Re: Obscurity (was Re: "Locked Shop")

I don't think the alt.locksmithing FAQ addresses these issues in any depth at all, certainly not sufficiently so to help someone develop an informed opinion one way or the other. The only thing I can find is an assertion that the arguments that apply to software don't apply to locks, which seems to be based on a rather dubious understanding of the costs of maintaining and distributing software.

I think it would be enormously useful for someone to do a better job at articulating the case for obscurity in physical security systems. Right now, it seems to be mostly locksmiths who even understand what the arguments are. Perhaps there are compelling reasons for it that might even apply to systems in domains that currently embrace openness. Or perhaps the arguments are weak and don't even hold water for locks -- we won't know unless someone can state understandably what they are. I've concluded that the arguments as I understand them are faulty and weak, but I'm willing to be persuaded that I'm wrong. After all, computer security and cryptology researchers face these issues often - perhaps even more often than locksmiths do. We would welcome the kind of moral certainty about how to handle security vulnerabilities that some locksmiths seem to have.

But they don't. Knowledge about locks and how they fail is useful for progress in more than just locksmithing, whether locksmiths understand that or not. Lock users, for one, to say nothing of other kinds of security practitioners (such as cryptographers).

That's certainly my experience -- I've been able to learn quite a bit about locks from the open literature, including many of the more jealously guarded "secrets" about how to defeat them. It required concerted effort, though, and if I had been less interested I would probably have given up. But if it's true that the only barrier to obtaining locksmithing information is time, effort and money, how can one argue at the same time that obscurity benefits security here? Surely potential criminals would have an even keener interest in investing that kind of time, effort and money, even more than would-be locksmiths or lock users. If it's really just a matter of time, effort and money, then it seems that obscurity here is more like an attempt by a trade guild to monopolize and protect the value of its body of knowledge than a necessity for the "protection of the public," as some claim.

Reply to
Matt Blaze

the ABSOLUTE bottom line is 2 things... the customer, AND his pocket book...

Let's discuss security... KW, Weiser, Weslock, Schlage grade 3 are OUT...

Now, define SECURITY... strength of the lock, OR 'strength' of the key and keyway?

If it's the strength of the lock, then we got to go into the building trades... ABSOLUTELY NO hollow core doors... solid wood IF 2/3'4" minimum... NO glass within 6 FEET of the door. This includes windows within the 6 feet. NO sliding glass doors AT ALL. NO pre-made frames either, ESPECIALLY of wood... MUST BE METAL and NOT sheet metal thickness crap.

locks for a house must NOT use the door knob to contain the lock cylinder... IE-deadbolt type ONLY...

Now, if it's the KEY, then Assa, Medeco, or similar ONLY... the lock cylinder in my neighborhood costs $65 PER insertion point... Keys run $5 each. This does NOT include the lock housing, either; that's extra, and adds about $100 for some. (Choice of finish is NOT available, BTW.) ONLY available from the lock shop that originally installed them, BTW.

NOW, you have a BEGINNING of security.

Now, you got a job that pays, ehh, $500 a week, which would be GOOD pay in my area... and you get told a new front door lock is going to cost you a half week's pay... add a new back door lock as well, and you just blew a week's pay... are you going to do it? MOST of humanity cannot NOR NEEDS that level...

Now, SECURITY... I would LOVE to see Microscrap software made that DID NOT NEED 50 'security patches', and even at THAT point, it still got bigger holes in it than the Grand Canyon... --Shiva-- nuk pu nuk

Reply to
--Shiva--

BINGO!!

Matt, I heartily agree with your assessment of this issue. It is unfortunate that some locksmiths fail to see the big picture and continue to engage in counterproductive ad hominem attacks against those who boldly identify security issues that need to be dispassionately examined. Deductive "a priori" reasoning is, by its very nature, suppositional and does not assess direct experience or facts in the way "a posteriori" inductive reasoning does. In some biased discussions the "logic" may follow the "rules" but it is often so heavily invested with emotion and ego that it is as defective as the joke syllogism: "Nobody is perfect; I'm nobody, therefore I'm perfect." Most locksmiths unfamiliar with sophisticated logical discourse often substitute defensive emotionalism for rational arguments to bolster their myopic views regarding Security-Through-Obscurity. I believe that you have adequately defined what it is and also what it is not. One can only hope that the laudable intent of your ethical message was received and understood by a majority of clear heads.

