
3D reproduction of TSA master keys - monort
https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys
======
mcherm
I will hang onto this and use it as an example of why "government managed
backdoor key escrow" for encryption algorithms is such a bad idea.

~~~
fweespeech
Yep, it is the perfect explanation for why the Government can't be trusted
with "master keys" of any kind.

~~~
wnevets
like the "master keys" for the nuclear arsenal?

~~~
malloci
Bringing up the protection of the nuclear arsenal only enforces the fact that
an encryption "master key" controlled by the government isn't such a great
idea:

[http://arstechnica.com/tech-policy/2013/12/launch-code-for-u...](http://arstechnica.com/tech-policy/2013/12/launch-code-for-us-nukes-was-00000000-for-20-years/)

[http://www.nbcnews.com/id/20427730/ns/us_news-military/t/air...](http://www.nbcnews.com/id/20427730/ns/us_news-military/t/air-force-official-fired-after-nukes-fly-over-us/#.Vfb0Xbfuf1I)

[http://www.aol.com/article/2014/11/03/2-nuclear-commanders-f...](http://www.aol.com/article/2014/11/03/2-nuclear-commanders-fired-another-disciplined/20988136/)

[http://www.rt.com/usa/usaf-general-drunken-women-moscow-529/](http://www.rt.com/usa/usaf-general-drunken-women-moscow-529/)

~~~
avar
You left out the worst incident I know of:

[http://edition.cnn.com/2014/06/12/us/north-carolina-nuclear-...](http://edition.cnn.com/2014/06/12/us/north-carolina-nuclear-bomb-drop/)

The US was one arming switch away from nuking North Carolina in 1961. This and
a bunch of other really scary nuclear-related accidents are covered in Command
& Control:
[http://www.amazon.com/Command-Control-Damascus-Accident-Illu...](http://www.amazon.com/Command-Control-Damascus-Accident-Illusion/dp/0143125788)

------
bluesign
That's a great example for why any kind of 'master key' is dangerous.

~~~
KirinDave
The entire SSL infrastructure we use is not only looking at you side-eyed, but
also asking you if you've checked your SSL root certificate list lately.

Just saying, our life is full of secret master keys. Most of the products
built here rely on secret master keys. There really isn't any way to get
around secret master keys.

The problem here is that we don't trust the TSA to secure said master keys. In
part because it's an incredibly hard problem since any image capture device
glimpsing them can enable reproduction, but also because the TSA doesn't
incentivise its employees well enough (see pay bands here:
[http://www.federallawenforcement.org/tsa/](http://www.federallawenforcement.org/tsa/)
and note that airport security folks won't be making even $70k a year).

~~~
IshKebab
Well, yeah, and SSL's key system is widely regarded as awful and insecure.

That's why things like certificate pinning, DANE (using DNSSEC for SSL
certificates), and HSTS were invented.

~~~
dragonwriter
> Well, yeah, and SSL's key system is widely regarded as awful and insecure.

It's not really the key system so much as the fact that the _first_ step of
trust is broken because end-users aren't directly choosing trusted root CAs,
they are being chosen on behalf of the end users by third parties whose
interests aren't aligned with those of the end user, and who do as much as
possible to remove (or at least obscure) end-user control of that most
fundamental step in the delegation of trust that underlies SSL's key system.

------
flarg
In comparison, I recollect patients at a UK secure hospital being able to
memorise keys at a single glance and reproduce them from memory - my
colleagues had to keep their keys in leather sheaths at all times.

Also -
[https://www.schneier.com/blog/archives/2005/09/shoulder_surf...](https://www.schneier.com/blog/archives/2005/09/shoulder_surfin.html)

------
Danilka
Another example of why HN posting time matters
[https://news.ycombinator.com/item?id=10200641](https://news.ycombinator.com/item?id=10200641)

~~~
dheera
I feel like what matters more (unfortunately) is that you know a bunch of
people who you can get to immediately vote you up.

What might be more interesting is if HN used Facebook login and its front page
ranking algorithm only counted votes from people outside your friend network.

~~~
Shivetya
Oh please no, do not link it to facebook.

If anything, analysis of past voting should give a clue to accounts who game
the system.

------
vermontdevil
Bet you that the officials will double down on this through the judicial
system instead of acknowledging the truth about the absurdity of having a
'secured master key'.

------
lawlessone
Call it what it is, the master keys are a backdoor :-). This should show
people why backdoors are dangerous.

------
TD-Linux
I printed the TSA007 key yesterday and it easily opened a TSA lock on hand.

------
asadotzler
When one can break into most zipping suitcases with a bic pen, rezipping it so
you never know I was there, what's the point of a lock?

~~~
PirateDave
Some locks do have alert features [0] so you should at least know it was
opened. It won't stop a thief, but at least it lets you know when someone was
looking. That is, if it makes it to your destination :-)

[0]
[http://www.amazon.com/Kolumbo-TSA-Lock-2-pack-BLACK/dp/B0106...](http://www.amazon.com/Kolumbo-TSA-Lock-2-pack-BLACK/dp/B010664DDM)

~~~
matmann2001
The comment above is saying that you can get into luggage without even
touching the lock.

You just use something like a pen to break the zipper mesh. Sliding the zipper
back and forth when you're done will re-zip it.

------
willtheperson
Is there such a device that you can put in your luggage that video records the
contents and towards where the person opening it would be standing?

Is it illegal to record someone going through your stuff? I mean, if they are
just looking through it to ensure the safety of everyone, why can't I ensure
the safety of my stuff?

