`Safe cracking' article and matt Blaze

609 views
Skip to first unread message

the_l...@yahoo.com

unread,
Jan 3, 2005, 12:11:05 PM1/3/05
to
Forwarded from the NYC-LOCKS list:

As many of you know Matt Blaze a professor at Pennsylvania
University has published an article that reveals proprietary
techniques of safe penetration. It was featured on well known
hacker website recently, and it came to our attention on Saturday.
It includes information normally reserved to the trade, for good
reasons that need not be discussed here.

The article is available to the general public without any
restrictions whatsoever. We as professionals in the security
field are outraged and concerned with the damage that the
spread of this sensitive information will cause to security
and to our profession. We know many of you will be too.

There are steps being taken to deal with this through proper
channels, but we need your help and support. We doubt that
his university would appreciate their resources being used for this
kind of activity, but they may not be aware of it or of the negative
impact that his so called work has on our industry. With concern for
homeland security so important, we belive that your voice will be
heard.

The article in question is at [URL]
http://www.crypto.com/papers/safelocks.pdf [/URL].

Attempts to reason with Blaze have been a failure in the
past, he is the same joker who wrote about Master Keyed locks
in the "New York Times" last year.

Blaze's boss is Chairman Fernando Pereira.
Email: PER...@CIS.UPENN.EDU
His boss's boss is Dean Eduardo D. Glandt.
Email: egl...@seas.upenn.edu
The President of the University is Amy Gutman.
Email: pre...@pobox.upenn.edu

These people need to hear from you. Tell them what
you think polietly and firmly in your own words. Explain
that you are a security professional and that your job
is made harder by this sort of thing, and that security
will suffer.

Also, very important. The article has photographs that may
not belong to Blaze because they appear to be commercial.
If anyone has information on the copyrights of any of these photos
please let us know so we can let the copyright holders know how
their property is being used possibly illegally and without their
permission.

Forward this not as you see fit to others in the profession.

Thank you for your Attention.
/////

Forwarded by Ed "Lockie"
NYC Locksmith, Retired

fugi

unread,
Jan 3, 2005, 12:26:51 PM1/3/05
to
the_l...@yahoo.com wrote:
> Forwarded from the NYC-LOCKS list:

that's some good material, and great pictures to accompany it. I
sent a couple emails praising the high quality of his work. thanks
for the link.

--
Anyone who becomes master of a city accustomed to freedom and does
not destroy it may expect to be destroyed by it; for such a city
may always justify rebellion in the name of liberty and its ancient
institutions. -Niccolo Machiavelli

Message has been deleted

'Key

unread,
Jan 3, 2005, 5:50:12 PM1/3/05
to
"fugi" <fu...@ultra.bl.org> wrote in message
news:crbv8r$nva$3...@news.corenap.com...

> the_l...@yahoo.com wrote:
>> Forwarded from the NYC-LOCKS list:
>
> that's some good material, and great pictures to accompany
> it. I
> sent a couple emails praising the high quality of his
> work. thanks
> for the link.
>


surly you're not in the profession !

my2¢
--
"Key"


the_l...@yahoo.com

unread,
Jan 3, 2005, 6:46:09 PM1/3/05
to
The real problem is that people like Blaze are in positions of trust in
society. Then he abuse it by publishing trade secrets in the name
of research.

When they do things like this and get away with it it gives other
peoples like him the idea that this is OK. We have to nip it in the
bud or soon there will be no security left after these intellectuals
get through with us.
Ed "Lockie"
NYC Locksmith, retired
Real World Security Professional

TheT...@gmail.com

unread,
Jan 3, 2005, 9:01:41 PM1/3/05
to
The only thing about the article that could really be called a trade
secret would be the section on manipulation. The only thing that
stopped that so called secret from getting out before was the price tag
on the books that cover it.

'Key

unread,
Jan 4, 2005, 2:31:12 AM1/4/05
to
<TheT...@gmail.com> wrote in message
news:1104804101.3...@z14g2000cwz.googlegroups.com...

and a person with no security ethics named matt :-)

--
"Key"


fugi

unread,
Jan 4, 2005, 2:06:21 PM1/4/05
to

> my2?
> --
> "Key"


the free distribution of knowledge is essential to the development
of the subject. don't think of yourself as a gatekeeper to the
information that nobody but those in your circle have. it'll get
you as far as the Maginot line got the French in WWII. those who
only have a purely defensive stance will always fall to the offensive.

'Key

unread,
Jan 4, 2005, 4:33:29 PM1/4/05
to
"fugi" <fu...@ultra.bl.org> wrote in message
news:crepfd$qlo$2...@news.corenap.com...

> 'Key <K...@ya.net> wrote:
>> "fugi" <fu...@ultra.bl.org> wrote in message
>> news:crbv8r$nva$3...@news.corenap.com...
>> > the_l...@yahoo.com wrote:
>> >> Forwarded from the NYC-LOCKS list:
>> >
>> > that's some good material, and great pictures to
>> > accompany
>> > it. I
>> > sent a couple emails praising the high quality of his
>> > work. thanks
>> > for the link.
>> >
>
>
>> surly you're not in the profession !
>
>> my2?
>> --
>> "Key"
>
>
> the free distribution of knowledge is essential to the
> development
> of the subject. don't think of yourself as a gatekeeper to
> the
> information that nobody but those in your circle have.

just as I thought,
you're definatly not in the physical security profession !

> it'll get you as far as the Maginot line got the French in
> WWII. those who
> only have a purely defensive stance will always fall to
> the offensive.

disagree..
Ethics is a word you should learn a little about.

--
"Key"

fugi

unread,
Jan 4, 2005, 6:03:10 PM1/4/05
to

> --
> "Key"

what do you disagree with, the fact that the french fell to the
germans? or the fact that they fell from fighting a defensive war?

gpulford

unread,
Jan 4, 2005, 6:11:47 PM1/4/05
to
Welcome to the land of the real. What Blaze has written about in his paper
is AFAIK deducible from the locks themselves and therefore cannot be
described as "proprietary information". If there are some parts that are
very sensitive, let's talk about these and how publication of these facts
hurts the lock industry or puts people's security at risk. Most crooks use
rather blunt techniques (angle grinders, drills, torches) to open safes, so
where's the problem?

Hats off to Blaze, it's about time that some serious Comp Sci/algorithmic
work was applied to determine how secure the locks are that most people
take for granted. The lock industry and the public stand to benefit from
this scrutiny of the product range.

G. Pulford


<the_l...@yahoo.com> wrote in message
news:1104772265.5...@c13g2000cwb.googlegroups.com...

Message has been deleted

'Key

unread,
Jan 4, 2005, 8:06:11 PM1/4/05
to
"fugi" <fu...@ultra.bl.org> wrote in message
news:crf7be$2ut$1...@news.corenap.com...

I disagree with


"a purely defensive stance will always fall to the
offensive"

as it applies to the subject.

do try and keep up
--
"Key"


dbs__...@tanj.com

unread,
Jan 4, 2005, 9:30:47 PM1/4/05
to


I think you meant to say:

We have to nip it in the bud or soon there will be no

__APPEARANCE_OF__ security left

This is so silly on so many levels. You sell a product that has known
deficiencies so that you can break in when you need to. Then you act
like it's a big deal when someone talks about it! On top of that you act
like it's a matter of national security when, in fact, it changes nothing.

It does not take a brain surgeon to figure out that anyone can buy a
safe, disassemble it and figure out it's weaknesses. The fact that
every single copy of model X is built the same way is planned insecurity.
Now THAT's a crime. That they are sold as secure when they are not is
a crime.

