SoylentNews is people

posted by mrpg on Thursday May 09 2019, @02:33AM
from the no-battery dept.

Submitted via IRC for Runaway1956

Tenants at a property in New York City just struck a deal in what is both a wildly reasonable ask but also a crucial precedent at a time of increasing surveillance—their landlord has to give them physical keys to their building.

Five tenants in Hell’s Kitchen sued their landlord in March after the owners installed a Latch smart lock on the building last year. It is unlocked with a smartphone, and reportedly granted tenants access to the lobby, elevator, and mail room. But the group that sued their landlords saw this keyless entry as harassment, an invasion of privacy, and simply inconvenient.

“We are relieved that something as simple as entering our home is not controlled by an internet surveillance system and that because we will now have a mechanical key they will not be tracking our friends and our family,” 67-year-old tenant Charlotte Pfahl, who has lived in the building for 45 years, told the New York Post.

Source: After Smart Lock Allegedly Traps Senior in Apartment, Tenants Sue for Physical Keys and Win


 
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by ledow on Thursday May 09 2019, @08:10AM (3 children)

    by ledow (5567) on Thursday May 09 2019, @08:10AM (#841245)

    I would recommend learning carpentry because you can drill around anything in a door within seconds.

    Tumbler locks aren't secure - neither are maglocks, electric strikes, or anything else that you would need to implement to replace them. They're not supposed to be. Like car doors, they only need be "secure enough", which can literally mean holding out against a simple attack for 30 seconds in the car industry.

    Physical locks are there for insurance purposes. You have to prove forced entry for your insurance to actually pay out, generally. Just enough to prove that you didn't leave the door open, let the burglar in yourself, or that you didn't take the locks off the doors entirely. That's all a physical lock is there for... most doors can be put through in seconds, and often the wall next to the door is even less secure than the door itself.

    Door locks are convenient, passive security against untargeted and unprepared attacks (i.e. no screwdriver on you) designed to make you cause damage to effect entry. That's all they are. That's all they've ever been. That's all they can be - smart or not. A "British Standard" lock is a prerequisite of almost all insurance in my country, and I tell you now that that doesn't mean much.

    I manage the access control systems at my workplace. I guarantee you that I can get into any site that uses that same manufacturer's products without causing physical damage. They have network connectivity, tamper sensors, centralised reporting, web accessibility, hi-security fobs, etc. but I tell you now that I could tamper with a reader by carrying a single Allen key, not set off the tamper alert, then cause the system to open the doors. Once in, I stand a good chance of actually getting to the controller units and then opening every door across the site.

    I know for a fact that the exact system I have, with the same hardware, in the same configurations, is used at a local RAF base because it has a number of security features (encrypted communications, lockdown functionality, etc.). The controller units cost nearly £1000 each. It's not an off-the-shelf system, it's quite advanced. But I bet I could get into any site that had it. The reason I wouldn't is that it would be burglary.

    If I know, then damn sure most people with that system know, and DAMN sure all the installers and anyone who's security tested it knows. Now, without being on site, I can tell you the port to scan for remotely, I can describe the data format, I can describe how to fabricate an "all doors open" emergency alert packet. I need only run a cloud-based port scan and I'd likely find a bunch of places that were exposing their system to the net for precisely this kind of "app" functionality... the systems are often all web-based and used for things like visitor management and remote-site-management, and I guarantee you I'd find some "interesting" sites that were running that hardware and exposing the functionality to the net, and cause problems.

    Not because the locks are "insecure". They are, but that's beside the point (most door-strike locks can be convinced to not lock properly and many lack any kind of "door is actually closed" sensor, so you can rig them with primitive wedges so that once a cardholder accesses them, the door "looks" shut but is actually open until you come along and remove the rig).
    Not because the communications are poorly encrypted. They are (the one I know uses Java code, fixed keys, broadcast UDP, and insecure cryptography across the network).
    But because having stuff online, and having it fitted by the local locksmith who knows bugger-all about the system and just fits the door locks and wires it up to the net is a FAR FAR FAR bigger hole than someone who has to spend 30 seconds bumping the lock tumblers.

    And I'll be honest - I have a specialist contractor who deals *only* in these systems, only from the one manufacturer, who are huge, global and do nothing else. And I tell you now - I know more about the insecurities of that system than they do, I have actually been asked to sell my software solutions to them for the system (because the original manufacturer excluded certain functionality which you can directly code yourself against the exposed local network API), and I can tell you now that their engineer likes to have an entry on the system for himself with a number of fobs assigned despite having nothing to do with the site itself (guess how I know that, guess who turned them off!).

