
HN's Daeken will expose security flaw in 4m hotel room keycard locks - ssclafani
http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/
======
daeken
I'm planning on doing a Reddit AMA for reversing in general -- as well as this
work -- in the next hour or two, but if anyone has any questions I'll do my
best to answer here. All I ask is no protocol details (paper and full code
will be out tomorrow immediately following my talk) and no legal questions. Go
wild.

Edit: Since this thread has blown up a bit, we may as well just do it here for
real. If you have any reversing questions or background questions or whatnot,
feel free.

~~~
mpakes
Was it necessary to wear a t-shirt that reads "It's fun to use learning for
evil!" in the photo shoot for a Forbes spread? This doesn't help the negative
perception of the word "hacker". :-/

All due respect to the work you're doing – I'm a former member of the security
industry myself (worked on the IPS engine at TippingPoint).

~~~
tptacek
You don't think this is a little nitpicky? He's at the "Black Hat Briefings".

~~~
larrys
It's fairly easy to change a T-shirt. Whether or not anyone agrees with his
appearance or not being relevant, he wasn't photographed in the audience at
the conference or up on stage.

He posed for a photograph in a hotel.

Even if he didn't have a spare shirt, the gift shop in a hotel generally does.
That's if he had thought of that issue. No problem with telling the
photographer you had to change. Even if they noted that in the story it's the
picture that's worth 1000 words.

I had a story done a number of years ago and they sent a photographer to the
office. I took several hours to arrange everything to get a good setup for the
photo. It paid off. The photo was good and the photo editor liked it and made
it the centerpoint of a story where many people were quoted. It ran all over in
syndication. My point is simply it's important to think ahead when the media
comes knocking. (Along those lines hmm, maybe he did the right thing with that
t-shirt publicity wise).

In any case people can now learn from the "nitpick" and decide for themselves
if they are ever in the spotlight what they want to do.

~~~
daeken
I did plan to wear the shirt; I felt it injected a bit of fun into something
that, frankly, is scary as hell.

~~~
ChuckMcM
Forgive me if I'm just naive but I don't get the 'scary' part. Locks have
always been 'advisory' and people who have wanted to circumvent them for both
good and evil rate them by their 'time to disable'.

Hotel locks with hard keys had their issues as well, and were pretty trivially
picked with simple tools. But the key is always that you need to bring the
'simple tools' which is to say that they aren't vulnerable in a way that
someone who decides on the spur of the moment to enter the room can easily
duplicate. They need the plug that fits the power cord, they need the software
which does the JTAG wiggler etc etc.

So if it is 'scary' that people who are not affiliated with the hotel either
as guests or as staff can, with pre-meditation, open a hotel room door without
damage, then you need to re-define scary. This has always been true, and will
probably always be true by the nature of hotels and motels.

~~~
cjy
It should be noted that [some] hotel doors with electronic key cards also have
physical key holes (as a backup) that are hidden, but are still susceptible to
being picked.

This just supports your point that hotel doors are not 100% secure for anyone
who really wants to get through.

Edit: Replaced all with some. The doors at the hotels I worked had backup
physical keys in case the battery failed. It's cool that Onity locks can be
powered externally if the battery fails. Thanks for the correction.

~~~
daeken
That's not really the case. While some of these do exist, Onity's locks
themselves do not contain any physical keyhole and I've never seen them
installed in such a configuration. Other vendors may be different.

------
screwt
Could you explain a little more why you didn't go for responsible disclosure
to Onity?

In the article you suggest that you don't think they could fix it. Maybe true
but shouldn't you (a) give them the opportunity to try (just cos you can't
spot the fix doesn't mean it's impossible), and (b) give them the chance to
say "yep, it's broken - give us 3 months to ship out new locks to all our
customers" (yes, highly unlikely I know!).

Given that you sat on this for a year before publishing, there was ample
opportunity to inform Onity before you publish.

~~~
daeken
Given the simplicity of the vulnerabilities (as mentioned in the article, you
have full and unauthenticated memory access) and the length of time -- over a
decade -- that these locks have been on the market, there is absolutely no
doubt that they knew about this.

Given that, I felt that they would delay, delay, delay, and delay some more
before finally going silent, at which point I would be forced to do this
anyway. Simply put, I have zero confidence in their ability to mitigate this
properly, and I believe that the only proper course of action is to make this
public and let the hotels make themselves secure by whatever means possible.

I know that's a bit of a strange answer, but this is a strange situation; it's
taken me a while to figure out the correct course of action, and I feel that
this really is the best way for the safety of the public.

Edit: Toned down some of the wording; unnecessary.

~~~
akamaka
That's a completely bogus excuse. The question wasn't why you're releasing it
publicly, but why you haven't made any attempt to contact the company
beforehand, which you seem to have had a year to do.

Edit: The only reasons I can think of are laziness or just plain not giving a
shit about responsible disclosure.

~~~
Kadin
In order so that they could do ... what, exactly? It doesn't sound like
there's any mitigation that they could perform. At the very least, the guts of
every lock has to be replaced. Given that, the rational, profit-maximizing
thing for them to do is to stonewall, misdirect, bring out the lawyers, shoot
the messenger, and generally continue to sell as many flawed locks as
possible. We've all seen vendors do that in the past when faced with
intractable, deep-seated defects in a product, so it wouldn't be unexpected or
unreasonable to assume.

All the notification would be is a courtesy, allowing them time to start
designing and marketing a new product, instead of having the market get handed
to their competitors when hotels suddenly have to start replacing their locks
with less-flawed ones. And I'm not sure a company that produced a flawed
products deserves that.

~~~
huhtenberg
> _what, exactly?_

They could plug the access holes, with custom pentalobe screws. That's an
under a dollar per lock fix.

~~~
tptacek
So, that's more than a million dollars more than NYSE:UTX's gross profits for
the last quarter, and ~1/4 of their gross revenue over the same quarter. No, I
don't think they were going to do that.

~~~
3am
Financial reports are typically in 1000s of dollars - UTX's net reported in
03/2012 were $330 million USD.

edit: source is <http://finance.yahoo.com/q/is?s=UTX> ('All numbers in
thousands' in upper right of the statement). Easy mistake! I just happened to
be passingly familiar with United Technologies, which is a large diversified
industrial conglomerate that includes Carrier (A/C systems), Sikorsky
(helicopters), and Pratt & Whitney (aircraft engines) among other
subsidiaries.

~~~
tptacek
URL? I got mine from Google Finance, but only quickly eyeballed it; it's very
likely you're right.

------
jgrahamc
It won't be a surprise to learn that these types of locks are vulnerable, but
I'll be fascinated to learn the details especially since it sounds like you
can get access to an internal bus easily.

The assassination of Mahmoud Al-Mabhouh
(<http://en.wikipedia.org/wiki/Assassination_of_Mahmoud_al-Mabhouh>)
allegedly by Mossad involved attacking an electronic hotel lock to get access
to his room:

"A readout of activity that took place on the hotel room's electronic door
lock indicated that an attempt was made to reprogram al-Mabhouh’s electronic
door lock at this time. The investigators believe that the electronic lock on
al-Mabhouh’s door may have been reprogrammed and that the killers gained entry
to his room this way. The locks in question, VingCard Locklink brand (Dubai
police video, 21:42), can be accessed and reprogrammed directly at the hotel
room door."

~~~
daeken
Yep, bus is clearly accessible on the bottom of the lock.

As for Ving, I think they're going to be next up; spent years honing my skills
in reversing this sort of thing, seems like a shame to stop now.

~~~
shurane
How did you hone your skills for years? Have you been working with other lock
providers? Or other methods, or just the process of reverse-engineering the
software that hardware interacts with?

You are cool, you know that?

~~~
daeken
I haven't been working on other lock hardware, but reversing the whole Onity
system from the ground up has been quite an undertaking. I described a rough
version of the whole process in another comment. I've also worked on a couple
other devices, e.g. the Emotiv EPOC EEG.

And thanks, I like to think so.

------
ulope
Interesting, but it's not as if hotels in general have been high security
installations.

Very easy experiment: Just go to the front desk and tell them that you sadly
seem to have lost your room card. 90% of the time they will just ask for your
room number without requiring any kind of proof that it's actually your room.

~~~
petitmiam
Or there's those hotels where you have to leave the keys at the front desk.
Each time you come back you say your room number and they give you the key.

~~~
tripzilch
Yeah, that was our hostel in NYC. I asked about that, and they kind of looked
at me funny, as if I was paranoid or something. I figured the best way would
be to semi-jokingly show her my ID regardless and be friendly and chatty in
the hopes she'd remember my face with the room number.

In hindsight I might have tried asking for a different room number's key to
see if she was paying attention and then quickly correct myself "No, just
kidding, my room's 208 not 210. I just wanted to see if you'd give people any
room key they ask for". Maybe that would've made them see the issue.

Instead, I took the easy route and made sure to never leave my netbook,
passport, tickets, etc in the room (all the rest was replaceable and we were
travelling light).

I would have probably done differently if I wasn't in a foreign country on a
different continent and still getting used to the cultural uncanny valley of
NYC being "almost, but not quite like Europe", so I opted for the safe choice
of not being a bother to these obviously hard-working people.

------
kristopolous
duh? I'm sorry but low security systems like hotel rooms of course have wide
vulnerabilities. The front desk will just give out keys based on trust since
you don't have to register everyone staying in the room; they don't even have
an audit trail if they wanted to use it.

Keyless entry cars are mostly crackable ... garage door systems are trivial,
you can bump pin tumbler locks, many home security systems have no backup
power. RFID skimmers are cheap and easy-to-use. Almost every elock I've seen
has the bus readily exposed on the outside (secured by a single screw at
best).

There's at most 6 things I can think of that actually do not have trivial
security issues.

If I knew I would become famous by informing the press that, for instance, a
car model only has a handful of key patterns for millions of cars, I would
have done it a long time ago, but I thought such things were just stupefyingly
obvious.

~~~
lgeek
> a car model only has a handful of key patterns for millions of cars

This reminds me of growing up in Eastern Europe. Story time: Under the
Romanian communist regime, there was only one car factory (Dacia[1]) making
cars for personal use. Their main model was essentially the same from the '70s
until 2004. For the first 10 years or so after the '89 revolution, Dacia
dominated the local car market (because their cars were cheap and really easy
to fix).

Now that we have the oh-so-important context, your comment reminded me that
when I was a kid, my parents bought a Dacia. What confused me at a time was
that random people would periodically ask to borrow the key.

It turns out that for 30-something years, Dacia only used a few models of
keys. In fact there were so few that if you locked your keys inside (doors
were unlocked by key and they locked automatically) it was feasible to try
keys from random cars until one worked.

To be fair, the engine key was different from the door key, and it didn't have
this problem. But, getting back to your comment, if you're talking about a
recent car model then that's just crazy.

Also, I would have thought that keyless entry systems use correctly
implemented public key cryptography. Is that not the case?

[1]: <http://en.wikipedia.org/wiki/Automobile_Dacia>
[2]: <http://en.wikipedia.org/wiki/Romanian_Revolution_of_1989>

~~~
kristopolous
Many after-market and non-luxury cars can fall victim to a replay attack. More
expensive vehicles use something called a rolling code, here's an example
chip: <http://ww1.microchip.com/downloads/en/devicedoc/21143b.pdf> and
<http://www.atmel.com/Images/doc2600.pdf>

Just to be perfectly clear, what you have is a synchronized incrementing
number usually using some in-house block-cipher with a 2^16 period. When the
car receives a PRN from the RKE, it checks the locality of its current
sequence (usually about 2^8) and then if the PRN matches one of them, you are
in. So if you have the 2^16 sequence, just skip over every 2^8 and see if it
unlocks. That's 2^8 tries; under a second.

If you don't have that, with a few sequences you can deduce the key pretty
easily; each PRN is 32 bits; providing you up to 32 bits of information.

Since the payload is an incrementing 16 bit number you have probably 3 bits of
entropy on the 32 bits (8 PKE commands between your sniffing). Anyway, assume
you have 29 bits from the 32. You also have to toss the 16 bit sequence on the
64 bit source key calculations since it is effectively a salt.

Therefore, you can conservatively get the magic 64-bit key in 6 transmissions
assuming there are no sequence collisions of that length. And even if there
are, the solution space of the collisions would be quite modest.

Since each transmission has a plaintext serial associated with it (usually a
subset of the VIN ... available on the windshield and all), you are not at a
loss as to which transmission is which car.

So install your sniffer in an office-building parking structure on Monday,
assume codes before 1100 are locks, after 1400 are unlocks, and you are in the
car of your choosing by Thursday.

Pretend you don't have this. Pretend you want to do brute force on the 32 bit
key-space. There's something called guard time. The idea is that there's a
backoff period before another code can be tried. That's usually about a
millisecond or two; if at all.

The transmission of the payload is on the order of tens of microseconds.

So generally speaking you can presume that you can do about 1.5m keys an hour.

Now let's say you are a car thief and you go to a lot of new cars ... there's
64 of them (2^6) just to make our lives easy. You have a wonderful consequence
of the birthday-problem.

A 2^32 key space with a 2^8 tolerance over 2^6 vehicles ... means (32 - 8 - 6)
= 2^18 keys until you should have a match.

Now let's see, you can generate about 2^21 keys per hour ... oopsie daisy.
Look what we just did ... Your mean time to unlock one of the cars passes a
50% threshold in all of 4 minutes.

And that's the naive approach, without doing any predictive plaintext attack.

Now let's assume you use both methods together. We aren't talking about much
waiting time here.

So I mean yes, the rolling code means you can't just do a replay. Ok, fine ...
right ... you have to do a napkin full of math and a little programming. It's
not real security.
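The comment above reasons about a rolling-code receiver from the attacker's side (a 16-bit counter, a ~2^8 acceptance window, guard time). The following is an added example, not code from the thread or from any vendor, showing the receiver-side check itself and why a replayed code fails: the code is a keyed MAC over serial and counter (HMAC-SHA256 truncated to 8 bytes is an assumption standing in for the "in-house block cipher"), the counter is 32 bits so it does not wrap, and the receiver only searches counters strictly ahead of the last one it accepted. Key, serial and window size are constructed values.

```python
import hashlib
import hmac

# Receiver tolerance: codes up to this many presses ahead of the last accepted
# counter are considered (assumption, mirroring the ~2^8 window described above).
WINDOW = 256


def make_code(key: bytes, serial: bytes, counter: int) -> bytes:
    """Transmitter-side code: a keyed MAC over serial||counter, truncated to 8 bytes.

    HMAC-SHA256 stands in for the in-house block cipher mentioned above; with a
    keyed MAC, knowing past codes gives no way to compute the next one.
    """
    msg = serial + counter.to_bytes(4, "big")  # 32-bit counter: no 2^16 wrap
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Transmitter:
    def __init__(self, key: bytes, serial: bytes):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.key, self.serial, self.counter)


class Receiver:
    def __init__(self, key: bytes, serial: bytes):
        self.key, self.serial = key, serial
        self.counter = 0  # highest counter value accepted so far

    def try_code(self, code: bytes) -> bool:
        # Only counters strictly ahead of the last accepted one are candidates,
        # so a captured code replayed later can never match again.
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(make_code(self.key, self.serial, c), code):
                self.counter = c  # resynchronise to the transmitter
                return True
        return False


def simulate() -> dict:
    """Exercise the fresh/replay/desync cases; returns the outcome of each."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    serial = b"DEMO0001"  # constructed serial
    tx, rx = Transmitter(key, serial), Receiver(key, serial)
    results = {}
    first = tx.press()
    results["fresh_code_accepted"] = rx.try_code(first)
    results["replay_rejected"] = not rx.try_code(first)
    for _ in range(10):  # presses made out of range of the receiver
        tx.press()
    results["resync_within_window"] = rx.try_code(tx.press())
    for _ in range(WINDOW):  # more than WINDOW unheard presses
        tx.press()
    results["beyond_window_rejected"] = not rx.try_code(tx.press())
    return results


if __name__ == "__main__":
    print(simulate())
```

The last case is the design tension behind the window size: a small window limits how far a desynchronised transmitter can drift before it is locked out, so a real system needs an explicit resync step (for instance accepting two consecutive codes) rather than a wider window, which is exactly what the search-the-window estimate above exploits.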

------
javajosh
I was always curious about elock systems, particularly about how they are
reprogrammed. Presumably they are reprogrammed by the front desk, centrally,
but how does the signal reach the lock? Presumably there must be wires
attached (at least for power). So why is there an external port on the lock at
all? Also, what is the possibility that a lock exploit could affect the
central reprogramming system?

Edit: just read below that these things are battery powered, which raises two
questions, first, ok, how are they reprogrammed, and second, how does a hotel
not go bankrupt replacing thousands of batteries all the time?

~~~
daeken
The locks _are_ programmed by the front desk, but then the data is transferred
to the Portable Programmer which then is used to update the doors. The doors
themselves are not connected to power, but are rather completely battery-
driven. The likelihood of anything impacting the front desk equipment is
effectively nil.

(Note: This is all specific to Onity locks)

~~~
javajosh
I'm surprised that's how they are designed. How often do the batteries need
replacement? (I realize that this isn't exactly related to your hack, but I'm
finding myself fascinated by the economics of maintaining lots of locks. It
reminds me of the problem of early computers having to replace vacuum tubes at
a certain rate, limiting the size of the machine).

Also, is it the housekeeping staff that reprograms the lock after they clean
the room? It seems like it would be very inefficient to send a special person
around to reprogram the lock after every check out.

~~~
daeken
The battery lifetime depends on how much traffic the door gets, but generally
I believe it's 4-6 months, which is pretty impressive for 4 AAs.

As for reprogramming the doors, that only happens very rarely. The cards have
an expiration date and a code that cycles, meaning that when a new card is
introduced, the old ones won't work anymore. So really it only needs to be
reprogrammed when the clock gets out of sync or the batteries die (there's no
non-volatile storage, just RAM).

~~~
javajosh
_> The cards have an expiration date and a code that cycles, meaning that when
a new card is introduced, the old ones won't work anymore._

How interesting. Does that mean that you could theoretically have access to an
empty room if there's no new occupant? It seems like you need some sort of
expiry to prevent that from happening, but I can't imagine how that would work
without some signal passing between the front desk and the lock.

~~~
daeken
There is an expiration date on the card (the lock keeps time). However, with
the crypto vulnerabilities I'm going to be announcing, it's possible to
manipulate cards to change the expiration date or increment the code key value
(which is what gets cycled); this would allow you to continue using a card
indefinitely.

You can't make cards out of nothing, though, so that helps mitigate it.
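Cody's replies above describe cards carrying an expiration date and a cycling code value, with the weakness that the card data can be rewritten. As an added example (not Onity's format and not code from the thread), here is the lock-side check a defender would want for such a scheme: the card fields are covered by a keyed MAC, so editing the expiry or the cycle value invalidates the card, while a newly issued card with a higher cycle value still supersedes the previous guest's card. The card layout, site key, room numbers and dates are all constructed.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Hypothetical card layout (constructed for this example, not any vendor's format):
#   room (2 bytes) | cycle (2 bytes) | expiry in Unix minutes (4 bytes) | tag (8 bytes)
HEADER = struct.Struct(">HHI")
TAG_LEN = 8


def issue_card(site_key: bytes, room: int, cycle: int, expiry: datetime) -> bytes:
    """Front-desk side: encode the fields and append a keyed MAC over them."""
    body = HEADER.pack(room, cycle, int(expiry.timestamp()) // 60)
    tag = hmac.new(site_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Lock:
    def __init__(self, site_key: bytes, room: int):
        self.site_key, self.room = site_key, room
        self.cycle = 0  # highest cycle value seen; a new card advances it

    def present(self, card: bytes, now: datetime) -> str:
        """Return the lock's decision for a card presented at time `now`."""
        if len(card) != HEADER.size + TAG_LEN:
            return "malformed"
        body, tag = card[:HEADER.size], card[HEADER.size:]
        expected = hmac.new(self.site_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return "bad_tag"  # any edit to room, cycle or expiry ends here
        room, cycle, expiry_min = HEADER.unpack(body)
        if room != self.room:
            return "wrong_room"
        if int(now.timestamp()) // 60 > expiry_min:
            return "expired"
        if cycle < self.cycle:
            return "superseded"  # a newer card has already been used on this door
        self.cycle = cycle
        return "open"


def simulate() -> dict:
    """Walk through a guest's stay, a tampered card, and the next guest."""
    key = b"constructed-site-key-not-a-real-one"
    lock = Lock(key, room=208)
    t0 = datetime(2012, 7, 23, 12, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    results = {}
    card_a = issue_card(key, 208, 1, t0 + 2 * day)
    results["guest_a_opens"] = lock.present(card_a, t0)
    edited = bytearray(card_a)
    edited[4] ^= 0x01  # try to push the expiry field out without the site key
    results["edited_expiry"] = lock.present(bytes(edited), t0)
    card_b = issue_card(key, 208, 2, t0 + 5 * day)
    results["guest_b_opens"] = lock.present(card_b, t0 + 3 * day)
    results["old_card_after_new_guest"] = lock.present(card_a, t0 + 1 * day)
    results["card_b_after_checkout"] = lock.present(card_b, t0 + 6 * day)
    results["other_room_card"] = lock.present(issue_card(key, 210, 2, t0 + 5 * day), t0)
    return results


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case}: {outcome}")
```

The MAC is what turns "the card has an expiry and a cycle value" into a property the lock can rely on; without it, both fields are only as trustworthy as the card writer. The cycle check also explains the behaviour Cody describes: reprogramming the door is rare because each newly issued card carries the state change with it.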

~~~
javajosh
So they set the card to expire when you plan to check out. But I've extended
my stay (and done late check out) and I didn't have to get a new card. Why did
my room lock let me back in without getting a new or rewritten card?

~~~
daeken
I don't know about other systems, but with Onity systems you have to get a new
card to extend the expiration date. Of course, it's possible they gave you a
card with the incorrect expiration in the first place; happens all the time.

------
mark_g
The poor hacker's alternative:
<http://www.youtube.com/watch?v=WAkJRpKeyYg&has_verified=1>

------
jcfrei
Let's do this AMA thing right here, because my questions might get lost in the
reddit noise. You seem like the prototype hacker to me - what's your personal
stack? like OS, text editor, the computer you use daily?

thanks for answering those 3 little questions.

~~~
daeken
Haha, it seems we already are doing the AMA here.

My stack now is a Lenovo W520 running Ubuntu and KDE, and Sublime Text as my
editor. Over the years when I did this, I was running everything from a
cheapo, hacked-together box to a 13" Macbook Pro, all running Windows Vista/7.

~~~
otoburb
Do you use Backtrack at all, or do you simply craft/download/build-from-source
your own tools as you need them?

Also, did you switch from Windows to Linux because of the available tools and
development environment, or because the Linux desktop had matured enough you
could get sh*t done without worrying about driver compatibility issues or
other common complaints about Linux [lap|desk]tops?

~~~
daeken
I don't use Backtrack or similar tools; the only tools I use that I didn't
write myself are IDA Pro and Burp Proxy (if I'm doing websec work).

As for switching OSes, the primary reason I did so is that my work for my day
job all requires Linux. In terms of reversing, Windows is really the only way
to fly; the tools just aren't there otherwise.

~~~
tripzilch
> In terms of reversing, Windows is really the only way to fly; the tools just
> aren't there otherwise.

Curious, why is that, and what tools are those then?

------
st3fan
I think that making this public is not a very good example of responsible
disclosure and I hope there will be a lawsuit before the presentation to
prevent the details from being exposed.

I am all about exposing vulnerabilities but I honestly think there needs to be
a dialog with the vendor first. Especially for exploits like this where there
is a lot at stake.

I find the excuse of 'there is nothing they can do anyway' very poor. I have
no doubt that this technique is known to locksmiths and law enforcement and
maybe a smaller group of criminals. But making this public and exposing it to
the world will allow any criminal with a soldering iron and an Arduino to
start exploiting this.

Daeken, you have done an awesome job making this known. Maybe that is enough
to get the ball rolling. Or do you just want to do damage for fame and profit?

~~~
m0nastic
This argument has been going around for as long as I can remember, and I think
it's incredibly harmful to researchers (whether they be security or other).

Upon discovering the vulnerability, the only real action he could take which
would be universally considered unacceptable would be to use that research to
go around breaking into hotel rooms (which is illegal).

If he decided to go into business selling devices to bypass hotel room locks,
there would also probably be a majority opinion that that isn't really
"above-board". Even that isn't necessarily universally agreed on though (as
there are a lot of people who argue that providing access to tools isn't
criminal).

But he didn't do that either.

He decided that this was a pretty severe vulnerability (made worse by the fact
that remediating it isn't trivial), and that he wanted people to know about
it.

Hoping that the vendor will sue him to prevent that information from being
disseminated is about the worst possible outcome from research of any kind;
ignoring the fact that you don't seem to posit any rationale for what exactly
they'd be suing about (protected trade secrets? violation of a license
agreement?)

The thing about "responsible disclosure" is that it isn't something that
exists by fiat. It's an intentional reframing of disclosure policies by
vendors to attempt to steer the research community towards doing what's in the
vendors best interests.

I understand their desire to reframe that policy, but that doesn't make it
"the only ethically responsible way to conduct vulnerability disclosures".

Recently, there's been a lot of news about BMWs being able to be stolen
trivially through access to the OBD port on certain models. There's an OSVDB
entry for it and everything‡.

That's another example where providing information to the public was
considered to be very important (like the issue Cody discovered, it's also not
something that can be easily fixed. It's also been ignored by the vendor).

In virtually all other regards, making research public is considered the
responsible thing to do.

While I'm not a card-carrying member of the full-disclosure sentiment, I
strongly disagree that releasing research publicly is boolean irresponsible.

‡ <http://osvdb.org/83707>

~~~
st3fan
I'm not saying he should not publish this at all. I just think it will be more
responsible to try to work with the vendor. Right now he has not even made
that effort.

~~~
danweber
And he hasn't released the source code and hardware specs _yet_. So, although
I think he should have contacted the vendor (even if that could have been
inconvenient for him) before going public, he still hasn't made it trivial for
a third party to go around robbing unattended hotel rooms. It's his choice but
I would appeal to him to not do that.

Full disclosure is a lot of fun, and it increases the status of geeks like us,
so it's really to approve of it. I did when I was in college.

------
tmpaccount
I'm not certain, but in the picture from the Forbes article the lock looks
exactly like the kind used on many doors in my university - the shape is
exactly the same, and ours had the same type of electrical connector in the
same place at the bottom of the lock. I remember because I considered
attacking this interface before noticing the torx security screw next to the
connector; removing this screw allows the panel covering the bottom part of
the lock to be removed (the edge of this panel is visible in the Forbes
photo), exposing the bolt mechanism of the lock. Turning this mechanism one
way opened the lock, turning it the other double-locked it so it couldn't be
opened with the proper keycard.

I wonder if any HN readers have access to an Onity lock to check whether this
method works on them?

~~~
daeken
I'm looking at my test lock (which doesn't have panels on it) and it looks to
me that there's no way you could access the lock mechanism from the battery
panel. With the HT locks I've played with, the locking mechanism sits inside
the door, between the lock itself (with the circuit board, card reader,
batteries, etc) and the back plate containing the deadbolt and such. Don't
think it's vulnerable to what you're describing. However, it should be noted
that if it's used in the university, it's almost definitely the Integra/CT
line from Onity, which is different.

~~~
tmpaccount
Ah I see, no doubt a cheaper, lower-security line. Thanks for the info and
congratulations on your hack.

------
webjprgm
Is the obvious fix to make the programming port available only from the inside
of the room? That's where the screws for physical bolt locks go.

And you can still have a DC power port on the outside in case of a powered-
down door, just no programming access.

Why have they not done it that way???

~~~
endianswap
Probably because if the system glitches out and they can't get into the room
anymore (even with maintenance keys) then they wouldn't ever be able to fix
it?

~~~
daeken
Well, you can always drill the lock cylinder out, but that's a destructive
process. It is _possible_ to do this sort of thing in the right way, they just
didn't.

~~~
rcfox
What happens to the lock when the battery dies/the power goes out?

~~~
daeken
Once the batteries go out (they're not powered on guest room doors), the lock
won't open to keycards anymore. The batteries, though, are on the front of the
door just below the handle (see the panel at the bottom, in the story photo)
and can be replaced from the outside. Otherwise, it's possible to use the
portable programmer's open function to open the lock, if the batteries in the
PP are full enough; that's really iffy and has a tendency to not work, though.

------
kylebrown
What tools do you use for reversing hardware? Did you have to open up the lock
and tap into it with something like a logic analyzer? Or was it as simple as
creating a DC port adapter so you could read the data from the portable
programmer?

~~~
daeken
So, reversing it was sort of all over the place. I first had to reverse the
front desk system and all that; that was primarily done by sitting between the
equipment with a serial proxy and working from there. Once I had a good bit of
data captured, I'd write software to emulate being one side or the other.
Everything is RS232 and RS485, pretty straightforward.

In terms of reversing the actual lock protocol, that was a bit more tricky.
First step was tapping the line between the portable programmer and lock with
an o-scope (a 70s-era HP scope; only thing I could afford at the time, haha)
to figure out the voltage levels involved and the basic properties of the
communication. From there, I hit it with the Saleae Logic to see what the
communication actually looked like.

From there, I wrote some Python scripts to walk over the data from the logic
analyzer and attempt to decode the data. With some tweaking, I managed to
finally see some data that I knew, specifically the site code (which I knew
from other parts of the system).

After I knew all that, it was a matter of figuring out the actual hardware
level. Given that I have effectively no experience with this level of things,
this was a lot of asking questions, googling, and experimenting. I knew that
it was a one-wire protocol, so by reading up on other one-wire protocols I
managed to figure out a lot. Once that was done, everything just fell into
place; making the opening device work initially took maybe a day given all the
info I had.
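The step above where Python scripts walk over the logic-analyzer data, decode it and look for a value already known from elsewhere (the site code) is a generic reversing technique worth seeing in code. The following is an added example, not Cody's scripts and not any Onity detail: the single-wire pulse-width encoding, its timings, the frames and the site-code value are all constructed for this example, and the capture is assumed to have already been parsed from the analyzer's export into (timestamp, level) transition pairs.

```python
from typing import List, Optional, Tuple

# Hypothetical single-wire pulse-width encoding (constructed for this example,
# not Onity's or any other vendor's): each bit is a high pulse, short = 0,
# long = 1, separated by a fixed low gap; a long low idle separates frames.
SHORT_US, LONG_US, GAP_US, IDLE_US = 20, 60, 20, 300
THRESHOLD_US = (SHORT_US + LONG_US) / 2

Event = Tuple[int, int]  # (timestamp in microseconds, new line level)


def encode_capture(frames: List[bytes], jitter_us: int = 3) -> List[Event]:
    """Build a constructed transition list, with deterministic timing jitter so
    the decoder's threshold actually has to do some work."""
    t, events, n = 0, [], 0
    for frame in frames:
        t += IDLE_US  # line sits low between frames
        for byte in frame:
            for i in range(8):  # MSB first
                bit = (byte >> (7 - i)) & 1
                n += 1
                j = (n % (2 * jitter_us + 1)) - jitter_us  # -jitter..+jitter
                events.append((t, 1))
                t += (LONG_US if bit else SHORT_US) + j
                events.append((t, 0))
                t += GAP_US
    return events


def decode_capture(events: List[Event]) -> List[bytes]:
    """Walk the transitions, measure each high pulse, classify it as a bit and
    pack bits into bytes; an idle gap closes the current frame."""
    frames: List[bytes] = []
    bits: List[int] = []
    last_fall: Optional[int] = None

    def flush() -> None:
        nonlocal bits
        whole = len(bits) - len(bits) % 8  # drop a trailing partial byte
        if whole:
            frames.append(bytes(int("".join(map(str, bits[i:i + 8])), 2)
                                for i in range(0, whole, 8)))
        bits = []

    for (t, level), (t_next, _) in zip(events, events[1:]):
        if level == 1:  # rising edge: the high pulse lasts until the next event
            if last_fall is not None and t - last_fall >= IDLE_US:
                flush()
            bits.append(1 if t_next - t > THRESHOLD_US else 0)
        else:
            last_fall = t
    flush()
    return frames


def find_known(frames: List[bytes], known: bytes) -> Optional[Tuple[int, int]]:
    """Locate a value already known from elsewhere in the system, the way the
    site code served as a foothold above. Returns (frame index, byte offset)."""
    for i, frame in enumerate(frames):
        off = frame.find(known)
        if off >= 0:
            return (i, off)
    return None


SITE_CODE = bytes.fromhex("1234")  # constructed placeholder, not a real site code
# Constructed frames: sync byte, counter, payload (site code in the first), check byte.
DEMO_FRAMES = [bytes.fromhex("a50007") + SITE_CODE + bytes.fromhex("3c"),
               bytes.fromhex("a50008999941")]


def demo() -> Tuple[List[bytes], Optional[Tuple[int, int]]]:
    decoded = decode_capture(encode_capture(DEMO_FRAMES))
    return decoded, find_known(decoded, SITE_CODE)


if __name__ == "__main__":
    frames, hit = demo()
    print([f.hex() for f in frames], hit)
```

The round trip through `encode_capture` is only there so the example runs offline; on a real capture the decoder is the part that gets rewritten repeatedly (threshold, bit order, framing) until a known value shows up where a field should be, which is the "tweaking" described above.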

------
thornofmight
How did you practice this and discover it? I can't imagine just wandering
around hotel rooms playing around with the doors...

~~~
daeken
I was working on a replacement of the Onity front-desk system at the time, and
I suspected it existed for a while. In another comment I detail how I reversed
everything, but everything was done on my own hardware, not just random
hotels.

------
wheelerwj
So reverse engineering seems cool. What skills do you find most
useful/versatile/neat/groovy or otherwise necessary for your reverse
engineering projects?

~~~
daeken
I can't really narrow it down to a single specific skill. When I'm reversing,
my steps are generally: figure out how I would design the system, come up with
a set of assumptions based on that, check the assumptions as quickly as
possible, then refactor your model of the system based on what you find. It's
really all about making educated guesses and then checking those; as you gain
experience, you start making better guesses.

~~~
wheelerwj
Okay, very cool. The scientific method, rinse, repeat. How long have you been
reversing?

~~~
daeken
About a decade now, probably. Started with MMOs, specifically Everquest, then
moved on to DRM (which, oddly enough, is what I was in Forbes for last time),
then on to locks and other hardware.

------
rdl
Any idea what locks Caesars and the Rio use?

------
stcredzero
_> HN's Daeken will expose_

You have my attention...

_> security flaw in 4m_

sounding really interesting...

_> hotel room keycard locks._

Oh. Well, still pretty cool.

EDIT: Actually, this kind of thing needs to get a lot more attention and
awareness. I could suggest a certification of some kind, but there's often a
reaction against that. But a certification that just indicated:


    - No passwords in plaintext
    - Not vulnerable to replay attacks
    - No "toy" encryption

Would be of great benefit in today's world.

