Personally I get more annoyed when reporters cover stories about "cyber attacks" but don't actually go into the details of what's going on -- because a DDoS is a completely different story from a SQL Injection.
The keys are being sold so cheaply that it is easier to just buy them online than to turn the published key image into your own copy: "UltimateSecurityDevices offers 1620 keys at $7.40 each for up to nine, and $6.66 each for 10 or more. Any order over $249 comes with a 10 percent discount."
EDIT: My point is that the cat is way, way, way out of the bag. Publishing the key image reduces the security of this key from 0.2% to 0.1%. It's already utterly destroyed.
Great point- it seems like the NY Post is following standard whitehat full disclosure procedures. My takeaway is that for any security vulnerability, as long as you append "because terrorism / for the children", you're in the clear.
Another point missed is that the lock mechanism on something like an elevator fire-service switch is not exactly robust, and a person determined to access it could probably do so quite easily with standard locksmith tools or even a screwdriver or pry tool.
The keys make casual mischief easier, but would not stop anyone more serious.
The keys make tampering much less noticeable. If you take a crowbar to a panel, someone will eventually see it and investigate. With a key you lock up after yourself and no one will know.
Actually looking at that key any cheap pick set or a couple of bobby pins and in a matter of seconds I could open and reclose the lock (without having ever seen the key). Surely any self respecting terrorist could figure that out too. If a cheap little lock is all that protects us from terrorism the danger level hasn't changed too much.
A paper clip and a binder clip are usually sufficient to open any keyed furniture lock in the office where you found the clips. It actually takes longer to bend the paper clip into the proper pick shape than it does to open the lock. You can also pick them back into the locked position afterward.
That's a case where having an actual key is less useful than knowledge of how the locks work, because the key won't actually open every lock in the office, whereas the clips will.
This is why you make a distinction between privacy locks and security locks.
Most of the locks in daily use by humans on this planet are barely better than privacy locks. I once unlocked the car, got in, and started it up before the country music station on the radio made me realize that my car was actually parked in the next space over in the parking lot. It was a different brand of GM car that coincidentally had exactly the same body style, paint color, and locks as mine.
After that, I thought about trying my key in every car in the parking lot, but I never quite overcame my fear of getting arrested for it.
There are keys which are simply used for tamper reduction. If you buy an RV in the United States, it will have lots of external compartments storage. These will likely all have the same key, as every other RV on the lot. Furthermore you can use your key to open all kinds of things! It's like a treasure hunt. Mysterious stainless steel panel on public restroom wall? Yep. Sprinkler controller? Yep.
And you can order them on Amazon for a wide variety of prices, depending on what function the are sold for. Sprinkler keys are cheapest. Security system keys are much more expensive. RV keys, in between. But all the same key.
I ordered some Torx TR bits to upgrade my Mac Mini, and now I've been noticing those screws everywhere too. I'm tempted to just start carrying a screwdriver around...
I had that experience a few years back, when I picked up a set of Torx TR bits for a college project. Almost temped to carry it around and randomly unscrew things just to say "Tamper-resistant? Ha!"
This article is not good. I, for one, applaud the NY Post for publishing the key. Back when we were all flipping out over electronic voting, I published a "how-to" on Ars for compromising various popular voting machines, complete with some codes and other instructions. It was so easy anyone could do it, and the piece was printed out and waved angrily at various hearings on CSPAN, and the end result was...
Well, actually, the end result was that some counties went back to mechanical, and some didn't, and today it's all still a mess and it's impossible to have any confidence that your vote was correctly recorded. And now, in the digital age, voting is probably just this cargo cult ritual that we all do to summon this "democracy" thing that our ancestors once encountered.
Anyway, my point is, just publish the key. That makes it harder for the people who are embarrassed by this and want to bury it to do so.
And now, in the digital age, voting is probably just this cargo cult ritual that we all do to summon this "democracy" thing that our ancestors once encountered.
If the current situation is a farce, what description does more than half of the population being disenfranchised deserve?
States with paper ballots and electronic tabulators shouldn't have too much problems with election integrity, the electronic results may be tampered with, but the paper trail is much harder to mess with.
I think there's an important difference between outright prohibiting someone from voting, and allowing them to vote but not counting it. If you prohibit someone from voting, at least they know it happened.
Paper trails are great, but are they checked frequently?
Yeah, the stated election process and actual election outcome have to both be considered, but my point was more that there aren't any good ol' days to harken back to when it comes to evaluating how egalitarian US elections are in practice.
Personally, I'm more concerned that parties have easier access to the ballot and that people are prevented from voting than I am with records tampering.
Agreed on both points. The potential for shenanigans with electronic voting machines is worrying, but it seems to be a mostly theoretical problem right now.
Maybe start from the assumption that the people designing election systems have considered someone printing extra ballots? The system I'm familiar with has safeguards to ensure that the only ballots that get counted come from eligible voters.
Unfortunately this is a false assumption to make. Yes, they may have considered it but ultimately there is increasingly very little that can be done to impede such fraud. Frank Abagnale explains how paper-based fraud is easier than it ever has been due to technological proliferation[1]
>You need a conspiracy at every precinct where you replace or introduce ballots.
Indeed. I'm not sure if you watched some of the clip I linked to but that it one of the things Abagnale speaks to. With decreasing budgets, increasing corruption, or a simple lack of ethics it is easy enough to compromise an individual and thus the whole system which they administer. Any social engineer will tell you it is far easier to hack a person than to hack a system.
This is why I would argue that a more automated electric system, one which relies on less human administrators, would would be more difficult for the average person to compromise than a paper-based system which relies on a higher number of human administrators.
So, the idea that "obscurity is not security" is not exclusive to security professionals. It is the justification that investigative journalists use on a daily basis in pursuing and publishing their stories. Next time you read an exposé of a government function, consider that the government at some point pressured the journalist to back off for "the sake of national security|the children"...assuming that the journalist isn't a total sociopath, we can give some benefit of the doubt and assume the reporter believes it's more important to expose government incompetence completely so that there's no turning back. That is almost certainly what the NYPost thought here...images draw attention. They also cost money to print, especially in full color on the inside pages. This wasn't an accident and the author of the critique shows his utter ignorance of civic institutions and bureaucracy.
It's not the newspaper's responsibility to keep secrets. That's actually pretty much the opposite of their responsibility. If the key was intended to be secret, then the organizations that use it should have done a better job keeping it that way.
Somewhat related, it wasn't that long ago that the TSA published their own master keys:
I did some video work in a couple of prisons. We had to sit with the prison security team afterwards and watch all the tapes looking for images of keys - they had already been burned to the £m before.
30 comments
[ 2.8 ms ] story [ 74.3 ms ] threadThe keys are being sold so cheaply that it is easier to just buy them online than to turn the published key image into your own copy: "UltimateSecurityDevices offers 1620 keys at $7.40 each for up to nine, and $6.66 each for 10 or more. Any order over $249 comes with a 10 percent discount."
EDIT: My point is that the cat is way, way, way out of the bag. Publishing the key image reduces the security of this key from 0.2% to 0.1%. It's already utterly destroyed.
The keys make casual mischief easier, but would not stop anyone more serious.
[1]: https://www.youtube.com/watch?v=ZUvGfuLlZus
That's a case where having an actual key is less useful than knowledge of how the locks work, because the key won't actually open every lock in the office, whereas the clips will.
This is why you make a distinction between privacy locks and security locks.
Most of the locks in daily use by humans on this planet are barely better than privacy locks. I once unlocked the car, got in, and started it up before the country music station on the radio made me realize that my car was actually parked in the next space over in the parking lot. It was a different brand of GM car that coincidentally had exactly the same body style, paint color, and locks as mine.
After that, I thought about trying my key in every car in the parking lot, but I never quite overcame my fear of getting arrested for it.
And you can order them on Amazon for a wide variety of prices, depending on what function the are sold for. Sprinkler keys are cheapest. Security system keys are much more expensive. RV keys, in between. But all the same key.
Well, actually, the end result was that some counties went back to mechanical, and some didn't, and today it's all still a mess and it's impossible to have any confidence that your vote was correctly recorded. And now, in the digital age, voting is probably just this cargo cult ritual that we all do to summon this "democracy" thing that our ancestors once encountered.
Anyway, my point is, just publish the key. That makes it harder for the people who are embarrassed by this and want to bury it to do so.
If the current situation is a farce, what description does more than half of the population being disenfranchised deserve?
States with paper ballots and electronic tabulators shouldn't have too much problems with election integrity, the electronic results may be tampered with, but the paper trail is much harder to mess with.
Paper trails are great, but are they checked frequently?
Personally, I'm more concerned that parties have easier access to the ballot and that people are prevented from voting than I am with records tampering.
[1]https://youtu.be/x0fEA0MsiV8?t=2266
You need a conspiracy at every precinct where you replace or introduce ballots.
I realize it isn't a perfect system, but you can't just fire up your laser printer and leave the extra ballots sitting outside the polling place.
Indeed. I'm not sure if you watched some of the clip I linked to but that it one of the things Abagnale speaks to. With decreasing budgets, increasing corruption, or a simple lack of ethics it is easy enough to compromise an individual and thus the whole system which they administer. Any social engineer will tell you it is far easier to hack a person than to hack a system.
This is why I would argue that a more automated electric system, one which relies on less human administrators, would would be more difficult for the average person to compromise than a paper-based system which relies on a higher number of human administrators.
Somewhat related, it wasn't that long ago that the TSA published their own master keys:
https://www.schneier.com/blog/archives/2015/09/tsa_master_ke...
And here's a case where a prison put a picture of their master key on the cover of a booklet given to every prisoner:
http://www.news.com.au/national/killer-escaped-prison-after-...
Mainstream media isn't showing their utter ignorance of security so much as showing everybody else's.