Re: `Safe cracking' article and matt Blaze

The real problem is that people like Blaze are in positions of trust in society. Then he abuse it by publishing trade secrets in the name of research.

When they do things like this and get away with it it gives other peoples like him the idea that this is OK. We have to nip it in the bud or soon there will be no security left after these intellectuals get through with us. Ed "Lockie" NYC Locksmith, retired Real World Security Professional

Reply to
the_lockie
Loading thread data ...

The only thing about the article that could really be called a trade secret would be the section on manipulation. The only thing that stopped that so called secret from getting out before was the price tag on the books that cover it.

Reply to
TheTOWCH

and a person with no security ethics named matt :-)

Reply to
Key

I think you meant to say:

We have to nip it in the bud or soon there will be no __APPEARANCE_OF__ security left

This is so silly on so many levels. You sell a product that has known deficiencies so that you can break in when you need to. Then you act like it's a big deal when someone talks about it! On top of that you act like it's a matter of national security when, in fact, it changes nothing.

It does not take a brain surgeon to figure out that anyone can buy a safe, disassemble it and figure out it's weaknesses. The fact that every single copy of model X is built the same way is planned insecurity. Now THAT's a crime. That they are sold as secure when they are not is a crime.

If you want to get Blaze to protect your job, that's understandable. To villify him for openly discussing what is known within the industry to be common shortcomings is shear hypocrisy.

I'm still waiting for SCHLAGE to notify folks that it's recalling their defective entry locks. Wait, they can't so that without disclosing that they are insecure, so only the locksmiths and burglers know.

I must be in a foul mood, because I've seen 5 holier-than-thou posts in the last hour. If anyone should be proescuted for lessening the national security it's the companies that sell insecure locks and safes without warning their customers that they are vulnerable.

Sigh

Reply to
dbs__usenet

ail

Not really. The manipulation information covered by Blaze has most all been in the public domain and easily available to anyone who bothered to look for at least several decades. I had a surprisingly good book on it when I was 15 or so. Cost was about $10.00 give or take. Drilling information has always been harder (read more expensive) to come by than manipulation info due to the sheer amount of research needed to compile it.

The drilling information Blaze covered isn't specific enough to enable anybody to do the most efficient job on a given box in most cases either.

The article is pretty harmless. Truth be told I could give someone exact instructions how to open a given container and 9 out of 10 people off the street would be unable to carry it out under hostile (i.e. while committing a crime) field conditions. The one that could wouldn't have much trouble getting the info on his or her own even if it meant buying the safe in question to study it.

Reply to
Putyourspamhere

Bullshit (and I've called you on this before)

What is "the locksmith trade" doing ? It's selling over-priced "secure" products to an unsuspecting audience who don't realise their limitations. This extends from the S&G products described in this paper down to (&deity; forbid) Sentry.

Now if the situation was half as bad as you claim, then you should be ashamed. Not Matt Blaze, but _you_ and every other locksmith who has been selling these things. Because if all it took to make these locks open to widespread manipulation was this one paper, then you've been selling a shoddy snake-oil product and ripping off your customers for years.

Of course we know the situation isn't that bad. Manipulation is a hard skill to acquire and the average burglar will still favour breaking the window to putting in any effort. And many of them are too strung out or just plain dumb to read this paper, let alone learn the contents. But the fact remains that the products of the "security" industry have been compromised for years and rather than accepting this and fixing it, your reaction is this secret-squirrel Guild mentality that hopes the problem will go away if you ignore it. Well it won't - the real bad guys knew this stuff beforehand, and they passed it around.

What are the problems exposed in this paper ? Mainly that poor manufacturing allows the disk pack to be read. Well how about _fixing_ that problem, rather than whining when someone points it out? Or are you waiting for China to discover the lock industry and take that away from US industry too, when they offer a better quality product at a sensible price ? For the only thing keeping the fat mark-up on Group 2 combination locks is inertia in the retail channel and some diminishing work for higher security products in government. What''s the difference between Group 1 and Group 2 anyway ? A buck's worth of extra parts and _not_ having the sloppy manufacture, that's all.

