August 1, 2008 4:00 AM PDT

The ethics of lock picking and telling

by Elinor Mills

In 2004, a video circulated on the Internet showing how a standard Bic pen could be used to open the U-shaped Kryptonite bike lock. The company recalled the locks, replaced newer purchases, and changed the design for new locks. Problem solved, right?

Not exactly. Despite the fact that the problem had been revealed 12 years earlier in a British bike magazine, Kryptonite had continued to sell the locks unchanged. Angry customers filed a class action lawsuit that was settled in 2005, with Kryptonite offering to replace all affected locks or provide vouchers, and compensate people whose bicycles were stolen as a result of the lock being picked.

"If you don't make the problems public, the companies don't fix them and the consumers buy shoddy stuff," said Bruce Schneier, chief security technology officer at BT.

There's been plenty written about breaking into the virtual locks that safeguard sensitive data on the Web. But the picking of real-world physical locks is becoming an increasingly popular pastime for some. Enthusiasts have formed sporting clubs and hold regular competitions. Security researchers write books about how locks can be broken into and show how it's done on blogs and videos and at security conferences.

Naturally, lock manufacturers aren't happy. They argue that publicizing the vulnerabilities causes people to panic unnecessarily and puts the public at risk by giving criminals information they can use to break door locks, safes, and other secured assets.

But just as third-party disclosure of software vulnerabilities forces manufacturers to acknowledge security holes and patch them quickly, lock manufacturers will find they can't escape the scrutiny and will have to be held accountable for their products, experts say.

"The concept of responsible disclosure is well and good for new locks that haven't hit the market yet. But that doesn't help you when the lock is already embedded in millions of facilities. They're not going to fix them," said Marc Weber Tobias, a lawyer who has written a book about breaking into high-security Medeco locks called Open in Thirty Seconds and issued the original security alert on all tubular locks that included the Kryptonite locks.

Tobias will be presenting a session at the Defcon hacker conference in Las Vegas next week on how to break the key control of Medeco M3 locks by making fake keys.

Marc Weber Tobias is co-author of 'Open in Thirty Seconds.'

"How does it help the consumer not to tell them that there is a vulnerability?" he said. "Medeco customers have a right to know whether their locks can be compromised."

The issue highlights the conflicting world views of two very different groups: hackers who like a good challenge and enjoy taking things apart, and traditional hardware manufacturers who don't want anyone but certified locksmiths testing their systems.

As the lock manufacturers' and locksmith trade groups see it, most non-locksmiths picking locks are trying to reduce security, not improve it.

Web sites selling lock picking tools are breaking U.S. federal law, said Tim McMullen, legislative manager for the Associated Locksmiths of America.

Ralph Vasami, executive director of the Builders Hardware Manufacturers Association, said: "We believe that lock picking, obviously, is an illicit activity, even if it's a sport. We frown on all of that, even if it's for fun."

The industry doesn't need outsiders pointing out flaws with products because there is an established system in place for creating new standards for manufacturers to follow, he said.

"As new technologies have become available that is what spurred product innovation and that spurs development of new standards," Vasami said. "I think we're a pretty nimble and flexible organization."

However, the standards are voluntary, and new security vulnerabilities may not fit in with established procedures. For instance, Tobias said that when he informed the standards group last year that a deadbolt could be broken into with a screwdriver, he was told that the method he was using was not defined in any standard. "The standards aren't protecting people," he said.

Unlike with software, where patches and fixes can be downloaded quickly, locks have to be physically replaced when they are found to be vulnerable to picking. This infrastructure issue puts more of a responsibility on vulnerability researchers not to publicize the problems, said Clyde Roberson, technical director of Medeco Security Locks.

"Our responsibility is to make changes when we see a change in the state of the art," he said. "Everybody has some responsibility to not disclose things that can hurt people and that people don't have power over changing."

Asked how a company would know when its locks are vulnerable if it weren't for independent researchers announcing problems, Roberson said companies should rely on independent testing agencies like Underwriters Laboratories.

"Is it a known vulnerability if people don't know about it?" he then asked, rhetorically. "I'm not sure you need to worry about it unless people are out there demonstrating it and showing how to do it."

Keeping a security problem secret

But that notion of "security through obscurity" wrongly assumes that keeping a security problem secret will protect the people relying on the security system.

"The assumption is that the criminals don't know about it," BT's Schneier said. "Criminals know how to pick locks... The secrecy just hides the truth from the consumer."

"The goal is to make security better. As soon as it's not responsible to do research, the bad guys win," Schneier said.

"(The) lock picking (industry) doesn't get this because they're basically still a guild--a secret knowledge kind of field, whereas computer security is always built on open knowledge," he added. "There have been insecurities discovered by computer people-turned-locksmiths that have existed for hundreds of years."

