Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Brought to you by Toyota. Let's go places. Welcome to
Forward Thinking, Pater and welcome to Forward Thinking, the podcast
that looks at the future and says they take you
away and throw away the key. I'm Jonathan Strickland, I'm
(00:21):
Lauren bo and I'm Joe McCormick, and I want to
ask you guys a question. I'll go to the prom
with you. You guys are so sweet. It wasn't the prom,
it was the Enchantment Under the Sea. That's thank goodness,
because it's two thousand and fifteen. You know what year
that is. To the future too. Anyway, what's your what's
your actual question? No, no, no, I may have made
(00:42):
this comparison before, but I've got to make it again.
Do you remember all the Internet paranoia in the nineties? Yeah, yeah.
And so thinking back on it now, it's often very
funny because we were all thinking back then, oh no,
what if evil techno criminals used the net to do
horrible things? And and it's funny how some of the
(01:06):
fears we had back then turned out to be hilariously
wrong and overblown, you know, like Sandra Bullock gets caught
in the net. Yeah, it turns out. She was perfectly fine.
She never got she got caught in a net, but
it wasn't the net. But then, uh, some of it
represented threats that we actually do have to deal with
now that we're in this this internet-ubiquitous future. Identity theft,
(01:30):
privacy compromises. I mean, these were things people were worried
about back in the nineties and that they turned out
to become reality. Sure, yeah, not everything depicted in those
films was completely off base, although it was almost always
you know, because it has imagined in a hilarious way,
overly dramatized. And that certainly that the user operating systems
(01:53):
were like nothing that we've ever seen. I know this UM,
and I think we're sort of living in a similar
era for three D printing. Sure we don't know yet
what we're worrying about too much and what we're not
worrying about enough. Sure, well, especially for people who have
had very limited experience with three D printers. They've heard
(02:16):
about them but never had direct experience. Joe, as someone
who has had direct experience with three D printers, would
you say that the three D printer we have here
in the office would be capable of printing anything that
someone should be worried about remotely. Are you worried about
tangled masses of plastic hair? Yeah? See, here's the thing.
(02:36):
It sounds like the plot of a Japanese horror movie
actually if it's in front of the person's face. Uh So,
we have printed stuff out with a three D printer
here at the office. It's just it takes a lot
of of paying attention, Like you can't just hit the
print and walk away because the materials themselves in our case,
I think we're using PLA plastic, but the
(02:58):
materials themselves are uh you know there. They need a
certain temperature to operate at, and beyond that you're either
not going to get the meltedness you need for extrusion,
or it's going to be too warm and then the
stability of the build will be compromised. Or the build
plate isn't leveled, or you haven't aligned everything correctly in
(03:20):
your your pre planning phase, trying to print at a
level below where the plate is or something, or your
design has a key element missing some kind of structural
bit to it that just isn't quite there right. I
recently had a mask three D printed for a costume
and in that case, the mask was divided into three pieces,
because if we had tried to print it as one
(03:42):
full piece, it would have been very It would have
been a miracle if it had come through with the
structural integrity intact and not folded in on itself. The
point being that three D printing, at least on the
consumer level, has come a long way, but it's it's
still fairly primitive, and it's it's not like you can
hit print and you get a gorgeous coffee mug at
(04:05):
the end of it. You're gonna get something that's made
out of plastic. Depending upon the sophistication of your printer,
it may be fairly there may be some fairly obvious edges,
especially like just between the layers of the plastic that's
been like a plastic plastic pixelation. Yeah, yeah, it's it's
not like a smooth surface like you would get from
(04:26):
something that was molded plastic. Well, I mean, certainly, to
a certain degree, you're right, But also I mean, if
you're willing to shell out a lot of money, there
are some really good printers out there. These show absolutely
and in labs and research labs, there are extremely good
printers that can print with with metals and with glass even. Yeah,
it's it's a little bit beyond even the prosumer
(04:47):
level obviously, But the point being that, uh, some of
the fears around three D printers might be a little premature, right,
But but there are all kinds of fears people have
because I mean, obviously it's not exactly analogous the Internet,
because the Internet was a more ubiquitous kind of information technology.
