Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.
Fill the hole: No. Read the article. The hole is needed and used routinely to charge the battery and reprogram. Cover the hole with an exterior lock: So this is your plan to avoid changing out the lock? Add yet another lock on top? And how secure is that lock? Add a circuit ahead of the main board: Where? There is no room for that. You would have to replace the entire main board. Firmware fix: Perhaps possible, but these are very old designs using very limited microcontrollers. And you would still have to replace every reprogramming device in the field to get around this because your solution would also prevent reprogramming the lock.
So, NO, the article is not completely wrong. Your post is pretty close to completely wrong. By the time you do any of the modifications you suggest, it would be cheaper to change the lock.
And none of those changes could be accomplished by the handyman. At best, they might be able to change out the lock. Most of those guys know how to swing a wrench and a toilet plunger. They are not very good at board level soldering. Even worse at changing microprocessors inside a lock chassis designed specifically to be tamper resistant.
Best case is that they can replace the entire circuit board using cheaper more modern ICs in the same amount of space. But even that is likely to more expensive to than just replacing every single lock.
In actuality, This will never be done, until the next hotel remodel. Additional theft insurance, maybe purchased by the manufacturer, will be by far the cheapest alternative.
He didn't reveal the actual hack, he only demonstrated that one exists.
Further, there are already several instances of people being sued into silence after responsible disclosure.
Further the problem can not be fixed, and replacement of all locks world wide would be so experience and time consuming that it would never be done in response to responsible disclosure.
The probable outcome here is that the lock maker buys more insurance and sends a memo to customers offering a discount on new and improved locks. Which will be ignored by virtually all hotels.
Responsible disclosure would serve no purpose in this instance.
I think that the number is based on the profit Samsung made from these devices, Apple's alleged "losses" due to these products, and some punitive amount added in for good measure.
Just goes to show how much is at stake.
That might work if the iPad wasn't outselling the Galaxy tab by about 100 to one. Apple still owns the tablet space even tho they have lost the smartphone market. But these are triflingly inconsequential patents we are talking about here.
Users don't want everything tied to a single identifier, particularly one controlled by Microsoft, Google, Facebook or some other company.
Exactly.
However, the sad part about this is we have already gone way past the point where compartmentalization of our on-line experience is anything but a pipe dream.
Those people who may want to link all your accounts across various websites can now do so without so much as a warrant. And they don't need to be a three letter agency to pull this off. Any hick sheriff or small town detective can do the same thing with a few simple letters.
The technology of single sign on, when done right, doesn't expose much more than the fact that Google (by way of example) says the person attempting to sign on with that google id knew the password. It really does not pass much info back to the requesting site other than the email address. The site never sees the password, or other account details.
When people sign up for a site with a custom log in and password, they usually end up giving an email address anyway, but at least when doing it that way, the perception remains that this login stands alone and discrete from other logins. (This is a questionable assumption at best).
Someone cracking Slashdot's database does not get much. One could make the case that cracking any site that uses OpenID authentication via another site gets even less. No passwords are stored locally at site xyz. If done right. But that is hard to verify.
The big scary part is when the OpenID provider gets cracked everything is cracked. Unless combined with some form of two factor identification a stolen password is all it takes.
Make your message the hook, not the counterpoint, or you WILL be misunderstood.
Had the hook been the main message the song would never have been played. How would that have served any purpose?
The idea was to get the song on every radio station, and sell records (and make money). It worked.
Once out there, people listen more closely, and when they do the message won't be misunderstood. That you still see it used today, inappropriately simply indicated people new to the song haven't yet listened to much beyond the hook. These are useful idiots, serving the song writer's purpose.
Now don't get me started on Pumped Up Kicks. Not after Aurora.
I'm sure MicroUSB and other industry-standard connectors weren't considered. For how many years now has Apple been the last holdout with proprietary connectors?
Didn't the EU mandate a standardized charger connection? Apple slips through a loop hole by providing an adapter. Like the people who forgot their charger will remember the adapter.
Why not some teeth in the law? Forbid the import or sale in the EU of any phone that uses ANYTHING other than the standard adapter for charging.