If you want to get Blaze to protect your job, that's understandable.
To villify him for openly discussing what is known within the industry
to be common shortcomings is shear hypocrisy.

I'm still waiting for SCHLAGE to notify folks that it's recalling their
defective entry locks. Wait, they can't so that without disclosing that
they are insecure, so only the locksmiths and burglers know.

I must be in a foul mood, because I've seen 5 holier-than-thou posts in
the last hour. If anyone should be proescuted for lessening the national
security it's the companies that sell insecure locks and safes without
warning their customers that they are vulnerable.


Sigh

fugi

unread,
Jan 4, 2005, 10:59:20 PM1/4/05
to

many instances in history disprove you. Infact, I'm not aware of
a single event that will go along with your argument. then again
a locksmith is like any other trade, I'll bet you have the education
of a plumber or a construction worker. I guess I shouldn't expect
much. carry on.

do try to keep up.

Glen Cooper

unread,
Jan 5, 2005, 12:36:10 AM1/5/05
to

"--Shiva--" <no...@abuse.net> wrote in message
news:nobmt099q8ljkeg0r...@4ax.com...

> On Tue, 4 Jan 2005 23:11:47 -0000, you wrote:
>
> >The lock industry and the public stand to benefit from
> >this scrutiny of the product range.
> >
> >G. Pulford
> the public, is for the most part, not interested... EXCEPT, how
> many $$$ is it..
> I can sell a KW, or I can sell a good lock, but why BOTHER
> selling the good lock, when you are mounting it on cardboard or
> less...
> its only as good as the weakest link, and at the MOMENT, house
> construction IS the weakest link...
> --Shiva--
>
>

I see nothing good or bad coming out of this matter concerning Matt Blaze.

This is the information age. This info is out there already. He condensed
it into an easier to read format but really nothing said by him is new to
locksmiths or anyone who has bothered to take a safe lock apart to see how
it works. It's no big deal. Safes have been the same for a very long time.
Nothing has really changed in decades. I don't agree with his ethics but
that matter is not important in cyberspace.

To try to restrict this un-patanted info from the public domain is pointless
because the internet and the modern world we live in is alot different than
it was years ago when it was possible to control information like this. The
old timers out there should realise that things once reguarded not too long
ago as close lipped just aren't the same in this land of cyberspace where
the whole world is connected at the touch of a keyboard.

It's pointless to try and control un-patanted secrets anymore. The people
in the security industry need to open their eyes and do a better job at
securing their trade secrets so people like Matt Blaze who have a little
time on their hands don't open up a 40 or 50 year old book on safes, write
a paper, and get us all upset that he's spilling trade secrets. We can do
this by advancing cheap security items like the standard pin cylinder locks
to use as an example into the 21st century and quit relying on the same
system that has been around since Yale invented the thing over a hundred
years ago. I think the Europeons are ahead of the US concerning this
example because they use mostly lever locks which are more difficult to pick
and dont cost an arm and a leg for the old lady on SSI.

As far as the cheap Kwikset lock compared to the high dollar Medeco
comparision goes, that Kwikset can be improved to the point where it would
be almost impossible to pick at an extra production cost of less than one
dollar a lock which could easily be passed on to the customer. Remember a
size 14 boot will kick in a door no matter what lock it has on it if the
door isn't up to par and if the crook cant kick in the door then he'll go
through a window or a hole in the roof.

The fact of the matter is the lock manufactuers, Ingersol Rand and Black and
Decker being the two largest ones here in the states, dont want to spend a
dollar or two more on their locks to improve them. They would rather put
out pot metal junk that offers only a since of security. If the public in
general only knew what I know, that being the fact that Kwikset and Titan
locks are junk, the famous Schlage 'Maximam Security Deadbolt' is pot metal,
Yale is no longer up to par, Sentry safes are worthless... If the public
only knew the US lock market is having to compete with China junk to the
point where they are afraid raising the cost of their Home Depot locks that
the average consumer buys by a few dollars in order to increase the locks
security may put them out of buisness because the comsumer doesn't know any
better...


Putyourspamhere

unread,
Jan 5, 2005, 1:23:01 AM1/5/05
to
ail
>From: TheT...@gmail.com

Not really. The manipulation information covered by Blaze has most all been in
the public domain and easily available to anyone who bothered to look for at
least several decades. I had a surprisingly good book on it when I was 15 or
so. Cost was about $10.00 give or take. Drilling information has always been
harder (read more expensive) to come by than manipulation info due to the sheer
amount of research needed to compile it.

The drilling information Blaze covered isn't specific enough to enable anybody
to do the most efficient job on a given box in most cases either.

The article is pretty harmless. Truth be told I could give someone exact
instructions how to open a given container and 9 out of 10 people off the
street would be unable to carry it out under hostile (i.e. while committing a
crime) field conditions. The one that could wouldn't have much trouble getting
the info on his or her own even if it meant buying the safe in question to
study it.

Steve Paris

unread,
Jan 5, 2005, 5:29:40 AM1/5/05
to
"fugi" <fu...@ultra.bl.org> wrote in message

> I'll bet you have the education


> of a plumber or a construction worker. I guess I shouldn't expect
> much.

No Fungi, we have the edumakation of a Locksmith, which in fact seems to
attract snotty superior twits such as yourself, as you are obviously drawn
to this lowly 'blue collar' newsgroup, because as usual, all you superior
bookworm nerdy types wouldn't know how to change a light globe without
having to do a Google search and an MIT study coarse on the subject, then
you'd be too scared to climb up on the chair, ha ha. And mate, what's with
this rubbish that you seem to think will impress on us, just how 'incredibly
superior' you are to us poor lowly tradesmen.

"Anyone who becomes master of a city accustomed to freedom and does
not destroy it may expect to be destroyed by it; for such a city
may always justify rebellion in the name of liberty and its ancient
institutions. -Niccolo Machiavelli"

PLEASE,............. My face burns with embarrassment for you. Someone,
anyone, please ... give this guy a wedgie.


Keyman55

unread,
Jan 5, 2005, 7:05:05 AM1/5/05
to
Steve ,
Well said!
Thanks

"Steve Paris" <lo...@myoffice.net.au> wrote in message
news:crgfig$7t9$1...@news-02.connect.com.au...

Message has been deleted

dbs__...@tanj.com

unread,
Jan 5, 2005, 12:26:52 PM1/5/05
to
--Shiva-- <no...@abuse.net> wrote:

> On Tue, 4 Jan 2005 23:36:10 -0600, you wrote:
>
>> Remember a
>>size 14 boot will kick in a door no matter what lock it has on it if the
>>door isn't up to par and if the crook cant kick in the door then he'll go
>>through a window or a hole in the roof.
> thats what Matt doesnt understand.. that and $$$ that the end
> user will pay..
>
> --Shiva--


If that were a valid excuse you'd never sell a medeco. After all, the glass
windows can be shattered.

As long as the lock industry (including locksmiths) continue to sell
and service junk that can be wrenched open, pulled apart and otherwise
easily defeated, the public will continue to buy it.

Case in point; My relatives thought there was no difference between a
kwikset and any other lock until I pointed out the weaknesses. All have
upgraded to better locks.

In short, you won't value a quality lock if all the experts hide the
shortcomings of a cheap imitation.


