
Security through obscurity

<<

Wizer

Familiar Face

Posts: 166

Joined: Tue Dec 08, 2009 1:48 pm

Location: Finland

Post Fri Oct 05, 2012 8:04 am

Security through obscurity

Do you believe in security through obscurity?
-That a door or a lock is secure if nobody knows the little by-pass, or that it rakes easy, or that there is a key under the door mat?
I think that if a lock is secure enough, there's no reason to keep any information about its vulnerabilities and tips on picking secret. No high-schooler can pick an Abloy no matter what we write on the internet.
And if the lock is not secure enough, is easily pickable, or has a quick by-pass, the public should know about it. The bad guys will learn it anyway.
In theory this would apply even to most secure locks. Safes and all. If there is some vulnerability in the lock that can be revealed in the net by just using a couple sentences it should be known by the manufacturer and every consumer. Like "drill 3 inch below dial".
I'm not saying we should help the random crook that comes to these forums, we can tell them to piss off or we can have some fun on them.
And I'm not trying to change the morals of the whole locksport community overnight.
I'm just hoping for some discussion.
<<

Alaphablue

The only difference between me and this crazy island is that I'm a madman!

Posts: 398

Joined: Sun Aug 26, 2012 3:08 pm

Location: Nova Scotia

Post Fri Oct 05, 2012 8:25 am

Re: Security through obscurity

Most residential doors have cheap locks. You are right, but people don't want to hear how unsecure their locks are. Not too many affordable locks are secure. Why are they not making more hidden locks or locks with restrictive hoods on them? I suppose you can't let your front door lock be the only thing securing your home. I have two dogs and a sour ass old neighbor who shoots squirrels off his bird feeder with a 12 Gauge watching my house.
<<

pin_pusher

Familiar Face

Posts: 116

Joined: Sat Nov 13, 2010 2:03 pm

Location: center of earth

Post Fri Oct 05, 2012 9:04 am

Re: Security through obscurity

Alaphablue wrote: I have two dogs and a sour ass old neighbor who shoots squirrels off his bird feeder with a 12 Gauge watching my house.


...and those are by far some very valuable positions to hold on security vs obscurity. as i have read that the number one and two deterrents for burglary are a dog, and secondly some sort of sign or notice of a security system. but, what i find rather important is that persons participate in their community together to improve security within whatever values they may share. as marc tobias has mentioned several times that security is a direct correlation to potential expenses, he ignores that this too can be an obscurity depending on the knowledge of the criminal or their objectives in conjunction with skill--also fluctuations in technology and market change. but it is surprising when the wealthy are content with their ownership of rare, expensive, and marketable possessions but don't bother with locking their doors, or consider the unreliability of their existing low security. this is the position of the locksmith and locksport enthusiast; i make it a point to address the issue of obscurity vs security, not so much security through obscurity--but that has some weight on the situation as well. i think of it as a three dimensional graph; there is a relationship between security and obscurity on one axis and across that is the relationship between behavior and possession/value...that's what i've got for now, this is a subject i have been working on for some time. as i am intrigued by critical theory and comparative literature (my other hobbies), i am always working on my analysis and essay concerning this very subject. i'm interested to hear others' input. :ugeek:
<<

Ragnar

Familiar Face

Posts: 32

Joined: Wed Jul 25, 2012 7:16 pm

Location: Pennsylvania

Post Fri Oct 05, 2012 11:37 am

Re: Security through obscurity

All security is through obscurity whether we like it or not. The key to your crypto/hash an encrypted drive/file. Your password. The keys to your house/car/work... If someone gets them (ie, they are no longer obscure) then it falls.

I only say this because security through obscurity is a common criticism in the computer world when, at a very fundamental level, it's actually all we have.
<<

mdc5150

Contributor

Posts: 1113

Joined: Mon Jan 24, 2011 10:35 pm

Post Fri Oct 05, 2012 11:47 am

Re: Security through obscurity

You know safes come with burglary ratings. The ratings for the most part are based on how long it would take to get in using construction tools.

Why put $500 locks on a house that can be easily accessed by breaking a $20 window? So you put on bars or Shatter Gard and now the glass is more secure. So you go back to the door that has properly installed high security locks and use something like a battering ram to break down the door and also breaks down the door jamb. Make the door jambs more secure and it will take longer to get in. Security is all about buying time. How long is the average burglar going to take to get in? How much time is he willing to spend to get in there? Just a thought.
<<

Oldfast

OldddffAASSTT the Spin Master Extraordinaire and American Lock Slayer

Posts: 4412

Joined: Thu Mar 31, 2011 9:16 am

Location: Michigan

Post Fri Oct 05, 2012 5:12 pm

Re: Security through obscurity

Wizer, this always makes for an interesting discussion. One in which I love to hear ALL the different takes people have on it.

pin_pusher - If/when you ever come to a final piece of writing, I'd love to read it. You've some interesting thoughts.

My personal thoughts on this may change with time. But I've always seemed to lean more toward full disclosure.

It seems to me that neither the companies that produce & sell security based products, nor the consumers that
purchase & use them... want to hear it! lol. And even when they do listen, they have no interest in utilizing the
information they've been given. But take for example that rare consumer that actually does care & is making a
conscious effort to make an informed decision. My feeling is that this person has every right to know the ins &
outs of what they're about to purchase.

If a particular discovery warrants it, responsible disclosure should precede full disclosure. In other words, we first
inform the company of the vulnerability and give them sufficient time to correct it. If the company chooses to not
use the information, that's fine. But in this instance, I feel strongly that the same information should be given to
the public so that they too may have the same choice.... to utilize it or not. Regardless of what they do with it.
" Enjoy the journey AS MUCH as the destination."
<<

piotr

Contributor

Posts: 738

Joined: Thu Nov 25, 2010 3:59 am

Location: Victoria, Australia

Post Fri Oct 05, 2012 7:32 pm

Re: Security through obscurity

Ragnar wrote: All security is through obscurity whether we like it or not. The key to your crypto/hash an encrypted drive/file. Your password. The keys to your house/car/work... If someone gets them (ie, they are no longer obscure) then it falls.

I only say this because security through obscurity is a common criticism in the computer world when, at a very fundamental level, it's actually all we have.


Not really. The "security through obscurity" criticism relates entirely to the design of the cryptographic algorithm (or the lock and other physical security infrastructure). If knowledge of the cryptographic algorithm serves to undermine the security of that cipher then it is intrinsically insecure and predicated on the secrecy of the algorithm. Contrast this with the widely used cryptographic algorithms (eg. DES, RSA, Blowfish) and that their algorithms are in the public domain yet they remain secure. Knowledge in this context doesn't relate to knowledge of the private key but rather to the cryptographic scheme. You are correct in that all security systems do entail some form of secrecy but sound security doesn't rely entirely on secrecy.

Applying this idea to physical security, "security through obscurity" would be a lock design that depends on the secrecy of that design for its security such that acquiring that lock and studying its operation would render other locks of that same type insecure. Locks that are vulnerable to bumping fall into that category. Arguing that key security (physical and cryptographic) is a form of obscurity fails to capture a key principle in security engineering, namely that encryption software and lock cylinders that are in the field, in service, are generally accessible to all parties and that this situation is typically unavoidable because the vendors of the software (and lock cylinders) are commercial enterprises that rely on sales. Further, putting encryption software (and lock cylinders) in operation entails bringing in third parties to install, adapt, repair, maintain them. This necessarily further distributes the knowledge of the security designs. Security engineering is intended to protect those that rely on the cryptographic algorithm (or lock design) from this "collateral" distribution of knowledge about the underlying design. As a programmer, if I implement a design that encrypts the contents of a database using DES, my knowledge of that design shouldn't introduce a vulnerability. Similarly, as a locksmith if I install a particular lock on a facility, my knowledge of the inner workings of that lock shouldn't render that facility vulnerable to my possible corruption. As a general rule, physical and cryptographic keys can be more easily secured than lock cylinder designs and cryptographic algorithms. Since we don't want to rely on design obfuscation for security we assume that the encryption software and lock cylinder will be acquired by those with criminal intentions and we engineer our security such that this knowledge will not make it any easier to defeat that security. That is the essence of the derogatory refrain "security through obscurity".
Last edited by piotr on Fri Oct 05, 2012 8:56 pm, edited 1 time in total.
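
The distinction drawn in the post above, between a design whose secrecy is the protection and a public design protected by a per-site key, as an added example that is not part of the original post. Both schemes are constructed for illustration: Design A is a toy, and Design B uses HMAC-SHA256 (not one of the algorithms named in the post) as the public algorithm; all names, messages and constants are assumptions.

```python
import hashlib
import hmac
import secrets

# Design A (hypothetical): the only secret is a constant baked into every
# shipped unit, so it is part of the design, not a per-site key.
_DESIGN_CONSTANT = bytes.fromhex("5a17c3e9")  # constructed value


def obscure_tag(message: bytes) -> bytes:
    """Keyless tag: first 4 bytes of SHA-256(message) XOR the design constant."""
    digest = hashlib.sha256(message).digest()[:4]
    return bytes(d ^ c for d, c in zip(digest, _DESIGN_CONSTANT))


def constant_from_one_unit(message: bytes, tag: bytes) -> bytes:
    """What examining a single unit reveals: one message/tag pair gives the constant."""
    digest = hashlib.sha256(message).digest()[:4]
    return bytes(d ^ t for d, t in zip(digest, tag))


def tag_with_constant(message: bytes, constant: bytes) -> bytes:
    """Recompute Design A tags for any unit once the constant is known."""
    digest = hashlib.sha256(message).digest()[:4]
    return bytes(d ^ c for d, c in zip(digest, constant))


# Design B: public algorithm (HMAC-SHA256); the secret is a per-site random key.
def keyed_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def compare_designs() -> dict:
    msg_seen, msg_new = b"open door 1", b"open door 2"  # constructed messages
    learned = constant_from_one_unit(msg_seen, obscure_tag(msg_seen))
    site_a_key, site_b_key = secrets.token_bytes(32), secrets.token_bytes(32)
    tag_from_a = keyed_tag(site_a_key, msg_new)
    return {
        # Design A: knowledge gained from one unit carries over to every unit.
        "design_a_knowledge_transfers": tag_with_constant(msg_new, learned) == obscure_tag(msg_new),
        # Design B: the algorithm is public and site A's own key works at site A ...
        "design_b_accepts_at_site_a": verify_keyed(site_a_key, msg_new, tag_from_a),
        # ... but the same knowledge yields nothing that site B accepts.
        "design_b_accepts_at_site_b": verify_keyed(site_b_key, msg_new, tag_from_a),
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```
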
<<

piotr

Contributor

Posts: 738

Joined: Thu Nov 25, 2010 3:59 am

Location: Victoria, Australia

Post Fri Oct 05, 2012 8:29 pm

Re: Security through obscurity

pin_pusher wrote: as marc tobias has mentioned several times that security is a direct correlation to potential expenses, he ignores that this too can be an obscurity depending on the knowledge of the criminal or their objectives in conjunction with skill--also fluctuations in technology and market change. but it is surprising when the wealthy are content with their ownership of rare, expensive, and marketable possessions but don't bother with locking their doors, or consider the unreliability of their existing low security. this is the position of the locksmith and locksport enthusiast;


In most parts of the world the (free-)market has developed a solution to the problem of securing commercial and residential properties and central to that solution is insurance against theft of contents. The market preferred scheme (for the want of a better phrase) is:
* cheap to moderately priced locks (In North America, Schlage and Kwikset and copies, in Australia, Lockwood and copies; double locking "dead locks" and window locks are typically stipulated in Australian home contents insurance policies); and
* home/business contents insurance.

Thus in most cases it is necessary to only meet the physical security requirements of your insurance policy and those are typically quite undemanding. Yeah, I know it's not a sexy solution but cost is the principal driver and that is what the market has arrived at and it looks like that will be the status quo for the foreseeable future. Only those businesses and households with especially valuable contents can justify the expense (and inconvenience) of more exotic security systems. The only exception to this that springs to mind is those cases where an insurer has/will fail(ed) to honour the policy because/if there are no signs of forcible entry. In these cases the property owner should upgrade their security and/or switch insurers. But these cases are rare, most burglars still prefer reliable and quick destructive entry methods.

In this context, any vulnerability in the market share lock cylinders that would make it easier and quicker to gain illegitimate entry to a household or business than the well-known destructive entry methods should be publicised because it's only a matter of time before this vulnerability will become known to criminals. A case in point is the vulnerability of the Kwikset Smart Series to an over-torque attack. The amount of torque required is so small and the tool design is so simple and the method so quick and quiet that it is preferable to any of the traditional destructive entry methods used by criminals (including traditional over-torque attacks).



In this case, full disclosure is entirely justified. This is also a good example of the problems of "security through obscurity" in that anyone can purchase one of these Kwikset Smart Series, disassemble it and learn of its vulnerabilities. Because over-torquing is well-known to "career burglars" this vulnerability in the Kwikset Smart Series is especially salient.
Last edited by piotr on Fri Oct 05, 2012 10:17 pm, edited 1 time in total.
<<

Ragnar

Familiar Face

Posts: 32

Joined: Wed Jul 25, 2012 7:16 pm

Location: Pennsylvania

Post Fri Oct 05, 2012 8:54 pm

Re: Security through obscurity

piotr wrote: Not really. The "security through obscurity" criticism relates entirely to the design of the cryptographic algorithm (or the lock and other physical security infrastructure). If knowledge of the cryptographic algorithm serves to undermine the security of that cipher then it is intrinsically insecure and predicated on the secrecy of the algorithm. Contrast this with the widely used cryptographic algorithms (eg. DES, RSA, Blowfish) and that their algorithms are in the public domain yet they remain secure. Knowledge in this context doesn't relate to knowledge of the private key but rather to the cryptographic scheme. You are correct in that all security systems do entail some form of secrecy but sound security doesn't rely entirely on secrecy.

Applying this idea to physical security, "security through obscurity" would be a lock design that depends on the secrecy of that design for its security such that acquiring that lock and studying its operation would render other locks of that same type insecure. Locks that are vulnerable to bumping fall into that category. Arguing that key security (physical and cryptographic) is a form of obscurity fails to capture a key principle in security engineering, namely that encryption software and lock cylinders that are in the field, in service, are generally accessible to all parties and that this situation is typically unavoidable because the vendors of the software (and lock cylinders) are commercial enterprises that rely on sales. Further, putting encryption software (and lock cylinders) in operation entails bringing in third parties to install, adapt, repair, maintain them. This necessarily further distributes the knowledge of the security designs. Security engineering is intended to protect those that rely on the cryptographic algorithm (or lock design) from this "collateral" distribution of knowledge about the underlying design. As a programmer, if I implement a design that encrypts the contents of a database using DES, my knowledge of that design shouldn't introduce a vulnerability. Similarly, as a locksmith if I install a particular lock on a facility, my knowledge of the inner workings of that lock shouldn't render that facility vulnerable to my possible corruption. As a general rule, physical and cryptographic keys can be more easily secured than lock cylinder designs and cryptographic algorithms. Since we don't want to rely on design obfuscation for security we assume that the encryption software and lock cylinder will be acquired by those with criminal intentions and we engineer our security such that this knowledge will not make it any easier to defeat that security. That is the essence of the derogatory refrain "security through obscurity".


I completely agree with everything you said, I just believe the terminology is off. Steve Gibson (worth your time if you're into crypto) once remarked that everyone criticizes security through obscurity, but no one will give you their user name/password.
Steve's point (stolen as my own above) is that EVERYTHING is, fundamentally, security through obscurity. I realize there is an underlying concept here of "Available Source"/Full Disclosure (locks/crypto) & fully support that, I just prefer those terms instead of criticizing/demonizing obscurity.
