Friday Squid Blogging: Octonaut

A space-traveling squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 28, 2012 at 4:37 PM • 43 Comments

Comments

cshannon • September 28, 2012 8:28 PM

TSA got my vote of no confidence last year. My wife, daughter and myself arrive at the security desk with boarding passes and passports in hand. The male TSA agent starts flirting with my daughter; she was 18 at the time and a high school athlete. He looks over our boarding passes, initials them and lets all three of us pass. I had a lot of photo gear in my backpack, so it had to be x-rayed twice, then hand searched. Then we discover we are on concourse A and our boarding passes said B. We talk to a female TSA agent on the way out; she looked at our boarding passes and asked who let us on to the wrong concourse. We point him out and, without saying a word, she gave us a look of "he's an idiot". We pass through security a second time, again my backpack was x-rayed twice over by a different set of TSA agents, and we are allowed to pass. We get to LAX and I reach in to the pouch on the side of my backpack and I feel something cold and sharp. I had gone through security twice and none of the TSA agents found my snips, which are a pair of heavy duty scissors designed to cut communication wire, the type used by phone repair people. I am sure they are on the banned item list.

WOW, talk about security theatre!

David T • September 28, 2012 10:48 PM

It's security theater, all right. But are the agents incompetent, or are they attempting an impossible task?

Sure, the TSA agents could have inspected you much more closely and found your snips. As vast as the US air transport system is, though, this would result in unacceptable levels of delay, and call for a lot more manpower at the TSA stations. That money ain't coming.

I don't think increasing the competence of the TSA agents would make much difference; it's the system itself which is flawed.

David T • September 28, 2012 11:03 PM

And furthermore, we have a limited number of competent people in the US, and I don't want them spending their time staffing TSA inspection stations in airports.

NobodySpecial • September 28, 2012 11:36 PM

@David - but they insist on checking your boarding pass at least four times.
They generally check it when you enter the security area, somebody else will put a little cross on it when you get to the head of the line, then the person on the belt will insist on seeing it again, just after you have put your jacket or purse in the machine, then they check it as you go through the X-ray.

Somebody might have noticed it was the wrong gate - surely if you pick 4 people at random, at least one of them is able to read.

Will • September 29, 2012 1:21 AM

"Automated calls, fraud and the banks: a mismatch made in hell"

a nice article by Cory Doctorow

http://www.guardian.co.uk/technology/2012/sep/27/...

"A spokesman from UK Payments assured the host, Paul Lewis, that the banks' services are secure because they ask you to choose from a list of dates of birth, and "only your bank would have that information about you"."
...
"They've managed to externalise the whole cost of sorting out real unusual transactions from fake ones to their customers."

Jenny Juno • September 29, 2012 4:50 AM

@DavidT
It isn't an impossible task, it is an impossibly easy task. For all intents and purposes there is no threat. So no matter how little effort they put in, they are still going to be successful 99.99999999% of the time. The bound on the minimum amount of work they put in is whatever it takes to "look busy." Anything more than that is essentially wasted effort so nobody but new recruits and the fanatical are going to do it.

Clive Robinson • September 29, 2012 5:28 AM

@ Will,

Like Cory I have a strange habit of getting animated at the UK's Radio 4 on a number of occasions.

Just the other morning one Radio 4 AM presenter called the film trailer made in the US by a convicted criminal that has caused so many problems in Muslim countries "US made" several times, thus potentially chucking further fuel on the fire.

I'm just glad I did not hear the episode of Money Box that Cory did, I suspect a blood vessel would have burst and coated the kitchen in a fine mist of blood. Or at least ruined my breakfast of just out of the oven home baked bread and home made ginger marmalade (yes I make and bake bread during my insomniac nights).

There have been several occasions where I've been sarcastically told "Calm Down Dear" (a catch phrase from an excruciatingly bad insurance ad) when listening to Radio 4. Most often with one of the highbrow programs called "In Our Time" (presented by Baron Melvyn Bragg, FRS, FBA, FRSA, FRSL, FRTS) where they have "dumbed down" to talk about technology and strayed flat footedly into one of my areas of knowledge.

More annoying by far however is that I'm not a "Radio 4 type" and by choice would not listen to it (I prefer Radio 3 or Classic FM during the day and something like Absolute in the evening). It is she who tells me to "Calm Down Dear" who is the avid Radio 4 type. So much so that even my son finds a simple pleasure in annoying her by "blowing raspberries" in time to "The Archers" theme tune, prior to sneaking out of the kitchen like a large rodent with his ill-gotten gains of a chocolate cookie or three (again home baked but by his mum). And we men folk of the family cannot be the only ones with a dislike for The Archers; a well known UK comedian once referred to "the shortest measurable period of time being that between the start of the Archers theme tune and the radio off button being pushed".

Clive Robinson • September 29, 2012 9:40 AM

OFF Topic:

I don't know how many of you remember the various PC-spying issues where (supposedly) legitimate organisations put monitoring software on the computer you own/lease/rent/borrow.

The big nasty was that of school children being spied on by the computers that they had to use to do their school work on (Lower Merion School District in Pennsylvania).

Well back in May a couple discovered to their horror that the system they had "rented to own" and had paid off had been loaded with a piece of software (PC Rental Agent) when the manager of the shop came around to "repossess" the computer and showed the couple a photo taken with the computer camera. The police were called and the result was legal action against the shop chain owners (Aaron's Inc.).

Well things have moved on a bit; the couple still don't have the computer back as apparently the police still have it as evidence, but the FTC has made a provisional ruling for a settlement against a number of organisations that is now open for thirty days for public comment,

http://arstechnica.com/security/2012/09/...

I think the message is becoming clear that many organisations do not believe in the "privacy of the home" and are quite happy to have their employees record what are certainly private and may also be intimate pictures inside of people's homes, some of which may well be images of minors in states of undress and/or adults engaging in activities that, although perfectly legal, are of a most intimate nature that they would not wish to be known by others.

The moral is don't have computers in your home in areas that you would consider to be private at any time, as the chances are increasing that you are being watched and recorded...

As the ability to "build your own" PC diminishes and "all in one" home entertainment systems become the only readily available choice, I fully expect more of this "spying" to happen to the point it becomes effectively "the norm".

Clive Robinson • September 29, 2012 11:02 AM

OFF Topic:

Those of you with IEEE accounts might want to read this and take action if you have not already been contacted by the IEEE.

http://news.cnet.com/8301-1009_3-57520112-83/...

Apparently the IEEE has made two quite serious mistakes,

1, Left log files available by open FTP.
2, Stored Uname/Pword in clear text.

The result is something like 100,000 user accounts could have been compromised.

Nick P • September 29, 2012 11:20 AM

@ Clive Robinson

Hmm, perhaps the proper response is to rent these things and install a rootkit that bricks the BIOS shortly after return. Enough people doing that to enough machines might impact their balance sheet quite a bit. That could lead to a policy change.

Figureitout • September 29, 2012 12:56 PM

Apparently the Mexican cartels have been able to disguise a 300ft. radio tower (!) and carry out "secure comms" (lol!) with it. I certainly hope someone is able to get some pictures as I would be very interested in how they hid a 300 ft tower!

Oh, and I've said in the past how news orgs copy each other word-for-word and how this will lead to a monopolization of the newspeak making process. I also find it funny how most have boilerplate stating to not "publish, broadcast, rewrite, or redistribute". Here are some textbook examples: http://abcnews.go.com/International/wireStory/mexico-finds-cartel-radio-network-300-foot-tower-17353758#.UGcl71E_KmE
http://www.krqe.com/dpp/news/world/...
http://www.washingtonpost.com/world/the_americas/...
http://www.news.com.au/breaking-news/world/...
http://www.toledonewsnow.com/story/19671161/...

@Clive
Doug posted the IEEE story last week, unless you're bringing it up for possibly more discussion.

cshannon • September 29, 2012 2:11 PM

@ David T
I feel that we all agree that the TSA security system is flawed.
Your argument is that you do not want the alphas performing TSA gate security and that if the security methodology was perfect then a lower caste could provide an acceptable level of security.
Brave new world eh?
I don't know, but the thought of putting minimum wage employees (or thereabouts) in charge of equipment that throws ionizing radiation at my equipment and my body and diagnosing the results is a little troubling to me.

Well, off to a round of Obstacle Golf.

Clive Robinson • September 29, 2012 4:25 PM

@ Figureitout,

Doug posted the IEEE story last week

I missed it, I must be getting old ;-)

However I do remember Nick P and RobertT talking about IEEE papers last week which is what made me think it would be of interest to some of this blog's readers.

And speaking of @ Nick P,

Hmm, perhaps the proper response is to rent these things and install a rootkit that bricks the BIOS shortly after return

Yes I must admit if I was to be the recipient of a PC that was "owned" by a third party I would (as I am with this mobile) be fairly circumspect with what I did with it, or initially perform a complete HD transplant on it prior to use (on the assumption that most of this tracker style stuff is bloatware and won't squeeze into a BIOS ROM). But yes the idea of bricking it shortly after it's been signed back certainly does have some appeal. Better still, modify the spyware such that it sends back malware infected graphics files such that the shop's "admin" computers get bricked in some way; it would be a case of being "hoist by their own petard" [1]

[1] Petard : From the French péter meaning to "break wind" [2]. It is a siege weapon or anti-fortification device. Essentially it was the forerunner of the shaped demolition charge; it was a metal cone or bell shaped device filled with gunpowder and sealed with a wooden base that was set and pinned/propped against a wall or door and set off with a slow match. However fairly frequently the matches were either faulty or cut short, resulting in the Petardier getting "hoist" by the premature detonation. Hence "Hoist by your own petard" meaning to be hurt by your own evil device.

[2] Péter, this semi archaic French word for breaking wind, has produced one or two humorous results in its time. There was a company called GEC Plessey Telecoms that under US influence changed its name to GPT. On an attempt to push into the European market GPT decided to start just across the channel in France with a major sales conference. Again under US influence the sales people had been told to go up to the conference lectern and say their name boldly followed by GPT. Somewhere along the line somebody else thought it would be a good idea to say it with a slightly French accent. So you had a sales guy going up to the lectern and saying "Mike Smith GPT" but to the French audience it sounded like "Mike Smith J'ai pété" or translated back into English "Mike Smith I have Farted"...

Clive Robinson • September 30, 2012 12:05 AM

@ Anton,

Adobe Hacked!

You beat me to it :-)

However what you did not say is it's a quite significant "up stream" attack against the Adobe Code Signing infrastructure and possibly an insider attack (which I'm looking for more details on).

Adobe's (ASSET) security blog posting can be read here,

http://blogs.adobe.com/asset/2012/09/...

Put simply, somebody got in "up stream" of Adobe's code signing process on one of their product lines and thus could get their malicious code signed by Adobe and thus accepted by the update process on any PC that trusts Adobe Certs.

It's the sort of attack I identified ages ago as being a major weakness of code signing. Basically all code signing does is attest that at some point in time a code bundle was put through a code signing process using a particular key. It does not attest to whether the code is valid or of any kind of quality or, for that matter, from the code signing key holder.

So the two basic types of attack against code signing are,

1, Obtain a copy of a valid signing key.
2, Get up stream of the legitimate code signing process.

Importantly and where most people get it wrong is that the security of the up stream code development needs to be as good if not better than the code signing process, and this is very hard to do for a whole host of reasons (@ Nick P has made some comments on this some time ago).

From the ASSET blog it appears that Adobe (unlike other organisations) actually put some thought into the security of their up stream signing process but it went wrong for this particular development server.

From the ASSET blog post,

We have identified a compromised build server that required access to the code signing service as part of the build process. Although the details of the machine's configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process. We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies.

I've highlighted two important points which indicate that the build server in question was more vulnerable than it should have been. Now assuming that it is not a "PR smoke screen" you have to ask: did these alleged "APT attackers" get lucky and find the only vulnerable server, or did they know which server was vulnerable in advance? Which raises an important point: "was the server vulnerable by accident or design?".

Further it raises the question of when the server was misconfigured, "before or after it became a valid user of the code signing infrastructure?".

Now from the way the ASSET post has been written the implication is that it was misconfigured by an Adobe insider. Which, if it is not a "PR smoke screen", raises the further question of whether this insider's identity is known or not and whether they were negligent or malicious?...

Which in turn raises a whole bunch of other questions about the security of the rest of the Adobe "pre code signing infrastructure"... which I'm sure Adobe's PR people are not going to want to discuss publicly...

billy • September 30, 2012 8:06 AM

This is the second time we have seen the space traveling squid. This suggests time travel is possible??

Nick P • September 30, 2012 11:19 AM

Re: Good Software Configuration Management

"Importantly and where most people get it wrong is that the security of the up stream code development needs to be as good if not better than the code signing process, and this is very hard to do for a whole host of reasons (@ Nick P has made some comments on this some time ago)." (Clive Robinson)

Indeed. One requirement of trustworthy application development is that the repository and build system is trustworthy. Otherwise, who knows what's being signed. D Wheeler is the only person I know of who spelled out most key requirements for a trustworthy repository (link below). Most of these features wouldn't be hard to implement. I keep spending time on and off improving that to be a decentralized, replicating system between distrusting parties. It's doable with today's technology, but it's a ton of work. The companies doing the highly robust version would always be behind on releases, at least for the trusted version. Motivation's an issue: do they have a pressing reason to use such a system? If not, I'd rather not try to make a concrete version of it. High security development is too stressful to be wasted, imho.

http://www.dwheeler.com/essays/scm-security.html

(Note: there are many useful links on that page about robust CM, OSS/FOSS CM, & Aegis claiming they meet most requirements.)

The main problem is that most popular SCM's don't have the required features & also mandate an insecure OS. If they were easily separated from the OS, progress can be made incrementally toward assuring them. The first step would be putting them on hardened, minimized OS's. Minimal OpenBSD, a tiny Linux with SMACK mandatory access control, & minimal Solaris w/ Argus PitBull are options. The process would mostly be a pipeline, maybe with some rule-driven or scripted parts (aka The Director). The first program is written VERY robustly to accept incoming submissions, validate them, convert them into easily parsed format, & pass them on. Next program takes a submission & performs security checks on it. If it passes, it logs the submission to append-only storage & passes it on. Untrusted components with read-only access perform all the initial checks, tests, builds, etc. These can be quick & more carelessly written. They have permission to write to something that tells the Director process that the submission meets QA guidelines. In early versions, this might be the final build process & a separate process signs/integrates the results.

In later versions, that was just a first pass. Upon completion of first pass, submitters are informed their work is scheduled for full integration. Their client or SCM might keep an unofficial version of the repository that has already merged it just to make development easier. After all, the SCM's versioning control will make sure everything eventually integrates in order. The data scheduled for trusted build loads & the Director identifies the programs needed to build it. They will be written in safe languages, use minimal concurrency (if any), run in a sandbox, use preallocated storage/memory for their operations & be monitored at runtime for integrity. For performance reasons, the process will utilize incremental compilation to keep from doing expensive rework. The build process is very step-by-step & intermediate work can be saved for source-to-object code verification optionally (DO-178B requires this). These processes might build executables, documentation, installers and so on. The final product(s) can be optionally verified by humans or tests before Signing. The Signing phase has another process run some checks to ensure the right build process was followed, archive the release files into one file, hash it, timestamp it, log it, sign it, & mark it ready for release. The Release process is controlled by policy & may not be on the machine at all, with an admin manually pulling the file. All sensitive admin work is done through a dedicated hardware port with OS assigned privileges (and authentication, of course).

Taking it up toward high robustness, one may use a tamper-resistant, PowerPC platform (one exists) to host the secure build system. Let's say all you do is use that to check authorizations, authenticate submissions, log all changes to untrusted storage, send signed hashes of changes to auditor, do the master build, & sign it. Developers send signed submissions to the secure build system. If they pass security checks, they are saved locally for the future build & sent to an untrusted build system that runs typical tests & SCM software. If that build system OKs the software, the secure build system OKs the submission for a future build. Hackers compromising the main (untrusted) build system could not force malware to be signed. Admins messing with things may be detected by 3rd party auditors. Impersonating a developer requires access to their machine at a minimum. Additional security can be added in the form of a visually verified signature on a separate machine, like my old transaction appliance. (Developer machine + trusted device + KVM switch, easy as that.) Throw in two factor authentication + security cameras, then you're down to malicious developers attempting stuff that will be caught by the auditors.

Worst: You're still trusting a third party to set this all up and do maintenance. You're also trusting the company making the tamper-resistant platform to not subvert it. Trusting the tamper-resistance probably isn't so bad considering it's the least likely attack vector. The only way to deal with subversion is multiple hardware types from multiple vendors/fabs running different implementations of a SCM spec, then cross checking what they produce. Having them print hashes of stuff is a way to do that without several thousand pages produced each day. All of this is an option in my HA[-like] decentralized SCM designs.

Note: Many aspects of the latter design, mainly separating into security-critical & non-critical machines, can be used in the medium assurance design. Matter of fact, once the system is broken up into communicating processes, this is even easier. I've been leaning toward communicating processes (asynchronous) on separate physical machines in recent designs b/c that's WAY easier to secure & usable boards are cheaper than ever (this ain't 1960 people!).

Hope this helps someone trying to make a "secure" build process. Adobe, take note!
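
The two attack types in Clive's comment, and the "independent builders cross-checking hashes before anything is signed" idea in Nick P's, side by side as an added Python example. This is not Adobe's process and not code from either commenter. It assumes an HMAC-SHA256 tag under a key only the signing service holds as a stand-in for an asymmetric code-signing key (so the block runs with the standard library alone), constructed build host names, and builds that are reproducible enough for two builders to produce byte-identical output from the same source revision.

```python
"""Naive vs cross-checked code-signing service (added example, not Adobe's design)."""
import hashlib
import hmac

# Assumption: HMAC stands in for the asymmetric signing key kept in an HSM.
SIGNING_KEY = b"constructed-demo-signing-key"


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def sign_digest(hexdigest: str) -> str:
    """Signing services sign a hash of the artifact, not the artifact itself."""
    return hmac.new(SIGNING_KEY, bytes.fromhex(hexdigest), hashlib.sha256).hexdigest()


def verify(artifact: bytes, signature: str) -> bool:
    """What a client's updater checks: does this artifact match this signature under this key?
    The answer says nothing about where the artifact came from or what it does."""
    return hmac.compare_digest(sign_digest(digest(artifact)), signature)


class NaiveSigningService:
    """Signs whatever an authorized build host submits (the common setup).
    A compromised build host is still an authorized one, so its output gets signed."""

    def __init__(self, authorized_hosts):
        self.authorized = set(authorized_hosts)

    def request_signature(self, host: str, artifact: bytes) -> str:
        if host not in self.authorized:
            raise PermissionError(f"{host} is not a registered build host")
        return sign_digest(digest(artifact))


class CrossCheckedSigningService:
    """Signs a release only when every registered builder reports the same artifact hash,
    and records every decision in a log an auditor can read."""

    def __init__(self, builders):
        self.builders = set(builders)
        self.log = []  # append-only in spirit; a real service writes to WORM storage

    def request_signature(self, source_rev: str, reports: dict):
        # reports maps builder host -> hex SHA-256 of the artifact it built from source_rev
        if set(reports) != self.builders:
            self.log.append(("refused", source_rev, "not every builder reported"))
            return None
        digests = set(reports.values())
        if len(digests) != 1:
            self.log.append(("refused", source_rev, "builders disagree", sorted(reports.items())))
            return None
        agreed = digests.pop()
        self.log.append(("signed", source_rev, agreed))
        return sign_digest(agreed)


def demo():
    # Constructed artifacts: a clean build and the same build with an implant appended.
    clean = b"installer bytes from a clean build"
    trojan = clean + b"\x00implant"
    b1, b2 = "build-srv-1", "build-srv-2"

    # Attack type 2: the attacker sits on build-srv-1, which is authorized, so the naive
    # service signs the trojaned artifact and every client verifies it without complaint.
    naive = NaiveSigningService({b1})
    naive_signs_trojan = verify(trojan, naive.request_signature(b1, trojan))

    # Same compromise against the cross-checked service: the independent builder's hash
    # differs, the request is refused and logged; only an agreed build gets signed.
    checked = CrossCheckedSigningService({b1, b2})
    refused = checked.request_signature("rev42", {b1: digest(trojan), b2: digest(clean)})
    release_sig = checked.request_signature("rev42", {b1: digest(clean), b2: digest(clean)})
    return {
        "naive_signs_trojan": naive_signs_trojan,                 # True
        "crosscheck_refuses_trojan": refused is None,             # True
        "release_verifies": verify(clean, release_sig),           # True
        "trojan_under_release_sig": verify(trojan, release_sig),  # False
        "log_entries": len(checked.log),                          # 2
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The cross-check defeats one subverted builder, which is the Adobe scenario; it does nothing against attack type 1 (a stolen key signs anything) or against a poisoned source repository, where both builders faithfully agree on the malicious hash, which is why the design above also authenticates submissions and ships signed change logs to an auditor. It also presumes reproducible builds: if two builders never produce identical bytes from the same revision, the service never signs anything.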

Will • October 1, 2012 2:30 AM

http://singularityhub.com/2012/09/28/...

Absolute must-see.

The video was produced by Febelfin, the Belgian Financial Sector Federation, as part of a safe Internet banking campaign. The video is pretty compelling: if people are shocked at how much Dave can find out about them, the thought of some unscrupulous stranger doing the same is, well, downright creepy.

AC2 • October 1, 2012 3:57 AM

Don't know if this was posted earlier...

One of the SourceForge mirrors for phpMyAdmin was compromised and a backdoor was inserted into the package...

http://arstechnica.com/security/2012/09/...

http://sourceforge.net/blog/phpmyadmin-back-door/

@Clive, Nick P

The customers of these rent-a-comp outfits reported by Ars are usually poor people being ripped off... Usually not the kind of people who would have the skills to do what you're saying...

But yes, never a better time to learn Build-Your-Own. Cheap, secure and easily upgradeable...

Of course you can't do that for laptops/ tablets/ smartphones (unless you count replacing the BIOS and OS, possibly via cracking).

Figureitout • October 1, 2012 12:53 PM

"Absolute must-see." -- @Will's right, watch it; especially if you're looking for humor. We need a whole new evaluation of the internet I think (I want to lay my own wire); but that's basically impossible now and an absurd statement to make.

@Random832
These stories knock the breath out of me. The mayor and FDNY are looking at it all wrong. Why is there a key that "would allow control of virtually any elevator in the city, could knock out power to municipal buildings, darken city streets, open subway gates and some firehouse doors and provide full access to 1 World Trade Center and other construction sites"? It's so funny it's not.

Random832 • October 1, 2012 3:48 PM

@Figureitout - In fairness, there are probably good life safety reasons for _most_ of the listed uses, though they should definitely have a better expiration schedule, and some of the uses could probably be substituted with the more universal sort of fireman's key [pictured: http://imgur.com/ms8CA]

Clive Robinson • October 2, 2012 12:33 AM

OFF Topic:

As some of you might know the ACLU had earlier this year requested via FOI requests on the DOJ information on Internet based "pen register" (who you call) and "trap and trace" (who calls you). It appears the DOJ are legally required to prepare and submit the figures to the US politicos regularly but rarely do these days.

Well a little while ago the DOJ released some documents to the ACLU who have in turn released them to the public on their web site.

Unsurprisingly the DOJ figures show that the US LEAs have very significantly increased Internet surveillance, especially where LEAs don't have to show "probable cause", so in effect the surveillance on Internet and other electronic comms happens without a warrant or judicial oversight.

Over on Sophos's Naked Security web site Paul Roberts has provided an overview of the documents,

http://nakedsecurity.sophos.com/2012/09/28/...

A quick look at the graph shows what appears to the naked eye to be effectively an exponential rise year on year...

What is not clear is just what "non content" data the LEA's get access to and how far back (non content data is currently presumed not to be 4th Amendment protected).

In the past getting "pen register" and "trap and trace" information required physical hardware to be attached to a persons phone line so it was not retrospective. These days it just requires access to the database held by various service providers so at the very least the time period becomes an "open question".

Clive Robinson • October 2, 2012 12:42 AM

@ AC2,

The customers of these rent-a-comp outfits reported by Ars are usually poor people being ripped off... Usually not the kind of people who would have the skills to do what you're saying..

Sadly true, and if these people were to get the skills and use them for their own protection, the companies concerned would probably make it "part of the contract" that they don't, knowing full well that the individual people don't have the resources to fight back against what would in all probability be an unfair restriction.

Clive Robinson • October 2, 2012 1:20 AM

@ Figureitout,

Why is there a key that "would allow control of virtually any elevator in the city, could knock out power to municipal buildings, darken city streets, open subway gates and some firehouse doors and provide full access to 1 World Trade Center and other construction sites"?

Several reasons,

The first is given by Random832, a second is "mission creep" and a third is "dumbing down to save cost", all of which I have seen in the UK with FB (Fire Brigade) keys.

Once the principle of a "selected access" for "safety reasons" is established (usually via the use of courts and insurance companies wishing to reduce liability) it almost immediately becomes subject to "mission creep". That is because the principle is put in place by a judge, the precedent can then be applied to other similar cases and due to the size of payout for culpable negligence it gets very very broad coverage. Until it becomes accepted custom and practice and all locks in public or communal areas become covered, not just to limit liability but because the locks are so much less expensive and the costs of key management drop dramatically as well. However this "cost reduction" then has another effect: to remain competitive a lock manufacturer has to reduce costs of raw materials, returns and labour. This causes the locks to get "dumbed down" by the removal of wards and levers to the point they have no security value at all and become in effect "door latches" with "bring your own handles".

For instance in the UK the FB1 key was originally designed for a five lever lock with at least three wards. A few years ago over in East London they demolished several council/social housing blocks of flats and I acquired from the demolition scrap several FB locks. The majority of those labelled as FB1 had just one lever and no wards so could be picked by a child with a bent nail if cut to the right length...

These locks were used in all sorts of places, some of which were used to restrict access to arguably dangerous areas such as that of power distribution and lift machines and other plant equipment such as communal heating and air conditioning.

It is this sort of cost driven "dumbing down" that almost always follows "best practice" which is driven by liability limitation. Which is just one reason to treat "best practice" with considerable suspicion, as in time it usually ends up as "worst practice, with a legal get out of jail free card", which is what we see here.

Figureitout • October 3, 2012 12:25 PM

@Random832
Link didn't work, but I imagine it's an axe :) I can't argue w/ life safety, but it's a cheap argument.

@Clive
I had a hunch about those reasons but I didn't want to hear them. Sounds kind of similar to the hotel locks. Even w/ a camera, there's little physical impediments to theft/unlawful entry.
You know, in my college dorm we used to be able to break-in to any room with just a credit card. The only way to stop it would be someone on the inside pushing the lock w/ their finger.
However, you'd probably be happy to know that the cheap lock on my bike, even though it had saw-marks from someone, held up and beat the thief.

999999999 • October 3, 2012 5:45 PM

American express website minor privacy issue:
When trying to log in through https://www.americanexpress.com/
the auto-complete feature of the browser is disabled.
However,logging in through:
https://online.americanexpress.com/myca/logon/us/action?request_type=LogonHandler&Face=en_US&inav=iNavLnkLog
allows the browser to save the username.

After being alerted to this slight inconsistency...AMEX replied
[quote]

Response (Neha Choudhary) 10/03/2012 06:15 PM
Good Afternoon XXXX,

We apologize for any inconvenience you may have faced.

To fix this issue, please follow few simple steps :

Launch Internet Explorer Browser (for e.g. www.americanexpress.com)

Click - Tools

Click - Internet Options

Click - Delete Cookies / Delete Files and Clear History.

Once you do this, there should be no problem with the AutoComplete.

If you still face any inconvenience, please call us immediate at 800-297-7500. A representative will fix it while you'll be over the phone.

I hope you find it helpful. Please let me know if I can be of further help.
Sincerely,
Neha Choudhary
Email Servicing Team
American Express Interactive Services
[/quote]


While not strictly a security issue, why is there this inconsistency? If the company has decided that usernames should not be retained by the browser and took steps to do so on the main login page, then any entry in to the system should have the same policy.
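
The check behind the question above, as an added Python example that is not from the commenter and not American Express's code: parse the login forms on each entry point, work out the effective autocomplete policy on the username field (a field's own attribute wins, otherwise it inherits the form's), and flag when the entry points disagree. The two pages are constructed stand-ins modelled on the main login page and the deep link described in the comment; the field names are assumptions.

```python
"""Audit login forms for inconsistent autocomplete policy (added example)."""
from html.parser import HTMLParser

# Input types that carry credentials on a login form.
CREDENTIAL_INPUTS = {"text", "email", "tel", "password"}


class _LoginFormAudit(HTMLParser):
    """Collects each <form> with the effective autocomplete value of its credential inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names already
        if tag == "form":
            self._form = {
                "action": a.get("action", ""),
                "autocomplete": a.get("autocomplete", "on").lower() or "on",
                "fields": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            itype = a.get("type", "text").lower() or "text"
            if itype in CREDENTIAL_INPUTS:
                # The field's own attribute overrides the form default; absent means inherit.
                own = a.get("autocomplete", "").lower()
                effective = own or self._form["autocomplete"]
                self._form["fields"].append(
                    {"name": a.get("name", ""), "type": itype, "autocomplete": effective}
                )

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def login_forms(html):
    """Forms that contain a password field, i.e. the ones that matter for this audit."""
    p = _LoginFormAudit()
    p.feed(html)
    p.close()
    return [f for f in p.forms if any(x["type"] == "password" for x in f["fields"])]


def username_policy(html):
    """Effective autocomplete values on the non-password credential fields of login forms."""
    return {
        x["autocomplete"]
        for f in login_forms(html)
        for x in f["fields"]
        if x["type"] != "password"
    }


def find_policy_drift(pages):
    """pages: {url: html}. Returns (policy per page, True if the pages disagree)."""
    policies = {url: username_policy(html) for url, html in pages.items()}
    distinct = set().union(*policies.values()) if policies else set()
    return policies, len(distinct) > 1


# Constructed sample pages (not captured from the real site); field names are assumptions.
MAIN_LOGIN = """
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="UserID">
  <input type="password" name="Password">
  <input type="submit" value="Log In">
</form>"""

DEEP_LINK_LOGIN = """
<form action="/myca/logon/us/action" method="post">
  <input type="text" name="UserID">
  <input type="password" name="Password">
  <input type="submit" value="Log In">
</form>"""


if __name__ == "__main__":
    policies, drift = find_policy_drift({"main": MAIN_LOGIN, "deep-link": DEEP_LINK_LOGIN})
    print(policies, "inconsistent" if drift else "consistent")
```

Run against real pages, the dictionary would be filled from fetched HTML for every URL that reaches the logon handler. Two caveats: modern browsers' password managers ignore autocomplete="off" on login fields regardless, so the attribute is a statement of intent rather than a control; and the policy still only counts as consistent if the same value holds on every path into the system, which is exactly the point the comment makes.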

Clive Robinson • October 4, 2012 6:55 AM

@ Figureitout,

@Clive I had a hunch about those reasons but I didn't want to hear them. Sounds kind of similar to the hotel locks.

I can understand not wanting to hear about it but unfortunately "free market economics" that give rise to the now almost universal "race to the bottom" is one of the biggest but least talked about security issues.

That said "Fire/health safety locks" are actually worse security wise than hotel locks. The reason being there has to be a minimum level of security to keep guests out of each other's rooms.

Secondly hotels have the option of "electronic locks" which are quite secure in some respects (but appalling in others that could be easily fixed at a modest price). Locks on plant and other infrequently accessed areas have the issue of "can't wait" if the battery dies, which could well happen in the couple of months or so between normal usages.

One of the more interesting issues coming up that currently does not have a viable solution is security locks on nuclear waste repositories. These will not be opened much more than once every decade or so and currently there is no chemical energy storage system that can last a half century let alone a century. Believe it or not some current proposals involve weights, pulleys and small AC generators powered by them...

Figureitout October 4, 2012 3:45 PM

True, it may be the essence of many; certainly supply chain poisoning. You would think that with time, quality would improve not decline.

Ah crikey nuclear waste...forget the locks, how about where to actually store the stuff. I'm not following what current proposals want to do.

Speaking of locks, have you seen this?
--Upon first glance, I want to scream "You've got to be kidding me?!". They claim it's secure, so I'll reserve my judgment until I hear some horror stories. I don't want one though, as there's now yet another digital record of when you just left your home.

Clive Robinson October 5, 2012 2:05 AM

@ Figureitout,

With regards Lockitron, you say,

They claim it's secure, so I'll reserve my judgment until I hear some horror stories.

I won't wait... I definitely will not be investing in what smacks of a college kid project, for a whole list of reasons. The pictures smack you in the face with "Apple Fanboi" so my first thought at seeing the site is "style over substance". Then this bit really said "run for the hills" to me,

Lockitron is compatible with any smartphone thanks to our mobile website. Older phones can use Lockitron through simple text message commands

With SMS being easily spoofable and sent in clear plaintext (ie no link level and no app level encryption) I suspect it's going to be easily vulnerable to "replay attacks".

But on a more practical level let's have a little think about this new electronic lock and its fresh-faced designers. Firstly, even on the "give away first buyer" price it's too expensive; it would need to be sub $100 for what it is. Secondly, what lock mechanics are they going to use? I suspect that whatever it is it's covered by somebody else's secondary patent (unless it's expired). If it's not covered or has been covered by a patent then it will be a "new and unproven" design, which means its reliability has a big big question mark over it, so not the sort of thing you want on your front door when the winter snow and ice or summer heat cause it to bind up, lock you out and make your life a misery while you wait for a locksmith with a big drill... Thirdly, what size battery do you think it has? Look at it this way: it looks like it uses WiFi to talk to the Internet and user response time in such a product is going to be vital; much more than a 0.5 sec delay from button press on the phone to the click of the lock opening and people are going to get unhappy fairly quickly. This mean
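The replay concern raised above, as an added example that is not part of the original thread or of Lockitron's product: a lock that accepts a bare text-message command next to one that requires a strictly increasing counter and an HMAC over the command under a shared key. The message format, key and class names are constructed for this illustration.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-key-not-real"  # stand-in for a per-device secret


class NaiveSmsLock:
    """Accepts the bare word, so a captured text can simply be re-sent."""

    def handle(self, body):
        return body.strip().upper() == "UNLOCK"


def make_tag(key, counter):
    """HMAC-SHA256 over the command and its counter, hex encoded."""
    return hmac.new(key, f"UNLOCK {counter}".encode(), hashlib.sha256).hexdigest()


class CounterHmacLock:
    """Expects 'UNLOCK <counter> <hex-tag>': the tag proves possession of the
    shared key (a spoofed sender number does not help), and the strictly
    increasing counter rejects a captured message delivered a second time."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.unlock_count = 0

    def handle(self, body):
        parts = body.split()
        if len(parts) != 3 or parts[0] != "UNLOCK" or not parts[1].isdigit():
            return False
        counter = int(parts[1])
        if counter <= self.last_counter:
            return False  # replayed or stale command
        if not hmac.compare_digest(make_tag(self.key, counter), parts[2]):
            return False  # wrong key or tampered message
        self.last_counter = counter
        self.unlock_count += 1
        return True


def demo():
    """Delivers one captured command twice to each lock."""
    naive, hard = NaiveSmsLock(), CounterHmacLock(SECRET)
    cmd = f"UNLOCK 1 {make_tag(SECRET, 1)}"
    naive.handle("UNLOCK"), hard.handle(cmd)      # first delivery
    return naive.handle("UNLOCK"), hard.handle(cmd)  # replay: (True, False)
```

The counter and tag address spoofing and replay only; the text is still carried in the clear, so anything confidential would still need encryption on top.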

Clive Robinson October 5, 2012 3:00 AM

@ Figureitout,

A thousand curses on this smart phone and its annoying problems... (yes I know I should replace it but like a wart it's grown on me, and I just can't find a replacement I like, so it's even made it to the "favourite itch list").

To "continue" with the battery size and response time,

This means the lock is going to have to remain actively powered up all the time and be sending "keep alive" activity to stop things like DHCP lease timeouts on the WiFi router. Now have a look at an old style phone battery that maybe lasted a week after a full recharge and no phone activity. Some of these old batteries were up in the 1100mA/h capacity (ie half voltage point). And newer design batteries in the same size are only about three times the capacity at 3500mA/h. So a simple backwards calc 3500/(365.25*24) = 0.399mA/h average operating budget, and to get a minimum 3.6 volts you would be looking at four ~1.5V cells so a max average power budget of considerably less than 2mW. However the "shorted" power would be well in excess of 6V*7A or well beyond the 50W margin. Although you could not get it out due to various physical constraints you convert mA/h to W/s and as a rough rule of thumb divide by 10secs to get the equivalent short power available so 3.5Ax6Vx360 ~= 7.5KW/s for ten seconds which is going to be enough to cause considerable scorching if not an actual fire in your door (which has happened in the past)... I hope they get UL approval...

Figureitout October 5, 2012 3:59 PM

@Clive
Yeah, $149; in this economy why would someone add this to their house unless the "trendies" want to look "hip/tech savvy". They're copying Apple, going for the slick elegant design. You talking about the lock mechanics makes me want to split one of these open. According to their ads, it takes 4 AA batteries and has a typical lifetime of a year, depending on your usage. Your power analysis is interesting, I'd want to test it. If the batteries run out, you can still use your key; so I'm confused if it really adds security besides sending out signals that someone knocked/unlocked your door. For instance, let's say you're at work and receive a notification your door's been unlocked. Do you take it as a glitch or are you going to book it home to see if you're a theft victim?

In their "U-toob" ad, they didn't mention that if you don't have internet, it's an additional $5/month to use sms.

There are door frame compatibility issues, if your door doesn't close all the way there will be jamming issues. It is recommended you use a wooden door as metal ones would interfere w/ router range. So maybe an a$$clown could cause a little trouble interfering w/ someone's lock.

All that info was from their website, so of course sprinkle a little salt on them. As we tear apart their invention, I should note that I commend them for attempting innovation; I'd just rather see the intelligence put in other places and to discontinue this new trend of wireless control of more and more appliances/devices.

Re: Your "dumb" phone, send it to "Yankee Land", I can introduce it to clamp w/ electronic sander or good ole sledgehammer. :) You do become attached to something like a mobile. You say it's some sort of keyboard glitch but maybe it's malware? Why don't you use a regular computer?

OFF TOPIC, but it's a squid post and I wanted to ask you something about interference. In the U.S., every device using rf requiring FCC approval has this bit of legalese that strikes me as sheer bs. "This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference; and (2) This device must accept any interference received, including interference that may cause undesired operation."
--It's the last bit that really angers me. That I must accept interference, even if it causes undesired operation. Sounds like a subtle way of asserting control; but I do not agree with that legalese. Was wondering if you feel the same way or have similar restrictions in the U.K., as you have mentioned in the past you're familiar w/ some regulations?

Clive Robinson October 5, 2012 6:53 PM

@ Figureitout,

I'll start with the easy one,

Was wondering if you feel the same way or have similar restrictions in the U.K., as you have mentioned in the past you're familiar w/ some regulations?

The whole thing starts with "Putting on the Market" or in the US making available to the public. In both cases "public" or the "Market" is assumed to be the retail outlet of finished items or "systems", not the professional or repair market that would buy components and subassemblies etc to make the systems.

In the US your regulatory body is the FCC; in Europe it's rather more complicated, and by EU Directive all goods "placed on the market" must carry the CE and/or other marks such as the caution mark, which is an attention mark (!) in a circle.

To get the CE mark the goods need to have been tested to a series of tests in a framework of directives and standards. In the case of consumer electronics there are several depending on product type. However all consumer electronics must be compliant with the Low Voltage Directive (LVD), which is for basic electronic safety, and one or more other standards, of which active devices must comply with the Electromagnetic Compatibility (EMC) directive. The main directive in question is the R&TTE Directive for radio, telephone and telecommunications equipment. This mandates a testing and certification regime with various test standards for various types of equipment/systems, all of which include LVD and EMC. You can find the standards on the EU's website Europa.

Under the EMC standard there are two basic classes of equipment which are broadly consumer for home/office use and industrial for all other uses. The EMC spec prescribes maximum levels of unintentional emissions and also levels of susceptibility to emissions from other equipment.

The reason for the susceptibility requirements is for "correct operation" such that it is possible for you to use your mobile phone or two way radio next to a broadcast receiver (AM/FM receiver) or computer without causing an issue. Look at it this way: would you want four or five hours of work on your PC to get blown out of the water simply because your mobile phone rang next to it?

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.