This is a very good paper for anyone interested in learning about the basics of drilling and manipulating safe locks and their security in general, as well as a lot of other information that's usually hush hushed by the security by obscurity obsessed locksmithing community. You could probably find most if not all of this information independently but you would spend some time and money doing it. Matt Blaze's presentation of the material is very good and the photographs are, as usual professional quality. Blaze has a real talent for writing a scientifically valid paper which is also very readable, something that many in academia have great difficulty in doing. This may have been posted to alt.locksmithing before but it is worthy of being posted again.
Interestingly, security by obscurity was a significant element in safe security in past years - the era when experienced 'tank men' had high status in the criminal world - or even the odd case where criminals managed to make copies of the various keys needed to enter a bank vault, this happened in Australia in the 1960's. Part of the problem was that much money was kept in what had become hopeless safes and strongrooms dating from the turn of the last century.
Nowadays, they seem to be an extinct breed - alarm, communications and other security technologies have driven them out of business. Armed robberies are now the trend.
Hence few security professionals would lose any sleep over such 'trade secrets' escaping nowadays - design of systems would assume full general knowledge by criminals.
Let's see................ it's Matt Blaze and his sidekick Tobias that deemed it completely appropriate to teach the world how to make and use bump keys and how to beat Masterkeyed lock systems. Let's just think about bumping as an issue for a moment... What kind of locks are on your grandparents house???? What no high security???? Just a knobset & deadlock on the front door and another knobset on the back. Might even be a
7-change mortice lock on the laundry door. When the local crack-head is eyeing their house, won't it be wonderful now that he added some new techniques of getting into your Grannies' place??? Don't worry though, he'll be gentle with them. If Tobias or Blaze were redesigning locks...... we could then understand that they are looking for a safer and more secure world. Let's find the weeknesses of security, publish it on the internet in as many places as we can, align ourselves with lockpicker hobbyists and then sit back and wait for the aftermath and make a lot of money too.... My only hope is they also have grandparents who haven't done an expensive security upgrade to their home. Maybe the TOOOL folks can give them a hand with the locks.
More delusional security by obscurity stupidity. Matt Blaze and Marc Tobias didn't create the vulnerabilies that make bump keying or all the other childishly simple attacks which the lock industries deffective products are succeptible to possible. THE LOCK INDUSTRY DID. Vulnerability to bump keying has only been a well known problem for about 3/4 of a century now. Fix the problems YOUR industry has created and there won't be a problem.
There was never any security by obscurity with regard to any mass marketed product. All one need do is buy the product in question and examine it for weaknesses. Security by obscurity is nothing but an illusion.
Except of course that higher grade safes, vault doors, detention locks, etc are not mass marketed. I can well imagine someone trying to buy a copy of the Chase Manhattan main vault door.
Alos, a long time ago, I heard an employee working for a safe company bemoaning that shop floor staff did not keep accurate plans of re-locking mechanisms - made opening more difficult. Coming to think of it, they probably made each one a bit different and deliberately did not keep details. Now that is security by obscurity.
Poria like yourself (Tobias....Blaze) live off the problems of others. Tell the world about their shortcomings and never offer any solutions. Oh... the bad industry...blah blah. As I said previously, maybe you had better stop by your grandparents house and let me know about obscurity. WHo was the idiot teacher teaching little hackers & crackers how to beat Master-keyed sytems at the U of P and then had a student produce a masterkey to fit the entire university?????? Think that cost the U of P $40grand. But that's right.... you don't care about the costs to others as long as there is a profit to be made. Remember when fertilizer was only used to fertilize????
Sorry to dissapoint you Sherlock but I'm neither of them.
How exactly do I live off the problems THE LOCK INDUSTRY has created with it's blatantly deffective products?
Tell
I already have. There is no obscurity. All the information is readily available. If it wern't you wouldn't be whining and crying over people disseminating it. You destroy the validity of your own arguments with every sentence you utter.
WHo was the
No surpirise there. Most masterkey systems are as DEFECTIVE as most of the other products the lock industry sells, installs, and services. You just provided the proof. If the lock industry were doing it's job it would not be possible for the student to produce the masterkey. The more people like you blather on the more you make my points for me.
It should have cost the INCOMPETENT locksmith who installed the system a 40 grand lawsuit. Much better I suppose you think for people to covertly make master keys nobody knows about on a system people erroneously believe is secure.
But that's
Where's the profit for me???? Don't overheat your brain trying to answer it's basicly a rhetorical question since it's obvious you don't know what you are talking about.
You sure changed that. That whole big pile of crap from you to distract from the fact that the lock industry sells defective products to an unsuspecting public and then trys to blame anyone who won't play coverup with them for their own dishonesty and incompetence.
"Except" doesn't really apply becuase I said "mass marketed". I already allowed exception for the Chase Manhattan Main vault door etc. That said security at that level does not rely on obscurity either. The locksmith who works for the bank will have detailed information about the vault door, and since the vault door inner covers I have seen on safety deposit vaults are clear and allow easy inspection of the mechanism bank employees and possibly even some customers depending on bank layout may have this information as well, does that mean they can compromise the vault? No. Because the bank relies on true, tested, redundant security NOT obscurity.
How do you really know? Do you know to a CERTAINTY who has that information? If not then you don't know if it's security by obscurity or not. Another problem with security by obscurity. There is no definitive test for whether the information is really obscure from the people who would use it in an attack or whether it is just thought to be. Is it obscure from an employee who has daily unsupervised access to the open safe? I don't think so. Relying on something being obscure when you can't prove that it is is a dangerous thing to do. Much better to rely on a known and well tested design.
This all brings up another interesting point: If we are going to rely on security by obscurity why should locksmiths be given any special access to information? The security by obscurity model dictates that the fewer people with access to "sensitive" information the better. I saw another thread where locksmiths were patting themselves on the back about a law requiring car companies to assist them with information for making keys to vehicles. ALOA supported this position. This is contrary to security by obscurity. The fewer people who have access to the information the less chance for abuse. Let the car makers and dealers who have the information anyway make the keys. There is no reason to trust such sensitive information to mere locksmiths. The security by obscurity model requires that information needed to make car keys be carefully kept from locksmiths who simply can't be trusted with it. The locksmithing industry can't even keep a consistent position. Security by obscurity is good when they financially benefit and bad when they don't.
The world has suffered from so many of you pretentious bastards that don't care for anyone but themselves and yet claim that it is for the good of humanity. Telling people on the internet how to break into peoples' homes is based on your lack of a backbone to try and instigate changes. Did you loose a job with Corbin or something???? Did your mother beat you with a lock?? What's next... Locksmiths are secretly trying to overthrow the Whitehouse?? By-the-way........... you didn't tell us what kind of locks are on your grandparents house. Go ahead and lie to us.... ASSA on the front door and Medeco on the back. Bump-proof???
Hardly. Anybody remotely interested knew how to make bump keys long before TOOOL or Tobias elaborated on the subject. Next you will give Tobias credit for inventing the pick gun which uses the exact same principle.
Again pretty obvious to anybody who cared enough to learn how masterkeying works, although in practice dissasembly is still probably the bigger threat e.g. guy has a lock on his apt door. Knows it's masterkeyed, takes it apart and with the aid of his key for comparison makes a master key. It ain't rocket science. Pretty obvious those extra pins are there for some reason. The sad reality is that you take a low end big box store lock that can be opened by a stiff breeze to begin with, add master pins to it, and, absent spool pins, which most guys don't bother to add, it can be opened by a kid with a hairpin anyway. If you don't start with a quality lock with good tolerances masterkeying destroys all traces of security.
Let's just think about
I doubt any crack head who didn't know about it before has taken the time to research bump keying online or drop a nice chunk of crack purchasing change on LSS. Crack heads and their ilk tend to prefer the time tested footpicking or brickpicking methods. Professional methods just increase the time till their next fix and deprive them of the destructive behavior they so enjoy.
Don't worry though,
In all fairness Blaze typically reccomends countermeasures to the exploits he describes and fixing the problems isn't really their job. They are acting in the role of security analysts, they are not, as far as I know, involved in designing locks.
we could then understand
Couldn't effectively do that if the manfacturers had fixed the problems and with bump keying there really isn't any damn excuse. The vulnerability has been known since at least the 40's, probably for much longer.
in as many places as
Now this is logical: Wish harm on the elderly relatives of someone for their actions even though the relatives have no control of said actions. Yep brilliant. Makes you sound like a real rational, sane professional.
Maybe the TOOOL folks can give them a hand with the locks.
It isn't nearly this idealistic in reality. The problem is not that the means to combine physical and electronic security to make successful burglary very difficult doesn't exist, it's that most people don't take advantage of what's available. The classic example is the guy with a $15 budget special lock on his front door, no alarm, and 10 grand in a big box store special fire safe that isn't even bolted down. I don't even like to think about what some people keep in gun safes. Residential alarms? Most, if they are even armed, are easily defeated by a pro, or even an amateur with a little knowledge. Skilled criminals probably have drifted away from safe cracking and other property crimes but only because the rewards in high tech electronic fraud are much greater and the crimes are far lower risk.
"rifnraf" snipped-for-privacy@bigpond.net.au> wrote alot of childish babbling irrelevance not worth repeating to distract from the fact that the lock industry has knowingly sold defective products for decades. If you think you are upset now wait until the industry bankrupting lawsuits start in ernest.
Facts:
The lock industry sells many defective products that can be bumped open in seconds.
The lock industry and locksmithing industries have known about the deffects for decades.
The lock industry and many locksmiths have failed to disclose the defects to the public and have in fact participated in an active coverup often slandering anyone who blows the whistle on their deffects claiming personal gain etc when in fact no personal gain is realized..
Can you dispute any of these facts? The answer of course is no which is why you babble on about irrelevant nonsense regarding where I might live and, being functionally illiteterate, about what sort of locks I have on my door, claiming Medeco when I already answered this irrelevant question twice. Your argument is nothing more than blaming anyone who won't go along with a big coverup of your industries DEFECTIVE PRODUCTS. Go get an education. Take a critical thinking class. You need it, badly.
And yet Tim has nothing positive to add to this discusion....... Your still full of s**te. The big coverup??? It's quite obvious, Timmy, that you would prefer to play with locks as a hobby rather than actually make a living in the trade. I really do hope that today you get a call from your Nanna and she tells you the front door was found open and everything is gone. The front door was opened without a key. When the report finally arrives, the Perp has admitted to robbing your grandparents home from techniques he learned on the internet. Maybe, if your lucky, you'll get a chance to meet the Perp at your next TOOOL practice session. Tim .......... the bottom line is this: Not all information belongs on the internet............... If said information leads to a crime being committed due to that information, then the author should be prosecuted. If you really had a problem with the manufacturers of locks, then tell us how many you wrote too, to tell them of their conspiracy to make unsafe products. My guess is that you're the type just to complain and the internet was the greatest gift to you.....
ROFLOL This is your attempt at logical argument??? There is something wrong with anybody who won't be an unethical crook selling defective products to consumers?? You should work for the asbestos industry.
I really do hope that today you get a call from your
Actually if that were the case she might do rather well. Elderly woman trusts lock sold to her by an industry of supposed professionals, said lock is then defeated by moron street thug. Elderly woman goes and sees lawyer. lawyer sues lock maker and locksmith if applicable. Locksmith nearly goes bankrupt just trying to pay the lawyer bills to take care of all the paper the plaintiffs lawyer buries him under. Case goes to jury, jury sees bump keying demo, jury realizes product was defective crap, jury feels very sorry for elderly woman and utter contempt for rip off lock industry, jury awards elderly woman a ridiculous amount of money. At this point the locksmith is toast because he can't even afford the appeal bond to appeal the ruling and the elderly woman gets pretty much everything he owns + whatever he can earn for the rest of his life. The lock company settles for a lot of money instead of pressing an appeal because they realize appealate court judges probably have crappy locks on their houses too..
Maybe, if your lucky, you'll get a
TOOOl is a European organization and I'm in the US. How can you discuss something when you don't even know the relevant parties?
And how about the person who defrauded the customer with the defective product.....oh wait a minute....that's you and your industry.
If you
Bla bla bla. Translation: "Goddamit we locksmiths sell crappy defective products and we have gotten away with it for years with no problem now people are telling everyone about it, one of us is going to get sued." No wonder you won't post your name. If I were such an unethical person I probably wouldn't want anybody to know who I was either.
That was supposedly forty grand to replace the deficient master key system. Somebody like old rifraf would prefer that 50 unknown masterkeys exist for
10 years so that there appears to be no problem even though there really is a great big one than that one person makes a master key bringing the weakness to the attention of the appropriate people who promptly do the right thing and scrap the system. This is called the Ostrich security strategy and is widly practiced within the locksmithing community. Nevermind that numerous burglaries, rapes, etc occur, as long as nobody, especially the owners of the system and the people who depend on it for their safety, know there's a problem everything is just fine.
But this is an argument that relies on the premise that the lock is defective just because it can be defeated. If this premise were true, then every component of a building that could be compromised would be subject to this standard of liability.
Roger what is the intended pupose of a lock? Is it not to keep unauthorized persons out, or at least present a reasonable level of resistance to an unauthorized person entering? Is that not why a lock exists? Now if you like I suppose you can try to argue that a lock that can be bumped open in 30 seconds or less, by a person of meager skill, with a tool anyone can make from a common key blank presents a reasonable level of protection against unauthorized entry, but I suspect the vast majority of the American public, the same American public which sits on juries, would disagree with you. Especially after seeing a demonstration of just how easy it is. A picture is worth a thousand words and a real live demonstration is worth about
1,000,000. If you want to make the ridiculous argument that a product which fails miserably to perform the task for which it is intended is not defective I suppose that makes you no different than most other so called 'locksmiths'. Yes the defective locks will keep out the very stupidist and laziest criminals which I suppose is why you think it isn't defective. I imagine you think a roof that only leaks 4 or 5 gallons of water everytime it rains is OK too, afterall it keeps some rain out.
PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.