~~~
click170
Be careful about wires and electronics in your bags. If it looks even the
slightest bit suspicious you might find that they've detonated your luggage
instead of delivering it.

Something like a goPro should be fine though, no visible wires and it's one of
the most iconic cameras these days.

------
fit2rule
Seems to me pretty much any lock can have itself picked. Isn't that the point
though? If these are TSA-approved locks, I'm pretty glad they're insecure,
because it'll teach fine lessons about security at a very personal level when
it's breached. Perfect place to put a security lesson.

~~~
746F7475
Just travel with a firearm. You are by law required to have a lock that only
you have access to and a hardcase around the gun, so you can travel with cases
made out of metal with hefty locks that only you can open and if TSA needs to
get into them they have to get you, they can't just pry them open.

And the firearm doesn't have to be loaded and IIRC it can even be a flare
gun, if you don't want to own an actual firearm.

~~~
Vexs
Flare guns in your checked luggage is actually a really good thing to do even
if you aren't concerned about it- I have a friend who works at an airport and
he says that protocol dictates they have to flag and keep special track of
anything gunlike- and flare guns don't need any sort of licence to carry. It
keeps your bags secure and makes sure your luggage gets where it is supposed
to go.

~~~
loopbit
Years ago I read the story of a professional photographer that used that trick
to carry his -very expensive- equipment without fear that the airline would
lose it.

Aha, not the original text I read, but same idea:
[https://www.schneier.com/blog/archives/2006/09/expensive_cam...](https://www.schneier.com/blog/archives/2006/09/expensive_camer.html)

------
Yeri
It's been online for a few days:
[http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-lugga...](http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/)

~~~
Bluestrike2
The article links to the SNEAKEY project, which is pretty impressive. Using a
photo taken from 195 feet away, they were able to duplicate physical keys by
decoding their bitting code from the photo. Never stumbled across this before.

[http://vision.ucsd.edu/~blaxton/sneakey.html](http://vision.ucsd.edu/~blaxton/sneakey.html)

~~~
iMark
When I heard about the keys being reproduced from a photo, I assumed that the
photo was taken of the keys close up.

Under these circumstances, it's an impressive feat.

~~~
Bluestrike2
The TSA key photo was taken as a close up; SNEAKEY is something different, but
the same end result.

------
ck2
Well someone's life is about to get "interesting".

Hope they do not live in the USA.

~~~
Strom
According to their github profile, they're located in France. If they're a
French citizen, then extradition to USA most likely won't happen. [1]
Traveling can still get really interesting though.

[1]
[https://en.wikipedia.org/wiki/Extradition#Bars_to_extraditio...](https://en.wikipedia.org/wiki/Extradition#Bars_to_extradition)

~~~
balabaster
This is assuming that they are indeed who their profile suggests and they
weren't in a coffee shop with no security cameras that they didn't use an
untraceable transport to get to, and didn't use a VPN and TOR on an
untraceable computer... or they took their cellphone with them.

Of course, they quite probably are and quite probably uploaded it from home...
and hoped that any extradition wouldn't get enforced.

~~~
reacweb
As far as I understand the law in France (I am French, but not a lawyer),
providing these files may be slightly reprehensible because it helps to create
illegal copies of the keys. But, there is a strong mitigating circumstance in
the fact that TSA has been careless with its keys.

I think that the author does not risk anything in France. The spirit of the
law is very different in US.

------
valdiorn
Taking bets on when this gets DMCA'd out of existence.

Surely the keys are copyrighted? :)

~~~
balabaster
I'm quite sure enough people have copies of that there's no putting this genie
back in the bottle.

~~~
at-fates-hands
Like a wise man once said,

"One does not simply delete something from the internet."

------
Hortinstein
wow on a side note. I learn to love Github more and more. Had no idea they
have STL viewers built into preview panels. Very Cool

------
viggity
these are not keys to get into a secure facility, they're for fucking luggage.
a rusty hammer or discount $1 pliers will break these things.

Consider me not impressed.

~~~
Uehreka
> a rusty hammer or discount $1 pliers will break these things.

True, but with the master key you could open anyone's luggage, take something
out, put something in, or just examine the contents, and then close it up with
no evidence that you'd done anything.

~~~
loopbit
Actually, there would be a (very) small piece of evidence.

The TSA-approved locks I have to travel to the US have a small red ring. If
the lock is opened with a TSA master key, the red ring appears, it has to be
opened with its own key for the red thing to disappear.

So yeah, you'd know that someone has fiddled with your lock, little more.

~~~
mejari
Simple solution: Travel around until you get your luggage inspected, copy the
notification paper they place in your luggage, place copy in any luggage you
surreptitiously open, boom: TSA did it, not you.

~~~
jessaustin
I've never seen such a paper, but presumably it could include a date and
serial number? If that doesn't match their records, TSA will know something's
up.

~~~
mejari
It looks like this:
[http://i.stack.imgur.com/oR15I.jpg](http://i.stack.imgur.com/oR15I.jpg)

I'm sure the TSA would be able to figure it out, but the goal would be to
leave the person whose luggage it is without any reason to believe something
is amiss or to bring it to the attention of the TSA in the first place.

