As many of you know, Matt Blaze, a professor at Pennsylvania
University, has published an article that reveals proprietary
techniques of safe penetration. It was featured on a well-known
hacker website recently, and it came to our attention on Saturday.
It includes information normally reserved for the trade, for good
reasons that need not be discussed here.
The article is available to the general public without any
restrictions whatsoever. We as professionals in the security
field are outraged and concerned with the damage that the
spread of this sensitive information will cause to security
and to our profession. We know many of you will be too.
There are steps being taken to deal with this through proper
channels, but we need your help and support. We doubt that
his university would appreciate their resources being used for this
kind of activity, but they may not be aware of it or of the negative
impact that his so-called work has on our industry. With concern for
homeland security so important, we believe that your voice will be
heard.
The article in question is at
http://www.crypto.com/papers/safelocks.pdf
Attempts to reason with Blaze have been a failure in the
past; he is the same joker who wrote about master-keyed locks
in the "New York Times" last year.
Blaze's boss is Chairman Fernando Pereira.
Email: PER...@CIS.UPENN.EDU
His boss's boss is Dean Eduardo D. Glandt.
Email: egl...@seas.upenn.edu
The President of the University is Amy Gutman.
Email: pre...@pobox.upenn.edu
These people need to hear from you. Tell them what
you think politely and firmly in your own words. Explain
that you are a security professional and that your job
is made harder by this sort of thing, and that security
will suffer.
Also, very important. The article has photographs that may
not belong to Blaze because they appear to be commercial.
If anyone has information on the copyrights of any of these photos
please let us know so we can let the copyright holders know how
their property is being used possibly illegally and without their
permission.
Forward this note as you see fit to others in the profession.
Thank you for your attention.
/////
Forwarded by Ed "Lockie"
NYC Locksmith, Retired
That's some good material, and great pictures to accompany it. I
sent a couple of emails praising the high quality of his work. Thanks
for the link.
--
Anyone who becomes master of a city accustomed to freedom and does
not destroy it may expect to be destroyed by it; for such a city
may always justify rebellion in the name of liberty and its ancient
institutions. -Niccolo Machiavelli
Surely you're not in the profession!
my2¢
--
"Key"
When they do things like this and get away with it, it gives other
people like him the idea that this is OK. We have to nip it in the
bud or soon there will be no security left after these intellectuals
get through with us.
Ed "Lockie"
NYC Locksmith, retired
Real World Security Professional
and a person with no security ethics named matt :-)
--
"Key"
> my2¢
> --
> "Key"
The free distribution of knowledge is essential to the development
of the subject. Don't think of yourself as a gatekeeper to
information that nobody but those in your circle have. It'll get
you as far as the Maginot Line got the French in WWII. Those who
only have a purely defensive stance will always fall to the offensive.
Just as I thought,
you're definitely not in the physical security profession!
> It'll get you as far as the Maginot Line got the French in
> WWII. Those who
> only have a purely defensive stance will always fall to
> the offensive.
Disagree.
Ethics is a word you should learn a little about.
--
"Key"
> --
> "Key"
What do you disagree with, the fact that the French fell to the
Germans? Or the fact that they fell from fighting a defensive war?
Hats off to Blaze, it's about time that some serious Comp Sci/algorithmic
work was applied to determine how secure the locks are that most people
take for granted. The lock industry and the public stand to benefit from
this scrutiny of the product range.
G. Pulford
<the_l...@yahoo.com> wrote in message
news:1104772265.5...@c13g2000cwb.googlegroups.com...
I disagree with
"a purely defensive stance will always fall to the
offensive"
as it applies to the subject.
Do try and keep up.
--
"Key"
I think you meant to say:
We have to nip it in the bud or soon there will be no
__APPEARANCE_OF__ security left
This is so silly on so many levels. You sell a product that has known
deficiencies so that you can break in when you need to. Then you act
like it's a big deal when someone talks about it! On top of that you act
like it's a matter of national security when, in fact, it changes nothing.
It does not take a brain surgeon to figure out that anyone can buy a
safe, disassemble it and figure out its weaknesses. The fact that
every single copy of model X is built the same way is planned insecurity.
Now THAT's a crime. That they are sold as secure when they are not is
a crime.
If you want to get Blaze to protect your job, that's understandable.
To vilify him for openly discussing what is known within the industry
to be common shortcomings is sheer hypocrisy.
I'm still waiting for SCHLAGE to notify folks that it's recalling their
defective entry locks. Wait, they can't do that without disclosing that
they are insecure, so only the locksmiths and burglars know.
