'Safe cracking' article and Matt Blaze

You are a security professional. The idea that you have no influence simply because they already have equipment is bunk.

Every executive, manager, and most homeowners I've known are more willing to listen to an obviously informed, experienced third party than a random retailer trying to part them from their money. Your opinion could well drive their next purchase to a much more secure safe/lock. If you told them directly that their low-end safe was vulnerable to well-known weaknesses that even moderately experienced crooks could find and exploit, you could easily convince them to upgrade (and give the cheap one to granny). The manufacturers all make more robust equipment, the clients just don't know how to tell because the trade has hidden its vulnerabilities.

It has aided and abetted criminals for decades by not retiring outdated products. Cars were required to install seat belts in all cars, why shouldn't your industry be required to install better locks in all safes?

Or you could keep denying any responsibility and professional pride as long as the money keeps coming in. The idea that since you can't fix all the problems you shouldn't do any small part is pathetic. I suppose you'd be as proud of being a draft dodger? It fits your logic.

Foxy

Reply to
Foxyshadis

What?? Windows updates come out frequently more than once a week. With most systems shipped Windows autoupdate is enabled unless you choose to disable it.

Even

AV software is updated at least once a week with new virus definitions and other changes, typically automatically. If not updated regularly it would be useless.

Software is MUCH more easily updated than physical security devices. In most cases "updating" physical security means the complete replacement of the device.

Reply to
Putyourspamhere

The reaction in this group to Professor Blaze's paper is extraordinary. I almost wonder if the vitriol being poured out is not a case of "the lady doth protest too much"? It certainly isn't based on logic!

Blaze has been simultaneously accused of divulging secret information, and also of writing an article that was merely derivative of well known facts. He has also been accused of aiding even lazy "script kiddie" burglars in learning lock manipulation, and at the same time, of omitting important basic facts, and treating only the simplest and cheapest locks.

It should be obvious that these accusations are contradictory, and therefore at least half of them must be wrong. It is not difficult to determine which ones are wrong, because if you read the article clearly and with an open mind, Blaze clearly explains. Yes, he does omit important basic facts, and discuss only the cheapest locks--and says so too, because this is not a guide to safe cracking. Yes, he does draw heavily on earlier writing about safe security--and says so too, because the paper is not fundamentally about criticising safe security, it is about seeing the way the industry as a whole works with its defects, in comparison to IT security.

This paper is a survey of information about safe security, and the directions in which that more experienced field can aid research into computer security. He does criticise some areas of safe security design, but overall is quite complimentary to the profession. And he does, in the process, discuss ways that the very cheapest, nearly obsolescent locks can be defeated--information which is already in the public domain. Sure, some of the info you get on the 'net or in cheap books is incomplete, but isn't Blaze's discussion also incomplete on those details?

There really doesn't seem to be anything here to get upset about, and frankly not a lot of interest to safe technicians--but it is interesting, as it was intended to be, to IT security people.

Now a couple of specific points:

  1. Someone pointed out that fixing thousands of defective locks scattered around the country is a lot harder than downloading patches. This is probably true, and a fair comment, although I think you'll find that downloading patches to thousands of machines is a lot harder and more expensive than you realise. However, upgrading lock packages has clearly occurred in the past, and in the particular case of safe lock packages, they actually seem to have been designed for it. With the common form factor and simple mounting, it should only take a few minutes on-site to swap a package over. To defray costs, the old lock packages could be returned to the manufacturer for factory modification and re-issue; make up any difference with a small "annual maintenance fee" to the client. Personally I'd much rather pay than unwittingly live with an insecure device.

  2. I do think it's reasonable for security consumers to be informed about types of weaknesses in products, at least at a general level. For example, most users probably don't care too much about lock manipulation and will be happy with a Group 2 lock, since lock manipulation, as I am sure you are all aware, is a quite rare method of safe burglary. However I know of a certain business (and I am sure there are many like them) that uses a safe to protect sensitive but time-degrading information. To have that information stolen from them would be merely inconvenient, so they have a fairly cheap safe; however to have it stolen *undetectably* would be a disaster. They need Group 1 locks, but they didn't know it, because as mere security consumers they were considered unworthy of such secrets.

  3. I am rather puzzled by claims that Group 1 lock packages are dramatically more expensive than Group 2. OK, I'm not a locksmith, but I do know a little bit about metalwork and I just can't see it. Looking at Blaze's Fig 18. (c) and (d) (Sargent and Greenleaf 8400 Group 1 lock with butterfly dial) vs. Fig. 1 (Sargent and Greenleaf R6730 Group 2), I can't see more than four or five dollars difference between their internals. OK, the 8400 may have other, expensive enhanced features to resist drilling and so forth, but the anti-manipulation feature is simple--ingenious, but simple--and could easily be installed in the cheaper lock if people only knew it was available so they could ask for it.

