
SoylentNews is people

posted by mrpg on Thursday May 09 2019, @02:33AM
from the no-battery dept.

Submitted via IRC for Runaway1956

Tenants at a property in New York City just struck a deal in what is both a wildly reasonable ask but also a crucial precedent at a time of increasing surveillance—their landlord has to give them physical keys to their building.

Five tenants in Hell’s Kitchen sued their landlord in March after the owners installed a Latch smart lock on the building last year. It is unlocked with a smartphone, and reportedly granted tenants access to the lobby, elevator, and mail room. But the group that sued their landlords saw this keyless entry as harassment, an invasion of privacy, and simply inconvenient.

“We are relieved that something as simple as entering our home is not controlled by an internet surveillance system and that because we will now have a mechanical key they will not be tracking our friends and our family,” 67-year-old tenant Charlotte Pfahl, who has lived in the building for 45 years, told the New York Post.

Source: After Smart Lock Allegedly Traps Senior in Apartment, Tenants Sue for Physical Keys and Win


  • (Score: 2) by darkfeline on Thursday May 09 2019, @04:02AM (18 children)

    by darkfeline (1030) on Thursday May 09 2019, @04:02AM (#841188) Homepage

    I would recommend learning lockpicking for the sole purpose of understanding just how little security traditional pin and tumbler locks provide.

    I would very much trust a digital lock over a physical one, given that the digital lock is FOSS and properly designed which admittedly is asking for a lot.

    The physical part of the lock is always the biggest weak point. Cryptography when done well is mathematically unbreakable within a reasonable time frame. But no physical lock is unpickable or unbypassable.

    I think it'd be awesome if someone came up with a reliable FOSS digital lock design that could be used everywhere. It would drastically increase security (but again, the physical parts of the lock/door/walls are still weak points).

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 5, Insightful) by Arik on Thursday May 09 2019, @04:16AM (7 children)

    by Arik (4543) on Thursday May 09 2019, @04:16AM (#841196) Journal
    "The physical part of the lock is always the biggest weak point. Cryptography when done well is mathematically unbreakable within a reasonable time frame. But no physical lock is unpickable or unbypassable."

    Correct. And any lock which protects real (rather than virtual) property has to be a physical lock, even if it has a virtual component - it can still be picked or bypassed.

    You don't make it more secure by adding a second vector of attack, even if it is one that's truly impossible to exploit, you still haven't improved security at all. Because no matter how secure your cryptography is, I can simply ignore it and focus on the physical lock.

    And of course that's all in fantasy world where these things are done right. In the real world that virtually never happens. Why would the company spend a lot of money on really improving security? Their development budget is obviously better spent on making sure their products spy on the buyers. THAT's something they can make money on.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 3, Interesting) by darkfeline on Thursday May 09 2019, @07:11AM (6 children)

      by darkfeline (1030) on Thursday May 09 2019, @07:11AM (#841228) Homepage

      >And any lock which protects real (rather than virtual) property has to be a physical lock, even if it has a virtual component - it can still be picked or bypassed.

      No it can't be picked, as there's no keyhole of any kind. It can be bypassed, but that is easier to secure relative to a keyhole. You can always saw through a deadbolt, but that's way more effort/energy/brute force than picking a keyhole.

      Consider an idealistic lockbox. There's always a physical attack: drills, saws, etc. If the lockbox uses some sort of physical key, you can always pick it and that will generally be easier. Of course, more expensive locks will be harder to pick, but it will always be physically possible.

      But if the lockbox uses an ideal digital lock, it can't be picked. It can still be breached physically, but you're not defeating math.

      A digital lockbox is strictly theoretically superior to a physical lockbox. Of course, practice is different from theory; so far it is far more practical to build a secure and cheap physical lockbox than a digital one, and that's why I expressed hope in engineering progress that would allow a digital lockbox to be viable.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 3, Informative) by Arik on Thursday May 09 2019, @11:35AM (4 children)

        by Arik (4543) on Thursday May 09 2019, @11:35AM (#841293) Journal
        "No it can't be picked, as there's no keyhole of any kind. "

        Yeah, that's not actually a requirement. As an example, many electronic locks with no keyhole are nonetheless easily pickable using a magnet. If you can manipulate the tumblers (or whatever are passing for them in the design) from the outside, then you can pick the lock, keyhole or no keyhole.

        "But if the lockbox uses an ideal digital lock, it can't be picked. It can still be breached physically, but you're not defeating math."

        It can still be picked, that part I must simply disagree with. The second part? Maybe true but that's not the point. I don't want to defeat math, I just want (hypothetically) to get past the lock.

        https://www.youtube.com/watch?v=2KSoPIeN9wY picking a digital lock with no keyhole, using a magnet.

        --
        If laughter is the best medicine, who are the best doctors?
        • (Score: 2) by c0lo on Thursday May 09 2019, @12:56PM (3 children)

          by c0lo (156) Subscriber Badge on Thursday May 09 2019, @12:56PM (#841306) Journal

          >picking a digital lock with no keyhole, using a magnet.

          Not all models of digital lock have the same weakness. One can design a digital lock impervious to any magnet.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 2) by Arik on Thursday May 09 2019, @02:03PM (2 children)

            by Arik (4543) on Thursday May 09 2019, @02:03PM (#841325) Journal
            Not all models have the same weakness, no. But the claim that they are as a class immune to being picked simply doesn't stand up.

            In the case I cited, you can (at considerable expense) have those locks retrofitted with non-ferrous replacement parts to prevent this from working. Rarely done, but that's beside the point.

            Is the lock unpickable after the modification? No. That's fallacious logic. Just because you don't know immediately *how* to pick it, doesn't mean it can't be picked. It's a physical lock, it has somewhere in it at least one tumbler, and if you can by any means move the tumbler(s) into place you have picked it. It may be practically impossible to pick it (at least right up until the moment someone finds a way) but the idea that *as a class* you can say they aren't pickable is not good. Exactly the sort of thinking that leads to nearly every electronic lock being quite easy to circumvent.
            --
            If laughter is the best medicine, who are the best doctors?
            • (Score: 2) by c0lo on Thursday May 09 2019, @03:22PM (1 child)

              by c0lo (156) Subscriber Badge on Thursday May 09 2019, @03:22PM (#841363) Journal

              Nitpicking (no I didn't change topics)

              >In the case I cited, you can (at considerable expense) have those locks retrofitted...

              Naaahhh, the approach is to just sell a higher security higher price model with pre-fitted non-ferrous components. Brass is good enough.

              >Is the lock unpickable after the modification? No. That's fallacious logic.

              Strictly speaking, yes. Just because lock picking is a term that applies to key operated locks.
              E.g. opening the code lock of safe is usually named safe cracking [wikipedia.org]

              >It's a physical lock, it has somewhere in it at least one tumbler, and if you can by any means move the tumbler(s) into place you have picked it.

              Wanna bet?

              Look, I'm gonna use a simple crossbar latch mechanism embedded into the door - you'll agree that a latch is a door lock. Except I'll add a minor modification: the latch is kept into locked position by a hydraulic piston that's inaccessible to the hardened side.
              If you wanna open from inside, you just rotate a ball valve which allows the hydraulic oil to flow into a small reservoir and you can open the latch by pulling the inside lever.

              On the outside/hardened side, you have the digital pad to enter your code - if accepted, a battery operated circuit opens the valve. If not, the valve remains closed and the force you need to apply against the hydraulic pressure is higher than the break point of the outside lever of the latch.

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
              • (Score: 2) by Arik on Thursday May 09 2019, @04:02PM

                by Arik (4543) on Thursday May 09 2019, @04:02PM (#841374) Journal
                "Naaahhh, the approach is to just sell a higher security higher price model with pre-fitted non-ferrous components. Brass is good enough."

                Both options are available, both are rare. Not only because of substantially increased cost of purchase, but also TCO. Because when you *need* the locksmith to gain access to it, his quickest and easiest way to access it is removed.

                But, that doesn't mean he won't be able to do the job. It will just take him a little longer. And if the locksmith can do it, then it's also possible for an adversary to do it.

                This is a fundamental paradox of security in all its forms. Anything perfectly secure would also be perfectly impossible to maintain. The first time there's a malfunction, forget it, you can't break in to fix it. Manufacturers aim to make money, and they balance the possibility of bad reviews and other fallout from less secure products against the increased support costs etc. that result when the idiot buyer inevitably locks himself out and demands they fix it. The latter turns out to be much more frequent and important than the former.

                "Strictly speaking, yes. Just because lock picking is a term that applies to key operated locks.
                E.g. opening the code lock of safe is usually named safe cracking [wikipedia.org]"

                I wasn't talking about safe cracking though, it's still quite possible it might be picked. Just because no one you or I are aware of at the moment doesn't mean no one has, and even if no one has, someone might later. It's the same situation as with the steel one, before the magnet trick got out and it was presumed unpickable. And yet it turns out to be one of the easiest locks ever made. Slap a $20 magnet on the side and what is effectively a single tumbler is picked in the blink of an eye. Extremely convenient for the locksmith, and for the idiot customer who's probably a lot more likely to lock himself out than to see an attempted burglary thwarted by the lock.

                Anyway, once you replace it with brass, the magnet doesn't work, but that doesn't mean it's unpickable. It just means we're waiting to see how it will be done.

                --
                If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by DannyB on Thursday May 09 2019, @02:33PM

        by DannyB (5839) Subscriber Badge on Thursday May 09 2019, @02:33PM (#841334) Journal

        >No it can't be picked, as there's no keyhole of any kind. It can be bypassed, but that is easier to secure relative to a keyhole.

        The best remedy for that in the true spirit of IoT is to provide a USB port.

        --
        The lower I set my standards the more accomplishments I have.
  • (Score: 1, Insightful) by Anonymous Coward on Thursday May 09 2019, @04:27AM

    by Anonymous Coward on Thursday May 09 2019, @04:27AM (#841199)

    The pin and tumbler lock may not provide much security, but it provides the ability to unlock your door with purely mechanical means, independent of electricity and spy services.
    The real security is provided by the Smith and Wesson behind the door.

  • (Score: 0) by Anonymous Coward on Thursday May 09 2019, @06:58AM (2 children)

    by Anonymous Coward on Thursday May 09 2019, @06:58AM (#841224)

    >I would recommend learning lockpicking

    Are there any good online resources you know to illustrate the subject?

    • (Score: 2) by Farkus888 on Thursday May 09 2019, @07:28AM

      by Farkus888 (5159) on Thursday May 09 2019, @07:28AM (#841236)

      Google lock sport and/or locksport. There isn't much cruft on this subject. Picks are cheap, your real expense will be a collection of locks to play with. Buy some CHEAP locks to start. They will be easier and you don't want to start with the hardest lock. You can get there with practice but you don't want to get discouraged and quit before you've started.

    • (Score: 2) by Runaway1956 on Thursday May 09 2019, @01:47PM

      by Runaway1956 (2926) Subscriber Badge on Thursday May 09 2019, @01:47PM (#841318) Journal

      Youtube has a number of videos on the subject. I've watched several over the years. If you browse around, you'll learn that there is a brand of padlock, and a brand of doorlocks from Europe which are very nearly unpickable. Common Master padlocks and their like? I pick those routinely. Door locks in the US have some really crappy brands, and some less crappy brands, but most can be opened pretty easily. Many that are hard to "pick" are vulnerable to opening with a small, flimsy screw driver. Where there's a will, there's a way. It's funny to see a high dollar lock used to lock a door with a flimsy door frame, where you can insert a sturdy screwdriver, and pry the doorframe sideways, enough to allow the door to open.

  • (Score: 4, Insightful) by ledow on Thursday May 09 2019, @08:10AM (3 children)

    by ledow (5567) on Thursday May 09 2019, @08:10AM (#841245) Homepage

    I would recommend learning carpentry because you can drill around anything in a door within seconds.

    Tumbler locks aren't secure - neither are maglocks, electric strikes, or anything else that you would need to implement to replace them. They're not supposed to be. Like car doors, they only need be "secure enough", which can literally mean holding out against a simple attack for 30 seconds in the car industry.

    Physical locks are there for insurance purposes. You have to prove forced entry for your insurance to actually pay out, generally. Just enough to prove that you didn't leave the door open, let the burglar in yourself, or that you didn't take the locks off the doors entirely. That's all a physical lock is there for... most doors can be put through in seconds, and often the wall next to the door is even less secure than the door itself.

    Door locks are convenient, passive security against untargeted and unprepared attacks (i.e. no screwdriver on you) designed to make you cause damage to effect entry. That's all they are. That's all they've ever been. That's all they can be - smart or not. A "British Standard" lock is a prerequisite of almost all insurance in my country, and I tell you now that that doesn't mean much.

    I manage the access control systems at my workplace. I guarantee you that I can get into any site that uses those same manufacturer's products without causing physical damage. They have network connectivity, tamper sensors, centralised reporting, web accessibility, hi-security fobs, etc. but I tell you now that I could tamper with a reader by carrying a single Allen key, not set off the tamper alert, then cause the system to open the doors. Once in, I stand a good chance of actually getting to the controller units and then opening every door across the site.

    I know for a fact that the exact system I have, with the same hardware, in the same configurations, is used at a local RAF base because it has a number of security features (encrypted communications, lockdown functionality, etc.). The controller units cost nearly £1000 each. It's not an off-the-shelf system, it's quite advanced. But I bet I could get into any site that had it. The reason I wouldn't is that it would be burglary.

    If I know, then damn sure most people with that system know, and DAMN sure all the installers and anyone who's security tested it knows. Now, without being on site, I can tell you the port to scan for remotely, I can describe the data format, I can describe how to fabricate an "all doors open" emergency alert packet. I need only run a cloud-based port scan and I'd likely find a bunch of places that were exposing their system to the net for precisely this kind of "app" functionality... the systems are often all web-based and used for things like visitor management and remote-site-management, and I guarantee you I'd find some "interesting" sites that were running that hardware and exposing the functionality to the net, and cause problems.

    Not because the locks are "insecure". They are, but that's beside the point (most door-strike locks can be convinced to not lock properly and many lack any kind of "door is actually closed" sensor, so you can rig them with primitive wedges so that once a cardholder accesses them, the door "looks" shut but is actually open until you come along and remove the rig).
    Not because the communications are poorly encrypted. They are (the one I know uses Java code, fixed keys, broadcast UDP, and insecure cryptography across the network).
    But because having stuff online, and having it fitted by the local locksmith who knows bugger-all about the system and just fits the door locks and wires it up to the net is a FAR FAR FAR bigger hole than someone who has to spend 30 seconds bumping the lock tumblers.

    And I'll be honest - I have a specialist contractor who deals *only* in these systems, only from the one manufacturer, who are huge, global and do nothing else. And I tell you now - I know more about the insecurities of that system than they do, I have actually been asked to sell my software solutions to them for the system (because the original manufacturer excluded certain functionality which you can directly code yourself against the exposed local network API), and I can tell you now that their engineer likes to have an entry on the system for himself with a number of fobs assigned despite having nothing to do with the site itself (guess how I know that, guess who turned them off!).

    Just because something is electronic does not mean it's better. You're placing your house security on a 12v solenoid. No different to the one in your car's central locking. And like the one in your car's central locking, bypassable in a matter of seconds for a professional even if the system is "flawless" in terms of electronic security (which it won't be).

    Now... many, many, many places do that - from prisons to military bases to shops and warehouses. It's fine. Because you *don't* rely on that 12v solenoid to keep you secure. You never do. You rely on it being something that someone has to hack or force in order to get past it. That's its purpose. A damage canary.

    My house had not only physical locks but electronic locks. But I tell you now that the electronic locks are the ones that I assume will be bypassed (even with battery backup, RFID fobs, etc.). I only ever electronically locked my side-gate, so that my ex could cycle her bike straight in if it was raining, and we could put the bins out and put them back without having to carry another key. But the house had ordinary physical locks.

    My neighbours were *both* burgled in targeted burglaries within a six-month period. Both times by jumping the fence, going round the back, smashing a window quietly (I think they may have dampened the smash with a towel or something similar).

    What kept them away from the house in the middle?

    Big tough strong smart-locks they couldn't bypass? No.
    An alarm that went off loudly around the neighbourhood? It may have helped my neighbours, but no. An alarm goes off almost every day, by the time anyone does anything, they are long-gone.
    Cameras? I had them, they didn't. They are easily bypassed and often useless. We actually had footage of our neighbour's burglars but it wasn't convictable. But I can monitor them remotely, I actually loaded them onto my iPad in work and they were always in front of me - very handy for seeing whether my Amazon parcel was delivered yet, or what twat keeps parking in front of my drive.
    Tough doors and security bolts? No. For my neighbours they smashed a window round the back and literally NOBODY heard, not even the next-door-neighbour (just feet away) in their garden at the time.

    What kept them away? Luck and looks. Cameras, sensors, electronic locks, and signs. "This one won't be easy". I imagine a large expensive apartment building with multiple keys for entry is not an easy burglary target either.

    Combined with the fact that I expect them to bypass the locks, so the insides were also camera'd and the alarm notified the only person who ever actually cared about my house being burgled - me. GSM alarms are far better than anything that just sounds an alarm. Only you know if it's the cat (especially if you can see the cameras) or a cat burglar. Only you know if your guests have just forgotten about the alarm. Only you will call the police if it's actually a crime in progress... never rely on your neighbours to do so, they are fobbed off so easily and often just don't care about yet-another-alarm! And only you stand to benefit if you stop the burglars in their tracks.

    Most of the "house security" market is a con. They aren't there to "secure" you. That's incredibly expensive, incredibly difficult and incredibly labour-intensive. Cameras can be disabled or obscured quite easily. Locks can be bypassed or destroyed. Doors themselves are weak and vulnerable. And most burglars probably use the window anyway. Alarms only work if monitored (so obviously they charge you a fortune to monitor them, while disclaiming any responsibility if they don't notice).

    A physical lock is not your weak point, nor some closed-source blob in a lock firmware. Thinking it is shows a complete misunderstanding of actual security.

    But a physical lock costs £20 a door, a few quid to cut some keys, leaving lots of money for cameras and staff. A digital one, properly installed, secured, monitored, serviced and linked to all the necessary doors costs thousands and thousands and thousands. And is no more secure.

    You're spending your money on the wrong things. And I speak as someone who just yesterday was just given several thousand pounds worth of up-to-date access control kit that was surplus to requirements that would easily secure a 20-door site and has a bunch of spare hardware that would cover any gaps. My front door is a double-locking, two-physical locks keyed entry.

    I mean, good luck getting in without my *knowing* (almost immediately) - not to mention getting a lovely screenshot of you breaking in to provide to my insurers - but I'm perfectly aware that you can get in quite easily. Hell, it's a rented apartment, I guarantee that someone who used to live here still has a copy of the key somewhere in their junk drawer, and likely the landlord never changed the locks.

    But I'm perfectly aware that all that thousands of pounds worth of kit on my front door that I could bolt to it tomorrow wouldn't make it any more difficult for you, and would notify me just the same.

    • (Score: 2) by All Your Lawn Are Belong To Us on Thursday May 09 2019, @03:12PM (2 children)

      by All Your Lawn Are Belong To Us (6553) on Thursday May 09 2019, @03:12PM (#841356) Journal

      Well said and +1.

      The two other things locks might do are: 1) cause a delay / allow a neighbor to spot the person trying to pick or break the lock, or 2) make noise. A wrecking bar, in most cases, is far faster than trying to defeat a lock - two persons with two bars (and in some cases just a single bar) can pop almost any dual locked wood frame door and many metal ones. A hammer on a large enough window (as you mentioned) is likewise sufficient for the vast majority of cases.

      Security is always relative and never absolute, in my experience.

      --
      This sig for rent.
  • (Score: 2) by Immerman on Thursday May 09 2019, @06:19PM

    by Immerman (3985) on Thursday May 09 2019, @06:19PM (#841464)

    >The physical part of the lock is always the biggest weak point
    Only the biggest weak point *of the lock*. And only if the software/electronic component is theoretically sound and flawlessly implemented. Which is difficult even for seasoned computer security experts, much less cut-rate lock, car, etc. manufacturers.

    I remember looking into lock-picking at one point out of curiosity. One of the big takeaways was that lock-picking is generally the most difficult way to bypass security, useful primarily when you want to hide the fact that you have done so. Even an easily-picked mechanical lock is typically the most secure part of a door, and the door is usually the most secure part of the building. If you want to get into a locked room, it's usually far faster and easier to go through a window, ceiling, or wall than to go through the door. Or quite often you can even bypass the lock entirely to attack the latch directly, as in the old credit-card trick for a typical door latch.

    If you really want to go through the door, and the latch is well enough protected that you have to attack the lock, then shooting or drilling it is far faster and easier than picking it. Even if picking it can be easily done in under a minute (as is the case for most locks).

    The primary purpose of lock-picking is to open a lock without damaging anything - i.e. for covert entry that won't be noticed soon (if ever) for either criminal or pranking purposes, or to open a lock for someone who has locked their keys on the other side of it without doing any damage. For everyone else, just break things, it's easier.
    And that's true whether the lock is purely mechanical, or electronically controlled. All electronics do is present different attack vectors - no different than the more creative pick-resistant mechanical locks out there with strange-looking keys or multistage mechanisms. Except that mechanical lockpicking often requires skill, while electronic lockpicking often just requires downloading the right software and pushing a button.

    All of which is to say, the only real function of locks is to protect against crimes of temptation and opportunity - a.k.a. "they keep an honest man honest". Anyone skilled in infiltration is unlikely to be more than mildly inconvenienced unless the lock is more expensive than whatever it's protecting.

  • (Score: 2) by Reziac on Friday May 10 2019, @02:23PM

    by Reziac (2489) on Friday May 10 2019, @02:23PM (#841843) Homepage
    --
    And there is no Alkibiades to come back and save us from ourselves.