Slashdot Mirror
Safecracking for the Computer Scientist
secureman writes "It looks like Matt Blaze (the University of Pennsylvania CS
professor best known for finding security flaws in the NSA Clipper Chip
and in master keyed
locks) is still causing trouble in physical security circles. There's a draft paper (dated December '04) on his web site
entitled Safecracking for the
Computer Scientist, which is a pretty in-depth look at what
computer security can learn from safes (and vaults). The interesting
thing is that it describes in detail the different ways that safes are
cracked, probably revealing techniques that locksmiths would rather you
didn't know about (there's a lot of security-by-obscurity there). The
conclusion seems to be that while safes can fail, at least they do so
in better ways than computer systems do. Warning: it's a
2.5 meg pdf file with lots of pretty pictures."
The information for the way that locksmithing is done (including lock picking) is available in most libraries. Ditto for safe and vault construction methodologies for the past 120 years.
Cmon, you expected a 2.5 mb file to last...
Here's Google's HTML-ification of the pdf (sans said 'pretty pictures')
http://mirrordot.org/stories/a98b5b5fc2096a7b567c4 b2e77ca0f1f/safelocks.pdf
http://shell.athenet.net/~files/safelocks.pdf
All safes open using a maintenance combination of 12345.
Did anyone else read the headline and think this was some horrible spoof on "Queer Eye for the Straight Guy"?
... no.
Well, now that you mention it
It's simple: I demand prosecution for torture.
I think his comparison is on to something here.
A good safe is designed in layers, so that to get in, you have to break through each layer. And the more layers, the more time it takes. Safe-makers know no safe is completely secure, and all safes are crackable.
Time is the enemy of anyone looking to commit theft/robbery, whether that person is working physically or digitally. So the longer it takes the more secure the system it is.
While we defeinitely know security by obfuscation is stupid in terms of computer security, safety by layers makes sense.
If there were several layers of encryption (asymmetrical and symmetrical), compromising the system takes more time, and if one layer fails, the game isn't over just yet.
Admittedly secure traffic would be much slower than unsecured traffic, the benefits of this kind of layered approach would be more than worth it for data that needs to be as secure is possible.
You can't defeat physics.
" Unable to determine IP address from host name for www.crypto.com
Wow, that's pretty darned secure!
"Derp de derp."
That sounds like the combination some idiot would have on his luggage.
Thinkin' Lincoln - a web comic of presidential proportions
To top it off, his mastery of punctuation and the Shift Key is far better than yours.
I think I need a new sig here.
The challenge for IT security is that computer science loves to use abstractions, encapsulation, APIs, libraries and what not that let the programmer ignore the details of the internal complexity of systems. The problem is that it leads one to assume that these systems behave in some idealized fashion (the logical, black-box model of the system). In reality, the systems don't always follow the assumed logical model or the ignored internals create side-effects that are unforeseen by the original programmer, but exploited by malicious actors.
For example, assumptions about metadata and syntax give rise to buffer overflow or malformed string exploits. In trusting that an input string will be its stated length or follow the official syntax, the programmer adheres to the logical model of the system but creates a vulnerability. Similarly, physical power consumption artifacts can let a cracker guess the state or internal activities of a smartcard encryption chip. The original programmer is unaware that the code creates these artifacts since most coding paradigms ignore issues such as the exact execution time of subroutines, power consumption of CPU instructions, etc.
Becoming security conscious means unlearning all the tricks that let a programmer ignore the complexity inside a system. It means understanding the real behavior of all the internals, all the side-effects, and all the system properties that might be observable or influenceable by a malicious party. That makes programming for security very different and very much harder that standard programming.
To mangle a metaphor, security means that one must peel the onion to ensure that it does not have contain an open door in its core.
Two wrongs don't make a right, but three lefts do.
True story.
I needed access to secured room of a building my company was renovating. It had a pushbutton type combination lock on it (or some such). I asked the combination, and the maintenance superintendent said "1-2-3-4-5". I immediately blurted out "1-2-3-4-5? That sounds like the combination some idiot would put on his luggage." Straight Pavlovian response to a Mel Brooks straight line.
