Earler this month Slashdot announced the publication of Matt Blaze's new paper Safecracking for the Computer Scientist (.pdf, 2.5 MB). Bruce Schneier's blog pointed me to an alt.locksmithing thread where locksmiths debate full disclosure in light of Matt's article.

The thread starts with the usual defense of "security through obscurity" one might expect:

"As many of you know Matt Blaze a professor at Pennsylvania University has published an article that reveals proprietary techniques of safe penetration. It was featured on well known hacker website recently, and it came to our attention on Saturday. It includes information normally reserved to the trade, for good reasons that need not be discussed here. The article is available to the general public without any restrictions whatsoever. We as professionals in the security field are outraged and concerned with the damage that the spread of this sensitive information will cause to security and to our profession."

Here is an educated response to this foolish opinion:

"I think you meant to say: We have to nip it in the bud or soon there will be no __APPEARANCE_OF__ security left. This is so silly on so many levels. You sell a product that has known deficiencies so that you can break in when you need to. Then you act like it's a big deal when someone talks about it! On top of that you act like it's a matter of national security when, in fact, it changes nothing.

It does not take a brain surgeon to figure out that anyone can buy a safe, disassemble it and figure out it's weaknesses. The fact that every single copy of model X is built the same way is planned insecurity. Now THAT's a crime. That they are sold as secure when they are not is a crime.

If you want to get Blaze to protect your job, that's understandable. To villify him for openly discussing what is known within the industry to be common shortcomings is shear hypocrisy.

I'm still waiting for SCHLAGE to notify folks that it's recalling their defective entry locks. Wait, they can't so that without disclosing that they are insecure, so only the locksmiths and burglers know."

One response shows that lock vendors are acting exactly like software vendors not held accountable for producing flawed software:

"The fact of the matter is the lock manufactuers, Ingersol Rand and Black and Decker being the two largest ones here in the states, dont want to spend a dollar or two more on their locks to improve them. They would rather put out pot metal junk that offers only a since of security. If the public in general only knew what I know, that being the fact that Kwikset and Titan locks are junk, the famous Schlage 'Maximam Security Deadbolt' is pot metal, Yale is no longer up to par, Sentry safes are worthless."

For a 1991 document on picking locks, check out the Guide to Lock Picking, hosted at a real "hacker site" -- MIT.

Comments

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics