padlocks with backdoors - TSA approved

Allen netsecurity at sound-by-design.com
Tue Feb 27 00:23:30 EST 2007


Hi Hadmut,

Welcome to the world of total stupidity. I was in the hardware 
store the other day and looked at those cheap luggage locks and 
thought about how thieves might be able to utilize the weakness 
of the system to rip off people, but then..., well I looked at 
the Master brand, generally a good brand, and a couple of other 
combination lock brands in the $30 to $45 USD range where you can 
set the combination to whatever you want. Guess what? They all 
seemed to use the same key to enable setting the combination. 
Now, granted, you have to open the lock first then you use the 
key to release the cylinders to set the combination, but it seems 
to me that with a little work one could figure out how to bypass 
the security mechanism to open the lock quickly.

Then, too, there are some great lock picking sites on the net 
that will teach you how to pick even so-called security locks.

Much like DES slowed people down until they developed the 
technology to overcome the encryption, locks are only as good as 
the lack of knowledge that the average crook has.

Look up the Kryptonite motorcycle lock that was about $65 USD and 
a kid in a bike shop figured out how to hack the lock with a 
$0.19 USD BIC Pen. Lock had been made and sold for twenty plus 
years with the same weakness in design.

That was truly a zero day exploit.

Oh, and another story for you on failure in design. We are 
thinking of re-financing our house. The mortgage company keeps 
all the personally identifiable data in encrypted form in their 
offices, but when they send me the quote it's in plain text in an 
e-mail!

Thinking through all aspects of the design and application of a 
security model is mostly lacking as far as I can tell.

Best,

Allen

Hadmut Danisch wrote:
> Hi,
> 
> has this been mentioned here before?
> 
> 
> I just had my crypto nightmare experience. 
> 
> 
> I was in a (German!) outdoor shop to complete my equipment 
> for my next trip, when I came to the rack with luggage padlocks 
> (used to lock the zippers). 
> 
> While the German brand locks were as usual, all the US brand locks 
> had a sticker 
> 
>    "Can be opened and re-locked by US luggage inspectors". 
> 
> Each of these (three digit code) locks had a small keyhole for the 
> master key to open. Obviously there are different key types 
> (different size, shape, brand) as the locks had numbers like "TSA005" 
> to tell the officer which key to use to open that lock.
> 
> 
> Never seen anything in real world which is such a precise analogon of 
> a crypto backdoor for governmental access.
> 
> Ironically, they advertise it as a big advantage and important feature, 
> since it allows to arrive with the lock intact and in place instead of 
> cut off. 
> 
> 
> This is the point where I decided to have nightmares from now on.
> 
> 
> regards
> Hadmut
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
> 
