My associate this morning is Matt Fiddler, who is a Security Consultant and Foreign Military Intelligence and does a lot of security work, both hardware and software. The impetus for this discussion this morning grew out of last year, the conference in New York. I was part of a panel involving some vulnerability of locks issues, which is what I made a deal with. And as a result of that, there was a lot of controversy that was generated in the locksmith community and to a lesser extent the security community with regard to the ethics of disclosure of vulnerabilities of locking systems. And so we decided that we put together a presentation and really would like at the conclusion of our PowerPoint to solicit from you folks as to what your thoughts are so these will be taken back to the hardware security community. Essentially the locksmiths and their organization have determined that there should not be any disclosure of defects or vulnerabilities other than the security professionals and security management and other locksmiths. I don't particularly subscribe to that theory nor does Matt. We want to go through why we do not. This obviously has been dealt with in the logical security community a long time ago, but not really in the hardware community. And so we'll present a PowerPoint first, Matt will do that, and then we want to solicit your comments and input. Good morning everybody. So as Mark said, we're going to run through this pretty quick so that we can hop down and we can use the input. So this is what AC hops of the type of bypass that does not require sophisticated tools, expertise and time, the type of tools that I routinely deal with versus the ballpoint pen opening the tubular lock trick, that's the type of bypass that we're really talking about. The simple, really defects or problems that lead to the ability to circumvent a locking system. Okay, well the legal issues are real simple. 
The real question is what does the end user have a right to know about the security products that they're buying and using and what's the liability for the locksmith or architect or hardware vendor if they don't tell you about a vulnerability and you put in that system and then you suffer a loss, somebody gets injured, somebody gets killed, there's a major theft, there's a compromise of information. Who's got the liability or is there any liability and especially involving federal and state statutes regarding the disclosure of protection of medical information, financial information. These are serious legal issues. The locksmiths really haven't come to grips with them and frankly don't understand a lot of the problems that can face them and as an end user security administrator or person responsible for physical security, the real question is how much information do you have a right to know in order to make the security assessment? If you rely on a security consultant to make that assessment for you, that's fine but if you're charged with the responsibility and fail to have all the needed information then you really can't make that assessment and then who is liable. Those are really the critical issues. I'm sure most of you have governed physical access control. Security defect or persistent to be bypassed, do you take it to the manufacturer without making it public or do you make it public and that's really an interesting question because if you take it to the manufacturer and they have a large embedded base of security products, do they make it public? The responsible manufacturers will, a lot of them will not, so where does that leave the end user? In a closed group. The other issue is it's a propounded okay if there's a known vulnerability in a lock or piece of hardware, okay you can tell the public yes there's a vulnerability but you can't tell them what it is, what does that do for you? 
In our view nothing because the minute you disclose there's a hardware defect somebody's going to find it and if they find it they're going to publish it. A lot of locksmiths haven't heard of the internet yet and so they still believe that there are secrets out there and as we keep trying to tell them there are no secrets anymore. Since it's a security defect, I think defect versus an exposed vulnerability because there's a continuum of vulnerability versus a real significant design defect. Let me even take it further. The real question is who has the need to know and let's talk about one of the security releases we did last year. I found a vulnerability in gun lock, gun trigger locks. Really serious vulnerability to the point that literally I shot a video in Toronto with an 11 year old kid removing three of the most popular gun locks off a rifle in seconds. Should that vulnerability be disclosed to the public or how should they be warned because at some point some kid's going to get hurt or killed by removing one of these gun locks that their parents mistakenly believe provide security on that weapon. It's a perfect example where there can be tragic results. Do you disclose it? Do you not disclose it? When I talked to one of the leading manufacturers in the industry who I did some work for a long time ago they didn't want it disclosed. They didn't think it was a big problem and they weren't talking about it. And they happened to this day and they continued to manufacture the locks. And these are major manufacturers that are putting this material out there. Every hardware store and sporting goods store in the country sells them. Should that be exposed in the national media? We'll talk about that in a minute because you say yes until you're the parent of a kid that reads a report on the internet and then goes and pulls a gun lock off a weapon and shoots one of his classmates and then you're going to be coming to me saying what the hell did you publish it for? 
