What’s the world coming to when a guy can’t even enjoy a nice rant about disclosure as a valuable input to managing his own risk without his friends picking on him?
Of course, he must be pulling our legs a bit [ed: ya think?]. I mean, you don’t have to watch too much television to sort of get the point about fallibility of locks…
Btw, this type of “disclosure” increases the collective risk to the world simply by making more potential attackers aware of it. Note that we have had the vulnerability portion of this risk forever (essentially) so the only change is in that knowledge distribution. But there is good news - at least this risk is constrained by physical proximity.
As I noted in my original post,
Is this risk low? Probably. While I couldn’t find data by googling, my instinct is that very few break-ins involve a picked lock. That probably has more to do with the fact that it’s easier for the average attacker (burglar or home invader) to simply smash a window or kick in the door than pick the lock. Picking locks is generally an inefficient branch of the attack tree for getting into a facility (unless non-detection is significant, but detective controls are out-of-scope today).
So the incremental increase in aggregate risk due to full disclosure is quite small in the immediate-term, but has a long-term payoff in reduced risk over time as lock engineering continues to improve.
So, yes, I know that locks are pick-able, even if I don’t watch much TV. With the rise of the Internets, though, that information flows freely. Criminals are quite good at sharing information electronically, and they can find the five million google pages which reference lock picking (and mostly seem to consist of How-To Guides) as easily as I can.
So Mike Rothman asked in his own response to my post,
Now let’s look at physical locks. Is there a lock-pickers newsgroup, or bulletin board? Are there blogs written by lock pickers that share the latest gadgets and techniques? Are folks’ RSS readers buzzing with how to break a Schlage F-Series? I honestly don’t know. And how many of the lock pickers frequent these information sources and would be able to quickly take advantage of the new information? Again, I don’t know.
Well, the fact of the matter is that there absolutely is a lock-picking sub-culture. There’s also the whole profession of locksmiths, and their trade is partly about knowing which locks are good and which are bad.
So in the end, what irritates me is that the only people who probably don’t know the effectiveness of their locks are the people who falsely assume they are keeping them safe at night. In the IT world, it took the threat of naming and shaming from the full disclosure movement to prod a lot of companies into action, and I strongly suspect that so long as the risk associated with a given make and model of lock is not available to consumers, it will take similar action to prod the lock manufacturers in the physical world into action, as well.
Is the issue that more people can learn about how to pick locks (Oh My!), or that those who wish to protect something focus on the perceived strength of the lock and not the overall physical security? An example is the home with a Medeco cylinder and a dead bolt, sitting within a few inches of a single pane window. Or the backyard shed of sturdy construction with a strong padlock, with the door hinges on the outside of the frame. Or the file cabinets at work that have exactly how many different key combinations? I could go on and on about this, but I’ll end with the moral of the story: locks only keep your friends out.
Chandler Howell Says:
Doug,
That’s true, but at least with a window or hinge type & location, I can assess the risk of those. With a lock, I can’t really assess its effectiveness because I can’t get good data.
Thus, even if I close other branches of the attack tree like window location and quality, door/hinge strength, etc., I might still be unknowingly left with a significant risk. My steel-core door would be useless if the lock on it can be easily bypassed (picked/bump-keyed/pulled/etc.).
When all is said and done, the best I can hope for is to make myself enough of a harder target that a random attacker (i.e. burglar) will pick the guy next door or a targeted attacker (hit man? Am I really that unpopular? ;-) ) will be delayed long enough and/or make enough noise that I can react.
[…] Just overnight an, um, discussion has erupted online between two people I really, really like - Chandler Howell and Mike Rothman (and others). They are discussing "vulnerability disclosure" and the concept of obscurity. Kind of. They are disagreeing over something entirely different, however. […]
Doug Says:
Chandler — I agree that locks can be helpful against an attack of opportunity. I doubt that disclosure of lock vulnerabilities will either help or slow down those attacks. There are too many vulnerabilities elsewhere for an attacker to focus on the lock.
The targeted attacks are the ones where attacker technical knowledge can make a difference. And in those attacks, one has to assume the attacker has the knowledge. The protection isn’t in the lock, it’s in the relationship between the time it takes to break in overall and the time it takes to detect and respond to the attack.
Chandler Howell Says:
Agreed, Doug.
We’ve now moved far beyond my original complaint with Mike, which was his defense of lock manufacturers’ desire for vulnerability non-disclosure based on the cost of “patching” (replacing) bad locks and the difficulty of vulnerability notification. I never doubted that the risk of exploit was low, I was offended that he would defend hiding information simply because only a small minority of people like myself would ever be bothered to find out about it and do something.
Back to your original comment, I put attacks involving the use of a lock as a detective control (tamper evidence) out-of-scope of the initial discussion, and that’s where your points really come into play. If I know that the protected area has been breached, I can react (call the police, insurance company, etc.). If I don’t know the area was breached, then I won’t know to react until it’s much too late to have any chance of responding effectively.
Currently, we assume that brand reputation and design attributes of the lock (number of pins, presence of anti-picking countermeasures like mushroom pins, etc) are a reliable proxy for time-to-pick.
When a true class break like bump-keying comes along, though, then all those assumptions go out the window. If it’s now effectively just as easy to pick the lock as to break a window or otherwise bypass the lock, then all decisions based on that Mean Expected Time to Penetrate (METP) become inaccurate until Control Strength can be restored.
[…] Responding once again Not Bad For a Cubicle is not convinced: “what irritates me is that the only people who probably don’t know the effectiveness of their locks are the people who falsely assume they are keeping them safe at night. In the IT world, it took the threat of naming and shaming from the full disclosure movement to prod a lot of companies into action, and I strongly suspect that so long as the risk associated with a given make and model of lock is not available to consumers, it will take similar action to prod the lock manufacturers in the physical world into action, as well.” […]
Doug Says: