR, for which we have already paid a 1k EUR deposit. Hopefully the ICO at least decides in our favour in the end.

2026-01-13

Getting ready for the hearing about my Slovenian Railways FoI appeal and have just prepared and printed "half a kilo of procedure" (we are expecting the hearing to not allow digital devices due to procedure law). Wish me luck, reporting back tomorrow after the hearing.

2026-01-12

@hl Doesn't hvv have Apple and Google wallet support? I thought their passes allowed sharing. Otherwise, there is this great tool I helped create called Zügli :) xn--zgli-0ra.app/

2026-01-12

@maya has it considered our lord and savior Club Mate

2026-01-12

@paeiro they still offer it, but only via the app…

2026-01-11

@m They can also manually board you with your passport, just takes a little longer.

2026-01-11

@m They literally can't. IATA BCBP standards don't allow it. Also, the app only pulls their official Google/Apple Wallet passes, so they still also pass the "looks like one of ours" check by the gate agent. We learned somewhere that blue pass background apparently means priority boarding and they don't have that enforced in any other way...

2026-01-11

@bovine3dom CORS. I'd rather do them myself than use a sketchy CORS proxy.

2026-01-11

Since Ryanair now requires you to use their app to get a boarding pass or stand in line at the counter I got fed up with their BS.
I made an app that allows you to get the Google Wallet link and Apple Wallet pkpass (that you can also add to Android wallet apps) without their shitty app (online check-in still has to be done on the Ryanair website, I might make a tool that does that at some point as well).

Feel free to try it at ryanair.anze.dev.

You can find the source code at github.com/craftbyte/ryanair-b

2026-01-11

@CauseOfBSOD you can also use interrail on all UK domestic trains

2026-01-11

@bovine3dom @moof @q Just don't look at the source of that website or you will see what it was made in :D

2026-01-11

@interrailinfosvenska Other providers also check the digital signature and will fall back to that. There is also now the UIC eTCD database that stores IDs of revoked tickets (in case you screenshot an Interrail barcode and then cancel the travel day).