In the computer security community there's an entirely different attitude, in two ways. One is that "security through obscurity" as you rely on it is a joke. A mechanism is only judged secure if it's still secure _despite_ the bad guy knowing the whole details. This is attainable too, and it means that IT security products (the real ones) out in the field are a lot more robustly engineered than physical security products.

Secondly there's an attitude that beating up a system's weaknesses in public is a _good_ thing. We know the bad guys do it in private, so if we can't stop them, we'd better do some of it too and improve the techniques as a result.

Of course there are snake-oil IT security products. They come from big corporates and they're sold to fools in suits who don't know any better. Neither side follows the two principals above. WEP (wireless networking) and any product of M$oft are just the more infamous examples. Most IT security failures are like physical security failures though - social engineering and conning the humans, rather than addressing the rather less easily fooled hardware.

As to your ad hominem attacks, then you should be thoroughly ashamed. Are you an American ? Do you have any understanding of the Constitution and the freedoms it holds most dear ? Yet you have an attitude that's straight out of Communist North Korea, where your secretive control-freak sham would be more at home.

Reply to
Andy Dingley

REALLY??? I KNOW for a FACT that the people that own Kwikset (Black and Decker) do NOT care ONE BIT on their patent, ASSUMING they even GOT one, on the KW handles.. I am getting CHINESE locks that unless you look INSIDE, you cannot tell who made it, and except for 1 part, are TOTALLY interchangeable..

PLUS, so far, according to all the safe literature I have seen, its usually pretty easy to open a 'chinese' safe.. ther MAY BE exceptions, however all the literature I have seen at the moment, has not shown one.

For the only thing keeping the fat

correct-whats the diff between a door knob and a handicap lever? .75 worth of stuff, BUT the price can differ $75. WE cannot buy it cheaper, WE are held by the manufacturers and THEIR greed. and I have seen some REALLY sloppy group 1's..

example.. Microsoft..

suggest you go back and read some new rules/laws passed.. Patriot acts 1 and 2..

--Shiva--

Reply to
--Shiva--

To a large degree yes. Lockie pretty much only posts here to whine about something Matt Blaze has published and then typically links right to it to maximize the potential "damage". Lockie might even be Matt Blaze increasing the exposure of his articles without opening himself up to accusations of shameless self promotion. Yes. I'm kidding. But Blaze himself couldn't come up with a better teaser to get people to read his papers than lockie does.

Neither example is especially "over-priced" and both are quite adequate for their intended purpose. If you need a burglary safe you don't buy a safe designed just to protect from fire and if you need strong protection against covert entry you buy a manipulation resistant lock. Not to mention that physical security should be supplemented by alarms and/or surveillance anyway. To be completely honest my chief criticism of the combo lock paper by Blaze is that none of it is original. I'm sure he actually got some hands on experience with it and verified what he wrote but it still amounts to little more than a book report on what has been public domain for decades.

As has been said time and again for anyone who bothers to listen NOT EVERY CUSTOMER WANTS OR CAN AFFORD THE HIGHEST SECURITY DEVICES AVAILABLE. The situation is the same in the computer world, although there the trade off is more convenience than cost based. Linux and Unix are arguably a hell of alot more secure than windows but which OS do you think makes up the overwhelming share in the PC market? Add to this the fact that the 'openess' of the computer security community with regard to the discusion of flaws makes it possible for every script kiddie and his or her brother to download the latest exploit which they typically could not explain the workings of if you put a gun to their head much less create on their own. It's highly doubtful that openess with regard to computer security is on the balance beneficial to the overall security of the average user.

Virtually all security is compromisable in some way. You can take the best computer or physical security in the world and put a gun to the head of whoever has access and you are likely going to get in. All any security can be expected to do is slow an attacked down and make his job harder.

Well

It's debatable how much the bad guys "pass" stuff around. What's the upside to them doing so?

It's been done already. Many manipulation resistant lock designs exist. The

6730 and similar is the lowest security lock in common use on anything approaching a "real" safe. Safe manufacturers also add to the difficult by designing boxes that minimize the weakness of the locks used.

China doesn't typically offer quality. Only price.

For the only thing keeping the fat

Precision tolerances cost alot in any mass produced product.

