
News Story About Lock Vulnerability: NY Times, LONG


Robert L. Bass

Jan 23, 2003, 9:39:55 AM1/23/03
This article quoted from NYTimes.com
Master Key Copying Revealed
January 23, 2003
By JOHN SCHWARTZ

A security researcher has revealed a little-known vulnerability in many
locks that lets a person create a copy of the master key for an entire
building by starting with any key from that building. The researcher, Matt
Blaze of AT&T Labs-Research, found the vulnerability by applying his area of
expertise - the security flaws that allow hackers to break into computer
networks - to the real-world locks and keys that have been used for more
than a century in office buildings, college campuses and some residential
complexes.

The attack described by Mr. Blaze, which is known by some locksmiths, leaves
no evidence of tampering. It can be used without resorting to removing the
lock and taking it apart or other suspicious behavior that can give away
ordinary lock pickers.

All that is needed, Mr. Blaze wrote, is access to a key and to the lock that
it opens, as well as a small number of uncut key blanks and a tool to cut
them to the proper shape. No special skills or tools are required;
key-cutting machines costing hundreds of dollars apiece make the task
easier, but the same results can be achieved with a simple metal file. After
testing the technique repeatedly against the hardware from major lock
companies, Mr. Blaze wrote, "it required only a few minutes to carry out,
even when using a file to cut the keys."

AT&T decided that the risk of abuse of the information was great, so it has
taken the unusual step of posting an alert to law enforcement agencies
nationwide. The alert describes the technique and the possible defenses
against it, though the company warns that no simple solution exists. The
paper, which Mr. Blaze has submitted for publication in a computer security
journal, has troubled security experts who have seen it. Marc Weber Tobias,
a locks expert who works as a security consultant to law enforcement
agencies, said he was rewriting his police guide to locks and lock-picking
because of the paper. He said the technique could open doors worldwide for
criminals and terrorists. "I view the problem as pretty serious," he said,
adding that the technique was so simple, "an idiot could do it."

The technique is not news to locksmiths, said Lloyd Seliber, the head
instructor of master-key classes for Schlage, a lock company that is part of
Ingersoll-Rand. He said he even taught the technique, which he calls
decoding, in his training program for locksmiths. "This has been true for
150 years," Mr. Seliber said.

Variations on the decoding technique have also been mentioned in passing in
locksmith trade journals, but usually as a way for locksmiths to replace a
lost master key and not as a security risk. When told that Mr. Seliber
taught the technique to his students, Mr. Tobias said: "He may teach it, but
it's new in the security industry. Security managers don't know about it."

In the paper, Mr. Blaze applies the principles of cryptanalysis, ordinarily
used to break secret codes, to the analysis of mechanical lock designs. He
describes a logical, deductive approach to learning the shape of a master
key by building on clues provided by the key in hand - an approach that
cryptanalysts call an oracle attack. The technique narrows the number of
tries that would be necessary to discover a master-key configuration to only
dozens of attempts, not the thousands of blind tries that would otherwise be
necessary.

The research paper might seem an odd choice of topics for a computer
scientist, but Mr. Blaze noted that in his role as a security researcher for
AT&T Labs, he examined issues that went to the heart of business security
wherever they arose, whether in the digital world or the world of steel and
brass.

Since publishing Mr. Blaze's technique could lead to an increase in thefts
and other crimes, it presented an ethical quandary for him and for AT&T
Labs - the kind of quandary that must also be confronted whenever new
security holes are discovered in computing. "There's no way to warn the
good guys without also alerting the bad guys," Mr. Blaze said. "If there
were, then it would be much simpler - we would just tell the good guys."

Publishing a paper about vulnerable locks, however, presented greater
challenges than a paper on computer flaws. The Internet makes getting the
word out to those who manage computer networks easy, and fixing a computer
vulnerability is often as simple as downloading a software patch. Getting
word out to the larger, more amorphous world of security officers and
locksmiths is a more daunting task, and for the most part, locks must be
changed mechanically, one by one.

But Mr. Blaze said the issue of whether to release information about a
serious vulnerability almost inevitably came down to a decision in favor of
publication. "The real problem is there's no way of knowing whether the bad
guys know about an attack," he said, so publication "puts the good guys and
the bad guys on equal footing."

In this case, the information appears to have made its way already to the
computer underground. The AT&T alert to law enforcement officials said that
a prepublication version of the paper distributed privately by Mr. Blaze for
review last fall had been leaked onto the Internet, though it has not been
widely circulated.

"At this point we believe that it is no longer possible to keep the
vulnerability secret and that more good than harm would now be done by
warning the wider community," the company wrote. There is evidence that
others have chanced upon other versions of the technique over the years.
Though it does not appear in resources like "The M.I.T. Guide to
Lockpicking," a popular text available on the Internet, Mr. Blaze said,
"several of the people I've described this to over the past few months
brightened up and said they had come on part of this to make a master key to
their college dorm."

Mr. Blaze acknowledged that he was only the first to publish a detailed look
at the security flaw and the technique for exploiting it. "I don't think
I'm the first person to discover this attack, but I do think I'm the first
person to work out all the details and write it down," he said. "Burglars
are interested in committing burglary, not in publishing results or warning
people."

Mr. Tobias, the author of "Locks, Safes and Security: An International
Police Reference," said that the technique was most likely to be used by an
insider - someone with ready access to a key and a lock. But it could also
be used, he said, by an outsider who simply went into a building and
borrowed the key to a restroom. He said he had tested Mr. Blaze's technique
the way that he tests many of the techniques described in his book: he gave
instructions and materials to a 15-year-old in his South Dakota town to try
out. The teenager successfully made a master key.

In the alert, AT&T warned, "Unfortunately, at this time there is no simple
or completely effective countermeasure that prevents exploitation of this
vulnerability, short of replacing a master-keyed system with a nonmastered
one." The letter added, "Residential facilities and safety-critical or
high-value environments are strongly urged to consider whether the risks of
master keying outweigh the convenience benefits in light of this new
vulnerability."

Other defenses could make it harder to create master keys. Mr. Blaze said
that owners of master-key systems could move to the less popular master-ring
system, which allows a master key to operate the tumblers in a way that is
not related to the individual keys. But that system has problems of its own,
security experts say. Mr. Blaze suggested that creating a fake master key
could also be made more difficult by using locks for which key blanks are
difficult to get, though even those blanks can be bought in many hardware
stores and through the Internet.

But few institutions want to spend the money for robust security, said Mr.
Seliber of Schlage. His company recommends to architects and builders that
they take steps like those recommended by Mr. Blaze, measures that make it
more difficult to cut extra keys - like using systems that are protected by
patents because their key blanks are somewhat harder to buy, Mr. Seliber
said. Even though such measures would add only 1 to 2 percent to the cost of
each door, builders were often told to take a cheaper route. He said that
they were told, "'We're not worried about ninjas rappelling in from the
roof stuff - take it easy.'"

That is not news to Mr. Blaze, who said it was also a familiar refrain in
the world of computer security. "As any computer security person knows," he
said, "in a battle between convenience and security, convenience has a way
of winning."

Submitted by Robert L Bass.

Regards,
Robert L Bass
=============================>
Bass Home Electronics
ASA Approved Vendor
http://www.Bass-Home.com
2291 Pine View Cir
Sarasota, FL 34231
877-722-8900 Sales & Support
941-925-9747 Fax
rober...@comcast.net
=============================>
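The "oracle attack" paragraph of the article above (learning the master key one position at a time, in dozens of tries rather than thousands) in runnable form. This is an added simulation, not code from the article, the Times, or Blaze's paper. The lock model is the standard pin-tumbler master-keying scheme, in which a master wafer in each pin stack gives that position a second shear line, so a key opens the lock when every cut sits on either the change-key depth or the master depth. The 7 depths, 6 positions and the sample bittings are constructed for illustration and are not any manufacturer's real values.

```python
"""Added simulation of the master-key 'oracle' attack on a master-keyed
pin-tumbler lock.  Not code from the article or from Blaze's paper.

Model (standard pin-tumbler master keying): at each pin position the stack
holds an extra 'master wafer', so the lock has two acceptable cut depths
there, the change-key depth and the master depth.  A key opens the lock when,
at every position, its cut matches one of the two.  Positions are checked
independently, so the lock leaks the master depth one position at a time.
"""

DEPTHS = 7      # assumed number of cut depths per position (0..6)
POSITIONS = 6   # assumed number of pin positions


class MasterKeyedLock:
    """A lock that knows its own change key and master key."""

    def __init__(self, change_key, master_key):
        if len(change_key) != len(master_key):
            raise ValueError("change and master keys must have equal length")
        self._change = tuple(change_key)
        self._master = tuple(master_key)
        self.tries = 0  # keys inserted so far; the attack's cost metric

    def opens(self, key):
        """The oracle: True iff every cut sits on one of the two shear lines."""
        self.tries += 1
        return len(key) == len(self._change) and all(
            k in (c, m) for k, c, m in zip(key, self._change, self._master)
        )


def recover_master(lock, change_key, depths=DEPTHS):
    """Rights amplification: from one change key, recover the master key by
    varying a single position at a time.

    For each position, cut a test key identical to the change key except at
    that position and try every other depth.  The one alternate depth that
    opens the lock is the master depth there.  If no alternate depth opens
    the lock, the master and change keys share that cut (a 'constant'
    position), so the change-key depth is kept.
    """
    master = list(change_key)
    for pos in range(len(change_key)):
        for depth in range(depths):
            if depth == change_key[pos]:
                continue                      # the change cut opens by definition
            test_key = list(change_key)
            test_key[pos] = depth
            if lock.opens(test_key):
                master[pos] = depth
                break
    return tuple(master)


def max_oracle_probes(depths=DEPTHS, positions=POSITIONS):
    """Upper bound on lock insertions the oracle attack needs: n * (d - 1)."""
    return positions * (depths - 1)


def blind_search_space(depths=DEPTHS, positions=POSITIONS):
    """Number of distinct keys a blind search would have to consider: d ** n."""
    return depths ** positions


if __name__ == "__main__":
    # Constructed sample bittings, not real ones.  Positions 0 and 3 are
    # constants (same cut on both keys) to exercise that edge case.
    change = (1, 3, 5, 2, 4, 6)
    master = (1, 6, 2, 2, 0, 3)
    lock = MasterKeyedLock(change, master)
    found = recover_master(lock, change)
    print("recovered master:", found, "correct:", found == master)
    print("lock insertions used:", lock.tries,
          "bound:", max_oracle_probes(), "blind space:", blind_search_space())
```

With 6 positions and 7 depths the attack needs at most 36 insertions against a blind space of 117,649 keys, which is the "dozens, not thousands" the article reports; the sample run above uses 26. Real systems add constraints (adjacent-cut limits, depths reserved for other levels of the system) that only shrink the candidate set further. The practitioner's check is that the recovered key is proven only against the lock that was probed; trying it on a second lock in the same system confirms it is the system master rather than a cross key that happens to open that one door.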


AlarmReview

Jan 23, 2003, 1:42:38 PM1/23/03
>From: "Robert L. Bass"

>Master Key Copying Revealed

Isn't Matt Blaze the guy that wants unrestricted exchange of cryptology
equipment to foreign countries? Sometimes I think he comes up with this stuff
just because he can. It's like the hackers who hack because they can, they
don't think they are doing anything wrong. In his case, he's a bit tamer
because he works for AT&T labs with a steady paycheck, otherwise, who knows
what he would be doing. The MIT guide (interesting reading) is enough for
public distribution, his latest report serves no purpose for public disclosure.
It's like publishing a report detailing how you discovered a way to disarm all
alarm panels at the keypads. It's good that we know it's possible so
manufacturers can correct it, it's another thing to publicly publish it.

Rob-
Security Review Group
"Helping you secure your security"
Security Review Group provides independent security consulting, and is not
affiliated with any selling, installing, monitoring or servicing company.

Robert L. Bass

Jan 23, 2003, 3:46:14 PM1/23/03
Blaze is a research scientist with AT&T. He's among the most respected
authorities on computer security. He has written numerous treatises on the
subject.

In a deposition taken from Blaze as an expert witness as part of FELTEN v
RECORDING INDUSTRY ASSOCIATION OF AMERICA, INC, he made the following
statements which have been widely misinterpreted by the press and others
with little understanding of the subject:

"It is only by a thorough understanding of how real systems
fail in practice that we are able to develop design principles for
more secure systems in the future. Because there are no systematic
techniques for ensuring the correctness of most aspects of secure
systems architecture, research toward discovering vulnerabilities
in systems as they are actually designed and implemented is absolutely
essential for the advancement of the field. Scientific progress
in this discipline necessarily depends upon the exploration of
computer system weaknesses and the publication of the knowledge
learned.

"Research results on vulnerabilities in existing and proposed
systems can often be generalized to apply to other designs. The
impact can be far-reaching and can sometimes mean that broad classes
of systems previously thought to be secure have to be abandoned or
re-engineered. For example, around 1990, two Israeli scientists,
Eli Biham and Adi Shamir, discovered a technique, called "differential
cryptanalysis," that could be used, in theory, to more quickly
"break" messages encrypted under the US Government's Data Encryption
Standard. Their technique turned out to be applicable to most of
the publicly known secret-key block cipher algorithms in existence
at the time. The results of this research were dramatic: many
algorithms previously thought to be secure had to be abandoned,
but new algorithms were from then on designed specifically to resist
the technique. Research leading to such results is not condemned
or discouraged for its potential short-term disruptive effect by
the scientific or academic communities. On the contrary, such work
is universally admired and valued for its essential contribution
to our knowledge of how to design good systems.

"It should not be surprising, as paradoxical as it may seem
at first blush, that researchers and other scientists who study
security and privacy customarily embrace and value openness and
wide publication even of results that expose vulnerabilities. Such
publication represents the natural advance of knowledge in a
relatively new field of scientific study.

"Security researchers are drawn from many different disciplines,
come from a wide range of backgrounds, and enjoy a variety of
employment situations. Some are mathematicians, others are computer
scientists, while others come from other engineering and science
fields or from different areas entirely. Many hold advanced degrees,
and a significant number are employed in a traditional academic
environment. Many work in commercial and government research
laboratories, while some hold employment outside the traditional
research environment. It is not uncommon for students and
non-academics to make significant contributions to the field. The
set of individuals with a legitimate need to test systems for
vulnerabilities and publish their results is not at all limited to
those holding academic credentials or advanced educational or
professional status.

"Security researchers, like all scientific and engineering
researchers, necessarily rely on open publication of the knowledge
learned as the means for communicating with one another and for
measuring progress in the field. Publication customarily occurs
across a variety of venues and forums, including refereed journals,
peer-reviewed conferences, workshops, public lectures, "work in
progress" talks, issuance of technical reports, and over the Internet
and email discussion groups. Researchers are judged, and advance
professionally, largely based on their publication records. Other
scientists depend upon having access to other researchers' results
to evaluate and build upon the existing base of knowledge. Many
scientists have come to depend upon the Internet as a primary mode
of distribution because of its speed, low cost, and global reach."

This is not some oddball character who wants to give away our secrets.
Rather, he's a scientist whose main area of interest is the design of
hack-resistant security and cryptographic systems.

There has always been a tug of war between those who believe secrecy is the
best way to keep a system secure and those who believe in open source
security, subject to intense peer review and public scrutiny. With even my
rudimentary understanding of the principle involved, derived from over 25
years in the industry and untold hours dealing with PC security issues, I
concur with Blaze.

> Isn't Matt Blaze the guy that wants unrestricted exchange of
> cryptology equipment to foreign countries? Sometimes I
> think he comes up with this stuff just because he can.

It's his job to assess security weaknesses and find ways to plug them.

> It's like the hackers who hack because they can, they
> don't think they are doing anything wrong.

The only thing he has in common with hackers is he learns how they work so
he can beat them. It's like police detectives studying the habits of
smugglers so they can find out how they bring their garbage into the country.

> In his case, he's a bit tamer because he works for AT&T labs
> with a steady paycheck, otherwise, who knows what he would
> be doing.

He'd probably be working for the FBI or the CIA, except they don't get guys
with his credentials very often. :^)

> The MIT guide (interesting reading) is enough for public
> distribution, his latest report serves no purpose for public
> disclosure.

If you refer to the report on lock mastering, it serves to let security
professionals know what thieves already know. Or would you prefer that only
thieves know how to do this? By publishing the report he alerts and enlists
countless security professionals so they can study ways to plug the hole.

> It's like publishing a report detailing how you discovered a way
> to disarm all alarm panels at the keypads. It's good that we know
> it's possible so manufactures can correct it, it's another thing to
> publicly publish it.

If you or I could devise such a method, it's a safe bet -- no, make that a
certainty -- that others with bad intentions can and will likewise discover
the method. By making it public you alert alarm owners to the danger,
allowing them to take preventative measures, such as physically securing the
keypads or whatever. Keep it a secret and only the hackers will know.

Robert L. Bass

Jan 23, 2003, 4:26:57 PM1/23/03
Upon reading this after posting it, I realize it sounded as though I was
saying that *you* have "little understanding of the subject." That was not
my intention. That was directed at others outside the industry who have
bad-mouthed Blaze and other responsible scientists. I apologize for the
implied slight.

AlarmReview

Jan 23, 2003, 7:18:10 PM1/23/03
>From: "Robert L. Bass"

>Upon reading this after posting it, I
>realize it sounded as though I was
>saying that *you* have "little
>understanding of the subject."

Didn't take it that way.

I agree Matt Blaze is by far one of the best computer security scientists we
have. My concern was more that the problems he found should not be publicly
disclosed at this time. That's why I alluded to him publishing it just to say
he did it. I'm also confused that in his deposition to federal court in the CA
case against the State Department's ban on exporting certain information and
equipment, he stated that it's only by spreading the deficiency information
that a fix could be found in a timely manner and fixed. He also made reference
to the relatively easy accessibility of hacking information and the virtual
overnight spreading of this information. If it wasn't for the ability for a
flaw to reach millions in an hour, the need for the deficiency to be known could
be kept secret until a fix is found. I just feel that this lock problem is not
being exploited to the point of needing public disclosure.

As it relates to alarms, we know there are people who are trying to find a
method around motion detectors, aluminum foil, electric blankets, etc. But
compared to the number of actual burglars, it's a minute number. If a
deficiency in a motion is found, it may take manufacturers some time to correct
it, and may require the replacing of motions. By the time it's widely known
how to defeat a motion, the manufacturers probably already have a fix.
Computers, on the other hand, are another story. There are thousands of
hackers working day and night, from the techno-hacking geeks, to little Jane
down the street. By the time someone publishes a flaw, thousands have already
exploited it and moved on to something else. The fix is a simple patch. Not
so with alarms and not so with locks.

So if Matt publishes his findings, he's taking a generally unknown problem and
instructing others, who may never figure it out on their own, on how to do it.
Let's take the motion. If he knows that by using a tuning fork surrounded by
peanut brittle it would defeat the motion, how many people know about it or
would figure it out on their own? For that matter how many would even care how
to defeat a motion? But if it's publicly published, how fast do you think
peanut brittle will disappear off the shelves?

>If you refer to the report on lock mastering, it serves to let security
>professionals know what thieves already know. Or would you prefer
>that only thieves know how to do this?

But all locksmiths already know this. What the MIT manual did was give
instructions to some people on how they also could do it. What about all those
thousands who try the MIT procedures and find it doesn't work on their locks?
Do they sit around trying to defeat it? Probably not. They go back to hacking
computers and having a kegger. But what Blaze is doing is saying, O.K., a
million people know about the MIT manual, maybe only a thousand are successful
because of changes in lock technology and design, so I'm going to publish those
features so those who couldn't create master keys under MIT, could do it now.

Once again, I'm not saying he's an idiot, I'm saying it's premature to release
the information while so few know about it. Computer security flaws are closed
by downloading a patch, How long will it take to replace a billion locks?

Can you picture Dad's face when he walks into the bedroom and finds stuff
from the neighbors' houses and Little Jane is sitting on her bed with a hunk of
metal and a file.

Southern

Jan 23, 2003, 8:06:24 PM1/23/03
"AlarmReview" <alarm...@aol.com> wrote in message
news:20030123191810...@mb-fh.aol.com...

What the press article missed was that you really need to know a fair amount
about locks to do it efficiently. Anybody who worked in physical security
knew about it too.

The computer security world learned in the last few years that without
public disclosure, some of the big companies would do nothing. Public
disclosure was the only way to get them to act. The blast a MS VP let forth
("risking the national infrastructure") when a bunch of holes in IE were
announced was scary until it was pointed out that the company knew about
them and was not intending to fix them.

Southern
(Who has a master keyed house)


Robert L. Bass

Jan 23, 2003, 8:40:45 PM1/23/03

"AlarmReview" <alarm...@aol.com> wrote in message
news:20030123191810...@mb-fh.aol.com...
> >From: "Robert L. Bass"
>
> >Upon reading this after posting it, I
> >realize it sounded as though I was
> >saying that *you* have "little
> >understanding of the subject."
>
> Didn't take it that way.
>
> I agree Matt Blaze is by far one of the best computer security scientist we
> have. My concern was more that the problems he found should not be publicly
> disclosed at this time...

That is exactly the point of contention. There are those who believe that
security "holes" should be kept secret. I understand the concern since I'm
in the security business. But there are very strong reasons to make
computer security methods public. Only by open source security (where
anyone competent can understand how it works) do we develop progressively
stronger, hack resistant systems.

For years most of the major PC and network security techniques have been
public information. Hackers will most assuredly figure them out anyway.
But *real* security can't be broken even by someone who knows exactly how it
works.

Trying to keep things a secret is like hiding the key under the mat. A
thief will eventually stumble on it. After a while so many thieves will
have stumbled upon it that the mat will become the first place they look for
the key. Now suppose the door couldn't be opened without the key PLUS a
128-bit code or perhaps a GUID (Guaranteed Unique ID). Sure the thief will
know where the key is. He might even know how the lock works. But without
that GUID he's still standing on the doorstep and your goodies are still
inside.

Now let's suppose that the thief has lots of time on his hands. He builds a
device to run through all 3.4x10^38 possible codes in your 128-bit system
in an hour or so. After a while he's going to get in, regardless if you
have hidden the key under the mat.

There are also hundreds of security engineers around the globe trying to
find out how to crack the 128-bit encrypted lock. A couple of them discover
that by building a device (the same one the thief is working on) they can
crack the door. They publish their findings in SDM. You read the article
and realize that you can make the lock better by adding a few tricks to
outwit the thief's method. You install the new stuff and the thief is still
out in the cold.

If it hadn't been for those engineers discovering and publishing the "hack"
you would not have known about it. The thief would have built it eventually
and he'd have some fine, used stereo gear in his living room. Yours would
just have fade marks on the carpet where the speakers used to stand. :(

I realize this is an over-simplification of things but hopefully the analogy
conveys the "other side" of this issue.

> That's why I alluded to him publishing it just to say he did it.

Naah. Computer scientists publish this stuff because that's how they gain
knowledge -- by sharing with the rest of the world. It's a reciprocal thing
and it works.

> I'm also confused that in his deposition to federal court
> in the CA case against the State Department's ban on
> exporting certain information and equipment, he stated
> that it's only by spreading the deficiency information
> that a fix could be found in a timely manner and fixed.

He's right. Besides, the stupid ban on exporting 128-bit encryption is a
joke. The bad guys already have it. They stole it as soon as it came out.
Bad guys don't give a rat's ass about the law. By prohibiting
distribution we only shut off sales to the good guys.

> He also made reference to the relatively easy accessibility
> of hacking information and the virtual overnight spreading
> of this information...

True again. Hacks are often spread faster than new releases. Only by
making hacks known to a maximum number of competent scientists can the good
guys stay ahead of the crooks.

> If it wasn't for the ability for a flaw to reach millions in an
> hour, the need for the deficiency to be know could be kept
> secret until a fix is found...

But the bad guys already *do* spread the deficiencies immediately. You
don't want to muzzle the good guys when the hackers are running free online.

> I just feel that this lock problem is not being exploited to
> the point of needing public disclosure.

The problem is that no one is doing anything about it. Worse, even when new
anti-hack lock schemes are developed there will already be tens of millions
of exploitable locks in service. Only by alerting security people and those
who need protection can we hope to avert major crises. It is virtuaklly
impossible to let every responsible party know this stuff by means of secret
warnings. No one even knows who to tell. By making it public at least
those who need to know have a chance of hearing the warning. Without it,
sooner or later someone gets into the wrong part of a chemical plant, water
treatment facility or whatever. You have to *assume* that the bad guys
already know about it or soon will, regardless if Blaze kept it under his
hat. In fact, there have been discussions of this "bug" on the Internet
long before he did his report.

> --- snip ---


> So if Matt publishes his findings, he's taking a generally unknown
> problem and instructing others...

The thing is it's not an unknown flaw. Thieves already know about it. The
ones who *didn't* know are mostly security professionals. :^(

> But all locksmiths already know this. What the MIT manual did was give
> instructions to some people on how they also could do it.

Are you sure that *all* locksmiths already knew about it? What about all
the corporate security managers at all the major structures in the country
that rely on a mastered locking system?

KD

Jan 24, 2003, 6:42:50 AM1/24/03
Maybe not all locksmiths knew about it, but the majority of experienced
professionals do.
Keep in mind that having a theory and putting it into practice are two
different things. To say that a person could make a top level master key in
just a few minutes with a few key blanks is ridiculous. Sorry, but both the
Times reporter and Mr. Blaze are sensationalizing. It's not likely to
happen out in the world; too much of a task and too time consuming.
And, no offense to Mr. Blaze, but the article makes him look kind of
foolish. Quote: Mr. Blaze said, "several of the people I've described this
to over the past few months brightened up and said they had come on part of
this to make a master key to their college dorm." Is it a surprise that it
was leaked onto the internet?
My opinion.

"Robert L. Bass" <rober...@comcast.net> wrote in message
news:qimdnSmfTc4...@giganews.com...



Robert L. Bass

Jan 24, 2003, 8:58:58 AM1/24/03
> Maybe not all locksmiths knew about it, but the majority of experienced
> professionals do.

How many have you polled? :^)

> Keep in mind that having a theory and putting it into practice are two
> different things. To say that a person could make a top level master key
> in just a few minutes with a few key blanks is ridiculous.

Hmm. Sort of like saying that an end user can be taught to install and
program a P9600, huh? And yet... I do it every day.

> Sorry, but both the Times reporter and Mr. Blaze are
> sensationalizing. It's not likely to happen out in the
> world;...

Hmm. He talked to college students who said they were using it to master
the dorm keys. I guess maybe it is likely to happen. The only question is
when will it result in a major loss -- say an unauthorized access to a
chemical or bio research storage room? Obviously, if a bunch of college
kids already knew about it, serious bad guys must also know.

So, if college kids and most locksmiths knew, who didn't know? Facilities
security managers -- the people responsible for deciding what kind of
physical and electronic security systems will be implemented -- apparently
did not know. Tic, tic, tic...

> too much of a task and too time consuming...

Not according to the story I read. Apparently, someone with the right
knowledge can do it fairly easily with ordinary hand tools and a few key
blanks. This may not directly impact the average home owner, but it sure as
heck has the potential to impact society at large if the manufacturers are
not forced by public pressure to do something about it.

> And, no offense to Mr. Blaze, but the article makes him look kind of
> foolish. Quote: Mr. Blaze said, "several of the people I've described
> this to over the past few months brightened up and said they had come on
> part of this to make a master key to their college dorm." Is it a surprise
> that it was leaked onto the internet?
> My opinion.

Actually, Blaze stated that the technique was already known before he
experimented with it. He didn't discover the method. He just analyzed it
and came up with a mathematical model of the process. His was also not the
first paper on the subject. It *was* the first to thoroughly examine the
flaw and to fully explain it.

Note that until his paper none of the major lock manufacturers was seriously
attacking the problem. And that is precisely the same as the Microsoft
issue. Unless and until a serious threat is well known and documented, the
major players won't do anything about it.

KD

Jan 24, 2003, 11:20:41 AM1/24/03
"Robert L. Bass" <rober...@comcast.net> wrote in message
news:4NWcnaCeVtM...@giganews.com...

> > Maybe not all locksmiths knew about it, but the majority of experienced
> > professionals do.
>
> How many have you polled? :^)

Over 20 years actively involved in trade, classes, associations, employers,
employees, etc.; I've talked master keying to quite a few and done plenty.

> > Keep in mind that having a theory and putting it into practice are two
> > different things. To say that a person could make a top level master
> > key in just a few minutes with a few key blanks is ridiculous.
>
> Hmm. Sort of like saying that an end user can be taught to install and
> program a P9600, huh? And yet... I do it every day.

I don't know what that is, so you're probably right.

> > Sorry, but both the Times reporter and Mr. Blaze are
> > sensationalizing. It's not likely to happen out in the
> > world;...
>
> Hmm. He talked to college students who said they were using it to master
> the dorm keys. I guess maybe it is likely to happen. The only question is
> when will it result in a major loss -- say an unauthorized access to a
> chemical or bio research storage room? Obviously, if a bunch of college
> kids already knew about it, serious bad guys must also know.

I didn't say it couldn't be done, but access to a number of keys and locks
would be necessary. A college student having a number of dorm rooms or even
a dorm building for experimenting is very different from someone getting
access to a public or private office building. Government agencies and
other "high-risk" ventures have standards that use high security locks /
restricted keys and electronics. And of course alarms, cctv, security
guards.

> So, if college kids and most locksmiths knew, who didn't know? Facilities
> security managers -- the people responsible for deciding what kind of
> physical and electronic security systems will be implemented -- apparently
> did not know. Tic, tic, tic...

It may not always be impressed enough to end-users, but as he said in the
article: convenience not security.
There are also a number of methods to master key a lock.

> > too much of a task and too time consuming...
>
> Not according to the story I read. Apparently, someone with the right
> knowledge can do it fairly easily with ordinary hand tools and a few key
> blanks. This may not directly impact the average home owner, but it sure as
> heck has the potential to impact society at large if the manufacturers are
> not forced by public pressure to do something about it.

I've read the paper with the theory and formula. There are too many
variables and circumstances that are taken into account. It's a lab
experiment, not real world.
It can be proved mathematically. Physically doing it is another matter.
An example: A 6 pin tumbler lock in a large master key system with a change
in every pin chamber. There are 64 possible keys that fit it. You may be
able to make a key that fits that lock and a few others, but moving from
lock to lock, room to room, and hallway to hallway... How much work will it
take before you hit on the master? And how will you know it's a top level
master until you try it in all the locks? See my point?

> > And, no offense to Mr. Blaze, but the article makes him look kind of
> > foolish. Quote: Mr. Blaze said, "several of the people I've described this
> > to over the past few months brightened up and said they had come on part of
> > this to make a master key to their college dorm." Is it a surprise that it
> > was leaked onto the internet?
> > My opinion.
>
> Actually, Blaze stated that the technique was already known before he
> experimented with it. He didn't discover the method. He just analyzed it
> and came up with a mathematical model of the process. His was also not the
> first paper on the subject. It *was* the first to thoroughly examine the
> flaw and to fully explain it.

True.

> Note that until his paper none of the major lock manufacturers was seriously
> attacking the problem. And that is precisely the same as the Microsoft
> issue. Unless and until a serious threat is well known and documented, the
> major players won't do anything about it.

I don't believe there is a serious threat and that the lock manufacturers
have a problem to attack. Lock manufacturers sell locks that can be picked
easily too; have been for years and years and will continue to. Many also
offer high security locks.

Well, we'll see.
Some people think it won't be that long before it's all electronic /
biometric. What do you think?
Have a good one.

Coherers

Jan 24, 2003, 1:05:52 PM
> I've read the paper with the theory and formula. There are too many
> variables and circumstances that are taken into account. It's a lab
> experiment, not real world.
> It can be proved mathematically. Physically doing it is another matter.
> An example: A 6 pin tumbler lock in a large master key system with a change
> in every pin chamber. There are 64 possible keys that fit it. You may be
> able to make a key that fits that lock and a few others, but moving from
> lock to lock, room to room, and hallway to hallway... How much work will it
> take before you hit on the master? And how will you know it's a top level
> master until you try it in all the locks? See my point?

KD,

Interesting point about systems where there are multiple levels of
mastering. You are right - you couldn't determine the top-level master
except by a lot of trial and error. His paper doesn't cover that.

However, where there is only one level of mastering I think this is more
than a lab experiment. The author claims in his article in the NYT that "he
gave instructions and materials to a 15-year-old in his South Dakota town to
try out. The teenager successfully made a master key." I see no reason to
doubt it. Even with multiple levels of mastering, the method will give you a
"master" to all the locks at the same level as the change in your
possession.
You only need access to one lock and a number of blanks equal to the number
of pins in the lock plus one. Finding out the bitting heights is the only
thing you need specialised knowledge for, although as the author says, there
are ways to find that out if you don't know already.

The computer security industry reckons that attacks from insiders are almost
as big a risk as from outsiders. In light of this, and thinking about secure
locations I have worked at, I **know** that I could have done what was
needed if so inclined. All you need to have is half a dozen "work in
progress" keys on a key ring. Nobody would think twice if they saw an
employee trying to open a door to a room that he has access to with the
"wrong" key. The attacker can then cut the position on the keys that don't
work at home at his leisure and repeat the process next day - he would have
the master in a week or two.

I agree with you about this not being such a big secret. When you think
about it, it is obvious really. I worked out the detail from just the NYT
article in all of ten seconds, and I'd be surprised if smart and experienced
locksmiths don't work it out from scratch in their first few years in the
trade. I am just amazed that guys like Marc Weber Tobias didn't know about
it though. I have his book on the shelf, but I'll be a little less
respectful to it in future!

Coherers

"KD" <KD_locksmit...@hotmail.com> wrote in message
news:3e316...@corp.newsgroups.com...
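KD's "64 possible keys" figure and Coherers' remarks about multiple levels of mastering and keys that "fit that lock and a few others" are all instances of one count: how many distinct bittings a master-keyed pin tumbler lock will accept. The model below is an added example written for this page, not code from the thread or from Blaze's paper. It assumes an idealised pin tumbler lock in which every distinct cut depth seen in a chamber becomes a shear line for that chamber (one master wafer per extra depth), with no manufacturing tolerance and no maximum-adjacent-cut rules; the bittings, door names and the sub-master key are constructed for illustration. It goes slightly beyond KD's single case: it also counts a three-level lock and measures how many doors a given bitting operates across a small system.

```python
from itertools import product
from math import prod

# Constructed bittings (cut depth per chamber). Hypothetical values chosen only
# to illustrate the counting; they are not taken from any real key system.
MASTER = (3, 5, 1, 4, 2, 6)
CHANGE_KEYS = {
    "101": (5, 1, 3, 2, 6, 4),   # differs from MASTER in every chamber
    "102": (1, 3, 5, 6, 4, 2),
    "103": (5, 2, 4, 1, 5, 3),   # shares the chamber-0 cut with door 101
}


def lock_chambers(authorized_keys):
    """Per chamber, the set of depths the lock must shear at so that every
    key in `authorized_keys` operates it (one master wafer per extra depth)."""
    n = len(authorized_keys[0])
    if any(len(k) != n for k in authorized_keys):
        raise ValueError("all keys in a system must have the same number of cuts")
    return tuple(frozenset(k[i] for k in authorized_keys) for i in range(n))


def opens(chambers, key):
    """A bitting operates the lock when each cut sits on a shear line of its chamber."""
    return len(key) == len(chambers) and all(c in ch for c, ch in zip(key, chambers))


def accepted_key_count(chambers):
    """Distinct bittings the lock accepts: product over chambers of the number
    of shear lines in that chamber (1 for a lock that is not mastered)."""
    return prod(len(ch) for ch in chambers)


def phantom_keys(chambers, authorized_keys):
    """Bittings the lock accepts that were never issued to anyone."""
    issued = set(authorized_keys)
    return [k for k in product(*(sorted(ch) for ch in chambers)) if k not in issued]


def build_system(master, change_keys):
    """One lock per door, each pinned for its own change key plus the master."""
    return {door: lock_chambers([master, change]) for door, change in change_keys.items()}


def cross_key_exposure(system, key):
    """How many doors in `system` (door -> chambers) a given bitting operates."""
    return sum(1 for ch in system.values() if opens(ch, key))


SYSTEM = build_system(MASTER, CHANGE_KEYS)

# A third level: a sub-master that departs from MASTER in three chambers, and a
# change key that departs from both in the last chamber. That chamber then has
# three shear lines, so the accepted-key count grows beyond 2**6.
SUB_MASTER = (3, 5, 1, 7, 3, 1)
THREE_LEVEL = lock_chambers([MASTER, SUB_MASTER, (5, 1, 3, 7, 3, 2)])


if __name__ == "__main__":
    for door, chambers in SYSTEM.items():
        issued = [MASTER, CHANGE_KEYS[door]]
        print(door, "accepts", accepted_key_count(chambers), "bittings,",
              len(phantom_keys(chambers, issued)), "of them never issued")
    print("non-mastered 101 accepts",
          accepted_key_count(lock_chambers([CHANGE_KEYS["101"]])))
    print("three-level lock accepts", accepted_key_count(THREE_LEVEL))
    for label, key in [("master", MASTER), ("change 101", CHANGE_KEYS["101"]),
                       ("phantom", (5, 5, 1, 4, 2, 6))]:
        print(label, "opens", cross_key_exposure(SYSTEM, key), "of", len(SYSTEM), "doors")
```

Read as a risk figure rather than a recipe: a door pinned for two keys that differ in all six chambers accepts 64 bittings, of which only two were ever issued, whereas the same cylinder keyed to one key accepts one. Adding a level of mastering that introduces a third depth in a chamber raises the count again, and a bitting that mixes master and change cuts can operate more than one door wherever two change keys happen to share a cut. Those are the numbers a facility manager would weigh against the convenience of a mastered system.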

KD

Jan 24, 2003, 2:24:01 PM
You're right.
But, in his paper, he states that it was tested on medium and large scale
installations and the systems were all "total position progression" systems.
Besides this not making sense to me, he admits that other common master
keying methods and techniques were not tested. I'm not sure what the actual
input the experts contributed either.
I just don't like the slant that was put on this - with one key from a
system, anyone can make a top level master key in a few minutes with a file
and a small number of blanks. I agree that it can be done - given enough
time, opportunity, and motivation, but don't feel it's the high risk that it
was made out to be.
I guess I need to get Marc's book. Or, should I wait for the revised
edition? :)

"Coherers" <nos...@deathtoallspammers.com> wrote in message
news:4gfY9.3243$TO.21...@news-text.cableinet.net...
> KD,

Robert L. Bass

Jan 24, 2003, 4:14:01 PM

"KD" <KD_locksmit...@hotmail.com> wrote in message
news:3e316...@corp.newsgroups.com...
> "Robert L. Bass" <rober...@comcast.net> wrote in message
> news:4NWcnaCeVtM...@giganews.com...
> > > Maybe not all locksmiths knew about it, but the majority of experienced
> > > professionals do.
> >
> > How many have you polled? :^)
>
> Over 20 years actively involved in trade, classes, associations, employers,
> employees, etc.; I've talked master keying to quite a few and done plenty.

That wasn't the question. How many locksmiths have you polled to determine
whether they were aware of this specific problem?

> > > Sorry, but both the Times reporter and Mr. Blaze are
> > > sensationalizing. It's not likely to happen out in the
> > > world;...
> >
> > Hmm. He talked to college students who said they were using it to master
> > the dorm keys. I guess maybe it is likely to happen. The only question is
> > when will it result in a major loss -- say an unauthorized access to a
> > chemical or bio research storage room? Obviously, if a bunch of college
> > kids already knew about it, serious bad guys must also know.
>
> I didn't say it couldn't be done, but access to a number of keys and locks
> would be necessary.

And yet some college students had already been doing it. The point Mr Blaze
made was that it can be done and it's not that difficult. Therefore, lock
makers ought to be doing something about it. Since you say you've been
aware of this for 20 years yet the problem remains, I'd say it's high time
someone exposed the problem to public scrutiny.

> A college student having a number of dorm rooms or even
> a dorm building for experimenting is very different from someone getting
> access to a public or private office building.

How about two or three dishonest employees working in concert at... say, the
Chase Manhattan Bank data center? Or do you not believe that could ever
happen? What about a sleeper cell with members working at ummm, Millstone II?

BTW, I used to monitor the cooling towers. They installed their own alarms
and just wanted another backup. Since one of the upper echelon engineers
happened to be a client I got the job. Even though I didn't get to visit
the plant it was a nice feather in the cap for us. Then again, even though
we would have passed, no one *ever* checked our credentials.

> Government agencies and other "high-risk" ventures have
> standards that use high security locks / restricted keys and
> electronics...

I've been in some of those facilities, including military complexes. At one
place in southern NJ there were ordinary passage locksets on the doors --
not even Schlage or Medeco, but cheap-o Kwikset!!!

> And of course alarms, cctv, security guards.

Security guards are nice if they're (1) awake; (2) sober and (3) honest.
Most are, but it only takes one bad apple and you have a problem.

But all of that is beside the point. If the security protocol for a given
site requires locks on the doors which are accessible only to persons with
specific keys, then the system ought to be secure enough that a couple of
people with more free time than ethics can't easily circumvent it. If it is
not then somebody ought to say something. Blaze did exactly that.

> > So, if college kids and most locksmiths knew, who didn't know? Facilities
> > security managers -- the people responsible for deciding what kind of
> > physical and electronic security systems will be implemented -- apparently
> > did not know. Tic, tic, tic...
>
> It may not always be impressed enough to end-users, but
> as he said in the article: convenience not security. There
> are also a number of methods to master key a lock.

The problem is that this is a significant security hole and most end users
were NOT being told about it at all. Bad guys already knew it. College
kids knew it. It's been on the Internet long before Blaze did a more
complete exposition of the problem.

> > > too much of a task and too time consuming...
> >
> > Not according to the story I read. Apparently, someone with the right
> > knowledge can do it fairly easily with ordinary hand tools and a few key
> > blanks. This may not directly impact the average home owner, but it sure
> > as heck has the potential to impact society at large if the manufacturers
> > are not forced by public pressure to do something about it.
>
> I've read the paper with the theory and formula. There are
> too many variables and circumstances that are taken into
> account. It's a lab experiment, not real world.

If that is true, then how is it a bunch of non-professionals (college kids)
were able to do it?

> It can be proved mathematically. Physically doing it is
> another matter. An example: A 6 pin tumbler lock in
> a large master key system with a change in every pin
> chamber. There are 64 possible keys that fit it. You may
> be able to make a key that fits that lock and a few others,
> but moving from lock to lock, room to room, and hallway
> to hallway... How much work will it take before you hit
> on the master? And how will you know it's a top level
> master until you try it in all the locks? See my point?

Yes, clearly. Do you recall the first attack on the World Trade Center?
That one was largely a failure for the terrorists. I happen to know a
little about the investigation that went on because, entirely by accident, I
had dealings with one of the ATF agents who was investigating some
explosions in eastern Connecticut forests years before. The terrorists
planned and practiced for the first try for *years* before they actually
drove a van full of explosives into the WTC parking garage. That one
failed.

They planned the next try for about a decade. How many security loopholes
did they actually need to exploit for September 11? There was the lack of
coordination between various federal and state agencies. That was the first
problem. There was the failure to investigate suspicious flight students.
There was the lack of adequate screening in Logan Airport. There were lots
of other security holes -- some minor and some major. The terrorists knew
all about them. Most of us didn't. Most Americans had no idea that someone
could get on an airplane carrying a razor knife (box cutter).

Each of those holes formed a link in a chain. If anyone had done something
to close even one of them it is possible that September 11th would have been
an ordinary day like any other. Three thousand Americans would not have
died.

But everyone at every step of the way said essentially the same thing or at
least acted as though they thought the same thing. "It's OK. There are
lots of checks and balances. We're safe. Nothing can harm us here on
American soil."

I'm not trying to say that this particular problem is going to be the cause
of the next terrorist attack. It's just that we need to stop ignoring these
things. Pretending that if we say nothing the bad guys won't find out will
surely pave the way for worse things to happen.

> I don't believe there is a serious threat and that the lock manufacturers
> have a problem to attack.

Tic, tic, tic.

> Lock manufacturers sell locks that can be picked easily too;
> have been for years and years and will continue to. Many also
> offer high security locks.

Yup. Medeco makes cylinders that are almost impossible to pick. But if
they're part of a mastering system and the wrong person gets two or more
keys, the whole system may be exposed. I am well aware that Medeco doesn't
offer blanks of their highest security locks. But a determined fellow with
a decent milling machine can make them up by the hundreds. I know. I've
worked in a pattern shop where pattern makers would replicate three
dimensional shapes out of everything from polyethylene to brass.

> Well, we'll see.

Hopefully we won't need another horrific eye opener to do so.

> Some people think it won't be that long before it's all electronic /
> biometric. What do you think?

That will help but it's not likely to be widely implemented for several
decades. At present biometrics are way too costly for the average facility.
Meanwhile most are at risk.

> Have a good one.

You too. It's always a pleasure airing these subjects.

RABSparks

Jan 24, 2003, 5:33:23 PM
Having been in the high end of the security business for decades and still
involved, I found the commentary on the master lock keying system interesting.
My expertise is in IDS, access control, and contraband detection (weapons,
explosives), and not master key systems.

Each site that I have been involved with goes through a threat definition phase
before the first security drawing is started. This phase defines the threat as
we can best determine it to be. If the threat to a nuclear power facility at
one time was a small, armed group then the security/access control system is
designed and implemented to counter that specific threat. If, however the
threat is by a well armed, paramilitary group, then the security system and
ancillary procedures have to be reoriented to deal with that specific threat.

In many critical areas, the user agency calls for "two man rule" in which no
area can be occupied by a single individual. And the access control system is
designed to accomplish that objective. So you say, what about three people, or
four. And if not four, then five, or six? Well somewhere your threat analysis
has to kick in and provide a guideline. If we do the right background checks,
polygraph when need be, and re-check every "x" years, is that sufficient? And
if not, then do we need to be sure that all vital areas are protected such that
it takes five people to be in the area all of the time? And what happens when
no one is in the area and someone needs to reach that emergency valve or
switch? So you're always doing tradeoffs, so that too much security doesn't
compromise emergency operations and emergency ops don't compromise your overall
security.

Vital areas are in a constant state of "secure" such that opening the door in
itself sets off the alarms (plural because all alarms are annunciated in two
places) and forces a guard response.

Critical sites have routine "black hat" exercises where conversations in the
security control centers are recorded as well as those taking place on two way
radios. Often CCTV is used to visually observe the security force's reaction.
These exercises are important because no matter how well one designs the
security system, there is always the lax guard or guards, or other human foible
that can lead to a disaster.

In the early 70's I was involved in the anti-skyjacking efforts. We knew when
we got "done" that the weapon detectors weren't going to alarm on a lot of
things. We also saw that during tests, the nearest men's room trash can would
be the container for a lot of stuff that would have gotten through the weapon
detector. Was the system foolproof? No, it wasn't. But the threat had been
defined as a single skyjacker armed with a handgun. And that's what the FAA
defended against. And they defended against it successfully until 911 changed
the rules.

In retrospect, a group of passengers working together could have stopped 4 men
"armed" with box openers from doing the damage they ultimately perpetrated.
Likewise a single armed sky marshal could have done the same thing. No one saw
it coming and because of that the system wasn't geared to dealing with the
revamped threat.

If there was a substantial failure, it was becoming complacent about how good
our security was without spending the time and money to brainstorm other threat
scenarios. What we had was a stagnant defense unable to deal with a changing
threat. And for that a lot of people/agencies bear responsibility.

Hopefully if we learned one thing it was that our existing security systems and
procedures need more "black hat" exercises performed by outside organizations
who don't "know the rules" and are free to approach the exercise any way they'd
like. I don't see that type of group in the new Homeland Security
Department--yet. Maybe it will evolve with the new department now that it's
official.

Insofar as what we, the public, need to know.... we don't need to know the
shortcomings of every IDS sensor, access control device, lock, weapon or
explosive detector. Suffice to say that I am not aware of any of the
aforementioned equipment/systems that don't have any shortcomings. What we need
are good people who work for the government and who are aware of the shortfalls
and are capable of designing systems that use multiple sensor phenomenologies
(two different sensor types in the same area) such that one complements the
other.

It's not fun to play "catch up" after a disaster occurs. And it's hard to find
the time to brainstorm "black hat" exercises without an on-going awareness that
someone out there is doing it for real.

Regards,
rick

Coherers

Jan 24, 2003, 6:53:24 PM
I was not familiar with the TPP term either. As far as I am concerned all he
means by it is that the bittings of change differ from those of the master
in all positions. I don't think the experts contributed anything. All he is
showing here is a vulnerability in a particular group of systems, and he
says as much. Which is fine as long as the reader takes it with his
provisos. Unfortunately, a casual reader of the NYT doesn't get them. Also,
as a paper published by a scientist, he ought to tell us the "sample size" -
i.e. the number of sites the technique was used at. We know it is at least
four.

I know where you are coming from on the actual risk. There is a tendency to
fail to distinguish between what is theoretical, what is possible, what is
reasonably practical and what is likely. And everywhere in between.
There are many insecure locks in use which can be raked quite easily, but
generally when a property so protected is compromised, it is by other means.
Risk assessment is about probabilities. There are loads of scare stories in
the computing world about "vulnerabilities" that are very unlikely to be
exploited, and if they were would have marginal impact, and this is Blaze's
background.

And, I wonder how many genuinely high security installations use master
systems anyway. They are widely considered as less secure than their direct
equivalent, non-mastered, lock. In lower security environments, the
risk/operational benefit/cost equation favours their use currently. Question
is, does this really change that balance significantly?

Locks, Safes and Security is fairly basic stuff, but good nonetheless. By
the sound of the author's comments, I'd wait for the next edition. Although,
given the long interval between the first two editions (29 years), you
might have a long wait!

Coherers

"KD" <KD_locksmit...@hotmail.com> wrote in message
news:3e319...@corp.newsgroups.com...

Robert L. Bass

Jan 24, 2003, 6:56:02 PM
Thanks for the well thought contribution, Rick. I'll snip most and comment
on a few items.

RABSparks wrote:
>
> In retrospect, a group of passengers working together could have
> stopped 4 men "armed" with box openers from doing the damage
> they ultimately perpetrated. Likewise a single armed sky marshal
> could have done the same thing. No one saw it coming and
> because of that the system wasn't geared to dealing with the
> revamped threat.

The truth is that a number of people did see it coming and even tried to
warn us. Agents questioned the strange behavior of certain flight students.
FAA personnel asked that things be checked out. Police and FBI agents knew
from the earlier attack and more recent events that there was a very real
threat on the horizon. But everyone assumed that someone else was watching
the store. In the end, no one was watching.

> If there was a substantial failure, it was becoming complacent
> about how good our security was without spending the time and
> money to brainstorm other threat scenarios...

Scientists like Blaze do just that sort of thing every day. His job
involves discovering threats (security holes really) and finding ways to
patch them. The master key situation is not central to his area of
expertise. But it is parallel and close enough that he thought it merited
some attention.

> What we had was a stagnant defense unable to deal with a
> changing threat. And for that a lot of people/agencies bear
> responsibility.

Interestingly, the only reason the attack wasn't significantly worse -- a
strike at either the White House perhaps -- was that a group of ordinary
citizens were alerted to the precise nature of the threat and heroically
stopped the terrorists on the fourth airplane.

> Hopefully if we learned one thing it was that our existing security
> systems and procedures need more "black hat" exercises performed
> by outside organizations who don't "know the rules" and are free to
> approach the exercise anyway they'd like. I don't see that type of
> group in the new Homeland Security Department--yet. Maybe it will
> evolve with the new department now that it's official.

Don't hold your breath. The new department will likely need years just to
get the subordinate agencies talking to each other. Mega-bureaucracies
don't perform well in situations that demand speed and flexibility to
respond to rapidly changing threats.

> Insofar as what we, the public, need to know.... we don't need to
> know the shortcomings of every IDS sensor, access control device,
> lock, weapon or explosive detector...

Those of us who depend upon these systems most certainly do need to know
both their strengths and weaknesses. Make no mistake about it. If the
helmsman on the Titanic knew how susceptible the hull was he would have been
going much slower. No one thought he needed to know. In fact, it is
unlikely that the captain knew of the weakness. It is almost certain that
none of the passengers knew of the threat... until they heard the hull being
ripped open.

> Suffice to say that I am not aware of any of the aforementioned
> equipment/systems that don't have any shortcomings. What we
> need are good people who work for the government and who
> are aware of the shortfalls and are capable of designing systems
> that use multiple sensor phenomenologies (two different sensor
> types in the same area) such that one complements the other.

Thanks, but I'll take my chances with the public knowing more so the
government bureaucrats can't just sit on their derrieres until the next
attack. Having dealt with government agencies over the years, I know better
than to believe they'll take care of everything for me.

Imagine if a qualified pilot had been one of the passengers that stormed the
cockpit of the fourth airplane. While you're thinking about it, suppose the
full extent of the threat had been public knowledge before September 11.
There probably would have been a few dead passengers. There definitely
would have been 19 terrorists beaten to death on the floor as all the planes
made their way to the nearest airports to land briefly and throw out the
garbage.

> It's not fun to play "catch up" after a disaster occurs. And it's hard
> to find the time to brainstorm "black hat" exercises without an
> on-going awareness that someone out there is doing it for real.

Until the government is able to completely guarantee my personal safety and
that of my family, I prefer to know what threats exist and where the
weaknesses are. I don't like guns but I'd be delighted to join in with
another 200 passengers and kick the living crap out of the next group of
crazies.

BTW, I happened to witness an "incident" aboard an airliner where passengers
took matters into their own hands. I was on a flight leg from Chicago to
Las Vegas a few years ago, heading out to CES. There was a group of six
drunken passengers from Australia on the plane. One of them decided to
smoke a cigarette in the bathroom. The flight attendant noticed the odor of
smoke and confronted the guy when he emerged.

The passenger got rude with her and when she threatened to notify the pilot
he roughly pushed past her, forcing her to fall into a seat. I saw this (as
did everyone else in the vicinity). Now I'm not inclined to fight but I
won't allow someone to knock a woman down without getting involved. I
started to get out of my seat, intending to do something about it and
thinking "this is probably a mistake."

As I arose from my chair, an entire group of husky looking characters seated
behind me also rose up. Several of them grabbed the guy and physically
moved him to his seat. One fellow told him if he got up again he'd kick his
@$$. It turned out that the rows behind mine were mostly members of a
hockey team.

When we got to McCarran Airport the idiot was arrested. Several of his
friends got loud with the airport police and they were also given free
accommodations, courtesy of the state of Nevada.

That's what I call a good use of public pressure to restore order. :^)

Coherers

Jan 24, 2003, 7:46:48 PM
Rick,
Question.

To your knowledge, do the genuinely high security sites like you describe
use mastered lock systems at all? Given the inherent vulnerabilities already
known, I'd have thought they tend to steer clear of them altogether.


Coherers.

----- Original Message -----
From: "RABSparks" <rabs...@aol.comnospam>
Newsgroups: alt.security.alarms
Sent: Friday, January 24, 2003 10:33 PM
Subject: Re: News Story About Lock Vulnerability: NY Times, LONG


> Having been in the high end of the security business for decades and still
> involved, I found the commentary on the master lock keying system
interesting.
> My expertise is in IDS, access control, and contraband detection (weapons,
> explosives), and not master key systems.
>

<SNIP>


KD

Jan 25, 2003, 9:49:51 AM
You raised some interesting points and I appreciate what you said. But,
your opinions on the so-called "problem" are based on the fact that you
believe what you read.
We're talking about the properties that are inherent to a master key system.
When locksmiths learn to master key, they learn these properties.
It's much more difficult than the NY Times and Mr. Blaze exclaimed. Both
slanted toward what they wanted to achieve. Every security device has its
vulnerabilities, so they all have "problems".
College students in a co-operative environment is not the real world.
I believe just about anything can happen, but, I don't worry about getting
hit by lightning every time I go out in a thunder storm.
I hope someone was minding the store in those military facilities that had
only Kwikset passage sets. The right security measures should be installed
for the application.
My position is that it's not a significant security threat or the problem
that it was made out to be.

"Robert L. Bass" <rober...@comcast.net> wrote in message
news:WqednX3jEv4...@giganews.com...

Robert L. Bass

Jan 25, 2003, 11:00:49 AM
KD wrote:
>
> You raised some interesting points and I appreciate what
> you said. But, your opinions on the so-called "problem"
> are based on the fact that you believe what you read.

Well, yes. But I also know that the author is one of the top security
scientists in the world. I give him a tad more credence than someone else
of unknown credentials.

> We're talking about the properties that are inherent to a
> master key system. When locksmiths learn to master key,
> they learn these properties. It's much more difficult than
> the NY Times and Mr. Blaze exclaimed...

That is a factor of who is doing the hacking. By way of comparison, there
are some professional, paid installers in the alarm industry who have a hard
time understanding some of the systems my DIY'rs install. Some DIY'rs catch
on in a flash. Others require a lot of hand holding. However, all
eventually complete the task.

With locks it's the same thing. I know installers who can't pick a panel
lock. I can pick most locks in a minute or two. There are locksmiths who
can accomplish the same in a tenth the time it takes me. Either way the
lock will open. It's only a matter of time.

> Both slanted toward what they wanted to achieve...

I know a few people who believe the NYT is distorted. I even know some
folks who only believe "news" that comes from Pat Robertson. Most of the
educated people I know believe the Times is a reliable paper. For some
reason more of the former group than the latter worry about black
helicopters, media conspiracies, etc.

> Every security device has its vulnerabilities, so they all have
> "problems".

Interestingly, this one has generated a lot of very angry comments from
folks who on the one hand claim it is insignificant while on the other claim
that by telling the story we are exposing ourselves to attack. It kind of
makes one wonder who is not being forthright.

> College students in a co-operative environment is not the real
> world...

Really? Oh, OK. I guess if only a bunch of college kids figured out how to
defeat master lock systems then we have nothing to worry about. After all,
no crooks or terrorists ever went to college and none of them ever work in
concert. My mistake. What was I thinking? :^)

> I believe just about anything can happen, but, I don't worry
> about getting hit by lightning every time I go out in a thunder
> storm.

Same here, but I also don't walk around carrying an aluminum ladder during a
thunderstorm. If I see a storm coming, I also close the windows rather than
say it's not likely to rain.

> I hope someone was minding the store in those military facilities
> that had only Kwikset passage sets. The right security measures
> should be installed for the application. My position is that it's not
> a significant security threat or the problem that it was made out to
> be.

I guess that depends on what is behind the door.

KD
Jan 25, 2003, 12:28:14 PM
Just a few comments and points I'd like to express, then I'll let this go.
Blaze is a computer security expert, not a lock expert or locksmith. How
exactly did it get leaked onto the internet? :^)
The college students had to have had access to more than one key and lock
with the co-operation of their fellow dormmates. I can't see this happening
in a public or private office building or facility without raising
suspicions. The idea that a person could walk in off the street, borrow
a key to the restroom, and produce a top level master key is ridiculous.
Would you say that panel locks are easily picked and therefore a serious
security threat?
You should write for the Times. :)

"Robert L. Bass" <rober...@comcast.net> wrote in message
news:8WqdnWqQ8IY...@giganews.com...

RABSparks
Jan 25, 2003, 12:47:54 PM
High security sites do use a mechanical key system in addition to the card
access system. But employees do not have key access since they have their
access cards. Keys therefore are more highly regulated. And, if you were to use
a key, the IDS (balanced mag switch) on the door would alarm precipitating an
immediate (and fast) alarm response to that area. The sites that I have been
involved with have better locking systems, i.e., Medeco, making key duplication a
bit harder.

Finally everyone is screened before gaining access to the site in the first
place. This doesn't totally preclude the possibility of a gun or explosives
coming on to the site, but it significantly reduces the probability that
someone will be able to smuggle contraband in.

rick

Robert L. Bass
Jan 25, 2003, 1:24:00 PM
> Blaze is a computer security expert, not a lock expert
> or locksmith. How exactly did it get leaked onto the
> internet? :^)

Blaze is, among other things, a systems analyst. He applies the same kind
of mathematical logic to physical systems as he does to computer software
systems. I'm not sure what you mean by the question above. How did what
get leaked? Blaze didn't "leak" anything onto the Internet. He published a
paper on master key systems and a serious security problem. The term "leak"
implies something nefarious or sneaky. Blaze was entirely up front about it.
The hacking technique itself has been known for some time and has been
discussed in USENET and other online media. What Blaze did was analyze the
problem and explain it in detail so that it can be understood and properly
dealt with.

> The college students had to have had access to more than
> one key and lock with the co-operation of their fellow
> dormmates. I can't see this happening in a public or private
> office building or facility without raising suspicions...

You're kidding yourself. You can't imagine a scenario where two or more
people in a public or private office building would work in concert to
cheat, steal or spy on secure resources??? Perhaps it will never happen at
Pollyanna Enterprises. :^)

> The idea that at a person could walk in off the street, borrow
> a key to the restroom, and produce a top level master key is
> ridiculous.

Until it happens. Right up to September 10th, 2001, the idea that someone
with a box cutter could bring down the Trade Center and kill 3,000 people
also seemed "ridiculous."

Suppose an employee has a key to his office and his wife works down the
hall. Each has a separate key which lets him into the building and his/her
own office but not the other's office. How hard would it be for one to
borrow or copy the other's key, even without their knowledge?

Here's another way. Although men usually keep their keys in a front pocket,
women leave them in their pocketbooks. A mail clerk going from office to
office all day long might enter unoccupied spaces frequently. How many
women leave their purse on or next to the desk while they run across the
hall to another office? There are countless ways that a dishonest person
could access a few keys within a mastered system. Once he has an impression
of a few he's home free.

> Would you say that panel locks are easily picked and therefore
> a serious security threat?

Not exactly. I would say that panel locks are easily picked and therefore
should not be relied upon to protect anything. The control panel in a high
security facility should be self-protected (within the area of coverage)
and/or under constant observation. In a residence I usually suggest placing
the panel in an obscure but protected place. How many systems have we all
come across where the panel is inside the front hall closet along with the
siren and the keypad is on the opposite side of the closet wall?

> You should write for the Times. :)

Naah. I prefer ASA.

Robert L. Bass
Jan 25, 2003, 1:36:58 PM
All true. And yet...

We occasionally read about one or another trusted government or military
person who has been spying for years before being caught. Needless to say,
these folks were usually very well screened. No matter how tightly
controlled your key distribution system is, keys *are* in the hands of
people. If one or more of those people are dishonest you have a small
problem. If by working in concert they can gain access to areas beyond
their authority you have a recipe for disaster.

Even though you describe extremely tight security which is in place at some
facilities, the vast majority of sites are not so highly protected. Many
airports use master key systems to allow access to baggage handling areas,
ramps (airplane parking spaces), even security offices. At some class "C"
airports the tower itself is accessed with a key. I've been inside some of
these facilities so I know. An ex-ATC with a gun could enter, disable the
few tower staff and wreak havoc.

The list of places that use master keyed locks without other security layers
is endless. Most are only protecting financial assets. Some protect access
to things that could be used with deadly consequences. Most of the
operators of those facilities have no idea that these systems are so weak.
What Blaze did was make the problem public. At least that puts the good
guys on a level playing field with the bums. Since the hole is already
known and can be exploited, I think public notice is a good thing.

Regards,
Robert L Bass

=============================>
Bass Home Electronics
ASA Approved Vendor
http://www.Bass-Home.com
2291 Pine View Cir
Sarasota, FL 34231
877-722-8900 Sales & Support
941-925-9747 Fax
rober...@comcast.net
=============================>

RABSparks wrote:
>
> High security sites do use a mechanical key system in
> addition to the card access system. But employees do
> not have key access since they have their access cards.
> Keys therefore are more highly regulated...

RABSparks
Jan 25, 2003, 1:46:16 PM
As threat vulnerabilities are revamped and redefined, I think you'll see more
electronic access control and fewer master-keyed systems. I don't have a
comment on the Blaze issue in particular. However I strongly believe that
vulnerabilities should not be in the public domain, limited to those with
proper clearance and a "need to know".

In my experience, when it comes to IDS/access control vulnerabilities, those
that had a valid need to know, knew. And no, an alarm company engaged in
providing general commercial and residential systems doesn't need to know the
vulnerabilities because the threat that most of these sites are facing is not
the same level of threat (and expertise) faced by high security sites.

Several years ago, Sandia National Laboratories published two books. One was on
access control and locks, the second on IDS. Compiled in these handbooks was a
tremendous amount of useable information including system shortcomings. The
Sandia manuals became more tightly controlled after one turned up in a Federal
Bureau of Prisons facility.

rick

JtSfR
Jan 25, 2003, 1:53:21 PM
KD, arguing with bAss about the keys is fruitless. bAss routinely posted
defeats and access codes to alarm systems on this NG, offers to download
any panel and because he posted the key story it has now become sacrosanct
(in his opinion).

KD
Jan 25, 2003, 3:37:39 PM
The NY Times article says:
"In this case, the information appears to have made its way already to the
computer underground. The AT&T alert to law enforcement officials said that
a prepublication version of the paper distributed privately by Mr. Blaze for
review last fall had been leaked onto the Internet, though it has not been
widely circulated."

In fact, Mr. Blaze posted it on his website. Even though he had no external
links to it at the time, how could a computer security expert not expect it
to be found?

You bring up some incredible arguments, but you are sensationalizing and
hypothetical-izing (sic) it the same way the Times reporter and Mr. Blaze
did. I'm not trying to convince you, I can see that wouldn't happen. :) I
do suggest you read the article and his paper again. Do a little more
investigating if you like and try it yourself.

There's also discussion in alt.locksmithing with the arguments going both
ways. Time will tell what the reactions and actions of end-users and
manufacturers will be. Most likely will come down to economics and not much
will happen.

"Robert L. Bass" <rober...@comcast.net> wrote in message
news:h8qcncCS4ov...@giganews.com...

KD
Jan 25, 2003, 3:39:58 PM
No argument. I respect his opinion and his right to express it.
Even though he is WRONG. J/K Robert. I've enjoyed the discussion. :)

"JtSfR" <alar...@Shotmail.com> wrote in message
news:b0umf1$s11$2...@slb6.atl.mindspring.net...

KD
Jan 25, 2003, 3:48:41 PM
Why bring it up if they don't have a problem? As you said, there are checks
and balances in place. This is what I was trying to express to Robert Bass;
in the real world there are circumstances which would make it very difficult
to pull off (that is formulating and creating a master key).

"G. Morgan" <y...@127.0.0.1> wrote in message
news:c9q53vse91r9vo8j7...@4ax.com...
> On Thu, 23 Jan 2003 09:39:55 -0500, "Robert L. Bass"
> <rober...@comcast.net> wrote:
>
> >This article quoted from NYTimes.com
> >Master Key Copying Revealed
> >January 23, 2003
> >By JOHN SCHWARTZ
> >
> >A security researcher has revealed a little-known vulnerability in many
> >locks that lets a person create a copy of the master key for an entire
> >building by starting with any key from that building.
>
> <snip article>
>
> Makes me wonder if I should bring it up to one of our biggest clients
> that uses master keys to about 100 buildings. They issued our company
> several of the keys so we can service the alarms after hours and
> access mechanical and electrical rooms during regular hours. Most
> physical plant employees have a key to their own building, and an alarm
> code. Some have the "e-key" which unlocks 90% of doors, but no alarm
> codes. Our company has no access cards, and we don't handle access
> control for them, Diebold does, and they have no alarm codes. So a
> system of checks and balances is in place. I suppose if we all got
> together and formed a "conspiracy" we could, but since all the
> locksmiths, alarm contractors, and access control contractors are
> separate and background'ed this is not likely to happen.
>
>
> -Graham