The ethical way to promote real security is to identify ways to improve it. The only way that can be done is by openly identifying its weaknesses. Greater security is needed everywhere. Defining risks, planning improvements, and LEARNING from past mistakes is the path to follow. Playing "locked-shop" Security-Through-Obscurity games only fools the foolish. It is clear that neither you nor I are suggesting that we make certain key codes, encryption keys or safe combinations available. However, if the basic security equipment and system designs are made more effective because we have carefully defined flaws and vulnerabilities, who can dispute the outcome on ethical grounds? The open discussion, identification and elimination of security flaws should be a fundamental area of professional concern within the locksmith industry instead of a source of petty disagreement. However, it is not unusual for some people within the locksmith industry to personally attack and misinterpret the intent of those who engage in candid examinations of security.

Surreptitious methods of entry, such as picking, may be easily executed on many standard lock mechanisms. However, merely hardening the designs to increase the "pick-resistance" of a potential lock target only shuts out opportunistic malefactors. Abundant evidence attests to the fact that most crimes associated with the circumvention of security equipment do not entail surreptitious methods. Brute force and bypass methods are clearly the top choices for circumventing most security measures.

The real value of "pick-resistance" is to force malefactors to use more difficult and time-consuming non-surreptitious methods to achieve their goals. The "hope" is that with an adequate multi-layer physical systems approach to all security risks, the bad boys will seek softer targets to avoid detection. However, "911" was, or should have been, a wake-up call for all security professionals because some dedicated malefactors, who are willing to sacrifice their lives to achieve their dark goals, could care less about detection at the last moment of their final chosen act. That's why early detection and improved intelligence gathering are vital in today's new world of ugly security challenges. Access control systems, pick-resistant locks, encryption schemes, biometrics, restricted information, codes and keyways, etc. cannot totally prevent crime. However, they do force dedicated and determined criminals to use methods that will leave evidence that security has been breached. The real risk in high security situations is NOT KNOWING that security has been breached. Can X-07s, Medeco locks, etc., be defeated? Yes! But the real hope is that the breach will be obvious because surreptitious methods will be less likely to accomplish the task.

In a world where sabotage, espionage and guerrilla warfare have been developed to an art form, it should be clear by now that total security is largely a myth. The best that can be done is to improve early detection or intent, and increase the difficulty and time necessary to circumvent any series of security measures. For the average, non-military, home and business security needs, the primary security focus should be to protect doors and windows against brute force and bypass attack. Add a silent central-station alarm system, CCTV, a mean guard dog, burglar bars, and a moat if you like, but locksmiths should not mislead themselves, or their customers, into thinking the main security risks are adequately reduced merely by upgrading the pick-resistance of lock cylinders or selling deadbolts. Pseudo-professionals simplistically seek only to protect their cash flow; ethical professionals are dedicated to an honest and forthright commitment to the real needs of their clients. With respect to security, risk assessment is vital to the process of improvement. Informing the public about their real risks will actually improve the bottom line for security practitioners. Those who tenaciously resist the progressive improvements that result from an open discussion of security vulnerabilities are essentially undermining their own chosen profession as well as the public trust.

Dave

Reply to
SCHLOSSLOCK

That sure leaves Microsoft out, as far as security.... MY ISP gets hacked sometimes once a day.... thanks to Microsoft's crap software... there is NOTHING that can be done about it, EXCEPT switch to Linux software where the security is far better...

That statement above describes Microsoft TO A T... protect the cash flow... screw the customer, but protect the cash flow... --Shiva-- nuk pu nuk

Reply to
--Shiva--

Is two decades in IBM, mixed product and research divisions, good enough for you?

Software has high development and maintenance costs but essentially zero publishing and distribution costs. Hardware has much higher costs of actually distributing upgrades. That does make the cost/benefit analysis distinctly different.

Check the archives of the newsgroup, if you want to see it thrashed out in painful detail, repeatedly. Most of us who have been around a while consider this a FAQ and are a bit tired of repeating it.

