Praise then darkness, and creation unfinished

new lock

Tue, 21 Nov 2017 19:59:55 GMT

We had a locksmith here this morning to replace the lock (cylinder) on the apartment door.

This is because, around lunchtime yesterday, the door to our apartment opened. The upstairs neighbor, not really paying attention, had gotten off the elevator at our floor, walked to this corner of the building, put the key in the lock of what he thought was his apartment, and turned it.

Obviously, this isn't supposed to happen. I've tried to unlock the wrong door before; sometimes the key will go in, but it doesn't turn. Yes, there are a finite number of lock cylinder designs, but apartments 31 and 51 in the same building shouldn't have the same one, because people are more likely to try to walk into the apartment right downstairs than some other random house on the same street.

Before he left, we asked the neighbor to verify that his key really did work in our lock (i.e., that cattitude hadn't forgotten to lock up an hour before that). Then we called building management, who said the locksmith would be here between 9 and 10 this morning. He got here about 9:15, after first changing the cylinder on the upstairs apartment. He then went back upstairs, saying he wanted to make sure we now had unrelated cylinders, returned and gave us the new keys, taking the old cylinder and keys with him.

As locksmith adventure go, this is pretty tame: nothing was lost or damaged, nobody was locked out, and it cost us nothing (though I'll be spending a couple of dollars at a hardware store to make adrian_turtle a new key).

comments

A thought on deleting LiveJournal accounts

Fri, 30 Dec 2016 23:31:51 GMT

I know a bunch of people who are deleting their LiveJournal accounts because they're worried about the servers now being in Russia. One of them noted that they didn't want their private data being available for Putin's use.

That strikes me as a good reason not to put anything private on LJ from now on, but what's there is there. I commented:

Don't count on SUP to actually overwrite or otherwise get rid of the data if you delete a journal. Keeping the files while claiming they were gone wouldn't even be technically difficult: the software is already supposed to keep the contents of deleted journals for 30 days in case you change your mind. My inexpert hunch is that deleting an individual entry, or editing it to replace your private content with quotes from Shakespeare or Alice in Wonderland or the first umpteen digits of pi is more likely to actually get rid of the data.

comments

further adventures in security questions

Mon, 01 Feb 2016 23:18:50 GMT

I logged in to the TIAA-CREF website today (my retirement funds are with them, because my former employer somehow qualified as an academic institution), and they wanted me to update my security profile.

That turned out to include adding security questions. The list of options this time includes, along with things that seem too easy to look up, and things that don't apply (I didn't go to the prom), several to which my reaction was "I don't know…" I could ask my mother for my maternal grandmother's middle name; I'm not sure there's any way to find out what city my paternal grandmother was born in. What country, maybe (she was born in Russia, before the revolution, and I think my father said it was Ukrainian, but we had that conversation when it would have been the Ukrainian SSR].

Still, I found some I could answer without making up something random and writing it down in the list of passwords (the software would let me put "How-would-I-know" for my grandmother's middle name, and might have accepted "pi=3.141592," but then I would need to remember having said that), and maybe I'll ask my mother for her mother's middle name the next time we talk.

comments

PSA: Chip-and-pin broken

Fri, 12 Feb 2010 00:50:21 GMT

The chip-and-pin authentication system is badly broken, such that a hacker/thief with anyone's chip-and-PIN Visa or Mastercard can make arbitrary purchases. The problem appears to be that these cards can be used with chip and pin, or chip and signature, and by telling the card they're using one and the terminal they're using the other, people who know where it's broken can make purchases using any arbitrary PIN. The problem behind the problem is that there are lots of different, overlapping implementations of the security for chip-and-PIN, and lots of people with unsupported confidence that their implementations are sound.

The researchers reported this to the banking industry a couple of months ago. They note that this may explain at least some of the cases of phantom withdrawals. It may make it harder for the banking industry to deny refunds on the grounds that the challenged transactions were authenticated with a PIN: the researchers demonstrated using this attack on a system that was calling the bank for authentication, getting the authentication, and completing the transaction.

A cancelled card is still a cancelled card, and won't be authorized even with this attack. Also, it doesn't work at ATMs/cashpoints, only at merchants. But there are lots of stores that will sell any number of things that a thief either wants or can resell.

(If you're North American and don't know what chip-and-PIN is, hope that this gets fixed for real, and on a large scale, before it's implemented as "security" for our credit and debit cards.)

[via Bruce Schneier]

comments