Surely we all hold our keys in our hands when we use them - but I dont think we do anything to obstruct the important-end with the teeth from public view - like what we might do when we enter a pin. I would put forward that people typically take out their keys, look at them to confirm the correct key as well as orientation, and then also briefly pause the key in mid air while confirming visually the proper orientation/alignment with the lock.
You forever run the risk of locking yourself out of you own home or car. Do you have a car with a fob-only starter, with no key override? Those are tons of fun to replace. Very time consuming; very expensive. So wait - you dont think that current CC's should stay the same for another 1000 years? (hey. I can use "1000" too). If current CC's should change, is that not saying that the current less-secure variation "have to go"... in order to make way for a new version? So if thats something thats OK with you, what exactly are you arguing here, Ken? -- Espi On Thu, Jul 31, 2014 at 6:17 AM, Ken Schaefer <[email protected]> wrote: > I tend to hold my keys in my hand when I insert those keys into a lock, > so I suspect that taking photos will be somewhat harder. > > Photographing people's PINs at an ATM or similar location is a numbers > game - for every 1000 people, you might get 10 or 5 PINs, which makes the > endeavour worthwhile. Installing surveillance outside private property > would involve 1000x the expense, probably making it not worthwhile. And if > you install your own counter-surveillance, then even if your physical key > is compromised (assuming you only have one lock), you can record the > perpetrators in the act, and claim on insurance and report to law > enforcement. > > > > In my line of work, I've seen this 1000 times: > > - Solution 123 (doesn't meet requirement ABC || is vulnerable to > exploit DEF). We should look at solution 345 or 678 > > > > The issue is that whilst 345 or 678 might mitigate or solve the defect > with 123, it introduces new vulnerabilities or other non-compliance with > requirements. And Solution 123 typically has a proven history behind it, > and there are alternate measures that can be employed to satisfy ABC. > > > > Keys and locks have served us well for hundreds of years (notwithstanding > the threat of people lock picking your locks - despite that issue being > around, we live with it every day). Introducing more complex keys, or > electronic countermeasures introduces other risks. For example: If you make > keys impossible to copy, then you run the risk of a Denial of Service > attack against yourself if you lose your own key (e.g. through complete > accident). > > > > No doubt threats continually evolve - and this is an example of an > emerging threat. However countermeasures also continually evolve. Criminals > (other than the really stupid ones) follow the money. There's entire > industries (e.g. insurance), not to mention law enforcement, that work to > make crime not pay. It's the same reason why, eventually, the entire world, > will have CC cards with chips and require PINs. Until the next round of > attacks and countermeasures. > > > > Cheers > > Ken > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Micheal Espinola Jr > *Sent:* Thursday, 31 July 2014 7:09 PM > > *To:* ntsysadm > *Subject:* Re: [NTSysADM] This was inevitable, but it's still a good > reminder > > > > I've read that article before, and agree that it is a good read. > > > I didnt realize thats what you meant, because I dont concider that a > realistic proposal to the threat - especially giving what you are > potentially asking of the general public. The threat, as I addressed it in > my initial reply, is that a common-style key can be copied in an automated > fashion via photographs. As an current example: A key factor in a lot of > identity theft that happens with "skimmers" also incorporates video > surveillance to steal pins, zip codes, etc, to be used with the skim-copied > card. Surveillance could similarly be set up at residences and other > building egresses to capture images of keys for duplication. Let alone that > people casually place their keys down all the time. > > Perhaps I'm misreading the situation, but this is what I see as the worst > aspect of the threat - particularly because I see no need for physical > possession. > > > -- > Espi > > > > > > On Wed, Jul 30, 2014 at 11:52 PM, Ken Schaefer <[email protected]> wrote: > > A simple solution would be not to give your keys out to untrusted > parties > > > > Fwiw, the Technet article was written by Steve Riley: "It's Me, and Here's > My Proof: Why Identity and Authentication Must Remain Distinct" - it's a > good article, worth reading. > > > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Micheal Espinola Jr > *Sent:* Thursday, 31 July 2014 4:42 PM > > > *To:* ntsysadm > *Subject:* Re: [NTSysADM] This was inevitable, but it's still a good > reminder > > > > I'm sorry, what exactly was your proposal? Was it the technet article? I > didnt read it. > > > -- > Espi > > > > > > On Wed, Jul 30, 2014 at 9:13 PM, Ken Schaefer <[email protected]> wrote: > > So, what's wrong with my proposal? You didn't address that anywhere, > unless I've missed it somehow. > > > > (leaving aside the issue of traditional lock picking, which has been an > issue, or non-issue, for years) > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Micheal Espinola Jr > *Sent:* Thursday, 31 July 2014 1:34 PM > > > *To:* ntsysadm > *Subject:* Re: [NTSysADM] This was inevitable, but it's still a good > reminder > > > > I'm referring specifically to the standard types of keys that are used by > consumers for thier private property. Current common door locks/keys are > decreasingly viable as a security solution, and have been for years. If a > common key can now be duplicated via automation simply by a series of > pictures, then its really time to put this antiquated system to rest. Keys > need to become more complex. Its not that I have issue with the concept of > physical keys - its a problem with the low-tech variations of common locks > that are still so prevalent around the world. > > "Authentication" issues aside, the typical mechanical systems are still > not complex enough to prevent basic lock-picking methods. And now, we are > subject to duplication by photograph? I think this is a horrendous turn of > events. Cool tech, but how utterly exploitable on a massive scale. People > are already subject to video-based types of identity theft. Now, I would > speculate, that we can welcome breaking and entering. > > > -- > Espi > > > > > > On Wed, Jul 30, 2014 at 7:14 PM, Ken Schaefer <[email protected]> wrote: > > Why do they "have to go"? Keys are a physical authenticator (something > you have). You give it to someone else, and you run the risk of it being > cloned or otherwise compromised. A simple solution would be not to give > your keys out to untrusted parties... > > > > I think the fundamental issues with using current keys is that there's no > separation between identity and authenticator. Just like using your CC > number online: http://technet.microsoft.com/en-us/library/cc512578.aspx > is an old article, but still applies. Not to mention the lack of simple > revocation mechanisms, audit capabilities etc. J > > > > Cheers > > Ken > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Micheal Espinola Jr > *Sent:* Thursday, 31 July 2014 11:11 AM > *To:* ntsysadm > *Subject:* Re: [NTSysADM] This was inevitable, but it's still a good > reminder > > > > It was inevitable. Locks and keys as they have existed for decades simply > have to go. > > > -- > Espi > > > > > > On Tue, Jul 29, 2014 at 7:17 AM, Kurt Buff <[email protected]> wrote: > > Physical security is just as important as computing security > http://www.wired.com/2014/07/keyme-let-me-break-in/ > > > > > > > > >