You know what, anything that people could do to you
socially in general life that didn't involve physical contact they
(05:11):
could do over the Internet. Sure, but there's there's there
are fears that some of which are are vaguely valid
in the like like especially for the future about three
D printers. Uh, you know it's not all the like
Oh no, cats and dogs three D printing together. Uh,
copyright infringement. I suppose that the fair fear sort of
(05:31):
the I mean, it's almost difficult to even call it copyright.
It is certainly intellectual property. The idea of of let's
say that you own a furniture store. Someone comes in,
takes pictures of a table that you have designed, and
then goes and uses additive manufacturing a three D printing
process to essentially replicate that table. There's they're stealing your work.
(05:52):
You could at least you could argue that this is
my plastic table now. Yeah, or or especially with art
or something like if you really wanted a sculpture and
you had an extremely good three D printer, then you
know that sucks for the artist. Yeah. I thought it
was funny back when everybody freaked out that somebody three
D printed a gun, because I was like, you can
(06:14):
buy guns a lot more easily than you could three
D print one. Well, let's say you've got a criminal record,
but you also have a large bank account. You buy
a three D printer and you can print as many
guns as you would, But you can go into any
you know, legitimate establishment and have difficulty buying guns. Not
great if you have a criminal background. You probably also,
(06:36):
i mean, assuming it's a large amount of money, you
probably can illegally obtain a gun with you know, a
good ten dollars anyway, Right, But it's still one of
those things that you know, you think, oh, well, this
could suddenly put a not only could it put guns
in the hands of people, and that's kind of scary,
you know, without any sort of regulations right. But also
(06:57):
on the other side of it, beyond that scary thought
is if the person is not careful with the materials
they're using to build their gun, you could end up
with something that maims the person who built it. Even
if they are just like, Hey, look at this cool
thing I built. I'm going to take it out to
the shooting range and I'm going to shoot it there.
I'm not planning on shooting anyone else. You're talking about
(07:18):
using something that's you know, if you're not using the
right plastic, the forces of a of a bullet being
fired could be enough to shatter that and severely hurt
the person who's actually using the gun. Oh. Absolutely, the
type of plastic that Cody Wilson used in that demonstration,
we were far beyond the grade of the usual PLA
that's found in most commercial level three D printers. Yeah,
(07:40):
his gun was called the Liberator. Jonathan and I did
an entire episode in which we mostly contained our snark
about Defense Distributed, Cody Wilson, um, back in it was
called Printing a Gun that was over on TechStuff.
So if you somehow missed that story, you've been living
(08:01):
under a rock for a couple of years and or
you'd like to go back and hear some details about it.
Go ahead and check that out. It is on the interwebs. Yeah,
but like all of your security information, speaking of security, okay, Yes,
that that segues us into into a story about Yeah,
it ends up getting us to a story about how
(08:22):
three D printing could cause a threat to one element
of security. In fact, has that. It's not could, it's
it's happened. It's it's out there. It's going on right now.
We're all do it's your keys, it's your key, specific
your luggage. It could be any key, but specifically, we're
(08:43):
gonna start talking about the TSA approved locks
that you would use on your luggage. Yeah, so I'm
gonna tell a little story. On November, the Washington Post
ran a story by Ashley Halsey the third titled the
Secret Life of Baggage? Where does your luggage go at
the airport? It sounds like it sounds like one of
(09:06):
the movies they would watch on Best of the Worst Media.
