Locks are pretty rubbish. The lock on your door is more of a "keep out" sign than an actual way to keep someone who wants to get in from coming in. My daughter was 5 or 6 when I first took her to @defcon and she learned to pick locks in an hour.

1/
So can you! Try Toool, The Open Organization of Lockpickers, and go to town. It's a super fun, soothing way to pass the day. Like knitting, but simultaneously more and less practical.

toool.us

2/
Once you've learned to pick locks, you get a profound realization about security: there are billion-dollar companies whose products are just GARBAGE and always have been, who, despite this, have been in business for decades or even centuries.

3/
You also realize why: security is hard. Making locks that can be easily opened with a key, not easily opened without the key, can be serviced and mass produced? That's just hard.

4/
Moreover, the materiality of locks - the fact that they're made from STUFF, and that STUFF has its own characteristics, flaws and behaviors, makes those problems a million times gnarlier.

5/
For years, we've known that amateur lockpickers can reproduce your keys by taking pictures of them. There are even grocery store machines that take a picture of your key and duplicate it. The shape of your key is itself a security vulnerability.

6/
But it turns out it's not just the SHAPE of your key, it's the SOUND. #Spikey is an exploit from a NUS Comp Sci team led by Soundarya Ramesh, laid out in this (paywalled) ACM Hotmobile paper.

dl.acm.org/doi/abs/10.114…

7/
Spikey is an acoustic attack on traditional six-pin locks. It analyzes a sound recording of a key entering the keyway and hitting the pins and infers what the key must look like based on the sounds.

cacm.acm.org/news/246744-pi…

8/
The actual inference part works really reliably! Here's Ramesh demoing the technique:



9/
The hard part isn't the analysis, it's obtaining the recording. You need to get a smartphone to within a few centimeters of the key as it enters the lock, which is pretty obvious. On the other hand, it may be possible to capture the audio by hacking a "smart" doorbell's mic.

10/
Speaking as an author of technothrillers, this is a fantastic bit. (attn: @jonrog1).

What's more, it dispenses with the need for lockpicking altogether: obtain an advance recording, infer the key, make the key, enter the premises.

11/
Ramesh speculates that a generic defense against this attack can be found in subtle alterations in the geometry of the key - by making the ridges smoother, it could dampen the sounds they make when hitting the pins, frustrating attempts to infer the pin configuration.

12/
If you want to learn lockpicking (and I think you should try!), I recommend the picks and practice locks from @SparrowsTools, which have never steered me wrong.

sparrowslockpicks.com

eof/