Friday, June 19, 2009

Lockpicking and Security

No doubt in the past day or so people have seen on boing boing a Wired article about Marc Tobias picking Medeco's "high security" locks. From the article, the claim high security means something specific in the industry, being able to withstand compromise for 10 or more strictly 15 minutes. These locks have been specifically hardened to resist attacks and you have no doubt been wondering about the security of the lock on the front door of your home.

Before you run out and buy a more "secure" lock for your home, let's discuss some security concerns that affect your purchasing decision.

Do you have windows made from bullet proof glass on your home? If so, the lock on your front door may be your weak point. If not, consider that a non-savy criminal can defeat your multi-hundred dollar/pound/euro lock with a cheap brick or a rock from your landscaping (maybe you want to reconsider leaving break in tools around your front yard). This goes double if you have another exterior door that's glass or that a similar high security lock can't be affixed to. Remember that unless you have a facade constructed entirely of thick, well mortared masonry, a persistent attacker could easily cut through your wall with tools available at any home improvement store. Any system is only as secure as its weakest point.

Let's also consider the rate of home break ins. The US Department of Justice provides statistics on historical trends of household burglery defined as "Unlawful or forcible entry or attempted entry of a residence." The following chart shows the national rate of burglery per 1000 homes from 1973 - 2005 (clicking through will take you to the numerical data).

Since this is a national average, you can reduce the rate of incidence by your choice of neighborhoods/areas to live in.

If we assume that your chances of actually being broken into are small, 29.5 per 1000 homes in 2005, and your locks and windows are actually insecure and only useful for keeping the honest honest, is your money better spent upgrading insecure locks, windows and walls or limiting the consequences of such an unlikely event? By all means, lock your doors and windows, but also make sure you carry an appropriate home or renters insurance policy and have documented what you own and their approximate value. This evidence should be stored, like your backups, in a secured off-site location such as a safe deposit box. You could also opt to store this material in a heavy, fire and flood proof safe in your home. Keep in mind that safes can also be cracked, but the walls of the safe are more hardened than the walls, windows and locks of your home and you're trying to raise the cost of acquiring the contents beyond the value of the contents (much like the premise behind using digital encryption). If you opt for a "fire proof" safe keep in mind that many of them work by removing oxygen from the enclosure with a foam or such and not by limiting the heat delivered, which can erase magnetic media.

In closing, "Don't Panic." Be prudent, but keep in mind the actual rate of such attacks on your home's security and take appropriate steps that will aid you in the event of any catastrophic event in your home.

Thursday, June 11, 2009

GPG Key Transition

A signed version of the below message is available at

Thu Jun 11 11:43:50 EDT 2009

For a number of reasons, i've recently set up a new OpenPGP key, and
will be transitioning away from my old one.

The old key will continue to be valid for some time, but i prefer all
future correspondence to come to the new one. I would also like this
new key to be re-integrated into the web of trust. This message is
signed by both keys to certify the transition.

the old key was:

pub 1024D/7108E308 2002-01-14
Key fingerprint = D86C 9E6D AA49 FBD2 33C6 7EF9 8D4D 6868 7108 E308

And the new key is:

pub 2048R/18F94934 2009-06-11
Key fingerprint = F4AE 5B6B 29A4 355A 0EC1 0B4C AC5D 54B8 18F9 4934

To fetch my new key from a public key server, you can simply do:

gpg --keyserver --recv-key 18F94934

If you already know my old key, you can now verify that the new key is
signed by the old one:

gpg --check-sigs 18F94934

If you don't already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint 18F94934

If you are satisfied that you've got the right key, and the UIDs match
what you expect, I'd appreciate it if you would sign my key:

gpg --sign-key 18F94934

Lastly, if you could upload these signatures, i would appreciate it.
You can either send me an e-mail with the new signatures (if you have
a functional MTA on your system):

gpg --armor --export 18F94934 | mail -s 'OpenPGP Signatures'

Or you can just upload the signatures to a public keyserver directly:

gpg --keyserver --send-key 18F94934

Please let me know if there is any trouble, and sorry for the