Because my kid wouldn't have known about it if you didn't publish it. That's the problem. We'll talk about it in just a minute. Right, well that's the attitude. Actually we took the attitude that we didn't publish it directly. We charged a $3 fee for the report so that you'd have to have a credit card to buy it which would eliminate virtually every kid from buying the report. And that's how we control distribution. Yeah, that's it. In the hardware locks and hardware environment. Okay, there you go. So you're all familiar with the controversy when we were in the New York Times two years ago on top level master key as I've referred to it in my disc set and my book, Extrapolation of the Top Level Master Key. Very, very serious security vulnerability. Basically anybody in an organization that has access to one key to one door that is on the top level master key system can compromise that system unless they have the proper locks installed, they can code it properly and they have the proper restricted type of blank with sidebar coding. It's a serious, serious problem. Huge. And that we compromise national security. Now then of course they turned around and said yes but every locksmith has known about this for 50 years so it's no secret. So of course there would be a slight inconsistency in that position but it shouldn't have been disclosed notwithstanding everybody knew about it. Everybody except the consumer. I can tell you the first two days that we posted that on our website we had 100,000 hits and I had thousands of emails from security administrators from colleges, governments, hospitals, schools wanting to know what to do about their laptop locks which escalated into the bike lock issue and into gun locks that used tubular locks. The problem isn't with the tubular lock. The problem is with inexpensive tubular locks that aren't designed properly. Now as a result of that and I can talk about Kryptonite, they really did the right thing. 
They woke up one morning to all the flood of media and it was sort of, it was a big surprise for them. And so they spent a couple days looking at the issue and then they finally made a corporate decision they were going to replace every lock which I believe was the very responsible thing to do. There was frankly there wasn't anything else they could do. They, the management of Kryptonite which is a sub company of Schlage Lock, they made the decision to bite the bullet. They admitted the problem and they offered a free replacement no matter when you bought your lock. They today have replaced my understanding about 350,000 of them at a cost of about 10 million or more to Schlage. That is the responsible way to do it and they've redesigned their lock and so now it is a very secure piece of hardware. In fact it has a security rating in Europe from the rating agency. They're not going to be easily broken. Now that would never have occurred if actually we hadn't released our initial report and then one of the bikers picked up on it and described the vulnerability for Kryptonite locks which have been and are the leader worldwide in the industry. And so it's a prime example. You know the bottom line is don't kill the messenger for the message. If you have a security defect or vulnerability in your hardware, fix it or don't sell it. That's really the bottom line. Now obviously a lot of lock manufacturers don't subscribe to that theory but they should and the consumer really dictates that. Other vendors and we're not going to name names but I can also tell you that they are because I'm in contact with a lot of them. They are implementing design changes to frustrate the problem. It's actually a very difficult problem to solve. It's not quite so easy as everybody thinks but all of the vendors that I'm dealing with they are taking a responsible approach now and they are solving the problem. I guess the bump keys are 999 key. The highest position key is inserted. 
Yeah actually it's Mr. Newton from England from 300 years ago that helped us out on that with his third law of motion. He just didn't quite foresee it at that time but that's exactly what it is. For every action there's an equal and opposite reaction and basically when you rap on the pins in a specific way you create a few milliseconds of gap and you can open the lock. I did some television interviews back at home demonstrating this because it is a very big security vulnerability. Barry Wels has done a lot of work with it in Europe and there's been a lot of publicity not so much in America yet but it is a problem for every standard conventional pin tumbler lock. Not for most of the high security locks. But again if the public doesn't know about it then literally somebody can walk up to your residence door, your business door and in two seconds open it with no damage and no real evidence of entry. Right. And coming in a certain way. Yeah let me just address that for two minutes. It's about seven or eight years ago I got a phone call from a locksmith in Hawaii. Elsafe, which is the largest in-room safe manufacturer in the world, they're owned by the ASSA ABLOY Group. It has over a million safes in luxury hotel rooms and virtually all of them are insecure and they were at that time although they rated them as high security safe. I looked at it, documented the defect and frankly had a sixteen-year-old kid that was working for me in the office for the summer open it with a screwdriver and a paper clip in about one minute. And this was brought to the attention of Elsafe. They really didn't fix it. They didn't acknowledge it. They didn't acknowledge that I even existed because of the massive lawsuits that would have flowed from it. This is a perfect example. Hotel guests have no clue. I've done a lot of work in the hotel liability area. A lot of hotel locks are not secure. 
They should not be relied on and the hotels they're concerned but they're not concerned because they have statutory exemption from liability and they have insurance. And so it's a problem and again as a consumer you ought to be aware of the problem. TSA luggage locks. Everybody's using them to lock their luggage when they fly. They're very insecure. We put out a security alert and demonstrated how you could take a piece of plastic from a credit card and open the most popular ones just by sticking a little piece of square plastic in the key way. This is not security and the real problem in that area is not theft from your luggage because it's easy to rip open luggage. The real issue in my view and I did a magazine article over in Europe on it is that contraband can be put into your luggage after you think it's locked. And if it's not caught in security then it can be a real serious problem. Mul-T-Lock is a telescoping pin. Very high security lock. They're made in Israel. I've been to their factory many times. They're also part of the ASSA ABLOY Group out of Finland. Eric Michaud actually thought he came up with a compromise. When you are talking about bypass of locks, especially high security, one of the criteria is repeatability. And which I don't believe can be shown in this particular bypass. Opening one lock doesn't mean anything. Opening all of them or 99% of them reliably within a time frame means a lot. That has not been demonstrated with Mul-T-Lock. And frankly I don't think it will. I've done quite a bit of analysis on their locking system. It wasn't a very secure device but it was published. And the flip side of this argument is it should have been published until it was truly documented. Theoretical in the laboratory is one thing but you don't cause a manufacturer problem or you don't cause the public a security concern unless you can document it. And so that really is the flip side of this argument. There's a lot of material on the net. 
There's some on our website that's publicly available. A lot of it's restricted but there's a lot of material out there. You really have to understand these systems. And again, it all comes down to what is your need to know, which is where I think we ought to begin this discussion. What is your need to know from manufacturers about vulnerabilities? I think we ought to start off. What do you all think about the gun lock issue? And should we have disclosed it? That's almost unanimous. Anyone for a free copy of LSS Plus? But ask your question. Actually Matt, maybe they ought to come up afterwards because otherwise it's going to take time into the presentation. Maybe they ought to come up to get CDs afterwards. Why don't we do this at 10 to 11 so that we don't take time into this? Can you comment on electronic access control systems at all? Vulnerabilities? Can you comment on the vulnerabilities of electronic access control systems? Well, actually I just did a survey, a study of all of the access control technologies for one of the government agencies. Some of them are secure. Some of them are marginally secure. There's been a lot in the media about how things can be compromised. The real question is if there's a security vulnerability on the electronic side, should it be published? What's your attitude? Okay, so should it be published? That's exactly correct. But the question is should it be published? Yeah, you need to use a microphone. I believe it should be, but manufacturers should be given some disclosure period so that they can react to it. That is the responsible way to deal with it unless national security is involved. Yeah, I mean most manufacturers, us included, are working on preventing these things and coming out with new technologies and it would be unfair for it to be disclosed before we had a solution to it. I agree with that. Okay, next question. Hello. 