It was only after a 5 seconds of being stared at that I realized that the Superintendent had intentionally set that combination, and he was NOT a "Spaceballs" fan.
"As God is my witness, I thought turkeys could fly." A. Carlson
This one throws a monkey-wrench in the works of the old "hacker vs cracker" argument. If someone is a redneck safe-cracking computer scientist from Georgia, what category do they fall into? Hmmm?
Don't blame Durga. I voted for Centauri.
Similarly, you can have as many security layers as you wish but if you forget to weld the back end of the safe or network on than they still do nothing for security... your only as secure as your weakest point of security.
So I was reading the DaVinci Code and the main characters discovered that the account number for a swiss bank account was the first several digits of the Fibbonaci sequence.
The first thing I thought to myself was:
"That sounds like the combination some GENIUS would have on his luggage!"
Rats would be more funny if they could fart.
Don't leave home without it.
We must be alert to the danger that public policy could become captive to a scientific-technological elite. - Eisenhower
Surely You're Joking Mr. Feynmann has a chapter called "Safecracker Meets Safecracker." It describes his time at Los Alamos during which he repeatedly opened people's safes. (The ease with which he did this actually quite disturbing.) Anyway, at the end of the chapter, he talks about how he learned that a particular lock came factory set at either 0-30-0 or 60-30-60 (I think those were the two), following which the owner would change it to something more secure.
He said he went around Los Alamos after he learned this trying those two combinations and opened about 1/3 of the locks with one or the other.
Well i dont think we have much to worry about here. As most
Pick a corner area of your basement. Build a concrete block room, filling the block voids with concrete and rebar. Put a roof on the block room made out of steel plate, anchored to the block walls, and add another 4" of concrete and rebar on top of this.
For the entrance, use two doors. The inside door should be a vault door (better gun safe door hung on a frame with inside release). Outside door should be steel fire/security door with steel frame and heavy locks. Outside door is just to be time consuming to get to the inside door.
This wouldn't be all that expensive, either, considering a high-end gun safe alone is $5k pretty easily.
out of the hands of most criminals.
Erk, now where have all those SuperCriminals gone?
John Dillinger penetrated a bank vault and looted safe-deposit boxes within, but he did it by stealth, finding a closed-down bank, pretending to be an authorized workman, and taking a long time to extract the contents.
When I was a kid, my friends and I put an ordinary paper firecracker inside a wooden box, about the size of a cigar box, and secured the lid. To our surprise, the box spontaneously disassembled itself into its component parts, which travelled outwards at high speed. All of that from a firecracker that would only cause minor burns if you held it in your fingers when it exploded.
Mea navis aericumbens anguillis abundat
If 00000000 is an acceptable nuclear missle secret launch code, then 12345 has got to be NSA-level security!
HIV Crosses Species Barrier... into Muppets
IOW, you can't brute-force a 256-bit key.
My father who got sent to locksmithing training by the Department of Defense was describing how you drill into the door of a safe to open it if you've somehow lost the combination. Basically you get a piece of metal that is the size of the door from the manufacturer -- it has marks on it where to drill. You drill according to the directions, and then fiddle with the inner workings of the locking mechanism to move the tumblers where they should be in order to open the safe, and to change the combination.
The bad part is that once you've done this, to make the safe secure again you put a steel ball bearing the size of the hole in the hole, and then weld it in there. There is absolutely no way you're going to be able to drill through that steel. Any drill bit you try to drill through it is just going to dance on it, and end up breaking the drill bit.
So I guess in that case, safes that have been forcibly opened using the above method are safer than ones that havn't.
da w00t. mtfnpy?
There was a burglar in Texas last year that was breaking into city hall buildings all over the state. In almost every one he managed to get access to the safe or safes kept in the building without prying or damaging the safes.
When he finally got caught be debriefed and gave up his MO. He would get in to the building be defeating a usually inadequate door lock with a screw driver. Then once inside he would look in all the desk drawers for sticky notes with numbers on them. In almost every one he would find a sticky note with the combination to the safe. This guy hit over 50 different city halls and got into the safe(s) in almost all of them.
The best safes in the world won't keep people from being clueless about security.
Heck is a place for people that don't believe in gosh.
They changed the timeclock override password at work from 00000 to 12345 because the button broke from overuse :)
A good locksmith specializing in safes doesn't care if you know how safes are opened-- on the contrary, they'll tell you all about it. The job of a competent physical security professional is give the client a straight and honest description of how the product works and what its weaknesses are, and safes are no exception. I've worked for a locksmith for the last ten years and it's company policy to show clients exactly what they're getting and/or what they already have. With safe openings, my boss explains exactly what he's doing and how it all works. Admittedly, there are a lot of locksmiths who think this should all be top secret stuff, but they're just fooling themselves. All the info is out there. There's no official schooling for locksmiths, and no coherent regulation of the profession. Subsequently, there's no way to really keep the information out of the hands of "criminals" while still allowing access for beginners trying to start out in the profession. You can join the Associated Locksmiths of America essentially by just saying you're a locksmith, although you'll be approved for membership quicker if you have the recommendation of an existing ALOA member. Once you have an ALOA membership number, you're a locksmith as far as the "keepers of the knowledge" are concerned. Heck, you don't have to have anything but fifty bucks and a mailing address to subscribe to The Locksmith Ledger, and they frequently have articles on opening various safes.
Really, none of the techniques outlined by Mr. Blaze in the PDF are any big secret. Anyone with access to such a lock mechanism (buy a safe and you've got one) and a little brainpower can figure all that stuff out. The thing is, drilling a safe requires fairly specialized tools and is very noisy. Manipulating a safe requires a lot of practice, and even an expert can take a LONG TIME to get into a safe. There's no astounding revelations there. Walk into my boss' locksmith shop and he'd show you all that. I've tried my hand at both drill penetration and manipulation, and there are no "secrets" that make any of that stuff easy. At best, the knowledge it just makes it possible-- and that knowledge is available through simple observation.
If a job's not worth doing, it's not worth doing right.
Picking a Bramah lock is quite possible, but requires some specialized tools.
Actually, the S&G lock he showed is pretty much current industry standard design. They're not as easy to manipulate as they sound. The principle is very simple, but the practice is extraordinarily difficult.
Even a cheap $2 Master pad-lock, as he briefly mentioned in two sentences on page 31, has false gates on the wheels, basically defeating all the simplistic techniques mentioned in the article.
They don't generally use false gates on the wheels of safe locks because the fence doesn't ride on the wheels while they're turning. The fence only drops down to contact the wheels when that smaller brass wheel in front is rotated so that thar hook shaped piece falls into it. False gates can make it more difficult to figure out where the real gates are, but the fact that they have a bottom and are not as deep as the real gate make them susceptible to the exact same analysis as a non-gated wheel pack. I think you are not entirely understanding how these locks work and the methods of manipulation he describes.
Although he states that these false gates are easily identified, trust me, they are not.
Trust you? You think an S&G 6730 lock (retail price $115.02, my price $69.01, 5 of them currently in stock at my lock supplier's warehouse in DC-- I just checked their online catalog) is "at least a hundred years old" and expect me, a locksmith with 10 years experience learning from a boss with 30 years experience, to trust your analysis? Please.
--------
Funny you should mention, but those cheap master locks with the false gates is absurdly easy to manipulate. As a locksmith I'll probably be banned from our secret society meetings for telling y'all this; but here, try it at home:
First off, those false gates are only on the last wheel-- the first to wheels are smooth except for the combination notch. Second, the "keyspace" for those master combo locks is a lot smaller than it looks. The dial may be numbered 0 through 39, but you can be within 1.5 in either direction of the correct number and the fence will drop in. For sake of ease of implementation of my manipulation method, I usually round that down to 1.25 because this allows me to divide the wheel into 16 increments 2.5 apart. So effectively the possible numbers are 0 2.5 5 7.5 10 12.5 etc.-- basically each of the numbers marked on the dial face and the halfway mark between them.