Daniel

Jeff Wisnia

unread,
Jan 5, 2005, 1:06:55 PM1/5/05
to
fugi wrote:
then again
> a locksmith is like any other trade, I'll bet you have the education
> of a plumber or a construction worker. I guess I shouldn't expect
> much. carry on.

You just blew yourself out of the water with that low shot you effete snob.

You're probably too stupid to understand that to become a master at any
mechanical trade requires the same kind of intelligence, diagnostic
abilities and inquisitive mind needed to become a professional in the
fields of law or medicine. To say nothing of the business know-how and
common sense needed to put everything on the line and open your own shop.

It's attitudes like your which prevent many a person who'd be excellent
for and happy in a trade from starting out in it; because their parents
say things like, "What intelligent girl would want to marry a plumber?"
and, "You'll never make a good living fixing locks." Those attitudes may
in part account for the undesirable number of yutzes at the lower
eschelons of most trades, particularly in urban areas, where people who
have to use their hands along with their brains get little respect from
the yuppies.

I lurk here because when I was an MIT student nearly 50 years ago there
wasn't a lock on campus we students couldn't get by without leaving a
trace, and it didn't hurt our minds to learn about those kind of things.
I like to keep learning.....

Jeff

--
Jeffry Wisnia

(W1BSV + Brass Rat '57 EE)

http://home.comcast.net/~jwisnia18/jeff/

"As long as there are final exams, there will be prayer in public
schools"

'Key

unread,
Jan 5, 2005, 2:48:01 PM1/5/05
to
"fugi" <fu...@ultra.bl.org> wrote in message
news:crfomo$9iv$1...@news.corenap.com...

you're correct, I do not have a college education.
however, I didn't need it.
I have been in business and have 23+ years
education/expierence in the Locksmith/Security field and
have earned enough $$$'s to retire 6 years ago at the age of
45.

> do try to keep up.

its not me that needs to keep up..

"carry on"
--
"Key"


Message has been deleted

Joe Kesselman (address as shown)

unread,
Jan 5, 2005, 7:59:16 PM1/5/05
to
Jeff Wisnia wrote:
> I lurk here because when I was an MIT student nearly 50 years ago there
> wasn't a lock on campus we students couldn't get by without leaving a
> trace, and it didn't hurt our minds to learn about those kind of things.

That isn't quite how I got my start -- I arrived knowing some of the
basics -- but it's where I first got intensive practice. Though you
predate my stay at the 'tute considerably.

> I like to keep learning.....

That's the real key to this trade -- and to MIT, for that matter. If you
don't like learning and aren't willing to continue studying, you're
sunk, or at least doomed to low income.

a1l...@gmail.com

unread,
Jan 6, 2005, 6:02:24 AM1/6/05
to
Fellow security pros:

I have read this message board for a while but this is my first posting
here. Thanks to all of you for some very interesting food for thought
over the years. I'm a safe tech in Delaware with customers up to
Philadelphia and am familiar with this University. My shop does mostly
commercial work these days mainly for some big companies you probably
know and love. Still its a living and I woundnt trade it for the world.

I just wanted to let you all know that I sent E-Mail to University of
Pennsylvania. I sent it to the three addresses here of Mr. Pereira and
Mr. Glandt and Pres. Gutman. Plus I found another one that got a
response that sounded concerend. That is
Maureen S. Rush, M.S., CPP
Vice President For Public Safety
Division of Public Safety
University of Pennsylvania
Phone: (215) 898-7515
Fax: (215) 573-2651
E-Mail: mr...@publicsafety.upenn.edu

She responded promptly to my concerns. Obviously she understands the
security problems with this kind of material. You should also send to
the other 3 addresses too.

In my letter I explained my background and how this makes my job harder
and will weaken security for everyone.

I dont want to put my letter in a public place here because I talked
about what was right and wrong in the article and I dont want to give
aid and comfort to criminals by pointing it out here. Any real pro will
have no troble seeing whats fiction and what isnt in the article
though.

Well thats it. Just wanted to say hi to my fellow pros and pass on this
maybe useful info.

Howard 'Howie" Slokum

Evan

unread,
Jan 6, 2005, 12:07:43 PM1/6/05
to
> Forwarded by Ed "Lockie"
> NYC Locksmith, Retired
<the_l...@yahoo.com> wrote in message:

> There are steps being taken to deal with this through proper
> channels, but we need your help and support. We doubt that
> his university would appreciate their resources being used for this
> kind of activity, but they may not be aware of it or of the negative
> impact that his so called work has on our industry. With concern for
> homeland security so important, we belive that your voice will be
> heard.

What steps do you think you can take Ed ???

The U.S. Constitution specifically protects free speech in
(Amendment 1) and also limits the period of time to which authors
and inventors can have exclusive claim to their writings and
dicsoveries (Article I, Section 8)

The "Homeland Security" concern is bullshit, and anyone who uses
it in an argument is basically all but saying: "I have no other real point
to make so I will say 'Homeland Security' in an attempt to scare you
into taking me and my words more seriously than you would, because
you don't or can't understand what I am talking about, and I want you to
agree with me without questioning what I am saying"

> Also, very important. The article has photographs that may
> not belong to Blaze because they appear to be commercial.
> If anyone has information on the copyrights of any of these photos
> please let us know so we can let the copyright holders know how
> their property is being used possibly illegally and without their
> permission.

Why not read up on copyright law, "Fair Academic Use" specifically...

Ed, it is quite unfortunate that you do not see that you and others like
yourself who are so outspoken about Mr. Blaze and his work actually
make it MORE credible the LOUDER your outcries against it are...

The fastest way to make something more interesting is to tell people
not to look at it, or to say that it is so outrageous and shocking to
"trade professionals"... If you truly want Mr. Blaze and his papers to
fade into obscurity, then IGNORE them and they will fall into the cracks
of the Internet and soon be forgotten...

WOW: Here is a really dumb NEON sign advertising the very thing
you say is SOOO BAD... Ever thought of NOT contributing to the
interest in the work you say is so dangerous for everyone's safety??

> The article in question is at [URL]
> http://www.crypto.com/papers/safelocks.pdf [/URL].
>
> Attempts to reason with Blaze have been a failure in the
> past, he is the same joker who wrote about Master Keyed locks
> in the "New York Times" last year.

I am sure that people could say the same thing about attempts to
"reason" with you...

>
> Blaze's boss is Chairman Fernando Pereira.
> Email: PER...@CIS.UPENN.EDU
> His boss's boss is Dean Eduardo D. Glandt.
> Email: egl...@seas.upenn.edu
> The President of the University is Amy Gutman.
> Email: pre...@pobox.upenn.edu
>
> These people need to hear from you. Tell them what
> you think polietly and firmly in your own words. Explain
> that you are a security professional and that your job
> is made harder by this sort of thing, and that security
> will suffer.
>

I am sure that they would not like the fact that you linked
their e-mail addresses in a UseNet Newsgroup...
I am sure you have heard of the concept of SPAM...
Next time names and titles would be good enough and
anyone who cares to contact them could go to the
UPENN website and look them up...

~~Evan
(Formerly a Maintenance Man, Now a college student with a 3.85 GPA)


Leon Rowell

unread,
Jan 6, 2005, 12:21:00 PM1/6/05
to
Welcome to the group Howie I hope we see some posts from you now and
then. I don't post a lot because I specialize in antique autos &
motorcycles and do Safe deposit box work so I don't keep up with the
latest and greatest except what I read in the group. I subscribed to LL
for many years when I was doing general locksmithing work but dropped it
when I started doing the antique auto stuff. Good to see a new face....

