Neil Hopcroft

A digital misfit

The article is available to the general public without any restrictions whatsoever. We as professionals in the security field are outraged and concerned with the damage that the spread of this sensitive information will cause to security and to our profession. We know many of you will be too.”


13 comments

  1. This is very interesting.

    Keep people uninformed then they won’t know how to break stuff.

    Security through sticking your head in the sand.

    • There are some limits on the physical security necessary, if you have too much on the door they’ll just get in through the window. I suspect that most break-ins these days involve physically forcing something rather than picking the lock. Even with more knowledge about lockpicking out in the general public it’s still likely to remain that way. Safes are, perhaps, a slightly different story, but even so there is plenty of material out there about breaking them, and they’re not hard to crack if you know what you’re doing.

  2. lol. this guy prefers the ostrich method of security does he?
    it’s a bit like the discovery of how to pop the circular cycle locks- once the information was widespread enough the companies using the locks pretty immediately came up with an improvement. any decent security person would know better than to rely on “trade secrets” staying quiet, and get off their laurels to tighten the security in question :P
    sheesh.

  3. Fascinating article. The security metrics given really are quite bizarre:

    “safe testing as described here does not produce upper or lower bounds on security in the sense usually used in information security. They are clearly not lower bounds, since better tools or techniques not known when a safe was tested might substantially reduce the required penetration time. The results are not especially meaningful as upper bounds, either, since the conditions are sufficiently generous to the attacker to make it very unlikely that they could be achieved under field conditions.”

    But then:
    ““Group 1” locks are intended to resist expert manipulation for at least twenty hours; …“Group 2M,” are said to resist expert manipulation for up to two hours”.

    So that’s saying roughly, “We reckon Group 1 locks hold for anything up to 20 hours, cos that’s how long it took us to open it, but your Group 2M will be open in a jiffy unless you’re really lucky and it takes a couple of hours”.

    Do these people have no grasp of statistics?
    :)

    • To be fair, nearly nobody has a grasp of statistics. But realistically having a lock that takes 24 hours to penetrate just means people are going to find another way, should they feel so inclined. I remember always choosing ‘demolitions’ as a skill in my role playing days, since everywhere you went had heavily guarded doors, but that didn’t count for anything if you went through the wall.

  4. >a million people around the world are going to have a go at locks that otherwise wouldn’t have bothered

    Yes, I have to admit that I’m now itching to have a go! Hmmm… maybe I can try one of those little room safes next time I’m in a hotel (in *my* room of course!)
    :)

    • http://clsdemo.caltech.edu/14/02/FeynmanLosAlamos.htm

      “So I used to practice it like a cardsharp practices cards, you know – all the time. Quicker and quicker and more and more unobtrusively I would come in and talk to some guy. I’d sort of lean against his filing cabinet, and you wouldn’t even notice I’m doing anything. I’m not doing anything – just playing with the dial, that’s all, just playing with the dial. But all the time I was taking the two numbers off! And then I would go back to my office and write the two numbers down, the last two numbers of the three. Now, if you have the last two numbers, it takes just a minute to try for the first number; there’s only 20 possibilities, and it’s open. OK? It takes about three minutes to open a safe if you know the last two numbers.”

  5. The kind of people who would put this sort of information to nefarious ends are likely to be doing unpleasant things anyway, this sort of knowledge doesn’t make people criminal, just changes how they go about their criminalness.

  6. Where there is a will….

    Security is inherently a misnomer in the sense that you feel secure about it, typically this is because you haven’t considered all of the options.

    Most of the time, most security is to keep away the casual opportunist, and to give a perception that it’s not worth their while to bother. If you go overboard on security people will often wonder what’s in there and why do you not want anyone to know…I’ve heard of things being broken into just because it’s a challenge.

    There are some designs of locks that are secure, they are not generally sold, as people usually need a back-up method of getting in….If you lose a key, forget a combination etc, you have to be able to retrieve the stuff some way, so a secure lock is actually of little commercial value.

    p.s. Sorry about the other night, got in late and just crashed, maybe with a bit more planning ???

    • Indeed, security is a bunch of trade-offs, balance between hindering usability by those authorised to use and stopping those unauthorised…

      No worries, we’ll get together at some point, no doubt….
