Slashdot Mirror

← Back to Stories (view on slashdot.org)

Open Millions of Hotel Rooms With Arduino

Posted by Unknown on from the do-not-disturb-taken-as-challenge dept.

MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"

62 of 268 comments (clear)

  1. Well, that's it! by camperdave · · Score: 5, Insightful

    Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

    Well, that's it! There's only one thing we can do... outlaw Arduinos

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:Well, that's it! by Anonymous Coward · · Score: 3, Funny

      Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

      Well, that's it! There's only one thing we can do... outlaw Arduinos

      Not a complete solution, I'm sure there are other devices that could be used. To solve the problem completely we'll have to outlaw programming.

    2. Re:Well, that's it! by Joce640k · · Score: 5, Insightful

      "...who should be scolded for not disclosing the hack to Onity before going public"

      a) As if they don't already know what the hack is.
      b) If the only solution is to change all the locks, maybe on their own dime, do you think disclosure will make them volunteer to do it?

      --
      No sig today...
    3. Re:Well, that's it! by billcopc · · Score: 2

      That's not sufficient. We have to go all the way and outlaw thinking. It's the only way to be sure no one defeats our puny weapons with their superior intellect.

      --
      -Billco, Fnarg.com
    4. Re:Well, that's it! by uigrad_2000 · · Score: 3, Interesting

      Well, that's it! There's only one thing we can do... outlaw Arduinos

      That's the beauty *cough* of the DMCA. They already are illegal! They will continue to be illegal until the Library of Congress makes an exemption.

      I'm not completely sure if owning them is legal or not. The DMCA prevents "dissemination of technology, devices, or services intended to circumvent measures". Later provisions in the law cover cases where the device is not intended for circumvention, but is frequently used that way, such as open source DVD player software, which is not intended for copying the DVD, but can be used that way. Simply owning an Arduino would not qualify as "dissemination", but if you unknowingly sold or gave away your Arduino, I'm pretty sure you could be charged with breaking the DMCA. It's unlikely that you would be charged, unless the person that bought your Arduino proceeded to use it to break into a hotel room, but the point is that it's nearly impossible to avoid breaking this law!

      --
      Free unix account: freeshell.org
  2. I wouldn't have either by Anonymous Coward · · Score: 5, Insightful

    When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

    1. Re:I wouldn't have either by plover · · Score: 2

      Their presentations may or may not get suppressed, but this approach pretty much ensures he will get sued.

      Worse, in his paper he uses an example of framing a hotel employee for murder! While dramatizing the vulnerability is not uncommon amongst hackers looking to draw media attention to the seriousness of their claims, suggesting a plan for murder is a really, really poor choice. The consequences of this could be even higher than the civil penalties of a lawsuit.

      --
      John
    2. Re:I wouldn't have either by rvw · · Score: 3, Interesting

      When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

      Plus in this case, what could Onity have done? They cannot create an update that is automatically downloaded and installed over the next month onto those locks, like with Windows or Flash. If they knew about this before, and had a proper fix for it, then they would have to communicate it to thousands of hotels, and that would result in disclosure as well.

    3. Re:I wouldn't have either by TheCarp · · Score: 4, Funny

      That is, unless he is planning to use the Basic Instinct Defense "What, do you think I am stupid enough to publish details of how a murder could be committed, by anyone, using these devices, and then do it myself?"

      Though, if he tries it, I hope he remembers, the short white dress and no underwear is key to making it work.

      --
      "I opened my eyes, and everything went dark again"
    4. Re:I wouldn't have either by Yvanhoe · · Score: 4, Insightful

      Onity sells fake security. They are the ones who should be sued by their thousands of clients. If you sell security, you have to be good at it.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    5. Re:I wouldn't have either by Mathinker · · Score: 4, Insightful

      > suggesting a plan for murder is a really, really poor choice

      From the website explanation:

      Such circumstantial evidence, placing a staff member in the room at the time of death, could be damning in a murder trial, and at least would make that staff member a prime suspect. While other factors (e.g. closed circuit cameras, eyewitnesses, etc) could be used to support the staff member's case, there's no way we can know whether or not the audit report is false.

      Unless you believe that Brocious can somehow know the details of every murder trial currently going on anywhere in the world at this time, this fact is actually an excellent defense for justifying immediate disclosure.

      And anyway, if your interesting legal theory was correct, the broadcast of every Columbo episode, for example, would have exposed {N,A}BC to criminal charges or civil liability. Not likely.

    6. Re:I wouldn't have either by nolife · · Score: 3, Insightful

      If they truely can not fix these locks without physically replacing them, I can garentee any prior contact with them about this bug would have resulted in every legal and possible assumed legal resposnse they could think of to prevent him from disclosing the information.
      The end result would be no disclosure and everyone that stays in one of these hotel rooms is at risk. At least if the information is public, people can take action to protect themselves and their stuff by using the deadbolt/latch, the safe, taking their shit with them, leaving in their trunk or at the place they are working if this is a business trip.

      --
      Bad boys rape our young girls but Violet gives willingly.
    7. Re:I wouldn't have either by Anonymous Coward · · Score: 3, Insightful

      You know how you feel when your computer-illiterate relatives try to talk to you about programming or hacking? That's how lawyers feel when Slashdotters try to talk about law.

  3. Bad news for you maybe by crazyjj · · Score: 5, Funny

    Great news for the budget-minded vacationer looking for a hotel bargain.

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
  4. Re:Lock the door when inside by Iniamyen · · Score: 5, Funny

    Don't fret, most hotel rooms have safes secured by Onity programmable key card locks.

  5. Re:Lock the door when inside by h4rr4r · · Score: 5, Informative

    Many of those safes have backup passwords, hotels generally do not change the default one.

  6. Reliable? by Slippery_Hank · · Score: 4, Informative

    From TFA: He tested this hack on three randomly choosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

    1. Re:Reliable? by Anonymous Coward · · Score: 5, Insightful

      From TFA: He tested this hack on three randomly choosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

      Proof of Concept != Final Version

    2. Re:Reliable? by gwolf · · Score: 2

      My experience in the last hotel where I stayed:

      Got out of the pool, wrapped in a towel, went to the desk.
      – Oh, ma'am, I'm sorry, I guess I forgot my key in the room. Can somebody open the room for me? It's 104
      – Don't worry, click-click-swipe. Here is a new key for you. Cheers!

      How hard is this system to abuse?

    3. Re:Reliable? by nolife · · Score: 2

      When I travel, I leave my stuff out everywhere similar to what I do at home, throw loose bills and change on the table, laptop sitting out possible still plugged in and on. I average about 30 nights a year in a hotel room and I've never had a problem with anything mising that I've noticed. When my room is cleaned, all of my stuff is still in the same exact place or its moved into one neat pile instead of many scattered piles. It only takes one corrupt person though but its not like the one time you forget to grab your wallet or leave your smartphone out it is going to disappear.

      --
      Bad boys rape our young girls but Violet gives willingly.
    4. Re:Reliable? by Anonymous Coward · · Score: 5, Informative

      I suspected upon hearing this that he was trying to bitbang a protocol using the Arduino functions such as delaymicroseconds and digitalwrite and he was probably having to adjust these to account for inconsistencies caused perhaps between locks (where battery voltage may affect timing) but also the inherent timing problems caused by the braindead manner in which these "friendly" functions operate. Even worse, he is using the Arduino's Serial library which is even worse about causing timing and memory problems.

      Upon reading his code I found that assumption to be correct. If he ditched the Arduino library and wrote correct AVR code using ISR's and hardware timers to implement the communication protocol I think the reliability of the exploit would dramatically improve. Reading his analysis of the protocol I even think the two-wire interface could be used directly with a tiny bit of extra hardware. Also, the Arduino MEGA is unnecessary; a normal arduino or even a $2 ATTiny would do this job fine.

      I should mention that it's not his fault that the Arduino library is terrible code and that its essentially unusable for this kind of thing; they do sort of purport that is more capable than it is. I do however suggest that you adjust your thoughts on the reliability of his exploit.

  7. Re:Lock the door when inside by magarity · · Score: 2, Insightful

    Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.

  8. A bit of hyperbole... by kaizendojo · · Score: 5, Insightful

    When demonstrated for the reporter, the hack only worked on *one* out of *four* of the doors tested in a REAL hotel, and then only on the second attempt after Brocious fine tuned and tweaked his software. Also, this can be defeated by simply using any one of the mechanical locks on the door.

    The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack. Keep in mind that there are plenty of AUTHORIZED users of master card keys on the hotel staff.