Leon Rowell

Putyourspamhere

unread,
Jan 6, 2005, 1:41:34 PM1/6/05
to
>Subject: Re: `Safe cracking' article and matt Blaze
>From: --Shiva-- no...@abuse.net
>Newsgroups: alt.locksmithing
>Date: Wed, 05 Jan 2005 16:26:50 +0000
>Reply-To: shiv...@pcis.net
>Message-ID: <i95ot09ipba8kej5s...@4ax.com>
>References: <1104772265.5...@c13g2000cwb.googlegroups.com>
><crf7u7$7rs$1...@news.netkonect.net>
><nobmt099q8ljkeg0r...@4ax.com> <341cmbF...@individual.net>
>X-Newsreader: Forte Agent 1.91/32.564
>X-No-Archive: yes
>MIME-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>NNTP-Posting-Host: 24.137.136.93
>X-Trace: newsfeed.slurp.net 1104942484 24.137.136.93 (5 Jan 2005 11:28:04
>-0500)
>Lines: 12
>X-Original-NNTP-Posting-Host: 24.137.136.93
>Path:
>lobby!ngtf-m01.news.aol.com!ngpeer.news.aol.com!feed2.newsreader.com!news
reader.com!newsread.com!news-xfer.newsread.com!news.glorb.com!in.100proofn
ews.com!in.100proofnews.com!newsfeed.slurp.net!not-for-mail

>
>
>
>On Tue, 4 Jan 2005 23:36:10 -0600, you wrote:
>
>> Remember a
>>size 14 boot will kick in a door no matter what lock it has on it if the
>>door isn't up to par and if the crook cant kick in the door then he'll go
>>through a window or a hole in the roof.
> thats what Matt doesnt understand.. that and $$$ that the end
>user will pay..
>
> --Shiva--
>
>

Blaze understands that perfectly well. He obviously feels that exposing the
flaw is more beneficial than it is harmful. Or he may do it simply for the sake
of study and dissemination of information in a moral/ethical vacumn. Why he
does it or what he does or does not understand is irrelevant because he will
continue to do as he has done. Even if he didn't there will always be others
like him publishing flaws. It's the information age and there is no getting
away from it. Personally I think the likelyhood of misuse of information in his
safe lock article in particular is quite small.

fugi

unread,
Jan 6, 2005, 3:11:11 PM1/6/05
to

yea I can just see some street punks breaking into banks and trying
to crack their vault from the paper they read... I'm sure they've
read it too, their intrest in manipulating group 2 and group 1
locks and all.

either that, or they'll do what works, ask for the money instead.

--

dbs__...@tanj.com

unread,
Jan 6, 2005, 5:27:26 PM1/6/05
to
a1l...@gmail.com wrote:
> She responded promptly to my concerns. Obviously she understands the
> security problems with this kind of material. You should also send to
> the other 3 addresses too.
>
> In my letter I explained my background and how this makes my job harder
> and will weaken security for everyone.
>
> I dont want to put my letter in a public place here because I talked
> about what was right and wrong in the article and I dont want to give
> aid and comfort to criminals by pointing it out here. Any real pro will
> have no troble seeing whats fiction and what isnt in the article
> though.

I'd like to know how this makes the job of installing and serviceing
safes harder. I know how it might make it harder to sell cheap safes
if people realize that the ratings are rigged and that they all have
vulnerabilities, but how does that make it harder to service them?

Does anyone else see the absurdity of this person explaining to a perfect
stranger the ways that blaze was crorrect and incorrect in the guise of
maintaining security secrets? If he was truely concerned with keeping
the knowledge restricted to the initiate, he would never have confirmed
those secrets to unknown third parties.


Methinks he's just worried about his livelyhood, and using public good
as a shield.


Daniel

Homer J

unread,
Jan 7, 2005, 9:58:13 AM1/7/05
to
Interesting article - good effort however obviously written through the eyes
of an IT guy and not an equipment guy. Have dealt with these types before
and can be dangerous bunch ... shooting their mouths off about something
they can't come to grips with. Really should concentrate efforts on the IT
side, vapourware, firewalls, PKI's, smoke & mirrors, horse - shit, etc...
etc .....

Want to do something righteous Matt - come up with a hack for the P4 card
.... there a challenge for you !

#1 question to him is would he dare to place his precious server in a senior
safe constructed for that purpose ?? Passwords seem to be easier to
hack/crack than trying to punch out the tongue on a pair of redundant S&G
6435.

Some of the info is in the public domain. There are quiet a few assumptions,
completely missed the boat on many points and yes, some information which
really shouldn't be published publicly. Shame on you Matt .... "thou shalt
don the hood of shame and stand the corner for the next week or two."

Obviously looked only so far, maybe as far as his arm could reach - should
have looked to see where some of the standards come from and even go beyond
UL and look at UL/C, CEN, RAL or VDS where its a real challenge for the
OEM's to come up with a creative solution to thwart attack.

Think now there's a bit more mystique to "lock whispers" (LOL) than before
.... Oceans 13 anyone ??

Regards, A.J.

(Bank Security Engineer)

<the_l...@yahoo.com> wrote in message
news:1104772265.5...@c13g2000cwb.googlegroups.com...

Joe Kesselman (address as shown)

unread,
Jan 8, 2005, 12:37:45 AM1/8/05
to
I wouldn't be quite as upset about his papers if he was (a) a bit more
selective about what details he included, (b) a bit better informed (s
you say, he's missed some significant points in this one), and (c) if he
was actually saying anything new, rather than writing a
not-particularly-good review-of-existing-literature document that
doesn't even achieve the goal stated in the title of drawing
implications for one field from the other (either way).

If he was my grad student, I'd give him a C on this one. It's pretty,
but it's pretty empty of actual thought. No publish-or-perish points.

the_l...@yahoo.com

unread,
Jan 8, 2005, 4:12:31 PM1/8/05
to
The problem with blaze the knownothing nimrod is that he prints
sensitive info and that he slanders the locksmithing profession in the
process.

I have a question for mr. knowitall:: if safes are no good as you say
what do you suggest instead? Plus if you guys are so smart why do
computer virus keep happening. We wont be hold our breath waiting for
your answer.

Joe thanks for the message. I sent mine too.

Putyourspamhere

unread,
Jan 8, 2005, 5:16:04 PM1/8/05
to

>From: "Joe Kesselman (address as shown)" keshlam...@comcast.net

>I wouldn't be quite as upset about his papers if he was (a) a bit more
>selective about what details he included, (b) a bit better informed (s
>you say, he's missed some significant points in this one), and (c) if he
>was actually saying anything new, rather than writing a
>not-particularly-good review-of-existing-literature document that
>doesn't even achieve the goal stated in the title of drawing
>implications for one field from the other (either way).

"c" is especially accurate. It moght as well be a book report.

Putyourspamhere

unread,
Jan 8, 2005, 5:19:11 PM1/8/05
to

>From: the_l...@yahoo.com

>
>The problem with blaze the knownothing nimrod is that he prints
>sensitive info and that he slanders the locksmithing profession in the
>process.

If he knows nothing then how can he detail sensitive information?

>I have a question for mr. knowitall:: if safes are no good as you say

He never said that.

>what do you suggest instead? Plus if you guys are so smart why do
>computer virus keep happening.

I don't think Blaze works for MS.

Evan

unread,
Jan 8, 2005, 6:33:13 PM1/8/05
to

<the_l...@yahoo.com> wrote in message
news:1105218751.5...@c13g2000cwb.googlegroups.com...