    Just because something is electronic does not mean it's better. You're placing your house security on a 12v solenoid. No different to the one in your car's central locking. And like the one in your car's central locking, bypassable in a matter of seconds for a professional even if the system is "flawless" in terms of electronic security (which it won't be).

    Now... many, many, many places do that - from prisons to military bases to shops and warehouses. It's fine. Because you *don't* rely on that 12v solenoid to keep you secure. You never do. You rely on it being something that someone has to hack or force in order to get past it. That's its purpose. A damage canary.

    My house had not only physical locks but electronic locks. But I tell you now that the electronic locks are the ones that I assume will be bypassed (even with battery backup, RFID fobs, etc.). I only ever electronically locked my side-gate, so that my ex could cycle her bike straight in if it was raining, and we could put the bins out and put them back without having to carry another key. But the house had ordinary physical locks.

    My neighbours were *both* burgled in targeted burglaries within a six-month period. Both times by jumping the fence, going round the back, smashing a window quietly (I think they may have dampened the smash with a towel or something similar).

    What kept them away from the house in the middle?

    Big tough strong smart-locks they couldn't bypass? No.
    An alarm that went off loudly around the neighbourhood? It may have helped my neighbours, but no. An alarm goes off almost every day, by the time anyone does anything, they are long-gone.
    Cameras? I had them, they didn't. They are easily bypassed and often useless. We actually had footage of our neighbour's burglars but it wasn't convictable. But I can monitor them remotely, I actually loaded them onto my iPad in work and they were always in front of me - very handy for seeing whether my Amazon parcel was delivered yet, or what twat keeps parking in front of my drive.
    Tough doors and security bolts? No. For my neighbours they smashed a window round the back and literally NOBODY heard, not even the next-door-neighbour (just feet away) in their garden at the time.

    What kept them away? Luck and looks. Cameras, sensors, electronic locks, and signs. "This one won't be easy". I imagine a large expensive apartment building with multiple keys for entry is not an easy burglary target either.

    Combined with the fact that I expect them to bypass the locks, so the insides were also camera'd and the alarm notified the only person who ever actually cared about my house being burgled - me. GSM alarms are far better than anything that just sounds an alarm. Only you know if it's the cat (especially if you can see the cameras) or a cat burglar. Only you know if your guests have just forgotten about the alarm. Only you will call the police if it's actually a crime in progress... never rely on your neighbours to do so, they are fobbed off so easily and often just don't care about yet-another-alarm! And only you stand to benefit if you stop the burglars in their tracks.

    Most of the "house security" market is a con. They aren't there to "secure" you. That's incredibly expensive, incredibly difficult and incredibly labour-intensive. Cameras can be disabled or obscured quite easily. Locks can be bypassed or destroyed. Doors themselves are weak and vulnerable. And most burglars probably use the window anyway. Alarms only work if monitored (so obviously they charge you a fortune to monitor them, while disclaiming any responsibility if they don't notice).

    A physical lock is not your weak point, nor some closed-source blob in a lock firmware. Thinking it is shows a complete misunderstanding of actual security.

    But a physical lock costs £20 a door and a few quid to cut some keys, leaving lots of money for cameras and staff. A digital one, properly installed, secured, monitored, serviced and linked to all the necessary doors costs thousands and thousands and thousands. And is no more secure.

    You're spending your money on the wrong things. And I speak as someone who just yesterday was given several thousand pounds worth of up-to-date access control kit that was surplus to requirements that would easily secure a 20-door site and has a bunch of spare hardware that would cover any gaps. My front door is a double-locking, two-physical locks keyed entry.

    I mean, good luck getting in without my *knowing* (almost immediately) - not to mention getting a lovely screenshot of you breaking in to provide to my insurers - but I'm perfectly aware that you can get in quite easily. Hell, it's a rented apartment, I guarantee that someone who used to live here still has a copy of the key somewhere in their junk drawer, and likely the landlord never changed the locks.

    But I'm perfectly aware that all that thousands of pounds worth of kit on my front door that I could bolt to it tomorrow wouldn't make it any more difficult for you, and would notify me just the same.

  • (Score: 2) by All Your Lawn Are Belong To Us on Thursday May 09 2019, @03:12PM (2 children)

    by All Your Lawn Are Belong To Us (6553) on Thursday May 09 2019, @03:12PM (#841356)

    Well said and +1.

    The two other things locks might do are: 1) cause a delay / allow a neighbor to spot the person trying to pick or break the lock, or 2) make noise. A wrecking bar, in most cases, is far faster than trying to defeat a lock - two persons with two bars (and in some cases just a single bar) can pop almost any dual locked wood frame door and many metal ones. A hammer on a large enough window (as you mentioned) is likewise sufficient for the vast majority of cases.

    Security is always relative and never absolute, in my experience.

    --
    This sig for rent.