    1. Re:A bit of hyperbole... by SkimTony · · Score: 5, Insightful

      When a hotel staffer uses a master key card, it's logged (the security system notes which key was used when). Presumably with this hack, that isn't necessary. Also, the ability to open the doors on 25% of hotel rooms is still a concern.

    2. Re:A bit of hyperbole... by Anonymous Coward · · Score: 5, Insightful

      The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack.

      That might work if you're *in* the room. What if you need to venture outside?

    3. Re:A bit of hyperbole... by camperdave · · Score: 3, Insightful

      The problem with using the mechanical bolt or slide lock is that they must be operated from *INSIDE* the room. I don't know about others, but when I'm staying at a hotel it is because I am attending a conference or something, so most of the time I am not inside the room. So the deadbolt or chain lock does nothing. If a bad guy wanted in while someone was inside, all he would have to do is knock on the door and say "Hotel security. Open the door, please".

      --
      When our name is on the back of your car, we're behind you all the way!
    4. Re:A bit of hyperbole... by Anonymous Coward · · Score: 5, Interesting

      Does Onity offer centrally logged door units?

      99% of the shit I've worked with at hotels (from an installation POV) just checks that the mag card has a particular number in track 3. They're dumb as fuck.
      Putting the word "ADM" in track 2 unlocks most of the doors in many hotels. Sad but true fact.

  9. swedish supermodels beware by tekrat · · Score: 5, Funny

    Geeks now have the ability to get into your hotel room while changing into your bikini...

    But why would a geek be changing into your bikini?

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:swedish supermodels beware by Chas · · Score: 3, Funny

      Basically it's the perfect armor.

      Some 500 pound guy in a thong is so horrific that you simply can't look at it long enough to aim and shoot.

      That and the whole Cthulu-esque "I stared into madness and madness stared back" aspect.

      --


      Chas - The one, the only.
      THANK GOD!!!
  10. What happened to responsible disclosure? by nastav · · Score: 5, Insightful

    It's easily and effectively argued that security through obscurity does no one any good, but responsible disclosure is still widely considered to be a good practice. Supposing a vendor is willing to fix their serious bugs, it really helps in preventing large scale attacks between the time of disclosure and reaction (by the vendor). If Onity had been willing to replace all it's locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect it's long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw. It's unlikely that such a large-scale replacement of locks would have been pursued, but giving Onity an opportunity to consider that option would have been responsible. It helps Onity, but it also helps customers of Onity (like Hotels who might have chosen to replace their locks, or individuals who might ask questions before going to a particular hotel). Now everybody knows it can be done, and many will try. Sure, an NSA intern could have figured it out, but the fact remains that it was not being massively exploited for large-scale robberies, for e.g.. Targeted exploits are bad - no doubt - and I'm sure some of this was already going on, but there isn't much doubt that the sum total of targeted exploits does less bad than what might happen now - namely large scale exploits. I suppose I'm arguing that security-through-obscurity does work - but in a targeted and limited fashion - as to provide cover for short durations when real security is pursued. It may not work, but it's worth a try - and by going public before giving Onity a chance to pursue a 'fix', this researcher has, in my books, acted against public good.

    --
    -- obligatory (but true) caveat: my comments my own, and don't reflect my employer or colleagues' positions.
    1. Re:What happened to responsible disclosure? by epine · · Score: 4, Insightful

      If Onity had been willing to replace all it's locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect it's long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw.

      Responsible disclosure is a fair response to a responsible failure. Few of these that make the news are responsible failures. Chisellers dressed up in security theatre profiting from their faux contrivances while playing this stupid game of harassing the bearer of bad news, as if the bearer of bad news is an indentured, unpaid employee.

      I understand the source of this faux reverence for charlatans much better after reading God is not Great. Scientology was a crock from day one, but now that so many gentle and naive souls have absorbed this crockery and imbued it with deep personal meaning, those of us who are deeply offended by the shitbag Hubbard are supposed to subside into polite silence. I asked myself after reading Hitchens: Why do I sit around keeping a respectfully stiff upper lip about xemufascism? To hell with that.

      Banks should not be bailed out of bad loans, and security professionals should not be bailed out for chrome-plating obscurity. When the mistake is subtle enough to make a patent examiner's head explode, I'm all for responsible disclosure. Either pass the bar, or don't let the door hit you on the way out.

    2. Re:What happened to responsible disclosure? by icebike · · Score: 3, Informative

      He didn't reveal the actual hack, he only demonstrated that one exists.

      Further, there are already several instances of people being sued into silence after responsible disclosure.

      Further the problem can not be fixed, and replacement of all locks world wide would be so experience and time consuming that it would never be done in response to responsible disclosure.

      The probable outcome here is that the lock maker buys more insurance and sends a memo to customers offering a discount on new and improved locks. Which will be ignored by virtually all hotels.

      Responsible disclosure would serve no purpose in this instance.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:What happened to responsible disclosure? by plover · · Score: 3, Interesting

      In this case he took it upon himself to decide that "there is no possible fix therefore responsible disclosure won't help." But we don't know for sure that the company can't fix the problem with some kind of software update - that's simply his claim. If there is a way to update the EEPROM, any way at all, then a software update could have fixed the problem. Sure, it would be a breaking change to the existing card key systems, but it might not entail a hardware fix to millions of hotel room doors. This guy never gave them that chance.

      Notification would have enabled the company to create an update plan, to order a million new circuit boards, to redesign the protocols, to schedule repair crews, to do whatever it took to fix the problem, and to have all that stuff prepared before his disclosure. No matter who they are and how badly they want to fix the problem, this is a year long process at least. Now, during that entire year, bad guys with Arduinos will have full access to unoccupied hotel rooms.

      And he's going to get sued into the next millennium. Not only are the plaintiffs going to use arguments like the above, but they're also going to drag his business dealings into it. They're going to make claims like "he's disgruntled because his business venture failed, and he did this out of spiteful retaliation." They're going to throw so much trash at him that I'm not sure even Johnny Cochran would have been able to get him out of trouble.

      --
      John
    4. Re:What happened to responsible disclosure? by Hatta · · Score: 2

      responsible disclosure is still widely considered to be a good practice.

      Responsible disclosure will inform those vulnerable as soon as possible, so they can take steps to mitigate. There's nothing responsible about keeping a security flaw secret.

      --
      Give me Classic Slashdot or give me death!
    5. Re:What happened to responsible disclosure? by Anonymous Coward · · Score: 2, Insightful

      responsible disclosure is still widely considered to be a good practice.

      As another poster has mentioned, responsible disclosure has been punished in the past, by the original disclosee using the courts to prevent the later presentation.

      When the courts did not punish these parties for

      1. abusing the court system to prevent presentations
      2. shooting messengers
      3. undermining responsible disclosure

      the court system effectively took an anti-responsible-disclosure position. This guy is just going along with the government's opinion that responsible disclosure is bad idea and force should be used to discourage people from doing it, because it's better to surprise an industry and userbase with a sudden security threat. As mentioned, a very credible and lvikely alternative is that he could have been sued by the vendor for telling them about the problem prior to the presentation.

      And of course, there's the other point, which is that most people who would take advantage of this hole, probably already knew about it.

      Here's how it can be fixed. Some people still do still use responsible disclosure. It's not dead; it's just risky and didn't happen in this case. I want to see the Right Thing happen when a vendor mis-handles it. If they sue the bad-news-bearer or sue to prevent a presentation, and the court responds with serious sanctions, so that the suing company's equity holders lose all their equity (and maybe some personal assets as well) as a direct result of their legal aggression, then responsible disclosure will become a viable practice.

      Telling your lawyer to write a nasty letter, needs to become a risky thing to do, only done when someone is sure they're right. People who do that in bad faith, knowing they will cause expense or inconvenience for the innocent party that the nasty letter is aimed at, need to lose. We need to enact policies which cause them to lose. And you can't have responsible disclosure be a widely-used strategy, without these new policies.

  11. Auditing by nastav · · Score: 4, Insightful

    All locks can be defeated with enough effort. The goal often is make it obvious that a lock was defeated - by leaving an electronic trail or physical one (broken door for e.g.). Akin silent data-loss, silent compromise of a lock is much much worse.

    --
    -- obligatory (but true) caveat: my comments my own, and don't reflect my employer or colleagues' positions.
  12. Wrong by Belial6 · · Score: 3, Insightful

    Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

    1. Re:Wrong by Dcnjoe60 · · Score: 2

      Chances are that retrofitting the existing lock will cost more than replacing it.

    2. Re:Wrong by wvmarle · · Score: 3, Informative

      Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole.

      And you can't recharge the battery any more - so sooner or later your lock is going to be out of service.

      Cover the whole with an exterior lock.

      Probably impossible as the current casing has not been designed for that; and anyway they all will end up with a single physical key: copy that and you're good. And anyway this requires a physical modification to the lock, likely the whole outer casing, not much less work than replacing the whole lock.

      Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory.

      That is equivalent to changing out the main board of the lock. Which is probably more practical: it is not likely this lock has any space inside to install an extra board inside. Besides considering how modern devices are designed, replacing the lock is probably easier to do than replacing or adding a circuit board. Which is definitely not something your run-of-the-mill handyman can do.

    3. Re:Wrong by pepty · · Score: 3, Insightful

      Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock.

      That port is used to recharge the battery in the lock.

      Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

      The board itself is probably cheap, removing the port from the board and soldering in a new daughter board/port would be expensive. I don't see any advantage to that over replacing the whole board, which is what the article ("New circuitboards will have to be installed in every affected lock,") actually suggests.

      Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware.

      Brocious's full time job was to reverse engineer Onity's locks and front desk systems for a startup; he probably knows whether the lock has upgradable firmware.

    4. Re:Wrong by icebike · · Score: 4, Insightful

      Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

      Fill the hole: No. Read the article. The hole is needed and used routinely to charge the battery and reprogram.
      Cover the hole with an exterior lock: So this is your plan to avoid changing out the lock? Add yet another lock on top? And how secure is that lock?
      Add a circuit ahead of the main board: Where? There is no room for that. You would have to replace the entire main board.
      Firmware fix: Perhaps possible, but these are very old designs using very limited microcontrollers. And you would still have to replace every reprogramming device in the field to get around this because your solution would also prevent reprogramming the lock.

      So, NO, the article is not completely wrong. Your post is pretty close to completely wrong.
      By the time you do any of the modifications you suggest, it would be cheaper to change the lock.

      And none of those changes could be accomplished by the handyman. At best, they might be able to change out the lock. Most of those guys know how to swing a wrench and a toilet plunger. They are not very good at board level soldering. Even worse at changing microprocessors inside a lock chassis designed specifically to be tamper resistant.

      Best case is that they can replace the entire circuit board using cheaper more modern ICs in the same amount of space. But even that is likely to more expensive to than just replacing every single lock.

      In actuality, This will never be done, until the next hotel remodel. Additional theft insurance, maybe purchased by the manufacturer, will be by far the cheapest alternative.

      --
      Sig Battery depleted. Reverting to safe mode.
  13. Re:I'm sure the government has easier ways by Maximum+Prophet · · Score: 5, Insightful

    Silly Reader, warrants are so 20th century. These days, they just show a letter, that you can't discuss with anyone, citing a "secret" law. Yes, it's unconstitutional, but if you're a $12/hour clerk, and the guy with the gun is asking, are you going to make a fuss?

    --
    All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
  14. Image by firewrought · · Score: 5, Interesting

    The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.

    You know that your intentions are honorable, that you wouldn't (for instance) rob a hotel room, and that maybe you are part of the process by which society gets stronger over the long run, but the audience of Forbes is predisposed to see you as a shady menace (or cost multiplier). And the audience of Forbes has more real influence to pass laws that restrict or limit access to your favorite toys (prior examples being some telephony tools, radio electronics, lockpicks, encryption software, etc.).

    It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to this crowd (or the general public, actually).

    --
    -1, Too Many Layers Of Abstraction
    1. Re:Image by slashmojo · · Score: 5, Insightful

      would it kill you to put on the veneer of respectability?

      Like a banker? ;)

    2. Re:Image by CaptainLard · · Score: 2

      Like a banker? ;)

      Exactly! Better evidence to prove GP's point does not exist. Just look respectable and society at large won't punish you for losing trillions to enriching yourself. If we all started showering regularly we could own this town!

    3. Re:Image by Hatta · · Score: 3, Insightful

      Do you want to turn people off needlessly

      If those people are such sorry excuses for human beings as to judge someone based on the clothes they wear, they can fuck right off. There is nothing inherently respectable about wearing slacks, and quite a lot inherently disrespectable about judging people based on appearances. It's just another manifestation of the base tribal instincts that are responsible for racism, and it's not a bit nicer.

      --
      Give me Classic Slashdot or give me death!
    4. Re:Image by gstoddart · · Score: 2

      The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.

