Bruce Schneier
Schneier on Security
A blog covering security and security technology.

January 14, 2005

Safecracking

Matt Blaze has written an excellent paper: "Safecracking for the computer scientist." It has completely pissed off the locksmithing community. There is a reasonable debate to be had about secrecy versus full disclosure, but a lot of these comments are just mean. Blaze is not being dishonest. His results are not trivial. I believe that the physical security community has a lot to learn from the computer security community, and that the computer security community has a lot to learn from the physical security community. Blaze's work in physical security has important lessons for computer security -- and, as it turns out, for physical security -- notwithstanding these people's attempts to trivialize it in their efforts to attack him.

Posted on January 14, 2005 at 8:18 AM • 11 Comments

Comments

I believe your link for the paper is incorrect. The proper link is http://www.crypto.com/papers/safelocks.pdf
Posted by: Scott Plumlee at January 14, 2005 8:50 AM

A good time to remind folk of Tim "Rudiments of Wisdom" Hunkin's delightful essay on safecracking: http://www.timhunkin.com/...
Posted by: SoulCrusher at January 14, 2005 12:07 PM

This is ultimately a personal decision, but I think I would avoid that situation. That NDA can have a chilling effect on speech long after the initial study is over, because at any point the government can decide to claim that certain information you have was learned from that situation (whether it actually was, or you learn or figure it out later, etc.). [And they can be nasty. I remember one scientist who was charged with violations slipping up in his public statements, and when he was speaking to a reporter about his situation he happened to mention the number of infractions he was charged with ... alas, mentioning the NUMBER of violations was in itself a violation and the count incremented.]
Posted by: jay at January 14, 2005 12:30 PM

The locksmiths sound vulnerable. Funny, that is exactly how I felt when I watched skilled lock-pickers open eight deadbolts in less than 30 seconds. Ironically, I don't think I've ever seen a locksmiths' lock-picking competition; they have always been sponsored by physics departments and computer security shows. I wonder, were locksmiths also angry at the bicyclists who announced the pen-attack story last fall? Or what about Kryptonite spokeswoman Donna Tucci when she said "Anything with a tubular cylinder could be a concern including vending machines, coin-operated machines, other security products"? Did she breach some form of "trust" by publicly acknowledging a flaw? My take on Matt Blaze's research is that it could be embraced as a big help to the locksmiths and lock business, as it could actually expand the market to scrutinizing and replacing locks more often (to keep up with the disclosure of vulnerabilities, and to improve lock design). Some of the locksmith argument seems to involve market forces driving lock companies to keep costs down... the obvious answer to that is to generate demand for more secure, albeit more expensive, product. As you say, physical security could take a few tips from the rapidly growing business of computer security; with the ubiquity of rapid information dissemination they might not have a choice.
Posted by: Davi Ottenheimer at January 14, 2005 5:11 PM

Just a sidenote:
Posted by: Jochen Schulz at January 15, 2005 4:05 AM

I see this as a learning experience. The popular corporate attitude, when faced with someone making a public revelation of a security flaw in their products, is to do everything in their power to sue or jail the person making that claim.
Posted by: Dan Berkes at January 15, 2005 9:15 PM

Blaze's paper was about how computer security professionals could learn a lot from physical security, and the ideas and approaches that they take to securing things. I think this thread nicely illustrates the converse, that physical security folks could learn a lot from computer security.
Posted by: Terence Tan at January 16, 2005 4:35 PM

I tried many times but couldn't get the link.
Posted by: Susa at January 17, 2005 1:21 PM

The backlash is not surprising. I've got a lot of contacts in physical security and law enforcement that get very, very pissed off if you point out the vulnerabilities of a particular security strategy, not understanding that if I can see them, so can most anybody else that is intelligent. Too often the combination of "security by obscurity" and "security theatre" is accepted as "good security."
Posted by: Rich Kaszeta at January 20, 2005 8:34 AM

Speaking as a locksmith and member of a popular lockpicking club, I think the locksmith community does overreact constantly to their "secrets" being passed out. Like anybody can't just hit Google and have dozens of websites pop up telling you how to pick locks, bypass security and so on. Some of the local locksmith associations referred to our club as a "danger to society" just because we're teaching people in their early twenties how to pick locks, but more, to understand how locks work and how security really works. Everyone automatically jumps to the conclusion that knowledge = corruption. Kind of makes you wonder: if knowing how to pick locks at an early age makes you automatically a budding criminal, how did all the middle-aged/older locksmiths of today get started in their careers?
Posted by: SK at February 19, 2006 4:48 PM

Please help! Lost combination of Diplomat Safe, Model A125, serial number E9924878.
Posted by: chaXXX at October 17, 2007 5:00 AM