  4. The fellow who is advocating sending harassing letters about Professor Blaze should do a little more homework. The tone of the suggested letters suggests that it is thought Blaze may be some minor assistant professor at UPenn who can be harassed into complying with your demands. In fact, apart from being an Assistant Director he is an eminent, highly respected person who is, for example, chairman of the world's largest computer security conference, a frequent advisor to Congressional committees, and an occasional security advisor to NIST and the US Department of Justice on certain classified programs.

  5. Blaze's response to this issue last time it came up is actually quite interesting. Among other things, he found evidence that the debate within the locksmithing trade goes back a long time:

Cheers, Roger
Reply to
roger_for_nntp

ROFL... guess you never worked on one then.. it's sorta like working on your lawn mower, but, it's not as quick as 'changing the plug'. it's more like at times, changing the head. I was quoted one time, the time necessary to change a lock on a vault to 'another model'.. by Mosler reps themselves.. They said to allow 40 man hours PER lock to make the new model fit. and this was a group 1 to a group 1, too

no, they need a SAFE. too many times, they 'go to the local 'buyers club', plunk down a couple of hundred for a safe', and think they are secure.. they don't ASK.. and a group 1 lock mounted on a 'supposed' safe is a moot point, usually they just take the whole thing and open it later

as YOU stated above, manipulation is the LAST means of entry.. it takes too long, and where speed is the requirement, there are other methods.

and look at what 95% of the world's computers use.. Windows..and 'how secure' it is.. how many THOUSANDS of patches have been posted? and how many THOUSANDS more need to be posted to fix the computers?

I had a kid show me one time, how secure the web sites were.. He logged on to HIS ISP, and in 45 SECONDS, went to MY ISP, got my name, addy, and phone number from THEIR server.. (using Windows software on my ISP) and never left a trace.. that's security??? I think not.. Matt needs to fix his OWN area first..something that I have NOT seen happen, in the long years I've been using a computer, since DOS 2.2 in fact..

--Shiva--

Reply to
--Shiva--

ONE MINOR FACT that you are leaving out is that these conflicting opinions you are citing above originate from different people... In any aspect of life there will be people with opinions that differ based on the individual's level of knowledge in the subject area and other life experiences...

To respond to your statement regarding the "script kiddie" comment, I feel that Blaze's papers WILL clue some people in to things that they never knew about before, nor had any idea of where to seek out such information prior to Blaze's papers... Lazy people usually don't put much effort into researching things, but will make use of information that gets dumped into their hands...

The statement you make about half of these arguments being wrong only shows that you are quite biased yourself... The world is NOT "right/wrong" or "black/white", but it is vastly made up of things that exist between these polar opposites in "shades of grey"...

There is an underlying problem here that Blaze and the people most outspoken among his supporters are failing to realize, the operating principles that work well in the IT industry might not fit into other aspects of life, including physical security...

Security is not about locks alone: (The following is copied from an earlier post I made on the topic...) The concept of "Security" is not achieved simply through the installation of a lock or a safe... It is the collective achievement of an entire effort of an individual or organization that includes locks as only one element of the greater scheme, which includes but is not limited to:

-- Locks (and the Doors and Walls that contain the room)

-- Security Personnel (Guards, Armed or Un-armed)

-- Electronic Monitoring Systems (CCTV and Burglary Alarms)

-- Policies and Procedures that reinforce the goal of "Security"

-- An Architectural Design that supports the goal of "Security" (Think of a school, which by design is easy to get out of in the event of an emergency... This element of its basic design also makes it easy to get into as well, and is much more difficult to later adapt such a building to being more "secure" while still remaining "safe" and easy to get out of during an emergency ...)

While I agree that there are parallels in basic concepts of Security in the IT and physical security industries, the execution of the ideas varies... In the IT world programs can be made or set to reject access requests/attempts after a certain number of incorrect attempts... Keyed locks and mechanical combination locks do not nor will likely ever have this type of capability incorporated into their designs... Blaze acknowledged the biggest factor behind this issue, mainly the economic choices that people make, "Security" is an abstract concept to most people who don't deal with it for a living... Money spent on putting the most expensive "high-security" lock on a door with windows or leading into a room with windows in it will be wasted if one motivated burglar happens by with a hammer... Many customers want what they want and don't care to listen to "extra" advice offered, especially when it has to do with altering more than a door (or its lock) to enhance security...

