Here’s a physical-world example of why master keys are a bad idea. It’s a video of two postal thieves using a master key to open apartment building mailboxes.
Changing the master key for physical mailboxes is a logistical nightmare, which is why this problem won’t be fixed anytime soon.
Posted on January 6, 2020 at 6:20 AM •
Not email, paper mail:
Thieves, often at night, use string to lower glue-covered rodent traps or bottles coated with an adhesive down the chute of a sidewalk mailbox. This bait attaches to the envelopes inside, and the fish in this case—mail containing gift cards, money orders or checks, which can be altered with chemicals and cashed—are reeled out slowly.
In response, the US Post Office is introducing a more secure mailbox:
The mail slots are only large enough for letters, meaning sending even small packages will require a trip to the post office. The opening is also equipped with a mechanism that grabs at a letter once inserted, making it difficult to retract.
The crime has become more common in the past few years.
Posted on March 25, 2019 at 9:39 AM •
I’ve previously written about mail cover—the practice of recording the data on mail envelopes. Sai has been covering the issue in more detail, and recently received an unredacted copy of a 2014 audit report. The New York Times has an article on it:
In addition to raising privacy concerns, the audit questioned the Postal Service’s efficiency and accuracy in handling mail cover requests. Many requests were processed late, the audit said, which delayed surveillance, and computer errors caused the same tracking number to be assigned to different requests.
The inspector general also found that the Postal Inspection Service did not have “sufficient controls” in place to ensure that its employees followed the agency’s policies in handling the national security mail covers.
According to the audit, about 10 percent of requests did not include the dates for the period covered by surveillance. Without the dates in the files, auditors were unable to determine if the Postal Service had followed procedures for allowing law enforcement agencies to monitor mail for a specific period of time.
Additionally, 15 percent of the inspectors who handled the mail covers did not have the proper nondisclosure agreements on file for handling classified materials, records that must be maintained for 50 years. The agreements would prohibit the postal workers from discussing classified information.
And the inspector general found that in about 32 percent of cases, postal inspectors did not include, as required, the date on which they visited facilities where mail covers were being processed. In another 32 percent of cases, law enforcement agencies did not return documents to the Postal Inspection Service’s Office of Counsel, which handles the national security mail covers, within the prescribed 60 days after a case was closed.
Posted on August 18, 2015 at 6:48 AM •
A man was arrested for drug dealing based on the IP address he used while querying the USPS package tracking website.
Posted on May 22, 2015 at 12:33 PM •
Sidebar photo of Bruce Schneier by Joe MacInnis.