Working Medeco high-security keys can be whittled out of plastic
Researchers Crack Medeco High-Security Locks With Plastic Keys
"Basically, we've destroyed Medeco's key control, because we can make (plastic keys) for any of their M3 locks and a lot of their Biaxial locks, which is their last generation of locks," says Tobias, who authored the book Open in Thirty Seconds, with Bluzmanis.
The researchers demonstrated the technique using a Medeco mortise cylinder that Threat Level purchased in California before leaving for Las Vegas. After buying the lock, Threat Level scanned the key and e-mailed the image to the researchers, who then created several plastic keys. When Threat Level arrived in Las Vegas with the lock, it took about six seconds to open the lock using a plastic key.
"It's keys by e-mail," says Tobias. "It's key-mail."...
The Medeco M3 key does have an extra feature to secure the lock -- a step protrusion on the side of the key that's designed to move a slider inside the lock. But last year at DefCon, Tobias and his colleagues showed how they could simply insert the end of a bent paper clip into a Medeco high-security lock to push back the slider, rendering the slider ineffective as a security layer. Once that is done, they're then able to insert the plastic key in this new attack, to lift and rotate the pins.
(Image: Dave Bullock (eecue)/Wired.com)



think they'll do the honest thing and thank them for pointing out this serious fault?
Why is it as a Vegas resident, events are given bigger coverage AFTER they happen?
I scan the papers and yet they expect me to go to these things ex post facto.
I don't know if I'd really call this 'cracking the lock'. More like cracking the key control system.
To be clear, this doesn't allow them access to a lock which they didn't originally have access to the key (or detailed picture of the key).
"There are some locks that hackers can't open. For everything else, there's MasterCard."
When I worked at a secure government site, locks for filing cabinets (the ones that didn't have combination locks) used odd keys that had two sets of teeth at a 120 degree angle, precisely so that it would be harder to make a replacement or get one cut.
Of course, once we have RepRaps, weird-shaped keys won't be a problem.
Simon@4: Medeco tried something like this and were pwned by a paper-clip: "last year at DefCon, Tobias and his colleagues showed how they could simply insert the end of a bent paper clip into a Medeco high-security lock to push back the slider, rendering the slider ineffective as a security layer."
#3 - It's more accurate to say that it requires just enough access to a key to get a good-enough-to-replicate digital image of its profile. A cameraphone photo of the key might be enough for all we know, and that's certainly a much lower hurdle to clear. If an intruder is motivated enough, getting a quick, surreptitious snap of someone's keys probably isn't that daunting.
Like most security measures, most physical keys just aren't that secure against a determined intruder, for any number of reasons.
#7, Not for a Medeco key.
>>My hardware store can do the same thing....
>>Not for a Medeco key.
Which is sometimes the only reason for using Medeco. I once lived in an apartment where the front door to the building had a Medeco lock. It was a big plate-glass door, making the pickability of the lock completely irrelevant. They just wanted to keep the tenants from duplicating the keys.
There's usually a "The hackers are coming! The hackers are coming!" article in the local papers about a week before Blackhat/DEFCON. Hard to miss, lots of paranoia about social engineering and people stealing grass from the lawn at Caesars.
#2 Writes
For Vegas, I check the convention and events calendar websites for when I plan to be in town, to see if anything interesting is going on, or to reschedule if my visit coincides with some huge optometrist convention or something.
This is a common problem with newspapers, some acknowledge the issue, and are planning to "fix" it, give local events much more advance coverage rather than only after-the-fact.
they done anything about bump keys yet?
Is there anything here that isn't true of all key locks? And hasn't been true of all key locks since the very first one was invented?
i.e. if you know exactly what the key looks like, you can make another one. Okay, until comparatively recently you couldn't have made one out of a credit card. I guess that counts as a patentable innovation these days.
Medeco locks are EXPENSIVE. People buy them under the impression they offer superior security.
I think one of the main issues is that Medeco locks have always been thought of as the most secure locks in the US. Clearly they have serious issues. Most attacks come from the inside. If you can copy a key the system epic fails.
People who are saying this isn't a big deal should read the original article at Wired, as it explains this better than the excerpt does, but essentially what it comes down to is that Medeco has used patents and other legal stuff to make it so that only specific locksmiths, licensed by Medeco themselves, have access to the blank keys used for Medeco locks. This, along with their having been considered unpickable until last year's Defcon, was a main selling point: even if someone who is supposed to have a key should turn out to be untrustworthy, they couldn't duplicate that key, quit their job, and then break in. Until now.
VISA - It's everywhere you want to be.
