The Study of Physical Hacks at DefCon

Zonk posted more than 7 years ago | from the old-ways-are-the-best-ways dept.

Security 299

eldavojohn writes "DefCon usually focuses on electronic security, but Saturday a talk was held that focused on possibly the oldest form of hacking — lockpicking. As software security becomes better and better, the focus may be shifting towards simple hacking tips like looking over someone's shoulder for their password, faking employment or just picking the locks to gain access to the building where machines are left on overnight. From the article: 'Medeco deadbolt locks relied on worldwide at embassies, banks and other tempting targets for thieves, spies or terrorists can be opened in seconds with a strip of metal and a thin screw driver, Marc Tobias of Security.org demonstrated for AFP ... Tobias says he refuses to publish details of 'defeating' the locks because they are used in places ranging from homes, banks and jewelers to the White House and the Pentagon. He asked AFP not to disclose how it is done.' I'm sure all Slashdot readers are savvy enough to use firewall(s) but do you know and trust what locks 'physically' protect your data from hacks like these?"

Backstop that lock... (5, Insightful)

swb (14022) | more than 7 years ago | (#20123235)

...with a Smith & Wesson (or a Glock, or a Bushmaster, or a Remington).

Re:Backstop that lock... (4, Insightful)

couchslug (175151) | more than 7 years ago | (#20123317)

Funny, but you do have a valid point. Locks keep honest people honest.

It isn't difficult to slice through or drill most locks or the doors holding them, let alone picking the lock, but if there is an armed human on the other side that changes the game a bit. :)

Re:Backstop that lock... (1, Insightful)

r_jensen11 (598210) | more than 7 years ago | (#20123387)

Except that, statistically, people who keep guns for 'protection' against robbers are more often victims of their guns rather than the burglars. I know this is ignoring the fact that the GP was making a joke. It's much more effective to have an alarm system than it is to back up your deadbolt locks with a gun. For starters, a burglar wouldn't know you have a gun in your house, while simply having a sign in the front window or the front yard saying "This house is protected by ADT" would make someone think twice about going into your house.

Personally, I'd have a sign that says "Beware of Dog [dogthebountyhunter.com] " with an appropriate picture on the sign.

Re:Backstop that lock... (4, Insightful)

Hijacked Public (999535) | more than 7 years ago | (#20123607)

Also, statistically, 100% of unarmed people are unable to repel boarders with arms.

I have both the ADT sign and the above suggested firearms.

Re:Backstop that lock... (5, Insightful)

Anonymous Coward | more than 7 years ago | (#20123651)

That argument has been discredited by several studies.

Just look at how they derive those numbers...they categorize "loved ones" and "family members" and anyone you have ever met.

If you want the real, peer reviewed scientific analysis on guns in the hands of citizens, just check out the writings of John Lott.

Re:Backstop that lock... (4, Informative)

kd5ujz (640580) | more than 7 years ago | (#20123707)

Re:Backstop that lock... (4, Insightful)

HUADPE (903765) | more than 7 years ago | (#20124459)

I would never want one of these signs. It seems like it would attract many criminals whose intent was to steal my gun.

Re:Backstop that lock... (4, Insightful)

swb (14022) | more than 7 years ago | (#20123881)

Your statistics aren't true, it's a tired argument hauled out by gun ban types based on a repudiated and poor study.

The problem we have is that since the 1970s, we've emaciated homeowners and law-abiding citizens by making it difficult to use deadly force.

If, as was the case prior to 1960 in most parts of the US, it was generally assumed that a property owner could use deadly force against an intruder, it would be the equivalent of a "Protected by Smith and Wesson" sign in front of EVERY house, along with criminals having to assume the risk of such crimes.

Re:Backstop that lock... (0)

JohnFluxx (413620) | more than 7 years ago | (#20124351)

Making it much more likely that the burglar carries a weapon with them. Real smart idea.

Re:Backstop that lock... (1)

Rakishi (759894) | more than 7 years ago | (#20124379)

Well as the UK found out, a knife is just as effective as a gun when everyone is unarmed and knives are perfectly legal to carry about by convicted criminals (unlike guns). Your point being?

Re:Backstop that lock... (1)

Ramble (940291) | more than 7 years ago | (#20124731)

Actually, in the UK I believe it's illegal to carry a blade over 3 inches which swings out of the handle. However someone with a valid excuse (like a kitchen knife salesman) would be able to bypass that.

If guns stop crime then why crime in the USA? (3, Insightful)

fantomas (94850) | more than 7 years ago | (#20124885)

Parent's point I'd guess would be that it's an arms war. If you're saying that the way to stop being knifed is to carry a knife yourself, then the criminals carry guns. And if you match that with a gun, surely the only solution is for everybody to carry fecking ridiculous big guns around? Personally I am happy to be able to walk down to the shops without needing to carry a weapon.

If weapons stop crime, how come the USA, one of the most tooled up countries in the world, has so much crime and so many people die from gun injuries?

Re:Backstop that lock... (2, Interesting)

Fulcrum of Evil (560260) | more than 7 years ago | (#20124453)

This isn't borne out by any evidence. I call a foul and remove the argument from play. No yardage on the call.