Or are those draconian measures reserved only for rounded corners? Why does Apple get a pass?
Actually, playing the music, and calling attention to the exploit is a sign of kiddies at play, and nothing to do with any professional or state backed efforts. Why would you reveal your exploit?
Its possible this is a diversionary tactic to hide something serious going on at different workstations. But I doubt it. It could also be an inside prank, because unless you are there to see the panic ensue, why play music. But I doubt that as well.
The story is just as likely to be totally bogus: Unverified email form a nuclear scientist, Really!?, Like these guys get to send mail unguarded, un-scanned, un-censored?
On the other hand, not keeping your mouth shut about the piracy, and suddenly announcing you're giving your game away because of all the "piracy" may get you some publicity that will increase your in-app income by even more than continued sales would have done. It's possible, and obviously it's what these guys are banking on.
And the beauty of that is there doesn't have to be any real level of piracy for this ploy to work.
Their refusal to reveal actual piracy numbers pretty much lends credence to this possibility.
Did you ever stop to consider that perhaps it's easier to control in-app purchases than it is to prevent the initial pirated version from being installed?
I considered this for about 37 seconds, then realized it was not germane. So what if people are emailing the.apk all over the world? The were still able to bank all the sales reported in the Google Market.
They had around a quarter of a million PAID downloads at the time they declared it free.
Regardless of being pirated or purchased, the money flow from In-APP will be the same. They knew this going in. Like I said, its not their first trip to the bank with games. If you can earn a quick quarter million in under a month, why make it free? Just keep your mouth shut about the piracy and bank the legitimate sales along with the in-app money.
If random people with illegitimate copies are allowed to use your servers to patch or for gameplay, then you are doing it wrong.
Or, you are doing it INTENTIONALLY.
The game in question supports In-App-Purchases, and in fact, to play the game to conclusion, most users will spend more money for in-app-purchase of weapons etc than the game's initial purchase price. The game calls home.
Its widely suspected that this was Madfinger Games monetization plan all along.
They planned to release at 99 cents, gain a quick couple hundred thousand downloads, recovering all of their development costs. (This isn't their first game, and they already had their game engine in the can from earlier games).
Then, magnanimously, when it became clear that you needed to make in-app-purchases, they planned to make it free.
They go so much flack for making it free after charging about a quarter of a million people 99 cents, that they decided to play the victim card.
But ALL THE TIME their game had been calling home for authorization at install, and ALL THE TIME they had allowed these pirated installs because they were intending to make their money on In-App-Purchases, and really didn't give a rip about piracy.
Its a suckers play, and most of the mainstream press as well as bloggers who should know better are falling for it.
It will create so many new jobs and so much specialist knowledge, it can't fail to improve the economy!
Ah, yes, that's it, they are trying to institutionalize the Broken Window Falacy.
Personally, I suspect the term "Living standard" is code for we don't want any standards we can't subvert, and we want the freedom to pack in as much proprietary crap as we can and go after patent license fees down the road.
There are more VOIP providers than there are species of fish.
Ok, fair warning, I'm officially stealing that line.
But you do have POTS whether you know it or not. It may not be on your premises, but that's not the issue. If you can call a POTS number from your Voip, you can dial into a conference call.
Find a device that can run without the battery. Many, if not most laptops can run with the battery removed by simply plugging it in. There is no battery technology in common use today that can survive sitting unused for 25 years. Further, most laptops are never truly "off" and are always pulling a trickle charge for the clock.
But the suggestion to include a whole computer seems pointless to me.
I have banker's boxes full of documents (mostly code listings) circa 1986 printed on the first HP laser jet. No sticking problem.
The only sticking I've seen in laser printing is from early models (circa 1975) of IBM 3800 laser printers (mainframe laser printers) which printed so fast the thermoplastic never had time to cool before it was pressed down by the sheet above. Print jobs directly off the back end would sometimes stick together. This was solved in a few months by a toner change.
Acid-free archival paper should be good, even for photos. Look at what the manufacturer says - they mean serious business when they make these papers, real art will be put up in museums reproduced on them.