Lock manufacturers aren't the only hardware makers confronting this issue. Voting machine manufacturer Sequoia threatened a security researcher who was planning to analyze a machine.

And more recently, Philips Semiconductor spinoff NXP sued to prevent a Dutch university from publishing information on security flaws in its Mifare Classic wireless smart card chip used in transit and building access systems around the world. A judge ruled earlier this month that blocking publication would violate the researchers' rights to freedom of expression and hinder vital research.

"The bottom line is the public needs to know," Tobias said. "Let them make their security assessments based on how secure they are told the locks are."

Misrepresenting hardware as more secure than it actually is poses a liability problem for the manufacturer and for companies using the security system to protect their customers' assets.

Siemens is having to change 300,000 cards that use the Mifare Classic chip as a result of the discovered security shortfalls, Schneier said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

(22 Comments)
by Pishkado August 1, 2008 5:59 AM PDT
Back about 65 years ago, the late Nobel Prize-winning physicist Richard Feynman was employed at Los Alamos on the World War II atom bomb project. One of his hobbies was picking the combination locks used to secure classified material. Most of his methods were based on social engineering: knowing that most people didn't reset their locks from the factory default, that most people left the dial on the last number in the combination, and so on. In one case he informed the Army colonel in charge of an area that his locks were not secure, explaining how he had opened several of them. The colonel's response? Instead of telling his people how to improve their lock use practices, he required Feynman to be escorted whenever he was in the area to make sure he didn't pick any locks.

Some things never change.
by Bill_I August 1, 2008 7:35 PM PDT
Richard Feynman is a hero to me, even though I am not smart enough to understand most of his work. An ordinary lock can have the brass pins drilled out in short order with a cordless drill motor and the cylinder rotated with a screwdriver. I did this once at my job because all the keys were misplaced, including my backup spare. The next day we bought and installed new locks, which was not cheap, and I made triple backup keys.
by JeffW42 August 1, 2008 6:05 AM PDT
So companies that sell Bic pens or toilet paper or screwdrivers are engaged in illicit activities by selling lock picking tools? What great laws we have.
by Renegade Knight August 1, 2008 7:05 AM PDT
There is a lot of rationalization on the part of the lock industry. "Our responsibility is to make changes when we see a change in the state of the art" for example. Actually their responsibility is to make good locks. If they find out that their lock can be picked by a Bic pen in the hands of an amateur, that's a strong sign they are not making a good lock.

Another thing about locks. Anybody can buy one and use it for any purpose. Paperweight. Target. Bling, or to practice lock picking. Like most things, its primary purpose isn't always the only legitimate use.
by Dr_Zinj August 1, 2008 8:25 AM PDT
I pick or circumvent locks on occasion either for RL business reasons or just for entertainment purposes.

Safes are tough critters. Locks on appliances or equipment are sometimes tough too. But door locks are often easier to just go around than to try picking.

A lot depends on whether a criminal is concerned about leaving obvious evidence of his or her intrusion. If blatant evidence of a break in isn't a problem, it's easy to break a window, or even go through the wall instead of the locked door.
by n3td3v August 1, 2008 8:31 AM PDT
"IBM report shows that as soon as a vulnerability is disclosed, an exploit is made for it. Some think it's time to rethink that policy."

http://www.internetnews.com/security/article.php/3762091/Are+Bug+Disclosures+Helping+or+Hurting.htm
by menty666 August 1, 2008 8:47 AM PDT
Frankly it makes more sense for non-locksmiths to try to pick the locks for the same reason you don't allow engineers to test their own code; they know how it works and how to make it work right.

In regards to the complaining from the manufacturers that people shouldn't publicize the methods.....people I worked with used to get upset at our QA testers when they found bugs in our code. I never did, I told my co-workers that if they didn't leave the mistake, the tester wouldn't have found them. Same theory goes for locks. If you don't want a vulnerability found, don't leave one there. The long and short of it is that any lock that has a legitimate, intended way to open it also is vulnerable to unintended methods.

And finally.....it's illegal to sell lock picking equipment to non-licensed professionals, but it's not illegal to buy a hacksaw blade and a bench grinder to make my own.
by Lerianis August 3, 2008 9:47 PM PDT
Actually, it isn't illegal to sell lock-picking equipment to non-licensed professionals in most states. The federal government tried at one time to make it illegal, but the Supreme Court overturned that law, saying that it was an unjust limitation on the American citizen who might want to learn how to pick locks so, if they accidentally lose their housekey, they can get into their own home using their lockpicking set.
by rcardona2k August 1, 2008 8:49 AM PDT
Same principle applies to physical security: as soon as a vulnerability in a lock is discovered you'll likely see a YouTube video exploiting it shortly.
by fokkwp August 1, 2008 8:55 AM PDT
"We believe that lock picking, obviously, is an illicit activity, even if it's a sport. " -----