Re:Backstop that lock... (1)

parabyte (61793) | more than 7 years ago | (#20124847)

In Germany the law is quite reasonable in these cases. In self-defense you are only allowed to use adequate means to defend yourself, so you typically get away with shooting an unarmed intruder in the foot, or you can shoot an armed intruder without warning, but you are not allowed to shoot a burglar who is running away in the back.

However, there is an exception where the use of excessive force is not punished: When your family is around, and you act in order to protect them, you will very probably get away with killing anyone who breaks into your house at night, armed or not.

p.

Re:Backstop that lock... (4, Informative)

swb (14022) | more than 7 years ago | (#20123415)

No, it was meant to be serious. Locks keep out honest people and lazy criminals (given how often the police issue updates reminding us to lock the doors because they've had a run of unforced entry burglaries, there must be a lot of them).

Weapons keep out ANYBODY, but watch out for criminal-friendly laws on deadly force that either require you to flee your own home or prove that you were threatened with imminent risk of death or great bodily harm.

Fortunately where I live, deadly force is justified within your own home to stop the commission of a felony, and burglary is a felony.

Re:Backstop that lock... (2, Insightful)

LordSnooty (853791) | more than 7 years ago | (#20124127)

Weapons keep out ANYBODY, but watch out for criminal-friendly laws on deadly force that either require you to flee your own home or prove that you were threatened with imminent risk of death or great bodily harm.
Which is right and proper since in most Western countries the state doesn't demand the death penalty for burglary.

Re:Backstop that lock... (5, Insightful)

couchslug (175151) | more than 7 years ago | (#20124391)

"Which is right and proper since in most Western countries the state doesn't demand the death penalty for burglary."

You mistake shooting a "burglar" for penalizing said burglar instead of SELF-defense. Defending yourself is not to be confused with lynching.
A "burglar" (intruder) is a huge risk to the occupant of a house because the intruder has incentive to kill the householder to shut him/her up, and sometimes does.
Crimes of opportunity in a home invasion include rape, torture, arson to cover up the evidence etc.
Intruders are not typically like Roger Moore in "The Saint".

If you don't want to defend yourself, it is your right not to. To say that I cannot defend myself is to say that I don't matter, and those who would violate me do. I respectfully disagree.
Even in Iraq, the US allows householders one firearm. This is because police response is reactive, not preemptive. All the cops can usually do is collect evidence and maybe arrest the perp for whatever he/she did. This neither reverses nor prevents damage to the victim.

When I was TDY to Saudi Arabia, some crackheads decided to party on my property. My wife asked them to leave. They told her to fsck off and made threatening statements. (We lived in an area with light police protection and long response times.) She retreated to the house, got out our Mini-14, and put several warning shots into the ground (not towards the crackheads) where the bullets could be retrieved if required. They promptly left and never returned for the remaining three years we lived there. When the police finally responded, the officer was fine with it. (I love the South!)

The right to violent self-defense is essential to freedom, because if you are forbidden to defend yourself anyone can do their will to you.

Re:Backstop that lock... (1)

Javit (68742) | more than 7 years ago | (#20124687)

Any state criminal justice system has the luxury of time, which you seem to take for granted. In the heat of a home invasion or a mugging, there is no time to evaluate criminal history, review evidence, discern intentions. You forget the thinly veiled "or else" of these situations. "Just give me your wallet and car keys" (or else). Can you trust them? These victims are being threatened with unknown bodily harm by a stranger who's already taken it beyond the pale, it's more than fair for them to assume they may be killed if they don't kill first.

Re:Backstop that lock... (1)

GuldKalle (1065310) | more than 7 years ago | (#20123549)

No GUNS keep honest people honest :)

Re:Backstop that lock... (1)

Arthur Grumbine (1086397) | more than 7 years ago | (#20123377)

Who wants to sit around their office at night when they can get one of these [techeblog.com] for when they're away?

Re:Backstop that lock... (1)

JFlex (763276) | more than 7 years ago | (#20123627)

or a Pit Bull (or a Rottweiler, or a German Shepherd, or a Doberman).

Re:Backstop that lock... (1)

Graff (532189) | more than 7 years ago | (#20124239)

In addition to having a weapon available I like to back it up with a well-trained dog. My Dalmatian might look cute but she's very nasty when it comes to intruders!

There's a lot of people who would have no problems dealing with a person that would think twice if that person had an angry dog with them.

Re:Backstop that lock... (0)

Anonymous Coward | more than 7 years ago | (#20124669)

[flamebait troll-food redacted ]

Here in Urrp, at a medium-sized tech firm (~500 employees) we have a 24/7 NOC and CCTV in all our remote cages in unmanned Data Centres. (That's our own home-rolled CCTV, on our own network, on top of the DC provider's own CCTV, static guarding, perimeter security etc etc.)

Seems to work pretty well. We've had a couple of physical break-ins where scrotes have made off with a couple of plasma screens, but (a) we got bee-utiful shots of them peering in through the window before forcing the door, and (b) *shrug* so what? Who cares, it's just a telly. We're insured. No-one got hurt. The local hot fuzz took one look & knew exactly who they were anyway.

Protection (5, Funny)

SaidinUnleashed (797936) | more than 7 years ago | (#20123253)

>>do you know and trust what locks 'physically' protect your data from hacks like these?"

