Re: padlocks with backdoors - TSA approved
On 2/26/07, Hadmut Danisch [EMAIL PROTECTED] wrote:
> Each of these (three digit code) locks had a small keyhole for the master key to open. Obviously there are different key types (different size, shape, brand) as the locks had numbers like TSA005 to tell the officer which key to use to open that lock.

I'm just waiting for someone with access to photograph said keys and post it all over the internet.

--
Taral [EMAIL PROTECTED]
You can't prove anything. -- Gödel's Incompetence Theorem

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

RE: padlocks with backdoors - TSA approved
Some of the locks have special indicators which flag that a TSA key has opened it, which marginally improves the idea, but not by much. Whether those flags could represent a defence in the case of a corrupt official in possession of TSA keys I do not know.

Without such flags, it's an INCREDIBLY unwise idea, as if you keep the bag unlocked, at least you have a defence that handlers could have added items to the luggage in transit.

Some readers will have heard the case of Schapelle Corby, who is serving a 20 year sentence in Indonesia for trafficking marijuana. In the ensuing investigation, a significant amount of evidence was uncovered suggesting that corrupt baggage handlers were trafficking drugs between Australian airports, using unlocked baggage. Corby's lawyers claimed that she was the victim of this, and that the destination baggage handler failed to intercept the drugs which were planted in her luggage.

I won't make a comment on the conduct of the agencies, the media and governments involved in the Corby case. However, I will say that any government (or other) program which assumes the honesty of employees and contractors is fundamentally flawed, and any associated risk analysis is either incompetent, or in failing to identify risk to travellers, seriously incomplete.

Ian.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hadmut Danisch
Sent: Tuesday, 27 February 2007 7:20 AM
To: cryptography@metzdowd.com
Subject: padlocks with backdoors - TSA approved

Hi,

has this been mentioned here before?

I just had my crypto nightmare experience.

I was in a (German!) outdoor shop to complete my equipment for my next trip, when I came to the rack with luggage padlocks (used to lock the zippers). While the German brand locks were as usual, all the US brand locks had a sticker "Can be opened and re-locked by US luggage inspectors." Each of these (three digit code) locks had a small keyhole for the master key to open. Obviously there are different key types (different size, shape, brand) as the locks had numbers like TSA005 to tell the officer which key to use to open that lock.

Never seen anything in real world which is such a precise analogon of a crypto backdoor for governmental access.

Ironically, they advertise it as a big advantage and important feature, since it allows to arrive with the lock intact and in place instead of cut off.

This is the point where I decided to have nightmares from now on.

regards
Hadmut

Re: padlocks with backdoors - TSA approved
Hi Hadmut,

Welcome to the world of total stupidity.

I was in the hardware store the other day and looked at those cheap luggage locks and thought about how thieves might be able to utilize the weakness of the system to rip off people, but then..., well I looked at the Master brand, generally a good brand, and a couple of other combination lock brands in the $30 to $45 USD range where you can set the combination to whatever you want. Guess what? They all seemed to use the same key to enable setting the combination.

Now, granted, you have to open the lock first then you use the key to release the cylinders to set the combination, but it seems to me that with a little work one could figure out how to bypass the security mechanism to open the lock quickly.

Then, too, there are some great lock picking sites on the net that will teach you how to pick even so-called security locks. Much like DES slowed people down until they developed the technology to overcome the encryption, locks are only as good as the lack of knowledge that the average crook has.

Look up the Kryptonite motorcycle lock that was about $65 USD and a kid in a bike shop figured out how to hack the lock with a $0.19 USD BIC Pen. Lock had been made and sold for twenty plus years with the same weakness in design. That was truly a zero day exploit.

Oh, and another story for you on failure in design. We are thinking of re-financing our house. The mortgage company keeps all the personal identifiable data in encrypted form in their offices, but when they send me the quote it's in plain text in an e-mail!

Thinking through all aspects of the design and application of a security model is mostly lacking as far as I can tell.

Best,
Allen

Hadmut Danisch wrote:
> Hi,
>
> has this been mentioned here before?
>
> I just had my crypto nightmare experience.
>
> I was in a (German!) outdoor shop to complete my equipment for my next trip, when I came to the rack with luggage padlocks (used to lock the zippers). While the German brand locks were as usual, all the US brand locks had a sticker "Can be opened and re-locked by US luggage inspectors." Each of these (three digit code) locks had a small keyhole for the master key to open. Obviously there are different key types (different size, shape, brand) as the locks had numbers like TSA005 to tell the officer which key to use to open that lock.
>
> Never seen anything in real world which is such a precise analogon of a crypto backdoor for governmental access.
>
> Ironically, they advertise it as a big advantage and important feature, since it allows to arrive with the lock intact and in place instead of cut off.
>
> This is the point where I decided to have nightmares from now on.
>
> regards
> Hadmut

Re: padlocks with backdoors - TSA approved
At 03:20 PM 2/26/2007, you wrote:
> Hi,
>
> has this been mentioned here before?
>
> I just had my crypto nightmare experience.
>
> I was in a (German!) outdoor shop to complete my equipment for my next trip, when I came to the rack with luggage padlocks (used to lock the zippers). While the German brand locks were as usual, all the US brand locks had a sticker "Can be opened and re-locked by US luggage inspectors." Each of these (three digit code) locks had a small keyhole for the master key to open. Obviously there are different key types (different size, shape, brand) as the locks had numbers like TSA005 to tell the officer which key to use to open that lock.
>
> Never seen anything in real world which is such a precise analogon of a crypto backdoor for governmental access.
>
> Ironically, they advertise it as a big advantage and important feature, since it allows to arrive with the lock intact and in place instead of cut off.
>
> This is the point where I decided to have nightmares from now on.

This is why I don't bother with padlocks until I get to the hotel room. It is a good idea to slow down the petty thief, but a twist tie from a plastic bag will work. I use the nylon straps used to hold cable bunches in place. I use many different colors, so it is most unlikely that a petty thief would have one handy (black or white are very common).

When last I flew the TSA had cut the cable ties. I took the suitcase directly to the baggage desk and we examined it together. (Do not pile up books in your suitcase. The TSA does not distinguish between books and Semtex: it considers both equally dangerous.)

--
D__/d [EMAIL PROTECTED] [EMAIL PROTECTED]

Re: padlocks with backdoors - TSA approved
* Hadmut Danisch [EMAIL PROTECTED] [2007-02-26 21:20 +0100]:
> has this been mentioned here before?

I don't know if it was mentioned here. Bruce Schneier wrote about it some time ago.

http://www.schneier.com/crypto-gram-0404.html#2
http://www.schneier.com/crypto-gram-0405.html#10

Nicolas

RE: padlocks with backdoors - TSA approved
Taral wrote:
> I'm just waiting for someone with access to photograph said keys and post it all over the internet.

Let us hope that happens - it won't make passenger security worse, and would demonstrate that The Emperor Has No Clothes.

Even if that doesn't happen, it is presumably feasible to reverse-engineer the keys by dismantling the locks.

Peter Trei

Re: padlocks with backdoors - TSA approved
Hi Allen,

On Mon, Feb 26, 2007 at 09:23:30PM -0800, Allen wrote:
> Hi Hadmut,
>
> combination lock brands in the $30 to $45 USD range where you can set the combination to whatever you want. Guess what? They all seemed to use the same key to enable setting the combination.

Why make it that difficult and complicated?

You can easily and immediately open most combination locks with vertical wheels on suitcases (and probably those at padlocks). All you need is a flashlight.

The wheels are usually a little bit loose. Just shift it to the left or to the right with your finger tip and use the flashlight to peep into the gap. You will spot the axis of the wheel. Now turn the wheel until you see the chamfer pointing directly to you. Proceed with all wheels. If the lock doesn't open, turn all wheels by 180 degrees (to digit n+5 mod 10). Some locks need the chamfer up, some need it down to open.

With a little practise and experience it is almost as fast as if you knew the combination code.

regards
Hadmut

Re: padlocks with backdoors - TSA approved
On Tue, Feb 27, 2007 at 01:09:00AM -0500, David Chessler wrote:
> This is why I don't bother with padlocks until I get to the hotel room. It is a good idea to slow down the petty thief, but a twist tie from a plastic bag will work. I use the nylon straps used to hold cable bunches in place. I use many different colors, so it is most unlikely that a petty thief would have one handy (black or white are very common).

Same what I do, especially because opening luggage in absence of the owner is rather unusual outside the USA. Sometimes I also seal the case with any unusual sticker I got somewhere for free or a paper sticker.

The method with the cable binder became difficult since it is forbidden to have a nail scissors in the board luggage. Sometimes not that easy to open it without damaging luggage without a tool.

regards
Hadmut

Re: padlocks with backdoors - TSA approved
On Mon, Feb 26, 2007 at 10:36:22PM -0600, Taral wrote:
> I'm just waiting for someone with access to photograph said keys and post it all over the internet.

It does not need access to the keys.

Do you know that car Volkswagen Golf? As far as I know also sold in the USA. In the eighties there was a problem: Many of them had been stolen without visible force. No broken window, no broken ignition lock.

They finally found the method: These Golfs had plastic fuel tank caps, which could be easily broken off by hand. Just grab it, tear it away with force, and you have it. The tank cap had a lock inside. All you needed to do is to cut the plastic lock open and to copy the tumbler lengths to a blank key. Then you have a working key.

You could do the same and just open some of these locks, one per key number.

regards
Hadmut

Re: padlocks with backdoors - TSA approved
On Feb 26, 2007, at 21:20 , Hadmut Danisch wrote:
> Hi,
>
> has this been mentioned here before?

Yes. It is old news, Bruce Schneier's Cryptogram mentioned it in April 2004, actually [1].

> Never seen anything in real world which is such a precise analogon of a crypto backdoor for governmental access.

Welcome to the real world. Things suck here.

> Ironically, they advertise it as a big advantage and important feature, since it allows to arrive with the lock intact and in place instead of cut off.

Some of them apparently have the feature that you can tell *IF* the TSA has opened them with their master-keys. You are supposed to find a TSA notice in your bag if it has been opened and searched. Although I'm not sure whether you can really raise hell if they forget to stick the notice in there after having searched your bag.

> This is the point where I decided to have nightmares from now on.

G'night then.

Cheers,
Ralf

[1] Crypto-Gram Newsletter, April 15th, 2004
    http://www.schneier.com/crypto-gram-0404.html

Re: padlocks with backdoors - TSA approved
Ian Farquhar (ifarquha) wrote:
> [...]
> However, I will say that any government (or other) program which assumes the honesty of employees and contractors is fundamentally flawed, and any associated risk analysis is either incompetent, or in failing to identify risk to travellers, seriously incomplete.
>
> Ian.
> [...]

The first time I used a TSA lock, it came back attached to one zipper pull, not two, leaving the luggage unlocked with a locked lock. The second time the lock did not come back. I don't use them any more.

--
Sean McGrath [EMAIL PROTECTED]