Absolute nonsense. Show me such a law. There is a law against entering someone's property without permission, but for sure if you own or have permission to access the lock you can try to pick it. Similarly, hardware stores will tell you there is a "law" against duplicating a key because someone has stamped "do not duplicate" on it. There is no such law. ----

"Unlike with software, where patches and fixes can be downloaded quickly, locks have to be physically replaced when they are found to be vulnerable to picking." ----

On the other hand, once a software vulnerability has leaked out, a hack can be applied to millions of computers simultaneously by even a small group of hackers via the web, within a day or so. It takes much longer to train the whole criminal community on a new lock exploit, and longer to try it out in practice. There is time to change locks, or at least take advantage of the vulnerability information to reduce exposure.
by gridwerk August 1, 2008 9:02 AM PDT
"The industry doesn't need outsiders pointing out flaws with products because there is an established system in place for creating new standards for manufacturers to follow"

No, actually, it's because of those standards that the industry needs outsiders. Mitnick also helped to change a fairly standardized system known as the United States Judicial System.
by el_bowman August 1, 2008 9:27 AM PDT
We performed a security audit on an office doing business with State and Federal governments. They were so proud of their high tech card reader locks on every door. Their jaws dropped when I pulled up a chair and popped out the acoustic ceiling tile and hopped over to the other side of the 'locked' door.

Dr Zinj is right. Why waste time trying to defeat a security device if you can quickly go around it?
by protagonistic August 1, 2008 9:50 AM PDT
"Their jaws dropped when I pulled up a chair and popped out the acoustic ceiling tile and hopped over to the other side of the 'locked' door."

That would not have worked at one facility I worked at. Popping any floor or ceiling tile would trigger an alarm which would in turn cause an immediate lockdown of the entire base. This was normally followed by armed SPs.

Since accidents do happen we managed to **** a few people off when this occurred at quitting time. But as a licensed locksmith I can tell you the only reason you have locks on your house is to keep your honest neighbors honest. They for darn sure won't keep a professional out.
by Lerianis August 3, 2008 9:49 PM PDT
protagonistic is right: locks will not keep out a professional locksmith, or a professional thief.
by Get_Bent August 1, 2008 11:13 AM PDT
Here's an idea: design better locks, and they'll be harder to pick.
by Lerianis August 3, 2008 9:51 PM PDT
Actually, no, they wouldn't. There is an agreement in place (that my local locksmith told me) that manufacturers will NOT improve their locks. Why? Because it would mean that locksmiths and others would have to be retrained to pick the new, better locks.
Really, all you need to get around a lock is one of those heavy-duty steel cutters. My father lost his key once, had to call campus security to remove the lock on his locker...... a petite 100 pound lady cut through that lock with a pair of HUGE boltcutters like a hot knife through butter, to his astonishment!
by datasecuritypodcast August 1, 2008 4:25 PM PDT
There are a lot of interesting twists and turns to the reported vulnerability in certain Medeco locks. You may listen to a pre-DefCon interview with Marc Tobias about the Medeco issues he discovered on the Data Security Podcast here: http://datasecurityblog.wordpress.com/2008/07/28/data-security-podcast-episode-11-july-28-2008/

The interview is about :15 min into the program.
by iceman678 August 5, 2008 1:18 PM PDT
Unscrupulous corporations will always do whatever they can to increase their bottom line. They have repeatedly tried to strong arm the public by threatening legal action unless they stop hurting their business. They want to force people who find these flaws to remain silent locks so that they do not have to replace them.

I just hope the day does not come when a judge in any court in North America gives in to their utterly ridiculous and completely absurd arguments. Hats off to Tobias for standing up to these greedy, money grubbing corporations who are attempting to stifle progress, scientific research and even the human thirst for advancement just to make more money.
by Fil0403 September 8, 2008 8:18 PM PDT
"Security through obscurity" has been Apple's motto for years and I don't see many people worried about that, why should that be?
by mattmia2 March 12, 2009 6:47 AM PDT
I think that this is the only case where the manufacturer would be overtly attacking the person who reported the problem for reporting it instead of trying to defend themselves against the liability. They have basically admitted that they are covering up the problem. This would seem to be an admission of liability for any losses sustained from the exploitation of the weaknesses in their locks.
by senojetan April 9, 2009 4:22 PM PDT
There is this floor door lock called the door chucky it is a security door lock (http://www.doorchucky.com/) that fits on your floor. This lock can withstand a lot of force. It is mostly designed to keep you safe when you're home. This front door lock is pretty nice
by senojetan April 9, 2009 4:28 PM PDT
There is this floor door lock called the door chucky it is a security door lock that fits on your floor. This lock can withstand a lot of force. It is mostly designed to keep you safe when you're home. This front door lock is pretty nice. You should check it out at

http://www.doorchucky.com