`Safe cracking' article and matt Blaze

Fellow security pros:

I have read this message board for a while but this is my first posting here. Thanks to all of you for some very interesting food for thought over the years. I'm a safe tech in Delaware with customers up to Philadelphia and am familiar with this University. My shop does mostly commercial work these days, mainly for some big companies you probably know and love. Still, it's a living and I wouldn't trade it for the world.

I just wanted to let you all know that I sent E-Mail to University of Pennsylvania. I sent it to the three addresses here of Mr. Pereira and Mr. Glandt and Pres. Gutman. Plus I found another one that got a response that sounded concerned. That is Maureen S. Rush, M.S., CPP, Vice President For Public Safety, Division of Public Safety, University of Pennsylvania, Phone: (215) 898-7515, Fax: (215) 573-2651, E-Mail: snipped-for-privacy@publicsafety.upenn.edu

She responded promptly to my concerns. Obviously she understands the security problems with this kind of material. You should also send to the other 3 addresses too.

In my letter I explained my background and how this makes my job harder and will weaken security for everyone.

I don't want to put my letter in a public place here because I talked about what was right and wrong in the article and I don't want to give aid and comfort to criminals by pointing it out here. Any real pro will have no trouble seeing what's fiction and what isn't in the article though.

Well, that's it. Just wanted to say hi to my fellow pros and pass on this maybe useful info.

Howard "Howie" Slokum

the snipped-for-privacy@yahoo.com wrote:

Reply to
a1locks

What steps do you think you can take Ed ???

The U.S. Constitution specifically protects free speech (Amendment 1) and also limits the period of time for which authors and inventors can have exclusive claim to their writings and discoveries (Article I, Section 8).

The "Homeland Security" concern is bullshit, and anyone who uses it in an argument is basically all but saying: "I have no other real point to make so I will say 'Homeland Security' in an attempt to scare you into taking me and my words more seriously than you would, because you don't or can't understand what I am talking about, and I want you to agree with me without questioning what I am saying"

Why not read up on copyright law, "Fair Academic Use" specifically...

Ed, it is quite unfortunate that you do not see that you and others like yourself who are so outspoken about Mr. Blaze and his work actually make it MORE credible the LOUDER your outcries against it are...

The fastest way to make something more interesting is to tell people not to look at it, or to say that it is so outrageous and shocking to "trade professionals"... If you truly want Mr. Blaze and his papers to fade into obscurity, then IGNORE them and they will fall into the cracks of the Internet and soon be forgotten...

WOW: Here is a really dumb NEON sign advertising the very thing you say is SOOO BAD... Ever thought of NOT contributing to the interest in the work you say is so dangerous for everyone's safety??

I am sure that people could say the same thing about attempts to "reason" with you...

I am sure that they would not like the fact that you linked their e-mail addresses in a UseNet Newsgroup... I am sure you have heard of the concept of SPAM... Next time names and titles would be good enough and anyone who cares to contact them could go to the UPENN website and look them up...

~~Evan (Formerly a Maintenance Man, Now a college student with a 3.85 GPA)

Reply to
Evan

Welcome to the group Howie I hope we see some posts from you now and then. I don't post a lot because I specialize in antique autos & motorcycles and do Safe deposit box work so I don't keep up with the latest and greatest except what I read in the group. I subscribed to LL for many years when I was doing general locksmithing work but dropped it when I started doing the antique auto stuff. Good to see a new face....

Leon Rowell

snipped-for-privacy@gmail.com wrote:

Reply to
Leon Rowell

I'd like to know how this makes the job of installing and servicing safes harder. I know how it might make it harder to sell cheap safes if people realize that the ratings are rigged and that they all have vulnerabilities, but how does that make it harder to service them?

Does anyone else see the absurdity of this person explaining to a perfect stranger the ways that Blaze was correct and incorrect in the guise of maintaining security secrets? If he was truly concerned with keeping the knowledge restricted to the initiate, he would never have confirmed those secrets to unknown third parties.

Methinks he's just worried about his livelihood, and using public good as a shield.

Daniel

Reply to
dbs__usenet

Interesting article - good effort, however obviously written through the eyes of an IT guy and not an equipment guy. Have dealt with these types before and they can be a dangerous bunch ... shooting their mouths off about something they can't come to grips with. Really should concentrate efforts on the IT side, vapourware, firewalls, PKIs, smoke & mirrors, horse-shit, etc... etc .....

Want to do something righteous Matt - come up with a hack for the P4 card .... there's a challenge for you !

#1 question to him is would he dare to place his precious server in a senior safe constructed for that purpose ?? Passwords seem to be easier to hack/crack than trying to punch out the tongue on a pair of redundant S&G 6435.

Some of the info is in the public domain. There are quite a few assumptions, he completely missed the boat on many points and yes, some information which really shouldn't be published publicly. Shame on you Matt .... "thou shalt don the hood of shame and stand in the corner for the next week or two."

Obviously looked only so far, maybe as far as his arm could reach - should have looked to see where some of the standards come from and even go beyond UL and look at UL/C, CEN, RAL or VDS where it's a real challenge for the OEMs to come up with a creative solution to thwart attack.

Think now there's a bit more mystique to "lock whispers" (LOL) than before .... Oceans 13 anyone ??

Regards, A.J.

(Bank Security Engineer)

Reply to
Homer J

I wouldn't be quite as upset about his papers if he was (a) a bit more selective about what details he included, (b) a bit better informed (as you say, he's missed some significant points in this one), and (c) if he was actually saying anything new, rather than writing a not-particularly-good review-of-existing-literature document that doesn't even achieve the goal stated in the title of drawing implications for one field from the other (either way).

If he was my grad student, I'd give him a C on this one. It's pretty, but it's pretty empty of actual thought. No publish-or-perish points.

Reply to
Joe Kesselman (address as shown

"c" is especially accurate. It might as well be a book report.

Reply to
Putyourspamhere


Sounds like you and your fellow security professionals got caught with your pants down. Either your locks are secure or they are not.

If someone points out the flaws in your security you should fix those flaws. Instead you are blaming the messenger for something that is ultimately your own fault.

Don

Reply to
Kitchendon

I must be out of touch with reality.

What is it that is so terrible with Matt Blaze's article?

He didn't discover ANYTHING, he simply put all the info in a public place. There is NOTHING in that article that any locksmith didn't already know. So he told the world how to open a safe (um hmm). Those of you who are familiar with the methods described know that just reading 1 article about the principles involved will not get the safe open, any more than reading a book about landing a spacecraft on the moon makes you an astronaut, or reading the owner's manual to an automobile makes you a good driver.

I personally would like to see 1 ( just 1) non-locksmith open any safe with just the info given.

I may just try that. I have a safe in my office whose combo was lost years ago. I think I will give the article to one of the employees and see if they can get the safe open. I may even use that for my next apprentice 'test'.

Reply to
Keyman55

it can't be 'fixed' really. like computer security, anything that has 'access control' can be accessed by the authorized user or process. so there's a way in, it just takes manipulation for a non-authorized user to gain that access. of course lack of bounds checking and data integrity in careless people's code makes that easier, much as simple locking mechanisms make it easier. the most you can do with access control is slow unauthorized access, and hope your efforts to impede your enemy will allow you the time to detect the attempt at intrusion and then work offensively against them instead of relying on your defensive structures in place.

a high quality safe with thick hardplate, angled steel, and a relocker among other items to protect against brute force attacks, and a quality lock such as an X-09 to protect against manipulation, and an alarm system to alert the proper people (read Armed people) of the intrusion occurring will prevent most any burglary. but it doesn't come cheap, and obscurity at this point doesn't create any further security.

we need to drop the secrecy as it only instills a false sense of security in using the improper procedure to secure an item of value.

Reply to
fugi

most locks do actually "protect" things they were "designed" to protect.

sure it does.

it's not the reason "locksmiths insist upon keeping 'secrets'". "making money from people" has absolutely nothing to do with it.

again, doesn't really apply.

Reply to
Key

Security through obscurity isn't security at all. I'd rather have a listing of all of the ways of getting around a lock so that I can secure against _that_, instead of being ignorant and relying on the hope that all would-be safe-crackers are ignorant as well.

Reply to
t3knomanser

The concept of 'security through obscurity' is SO false and outdated.

You should be ashamed of selling your customers devices that depend on this kind of 'security' - it is YOU who should be censored and reprimanded.

If I purchase a safe I would like to think that it is proof against a reasonably professional safecracker, and that such a safecracker would be required to employ brute force tools to open that safe. I DO NOT want a safe that could be opened ( and closed again !) undetectably by a pro, for example.

I say this in all kindness and without any malice whatsoever: you're a fricking moron !

Reply to
bovanator

I would love to see a published list of XP's flaws as well, but it ain't gonna happen.

--Shiva--

Reply to
--Shiva--

those are available.. HOWEVER, when you hear the prices, you start getting a 'portion of your body' in a SUDDEN serious pucker..

MOST people will NOT 1. LISTEN, and 2, pay for it. they will not spend the money..

the old rule was whatever you were 'putting in the safe', the safe 'should cost' 10% of that value. or rather TOTAL security of the items should be 10% of value. --Shiva--

Reply to
--Shiva--

someone isn't familiar with bugtraq...

Reply to
fugi

Read BugTraq

--Shiva-- wrote:

Reply to
gfish


somebody doesn't bother to use XP, with its 3 back doors..

--Shiva--

Reply to
--Shiva--