I know I weld my doors shut nightly. You should too!

Re:Protection (3, Funny)

KingJ (992358) | more than 7 years ago | (#20123279)

I know I weld my doors shut nightly. You should too!

I tried that with my wooden doors, didn't work out too well...

Re:Protection (1)

toleraen (831634) | more than 7 years ago | (#20123423)

Really? You'd have to be a pretty determined thief to try and pick a lock on a fiery door.

Re:Protection (1)

d'fim (132296) | more than 7 years ago | (#20123585)

Naw, just wait for a bit, and no more door!

Keep some weenies and marshmallows in your burglar's toolkit just in case.....

Re:Protection (4, Funny)

mcpkaaos (449561) | more than 7 years ago | (#20123637)

Using doors for physical security is so 90s. I keep my servers suspended over an open pit of RIAA lawyers.

Re:Protection (3, Funny)

maeka (518272) | more than 7 years ago | (#20123805)

How do you resist the temptation to let the servers drop?

Re:Protection (0)

Anonymous Coward | more than 7 years ago | (#20124635)

In my above top secret industry, we once told the lawyers the servers were piratebay mirrors. We quickly found out cattle prods are insufficient to pacify them.

Yeah, but... (0)

Anonymous Coward | more than 7 years ago | (#20124905)

How do you protect your servers from all their abusive subpoenas?

"Hacking" (5, Informative)

Arthur Grumbine (1086397) | more than 7 years ago | (#20123259)

From TFS,

"...simple hacking tips like looking over someone's shoulder for their password."

How far the meaning of this word has come from its original [wikipedia.org] usage.

Re:"Hacking" (2, Funny)

Anonymous Coward | more than 7 years ago | (#20123289)

Language, how it doth change! How I mifs the language of yore, and fmite the technological neologifms brought.. ironically.. by the self-proclaimed "hackers" who then complain that the word they used to describe themselves has evolved in meaning.

Re:"Hacking" (4, Funny)

multisync (218450) | more than 7 years ago | (#20123345)

I'm reminded of Ralph Macchio asking Mr. Miyagi what kind of belt he had in the Karate Kid. Mr. Miyagi's answer:

"Canvas. JC Penny. Three ninety-eight. You like?"

Re:"Hacking" (0)

Anonymous Coward | more than 7 years ago | (#20124615)

Funny, I would have thought that the original usage of "hacking" would have referred to destroying things with an axe. In any case I'm sure that usage predates your usage by many many years.

Locks are pretty much useless (5, Funny)

Anonymous Coward | more than 7 years ago | (#20123271)

Because doors are riddled with 0-day exploits in the frames and hinges. With even a small vehicle, you can exploit a stack-overflow in the frame, popping the entire door out. DOS attacks against hinge pins can also be used to completely bypass a lock.

Yeah but just try a remote DDOS with zombies (2, Funny)

davidwr (791652) | more than 7 years ago | (#20123465)

Yeah you can get an army of zombies [dubbdesign.com] to help you pick the lock, but you have to get them in close proximity to the lock and make sure they don't trip over each other.

Besides, most zombies don't have the physical dexterity necessary for good lock-picking. In large groups they are good at tearing the door off its hinges or ramming through it though.

Re:Locks are pretty much useless (1)

Maelwryth (982896) | more than 7 years ago | (#20124311)

"Because doors are riddled with 0-day exploits in the frames and hinges. With even a small vehicle, you can exploit a stack-overflow in the frame, popping the entire door out. DOS attacks against hinge pins can also be used to completely bypass a lock."

And we won't even mention windows :).

Wetware hacking (3, Insightful)

Rosco P. Coltrane (209368) | more than 7 years ago | (#20123291)

the focus may be shifting towards simple hacking tips like looking over someone's shoulder for their password, faking employment or just picking the locks to gain access to the building where machines are left on overnight.

It's not shifting at all. I've done my share of hacking when I was younger (ahem) and the weakest link was always the human link. It was much easier to con the secretary into giving a password than hacking the secretary's computer, and I suspect it's even more the case now with more solid computer systems. That's called social engineering and it will always work very well indeed, because much to my dismay, computer users get dumber and dumber as computers get more and more powerful.

As for lockpicking, it's not really a secret that no lock is safe. Look up "bump key" in your favorite search engine and you'll see what I mean.

Re:Wetware hacking (1)

ls671 (1122017) | more than 7 years ago | (#20123577)

It's not shifting at all. I've done my share of hacking when I was younger (ahem)

Agreed, nothing new to see here, I had people getting in the data center through the roof 10 years ago to get at the data so we needed to install better locks and better PHYSICAL intrusion detection systems ;-)

Re:Wetware hacking (1)

LurkerXXX (667952) | more than 7 years ago | (#20123817)

I think you need to check out medico locks if you think they are in the same line of locks that can be picked with a bump key.

If these guys actually have a way of defeating a medico lock, they've done something special.

Medeco (2, Informative)

ls671 (1122017) | more than 7 years ago | (#20124187)

I think you need to check out medico locks if you think they are in the same line of locks that can be picked with a bump key.

I think it is medeco http://www.medeco.com/ [medeco.com] not "medico". Medico locks are for locking up your girlfriend so nobody can access her private parts.

