Popular Safe Locks Have Undisclosed Back Doors

Posted by TJ Easter II on Thursday, March 14. 2024 in Security, Tech


Two of the biggest manufacturers of locks used in commercial safes have been accused of essentially putting backdoors in at least some of their products in a new letter by Senator Ron Wyden. Wyden is urging the U.S. government to explicitly warn the public about the vulnerabilities, which Wyden says could be exploited by foreign adversaries to steal what U.S. businesses store in safes, such as trade secrets.

The little known “manufacturer” or “manager” reset codes could let third parties—such as spies or criminals—bypass locks without the owner’s consent and are sometimes not disclosed to customers. Wyden’s office also found that while the U.S. Department of Defense (DoD) bans such locks for sensitive and classified U.S. government use in part due to the security vulnerability reset codes pose, the government has deliberately not warned the public about the existence of these backdoors.

# The meatspace equivalent of the "forgot password" link.

The specific companies named in Wyden’s letter are China-based SECURAM and U.S.-based Sargent and Greenleaf (S&G). Each produces keypad locks which are then implemented into safes by other manufacturers. The full list of locks that contain backdoor codes is unknown, but documentation available online points to multiple SECURAM products which do include them, and S&G confirmed to Wyden’s office that some of its own locks also have similar codes.

[ ... ]

The findings produce clarity on sometimes-hidden features inside widely popular physical locks. They also provide an analogy to the discussion around encryption backdoors. For decades, governments, tech companies, and members of civil society have clashed over multiple lobbying attempts by agencies to have backdoors inserted into technology, and in particular, encryption products. The fact the DoD protected its own interests while not warning the public gives a stark demonstration of what could happen if a backdoor was inserted into a consumer electronics device or similar.

“The government has opted to keep the public in the dark about this vulnerability, after quietly protecting government agencies from it,” Wyden writes in the letter. The letter is addressed to the Honorable Michael C. Casey, director of the National Counterintelligence and Security Center (NCSC). The NCSC is tasked with leading the U.S. government’s counterintelligence efforts, and, of particular relevance to backdoors in locks, “provide [counterintelligence] outreach to U.S. private sector entities at risk of foreign intelligence penetration,” according to the NCSC’s website.

# These companies are using security through obscurity; that is, the locks are secure so
# long as the reset code remains secret.  Many, not least Bruce Schneier,
# have proven that this means of security is not secure at all.

[ ... ]

SECURAM products include SafeLogic Xtreme, a keypad style lock that sells for around $550. Another is the SafeLogic Direct Drive, a similar lock that is available to wholesale buyers. According to SECURAM’s documentation available online, both of these locks can include a “manager code.” This allows someone who isn’t the end user to unlock the safe lock system, change the manager code, add or delete a user code, or enable or disable a user code, the documentation reads.

# The U.S. government has banned the use of such locks (those featuring a reset code)
# for securing anything classified, while keeping consumers in the dark about the
# security implications thereof.
# The article mentions requiring a serial number from the safe to obtain the reset code.
# This is likely to avoid having a single, universal reset code.  All it takes is one
# disgruntled former employee to leak the application the manufacturer uses and all
# is lost.

Canonical turns 20: Shaping the Ubuntu Linux world

Posted by TJ Easter II on Sunday, March 10. 2024 in Tech, Unix


Ubuntu's parent company - now powering millions of desktops, servers, and clouds - continues to seek the balance between delivering 'Linux for Human Beings' and embracing its responsibilities in the global tech market.

2004 was already an eventful year for Linux. As I reported at the time, SCO was trying to drive Linux out of business. Red Hat was abandoning Linux end-user fans for enterprise customers by closing down Red Hat Linux 9 and launching the business-friendly Red Hat Enterprise Linux (RHEL). Oh, and South African tech millionaire and astronaut Mark Shuttleworth launched Canonical, Ubuntu Linux's parent company.

Little did I -- or anyone else -- suspect that Canonical would become one of the world's major Linux companies.

As a long-time Kubuntu user, I would like to wish Canonical a happy 20th birthday!

To Replace HexChat, Linux Mint is Building a New Desktop Chat App Called 'Jargonaut'

Posted by TJ Easter II on Sunday, March 10. 2024 in Tech, Unix


So work has begun on a new dedicated "chat room" app to replace HexChat, called Jargonaut. Linux Mint's goal is not to build a fully-featured IRC client, or even an IRC client at all. Jargonaut is a chat app that just happens to use IRC as its underlying chat protocol. Users won't need to know what IRC is nor learn its syntax, as Jargonaut isn't going to respond to standard IRC commands... When the app is opened Linux Mint's official support channels are there, ready to engage with. A real-time support chat app built on IRC — with additional bells:

"[Jargonaut] will support pastebin/imgur via DND, uploading your system specifications, troubleshooting and many features which have nothing to do with IRC," says Linux Mint lead Clement Lefebvre in the distro's latest monthly update. "HexChat was a great IRC client which helped us make a relatively good support chat room. We're hoping Jargonaut will help us make this chat room even better and much easier to use."