Which is largely why my firewalls record dozens of attempted attacks a day by mindless little script kiddies that are lucky if they even know how to use the tool they just downloaded.

A mechanism is only judged secure if it's

There is no mechanism completely secure. As somebody else already pointed out: Who would want one? In the event of a lockout you would not be able to get at what it was that was so important to secure.

And just like with physical security products inferior, usually much more convenient products outsell them by a large proportion. Look at sales of linux vs windows.

Yep the script kiddies love it. It keeps them in the game.

We know the bad guys do it in private, so if

The question is do you cause more successful attacks and greater overall damage than you prevent or vice versa? I have never seen any scientific evidence presented either way.

Yep.

Neither side follows the two principals above. WEP (wireless

Comparable to Kwikset and similar. The main difference is it's alot easier and cheaper for all affected users to download a patch for windows than it is to replace every Kwikset in America.

Most IT security failures are like physical security

An ad-hominem attack seeks to discredit an idea or stated position by attacking the person who holds or presents it. Nobody is doing that. They are just stating the position that he's irresponsible. That's not an ad-hominem attack.

then you should be thoroughly ashamed.

Why? Because they stated an opinion?

Do you have any understanding of the

Uh yeah I think they are excercising their first amendment rights and criticizing Blaze's actions.

Yet you have an

What kind of lock do you have on your house and where do you live? Alarm? Dog? Guns? When do you go to work? A little secrecy isn't a bad thing. If you disagree you'll have no problem answering all the questions.

Reply to
Putyourspamhere

Patriot Act two has not passed and if half the people who complain about it bothered to write their representatives in Congress it like won't.

Reply to
Putyourspamhere

In the field of cryptography, where Matt works, there's a central tenet, which holds that security that derives from withholding _procedures_ is no security at all. In other words, if publishing an article like Matt's negates the security of safes, then safes were never secure to begin with. The principle is called "security by obscurity." True security would require that the safe is secure (to the desired "hardness") against someone who knows every detail of its design, but nothing about the combination. Thus, "security lies in the key." Those in the cryptography field have watched inferior systems and those based on obscurity fail time and time again; their goal is to produce more refined systems against which no attack -- outside of knowing the key itself -- is more efficient than brute force. The field of locksmithing would benefit from doing the same.

And, on another note, customers would benefit from knowing what they're getting. Blaze's final conclusion, unless I'm badly mistaken, is that while some safes aren't as good as might be expected, they're still moderately resistant to attack; and more advanced safes are available that provide more resistance to known attacks. It's only in the best interest of security for customers to know just how secure systems are, and to make an informed choice based on the level of security they need. So blasting this publication on moral grounds is itself professionally irresponsible.

Sincerely Andrew Rodland

Reply to
hobbs

- Shoot the messenger then?

- You define "flaw" as "trade secret"?

- You are obviously much better suited to be the guard of those secrets?

- Why should I trust you not to sack my safe, since you seemed to have known the flaws for a long time? And not published them?

- How can I trust you as a locksmith, when you're not telling me which flaws these locks have? When I know that you know how to circumvent those locks?

being provocative Jonathan

Reply to
Jonathan Apfelkern

I didn't see anything in Blaze's article that could properly be called a trade secret. Trade secrets are information that an organization guards in order to maintain a business advantage over the competition. Marketing strategies, manufacturing techniques, customer lists, etc. are within the realm of trade secrets. Locksmiths and burglars aren't competitors. In many ways they are in a state of symbiosis. Without better burglars, there would be no need for better locksmiths. With better locks and locksmiths, burglars need to improve their skills in order to succeed at their "trade".

And, nothing within his article would give a safe lock manufacturer advantage over another. Had he published the exact makeup and manufacturing methods for Relsom, as an example, that would be something that Mosler could consider a trade secret. I saw nothing of the type there.

Is the material offensive to some locksmiths? Very probably yes. But it isn't a trade secret, any more than instructions on how to change your own oil would be a trade secret to Jify Lube, or instructions on how to replace a light socket would be a trade secret to an electrician. The fact that the information is well-known within the trade itself is a very good argument against it being a trade secret, especially if as has been suggested it was originally published and made available to the trade 40 or more years ago.

Reply to
Jay Hennigan

PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.