It's so magical, like your luggage has a little magic
gnome kingdom and you know, you know, I would have
that plinky music that do do do do do do
do do do do as you watch it go through anyway,
Sorry you were saying no no. So it was an
article looking into US Transportation Security Administration. So that's the
(09:27):
TSA. You're probably familiar with it screening practices
for checked bags, and it was telling the story of
what happens to your stuff after you check it, and
I thought it was a pretty interesting article. Actually, it
talked about the machinery and the procedures used to screen
traveling containers. And the key part of the story that's
relevant to this topic is that the author talks about
(09:51):
how the TSA has a set of master
keys that can open all TSA approved locks
on luggage, which makes sense if your job is to
to be certain that stuff going through the airport, going
onto airplanes doesn't contain dangerous materials. Right. The TSA
started saying, well, we need to screen this luggage
(10:13):
for important security purposes, but if people are putting locks
on their luggage, then we might have to cut their
locks off, which is, you know, a waste of that
person's resources. So please buy these TSA approved
locks that the TSA has master keys for,
and then we can rifle through your personal belongings without
destroying any of them on purpose, and you'll never know
(10:34):
because the lock will be back on them again. Yeah,
But anyway, so people are people. If you want to
lock your luggage to keep people out of it, but
you don't use the TSA approved lock, and
the TSA agent wants to check what's inside
your bag, they'll just use bolt cutters, which I guess
is is at least a little better than you know,
(10:57):
damaging your bag directly to get at what's inside of it, right,
knife in the side of the bag just barely better
than that. So the problem is that somebody published a
version of this story that contained a very problematic picture.
And I word it that way because I honestly can't
tell if the image that I'm going to talk about
(11:18):
originally ran with the story when it was published on
the Washington Post page, or if it only appeared in
a reprinting of the story on a site called Harold
dot net, which some sources refer to. Uh. The Washington
Post version of the story does not have the offending
image anymore, if it ever did, got you, but that
offending image would be a picture of a hand holding
(11:40):
a series of the master keys for the various types
of TSA locks. Yeah, it's a close up
image of all of the master keys that can get
into all your bags. So in other words, if you
take a look at this, you can see the shapes
of each of those keys. Whoops, which you know all right.
Back in the day, it would have taken quite a
(12:03):
lot of work to create a key to you know,
use like a piece of metal and then grind it
down just right based upon the way it looks in
a picture. But that could have been done and we'll
talk about that later. Yeah, well, certainly before computer run
key creating machines. Words are apparently not in my head
(12:25):
today it's terrific, and also before algorithms that can end
up looking at a pattern and making a really close
estimation of what that pattern represents. Right, Because the resolution
on these images is not so high that you could
just zoom. You couldn't zoom and enhance over and over.
So you've got a good picture, you need you need
a computer that has some good guesswork with it too.
(12:46):
But now we're in the era, the combined era of
sophisticated object recognition image software and additive manufacturing that is
three D printing. Joe, Please tell me, please tell me
that is impossible for someone to take the images that
(13:06):
are here in front of us and turn that into
an actual physical thing, thus manufacturing their own master keys
for TSA locks. Well, I don't know about
this image, but it's definitely possible to do from a photo,
and it has been done, and people have tried the
keys and they work. So I'm going to tell the
story of that now. Apparently somebody tried to delete this
(13:28):
photo after they had published it, But silly person, Nothing
gets deleted off the Internet. What's the rule about the Internet?
The Internet is forever Archive dot org, We salute you,
and so on. Auguste Remember that original article was last year,
so it was out for a while. I don't know
when the image got deleted, So I don't know exactly
(13:51):
who was the first person to point out this problem,
but several sources linked to an August one tweet by
a guy who calls himself an independent journalist named Luke Rudkowski,
and it shared the image of the master keys and
said does at Washington Post and brilliant TSA know
they just compromised their locking system by putting this out.
(14:15):
So ouch, yeah, some hackers got to work. So I'm
going to try to explain what happened as far as
as best I can understand it, because there was a
kind of complicated series of events. But in early September,
a group of lock pickers and security hobbyists published to
GitHub, a collection of CAD files based on the
(14:35):
images of the TSA master keys that have
become available on the internet. And it looks like it
probably wasn't just the Washington Post image. And I'll say
more about that in a minute. But yeah, let's break down.
Let's let's unpack a couple of terms for those of
you who might not be familiar with GitHub and
CAD images. Sure. So, GitHub is essentially a repository.
It's a place where you put open source code. Typically,
(14:58):
so let's say that you create a program and you
want to make it open source so other people can
take your code, tweak it, change it, upload their own versions,
you know, do transformative work with it. GitHub is
sort of the centralized place that you would go and
store that so other people could get at the code
you had created. Right, So, if you want to make
something like a Google deep dream available to the public.