I must be in a foul mood, because I've seen 5 holier-than-thou posts in
the last hour. If anyone should be prosecuted for lessening the national
security it's the companies that sell insecure locks and safes without
warning their customers that they are vulnerable.
Sigh
Many instances in history disprove you. In fact, I'm not aware of
a single event that will go along with your argument. Then again,
a locksmith is like any other trade; I'll bet you have the education
of a plumber or a construction worker. I guess I shouldn't expect
much. Carry on.
Do try to keep up.
I see nothing good or bad coming out of this matter concerning Matt Blaze.
This is the information age. This info is out there already. He condensed
it into an easier-to-read format, but really nothing said by him is new to
locksmiths or anyone who has bothered to take a safe lock apart to see how
it works. It's no big deal. Safes have been the same for a very long time.
Nothing has really changed in decades. I don't agree with his ethics, but
that matter is not important in cyberspace.
To try to restrict this unpatented info from the public domain is pointless,
because the internet and the modern world we live in are a lot different than
they were years ago when it was possible to control information like this. The
old timers out there should realise that things regarded not too long
ago as close-lipped just aren't the same in this land of cyberspace where
the whole world is connected at the touch of a keyboard.
It's pointless to try and control unpatented secrets anymore. The people
in the security industry need to open their eyes and do a better job at
securing their trade secrets, so people like Matt Blaze who have a little
time on their hands don't open up a 40 or 50 year old book on safes, write
a paper, and get us all upset that he's spilling trade secrets. We can do
this by advancing cheap security items, like the standard pin cylinder lock
to use as an example, into the 21st century and quitting relying on the same
system that has been around since Yale invented the thing over a hundred
years ago. I think the Europeans are ahead of the US concerning this
example because they use mostly lever locks, which are more difficult to pick
and don't cost an arm and a leg for the old lady on SSI.
As far as the cheap Kwikset lock compared to the high dollar Medeco
comparison goes, that Kwikset can be improved to the point where it would
be almost impossible to pick at an extra production cost of less than one
dollar a lock, which could easily be passed on to the customer. Remember, a
size 14 boot will kick in a door no matter what lock it has on it if the
door isn't up to par, and if the crook can't kick in the door then he'll go
through a window or a hole in the roof.
The fact of the matter is the lock manufacturers, Ingersol Rand and Black and
Decker being the two largest ones here in the states, don't want to spend a
dollar or two more on their locks to improve them. They would rather put
out pot metal junk that offers only a sense of security. If the public in
general only knew what I know, that being the fact that Kwikset and Titan
locks are junk, the famous Schlage 'Maximam Security Deadbolt' is pot metal,
Yale is no longer up to par, Sentry safes are worthless... If the public
only knew that the US lock market is having to compete with China junk to the
point where they are afraid that raising the cost of their Home Depot locks that
the average consumer buys by a few dollars in order to increase the locks'
security may put them out of business because the consumer doesn't know any
better...
Not really. The manipulation information covered by Blaze has almost all been in
the public domain and easily available to anyone who bothered to look for at
least several decades. I had a surprisingly good book on it when I was 15 or
so. Cost was about $10.00, give or take. Drilling information has always been
harder (read: more expensive) to come by than manipulation info due to the sheer
amount of research needed to compile it.
The drilling information Blaze covered isn't specific enough to enable anybody
to do the most efficient job on a given box in most cases either.
The article is pretty harmless. Truth be told I could give someone exact
instructions how to open a given container and 9 out of 10 people off the
street would be unable to carry it out under hostile (i.e. while committing a
crime) field conditions. The one that could wouldn't have much trouble getting
the info on his or her own even if it meant buying the safe in question to
study it.
> I'll bet you have the education
> of a plumber or a construction worker. I guess I shouldn't expect
> much.
No Fungi, we have the edumakation of a Locksmith, which in fact seems to
attract snotty superior twits such as yourself, as you are obviously drawn
to this lowly 'blue collar' newsgroup, because as usual, all you superior
bookworm nerdy types wouldn't know how to change a light globe without
having to do a Google search and an MIT study course on the subject, then
you'd be too scared to climb up on the chair, ha ha. And mate, what's with
this rubbish that you seem to think will impress on us just how 'incredibly
superior' you are to us poor lowly tradesmen.
"Anyone who becomes master of a city accustomed to freedom and does
not destroy it may expect to be destroyed by it; for such a city
may always justify rebellion in the name of liberty and its ancient
institutions. -Niccolo Machiavelli"
PLEASE... My face burns with embarrassment for you. Someone,
anyone, please... give this guy a wedgie.
"Steve Paris" <lo...@myoffice.net.au> wrote in message
news:crgfig$7t9$1...@news-02.connect.com.au...