See above. Compare costs of getting a patch out to your customers, per customer, versus cost of upgrading however many tons of brass you want to estimate are in use.

Also compare degree of risk. Computer security can be attacked by other computers on an assembly-line basis and with some masking of the attacker's identity, which puts the threshold of "good enough" in a different place than a single attack by a reasonably skilled human against a single lock with continual risk of being observed.

As I said: Engineering, not science. The goal in most cases isn't the perfect lock, it's the one that makes the would-be crook go bother someone else or delays him long enough to cross his risk/benefit threshold. Obscurity is a legitimate part of that transfer function.

Different game. Different scenarios to guard against.

If you want access to pro-level locksmithing info, go get it. It takes some investment of time and effort and cash. Not a huge amount -- it's within the reach of a serious hobbyist. It really is sufficiently available that there's little benefit to being excessively open here.

And declining to hand it to the world on a platter raises the threshold just enough that those who are willing to make that effort tend not to be the ones who would be most likely to abuse it.

We _will_ discuss some of that information here. People make their own decisions about how much; since it's an alt. group, we can't stop each other, except by flaming the perp to the point of annoyance (which is relatively rare unless someone is *way* out of line and being an ass about it as well). The fact that there is a consensus, and that the serious hobbyists buy into it as much as the pros do, ought to tell you something.

For the rest: If you don't value it enough to make some reasonable effort to obtain it, you can live without it.

See above. If potential criminals were willing to work, most of them wouldn't be potential criminals. We're not (directly) worrying about the guys who break into high-end jewel vaults here, we're worrying about the ass who's looking for advice on how to do basic theft... of which there are a plethora, and of which some periodically do discover this discussion.

We can, and do, share information which is chosen not to help them unduly. That does limit what we'll discuss on the group. Sometimes additional conversations go on off-line, when we feel we know and trust the individual in question.

Consider that copping an attitude, calling names (however mild, and however well-justified you feel the accusations are) and demanding data rather than working for it (including working the social aspect) doesn't tend to facilitate trust.

Reply to
Joe Kesselman (yclept Keshlam)

It occurs to me that this may be a strawman. I agree -- surely few would disagree -- that it would be wrong to knowingly provide a criminal with instruction for the purpose of helping them commit theft. But the obscurity advocates with whom I disagree argue for much more than that: they don't want any open discussion that might have the *side effect* of helping bad guys commit theft, even when it helps the good guys improve or evaluate their security or develop better security mechanisms.

The problem is that discussi

My argument with the publication of the attack method is philosophical. It shouldn't have been published, because the only people it will educate is the people who will use it to compromise security. Locksmiths don't have to be surreptitious in decoding a lock. Locksmiths would rather disassemble a lock to decode it, instead of wasting a few key blanks and time using this technique. That is probably why it has only been published in the industry a few times. Anyone who understands keying knows that master keying is a compromise.

If that really reflects the attitude of the locksmiths and the lock industry toward the analysis of attacks against their products, we are in a lot of trouble.

Reply to
Matt Blaze

It's a direct response to the "seems to be based on a rather dubious understanding". My understanding may differ from yours, but I have basis for it.

For the rest, we agree that we disagree, and I'm willing to leave it at that rather than pursue the matter further at this time. Different assumptions plus same data sometimes does yield different conclusions.

Reply to
Joe Kesselman (yclept Keshlam)

OR: Seek to publish this information in a journal where it will actually reach a target audience who can (a) knowledgeably evaluate it for novelty and correctness, and (b) consider what, if anything, can/should be done about it -- which in this case would mean the locksmithing trade journals such as The National Locksmith, Locksmith Ledger, etc.

I know, that doesn't get you academic publication credits. But that's a matter of letting the rules of YOUR guild drive you into doing the wrong thing...

