"The find illustrates a number of interesting things about studying security issues. What does an ethical person do with this kind of information, given that it is impossible to alert the 'good guys' about the vulnerability without tipping off the 'bad guys'? The plot thickens a bit on this point -- turns out master locksmiths have known this about keys roughly as long as locks have existed. Protecting vulnerabilities by keeping them secret is often derided as 'security by obscurity' in the info security world, but then again, the knowledge remained pretty well-hidden until some InfoSec weenie had to go write a paper. Now it's in the New York Times. Even people who wouldn't have dreamed of doing something like this before will now know it's possible.
"The issue brings up another thorny aspect of security in general -- given a choice between security and convenience, security rarely wins. Master keys, by their very existence, illustrate this principle. They are a single point of failure for a large group of locks, but they do make it handy to get back into a dorm room after a student loses his keys. With doors, as with many computer systems, it appears that security is rarely justified beyond the point that it prohibits casual attacks. Just as computer geeks always defer to the abilities of the 'determined attacker,' it would appear that building managers feel little need to prevent against 'ninjas rappelling in from the roof stuff.'
"It seemed obvious at first that this incident is a rare opportunity to teach newbies about the importance of computer security. On further consideration, I have to wonder if this might be the even rarer opportunity for computer security types to understand the wisdom that governs the non-computer world. Perhaps there is something to be said for approaching security with low expectations and a willingness to keep secrets."

1. Um... no. | by BitterCupOJoe | at Wed 29 Jan 6:27am | score of 1
The problem with keeping secrets, in this case, is that all it takes is one unscrupulous person that knows the secret to completely fuck you over. By "approaching security with low expectations and a willingness to keep secrets" you end up precisely with a bunch of master locksmiths knowing how to make master keys easily, and trusting ALL of them to not let anyone else know how. In addition, you trust those same master locksmiths to upgrade locks so that there is no master key that will work on them, with no external pressure to do so. It's been 500 years or so that the lock has existed, and it hasn't happened yet. What makes you think computer security will be any better?
"This is your world. These are your people. You can live for yourself today, or help build tomorrow for everyone."

5. Re: Um... no. | by dylanr | at Wed 29 Jan 9:25am | score of 1.5 informative | in reply to comment 1
> The problem with keeping secrets, in this case, is that all it takes is one unscrupulous person that knows the secret to completely fuck you over.
Honestly, I don't see why computer security should be approached much differently than regular old building security. For businesses where a master key system is considered adequate protection, weak passwords on a Win32 network should be plenty. Businesses that use magnetic strip ID badges and employ night watchmen should be thinking about public key authentication and monitored intrusion detection systems. There's no point in encrypting your LAN traffic if you leave the file cabinets unlocked.
In any event, some level of trust is required in all non-trivial human enterprises and trust relationships are almost always the first point of failure. You can't run anything larger than a mom & pop shop without figuring out a way of extending trust.
Employees who work with sensitive proprietary information may need to sign NDAs. Here, too, it only takes one unscrupulous person to fuck you over. It happens all the time, and yet that's still about the best thing anyone has come up with to protect secrets. If the fact that you've made a legal pledge not to do something isn't sufficient deterrent, there's not much else that's going to stop you.
What's different about computer security is the ethic. I used to think it was a scientific information-wants-to-be-free ethic, but events like this one make me less sure. It's one thing to discover a hole and draw attention to it so that it gets fixed. It's quite another to go out of your way to crack systems that were never that secure to begin with.
Publishing details on how to make a master key is a bit like publishing a script on how to hack a Win32 box. Neither is considered hardened by the people who installed them (hopefully), but each is "good enough" for its purpose. That equation changes when the exploit is published.
It's a delicate balance, I realize... but lately the work being done in this area has felt less like a public service and more like a "protection" racket. One time-honored way to make a name for yourself as a security consultant is to reduce the security of all the people who haven't hired you yet. It's no accident that some of the leading people in this field are reformed crackers.
> trust those same master locksmiths to upgrade locks so that there is no master key that will work on them
I trust the locksmith to do exactly what I ask to be done. Master key systems are installed at the customer's request and (presumably) reflect the customer's conclusion that such a system is the proper one to install.
> What makes you think computer security will be any better?
Because the more "security" we've gotten, the worse the problem has become. In any political or social arena, this would be as obvious as day. In the InfoSec world, we're still working from a blame-the-victim mentality. Absolute security is infeasible in most situations and impractical in most others.
We long ago passed the point where our security technology eclipsed human capabilities. Breaking 8-10 character passwords has been trivial for some time now. The longer a password you have to remember, the less random it becomes... so we all move over to certificates, right? I use SSH for all my important work, but let's be serious for a second... deploying and managing PKI for normal people is just a disaster in the making. You've secured the network but made workstations a much larger failure point in the process.
What is needed is not better packet filtering, but stronger law enforcement and more mature risk management.
In theory there should be no difference between theory and practice. In practice, there usually is.