I agree that it is a survey of information, however it is unfortunately very biased by Blaze's perspective of the world looking at things and concluding that they would be somehow "better" if they would only follow the same principal methods of operation as the IT industry...

I know cryptography is a fascinating field and agree that locks and parts of locks fall into that area... However, the DESIGN of locks has little if anything to do with that concept...

While I am generalizing about downloading software patches, my perceptions of software being "readily fixable" via a download are much closer to reality than your generalization about locks being fixed or swapped out "in a few minutes"... Skill levels come into play here and as others have noted many computer systems "automatically" update unless the user is savvy enough to disable such functions...

Software downloads are much more compatible with the system they will be installed on because the program conditions that are in error are known... Swapping out a worn/defective/obsolete lock is not quite that easy unless THE EXACT lock being replaced is still available... Older safes and even newer models have differences in the construction/configuration of the container... The skill level to adapt a current lock into field conditions that are not the same vary from easy to difficult, and the time factor involved in that undertaking is much more than that of locating and installing a new patch to fix a "bug" in your computer...

A person buying a safe is not a "security" customer, they are someone buying a safe... It is true that not all safes are created equal, and some people don't wish to expend more money on the safes that are "better"...

Making that statement would be like me saying someone looking into buying a computer wants to be educated about the world of IT, which often times is not the case...

I agree, "Lockie's" comments are not the best way to make his point... NOR is advertising the very thing he finds offensive an effective way to go about complaining about it...

I don't care about who Blaze is, I understand that he is very well versed in computer technology areas, however, his skills at linking this to other areas of life are lacking... I could probably write a similar paper about locks being similar to computer science and have the same response to it from IT professionals that Blaze is getting about his from locksmiths... It is a matter of perspective... His perspective on computers is dead on, but his views on other aspects are a bit clouded and therefore he compensates by adapting things he doesn't fully understand into things he does by making comparisons... That is not the most effective way to fully understand a topic in which you are writing a research paper on...

I also agree with several of the others here in the newsgroup that would have graded his work as "average"...

Evan, ~~formerly a maintenance man, now a college student

Reply to
Evan

Reply to
rsazima

and your purpose of re-posting what the snipped-for-privacy@yahoo.com wrote would be ?

Reply to
Key

If you want to evaluate whether the average locksmith is interested more in helping his customers or in protecting his job, you can conduct this simple experiment:

Borrow a Ford or Lincoln automobile with a keypad lock. Lock a set of keys in it: just set 'em right in the front seat, where the locksmith can see them. Phone a locksmith, and tell him you locked your keys in the car, and don't know your keypad code. When the locksmith shows up, he will perform a couple of maneuvers that you yourself could have done (if you took a few minutes to make the tools, although it'd be illegal for you to have them) and then, if he cares more about protecting his job, he'll collect his fee and leave.

If he cares about his customers, he'll collect his fee, and then show you how to look up under the dash near the steering column and find what your keypad code is. Oh, I'm sorry; did I give away a trade secret?

Reply to
syberghost

gee, was never told the code was there.. 2 OTHER places on the vehicles, yes, but not under the dash.. gonna have to go ask the Ford dealer about that one. and I tell them IF they are in that situation.. another funny.. if the BATTERY is dead, the buttons don't work IF they DO know the code

--Shiva--

Reply to
--Shiva--

No because that is not where Ford Lincoln Mercury typically puts the code. It's usually somewhere in the trunk on a sticker. The location varies.

Reply to
putyourspamhere

Just a quick top of the head pass:

*encryption
*system administrators charged with security
*secure operating systems, secure network protocols

Yes, and making computers both easy to use and secure is at least equally as challenging. For example, making MS Windows secure in one go without also making it obsolete would be impossible.

Y'all are as ignorant of computer security as you claim Matt Blaze is of physical security.

I doubt that Matt Blaze intended his article to be a research paper. I suspect he had hoped that it would stimulate a dialogue between physical security experts and computer experts. Or maybe he's just curious about the mathematics of mechanical lock design.

Somewhere in this thread someone criticized the existing security in computer systems. Computer security experts, like Matt Blaze, have often criticized the computer security industry. The experts get much the same reaction there that Matt Blaze's article is getting here - ostriches burying their heads in the sand.

If you can write a similar paper from the physical security perspective, then do it. I suspect that would please him, as it would at least be the beginning of a real dialogue.

But I can't speak for Matt Blaze, only knowing bits and pieces of his reputation and not the man himself.

