Hacker News new | comments | ask | show | jobs | submit login

This is perhaps an unintentional demonstration that "insecure against absurdly complex and specific attacks" does not always mean "insecure."

For a web system that is under attack 24/7 from 255^4 different attack vectors, you need "secure against even absurdly complex attacks" to be "secure."

But for my house? Your average thief isn't going to spend the time to take a high-res photo of my keys. Instead, they're just going to beat me until I give them my keys (the original "rubber-hose crytography") or just take a crowbar to the door. It's just not worth it to use such a complex attack.

(Yes, I can see uses for being able to break in without giving away the fact of the breakin, and I'd be surprised if the CIA/NSA/etc hadn't already used a similar technique, but for everyday life it's just a cool theoretical hack that would make a great plot point in a Neil Stephenson novel.)




XKCD did a comic on what you describe:

http://imgs.xkcd.com/comics/security.png

Yes, they'll just bean you until you give the key.


Today's comic also related:

http://xkcd.com/916/


Actually, since my parents' house has been robbed recently, this gives me a great idea:

You put an easy to open fake safe in a clandestine but still fairly obvious location (eg: behind a picture frame). Sort of like a real life honeypot.

You hook up a surveillance system pointing to the safe or maybe even inside the safe that triggers when the safe moves or opens. Maybe hide a gps chip inside the safe (they are tiny these days).

Bam, you have a photo of the criminal, time of the crime, and you get alerted instantly and silently. Chances are you or the police can interfere in time or you'll have some sort of lead on the criminal since you know what they look like but they don't even know you're after them already.


I have seen in my local newspaper an example of a burglar who has been photographed, but who still isn't caught.

http://www.startribune.com/local/west/123030203.html

When this burglar's photograph was taken, he thought he had effectively disabled the home's security system. But he is still able to commit new burglaries, as no one has been able to identify him so far.


Looks like he has been caught: http://www.startribune.com/local/west/124464954.html

"Stewart E. Pesheck, 42, of Minneapolis was arrested on June 9 during a traffic stop in Minneapolis."

It's still an interesting example of the futility of most security attempts. The story notes the earlier surveillance photos but doesn't mention how much they helped.


Hey, thanks for this. One question: how did you find the article?


That's pretty sad, but it's way nicer than having no clue who the perpetrator is. This guy is on local news and now a lot more people have seen his face, so it's much more likely that he'll get busted compared to an unidentified person.

Furthermore, there's the small matter of proof. Even if you happen to see the person who robbed your house and you locate them a couple days later, it can be hard to prove that they were the criminal. A photo solves this problem nicely.


This might work, but my gut says that the average criminal isn't going to spend much time looking behind picture frames for safes: they'll be too busy ripping the plasma TV off the wall and loading your laptops into their van.


I guess this is a cultural thing. In my country, a lot of people keep some of their money in a relatively safe spot in their houses as "just in case" money. It sounds unwise, but many banks have gone down under in times of crisis and it has taken people months to get their money back, even though it is guaranteed by the government. People even keep gold because if you have a crazy crisis and your currency is suddenly worth nothing, it helps to have something that isn't as devalued.

Anyway, this combined with the fact that in the city many buildings are apartments and not houses (and so you need to climb to get in) means that thieves don't steal large things often.

However the one that broke into my parent's house searched a few areas in the bedroom and successfully found the hidden safe, and proceeded to break into it.


I recall in a good friend's home being shown the safe cemented into the floor. Something they inherited from the previous owner -- part of why they were not paranoid about it but treated it more as a bit of a curiosity.

One could eventually get in, of course, but not in the timeframe of a typical burglary. Same problem with regard to moving it off-site.


Are those safes that easy to break into? Or was the guy just that good at cracking safes?


I don't know. It was key access, but it was opened somehow. Guessing it was picked.


Yes, this sounds like an equally absurd idea as copying a key from 100 meters.


Why? It's a weekend project and you don't need much more than some cables, something like an arduino and a camera.


This still seems like a valid low-tech hacking technique. Simply take photos of anyones keys (easy to do if you are planning it out) and run some software. This seems like a potentially big problem for any facility secured by only lock and key (schools, homes, safety deposit boxes, PO boxes, cars, storage, etc.).


Any facility secured by only lock and key is vulnerable to anyone with a pickgun or a lock pick set and a little skill anyway. Security isn't reliant on locks, it's reliant on behavior.


If you make a fake key, then you can walk in with people all around without looking suspicious. You can even act like the owner whilst in a group of non-conspirators. Even with a great picking kit, it's going to look different to anyone looking somewhat closely.

Depending on the level of physical security surrounding the lock itself, this difference could be as extreme as the difference between knowing the password and having a great rainbow table. In the former case, you can log in as the owner without arousing any suspicion. In the latter case, you have to have some time when nobody is looking (download the hashed password database).


So get a big bright "ABC Locksmithing" shirt printed up and carry a toolbox while commiting crimes. Odds are good nobody will notice you then. Or just change the lock and come back later for the theft, now that you have a key.