Ed:

Now you are sinking down to the level of name calling
like some kind of a child...

Compujter viruses keep happening because some
of them are written so that they can adapt their code
everytime they infect a new system... The majority of
computer systems in the world that get attacked are
home PCs that in turn infect other networks as users
connect remotely to computers at work or school etc
and transfer files...

Think of it this way, if you had a safe lock that could
change its combination as you were manipulating it
how long do you think it would take you to open it ???

Grow up...

The LOUDER you complain about Blaze and his
work the more credible you make it...

If you don't feed it it will fade away and fall back
into the cracks of the internet...

Evan,
~~formerly a maintenance man, now a college student with a 3.85 GPA


Glen Cooper

unread,
Jan 9, 2005, 12:42:42 AM1/9/05
to
Why dont you just quit talking about it Ed? I agree with you 100% but you
are not snapping to the fact that when one billion or so people get together
on this thing called cyberspace, information gets passed around. YOU CANT
STOP IT!... If it wasn't for you posting it here then neither I nor about 1
billion other people over the course of the next 20 or 50 or even 100 years
would have never known or know about it because these post here on
alt.locksmithing are recorded forever and the more people that read them,
the more they will show up toward the number one search result on Google.
Wake up, you aren't in Kansas anymore. This new age is about information
and if you don't want something to be known then you can't post links. The
word will get out and you WILL NOT stop it.

With respect
Glen


<the_l...@yahoo.com> wrote in message
news:1105218751.5...@c13g2000cwb.googlegroups.com...

Andy Dingley

unread,
Jan 9, 2005, 5:34:15 PM1/9/05
to
On 3 Jan 2005 15:46:09 -0800, the_l...@yahoo.com wrote:

>We have to nip it in the
>bud or soon there will be no security left

Bullshit (and I've called you on this before)

What is "the locksmith trade" doing ? It's selling over-priced
"secure" products to an unsuspecting audience who don't realise their
limitations. This extends from the S&G products described in this
paper down to (&deity; forbid) Sentry.

Now if the situation was half as bad as you claim, then you should be
ashamed. Not Matt Blaze, but _you_ and every other locksmith who has
been selling these things. Because if all it took to make these locks
open to widespread manipulation was this one paper, then you've been
selling a shoddy snake-oil product and ripping off your customers for
years.

Of course we know the situation isn't that bad. Manipulation is a hard
skill to acquire and the average burglar will still favour breaking
the window to putting in any effort. And many of them are too strung
out or just plain dumb to read this paper, let alone learn the
contents. But the fact remains that the products of the "security"
industry have been compromised for years and rather than accepting
this and fixing it, your reaction is this secret-squirrel Guild
mentality that hopes the problem will go away if you ignore it. Well
it won't - the real bad guys knew this stuff beforehand, and they
passed it around.

What are the problems exposed in this paper ? Mainly that poor
manufacturing allows the disk pack to be read. Well how about
_fixing_ that problem, rather than whining when someone points it out?
Or are you waiting for China to discover the lock industry and take
that away from US industry too, when they offer a better quality
product at a sensible price ? For the only thing keeping the fat
mark-up on Group 2 combination locks is inertia in the retail channel
and some diminishing work for higher security products in government.
What''s the difference between Group 1 and Group 2 anyway ? A buck's
worth of extra parts and _not_ having the sloppy manufacture, that's
all.

In the computer security community there's an entirely different
attitude, in two ways. One is that "security through obscurity" as
you rely on it is a joke. A mechanism is only judged secure if it's
still secure _despite_ the bad guy knowing the whole details. This is
attainable too, and it means that IT security products (the real ones)
out in the field are a lot more robustly engineered than physical
security products.

Secondly there's an attitude that beating up a system's weaknesses in
public is a _good_ thing. We know the bad guys do it in private, so if
we can't stop them, we'd better do some of it too and improve the
techniques as a result.

Of course there are snake-oil IT security products. They come from big
corporates and they're sold to fools in suits who don't know any
better. Neither side follows the two principals above. WEP (wireless
networking) and any product of M$oft are just the more infamous
examples. Most IT security failures are like physical security
failures though - social engineering and conning the humans, rather
than addressing the rather less easily fooled hardware.

As to your ad hominem attacks, then you should be thoroughly ashamed.
Are you an American ? Do you have any understanding of the
Constitution and the freedoms it holds most dear ? Yet you have an
attitude that's straight out of Communist North Korea, where your
secretive control-freak sham would be more at home.

Message has been deleted

Putyourspamhere

unread,
Jan 9, 2005, 8:04:38 PM1/9/05
to


>From: Andy Dingley din...@codesmiths.com
>Newsgroups: alt.locksmithing

>On 3 Jan 2005 15:46:09 -0800, the_l...@yahoo.com wrote:
>
>>We have to nip it in the
>>bud or soon there will be no security left
>
>Bullshit (and I've called you on this before)

To a large degree yes. Lockie pretty much only posts here to whine about
something Matt Blaze has published and then typically links right to it to
maximize the potential "damage". Lockie might even be Matt Blaze increasing the
exposure of his articles without opening himself up to accusations of shameless
self promotion. Yes. I'm kidding. But Blaze himself couldn't come up with a
better teaser to get people to read his papers than lockie does.

>What is "the locksmith trade" doing ? It's selling over-priced
>"secure" products to an unsuspecting audience who don't realise their
>limitations. This extends from the S&G products described in this
>paper down to (&deity; forbid) Sentry.

Neither example is especially "over-priced" and both are quite adequate for
their intended purpose. If you need a burglary safe you don't buy a safe
designed just to protect from fire and if you need strong protection against
covert entry you buy a manipulation resistant lock. Not to mention that
physical security should be supplemented by alarms and/or surveillance anyway.
To be completely honest my chief criticism of the combo lock paper by Blaze is
that none of it is original. I'm sure he actually got some hands on experience
with it and verified what he wrote but it still amounts to little more than a
book report on what has been public domain for decades.

>Now if the situation was half as bad as you claim, then you should be
>ashamed. Not Matt Blaze, but _you_ and every other locksmith who has
>been selling these things. Because if all it took to make these locks
>open to widespread manipulation was this one paper, then you've been
>selling a shoddy snake-oil product and ripping off your customers for
>years.

As has been said time and again for anyone who bothers to listen NOT EVERY
CUSTOMER WANTS OR CAN AFFORD THE HIGHEST SECURITY DEVICES AVAILABLE. The
situation is the same in the computer world, although there the trade off is
more convenience than cost based. Linux and Unix are arguably a hell of alot
more secure than windows but which OS do you think makes up the overwhelming
share in the PC market? Add to this the fact that the 'openess' of the computer
security community with regard to the discusion of flaws makes it possible for
every script kiddie and his or her brother to download the latest exploit which
they typically could not explain the workings of if you put a gun to their head
much less create on their own. It's highly doubtful that openess with regard to
computer security is on the balance beneficial to the overall security of the
average user.

>Of course we know the situation isn't that bad. Manipulation is a hard
>skill to acquire and the average burglar will still favour breaking
>the window to putting in any effort. And many of them are too strung
>out or just plain dumb to read this paper, let alone learn the
>contents. But the fact remains that the products of the "security"
>industry have been compromised for years and rather than accepting
>this and fixing it, your reaction is this secret-squirrel Guild
>mentality that hopes the problem will go away if you ignore it.

Virtually all security is compromisable in some way. You can take the best
computer or physical security in the world and put a gun to the head of whoever
has access and you are likely going to get in. All any security can be expected
to do is slow an attacked down and make his job harder.