If that were a valid excuse you'd never sell a Medeco. After all, the glass
windows can be shattered.
As long as the lock industry (including locksmiths) continue to sell
and service junk that can be wrenched open, pulled apart and otherwise
easily defeated, the public will continue to buy it.
Case in point: My relatives thought there was no difference between a
Kwikset and any other lock until I pointed out the weaknesses. All have
upgraded to better locks.
In short, you won't value a quality lock if all the experts hide the
shortcomings of a cheap imitation.
Daniel
You just blew yourself out of the water with that low shot, you effete snob.
You're probably too stupid to understand that to become a master at any
mechanical trade requires the same kind of intelligence, diagnostic
abilities and inquisitive mind needed to become a professional in the
fields of law or medicine. To say nothing of the business know-how and
common sense needed to put everything on the line and open your own shop.
It's attitudes like yours which prevent many a person who'd be excellent
for and happy in a trade from starting out in it, because their parents
say things like, "What intelligent girl would want to marry a plumber?"
and, "You'll never make a good living fixing locks." Those attitudes may
in part account for the undesirable number of yutzes at the lower
echelons of most trades, particularly in urban areas, where people who
have to use their hands along with their brains get little respect from
the yuppies.
I lurk here because when I was an MIT student nearly 50 years ago there
wasn't a lock on campus we students couldn't get by without leaving a
trace, and it didn't hurt our minds to learn about those kinds of things.
I like to keep learning.....
Jeff
--
Jeffry Wisnia
(W1BSV + Brass Rat '57 EE)
http://home.comcast.net/~jwisnia18/jeff/
"As long as there are final exams, there will be prayer in public
schools"
You're correct, I do not have a college education.
However, I didn't need it.
I have been in business and have 23+ years of
education/experience in the Locksmith/Security field and
have earned enough $$$'s to retire 6 years ago at the age of
45.
> do try to keep up.
It's not me that needs to keep up.
"Carry on."
--
"Key"
That isn't quite how I got my start -- I arrived knowing some of the
basics -- but it's where I first got intensive practice. Though you
predate my stay at the 'tute considerably.
> I like to keep learning.....
That's the real key to this trade -- and to MIT, for that matter. If you
don't like learning and aren't willing to continue studying, you're
sunk, or at least doomed to low income.
I have read this message board for a while, but this is my first posting
here. Thanks to all of you for some very interesting food for thought
over the years. I'm a safe tech in Delaware with customers up to
Philadelphia and am familiar with this University. My shop does mostly
commercial work these days, mainly for some big companies you probably
know and love. Still, it's a living and I wouldn't trade it for the world.
I just wanted to let you all know that I sent E-Mail to the University of
Pennsylvania. I sent it to the three addresses here of Mr. Pereira and
Mr. Glandt and Pres. Gutman. Plus I found another one that got a
response that sounded concerned. That is
Maureen S. Rush, M.S., CPP
Vice President For Public Safety
Division of Public Safety
University of Pennsylvania
Phone: (215) 898-7515
Fax: (215) 573-2651
E-Mail: mr...@publicsafety.upenn.edu
She responded promptly to my concerns. Obviously she understands the
security problems with this kind of material. You should also send to
the other 3 addresses too.
In my letter I explained my background and how this makes my job harder
and will weaken security for everyone.
I don't want to put my letter in a public place here because I talked
about what was right and wrong in the article and I don't want to give
aid and comfort to criminals by pointing it out here. Any real pro will
have no trouble seeing what's fiction and what isn't in the article
though.
Well, that's it. Just wanted to say hi to my fellow pros and pass on this
maybe useful info.
Howard 'Howie' Slokum
> There are steps being taken to deal with this through proper
> channels, but we need your help and support. We doubt that
> his university would appreciate their resources being used for this
> kind of activity, but they may not be aware of it or of the negative
> impact that his so-called work has on our industry. With concern for
> homeland security so important, we believe that your voice will be
> heard.
What steps do you think you can take, Ed???
The U.S. Constitution specifically protects free speech
(Amendment 1) and also limits the period of time for which authors
and inventors can have exclusive claim to their writings and
discoveries (Article I, Section 8).
The "Homeland Security" concern is bullshit, and anyone who uses
it in an argument is basically all but saying: "I have no other real point
to make so I will say 'Homeland Security' in an attempt to scare you
into taking me and my words more seriously than you would, because
you don't or can't understand what I am talking about, and I want you to
agree with me without questioning what I am saying"
> Also, very important. The article has photographs that may
> not belong to Blaze because they appear to be commercial.
> If anyone has information on the copyrights of any of these photos
> please let us know so we can let the copyright holders know how
> their property is being used possibly illegally and without their
> permission.
Why not read up on copyright law, "fair academic use" specifically...
Ed, it is quite unfortunate that you do not see that you and others like
yourself who are so outspoken about Mr. Blaze and his work actually
make it MORE credible the LOUDER your outcries against it are...
The fastest way to make something more interesting is to tell people
not to look at it, or to say that it is so outrageous and shocking to
"trade professionals"... If you truly want Mr. Blaze and his papers to
fade into obscurity, then IGNORE them and they will fall into the cracks
of the Internet and soon be forgotten...
WOW: Here is a really dumb NEON sign advertising the very thing
you say is SOOO BAD... Ever thought of NOT contributing to the
interest in the work you say is so dangerous for everyone's safety??
> The article in question is at
> http://www.crypto.com/papers/safelocks.pdf
>
> Attempts to reason with Blaze have been a failure in the
> past; he is the same joker who wrote about master-keyed locks
> in the "New York Times" last year.
I am sure that people could say the same thing about attempts to
"reason" with you...
>
> Blaze's boss is Chairman Fernando Pereira.
> Email: PER...@CIS.UPENN.EDU
> His boss's boss is Dean Eduardo D. Glandt.
> Email: egl...@seas.upenn.edu
> The President of the University is Amy Gutman.
> Email: pre...@pobox.upenn.edu
>
> These people need to hear from you. Tell them what
> you think politely and firmly in your own words. Explain
> that you are a security professional and that your job
> is made harder by this sort of thing, and that security
> will suffer.
>
I am sure that they would not like the fact that you linked
their e-mail addresses in a UseNet Newsgroup...
I am sure you have heard of the concept of SPAM...
Next time names and titles would be good enough and
anyone who cares to contact them could go to the
UPENN website and look them up...
~~Evan
(Formerly a Maintenance Man, Now a college student with a 3.85 GPA)
Leon Rowell
Blaze understands that perfectly well. He obviously feels that exposing the
flaw is more beneficial than it is harmful. Or he may do it simply for the sake
of study and dissemination of information in a moral/ethical vacuum. Why he
does it or what he does or does not understand is irrelevant because he will
continue to do as he has done. Even if he didn't, there will always be others
like him publishing flaws. It's the information age and there is no getting
away from it. Personally I think the likelihood of misuse of information in his
safe lock article in particular is quite small.
Yeah, I can just see some street punks breaking into banks and trying
to crack their vault from the paper they read... I'm sure they've
read it too, with their interest in manipulating Group 2 and Group 1
locks and all.
Either that, or they'll do what works: ask for the money instead.
--
I'd like to know how this makes the job of installing and servicing
safes harder. I know how it might make it harder to sell cheap safes
if people realize that the ratings are rigged and that they all have
vulnerabilities, but how does that make it harder to service them?
Does anyone else see the absurdity of this person explaining to a perfect
stranger the ways that Blaze was correct and incorrect in the guise of
maintaining security secrets? If he was truly concerned with keeping
the knowledge restricted to the initiated, he would never have confirmed
those secrets to unknown third parties.
Methinks he's just worried about his livelihood, and using public good
as a shield.
Daniel
Want to do something righteous, Matt? Come up with a hack for the P4 card
.... there's a challenge for you!
#1 question to him is: would he dare to place his precious server in a senior
safe constructed for that purpose?? Passwords seem to be easier to
hack/crack than trying to punch out the tongue on a pair of redundant S&G
6435.
Some of the info is in the public domain. There are quite a few assumptions,
he completely missed the boat on many points and yes, some information which
really shouldn't be published publicly. Shame on you, Matt .... "thou shalt
don the hood of shame and stand in the corner for the next week or two."
Obviously looked only so far, maybe as far as his arm could reach; he should
have looked to see where some of the standards come from and even gone beyond
UL and looked at UL/C, CEN, RAL or VdS, where it's a real challenge for the
OEMs to come up with a creative solution to thwart attack.
Think now there's a bit more mystique to "lock whisperers" (LOL) than before
.... Ocean's 13 anyone??
Regards, A.J.
(Bank Security Engineer)
<the_l...@yahoo.com> wrote in message
news:1104772265.5...@c13g2000cwb.googlegroups.com...
If he was my grad student, I'd give him a C on this one. It's pretty,
but it's pretty empty of actual thought. No publish-or-perish points.
I have a question for Mr. Know-it-all: if safes are no good as you say,
what do you suggest instead? Plus, if you guys are so smart, why do
computer viruses keep happening? We won't be holding our breath waiting for
your answer.
Joe, thanks for the message. I sent mine too.