2025 Session Notes: Liberating Data
Speaker is part of a Slovenian team of 3 people freeing railway data.
They have created a journey planner for all Slovenian public transport and micromobility, without the help of the transport authority (app link: https://brezavta.si)
There is also a map of train position data, obtained mostly by web scraping (https://map.vlak.si)
Slovenian Railways tried to sabotage the map by adding numbers to the URLs; this was circumvented with a regex
After some time the old API was put behind Cloudflare and could no longer be accessed
A transport journalist wrote an article "Why do I know where my pizza is but not where my train is"
The CEO got embarrassed and made the map public
Scraping resumed using Cloudflare WARP, which bypasses Cloudflare's filters
Reverse engineering of the mobile app helped to get access to data
Slovenia has very good freedom of information laws, Germany doesn't
Various shorter stories of freedom-of-information cases in Slovenia, e.g. data being redacted with a sharpie and then scanned again, or a person bringing a scanner into the document viewing room
<RandomTangent>
Slovenia and Croatia use the MAPPER system, carried over from JŽ (implementation started in 1984); Slovenia virtualized it, Croatia is still on the mainframe
The website of Unisys Internet Commerce Enabler 12.2 was shown as an example of the MAPPER system
Some components of MAPPER in Croatia were unintentionally public until they were hacked on Christmas day; since then only a few endpoints are available through proxies (train delay & composition, UIC lookup)
Video "BISChat, an IA Integration and demo for Unisys BIS and ChatGPT" shown as an example of a MAPPER integration for ChatGPT
Slovenian Railways' web services are dotnet applications reading JSON out of MAPPER
Conclusion: MAPPER is cursed, it's amazing trains even run at all
</RandomTangent>
Some bus systems use unencrypted TETRA for position data, some use DMR or other protocols; this could be a useful source
Laws about listening to conversations are significantly stricter than those about listening to plain data transmissions
A Slovenian SOAP API had a "request access" button; access was granted quickly and allowed access to private information
Reporting was done to a related company instead of the government directly, to avoid police attention; the API got taken down, then came back up with a community-sourced endpoint whitelist
Telling people that Russia could have access to private data makes them suddenly care about data leaks
IP whitelists can sometimes be bypassed by accessing them from station Wi-Fi
ÖBB refused to hand over speed restrictions under freedom of information; further steps are planned
Getting ship data from the port of <> was difficult; in general in the maritime industry, every port has its own bespoke software
Madrid's transport authority turned their transport map into a picture. In reaction, the Android app was reverse engineered (a private key fell out) and hardcoded tokens and IPs were discovered
Many cases of looking at apps and seeing secrets pour out
- freedom of information laws (check your jurisdiction, might also include APIs!)
- public pressure (through media) often works great where asking nicely doesn't
- radio transmissions are usually unencrypted (bus or tram positions)
- apps are easy to reverse-engineer (see: the "questionable DB data session")
- when providers try to prevent you from accessing, there are always workarounds (Cloudflare Workers/WARP bypass bot checks, using public Wi-Fi to be in the IP whitelist, ...)