We are talking 25 years here. You don't need to be particularly worried about printed documents, even photos, over that short period.
Go into any business that has been around for 30 or 40, or dig into some boxes in your attic or your parents attic, dig into the back of the file cabinets or storage boxes, and you will find documents much older than 25 years that are in perfect shape.
Acid free paper is for 100 years plus, and has been the norm for off the shelf office paper since the 60s or earlier. True archival paper is Alkaline paper, which has a life expectancy of over 1,000 years for the best paper and 500 years for average grades.
So for 25 years, no special precautions need be taken when using common commercial printing paper that you might buy at your local office supply store.
Even Newspapers can be saved for 25 years by simply bagging them in plastic, but it might be better to access the newspaper's web site and print the desired articles on you laser printer using standard office paper.
I agree. Go with something that is VERY common, and simply a socket connection (like USB, SD card, MicroSD,).
Don't go with moving media, like disk drives, unless they are in an external drive chassis with USB connectors, because disk drive connectors have changed twice in the last 25 years and its likely to happen again. Bear in mind the desktop or laptop computer may be completely replaced in 25 years by flat screen portable devices.
Modern interfaces like USB tend to be backward compatible with prior devices. So when USB 6.0 is pushed out in 25 years, there will still be a boat load of USB 1,2 and 3 devices, and chances are if the connectors are the same they will also be compatible.
Exactly.
Seriously, I can't imagine how GP was moderated insightful.
Did the moderators all skip breakfast this morning?
Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.
Fill the hole: No. Read the article. The hole is needed and used routinely to charge the battery and reprogram.
Cover the hole with an exterior lock: So this is your plan to avoid changing out the lock? Add yet another lock on top? And how secure is that lock?
Add a circuit ahead of the main board: Where? There is no room for that. You would have to replace the entire main board.
Firmware fix: Perhaps possible, but these are very old designs using very limited microcontrollers. And you would still have to replace every reprogramming device in the field to get around this because your solution would also prevent reprogramming the lock.
So, NO, the article is not completely wrong. Your post is pretty close to completely wrong.
By the time you do any of the modifications you suggest, it would be cheaper to change the lock.
And none of those changes could be accomplished by the handyman. At best, they might be able to change out the lock. Most of those guys know how to swing a wrench and a toilet plunger. They are not very good at board level soldering. Even worse at changing microprocessors inside a lock chassis designed specifically to be tamper resistant.
Best case is that they can replace the entire circuit board using cheaper more modern ICs in the same amount of space. But even that is likely to more expensive to than just replacing every single lock.
In actuality, This will never be done, until the next hotel remodel. Additional theft insurance, maybe purchased by the manufacturer, will be by far the cheapest alternative.
He didn't reveal the actual hack, he only demonstrated that one exists.
Further, there are already several instances of people being sued into silence after responsible disclosure.
Further the problem can not be fixed, and replacement of all locks world wide would be so experience and time consuming that it would never be done in response to responsible disclosure.
The probable outcome here is that the lock maker buys more insurance and sends a memo to customers offering a discount on new and improved locks. Which will be ignored by virtually all hotels.
Responsible disclosure would serve no purpose in this instance.
I think that the number is based on the profit Samsung made from these devices, Apple's alleged "losses" due to these products, and some punitive amount added in for good measure.
Just goes to show how much is at stake.
That might work if the iPad wasn't outselling the Galaxy tab by about 100 to one. Apple still owns the tablet space even tho they have lost the smartphone market.
But these are triflingly inconsequential patents we are talking about here.
Users don't want everything tied to a single identifier, particularly one controlled by Microsoft, Google, Facebook or some other company.
Exactly.
However, the sad part about this is we have already gone way past the point where compartmentalization of our on-line experience is anything but a pipe dream.
Those people who may want to link all your accounts across various websites can now do so without so much as a warrant. And they don't need to be a three letter agency to pull this off. Any hick sheriff or small town detective can do the same thing with a few simple letters.