13. Re: Um... no. | by keenduck | at Wed 29 Jan 4:08pm | score of 1 | in reply to comment 5
Put it this way - is it better that knowledge of exploits to crack into systems be in the hands of a few, or the hands of all?
If only a few people know of an exploit, and never reveal it to the public, but continually use it to compromise systems, no one would be the wiser. If the knowledge is more widely spread, at least people know the danger exists, and can take steps to protect themselves.
As they say in open source, "Many eyes make bugs shallow." The same probably works for security issues as well.
- keenduck
You missed a good part ... What? ... She was masturbating ... Where?!

19. Re: Um... no. | by dylanr | at Wed 29 Jan 5:13pm | score of 1 | in reply to comment 13
> is it better that knowledge of exploits to crack into systems be in the hands of a few, or the hands of all?
I don't see that there is a choice, actually.
Consider it this way: knowledge is basically infinite. Even the amount there is to know in a tightly focused discipline like computer security is difficult for one person to comprehend.
Thus, any particular bit of knowledge is invariably held by only a few. Could it possibly be any other way?
The Linux kernel, for example, has been open for public inspection since about 1992. But only a very small number of people actually understand how it works and an even smaller number of people are prepared to think about what might cause it to fail. But if one of those people wrote a script that any punk with a PC can run, they've done the whole world an enormous disservice.
Some security protocols (such as public key encryption) are made stronger by peer review. Others simply aren't. This isn't a one-aphorism-fits-all world.
In the political world, measures like NMD are laughed at by serious analysts... not because missile attack is impossible (or even unlikely), but because defending against missile attack is basically impossible. Worse, it may be undesirable: would you really want to increase the value of "suitcase" nukes and other, more-portable threats? Contemporary computer security long ago passed the NMD milestone in terms of what pie-in-the-sky perfection it has established as an acceptable minimum. At some point I expect cooler heads to prevail... but there's little sign of it so far.
In theory there should be no difference between theory and practice. In practice, there usually is.

2. Before you try... | by David Flores | at Wed 29 Jan 7:58am | score of 3 brilliant
Yes, Lee Dong, you acquired a key from one of my henchmen and have managed to produce a master by applying your knowledge of the black arts of the Ninja and a little cryptoanalysis. But let me assure you: you have but reached the foot of the mountain, and are a long way yet from the summit. For even if you manage to evade my sophisticated security system and attack mecha-canines, you will face a virtual labyrinth of offices that you must navigate and traverse before reaching the room where I keep the Omega Device. And in each of those rooms you will face a new opponent, expertly trained in a martial art even more deadly than the previous combatant. So you are an accomplished swordsman, ok, but are you equally adept at dodging throwing stars? And if you survive that test, how are your skills with the Nunchaku? And do you think that your hand-to-hand martial arts skills are refined enough to beat seven different opponents each with a different style of attack? Ha, ha.... ha, ha.... ha, ha, ha, ha, ha, ha! Ahhhhhh. Ha, ha, ha, ha, ha!... oh yeah... one thing... no fair to use your sword in the hand to hand combat areas, ok?
Your Pal, General Chang.
GAFB and GAFB2

24. Re: Before you try... | by StofCircumstance | at Wed 29 Jan 9:21pm | score of 1 | in reply to comment 2
General Chang, my old nemesis. Be forewarned, I know your most vital secret. I know of the hidden entrance to your mountain, the one with the escalators that take you straight to the room with the Omega Device.
How do I know of your most closely-kept secret, you nefarious ne'er-do-well? I met a subcontractor in a bar in town, and over the course of several bottles of expensive sake, he told me everything.
In the future, you might consider killing off everyone you employ to build these ridiculous strong-holds you are determined to reside in around the globe. Maybe then I won't be able to get past your overly expensive booby-traps, cyborg-samurai, and nunchaku-wielding opium whores.
Love,
Lee "Long" Dong
P.S. Did you get the birthday card I sent you? (I never got a thank-you note.)
P.P.S. I love the color scheme in your office; we need to get together to discuss design ideas for my new lair sometime. You can reach me on my Blackberry.
Zen Happens