So now you have a keyspace of 16 * 16 * 16, or 4096 combinations. This is still a pretty big number, so let's reduce it. Pull up on the shackle and "feel" each of the points where there's a false gate on that last wheel. Around a certain number range it will feel "loose" because these lock wheels are never perfectly round and the fence of the lock will be stopped by the other two wheels. Once you find this loose space, you have a way to check if the other two wheels are correct. If they are, the fence will drop into them and your will feel friction at that formerly loose position. At that point you need only turn the dial until the third wheel gate is aligned and it pops open.
You only need to go through 16 * 16 = 256 combinations on those other two wheels to find the combination. And you don't have to "clear" the lock after each try either: You set the first wheel at (say) 2.5, then spin around to 0 and see if it rubs. If it doesn't turn back the other way again to advance the second wheel to 5 then see if the third wheel rubs. Then go back and advance the second wheel to 7.5 and check the third wheel. Do this 16 times and you've checked all the combos beginning with 0. Reset the lock (4 spins) and try the ones that start with the first wheel at 2.5. continue this process until lock opens.
The longest one of these has ever taken me is 20 minutes.
If a job's not worth doing, it's not worth doing right.
I walked past the gym we have in the basement of our building. When too maany (non entitled) people started using it, they changed the PIN on the door. I know this because some Brainiac posted a apologetic notice on the door that helpfully included the *new* PIN for regular gym patrons.
Unfortunately it was taken down before I could take a picture of it.
Xix.
"Everything is adjustable, provided you have the right tools"
I'm a locksmith and any locksmith with half a brain should know that all of this is commonly available information. Certainly a few old fogies who think locksmithing is some sort of secret society like the Freemasons would pitch a fit if the customer wanted to see the inside of his safe lock. Or maybe they're pissed because they've been telling customers that the safes they're selling are "impenetrable", but if that's the case then they're the idiots. I have personally showed the various "safecracking" techniques to customers and let them try their hand at manipulating a combo lock. The theory is simple, but the implementation is darn near impossible without years of experience and practice. I've never had a customer decide not to buy a safe because I showed him how they're cracked and he thought it was "too easy". Basically, what it comes down to is that there's no such thing as 100% security. You Can pay more money and add more complication to get "more 9's", but a Star or Horizon in-floor burglary safe will keep out all but the most determined intruder. Honestly, any locksmith that thinks there are any "trade secrets" in the industry is foolig themselves. Anyone can get an Associated Locksmiths of America membership and a business license, and from there buy books that explain it all.
I seriously doubt that posting this on slashdot is going to lead to a massive upswing in safecracking. The one thing I've noticed in the business is that (weird as it sounds) most people are basically honest! Besides, safecracking isn't fast enough for most criminals. Most safe burglaries happen when someone knows the combination, either having been entrusted with it, watching someone else dial it, or finding it written down in a drawer somewhere.
If a job's not worth doing, it's not worth doing right.
For $35USD, and a glance at my driver's licence, I was able to purchase a lock-pick set. I was intrigued, after seeing hundreds of movies showing theives and spies opening doors faster than people with keys.
After alot of research, and pracitice, I was able to open several brands of pad-locks, as well as the doors' to my house. Guess What? It's not as easy as it looks.
I did this mainly out of curiosity, but I recently had a chance to put this new skill to the test.
My neighbor had locked her keys in her house, and asked for my help. After thinking about it for 15 seconds, agreed to help.
I broke a pane in the window of her back door. There was no way I was going to let her know that I was capable of defeating the locks on her house. I have no intrest in breaking and entering, but the fact is, if people know you can do it, and something goes missing, guess who the first suspect is going to be?
I would love to figure out how to open a safe, not because I want to rob anyone.....it's just really cool, and the fun is in learning how to do something most people can't.
