Hacker Opens High Security Handcuffs With 3D-Printed And Laser-Cut Keys (forbes.com/sites/andygreenberg)
124 points by thebigdeluge on July 16, 2012 | 49 comments



The situation with keys is actually worse than Forbes makes out.

Apparently they don't realize that (most) keys can now be copied from a photograph, from up to 195 feet away[1]. I realize that these "high security keys" are probably harder to duplicate than a normal key - but how many security officers know they should be keeping the keys out of sight as well as physically secure?

[1] http://hackaday.com/2009/09/22/photographic-key-duplication/


I actually found it easier to duplicate higher security keys than the usual household SC1 and KW1 ones. [0]

What makes a lock difficult to print and difficult to pick can be very different.

[0] http://eclecti.cc/hardware/physical-keygen-now-for-disc-deta...


Time for fingerprint entry to become popular - at least until cloning specific body parts becomes a home-kit..


Mythbusters was able to defeat several fingerprint identification systems quite easily.

At first their attempts were pretty elaborate. They lifted a fingerprint from a glass a person had held and then used an acidic solution to etch that pattern onto a mold. This mold then opened all of the high-end thumbprint readers they had.

However, if I remember correctly, they then went low-tech and simply used a photocopy of the thumbprint which also opened several devices.


I think it is good to remember that security is situational. So unless a prisoner is holding a copy of every officer/guard/transfer agent's finger prints, they won't be able to undo the lock while in most detention situations (the only ones I can come up with are fairly contrived, or require the prisoner to escape in cuffs, making the point moot). Basically, if the arresting officer puts the cuffs on the detainee, and scans in his fingerprint as the "unlock with this fingerprint" option, it becomes very difficult for the detainee to get a copy of that print in a form that will work, and then use it, unlike an accessible hidden key known to work with $model-of-handcuff.

Of course that says nothing about other ways to defeat the cuffs, which would probably become the prime area of research at that point. (why attack the locking mechanism if there are easier to defeat weaknesses).


According to the article, that's not how handcuffs need to work.

Handcuffs are designed so that one officer can put them on and another can take them off. If that weren't the case this situation of being able to print 1 key for all handcuffs wouldn't exist - they would simply make unique keys per handcuff.


Fair enough, although, I think a procedure change and a "transfer authority" function could easily cover this. The transfer function would basically be: original cuffer presses the transfer button, swipes his print, the receiver then swipes his print, and the transfer is done.

However, in a broader view, yeah, there are probably better ways than fingerprints to handle keys once electronic locking mechanisms are introduced. Probably something akin to a 2-factor cryptographic mechanism.


Just for interest, this still can be done with unique keys: Officer Alice handcuffs prisoner and wants to hand off to Officer Bob. Officer Bob locks prisoner with his own handcuffs (prisoner is now wearing two pairs), then Officer Alice removes hers.


Easy nitpick, what if one of the officers gets sick, gets injured, or just plain forgets and goes home?


Good question. I don't know, but perhaps an override key. However now that the physical key isn't an open secret, and needed by everyone, they would be easier to secure. And small batches would have a specific key for that batch, but not for all cuffs, making it even harder for the detainee to have the right duplicate on hand.

I feel though that my larger point is getting lost in this thread. It was/is:

Just because a security technology doesn't work for reason $x in situation $y, that doesn't mean that the weaknesses also apply to situation $z.




Depending on the situation, I might be ok with fingerprint access (such as high secure areas and such). The problem is for normal everyday use, I wouldn't be able to tell where the data is going. Either the manufacturers themselves or governments or hackers could be storing the data about who enters which door and when which would be another attack on my personal privacy that I don't want to give up.


That's not really specific to fingerprint access though; I'm sure many companies track key card use.


God no. Haven't we learnt by now?

Two-Factor authentication (something you have + something you know) is for physical security as well as online.


If a house/building has windows or mostly wooden walls, the lock is really only preventing people from quietly using the door.


Indeed. If someone truly wants in somewhere they will get in.


You could probably build a convincing fake-finger to fool the scanner.


Cloning of a specific body part has been a billion dollar industry for some time now...


Interesting story. My larger concern is that incumbent businesses and political interests will use this type of story to spread FUD that enables them to enact fear-based regulation before the benefits of cheap 3D printing can be realized by the general population. One simply has to look at piracy concerns and asinine infosec and privacy regulations for previous examples.


Just wait until you can download a handgun. Just wait until someone attaches explosives to a DIY drone and sends it into a shopping mall. Just wait until someone hacks the firmware on your self-driving car. It's going to get ugly.


I don't see how a DIY drone is any different from using an off the shelf RC plane and a wireless camera. The car one though, I have serious concerns about. There's an urban legend about cell phone viruses infecting cars via bluetooth, and while I don't know of any real cases of remote car hacking, it's not a happy thought.

One would hope that self-driving cars will have their driving system disconnected from any networks, but I don't know if that's even practical.


> I don't see how a DIY drone is any different from using an off the shelf RC plane and a wireless camera.

It isn't, except in as much as you can program it to follow a flight-path and then clear off. Given that you don't need to be in wireless range (200 meters?) you could send the drone in from miles away. But that aside: your comment is rational, but I wouldn't rely on politicians being so faced with scare stories about these exciting new technologies. Allied to their usual technophobia, they will try to ban everything, or require licences with onerous conditions.


Re "download a handgun", that debate is already happening:

http://boingboing.net/2011/09/20/3d-printed-ar-15-parts-chal...


I suppose it's more effective still, given small-scale production, to upgrade components on existing fire-arms rather than try to manufacture one from scratch.


The real debate starts when a few folks get killed with diy handguns.


Ya. (FATA) Federal Anti-Technology Act coming right up!


tomorrow: handcuff manufacturers call the DMCA over reverse engineering and subsequent pirating of their keys copyright.

everyone with a key is considered suspect. EFF suggest you walk around with several keys to your neighbors houses to enable a doubt defense.

Feds waste millions of tax dollars on 3D printers crackdowns thru the country, since they can't be used for anything else other than pirating handcuffs keys copyrighted material. Seize Thingiverse servers and demand CEO extradition.


You do know they'll use your suggestions as their playbook now, don't you? These days, the US Government seems to be using 1984 as their playbook, so why not this, too.


Don't you dare give them ideas!


It's sad that it seems any story can be twisted into some way that entrenched powers can exert themselves, particularly over information. Such a shame.


The thing is that certain forms of 3d printing technology bring the costs down so far for manufacturing certain technologies, that not restricting it as a society means that you will win technologically overall, compared to more restrictive societies.

They are in basic form, the first generation of digital replicators and some of the open source variants are already under $500, with dirt cheap print costs.

Who only knows what the patent industry is going to do, because certain sections of it are now screwed far, far worse than the recording and distribution industry ever was over people downloading MP3s, especially given that the mashup and resharing of different objects will probably be an extremely common use of desktop manufacture-to-order technologies and is easily accomplished over many existing and popular MMORPGs, alongside all the standard web channels, so is an absolute nightmare to try and police.

And that's without even considering the issues raised by laser scanning, photographic 3d, or just artists with a good eye and memory.


Handcuff locks are identically keyed so that any police officer can open them.

But it's rare that you need such compatibility; instead, "anyone in the department" is a fine size.

Handcuff manufacturers cheaped out. If they offered keys made per department, the keyspace would go from approximately 5 to tens of thousands. That won't stop someone from duplicating a key, but it will change the cost proposition for mass-duplication.

Plastic ties don't have the key issue, but they are vulnerable to a knowledgeable (semi-) brute-force attack.


In large-scale and homogenous departments, yes, that might sometimes work.

Through what is known as mutual aid, it is routine for various smaller police agencies to interoperate with other law enforcement agencies; with county, state and federal agencies with direct jurisdiction, and police departments from neighboring municipalities through mutual aid.

Finding a half-dozen police agencies at various calls is not uncommon.

This isn't only a factor with small departments, either. In some areas within cities with large established police departments, there can be a dozen law enforcement agencies with direct jurisdiction for a particular location and/or event.

And yes, this can be why officers at large events are often issued plastic cuffs. No keys.

Paralleling the problem that would arise with using multiple different cuff keys, simple radio communications among the various police and municipal agencies can be an issue. Everything from the frequencies and bands and encoding to the individual radio codes used by officers can lead to confusion.

When the hits the fan, a police officer needs equipment that works reliably, and the officer doesn't want to even have to think about using the equipment, nor about different cuff keys, radio protocols or codes.


There was a USENIX paper I recall from last year: Why (special agent) Johnny (still) Can't Encrypt[1], which I think includes some of the issues of trying to run these sorts of ad-hoc radio networks securely.

[1] http://www.crypto.com/blog/p25/


"Even so, Ray says he won’t post CAD models of the Bonowi or Clejuso models online, given that those keys are harder to obtain and providing blueprints for their reproduction could in fact reduce their real-world security. "

But in the very same article, there's a lovely photo of the Bonowi key next to a more readily-available Chubb key[1].

And I suspect most of the kinds of people with access to laser cutters and 3D printers have heard that it's pretty easy to dupe a key from a photo. Googling for "duplicate key from photo" brings up any number of articles that outline the techniques.

I can only assume that the Chubb key was provided for scale, to allow anyone with the tools to reproduce the Bonowi as well!

[1] http://blogs-images.forbes.com/andygreenberg/files/2012/07/S...


Not knowing much about keys, but knowing a bit about machining materials, I dare say that skilled people with access to a hardware store to buy a hacksaw, a few files and some metal could also duplicate a key without much trouble.

For all their high-tech trappings, laser cutters are still doing what humans do by hand all the time; they just do it faster.


I wonder if someone patented an actuator/microcontroller based cuff. The "key" would contain a battery and the cuff would challenge the key for the right password. There's lots of cryptography that could be used there, from shared secrets to public/private signatures. If it's not patented yet, I guess this description of the idea (that I might have thought of 364 days ago) counts as prior art :-)
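
Added example, not part of the comment above or of any product: a Python sketch of the shared-secret variant of the challenge-response idea, showing why a recorded response cannot be replayed. The class names, HMAC-SHA256, the 16-byte nonce and the per-department secrets are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Cuff:
    """Lock side: stores the department secret and issues one-time nonces."""

    def __init__(self, dept_secret: bytes):
        self._secret = dept_secret
        self._pending = None  # nonce awaiting a response, if any

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Key:
    """Powered key: proves knowledge of the secret without transmitting it."""

    def __init__(self, dept_secret: bytes):
        self._secret = dept_secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def demo() -> dict:
    dept_a, dept_b = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed
    cuff, own_key, other_key = Cuff(dept_a), Key(dept_a), Key(dept_b)
    recorded = own_key.respond(cuff.challenge())
    results = {"valid": cuff.unlock(recorded)}
    cuff.challenge()
    results["replayed"] = cuff.unlock(recorded)  # old response, fresh nonce
    results["other_department"] = cuff.unlock(other_key.respond(cuff.challenge()))
    results["no_challenge"] = cuff.unlock(recorded)
    return results


if __name__ == "__main__":
    print(demo())
```

With a shared secret every cuff holds the key material itself; the signature variant the comment mentions would leave only a public key in the cuff.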


I don't understand why we are making handcuffs with keys. Wouldn't it be better to have cuffs that lock but can't be unlocked? The only way to get them off would be to destroy them. Think zip ties that are structurally stronger.

Maybe the destruction method would be something like UV light to melt the cuffs.

Is it so important that we have re-usable cuffs?


> Think zip ties that are structurally stronger.

Zip ties themselves are easily circumvented with a razor. If stronger, how much stronger? Do you need heavy-duty bolt cutters to get them off?

> UV light to melt the cuffs.

Wouldn't a UV light source then be an easily-producible key?


I was thinking like 3/4 to 1/2 inch tubes of solid plastic. So maybe heavy-duty bolt cutters would be a good idea to get them off.

The crux of the idea is that the only way to get the cuffs off is to break the cuff with a specific brute force that requires a large unconcealable device. Even with the device, you still need time/space to use it (5-10 mins).

So pretend that we would need a large UV lamp and 5 mins to melt through.


If the cuffs cannot be reused then costs go up. If costs go up I pay more tax to cover this.


You don't even need a razor, in the video below a teenage girl is able to pop them off her wrists with applied force:

http://www.youtube.com/watch?v=HfmOD5jImOs


Law enforcement already use zip ties that are quite a bit more robust looking than the ones in that video.

And they do nasty things like putting your hands behind your back.


The last time I was handcuffed, I was able to bring my hands around to the front fairly trivially, so I could fasten my seatbelt.

Although, those were metal cuffs so I could maneuver my wrists independently.


> The last time I was handcuffed

Party at Pavel's house!


Old news, this has already been done at http://har2009.org/ read more here -> http://blackbag.nl/?tag=har2009


Yes, that was mentioned in the TFA, because it was done by the same guy. Did you not read it?


Zip ties.



