
Threat modelling case study: bicycles - calpaterson
http://calpaterson.com/bicycle-threat-model.html
======
alkonaut
The battery powered angle grinder gave thieves the advantage, but you'd think
bike owners would have the advantage now that a battery powered transmitter
can be tiny and easily hidden on a bike. People could (if police isn't
interested in provoking crime which is illegal in some jurisdictions) plant
nice looking bikes with transmitters, wait for them to be stolen, and follow
the bike to what's presumably some kind of stash of stolen bikes. Repeat for a
few years until thieves feel it's too dangerous.

~~~
msla
> People could (if police isn't interested in provoking crime which is illegal
> in some jurisdictions) plant nice looking bikes with transmitters, wait for
> them to be stolen, and follow the bike to what's presumably some kind of
> stash of stolen bikes.

Number One Rule of Internet Legal Advice Forums: "No, that isn't entrapment."

[https://en.wikipedia.org/wiki/Bait_car](https://en.wikipedia.org/wiki/Bait_car)

Those bikes would be equivalent to bait cars, which are well-established tools
to catch car thieves. The car doesn't do anything except sit in a "bad"
neighborhood; everything else is entirely the work of the would-be thief. It's
about as far on the good side of entrapment as you can get without someone's
actual car being lifted. The reason police don't do it for bike thefts is
because police have (or think they have) better things to do than hunt down
someone's Huffy.

> Bait cars are not considered entrapment because they merely afford criminals
> the opportunity to steal the car; entrapment, on the other hand, constitutes
> law enforcement persuading or encouraging a person to commit a crime that
> they would not have committed otherwise.

[https://en.wikipedia.org/wiki/Entrapment](https://en.wikipedia.org/wiki/Entrapment)

> Entrapment is a practice whereby a law enforcement agent or agent of the
> state induces a person to commit a "crime" that the person would have
> otherwise been unlikely or unwilling to commit.[1] It "is the conception and
> planning of an offense by an officer or agent, and the procurement of its
> commission by one who would not have perpetrated it except for the trickery,
> persuasion or fraud of the officer or state agent."[2]

"But officer, the bike was just sitting there!" doesn't rise to the level of
persuasion.

~~~
coryrc
[https://www.seattletimes.com/seattle-news/crime/seattle-bike...](https://www.seattletimes.com/seattle-news/crime/seattle-bike-bait-sting-netted-a-lot-of-homeless-people-but-few-convictions/)

In Seattle, if you are "homeless" you won't be prosecuted for crimes, and
guess who most of the bike thieves are?

------
brudgers
The Lock Picking Lawyer discusses why he uses a thick chain lock for his
cheaper bike.
[https://www.youtube.com/watch?v=SpVOTEOMRuE](https://www.youtube.com/watch?v=SpVOTEOMRuE)

~~~
analog31
This is kind of my approach. I figure, nothing will defeat an angle grinder,
but a piece of chain will defeat wire cutters if there's a nicer bike parked
nearby. Riding a sub-$100 jalopy completes the picture.

~~~
Fricken
Over the 30 years I've been commuting by bicycle, I get a bike stolen once
every 3 years or so. My bikes cost in the neighbourhood of $1k each. It costs
me about a buck a day to travel by bike, which is really cheap relative to
other transportation options. The cost of replacing a stolen bike seems to be
less of a concern for people than the feeling of having been violated and
taken advantage of.

~~~
analog31
That's certainly the case for me. I think I value my bikes more than my car,
though most of my bikes were assembled from piles of old parts. But a bike is
a bike, and a car is just an appliance. ;-)

------
narwally
_"This prevents opportunistic theft but if this space is shared with others
(apartment blocks and offices) it in fact serves to increase the economies of
scale for prepared thieves who break into your storage area late at night with
a van. It's not uncommon for office bicycle stores (with many fancy, expensive
bikes inside) to be emptied out completely overnight by professional
thieves."_

At the shop I used to work at, we had some guys back a pickup truck through
the front window of the store, load the pickup with five or so $8-10K bikes,
and then drive off. We got it all on security camera and it took less than a
minute. They made off with more value than most small banks keep in cash.

~~~
crote
That's a bike shop, right? I assume that means the bikes weren't locked to
anything, or even locked at all.

Where I live, to get to my bike you'd need to:

1. Pass a keyed electric door.

2. Enter locked floor-specific cage (think datacenter cage, but more heavy-duty)

3. Cut lock attaching bike to bike rack.

All while being watched by about 5 cameras. The best part? It's student
housing!