Well
>it won't - the real bad guys knew this stuff beforehand, and they
>passed it around.

It's debatable how much the bad guys "pass" stuff around. What's the upside to
them doing so?

>What are the problems exposed in this paper ? Mainly that poor
>manufacturing allows the disk pack to be read. Well how about

>_fixing_ that problem, rather than whining when someone points it out?\

It's been done already. Many manipulation resistant lock designs exist. The
6730 and similar is the lowest security lock in common use on anything
approaching a "real" safe. Safe manufacturers also add to the difficult by
designing boxes that minimize the weakness of the locks used.

>Or are you waiting for China to discover the lock industry and take
>that away from US industry too, when they offer a better quality
>product at a sensible price ?

China doesn't typically offer quality. Only price.

For the only thing keeping the fat
>mark-up on Group 2 combination locks is inertia in the retail channel
>and some diminishing work for higher security products in government.
>What''s the difference between Group 1 and Group 2 anyway ? A buck's
>worth of extra parts and _not_ having the sloppy manufacture, that's
>all.

Precision tolerances cost alot in any mass produced product.

>In the computer security community there's an entirely different
>attitude, in two ways. One is that "security through obscurity" as
>you rely on it is a joke.

Which is largely why my firewalls record dozens of attempted attacks a day by
mindless little script kiddies that are lucky if they even know how to use the
tool they just downloaded.

A mechanism is only judged secure if it's
>still secure _despite_ the bad guy knowing the whole details.

There is no mechanism completely secure. As somebody else already pointed out:
Who would want one? In the event of a lockout you would not be able to get at
what it was that was so important to secure.

> This is
>attainable too, and it means that IT security products (the real ones)
>out in the field are a lot more robustly engineered than physical
>security products.

And just like with physical security products inferior, usually much more
convenient products outsell them by a large proportion. Look at sales of linux
vs windows.

>Secondly there's an attitude that beating up a system's weaknesses in
>public is a _good_ thing.

Yep the script kiddies love it. It keeps them in the game.


We know the bad guys do it in private, so if
>we can't stop them, we'd better do some of it too and improve the
>techniques as a result.

The question is do you cause more successful attacks and greater overall damage
than you prevent or vice versa? I have never seen any scientific evidence
presented either way.


>Of course there are snake-oil IT security products. They come from big
>corporates and they're sold to fools in suits who don't know any
>better.

Yep.

Neither side follows the two principals above. WEP (wireless
>networking) and any product of M$oft are just the more infamous
>examples.

Comparable to Kwikset and similar. The main difference is it's alot easier and
cheaper for all affected users to download a patch for windows than it is to
replace every Kwikset in America.

Most IT security failures are like physical security
>failures though - social engineering and conning the humans, rather
>than addressing the rather less easily fooled hardware.
>
>As to your ad hominem attacks,


An ad-hominem attack seeks to discredit an idea or stated position by attacking
the person who holds or presents it. Nobody is doing that. They are just
stating the position that he's irresponsible. That's not an ad-hominem attack.

then you should be thoroughly ashamed.
>Are you an American ?


Why? Because they stated an opinion?

Do you have any understanding of the
>Constitution and the freedoms it holds most dear ?

Uh yeah I think they are excercising their first amendment rights and
criticizing Blaze's actions.

Yet you have an
>attitude that's straight out of Communist North Korea, where your
>secretive control-freak sham would be more at home.
>

What kind of lock do you have on your house and where do you live? Alarm? Dog?
Guns? When do you go to work? A little secrecy isn't a bad thing. If you
disagree you'll have no problem answering all the questions.

Putyourspamhere

unread,
Jan 10, 2005, 11:29:22 AM1/10/05
to

>From: --Shiva-- no...@abuse.net

>
>

>>As to your ad hominem attacks, then you should be thoroughly ashamed.
>>Are you an American ? Do you have any understanding of the


>>Constitution and the freedoms it holds most dear ?

> suggest you go back and read some new rules/laws passed..
>Patriot acts 1 and 2..

Patriot Act two has not passed and if half the people who complain about it
bothered to write their representatives in Congress it like won't.

Puma

unread,
Jan 14, 2005, 10:21:30 AM1/14/05
to
Perhaps locks ought to actually "protect" things they way they're
advertised to? "Security by obscurity" doesn't work. It's certainly not
Matt Blaze's fault that locksmiths insist upon keeping "secrets" to
make money from people. This is the 21st Century. Guilds are dead.
Guilds that extort money from folks with their "secrets" should be
doubly gone.

Kitchendon

unread,
Jan 14, 2005, 11:39:35 AM1/14/05
to
Sounds like you and your fellow security professionals got caught with
your pants down. Either your locks are secure or they are not.

If someone points out the flaws in your security you should fix those
flaws. Instead you are blaming the messenger for something that is
utlimately your own fault.

Don

Keyman55

unread,
Jan 14, 2005, 12:03:05 PM1/14/05
to
I must be out of touch with reality.

What is it that is so terrible with Matt Blaze's article?

He didn't discover ANYTHING, he simply put all the info in a public place.
There is NOTHING in that article that any locksmith didn't already know.
So he told the world how to open a safe (um hmm).
Those of you who are familiar with the methods described know that just
reading 1 article about the principles involved will not get the safe open,
any more than reading a book about landing a spacecraft on the moon,makes
you an astonaut. or reading a the owners manual to an automobile makes you
a good driver.

I personally would like to see 1 ( just 1) non-locksmith open any safe with
just the info given.

I may just try that, I have a safe in my office that the combo was lost
years ago. I think I will give the article to one of the empolyees and see
if they can get the safe open.
I may even use that for my next apprentice 'test'.

<the_l...@yahoo.com> wrote in message
news:1104772265.5...@c13g2000cwb.googlegroups.com...


> Forwarded from the NYC-LOCKS list:
>
> As many of you know Matt Blaze a professor at Pennsylvania
> University has published an article that reveals proprietary
> techniques of safe penetration. It was featured on well known
> hacker website recently, and it came to our attention on Saturday.
> It includes information normally reserved to the trade, for good
> reasons that need not be discussed here.
>
> The article is available to the general public without any
> restrictions whatsoever. We as professionals in the security
> field are outraged and concerned with the damage that the
> spread of this sensitive information will cause to security
> and to our profession. We know many of you will be too.
>

> Forwarded by Ed "Lockie"
> NYC Locksmith, Retired
>


'Key

unread,
Jan 14, 2005, 12:25:16 PM1/14/05
to
"Puma" <docra...@gmail.com> wrote in message
news:1105716090.3...@c13g2000cwb.googlegroups.com...

> Perhaps locks ought to actually "protect" things they way
> they're
> advertised to?

most locks do actually "protect" things they were "designed"
to protect.

> "Security by obscurity" doesn't work.

sure it does.

> It's certainly not
> Matt Blaze's fault that locksmiths insist upon keeping
> "secrets" to
> make money from people.

its not the reason "locksmiths insist upon keeping
"secrets".
"making money from people" has absolutly nothing to do with
it.


> This is the 21st Century. Guilds are dead.
> Guilds that extort money from folks with their "secrets"
> should be
> doubly gone.

again,
doesn't really apply.