I remember my elementary school got robbed. We had to sit in the auditorium for a while until they led us past the crime scene into our classrooms. I still remember a forensics guy picking up one of those plastic barrel juice boxes with tweezers and thinking about how ridiculous he looked. They ended up stealing some video cameras and stuff (back in the day pricey), but the police believed they had some inside information because they seemed to know exactly where to go.

Pretty much anywhere with windows is vulnerable. Break window, reach through, unlock door. I think that's what those robbers did.


But you can get biometric locks if you need to: http://www.brickhousesecurity.com/keyless-entry-lock.html

Of course, then they could chop your finger off.

But then, that lock allows for PIN code + finger... so after they've chopped your finger off, they still won't be able to get entry without the PIN code.

Or they could just beat you until you opened the door. Traditional methods are still the best.


>Of course, then they could chop your finger off.

Don't the finger printers have "pulsox" (pulse and oxygen level) sensors in them like those dinky devices they use in hospitals that just clip on your finger.

Threatening to chop their finger off would get most people to open most doors I imagine.


Exactly - I fail to see how this is news at all. Anybody with a camera and internet connection could figure this out in a few days.


>I fail to see how this is news at all.

I'd just like to point out both that I forget things some times and other people are new to stuff all the time.

So, while it might not be NEWS - it is always good to keep stuff conscious.

As an example, I was actively training to lock sport some years ago - but havent done anything in a long time (though I still lie to myself and believe I am into it) - but honestly have never thought of using a secret hidden webcam sized CMOS to zoom in on a lock waiting for the key to arrive.

Fuck, that is actually brilliant.

Now - instead of anything - I need to worry about a secret camera pointed at a keypad (rather than lock).

I ONLY use the keypad to enter my apt building.

At my, now previous, office - I have used the keypad to code entry to the door for 10 years.

I was caught by some anon who lived in the building and she interrogated me as to who I worked for, why I used the code, why not a key etc...

She stated "someone could see you entering that code!" - I replied "I'd see them close to me!" - obviously though I am wrong now.

I thought she was a crazy bitch - but thinking of this, now not so much.

In fact - a small device with a cam and a 3G card with periodic pic uploads is perfect and can be built for cheap if not on the market.

Even my new office has keycode access, where when I went for the interview (over by pixar) I found myself trying to spy on workers of the building entering their codes as they returned from lunch...

---

You know what would be an interesting defeat of such attacks: in addition to keycode - you have a timing around the entry. i.e. first keypress, wait 2 seconds, second wait 1, third wait 4....


Or fake key presses.


@cloudwalking At first I thought that fake keypress would not work if you were expected to open the door; meaning youd actually have to perform the correct press to get the door open... But you could conceivably either fake a press before - or do a bunch of presses afterward to fake the sequence... I guess this really needs to be tested - specifically against the ability of the camera/viewer to be able to tell when the 1/4" depression of a key really occurs. I think the take away here, though, is for anyone using a keypad to act like they pressed 10 keys rather than the requisite 4# sequence. Ideally with the 4 numbers non sequntial in your finger movements.


I've done this for year when entering my pin code for making payments or cash withdrawals. I position my hand so that it obscures all the keys, and then move one finger a tiny bit that does the actual key press, and another finger in an obvious way to make it seem as if I'm pressing another key as the one I'm actually pressing.


I go one step further - I consciously think of another number as I enter my PIN, just in case a Telepath is nearby!


It is also another thing to worry about when governments go into mass-surveilance camera-placing frenzy on the streets.


Government agencies can open doors in few seconds without taking a picture and creating a duplicate. It takes trained locksmiths few seconds to open doors without breaking it. Its only about will to get in.


Most of the government agencies I've observed open doors in less than a second without reliance on locksmiths or key decoding.

The most I've ever seen used on cheap commercial doors/residential is a pick gun, but 99% of the time it's a boot, ram, pry bar, etc.

They do call in locksmiths to open safes, etc. afterward, to get evidence.


Picking/banging a lock leaves forensic evidence that a duplicate key would not, even when performed by experts. Google "lockpicking forensics" for lots of information.

Anyhow I guess your point is still valid. Someone wanting to get in and out of your house without living a trace could use some other means not necessarily involving the door, though most of the time they would risk looking suspicious to potential witnesses.


"It takes trained locksmiths few seconds to open doors without breaking it."

I think that the certified (EU norms) locks are tested so that they provide something like at least 5 minutes resistance against the best known non-destructive attacks.


If it was an iPhone app (anybody?) then its really not so far-fetched. It would be easier and cheaper ($1?) than risking exposure to the homeowner and possible identification.


Maybe there's a hugely male, and young populance here, but I'd like to point out that theft isn't always the intent of home invaders, and that in a lot of cases, the really scary people want to get in without alerting you to it.

This is information I'd want my sister to be aware of, as I can easily see how I'd use it to hypothetically abuse someone.


Some thieves are dedicated. Sure, they might not bother with this, but I'd rather be safe than sorry.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: