For a web system that is under attack 24/7 from 255^4 different attack vectors, you need "secure against even absurdly complex attacks" to be "secure."
But for my house? Your average thief isn't going to spend the time to take a high-res photo of my keys. Instead, they're just going to beat me until I give them my keys (the original "rubber-hose crytography") or just take a crowbar to the door. It's just not worth it to use such a complex attack.
(Yes, I can see uses for being able to break in without giving away the fact of the breakin, and I'd be surprised if the CIA/NSA/etc hadn't already used a similar technique, but for everyday life it's just a cool theoretical hack that would make a great plot point in a Neil Stephenson novel.)
Yes, they'll just bean you until you give the key.
You put an easy to open fake safe in a clandestine but still fairly obvious location (eg: behind a picture frame). Sort of like a real life honeypot.
You hook up a surveillance system pointing to the safe or maybe even inside the safe that triggers when the safe moves or opens. Maybe hide a gps chip inside the safe (they are tiny these days).
Bam, you have a photo of the criminal, time of the crime, and you get alerted instantly and silently. Chances are you or the police can interfere in time or you'll have some sort of lead on the criminal since you know what they look like but they don't even know you're after them already.
When this burglar's photograph was taken, he thought he had effectively disabled the home's security system. But he is still able to commit new burglaries, as no one has been able to identify him so far.
"Stewart E. Pesheck, 42, of Minneapolis was arrested on June 9 during a traffic stop in Minneapolis."
It's still an interesting example of the futility of most security attempts. The story notes the earlier surveillance photos but doesn't mention how much they helped.
Furthermore, there's the small matter of proof. Even if you happen to see the person who robbed your house and you locate them a couple days later, it can be hard to prove that they were the criminal. A photo solves this problem nicely.
Anyway, this combined with the fact that in the city many buildings are apartments and not houses (and so you need to climb to get in) means that thieves don't steal large things often.
However the one that broke into my parent's house searched a few areas in the bedroom and successfully found the hidden safe, and proceeded to break into it.
One could eventually get in, of course, but not in the timeframe of a typical burglary. Same problem with regard to moving it off-site.
Depending on the level of physical security surrounding the lock itself, this difference could be as extreme as the difference between knowing the password and having a great rainbow table. In the former case, you can log in as the owner without arousing any suspicion. In the latter case, you have to have some time when nobody is looking (download the hashed password database).
Pretty much anywhere with windows is vulnerable. Break window, reach through, unlock door. I think that's what those robbers did.
Of course, then they could chop your finger off.
But then, that lock allows for PIN code + finger... so after they've chopped your finger off, they still won't be able to get entry without the PIN code.
Or they could just beat you until you opened the door. Traditional methods are still the best.
Don't the finger printers have "pulsox" (pulse and oxygen level) sensors in them like those dinky devices they use in hospitals that just clip on your finger.
Threatening to chop their finger off would get most people to open most doors I imagine.
I'd just like to point out both that I forget things some times and other people are new to stuff all the time.
So, while it might not be NEWS - it is always good to keep stuff conscious.
As an example, I was actively training to lock sport some years ago - but havent done anything in a long time (though I still lie to myself and believe I am into it) - but honestly have never thought of using a secret hidden webcam sized CMOS to zoom in on a lock waiting for the key to arrive.
Fuck, that is actually brilliant.
Now - instead of anything - I need to worry about a secret camera pointed at a keypad (rather than lock).
I ONLY use the keypad to enter my apt building.
At my, now previous, office - I have used the keypad to code entry to the door for 10 years.
I was caught by some anon who lived in the building and she interrogated me as to who I worked for, why I used the code, why not a key etc...
She stated "someone could see you entering that code!" - I replied "I'd see them close to me!" - obviously though I am wrong now.
I thought she was a crazy bitch - but thinking of this, now not so much.
In fact - a small device with a cam and a 3G card with periodic pic uploads is perfect and can be built for cheap if not on the market.
Even my new office has keycode access, where when I went for the interview (over by pixar) I found myself trying to spy on workers of the building entering their codes as they returned from lunch...
You know what would be an interesting defeat of such attacks: in addition to keycode - you have a timing around the entry. i.e. first keypress, wait 2 seconds, second wait 1, third wait 4....
The most I've ever seen used on cheap commercial doors/residential is a pick gun, but 99% of the time it's a boot, ram, pry bar, etc.
They do call in locksmiths to open safes, etc. afterward, to get evidence.
Anyhow I guess your point is still valid. Someone wanting to get in and out of your house without living a trace could use some other means not necessarily involving the door, though most of the time they would risk looking suspicious to potential witnesses.
I think that the certified (EU norms) locks are tested so that they provide something like at least 5 minutes resistance against the best known non-destructive attacks.
This is information I'd want my sister to be aware of, as I can easily see how I'd use it to hypothetically abuse someone.
This is really nothing new thought if you have studied locks at all. All the common keylocks (eg: standard house locks, most vehicles, etc.) have a fixed/known set of tumblers, and a fixed/known set of pin codes. When I was more interested in physical lock mechanisms about 18 years ago I had the GM tumbler height elevations pretty well memorized, plus a good stock of blanks and templates. I could look at most GM keys, "read" the code (like 5,4,4,3,1) and then go off and make a key that would work 90% of the time. Same thing for Ford locks. It was fun to move a friends vehicle in the high school parking lot, but the novelty wore off quickly. This article seems to be the same thing, except rather than having to say something like "cool keychain, can I see it?", you have to take a high-res pic of their key from 300 feet.
Of course the camera can be hidden so that nobody would even see a guy in a van taking pictures, just a guy eating a sandwich who could push a button to take the picture unnoticed.
If you've ever seen Barry Wels at work, you'll understand that this is anything but a far-fetched attack. Someone is unlikely to burgle a house using this technique, but it's a very practical method for determined attackers against otherwise hardened targets. With the prevalence of master and sub-master keying systems, the leak of a single key could potentially give access to dozens or hundreds of locks. Unlike a leak due to loss or theft of a key, there is no way of knowing of a breach in security until an attack is attempted. That's just about the worst case scenario.
A lock keeps out casual thieves, nothing more.
Some places will sell practice locks with pins removed, but do not buy them, they are way overpriced and if you really want to understand the mechanics of locks it will serve you well to bust one open. So go to a hardware store and pick up an inexpensive but not cheap lock, crack it open and remove some of the pins (even all but one), add/remove/reorder the pins until you are really good, and then buy more locks.
Also do keep the law in mind, when I looked it up it's illegal in most if not all states to pick locks that you do not own if you are a not a locksmith (even with the owners permission), which can include obviously the locks on your apartment and locks of friends. You could probably get away with this, but the hacker interest in learning things like lock-picking is not universally seen as benevolent, and it would be stupid to get in legal trouble for a hobby
Get a good lock and a sturdy door frame. It's usually about making it difficult for burglars, not impossible.
This also has me thinking about the "Light Field" story from two days ago. ( http://www.hackerne.ws/item?id=2681554 ) If that technology becomes common, and camera resolutions continue to improve, I bet you could lift people's thumbprints from photos of them waving on Flickr. That sucks if you use a biometric thumb lock like they do in the shared office space I work out of.
Your thumbprint is like a password which you can never change. If your thumbprint appears in a single photo of you ever, there's no locksmith that can help you get that JPEG back from Lulzsec! :-)
But how do you not show something online? If it can be seen, it can be photographed. If it can be photographed, anyone can put it online.
a similar technology has been commercialized: http://dittokey.com/
also similar but relatively unrelated: http://eclecti.cc/hardware/physical-keygen-duplicating-house...
These efforts are unaffiliated with the authors but provide a far more tangible result.
I speculate that within another generation or two of fabricators, people will have something trivially useful to plug the data into -- if they are of a mind. (Automated lathes and whatnot being pricier and eventually less common.)
they're still pretty expensive, but arguing you're in a fairly high rent neighborhood with basic security systems (no keypad requirements, but alarms blare if you force a lock or break a window...Is that even a system on the market?) Anyhow, if you've a van, that's a good five thousand dollars at least. Grab a printer, say another 10k...I dunno how many robberies you need to pay that off, but assuming you intend to make a go of this life of crime, being a guy with the key helps a lot.
By default, the key will be hidden inside it's case. When the user wishes to open the lock, he can just place the key on the keyhole and start inserting it. :)
As opposed to the standard pin tumbler lock where there's a single row of pins, the pins in this lock surround the key from all sides, therefore the protrusions on the key are also all around it.
I know you're not responsible for other people's actions, but releasing this story may do more harm than good.
And even back then, they got it right:
> It cannot be too earnestly urged that an acquaintance
> with real facts will, in the end, be better for all parties.