A different perspective on Matt Blaze

I'm not posting this from my usual account, so some introduction is in order. I've been a professional locksmith for 14 years now, owned my own business (with a partner and 2 FT employees plus some PTers) here in N. California for the last 8. I'm a CPL (started out with F-B, boy did I learn a lot since then but it was a good start). For the last 4-5 years I've shifted the business from a pure locksmith shop to a full service "security" business. We do alarms, CCTV, security surveys, etc, mostly for residential (this is a rich area) as well as traditional lock work. That made all the difference. I now spend at least as much time stringing cat 5 cable, etc. as I do pinning cylinders and doing lockouts. That's just the direction the business is going for us, can't fight it, and lately I feel like I can finally say we're ``successful'' at building what we set out to accomplish. What I mean to say is that although I've not been in the business as long as some I'm not a newbie either and I've got a lot invested in the security industry.

I've been following the whole master keying / Matt Blaze mess here and in TNL. My first reaction, like many locksmiths I guess, was shock that someone would publish this sort of thing in the press for all to see. I have to admit that I didn't know the technique he wrote up, but that's my poor education, I guess (I don't do much MK work). A lot of my customers called and asked me what's up with this, are they secure, etc.

I've been doing some more reading about this and following the threads here. I know what I'm going to say is unpopular, but I think Mr. (Dr?) Blaze may have some valid points. I don't know that I'd do exactly what he did, but I don't think we can ignore him, either.

The thing is that many of the folks here are acting as if Matt Blaze owes us some kind of explanation for his behavior and as if he has to convince us that what he did was OK, ethical or whatever. The problem, and it took me a while to realize this, is that it's more like the other way around. Let me explain.

I've been doing some research of my own on this. Blaze is, to tell the truth, an important guy in the security field. More than you might think, actually. He runs the security research department at AT&T (Bell Labs). He's also a Professor somewhere. He's done high level security consulting for the government, including the FBI and/or the US Justice Dept. He's TESTIFIED IN CONGRESS, for Christ's sake. A lot of people knew who he was well before his master keying article came out. We have to give him his due, he's a very smart and accomplished and respected guy in the security field.

Does this mean that he's an expert locksmith? No, of course not but that's not the point. The point is that the opinions of him and people like him carry a lot of weight with the general public and leaders. They tend to greatly influence the direction of our industry. We should be careful about ignoring him even if we don't like the message or the way it was sent.

I think Mr. Blaze is 100% right, actually, when he said that the direction that the world is going makes it harder for the security industry to depend on closed secrets. Do an internet search with the right words and you'll find most of our so-called sensitive info right there for anyone to see. You can't depend on any of this stuff staying secret, not any more. Blaze is right when he says we have to adapt. We do it anyway. How many of us are still running the same kind of business we ran 10 years ago? Transponders, competition from Lowes, the Internet, it's all new and it will all be replaced by something else in 10 years.

I think it's possible to have good, solid security that doesn't have ``tricks'' that defeat it. Try to pick a Medeco! You can't! We open them by drilling or by bypassing something else. No need to keep that secret. You just get what you pay for in a lock like everything else in life. The customers know that. The question is time to defeat. Better locks take longer. No need to keep that secret. Honestly, no real need to keep secret how we do it, as long as there aren't ``tricks''. If there are tricks, I think that IS a defect and I don't think we can complain if someone else discovers them if we knew about them and sold them anyway.

I don't think I agree with the people who say that Mr. Blaze has caused damage with his article. Most of the smart criminals knew it before and the dumb ones still don't know it. The difference is that now the general public knows it or has access to it. They'll demand better security FROM US. That's good for us, and it's good for them too.

Also, open security is the NORM for software, and guess what? Locks are becoming more like software! What do you think is inside a card access system? We'd better get used to it folks.

We would be a lot better off reaching out to Mr. Blaze, explaining some of our concerns, but also listening to what he has to say. A lot of the nonsense here and elsewhere, such as posting his home address or even just accusing him of not knowing anything about the real world, is an embarrassment to our industry. Makes us look like a bunch of thugs. Who would go to a thug to have a security system installed?

I know this will be unpopular, but we'll all be better off if we can just keep an open mind for new ideas and not assume the worst of those we disagree with.

Whew! Sorry for going on so long, but I think this is important.

Just call me:

snipped-for-privacy@hotmail.com, somewhere in Northern California

CA Locksmith

This statement cuts to the heart of the problem. Even if one believes that the owners of systems vulnerable to the exploit published by Blaze have nobody but themselves to blame if they don't upgrade there are many people potentially affected who have absolutely no say in the matter and who may not even know that their locks are masterkeyed.

Putyourspamhere

Many people do not know or care anything about the specifics of one lock vs another. That is the point. To infer that because of that they somehow deserve to be victimized is absurd. Even more so when you consider that in many cases those who depend on the lock on their door for security have no say over the lock in question.

I doubt it drove him nuts. If it did he would simply have fired you for denying him access to a locker on his premises which he was in effect simply letting you use.

Frequently that would not be the case. This isn't really relevant anyway as most people don't have the skills to repin their own locks.

Virtually everything you have stated is irrelevant to the discussion at hand.

A. Most people do not have the skills or desire to repin their own locks. Those who do are likely not affected by the publication of the vulnerabilities which started this discussion as they already have security in place to defeat the described exploit.

B. In many cases it would violate their lease agreements to do so. If you were my tenant and I needed to get in in an emergency and I found myself locked out because you had recombinated the locks and deactivated my key or masterkey you would find yourself evicted in short order for denying me access. You would also find yourself sued for any additional damage which occurred because I was denied access. Same situation for employees at most jobs. Masterkeys when used exist for a reason. You essentially take the position that everyone should just go out and de-master the locks on their offices, apartments they rent, etc. Of course you don't bother to concern yourself with the consequences, or whether they are even capable of doing what you describe.

Putyourspamhere

Oh, it did, for sure! And he simply could not fire me because I did a good job, and because it stood in my contract that the locker is for the time working there my private property. It was simply illegal that he had a masterkey, and that he used it without letting me know about it afterwards, and he knew this, and I knew this.

But when I can assume that there is a masterkey (and everyone can assume this if it is a system with one key for different doors) then it is just my problem, if I do nothing against it. Without knowing a thing about masterkeying and such, when I suspect someone else could have a key to my door and I do nothing against it then it is just my own fault if something goes wrong.

Not in Germany. Your home is your castle; you just are not allowed to destroy or throw away the lock. If you do it is still not illegal, you just have to pay for it, or for the whole MK system if throwing away a lock compromises the system.

Maybe in your country, but not here. The owner of the apartment has no right to access it without my knowledge. Period.

Not in the office when I just work there, but of course I am allowed to change the lock of the place I have rented.

regards - Ralph

Ralph A. Schmid, DK5RAS

I knew you would make this argument and it is badly flawed. Many people have no choice in the matter. They are legally compelled in many cases to have masterkeyed locks. Landlord access and the restriction that the tenant shall not change locks is part of many lease agreements. Additionally your argument would essentially hold a 10 year old child responsible for his or her own fate if the locks on his or her house are inadequate due to a parent or the previously mentioned landlord. This is as foolish as if I were to state that since I have a concealed carry permit and have a better than average ability to defend myself that anyone who doesn't is responsible for street crime which befalls them. These things are all very obvious to anyone who looks at the problem beyond its very surface.

I don't necessarily know that to be true. You have provided no documentation of it and you also said not long ago that 90% of compromising information with regard to locksmithing was easily available on the internet yet failed to meet a very simple challenge for information which, if your statement was to be believed should have been easily obtainable.

Assuming it is true however we are not talking about Germany. The techniques in question were tested by Mr Blaze in America and the paper was published in America, so for purposes of this debate it is logical that we are talking about America.

Once again you haven't cited anything to support what you say as true but assuming that in Germany it is that's still irrelevant to the US where most of the masterkey systems likely to be affected are located.

I notice you still completely ignore the fact that most people are not locksmiths and that many do not know how to change or repin their own locks.

Putyourspamhere

Bob, that's not the point. My point is that as far as the rest of the world is concerned Matt Blaze is a respected security expert, to the point that government agencies ask his opinions and major newspapers report on his work. We on the other hand are a bunch of locksmiths. At the end of the day what Mr Blaze and people like him think of us carries a lot more weight than what we think of them.

I think a lot of us are having the same reaction I did when I first read about it (in the local paper). I was shocked that someone would openly discuss sensitive information. After researching it some more, though, I calmed down a bit. A lot of this stuff is already on the Internet and even at the local library. His article seems to be scientific and technical (have you actually read it? I did. It was interesting). It wasn't written as a how to for thieves. As far as I can tell, the people in his field write articles like that all the time, and none of them are saying that Blaze was unethical or irresponsible for his. In fact, none of the newspaper articles I read even question whether it was OK for him to have done this. Yes, you think it was unethical. See what I wrote in the last paragraph about whose opinion matters more to the public about things like this. Also, his article was in some obscure computer security magazine. It was the newspapers who told the public about it.

The bottom line is that we have a respected scientist pointing out a small defeat. The reaction? A bunch of us locksmiths acting like criminals over it, posting his home address and then accusing him of being unethical and irresponsible.

This is not making us look good in the eyes of anyone. Do we have something to hide? Did we put a flaw in MK locks on purpose and are we in a panic because someone blew the lid on it? We sure are acting like it.

We'd be a lot better off with Blaze and others like him on our side and working with us. He's not the enemy. Why are you trying to make him the enemy?

CA Locksmith

Who work daily with locks and physical security systems whereas Mr. Blaze's area of expertise is computer security, which as has been pointed out repeatedly here by many different people is very different when it comes to patching security holes.

Hardly.

The article was well written. The methodology is sound. No one said he doesn't have his facts straight regarding his paper. That the material presented is completely original in origin is another matter.

The purpose for which it was written makes little difference in practice. I have no doubt that he thought he was and in fact is doing the right thing. That doesn't change the fact that likely more harm than good will come of it.

Journalists seldom if ever question right or wrong only the source of the information.

And you think that your own opinion on this is of any more consequence than the opinions you say matter least because.......why again?

If it was his address (just as likely some other poor guy's, who has no idea what's going on) then you're right, it wasn't very professional to post it here. However that was one guy. If you looked at that one individual's previous posts you would see that he is hardly typical of most people on this forum.

Virtually every lock is vulnerable in some way or another. For example virtually any lock not UL 437 compliant, which encompasses the majority of residential locks in use today, can be defeated in about 60 seconds or less, perhaps a little longer if you want to use gross working time. Now is it really a good idea to try to get specific information on how to do it into the hands of everyone in the country? Customers decide how much security they want. Those who went with a lower security system for the most part did so because they chose to do so. Those who would be willing to upgrade their systems to eliminate the vulnerability Blaze pointed out likely invested in systems invulnerable to it to begin with.

I don't know that enemy is the right word. However what he did certainly did more harm than good in the eyes of a large number of people who post here.

Putyourspamhere

In addition to what I previously posted this is not the first time this technique has been discussed although perhaps Mr Blaze believed it to be, although there is certainly some doubt of that as Mr Blaze seems to be enough of a researcher to have discovered previous references to it albeit in somewhat less detail and with less analysis than he presented it with.

Putyourspamhere

The Yarchive link is a lot of irrelevant material to read through to find the one relevant paragraph. It is:

From snipped-for-privacy@brl-smoke.arpa (Doug Gwyn) 12-Nov-1987 17:36:05 Subj: [1137] Re: mastered systems

Actually, if you have an operating key, you need not remove the lock cylinder in order to determine all the pin splits in it. Obtain one extra key blank per pin column (7 for the typical institutional Best lock); duplicate the operating key except for one column on the blanks, omitting a different column on each blank. Then, for each blank, try it with the omitted column cut to number 0 (high), then 1, then 2, ... and record which bittings open the lock. That tells you what the splits are in that column. The whole set of trials tells you what all the splits are in all columns.

The best way to cut the keys is with a code machine; next best is to duplicate from a depth key set; third best is to set up an extra cylinder plug with just one pin of the desired length in the appropriate column, and file down the key until it brings the pin flush with the plug.

Putyourspamhere
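
The trial procedure in the quoted 1987 post, modelled in software to show how little work it takes compared with trying every bitting, and how many keys a master-keyed cylinder accepts. This is an added example, not part of any poster's message; the ten-depth scale, the toy `Cylinder` class and both bittings are constructed assumptions.

```python
from itertools import product
from math import prod

DEPTHS = 10  # assumption: ten cut depths per column, 0 = highest

# Constructed bittings for a 7-column cylinder (not from any real system).
CHANGE_KEY = (3, 5, 2, 7, 1, 4, 6)
MASTER_KEY = (3, 1, 8, 7, 5, 0, 6)


class Cylinder:
    """Toy master-keyed cylinder: every column shears at the change-key
    depth and at the master-key depth (one depth where the two agree)."""

    def __init__(self, change_key, master_key):
        self.splits = [{c, m} for c, m in zip(change_key, master_key)]
        self.trials = 0

    def operates(self, key):
        self.trials += 1
        return all(cut in col for cut, col in zip(key, self.splits))


def splits_by_column(cyl, change_key, depths=DEPTHS):
    """Vary one column at a time, holding the others at the operating
    key's cuts, and record which depths still operate the cylinder."""
    found = []
    for col, known in enumerate(change_key):
        working = {known}  # the operating key's own cut needs no trial
        for depth in range(depths):
            if depth == known:
                continue
            probe = list(change_key)
            probe[col] = depth
            if cyl.operates(probe):
                working.add(depth)
        found.append(working)
    return found


def exposure(change_key, master_key, depths=DEPTHS):
    """Summarise what one operating key plus access to one lock reveals."""
    cyl = Cylinder(change_key, master_key)
    found = splits_by_column(cyl, change_key, depths)
    trials = cyl.trials
    # Every mix of the discovered depths operates this cylinder, so the
    # lock accepts far more keys than the two that were issued for it.
    all_mixes_operate = all(cyl.operates(k) for k in product(*found))
    return {
        "columns": len(change_key),
        "trials": trials,                             # columns * (depths - 1)
        "exhaustive": depths ** len(change_key),      # trying every bitting
        "splits": found,
        "keys_accepted": prod(len(s) for s in found),
        "all_mixes_operate": all_mixes_operate,
    }


if __name__ == "__main__":
    for name, value in exposure(CHANGE_KEY, MASTER_KEY).items():
        print(f"{name}: {value}")
```
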

Putyourspamhere, I just reread Blaze's article, which also credits Mr. Gwyn. By your logic, isn't Mr. Gwyn at least as guilty as Mr. Blaze is, since he did the same thing in 1987? Where does it end?

CA Locksmith

No... I said "irresponsible". There's a difference. I really don't think he did it with malice in mind. I think it was more along the lines of ignorance. He really didn't (and probably still doesn't) see the "big picture". I'm sure Mr. Blaze has the wherewithal (and then some) to put ASSA on all of the doors to his house - and that of his parents' "senior" apartment, (if applicable).

Not everyone is able to do that.

Additionally, many, many people have no idea what the real meaning of the term "Masterkeyed" even means. I have to explain it sometimes several times in any given week. And that's with _commercial_ customers!

I join late in this thread. _I_ never said he was the enemy. I merely stated that people (in general) who think it's okay to publish circumvential information of any kind to the general public are doing a disservice to people who may have no control over the situation. As stated previously, the elderly person in the senior "high rise" may not even have a clue what a MK system is, let alone have the ability to do something to change things.

Bobby

Bob DeWeese, CML

I don't know that guilty is the right word. Gwyn, as far as I know did not have his directions published in the NY Times so the number of people who read them were likely much fewer. The point is the information Blaze presented was well known in the security world. There are undoubtedly many more references to it since I found the two I posted in less than five minutes on nonsecure forums. It's rather like if I were to go to my safe books then publish the startling news that a popular safe can in fact be drilled open along with the precise method to do it. I dare say the majority of those who install master-key systems are and were familiar with what Blaze publicized and for the most part offered their master-key customers more secure alternatives which they either implemented or refused based on their own security needs. Those who refused them are not all that likely to go to the expense of upgrading them now, and those who would be willing to upgrade went with a more secure alternative in the first place. Consequently what is the great benefit of making the information available to the general public?

Putyourspamhere

Yep that's the jerk. Somebody back then tried to make the same idiotic argument that nobody would actually USE any of that info he was always spewing to commit a crime.

Putyourspamhere

Whoa! Since when does the internet stop at the border? Foreign countries use pin tumbler locks too. Different lock hardware maybe, and profile cylinders, but the technology of pinning an MK system is the same, I suspect.

Jim Gaynor

You are right. However I would wager that less than .01% of the population of any given area have first seen the information online. As far as I know it isn't available anywhere mainstream. The most likely way someone would accidentally run across it in a search is looking for information on Blaze himself. The vast majority of public exposure came from the Times article. It is far more likely that any given individual who reads the Times is now aware of the method in question than a given individual outside the Times' normal circulation. That means the method is likely still not widely known by the general population in Germany. Therefore it's more logical to discuss potential scenarios under US law. Besides I have no idea what the law on landlord access and employer access to employee lockers is in Germany. Ralph didn't give any source he just stated what he believes the law to be. I have seen him make other statements that are highly questionable so I'm frankly not taking his word for it.

You're right I'm sure they don't. Add to that that many are not capable of changing or repinning their own locks and it becomes clear that these are likely some of the people most likely to be victimized by a mis-user of the information Blaze publicized.

Putyourspamhere

---snip to trim---

yea, he sure was a character !!!

"Keyman

It sounds like your problem is with the New York Times, not Mr. Blaze, who according to TNL wrote his article for a computer security journal. It was because of that publication that the New York Times learned of it. Blaze thinks that we can't depend on stuff like this being kept secret (and I think I agree with him more than I disagree), but it was the New York Times that gave it to the general public, not him. He didn't ask them to print it and if they hadn't printed it the public wouldn't know about it right now. Blaming Mr. Blaze for that is unfair and doesn't help the situation. My point is that we need some perspective here. It makes our profession look stupid when we say or imply that the problem with master key security is respected Bell Labs scientists writing articles for journals. We should be discussing what to do about master key security and should welcome people like Mr. Blaze into that discussion. Otherwise they will have it without us, and that is NOT GOOD FOR ANY OF US. Hint: A bad way to welcome them is to make accusations that they're unethical, insults about ivory towers, and veiled threats involving their home address.

CA Locksmith

CA Locksmith

This assumes a higher level of technical knowledge about locks than is found in the general public.

Are you under the impression that KA (keyed alike) locks must be masterkeyed?

Also, if you change the locks in your apartment so the landlord's representative can't get in - and then when you are away something bad happens - such as a broken pipe in your apartment which is flooding the apartment below you - do you feel it is ok for the landlord to wait until you return before getting into your apartment?

Henry E Schaffer

Is it not interesting that 3 of four posters here who seem to all be agreeing with and supporting each other have NEVER posted anything else to Usenet and their posts all seem to originate from AOL? I'm sure it's just a happy coincidence LOL.

Putyourspamhere

I agree. I do think his background research was inadequate and his decision on where and how to publish was misguided.

Those aren't crimes. Just mistakes.

Unfortunately those mistakes are going to drive security down and/or drive costs up for our customers. Not a great deal, but it's still a net Bad Thing for the society.

It would be nice to get consensus that there really are better ways to handle such "discoveries" in the future... eg, publication through more appropriate channels so *PROPER* review by expert practitioners can be conducted both before publication (I presume any locksmithing journal editor would have told him "Nothing new, but it's probably worth editing a bit and publishing as a tutorial for folks who are less experienced in master keying and to encourage innovation within the field.")

I really think he's bright enough to see the point we've been trying to make. He may even agree with it if we stop hammering on him and give him time to think about it. But as long as we keep sniping at him, he's going to feel he has to continue defending himself. I can't blame him.

Move to table this and let everyone think about it for a few months. If Matt makes the same mistakes again, now that he's more familiar with the issues, *THEN* I agree he may be due for some serious flamage.

Joe Kesselman (yclept Keshlam
