I was thinking about what to carry on the morning commute, in order to minimize weight. If I'm bringing my padlock for the gym locker, I might as well bring a cable for the bike, right? I have that huge black cable from when I was in high school... But it's so heavy. What about a lesser cable just for short-term use? I started doing some reading online. It appears that even the huge black cable I used to use is of little use for theft prevention, so quickly would it fall prey to either hacksaw or bolt cutter. And apparently you can't make too many assumptions about U-locks either, even after the Kryptonite debacle. It seems there are some "fake" ones that use pot metal or something in the U part and can be easily hacked through. Even barring that, the common ones can often be smashed or pried open. Only the expensive ones put up much resistance to the hammer and crowbar. Apparently a good chain is effective, but the good ones weigh a bit more than I'd like. So basically if you really don't want your bike stolen, use a high quality U-lock and a big chain with a good padlock. That way if a thief specializes in breaking through one of these (or if a basic technology failure is found), the presence of the other may present an impediment or at least sufficient inconvenience to deter. So yeah, defense in depth. Of course, if a person has a super expensive lightweight designer carbon fiber bike with titanium blahblah, as light as it can be, it's kind of funny to then go lugging around 10 pounds of lockup gear. Just for kicks, I do a web search for lightweight bike lock chain, and the first match is Amazon selling the little toy lock chains that you can rip open with your bare hands. Sigh.
When I had the house re-keyed, I asked whether they sold any locks that were bump-key resistant. None... At least the locksmith understood my question. I don't understand why they couldn't take a cheap household lock, bore out the tops of the pin chambers or whatever (to prevent at least one pin from reaching all the way to the bottom), and install serrated pins too just for the heck of it (to frustrate traditional picking). I'm tempted to go into locksmithing just to see how easy it would be to retrofit an ordinary lock for better security. You could maybe even use a section of ordinary machine screw for the serrated pin(s).
Then there's my garage door opener. I badly want to replace the control mechanism with something that uses challenge/response and public key crypto, rather than whatever garbage I know they're using (which is probably subject to simple replay attacks). It's not that I want people to break my windows, but it irks me that my garage door is easily opened.
A quick perusal suggests to me that the extent of the solution put forth by garage door manufacturers is "rolling codes" for which I suspect it's not all that difficult to determine the internal state vectors if you know the algorithm being used, which mostly just means you can determine the manufacturer based on an inspection of the signal transmitted. I'm guessing that an attacker just needs to borrow one of your remotes long enough to press it a few times, or use a high gain receiver near your house a few days. Lest the reader think I'm just being cynical and distrustful, here's a quote from an article in 2003 concerning a lawsuit by a garage door manufacturer to try to block the sale of replacement remote control units: "As implemented by Chamberlain in its Liftmaster Security+ line of garage door openers, the remote and the receiver keep internal counters that begin in synch, and are incremented by a constant value (three) each time the door is opened..."
It actually gets worse, due to some exemptions made to allow for resynchronizing in case you press the remote button a bunch while out of range, but the height of stupidity is when the prosecution claims that the defense's device rendered the security of their system useless, which it already was. Essentially, it's just what I feared: you just need to eavesdrop to determine the preprogrammed identity number, and then as far as the rolling security code goes, it can be easily dispensed with. Contrast this with the impressive marketing lies: "Billions of code combinations are randomly chosen by your rolling code system. This makes it impossible to capture your code into any kind of code grabber system used by a thief." Yah, impossible. Hmph.
There are two armies that oppose each other. One of them thinks that corporate America can't be trusted. The other thinks that big government can't be trusted. What these fools don't realize is that they're both correct.
I wouldn't mind so much about the garage doors but for the fact that this situation could have been avoided by basic education in modern crypto theory. We have the technology to solve these problems more effectively, but don't use it. Fortunately it's just a garage door and not a banking interface connected to the world wide web.
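Added example (not from the original post, and not any manufacturer's actual protocol): a toy Python model of the counter scheme as the quoted article describes it, next to a nonce-based challenge/response. The 16-press resync window, the ID `0x1234` and the counter values are assumptions, and HMAC with a shared key stands in for the public-key variant the post wishes for.

```python
import hashlib
import hmac
import secrets

STEP = 3      # constant increment, taken from the description quoted above
WINDOW = 16   # assumed: how many missed presses the receiver tolerates

class CounterReceiver:
    """Modelled counter scheme: fixed identity number plus a stepping counter."""
    def __init__(self, remote_id, counter):
        self.remote_id, self.counter = remote_id, counter

    def accept(self, remote_id, code):
        ahead = code - self.counter
        ok = (remote_id == self.remote_id and 0 < ahead <= STEP * WINDOW
              and ahead % STEP == 0)
        if ok:
            self.counter = code   # resynchronise to the newest code seen
        return ok

def respond(key, nonce):  # remote side: keyed MAC over the receiver's nonce
    return hmac.new(key, nonce, hashlib.sha256).digest()

class ChallengeReceiver:
    """Receiver that issues a fresh random nonce for every opening."""
    def __init__(self, key):
        self.key, self.nonce = key, None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def accept(self, response):
        if self.nonce is None:
            return False
        expected, self.nonce = respond(self.key, self.nonce), None  # single use
        return hmac.compare_digest(expected, response)

def compare_schemes():
    """Return (replay_ok, next_code_ok, stale_response_ok); sample values are constructed."""
    rx = CounterReceiver(remote_id=0x1234, counter=300)
    rx.accept(0x1234, 303)                        # legitimate press, observable on the air
    replay_ok = rx.accept(0x1234, 303)            # same frame again: counter has moved on
    next_code_ok = rx.accept(0x1234, 303 + STEP)  # computed from the observed one
    crx = ChallengeReceiver(secrets.token_bytes(32))
    recorded = respond(crx.key, crx.challenge())  # what a listener could record
    crx.challenge()                               # next opening gets a new nonce
    stale_response_ok = crx.accept(recorded)      # recorded answer no longer matches
    return replay_ok, next_code_ok, stale_response_ok
```

In the counter model the exact replay is rejected but the next code is accepted, because nothing secret goes into computing it; in the challenge/response model a recorded answer is useless once the nonce changes.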
Well, I guess that came out a big negative. Oops. Is it better to remain silent?