I'm tempted to cross-post some of this to comp.security.misc and sci.crypt and let some of the vacuum out of the thread, but more oxygen also usually means higher flames.

Hopefully not in computer science at the upper level yet.

Reply to
Beth

that's correct, you can't! neither can we.

if it "usually means higher flames"? why would you even be tempted?

Reply to
Key

something

Hi all. My apologies for coming in well late to this thread. However, I felt I should read all comments before shooting my mouth off as some have done.

My first question is simple and may be considered a troll post:

Why is there a 'tradesmen' v 'academic' argument through this thread? Both avenues of vocation have their merits and disadvantages. Neither is an indication of how smart one is. Hell, I'm an IT geek now, but drove trucks for 11 years prior to getting an 'edjamacashun'.

Second question:

Why is disclosing the fact that some locks have security issues a problem? After all, we are talking about **security**, not something trivial such as a cupboard lock to stop the cat stealing from the larder. If a particular security device is not as secure as it is advertised or claimed to be, shouldn't the consumer have a right to know? If not, then the locksmith industry could be seen to be following the 'security through obscurity' model, which has been proven to be a risky business method many a time.

I know the question has been asked, but for what earthly reason are you outraged? It appears from reading the threads that the only real outrage was that a 'boffin/geek/academic/seat warmer' wrote the paper and not an industry insider. To be outraged that common weaknesses in supposedly secure hardware were exposed seems to me to be more a knee-jerk reaction than anything. I would have thought the paper would make those in and outside the industry more aware of the need to get manufacturers to work harder at making their security hardware *more* secure.

negative

I understand that universities tend to approve research, rather than discourage the practice. This report has probably given the University (through your efforts as well) a lot of free publicity and has made the paper itself a sought after piece of research by hackers, geeks, tweakers, criminals and locksmiths alike.

A defective security technology has been exposed and therefore will hurt the security industry...mmm...strange logic, but then I have trouble 'keeping up'.../. :o) Once again, apologies for butting in late in the thread. Cheers, Gryph

Reply to
Gryphonn

Or the Full-Disclosure list:

snipped-for-privacy@lists.etsys.com (Subscribe in subject)

Reply to
Gryphonn

Most of your questions have been debated repeatedly in painful detail; search archives over the past decade at least, or for a very brief summary of the key issues see the FAQ. The real answer is that while in theory practice should be identical to theory, in practice that turns out not to be the best answer.

Reply to
Joe Kesselman (address as shown

Re my comment at

Putting it another way: This is an engineering discipline, not a science. Cost-effectiveness dominates the equation, and that requires considering *ALL* costs. Which Mr. Blaze hasn't made any effort to do in this case.

As I said, I wouldn't object as much to his academic paper if it was a good paper. It really isn't. He hasn't added anything to the base of knowledge, and he hasn't even done an adequate job of summarizing it; all he's done is put his name on it. It isn't quite plagiarism, but that's because there isn't a single thought in the paper that anyone familiar with either field would claim is original.

Reply to
Joe Kesselman (address as shown

right, he wasn't SECURE, but does not consider the cost of the secure, at all..

now.. anyone could say, that for instance, a Weiser door knob is not as secure as a grade 1 Schlage.. 'stop at that point', and that statement is both safe, meaning NO defeating instructions were given, and true.

now, when one then publicizes HOW to defeat the Weiser, then all of a sudden, that information, is now widespread, and you unfortunately do not know who or WHEN in the future, someone will read that, and break into their neighbors house with it.. was damage done? yes.. did the original person that published it care? apparently not.. now, I always have to wonder.. WHAT IF, it happened to the ORIGINAL writer??? who can he go scream and holler at? himself, who, by his actions, does not care..

Security has a limiting factor- what the person is willing to spend. GOOD security requires a change in the building, plus construction, plus finally, in the locks themselves.. a $100 'cannot have the key copied', 'cannot be picked' dead bolt does absolutely NO good on a hollow core door, but, yet, I see it done a lot of times.. Matt's article, if I was grading it, would rate no more than a C. his 'area of coverage' was SEVERELY limited, in that he did not consider the other factors involved with it. And I am speaking from 20 years of repairing and inspecting houses, plus 15 doing lock work.

--Shiva--

Reply to
--Shiva--

well put Shiva. what most have missed here is that "HOW to defeat" information being widespread on an open forum for ANYONE, with less than honest intentions, to view and learn from is a big mistake. they can call the censoring of such information what they will but I call it professional ethics.

m2

Reply to
Key

Except for the two different models I own and the third model my co-worker owns.

Or is it just a coincidence that we picked the only three models that are different than you're claiming?

Reply to
syberghost