My concern is with the HID card systems that I installed just about every server I had a chance to work in. And to date, I have not seen any published reports on any vulnerability on the system. I'm sure they exist, but what I'm basically concerned about is electronic systems. Well, obviously, Matt, maybe you should address that, but the old systems obviously were compromised and newer ones were a little bit more difficult. Matt? HID has, their traditional proximity-based cards have been compromised. There is public information out there to duplicate a card. The new HID iCLASS cards defeat that capability, but there is publicly available information on the HID cards. Next. What do you think about a peer review system like they do in scientific journals for lock security? Say that again. So in scientific journals, what they do is they sort of publish them and then let everyone verify it before it's considered good. Do you think it might apply well to locks? I think that happens on the internet about locks. It's just that it can really cause a manufacturer problem if you publish that there's a vulnerability. Well, I mean, do you think we could sort of engineer a place where you could publish a possible vulnerability and people wouldn't lose their head? I don't think so. I think that'd be all right. So my theory and Matt's theory in all this is the more people that are looking at locks the better because all it can do is improve the end product. There's a lot of sports lock-picking clubs in Europe. I go to some of them and routinely visit with them, speak and learn. They're just starting in America and Matt can address that more, but I think it's a good thing because there are engineers, lawyers, doctors, teachers, kids, housewives. To pick a lock is an intellectual challenge. It's not just mechanical. To me it's much better than chess. I've been doing it since I was 15 and it's intriguing. In fact, I'm doing a new book on the subject and it is really intriguing. 
And so the more people that are looking at locks and finding potential exploits in my view the better and the responsible manufacturers will agree with me. They want the input because at the end of the day they want to make the best locks possible. End of story. Next. So briefly, lockpicking101.com is the definitive source for information. They've started some lock sports organizations. There's one in Europe that Barry Wels runs, it's Toool. I think the URL was in the presentation. So lock sports are picking up. Clearly we have lockpicking competition here. It's a blast. It's a lot of fun. So I'm curious to get the thoughts on going back to the tubular gun lock issue. If you remove, as far later as you want to go, that also includes sales, store locks, two gun stores. Given the number of lawsuits that have come against gun manufacturers for what has happened, do you believe there will be a change before there's a lot of lawsuits against gun lock manufacturers for the same thing? No. You know, it depends. If they're negligent, if it was purely a negligent design, yes. The real problem in lockpicking and decoding and impressioning is one of expertise and skill level and time and tools required. If a 10-year-old kid can open a gun lock by rapping it on the floor or sticking an ice pick into it, which is what I demonstrated, and pop it off the weapon in two seconds, I think they're going to get sued if somebody gets hurt or killed. It's a defective manufacturer and they all copied each other's defects. If it's more esoteric than that, no. Well, the reason why I mention that is a lot of the lawsuits that have been against the manufacturers of guns have just been because of guns. Yeah, that's right. And so going along those lines, if we do end up with something like a mandatory gun lock law, which could happen, given the fact that the locks actually work and you're still able to use a weapon, do you see that going down the bad path? 
Yeah, I mean, if the gun locks work and I'm dealing with some manufacturers in Europe on this issue, if they work and then there's a defect and you're able to fire the weapon that puts them a lot closer to liability, I'm not sure gun locks are a really complicated problem. Next. In the American patent system, we're dealing with software now and it's speculative innovation looking right. I was wondering if you think that I was wondering about your opinion of whether or not the American patent system is stifling or helping innovation in the creation of locks. Yeah, I think it's helping. I mean, look, if you're inventive and create something that is unique and provides security, some of them do, some of them don't, the patent doesn't guarantee security. I think our system rewards you for that and it gives you a monopoly on that product for 20 years. Every major design defect in locks is described in patents to improve it and so I've done a lot of research in the U.S. and English patent offices to find out vulnerabilities when I write books and so, you know, it's a positive thing. So harder designs actually do make it into multiple vendors of locks. Yeah, oh sure. Yeah, look, there's nothing new in locks. Everybody copies everything and modifies it for patents. Yes, sir. Hi. You mentioned the full disclosure of certain cases of national security. If you found out that some government organization was using a certain brand of lock and you knew that this audio system was not really good. If you found out that some government organization, like some base, was using a certain brand of lock and you knew there was a streaming vulnerability and you brought it to, you know, either the attention of security forces or someone in charge of security on the base or an organization and they didn't do anything about it. I mean, how do you normally handle that? I mean, what do you just... Well, that's a real judgment call. 