These locks are harder, but not impossible to bump for a very skilled locksmith. Nothing is 100% hack-proof, just harder to hack.

Re:Wetware hacking (0)

Anonymous Coward | more than 7 years ago | (#20124211)

I'm not sure if Abloy is safe against all lock picking techniques, but at least a bump key doesn't work with it. http://www.abloy.com/ [abloy.com]

No, I don't (1, Insightful)

The Man (684) | more than 7 years ago | (#20123305)

My own data is kept at home, where my windows are left open all day and the locks can be picked by amateur locksmiths in a few minutes. It's basically there for the taking, but as it happens there's really very little of value - I don't keep identifying information like social security numbers electronically, and I don't happen to own any intrinsically valuable data. The reason I protect my computers is to avoid seeing them used by others to launch attacks; between the legal concerns and a simple moral obligation to the rest of humanity, I don't want that happening. The actual data that needs protecting is stored elsewhere - in a bank vault, perhaps. The real concerns are around all the corporations and government agencies which insist that they need all this information but then do nothing to protect it - physically or electronically. Given their lax electronic safeguards, I don't really see much point in improving physical security: right now my data can be obtained more easily and with less risk of detection by electronic means than by physically breaking into a data centre.

Re:No, I don't (1)

Eddi3 (1046882) | more than 7 years ago | (#20123533)

And you live where, Exactly? For, uh, informational purposes, of course.

i guess throwing in windows (1)

varkman (818678) | more than 7 years ago | (#20123313)

makes you a scriptkiddie then

How is it done? (0)

Anonymous Coward | more than 7 years ago | (#20123319)

he refuses to publish details of 'defeating' the locks

Aw, pfsst, boring! Anyone has any clue?

Everywhere I've ever worked we had alarm systems (1)

mikeabbott420 (744514) | more than 7 years ago | (#20123333)

I would be a lot less worried about locks being picked than any number of other "social engineering" methods.

Kind of a related question (2, Interesting)

iminplaya (723125) | more than 7 years ago | (#20123339)

Why do they put door locks on a convertible?

Re:Kind of a related question (1)

woodchip (611770) | more than 7 years ago | (#20123623)

I don't know. But a couple days ago I set off my car alarm on my convertible by trying to unlock the door from the outside. Which is kinda silly, seeing the top was down, and I could just jump into the driver seat NASCAR style.

(I don't normally lock it if I leave the top down)

Re:Kind of a related question (1)

LurkerXXX (667952) | more than 7 years ago | (#20123851)

Because slicing open a closed convertible top takes more effort and is a more noticeable action than opening an unlocked door.

Yes, tops can be sliced open. Regular car door locks can also be defeated in about 3 seconds using a slam stick.

Nothing is going to stop someone from getting into your car if they want to. Requiring some level of effort will deter many folks who would snag something if they were just walking by otherwise.

Re:Kind of a related question (1)

networkBoy (774728) | more than 7 years ago | (#20124113)

On a side note, some of the most secure locks are found on German cars (specifically Porsche and Mercedes Benz, don't know about BMW, but I would assume so). I don't know a lockpick that will work on an AMG SL65. Hotwiring is, of course an option, but a damn hard one.
-nB

anecdotal (5, Interesting)

zogger (617870) | more than 7 years ago | (#20123923)

One summer I was forced to park right in the same neighborhood as crack houses, etc, because of where I had to work. As did my co workers. They all locked their doors and trunks, result, all of them got busted glass and popped trunks. I warned them too, I really did, I said "look at reality, these cars are targets now". Nope, none of them listened. I left my doors unlocked and the trunk slightly open, just eased down. The ride was so old and ratty I wasn't afraid of it getting stolen, albeit that was a chance. There was nothing left in the car to steal, a very cheap in dash radio not even worth a dollar at a pawn shop, but I made it easy for the crooks to ascertain that, because I knew they would look.

Ya, it sucked doing that, the principle rankled me, but my practical nature took over, because it was better than having to replace a door window.

Most modern stick frame construction houses are vulnerable to a razor knife. Just pick a section of wall and slice a hole. You got plastic siding, a thin tyvek sheet, some cheap ass pressboard stuff (glorified cardboard really), some spun fiberglass insulation, then drywall. That's all you need, a couple minutes with a razor knife and any thief can get in easy, let alone if they use something like a cordless sawzall thing.

Re:anecdotal (4, Interesting)

iminplaya (723125) | more than 7 years ago | (#20124217)

Most modern stick frame construction houses are vulnerable to a razor knife.

There were thieves in Chicago (and I'm sure elsewhere) that would steal whole garages, bricks and all. Turns out they could sell the bricks. And watch out for stolen manhole covers. That could really hurt. Well, you have the right idea. Don't go through those neighborhoods wearing your nice shoes.

Am I the only one slightly amused... (0, Flamebait)

weak* (1137369) | more than 7 years ago | (#20123351)

...by a bunch of people who were shaken down for lunch money in grade school talking about physical security?

Re:Am I the only one slightly amused... (0)

Anonymous Coward | more than 7 years ago | (#20124543)

Yes.