Reply to
Joe Kesselman (yclept Keshlam)

Whew!! What a long-winded fellow. Big words too. I read two sentences and fell asleep. It reminded me of some professor at a small liberal arts community college lecturing to a group of wide-eyed mush brains and impressing them with his astounding vocabulary (style over substance). I don't even know what you said. (Often the mush brains don't either.) Phil

Reply to
cashcroft

Matt: I've followed this thread a nauseatingly long time without responding. But I've given the matter quite a bit of thought, as have you, it appears, from your postings. I think your entry into this group with the Master System story was interesting, to say the least. My reaction to it was "So what?" As you have seen, there are ways to set up the system so that what was reported could not be done. I'd like to say that the analogy of software security and physical security falls to the age-old argument breaker of comparing "apples to oranges." Software and all of its applications and weaknesses are in their infancy; after all, computers are only about fifty years old. Physical security (locks) dates back thousands of years. (I'm reminded of my studies of economics, where the text starts out slamming the way that accountants look at the world and do their business. Accounting, on the one hand, has had thousands of years to fine-tune the processes they use, while economists first appeared [out of thin air, it would seem] during the first decades of the twentieth century. Accounting is straightforward and merely a way of keeping track of what has occurred. Economics is a pseudo-science that tries to predict the future [gypsy with a crystal ball, anyone?].) Granted, if the software a large company is using is compromised, it can cause great financial losses. But if physical security is breached, it can cause more than loss of financial medium. Phil

Reply to
cashcroft

I apologize if you felt left behind by my "Canadian English." Perhaps we just have better teachers in Canada, eh? However, irrespective of your apparent brotherly reproof appertaining to my prose, the comments I made were specifically directed to Dr. Matt Blaze and self-appointed locksmith industry spokesman, Mr. Billy B. Edwards, both of whom I "assumed" to be capable of communicating as reasonably educated adults. Again, I apologize if I "assumed" too much with respect to you or other individuals visiting this newsgroup. I certainly would never address you or anyone else as a "mush brain." However, since I am relatively new here, I shall further "assume" that your knowledge about the cognitive profile of this newsgroup far exceeds mine. Dave

Reply to
SCHLOSSLOCK

You've repeated this vague and somewhat sinister-sounding accusation several times, the implication being that there has been some kind of dishonesty on my part. It is true that, as is the usual practice with research writing, I revised my paper several times before it was committed to print, removing typos and adding exposition, etc. However, in the case of this paper I've also kept the original preprint version of it on my web site (it's linked to from my "papers" directory). The only document that had "confidential - do not distribute" on it was a fact sheet that AT&T and I prepared when we learned that a New York Times reporter was doing a story on the subject. Even that fact sheet remains essentially unchanged; the only difference between the original document and the version made available after the Times story hit was the removal of the no-longer-relevant header and the addition of a link discussing the reaction to the paper. So I'm not sure what you're talking about here. More to the point, I fail to see how, even if it had any basis in fact, any of this would relate to your argument that people shouldn't do research on attacks against physical security systems.

In any case, the only references I've been able to find to anything like my crypto-oracle attack since I wrote my first draft have been outside the published literature -- in folklore, in Usenet groups and the like (which I took care to cite once I learned of it, even though technically these are not published, archival references). As you yourself point out, the locksmith community, if it was aware of the technique, apparently never saw the need to or value in documenting it. But all this is beside the point, since the focus of my paper is not master keyed systems per se, but the usefulness of cryptanalytic approaches outside computing or communication systems.

The rest of your message just doesn't make much sense. You invoke the specter of endangering the people at the bottom economic rungs of society, yet, as you surely know, few private residential locks are master keyed (except those in some dormitories and apartment complexes, but even those wouldn't be serviced or paid for by the tenants themselves).

While the sincerity and depth of your anger is obvious, your shrill, personal attacks are neither logical nor helpful for your own purposes. In particular, they won't discourage independent research in this area, by me or others. Instead, they are likely to discourage those who do such research from working with lock industry "leaders" when disseminating their results.

It's a free country, of course, and you can be as angry with me as you like if it makes you feel better. But your emotional bluster is unlikely to persuade many others, especially lock users who learn that their systems are vulnerable. It is natural enough to want to shift blame to the messenger, but don't count on others seeing things the way you hope they will. In particular, if you've sold or designed master key systems, you may have some explaining to do if you knew of specific weaknesses that you withheld from your clients. They might expect more than "I hoped no one else would figure it out."

