Cycling in the UK – Dispelling some myths

Those of you who know me are likely aware of my (un)healthy obsession with cycling. I regularly commute to work on my trusty steed, and will soon be upping my distance from a respectable 25 miles round trip to approximately 34 miles.

There are several reasons for my preference for the velocipede as a form of transport, which I should probably write a separate blog post on. For now, here are some highlights:

  1. Exercise
  2. Not being stuck on public transport
  3. Not being stuck in a car

Many myths abound regarding cycling in the UK, and so I thought I would try to sum up a few of them, and also provide some busting of said myths.

Cyclists shouldn’t ride in the road

For a person on a bicycle, riding in the road may be their only legal option. Riding on pedestrian pavements is against the law, unless these paths are marked as being shared use. You will find the occasional dedicated segregated cycle lane, which is certainly preferable to interacting with motor vehicles, but these are currently few and far between. And even if such shared use or dedicated infrastructure is present, these do not automatically exclude a person on a bicycle from using the main road. People on bicycles have the same rights to the road as people in cars, in vans, on mopeds, on motorbikes, and even on horses.

Some roads are explicitly no-go areas for people on bicycles, namely motorways, and roads that have signs posted restricting bicycles from using them.

Cyclists have to stay in the cycle lane

Some UK roads have markings that indicate what’s commonly known as a cycle lane. These usually come in two forms:

  • “Regular” cycle lanes. These are denoted by a dashed line separating it from “car lanes”. Other vehicles cannot enter or park in this lane “unless it is unavoidable” (Highway Code Rule 140)
  • Mandatory cycle lanes. These are separated from other lanes using a solid white line, and other vehicles cannot enter or park in them at any time (unless there are timing restrictions sign-posted).

These lanes, albeit sometimes useful, are not compulsory for people on bicycles. On my commute, for example, I often find these blocked by parked cars or other obstructions. In these cases I opt for the safer option of occupying the regular lane.

Cyclists need to stay to the left of the left lane

This is not only incorrect, but “riding in the gutter” is potentially quite dangerous. The UK Department for Transport endorses the concept of primary and secondary positioning for cyclists in the road (including as part of the Cyclecraft book):

  • Primary position: Occupying the centre of the lane, also known as “taking the lane”. This simultaneously makes you visible to vehicles behind you, and discourages drivers from attempting to pass you when it’s not safe.
  • Secondary position: No closer than 0.5 metres from the kerb, giving other vehicles space to pass you. You should only use this position if it does not negatively affect your safety.

In essence, if a person on a bicycle doesn’t think it’s safe for vehicles behind them to pass, they are fully entitled to “take the lane”. This is probably the most common situation where I find drivers get annoyed with me on London’s roads. They might feel like I’m obstructing them, but the truth is I am looking out for my own safety.

Cyclists run red lights and break other laws all the time

Some people on bicycles sometimes break the law. This is also true for people using other means of transport. Reliable statistics on what type of road user does the most red light jumping or law breaking are pretty hard to come by, it seems. Most interest-groups seem to be able to provide their own flavour of stats, such as the IAM and the LTDA. My own (non-statistically sound) experience is that some people fail to follow the rules of the road, irrespective of their chosen form of transport.

Cyclists have to give way to cars

As pointed out earlier, people on bicycles have the same rights on the road as any other road user. Car drivers have no automatic right above and beyond any other road users. This includes giving other road users their fair share of the road.

But drivers pay road tax, and cyclists don’t

Nobody in the UK pays “road tax”. It was abolished in 1937. Owners of vehicles might pay what’s known as Vehicle Excise Duty (VED), which is based on the amount of CO2 your vehicle emits. Although you might do some heavy breathing while cycling, you’re unlikely to ever find yourself producing enough CO2 to qualify for anything other than the £0 band (several modern eco-friendly cars fall into this category as well).

Road building and maintenance in the UK is funded through general taxation. As such, no particular type of road user contributes more than any other.

Cyclists hold up traffic

If you’re stuck behind a person on a bicycle, you’re likely going to feel like they’re in your way, and slowing you down. This may be the case momentarily, but once you’ve safely passed them you’ll have open road in front of you. In your regular rush hour traffic, this is likely not the case: you’re in a car, stuck behind lots of other cars.

Helmets are a no-brainer and should be compulsory

There’s a fair amount of debate regarding the efficacy of cycling helmets. Reliable data can be hard to find, and it’s open to interpretation.

Some countries have tried making use of cycle helmets mandatory, and this had a marked negative effect on the number of people cycling. As a result, it can be argued that the overall impact on the health of the general public suffers. Even the British Medical Journal has published on the matter.

I don’t believe helmets should be compulsory, as it discourages ordinary people from cycling. However, I will still wear a helmet as a personal choice for most of my cycling.

Cycling in the UK is horribly unsafe

When a person on a bicycle is killed on UK’s roads, it tends to get quite a bit of press coverage, and rightly so. These deaths are avoidable, and several countries are working towards eradicating all road deaths. Some might be tempted to blame the person on the bicycle for causing the incident (see any of the above myths for “reasons”), but unforgiving infrastructure is a far more likely culprit in many cases. A simple mistake by a driver, a person on a bicycle or a pedestrian can have horrible consequences, usually for the most vulnerable party involved in the incident.

Again, statistics can be interpreted; cycling in the UK is statistically quite safe, and is likely getting safer. There’s also the argument that the health benefits from increased physical activity far outweigh the negligible increase in risk.

So you’re saying we should get on our bikes?

Yes, absolutely! It’s generally safe, practical and a great way to get exercise. Most importantly, it can also be lots of fun!


Goodbye old VPS, hello Mythic Beasts!

For the past few years, I’d been leveraging a VPS provider based in Germany, with hosting in France. It was a big step up from my previous shared hosting provider, and let me take control of various aspects of my website and mail server setup:

  • Configuring (and hardening) the server setup, instead of relying on the hosting provider’s “OK for most people’s needs” setup
  • Leveraging my own properly signed SSL certificates, instead of needing to pay the hosting provider extra for the privilege
  • IPv6 support (sort of… more on that later)

At first, the move to the (old) VPS provider was a great improvement. They were even willing to provide me an IPv6 address, and responses to support tickets were pretty timely.

Then, about a year ago, signs that the honeymoon was over started appearing. Repeated IPv6 connectivity issues were initially met with quick responses, but kept occurring. Things got worse when the founder of the company got a full-time job at a (well-known) start-up. To cut a long story short, here’s a screenshot of my current support ticket queue:

Screenshot 2015-03-14 15.56.10

Yes, you read that right, those tickets are from July 2014, and have not been responded to. Needless to say, if you want to keep someone’s business, don’t ignore support tickets for eight months.

Enter stage left: Mythic Beasts

So I’ve moved to Mythic Beasts as my VPS provider. Several reasons compelled me:

  • They natively support IPv6. And they’re serious about it.
  • They support causes I can get behind, such as the RaspberryPi and CycleStreets.
  • They let me pick whichever OS I wanted (so I went for FreeBSD)
  • Reverse DNS management for both IPv4 and IPv6
  • Their support (so far) has been excellent. Even on a Sunday, when I’m sure they had better things to do.

I’m quite excited about this move, and hope my new home will serve me well (get it?).

FreeRADIUS-WPE and Quirky WPA Supplicants

I was recently on a wireless testing gig where I was faced with a relatively typical scenario: a corporate wireless network leveraging PEAP with MSCHAPv2 for authentication, and wireless clients that were configured to not check for a valid certificate when communicating with the RADIUS server.

My standard approach to this on Backtrack follows the one Robert Portvliet describes in his post Capturing and cracking a PEAP challenge/response with FreeRADIUS-WPE (go read it):

  1. Use hostapd to create a fake access point with the same SSID as the network we are targeting
  2. Use FreeRADIUS-WPE to act as a fake RADIUS server for our fake access point
  3. Get some clients to connect to you, and let FreeRADIUS-WPE perform its magic
  4. Grab the challenges and responses from the log file, and use asleap to brute force the users’ passwords

Unfortunately, asleap didn’t like the challenge and responses I was feeding it, returning:

    Could not recover last 2 bytes of hash from the
    challenge/response. Sorry it didn't work out.

This is quite annoying, and seems to happen with certain WPA supplicants in certain situations. One of these situations seems to be when you have Windows clients authenticating against an Active Directory backed RADIUS server. That’s a pretty common situation.

The reason for this (from what I can understand) appears to be how the MSCHAPv2 protocol works, and how some supplicants don’t entirely follow the rules. A great write-up of the protocol components was written by Moxie Marlinspike a while back: Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate.

For our purposes, we only care about how the client sends the username to the RADIUS server: a Windows supplicant that thinks it’s authenticating against Active Directory will send its username as DOMAIN\user, but it will compute its response to the server challenge based on just the username. FreeRADIUS-WPE by default doesn’t know this, and will assume that DOMAIN\ is part of the username. What we end up with is a challenge and a response that are computed using two different usernames.

So how do you get FreeRADIUS to handle this quirk with EAP clients? In /usr/local/etc/raddb/modules/mschap, add the following:

    with_ntdomain_hack = yes

This activates extra code in FreeRADIUS-WPE that strips the domain name off the username before doing its challenge/response computation, providing values that asleap can use.
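The username mismatch described above can be reproduced with the ChallengeHash() step from RFC 2759. This is an added example, not code from the original post or from FreeRADIUS-WPE; it uses the RFC's published test vector, and the function names and the DOMAIN\User identity are made up for illustration.

```python
import hashlib

# Test vector from RFC 2759, section 9.2 (user name "User").
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA-1 over both
    16-octet challenges followed by the user name."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def strip_nt_domain(identity: str) -> str:
    """Drop a leading 'DOMAIN\\' prefix, which is what the page says
    with_ntdomain_hack does (hypothetical helper, not FreeRADIUS code)."""
    return identity.rsplit("\\", 1)[-1]


def server_challenge(identity: str, ntdomain_hack: bool) -> bytes:
    """8-octet challenge the server side derives for the identity it received."""
    name = strip_nt_domain(identity) if ntdomain_hack else identity
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)


if __name__ == "__main__":
    identity = "DOMAIN\\User"  # constructed sample: identity as sent by the supplicant
    # The supplicant hashes only the bare user name when computing its response.
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "User")
    for hack in (False, True):
        server = server_challenge(identity, hack)
        print(
            f"with_ntdomain_hack={'yes' if hack else 'no'}: "
            f"server={server.hex()} client={client.hex()} match={server == client}"
        )
```

Without the domain stripped, the logged 8-octet challenge does not correspond to the one the client's response was computed over, which is why the logged pair is inconsistent.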