Entries Tagged "locks"

Page 9 of 12

Defeating Motion-Sensor Secured Doors with a Stick

An old trick, but a good story:

Everyone thought the doors were incredibly cool. Oh, and they were. Upon entering a secure area (that is, anywhere except the lobby), one simply waved his RFID-enabled access card across the sensor and the doors slid open almost instantly. When leaving an area, motion detectors automatically opened up the doors. The only thing that was missing was the cool “whoosh” noise and an access panel that could be shot with a phaser to permanently seal or, depending on the plot, automatically open the door. Despite that flaw, the doors just felt secure.

That is, until one of G.R.G.’s colleagues had an idea. He grabbed one of those bank-branded folding yardsticks from the freebie table and headed on over to one of the security doors. He slipped the yardstick right through where the sliding doors met and the motion detector promptly noticed the yardstick and opened the door. He had unfettered access to the entire building thanks to a free folding yardstick.

Posted on December 15, 2006 at 7:01 AMView Comments

Expensive Cameras in Checked Luggage

This is a blog post about the problems of being forced to check expensive camera equipment on airplanes:

Well, having lived in Kashmir for 12+ years I am well accustomed to this type of security. We haven’t been able to have hand carries since 1990. We also cannot have batteries in any of our equipment checked or otherwise. At least we have been able to carry our laptops on and recently been able to actually use them (with the batteries). But, if things keep moving in this direction, and I’m sure it will, we need to start thinking now about checking our cameras and computers and how to do it safely.
This is a very unpleasant idea. Two years ago I ordered a Canon 20D and had it “hand carried” over to meet me in England by a friend. My friend put it in their checked bag. The bag never showed up. She did not have insurance and all I got $100 from British Airways for the camera and $500 from American Express (buyers protection) that was it. So now it looks as if we are going to have to check our cameras and our computers involuntarily. OK here are a few thoughts.

Pretty basic stuff, and we all know about the risks of putting expensive stuff in your checked luggage.

The interesting part is one of the blog comments, about halfway down. Another photographer wonders if the TSA rules for firearms could be extended to camera equipment:

Why not just have the TSA adopt the same check in rules for photographic and video equipment as they do for firearms?

All firearms must be in checked baggage, no carry on.

All firearms must be transported in a locked, hard sided case using a non-TSA approved lock. This is to prevent anyone from opening the case after its been screened.

After bringing the equipment to the airline counter and declaring and showing the contents to the airline representative, you take it over to the TSA screening area where it it checked by a screener, relocked in front of you, your key or keys returned to you (if it’s not a combination lock) and put directly on the conveyor belt for loading onto the plane.

No markings, stickers or labels identifying what’s inside are put on the outside of the case or, if packed inside something else, the bag.

Might this solve the problem? I’ve never lost a firearm when flying.

Then someone has the brilliant suggestion of putting a firearm in your camera-equipment case:

A “weapons” is defined as a rifle, shotgun, pistol, airgun, and STARTER PISTOL. Yes, starter pistols – those little guns that fire blanks at track and swim meets – are considered weapons…and do NOT have to be registered in any state in the United States.

I have a starter pistol for all my cases. All I have to do upon check-in is tell the airline ticket agent that I have a weapon to declare…I’m given a little card to sign, the card is put in the case, the case is given to a TSA official who takes my key and locks the case, and gives my key back to me.

That’s the procedure. The case is extra-tracked…TSA does not want to lose a weapons case. This reduces the chance of the case being lost to virtually zero.

It’s a great way to travel with camera gear…I’ve been doing this since Dec 2001 and have had no problems whatsoever.

I have to admit that I am impressed with this solution.

Posted on September 22, 2006 at 12:17 PMView Comments

What is a Hacker?

A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.

I wrote that last sentence in the year 2000, in my book Secrets and Lies. And I’m sticking to that definition.

This is what else I wrote in Secrets and Lies (pages 43-44):

Hackers are as old as curiosity, although the term itself is modern. Galileo was a hacker. Mme. Curie was one, too. Aristotle wasn’t. (Aristotle had some theoretical proof that women had fewer teeth than men. A hacker would have simply counted his wife’s teeth. A good hacker would have counted his wife’s teeth without her knowing about it, while she was asleep. A good bad hacker might remove some of them, just to prove a point.)

When I was in college, I knew a group similar to hackers: the key freaks. They wanted access, and their goal was to have a key to every lock on campus. They would study lockpicking and learn new techniques, trade maps of the steam tunnels and where they led, and exchange copies of keys with each other. A locked door was a challenge, a personal affront to their ability. These people weren’t out to do damage—stealing stuff wasn’t their objective—although they certainly could have. Their hobby was the power to go anywhere they wanted to.

Remember the phone phreaks of yesteryear, the ones who could whistle into payphones and make free phone calls. Sure, they stole phone service. But it wasn’t like they needed to make eight-hour calls to Manila or McMurdo. And their real work was secret knowledge: The phone network was a vast maze of information. They wanted to know the system better than the designers, and they wanted the ability to modify it to their will. Understanding how the phone system worked—that was the true prize. Other early hackers were ham-radio hobbyists and model-train enthusiasts.

Richard Feynman was a hacker; read any of his books.