Re:Am I the only one slightly amused... (0)

Anonymous Coward | more than 7 years ago | (#20124585)

yes

I just want to warn you that (0)

wamerocity (1106155) | more than 7 years ago | (#20123359)

I work for the CIA, and locking mechanisms are copyrighted, and therefore any talk of picking locks is a violation of the DMCA.

You are warned!

Re:I just want to warn you that (0)

Anonymous Coward | more than 7 years ago | (#20123711)

IANAL but I've thought about this before. Technically, reading section 1201(a) literally, it's very possible that lockpicking discussion/lockpicks WOULD be in violation of the DMCA provided that the lock being discussed was being used to secure a copyrighted work and the copyright owner pursued the case. If it hasn't been done in the next couple years, I might consider making a test case out of it.

How to pick Medeco locks (2, Informative)

Iphtashu Fitz (263795) | more than 7 years ago | (#20123373)

Google is your friend. All of about 30 seconds of searching came up with this [fortliberty.org] article as well as others. Although I didn't watch them I also found a few videos posted on YouTube that claim to demonstrate how to do it.

Re:How to pick Medeco locks (4, Informative)

mlts (1038732) | more than 7 years ago | (#20123719)

From what the original poster's article said, this appears to be a valid method against the original Medeco and the Medeco Biaxial line [1], but I don't see how this would have any effect at all versus the latest Medeco3 mechanism (well, latest since 2003), which uses side bitting on the key as well as the usual Medeco rotating pins.

Other than Medeco, there is one type of lock that would be excellent for security, Abloy's Protec line, which from what I read takes 10-12 hours to pick even for the pros at detainer disk type of locks. However, the Protec line isn't sold in the US. Older Abloy lines are decent, but it would take far less time for a pro to pick them open. There are other high security locks out there, and one can read from a lock site what the weaknesses are of each of them.

Nothing is 100% secure. If some thief is determined enough to bypass something, they can.

Lastly, high security locks are just one tool, in a toolbox of security options. If it's worth locking with a high security cylinder, it's worth having a centrally monitored alarm system (with a duress code [2] option.)

[1]: Biaxial isn't that much more secure than the original Medeco, but it allows for (IIRC) 10 times as many key combinations, allowing for more flexible keying options.

[2]: Yes, home invasions are on the rise, so make sure an alarm system has a duress feature (where it disarms, but silently calls the central station)... and USE the alarm. If at home, use the alarm's "at home" feature which monitors the doors and windows, but doesn't arm the IR detectors. A high security lock is no good when it is opened by the owner at gunpoint.

Re:How to pick Medeco locks (4, Interesting)

eggoeater (704775) | more than 7 years ago | (#20123869)

From what the original poster's article said, this appears to be a valid method against the original Medeco and the Medeco Biaxial line...
Sorry, but I'm not buying the article the GP pointed to...it's simply saying "modify a diamond shaped lock pick...etc etc". I don't see how ANY lock picking solution can get around correctly rotating the pins so the holes line up with the sidebar. Added to that, there are many things to help defeat the constant tension during a pick, mushroom pins being one.

You seem to know a thing or two about Medeco locks (like the fact that there's a diff. between the original and Biaxial). If you know/see something about the article I don't, please let me know. My father worked for Medeco (and I briefly worked in their factory one summer) and I'm sure he'd love to know.

Also, last I heard, there was still a reward offered by Medeco for picking a lock at their headquarters in Salem VA.

Re:How to pick Medeco locks (4, Insightful)

mlts (1038732) | more than 7 years ago | (#20124069)

The OP's article really didn't have much detail, but there are other sites that one can check out that have more details on attacks on Medeco locks.

The Medeco reward I've heard about in a number of different forms, so I'm not sure the exact details. Last I heard, if someone can pick 3 Medeco cylinders (the six pin type found in deadbolts, not the four or five that are used as replacement for disk tumbler cylinder replacements.), they get a prize. However I have no clue what the real status of that is.

Nothing is unpickable by someone who knows their stuff and has the manual dexterity. It's slowing people down, to where even a skilled lock manipulator will take hours to open the lock, which will most likely mean detection. It's also forcing someone to leave a signature (scratches), so if stuff does get taken, one can prove to an insurance company that a lock was defeated or something was broken.

Mushroom pins help, but are just one security mechanism, forcing locksmiths to jam the pins up, then let them float downward to the shear line, rather than pushing pins up from their resting place. I'm pretty sure the sidebar is pickable by some tool that rotates the pins, as its talked about on various lockpicking sites.

This is one reason I recommend high security locks. If someone kicks down a door or breaks a window, that leaves a noticeable signature where a claim with insurance has more ground. If someone's house is robbed by a bumped lock, there is no trace, and it goes to a word against word thing to prove that stuff was there, and is now not.

It may be the security has nothing to do with the tumbler mechanism. In some locks are weaknesses that have nothing to do with the cylinder used. For example, one lock I have has a very pick resistant cylinder, but one can use a shim and the lock pops right open.

Lastly, some people may state security through obscurity, but I'm glad that the methods of opening Medeco deadbolts are not made public. Physical locks can't be updated like most programs can. Every cylinder in a building would need replacing, and that would amount to hundreds of thousands, if not millions of dollars, factoring in parts, labor, the time it takes to deploy a new keying system, getting the new keys to all the employees, etc.

