Posted on Mar 10, 2016 by Rick Falkvinge

In one single image, establishment and mainstream media show their utter ignorance of security

The various branches of the establishment are frequently criticized for not understanding, or even caring about, the critically important fields of privacy and security. In just one image, the New York Post shows just how bad the situation is with this ignorance.

When I was in the European Parliament, I was frequently shocked at how badly decision-makers and policymakers understood the crucial issues of the 21st century: information, security, privacy (which in turn lead to innovation and growth). Rather, Members of the European Parliament would have e-mails printed for them by their secretaries and put in a pile on their desks, and they would therefore believe that they understood what the Internet was about.

About a decade ago, there was something akin to a riot on the Internet as the copyright industry tried to suppress the key “09-F9-11-02-9D-74-E3-5B-D8-41-56-C5-63-56-88-C0” from being discussed: this was a cryptographic key for access and playback control of Hollywood DVDs. Everybody who is familiar with the Internet understands the concept of publishing a key. It cannot be undone, and once you publish its secret, you’ve opened Pandora’s box.

A cryptographic key is usually published as above, as a sequence of hexadecimal digits, since those digits are the secret of the key. This makes it different from a physical key, where the physical shape of the key is the crucial secret.

Now consider this story by the New York Post, which cries out in terror that a master key to the New York City utilities has leaked. Consider that this story has passed many people on its way to publication, all part of the narrative-creating establishment, and consider what their understanding of the most fundamental security concepts must look like.

The New York Post has a scare story that a master key is on the loose, and publishes a huge image of it

Yes, that’s the key being discussed right there, the “1620” key. The New York Post is crying out in terror that this master key is on the loose, and goes on to publish the full secret of the key, in gigantic format. From this point, anybody can trivially reproduce this key.

It’s reasonable to ask at what point an ignorance of security to this unbelievable level becomes criminal negligence.

The ignorance is not unlike the fiasco with Diebold voting machines, also about a decade ago. The voting machines were supposedly secure; they needed a key to access the memory card slots. Spare keys were for sale on the Diebold website, and were only sold to certified voting officials. But like any webshop, there were high-resolution photos of the keys to the voting machines right on that webshop, and those images could be (and were) used to create keys that could access the voting records.

Security, too, is starting to become your own responsibility.

(hat tip: @gsuberland)

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.

  • Austin Wyman

    This is dumbfuckery on a legendary scale!

  • Actually, this is a mixed bag. On one hand they’re showing everyone how to reproduce the key.

    On the other they’re making it impossible for NYC officials to ignore the situation.

    It may have been intentional. Force the cat out of the bag in a big way, and make the problem impossible to avoid.

    • Commish of hangin’

      You are giving the New York Post way too much credit.

      • It really doesn’t matter whether NYPost knew what they were doing, and I’m not going to try to crawl into the head of the editor or whoever chose that key photo, regardless of who they work for, but I think it’s not outside the realm of plausibility to consider that it may have been intentional.

        I think the important takeaway from here, is will it force the hand of NYC officials? I’m guessing it will.

        Those of us that have been involved more on the breaching side of computer security understand the value of an act of intentional dissemination of a security flaw. Sometimes it’s the only way to get the people that can fix it to do something. Microsoft used to be notoriously lazy about patching exploits. Back when IE6 was vulnerable to a code-injection attack using JPEG images (yes, you could get IE to run arbitrary code at IE6’s privilege level by putting it in a malformed JPEG header) I did something similar. I released a Visual Studio add-on that allowed you to compile/link software into JPEG images, which could then be released onto an unsuspecting public. This made it *very easy* for someone with relatively little programming ability to use this exploit. I then released the add-on on programming sites across the net. They’re mum on what drove them to finally patch it, but let’s just say it was shortly after I put that out to the world. Everyone was better for it because prior to that a whole lot of machines were extremely vulnerable. I could format a winME hard drive using a banner ad. Okay? This isn’t cool.

        • foljs

          “but I think it’s not outside the realm of plausibility to consider that it may have been intentional.”

          That’s a pretty low bar.

          • This has nothing to do with any sort of arbitrary bar, dear.

          • foljs

            Not your dear, obviously.