(15:21):
You can put it up on GitHub, so people
can make their own apps to do things with it, right, Yeah,
but then also there are CAD files. The CAD just stands
for computer aided design. So if you want to put
together a digital shape to make on your three D
printer in three dimensions, you'll probably make it in a
CAD program you can. You can think of a CAD
program as a kind of MS paint for three D objects. Yeah.
(15:43):
I remember I had a friend who did a lot
of work with CAD programs back in high school. But
that was specifically in design classes where you're trying to
create a a three dimensional object, a plan for a
three dimensional object. It's also used a lot in architecture
firms that kind of thing, right. So CAD is bigger
than just three D print, but it's a way to
(16:05):
get the file you want to you want to print
in a three D printer. So apparently after these files
went up on GitHub, it was literally only a
few hours before somebody downloaded them and printed one of
these things and it worked. There are now images online
of people using these three D printed keys based on
(16:25):
these images to pop open their TSA approved
luggage locks. Yeah, and you know, to be fair, some
of the TSA locks feel like they could
open if you sneezed on them. But maybe that's just
my experience with TSA luggage locks. I've never
used one I travel. I traveled just enough where I've
(16:46):
used them a few times. Uh And and I often
question why I go through the trouble, but I still
do it. Yeah. Well, some users report being able to
open the locks with unmodified prints of keys using plain
old PLA. So these are plastic keys. You
don't need to print 'em in metal or anything. And
PLA is not not the sturdiest plastic. I've
(17:09):
got some little PLA trinkets on my desk
that I made in our in our printer in the office.
I read about one user in this Wired article that
I'm currently referring to who had to modify the scale
of the key, but otherwise it worked. And this Wired
article talked to a lockpicker and University of Pennsylvania comp sci
professor named Matt Blaze about it, and he made some
(17:30):
interesting points I thought. First of all, he pointed out that, uh,
not that it really changes the thrust of the story,
but just for the record, he thinks the image in
question leaked somewhere before the Washington Post story, so they
might not don't line up with your pitchforks only there.
Yeah uh. He also says that a good lockpicker, you know,
(17:51):
could probably pick the locks in less time and was
with less trouble than it would take to print the keys,
since he says, and I quote, I find it's actually
quicker to pick the TSA locks than to
look for my key sometimes. Yeah. Now, these are not
terribly sophisticated locks. They're not meant to be. They're just
meant to be a deterrent. And the other point he
makes is that the parties in question should have known
(18:12):
better than allowing people to photograph the keys, because photo
security and physical keys is a known issue, and we'll
get to more about that in a minute. But there
have been more developments since then. According to a timeline
that I read, which was created by a lockpicker involved
with the TSA key story, which I found
linked in another article for The Intercept by Jenna McLaughlin, boy,
(18:36):
the trail of of sites here is is impressive. Well,
I'm just trying to lead you through my thoughts. But anyway,
the printed keys were actually based on additional imagery dug
up by the hackers, So it wasn't just the Washington
Post image that leaked, but it was sort of inspired
by the Washington Post leak that hackers said, I wonder
(18:56):
if we can find any more images of these keys,
and they went out and looked for 'em, and they did.
They found, whether by legitimate or illegitimate means, I'm not sure,
photos contained in a document called Guide to Travel Sentry
Passkeys, which was created by a group called Travel Sentry,
which they have a kind of complicated relationship with the
TSA and the lockmakers. They are not lock
(19:19):
manufacturers and they are not the TSA. But
I understand that there's some sort of liaison organization. I
got a third party kind of that. Yeah, like they
according to this article, they generate and enforce security guidelines
for TSA approved locks, whatever that means. Huh okay.
(19:41):
So so in the face of this mishap, the
TSA responded, Yeah, and this is one of the
most troubling parts that that piece in the Intercept I
talked about got a TSA official to talk
about the late the leak and the three D printed
master keys, and I just thought i'd read a select
(20:02):
quote this was pretty interesting. Okay, sure. The TSA
spokesperson Mike England sent in an email to the
Intercept: the reported ability to create keys for TSA
approved suitcase locks from a digital image does not
create a threat to aviation security. These consumer products are
peace of mind devices, not part of TSA's
(20:23):
aviation security regime. And also, and the same guy said,
carried and checked bags are subject to the TSA's
electronics screening and manual inspection. In addition, the reported
availability of keys to unauthorized persons causes no loss of
physical security to bags while they are under TSA
control. In fact, the vast majority of bags are
(20:45):
not locked when checked in prior to flight. So what
they're saying is that, well, we're concerned with national security,
not your luggage's security. So it's not really our problem. Yeah,
not our problem. No, it's yeah, essentially don't matter. The
TSA. The TSA's purpose is not
(21:08):
to make certain that the bag you packed has the
same stuff in it when you get to where you're
going as when you left. It's just to make sure
that you're not going to hurt the airplane or anybody
on it, which I should put in is a is
a valid thing to want. Yeah, this perhaps was maybe
not the best way to communicate it, since it seems
(21:30):
like it's by by this way, I mean, this quote
almost seems like they are flipping me the bird and
saying saying, don't worry your stuff doesn't matter. They might
as well say, don't put a lock on it, you know,
because here they're saying, well, you know, it's it's going
to be within our care the whole time. I mean,
no one else is going to have access to it.
(21:50):
And I'm thinking the people that are handling the luggage
all along the pathway from the point where I handed
off to the point where I pick it up aren't
all necessarily upstanding citizens. I say that because I know
there have been incidents where people have found stuff missing
(22:12):
from their I mean, there's there's also just the mere
fact that if you're if you are distrustful of human people,
and you perhaps don't make it to the baggage carousel
exactly at the moment when your suitcase comes out, then
you know, a dishonest human person could walk up and
just kind of rummage through your stuff. It takes some
of it out. Yeah, well, yeah, especially if it's one
(22:34):
of those things where you ended up getting bumped on
a flight. You're delayed, but your luggage got on the
flight that you were supposed to be on, and then
it's going to be waiting for you for hours at
an airport. You know, there are a lot of reasons
why this, to me is not exactly comforting. Yeah. Yeah,
so perhaps not the most PC response from the
(22:55):
TSA. However, this does speak to a larger issue
with with three D printing and security. Yeah, because this
thing that just happened, this TSA keys event,
was not not a totally unique situation. I mean there
are other ways that photo analysis or three D printing
and things like that can affect physical security. I mean,
(23:17):
there are these ideas of three D printed bump keys.
I think you looked into this, Jonathan. Yeah, bump keys are, um,
they're interesting. So the really weird thing about bump keys
is you don't need a picture of the key to
create a bump key. You need a picture of the lock.
You need to see how the lock is shaped. From there,
you can create sort of a generic key that has
(23:39):
sort of generic little peaks and troughs in it, so
they don't have to match the way the actual key fits.
It just has to be low enough so it can
slide into the depth of the lock, all right. They're
called bump keys because you put the key in the
lock and you hammer it with a mallet, which jolts
the key into the lock, pushing the pins. The pins
(24:02):
are what keep the lock from being able to turn.
Pushes the pins up. It's like it's it's like you
just gave it a quick shove, so the pins bounce up,
and at that moment you have to turn the key.
And as you start turning the key, it's as if
you're using the actual key built for that lock, and
it will unlock the lock in question. So you would
three D print this kind of generic key and then
(24:25):
just use that hammer to go quick a quick uh
bump and then a turn. And apparently it takes a
little practice, takes some some finesse to get the timing
just right. Um, but it works. You can totally make
keys that will unlock locks this way. Yeah. And of
course there's just plain old lock picking, sure, yeah, which
(24:48):
requires a little bit more. Uh, practice and access to
lock picking tools, which are not hard to get, but
the practice takes time. Like it's it's a learned skill. Yeah,
it's not. As it's not as simple as as you
might think, but it's not, you know, impossible to learn.