"To be clear, this doesn't allow them access to a lock which they didn't originally have access to the key (or detailed picture of the key)."
These keys are extra expensive because they're supposed to be unduplicatable.
Security is inherently a balance between unbreakable, usable, and cost effective. Pick any 2 was the joke.
This time the joke is unfunny yet true. And stacking factors inherently runs head on against usable or cost effective.
Witness the automotive "transponder keys" Nice in concept yet fails on cost AND usability. A key BLANK priced at over $50 is far from cost effective to many people. Then when you add dealer mechanical cutting plus transponder coding? Closer to $150 for some cars if not more.
We just could reproduce the corridor of doors Maxwell Smart went thru.
nothing cheaper than a human guard
"nothing cheaper than a human guard"
Yeah, having an 'inside guy' pays dividends.
I was talking about keeping your own eye on things you care about
I assumed you meant 'hire a guard'. The best heist movies always have an inside guy.
Yeah, 'cause, you know, when I hear "human guard" I immediately think: "myself, keeping an eye on my own belongings."
That said, they've finally found a legitimate use for credit cards.
bah! illiterates! I'll be taking your stuff while you're in remedial classes!
Housemates of mine in college used to make keys for Medeco locks out of some more generic key blank (Yale I think, something that was thin enough to fit in a Medeco key path). The material just needs to be stiff enough and thick enough that you can file in the twists for the pins. Doesn't surprise me too much that credit card plastic fits the bill.
I suppose it's interesting that they were able to duplicate a Medeco from a picture, but I imagine it's not too hard to measure the pin heights from the picture, and determine whether each pin is twisted left, right or center. The twists are pretty easy to see on a real Medeco key.
As others have said Medecos aren't impenetrable, no lock is. They just up the barrier, since you can't realistically pick them and duplicating the key requires some extra effort.
I sorta figure Takuan is so zen he has no petty material 'things' worth locking up, so of course he could keep an eye on them himself.
He's one of the tippling monks. Gotta keep an eye on the bottle.
Or a tentacle. Leaving several hundred more tentacles free to tipple, eviscerate and constrict, amongst other things beyond the ken of man.
I'm pretty sure Takuan is a mom.
I bet you could get a good image by xray
So Medeco has based its business model on the claim that they can make an object into some kind of special shape such that nobody else can form matter into that shape?
Seriously, WTF? A key is just a piece of inert matter. The only thing that differentiates it from a cheese grater is that it's been formed into a very particular shape that matches the pattern of tumblers inside the lock. How can it be impossible to form another piece of inert matter into that shape once you know the details of the shape in question? Honestly, am I missing something?
I'm pretty sure Takuan is a mom.
I've heard him referred to as a 'mother' before, but not as a mom.
takuan is a NOUN! with tentacles. (some vestigial)
Medecos exist mainly to help with key control. The locks are beatable, but it isn't really worth most office workers' time to mess with all that, or to find a specific dealer who will copy their keys without recording it.
O, Ryleh?
You can duplicate almost any key that you have access to, by making a mold of it, or using a 3d scanner, or just by eye/comparison.
Medeco keys are harder to duplicate, but if you are familiar with how they work it's easy to imagine how it wouldn't take THAT much work to duplicate one yourself.
In addition to superior key control, Medeco locks offer increased defense against picking.
http://www.toool.nl/index-eng.php
http://www.zdnetasia.com/news/security/0,39044215,62044472,00.htm
It would be trivial to increase the torque required for latch actuation. Set it way beyond what any conceivable plastic could transmit and this hack's expired! Left for reader research is keys with ohmic contact devices. Which also could devalue this hack.
It's arguably good practice to use self restraint in applying skills. YES we should ethically feed back a valid risk so it can be managed. Exploiting it for unwarranted personal gain is ethically bankrupt.
Locks are of primary utility to keep honest people thinking that their property is secure.
Tak -
Just thought you'd like to know, BoingBoing is #5 in Google results for "human guard."
That may be enough to establish a new sense of meaning, in my estimation. But another use of the phrase might be: "a human-shaped guard fitted to a giant electric razor." Like a Flowbee, only scarier.
speciesist. Now be quiet and set up the bomb.
It's good when someone will point out a flaw in the weakness of a system. Sometimes. It's not like everyone who uses those locks is going to run out and change them. Sometimes telling people how easy it is to copy something is a two-edged sword.
M3 has "fore" and "aft" cuts. These are angled cuts at the depth of every cut. Unlike regular keys, Medeco keys have angle cuts where pins drop and spin at the same time. Did they do those "fore" and "aft" cuts also?
I wish they had given some info about that.
Jon from NYC - champion LS-