      He's a hacker, at a hacking conference, doing something that happened to be of interest to Forbes.

      It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to this crowd

      What part of "Black Hat" isn't obvious? He isn't, and he isn't trying to be "one of the good guys".

      This isn't some carefully groomed spokesperson we're talking about, this is the guy who managed to open hotel doors without a key, and told everyone how you do it.

      I suspect if Forbes had said "hey, mind shaving, getting a haircut, and changing your t-shirt", he'd have told them to go straight to hell.

      Because he isn't marketing himself to the Forbes demographic, or the general public. I'm not even sure why you think he should be.

      You run stories about geeks doing sketchy things, and you might get pictures of sketchy looking geeks.

      --
      Lost at C:>. Found at C.
    5. Re:Image by Translation+Error · · Score: 2

      Obviously, he wants to play himself when the movie is made.

      --
      When someone says, "Any fool can see ..." they're usually exactly right.
  15. Re:Lock the door when inside by ChunderDownunder · · Score: 2

    I've stayed in â20/night hostels where key cards served dual purposes.

    Shared dormitories had individual lockers for each inhabitant. Multiple key cards would open the room but each only a single locker.

    In this situation, a 'housekeeper exploit' could possibly find the locker code compromised, even if the room code remained secure.

  16. So they're called by oldmac31310 · · Score: 5, Funny

    pwnity now...

    --
    http://www.acetonestudio.com
  17. Locks only keep honest people out. by cgfsd · · Score: 2

    Like the old saying goes, locks only keep honest people out. If someone wants to get into something, given enough time and resources there is nothing that will keep them out.

    1. Re:Locks only keep honest people out. by icebike · · Score: 2

      Cute, but trite homily.

      Throwing that out there as an excuse is just so much hand waiving the problem away. Murder? Well, you didn't expect your dear brother to live for ever did you?

      Hotels don't promise you security against someone with unlimited time an unlimited resources, nor does anyone have enough time or resources unless they are willing to use explosives.

      --
      Sig Battery depleted. Reverting to safe mode.
  18. Re:I'm sure the government has easier ways by gstoddart · · Score: 4, Insightful

    I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.

    With a warrant, you can do practically anything, because a judge has signed off on it.

    It's what they can do without warrants that scares me.

    --
    Lost at C:>. Found at C.
  19. Re:Lock the door when inside by specific · · Score: 4, Funny

    I've never hacked an Onity programmable key-card lock, but I did stay in a Holiday Inn Express last night.

    --
    If you lend someone $20 and never see that person again, it was probably worth it.
  20. Re:Lock the door when inside by SilverJets · · Score: 5, Informative

    You mean those safes where hotel staff have a master code that unlocks them in case the guest forgets the code they set? Those safes?

  21. Re:Lock the door when inside by Critical+Facilities · · Score: 4, Funny

    the chain lock that's separate from the key card lock

    Or according to Jon Stewart - "I have a chain lock on my door that says to criminals 'you're not getting in here......unless you push....kind of hard....with your hand'."

  22. Re:As usual however by gblackwo · · Score: 4, Funny

    You have until the end of the day to gather your things and turn in your geek card.

  23. Re:Not just hotel rooms by PPH · · Score: 2

    That just means some hot female coed will have her room broken into and her MacBook stolen while she is asleep. And she'll never be woken up.

    --
    Have gnu, will travel.
  24. Re:Lock the door when inside by courteaudotbiz · · Score: 3, Funny

    Why call them safes then? Let's call them UnSafes!

  25. Re:Lock the door when inside by Joce640k · · Score: 4, Interesting

    Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.

    We had a problem with a hotel safe once. When the tech guy came he popped the plastic keypad off to expose a serial port then hooked up his iPhone to it and opened the door. I wonder how secure that is...

    --
    No sig today...
  26. Re:chain lock by DocSavage64109 · · Score: 2

    I'm pretty sure I saw a video of someone unlocking chain locks with a rubber band.

  27. Re:Lock the door when inside by Pope · · Score: 3, Funny

    We had a problem with a hotel safe once. When the tech guy came he popped the plastic keypad off to expose a serial port then hooked up his iPhone to it and opened the door. I wonder how secure that is...

    Lies! iPhones and iPads are for content consumption only, and cannot possibly used for real work.

    --
    It doesn't mean much now, it's built for the future.