Re:How to pick Medeco locks (0)

Anonymous Coward | more than 7 years ago | (#20124163)

Someone determined enough would just bring a torch and some insulating pads a battery powered cutting wheel and sawsall, a nice assortment of thermite cutters and a fire extinguisher ;)

Re:How to pick Medeco locks (1)

Big Bob the Finder (714285) | more than 7 years ago | (#20124215)

Tobias (who either *is* security.org or works for them) is the author of Locks, Safes, and Security: An International Police Reference. On their webpage they announce a detailed look at the Medeco M3. [security.org] From the description, it sounds like they have a way to bypass it, but no idea if it's true or not when they won't release details. I think these are the same guys that also manufacture the tools specific to bypassing Abloys.

Re:How to pick Medeco locks (2, Insightful)

plover (150551) | more than 7 years ago | (#20124785)

This attack sounds like one I heard about 10 years ago. Some kid showed up at a locksmith convention selling Medeco opening kits for cheap. A former buddy bought one.

Basically, the trick is you don't pick the lock at all. You pass the metal strip THROUGH the body of the lock and out the back, and use it to retract the bolt mechanism behind the cylinder. Damned clever attack.

..refuses to publish details.. (0, Flamebait)

nurb432 (527695) | more than 7 years ago | (#20123509)

Anyone can make *claims*. Either put up or shut up.

Re:..refuses to publish details.. (1)

eggoeater (704775) | more than 7 years ago | (#20123795)

Not only that but last I heard, Medeco offers a reward to anyone who can reliably (ie. consistently) defeat their locks. All he has to do is demonstrate that to them...wouldn't need to be public.

Re:..refuses to publish details.. (0)

Anonymous Coward | more than 7 years ago | (#20124013)

Right, but as the summary said,

...can be opened in seconds with a strip of metal and a thin screw driver, Marc Tobias of Security.org demonstrated for AFP.

I mean, I don't expect you to read the article, but come on, the summary, please!

If it's anything like hacking.. (3, Funny)

g0dsp33d (849253) | more than 7 years ago | (#20123643)

There's probably a door around back that is standing open.

...hack... (1)

duck0 (1073338) | more than 7 years ago | (#20123661)

Anyone else bothered by the incorrect [hack.org] use of "hack" here?

Re:...hack... (0)

Anonymous Coward | more than 7 years ago | (#20124107)

Same here. I'm getting very sick and tired of people using chopping motions with irregularity and noviceness to get into computer systems. There's absolutely nothing here about thinning out undergrowth with a machete either.

Re:...hack... (1)

DrSkwid (118965) | more than 7 years ago | (#20124177)

It's ok so long as one wears one's hacking jacket [countrysupplies.com].

How Medeco locks work (4, Informative)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#20123671)

The cuts in the key are individually angled so they rotate the tumblers as well as lifting them. Slots in the tumblers are lined up by the rotation to unlock a sidebar that fits into a longitudinal slot in the cylinder.

Bump keys can't even get started opening that.

More burglars have feet than have lockpicking skills. Step one in physical security is to combat kick-in attacks. Replace your strike plate, which I can almost guarantee is inadequate, with a reinforced model like the Mag-3 and most important, install it with #10 wood screws at least 3" long, so it can't tear out of the studs when subjected to a good kick. Predrill the holes and put soap on the threads so you don't break screws as you install it.

A block watch is a great idea too. Neighbors are a security mechanism.

An alarm system also protects you against fire, which depending on where you live can be a bigger threat than burglary.

Re:How Medeco locks work (1)

canuck57 (662392) | more than 7 years ago | (#20123739)

A block watch is a great idea too. Neighbors are a security mechanism.

Another good one I find is a Doberman that hasn't had dinner yet.

Re:How Medeco locks work (1)

Acer500 (846698) | more than 7 years ago | (#20124621)

Disclaimer: true but probably exaggerated story.

I live in Uruguay, and the most common burglary problem comes from young kids/teens from poor settlements ("cantegriles"/"villas miserias"/"favelas") that hop across roofs and walls of houses looking for an unprotected house to make a quick entrance and steal whatever valuables are at hand.

While I was studying with a classmate of a well-to-do family in his house, we heard a noise and saw one such teen trying to enter (he hadn't noticed us). We called the police and foolishly tried to follow him (he might have been armed, and it's not usual for people to own weapons in Uruguay). He escaped by jumping the wall into the next door house... which had a famished Doberman, which promptly attacked the teen. The police caught him and managed to separate him from the Doberman, but not before the Doberman had torn one of the teen's testes (ouch).

Re:How Medeco locks work (2, Informative)

Tamugin (851088) | more than 7 years ago | (#20124005)

Predrill the holes and put soap on the threads so you don't break screws as you install it.

Replace soap with beeswax in this case. The moisture in soap will affect the wood surrounding the screws and weaken it. Beeswax leaves the wood in good shape as well as helping you to drive 3" screws without shearing the heads off when you're almost finished.

Re:How Medeco locks work (1)

DrSkwid (118965) | more than 7 years ago | (#20124203)

What is this '3"' of which you speak?

