Creative destruction.

Quiet Babylon

Secure/Obscure

Wednesday October 14, 2009 || by Tim!

1.

A few years ago, I spent most of the summer sleeping on the floor of a friend’s kitchen. It was a lots-of-time, not-much-money sort of summer, so everyone was pretty excited when the set of lockpicks that he’d ordered off the Internet arrived. We went down to the hardware store and bought a vise, some wood, and 6 random locks. Brought the whole thing home, clamped it all down on the table and, armed only with a printout of MIT’s Guide to Lockpicking, settled in to try to teach ourselves the skill.

[Photo: Marblehead Barn Door. Creative Commons License, photo credit: snowriderguy]

We opened the first lock in under an hour.

He got it first, and it didn’t take long for me to catch up. The second lock came even quicker. Within an afternoon, all 6 had been defeated. Friends came over and we showed them. They learned in minutes. We had speed contests. It wasn’t quite Hollywood-style, shove-a-bobby-pin-in-the-door-and-you’re-in but it wasn’t far off either.

When someone picks a lock for the first time, you can see the dawning realization across their face. This is easy. It feels like a superpower. Suddenly, you are conscious of how many locked doors you pass every day. I could open any of those.

I remember looking at the 6 locks we’d bought, parts scattered amongst their packaging, boldly promising security and safety, each openable in under a minute.

“People secure their HOMES with these,” I said.

2.

And then I learned about bumping locks. And then Kryptonite turned out to be defeated by a Bic pen. And then Wired wrote about Marc Weber Tobias.

3.

Not too long ago, Google Street View debuted in Canada. Amidst the excitement and the I-can-see-my-house-from-here of my generally wired peers, there was one voice of dissent. We were catching up in a coffee shop and the subject came up.

“I think it’s creepy,” she said.

Creepy?

She worried about the fact that there were images of her house online now, that anyone could look up. What if someone used it to plan a crime? To pick a house? Didn’t they need her permission before they recorded everything?

I explained about privacy laws and how the exterior of your house is public, that we don’t need permission to record it. That this was necessary, because if I’d taken her photo right there, then behind her through the window, there would have been 4 households from which to obtain permission. That trying to shut something like that down would grind photography to a halt.

Besides, we already have access to satellite imagery that would make the 1950s CIA gasp – available for free and ad-supported. Besides, even if we shut down Street View, there are probably hundreds if not thousands of images of her house online. They aren’t easy to find yet, but software like Photosynth is changing that. They’re building 3D models of cities from Flickr data now.

4.

Online, security through obscurity is widely understood to be a terrible way to go about protecting your systems. The assumption has to be that someone will work out and exploit any weaknesses. The right approach is to actively seek and fix vulnerabilities, then publicize and patch them.

The reason for this is the multiplicative power of computers. It’s very easy to attempt cracking a computer and you can do it many times at once, limited only by bandwidth and processing power. With a botnet of previously compromised systems, that’s not much limit at all. It becomes a casual event, part of the background noise of the Internet. Computers are essentially bathed in a soup of attacks from the moment they are connected.

5.

Consider the arrest of steampunk anarchist Elliot “Dr. Calamity” Madison and friend during the G20 protests.

The pair were found sitting in front of a bank of laptops and emergency frequency radio scanners. They were wearing headphones and microphones and had many maps and contact numbers in the room.

Official police documents allege the two men used Twitter messages to contact protesters at the summit “and to inform the protesters and groups of the movements and actions of law enforcement”.

New York man accused of using Twitter to direct protesters during G20 summit

“It was all just publicly available information,” his defenders cry, “Since when is giving that out a crime?”

It’s an attitude that may help to drum up sympathy but that gives Calamity and friend far too little credit for all the effort that they were putting in. They weren’t dumb pipes. They were organizing, curating, filtering, and broadcasting. That’s real work and it shaped noise into valuable data for people on-the-ground (and prosecutors after-the-fact).

6.

Aircrack-ng is a suite of tools that allows you to determine a Wi-Fi network key by listening in on packets being broadcast between the router and logged-in computers. I’ve seen it in action. It takes only a few minutes to recover the password for a WEP wireless network. From there, you can log in just like a legitimate user. Unless the people who own the network are paying attention to the IP addresses of all the computers and number of active connections, they’ll never notice.

Most people couldn’t tell you their IP address. Or what one is.

7.

In the police’s complaint about Dr. Calamity, I hear the echoes of my friend’s concern about Street View. A great deal of the world of physical security relies on obscurity. A lot of the methods and information required to break into a building are publicly available, but there’s been widespread reliance on the fact that it’s hard to gather all of that information, harder still to do it in secret, and that there is substantial risk undertaken by the people who try to act on it.

That’s changing as more and more information is getting captured, organized, and distributed. The tools to sift through the data are getting more powerful, but the counter-measures for homeowners and private individuals aren’t necessarily catching up. How can they? How do you patch a lock?

The problems of digital security are coming to the physical world. Attacks will get cheaper, and so they can be more frequent and more casual. Smart homes and the Internet of things mean that more objects will be hybrids, vulnerable to physical and digital attack. Able to act both physically and digitally. Someone will hack your vacuum cleaner. Someone will use your sprinkler to access your bank records.

8.

The reason that consumer locks don’t need to be more pick- or bump-proof than they are now is that it’s generally easier to just smash a window.


|| Filed under: broken, infrastructure ||
  • Locks only keep honest people honest.

    Security measures are as effective as they are ever going to be just by existing. Like the 'SecureAlarm' sticker in my neighbour's front window, it doesn't have to be real to dissuade a non-threat.

    I have an eerily similar lockpick story. I spent a summer living alone in a giant Victorian mansion that would usually house nine, completely broke, writing a cemetery conservation plan in Peterborough. I decided I needed a hobby of some sort to keep me entertained between weekends... It was either learn to pick locks or order a clockwork repair kit.

    And, living alone, it completely freaked me out that it was so easy to get past what was my only line of defense.

    Bump keys require no skill; the path of least resistance stops being an incentive.

    At the highest levels of security, both online and in real life, only the most knowledgeable and skilled can be confident that their property is secure, and even then that confidence is poised to be shattered.

    I'd like to be ready for when online privacy issues invade real life, but like both online and in real life, I'll probably still rely heavily on statistical obscurity.

    As a heritage person I take a lot of pictures of other people's homes. As long as I'm on the street it's legal, but only because large scale, open projects like Google Streetview were (until recently) assumed too big to be viable. It's not too surprising that our personal security is disappearing as we become more of a global hivemind!
  • joshharle
    Tim; wow. This is very much in the vein of what I've been thinking recently. New tools for aggregating, sharing, and searching information while the world sits with its myriad of physical exploits (in the hacking sense).

    I generally think about it as the difference between Microsoft's Security through Obscurity, and the Linux model of what might be called publish-and-patch. The problem with the real world is that even if there was open discussion of security weaknesses, the actual physical investment needed to "patch" it is so much higher.

    Maybe the physical world will catch up at the point where CNC machines can immediately manufacture new parts, that can be swapped in!

    Regardless of the constellation of physical security systems we surround ourselves with, people will always be the number one security flaw. Why break a window or pick a lock, when you can knock on the door and con someone into giving you what you want? Maybe a more timely necessity is some sort of interpersonal virus and anti-malware agent; at some point in the drunken night your smartphone pipes up to let you know of the potential dangers of your encounter, or that you are about to emotionally and financially expose yourself to a manipulating bastard!