Keyless entry...........

You're being a bit harsh. It's merely two different approaches and computer software is a lot easier to patch than physical security is.

Reply to
Putyourspamhere
Full disclosure especially when the exploit is readily available for download as an executable likely does increase the number of attacks. I am willing to bet that in excess of 90% of the so-called hackers are script kiddies with no clue about what they are doing. They are just launching the latest greatest exploit they downloaded off the net. Their success would greatly diminish if people would patch their systems. On that you're dead on.

Reply to
Putyourspamhere

The reality is even if they are there is still likely an easier way in. Windows, kick the door, etc. Some apartments and condos having only one entryway being the exception. Looking around most conventional houses the locking hardware is way down the list as far as weaknesses. That doesn't mean exploits should be handed out to anyone. They aren't as freely disseminated in the computer community as some would like you to believe either. Anyone who doesn't believe that read some of the hacker forums on usenet or elsewhere and look at the flames that rise when someone says the IT equivalent of "I need a masterlock combo."

Reply to
Putyourspamhere

In many cases it's largely irrelevant. The customer will only pay so much, and often this makes sense when the security chain is looked at as a whole.

I think you can readily see the problem with that line of reasoning. No one needs to be told to throw something through a window. Granted that is probably the approach they will take with or without the knowledge to carry out a more eloquent attack. There are however situations where it's not an option either because there is nothing other than the lock practical to attack or because of the need to minimize damage i.e. many 'inside job' thefts. Obscurity makes hackers' lives more difficult too. If you're trying to hack into a machine but have no idea what OS it runs and can't find out or if you do know but have no knowledge of that OS the machine will be MUCH harder to break into.

Reply to
Putyourspamhere

The trouble is that the FAQs start off by saying "Will people on this newsgroup give me information about picking locks, etc.? Yes and No. There is a serious debate"

To acknowledge that there is a debate is to acknowledge that there is disagreement on the issue. If it sounds like I argue from both sides, I do. I see both perspectives.

Reply to
Putyourspamhere

This sounds a lot like the whole Matt Blaze debate... It all boils down to computers are very upgradeable technology... Often times you can remotely upgrade computers to be better than they were before the upgrade...

Locks have to be REPLACED in order to be upgraded... That is one thing that Blaze never seems to be able to understand...

That and literally thousands of people are able to work together in order to fix a cyber problem... The internet is wonderful... Computer abuse runs rampant with one given trick until that trick is locked out and another found and so on... Any given lock is open to repeated abuse with little possibility of detection... How often does a locksmith disassemble a lock to see if it has been tampered with ??? Funny thing about computers is that they can call for remote help when tampering becomes apparent...

Evan the Maintenance Man

Reply to
Evan

Right back at you. Not full disclosure. Go to alt.hacking or alt.2600 and ask how to break into XYZ and watch the flames pour in. The info is out there but it is not handed out on a silver platter to anyone simply because they ask. If you still say otherwise why don't you post an "I need to crack into XYZ" to either forum I mentioned and we can all watch you get flamed, the people there will be no more helpful than those here in an analogous situation, or better yet please provide me with the OS including version of all systems you admin, the modem numbers and protocols in use, user names, services enabled, in fact just give me all details other than the actual passwords. After all if you have done your job there is no reason to obscure anything but the user passwords themselves. Any hacker, or maybe more aptly cracker lest someone say I'm using the wrong term, with a clue will tell you that the hardest part of breaking into a remote system is gathering intelligence on it. While you're at it why not post what locks you have on your doors, the security you have on your windows and other potential entrances and the maker and model and configuration of your alarm system if you have one. After all there is no reason to obscure any of that. What harm could come of posting it? Go down to your local bank and ask them for details of their security system, burglary and hold up and see how far you get. There is little doubt that obscurity makes any intruder's job harder, unfortunately it also leaves those vulnerable ignorant. Virtually all of the information anyone would ask for about physical security is available to anyone willing to put out the effort to find it. That doesn't mean it's reasonable to assume we will just hand it out to anyone simply because they ask.

This is a bit simplistic. The users on those admins' systems would say that they don't deserve it because they have no control over the situation. You also don't address whether or not most attackers are script kiddies just launching an executable they could never create on their own. You sidestep the whole issue by blaming the admins (who admittedly are negligent) for failing to harden their systems.

Reply to
Putyourspamhere

That's not really the crux of the issue. The crux is: Will more users fix a flaw that has been disclosed to them than will be victimized by criminal use of a flaw that has also been disclosed to criminals previously ignorant of it? If yes then complete openness is the way to go. If no, complete openness is a net loser. That is simplistic but the bottom line is does publicizing increase or decrease criminal success.

Reply to
Putyourspamhere

That's a question that no one will ever be able to answer... Criminals who would steal from random houses several times before being caught often have no benefit to disclosing how they came to decide to undertake such activities and where they attained knowledge of how to go about doing it...

An honest thief is all but impossible to find...

Evan the Maintenance Man

Reply to
Evan

incorrect, security by obscurity isn't security at all. Identifying an OS is trivial at best. most times it plainly states what it is, or you can scan and do tcp fingerprinting, or sniff other connections to and from it and tcp print it passively giving the attacker no direct contact with the box yet revealing the OS. and 'inside jobs' are done by people with keys. that's why it's an inside job. they have some type of access. and I really doubt that us talking about the joys of manipulation and the frustration that it brings with it is going to convince say a janitor that works for a museum to lift a priceless piece of art by going about it the hard way instead of using his key and fleeing the country a much wealthier man.

point being people already know locks don't guarantee security as there are weaker links in the chain to begin with. and if there are no weaker points people DO realize that locks can be picked. it is common knowledge. locks are used to delay a crime, not stop it. the alarm is to alert police or the armed property owner of the presence of foul play that the lock is delaying giving them time to intercept.

Reply to
fugi

yea I need advice from a socialist state created by criminals that other countries didn't want. g'day mate.

Reply to
fugi

noted. the FAQ may need revision on this subject.

Reply to
Key

Careful what you call a socialist state. We are well on our way.

Reply to
Putyourspamhere

There are two immediately apparent problems with that. The first is that many employees have no direct access to what they want to steal. A good example is the employee who can drop money in a safe but not remove it. Sure would be nice to know how to get in there without leaving a trace. This can apply to any secure area. Years ago at a convenience store I assistant managed at we had a guy who had figured out how to get into the control cabinet for the gas pumps. He would flip the manual override on a couple of boards (one board per pump) and the gas sales were not recorded on his shift's sales which were tabulated by the store's electronic equipment. Mechanical readings directly from the dispensers were taken daily but not shiftly and were coming up short. The giveaway was they were always short on days he worked and every shift he would pull out the overhead cigarette drawers which happened to block the camera view of the control cabinets but interestingly enough he wouldn't stock any cigarettes. Instead he would disappear out of view for a few minutes and then return to stock cigarettes. He was busted in relatively short order by adding a camera he knew nothing about which clearly showed him picking the lock on the control cabinet and flipping over to manual mode and by taking a mechanical reading without his knowledge right before his shift and then returning that night to take one after. Second, using a key you are entrusted with would be a dead giveaway as to who committed the crime.

Do you really think museums and other places take no precautions against that? Do you think the janitor is privy to the exact configuration and programming of the museum's security system? Not to mention that museums and such places have been known to have guards.

Reply to
Putyourspamhere

Nonetheless that's still the bottom line. In computer security there is little doubt that openness with regard to flaws increases the number of attempted attacks but does it decrease the net number of successful attacks because now informed users have patched their systems? The same is true for physical security.

Reply to
Putyourspamhere

I just see it as their job security. they have no real concern for others.

Reply to
fugi

With regard to the first statement in and of itself: Is there a problem with that? Why hand out information which took time, effort and money to garner for free simply because someone asks? Especially when they offer nothing in return. With regard to the second you are off base. Job security and the public good are not mutually exclusive. If a large number of people would fix flaws when publicized I would say widely publicize everything, but they won't just as a large number of computer admins don't patch and even more wouldn't if it weren't for automatic updates. If you want information on physical security weaknesses 'public' you already have your wish. It is. You just have to put forth a little effort looking for what you want to know.

Reply to
Putyourspamhere

because other professions do and I see nothing special about locksmithing.

what's the bitting for American Padlock M21005

Reply to
fugi

because other information was necessary for me to know which bitting to ask for. could you please tell me?

Reply to
fugi
