
In one single image, mainstream media show their utter ignorance of security - jarcane
https://www.privateinternetaccess.com/blog/2016/03/one-single-image-mainstream-media-shows-utter-ignorance-security/
======
dsjoerg
I don't think OP actually read the NYPost article he's complaining about.
[http://nypost.com/2015/09/20/the-8-key-that-can-open-new-yor...](http://nypost.com/2015/09/20/the-8-key-that-can-open-new-york-city-to-terrorists/)

The keys are being sold so cheaply that it is easier to just buy them online
than to turn the published key image into your own copy:
"UltimateSecurityDevices offers 1620 keys at $7.40 each for up to nine, and
$6.66 each for 10 or more. Any order over $249 comes with a 10 percent
discount."

EDIT: My point is that the cat is way, way, way out of the bag. Publishing the
key image reduces the security of this key from 0.2% to 0.1%. It's already
utterly destroyed.

~~~
ams6110
Another point missed is that the lock mechanism on something like an elevator
fire-service switch is not exactly robust, and a person determined to access
it could probably do so quite easily with standard locksmith tools or even a
screwdriver or pry tool.

The keys make casual mischief easier, but would not stop anyone more serious.

~~~
pilsetnieks
The keys make tampering much less noticeable. If you take a crowbar to a
panel, someone will eventually see it and investigate. With a key you lock up
after yourself and no one will know.

~~~
dsmithatx
Actually, looking at that key, any cheap pick set or a couple of bobby pins and
in a matter of seconds I could open and reclose the lock (without having ever
seen the key). Surely any self-respecting terrorist could figure that out too.
If a cheap little lock is all that protects us from terrorism the danger level
hasn't changed too much.

~~~
logfromblammo
A paper clip and a binder clip are usually sufficient to open any keyed
furniture lock in the office where you found the clips. It actually takes
longer to bend the paper clip into the proper pick shape than it does to open
the lock. You can also pick them back into the locked position afterward.

That's a case where having an actual key is less useful than knowledge of how
the locks work, because the key won't actually open every lock in the office,
whereas the clips will.

This is why you make a distinction between privacy locks and security locks.

Most of the locks in daily use by humans on this planet are barely better than
privacy locks. I once unlocked the car, got in, and started it up before the
country music station on the radio made me realize that _my_ car was actually
parked in the next space over in the parking lot. It was a different brand of
GM car that coincidentally had exactly the same body style, paint color, and
locks as mine.

After that, I thought about trying my key in every car in the parking lot, but
I never quite overcame my fear of getting arrested for it.

------
jonstokes
This article is not good. I, for one, applaud the NY Post for publishing the
key. Back when we were all flipping out over electronic voting, I published a
"how-to" on Ars for compromising various popular voting machines, complete
with some codes and other instructions. It was so easy anyone could do it, and
the piece was printed out and waved angrily at various hearings on CSPAN, and
the end result was...

Well, actually, the end result was that some counties went back to mechanical,
and some didn't, and today it's all still a mess and it's impossible to have
any confidence that your vote was correctly recorded. And now, in the digital
age, voting is probably just this cargo cult ritual that we all do to summon
this "democracy" thing that our ancestors once encountered.

Anyway, my point is, just publish the key. That makes it harder for the people
who are embarrassed by this and want to bury it to do so.

~~~
maxerickson
_And now, in the digital age, voting is probably just this cargo cult ritual
that we all do to summon this "democracy" thing that our ancestors once
encountered._

If the current situation is a farce, what description does more than half of
the population being disenfranchised deserve?

States with paper ballots and electronic tabulators shouldn't have too many
problems with election integrity; the electronic results may be tampered with,
but the paper trail is much harder to mess with.

~~~
mikeash
I think there's an important difference between outright prohibiting someone
from voting, and allowing them to vote but not counting it. If you prohibit
someone from voting, at least they know it happened.

Paper trails are great, but are they checked frequently?

~~~
maxerickson
Yeah, the stated election process and actual election outcome have to both be
considered, but my point was more that there aren't any good ol' days to
harken back to when it comes to evaluating how egalitarian US elections are in
practice.

Personally, I'm more concerned that parties have easier access to the ballot
and that people are prevented from voting than I am with records tampering.

~~~
mikeash
Agreed on both points. The potential for shenanigans with electronic voting
machines is worrying, but it seems to be a mostly theoretical problem right
now.

------
danso
So, the idea that "obscurity is not security" is not exclusive to security
professionals. It is the justification that investigative journalists use on a
daily basis in pursuing and publishing their stories. Next time you read an
exposé of a government function, consider that the government at some point
pressured the journalist to back off for "the sake of national security|the
children"...assuming that the journalist isn't a total sociopath, we can give
some benefit of the doubt and assume the reporter believes it's more important
to expose government incompetence completely so that there's no turning back.
That is almost certainly what the NYPost thought here...images draw attention.
They also cost money to print, especially in full color on the inside pages.
This wasn't an accident and the author of the critique shows his utter
ignorance of civic institutions and bureaucracy.

------
hellofunk
Maybe the media was forcing things to change by exposing the key,
deliberately, rather than being ignorant of what their exposure was doing.

~~~
degenerate
This is more along what I think they were doing with this article/picture.

------
mikeash
It's not the newspaper's responsibility to keep secrets. That's actually
pretty much the opposite of their responsibility. If the key was intended to
be secret, then the organizations that use it should have done a better job
keeping it that way.

Somewhat related, it wasn't that long ago that the TSA published their _own_
master keys:

[https://www.schneier.com/blog/archives/2015/09/tsa_master_ke...](https://www.schneier.com/blog/archives/2015/09/tsa_master_keys.html)

And here's a case where a prison _put a picture of their master key on the
cover of a booklet given to every prisoner_ :

[http://www.news.com.au/national/killer-escaped-prison-after-...](http://www.news.com.au/national/killer-escaped-prison-after-being-issued-picture-of-master-key-to-all-locks/story-fncynjr2-1226629878591)

Mainstream media isn't showing their utter ignorance of security so much as
showing everybody else's.

~~~
SixSigma
I did some video work in a couple of prisons. We had to sit with the prison
security team afterwards and watch all the tapes looking for images of keys -
they had already been burned to the £m before.

------
justinclift
Related useful info - "Replication Prohibited", a talk at the recent 32C3
about 3D printing keys:
[https://media.ccc.de/v/32c3-7435-replication_prohibited](https://media.ccc.de/v/32c3-7435-replication_prohibited)

------
kelseydh
Personally I get more annoyed when reporters cover stories about "cyber
attacks" but don't actually go into the details of what's going on -- because
a DDoS is a completely different story from a SQL Injection.

~~~
newsignup
Maybe they publish the report as early as possible and the "fix" is not in
place yet?

------
callumlocke
This article could have been a tweet

------
TazeTSchnitzel
Promotional coverage of something much better covered here previously.