There are plenty of lock picking groups out there, hobby
(25:09):
groups that, uh, do this stuff all the time. Hopefully
airport security people should be able to look at someone
and determine that they're sitting there trying to pick a lock,
sticking a lock pick gun into a lock, or or
they they see a person just like I would like
kneel down in front of a piece of luggage and
then unfold my lock picks in front of me and
(25:33):
picturing you like sitting on a skateboard and like and
like rolling along next to baggage carousel, like with your
with your little kit laid out on your knees. Yes,
that would be a little bit obvious. But also way
before three D printing, this was an issue too. Yeah.
I mean, well, I mean people have been talking about
various ways to reproduce keys from photos for years, right yeah, yeah,
(25:54):
So for example, at the ACM Conference on
Computer and Communication Security, a way back into the eight
there were a trio of security experts who presented a
product they called Sneakey, S N E A K E
Y. Why? Because we love you. A system for duplicating
(26:14):
a key that's not in your possession, so specifically by
taking a picture of a key being able to create
a copy of it. Uh. Here's here's a quote from there.
The abstract of their presentation, the access control provided by
a physical lock is based on the assumption that the
information content of the corresponding key is private, that duplication
(26:39):
should require either possession of the key or a priori
knowledge of how it was cut. However, the ever increasing
capabilities and prevalence of digital imaging technologies present a fundamental
challenge to this privacy assumption. Using modest imaging equipment and
standard computer vision algorithms, we demonstrate the effectiveness of physical
(27:02):
key teleduplication, extracting the key's complete and precise bitting
code at a distance via optical decoding, and then cutting
precise duplicates. We describe our prototype system Sneakey and evaluate
its effectiveness in both laboratory and real world settings. Using
the most popular residential key types in the United States,
(27:25):
which is basically saying that if anyone has ever taken
a photograph of a key that you have, there's the
potential out there, even without three D printers, to produce
a copy of it. That's right. So all you kids
who wear your keys on your hips, yeah, start putting
those in pockets. They can keep the chain on them,
but put them in a pocket deep in those JNCO pockets. Yeah.
(27:48):
So hey, I like my JNCOs. So one of the
other things that that you want to talk about, Joe,
was how this goes beyond the TSA goes
beyond even physical locks and keys. Actually, oh sure, I mean,
and of course it applies to physical locks and keys,
but it's a broader security question because in in response
to this incident, I've seen many writers and security analysts
(28:10):
pointing out how that this is essentially a problem that's
inherent with backdoor systems. We often think of backdoors in
terms of software exploits, but the master key is a
physical form of a security back door, right, So what's
the idea of a backdoor. It's essentially that there is
a there is a secret way around known only to
(28:33):
supposedly legitimate authorities that can always get in through your
security measures. Yeah, I um. I was on an episode
of Daily Tech News show where we were talking about backdoors,
were specifically talking about the NSA and and backdoors.
Various law and law enforcement agencies often lobby to have
(28:55):
backdoors inserted into popular types of software. Uh, the argument
being that this would increase safety if they were able
to get access to these things quickly and stop actors
who would be who are who are trying to plan
out something that's going to be harmful to others, often
in the form of terrorist plans like sure so so
(29:18):
the ability to kind of peek in on telephone communications
along those lines exactly. And the point I made, and
it's something I still believe in today, is that you
do not increase security by introducing vulnerabilities into your system.
And a backdoor is by its nature a vulnerability. Yeah.
And frankly, they don't care about increasing security. I mean
(29:40):
that's not the goal is to increase your privacy or
your personal security. It's it's about another goal, which is
even if you take the authorities who want backdoors and
everything at their word and say they're not going to
abuse their power no matter what kind of system we're
talking about if there's a third party with a key
that all always works, there are ways that third party's
(30:02):
key can slip into the hands of the bad actors.
So even if you totally trust the government, which you know,
we're not saying it's not the point of the show
right now, one way or another. But let's let's pretend
you do totally trust the government and the authorities, it's
still a bad idea to have these back doors because
they always get out, and that that's exactly what what
(30:23):
my point was was. The idea that a back door
is is by its nature a vulnerability, it's it's a
way other than the preferred way to access a system.
Doesn't matter if it's a door, or if it's an
operating system, or if it's a piece of software, or
if it's a telephone, does not matter what it is.