            And what I mean is that merely not “being outside of the realm of plausibility” does not make “they did it intentionally” worth mentioning.

            It’s up there with “they were kidnapped and forced to write it this way” — still plausible, hardly probable…

          • > does not make “they did it intentionally” worth mentioning.

            Oh it doesn’t? Despite the fact that this happens all the time for exactly that reason in other venues, like infotech?

    • Hob

      When someone publicly describes a security vulnerability in software, at least it’s theoretically possible for the software publisher to make a fix available quickly and hope that people will install the fix promptly.

      How fast do you think it’s physically possible for the city of New York to change thousands of locks? And who gets to decide that “making the problem impossible to avoid” justifies making the problem much worse until all those locks get changed? Would you feel the same if someone had made keys available to everyone’s apartment, including your own?

      • I certainly would take exception to anyone having a master key to where I live, since I’ve lived in a building where the person who held those keys robbed me.

        That being said, there’s a good chance that if the newspaper ran that, then people already knew about it and were likely making bump keys and such as it is, which means it needs to be fixed.

        Bureaucracy being what it is, it would likely never get fixed otherwise, but you can be damned sure that once it dawns on them the level of breach, they’re going to mobilize a fair amount of resources to fix it.

        • Hob

          There are two unsupported assertions in your last paragraph(*), but I realize that it’s often difficult for techies (of which I am one) to acknowledge that they don’t know much about the working of systems outside of their field.

          (* I’m not even counting the second paragraph, which seems to be based on an assumption that anyone at the freaking New York Post gives a crap about the consequences of what they print. Based on no inside knowledge of journalism, but 13 years of reading the Post, I would say that that’s a stretch to say the least.)

          • I love when people make vague claims about unsupported assertions without naming them, particularly when they make their own.

            As it happens, I’m pretty good at getting into places people don’t want me, whether they are protected digitally or mechanically, so I know a bit about physical security – not just digital.

            Furthermore, all I said was that it *may* have been intentional. You act as though your 13 years of reading a newspaper means you know the staff. I think that’s silly to be so certain based on that, but then whatever.

          • Hob

            Of course I don’t know the staff. I expressed an opinion, because the paper has a long history of doing outrageously stupid and offensive things and acting like they care more about hurting their political enemies than anything else. I’m sure they have some good people working there, but I would be surprised if they had enough influence to do something like this. But of course I don’t know— which is why I didn’t say something silly like “you can be damned sure.”

            I’m sure your reading comprehension is just fine so you know I wasn’t making “vague claims”— you only said two things in that paragraph, so that’s obviously what I was talking about (“it would never get fixed otherwise” and “they’re going to mobilize a fair amount of resources to fix it”; I’m sure the latter is true *sooner or later*, but that’s a meaningless statement if you don’t acknowledge that it takes much longer to change thousands of locks than a browser patch). But you seem to be here to play debating games and brag about your ninja skills, rather than because you have any concern about what happens to anyone in New York, so whatever.

          • And we’ve devolved to personal attacks. Lovely.

            Maybe I’m just here to offer my opinion. I don’t suppose that occurred to you.

          • Hob

            I’m sure it’s your opinion. I don’t know anything about you personally, and I’m not attacking you. I’m saying I don’t think you’re discussing this in a particularly serious way, and you’re throwing in fairly self-congratulatory anecdotes about your skills at every opportunity, so I don’t see the point of arguing further. Bye.

          • You certainly did though. You impugned my intentions for posting here, as if my motivation was to brag in an attempt to attack my credibility.

            Bad faith, guy.

          • Hob

            You know what, if you want an apology, here you go. I shouldn’t have gotten into a pissing match with you; I have no way to know why you write anything, I was just venting unnecessarily. I do find your general “oh it’ll all work out fine, that’s how these things go, I know because I know about security” attitude pretty annoying, but you’re not doing anyone any harm. I do hope that you’re right and that they fix the locks.

          • > l “oh it’ll all work out fine, that’s how these things go, I know because I know about security” attitude pretty annoying

            Next time you quote me, actually quote me, because I never said anything of the sort.

          • Hob

            In case anyone was actually confused and thought that was supposed to be a direct quotation, I withdraw the quotation marks and add “this was the impression I got from the way you were talking about this”. And I repeat that my being annoyed by your attitude did not justify my hostility. OK? Feel free to get the last word now or whatever, I’m done.