The technology of single sign on, when done right, doesn't expose much more than the fact that Google (by way of example) says the person attempting to sign on with that google id knew the password. It really does not pass much info back to the requesting site other than the email address. The site never sees the password, or other account details.
When people sign up for a site with a custom log in and password, they usually end up giving an email address anyway, but at least when doing it that way, the perception remains that this login stands alone and discrete from other logins. (This is a questionable assumption at best).
Someone cracking Slashdot's database does not get much. One could make the case that cracking any site that uses OpenID authentication via another site gets even less. No passwords are stored locally at site xyz. If done right. But that is hard to verify.
The big scary part is when the OpenID provider gets cracked everything is cracked. Unless combined with some form of two factor identification a stolen password is all it takes.
Make your message the hook, not the counterpoint, or you WILL be misunderstood.
Had the hook been the main message the song would never have been played. How would that have served any purpose?
The idea was to get the song on every radio station, and sell records (and make money). It worked.
Once out there, people listen more closely, and when they do the message won't be misunderstood. That you still see it used today, inappropriately simply indicated people new to the song haven't yet listened to much beyond the hook. These are useful idiots, serving the song writer's purpose.
Now don't get me started on Pumped Up Kicks. Not after Aurora.
I'm sure MicroUSB and other industry-standard connectors weren't considered. For how many years now has Apple been the last holdout with proprietary connectors?
Didn't the EU mandate a standardized charger connection? Apple slips through a loop hole by providing an adapter. Like the people who forgot their charger will remember the adapter.
Why not some teeth in the law? Forbid the import or sale in the EU of any phone that uses ANYTHING other than the standard adapter for charging.
Or are those draconian measures reserved only for rounded corners? Why does Apple get a pass?
{whistle!} a little sensitive, aren't we. whew! i can only imagine how overprotective you are with more personal things.
I rather suspect his iPhone is the only personal possession he has. Most likely his girlfriend-in-the-pocket.
Oh, and here's an apostrophe for the punctuation police: '
Actually, playing the music, and calling attention to the exploit is a sign of kiddies at play, and nothing to do
with any professional or state backed efforts. Why would you reveal your exploit?
Its possible this is a diversionary tactic to hide something serious going on at different workstations. But I doubt it.
It could also be an inside prank, because unless you are there to see the panic ensue, why play music. But I doubt that as well.
The story is just as likely to be totally bogus: Unverified email form a nuclear scientist, Really!?, Like these guys get to send mail unguarded, un-scanned, un-censored?
On the other hand, not keeping your mouth shut about the piracy, and suddenly announcing you're giving your game away because of all the "piracy" may get you some publicity that will increase your in-app income by even more than continued sales would have done. It's possible, and obviously it's what these guys are banking on.
And the beauty of that is there doesn't have to be any real level of piracy for this ploy to work.
Their refusal to reveal actual piracy numbers pretty much lends credence to this possibility.
Did you ever stop to consider that perhaps it's easier to control in-app purchases than it is to prevent the initial pirated version from being installed?
I considered this for about 37 seconds, then realized it was not germane. .apk all over the world? The were still able to bank all the sales reported in the Google Market.
So what if people are emailing the
They had around a quarter of a million PAID downloads at the time they declared it free.
Regardless of being pirated or purchased, the money flow from In-APP will be the same. They knew this going in. Like I said, its not their first trip to the bank with games. If you can earn a quick quarter million in under a month, why make it free? Just keep your mouth shut about the piracy and bank the legitimate sales along with the in-app money.
If random people with illegitimate copies are allowed to use your servers to patch or for gameplay, then you are doing it wrong.
Or, you are doing it INTENTIONALLY.
The game in question supports In-App-Purchases, and in fact, to play the game to conclusion, most users will spend more money
for in-app-purchase of weapons etc than the game's initial purchase price. The game calls home.
These purchases can't (yet) be hacked like the reported hacking of IOS in-app purchases.
Its widely suspected that this was Madfinger Games monetization plan all along.
They planned to release at 99 cents, gain a quick couple hundred thousand downloads, recovering all of their development costs. (This isn't their first game, and they already had their game engine in the can from earlier games).
