Saturday, May 21, 2011


Opening locks without keys is one of the challenges historically associated with computer hacking, alongside gaming and Chinese food, as chronicled in Steven Levy's classic, Hackers: Heroes of the Computer Revolution (Anchor Doubleday, 1984; O'Reilly, 2010; but available all over the Internet as a PDF).  So it is fitting that at the SUMIT_2010 Conference (Security @ the University of Michigan IT, October 7, 2010), Deviant Ollam of The CORE Group was again a guest speaker.  Sandwiched between techies Whitfield Diffie and Christopher Hoff and government agents Melissa Hathaway and Marcus J. Ranum, Deviant Ollam was a hit with the crowd.  After his talk, outside the auditorium, he set up a corral of tables with locks and tools for people to play with, and he answered questions for about an hour.

His on-stage demonstration was fascinating, compelling, shocking, and revealing.  We throw shackles on our cages of servers, buying them at hardware stores and big-box stores, and never consider how vulnerable they leave us.  It is pretty easy for someone to let themselves into your racks, insert or copy what they want, and then leave without a trace.  Or almost without a trace.  Deviant Ollam's presentation included forensics, showing the evidence of tampering.  But you have to know what you are looking for and what you are looking at.

"Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network but that doesn’t make the slightest difference if someone can gain direct access to your network equipment and server racks."  - Deviant Ollam, The CORE Group. "The Four Types of Lock: Physical Security is Data Security."

Shortly after that October 7, 2010, conference, I got interested in the problem of archiving and reporting on modern paper money (here on Necessary Facts).  I made a presentation about that at ArbSec, a local Ann Arbor computer security group that grew out of the DefCon734 chapter here.  Via ArbSec, I met A2 Locksporting, the lockpicking club.  Attending club meetings once a month, I learned how to pick a lock.

Numismatists study all forms of money.  The threat of counterfeiting led governments to make their notes more secure.  It also led the US government in Washington to install software, firmware, and hardware on all personal computer scanners.  If you scan a current-issue Federal Reserve Note, they will know about it.  See The EURion Project here on Necessary Facts.

I also learned how to take a lock apart and put it back together, how to match a lock to its key, and other techniques.  It so happened that because of the Levy book - which I read when it came out, having hacked my first password in 1977 - I always kept keys.  I have lots of them.  They can be useful.  You can "bump" a lock with an old key.  An old key can be recut.  It might even work on its own: locks are disappointingly generic.  If you only care about keeping out honest people, you can save money, time, and grief by paying attention to the codes stamped on the locks and buying four or five identical ones at the same time.

If you browse for lockpicking tools, you will find many sellers.  The Ann Arbor Locksporting Club seems to like Lockpicker's Mall.  I like their website.  From 2004 to 2010, I reviewed websites for the American Numismatic Association, and I learned to look for reliable information, free articles, and an open and honest statement of who owns the site and the company and where to find them in real life.  They meet those requirements.

Core of Lock disassembled.