(30:44):
It is another way that an actor can gain access
to a system, uh and and potentially cause quite a
bit of damage in the process. So I it is
my belief that back doors are nearly always a bad idea.
We all saw what kind of havoc they wreaked in
Jurassic Park. Yes, yes, oh, you're talking about Nedry. Yeah, Nedry
(31:09):
had a backdoor. Yeah, I don't know if that was
for legitimate authorities, but that was for no. No, you
didn't say the magic word related purposes. I'm extrapolating on
the part. I mean, you know, did you create backdoors
and suddenly dinosaurs can run amok? Well, that is
a good part because it wasn't necessarily part of Nedry's
plan to have velociraptors eat everybody. It's just
(31:29):
an unfortunate consequence. Yea, this this brings us back to
this is unix I know this, but anyway, I think
it would be interesting to talk about some of the
implications of this kind of event. Yeah, so, obviously we
could reach the conclusion that physical locks and keys have
had their day. We've already known that there were these
(31:52):
potential vulnerabilities. We've talked about those, We've talked about lock picking,
and we talked about the ability to replicate a key
simply from a picture. But this new story about three
D printing, coupled with the rise of three D printing
in popular culture, kind of drives it home yet again
that the physical lock and key is not a be-all
(32:13):
security measure, and that perhaps it's time to start
looking at alternatives. We need retina scanners on everything.
Biometrics are part of it. But also this is not
the only type of story, embarrassing story about a lock
and a a way of getting access to that lock.
Did you guys ever hear about There was a story
that broke around two thousand five about the Kryptonite bike locks.
(32:36):
So I got a buddy. His name is Brian Brushwood,
and he's a magician and a scam artist, that's what
he calls himself. And so he did an episode of
Scam School recently where he actually showed this particular vulnerability
in action. So back in two thousand five, Kryptonite released
a bike lock that had a tubular lock to it.
(32:58):
So it uses a cylindrical key to activate the pins
and then you turn that it releases the lock. It's
sort of like a like like whistle shaped almost, yeah,
And so he showed that something that people had known
for quite some time, that that particular style of lock
could be defeated with a Bic pen casing. You take
(33:18):
the pen out of the pen and then plastic. Yeah,
you just wiggle that onto the lock and if you
wiggle it the right way, you can activate the lock,
and you've you've opened up a Kryptonite These are expensive locks,
by the way, Kryptonite bike lock, thus getting access to
not just the bike lock, but also the bike that
was locked to it. And uh. And so there were
(33:41):
some people who were criticizing Brian because they were saying, hey,
why don't show people how to steal bikes? And I
actually commented on his YouTube video and said, guys, he's
not showing you how to pick locks. This is information
that's been out there since two thousand five. What he's
showing you is which lock you absolutely should not be
(34:04):
using for your bicycle. All right, this is this is
important consumer information, right. This is the it's the white
hat hacker principle. Somebody shows you the vulnerabilities in your security.
Hopefully that should spur you to create better security. And
Kryptonite did do that. In in full disclosure, Kryptonite went back,
they redesigned their lock, they went with a disc shape
(34:24):
rather than a tube shape, and they offered an exchange program.
So they did their due diligence once once the vulnerability
was known, they you know, it wasn't like they washed
their hands and backed away. This is their business. Yeah,
so they went they did well, uh and uh and
and held up their end of the bargain uh and and.
Some other systems have certainly been created that are trying
(34:47):
to move away from physical keys. You know, the little
UH beepers on cars that will open your car door,
having a numerical keypad on your on your house right right.
A lot of them are things that are proximity based.
Like you have a smartphone that has a particular app
on it, you may be uh, you may have to
put in a PIN in order to activate a lock
and unlock something as you're walking up to your front door.
(35:10):
I've seen some systems that are so proximity based that
you don't even have to do that. If you have
your phone on, you've paired it with the lock system,
and you get within range, it will automatically unlock. I
don't know that I'm particularly in favor of that approach,
but I do like the idea of using the PIN system.