          • Well the impression was wrong.

          • Brandon Walker

            Also the impression everyone got by your douchy braggy attitude.

          • You seem upset. Vaguely curious if you created an account just to troll me, like the last one did.

          • Brandon Walker

            Lol, actually, you started the personal attacks, so I think everyone fails to see anything but hypocrisy in your complaint, and they would not need to know anything about the leak to make a bump key, but using the “format” or making copies are also not bump keys, so those statements were ignorant, then the fact that there are actually TONS of bump resistant locks, there are locks that don’t use pins at all, there are locks that have magnets incorporated into the key, there are locks with multiple pinned faces etc, all creating a bump resistant or bump proof lock.

          • The locks for those keys use pins, and if they haven’t been updated lately (they haven’t), they aren’t bump resistant.

          • Brandon Walker

            Lol except you were making personal attacks before Hob’s second post and he did not make any personal attack in his first, or in other words, you quite literally started the personal attacks, and your comment about bump resistant locks had nothing to do with those specific locks, you simply said very few locks are truly bump resistant, which is false, as not only is there a literal plethora of bump resistant locks, there are locks that have yet to be defeated by any type of picking or bumping technique, so in summary both of your counterarguments are entirely false, and one is an outright lie.

          • Don’t you have any hobbies?

          • > n about what happens to anyone in New York, so whatever.

            Pro-tip: Whining on internet forums about how doubleplus-ungood the NYPost is won’t protect the people of New York. That ship already sailed. Nor is it – if your comments about their behavior are any indication – likely to change the behavior of that paper in the future.

            Most of what you seem upset about is I didn’t criticize the NYPost enough for you. I don’t care. I am not your trained monkey. You’re more than welcome to criticize them in your own comments.

        • Robert Daggett

          Don’t use words you don’t understand. A bump key works on any tumbler lock that is not bump resistant.

          • Very few locks are truly bump resistant, dear.

            Wiki is not your friend. Get back to me when you have some experience with the subject.

          • Robert Daggett

            “then people already knew about it and were likely making bump keys”
            They were copying the keys, not making bump keys. You don’t need a bump key if you have the keyshape. What exactly qualified you as a locksmith?

          • I’m referring to prior to this article. Some people may have had access to an original that would facilitate proper copying, but that doesn’t preclude others from exploiting the leak as well, and one way to do that would be to make a bump key using the same template.

            I never claimed to be a locksmith, but I do have quite a bit of experience defeating locks, nonetheless, and that includes making bump keys.

            You need a hobby.

          • Robert Daggett

            I’m referring to this article; that’s what the rest of us want to talk about.

          • Then you completely misread my initial comment. Next time read slower. Move your lips – I hear that can help.

          • Robert Daggett

            It appears the only experience you have is with buzz words you don’t understand. Go back to your transgender arguments. Troll

          • That wasn’t really a response, now was it?

            Also your reactionary garbage is off topic.

          • Robert Daggett

            I have a hobby. I’m a volunteer firefighter, it contributes more to society than arguing with people about subjects you don’t understand. We are discussing the article. I lost cut my own keys. Look it up. Unlike you I am not using a fake name sir

          • You’re a reactionary idiot.

            I don’t need to look it up, dear.

          • Die in a fire. =)

          • Robert Daggett

            Cute. You vien attempt to rouse me has failed. Real men would be happy to die in a fire knowing it may save a life. I see how you diverted from the technical subject because you’re wrong. This has nothing to do with bump keys and we all know it. Sir

          • You’re using the word vien incorrectly, dear.

            I’ll be more clear this time: Set a fire and go die in it.

            Also if you weren’t stupid you’d have seen either in my profile or by the big letters scrawled prominently across my avatar that I am quite happily male, idiot.

            Sir away.

          • Robert Daggett

            No I used the word exactly how I intended, vain attempt (noun): aborted mission, all talk and no action, barren, efforts to no avail, efforts to no purpose, empty effort, fruitless effort, futile effort, hollow efforts, idle efforts, impotent efforts, inadequate efforts, inane efforts, ineffective efforts, ineffectual efforts, inefficacious efforts, interrupted mission, meaningless attempt, unavailing efforts, unsuccessful efforts, useless attempt, worthless effort. Maybe spend less time arguing and belittling people on here and more time reading and you’d know that

          • PavePusher

            You’re a real piece of shit.