Today's show is brought to you by the number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0: 25
They make those, but my boss refuses to install them anymore, even if the customer wants it. We've seen too many cases of fritzed electronics, dead batteries, and broken wires with those things. I have only once seen a regular mechanical combo lock fail spectacularly, requiring drilling to open the safe, and in that case the lock "worked badly" for WEEKS beforehand (but the customer, of course, waited till it broke). Electronic locks tend to have binary failures: the work fine up until the point where they don't work at all.
If a job's not worth doing, it's not worth doing right.
http://www.timhunkin.com/94_illegal_engineering.ht m
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
I tried that myself with my new Quanilon(tm) quantum CPU from AMD. The problem I had, was when the cooling fan failed the CPU overheated -- causing the probability wave to colapse -- and my cat died...
Required reading for internet skeptics
I believe the original poster simply misremembered the combinations mentioned in the book. My memory may have been corrupted by seeing your post, but I'm pretty sure the combinations in this story were 50-25-50 and 25-50-25.
Oh wow, I love Amazon. Find Surely You're Joking, Mr. Feynman! on Amazon and use the search function to look for "Safecracker meets Safecracker". Click on the last link on the first page, and you can find the exact text. The combinations in the book are actually 25-0-25 and 50-25-50. It also turns out that it only opened 1/5th of the safes, not 1/3rd. That book search rules!
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Bah. A real genius would set his combination to the LAST few digits of the Fibbonaci sequence ;-)
--- Egads, I glow in the dark!
Well, I'll try to explain why people think what you are proposing is suboptimal.
Firstly, I think you have misunderstood what "adding extra bits" (enlarging the key) means --- at least in this context. In my (silly) example, the key had the length of 1 (number). Notice there is no bits, since the atomic unit in this encryption unit is letters. If you increase the number of bits we would have more numbers.. E.g, (1,2) would make "have" into "icwg", which would be harder to break. The scheme is actually not THAT bad --- there are methods to break this sort of encryption, but it isn't trivial. A person that has not studied cryptography would be pressed to break something like this, at least if the key length is unknown.
If you take this method to an extreme with keys longer than the text, you would have a fair encryption method, provided that the keys are kept secret. But nevermind that.
Now, to invent another cryptographic method, let's consider a method where the positions in the alfabet are multiplied rather than added, and the modulo of 26 is taken. So for the example key (1,2) and the word "have" the result would be "hbvj".
How secure are these methods combined? Well, if the coded and original letters have position x and y, respectively, and we are using keys k,l with values k_1, k_2, ..., k_n and l_1, l_2, ..., l_m, where n and m are some integral numbers. Then the effort spend on encrypting the message is O(n+m). The effort spend decrypting then will only be proportional to the smallest common multiple of n and m --- it's an easy proof, so I leave it as an exercise. However, for the same effort you could have obtained and effort proportional to the multiplum... and the encryption and decryption rutines would be simpler, and thus less errorprone. That's one argument against layering encryption algorithms.
Now, either of these algorithms may be weak --- indeed, the muliplum algorithm is for a number of reasons, most importantly the distribution of the resulting letters is not uniform. Note that if the addition is performed first, no harm is done by this, but if the multiplication is performed second, the distribution would be skewed in such a way that the addition key could be guessed from the distribution of the letters of the encoded message. This would render the combined algorithm weaker then the addition alone. This is the "real world" example you asked for... and admit it, it is not that far-fetched for a slashdot comment ;-)
Disclaimer: I'm not really a crypto guy, just an IT specialist + mathematician.
Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
In physicist Richard Feynman's book, "Surely You're Joking, Mr. Feynman," he talks about working on the Manhattan Project in New Mexico. He discovered he could figure out the combination to the safes they were using just by touch. So he went around to various offices and would kind of lean on the safe while chatting with the inhabitant. He'd twiddle the dial as though he were just playing around with it during the conversation, but he was really determining the combination. Eventually, he went to the security people and showed them how easy it was to crack these things, and showed how he had the combinations to many safes. Instead of improving the safes, the response of the security people was to make the occupant of every office Feynman had ever been in change the safe combination. The inhabitants were none too happy, and to avoid a repeat of the episode banned Feynman from entering their offices thenceforth. The safes were left as vulnerable as before.