It's not foolproof. No security system is ever foolproof,
(35:32):
but it's an alternative to the physical key and lock. Now,
a lot of these systems also have a physical key
that you can use UM. So if that's if it's
not a double lock system. In other words, if the
same like physical lock and the digital lock are the same,
you might not be in any better shape, considering that
(35:53):
we've already talked about the vulnerabilities of physical locks. Yeah,
and there's also vulnerabilities involved in biometric systems too. We've
we've talked about that either here on TechStuff before
and thinking Okay, but because it's it's at this current
moment not all that difficult to fool a retina scanner
or a thumb print scanner, right, Yeah, there there are
(36:15):
certain ones that are are looking more promising, like the
ones that trace the veins underneath the skin and check
for blood flowing. Yeah, making sure that someone hasn't just
cut off your hand and used it to slap on
your front door. Um, in which case you may not
be worried so much about the burglary. There might be
other things that are pressing issues on your mind, like bleeding. Yeah,
that could be way up there. But yeah, this is
(36:38):
this is one of the things. We don't mean to say
this in order to cause fear, uncertainty and doubt, but
rather to raise awareness of security vulnerabilities. Maybe it's one
of those things that just makes you think before you
get a picture taken, like, oh, you know, I probably
shouldn't have my keys out, or you know, anything along
those lines where you want to practice good security measures. No,
(37:00):
not necessarily to go out and like buy the latest
security system to outfit your your house. I mean, I
just use a cave troll is what I've got right
behind the front door. Very effective. But let's talk about
your puppy like that. He's a monster. Now, what if somebody,
the person who bred those cave trolls actually all taught them,
(37:23):
taught them all a secret password that only the company
has until they leak internal documents, and now people know
they can get past your troll by saying the magic word,
which is yar olsburg. I was concerned with that, but
it turns out that this particular cave troll only goes
into a grape vine if you say that. So apparently
there was musical theater at that particular cave troll UH university.
(37:47):
So I'm thankful for that. Uh. To be more serious, however,
obviously it's it's good to think about these things whenever
you're trying concerned about your security. When it comes to
TSA locks, I mean I don't have any
good advice for that at all right now. I don't
even know if I'll be using them at this point.
Oh yeah, well, I mean, you know, it's don't take
(38:08):
anything valuable on a plane. Yeah, that's that's that's pretty good.
The hard part is when you go someplace and you
pick up stuff for people you love to bring back
to give to them. Like if I go on a
trip and I start buying souvenirs for people, then I
have a concern about that, although I could always ship it.
I guess stop having people that you love. It's slowly
(38:30):
turning out that way. I'm just getting grouchier as they
get older. No, I don't know. I mean, you know,
perhaps perhaps good advice if you have a few extra
bucks on you is to buy a regular lock. But
since even those aren't foolproof. Yeah. I saw one
commenter on one of the articles I read saying
I always use zip ties. Interesting, they're cheap and
(38:54):
if the TSA needs to get in there,
they'll just cut it off, Yeah, and then won't cause
damage to the luggage. That's probably that's probably the best approach.
And thinking that well, if they don't need to see it,
everything safe and if they do need to see it, well,
there's nothing I can do to stop them anyway, because
that's their job. They're they're trying to practice security for
a much larger group than just my stuff. They verify
(39:18):
that my cans of dog food are not actually something else. Yeah. Yeah, well,
at any rate, this was this was an interesting topic
to cover. Uh, we didn't get quite as angry as
we all thought we would, which I guess is good.
I think I got about as angry as I was anticipating.
I got about I think I got about three quarters
as angry as I was anticipating. Yeah, yeah, I had.
(39:41):
I had calm, dude, I'm calm. Alright, Well, I'm gonna
abide by that. Guys, if you have any suggestions for
future episodes of Forward Thinking, I recommend you write to
us and tell us what those are. The email address is
FW Thinking at HowStuffWorks dot com. You can
drop us a line on Facebook, Twitter, or Google Plus.
(40:03):
At Twitter and Google Plus, we are FW thinking. Just
search FW thinking on Facebook. We'll pop right up. You
can leave us a message on there, and we will
talk to you again really soon. For more on this
topic and the future of technology, visit Forward Thinking
dot com, brought to you by Toyota. Let's Go Places,