Security by Insecurity = Insecurity

by DocSlow

The rather expensive education of protecting your personal belongings from theft offered up by many so-called security "experts" usually involves obfuscating the simplicity with which most barriers can be bypassed.

This is simply a part of the flawed concept of "security by obscurity" that many self-proclaimed security authorities pass on to everyman as their intimate brand of super-secret technical wizardry.  These security experts want us to believe that they can, for a fee, mentor us on how to secure our most treasured belongings.  More often than not, their instruction is completely invalid.

Last year, at DEFCON, there was an entire ballroom reserved for nothing but lockpicking.  Hackers have always had a romantic fascination with picking locks (myself included), and this ballroom was packed with those who were teaching techniques, some of them selling wares, and there were a host of avid students of the sport.

Let's just focus for a minute on your transportation.

I'm sure you've all seen the movies where there are elaborate collections of "high-tech" tools used to start a car (especially those with a steering console ignition) minus a key.  Usually, these absurd methods either involve large vise-like tools (e.g., slide hammer puller) that remove the lock from the console (and expose an abysmal myriad of color-coded wires), or the use of brand-specific bypass keys, and many yet still show the silliness of pulling a few wires from underneath the dashboard to simply "hot wire" the ignition.  Most of these (((Hollywood))) techniques irreparably damage the vehicle in some way, and all of them offer nothing in the form of car-jacking reality.  Real car thieves are having a good laugh.

A good locksmith (one that knows the true intricacies of locking mechanisms) can open your car and start it in seconds, without the use of any high-tech gear.  No need for Slim Jims, pick guns, or Lever Wedges (expensive lockpicking tools marketed to the programming equivalent of script kiddies).  The job can be done with nothing more than a couple of simple rake picks.  And the beauty of a steering console ignition is that you don't need any sophisticated external leverage device to turn the lock - it's built into most console ignition locks.

While I've heard that the use of two simple jagged rake picks can do the job in short order, one might also use a snake rake pick and a double-ball pick.  But simple rake picks work just fine, as they do on almost all locks.

To test this theory (one that I acquired from real experts), I performed a quick trial run on several subjects that included all manner of console ignition switches, and all turned out to be easy "pickings."

My first test case, a 1995 Jeep Grand Cherokee, proved to be a reference standard for all other experiments.  The first attempt at entering the vehicle and successfully starting it took a little under 30 seconds.  Most others took a similar amount of time.

And, remember, the beauty of 4-inch slender picking tools is that if the cops show up in under the 30 seconds it takes to drive off with your cache, you can quickly and easily hide them in your shoe (or wherever your imagination takes you), and claim that all cars look alike these days.

Oh yeah, and getting into your house is even easier.

No, I'm not providing you with exact details on how to do this, but, we're just speaking hypothetically here (yes, that's a disclaimer).

To quickly conclude... this is why some governments hire hackers.

Hackers don't bullshit you about your security.  They show you how easy it is to break in and steal your shit (after the "security experts" have "consulted" you that your security is now O.K. - subsequently implementing a whole host of useless measures), and hackers prove that their possession of real security knowledge far surpasses that of the "security expert."

Obscure that.