Reply to
Matt Blaze


In the final analysis, the positive outcome of exposing certain security vulnerabilities is that it creates new opportunities for security professionals to prosper while doing the greatest good for their clients and the public at large. Quite frankly, there are bigger security risks confronting us at this very moment.

In a free society we are totally exposed to so many risks that make public disclosure about the well-known vulnerabilities of masterkey systems insignificant by comparison. Dr. Blaze performed a limited objective study and the findings were published. Those who fail to, or refuse to, acknowledge the positive side of the academic exercise, are living in the ancient past.

Each security shortcoming or vulnerability that is exposed offers an opportunity for progress in new product development and improved business. Realistically, we have more to fear from unsecured manhole covers or a one-time cipher string (formerly known as a one-time pad cipher) than we do from any disclosures about conventional masterkey system vulnerabilities.

As long as dedicated security professionals are free to ask tough questions, play devil's advocate, and uncover potential weaknesses, our field will continue to prosper and the public trust will be maintained.

The danger of binding one's ego too closely to any particular position in a debate or argument is that objectivity usually suffers dramatically. True professionals should pursue the high road and refrain from imputing questionable motives to those who are guilty of nothing more than objective scholarship and intellectually honest disclosure.

Overreacting to the point of engaging in ad hominem attacks, angry insults and flame-baiting does not support any argument. This type of activity is clearly self-defeating and an embarrassment to the locksmithing industry as well as anyone claiming to represent its highest standards of professionalism.

Dave

Reply to
SCHLOSSLOCK

Well, you propose in the paragraph that I quoted from your recent editorial in _The_National_Locksmith_ that the attacks described in my paper are of little use to locksmiths and that the only people that documenting it will educate are those that would do harm. If locksmiths don't need to think about attacks, who does? And how do you propose that they communicate with each other?

The security research community does not have a "closed" literature or "secret" conferences, for what we consider to be good and well established reasons. When its members (like me) do research, the results are published in the open literature. Structuring things that way was not an accidental or cavalier decision. It is based on the broad consensus that that is the best way to ensure progress, and a considered belief that, on balance, this helps us more than it hurts us, even when the immediate results may be somewhat disruptive or inconvenient (indeed, we demand open publication precisely to help resist misguided pressure from vested interests to suppress results). This is also how science and academia work generally.

You might think that we're off base, of course, but you should realize that your disagreement is really with the security research community in general and not just me. You can call me irresponsible or reckless all you want, but that isn't going to discourage me or other scientists who might study locks from publishing our results in the future. Instead, if you really think we're doing harm and want the study of locks excluded from the open literature, your best bet is probably to participate in the community and make your case. You might have an uphill battle, since your position is a rather radical one, but it is an open community that anyone is free to try and influence.

You, and based on some of the dismissive carping here, other members of your profession, seem to have an underlying faith that stodgy academics and security researchers have little to offer locksmithing. I suggest that that is dangerously misguided and dooms you to be caught by surprise again and again, whether you think I'm a scoundrel for publishing my paper or not.

Actually, I tried to be scrupulous in avoiding any information or materials that could be construed as secret or privileged in researching my paper (I got your book via inter-library loan, although I later bought my own copy). I didn't want to inadvertently betray any confidences, so I limited myself to publicly accessible literature. (This is similar to the reason that many cryptologists working in the public research community avoid access to classified material on the subject).

On the contrary, the abstractions used in analyzing secure computing and communications systems turn out to provide a very powerful basis for understanding locks and their keyspaces. At least for me, that was a much more natural way to look at locks than thinking about them in strictly physical or mechanical terms. Indeed, thinking of master keyed locks as online authentication oracles leads directly to a bi-linear solution for what would naively seem like an exponential problem for the attacker. In fact, it seems like almost a textbook example, as if master keying practices were invented specifically to demonstrate this class of weakness.

I don't know, but I suspect this may explain why so many engineers and computer scientists report having derived similar attacks as bored college students, while the approach seems to be considered somewhat more esoteric and less intuitive among those who deal with locks as strictly mechanical objects. I certainly never discovered anything like these attacks until I started thinking of locks as computational objects.

