Marc Weber Tobias

Stories By Marc Weber Tobias

  • The Lockdown: Lasershield - convenient, cost effective, potentially vulnerable

    What we may have is "a failure to communicate!" In previous Lockdown articles we have examined the vulnerabilities of mechanical locks and how easily most of them can be compromised. Even some popular high security locks can be easily bypassed -- if you thought that installing a deadbolt would provide all the protection you may need, think again.

    But if your locks will not adequately protect you, then what will? How about a portable alarm system that is affordably priced, a cinch to install, and virtually immune to the most common cause of false alarms (keypad entry errors), maybe something like the LaserShield. Still, the question arises: if a determined burglar can easily bypass this wireless system with some simple and abundant technology, is that too much of a risk to your home security?

    By Marc Weber Tobias
  • The Lockdown: Deadbolt walking

    There are millions of Medeco deadbolt systems in place worldwide. Between Medeco's reputation for quality and engineering excellence and their high security ratings by UL, BHMA / ANSI and other standards organizations, they are rated as one of the most secure systems available. The current mechanical design of Medeco's deadbolt has been utilized in its Biaxial product line, and now the m3, which we previously discussed. And guess what: a simple attack can bypass the security of this deadbolt in less than one minute, rendering all of the advanced Medeco technologies virtually irrelevant.

    These Medeco systems are relied upon in many different applications including high security installations throughout the world. The locks contain many levels of security including sidebars, sliders and special security pins. Unfortunately, all of that security can be circumvented in seconds with tools such as a simple screwdriver as shown above.

  • The Lockdown: The Medeco m3 meets the perilous paper clip

    Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on. Medeco is the predominant high security lock manufacturer in the United States and has been trusted for more than thirty-five years to provide cylinder and hardware security for the private, commercial and government sectors. According to Medeco, their locks are utilized in such venues as the White House and Pentagon to afford the maximum in cylinder lock security. The m3 cylinder, released about 2005, is the Medeco star product, the flagship in the security company's state-of-the-art, designed to resist almost any form of attack. The lock touts its key control attributes based on its unique integrated slider that adds another level of security to the lock. But if you are using these locks and think you're secure, you might just be surprised by what you can accomplish with a paperclip and a custom-cut shim.

  • The Lockdown: Gun locks - unsafe at any caliber

    Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on.

    Two years ago I published an alert on my site regarding the inherent insecurity of gun trigger locks in the hope that manufacturers would remove them from the market or modify their design to make them more child-proof. Although some manufacturers now produce a more secure model to meet statutory requirements in California, even some of these can be easily compromised. Essentially nothing has changed: many manufacturers continue to sell products that are poorly designed, the consequences of which can be fatal -- literally. Even the cable locks that are provided under a US Justice Department grant to law enforcement agencies through Project ChildSafe for free dissemination to gun owners are inadequate.

    I hope that this article will once again place all gun owners on notice of the dangers stemming from any form of trigger or cable lock to protect a weapon from unauthorized use by anyone -- but most importantly children. Have you ever seen an untrained eleven year old demonstrate the removal of three of the most popular trigger locks on the market from a rifle in just a few seconds? You will today. Read on.

  • The Lockdown: Locked, but maybe secure (part 2)

    Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on. The vast majority of door locks in the U.S. and many other parts of the world rely upon the security or insecurity of the pin tumbler mechanism. In part 1, I described the serious vulnerability to bumping and how most locks can be easily and quickly opened, even by a child. But in part 2 I will try to answer the question that most readers have asked in their emails: what lock should I buy?

    Security: How much is enough?

    The answer to the question of which lock you should buy is not quite so simple, and depends upon your definition of security. You need to consider a lock in the context of what it is designed to protect, where you are going to install it, and what your perceived risks are. In my opinion, conventional mechanical locks, the ones that do not carry any type of rating, are not secure and can be relatively easily compromised by a variety of techniques, bumping perhaps being the most onerous. When a kid can open a lock in seconds there is no security. As I have pointed out before, you get what you pay for in locks; the cheap ones like Kwikset and others that I have talked about offer no real security against anything when it comes to covert and other attacks.

  • The Lockdown: Locked, but maybe secure (part 1)

    Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on.

    Part I: Methods of attack, an overview

    All of these conventional locks look secure, but which really are? In the real world, none of them, and this is only a fraction of what ostensibly protects the consumer. This series of articles will describe what makes a lock secure and what is hype by the lock manufacturers.

    In The Lockdown: Locked but not secure (see also part 2), the technique of "bumping" was described in detail, alerting Engadget readers to the vulnerability of virtually every pin tumbler lock from simple and rapid bypass. In this sequel, Marc analyzes mechanical locks and what really makes them secure or easy to defeat. Whether you are a consumer or security specialist, you need to understand the criteria established by UL (Underwriters Laboratories) and other rating organizations to define the term "high security," because some manufacturers will try to mislead the public into believing that their locks are secure, when in fact they are not. Read on.

  • The Lockdown: an interview with Al Giazzon of Targus

    Noted security expert Marc Weber Tobias contributes The Lockdown, exposing the shoddy security you may depend on.

    On Friday, September 22, 2006, I interviewed Al Giazzon, the U.S. marketing manager for Targus. We talked about the company's philosophy regarding the security of their products and specifically about the Engadget report on the Defcon CL armored cable lock and the iPod mobile security lock.

    The interview lasted for one hour and is available here to listen to in its entirety [WMA]. For those of you that would like to review the critical points that were touched upon during our conversation, I have summarized them for a bit quicker of a read. Regarding their view of security and of their products:

    "We are not in the business of providing [a high] level of security against a well thought out, planned theft. We're really about providing a level of security for an affordable amount to protect against that more opportunistic theft. And for all of our corporate accounts that we sell these products to, they know that anyone who really wants it is gonna take it. And if it's the case where [the laptop is] that valuable, they take other precautions as well."

  • The Lockdown: The Targus iPod Lock, or, a modicum of security

    Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on. Targus is offering what they call a "mobile security lock" that they claim is a perfect "solution" for the millions of iPod owners who are hoping to keep their music players secure from theft. After evaluating the device from three different perspectives, I was not quite sure exactly what the "solution" was that they were describing, so I requested an interview with their Director of United States Marketing, Al Giazzon. Targus agreed, in part to respond to the Lockdown analysis of the Defcon CL Armored computer lock. I offered them a chance to talk about their philosophy on both of these products and to comment specifically on what I had described as Defcon CL design deficiencies. They also reviewed my video prior to the interview. The interview will come shortly, but in this article, I will analyze their latest product offering, the Targus iPod Lock, and summarize what I thought were key points of the interview regarding this product. I think you will find the discussion quite interesting, and it may shed some light on how Targus defines "security" in the context of protecting computers and small handheld devices, but for now we should discuss and expose the security in this product as well.

    The Mobile Security Lock for the iPod

    This is a small (2.75-ounce) device that consists of a docking connector that is secured with a three-digit combination lock. It is connected to a retractable 2.5-foot wire that terminates in a lightweight carrying case. Functionally, the idea is that the dock will be inserted into the iPod connector and the cable extended and wrapped around something that is immobile. Two release buttons, one on each side of the locking mechanism, must be simultaneously depressed in order to retract the two metal pins that project into the base of the internal iPod connector. Once the combination wheels are spun and locked, the side buttons cannot be depressed, thus making it impossible to easily withdraw the dock. The design is similar to a notebook lock; the iPod is tied to something that cannot be carried away.

  • The Lockdown: Your new Targus Defcon CL lock, hacked by beer

    Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on. If you thought that this hefty looking lock was secure, think again. Marc Weber Tobias and Matt Fiddler demonstrate how the Targus Defcon CL security device can be defeated in seconds with a piece of metal from a beer can, or with a paper clip. It's Targus time!

    A security analysis of this new product was prompted by a recent call from a technology reporter at the St. Paul Pioneer Press. This was the same journalist that wrote a detailed story about laptop locks in September 2004 that followed our security alert regarding the Defcon, wherein we described the simple method to decode its combination and quickly open it.

    Based upon the Targus press release and verbiage on the product packaging that extolled the Defcon CL Armor as having "more cut resistance and greater protection against cable cutters than other leading security cables," an associate and I decided to revisit the security of the new design and see if Targus has learned anything about the design of security products in the last two years. Evidently not! We sought to determine the new lock's resistance to both covert and forced methods of entry. As a result, an updated security alert and technical analysis has been posted on www.security.org and Engadget, together with a video that demonstrates how easily this lock can be compromised. Based upon our findings, I think it is fair to say that the latest Targus lock is on the cutting edge -- literally.

  • The Lockdown: Locked, but not secure (Part 2)

    Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on.

    Locks that are not at risk

    In yesterday's column, I set up key bumping -- what it is, how to do it, what it means for most anyone who relies on a lock for their safety and security. Now, let's get into generic locking mechanisms that cannot be bumped. There are several and all share a common trait; none of them have a split set of moving components, like pin tumblers do. Thus, warded, lever, wafer, magnetic, and disk locks cannot be bumped open. (Neither can laser-track vehicle locks, as they're really made of sliders, disks or wafers.)

    Warded locks are used in cheap padlocks and old hotel room doors. They are neither secure nor very prevalent.

    Wafer locks are used in many low security applications, mainly on cabinets, desks, showcases, inexpensive padlocks, alarm panels, vending machines, elevators, filing cabinets and many other venues. Interestingly, they can be easily picked but are immune to bumping. Lever locks can be found on blue postal collection boxes and access for groups of mailboxes and key keepers in apartment complexes that are accessed by the postal service. They are also the primary lock for safe deposit boxes and high security safes and vaults, primarily in Europe and other countries. Again, lever locks cannot be opened by bumping but may be picked and decoded.

    Disk locks, such as employed by Abloy, likewise cannot be bumped. Their internal design resembles a combination lock and they can be very secure, although there are decoding tools for some models. Like Bic pens.

    Locks that employ sliders, such as the Evva 3KS, are immune from bumping. I note the 3KS which is produced in Austria and very popular in Europe. This and similar slider locks are particularly secure against most forms of attack. Similar technology is employed in several automobiles.

    Locks that are at risk

    What are the types of generic locking mechanism that can be opened by bumping? The answer is simple: almost any conventional pin tumbler lock. So what does that mean? Virtually any lock that employs split pin tumblers can be rapidly compromised by bumping. That list would include low to high security conventional designs, but what does "conventional" mean? It denotes any pin tumbler mechanism that does not employ secondary locking systems, such as sidebars. Remember that sidebars in and of themselves do not prevent the lock from being bumped; they just may make it more difficult and require additional information. It all depends upon the mechanical design of the lock.

    As I stated earlier, any pin tumbler lock that utilizes two or more moving pins within each chamber is at risk. Door locks, post office locks, file cabinet locks, access control override locks, and padlocks. All of them can be bumped if you have the key that will fit the keyway and has been properly cut to all "9"s. Are there exceptions? Yes. Can every conventional lock be bumped open? No, but statistically, a very high percentage can. As detailed in my white paper, there are complicating factors which may make the process difficult or impossible.

    You may be asking if conventional lock manufacturers have implemented designs to stop or frustrate bumping. Might these include measures such as the use of security pins (mushroom, spool, serrated or other designs), increasing the number of pin tumblers within a given cylinder, employing removable core locks, or increasing spring bias on some or all of the pins? What about making one or more of the bores shorter than the rest? How about employing interactive elements like are used by Mul-T-Lock? Don't worry if you don't know what any of that means, because the simple answer is that none of these countermeasures are really effective. There have been some patents granted for anti-bumping pins, notably to Moshe Dolev, the co-inventor of Mul-T-Lock in Israel, and to Evva in Austria. Some locks do have anti-bump technology, but some of these schemes can often be defeated. In fact, my original White Paper on this subject has been revised after I did extensive testing on some cylinders and found that what was believed to present an obstacle to bumping in fact did not. So, the short answer is that not much is effective against the problem, unless you utilize certain high security mechanisms.

  • The Lockdown: Locked, but not secure (Part I)

    Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on.

    The Bump Key: A new old threat to the security of mechanical locks

    The most popular locking mechanism in the world utilizes the pin tumbler design, first developed 4000 years ago in Egypt and then rediscovered and perfected a century and a half ago by Linus Yale. There are billions of these locks in the world and they come in all sizes, configurations, and security ratings. Some are secure; most are not, and even some high security rated cylinders can be easily compromised. All that is required to open many types of pin tumbler cylinders -- the kind of lock that probably keeps the bad guys out of your home -- is a bump key and a tool for creating a bit of force. The bump key shown above opens an extremely popular five pin lock, and the plastic bumping tool is produced by Peterson manufacturing, although many others are now being offered for sale. With these two cheap implements, anyone -- and I do mean anyone -- can get into your home or business in a matter of seconds.

    In 2004, this relatively old technique of opening locks was rediscovered by the European locksmith community in Germany and other countries. As the word spread as to the ease with which certain locks could be bypassed, several sports lock picking clubs and notably the members of TOOOL began to examine the issue more closely. Subsequently, tests were conducted by the prestigious consumer research organization in the Netherlands in 2006 and published last March. In early April, we issued a security alert on security.org with regard to the vulnerability of United States Postal Service and Mail Boxes Etc. locks. Two White Papers were also posted, dealing with the security threat and legal issues involving bumping: A detailed technical analysis of bumping and Bumping of Locks: Legal issues in the United States.

    There is significant misunderstanding about the bumping technique, what locks are affected, and which products will provide real security against this threat. Barry Wels and I discussed bumping during a panel at HOPE in New York in July, and Matt Fiddler and I presented the same topic at DEFCON 14. A great deal of international media attention resulted from these talks because of the apparent simplicity of opening cylinders that were previously believed to be secure. The photograph to the right shows an eleven year old girl that opened a popular five pin cylinder in seconds at Defcon 14. She had no prior experience or expertise. You can watch a video (WMV) of her opening the lock here; it's actually a little scary.
