    Tuesday, November 4, 2008

    Pumpcon, Philadelphia, PA, October 25, 2008—PART ONE, Physical and Electronic Security Vulnerabilities

    When I was growing up, one of the benefits to having a CIA dad was that I got to play with the cool stuff he brought home. As a result, I’ve been trained to beat lie detectors, how to mentally isolate physical stimuli with training on a biofeedback machine, how to make instant keys with a magical metal that melts within seconds in a spoon held over a lighter flame, and how to break into the doors and windows in the house in which I grew up. There was also a very cool lock picking kit that he had, and once when I locked myself out of my car in a dark parking lot, my Dad showed up with the kit and had my car open in seconds. Growing up, I thought that was a skill that most dads had and that every kid should be taught. I was taught these useful skills that ended up helping me in many situations.

    So why are the best lock picking techniques and tools kept secret, or even illegal to possess in D.C.? Is this another example of “security through obscurity?” I’ve spent some time in the lock picking villages at the HOPE and Defcon conferences. Why aren’t there more of these opportunities available to the general public, i.e. not only to locksmiths or computer security conference attendees?

    This was one of the issues I addressed in my presentation at Pumpcon, and I had a great time talking about it there. Soon after Defcon, and inspired by the events surrounding the three undergrads from MIT, I began researching how to disclose security vulnerabilities. I was curious about the divide between electronic/physical security breaches and those involving computer software and hardware: why aren’t both groups interested in truthful discussions regarding flaws? Shouldn’t we, as consumers who rely on the software designers who protect our home computers and the mechanical engineers who designed the locks on our houses, know if something isn’t quite as secure as advertised?

    It seems as if the hardware and physical/electronic security hacks take a long time to be exposed. For example, Marc Tobias presented at HOPE and Defcon in 2008 about how to pick Medeco key locks. However, according to my government fed sources, Medeco lock vulnerabilities have been known for more than a decade. What’s the reason for it not being publicly discussed? I’ve been told that it takes a highly skilled lock picker—or a locksmith—to successfully pick Medeco locks.

    But surely, there were skilled lock pickers out there, so why the silence? I found the following on a site that discusses Tobias’ book:

    “A detailed analysis is available together with a video demonstration that clearly shows the method of bypass. This publication has been restricted to locksmiths and the professional security community because of the simplicity of the technique and the potential security ramifications that could result from a public disclosure of the exact method. If you have security responsibility, you may contact the author for access to the restricted document. The password has been posted on ClearStar for security professionals.”

    I know that the locksmith community has a lot of power, but do they have the power to silence discussion about how to pick locks? Perhaps this is true especially considering that it’s illegal to own a lock picking kit in some states unless you’re a licensed locksmith. Is this an example of a good way to make things more secure or, on the other hand, an example of legislation protecting jobs in an industry? This is how the Freemasons started; they were protecting the secret ingredients for making cement thus making the formula a coveted secret protected by those sworn into a brotherhood and keeping the brothers with guaranteed jobs.

    For a modern example, someone from the crowd at Pumpcon told me that Joe Grand, aka KingPin, gets death threats regarding his lock picking research. I’d like to find more information regarding this statement. (Denied by Kingpin--see comments.) If true, that’s a sobering example of the power of a brotherhood of some kind protecting their own. Is lock picking worthy of protecting through this extreme measure? Does it make us more secure?

    Will this attitude eventually spill over into the computer hardware and software security industry? I fear it might.

    Note: The picture above is of the back of Kevin Mitnick’s business card. Obviously, it contains lock picking tools. They will work. Funny, but I think his thumb print is still on the other side of the card! ; )


    Rob T Firefly said...

    I'm always amazed by those in security-focused industries like locksmithing who fail to appreciate what boils down to a source of free R&D work for them. If they focused more on fixing problems people find with their products, and less on trying to pretend said problems do not exist, the result would undoubtedly be a more robust and successful product for everyone.

    As things like 3-D printing and home prototyping improve and penetrate into the mainstream, I would love to eventually see efforts to design open-source locks anyone can construct and improve upon.

    Anonymous said...

    If we limit the context only to the computer industry, anyone revealing security vulnerabilities is of critical importance. Why? Because the industry will either take a long time to do it on its own without provocation or it won't do it at all. The disclosures benefit everyone. Too many products and software are released half-baked with the odd notion that there is always time to fix it with a patch later.

    Janis S.

    Tiffany Strauchs Rad said...
    What's your opinion about the difference between disclosure procedures for electronic/physical security and computer software/hardware?

    Tiffany Strauchs Rad said...

    Rob T Firefly,

    I like the idea of open source locks. I'm going to propose the idea at the next Maine Hackerspace meeting. Perhaps we can work on a joint project with Hacktory? One of Maine's first projects will be to build a 3-D printer, but it will be a while. We still don't have a physical location.

    Anonymous said...

    In my view there is a disclosure difference between physical/electronic security vulnerabilities and IT/computer vulnerabilities. The knowledge base of IT vulnerabilities tends to be catholic because the arena is universal. Physical security is not. It is conceivable that a terrorist could exploit a physical security vulnerability before it can be fixed. Janis S.

    Joe Grand aka Kingpin said...

    No death threats for me yet, at least not that I know of. If so, they'd likely be for hardware security vulnerabilities, not lockpicking (which I suck at.) Maybe there's another Kingpin, but I hope not. That link isn't me, either, it's :) -kp

    Tiffany Strauchs Rad said...

    Thanks, Kingpin,
    I've fixed the link. YOU are the Kingpin to whom I referred and to whom I want to correctly link. Also, thanks for rejecting the claim about death threats. There is no better source than you to deny it. I'm glad it's not true, for your safety and because it would be ushering the computer software and hardware industry down a darker road if that's what some may resort to in order to be lazy about the security of their products. But when Chris Soghoian reports that "rubber hose techniques" may have been used to beat the cryptographic key out of a suspect in Turkey under the auspices of the US government, I worry.