Sunday, January 30, 2005
What to learn from the "crack" of electronic car keys?
You must have seen the New York Times story about researchers who can copy electronically coded car keys. What does this mean?
Your car's probably almost as safe as before. There's a world of difference between an attack that can duplicate one key at a time and a hypothetical attack that could bypass all keys everywhere. This discovery could only affect you if your car in particular was being stolen to order. Which does happen, but see below. The researchers are holding on to some of the details instead of releasing them. They haven't told criminals how to copy car keys. But organized crime can pay someone to figure out the rest, assuming they don't already know.
What does this discovery tell us about security in general?
- Secrecy doesn't work. If you need to know how secure a system is, you have to let lots of bright people look at it.
- Most "secure" systems aren't. Until lots of bright people have studied a system, you should figure there's a way around it.
- Avoid tunnel vision. While the car industry and the Johns Hopkins researchers were studying the mathematics of how the car key and the car talk to each other, car thieves were stealing cars using short bits of wire. You see, after all the sophisticated math, the ignition lock says "go" or "don't go" to the engine computer. On one model of car you can fake the "go" signal by connecting two pins on one of the connectors.
  A security consultant can help you get the perspective to find embarrassing little "oops"es like that.
- Keep things in perspective. The single best comment I've seen about this research is from Ford spokesman Dan Bedore:
"Flatbed trucks are a bigger threat," he said, "and a lot lower tech."
Bad guys will choose the easiest attack, not the most publicized one.