Category Archives: Security

Get a Free Hotel Room — Key Management Failure

Plastic hotel “key cards” with a mag-stripe are notoriously unreliable (at least a 5% failure rate). They are easily demagnetized and stop working, even by proximity to cell phones and small fashion magnets (unlike payment cards, which are more resilient). I run mag-stripe payment card security tests, and the hotel cards that I sometimes use to calibrate and test my card reader (they usually have a three-track .500″ stripe with the data stored on a very small spot on track 2) have always been the most prone to failure.

With that in mind, I recently stayed at a chain hotel that issued me a generic key card. After a day or two the key stopped working. Maybe I was expecting it to stop working, but when it failed the first time I went straight to the front desk and asked that it be reprogrammed. To my surprise the hotel clerk, whom I had not seen before, just asked me what room number I was in.

I said “I think it’s #305”

She ran the card, hit a couple of buttons and handed it back to me.

Then I said “Oh, sorry, it’s actually #302.”

She smiled, took the card back, ran the same procedure and handed it back to me.

At this point I was outraged and found my mind racing through a checklist of security controls. Laptop hard drive encrypted. Check. USB drives encrypted. Check. Laptop physically cabled to desk. Check…

I was amazed by this giant, gaping hole in security procedure. Anyone, and I mean anyone, can get an old hotel key from any of their worldwide locations (they do not collect them — there is no revocation procedure) and just have it programmed by the front desk to get into my room.

I sent a formal complaint to the hotel management and then I heard nothing more about it…until I read a sad and shocking story in StlToday.

Hughes tried to enter a room on the same floor as his room at the Sheraton, and then went to the front desk to tell a clerk his key didn’t work. The clerk issued him a key for the room number he provided but failed to check to make sure it was the right room, Byrne said. The clerk has since resigned.

Hughes “really had it all screwed up on what his room number was,” Byrne said.

Thus, at least one hotel chain in America has security so lax you can walk in with an old key and they — no questions asked, no verification required — will program it for a free room for the night. You only have to give them a room number, which obviously is trivial to figure out, even if you’re “highly intoxicated”.

I would like to take this moment to point out that the problem is not with a clerk. Their resignation does not fix the vulnerability.

The St. Louis molestation case above has now publicly disclosed the danger of the exact vulnerability I reported to the hotel. A hotel’s key management policy and procedures may let anyone else, and I mean anyone, into your room.

The obvious, free and easy solution is to program a key for a door only after the front desk has performed a simple authentication check: verify who the guest is before authorizing a key to their room. There is no excuse for such poor key management. Firing a clerk is not a solution; this example also casts a dark shadow over encryption as a solution for payment card security in the hospitality industry.
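As an added example (not code from the original post), the flawed and the corrected front-desk procedures modeled in Python: the insecure path treats a claimed room number as authorization, while the corrected path authenticates the requester against the reservation on file and then revokes outstanding keys by bumping a key version, so an old card cannot be re-programmed into a working one. The reservation records, the ID check and the key-version scheme are constructed assumptions, not any real lock vendor's protocol.

```python
"""Model of hotel key re-issuance. The flaw described above is authorization
without authentication: a claimed room number alone gets a key encoded.
Constructed example; the reservation records, ID check and key-version
revocation scheme are assumptions, not any real lock vendor's protocol."""
import hmac
from dataclasses import dataclass


@dataclass
class Reservation:
    room: str
    guest: str
    id_hint: str          # constructed: e.g. last four digits of the ID shown at check-in
    key_version: int = 1  # locks accept only the current version


class FrontDesk:
    def __init__(self, reservations):
        self.by_room = {r.room: r for r in reservations}

    def reissue_insecure(self, room):
        """The procedure in the post: whatever room number is named, encode it."""
        res = self.by_room.get(room)
        return (room, res.key_version) if res else None

    def reissue(self, room, guest, id_hint):
        """Authenticate first: the requester must match the reservation on file
        for that room. Then revoke: bump the version so every previously encoded
        card for the room (lost, old, handed to someone else) stops opening it."""
        res = self.by_room.get(room)
        if res is None:
            return None
        ok = hmac.compare_digest(res.guest.lower().encode(), guest.lower().encode()) and \
            hmac.compare_digest(res.id_hint.encode(), id_hint.encode())
        if not ok:
            return None  # deny; a real system would also log the attempt for review
        res.key_version += 1
        return (room, res.key_version)


def lock_opens(res, card):
    """Door lock check: room must match and the card must carry the current version."""
    room, version = card
    return room == res.room and version == res.key_version
```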

The cards fail often enough that hotels and their staff are probably under some pressure to reduce the cost of reprogramming them. Reasons for card error include the following:

  • User — key used incorrectly
  • Admin — wrong room number or check-out date
  • Magnet — fields affected by static, cell phones, card cases, bags with magnets, metal clips
  • Card material — sub-standard (non-compliant) keys, re-use of failed keys
  • Lock mechanism not maintained
  • Lock environment — dirty/humid
  • Lock battery not maintained
  • Software not maintained — encoders and locks out of sync
  • Encoders not maintained

The entire list of reasons together is still not enough to justify removing validation from key management. Hotels should not be allowed to abandon the security of their rooms and guests just because the key system often fails, especially given that the reasons for key failure are well known and the repairs are easy and inexpensive.

Bicycle Sales Climb After Disasters

Women cyclists dry themselves off after getting wet during the 1936 N.C.U cyclists rally at Alexandra Palace in London. (Photo by © Hulton-Deutsch Collection/CORBIS/Corbis via Getty Images)

The prosperity of cities and countryside in late-1940s England, France, Italy and elsewhere benefited significantly from inexpensive, “off-grid” two-wheeled technology; these economies were all rebuilt on bicycles.

When I lived in London in the 1990s and studied post-WWII History, I regularly noticed this kind of footnote (pun not intended) on two-wheeled transportation for much of Europe.

My curiosity about European cycling might have been a bit biased, as I myself rode a bicycle everywhere and every day (spinning through the dark rainy days alongside dirty red double-decker buses, black cabs and the anti-terror Ring of Steel that obfuscated downtown London).

It wasn’t just a link with history. The math of cycling appealed to me: A car at that time would have taken at least 30 minutes plus parking time for me to go from home to the city. I could ride a bus for 45 minutes plus waiting, take the train for 30 minutes plus waiting, or… I could go door-to-door on a bike in just 20 minutes.

Besides saving money, the time I saved on a bicycle made the choice obvious (I have to admit I did not properly account for the pollution/health costs caused by lax vehicle emission laws).

Despite these simple calculations, I usually found I was the only cyclist on any London road.

It seemed odd not to see others on bikes, especially since London had been through a period in the past when two-wheeled transportation was extremely popular and had proved its value.

Take for example this video of the Cyclist Touring Club from Britain, which talks of “rediscovering common humanity” and “getting rid of our enemies” in the 1950s:

Another good example is the light scooter industry of Italy — a result of the war industry. While bicycles were obviously popular, after 1945 the metal tube (frame), wheel, tire and sheet-metal manufacturing capacity built for Axis war planes was repurposed into two-wheeled transportation. It all started with the single-model motor scooter in 1946 by Piaggio & Co. SpA of Pontedera, Italy.

I won’t go into why people moved away from these logical options for transportation and to the illogical gasoline automobile. Kunstler does a good job of that in The Geography of Nowhere. Instead, I want to point out here that the recent tsunami devastation in Japan is showing a sudden uptick in two-wheeled commuters.

The disruption of centralized fuel sources, coupled with the unreliability of roads and rails, makes bicycles an obvious best choice for transportation. Rather than walk from the city to the suburbs, workers are driving up demand for efficient yet fast transportation on two wheels.

Bicycles sold like hotcakes at supermarkets and bike shops after Friday’s megaquake shut down train services in the Tokyo metropolitan area, attracting local residents — and people from farther afield — who wanted to cycle home instead of facing the prospect of walking for several hours.

Disaster planners should not underestimate the importance and resilience of two-wheel transportation (and power generation), especially given recent advances in motorcycle ambulances in Africa that greatly reduce mortality rates.

WWI cycle engineering eerily still seems modern in concept

A bicycle ride to a data center, office or even a hospital might seem ridiculous until you take a good look at these disasters and factor in transportation dependencies. The next days and weeks unfortunately will illustrate the weakness of the automobile infrastructure, as well as how gasoline hoarding by automobile owners can negatively impact recovery.

The growth of automobiles always has been based on questionable assumptions about the government’s ability to collect taxes in order to protect and provide smooth highways, right-of-way, and inexpensive fuel. A national disaster puts these assumptions in a very different light. It shifts the economic playing field and puts the automobile back into its more natural disadvantaged state.

The biggest irony of this all, perhaps, is how often I find avowed libertarians driving exactly the kind of inefficient cars that depend heavily on the commonality of infrastructure and centralized services — only after a national disaster do they realize that a gas-guzzling shiny and fragile “success-mobile” is the ultimate sign of their unsustainable yet socialist tendencies.

BP Spill Cleanup Causes Toxic Catastrophe

Evidence has started to mount regarding a new category of environmental risk from the Gulf oil spill. Physically fit, healthy Americans exposed to dispersant chemicals have quickly become ill or have died.

Paul Doom, 22, from Navarre, Florida, was training in preparation to join the US Marines, until he became extremely ill from swimming in the Gulf of Mexico.

“I stopped swimming in July because I started having severe headaches that wouldn’t go away,” Doom told Al Jazeera. “But each time I went to the doctor they dismissed it.”

In October, Doom began to have internal bleeding, but this too was dismissed by doctors. In November, when it worsened, he was given pain medications in the Emergency Room and was told it would pass. Less than three weeks after that, Doom collapsed with a seizure.

“Since then, I’ve had two blood tests for Volatile Organic Compounds [VOC’s] which are in BP’s oil and dispersants, and they both came back with alarmingly high levels,” he said.

Since the onset of his symptoms, Doom has been dealing with ongoing internal bleeding, nose bleeds, bleeding from his ears, blood in his stool, headaches, severe diarrhea, two to five seizures per day, paralysis in his left leg and arm, and failing vision.

“A toxicologist that interpreted my blood VOC results told me they didn’t know how I was alive,” Doom explained. “My Hexane was off the charts, and I have 2 and 3 Methylpentane, Iso-octane, Ethylbenzene, and mp-Xylene.”

US Rep King says it can’t be terrorism if it doesn’t happen in the US

Peter King is targeted by the Daily Show for his contradictory positions on terrorism.

John Oliver tries to explain the difference: “Hamas is an Islamic organization and doesn’t drink. The IRA has a slightly different policy on that…”

The Guardian hints that Representative King may be trying only to foment fear and raise “ultra-rightwing” capital to win votes, regardless of actual security concerns:

As his star witness, King invited the credential-free Dr Zudhi Jasser, who wears the honourable badge of being “Glenn Beck’s favourite Muslim”. Jasser, unknown to mainstream Muslim communities, once anecdotally claimed that 3-5% of US Muslims are militant and nearly 40% do not approve the principle of the separation of church [sic] and state. Jasser also narrated the notorious “Third Jihad” video, produced by the clandestine and ultra-rightwing Clarion Fund and briefly used to train NYPD officers on counter-terrorism. After seeing the video, an NYPD officer remarked, “It was so ridiculously one-sided. It just made Muslims look like the enemy. It was straight propaganda.”