I'd expect any apartment block or office building to have similar or better
security. I have literally never heard of that kind of smash-n-grab happening.
It's just too much risk for way too little reward.

~~~
ornornor
My previous apartment building was secured by electronic badges, several
cameras, and security sitting 50m away (they didn’t have a direct line of sight
though). No one stored their bikes longer than 4–6 months there before getting
theirs stolen. Thieves would go behind people when the door was being operated
and in the case of the parking garage used a van and just fit the rack off, or
for the upstairs bike room cut the locks and loaded the bikes in their van
just outside the back.

It took very little time, it was all on camera, the police never did anything.
I’m actually pretty sure it was the same thief hitting the building every time
because the MO was the same. It was actually safer to lock your bike anywhere
else than these purpose built bike rooms.

Cameras don’t do anything at all, and neither does the police. Thieves know
it.

But a stolen car? The police will be very interested and keep looking.

------
zerni
“What about bicycle insurance? It's fairly expensive here in the UK, usually
10-15% of the bicycle's value annually and insurers typically only pay out
when the whole bicycle is taken (so if your front wheel is nicked, you're
on your own) and when you can demonstrate that it was locked to their
standards. Often these standards require that it is locked up indoors which
means you're chancing it whenever you park away from your home or office.”

None of that is true. I founded a UK bicycle insurer (not your usual one
though).

Our price is locked in max at 10% per year but it’s less if people claim less
in our collective. On average people have been paying 6.5%.

We settle partial and full theft claims. Stolen handlebars are more common
than stolen wheels.

It makes no sense to have a customer prove to you as an insurer that the bike
was properly locked beyond asking “was it locked to an immovable object?” and
“did you own a lock of a certain standard at the time of theft?”. It’s almost
impossible to prove and by that you could always reject a claim.

I haven’t heard of a specialist bicycle insurer which requires you to lock a
bike inside all the time. Why would you buy theft insurance? A lock of certain
rating is enough, depending on insurer between 24h-48h - after that you
abandoned your bike in the eyes of many insurance contracts.

Last note.. of course this article focuses on theft but you’d also be covered
for damage which can be the bigger risk depending on your use case (e.g. road
cycling or mountain biking).

~~~
narwally
For damage, how do you handle things likely caused by poor maintenance? I used
to work as a bike mechanic, and there were plenty of times where a customer's
bike got completely trashed if they had just learned how to do some very basic
routine maintenance and had brought it in to the shop once a year. Things like
riding the bike when the headset or bottom bracket are obviously loose, or
riding on wheels that are very noticeably out of true.

~~~
zerni
Maintenance is indeed tricky.

Our way out is probably that the minimum bike value has to be £500 but the
average customer has a multiple of that value and bikes at home. Passionate
cyclists buy into our concept.

We are looking into how we can institutionalise maintenance a bit more because
there is a strong case to drive down cost further for everyone if a decent
mechanic sees your bike at least once a year.

My personal top tip are chain catchers. It’s a matter of time until the chain
drops and if the front mech is not well adjusted. And if you get unlucky and
have a carbon frame you might rip a hole into the frame.

~~~
narwally
Yep, I've seen that multiple times. Just knowing how to check your limit
screws occasionally would save a lot of people some future headaches. It would
be cool if for a certain price range and kind of bike you could get insurance
that would cover certain routine maintenance costs. Maybe something that would
help cover annual suspension services on high end mountain bikes, or that
helped cover routine tune-ups. As a mechanic I'd hate to have to navigate that
kind of system in order to get paid, but as a customer I'd love it.

Most people just don't realize that they'll save money in the long run if they
just put some money into their bike every year. We had customers that would
buy an S-Works every year or two because they just pounded out miles but never
wanted to pay for maintenance. If they put $500-1000 into the bike every year
they could have kept it 5-6 years instead of the 1-2 they were getting out of
them.

------
II2II
I have had two bikes stolen, both of which fit into the "bike shaped object"
category. Your bike can still be a target even if it is cheap, the main
difference is that you have less to lose.

> Backing up your important data ...

If only I could run an inexpensive piece of software to restore my bike to the
condition it was in before I put several thousand kilometres on it!

------
hokkos
Even cheap bikes are being stolen by crackheads, it is not a deterrent.