Then, magnanimously, when it became clear that you needed to make in-app-purchases, they planned to make it free.
They go so much flack for making it free after charging about a quarter of a million people 99 cents, that they decided to play the victim card.
But ALL THE TIME their game had been calling home for authorization at install, and ALL THE TIME they had allowed these pirated installs because they were intending to make their money on In-App-Purchases, and really didn't give a rip about piracy.
Its a suckers play, and most of the mainstream press as well as bloggers who should know better are falling for it.
How hard can pushing buttons on a phone be?
Remember when you last ordered up a pizza for delivery?
It's the same thing.
Preserving something for austerity usually involves pinching pennies or something.
If you meant posterity instead, just recall that we are talking 25 years. Not that big of a deal.
It will create so many new jobs and so much specialist knowledge, it can't fail to improve the economy!
Ah, yes, that's it, they are trying to institutionalize the Broken Window Falacy.
Personally, I suspect the term "Living standard" is code for we don't want any standards we can't subvert, and we want the freedom to pack in as much
proprietary crap as we can and go after patent license fees down the road.
This can't help but lead to IE6 all over again.
There are more VOIP providers than there are species of fish.
Ok, fair warning, I'm officially stealing that line.
But you do have POTS whether you know it or not. It may not be on your premises, but that's not the issue.
If you can call a POTS number from your Voip, you can dial into a conference call.
Actually pressed CDs will always be readable, because they do not depend on a chemical ink.
They are composed of physical pits in a metallic layer.
And then remember to open the chest every year and feed the bacteria.
Dumb idea.
Find a device that can run without the battery. Many, if not most laptops can run with the battery removed by simply plugging it in.
There is no battery technology in common use today that can survive sitting unused for 25 years. Further, most laptops are never truly "off"
and are always pulling a trickle charge for the clock.
But the suggestion to include a whole computer seems pointless to me.
Laser printer pages don't stick together.
I have banker's boxes full of documents (mostly code listings) circa 1986 printed on the first HP laser jet. No sticking problem.
The only sticking I've seen in laser printing is from early models (circa 1975) of IBM 3800 laser printers (mainframe laser printers) which printed so fast the thermoplastic never had time to cool before it was pressed down by the sheet above. Print jobs directly off the back end would sometimes stick together. This was solved in a few months by a toner change.
Acid-free archival paper should be good, even for photos. Look at what the manufacturer says - they mean serious business when they make these papers, real art will be put up in museums reproduced on them.
We are talking 25 years here.
You don't need to be particularly worried about printed documents, even photos, over that short period.
Go into any business that has been around for 30 or 40, or dig into some boxes in your attic or your parents attic, dig into the back of the file cabinets or storage boxes, and you will find documents much older than 25 years that are in perfect shape.
Acid free paper is for 100 years plus, and has been the norm for off the shelf office paper since the 60s or earlier. True archival paper is Alkaline paper, which has a life expectancy of over 1,000 years for the best paper and 500 years for average grades.
So for 25 years, no special precautions need be taken when using common commercial printing paper that you might buy at your local office supply store.
Even Newspapers can be saved for 25 years by simply bagging them in plastic, but it might be better to access the newspaper's web site and print the desired articles on you laser printer using standard office paper.
25 years is not that hard to do.
I agree. Go with something that is VERY common, and simply a socket connection (like USB, SD card, MicroSD,).
Don't go with moving media, like disk drives, unless they are in an external drive chassis with USB connectors, because disk drive connectors have changed twice in the last 25 years and its likely to happen again. Bear in mind the desktop or laptop computer may be completely replaced in 25 years by flat screen portable devices.
Modern interfaces like USB tend to be backward compatible with prior devices. So when USB 6.0 is pushed out in 25 years, there will still be a boat load of USB 1,2 and 3 devices, and chances are if the connectors are the same they will also be compatible.
The phone is a new release. It does everything you need. There is no requirement to have the very latest OS to count ad modern.
Except that Scientology Advocated at least eat their own dogfood.