Schneier on Security
A blog covering security and security technology.
« Secure Flight Privacy/IT Working Group |
| SIGNAL Article »
January 14, 2005
Matt Blaze has written an excellent paper: "Safecracking for the computer scientist."
It has completely pissed off the locksmithing community.
There is a reasonable debate to be had about secrecy versus full disclosure, but a lot of these comments are just mean. Blaze is not being dishonest. His results are not trivial. I believe that the physical security community has a lot to learn from the computer security community, and that the computer security community has a lot to learn from the physical security community. Blaze's work in physical security has important lessons for computer security -- and, as it turns out, physical security -- notwithstanding these people's attempt to trivialize it in their efforts to attack him.
Posted on January 14, 2005 at 8:18 AM
• 11 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This is ultimately a personal decision, but I think I would avoid that situation. That NDA can have a chilling effect on speech long after the initial study is over, because at any point the government can decide to claim that certain information you have was learned from that situation (whether it actually was, or you learn or figure it out later, etc).
[And they can be nasty. I remember one scientist who was charged with violations slipping up in his public statements, and when he was speaking to a reporter about his situation he happened to mention the number of infractions he was charged with ... alas mentioning the NUMBER of violations was in itself a violation and the count incremented]
The locksmiths sound vulnerable. Funny, that is exactly how I felt when I watched skilled lock-pickers open eight deadbolts in less than 30 seconds. Ironically I don't think I've ever seen a locksmith's lock picking competition; they have always been sponsored by physics departments and computer security shows.
I wonder, were locksmiths also angry at the bicyclists who announced the pen-attack story last fall? Or what about Kryptonite spokeswoman Donna Tucci when she said "Anything with a tubular cylinder could be a concern including vending machines, coin-operated machines, other security products"? Did she breach some form of "trust" by publically acknowledging a flaw?
My take on Matt Blaze's research is that it could be embraced as a big help to the locksmiths and lock business as it could actually expand the market to scrutinizing and replacing locks more often (to keep up with the disclosure of vulnerabilities, and to improve lock design). Some of the locksmith argument seems to involve market forces driving lock companies to keep costs down...the obvious answer to that is to generate demand for more secure, albeit more expensive, product.
As you say, physical security could take a few tips from the rapidly growing business of computer security; with the ubiquity of rapid information dissemination they might not have a choice.
I see this as a learning experience. The popular corporate attitude, when faced with someone making a public revelation of a security flaw in their products, is to do everything in their power to sue or jail the person making that claim.
In this Usenet tempest, we have the opportunity to look past the corporate veil at the human mentality behind the sue/imprison choices. Perhaps by observing how real people react in such situations, we can find a better way of approaching and educating companies on the benefits of acknowledgment and cooperation.
Ad-hominem: Most of the bellowing was generated by the original poster. If you read his prior posting history you quickly learn that he has a problem with any aspect of locksmithing being discussed in public. If pressed (and, indeed, often when not) he'll tell you it's because "there's a war on." Push him a little and you'd probably wind up with a full-blown net.kook on your hands.
Speaking as a locksmith and member of a popular lockpicking club, I think the locksmith community does overreact constantly to their "secrets" being passed out. Like anybody can't just hit Google and have dozens of websites pop up telling you how to pick locks, bypass security and so on. Some of the local locksmith associations referred to our club as a "danger to society" just because we're teaching people in their early twenties how to pick locks, but more, to understand how locks work and how security really works. Everyone automatically jumps to the conclusion that knowledge = corruption. Kind of makes you wonder, if knowing how to pick locks at an early age makes you automatically a budding criminal, how did all the middle aged/older locksmiths of today get started in their careers?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.