          • Sometimes, but not always. Bump keys are highly overrated.

    • Disgusted

      You are a fucking scumbag. “Die in a fire?” Holy shit, you need to die a slow, painful death from any number of humiliating complications. Suck on a tailpipe. Play in traffic. Pick something, go do it. What the New York Post did is gross negligence. They did not do it to “force a hand.” If they wanted an info-graphic then they should’ve used a fake key or blocked the bottom half of the key (or show it in a lock or ANYthing other than to give away a sensitive blueprint).

      God damn, you are a worthless sack of wasted human skin. Go die in a fire? Really? Jesus I hope you get caught under burning timbers one day and that thought crosses your mind as you choke to death on smoke while these guys pull your worthless carcass out of the fire, and I hope it leaves you so physically scarred that you can be truly gender neutral and have a LEGITIMATE say (and not a narcissistic one) on issues. Worthless little punk…

    • Jordan Silverman

      This is assuming the officials know that this is an issue.

      It’s not impossible for them to ignore it if they’re too stupid to realize the photo means they’re fucked.

      • Diebold was probably intentional.

        > It’s not impossible for them to ignore it if they’re too stupid to realize the photo means they’re fucked.

        That’s *extremely* unlikely.

    • greetbigball

      Knowing the officials in NYC, they’ll willfully ignore the situation, citing it will cost $100 trillion to replace all the locks.

  • Pippilotta

    How can anyone be sure this is the EXACT key? Why shouldn’t they use a picture of any key?

    • Gregory Magarshak

      The any key… it’s been around for decades. It’s what I was always told to press to continue 🙂

  • Point

    Master keys are inherently unsafe. This is only one of the myriad of ways in which a master key can be compromised, and represents a very small minority of instances of a master key being compromised.

    The very greatest defense we have – individually and collectively – against any threat is information and knowledge.

    Regarding Mr. Falkvinge’s closing statement, “Security, too, is starting to become your own responsibility,” security has always and ever been each of our responsibilities.

  • Terra Jones

    This is a really good example of why the government should not have a backdoor to internet encryption protocols.

  • ಠ_ಠ Roger X

    There are thousands of threads about this key on public web forums dating back many years. It’s clear that nearly every person who has served in a public safety or maintenance capacity at some point has a personal copy or five. Anyone who was remotely interested in getting into these places could have gotten images or copies easily; all this publication has done is stirred up fear, uncertainty, and doubt about security. I’m hesitant to judge whether this is a good thing or not, but this much is certain: Anyone who had intended to use these keys for harm in the past could have – or almost certainly has – done so before.

  • PavePusher

    “Security, too, is starting to become your own responsibility.”

    It always was, and always will be.

    People are simply becoming aware of this AGAIN. As they used to be.

  • Ashley Meyer

    Why would the reporter have a photo of the key in question? She probably just got a stock photo of a key, right?

  • grandeweasel

    So, you’re re-printing the key here, presumably with the reasoning that it’s already out there and the damage is already done? It sounds like you’re operating under the same logic as the people you’re criticizing.

    And let’s not forget that keys are three dimensional objects, whereas pictures of keys are two dimensional. There’s a lot that a would-be key duplicator cannot get from this picture.

    • Brandon Walker

      What could they not get? The only important part that can’t be gathered with a glance at one of these locks is the pin lengths, which they gave away, they wouldn’t even need to make a copy now because picking it would be so easy knowing where the shear line is.

  • Jouni Valkonen

    I would rather choose a safe society, where people trust each other and therefore there is no urgent need to lock doors.

  • Andres Gonzalez

    I like to see that my VPN service provider is on the ball about security and has thoughtful experts on staff.

  • Restricted keyways have been around for years, that would be the best way to keep unauthorized duplication to an absolute minimum. Someone was just too stupid to require them. Where I live, the local power company now uses a proprietary keyway for electric meter rooms, getting a copy of one of those keys is very difficult. You just don’t wander into Home Depot and have one cut.