28. Re: Before you try... | by David Flores | at Thu 30 Jan 4:56am | score of 1 | in reply to comment 24
> In the future, you might consider killing off everyone you employ to build these ridiculous strong-holds you are determined to reside in around the globe
Well, I usually do, you know, but the guy you talked to was my nephew and every time I brought up his elimination Mrs. Chang would hear nothing of it.
Oh, I know what you're thinking. You're thinking "Wait a second, General Chang, you're a powerful warlord who's blackmailing the World with the Omega Device. You have hundreds of henchmen at your beck and call. You executed four of them last week for failing to throw themselves to the ground fast enough when in your presence. And you let yourself be brow-beaten by your wife?" I know, I know. They sound like reasonable objections, but you haven't met Mrs. Chang. I mean, we're talking major Dragon Lady... brrrrrr!
GAFB and GAFB2

3. Physical vs. Electronic | by IamaplasticSquid | at Wed 29 Jan 8:47am | score of 3 informative
As a former locksmith I can comment here with a bit of background. Almost no break-ins occur with master keys; it is much easier to kick in the door in almost any building than to try to make master keys. The things you need to get a master key made are physical, key blanks in the appropriate pattern for instance. Online all one has to do is put the code up on a bug track site and now everyone in the world has access with no physical effort at all.
> All that is needed, Mr. Blaze wrote, is access to a key and to the lock that it opens, as well as a small number of uncut key blanks and a tool to cut them to the proper shape. No special skills or tools are required; key-cutting machines costing hundreds of dollars apiece make the task easier, but the same results can be achieved with a simple metal file.
The trick to that is getting the key blanks in the first place; most buildings such as universities use restricted key blanks you can't get at the hardware store, you need a locksmith or a locksmith wholesaler. Now if you walked into my store and asked for those restricted blanks you wouldn't have gotten them without a hell of a good bluff and some paperwork, but let's say you did get them. You take them back and start to file. If they use any type of commercial lock, the tolerances on the keys are very slight, and any error will stop a key from working. You may have encountered this when you go to a hardware store and have a key copied. The better the make of lock, the more precise the copy has to be. I used to make keys using fairly precise machines to manufacturers' codes, and they still weren't close enough sometimes. Good luck with the hand filing. Even if you make a master you still have to be there to use it, which raises your risk considerably vs an internet attack. Few 'secure' areas rely solely on a master keyed lock for their security.
I won't go into the other options you have in a masterkey system to make it hard to break, but there are many alternate high security lock companies out there that make this sort of thing much, much harder to do. Compare that difficulty to cutting and pasting code from a web page and see why most locksmiths don't lose sleep over the thought of 15 year olds with files.
We used to say there was no such thing as perfect locks or lock systems, you just buy an appropriate amount of security to the risk you face. In a bad neighborhood, get better locks. Real high security needed, use high security locks. One of the problems with the internet is that we are all in the same neighborhood. That script kiddie could be attacking your home PC or your business, odds are he doesn't know or care the difference. Some universities, labs, and businesses have junk masterkey systems, but that article drastically overstates the risk faced day to day from this 'vulnerability'. On the contrary, my little home firewall shows constant checks for the usual security holes.
Plastic Squid, Toy Box 2 (The Big Clear Plastic One with the Blocks and Stuff)

7. Re: Physical vs. Electronic | by Adipic Acid | at Wed 29 Jan 1:33pm | score of 1 | in reply to comment 3
Key blanks can be fabricated for this purpose with a simple die casting kit from the local hardware store. They won't be as durable as the real thing, but they should last long enough to "do the trick."
Kicking in the door is always an option if your objective is simply to take stuff one time. On the other hand, having a building master key and a fake cleaning uniform could allow you to perform routine espionage, say of a competitor's bids for contracts.
No folly is more costly than the folly of intolerant idealism. - Churchill

17. Re: Physical vs. Electronic | by gameCoder | at Wed 29 Jan 4:49pm | score of 1.5 brilliant | in reply to comment 7
> having a building master key and a fake cleaning uniform could allow you to perform routine espionage
Of course, if you just got hired by the appropriate cleaning company, you wouldn't need either the fake uniform or the fake key. :)
Master Shake: "Oh you think you're the expert? Lets see how much your ass knows about flyin'!"

