Thursday, February 15, 2018

Whether that dedicated server room is secure (or not) hinges on something simple

I enjoy reading stories in the Shark Tank series of articles at Computerworld. My latest laugh came from one on January 25, 2018 titled Throwback Thursday: Oops!

A company had finished building a dedicated secure server room. Then they proudly gave a grand-opening tour. That room had a raised floor (in case of flooding), and a fireproof and reinforced door with an electronic security lock. But as the tour group left and they began to close that door, the article author noticed that, as is shown above, the two removable hinge pins were located on the outside of the door. The locked room could easily be entered just by using a flat-bladed screwdriver or pry bar to remove them. A week later a contractor fixed the hinges.
       
That story reminded me of another story about safes that were unsafe, because the combination was never reset from the one supplied by the factory. It appears in Richard P. Feynman’s 1985 book, Surely You’re Joking, Mr. Feynman, at the end of a chapter titled Safecracker Meets Safecracker. At Los Alamos Feynman met a locksmith who had been asked to drill a safe. But it turned out he didn’t have to:

“Oh, yeah. I knew that the locks come from the factory set at 25-0-25 or 50-25-50, so I thought, ‘who knows; maybe the guy didn’t bother to change the combination,’ and the second one worked…

[Then Feynman said]

I went from office to office in my building, trying those two factory combinations, and I opened about one safe in five.”

How about locks with keys? The beginning of that chapter says:

“It turns out that picking ordinary tumbler locks—like Yale locks—is easy. You try to turn the lock by putting a screwdriver in the hole (you have to push from the side in order to leave the hole open). It doesn’t turn because there are some pins inside which have to be lifted to just the right height (by the key). Because it is not made perfectly, the lock is held more by one pin than the others. Now, if you push a little wire gadget—maybe a paper clip with a slight bump at the end—and jiggle it back and forth inside the lock, you’ll eventually push that one pin that’s doing the most holding, up to the right height. The lock gives, just a little bit, so the first pin stays up—it’s caught on the edge. Now most of the load is held by another pin, and you repeat the same random process for a few more minutes, until all the pins are pushed up. … What is not really appreciated by most people is that they’re perpetually locking themselves in with locks everywhere, and it’s not very hard to pick them.”

Now it is even worse since there is a faster procedure (using a special key) called lock bumping.