Re:How Medeco locks work (0)

Anonymous Coward | more than 7 years ago | (#20124907)

American notation for three inch. ' is foot. I believe the same two (' and ") are the minutes and seconds of an arc, respectively (i.e. [0-360] degree [0-60]' [0-60]"). See WP [wikipedia.org]

locks are designed to keep honest people honest (1)

bl8n8r (649187) | more than 7 years ago | (#20123733)

Not for securing a fortress. Surveillance with active IDS is a better deterrent, e.g. armed guards patrol premises and monitor video stations vs. a Medeco lock.

The article summary must be misleading. (1, Informative)

Anonymous Coward | more than 7 years ago | (#20123845)

The summary must be butchering Marc Tobias's recent claim of the obvious: The slider mechanism in the Medeco M3 is a patent extension feature and provides virtually no additional security.

Gasp! You don't say?

Almost all lock manufacturers add these useless features every time their patent expires. The M3 one being particularly worthless, but others that come to mind are the Bilock trigger, the Schlage Everest Slider, and the Mul-T-Lock interactive element. I believe it's EVVA that added a similar mechanism to their locks, but one that is almost worthy of being called an upgrade.

They all accomplish the same thing: A "specially" made portion of the key moves (or allows to move) a spring-loaded obstruction until it no longer obstructs the shear line. Most of these obstructions can be cleared out of the way with a lockpick or aren't even an issue if the lock is being picked.

If Marc Tobias ACTUALLY accomplished as the article suggested, then he would have to provide extraordinary proof to match his extraordinary claim. I am intimately familiar with Medeco, and a strip of metal and a paperclip isn't going to open these locks mounted on a door short of a comb attack which I doubt would work, or through an extraordinary amount of skill. Medeco are a BITCH to pick.

A Baseball Bat... (0)

Anonymous Coward | more than 7 years ago | (#20123847)

... is all I need to physically protect MY data. >:D

It's the form factor, stupid. (3, Interesting)

Animats (122034) | more than 7 years ago | (#20124027)

A big problem with mechanical locks is the form factor. Anything that has to fit in a standard US cylinder lock hole is inherently weak. It's just too small.

There are some good locking systems out of Israel. Mul-T-Lock makes door locks that extend three or four deadbolts through the door and into the frame, like a vault door. These are made to work like ordinary door lever locks.

The best residential doors are found in older HUD-financed housing projects in bad neighborhoods. Apartment doors are steel fire doors mounted in steel frames, and walls are reinforced concrete. Those things will resist a battering ram. The lock mechanisms usually aren't that great, but the threat there is generally brute force, not lockpicking.

It's surprisingly hard to get good doors and locks in the US. There are better locks in parts of the Third World.

Re:It's the form factor, stupid. (2, Insightful)

Rakishi (759894) | more than 7 years ago | (#20124487)

It's surprisingly hard to get good doors and locks in the US. There are better locks in parts of the Third World.

Mostly because there is greater demand there.

Of course in such places the criminals simply find ways to not have to open the lock. I'm sure in some of those places the door literally has to withstand a battering ram, car powered one that is, or it isn't of much use. In Poland criminals didn't even bother to pick locks to apartments half the time, they simply found some old lady carrying groceries to her apartment then offered to help carry them for her. Then as soon as she opened the door they punched her out (or killed her or just pushed her out of the way if she was lucky) and robbed her apartment. And I don't mean a few did this, I mean all of them did this.

Re:It's the form factor, stupid. (1)

Fulcrum of Evil (560260) | more than 7 years ago | (#20124633)

There are better locks in parts of the Third World.

There's probably a reason for that. Still, I'd like a decent steel door that looks like wood and a frame to put it in.

bad summary or bad article? (1)

holistah (1002858) | more than 7 years ago | (#20124041)

the focus may be shifting towards simple hacking tips like looking over someone's shoulder for their password, faking employment or just picking the locks to gain access to the building where machines are

I didn't RTFA, this is /. after all, but "focus may be shifting"? How is this news? This is (at the very least an extension of) what Kevin Mitnick talked about for years, and no doubt others before him as well. News? I think not.

Article is Redundant (1)

maestro371 (762740) | more than 7 years ago | (#20124165)

Defcon routinely deals with physical security as a subset of the overall program. Last year it was lock-bumping. At least that was somewhat unexpected. A couple of years before that (the last time I attended), there was all kinds of information on lock-picking (a co-worker even purchased a lockpick kit from one of the vendors represented).

None of this is news, and frankly doesn't seem Slashdot-worthy.

Who needs a safe? (0)

Anonymous Coward | more than 7 years ago | (#20124185)

I'm in Florida - we have Stand your Ground laws and the Castle Doctrine. Who needs a safe and 911 when you could reach for 357?

Crypto (3, Insightful)

Yvanhoe (564877) | more than 7 years ago | (#20124339)

That's what encryption is for. Even with physical access, your files are secure as long as the key lives inside your brain.
Of course they can then be deleted, but someone who would have access to my computer could only "damage" my most precious data, not read it. A computer does not work like a safe, it can be much more efficient.

Encryption - easier to use than you might think (2, Interesting)

Cheesey (70139) | more than 7 years ago | (#20124577)

I'm currently managing a transition to using only encrypted file systems, using loop-aes. As the parent says, one reason to use encrypted file systems is protection against burglars. The access keys for the data disappear as soon as the power is disconnected, so the burglar gets the hardware but no data. Thieves have to be unusually smart if they want to copy the plaintext - they'll have to trick you into revealing the key to them somehow.

But it doesn't just protect my data from burglars. It also enables me to return hard disks for warranty replacement without worrying that the manufacturer will be able to look through my files. I don't have to scrub my disks before sending them off. Disk scrubbing is never 100% effective, and might not even be possible if the controller has failed.

Loop-aes is now supported by Debian stable. I just needed to apt-get two packages, loop-aes-utils and loop-aes-modules-$KERNELVERSION. Through this, it is very easy to add non-root encrypted filesystems to your machine. An encrypted root filesystem is harder to arrange, but well worth having. There are HOWTO guides to help you set one up. The usual implementation requires you to enter a passphrase as your machine boots.

Progress (1)

kbox (980541) | more than 7 years ago | (#20124353)

the focus may be shifting towards simple hacking tips like looking over someone's shoulder for their password

Wow, 1337. Hacking certainly has moved with the times.

Bump key (1)

Fizzl (209397) | more than 7 years ago | (#20124369)

...nuff said.

Faking For Dummies: I Recommend (0)

Anonymous Coward | more than 7 years ago | (#20124443)


this book for WAR CRIMINALS [whitehouse.org].

Feloniously,
W.

Windows... (1)

Sanguis Mortuum (581999) | more than 7 years ago | (#20124493)

And, as with any discussion of security, the least secure thing in the building is the Windows...

Locks are easy (4, Funny)

reboot246 (623534) | more than 7 years ago | (#20124571)

Locks are easy compared to trying to unhook her bra with your left hand in the dark.

ThinkGeek to the rescue? (1)

KlaymenDK (713149) | more than 7 years ago | (#20124597)

Where I live we've had our share of "be wary of lockpicks" type campaigns. I've had my eyes on the "RFID Digital Door Lock"* from ThinkGeek for some time, and thought that maybe this would be the thing (except I rent my home, so it's not really my door to drill holes in). At least, it ought to be difficult to pick; it would be just as easy as ever to just bust in the entire door.

Are there any slashdotters out there who have actually bought and tried this lock? Any good/bad reviews to be had?

* http://www.thinkgeek.com/gadgets/electronic/77af/ [thinkgeek.com]

Keyboard JitterBug eavesdropping (3, Informative)

stock (129999) | more than 7 years ago | (#20124631)

The Dell key-logger hoax has probably the best decoy story to move
professional hackers/security staffers into the wrong direction, as in
May 2006, USENIX published the following research article:

"Keyboards and Covert Channels"
  by Gaurav Shah, Andres Molina and Matt Blaze, 2006-05-17
  Department of Computer and Information Science
  University of Pennsylvania
http://www.usenix.org/events/sec06/tech/shah/shah_html/jbug-Usenix06.html [usenix.org]

In it the authors demonstrate that today's unwarranted wire tapping NSA
activities normally don't result in much success as serious internet
users routinely apply encryption into their communications, like IPSec
tunneling, ssh, VPN access connections, secure web-traffic https when
e.g. doing Internet banking activities.

However, secret service found a clever approach to all this, by
covertly installing a Keyboard JitterBug into your keyboard. Here's
how to secure your most trusted keyboard:

Keyboard JitterBug eavesdropping
http://crashrecovery.org/internet/#jitter [crashrecovery.org]

where I may add that lock picking _ALSO_ has been the best hoax ever
on public display. Why? How many people today design their _OWN_
locksmith locks? All installed door-locks worldwide are somehow sold in
stores, hence their products and replacement keys are in the archives of
the local secret service.

Robert

Interesting (1)

springbox (853816) | more than 7 years ago | (#20124671)

Tobias says he refuses to publish details of 'defeating' the locks because they are used in places ranging from homes, banks and jewelers to the White House and the Pentagon. He asked AFP not to disclose how it is done.

I remember reading about how most locks can be easily defeated using a technique called bumping [wikipedia.org]. This site [toool.nl] also has PDFs and videos describing how it's done. Also searching Google for "bumping" gives you a lot of information on the subject, so unless this is something radically new, I don't understand what they're trying to hide.

For details... (3, Informative)

Stone Rhino (532581) | more than 7 years ago | (#20124713)

See Tobias's post on engadget a couple weeks ago: http://www.engadget.com/2007/07/19/the-lockdown-the-medeco-m3-meets-the-perilous-paper-clip/ [engadget.com]

Medeco offers several levels of key control to insure that its patent protected blanks cannot be copied, replicated or simulated. In many systems, proprietary keyways are available to further ensure that keys cannot be improperly compromised. Although the m3 is a very secure lock, we were able to simulate Medeco keys that can be made to bypass the keyway and slider protection of almost any system -- all without infringing on any Medeco intellectual property. It turns out that a standard paper clip will depress the slider precisely to the correct position. A wire or paper clip, fashioned as shown, is inserted into the keyway and wedged at the end of the body of the slider.

So, with a proper paperclip, you can eliminate the additional security and remove its advantages against certain types of attacks.