20. Re: Physical vs. Electronic | by Adipic Acid | at Wed 29 Jan 5:18pm | score of 1 | in reply to comment 17
But it might be traceable. I was shocked when I found out that our cleaning crew is fingerprinted as part of the hiring process. I do not work in a building that requires that kind of security, but the contractor applies the same rules to all of their new hires, no matter what building they are assigned to.
No folly is more costly than the folly of intolerant idealism. - Churchill

6. Just a little heads up on push-combination locks | by halfwit | at Wed 29 Jan 10:08am | score of 1.5 astute
Anyone have the push combination locks, commonly seen on college dormitory doors? It's typically 5 buttons labelled 1 through 5 in a straight line or circular pattern. For the door to unlock, you have to hit the buttons in a certain pattern, like
4,1, 3 and 5 together, 2. Or 1,4,5.
Well, at one place I was at we had the locks everywhere with combination 1 and 4, 3. We had a new addition to the building added, and the locksmith company added four new locks on the new doors. The owner asked what the combination for those new locks was, and they said "1 and 4, 3". "What a coincidence, that's what we have on the rest of our locks!" "Oh, all the locks we install have that as the default." Needless to say, we had all of the combinations changed immediately.
I don't know how common that scenario is, but I'd recommend changing the default combination on said locks if you use them just in case.

9. Re: Just a little heads up on push-combination | by cloudofdust | at Wed 29 Jan 1:58pm | score of 1 | in reply to comment 6
I was thinking about this very thing when I read the writeup. They're called Simplex locks and this article about them was in 2600 about 12 years ago.
According to the article both FedEx and UPS use these locks on their drop boxes. Apparently UPS was also using the "default" combination...on every drop box in the Northeast!
I think this just emphasizes that the human factor is the most important in any security scenario.

25. Re: Just a little heads up on push-combination | by StofCircumstance | at Wed 29 Jan 9:26pm | score of 1 | in reply to comment 6
Interestingly enough, I can corroborate that story.
I used to work for Border's Books, at 2 different locations. At both locations, the code for the push locks was 1 and 4, 3. I always assumed it was a company-wide thing, so the higher-ups could have unfettered access during "inspections."
Now I know that everyone was just really lazy. Thanks!
Zen Happens

14. Everything old is new again... | by slaphappy | at Wed 29 Jan 4:18pm | score of 1
Everything old is new again. Locksmithing was the standard tool in trade for the black-hat hacker since the first days of computer science. It's intellectually challenging and anti-social enough for renegade geeks to have fun with it.
More than a few of MIT's legendary "Model Railroad Club" (the very first hackers) were locksmithing enthusiasts, and used their skills to gain access to MIT's computers for bouts of coding and "midnight engineering", where they'd actually take a soldering gun to these systems in the dead of night to improve performance without anyone knowing.
The legacy continues today. One guy I know who's into computer security has a locksmith's license and a wholesale number, just to get access to special key blanks, keymaking tools and lockpicking gear. He doesn't steal anything, or even trespass... he just likes knowing he can open any lock at any time. Has a gigantic, redneck keyring hanging off his belt, too.
slap*happy

16. More thorough discussion on Slashdot. | by tylerh | at Wed 29 Jan 4:45pm | score of 1
Slashdot generated almost 500 comments on this story 6 days ago. I suggested reading that discussion at Filter level 4 to keep it manageable. The Slashdot crowd has many more links, including the actual paper, and several good, short descriptions of how it works.
This should have been a quick link.
Courage

21. The secret | by outlier | at Wed 29 Jan 5:23pm | score of 1
According to the paper (pdf) that Blaze wrote, the technique is pretty damn simple. Once you understand how master keyed locks work (the pins have two "unlock" positions instead of one), it becomes one of those "why didn't I think of that" things.
In the tech field the feeling is that "security through obscurity" is not very effective. Blaze points out that this is exactly what locksmiths have been doing. He presents a rather interesting historical argument against this from one of the foremost inventors of mechanical locks -- 150 years ago.
"You big smarty! ... Do you rub your giant brain with special brain cremes and brain jellies?" - DJGilmore