I tend to hold my keys in my hand when I insert those keys into a lock, so I suspect that taking photos will be somewhat harder. Photographing people's PINs at an ATM or similar location is a numbers game - for every 1000 people, you might get 10 or 5 PINs, which makes the endeavour worthwhile. Installing surveillance outside private property would involve 1000x the expense, probably making it not worthwhile. And if you install your own counter-surveillance, then even if your physical key is compromised (assuming you only have one lock), you can record the perpetrators in the act, and claim on insurance and report to law enforcement.
In my line of work, I've seen this 1000 times:

- Solution 123 (doesn't meet requirement ABC || is vulnerable to exploit DEF). We should look at solution 345 or 678

The issue is that whilst 345 or 678 might mitigate or solve the defect with 123, it introduces new vulnerabilities or other non-compliance with requirements. And Solution 123 typically has a proven history behind it, and there are alternate measures that can be employed to satisfy ABC.

Keys and locks have served us well for hundreds of years (notwithstanding the threat of people lock picking your locks - despite that issue being around, we live with it every day). Introducing more complex keys, or electronic countermeasures, introduces other risks. For example: if you make keys impossible to copy, then you run the risk of a Denial of Service attack against yourself if you lose your own key (e.g. through complete accident).

No doubt threats continually evolve - and this is an example of an emerging threat. However, countermeasures also continually evolve. Criminals (other than the really stupid ones) follow the money. There are entire industries (e.g. insurance), not to mention law enforcement, that work to make crime not pay. It's the same reason why, eventually, the entire world will have CC cards with chips and require PINs. Until the next round of attacks and countermeasures.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, 31 July 2014 7:09 PM
To: ntsysadm
Subject: Re: [NTSysADM] This was inevitable, but it's still a good reminder

I've read that article before, and agree that it is a good read. I didn't realize that's what you meant, because I don't consider that a realistic proposal to the threat - especially given what you are potentially asking of the general public.

The threat, as I addressed it in my initial reply, is that a common-style key can be copied in an automated fashion via photographs.
As a current example: A key factor in a lot of identity theft that happens with "skimmers" also incorporates video surveillance to steal PINs, zip codes, etc., to be used with the skim-copied card. Surveillance could similarly be set up at residences and other building egresses to capture images of keys for duplication. Let alone that people casually place their keys down all the time.

Perhaps I'm misreading the situation, but this is what I see as the worst aspect of the threat - particularly because I see no need for physical possession.

-- Espi

On Wed, Jul 30, 2014 at 11:52 PM, Ken Schaefer <[email protected]> wrote:

A simple solution would be not to give your keys out to untrusted parties

Fwiw, the Technet article was written by Steve Riley: "It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct" - it's a good article, worth reading.

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, 31 July 2014 4:42 PM
To: ntsysadm
Subject: Re: [NTSysADM] This was inevitable, but it's still a good reminder

I'm sorry, what exactly was your proposal? Was it the Technet article? I didn't read it.

-- Espi

On Wed, Jul 30, 2014 at 9:13 PM, Ken Schaefer <[email protected]> wrote:

So, what's wrong with my proposal? You didn't address that anywhere, unless I've missed it somehow. (leaving aside the issue of traditional lock picking, which has been an issue, or non-issue, for years)

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, 31 July 2014 1:34 PM
To: ntsysadm
Subject: Re: [NTSysADM] This was inevitable, but it's still a good reminder

I'm referring specifically to the standard types of keys that are used by consumers for their private property.
Current common door locks/keys are decreasingly viable as a security solution, and have been for years. If a common key can now be duplicated via automation simply by a series of pictures, then it's really time to put this antiquated system to rest. Keys need to become more complex.

It's not that I have issue with the concept of physical keys - it's a problem with the low-tech variations of common locks that are still so prevalent around the world. "Authentication" issues aside, the typical mechanical systems are still not complex enough to prevent basic lock-picking methods. And now, we are subject to duplication by photograph?

I think this is a horrendous turn of events. Cool tech, but how utterly exploitable on a massive scale. People are already subject to video-based types of identity theft. Now, I would speculate, that we can welcome breaking and entering.

-- Espi

On Wed, Jul 30, 2014 at 7:14 PM, Ken Schaefer <[email protected]> wrote:

Why do they "have to go"?

Keys are a physical authenticator (something you have). You give it to someone else, and you run the risk of it being cloned or otherwise compromised. A simple solution would be not to give your keys out to untrusted parties...

I think the fundamental issue with using current keys is that there's no separation between identity and authenticator. Just like using your CC number online: http://technet.microsoft.com/en-us/library/cc512578.aspx is an old article, but still applies.

Not to mention the lack of simple revocation mechanisms, audit capabilities etc. :)

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, 31 July 2014 11:11 AM
To: ntsysadm
Subject: Re: [NTSysADM] This was inevitable, but it's still a good reminder

It was inevitable. Locks and keys as they have existed for decades simply have to go.
-- Espi

On Tue, Jul 29, 2014 at 7:17 AM, Kurt Buff <[email protected]> wrote:

Physical security is just as important as computing security

http://www.wired.com/2014/07/keyme-let-me-break-in/

