padlocks with backdoors - TSA approved

Hi,

has this been mentioned here before?


I just had my crypto mightmare experience. 


I was in a (german!) outdoor shop to complete my equipment 
for my next trip, when I came to the rack with luggage
padlocks 
(used to lock the zippers). 

While the german brand locks were as usual, all the US brand
locks 
had a sticker 

   "Can be opened and re-locked by US luggage
inspectors". 

Each of these (three digit code) locks had a small keyhole
for the 
master key to open. Obviously there are different key types

(different size, shape, brand) as the locks had numbers like
"TSA005" 
tell the officer which key to use to open that lock.


Never seen anything in real world which is such a precise
analogon of 
a crypto backdoor for governmental access.

Ironically, they advertise it as a big advantage and
important feature, 
since it allows to arrive with the lock intact and in place
instead of 
cut off. 


This is the point where I decided to have nightmares from
now on.


regards
Hadmut

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

On 2/26/07, Hadmut Danisch <hadmutdanisch.de> wrote:
> Each of these (three digit code) locks had a small
keyhole for the
> master key to open. Obviously there are different key
types
> (different size, shape, brand) as the locks had numbers
like "TSA005"
> tell the officer which key to use to open that lock.

I'm just waiting for someone with access to photograph said
keys and
post it all over the internet.

-- 
Taral <taralxgmail.com>
"You can't prove anything."
    -- Gödel's Incompetence Theorem

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

Hi Hadmut,

Welcome to the world of total stupidity. I was in the
hardware 
store the other and looked at those cheap luggage looks and

thought about how thieves might be able to utilize the
weakness 
of the system to rip off people, but then..., well I looked
at 
the Master brand, generally a good brand, and a couple of
other 
combination lock brands in the $30 to $45 USD range where
you can 
set the combination to whatever you want. Guess what? They
all 
seemed to use the same key to enable setting the
combination. 
Now, granted, you have to open the lock first then you use
the 
key to release the cylinders to set the combination, but it
seems 
to me that with a little work one could figure out how to
bypass 
the security mechanism to open the lock quickly.

Then, too, there are some great lock picking sites on the
net 
that will teach you how to pick even so called security
locks.

Much like DES slowed people down until they developed the 
technology to overcome the encryption, locks are only as
good as 
the lack of knowledge that the average crook has.

Look up the Kryptonite motorcycle lock that was about $65
USD and 
a kid in a bike shop figured out how to hack the lock with a

$0.19 USD BIC Pen. Lock had been made and sold for twenty
plus 
years with the same weakness in design.

That was truly a zero day exploit.

Oh, and another story for you on failure in design. We are 
thinking of re-financing our house. The mortgage company
keeps 
all the personal identifiable data in encrypted form in
their 
offices, but when they send me the quote it's in plain text
in an 
e-mail!

Thinking through all aspects of the design and application
of a 
security model is mostly lacking as far as I can tell.

Best,

Allen

Hadmut Danisch wrote:
> Hi,
> 
> has this been mentioned here before?
> 
> 
> I just had my crypto mightmare experience. 
> 
> 
> I was in a (german!) outdoor shop to complete my
equipment 
> for my next trip, when I came to the rack with luggage
padlocks 
> (used to lock the zippers). 
> 
> While the german brand locks were as usual, all the US
brand locks 
> had a sticker 
> 
>    "Can be opened and re-locked by US luggage
inspectors". 
> 
> Each of these (three digit code) locks had a small
keyhole for the 
> master key to open. Obviously there are different key
types 
> (different size, shape, brand) as the locks had numbers
like "TSA005" 
> tell the officer which key to use to open that lock.
> 
> 
> Never seen anything in real world which is such a
precise analogon of 
> a crypto backdoor for governmental access.
> 
> Ironically, they advertise it as a big advantage and
important feature, 
> since it allows to arrive with the lock intact and in
place instead of 
> cut off. 
> 
> 
> This is the point where I decided to have nightmares
from now on.
> 
> 
> regards
> Hadmut
> 
>
------------------------------------------------------------
---------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe
cryptography" to majordomometzdowd.com
> 

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

On Mon, Feb 26, 2007 at 10:36:22PM -0600, Taral wrote:

> 
> I'm just waiting for someone with access to photograph
said keys and
> post it all over the internet.


