Technical Papers: "Physical Security
Cryptologic techniques can be applied outside of computers and networks, Perhaps surprisingly, the abstractions used in analyzing secure computing and communications systems turn out also to be useful for understanding mechnical locks and their keyspaces. Indeed, modeling master keyed locks as online authentication oracles leads directly to efficient solutions for what might naively seem like exponential problems for the attacker. In fact, it seems like almost a textbook example, as if master keying practices for locks were designed specifically to illustrate this class of weakness. We sometimes assume that hardware-based security is inherently superior to that based in software, but even the humble mechanical lock can be just as insecure as complex computing systems, and can fail in similar ways."
Matt's Master-Keyed Lock Vulnerability article is here
And Matt's safecracking PDF is here
Since information security and risk reduction invariably relies on physical security, it is time that infosec pushes the envelope on mandating physical security that is not based an illusion of security, but on provable security. That tape library with millions worth of intellectual property and trade secrets is sitting in a "Safe" somewhere right? Is that really safe? Probably in name only. As a great mind or two have concluded over the centuries: "security through obscurity is neither..."
-Bryan
