As many of you know, Matt Blaze, a professor at Pennsylvania
University, has published an article that reveals proprietary
techniques of safe penetration.  It was featured on a well known
hacker website recently, and it came to our attention on Saturday.
It includes information normally reserved to the trade, for good
reasons that need not be discussed here.
The article is available to the general public without any
restrictions whatsoever.  We as professionals in the security
field are outraged and concerned with the damage that the
spread of this sensitive information will cause to security
and to our profession.  We know many of you will be too.
There are steps being taken to deal with this through proper
channels, but we need your help and support.  We doubt that
his university would appreciate their resources being used for this
kind of activity, but they may not be aware of it or of the negative
impact that his so called work has on our industry.  With concern for
homeland security so important, we believe that your voice will be
heard.
The article in question is at [URL]
http://www.crypto.com/papers/safelocks.pdf [/URL].
Attempts to reason with Blaze have been a failure in the
past, he is the same joker who wrote about Master Keyed locks
in the "New York Times" last year.
Blaze's boss is Chairman Fernando Pereira.
Email: PER...@CIS.UPENN.EDU
His boss's boss is Dean Eduardo D. Glandt.
Email: egl...@seas.upenn.edu
The President of the University is Amy Gutman.
Email: pre...@pobox.upenn.edu
These people need to hear from you.  Tell them what
you think politely and firmly in your own words. Explain
that you are a security professional and that your job
is made harder by this sort of thing, and that security
will suffer.
Also, very important. The article has photographs that may
not belong to Blaze because they appear to be commercial.
If anyone has information on the copyrights of any of these photos
please let us know so we can let the copyright holders know how
their property is being used possibly illegally and without their
permission.
Forward this note as you see fit to others in the profession.
Thank you for your Attention.
/////
Forwarded by Ed "Lockie"
NYC Locksmith, Retired
that's some good material, and great pictures to accompany it. I
sent a couple emails praising the high quality of his work. thanks
for the link.
-- 
Anyone who becomes master of a city accustomed to freedom and does
not destroy it may expect to be destroyed by it; for such a city
may always justify rebellion in the name of liberty and its ancient
institutions. -Niccolo Machiavelli 
surely you're not in the profession !
my2¢
-- 
"Key" 
When they do things like this and get away with it it gives other
peoples like him the idea that this is OK. We have to nip it in the
bud or soon there will be no security left after these intellectuals
get through with us.
Ed "Lockie"
NYC Locksmith, retired
Real World Security Professional
and a person with no security ethics named matt :-)
-- 
"Key" 
> my2¢
> -- 
> "Key" 
the free distribution of knowledge is essential to the development
of the subject. don't think of yourself as a gatekeeper to the
information that nobody but those in your circle have. it'll get
you as far as the Maginot line got the French in WWII. those who
only have a purely defensive stance will always fall to the offensive.
just as I thought,
you're definitely not in the physical security profession !
> it'll get you as far as the Maginot line got the French in 
> WWII. those who
> only have a purely defensive stance will always fall to 
> the offensive.
disagree..
Ethics is a word you should learn a little about.
--
"Key"
> --
> "Key"
what do you disagree with, the fact that the french fell to the
germans? or the fact that they fell from fighting a defensive war?
Hats off to Blaze, it's about time that some serious Comp Sci/algorithmic
work was applied to determine how secure the locks are that most people
take for granted. The lock industry and the public stand to benefit from
this scrutiny of the product range.
G. Pulford
<the_l...@yahoo.com> wrote in message
news:1104772265.5...@c13g2000cwb.googlegroups.com...
I disagree with
"a purely defensive stance will always fall to the 
offensive"
as it applies to the subject.
do try and keep up
-- 
"Key" 
I think you meant to say:
    We have to nip it in the bud or soon there will be no
__APPEARANCE_OF__ security left
This is so silly on so many levels.   You sell a product that has known
deficiencies so that you can break in when you need to.  Then you act
like it's a big deal when someone talks about it!  On top of that you act
like it's a matter of national security when, in fact, it changes nothing.
It does not take a brain surgeon to figure out that anyone can buy a
safe, disassemble it and figure out its weaknesses.   The fact that
every single copy of model X is built the same way is planned insecurity.
Now THAT's a crime.  That they are sold as secure when they are not is
a crime.
If you want to get Blaze to protect your job, that's understandable.
To vilify him for openly discussing what is known within the industry
to be common shortcomings is sheer hypocrisy.
I'm still waiting for SCHLAGE to notify folks that it's recalling their
defective entry locks.  Wait, they can't do that without disclosing that
they are insecure, so only the locksmiths and burglars know.
I must be in a foul mood, because I've seen 5 holier-than-thou posts in
the last hour.  If anyone should be prosecuted for lessening the national
security it's the companies that sell insecure locks and safes without
warning their customers that they are vulnerable.
Sigh
many instances in history disprove you. In fact, I'm not aware of
a single event that will go along with your argument. then again
a locksmith is like any other trade, I'll bet you have the education
of a plumber or a construction worker. I guess I shouldn't expect
much. carry on.
do try to keep up.
I see nothing good or bad coming out of this matter concerning Matt Blaze.
This is the information age.  This info is out there already.  He condensed
it into an easier to read format but really nothing said by him is new to
locksmiths or anyone who has bothered to take a safe lock apart to see how
it works.  It's no big deal. Safes have been the same for a very long time.
Nothing has really changed in decades.  I don't agree with his ethics but
that matter is not important in cyberspace.
To try to restrict this un-patented info from the public domain is pointless
because the internet and the modern world we live in is a lot different than
it was years ago when it was possible to control information like this.  The
old timers out there should realise that things once regarded not too long
ago as close lipped just aren't the same in this land of cyberspace where
the whole world is connected at the touch of a keyboard.
It's pointless to try and control un-patented secrets anymore.  The people
in the security industry need to open their eyes and do a better job at
securing their trade secrets so people like Matt Blaze who have a little
time on their hands don't open up a 40 or 50  year old book on safes, write
a paper, and get us all upset that he's spilling trade secrets.  We can do
this by advancing cheap security items like the standard pin cylinder locks
to use as an example into the 21st century and quit relying on the same
system that has been around since Yale invented the thing over a hundred
years ago.  I think the Europeans are ahead of the US concerning this
example because they use mostly lever locks which are more difficult to pick
and don't cost an arm and a leg for the old lady on SSI.
As far as the cheap Kwikset lock compared to the high dollar Medeco
comparison goes, that Kwikset can be improved to the point where it would
be almost impossible to pick at an extra production cost of less than one
dollar a lock which could easily be passed on to the customer.  Remember a
size 14 boot will kick in a door no matter what lock it has on it if the
door isn't up to par and if the crook can't kick in the door then he'll go
through a window or a hole in the roof.
The fact of the matter is the lock manufacturers, Ingersoll Rand and Black and
Decker being the two largest ones here in the states, don't want to spend a
dollar or two more on their locks to improve them.  They would rather put
out pot metal junk that offers only a sense of security.  If the public in
general only knew what I know, that being the fact that Kwikset and Titan
locks are junk, the famous Schlage 'Maximum Security Deadbolt' is pot metal,
Yale is no longer up to par, Sentry safes are worthless...   If the public
only knew the US lock market is having to compete with China junk to the
point where they are afraid raising the cost of their Home Depot locks that
the average consumer buys by a few dollars in order to increase the locks
security may put them out of business because the consumer doesn't know any
better...
Not really. The manipulation information covered by Blaze has most all been in
the public domain and easily available to anyone who bothered to look for at
least several decades. I had a surprisingly good book on it when I was 15 or
so. Cost was about $10.00 give or take. Drilling information has always been
harder (read more expensive) to come by than manipulation info due to the sheer
amount of research needed to compile it.
The drilling information Blaze covered isn't specific enough to enable anybody
to do the most efficient job on a given box in most cases either.
The article is pretty harmless. Truth be told I could give someone exact
instructions how to open a given container and 9 out of 10 people off the
street would be unable to carry it out under hostile (i.e. while committing a
crime) field conditions. The one that could wouldn't have much trouble getting
the info on his or her own even if it meant buying the safe in question to
study it.
> I'll bet you have the education
> of a plumber or a construction worker. I guess I shouldn't expect
> much.
 No Fungi, we have the edumakation of a Locksmith, which in fact seems to 
attract snotty superior twits such as yourself, as you are obviously drawn 
to this lowly 'blue collar' newsgroup, because as usual, all you superior 
bookworm nerdy types wouldn't know how to change a light globe without 
having to do a Google search and an MIT study course on the subject, then 
you'd be too scared to climb up on the chair, ha ha. And mate, what's with 
this rubbish that you seem to think will impress on us, just how 'incredibly 
superior' you are to us poor lowly tradesmen.
"Anyone who becomes master of a city accustomed to freedom and does
not destroy it may expect to be destroyed by it; for such a city
may always justify rebellion in the name of liberty and its ancient
institutions. -Niccolo Machiavelli"
PLEASE,............. My face burns with embarrassment for you. Someone, 
anyone, please ... give this guy a wedgie. 
"Steve Paris" <lo...@myoffice.net.au> wrote in message 
news:crgfig$7t9$1...@news-02.connect.com.au...
If that were a valid excuse you'd never sell a medeco.  After all, the glass 
windows can be shattered.
As long as the lock industry (including locksmiths) continue to sell
and service junk that can be wrenched open, pulled apart and otherwise
easily defeated, the public will continue to buy it.
Case in point;  My relatives thought there was no difference between a
kwikset and any other lock until I pointed out the weaknesses.  All have
upgraded to better locks.
In short, you won't value a quality lock if all the experts hide the 
shortcomings of a cheap imitation.
Daniel
You just blew yourself out of the water with that low shot you effete snob.
You're probably too stupid to understand that to become a master at any 
mechanical trade requires the same kind of intelligence, diagnostic 
abilities and inquisitive mind needed to become a professional in the 
fields of law or medicine. To say nothing of the business know-how and 
common sense needed to put everything on the line and open your own shop.
It's attitudes like yours which prevent many a person who'd be excellent 
for and happy in a trade from starting out in it; because their parents 
say things like, "What intelligent girl would want to marry a plumber?" 
and, "You'll never make a good living fixing locks." Those attitudes may 
in part account for the undesirable number of yutzes at the lower 
echelons of most trades, particularly in urban areas, where people who 
have to use their hands along with their brains get little respect from 
the yuppies.
I lurk here because when I was an MIT student nearly 50 years ago there 
wasn't a lock on campus we students couldn't get by without leaving a 
trace, and it didn't hurt our minds to learn about those kind of things. 
I like to keep learning.....
Jeff
-- 
Jeffry Wisnia
(W1BSV + Brass Rat '57 EE)
http://home.comcast.net/~jwisnia18/jeff/
"As long as there are final exams, there will be prayer in public
schools"
you're correct, I do not have a college education.
however, I didn't need it.
I have been in business and have 23+ years 
education/experience in the Locksmith/Security field and 
have earned enough $$$'s to retire 6 years ago at the age of 
45.
> do try to keep up.
its not me that needs to keep up..
"carry on"
-- 
"Key"
That isn't quite how I got my start -- I arrived knowing some of the 
basics -- but it's where I first got intensive practice. Though you 
predate my stay at the 'tute considerably.
> I like to keep learning.....
That's the real key to this trade -- and to MIT, for that matter. If you 
don't like learning and aren't willing to continue studying, you're 
sunk, or at least doomed to low income.
I have read this message board for a while but this is my first posting
here.  Thanks to all of you for some very interesting food for thought
over the years. I'm a safe tech in Delaware with customers up to
Philadelphia and am familiar with this University. My shop does mostly
commercial work these days mainly for some big companies you probably
know and love. Still it's a living and I wouldn't trade it for the world.
I just wanted to let you all know that I sent E-Mail to University of
Pennsylvania.  I sent it to the three addresses here of Mr. Pereira and
Mr. Glandt and Pres. Gutman. Plus I found another one that got a
response that sounded concerned. That is
Maureen S. Rush, M.S., CPP
Vice President For Public Safety
Division of Public Safety
University of Pennsylvania
Phone:  (215) 898-7515
Fax:  (215) 573-2651
E-Mail: mr...@publicsafety.upenn.edu
She responded promptly to my concerns. Obviously she understands the
security problems with this kind of material. You should also send to
the other 3 addresses too.
In my letter I explained my background and how this makes my job harder
and will weaken security for everyone.
I don't want to put my letter in a public place here because I talked
about what was right and wrong in the article and I don't want to give
aid and comfort to criminals by pointing it out here. Any real pro will
have no trouble seeing what's fiction and what isn't in the article
though.
Well that's it. Just wanted to say hi to my fellow pros and pass on this
maybe useful info.
Howard "Howie" Slokum
> There are steps being taken to deal with this through proper
> channels, but we need your help and support.  We doubt that
> his university would appreciate their resources being used for this
> kind of activity, but they may not be aware of it or of the negative
> impact that his so called work has on our industry.  With concern for
> homeland security so important, we believe that your voice will be
> heard.
What steps do you think you can take Ed ???
The U.S. Constitution specifically protects free speech in
(Amendment 1) and also limits the period of time to which authors
and inventors can have exclusive claim to their writings and
discoveries (Article I, Section 8)
The "Homeland Security" concern is bullshit, and anyone who uses
it in an argument is basically all but saying: "I have no other real point
to make so I will say 'Homeland Security' in an attempt to scare you
into taking me and my words more seriously than you would, because
you don't or can't understand what I am talking about, and I want you to
agree with me without questioning what I am saying"
> Also, very important. The article has photographs that may
> not belong to Blaze because they appear to be commercial.
> If anyone has information on the copyrights of any of these photos
> please let us know so we can let the copyright holders know how
> their property is being used possibly illegally and without their
> permission.
Why not read up on copyright law, "Fair Academic Use" specifically...
Ed, it is quite unfortunate that you do not see that you and others like
yourself who are so outspoken about Mr. Blaze and his work actually
make it MORE credible the LOUDER your outcries against it are...
The fastest way to make something more interesting is to tell people
not to look at it, or to say that it is so outrageous and shocking to
"trade professionals"...  If you truly want Mr. Blaze and his papers to
fade into obscurity, then IGNORE them and they will fall into the cracks
of the Internet and soon be forgotten...
WOW: Here is a really dumb NEON sign advertising the very thing
you say is SOOO BAD...  Ever thought of NOT contributing to the
interest in the work you say is so dangerous for everyone's safety??
> The article in question is at [URL]
> http://www.crypto.com/papers/safelocks.pdf [/URL].
>
> Attempts to reason with Blaze have been a failure in the
> past, he is the same joker who wrote about Master Keyed locks
> in the "New York Times" last year.
I am sure that people could say the same thing about attempts to
"reason" with you...
>
> Blaze's boss is Chairman Fernando Pereira.
> Email: PER...@CIS.UPENN.EDU
> His boss's boss is Dean Eduardo D. Glandt.
> Email: egl...@seas.upenn.edu
> The President of the University is Amy Gutman.
> Email: pre...@pobox.upenn.edu
>
> These people need to hear from you.  Tell them what
> you think politely and firmly in your own words. Explain
> that you are a security professional and that your job
> is made harder by this sort of thing, and that security
> will suffer.
>
I am sure that they would not like the fact that you linked
their e-mail addresses in a UseNet Newsgroup...
I am sure you have heard of the concept of SPAM...
Next time names and titles would be good enough and
anyone who cares to contact them could go to the
UPENN website and look them up...
~~Evan
(Formerly a Maintenance Man, Now a college student with a 3.85 GPA)
Leon Rowell
Blaze understands that perfectly well. He obviously feels that exposing the
flaw is more beneficial than it is harmful. Or he may do it simply for the sake
of study and dissemination of information in a moral/ethical vacuum. Why he
does it or what he does or does not understand is irrelevant because he will
continue to do as he has done. Even if he didn't there will always be others
like him publishing flaws. It's the information age and there is no getting
away from it. Personally I think the likelihood of misuse of information in his
safe lock article in particular is quite small.
yea I can just see some street punks breaking into banks and trying
to crack their vault from the paper they read... I'm sure they've
read it too, their interest in manipulating group 2 and group 1
locks and all.
either that, or they'll do what works, ask for the money instead.
-- 
I'd like to know how this makes the job of installing and servicing
safes harder.  I know how it might make it harder to sell cheap safes
if people realize that the ratings are rigged and that they all have
vulnerabilities, but how does that make it harder to service them?
Does anyone else see the absurdity of this person explaining to a perfect
stranger the ways that blaze was correct and incorrect in the guise of
maintaining security secrets?  If he was truly concerned with keeping
the knowledge restricted to the initiate, he would never have confirmed
those secrets to unknown third parties.
Methinks he's just worried about his livelihood, and using public good
as a shield.
Daniel
Want to do something righteous Matt - come up with a hack for the P4 card
.... there's a challenge for you !
#1 question to him is would he dare to place his precious server in a senior
safe constructed for that purpose ?? Passwords seem to be easier to
hack/crack than trying to punch out the tongue on a pair of redundant S&G
6435.
Some of the info is in the public domain. There are quite a few assumptions,
completely missed the boat on many points and yes, some information which
really shouldn't be published publicly. Shame on you Matt .... "thou shalt
don the hood of shame and stand the corner for the next week or two."
Obviously looked only so far, maybe as far as his arm could reach - should
have looked to see where some of the standards come from and even go beyond
UL and look at UL/C, CEN, RAL or VDS where its a real challenge for the
OEM's to come up with a creative solution to thwart attack.
Think now there's a bit more mystique to "lock whispers" (LOL) than before
.... Oceans 13 anyone ??
Regards, A.J.
(Bank Security Engineer)
<the_l...@yahoo.com> wrote in message
news:1104772265.5...@c13g2000cwb.googlegroups.com...
If he was my grad student, I'd give him a C on this one. It's pretty, 
but it's pretty empty of actual thought. No publish-or-perish points.
I have a question for mr. knowitall:: if safes are no good as you say
what do you suggest instead? Plus if you guys are so smart why do
computer viruses keep happening. We won't be holding our breath waiting for
your answer.
Joe thanks for the message. I sent mine too.
>I wouldn't be quite as upset about his papers if he was (a) a bit more 
>selective about what details he included, (b) a bit better informed (as 
>you say, he's missed some significant points in this one), and (c) if he 
>was actually saying anything new, rather than writing a 
>not-particularly-good review-of-existing-literature document that 
>doesn't even achieve the goal stated in the title of drawing 
>implications for one field from the other (either way).
"c" is especially accurate. It might as well be a book report.
>
>The problem with blaze the knownothing nimrod is that he prints
>sensitive info and that he slanders the locksmithing profession in the
>process.
If he knows nothing then how can he detail sensitive information?
>I have a question for mr. knowitall:: if safes are no good as you say
He never said that.
>what do you suggest instead? Plus if you guys are so smart why do
>computer viruses keep happening.
I don't think Blaze works for MS.
Ed:
Now you are sinking down to the level of name calling
like some kind of a child...
Computer viruses keep happening because some
of them are written so that they can adapt their code
every time they infect a new system...  The majority of
computer systems in the world that get attacked are
home PCs that in turn infect other networks as users
connect remotely to computers at work or school etc
and transfer files...
Think of it this way, if you had a safe lock that could
change its combination as you were manipulating it
how long do you think it would take you to open it ???
Grow up...
The LOUDER you complain about Blaze and his
work the more credible you make it...
If you don't feed it it will fade away and fall back
into the cracks of the internet...
Evan,
~~formerly a maintenance man, now a college student with a 3.85 GPA
With respect
Glen
<the_l...@yahoo.com> wrote in message
news:1105218751.5...@c13g2000cwb.googlegroups.com...
>We have to nip it in the
>bud or soon there will be no security left 
Bullshit (and I've called you on this before)
What is "the locksmith trade" doing ?   It's selling over-priced
"secure" products to an unsuspecting audience who don't realise their
limitations. This extends from the S&G products described in this
paper down to (&deity; forbid) Sentry.
Now if the situation was half as bad as you claim, then you should be
ashamed.  Not Matt Blaze, but _you_ and every other locksmith who has
been selling these things. Because if all it took to make these locks
open to widespread manipulation was this one paper, then you've been
selling a shoddy snake-oil product and ripping off your customers for
years.
Of course we know the situation isn't that bad. Manipulation is a hard
skill to acquire and the average burglar will still favour breaking
the window to putting in any effort. And many of them are too strung
out or just plain dumb to read this paper, let alone learn the
contents. But the fact remains that the products of the "security"
industry have been compromised for years and rather than accepting
this and fixing it, your reaction is this secret-squirrel Guild
mentality that hopes the problem will go away if you ignore it. Well
it won't - the real bad guys knew this stuff beforehand, and they
passed it around.
What are the problems exposed in this paper ?  Mainly that poor
manufacturing allows the disk pack to be read.  Well how about
_fixing_ that problem, rather than whining when someone points it out?
Or are you waiting for China to discover the lock industry and take
that away from US industry too, when they offer a better quality
product at a sensible price ?  For the only thing keeping the fat
mark-up on Group 2 combination locks is inertia in the retail channel
and some diminishing work for higher security products in government.
What's the difference between Group 1 and Group 2 anyway ?  A buck's
worth of extra parts and _not_ having the sloppy manufacture, that's
all.
In the computer security community there's an entirely different
attitude, in two ways.  One is that "security through obscurity" as
you rely on it is a joke. A mechanism is only judged secure if it's
still secure _despite_ the bad guy knowing the whole details. This is
attainable too, and it means that IT security products (the real ones)
out in the field are a lot more robustly engineered than physical
security products.
Secondly there's an attitude that beating up a system's weaknesses in
public is a _good_ thing. We know the bad guys do it in private, so if
we can't stop them, we'd better do some of it too and improve the
techniques as a result.
Of course there are snake-oil IT security products. They come from big
corporates and they're sold to fools in suits who don't know any
better. Neither side follows the two principles above.  WEP (wireless
networking) and any product of M$oft are just the more infamous
examples.   Most IT security failures are like physical security
failures though - social engineering and conning the humans, rather
than addressing the rather less easily fooled hardware.
As to your ad hominem attacks, then you should be thoroughly ashamed.
Are you an American ?  Do you have any understanding of the
Constitution and the freedoms it holds most dear ?  Yet you have an
attitude that's straight out of Communist North Korea, where your
secretive control-freak sham would be more at home.
>From: Andy Dingley din...@codesmiths.com 
>Newsgroups: alt.locksmithing
>On 3 Jan 2005 15:46:09 -0800, the_l...@yahoo.com wrote:
>
>>We have to nip it in the
>>bud or soon there will be no security left 
>
>Bullshit   (and I've called you on this before)
To a large degree yes. Lockie pretty much only posts here to whine about
something Matt Blaze has published and then typically links right to it to
maximize the potential "damage". Lockie might even be Matt Blaze increasing the
exposure of his articles without opening himself up to accusations of shameless
self promotion. Yes. I'm kidding. But Blaze himself couldn't come up with a
better teaser to get people to read his papers than lockie does.
>What is "the locksmith trade" doing ?   It's selling over-priced
>"secure" products to an unsuspecting audience who don't realise their
>limitations. This extends from the S&G products described in this
>paper down to (&deity; forbid) Sentry.
Neither example is especially "over-priced" and both are quite adequate for
their intended purpose. If you need a burglary safe you don't buy a safe
designed just to protect from fire and if you need strong protection against
covert entry you buy a manipulation resistant lock. Not to mention that
physical security should be supplemented by alarms and/or surveillance anyway.
To be completely honest my chief criticism of the combo lock paper by Blaze is
that none of it is original. I'm sure he actually got some hands on experience
with it and verified what he wrote but it still amounts to little more than a
book report on what has been public domain for decades.
>Now if the situation was half as bad as you claim, then you should be
>ashamed.  Not Matt Blaze, but _you_ and every other locksmith who has
>been selling these things. Because if all it took to make these locks
>open to widespread manipulation was this one paper, then you've been
>selling a shoddy snake-oil product and ripping off your customers for
>years.
As has been said time and again for anyone who bothers to listen NOT EVERY
CUSTOMER WANTS OR CAN AFFORD THE HIGHEST SECURITY DEVICES AVAILABLE. The
situation is the same in the computer world, although there the trade off is
more convenience than cost based. Linux and Unix are arguably a hell of a lot
more secure than windows but which OS do you think makes up the overwhelming
share in the PC market? Add to this the fact that the 'openness' of the computer
security community with regard to the discussion of flaws makes it possible for
every script kiddie and his or her brother to download the latest exploit which
they typically could not explain the workings of if you put a gun to their head
much less create on their own. It's highly doubtful that openness with regard to
computer security is on the balance beneficial to the overall security of the
average user.
>Of course we know the situation isn't that bad. Manipulation is a hard
>skill to acquire and the average burglar will still favour breaking
>the window to putting in any effort. And many of them are too strung
>out or just plain dumb to read this paper, let alone learn the
>contents. But the fact remains that the products of the "security"
>industry have been compromised for years and rather than accepting
>this and fixing it, your reaction is this secret-squirrel Guild
>mentality that hopes the problem will go away if you ignore it.
Virtually all security is compromisable in some way. You can take the best
computer or physical security in the world and put a gun to the head of whoever
has access and you are likely going to get in. All any security can be expected
to do is slow an attacker down and make his job harder.
Well
>it won't - the real bad guys knew this stuff beforehand, and they
>passed it around.
It's debatable how much the bad guys "pass" stuff around. What's the upside to
them doing so? 
>What are the problems exposed in this paper ?  Mainly that poor
>manufacturing allows the disk pack to be read.  Well how about
>_fixing_ that problem, rather than whining when someone points it out?
It's been done already. Many manipulation resistant lock designs exist. The
6730 and similar is the lowest security lock in common use on anything
approaching a "real" safe. Safe manufacturers also add to the difficulty by
designing boxes that minimize the weakness of the locks used.
>Or are you waiting for China to discover the lock industry and take
>that away from US industry too, when they offer a better quality
>product at a sensible price ? 
China doesn't typically offer quality. Only price.
 For the only thing keeping the fat
>mark-up on Group 2 combination locks is inertia in the retail channel
>and some diminishing work for higher security products in government.
>What's the difference between Group 1 and Group 2 anyway ?  A buck's
>worth of extra parts and _not_ having the sloppy manufacture, that's
>all.
Precision tolerances cost a lot in any mass produced product.
>In the computer security community there's an entirely different
>attitude, in two ways.  One is that "security through obscurity" as
>you rely on it is a joke.
Which is largely why my firewalls record dozens of attempted attacks a day by
mindless little script kiddies that are lucky if they even know how to use the
tool they just downloaded.
> A mechanism is only judged secure if it's
>still secure _despite_ the bad guy knowing the whole details.
There is no mechanism completely secure. As somebody else already pointed out:
Who would want one? In the event of a lockout you would not be able to get at
what it was that was so important to secure.
> This is
>attainable too, and it means that IT security products (the real ones)
>out in the field are a lot more robustly engineered than physical
>security products.
And just like with physical security products inferior, usually much more
convenient products outsell them by a large proportion. Look at sales of linux
vs windows.
>Secondly there's an attitude that beating up a system's weaknesses in
>public is a _good_ thing. 
Yep the script kiddies love it. It keeps them in the game.
>We know the bad guys do it in private, so if
>we can't stop them, we'd better do some of it too and improve the
>techniques as a result.
The question is do you cause more successful attacks and greater overall damage
than you prevent or vice versa? I have never seen any scientific evidence
presented either way.
>Of course there are snake-oil IT security products. They come from big
>corporates and they're sold to fools in suits who don't know any
>better. 
Yep.
>Neither side follows the two principles above.  WEP (wireless
>networking) and any product of M$oft are just the more infamous
>examples. 
Comparable to Kwikset and similar. The main difference is it's a lot easier and
cheaper for all affected users to download a patch for windows than it is to
replace every Kwikset in America.
>  Most IT security failures are like physical security
>failures though - social engineering and conning the humans, rather
>than addressing the rather less easily fooled hardware.
>
>As to your ad hominem attacks,
An ad-hominem attack seeks to discredit an idea or stated position by attacking
the person who holds or presents it. Nobody is doing that. They are just
stating the position that he's irresponsible. That's not an ad-hominem attack.
>then you should be thoroughly ashamed.
>Are you an American ?
Why? Because they stated an opinion?
> Do you have any understanding of the
>Constitution and the freedoms it holds most dear ? 
Uh yeah I think they are exercising their first amendment rights and
criticizing Blaze's actions.
> Yet you have an
>attitude that's straight out of Communist North Korea, where your
>secretive control-freak sham would be more at home.
>
What kind of lock do you have on your house and where do you live? Alarm? Dog?
Guns? When do you go to work? A little secrecy isn't a bad thing. If you
disagree you'll have no problem answering all the questions.
>
>
>>As to your ad hominem attacks, then you should be thoroughly ashamed.
>>Are you an American ?  Do you have any understanding of the
>>Constitution and the freedoms it holds most dear ?
> suggest you go back and read some new rules/laws passed..
>Patriot acts 1 and 2..
Patriot Act two has not passed and if half the people who complain about it
bothered to write their representatives in Congress it likely won't.
If someone points out the flaws in your security you should fix those
flaws. Instead you are blaming the messenger for something that is
ultimately your own fault.
Don
What is it that is so terrible with Matt Blaze's article?
He didn't discover ANYTHING, he simply put all the info in a public place.
There is NOTHING in that article that any locksmith didn't already know.
So he told the world how to open a safe (um hmm).
Those of you who are familiar with the methods described know that just
reading 1 article about the principles involved will not get the safe open,
any more than reading a book about landing a spacecraft on the moon makes
you an astronaut, or reading the owner's manual to an automobile makes you
a good driver.
I personally would like to see 1 ( just 1) non-locksmith open any safe with 
just the info given.
 I may just try that, I have a safe in my office that the combo was lost 
years ago. I think I will give the article to one of the employees and see 
if they can get the safe open.
I may even use that for my next apprentice 'test'.
<the_l...@yahoo.com> wrote in message 
news:1104772265.5...@c13g2000cwb.googlegroups.com...
> Forwarded from the NYC-LOCKS list:
>
> As many of you know Matt Blaze a professor at Pennsylvania
> University has published an article that reveals proprietary
> techniques of safe penetration.  It was featured on well known
> hacker website recently, and it came to our attention on Saturday.
> It includes information normally reserved to the trade, for good
> reasons that need not be discussed here.
>
> The article is available to the general public without any
> restrictions whatsoever.  We as professionals in the security
> field are outraged and concerned with the damage that the
> spread of this sensitive information will cause to security
> and to our profession.  We know many of you will be too.
>
> Forwarded by Ed "Lockie"
> NYC Locksmith, Retired
> 
most locks do actually "protect" things they were "designed" 
to protect.
> "Security by obscurity" doesn't work.
sure it does.
> It's certainly not
> Matt Blaze's fault that locksmiths insist upon keeping 
> "secrets" to
> make money from people.
it's not the reason "locksmiths insist upon keeping 
"secrets".
"making money from people" has absolutely nothing to do with 
it.
> This is the 21st Century. Guilds are dead.
> Guilds that extort money from folks with their "secrets" 
> should be
> doubly gone.
again,
doesn't really apply.
--
"Key" 
> Don
it can't be 'fixed' really. like computer security, anything that
has 'access control' can be accessed by the authorized user or
process. so there's a way in, it just takes manipulation for a
non-authorized user to gain that access. of course lack of bounds
checking and data integrity in careless peoples code makes that
easier, much as simple locking mechanisms make it easier. the most
you can do with access control is slow unauthorized access, and
hope your efforts to impede your enemy will allow you the time to
detect the attempt at intrusion and then work offensively against
them instead of relying on your defensive structures in place.
a high quality safe with thick hardplate, angled steel, and a
relocker among other items to protect against brute force attacks,
and a quality lock such as an X-09 to protect against manipulation,
and an alarm system to alert the proper people (read Armed people)
of the intrusion occurring will prevent most any burglary. but it
doesn't come cheap, and obscurity at this point doesn't create any
further security.
we need to drop the secrecy as it only instills a false sense of
security in using the improper procedure to secure an item of value.
>  I would love to see a published list of XP's flaws as well, but
> it aint gonna happen.
>      --Shiva-- 
>      
>      
someone isn't familiar with bugtraq...
--Shiva-- wrote:
> On 14 Jan 2005 09:39:00 -0800,  you wrote:
>
On Mon, Jan 03, 2005 at 09:11:05AM -0800, the_l...@yahoo.com wrote:
> As many of you know Matt Blaze a professor at Pennsylvania
> University 
That'd be University of Pennsylvania. Penn State U. is a different
institution. You probably want to get that right when you, you know,
write your nasty letters, file your lawsuits, or what have you.
> We as professionals in the security
> field are outraged and concerned with the damage that the
> spread of this sensitive information will cause to security
> and to our profession.  We know many of you will be too.
 
I'm only a consumer in the realm of physical security, but personally,
I'd be outraged that the "professionals" are trying to keep this
information secret from me. In the computer security realm, the
professionals tend to be fairly open with their clients about what their
system is capable of. I'd expect no lower standard of professionalism
here. 
> Blaze's boss is Chairman Fernando Pereira.
> Email: PER...@CIS.UPENN.EDU
> His boss's boss is Dean Eduardo D. Glandt.
> Email: egl...@seas.upenn.edu
> The President of the University is Amy Gutman.
> Email: pre...@pobox.upenn.edu
You probably won't find a very receptive audience, and you probably
shouldn't even bother writing, to be honest. 
Also, WRT copyrighted photographs, academic use is generally protected
under fair use, so you probably won't get too far there, either. 
In other words, you've little recourse. Making a big stink only makes
you look a bit silly. One option you may wish to consider is to follow
what is generally considered de rigueur in the software industry:
acknowledge the vulnerability, and publish a workaround and a fix. Of
course, that costs money--yours, not the consumers'--but then, that's
the result of designing insecure products. Vulnerabilities happen to
even the best designer, after all. Try not to take it so personally. 
-- 
Dan
So, here's what I see as a rational position. Defining "security through
obscurity" as relying on the secrecy of a design rather than the secrecy
of a password, code, or other authentication token is poor design. The
reason is a very simple calculation of the amount of secrecy preserved. 
In a password-protected computer system with, say, an 8 character
password comprised of [A-Z][a-z][0-9], there are 8^62 possible
passwords. Assuming a pseudo-random (i.e. "secure") password, that gives
an attacker a 1/8^62 chance of successfully guessing the password on a
given try; i.e., on average, it will take 8^31 guesses to get the right
password. This is security through a very small amount of secret
information; keeping the functioning of the code behind the password
authentication mechanism secret adds relatively little value (there are
only a handful of likely designs of such a system in any given language
and larger system design; i.e. knowing the parameters of the system, I
can make a much narrower guess at the implementation). 
Comparatively, in a non-password-protected system relying on an obscure
entrance mechanism--say, a Webpage with a URL not linked to from a
search engine or public page--the mechanism is still easily guessed,
because it contains much less random information. For instance,
Reuters did just this
(http://seclists.org/lists/politech/2002/Oct/0064.html). 
Or, let me present an example in the case of safes. We can generalize
the methods of accessing a safe in two ways: via knowing (or guessing)
the authentication mechanism (key, code, etc) or by bypassing the
requirement for authentication. In the former case, obscurity gains
quite literally nothing; as I discussed above, with a sufficient amount
of secret random data, there's no value in keeping the mechanism also
secret. In the latter case, it may be tempting to say that obscurity is
worthwhile here, but it probably is not: anyone can disassemble a safe
to determine how it functions, and the mechanical principles used are
simple enough that it wouldn't take a rocket scientist (or a locksmith)
to see the holes (as in the case of Blaze's master keyed systems paper,
where the vulnerability was well known and readily apparent to anyone
who understood the system). So obscurity adds little or no value, and may
in fact detract: by assuming the inner workings are secret, a lock
designer may disregard vulnerabilities that would become apparent to
anyone who *did* know the inner workings, meaning that mere
disassembly--or a leak of the product designs--may be sufficient
information to bypass the (much harder to come-by) password. 
So obscurity clearly adds little or no value in a secure system, and if a
system relies on its workings being secret, that reliance is false. You
can find more literature on this on the Web, of course, in relation to
computer security, but I believe it is even more applicable when it
comes to physical security, where relatively less expertise is needed to
understand at least simple locking mechanisms (I'm not a physical
security expert, obviously, but I can understand how a master keyed
cylinder lock works--and spot the hole--without any training or
background). 
Cheers.
-- 
Dan
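The comparison made in the post above, worked through as an added example that is not part of the original post: it counts the secrets for an 8-character password over [A-Z][a-z][0-9], measures the average number of guesses by exhaustive search on a small keyspace, and compares the bits of secrecy held in the key with the bits held in a secret design or an unlinked URL. The figure of five plausible designs and the path wordlist are constructed assumptions.

```python
import itertools
import math
import string

# The alphabet the post names: [A-Z][a-z][0-9].
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits

# Constructed sample: guessable names an unlinked URL might be built from.
CONSTRUCTED_PATH_WORDS = ["admin", "private", "press", "draft",
                          "reports", "2002", "q3", "internal"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct secrets when each of `length` positions holds one of
    `alphabet_size` symbols: alphabet_size ** length."""
    return alphabet_size ** length


def bits(count: int) -> float:
    """Secrecy expressed as bits: log2 of the number of equally likely options."""
    return math.log2(count)


def guesses_needed(secret: str, candidates: list) -> int:
    """Number of tries an in-order search makes before it hits `secret`."""
    for tries, guess in enumerate(candidates, start=1):
        if guess == secret:
            return tries
    raise ValueError("secret is not in the candidate list")


def mean_guesses(alphabet: str, length: int) -> float:
    """Average tries over every possible secret, measured by actually
    running the search. For N candidates this comes out at (N + 1) / 2."""
    candidates = ["".join(p) for p in itertools.product(alphabet, repeat=length)]
    total = sum(guesses_needed(secret, candidates) for secret in candidates)
    return total / len(candidates)


def secrecy_budget(alphabet_size: int, length: int, plausible_designs: int) -> dict:
    """Split the attacker's total uncertainty into the part carried by the
    random key and the part carried by not knowing which design is in use."""
    key_bits = bits(keyspace(alphabet_size, length))
    design_bits = bits(plausible_designs)
    return {
        "key_bits": key_bits,
        "design_bits": design_bits,
        "design_share": design_bits / (key_bits + design_bits),
    }


def hidden_path_bits(words: list, depth: int) -> float:
    """Secrecy of an unlinked URL whose path is `depth` words drawn from a
    guessable list: depth * log2(len(words))."""
    return depth * bits(len(words))


if __name__ == "__main__":
    n = keyspace(len(ALPHABET), 8)
    print(f"8-character password: {n} possibilities, {bits(n):.1f} bits")
    print(f"mean guesses, 4 symbols x 3 positions: {mean_guesses('abcd', 3)}")
    budget = secrecy_budget(len(ALPHABET), 8, plausible_designs=5)
    print(f"key {budget['key_bits']:.1f} bits, design {budget['design_bits']:.1f} bits, "
          f"design share {budget['design_share']:.1%}")
    print(f"two-word hidden path: {hidden_path_bits(CONSTRUCTED_PATH_WORDS, 2):.1f} bits")
```

With these inputs the design contributes under 5% of the total secrecy, and the two-word hidden path carries 6 bits against the password's roughly 47.6.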
As a person interested in computer security, I prefer actual security
over pretending flaws/weaknesses don't exist if no one talks about them.
I am not going to take an elitist stance and belittle anyone's training
or education.  You may be a very smart guy and I am sure you are
skilled at what you do.  But let's face it, the product that you work
with has flaws.  Rather than castigating the messenger, you should be
working to improve your product. That is the mark of a true
professional.
I for one hope this paper gets distributed far and wide.  I am going to
do my best to make sure it does so...
--Mike
>and a quality lock such as an X-09 to protect against manipulation,
X-09 is overkill if that is all you want to achieve.
>
>Security through obscurity isn't security at all.
Sure it is, against anyone the mechanism remains obscure to.
>I'd rather have a
>listing of all of the ways of getting around a lock so that I can
>secure against _that_
Because you think you will be able to do it better than the manufacturers that
do nothing but? If you really think you can do it better than the pros, and
logically why would you, you've got your safe right there don't you? Study it
and add some surprises to it. Make sure you know what you are doing though or
the only one locked out will be you.
> instead of being ignorant, and relying on the
>hope that all would-be safe-crackers are ignorant as well.
Most safe crackers that will have the information on your lock and box design
have knowledge of, and practical experience with, techniques that you have
likely never heard of so if it's between you and them with regard to the
security of the container and mechanism there's probably not going to be much
of a contest. Your best bet: Know and understand the ratings system used for
safes and make sure that you have a professionally installed and monitored
alarm (forget about the dialer setups commonly used in residential applications
if you are serious) that does not allow the time needed relative to what you
have because if given enough time the right person WILL get in it or carry it
off (I don't care how heavy or well attached it is)  no matter what you do.
Also keep in mind that somebody can't steal what they can't find.
From the FAQ
http://www.indra.com/archives/alt-locksmithing/
0. Will people on this newsgroup give me information about 
picking locks, etc.?
Yes and No. This is a serious debate, based on serious 
principles. Most experienced people here are quite willing 
to discuss the basics of lock construction and operation. 
Few (if any) are willing to give specific answers regarding 
opening a particular lock or safe - without knowing the 
asker or having other evidence that the inquiry is 
legitimate.
Another balancing act regards the general effect of 
information. As Joe K. put it succinctly, "On one side there 
are the idealists who believe that even weak security should 
not be further compromised without good reason; on the other 
there are those who believe that weak locks should be forced 
out of the market. There's never going to be agreement 
here... can we just agree that reasonable people can 
disagree, and have done with it?"
People have contrasted locksmithing "security by obscurity" 
with practice in the software arena (in which it has 
generally been considered to be misguided and therefore be 
bad for society.) Exposing flaws as a social good breaks 
down when there are hundreds of thousands of current owners 
of the product who don't know that the flaw has been 
exposed. Even if they find out, there is another big 
difference. This is the cost of correcting the flaw 
(upgrading.) Installing the patches on your copy of software 
takes a bit of effort, but you don't have to throw out and 
purchase a new physical product (such as a lock.) The 
manufacturer of the lock is pretty certain not to make it 
available for free. Basically you have to buy a new item and 
have it replaced, and this adversely impacts users, many of 
whom do not have the budget to correct the flaw. Therefore 
publishing the security flaw costs users *much* more for a 
lock than for a piece of software.
And the fact is that a nominally flawed product _does_ 
provide adequate security against the unmotivated and 
ignorant who are the primary folks attacking physical 
security systems (as opposed to the motivated and clueful 
who attack electronic security and can do it from a distance 
without physical presence).
g'day
-- 
"Key" 
> Case in point; My relatives thought there was no difference between a
> kwikset and any other lock until I pointed out the weaknesses. All have
> upgraded to better locks.
Can I ask: How many times have your relatives been burgled? Do they all
live in neighbourhoods that suffer from burglaries? Your security
assessment of the threats appears to be non-existent!
Here is an example for you: If you leave your door unlocked for one
week: what are the chances of you getting burgled? If you leave your
door locked for a week what are the chances of you getting burgled? The
answer is: it all depends on the presence of the burglar.
Wait, when exactly does security start to suffer ? Is it when the "security
professional"'s design is flawed, or when some other guy reveals it ?
The measure of security is absolute, and not dependent on the fact that
people know about vulnerabilities.
Besides, I have a problem with what you call "proprietary techniques".
Is a vulnerability a proprietary technique ? What I think is that when
you call your products "secure" and complain about a guy saying that
they're finally not that secure, "proprietary techniques" are actually
lies (or "deliberate omissions").
Now let's talk about "the damage it will cause to your profession".
Aren't you responsible for your own image ? Do you really feel good
when you say something that means "I used to have a good reputation
because customers didn't know my products aren't as secure as I claim,
now I risk losing that reputation because some guy revealed the truth.
Please make him shut up" ?
Pierre.
Dick
Dan wrote:
...
8^62/2 is what I was trying to say. I don't believe this affects the
validity of my point, other than to make it apparent that I'm careless.
;)
-- 
Dan
I've heard this before--the claim that replacing locks costs more than
replacing software. It's possible that this is correct, though the cost
of patching software is probably much higher than you think (for a large
enterprise, the cost of even a little downtime is quite
steep--Amazon.com supposedly loses $180,000 per hour of downtime
(according to http://www.stanford.edu/~blp/papers/asrandom.pdf)). 
Regardless, the debate here is not really technical, but legal (or
moral)--does a vendor have a duty to fix a faulty product? In the case
of the software industry, there are EULAs--End User License
Agreements--that specify a limited liability for the vendor. In the case
of the lock industry, is there an equivalent? If you advertise a lock as
being resistant to bic-pen-attacks, and it turns out that it can be
opened with a bic pen, do you have a duty to replace it? I'd say yes. 
So take the case of Kryptonite--had the physical security industry had
any sort of "full disclosure" practice, it would have been widely known
to the general public (i.e. me) that Kryptonite bike locks are worthless
pieces of shit. I never would have bought one, nor would others. As a
result, Kryptonite would have had to push the sales of their alternative
mechanisms, and may have lost some sales, but in the end, it probably
would have been *cheaper* than their current recall program is. 
My point is that it's not hard to imagine a situation in which full
disclosure does not merely increase the security of the customer, but it
also lowers the operating costs of both the customer and the vendor. 
And yes, I recognize that some customers will remain unaware of
published vulnerabilities, just as they do with software, but
ultimately, I believe it is more valuable to reward those who track such
things than to punish them in a misguided attempt to serve those who
would rather remain ignorant. It provides the *option* of greater
security to those who desire it, rather than forcing everyone to
maintain the same level of mediocrity (what is this, Soviet Russia?). 
-- 
Dan
> When they do things like this and get away with it it gives other
> peoples like him the idea that this is OK. We have to nip it in the
> bud or soon there will be no security left after these intellectuals
> get through with us.
In the field of cryptography, where Matt works, there's a central
tenet, which holds that security that derives from withholding
_procedures_ is no security at all. In other words, if publishing an
article like Matt's negates the security of safes, then safes were
never secure to begin with. The principle is called "security by
obscurity." True security would require that the safe is secure (to the
desired "hardness") against someone who knows every detail of its
design, but nothing about the combination. Thus, "security lies in the
key." Those in the cryptography field have watched inferior systems and
those based on obscurity fail time and time again; their goal is to
produce more refined systems against which no attack -- outside of
knowing the key itself -- is more efficient than brute force. The field
of locksmithing would benefit from doing the same.
And, on another note, customers would benefit from knowing what they're
getting. Blaze's final conclusion, unless I'm badly mistaken, is that
while some safes aren't as good as might be expected, they're still
moderately resistant to attack; and more advanced safes are available
that provide more resistance to known attacks. It's only in the best
interest of security for customers to know just how secure systems are,
and to make an informed choice based on the level of security they
need. So blasting this publication on moral grounds is itself
professionally irresponsible.
Sincerely
Andrew Rodland
> Interesting article - good effort however obviously written through the eyes
> of an IT guy and not an equipment guy. Have dealt with these types before
> and can be dangerous bunch ... shooting their mouths off about something
> they can't come to grips with. Really should concentrate efforts on the IT
> side, vapourware, firewalls, PKI's, smoke & mirrors, horse - shit,  etc...
> etc .....
Now you're being unfair. Those "IT security guys", of which I am one, 
have produced some pretty good stuff, if we count cryptographers, even
outstanding things. 
And it's not like they wouldn't tell you how to break a certain insecure
product: http://www.ntbugtraq.com/ They even produced some nice
alternative to that product: http://www.openbsd.org/ for instance -- but
if you choose to ignore that work of security pros and instead opt to use
an insecure product on whose development the IT security guys in general
have no influence on, then please do as you see fit. Just don't blame 
IT-security in general. 
In the 19th century, Auguste Kerckhoffs stated: "the security of a
cryptosystem must depend only on the key and not on the secrecy of any
other part of the system". I don't see why this principle should not
extend to locks. 
Most vectors of attack on a lock are through design flaws
(and if a lock has design flaws, that's definitely a reason to publish
them, and get them fixed) and small mechanical inaccuracies (which are
merely a measurement for the quality of implementation of a certain
mechanism, but for which I don't see any problem on publication either
"Company XY lock series Z are shoddily made, and thus easier to crack, but
then, they are cheap...") I'm not a locksmith, but only an amateur mainly
concerned with historic locks and lockpicking (pre 19th-century); so
bear with me if I'm missing some details of the trade. Still I think
these points are valid. 
In closing, I think we could learn much from each other. The "physical
security" guys obviously some lessons about full disclosure, and the 
"IT security" guys maybe something about incident response. 
Cheers
Jonathan
> The real problem is that people like Blaze are in positions of trust in
> society. Then he abuses it by publishing trade secrets in the name
> of research.
- Shoot the messenger then? 
- You define "flaw" as "trade secret"? 
- You are obviously much better suited to be the guard of those secrets?
- Why should I trust you not to sack my safe, since you seemed to have
  known the flaws for a long time? And not published them? 
- How can I trust you as a locksmith, when you're not telling me which
  flaws these locks have? When I know that you know how to circumvent 
  those locks? 
being provocative
Jonathan
With all due respect one thing the computer type people just can't seem
to understand is that locks are "real" and are not able to be updated in
the same way software which is "virtual" can be....
Everything is relative in the "physical" security world...  You select a
lock based on a survey of the installation environment and the most likely
threats that the lock will be subjected to...
 ...
There is NO SUCH THING as a lock that will keep everyone out, as
others here have noted "if it can be built, it can be taken apart"
It is only a matter of having the right collection of knowledge and
access to tools and time alone with the lock...
The concept of "Security" is not achieved simply through the installation
of a lock or a safe...  It is the collective achievement of an entire effort
of an individual or organization that includes locks as only one element
of the greater scheme, which includes but is not limited to:
-- Locks (and the Doors and Walls that contain the room)
-- Security Personnel (Guards, Armed or Un-armed)
-- Electronic Monitoring Systems (CCTV and Burglary Alarms)
-- Policies and Procedures that reinforce the goal of "Security"
-- An Architectural Design that supports the goal of "Security"
(Think of a school, which by design is easy to get out of in the event
of an emergency...  This element of its basic design also makes it
easy to get into as well, and is much more difficult to later adapt such
a building to being more "secure" while still remaining "safe" and easy
to get out of during an emergency ...)
Please enough with the "security by obscurity" argument...  Just
because the IT industry moves at the speed of the internet does
not mean that others that don't should be made to "catch up with"
it in order to be considered "acceptable"...
Having some level of the construction, design and assembly of
locks remaining somewhat private is a good thing...  It does add
just a SMALL AMOUNT of added security just by the fact that not
everyone knows EXACTLY how it works...  What the world does
not need is some type of "script kiddies" that can bypass locks
that are the ONLY security device being employed simply
because one person or even a group of people decided to
apply the concepts and procedures employed in the IT industry
to locks and physical security under the mistaken impression
that revealing the "design flaws, vulnerabilities and most
common ways to attack" such devices will make it possible
for every lock to be upgraded to "fix or resist" such things...
Downloading a software patch is quite easy and cheap when
you compare it to actually physically replacing an actual device
(in this case a lock)...
Evan
~~formerly a maintenance man, now a college student
> Everything is relative in the "physical" security world...  You select a
> lock based on a survey of the installation environment and the most likely
> threats that the lock will be subjected to...
> There is NO SUCH THING as a lock that will keep everyone out, as
> others here have noted "if it can be built, it can be taken apart"
> It is only a matter of having the right collection of knowledge and
> access to tools and time alone with the lock...
> The concept of "Security" is not achieved simply through the installation
> of a lock or a safe...  It is the collective achievement of an entire effort
> of an individual or organization that includes locks as only one element
> of the greater scheme, which includes but is not limited to:
> -- Locks (and the Doors and Walls that contain the room)
> -- Security Personnel (Guards, Armed or Un-armed)
> -- Electronic Monitoring Systems (CCTV and Burglary Alarms)
> -- Policies and Procedures that reinforce the goal of "Security"
> -- An Architectural Design that supports the goal of "Security"
And this is different from computer security how?
>
> And this is different from computer security how?
Umm...  Last time I checked a building and its design and equipment
were not able to be upgraded simply by downloading a "patch"...
The line between "reality" and computer science seems to be a bit
hazy for a lot of people that make statements supportive of certain
written documents...
>With all due respect one thing the computer type people just can't seem
>to understand is that locks are "real" and are not able to be updated in
>the same way software which is "virtual" can be....
Neither can software be updated in this way.
In some cases it can, but it's a narrow sub-section of the possible
case - very difficult to rely on it.  Much of today's software is in
"embedded" systems - pretty much a closed system for updates, once
shipped. For operating systems they're pretty much fixed too -
relatively few domestic PC systems get updated after purchase. Even
for mass-market retail software, once that "golden master" has been
produced, the cost of updates is enormous.
There's also the risk that for many systems you need _all_ members of
a network to be secure - just one unpatched box may be enough to
expose all of them.
Even worse is the case where the secure component is a major part of
an industry standard protocol. How do you fix a protocol like WEP or
A5 when there are millions of dependent devices out in service ?  The
risk might be large, but it's rarely a justification for rendering a
whole technology generation obsolete - especially when several
manufacturers are involved.
So software has many advantages, but the _practical_ benefits of them
are less useful than you might hope.
> "Beth" <sne...@unlisted.net> wrote in message
> news:150120051935190178%sne...@unlisted.net...
> > And this is different from computer security how?
> Umm...  Last time I checked a building and its design and equipment
> were not able to be upgraded simply by downloading a "patch"...
I've seen defective locks on file cabinets replaced faster than a patch
can be downloaded and installed.  But more to the point, each of the
listed items in the post I responded to has parallels in computer
security.  And quite often, as already stated by Andy Dingley, there's
more to solving computer security problems than simply patching
defective software.
> The line between "reality" and computer science seems to be a bit
> hazy for a lot of people that make statements supportive of certain
> written documents...
Then there's the line between what you think you know about me and
what I really am...
Since I only dabble in cryptography on occasion as the mood strikes me,
let me engage in some speculation.  I suspect Matt Blaze is more
interested in the parallels between the design of locks and the design
of cryptographic algorithms, and his article is intended to encourage
an exchange of ideas between lockmakers and cryptographers.
On the other hand, if I understand correctly, "security through
obscurity" is a mistake made as often by lockmakers as by computer and
communication equipment manufacturers.  There are parallels between
physical security and computer security, and each can learn from the
other, including learning from the other's mistakes.
Every executive, manager, and most homeowners I've known are more
willing to listen to an obviously informed, experienced third party
than a random retailer trying to part them from their money. Your
opinion could well drive their next purchase to a much more secure
safe/lock. If you told them directly that their low-end safe was
vulnerable to well-known weaknesses that even moderately experienced
crooks could find and exploit, you could easily convince them to
upgrade (and give the cheap one to granny). The manufacturers all make
more robust equipment, the clients just don't know how to tell because
the trade has hidden its vulnerabilities.
It has aided and abetted criminals for decades by not retiring outdated
products. Cars were required to install seat belts in all cars, why
shouldn't your industry be required to install better locks in all
safes?
Or you could keep denying any responsibility and professional pride as
long as the money keeps coming in. The idea that since you can't fix
all the problems you shouldn't do any small part is pathetic. I suppose
you'd be as proud of being a draft dodger? It fits your logic.
Foxy
>On Sun, 16 Jan 2005 01:20:14 GMT, "Evan" <guy...@hotmail.com> wrote:
>
>>With all due respect one thing the computer type people just can't seem
>>to understand is that locks are "real" and are not able to be updated in
>>the same way software which is "virtual" can be....
>
>Neither can software be updated in this way.
>
>In some cases it can, but it's a narrow sub-section of the possible
>case - very difficult to rely on it.  Much of today's software is in
>"embedded" systems - pretty much a closed system for updates, once
>shipped. For operating systems they're pretty much fixed too -
>relatively few domestic PC systems get updated after purchase. 
What?? Windows updates come out frequently more than once a week. With most
systems shipped windows autoupdate is enabled unless you choose to disable it. 
>Even
>for mass-market retail software, once that "golden master" has been
>produced, the cost of updates is enormous.
AV software is updated at least once a week with new virus definitions and
other changes, typically automatically. If not updated regularly it would be
useless.
>There's also the risk that for many systems you need _all_ members of
>a network to be secure - just one unpatched box may be enough to
>expose all of them.
>
>Even worse is the case where the secure component is a major part of
>an industry standard protocol. How do you fix a protocol like WEP or
>A5 when there are millions of dependent devices out in service ?  The
>risk might be large, but it's rarely a justification for rendering a
>whole technology generation obsolete - especially when several
>manufacturers are involved.
>
>So software has many advantages, but the _practical_ benefits of them
>are less useful than you might hope.
Software is MUCH more easily updated than physical security devices. In most
cases "updating" physical security means the complete replacement of the
device.
    ONE MINOR FACT that you are leaving out is that these conflicting
opinions you are citing above originate from different people...  In any
aspect of life there will be people with opinions that differ based on
the individual's level of knowledge in the subject area and other life
experiences...
    To respond to your statement regarding the "script kiddie"
comment, I feel that Blaze's papers WILL clue some people in to
things that they never knew about before, nor had any idea of where
to seek out such information prior to Blaze's papers...  Lazy people
usually don't put much effort into researching things, but will make use
of information that gets dumped into their hands...
> It should be obvious that these accusations are contradictory, and
> therefore at least half of them must be wrong. It is not difficult to
> determine which ones are wrong, because if you read the article clearly
> and with an open mind, Blaze clearly explains. Yes, he does omit
> important basic facts, and discuss only the cheapest locks--and says so
> too, because this is not a guide to safe cracking. Yes, he does draw
> heavily on earlier writing about safe security--and says so too,
> because the paper is not fundamentally about criticising safe security,
> it is about seeing the way the industry as a whole works with its
> defects, in comparison to IT security.
    The statement you make about half of these arguments being wrong
only shows that you are quite biased yourself...  The world is NOT
"right/wrong" or "black/white", but it is vastly made up of things that
exist between these polar opposites in "shades of grey"...
    There is an underlying problem here that Blaze and the people most
outspoken among his supporters are failing to realize, the operating
principles that work well in the IT industry might not fit into other
aspects of life, including physical security...
    Security is not about locks alone:
(The following is copied from an earlier post I made on the topic...)
The concept of "Security" is not achieved simply through the installation
of a lock or a safe...  It is the collective achievement of an entire effort
of an individual or organization that includes locks as only one element
of the greater scheme, which includes but is not limited to:
-- Locks (and the Doors and Walls that contain the room)
-- Security Personnel (Guards, Armed or Un-armed)
-- Electronic Monitoring Systems (CCTV and Burglary Alarms)
-- Policies and Procedures that reinforce the goal of "Security"
-- An Architectural Design that supports the goal of "Security"
(Think of a school, which by design is easy to get out of in the event
of an emergency...  This element of its basic design also makes it
easy to get into as well, and is much more difficult to later adapt such
a building to being more "secure" while still remaining "safe" and easy
to get out of during an emergency ...)
    While I agree that there are parallels in basic concepts of Security
in the IT and physical security industries, the execution of the ideas
varies...  In the IT world programs can be made or set to reject access
requests/attempts after a certain number of incorrect attempts...
Keyed locks and mechanical combination locks do not nor will likely
ever have this type of capability incorporated into their designs...
Blaze acknowledged the biggest factor behind this issue, mainly
the economic choices that people make, "Security" is an abstract
concept to most people who don't deal with it for a living...
Money spent on putting the most expensive "high-security" lock on
a door with windows or leading into a room with windows in it will
be wasted if one motivated burglar happens by with a hammer...
Many customers want what they want and don't care to listen to
"extra" advice offered, especially when it has to do with altering
more than a door (or its lock) to enhance security...
> This paper is a survey of information about safe security, and the
> directions in which that more experienced field can aid research into
> computer security. He does criticise some areas of safe security
> design, but overall is quite complimentary to the profession. And he
> does, in the process, discuss ways that the very cheapest, nearly
> obsolescent locks can be defeated--information which is already in the
> public domain. Sure, some of the info you get on the 'net or in cheap
> books is incomplete, but isn't Blaze's discussion also incomplete on
> those details?
    I agree that it is a survey of information, however it is unfortunately
very biased by Blaze's perspective of the world looking at things and
concluding that they would be somehow "better" if they would only
follow the same principle methods of operation as the IT industry...
    I know cryptography is a fascinating field and agree that locks and
parts of locks fall into that area...  However, the DESIGN of locks has
little if anything to do with that concept...
> There really doesn't seem to be anything here to get upset about, and
> frankly not a lot of interest to safe technicians--but it is
> interesting, as it was intended to be, to IT security people.
>
> Now a couple of specific points:
> 1. Someone pointed out that fixing thousands of defective locks
> scattered around the country is a lot harder than downloading patches.
> This is probably true, and a fair comment, although I think you'll find
> that downloading patches to thousands machines is a lot harder and more
> expensive than you realise. However, upgrading lock packages has
> clearly occurred in the past, and in the particular case of safe lock
> packages, they actually seem to have been designed for it. With the
> common form factor and simple mounting, it should only take a few
> minutes on-site to swap a package over. To defray costs, the old lock
> packages could be returned to the manufacturer for factory modification
> and re-issue; make up any difference with a small "annual maintenance
> fee" to the client. Personally I'd much rather pay $20 than unwittingly
> live with an insecure device.
    While I am generalizing about downloading software patches, my
perceptions of software being "readily fixable" via a download are
much closer to reality than your generalization about locks being fixed
or swapped out "in a few minutes"...  Skill levels come into play here
and as others have noted many computer systems "automatically"
update unless the user is savvy enough to disable such functions...
    Software downloads are much more compatible with the system
they will be installed on because the program conditions that are
in error are known...  Swapping out a worn/defective/obsolete lock
is not quite that easy unless THE EXACT lock being replaced is still
available...  Older safes and even newer models have differences in
the construction/configuration of the container...  The skill level to
adapt a current lock into field conditions that are not the same
varies from easy to difficult, and the time factor involved in that
undertaking is much more than that of locating and installing a new
patch to fix a "bug" in your computer...
> 2. I do think it's reasonable for security consumers to be informed
> about types of weaknesses in products, at least at a general level. For
> example, most users probably don't care too much about lock
> manipulation and will be happy with a Group 2 lock, since lock
> manipulation, as I am sure you are all aware, is a quite rare method of
> safe burglary. However I know of a certain business (and I am sure
> there are many like them) that uses a safe to protect sensitive but
> time-degrading information. To have that information stolen from them
> would be merely inconvenient, so they have a fairly cheap safe; however
> to have it stolen *undetectably* would be a disaster. They need Group 1
> locks, but they didn't know it, because as mere security consumers they
> were considered unworthy of such secrets.
    A person buying a safe is not a "security" customer, they are someone
buying a safe...  It is true that not all safes are created equal, and some
people don't wish to expend more money on the safes that are "better"...
    Making that statement would be like me saying someone looking into
buying a computer wants to be educated about the world of IT, which
often times is not the case...
> 3. I am rather puzzled by claims that Group 1 lock packages are
> dramatically more expensive than Group 2. OK, I'm not a locksmith, but
> I do know a little bit about metalwork and I just can't see it. Looking
> at Blaze's Fig 18. (c) and (d) (Sargent and Greenleaf 8400 Group 1 lock
> with butterfly dial) vs. Fig. 1 (Sargent and Greenleaf R6730 Group 2),
> I can't see more four or five dollars difference between their
> internals. OK, the 8400 may have other, expensive enhanced features to
> resist drilling and so forth, but the anti-manipulation feature is
> simple--ingenious, but simple--and could easily be installed in the
> cheaper lock if people only knew it was available so they could ask for
> it.
>
> 4. The fellow who is advocating sending harassing letters about
> Professor Blaze should do a little more homework. The tone of the
> suggested letters suggests that it is thought Blaze may be some minor
> assistant professor at UPenn who can be harassed into complying with
> your demands. In fact, apart from being an Assistant Director he is a
> eminent, highly respected person who is, for example, chairman of the
> world's largest computer security conference, a frequent advisor to
> Congressional committees, and an occasional security advisor to NIST
> and the US Department of Justice on certain classified programs.
    I agree, "Lockie's" comments are not the best way to make his point...
NOR is advertising the very thing he finds offensive an effective way to
go about complaining about it...
    I don't care about who Blaze is, I understand that he is very well
versed in computer technology areas, however, his skills at linking this to
other areas of life are lacking...  I could probably write a similar paper
about locks being similar to computer science and have the same response to
it from IT professionals that Blaze is getting about his from locksmiths...  It is a
matter of perspective...  His perspective on computers is dead on, but his
views on other aspects are a bit clouded and therefore he compensates
by adapting things he doesn't fully understand into things he does by
making comparisons...  That is not the most effective way to fully
understand a topic in which you are writing a research paper on...
    I also agree with several of the others here in the newsgroup that
would have graded his work as "average"...
> 5. Blaze's response to this issue last time it came up is actually
> quite interesting. Among other things, he found evidence that the
> debate within the locksmithing trade goes back a long time:
> http://www.crypto.com/hobbs.html
>
> Cheers,
> Roger
Evan,
and your purpose of  re-posting what the_l...@yahoo.com 
wrote would be ?
-- 
"Key" 
Borrow a Ford or Lincoln automobile with a keypad lock.
Lock a set of keys in it: just set 'em right in the front seat, where
the locksmith can see them.
Phone a locksmith, and tell him you locked your keys in the car, and
don't know your keypad code.
When the locksmith shows up, he will perform a couple of maneuvers that
you yourself could have done (if you took a few minutes to make the
tools, although it'd be illegal for you to have them) and then, if he
cares more about protecting his job, he'll collect his fee and leave.
If he cares about his customers, he'll collect his fee, and then show
you how to look up under the dash near the steering column and find
what your keypad code is.
Oh, I'm sorry; did I give away a trade secret?
protecting or not protecting the locksmith's job has nothing
to do with your scenario.
the locksmith would be contracted to only open the car.
not to teach you where to find the keypad code.
> Oh, I'm sorry; did I give away a trade secret?
no,
a Ford or Lincoln keypad code is not located under the dash.
my2¢
-- 
"Key"
No because that is not where Ford Lincoln Mercury typically puts the
code. It's usually somewhere in the trunk on a sticker. The location
varies.
Just a quick top of the head pass:
>     Security is not about locks alone:
> (The following is copied from an earlier post I made on the topic...)
> The concept of "Security" is not achieved simply through the installation
> of a lock or a safe...  It is the collective achievement of an entire effort
> of an individual or organization that includes locks as only one element
> of the greater scheme, which includes but is not limited to:
> -- Locks (and the Doors and Walls that contain the room)
*encryption
> -- Security Personnel (Guards, Armed or Un-armed)
*system administrators charged with security
> -- Electronic Monitoring Systems (CCTV and Burglary Alarms)
*secure operating systems, secure network protocols
> -- Policies and Procedures that reinforce the goal of "Security"
*ditto
> -- An Architectural Design that supports the goal of "Security"
*ditto
> (Think of a school, which by design is easy to get out of in the event
> of an emergency...  This element of its basic design also makes it
> easy to get into as well, and is much more difficult to later adapt such
> a building to being more "secure" while still remaining "safe" and easy
> to get out of during an emergency ...)
Yes, and making computers both easy to use and secure is at least
equally as challenging.  For example, making MS Windows secure in one
go without also making it obsolete would be impossible.
Y'all are as ignorant of computer security as you claim Matt Blaze is
of physical security.
>     I don't care about who Blaze is, I understand that he is very well
> versed in computer technology areas, however, his skills at linking this to
> other areas of life are lacking...  I could probably write a similar paper
> about locks being similar to computer science and have the same response to
> it from IT professionals that Blaze is getting about his from locksmiths...  It is a
> matter of perspective...  His perspective on computers is dead on, but his
> views on other aspects are a bit clouded and therefore he compensates
> by adapting things he doesn't fully understand into things he does by
> making comparisons...  That is not the most effective way to fully
> understand a topic in which you are writing a research paper on...
I doubt that Matt Blaze intended his article to be a research paper.  I
suspect he had hoped that it would stimulate a dialogue between
physical security experts and computer experts.  Or maybe he's just
curious about the mathematics of mechanical lock design.
Somewhere in this thread someone criticized the existing security in
computer systems.  Computer security experts, like Matt Blaze, have
often criticized the computer security industry.  The experts get much
the same reaction there that Matt Blaze's article is getting here -
ostriches burying their heads in the sand.
If you can write a similar paper from the physical security
perspective, then do it.  I suspect that would please him, as it would
at least be the beginning of a real dialogue.
But I can't speak for Matt Blaze, only knowing bits and pieces of his
reputation and not the man himself.
I'm tempted to cross-post some of this to comp.security.misc and
sci.crypt and let some of the vacuum out of the thread, but more oxygen
also usually means higher flames.
> Evan,
> ~~formerly a maintenance man, now a college student
Hopefully not in computer science at the upper level yet.
that's correct, you can't!
neither can we.
> I'm tempted to cross-post some of this to comp.security.misc and
> sci.crypt and let some of the vacuum out of the thread, but more oxygen
> also usually means higher flames.
if it "usually means higher flames"?
why would you even be tempted?
--
"Key" 
Hi all
My apologies for coming in well late to this thread. However, I felt I
should read all comments before shooting my mouth off as some have
done.
My first question is simple and may be considered a troll post:
Why is there a 'tradesmen' v 'academic' argument through this thread?
Both avenues of vocation have their merits and disadvantages. Neither
is an indication of how smart one is. Hell, I'm an IT geek now, but
drove trucks for 11 years prior to getting an 'edjamacashun'.
Second question:
Why is disclosing the fact that some locks have security issues a
problem? After all, we are talking about **security**, not something
trivial such as a cupboard lock to stop the cat stealing from the
larder. If a particular security device is not as secure as it is
advertised or claimed to be, shouldn't the consumer have a right to
know? If not, then the locksmith industry could be seen to be following
the 'security through obscurity' model, which has been proven to be a
risky business method many a time.
> >
> > The article is available to the general public without any
> > restrictions whatsoever.  We as professionals in the security
> > field are outraged and concerned with the damage that the
> > spread of this sensitive information will cause to security
> > and to our profession.
I know the question has been asked, but for what earthly reason are you
outraged? It appears from reading the threads that the only real
outrage was that a 'boffin/geek/academic/seat warmer' wrote the paper
and not an industry insider. To be outraged that common weaknesses in
supposedly secure hardware were exposed seems to me to be more a
knee-jerk reaction than anything. I would have thought the paper would
make those in and outside the industry more aware of the need to get
manufacturers to work harder at making their security hardware *more*
secure.
> > We doubt that
> > his university would appreciate their resources being used for this
> > kind of activity, but they may not be aware of it or of the negative
> > impact that his so called work has on our industry.  With concern for
> > homeland security so important, we believe that your voice will be
> > heard.
I understand that universities tend to approve research, rather than
discourage the practice. This report has probably given the University
(through your efforts as well) a lot of free publicity and has made the
paper itself a sought after piece of research by hackers, geeks,
tweakers, criminals and locksmiths alike.
> >
> > These people need to hear from you.  Tell them what
> > you think politely and firmly in your own words. Explain
> > that you are a security professional and that your job
> > is made harder by this sort of thing, and that security
> > will suffer.
A defective security technology has been exposed and therefore will
hurt the security industry...mmm...strange logic, but then I have
trouble 'keeping up'...
:o)
Once again, apologies for butting in late in the thread.
Cheers,
Gryph
https://lists.netsys.com/mailman/listinfo/full-disclosure
full-disclo...@lists.etsys.com
(Subscribe in subject)
Putting it another way: This is an engineering discipline, not a 
science. Cost-effectiveness dominates the equation, and that requires 
considering *ALL* costs. Which Mr. Blaze hasn't made any effort to do in
this case.
As I said, I wouldn't object as much to his academic paper if it was a 
good paper. It really isn't. He hasn't added anything to the base of 
knowledge, and he hasn't even done an adequate job of summarizing it; 
all he's done is put his name on it. It isn't quite plagiarism, but
that's because there isn't a single thought in the paper that anyone 
familiar with either field would claim is original.
well put Shiva.
what most have missed here is that
"HOW to defeat" information being widespread on an open forum for ANYONE,
with less than honest intentions, to view and learn from is a big mistake.
they can call the censoring of such information what they will
but I call it professional ethics.
m2
-- 
"Key" 
Or is it just a coincidence that we picked the only three models that
are different than you're claiming?
Thanks very much for the link. Maybe this will give
someone food for thought when thinking of ways to make
locks more secure, which is something the locksmithing
industry has yet to do successfully. It's about time
the industry became more open to suggestions. Your
posting of this information shows me you're going in
the right direction.
I recently found out that Kryptonite locks can be
_easily_ opened with a Bic pen. Needless to say, I did
not find this out from Kryptonite. I found it out from
a person like Blaze. I have now purchased a "more
secure" lock to protect my property.
This is just an example of why your publishing of
Blaze's information is a great service to those of us
who like to know the vulnerability of the security
devices we use so that we can take our own steps to
improve the security of our property instead
of having to rely on the locksmithing industry to keep
us informed... which, as you have pointed out, they do
a lousy job.
Thanks again, -Scott
Roger, how many AR mortice locks do you see with the extra piece on the back
of the cylinder that prevents snakepicking, or how many American Padlocks
have you seen to be rekeyed and either don't have the extra piece that
protects against the vulnerability they have either not there, or discarded
by the locksmith that is doing the rekeying? FWIW how many AR cylinders do
you see installed with no collar? It would appear that forget the
convenience, it is either flat out not being done, or circumvented for
convenience sake. When security becomes inconvenient laziness takes over. I
seem to remember a place that forced password changes with excessive
regularity so people started using passwords like A1b2 then changing them to
B2c3 etc to meet the standard and not forget them. I guess it is similar.
>
> 2. I do think it's reasonable for security consumers to be informed
> about types of weaknesses in products, at least at a general level. For
> example, most users probably don't care too much about lock
> manipulation and will be happy with a Group 2 lock, since lock
> manipulation, as I am sure you are all aware, is a quite rare method of
> safe burglary. However I know of a certain business (and I am sure
> there are many like them) that uses a safe to protect sensitive but
> time-degrading information. To have that information stolen from them
> would be merely inconvenient, so they have a fairly cheap safe; however
> to have it stolen *undetectably* would be a disaster. They need Group 1
> locks, but they didn't know it, because as mere security consumers they
> were considered unworthy of such secrets.
The problems with informing people about stuff that they will invariably not
correct is probably that it gives a feeling of insecurity that wasn't there
before. Let us preserve the illusion of security :) It is not hard to reason
that a guy with a 300,000 USD house with a $9 Tylo and no deadbolt, is
either A. not concerned with security, B. Depending on the power of his
insurance policy or C. not properly educated by his locksmith (if he even
has one). However, if we show him how easily it is bypassed in order to
upsell him to something better are we doing him a disservice by showing him
how unsecure he really is, or perhaps we are doing society a disservice by
showing one guy how easily he can break into his neighbor's house. What's the
point?
>
> 3. I am rather puzzled by claims that Group 1 lock packages are
> dramatically more expensive than Group 2. OK, I'm not a locksmith, but
> I do know a little bit about metalwork and I just can't see it. Looking
> at Blaze's Fig 18. (c) and (d) (Sargent and Greenleaf 8400 Group 1 lock
> with butterfly dial) vs. Fig. 1 (Sargent and Greenleaf R6730 Group 2),
> I can't see more four or five dollars difference between their
> internals. OK, the 8400 may have other, expensive enhanced features to
> resist drilling and so forth, but the anti-manipulation feature is
> simple--ingenious, but simple--and could easily be installed in the
> cheaper lock if people only knew it was available so they could ask for
> it.
Locksmithing is such a minuscule industry that as soon as you put "locksmith"
or "safe" onto a product or description, it would seem that you have license
to charge double. Then when some of these companies try and peddle their
wares to other industries "tow truck", "law enforcement" etc.. Lockies get
incensed and try to stage boycotts and such. The prevailing thought is
we'll just charge the lockie more and they can pass it on to their
customers.
>
> 4. The fellow who is advocating sending harassing letters about
> Professor Blaze should do a little more homework. The tone of the
> suggested letters suggests that it is thought Blaze may be some minor
> assistant professor at UPenn who can be harassed into complying with
> your demands. In fact, apart from being an Assistant Director he is a
> eminent, highly respected person who is, for example, chairman of the
> world's largest computer security conference, a frequent advisor to
> Congressional committees, and an occasional security advisor to NIST
> and the US Department of Justice on certain classified programs.
>
Blaze is not a pioneer in revealing the secrets. Many other people have
shared many other things. Look at Bill Phillips, or anything by Paladin
press, the "MIT guide", or the "Amateurs Guide to Impressioning"
>
> Cheers,
> Roger
>
Just some thoughts :)
There's nothing magical about a college degree, certainly.
> I have been in business and have 23+ years
> education/experience in the Locksmith/Security field and
> have earned enough $$$'s to retire 6 years ago at the age of
> 45.
The fact that you can make money doing something doesn't necessarily
make that thing either right or good.  Many people have made lots of
money selling shoddy goods and passing them off as valuable.  That is
exactly what the lock industry is doing today, and has been doing for a
long time now.  Matt Blaze is just shining the same bright light on
your industry that has been focused for some time now on the data
security industry, and the flaws he's finding are significant.
It should surprise no one that there are problems... if we've learned
anything at all about security in the world of computers it's that
secrecy *hurts* security, rather than helping it.
What is surprising is that locksmiths are responding so badly to the
problem.  Rather than beginning to develop new designs that address the
discovered flaws, and rather than organizing "white hat" lock and
safebreaking organizations to evaluate designs and discover and publish
weaknesses so that they can be *fixed*, locksmiths are complaining that
Blaze is the problem.
Blaze is not the problem, he and people like him are the only solution
that is really going to overcome the entrenched inertia of the
lockmakers.
I do think it's worth keeping in mind that physical security is not
exactly the same as most computer security:  You can fix a computer
security hole, in most cases, by installing new software.  That's a far
less expensive operation than replacing a lock, or a safe.  On the
other hand, locksmiths do a great disservice to their customers when
they allow people to believe that locks and safes are more secure than
they really are.
What we need to achieve is a balance.  The physical security industry
needs to construct an internal, competitive process for the creation
and analysis of new designs, similar to the way cryptographers operate.
In addition, it needs to develop a way to objectively describe the
security of a given lock design, and to implement procedures for
notifying lock owners when the industry and/or manufacturer discover
that the design is less secure than previously thought.  That will
allow lock and safe owners to intelligently make decisions as to when
or if a security device should be replaced, or augmented.  With that
sort of infrastructure in place, it will be reasonable to suppress the
free publication of cracking information -- because even without
publishing the details, the industry will still be making consumers
aware of security problems.
Until that happens, Blaze and others have a moral obligation to publish
this information.
Shawn,
I agree with most of your comments.
What you and others are failing to understand is that, in
the real world, no matter how much we TRY and tell our
customers about their inadequate security, most of them let
their wallet make their decisions for them. They do NOT or
will NOT spend the needed $$$'s to upgrade.
my2
-- 
"Key" 
"'Key" <K...@Ya.Net> wrote in message >
> Shawn,
> I agree with most of your comments.
> What you and others are failing to understand is that, in the real world,
> no matter how much we TRY and tell our customers about their inadequate
> security, most of them let their wallet make their decisions for them.
> They do NOT or will NOT spend the needed $$$'s to upgrade.
>
> my2
> -- 
> "Key"
  Same down here, and I reckon the world over. I stock very little upper 
market locksets anymore. It sits on the shelf month after month. Government 
& big end business are the only ones that are interested in 'the good stuff' 
and even then their wallets are pretty tight.
-- 
Steve Paris Locksmith
Cairns Australia