Safecracking for the Computer Scientist
secureman writes "It looks like Matt Blaze (the University of Pennsylvania CS
professor best known for finding security flaws in the NSA Clipper Chip
and in master keyed
locks) is still causing trouble in physical security circles. There's a draft paper (dated December '04) on his web site
entitled Safecracking for the
Computer Scientist, which is a pretty in-depth look at what
computer security can learn from safes (and vaults). The interesting
thing is that it describes in detail the different ways that safes are
cracked, probably revealing techniques that locksmiths would rather you
didn't know about (there's a lot of security-by-obscurity there). The
conclusion seems to be that while safes can fail, at least they do so
in better ways than computer systems do. Warning: it's a
2.5 meg pdf file with lots of pretty pictures."
not that obscure (Score:4, Informative)
Re:not that obscure (Score:3, Funny)
so it is quite obscure
Re:not that obscure (Score:4, Insightful)
Re:not that obscure (Score:3, Insightful)
Re:not that obscure (Score:4, Insightful)
This problem is quite common in all the countries where literacy levels should be at 100%. In reality, about 20% of Britons have very poor literacy skills; in Switzerland, it's more than 30%.
Some studies have linked poor literacy to excessive TV viewing. People can't read because they don't read.
Re:not that obscure (Score:2)
Re:not that obscure (Score:5, Funny)
You'll discover that you are incorrect, Sir.
Well that puts it (Score:4, Interesting)
Erk, now where have all those SuperCriminals gone?
slashdotted (Score:3, Funny)
How about a safe holding up to the
wgetting it at 12 K/s
Correction... (Score:2)
It was a 2.5 meg pdf file with lots of pretty pictures. (that I will not be able to look at for a few hours. Damn.)
Unable to determine IP address (Score:2, Funny)
The following error was encountered:
Unable to determine IP address from host name for www.crypto.com
The dnsserver returned:
No DNS records
That's helpful.
Re:Unable to determine IP address (Score:5, Funny)
Wow, that's pretty darned secure!
Well so much for the PDF... (Score:4, Informative)
Here's [64.233.167.104] Google's HTML-ification of the pdf (sans said 'pretty pictures')
Mirror of pdf (Score:5, Informative)
Where is the foresight? (Score:3, Insightful)
There was a guy [punditguy.com] with Tsunami Videos on his blog which ended up costing him $1,000 before he knew what hit him. Does Slashdot compensate those with huge bandwidth bills, or give any warning prior to linking to something like a pdf?
Re: Where is the foresight? (Score:3, Insightful)
It's about legality. It's totally legal to link, but mirroring may get you in trouble.
Re: Where is the foresight? (Score:3, Insightful)
They're linking to a
Mirror (Score:5, Informative)
The shocking secret the industry wants covered up (Score:5, Funny)
Re:The shocking secret the industry wants covered (Score:5, Funny)
Re:The shocking secret the industry wants covered (Score:2)
Re:The shocking secret the industry wants covered (Score:2)
Re:The shocking secret the industry wants covered (Score:5, Funny)
I needed access to a secured room of a building my company was renovating. It had a pushbutton type combination lock on it (or some such). I asked the combination, and the maintenance superintendent said "1-2-3-4-5". I immediately blurted out "1-2-3-4-5? That sounds like the combination some idiot would put on his luggage." Straight Pavlovian response to a Mel Brooks straight line.
It was only after 5 seconds of being stared at that I realized that the Superintendent had intentionally set that combination, and he was NOT a "Spaceballs" fan.
Re:The shocking secret the industry wants covered (Score:2, Interesting)
The client I currently work at installed similar push-button combination locks on all doors from each floor's elevator hall, and spent a fair bit of money on it too.
The combination was set to 7-2-5-3.
Not being a big one for remembering this sort of thing, I idly tried entering 2-3-5-7 - and it opened!
A few tests revealed that their vaunted locks would open with any arrangement of the required four digits - reducing the security from 1 in 1
Re:The shocking secret the industry wants covered (Score:3, Funny)
I do agree with the other points though.
Re:The shocking secret the industry wants covered (Score:3)
Of course, if your lock can't handle multiple digits being the same, well, it's time for a new lock!
New PIN posted *on* the door (Score:5, Funny)
Unfortunately it was taken down before I could take a picture of it.
Xix.
Re:The shocking secret the industry wants covered (Score:3, Funny)
The first thing I thought to myself was:
"That sounds like the combination some GENIUS would have on his luggage!"
Re:The shocking secret the industry wants covered (Score:4, Funny)
Re:The shocking secret the industry wants covered (Score:2)
Re:The shocking secret the industry wants covered (Score:2)
Re:The shocking secret the industry wants covered (Score:5, Informative)
Re:The shocking secret the industry wants covered (Score:3, Funny)
Re:The shocking secret the industry wants covered (Score:5, Interesting)
He said he went around Los Alamos after he learned this trying those two combinations and opened about 1/3 of the locks with one or the other.
Re:The shocking secret the industry wants covered (Score:2)
Seriously though... that's a good book, it's sitting right here on my bed stand.
Re:The shocking secret the industry wants covered (Score:3, Interesting)
Now I could see lazy users setting the combos to something easy to remember like 60-30-60 or such, but they don't come from the factory with either of the two setti
Re:The shocking secret the industry wants covered (Score:5, Informative)
Oh wow, I love Amazon. Find Surely You're Joking, Mr. Feynman! on Amazon and use the search function to look for "Safecracker meets Safecracker". Click on the last link on the first page, and you can find the exact text. The combinations in the book are actually 25-0-25 and 50-25-50. It also turns out that it only opened 1/5th of the safes, not 1/3rd. That book search rules!
(sarcasm mode) (Score:2, Funny)
A point well made (Score:5, Insightful)
A good safe is designed in layers, so that to get in, you have to break through each layer. And the more layers, the more time it takes. Safe-makers know no safe is completely secure, and all safes are crackable.
Time is the enemy of anyone looking to commit theft/robbery, whether that person is working physically or digitally. So the longer it takes, the more secure the system is.
While we definitely know security by obfuscation is stupid in terms of computer security, safety by layers makes sense.
If there were several layers of encryption (asymmetrical and symmetrical), compromising the system takes more time, and if one layer fails, the game isn't over just yet.
Admittedly, secure traffic would be much slower than unsecured traffic, but the benefits of this kind of layered approach would be more than worth it for data that needs to be as secure as possible.
Similar (Score:5, Insightful)
Re:Similar (Score:3, Insightful)
Re:A point well made-Digital makes everything bett (Score:2)
Re: Multiple levels of encryption weaker? (Score:3, Interesting)
That's true, but:
Re: Multiple levels of encryption weaker? (Score:3, Interesting)
Well, I'll try to explain why people think what you are proposing is suboptimal.
Firstly, I think you have misunderstood what "adding extra bits" (enlarging the key) means --- at least in this context. In my (silly) example, the key had the length of 1 (number). Notice there are no bits, since the atomic unit in this encryption unit is letters. If you increase the number of bits we would have more numbers. E.g., (1,2) would make "have" into "icwg", which would be harder to break. The scheme is actually not T
general coding v. coding for security: assumptions (Score:5, Insightful)
For example, assumptions about metadata and syntax give rise to buffer overflow or malformed string exploits. In trusting that an input string will be its stated length or follow the official syntax, the programmer adheres to the logical model of the system but creates a vulnerability. Similarly, physical power consumption artifacts can let a cracker guess the state or internal activities of a smartcard encryption chip. The original programmer is unaware that the code creates these artifacts since most coding paradigms ignore issues such as the exact execution time of subroutines, power consumption of CPU instructions, etc.
Becoming security conscious means unlearning all the tricks that let a programmer ignore the complexity inside a system. It means understanding the real behavior of all the internals, all the side-effects, and all the system properties that might be observable or influenceable by a malicious party. That makes programming for security very different and very much harder than standard programming.
To mangle a metaphor, security means that one must peel the onion to ensure that it does not contain an open door in its core.
Re:general coding v. coding for security: assumpti (Score:3, Insightful)
It also takes a lot longer. If you're questioning everything the C library is doing, you're going to spend al
Re:general coding v. coding for security: assumpti (Score:2)
Hacker vs cracker (Score:5, Funny)
Re:Hacker vs cracker (Score:2, Funny)
Re:Hacker vs cracker (Score:2)
Fun
A Companion Piece... (Score:5, Informative)
Don't leave home without it.
Best home safe is a home vault (Score:5, Interesting)
For the entrance, use two doors. The inside door should be a vault door (better gun safe door hung on a frame with inside release). Outside door should be steel fire/security door with steel frame and heavy locks. Outside door is just to be time consuming to get to the inside door.
This wouldn't be all that expensive, either, considering a high-end gun safe alone is $5k pretty easily.
Comment removed (Score:5, Interesting)
Re:Best home safe is a home vault (Score:5, Interesting)
When the family grocery store burned down the only thing left was the safe, which is where the lottery tickets and other such important/like-money-but-not-money type things were kept overnight. Of course having been in the middle of an inferno for 6 straight hours left it such that it couldn't be opened using the combination or door.
My Uncle called the safe company, and they faxed him some instructions and told him to take it to the local autobody shop. At which point we learned why safes of that size are so damn heavy. Outer and inner boxes of thick steel, with the inner space filled with concrete!! (It's hard to get through and it insulates against fire..)
A couple of hours of careful torching and hammering later and only one corner of one document came out singed - everything else was fine.
Massive Keyspace? (Score:3, Interesting)
Isn't the use of ever increasing keyspace sizes in encryption algorithms (i.e. SHA256, SHA512, SHAadInfinitum) at a pace slightly higher than Moore's law effectively doing this now?
I can't count how many times I have read "...will take longer than the age of the Universe itself to brute force this /insert encryption scheme of choice here/..." when reading about some new fangled encryption scheme. Naturally, that claim is based on computational power at the time, but doesn't this exactly dispute his claim?
We can be better at it, sure. But computer security systems are designed with at least SOME regard for the notional hacker's motive, opportunity, and skill level.
Re:Massive Keyspace? (Score:4, Insightful)
IOW, you can't brute-force a 256-bit key.
Re:Massive Keyspace? (Score:2)
If Leibniz is right and time and space don't exist, AND if there are other, possible realities... the whole thermodynamic thing is moot because causality is not inviolable.
If causality is not inviolable, then simultaneous (as in photon simultaneity) transmittal of information, or that "spooky action at a distance" Einstein talked about, as well as parallel computation i
[I stole this post, don't know from where] (Score:3, Funny)
Re:Massive Keyspace? (Score:3, Interesting)
It really drives home the point that security is much more difficult to right do th
Why no mention of key-locked dials and bolt levers (Score:2)
Sure, lockable dials are pickable (and my S&G group 2 lock's key looks fairly lame), but it's one of those additional layer/skill attributes that makes the stuff all the less desirable.
Re:Why no mention of key-locked dials and bolt lev (Score:4, Insightful)
Actually, the S&G lock he showed is pretty much current industry standard design. They're not as easy to manipulate as they sound. The principle is very simple, but the practice is extraordinarily difficult.
Even a cheap $2 Master pad-lock, as he briefly mentioned in two sentences on page 31, has false gates on the wheels, basically defeating all the simplistic techniques mentioned in the article.
They don't generally use false gates on the wheels of safe locks because the fence doesn't ride on the wheels while they're turning. The fence only drops down to contact the wheels when that smaller brass wheel in front is rotated so that that hook-shaped piece falls into it. False gates can make it more difficult to figure out where the real gates are, but the fact that they have a bottom and are not as deep as the real gate makes them susceptible to the exact same analysis as a non-gated wheel pack. I think you are not entirely understanding how these locks work and the methods of manipulation he describes.
Although he states that these false gates are easily identified, trust me, they are not.
Trust you? You think an S&G 6730 lock (retail price $115.02, my price $69.01, 5 of them currently in stock at my lock supplier's warehouse in DC-- I just checked their online catalog) is "at least a hundred years old" and expect me, a locksmith with 10 years experience learning from a boss with 30 years experience, to trust your analysis? Please.
--------
Funny you should mention, but those cheap Master locks with the false gates are absurdly easy to manipulate. As a locksmith I'll probably be banned from our secret society meetings for telling y'all this; but here, try it at home:
First off, those false gates are only on the last wheel-- the first two wheels are smooth except for the combination notch. Second, the "keyspace" for those Master combo locks is a lot smaller than it looks. The dial may be numbered 0 through 39, but you can be within 1.5 in either direction of the correct number and the fence will drop in. For sake of ease of implementation of my manipulation method, I usually round that down to 1.25 because this allows me to divide the wheel into 16 increments 2.5 apart. So effectively the possible numbers are 0 2.5 5 7.5 10 12.5 etc.-- basically each of the numbers marked on the dial face and the halfway mark between them.
So now you have a keyspace of 16 * 16 * 16, or 4096 combinations. This is still a pretty big number, so let's reduce it. Pull up on the shackle and "feel" each of the points where there's a false gate on that last wheel. Around a certain number range it will feel "loose" because these lock wheels are never perfectly round and the fence of the lock will be stopped by the other two wheels. Once you find this loose space, you have a way to check if the other two wheels are correct. If they are, the fence will drop into them and you will feel friction at that formerly loose position. At that point you need only turn the dial until the third wheel gate is aligned and it pops open.
You only need to go through 16 * 16 = 256 combinations on those other two wheels to find the combination. And you don't have to "clear" the lock after each try either: You set the first wheel at (say) 2.5, then spin around to 0 and see if it rubs. If it doesn't, turn back the other way again to advance the second wheel to 5, then see if the third wheel rubs. Then go back and advance the second wheel to 7.5 and check the third wheel. Do this 16 times and you've checked all the combos beginning with 0. Reset the lock (4 spins) and try the ones that start with the first wheel at 2.5. Continue this process until the lock opens.
The longest one of these has ever taken me is 20 minutes.
Time is the Key (Score:4, Interesting)
John Dillinger penetrated a bank vault and looted safe-deposit boxes within, but he did it by stealth, finding a closed-down bank, pretending to be an authorized workman, and taking a long time to extract the contents.
Better Safe Cracking through Chemistry (Score:5, Interesting)
When I was a kid, my friends and I put an ordinary paper firecracker inside a wooden box, about the size of a cigar box, and secured the lid. To our surprise, the box spontaneously disassembled itself into its component parts, which travelled outwards at high speed. All of that from a firecracker that would only cause minor burns if you held it in your fingers when it exploded.
Re:Better Safe Cracking through Chemistry (Score:2, Informative)
So is it chemistry or physics that makes this work? I suppose the pressure generated by the explosion is the main factor to success but what about a purely chemical reaction via an exothermic reaction in the water causing it to expand....
Re:Better Safe Cracking through Chemistry (Score:5, Informative)
Re:Better Safe Cracking through Chemistry (Score:2, Interesting)
Re:Better Safe Cracking through Chemistry (Score:4, Insightful)
Re:Better Safe Cracking through Chemistry (Score:5, Informative)
Re:Better Safe Cracking through Chemistry (Score:3, Informative)
That technique was used in the movie "The Score". I'm not sure that it would work on a real safe using a small charge. Also, you would have to drill two holes, one to let water in and one to let air out, or it is going to take a long time to fill.
A guide to science in movies - comments on the movie the score [intuitor.com]
Re:Better Safe Cracking through Chemistry (Score:3, Informative)
Without containment, there's no pressure to build up, and explosives typically don't explode, but just burn quite rapidly.
So, reinforcing firecrackers can make them a lot louder/destructive.
For those wanting more history (Score:2, Informative)
Fail-secure (Score:3, Insightful)
It is actually interesting on how you "tap" a safe (Score:3, Interesting)
The bad part is that once you've done this, to make the safe secure again you put a steel ball bearing the size of the hole in the hole, and then weld it in there. There is absolutely no way you're going to be able to drill through that steel. Any drill bit you try to drill through it is just going to dance on it, and end up breaking the drill bit.
So I guess in that case, safes that have been forcibly opened using the above method are safer than ones that haven't.
No Protection for the Clueless (Score:5, Interesting)
There was a burglar in Texas last year that was breaking into city hall buildings all over the state. In almost every one he managed to get access to the safe or safes kept in the building without prying or damaging the safes.
When he finally got caught he was debriefed and gave up his MO. He would get in to the building by defeating a usually inadequate door lock with a screwdriver. Then once inside he would look in all the desk drawers for sticky notes with numbers on them. In almost every one he would find a sticky note with the combination to the safe. This guy hit over 50 different city halls and got into the safe(s) in almost all of them.
The best safes in the world won't keep people from being clueless about security.
No Big Secret (Score:5, Informative)
A good locksmith specializing in safes doesn't care if you know how safes are opened-- on the contrary, they'll tell you all about it. The job of a competent physical security professional is to give the client a straight and honest description of how the product works and what its weaknesses are, and safes are no exception. I've worked for a locksmith for the last ten years and it's company policy to show clients exactly what they're getting and/or what they already have. With safe openings, my boss explains exactly what he's doing and how it all works. Admittedly, there are a lot of locksmiths who think this should all be top secret stuff, but they're just fooling themselves. All the info is out there. There's no official schooling for locksmiths, and no coherent regulation of the profession. Subsequently, there's no way to really keep the information out of the hands of "criminals" while still allowing access for beginners trying to start out in the profession. You can join the Associated Locksmiths of America [slashdot.org] essentially by just saying you're a locksmith, although you'll be approved for membership quicker if you have the recommendation of an existing ALOA member. Once you have an ALOA membership number, you're a locksmith as far as the "keepers of the knowledge" are concerned. Heck, you don't have to have anything but fifty bucks and a mailing address to subscribe to The Locksmith Ledger [lledger.com], and they frequently have articles on opening various safes.
Really, none of the techniques outlined by Mr. Blaze in the PDF are any big secret. Anyone with access to such a lock mechanism (buy a safe and you've got one) and a little brainpower can figure all that stuff out. The thing is, drilling a safe requires fairly specialized tools and is very noisy. Manipulating a safe requires a lot of practice, and even an expert can take a LONG TIME to get into a safe. There are no astounding revelations there. Walk into my boss' locksmith shop and he'd show you all that. I've tried my hand at both drill penetration and manipulation, and there are no "secrets" that make any of that stuff easy. At best, the knowledge just makes it possible-- and that knowledge is available through simple observation.
Safe cracking/ Lock picking (Score:5, Interesting)
After a lot of research and practice, I was able to open several brands of pad-locks, as well as the doors to my house. Guess what? It's not as easy as it looks.
I did this mainly out of curiosity, but I recently had a chance to put this new skill to the test.
My neighbor had locked her keys in her house, and asked for my help. After thinking about it for 15 seconds, I agreed to help.
I broke a pane in the window of her back door. There was no way I was going to let her know that I was capable of defeating the locks on her house. I have no interest in breaking and entering, but the fact is, if people know you can do it, and something goes missing, guess who the first suspect is going to be?
I would love to figure out how to open a safe, not because I want to rob anyone.....it's just really cool, and the fun is in learning how to do something most people can't.
Re:Safe cracking/ Lock picking (Score:3, Interesting)
About a week later, one of my students came to class very excited. He had made the tools and tried them--no success.
Then he locked his keys in his house. His tools were sitting on the seat of his unlocked car. So he tried again. I believe he said it took him about 40 minutes to get in. Not bad for a beginner.
Companion piece (Score:4, Interesting)
http://www.timhunkin.com/94_illegal_engineering.htm [timhunkin.com]
Rich.
Richard Feynman - original geek safecracker (Score:5, Interesting)
Re:spoof? (Score:5, Funny)
Well, now that you mention it
Re: (Score:3, Funny)
Re:spoof? (Score:3, Informative)
It can happen, if something really funny comes up at just the wrong moment. I had it happen to me a couple years ago with lemonade as I was playing Scattergories with some friends. Lemonade is actually quite painful in the sinuses.
That said, I'm sure that 99.9% of the times you see that it's not tru
mod-parent-up (Score:2)
Re:spoof? (Score:2)
Queer Undead for the Straight Guy.
Television executives resurrect notable dead people who were gay or bisexual. (Alan Turing, Graham Chapman, Leonardo Da Vinci, Socrates and Alexander the Great for Mathematics, Comedy, Art, Philosophy, and Military Strategy respectively.) They then go into the lives of fairly unnotable heterosexuals, and help improve their lives.
Comment removed (Score:5, Funny)
Re:Surely you're joking... (Score:3, Insightful)
Re:Surely you're joking... (Score:3, Insightful)
Most of what he talks about that chapter was when he was able to figure out the last t
Re:Surely you're joking... (Score:2, Informative)
Re:Surely you're joking... (Score:2, Insightful)
Swear to God I want a "-1, Surely You're Redundant, Mr. Feynman" moderation just now.
Not /specifically/ directed at you, but the editors coulda saved a couple hundred posts if they'd mentioned him in the summary.
Re:Surely you're joking... (Score:2)
No they couldn't have.
Re:Considering the audience... (Score:5, Funny)
Well i dont think we have much to worry about here. As most
Re:Considering the audience... (Score:2, Funny)
Re:If all safes are crackable... (Score:2, Interesting)
So 40^8 = 6553600000000.
Let's say you'll hit the password halfway through the keyspace on average = 3276800000000.
Let's be really generous, and say a single user can attempt 60 keys / sec. That's 5184000 keys per day.
So, you'd get your password in about 632099 days... about 1700 years. Say you're attacking with 1000 people, that's only 1.7 years!
Oh wait, no supposedly secure system is going to accept 60000 failed key attempts per second, for 1.7 years, before failing. Nice thought, though.
Re:If all safes are crackable... (Score:2)
6553600000000 is a pretty large number, too.
For example, even if the system allows one try per second (and that is *VERY* generous, and assuming the machine is on a fast connection, too),
it would take 207,675 years to try every possible combination.
It doesn't matter how many machines *you* have, as the system doing the authentication contro
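The arithmetic from the two comments above, carried through as an added example (not from the thread): the 40^8 keyspace at 60 guesses a second, the exhaustive search at one guess a second, the collapsed keyspace of an order-insensitive push-button lock like the one described earlier in the thread, and the point that a per-account lockout caps the attacker's aggregate rate regardless of how many machines are used. The 5-failures/15-minute lockout policy is an assumption chosen for illustration.

```python
"""Brute-force time estimates for a combination lock behind an authenticating
system, with and without a per-account lockout. Constructed example for the
thread's arithmetic; the lockout policy used below is assumed, not from the thread."""
from math import comb

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(alphabet: int, length: int, order_matters: bool = True) -> int:
    """Number of distinct codes the lock tells apart.

    order_matters=False models a push-button lock that opens for *any*
    arrangement of the right buttons: only the set of pressed buttons counts
    (distinct buttons, no repeats), so the space collapses to C(alphabet, length).
    """
    if order_matters:
        return alphabet ** length
    return comb(alphabet, length)


def expected_seconds(space: int, attempts_per_second: float, workers: int = 1) -> float:
    """Average time to hit the right code when nothing throttles the attacker:
    half the keyspace at the aggregate rate of all workers."""
    return (space / 2) / (attempts_per_second * workers)


def exhaust_seconds(space: int, attempts_per_second: float) -> float:
    """Worst case: every code tried once at the given rate."""
    return space / attempts_per_second


def expected_seconds_with_lockout(space: int, attempts_before_lockout: int,
                                  lockout_seconds: float) -> float:
    """Average time when the verifier locks the account for lockout_seconds
    after attempts_before_lockout failures. The lock is per account, so the
    aggregate guess rate is capped at attempts_before_lockout / lockout_seconds
    no matter how many client machines the attacker controls (no workers
    parameter: adding machines does not change the answer)."""
    capped_rate = attempts_before_lockout / lockout_seconds
    return (space / 2) / capped_rate


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    space = keyspace(40, 8)  # the thread's 40^8 example
    print(f"keyspace: {space:,}")
    print(f"1 worker @60/s:     {years(expected_seconds(space, 60)):,.0f} years")
    print(f"1000 workers @60/s: {years(expected_seconds(space, 60, workers=1000)):,.1f} years")
    print(f"exhaust @1/s:       {years(exhaust_seconds(space, 1)):,.0f} years")
    # assumed policy: 5 failures lock the account for 15 minutes
    print(f"with lockout:       {years(expected_seconds_with_lockout(space, 5, 900)):,.0f} years")
    # order-insensitive 4-of-10 push-button lock from the thread
    print(f"4 of 10 buttons, any order: {keyspace(10, 4, order_matters=False)} codes "
          f"vs {keyspace(10, 4)} if order mattered")
```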
Re:Book recommendation: The Great Train Robbery (Score:2)
Re:Book recommendation: The Great Train Robbery (Score:5, Interesting)
Picking a Bramah lock is quite possible [crypto.com], but requires some specialized tools. [lockpicking101.com]
Re:Book recommendation: The Great Train Robbery (Score:3, Interesting)
I "picked" a small Bramah lock on a liquor caddy once. My boss was repairing the customer's
Re:Tell you the truth I'm not happy about this. (Score:4, Insightful)
I'm a locksmith and any locksmith with half a brain should know that all of this is commonly available information. Certainly a few old fogies who think locksmithing is some sort of secret society like the Freemasons would pitch a fit if the customer wanted to see the inside of his safe lock. Or maybe they're pissed because they've been telling customers that the safes they're selling are "impenetrable", but if that's the case then they're the idiots. I have personally shown the various "safecracking" techniques to customers and let them try their hand at manipulating a combo lock. The theory is simple, but the implementation is darn near impossible without years of experience and practice. I've never had a customer decide not to buy a safe because I showed him how they're cracked and he thought it was "too easy". Basically, what it comes down to is that there's no such thing as 100% security. You can pay more money and add more complication to get "more 9's", but a Star or Horizon in-floor burglary safe will keep out all but the most determined intruder. Honestly, any locksmith that thinks there are any "trade secrets" in the industry is fooling themselves. Anyone can get an Associated Locksmiths of America [aloa.org] membership and a business license, and from there buy books [hpcworld.com] that explain [hpcworld.com] it all. [hpcworld.com]
I seriously doubt that posting this on slashdot is going to lead to a massive upswing in safecracking. The one thing I've noticed in the business is that (weird as it sounds) most people are basically honest! Besides, safecracking isn't fast enough for most criminals. Most safe burglaries happen when someone knows the combination, either having been entrusted with it, watching someone else dial it, or finding it written down in a drawer somewhere.
Re:Tell you the truth I'm not happy about this. (Score:3, Insightful)
Personally, I think mass public distribution is better. It better serves to destroy the "security through obscurity" mindset held by a lot of locksmiths. It's not like any of
Re:The perfect safe (Score:5, Informative)
They make those, but my boss refuses to install them anymore, even if the customer wants it. We've seen too many cases of fritzed electronics, dead batteries, and broken wires with those things. I have only once seen a regular mechanical combo lock fail spectacularly, requiring drilling to open the safe, and in that case the lock "worked badly" for WEEKS beforehand (but the customer, of course, waited till it broke). Electronic locks tend to have binary failures: they work fine up until the point where they don't work at all.