> "Those keys were a dead-set copy of the keys that we had. The key he copied was in the shape of a figure E, which was the master key."
> The officer said it was Heiss's fellow inmate - fellow murderer Shane Baker - who made the key. He said Baker was a jeweller who had jewellery-making equipment in his cell, and used this to work on the key.
This has "I don't know what I expected" written all over it
"The Prison Service has been forced to spend £250,000 on changing every lock and key in Feltham young offenders' institution after a TV news crew filmed a prison key during a media visit last week."
I heard about a similar incident in the Santa Clara county jail. In that case, the inmate, ironically facing a federal counterfeiting currency charge, managed to make a skeleton key to the jail by cutting plastic from a jail-supplied Rubbermaid bin that was supposed to be used for storing personal property. The inmate got the general shape of the key by looking at it as guards passed by, then perfected it over a period of weeks by sticking it in the lock and attempting to turn it. The lock made marks on the plastic where the teeth were supposed to go. The inmate was caught and all plastic bins removed from the jail after the key was finally good enough to open the lock, which set off an alarm.
Why was the alarm set off? Do these locks work only with a key that passes through electricity or have some other built-in secondary check? Really curious.
Apparently there are parts of the Santa Clara County jail that are very old. This occurred in a dorm-style housing unit, and the key he made opened a stairwell door (the door to the stairwell being inside the housing unit, which is how he was able to repeatedly test without scrutiny). The door was alarmed and went off when it opened. Most modern jails don't use skeleton-style keys, and the doors are opened and closed electronically, but the part of the jail he was in was decades old.
I'm not entirely sure, but I think that the door was not ordinarily used by anyone, something akin to the jail version of a fire exit. I believe it was set to alarm regardless of who opened it, but if an authorized person opened it, presumably they would let whomever receives the alarms know about it in advance and not send in an army of officers.
Presumably they disable the alarms before the guards open the doors, and enable the alarms when the prisoners are unsupervised. Like how you enable your house alarm when you leave, and then disable it when you return home.
People need to realize that the shape of your key is pretty much a "password". Letting your keys lie on a table in open view is akin to leaving a piece of paper with your password out in open view.
"UC San Diego computer scientists have built a software program that can perform key duplication without having the key. Instead, the computer scientists only need a photograph of the key."
A bit harder - use of a telephone book would probably solve a fair portion of cases where they didn't just get straight in (assuming you paid with your own credit card and so they had your name).
> Yes, so all it takes is somebody to rob THEM, and get keys and addresses...
Which would legitimately take the heat off of them, so it would be in their interests to fake a robbery of themselves not long before their real robberies of others begin.
Ah, but I'm just getting started! If you wanted to rob houses and frame them, just rob them first. The police and everyone else will think your real robbery was faked by the company, as per my previous paragraph, so you get off scot free.
It's strange, but I really find it hard to come up with a legitimate reason for this service - I think there's a place that'll copy my keys down the street from me. It would take me less time to get my keys copied there on the way home than it would to actually check my mail when I get home.
I find it hard to come up with an illegitimate reason for this service. A thief could finagle a picture of your key, send off to an online service using information that could easily be traced back to him, then use it to open your door. Or he could just pick your lock in less time than it would take him to fill out the order form.
It's also very possible to abuse a local, bricks and mortar key duplication service.
To abuse the online service, you need a valid credit card not in your name or traceable to you, a valid anonymous dropbox to ship to, a clean shot of the key, and an anonymous or well concealed IP address.
To abuse the local service, you need the key, some cash, and about 20 minutes.
As the consumer, it is way easier to be abused by the online service. First let's assume those running the service are perfectly honest. Now let's assume they practice security about as well as the average small online retailer. Now let's assume a hacker breaks into their system and downloads a full dump of their database. Now that hacker has many (hundreds? thousands?) of key photos matched directly to addresses and likely tons of other PII.
> Now let's assume a hacker breaks into their system and downloads a full dump of their database. Now that hacker has many (hundreds? thousands?) of key photos matched directly to addresses and likely tons of other PII.
In theory, they could encrypt the data with a public key before it ever hits the database (or any other permanent storage) and ensure the matching private key is never stored on the same computer.
In theory there are lots of ways they could secure the data, my point was that in the non-theory real world most online companies fall way short of good practices for data security.
This is why barely a day can go by these days without some story popping up on HN about "Company XYZ was hacked, customer data exposed".
Right, my point is that neither service is ironclad secure. (By the way, loading and activating a prepaid Visa anonymously is more tricky than you'd think post Patriot Act - I'd venture criminals would more likely just grab a stolen CC).
Interesting about the redaction. Presumably that's to guard your home if the picture is ever compromised?
Not sure if the PA is what caused this, but the last time I tried to set up a prepaid card a couple years ago, (one of those off-the-shelf drugstore ones), the actual card could only have $100 put on it until I filled out a form online that required all kinds of PII, including the requisite SSN.
The prepaid card only worked in person too, never online. (I assume they did this by having a bogus or placeholder name attached in their database, which would fail any basic verification checks done by an online seller, but work just fine at a local retailer.)
Agreed. Even though the site says "requires a credit card" as some type of security measure, it doesn't secure anything. What are the chances that if your locked item is opened, you would trace the theft back to this service to notify them?
Slim. You'd have to catch the perpetrator first and then figure out how he got a key.
99.99999% of people don't even know a service like this exists let alone to check if their house key was duplicated there before it got robbed.
In the U.S., the main deterrent against robbery is jail time. Most houses can be broken into with an elbow. Locks prevent silent entry and make it slightly harder to break in, they don't secure anything.
This. Locks keep honest thieves out. I don't know of any house that I couldn't gain entry into in a few minutes, without damaging anything, including my own.
No, it's often much easier than that. I do live in a pretty quiet neighborhood, but that's not what I meant either. There are a couple of things. One is that people tend to be vigilant WRT their home's primary access, but pay less attention to side-doors, back-doors, garage-doors, and windows. So you can often find one of these left unsecured. The second is that the latches on windows are notoriously bad WRT their ability to stay closed. They can often be dislodged by just bumping them gently while applying pressure in the right place, even when installed correctly. If they were installed incorrectly, or just carelessly, or if the house has "settled", windows can be even easier to defeat. Another weakness of windows is the glazing, sometimes it just slips out, or can be easily pried loose, sometimes it takes a screwdriver. Until very recently, little attention seems to have been paid to the security of windows in residential construction. There are a few other more-foolproof entry methods that I know that do little or no damage, but they aren't the sort of thing that a burglar would do.
PS I learned most of this at Texas Fireman's Training Academy (and just paying attention to my surroundings), in case you're wondering.
This allows you to keep a digital copy of your key. In the event that something unexpected happens, like you are in a different state and you misplace your car keys, you have a digital backup that can be turned into a physical key.
You buy expensive makes then, I really hope you know that you're way above what most people spend on cars. Most cars don't have those chips yet. The only sort of mainstream car I've seen with a chip in the key is the Prius, which starts in the low 20s new.
Come to think of it, I've only had a Mazda the last 10 or so years. Maybe it's just Mazda then. Their bottom-line Mazda3 (currently 16.7k MSRP) came with it when I bought one 6 years ago too.
> I really find it hard to come up with a legitimate reason for this service
Do you really find it hard? Let me help you out then. First, there are people who don't live next to a locksmith. Second, there are people who drive home instead of walking, and an extra stop while driving certainly takes more time than checking mail. Third, there are people who check their mail regularly anyway. Which is pretty much everyone.
That leaves us with all of the people who walk home, live next to a locksmith, and don't check their mail regularly, who can't make good use of this service.
Yes! I remember this was on HN a few days ago and thought it relevant but I couldn't remember the exact name so I googled shoosl+keys+copy+delivery+startup and a variety of combinations based on that but couldn't find the service online. They really need a memorable name.
This is made easier by the fact that key bitting is discrete. The software doesn't have to measure the exact depth of the valleys; it just needs to know which of the seven (or whatever it is for that particular lock) possible heights it's closest to.
I'm not even sure why you need a computer for this - maybe to print out the picture. As mentioned elsewhere in the thread, the heights are discrete, and you could figure out how to reproduce the key with a ruler and a pencil.
With 3D printing coming mainstream in the next decade, combined with high resolution cameras being common on smartphones, it's going to be important to start hiding the teeth of keys.
This could be made much harder both for accidentally seeing the code and for copying if the usual keys got inverted. As in - make them round pipes like the Gerda ones, but with holes on the inside instead of outside.
Not only would a photo of it be useless, they'd be also much harder to print (still fairly easy to cut though, but you'd have a hard time doing it manually - it would have to be done by a machine precisely measuring the movements in most cases).
Most new prison keys have this feature, I think. It's some sort of retractable sheath of sorts that hides the profile of the teeth.
And some high-security keys don't have teeth at all. They have dimples of varying depth on the side of the key serving the same function instead. These don't jut out and are very hard to copy even photographically.
The non-intuitive nature of the distinction between physical artifacts and the information they contain seems to be the source of a lot of different problems.
Also, most consumer locks are trivial to quickly pick (after a few days of practice), so the "picture of your key" vulnerability is the least of your concern if you have reason to suspect someone actively desires to circumvent your locks.
I had a hard time understanding the article. Can someone explain why putting an image of the prison's master key on an inmate pamphlet makes any sense? Someone went through the trouble of putting that exact key on the cover--it wasn't coincidental. Did the designer think it was a way of teasing the inmates with the key to their freedom?
This is a good point. No one seems to be able to answer why that picture was taken and then chosen as the cover of the welcome to prison booklet.
I bet somebody originally wanted an aerial shot of the prison, but someone else wisely objected because that would be a bad security move - giving prisoners a map of the area...
At first blush, I think one could easily have the attitude that a picture of a key is no more dangerous than a picture of a gun. The vulnerability is clear but not completely obvious. Especially when prisoners can also see the real keys, as guards no doubt have to use them near prisoners from time to time.
Given the description of the key looking like an E, the picture could have been an image of an ancient old key and the actual key was an ancient old key. Old locks with that E style shape are very easy to open due to being so worn. We used to pick them at school using modified spoons and such like. I'd hope the prison wasn't like this though.
This article made me realize that the whole concept of keys is something that needs to be looked into quite a bit with the rise in 3D printing technology. With an excellent 3D printer, one would hypothetically be able to take a picture of keys and be able to print a copy of them.
Physical locks are not that resistant to attack to start with. A $20 lockpick set in the hands of someone who has put in less than 100 hours of training can open up almost any door or padlock in a matter of seconds.
Have you seen how fast and easy it can be with bumpkeys? It isn't nearly as versatile, but a ring of properly made bumpkeys can open the majority of locks.
I don't see why this would invalidate the concept of physical keys.
The problem of visual key copying can be easily solved by either making keys in a shape that doesn't allow the ridges to be seen easily (something like 'E' with middle bar being the actual key) or by making a "dynamic" key that changes shape after you insert it into the lock.
I think you'll have better luck adapting lock technology to user behavior than changing every user's behavior.
Good password selection thinking should be commonsense by now to people who post here, but it seems like there's still a lot of work to be done educating the general (less geeky) public.
I don't have any inside knowledge, but presumably the keys and car exchange messages and do some crypto signing.
For example, the car makes up and sends a random string, the key signs it and sends it back.
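The exchange described in the comment above, as an added example that is not part of the thread and not any car maker's actual protocol. It assumes HMAC-SHA256 over a shared pairing secret in place of a signature; the names `Car` and `KeyFob` are hypothetical.

```python
import hashlib
import hmac
import secrets


class KeyFob:
    """Holds the pairing secret; only answers to challenges leave the fob."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    """Issues fresh random challenges and checks the fob's answer."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None  # challenge awaiting a response, if any

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # nothing outstanding: unsolicited answer
        challenge, self._pending = self._pending, None  # single use
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = secrets.token_bytes(32)  # constructed sample secret
    car, fob = Car(secret), KeyFob(secret)
    recorded = fob.respond(car.new_challenge())
    results = {"genuine": car.verify(recorded)}
    results["resent_without_challenge"] = car.verify(recorded)
    car.new_challenge()  # next unlock attempt gets a new random string
    results["replayed_old_answer"] = car.verify(recorded)
    stranger = KeyFob(secrets.token_bytes(32))  # fob with a different secret
    results["wrong_secret"] = car.verify(stranger.respond(car.new_challenge()))
    return results


if __name__ == "__main__":
    print(demo())
```

Only the first check succeeds: an answer observed once is bound to that one random string, so unlike the shape of a metal key it cannot be reused after being seen.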
I remember there was some graduate study done at UCSD where they took a picture of a key from afar and, using a computer, were able to create the exact key that accounted for the angle the picture was shot at. Does anyone remember an article like that?
Is this an example that a man can be smart and stupid at the same time? He put a lot of effort into getting out for 12 days, then got several more years in jail for that, maybe, wow.