Safecracking

Matt Blaze has written an excellent paper: "Safecracking for the computer scientist."

It has completely pissed off the locksmithing community.

There is a reasonable debate to be had about secrecy versus full disclosure, but a lot of these comments are just mean. Blaze is not being dishonest. His results are not trivial. I believe that the physical security community has a lot to learn from the computer security community, and that the computer security community has a lot to learn from the physical security community. Blaze's work in physical security has important lessons for computer security -- and, as it turns out, physical security -- notwithstanding these people's attempt to trivialize it in their efforts to attack him.

Posted on January 14, 2005 at 8:18 AM • 11 Comments

Comments

jay • January 14, 2005 12:30 PM

This is ultimately a personal decision, but I think I would avoid that situation. That NDA can have a chilling effect on speech long after the initial study is over, because at any point the government can decide to claim that certain information you have was learned from that situation (whether it actually was, or you learn or figure it out later, etc).

[And they can be nasty. I remember one scientist who was charged with violations slipping up in his public statements, and when he was speaking to a reporter about his situation he happened to mention the number of infractions he was charged with ... alas mentioning the NUMBER of violations was in itself a violation and the count incremented]

Davi Ottenheimer • January 14, 2005 5:11 PM

The locksmiths sound vulnerable. Funny, that is exactly how I felt when I watched skilled lock-pickers open eight deadbolts in less than 30 seconds. Ironically I don't think I've ever seen a locksmith's lock picking competition; they have always been sponsored by physics departments and computer security shows.

I wonder, were locksmiths also angry at the bicyclists who announced the pen-attack story last fall? Or what about Kryptonite spokeswoman Donna Tucci when she said "Anything with a tubular cylinder could be a concern including vending machines, coin-operated machines, other security products"? Did she breach some form of "trust" by publicly acknowledging a flaw?

My take on Matt Blaze's research is that it could be embraced as a big help to the locksmiths and lock business as it could actually expand the market to scrutinizing and replacing locks more often (to keep up with the disclosure of vulnerabilities, and to improve lock design). Some of the locksmith argument seems to involve market forces driving lock companies to keep costs down...the obvious answer to that is to generate demand for more secure, albeit more expensive, product.

As you say, physical security could take a few tips from the rapidly growing business of computer security; with the ubiquity of rapid information dissemination they might not have a choice.

Jochen Schulz • January 15, 2005 4:05 AM

Just a sidenote:
I think it is very bad style to use tinyurl links (see the "pissed off" link) - especially on web pages, where they don't take any visible space at all. You may use them in plain text mails or usenet postings to make them more readable, but most of the time I really want to know to which site I am being sent.

Dan Berkes • January 15, 2005 9:15 PM

I see this as a learning experience. The popular corporate attitude, when faced with someone making a public revelation of a security flaw in their products, is to do everything in their power to sue or jail the person making that claim.


In this Usenet tempest, we have the opportunity to look past the corporate veil at the human mentality behind the sue/imprison choices. Perhaps by observing how real people react in such situations, we can find a better way of approaching and educating companies on the benefits of acknowledgment and cooperation.


Ad-hominem: Most of the bellowing was generated by the original poster. If you read his prior posting history you quickly learn that he has a problem with any aspect of locksmithing being discussed in public. If pressed (and, indeed, often when not) he'll tell you it's because "there's a war on." Push him a little and you'd probably wind up with a full-blown net.kook on your hands.

Terence Tan • January 16, 2005 4:35 PM

Blaze's paper was about how computer security professionals could learn a lot from physical security, and the ideas and approaches that they take to securing things.

I think this thread nicely illustrates the converse, that physical security folks could learn a lot from computer security.

Rich Kaszeta • January 20, 2005 8:34 AM

The backlash is not surprising. I've got a lot of contacts in physical security and law enforcement that get very, very pissed off if you point out the vulnerabilities of a particular security strategy, not understanding that if I can see them, so can most anybody else that is intelligent. Too often the combination of "security by obscurity" and "security theatre" is accepted as "good security."

SK • February 19, 2006 4:48 PM

Speaking as a locksmith and member of a popular lockpicking club, I think the locksmith community does overreact constantly to their "secrets" being passed out. Like anybody can't just hit Google and have dozens of websites pop up telling you how to pick locks, bypass security and so on. Some of the local locksmith associations referred to our club as a "danger to society" just because we're teaching people in their early twenties how to pick locks, but more, to understand how locks work and how security really works. Everyone automatically jumps to the conclusion that knowledge = corruption. Kind of makes you wonder, if knowing how to pick locks at an early age makes you automatically a budding criminal, how did all the middle aged/older locksmiths of today get started in their careers?

chaXXX • October 17, 2007 5:00 AM

Please help! Lost combination of Diplomat Safe, Model A125, serial number E9924878.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.