Computer hackers follow these evolutionary lines. Or, they are the same genus operating on a new system. Computers, and networks in particular, are the new landscape to be explored. Networks provide the ultimate maze of steam tunnels, where a new hacking technique becomes a key that can open computer after computer. And inside is knowledge, understanding. Access. How things work. Why things work. It’s all out there, waiting to be discovered.

Computers are the perfect playground for hackers. Computers, and computer networks, are vast treasure troves of secret knowledge. The Internet is an immense landscape of undiscovered information. The more you know, the more you can do.

And it should be no surprise that many hackers have focused their skills on computer security. Not only is it often the obstacle between the hacker and knowledge, and therefore something to be defeated, but also the very mindset necessary to be good at security is exactly the same mindset that hackers have: thinking outside the box, breaking the rules, exploring the limitations of a system. The easiest way to break a security system is to figure out what the system’s designers hadn’t thought of: that’s security hacking.

Hackers cheat. And breaking security regularly involves cheating. It’s figuring out a smart card’s RSA key by looking at the power fluctuations, because the designers of the card never realized anyone could do that. It’s self-signing a piece of code, because the signature-verification system didn’t think someone might try that. It’s using a piece of a protocol to break a completely different protocol, because all previous security analysis only looked at protocols individually and not in pairs.

That’s security hacking: breaking a system by thinking differently.

It all sounds criminal: recovering encrypted text, fooling signature algorithms, breaking protocols. But honestly, that’s just the way we security people talk. Hacking isn’t criminal. All the examples two paragraphs above were performed by respected security professionals, and all were presented at security conferences.

I remember one conversation I had at a Crypto conference, early in my career. It was outside amongst the jumbo shrimp, chocolate-covered strawberries, and other delectables. A bunch of us were talking about some cryptographic system, including Brian Snow of the NSA. Someone described an unconventional attack, one that didn’t follow the normal rules of cryptanalysis. I don’t remember any of the details, but I remember my response after hearing the description of the attack.

“That’s cheating,” I said.

Because it was.

I also remember Brian turning to look at me. He didn’t say anything, but his look conveyed everything. “There’s no such thing as cheating in this business.”

Because there isn’t.

Hacking is cheating, and it’s how we get better at security. It’s only after someone invents a new attack that the rest of us can figure out how to defend against it.

For years I have refused to play the semantic “hacker” vs. “cracker” game. There are good hackers and bad hackers, just as there are good electricians and bad electricians. “Hacker” is a mindset and a skill set; what you do with it is a different issue.

And I believe the best computer security experts have the hacker mindset. When I look to hire people, I look for someone who can’t walk into a store without figuring out how to shoplift. I look for someone who can’t test a computer security program without trying to get around it. I look for someone who, when told that things work in a particular way, immediately asks how things stop working if you do something else.

We need these people in security, and we need them on our side. Criminals are always trying to figure out how to break security systems. Field a new system—an ATM, an online banking system, a gambling machine—and criminals will try to make an illegal profit off it. They’ll figure it out eventually, because some hackers are also criminals. But if we have hackers working for us, they’ll figure it out first—and then we can defend ourselves.

It’s our only hope for security in this fast-moving technological world of ours.

This essay appeared in the Summer 2006 issue of 2600.

Posted on September 14, 2006 at 7:13 AMView Comments

Computer-Controlled Fasteners

It’s a really clever idea: bolts and latches that fasten and unfasten in response to remote computer commands.

What Rudduck developed are fasteners analogous to locks in doors, only in this case messages are sent electronically to engage the parts to lock or unlock. A quick electrical charge triggered remotely by a device or computer may move the part to lock, while another jolt disengages the unit.

Instead of nuts and bolts to hold two things together, these fasteners use hooks, latches and so-called smart materials that can change shape on command.The first commercial applications are intended for aircraft, allowing crews to quickly reshape interiors to maximize payload space. For long flights, the plane may need more high-cost business-class seats, while shorter hauls prefer a more abundant supply of coach seats.

Pretty clever, actually. The whole article is interesting.

But this part scares me:

A potential security breach threat apparently doesn’t exist.

“I wondered what’s to prevent some nut using a garage door opener from pushing the right buttons to make your airplane fall apart,” said Harrison. “But everything is locked down with codes, and the radio signals are scrambled, so this is fully secured against hackers.”

Clearly this Harrison guy knows nothing about computer security.

EDITED TO ADD: Slashdot has a thread on the topic.

Posted on April 3, 2006 at 12:57 PMView Comments

New Kind of Door Lock

There’s a new kind of door lock from the Israeli company E-Lock. It responds to sound. Instead of carrying a key, you carry a small device that makes a series of quick knocking sounds. Just touching it to the door causes the door to open; there’s no keyhole. The device, called a “KnocKey,” has a keypad and can be programmed to require a PIN before operation—for even greater security.

Clever idea, but there’s the usual security hyperbole:

Since there is no keyhole or contact point on the door, this unique mechanism offers a significantly higher level of security than existing technology.

More accurate would be to say that the security vulnerabilities are different than existing technology. We know a lot about the vulnerabilities of conventional locks, but we know very little about the security of this system. But don’t confuse this lack of knowledge with increased security.

Posted on March 22, 2006 at 5:15 AMView Comments

1 7 8 9 10 11 12

Sidebar photo of Bruce Schneier by Joe MacInnis.