--
"Key"


fugi

unread,
Jan 14, 2005, 12:22:57 PM1/14/05
to

> Don

it can't be 'fixed' really. like computer security, anything that
has 'access control' can be accessed by the authorized user or
process. so there's a way in, it just takes manipulation for a
non-authorized user to gain that access. of course lack of bounds
checking and data integrity in careless peoples code makes that
easier, much as simple locking mechanisms make it easier. the most
you can do with access control is slow unauthorized access, and
hope your efforts to impede your enemy will allow you the time to
detect the attempt at intrusion and then work offensively against
them instead of relying on your defensive structures in place.

a high quality safe with thick hardplate, angled steel, and a
relocker among other items to protect against brute force attacks,
and a quality lock such as an X-09 to protect against manipulation,
and an alarm system to alert the propper people (read Armed people)
of the intrusion occuring will prevent most any burglary. but it
doesn't come cheap, and obscurity at this point doesn't create any
further security.

we need to drop the secrecy as it only instills a false sense of
security in using the improper procedure to secure an item of value.

t3kno...@gmail.com

unread,
Jan 14, 2005, 12:39:00 PM1/14/05
to
Security through obscurity isn't security at all. I'd rather have a
listing of all of the ways of getting around a lock so that I can
secure against _that_- instead of being ignorant, and relying on the
hope that all would-be safe-crackers are ignorant as well.

Message has been deleted
Message has been deleted

fugi

unread,
Jan 14, 2005, 3:04:37 PM1/14/05
to
--Shiva-- <no...@abuse.net> wrote:

> I would love to see a published list of XP's flaws as well, but
> it aint gonna happen.

> --Shiva--
>
>

someone isn't famaliar with bugtraq...

gf...@softfish.com

unread,
Jan 14, 2005, 4:00:32 PM1/14/05
to
Read BugTraq


--Shiva-- wrote:
> On 14 Jan 2005 09:39:00 -0800, you wrote:
>

gf...@softfish.com

unread,
Jan 14, 2005, 4:00:37 PM1/14/05
to
Read BugTraq


--Shiva-- wrote:
> On 14 Jan 2005 09:39:00 -0800, you wrote:
>

Message has been deleted

Dan

unread,
Jan 14, 2005, 5:00:06 PM1/14/05
to
FYI...

On Mon, Jan 03, 2005 at 09:11:05AM -0800, the_l...@yahoo.com wrote:
> As many of you know Matt Blaze a professor at Pennsylvania
> University

That'd be University of Pennsylvania. Penn State U. is a different
institution. You probably want to get that right when you, you know,
write your nasty letters, file your lawsuits, or what have you. `

> We as professionals in the security
> field are outraged and concerned with the damage that the
> spread of this sensitive information will cause to security
> and to our profession. We know many of you will be too.

I'm only a consumer in the realm of physical security, but personally,
I'd be outraged that the "professionals" are trying to keep this
information secret from me. In the computer security realm, the
professionals tend to be fairly open with their clients about what their
system is capable of. I'd expect no lower standard of professionalism
here.

> Blaze's boss is Chairman Fernando Pereira.
> Email: PER...@CIS.UPENN.EDU
> His boss's boss is Dean Eduardo D. Glandt.
> Email: egl...@seas.upenn.edu
> The President of the University is Amy Gutman.
> Email: pre...@pobox.upenn.edu

You probably won't find a very receptive audience, and you probably
shouldn't even bother writing, to be honest.

Also, WRT copyrighted photographs, academic use is generally protected
under fair use, so you probably won't get too far there, either.

In other words, you've little recourse. Making a big stink only makes
you look a bit silly. One option you may wish to consider is to follow
what is generally considered de rigeur in the software industry:
acknowledge the vulnerbility, and publish a workaround and a fix. Of
course, that costs money--yours, not the consumers'--but then, that's
the result of designing insecure products. Vulnerabilities happen to
even the best designer, after all. Try not to take it so personally.
--
Dan

Dan

unread,
Jan 14, 2005, 5:19:53 PM1/14/05
to
On Fri, Jan 14, 2005 at 05:25:16PM +0000, 'Key wrote:
> > "Security by obscurity" doesn't work.
>
> sure it does.

Seems to be some confusion here--on the nature of debating, at least;
saying "sure it does" or "no it doesn't" does nothing to further your
case.

So, here's what I see as a rational position. Defining "security through
obscurity" as relying on the secrecy of a design rather than the secrecy
of a password, code, or other authentication token is poor design. The
reason is a very simple calculation of the amount of secrecy preserved.

In a password-protected computer system with, say, an 8 character
password comprised of [A-Z][a-z][0-9], there are 8^62 possible
passwords. Assuming a pseudo-random (i.e. "secure") password, that gives
an attacker a 1/8^62 chance of successfully guessing the password on a
given try; i.e., on average, it will take 8^31 guesses to get the right
password. This is security through a very small amount of secret
information; keeping the functioning of the code behind the password
authentication mechanism secret ads relatively little value (there are
only a handful of likely designs of such a system in any given language
and larger system design; i.e. knowing the parameters of the system, I
can make a much narrower guess at the implementation).

Comparatively, in a non-password-protected system relying on an obscure
entrance mechanism--say, a Webpage with a URL not linked to from a
search engine or public page--the mechanism is still easily guessed,
because it contains much less random information. For instance,
Reuters did just this
(http://seclists.org/lists/politech/2002/Oct/0064.html).

Or, let me present an example in the case of safes. We can generalize
the methods of accessing a safe in two ways: via knowing (or guessing)
the authentication mechanism (key, code, etc) or by bypassing the
requirement for authentication. In the former case, obscurity gains
quite literally nothing; as I discussed above, with a sufficient amount
of secret random data, there's no value in keeping the mechanism also
secret. In the latter case, it may be tempting to say that obscurity is
worthwhile here, but it probably is not: anyone can disassemble a safe
to determine how it functions, and the mechanical principles used are
simple enough that it wouldn't take a rocket scientist (or a locksmith)
to see the holes (as in the case of Blaze's master keyed sytems paper,
where the vulnerability was well known and readily apparent to anyone
who understood the system). So obscurity ads little or no value, and may
in fact detract: by assuming the inner workings are secret, a lock
designer may disregard vulnerabilities that would become apparent to
anyone who *did* know the inner workings, meaning that mere
disassembly--or a leak of the product designs--may be sufficient
information to bypass the (much harder to come-by) password.

So obscurity clearly ads little or no value in a secure system, and if a
system relies on its workings being secret, that reliance is false. You
can find more literature on this on the Web, of course, in relation to
computer security, but I believe it is even more applicable when it
comes to physical security, where relatively less expertise is needed to
understand at least simple locking mechanisms (I'm not a physical
security expert, obviously, but I can understand how a master keyed
cylinder lock works--and spot the hole--without any training or
background).

Cheers.

--
Dan

Edwin

unread,
Jan 14, 2005, 5:55:49 PM1/14/05
to
If I was an aspiring safe cracker, I think
http://money.howstuffworks.com/safecracking1.htm would be a lot easier
reading than "Safecracking for the computer scientist."

As a person interested in computer security, I prefer actual security
over pretending flaws/weaknesses don't exist if no one talks about them.

mfkenney

unread,
Jan 14, 2005, 7:05:34 PM1/14/05
to
Wake up. You so-called professionals in the security field are burying
your heads in the sand. Security-through-obscurity has never and will
never work.

I am not going to take an elitist stance and belittle anyones training
or education. You may be a very smart guy and I am sure you are
skilled at what you do. But let's face it, the product that you work
with has flaws. Rather than castigating the messenger, you should be
working to improve your product. That is the mark of a true
professional.

I for one hope this paper gets distributed far and wide. I am going to
do my best to make sure it does so...

--Mike

the_l...@yahoo.com wrote:
> Forwarded from the NYC-LOCKS list:
>

> As many of you know Matt Blaze a professor at Pennsylvania

> University has published an article that reveals proprietary
> techniques of safe penetration. It was featured on well known
> hacker website recently, and it came to our attention on Saturday.
> It includes information normally reserved to the trade, for good
> reasons that need not be discussed here.
>
> The article is available to the general public without any

> restrictions whatsoever. We as professionals in the security


> field are outraged and concerned with the damage that the
> spread of this sensitive information will cause to security
> and to our profession. We know many of you will be too.
>

> There are steps being taken to deal with this through proper
> channels, but we need your help and support. We doubt that
> his university would appreciate their resources being used for this
> kind of activity, but they may not be aware of it or of the negative
> impact that his so called work has on our industry. With concern for
> homeland security so important, we belive that your voice will be
> heard.
>
> The article in question is at [URL]
> http://www.crypto.com/papers/safelocks.pdf [/URL].
>
> Attempts to reason with Blaze have been a failure in the
> past, he is the same joker who wrote about Master Keyed locks
> in the "New York Times" last year.
>

> Blaze's boss is Chairman Fernando Pereira.
> Email: PER...@CIS.UPENN.EDU
> His boss's boss is Dean Eduardo D. Glandt.
> Email: egl...@seas.upenn.edu
> The President of the University is Amy Gutman.
> Email: pre...@pobox.upenn.edu
>

Message has been deleted

Putyourspamhere

unread,
Jan 14, 2005, 9:45:58 PM1/14/05
to

>From: fugi fu...@ultra.bl.org


>and a quality lock such as an X-09 to protect against manipulation,


X-09 is overkill if that is all you want to ahcieve.

Putyourspamhere

unread,
Jan 14, 2005, 10:05:15 PM1/14/05
to

>From: t3kno...@gmail.com

>
>Security through obscurity isn't security at all.

Sure it is, against anyone the mechanism remains obscure to.


I'd rather have a
>listing of all of the ways of getting around a lock so that I can
>secure against _that_

Because you think you will be able to do it better than the manufcaturers that
do nothing but? If you really think you can do it better than the pros, and
logically why would you, you've got your safe right there don't you? Study it
and add some surprises to it. Make sure you know what you are doing though or
the only one locked out will be you.

instead of being ignorant, and relying on the
>hope that all would-be safe-crackers are ignorant as well.

Most safe crackers that will have the information on your lock and box design
have knowledge of, and practical experience with, techniques that you have
likely never heard of so if it's between you and them with regard to the
security of the container and mechanism there's probably not going to be much
of a contest. Your best bet: Know and understand the ratings system used for
safes and make sure that you have a professionally installed and monitored
alarm (forget about the dialer setups commonly used in residential applications
if you are serious) that does not allow the time needed relative to what you
have because if given enough time the right person WILL get in it or carry it
off (I don't care how heavy or well attached it is) no matter what you do.
Also keep in mind that somebody can't steal what they can't find.

'Key

unread,
Jan 15, 2005, 12:18:29 AM1/15/05
to
"Dan" <d...@af0.net> wrote in message
news:20050114222057.GB20915@specialk...
---snip---
> --
> Dan

From the FAQ
http://www.indra.com/archives/alt-locksmithing/
0. Will people on this newsgroup give me information about
picking locks, etc.?
Yes and No. This is a serious debate, based on serious
principles. Most experienced people here are quite willing
to discuss the basics of lock construction and operation.
Few (if any) are willing to give specific answers regarding
opening a particular lock or safe - without knowing the
asker or having other evidence that the inquiry is
legitimate.
Another balancing act regards the general effect of
information. As Joe K. put it succinctly, "On one side there
are the idealists who believe that even weak security should
not be further compromised without good reason; on the other
there are those who believe that weak locks should be forced
out of the market. There's never going to be agreement
here... can we just agree that reasonable people can
disagree, and have done with it?"

People have contrasted locksmithing "security by obscurity"
with practice in the software arena (in which it has
generally been considered to be misguided and therefore be
bad for society.) Exposing flaws as a social good breaks
down when there are hundreds of thousands of current owners
of the product who don't know that the flaw has been
exposed. Even if they find out, there is another big
difference. This is the cost of correcting the flaw
(upgrading.) Installing the patches on your copy of software
takes a bit of effort, but you don't have to throw out and
purchase a new physical product (such as a lock.) The
manufacturer of the lock is pretty certain not to make it
available for free. Basically you have to buy a new item and
have it replaced, and this adversely impacts users, many of
whom do not have the budget to correct the flaw. Therefore
publishing the security flaw costs users *much* more for a
lock than for a piece of software.

And the fact is that a nominally flawed product _does_
provide adequate security against the unmotivated and
ignorant who are the primary folks attacking physical
security systems (as opposed to the motivated and clueful
who attack electronic security and can do it from a distance
without physical presence).

g'day
--
"Key"


drogers

unread,
Jan 15, 2005, 5:27:20 AM1/15/05
to
To quote you:

> Case in point; My relatives thought there was no difference between a
> kwikset and any other lock until I pointed out the weaknesses. All
have
> upgraded to better locks.

Can I ask: How many times have your relatives been burgled? Do they all
live in neighbourhoods that suffer from burglaries? Your security
assessment of the threats appear to be non-existent!

Here is an example for you: If you leave your door unlocked for one
week: what are the chances of you getting burgled? If you leave your
door locked for a week what are the chances of you getting burgled? The
answer is: it all depends on the presence of the burglar.

pierre...@gmail.com

unread,
Jan 15, 2005, 9:01:20 AM1/15/05
to
> [...] and that security will suffer.


Wait, when exactly security start to suffer ? Is it when the "security
profesional"'s design is flawed, or when some other guy reveals it ?
The measure of security is absolute, and not dependant of the fact that
people know about vulnerabilities.

Besides, I have a problem with what you call "proprietary techniques".
Is a vulnerability a proprietary technique ? What I think is that when
you call your products "secure" and complain about a guy saying that
they're finally not that secure, "proprietary techniques" are actually
lies (or "deliberate omissions").

Now let's talk about "the damage it will cause to your profession".
Aren't you responsible for your own image ? Do you really feel good
when you say something that means "I used to have a good reputation
because customers didn't know my products aren't as secure as I claim,
now I risk losing that reputation because some guy revealed the truth.
Please make him shut up" ?

Pierre.

di...@cfcl.com

unread,
Jan 15, 2005, 11:06:54 AM1/15/05
to
Well, Dan sort of had the right idea that you would (on average) have
to try half of the possible passwords. However, the calculation should
result in 4*8^61 as the number of guesses needed. This is 2^92 times
larger or more than a billion billion billion times as many guesses.
Big numbers can be tricky.

Dick


Dan wrote:
...

Dan

unread,
Jan 15, 2005, 12:52:43 PM1/15/05
to
On Sat, Jan 15, 2005 at 08:06:54AM -0800, di...@cfcl.com wrote:
> Well, Dan sort of had the right idea that you would (on average) have
> to try half of the possible passwords. However, the calculation should
> result in 4*8^61 as the number of guesses needed. This is 2^92 times

Oops. I should never try to do algebra on a Friday.

8^62/2 is what I was trying to say. I don't believe this affects the
validity of my point, other than to make it apparent that I'm careless.
;)
--
Dan

Dan

unread,
Jan 15, 2005, 1:07:09 PM1/15/05