There's nothing spectacular about it. 

That's the one I have bought:

http://www.pac-safe.com/www/index.php?
_room=3&_action=detail&id=72

That's another one:

http://www.eaglecreek.com/accessori
es/security_id/TSA-SearchAlert-Lock-41027/


The TSA keyhole is always on the other side such that you
don't see them.

I am currently in a hurry, but I'll make a picture today and
post ist.

regards
Hadmut

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

* Hadmut Danisch <hadmutdanisch.de> [2007-02-26
21:20 +0100]:
> has this been mentioned here before?

I don't know if it was mentioned here. Bruce Schneier wrote
about it
some time ago.

http:
//www.schneier.com/crypto-gram-0404.html#2
http
://www.schneier.com/crypto-gram-0405.html#10


Nicolas

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

On Feb 26, 2007, at 21:20 , Hadmut Danisch wrote:

> Hi,
>
> has this been mentioned here before?

Yes. It is old news, Bruce Schneier's Cryptogram mentioned
it in  
April 2004, actually [1].

> Never seen anything in real world which is such a
precise analogon of
> a crypto backdoor for governmental access.

Welcome to the "real world". Things suck here.

>
> Ironically, they advertise it as a big advantage and
important  
> feature,
> since it allows to arrive with the lock intact and in
place instead of
> cut off.

Some of apparently have the feature that you can tell *IF*
the TSA  
has opened them with their master-keys. You are supposed to
find a  
TSA notice in your bag if it has been opened and searched.
Although  
I'm not sure whether you can really raise hell if they
forget to  
stick the notice in there after having searched your bag.


> This is the point where I decided to have nightmares
from now on.

G'night then.

Cheers,
Ralf

[1] Crypto-Gram Newsletter, April 15th, 2004
     http://
www.schneier.com/crypto-gram-0404.html

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

Hi Allen,

On Mon, Feb 26, 2007 at 09:23:30PM -0800, Allen wrote:
> Hi Hadmut,
> 
> combination lock brands in the $30 to $45 USD range
where you can 
> set the combination to whatever you want. Guess what?
They all 
> seemed to use the same key to enable setting the
combination. 


Why make it that difficult and complicated?


You can easily and immediately open most combination locks
with
vertical wheels on suitcases (and probably those at
padlocks). All you
need is a flashlight. 

The wheels are usually a little bit loose. Just shift it to
the left
or to the right with your finger tip and use the flashlight
to peep
into the gap. You will spot the axis of the wheel. Now turn
the wheel
until you see the chamfer pointing directly to you. Proceed
with all
wheels. 

If the lock doesn't open, turn all wheel by 180 degree (to
digit n+5
mod 10). Some locks need the chamfer up, some need it down
to open.

With a little practise and experience it is almost as fast
as if you 
knew the combination code.

regards
Hadmut

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

On Mon, Feb 26, 2007 at 10:36:22PM -0600, Taral wrote:
> 
> I'm just waiting for someone with access to photograph
said keys and
> post it all over the internet.



It does not need access to the keys. 


Do you know that car Volkswagen Golf? As far as I know also
sold in
the USA. 

In the eighties there was a problem: Many of the had been
stolen
without visible force. No broken window, no broken ignition
lock.


They finally found the method:


These Golfs had plastic fuel tank caps, which could be
easily broken
off by hand. Just grab it, tear it away with force, and you
have it.

The tank cap had a lock inside. All you needed to do is to
cut the
plastic lock open and to copy the tumbler lengths to a blank
key. 
Then you have a working key. 

You could do the same and just open some of these locks, one
per key
number.

regards
Hadmut


------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

>> Each of these (three digit code) locks had a small
keyhole for the
>> master key to open.
>
> I'm just waiting for someone with access to photograph
said keys and
> post it all over the internet.

I'm just waiting for two or three governments to demand the
same  
access to my luggage. Mechanically solvable, yes (link locks
in  
series), but it will hasten the collapse-by-ridicule.



Ceterum censeo Fenestras esse delendas.


------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com