I've brought vulnerabilities to GSA's attention and did not publish them upon their request. Even though their first comment was if it's not covert, we don't care. If you have to drill a hole in the lock, we don't care. So, okay, we're going to publish it. No, you're not. Why not? Well, because it's a security problem. Well, but these locks are used in the banking industry and everybody ought to know about it. No, they really shouldn't know about it and if you publish it, we'll classify it. Now, that was the government's response. I wasn't afraid of their response because I don't think they could sustain that, but I didn't publish it because it was a responsible thing to do. About five years ago. Regarding the situation where you disclosed the manufacturer first before the public giving them a chance to do what Kryptonite did. Right. What kind of turnaround time is reasonable for a manufacturer to be able to reach them? Oh, I think Kryptonite was pretty reasonable. They did it in like two months. Really? Yeah. They had a huge problem and they acknowledged it and they fixed it. I mean, they did what they were supposed to do and it cost them 10 million bucks to do it. And with no questions asked, you know, they didn't depreciate the, if you had had that lock for 10 years, they still gave you a new one. They didn't depreciate the value like your insurance company would do on your homeowners and say, well, that lock's only, you know, you paid 100 for it but it's only worth 25, so now we're going to give you a coupon for 25 to go buy a new one, which would have been a marketing demand for them. They didn't do that. They just replaced it. They said, hey, you know, send us your lock or send us proof we'll send you a new one. I don't know if they, I don't know if they probably not. I don't know. But they do have a better lock now. It's a tough lock. 
I understand your argument about the fact of, you know, being something that maybe a 10-year-old could open versus a skilled person, but, you know, I don't have any 10-year-olds running around my corporation and if I go to buy a lock to lock the data center door, you know, I want to be, I think as a consumer, I'm surprised that the Consumer Product Safety Commission or somebody else wouldn't go after manufacturers because, you know, we've had Firestone for the Ford tires on the SUVs. People got killed. People got killed, but, you know, I mean, if I locked my house and a skilled burglar comes in and murders me, you know, I'm killed. Vioxx, the anti-arthritis drug, it was, you know, clearly uncovered that they knew there was a problem and swept it under the rug and they're being punished for that fact. Will this happen in the lock industry? I don't think so. It's a different set of problems and frankly the problem is, in all those cases you've named, actions. Here you're dealing with somebody that's violating the law and you really can't control that other than criminal statutes. That's the sanction. And so the real question again that nobody's really addressed yet is what's your, how much information do you think you ought to be entitled to from the lock manufacturer and who ought to be entitled to it? Yeah, that is true. But, yeah, I agree. But it's a little more complicated. That's right. Now they're trying to sue the gun manufacturer. Right. Well, yeah, okay. But that's not going to go anywhere. Next question, because we're running out of time. Instead of waiting for a lock manufacturer to invest marketing dollars and then pissing them off by releasing a security breach in their lock, you think the manufacturers would consider almost like a hardware open source review of their design before going to market so that they can know it is wrong? Why not? No. But isn't it better than waiting? 
Well, first of all, until they receive a patent they're not going to publish anything. That's the way things work. And I mean, part of the security of locks is you not knowing how they work. But did you just prove security by obscurity doesn't work? Yeah, well, actually, I'd prefer to call it security by ignorance. And that's really what it is. Because, look, if you're a security manager, IT professional, you're charged with a physical security responsibility as well as logical security. You can't make the risk assessment in your organization unless you know what the bypass techniques are and are shown what those are. If they'll tell you that, I don't have a problem with their policy. I don't think we ought to be telling criminals how to bypass locks. If you have a need to know, because you have a protection responsibility, I think you have a right to know everything about that lock. Now, unlike software and Bill Gates and everybody who doesn't tell you, doesn't give you the code, if you're smart, you can take a lock and it'll tell you everything about itself. So if you're smart enough to figure it out, then is there anyway? But I think you have a right to know that information. How can you differentiate between a consumer and a possible criminal? Well, that's a real good question because if the consumer relies on his locksmith or their locksmith as their security professional, then no problem. Let the security professional say, look, yeah, there's a vulnerability. You don't need to know what it is. I mean, my mother, she puts new locks on their house. So is it secure? And how long would it take a competent burglar to open it? Well, first of all, burglars don't open locks by picking them. These are crowbar brick. 99% of the burglaries are done that way. We're talking about more sophisticated burglaries and information theft and compromise the data and that type of thing. So next question. 
Just a quick question about you saying that 50 years they knew how to circumvent and wondering if the information space in lockpicking is a lot tighter than information security because 50 years the public hasn't heard about this. Honestly, they really haven't. It's really quite amazing. This has been around for a long, long time, especially on bumping and on master keying. A lot of folks know about it. The locksmithing community was aware of it. The problem was they weren't telling their end user customers. A lot of them didn't understand it. They had no way to assess their risk. So the second part of the question ahead is for the Kryptonite locks, I don't know a lot about locks but I know about bikes and I haven't seen, before this vulnerability was published, anyone whose Kryptonite lock ever was really knocked open. I'm sure there are, but I don't know if you have any statistics. Actually, what we published of variants of that was published about 10 years before in the UK. Nobody paid any attention to it. If you understand lock picking theory and impressioning theory, then it's a real simple deal. Thank you. Next. Yeah. I'm going to travel locks for a second. About 10 years ago, actually maybe 12 or 13, we had something, an attempt by the government to put something in place called key escrow in cryptography. Would you consider the quote unquote TSA safe locks to be a form of physical key escrow? No. First of all, they're $10 cheap locks and the problem is the public doesn't understand that. They think they're buying security and it's a matter of convenience. Look, you have two choices. If you want to lock your luggage to prevent pilfering, allegedly, then you put a lock that TSA can get into because otherwise they're going to cut the lock because they have a legitimate interest in seeing what's in your luggage and the story. That's why TSA locks were developed. 
A trade organization got all the lock manufacturers together, established criteria for five different kinds of locks that all have master keys or a bypass key that TSA can get into. That's their sole purpose. But isn't that that's not a form of key escrow? It's not a form of giving them, here's the pattern for the key to get into the lock? In that regard, yeah. But I don't think anybody's going to disagree with TSA to have the right to check your lock. No, I'm not disagree with that. I'm just saying that this is... It's a loose parallel. I don't think that's exactly it. Okay. Yeah, actually I would just... I travel a lot and I would recommend instead of using a lock, use a penetration tag. Use like the little wire tags or something like that. At least that way you know if somebody broke into the back. You tagged it. You know when you pull it... Yeah. The lock, he said, you can stick something in there, lock it back up. Well, it's not TSA that I'm worried about sticking something back in there. They'll steal it. They won't put it back in. Well, that's been documented. There's been lots of arrests. The problem is your hotel porter in London putting something into your locked luggage that you don't know is there, either in narcotics or explosives or whatever and you think you're okay because it was locked. That's where I think the problem is. We've got time for one more quick question. Yeah. Okay, Mark, a year ago at HOPE you talked about the idea of a national security college. Do you have a comment about that idea and is that used to looking into doing something with that? I'd love to do something with it. I had some media interest with nobody because America, nobody does anything. I think it's a great idea, though. Are we out of time, man? Yeah, we're out of time. Thank you very much. Pleasure.