I recently bought a 4500€ e-mountain bike, and my solutions are:

- a 20/20 motorcycle U-lock from Abus

- a 15/15 bike folding lock with a vibration alarm from Abus

- a LoRaWAN GPS and movement/vibration tracker hidden in the bike

- only keeping it in my secure parking at work, inside my house or a few
minutes at the grocery market.

~~~
wasdfff
I think the best solution is to assume theft. Even with the GPS position, not
much you or law enforcement will do once it's in a homeless encampment with 20
other bikes.

Buy a cheap lock to deter walking off with the bike, and buy insurance. I pay
$8 a month and if my $1k of bike is stolen, I pay nothing more to get a brand
new one.

------
twic
I built my bike (as in assembled it - i didn't build the frame or the wheels).
It cost something like £2000, or would have cost about that if i'd bought it
ready-made. I chose all the parts to fit my needs as closely as possible -
nice frame, nice but off-brand wheels, cheap bottom bracket because that's all
you need, handlebar and stem reused from an old bike, decent headset, wide
gear ratio, etc.

Because it's built from a random assortment of parts, all of which are now
filthy and scratched, it looks horrific. I do lock it carefully, but i don't
worry about it. Nigel the junkie won't get through the lock. Nor will Rupert,
and he won't see anything he can sell on (except maybe the saddle). Percy
knows perfectly well it's not worth his time.

Having said that, of course, it will get nicked next week.

~~~
strogonoff
Any resources good for learning bicycle assembly and maintenance that you
could recommend by chance? There’re so many available, but if you have started
doing this more or less recently perhaps you remember which would help a
beginner the most?

~~~
narwally
The Park Tool youtube channel is good at explaining things in lots of detail
without being convoluted. It should cover 95% of what you'd need to learn. The
hardest part is trying to figure out what components are compatible with what.
There are more standards for bottom brackets than there are for character
encoding.

~~~
twic
The Park Tool videos are phenomenal.

I particularly like the Tech Tuesday videos, partly because Calvin Jones is so
fun to watch (although he's not just a pretty face [2]), but also because, for
example, this is the first explanation i ever heard of how hydraulic brakes
self-centre that actually makes sense:

[https://www.youtube.com/watch?v=vQXFFgRButo&vl=fr](https://www.youtube.com/watch?v=vQXFFgRButo&vl=fr)

[2] [https://www.probma.org/blog/calvin-jones-more-neednt-be-said](https://www.probma.org/blog/calvin-jones-more-neednt-be-said)

------
LargoLasskhyfv
My favourite solution would be something like this:

[1]
[https://duckduckgo.com/q=japanese+underground+bicycle+parkin...](https://duckduckgo.com/q=japanese+underground+bicycle+parkingbicycle+parking)

------
kop316
I recently bought an expensive ebike to commute, and I decided to get a
kryptonite lock. The primary reason was because of their anti-theft offer:

[https://shop.kryptonitelock.com/atpo_landing_pages/register-...](https://shop.kryptonitelock.com/atpo_landing_pages/register-for-anti-theft-en.html)

I bought a lock that would fully insure the bike, so if it does get stolen I
would at least get the value of it back.

~~~
analog31
Note that you need to recover the broken lock in order to make a claim. Now I
can't think of why the thief would take your lock after defeating it, but I
don't understand the criminal mind.

~~~
hokkos
Having bikes stolen 3 times, I have never found the broken lock at the bike
place. Thieves take all because the owner will lose time trying to remember if
it was the correct place, it leaves no clue if a police car happens to pass a
few seconds later after the bike is stolen.

------
complexworld
My ebike was stolen. It had a good lock, and was on street with significant
passersby. It seemed like there was nothing I could do to prevent that from
happening again.

My solution was to buy a foldable bike that was half the price, and half the
weight of my ebike.

I didn't even buy a bike lock because I never leave the foldable bike parked
on the street. Wherever I go I bring it inside.

------
Gys
I am very impressed by this electric bike that optionally comes with a theft
insurance that will simply return your bike or otherwise replaces it:
[https://www.vanmoof.com/en-US/peace-of-mind](https://www.vanmoof.com/en-US/peace-of-mind) (not affiliated)

~~~
closeparen
I would expect the justice system in SF to come down _hard_ on those bike
hunters. Wonder how they get away with it.

~~~
Drdrdrq
Curious - is there something illegal in the way the system works?

~~~
Rebelgecko
I would imagine there would be similar pitfalls to what you see in places with
legalized bounty hunting

------
gorgoiler
My summary from the article: take down the fence — the middleman criminal who
provides a market where thieves can sell their stolen bicycles — and be
especially ruthless about it.

This is an option only really available to the police. Perhaps there’s a
reason for law enforcement to tolerate fencing though? Maybe there are nuanced
downsides to society if we eliminate the black markets?

Do fences act as some kind of lubricant to the underclasses? Do we allow
fences to exist because, if we didn’t, the desperate / evil thieves would
resort to violently extorting cash instead of non-violently stealing bicycles?

Imagine a future, for example, where the black market for stolen goods is
quashed. It is much safer to lock bicycles up outside, but ATM knife
extortions go up tenfold.

~~~
082349872349872
My wife finds it hard to believe my tales of how things in the US would grow
legs if left unattended, and how sidewalk cafés there would lock the tables to
the pavement and bring the chairs inside at night. (caveat: the "big city"
where I lived when I met her is 30k, hers was 80k)

So I do believe rampant petty crime is a deliberate societal choice, but as to
whether it serves a purpose or why it would be tolerated, I have no clue. All
I can say is that in at least some jurisdictions, lack of bike theft does not
translate into increase in mugging.

Tangentially related (education instead of petty crime) but I still find it
darkly amusing that people who call _Brave New World_'s five colour-coded
castes a dystopia voluntarily sort themselves by five-digit ZIP code:
[https://news.ycombinator.com/item?id=24269640](https://news.ycombinator.com/item?id=24269640)

"I'm really awfully glad I'm a 94301"

------
foobar1962
Worth reading to the very end:

> When threat modelling, a good starting point might be take your attackers
> "needs" and then instead of striving to 'surprise and delight' you instead
> strive to "bore and frustrate".

------
pmontra
> No thief is going to bother cutting my locks when there is a Campagnolo on
> the next rack.

Exactly, lock your bike close to a better one with a similar lock. The thief
will start from that one and could have no time left for yours.

~~~
bambax
This reminds one of this old joke about two people running away from a bear.
One of the guys says to the other: why are you running? You'll never outrun a
bear! And the other says: I don't need to be faster than the bear. I only need
to be faster than you.

~~~
dtparr
Although the National Park Service officially recommends not pushing down
friends when running from a bear, or otherwise using friends as bait or
sacrifices.

[https://m.facebook.com/nationalparkservice/photos/a.74409236...](https://m.facebook.com/nationalparkservice/photos/a.74409236388/10157206218381389/?type=3)

------
avivo
I think this in point. "[Treat] the attacker user personas with the same
primacy as those of the customer user personas — [put] them on a wall in the
office and [have] everyone conversant in their "needs".

Another solid piece that goes into more of the details of threat modeling:
[https://increment.com/security/approachable-threat-modeling/](https://increment.com/security/approachable-threat-modeling/)

------
joshlemer
> "Powertool Percy" will be kept at bay by:

> Nothing, save ensuring that your bicycle doesn't look valuable enough to be
> worth his time this probably means keeping its value down below a few
> hundred pounds

There actually are a handful of products that will successfully defend against
power tools, such as the SAF lock: [https://altorlocks.com/products/saf-lock](https://altorlocks.com/products/saf-lock)

~~~
wasdfff
At what point does the thief just cut your frame? They want scrap metal,
functional bike be damned.

------
wintermutestwin
My insurance policy (renters or homeowners) covers bike theft. Yes, there is a
$1k deductible, but my bikes range from $3-5k each. Is this not a thing in the
UK/EU?

~~~
crote
The Netherlands here. Homeowners insurance usually only covers bike theft when
the bike is actually stolen from inside the home or garage, and there must be
entry damage to prove this.

If you want to insure against bike theft, you need a separate form of bike
insurance. They generally have no deductible, though.

But it's usually not worth the effort. Daily-use bikes are too cheap to worry
about, and expensive racing bikes / mountain bikes never leave your line of
sight while outside your home.

~~~
burlesona
Is bicycle theft taken seriously in the Netherlands? Meaning, do the police
work to stop it? I’ve wondered since there’s such a strong cycling culture
there.

------
sevencolors
I think this is a good list of things to consider for the first two personas.
As for the last persona "Powertool Percy", there are a few tactics you can
deploy. Especially for folks in dense urban areas.

* If you have an expensive bike don't ride it for errands, get a junker that rides well but looks worthless.

* Remove the branding or make it camouflaged with stickers.

* Ride dirty. Obviously keep the components lubed, but let your frame and wheel stay dirty

~~~
crote
The overall idea is to make it not worth the effort.

Making your bike look shit will decrease the perceived value. Other nearby
bikes will look comparatively more valuable, and are thus a more attractive
target.

Using overkill locking will make it too much effort to steal. When choosing
between bikes of similar value, the one which is easiest to steal will be
chosen.

Make it hard to offload. Giving it a shitload of stickers or a weird paintjob
will make it too recognizable. It will be too obviously stolen to sell, again
making other bikes more attractive.

------
ggm
I don't usually support the death penalty, but for persisting bicycle thieves,
I do wonder if, like street-mimes, the pit of snakes is the best option?

~~~
LargoLasskhyfv
I seem to recall that in former times caught horse thieves in the plains and
the "wild west" were quickly hanged. Understandable, as the owners usually
depended on them for their livelihood.

------
TheMagicHorsey
Why not create a bicycle whose frame is itself the lock, such that if you cut
the lock, you are destroying the bicycle itself.

~~~
jeffbee
Thieves often cut the frames anyway, because it takes only seconds to cut
tubular frames with a pipe cutter and the rest of the bike is still valuable
as parts.

~~~
narwally
Yep, the most expensive components on an ebike are the battery and motor, you
can cut the top tube and pull those components out and sell them for 500+ a
piece on the used market. The batteries usually have a lock that is supposed
to keep them from being stolen, but even on the high end brands they can just
be shimmed open with a credit card in a second. I used to work as a bike
mechanic, so learned all the tricks of the bike theft trade just from the
stories from customers coming in after they had their bike stolen or stripped.

If I was a bike thief I wouldn't even be bothering stealing full bikes, you
can just walk around with a set of allen wrenches and a chain tool and make
off with nice derailleurs, carbon wheelsets, full stem and handlebars
mounted with expensive shifters. You will look less like a thief and more like
a guy working on his bike, and if you're afraid of someone questioning you,
just stuff a card with your name and information on it in the seat-tube while
you're stripping it, and if anyone asks you can just pull that out as 'proof'
that the bike is actually yours.

------
mleonhard
Takeaways:

1. Make attacker user personas part of your threat model.

2. Create the threat model openly inside your organization. Get input from
knowledgeable people. Help people to get familiar with it.

------
widforss
I live at a uni campus, and use a pretty good bicycle. But it's in a
sufficiently bad shape to pass as worthless.

I almost never lock it, but use a fixed rear wheel lock that I put in an
almost-locked position so that it looks locked.

The only time I lost it was when it was confiscated by the school due to bad
parking during clearing of snow. I found it in a nearby locked yard a couple
of months later. I won't describe in detail how I got it back.

------
ohazi
Mostly for the hilarity... How much would it cost to make a bicycle lock out
of Inconel?

~~~
GuB-42
If you want to have it machined for you, several thousands. If you just want a
chain, maybe $100.

I don't think it is a good material for a bike lock anyways. It has excellent
heat and corrosion resistance but for strength, I think you are better off
with regular hardened steel.

If you are looking for an unconventional lock, the one I found the most
interesting has a sheaf made of loose Kevlar fibers that fouls angle grinders.

To defeat grinders, some locks contain ball bearings and ceramic inserts. Ball
bearings spin with the cutting disc preventing abrasion and hard ceramic
insert quickly wear off tools. I've never seen these on bike locks though.

~~~
crote
The kevlar fibers don't really work in practice. Turns out you can just use a
pair of shears or a boltcutter.

Examples:

[https://www.youtube.com/watch?v=j7ah3RA0Alo](https://www.youtube.com/watch?v=j7ah3RA0Alo)

[https://www.youtube.com/watch?v=D-On0DGcDlc](https://www.youtube.com/watch?v=D-On0DGcDlc)

~~~
plorkyeran
[https://altorlocks.com/products/saf-lock](https://altorlocks.com/products/saf-lock) sounds more like what the
parent was referring to. It's a good example of clearly addressing a specific
threat model: it doesn't try to be impossible to cut (although the marketing
material says otherwise...). Instead it's just _so thick_ that a 5" angle
grinder can't reach all the way through it in a single cut, and the coating
material is specifically designed to be slow to cut through so that it takes a
long time and requires multiple batteries.

Of course, it still has the obvious problem that the thing you're locking it
onto is probably a lot easier to cut.

~~~
burlesona
Holy cow, 6.2KG!! That’s almost as much as a good bike weighs, and enough
weight to seriously feel it lugging that around.

I guess if you really have to leave your bike locked in public for long
periods of time it could be worth it, but wow, that would not be a nice or
convenient thing to lug around.

------
brudgers
recent comments,
[https://news.ycombinator.com/item?id=24340190](https://news.ycombinator.com/item?id=24340190)

~~~
dang
We invited the submitter to repost that one but didn't hear back, so I told
calpaterson it was fine if he did.

~~~
brudgers
I can see why.