[deletia]

No one is accusing you of deliberate wrongdoing, however that does not change the fact that consumers of master keyed locks have been kept ignorant of the possibility of simple attacks against the keyspaces of these systems. The open literature of the field (from vendor materials on the user/customer side to training manuals aimed at practitioners, from Foley-Belsaw on up through your book) is silent on this class of attack and the risks associated with it.

Instead, the conventional wisdom on master keying has been that it reduces security in two specific ways: by the existence of the master key (which might be stolen, copied, or lost -- things the user can take steps to guard against) and by increased vulnerability to picking and impressioning (which are mitigated against with better quality locks). Attacks against the keyspace, especially attacks that require only the legitimate "user interface" of the attacker's own lock to carry out, are an entirely different category of risk. Users of these systems might reasonably have expected to have been warned, especially if the industry had been aware of it before my paper was published.

So why wasn't the risk associated with this kind of attack more adequately addressed or disclosed? One possibility is that it wasn't recognized as a risk, that it was considered only in the context of techniques for reverse-engineering lost keys for customers and not an attack that might be used by others. If so, that's obviously wrong in hindsight but is nothing that anyone can complain about. Another possibility, though, is that the risk was recognized but a collective decision was made to ignore it and hope that no one outside the closed locksmithing world would independently derive it. If that's what happened, it seems a foolish optimism and, frankly, a negligent basis on which to base anyone's security.

Reply to
Matt Blaze

Cheap shot, Phil. I had an AOL account myself for a while. Sometimes disposable IDs have their uses.

Heck, I even had a Prodigy account for a while -- but that was because it was sponsored by Team OS/2.

Reply to
Joe Kesselman (yclept Keshlam)

Dr. Blaze, it should be abundantly clear by now that Mr. Billy B. Edwards Jr. does not speak for everyone within the security industry. In every field of endeavor you will find little men with little minds and little imaginations going through life in little ruts, smugly resisting all changes, which would jar their little worlds.

In a nutshell, Mr. Billy B. Edwards betrays the public's trust by suggesting that security be effectively maintained through various subterfuges, which hide flaws, risks and vulnerabilities. This strategy cannot help but conjure up images of little boys with decoder rings and secret messages hiding inside their password protected chat rooms overestimating their importance. This is clearly an indefensible position. In addition, it totally underestimates the intelligence of potential malefactors.

After reading the strident comments made by Mr. Billy B. Edwards Jr. and others about your security research, it is shocking to discover how many half-educated men have the unmitigated gall to proffer straw man arguments as substitutes for logical argumentation. Predictably, as long as the unsophisticated can be easily influenced by straw man arguments, demagogues of every stripe will continue to practice the art in every profession.

I, for one, wish to thank you for making your research work available to the general public. I have no doubt that it will inspire others to search for better ways to improve security.

Dave

Selected paragraphs from Matt Blaze's reply to Billy B. Edwards Jr.:

Reply to
SCHLOSSLOCK


Maybe I'm missing something here, but the fact that master key systems can be readily decoded in the field has been widely known (and publicized) within the government, the locksmithing profession and the security industry for years. The former president of the ILOA, Edwin Toepfer, wrote a series of articles on locks for one of the security monthlies about 30 years ago detailing one method of how it could be done. The article was reprinted and used by Sargent to promote their "Keso" system when it was introduced.

Blaze may have hit on a new technique; if so, he deserves the credit for an original invention. Its sole use, however, is to provide a key to someone who is not supposed to have one. As a practical matter, does it make more sense to quickly remove a cylinder or two, decode the master and reinstall them, or to stand around with a bunch of blanks filing keys hoping you get the true master?

Reply to
Jim Gaynor

Jim,

I'd be quite interested in seeing that; do you have a reference to the original article or the reprint that I'd have a chance of tracking down?

Reply to
Matt Blaze

Your statements are true but not really relevant to the debate. Blaze never promoted the method elaborated on in his paper as a practical method for locksmiths. I don't think anyone else has defended it as such. The paper was to expose (right or wrong) a security vulnerability. The whole point was that this method could be used to get an unauthorized key.

Reply to
Putyourspamhere
