Secure/Obscure


1.

A few years ago, I spent most of the summer sleeping on the floor of a friend’s kitchen. It was a lots-of-time, not-much-money sort of summer, so everyone was pretty excited when the set of lockpicks that he’d ordered off the Internet arrived. We went down to the hardware store and bought a vise, some wood, and 6 random locks. We brought the whole thing home, clamped it all down on the table and, armed only with a printout of MIT’s Guide to Lockpicking, settled in to try to teach ourselves the skill.

[Photo: Marblehead barn door. Creative Commons License, photo credit: snowriderguy]

We opened the first lock in under an hour.

He got it first, and it didn’t take long for me to catch up. The second lock came even quicker. Within an afternoon, all 6 had been defeated. Friends came over and we showed them. They learned in minutes. We had speed contests. It wasn’t quite Hollywood-style, shove-a-bobby-pin-in-the-door-and-you’re-in but it wasn’t far off either.

When someone picks a lock for the first time, you can see the dawning realization across their face. This is easy. It feels like a superpower. Suddenly, you are conscious of how many locked doors you pass every day. I could open any of those.

I remember looking at the 6 locks we’d bought, parts scattered amongst their packaging, boldly promising security and safety, each openable in under a minute.

“People secure their HOMES with these,” I said.

2.

And then I learned about bumping locks. And then Kryptonite turned out to be defeated by a Bic pen. And then Wired wrote about Marc Weber Tobias.

3.

Not too long ago, Google Street View debuted in Canada. Amidst the excitement and the I-can-see-my-house-from-here of my generally wired peers, there was one voice of dissent. We were catching up in a coffee shop and the subject came up.

“I think it’s creepy,” she said.

Creepy?

She worried about the fact that there were images of her house online now, that anyone could look up. What if someone used it to plan a crime? To pick a house? Didn’t they need her permission before they recorded everything?

I explained about privacy laws and how the exterior of your house is public, that we don’t need permission to record it. That this was necessary, because if I’d taken her photo right there, then behind her through the window, there would have been 4 households from which to obtain permission. That trying to shut something like that down would grind photography to a halt.

Besides, we already have access to satellite imagery that would make the 1950s CIA gasp — available for free and ad-supported. And even if we shut down Street View, there are probably hundreds if not thousands of images of her house online. They aren’t easy to find yet, but software like Photosynth is changing that. They’re building 3D models of cities from Flickr data now.

4.

Online, security through obscurity is widely understood to be a terrible way to go about protecting your systems. The assumption has to be that someone will work out and exploit any weaknesses. The right approach is to actively seek and fix vulnerabilities, then publicize and patch them.

The reason for this is the multiplicative power of computers. It’s very easy to attempt to crack a computer, and you can do it many times at once, limited only by bandwidth and processing power. With a botnet of previously compromised systems, that’s not much of a limit at all. Attacking becomes a casual event, part of the background noise of the Internet. Computers are essentially bathed in a soup of attacks from the moment they are connected.
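To show what that background noise looks like from the defender’s side, here is an added example (mine, not the author’s) that counts failed SSH logins per source address over a few constructed sshd log lines. The hostnames, addresses, timestamps and the threshold are all invented for the illustration; the point is that automated guessing stands out from an ordinary typo because one source tries many usernames in a short span.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd log lines in syslog format. Not a real capture;
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Oct  5 14:02:11 web1 sshd[2141]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  5 14:02:13 web1 sshd[2141]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Oct  5 14:02:15 web1 sshd[2143]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct  5 14:02:16 web1 sshd[2145]: Failed password for invalid user oracle from 203.0.113.7 port 51241 ssh2
Oct  5 14:02:18 web1 sshd[2147]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Oct  5 14:03:01 web1 sshd[2150]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:placeholder
Oct  5 14:05:40 web1 sshd[2160]: Failed password for alice from 198.51.100.44 port 33001 ssh2
Oct  5 14:05:47 web1 sshd[2160]: Accepted password for alice from 198.51.100.44 port 33001 ssh2
Oct  5 14:07:02 web1 sshd[2170]: Failed password for invalid user pi from 192.0.2.99 port 60001 ssh2
Oct  5 14:07:03 web1 sshd[2172]: Failed password for invalid user ubnt from 192.0.2.99 port 60002 ssh2
Oct  5 14:07:04 web1 sshd[2174]: Failed password for invalid user guest from 192.0.2.99 port 60003 ssh2
"""

# Matches the "Failed password" line sshd writes for both known and unknown users.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(lines):
    """Yield (source_ip, username, was_invalid_user) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), bool(m.group("invalid"))


def summarize_failures(log_text):
    """Count failures per source address and collect the usernames each source tried."""
    counts = Counter()
    users = defaultdict(set)
    for ip, user, _ in parse_failed_logins(log_text.splitlines()):
        counts[ip] += 1
        users[ip].add(user)
    return counts, users


def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures spread over more than one
    username look like automated guessing rather than a person mistyping.
    The threshold is an assumption chosen for this sample."""
    counts, users = summarize_failures(log_text)
    return sorted(
        ip for ip, n in counts.items()
        if n >= threshold and len(users[ip]) > 1
    )


if __name__ == "__main__":
    counts, users = summarize_failures(SAMPLE_AUTH_LOG)
    for ip in noisy_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {counts[ip]} failures, usernames tried: {sorted(users[ip])}")
```

On the sample, two sources are flagged and the single failed attempt by `alice` (who then logged in) is not. On a real host the same counting is what tools like fail2ban do before blocking a source; the lesson of the passage is that these lines appear on any reachable machine whether or not anyone is reading them.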

5.

Consider the arrest of steampunk anarchist Elliot “Dr. Calamity” Madison and friend during the G20 protests.

The pair were found sitting in front of a bank of laptops and emergency frequency radio scanners. They were wearing headphones and microphones and had many maps and contact numbers in the room.

Official police documents allege the two men used Twitter messages to contact protesters at the summit “and to inform the protesters and groups of the movements and actions of law enforcement”.

New York man accused of using Twitter to direct protesters during G20 summit

“It was all just publicly available information,” his defenders cry, “Since when is giving that out a crime?”

It’s an attitude that may help to drum up sympathy but that gives Calamity and friend far too little credit for all the effort that they were putting in. They weren’t dumb pipes. They were organizing, curating, filtering, and broadcasting. That’s real work and it shaped noise into valuable data for people on-the-ground (and prosecutors after-the-fact).

6.

Aircrack-ng is a suite of tools that allows you to determine a Wi-Fi network key by listening in on packets being broadcast between the router and logged-in computers. I’ve seen it in action. It takes only a few minutes to recover the password for a WEP wireless network. From there, you can log in just like a legitimate user. Unless the people who own the network are paying attention to the IP addresses of all the computers and the number of active connections, they’ll never notice.

Most people couldn’t tell you their IP address. Or what one is.
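The one detection the passage leaves to the network owner is noticing an extra device. Here is an added example (mine, not the author’s) of that check: it parses the neighbour table a Linux host or router prints with `ip neigh show`, counts the live hosts, and lists any whose hardware address is not in a household inventory. The table contents, the inventory and the MAC addresses are all constructed for the illustration.

```python
import re

# Constructed sample of `ip neigh show` output. Not a real capture; the MAC
# addresses set the locally administered bit so they match no vendor range.
SAMPLE_NEIGH = """\
192.168.1.10 dev wlan0 lladdr 02:00:00:00:00:0a REACHABLE
192.168.1.11 dev wlan0 lladdr 02:00:00:00:00:0b STALE
192.168.1.12 dev eth0 lladdr 02:00:00:00:00:0c REACHABLE
192.168.1.37 dev wlan0 lladdr 02:00:00:00:00:25 REACHABLE
192.168.1.50 dev wlan0  FAILED
"""

# The inventory the household keeps: MAC -> friendly name (constructed).
KNOWN_DEVICES = {
    "02:00:00:00:00:0a": "laptop",
    "02:00:00:00:00:0b": "phone",
    "02:00:00:00:00:0c": "desktop",
}

# One neighbour-table line; `lladdr` is absent when resolution failed.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-fA-F:]{17}))? +(?P<state>[A-Z]+)$"
)

# Cache states that mean the host answered recently (or is being re-checked).
LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE"}


def parse_neigh(text):
    """Turn neighbour-table text into a list of dicts; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEIGH_RE.match(line)
        if m is None:
            continue
        entries.append({
            "ip": m.group("ip"),
            "dev": m.group("dev"),
            "mac": m.group("mac").lower() if m.group("mac") else None,
            "state": m.group("state"),
        })
    return entries


def active_entries(entries):
    """Entries that resolved to a hardware address and are in a live state."""
    return [e for e in entries if e["mac"] and e["state"] in LIVE_STATES]


def unknown_devices(text, known=KNOWN_DEVICES):
    """Active neighbours whose hardware address is not in the inventory."""
    return [e for e in active_entries(parse_neigh(text)) if e["mac"] not in known]


def report(text, known=KNOWN_DEVICES):
    """Summary a homeowner could glance at: how many hosts are live, and which are strangers."""
    active = active_entries(parse_neigh(text))
    unknown = unknown_devices(text, known)
    return {
        "active_hosts": len(active),
        "unknown": [(e["ip"], e["mac"], e["dev"]) for e in unknown],
    }


if __name__ == "__main__":
    summary = report(SAMPLE_NEIGH)
    print(f"{summary['active_hosts']} live hosts")
    for ip, mac, dev in summary["unknown"]:
        print(f"unknown device {mac} at {ip} on {dev}")
```

The check is only as good as the inventory, and a hardware address can be cloned, so it catches the casual joiner rather than a careful one. The durable fix for the network in the passage is not monitoring at all but retiring WEP for WPA2 or WPA3, which removes the weakness the sniffing relies on.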

7.

In the police’s complaint about Dr. Calamity, I hear the echoes of my friend’s concern about Street View. A great deal of the world of physical security relies on obscurity. A lot of the methods and information required to break into a building are publicly available, but there’s been widespread reliance on the fact that it’s hard to gather all of that information, harder still to do it in secret, and that there is substantial risk undertaken by the people who try to act on it.

That’s changing as more and more information is getting captured, organized, and distributed. The tools to sift through the data are getting more powerful, but the counter-measures for homeowners and private individuals aren’t necessarily catching up. How can they? How do you patch a lock?

The problems of digital security are coming to the physical world. Attacks will get cheaper, and so they can be more frequent and more casual. Smart homes and the Internet of things mean that more objects will be hybrids, vulnerable to physical and digital attack and able to act both physically and digitally. Someone will hack your vacuum cleaner. Someone will use your sprinkler to access your bank records.

8.

The reason that consumer locks don’t need to be more pick- or bump-proof than they are now is that it’s generally easier to just smash a window.